3.1. Principles

The RD is primarily a tool to make discovery operations more efficient than querying /.well-known/core on all connected devices or across boundaries that would limit those operations.¶

It provides information about resources hosted by other devices that could otherwise only be obtained by directly querying the /.well-known/core resource on these other devices, either by a unicast request or a multicast request.¶

Information SHOULD only be stored in the RD if it can be obtained by querying the described device's /.well-known/core resource directly.¶

Data in the RD can only be provided by the device that hosts the data or a dedicated Commissioning Tool (CT). These CTs act on behalf of endpoints too constrained, or generally unable, to present that information themselves. No other client can modify data in the RD. Changes to the information in the RD do not propagate automatically back to the web servers from where the information originated.¶

3.2. Architecture

The RD architecture is illustrated in Figure 1. An RD is used as a repository of registrations describing resources hosted on other web servers, also called endpoints (EPs). An endpoint is a web server associated with a scheme, IP address, and port. A physical node may host one or more endpoints. The RD implements a set of REST interfaces for endpoints to register and maintain RD registrations and for endpoints to look up resources from the RD. An RD can be logically segmented by the use of sectors.¶

A mechanism to discover an RD using CoRE Link Format [RFC6690] is defined.¶

Registrations in the RD are soft state and need to be periodically refreshed.¶

An endpoint uses specific interfaces to register, update, and remove a registration. It is also possible for an RD to fetch web links from endpoints and add their contents to its registrations.¶

At the first registration of an endpoint, a "registration resource" is created, the location of which is returned to the registering endpoint. The registering endpoint uses this registration resource to manage the contents of registrations.¶

A lookup interface for discovering any of the web links stored in the RD is provided using the CoRE Link Format.¶

           Registration         Lookup
            Interface         Interface
+----+          |                 |
| EP |----      |                 |
+----+    ----  |                 |
              --|-    +------+    |
+----+          | ----|      |    |     +--------+
| EP | ---------|-----|  RD  |----|-----| Client |
+----+          | ----|      |    |     +--------+
              --|-    +------+    |
+----+    ----  |                 |
| CT |----      |                 |
+----+

A registrant-EP MAY keep concurrent registrations to more than one RD at the same time if explicitly configured to do so, but that is not expected to be supported by typical EP implementations. Any such registrations are independent of each other. The usual expectation when multiple discovery mechanisms or addresses are configured is that they constitute a fall-back path for a single registration.¶

3.3. RD Content Model

The Entity-Relationship (ER) models shown in Figures 2 and 3 model the contents of /.well-known/core and the RD respectively, with entity-relationship diagrams [ER]. Entities (rectangles) are used for concepts that exist independently. Attributes (ovals) are used for concepts that exist only in connection with a related entity. Relations (diamonds) give a semantic meaning to the relation between entities. Numbers specify the cardinality of the relations.¶

Some of the attribute values are URIs. Those values are always full URIs and never relative references in the information model. However, they can be expressed as relative references in serializations, and they often are.¶

These models provide an abstract view of the information expressed in link-format documents and an RD. They cover the concepts but not necessarily all details of an RD's operation; they are meant to give an overview and not be a template for implementations.¶

           +----------------------+
           |   /.well-known/core  |
           +----------------------+
                      |
                      | 1
              ////////\\\\\\\
             <    contains   >
              \\\\\\\\///////
                      |
                      | 0+
            +--------------------+
            |      link          |
            +--------------------+
                      |
                      |  1   oooooooo
                      +-----o target o
                      |      oooooooo
 oooooooooooo   0+    |
o    target  o--------+
o  attribute o        | 0+   oooooo
 oooooooooooo         +-----o rel  o
                      |      oooooo
                      |
                      | 1    ooooooooo
                      +-----o context o
                             ooooooooo

Figure 2 models the contents of /.well-known/core, which contains a set of links belonging to the hosting web server.¶

The web server is free to choose links it deems appropriate to be exposed in its /.well-known/core. Typically, the links describe resources that are served by the host, but the set can also contain links to resources on other servers (see examples in Section 5 of [RFC6690]). The set does not necessarily contain links to all resources served by the host.¶

A link has the following attributes (see Section 5 of [RFC8288]):¶

• Zero or more link relations: They describe relations between the link context and the link target.¶

  In link-format serialization, they are expressed as space-separated values in the "rel" attribute and default to "hosts".¶

• A link context URI: It defines the source of the relation, e.g., who "hosts" something.¶

  In link-format serialization, it is expressed in the "anchor" attribute and defaults to the Origin of the target (practically, the target with its path and later components removed).¶

• A link target URI: It defines the destination of the relation (e.g., what is hosted) and is the topic of all target attributes.¶

  In link-format serialization, it is expressed between angular brackets and sometimes called the "href".¶

• Other target attributes (e.g., resource type (rt), interface (if), or content format (ct)): These provide additional information about the target URI.¶

                 +--------------+
                 +      RD      +
                 +--------------+
                        | 1
                        |
                        |
                        |
                        |
                   //////\\\\
                  < contains >
                   \\\\\/////
                        |
                     0+ |
 ooooooo     1  +---------------+
o  base o-------|  registration |
 ooooooo        +---------------+
                    |       | 1
                    |       +--------------+
       oooooooo   1 |                      |
      o  href  o----+                 /////\\\\
       oooooooo     |                < contains >
                    |                 \\\\\/////
       oooooooo   1 |                      |
      o   ep   o----+                      | 0+
       oooooooo     |             +------------------+
                    |             |      link        |
       oooooooo 0-1 |             +------------------+
      o    d   o----+                      |
       oooooooo     |                      |  1   oooooooo
                    |                      +-----o target o
       oooooooo   1 |                      |      oooooooo
      o   lt   o----+     ooooooooooo   0+ |
       oooooooo     |    o  target   o-----+
                    |    o attribute o     | 0+   oooooo
    ooooooooooo 0+  |     ooooooooooo      +-----o rel  o
   o  endpoint o----+                      |      oooooo
   o attribute o                           |
    ooooooooooo                            | 1   ooooooooo
                                           +----o context o
                                                 ooooooooo

Figure 3 models the contents of the RD, which contains, in addition to /.well-known/core, 0 to n registrations of endpoints.¶

A registration is associated with one endpoint. A registration defines a set of links, as defined for /.well-known/core. A registration has six types of attributes:¶

• an endpoint name ("ep", a Unicode string) unique within a sector¶
• a registration base URI ("base", a URI typically describing the scheme://authority part)¶
• a lifetime ("lt")¶
• a registration resource location inside the RD ("href")¶
• optionally, a sector ("d", a Unicode string)¶
• optional additional endpoint attributes (from Section 9.3)¶

The cardinality of "base" is currently 1; future documents are invited to extend the RD specification to support multiple values (e.g., [COAP-PROT-NEG]). Its value is used as a base URI when resolving URIs in the links contained in the endpoint.¶

Links are modeled as they are in Figure 2.¶

3.4. Link-Local Addresses and Zone Identifiers

Registration base URIs can contain link-local IP addresses. To be usable across hosts, those cannot be serialized to contain zone identifiers (see [RFC6874], Section 1).¶

Link-local addresses can only be used on a single link (therefore, RD servers cannot announce them when queried on a different link), and lookup clients using them need to keep track of which interface they got them from.¶

Therefore, it is advisable in many scenarios to use addresses with larger scopes, if available.¶

3.5. Use Case: Cellular M2M

Over the last few years, mobile operators around the world have focused on development of M2M solutions in order to expand the business to the new type of users: machines. The machines are connected directly to a mobile network using an appropriate embedded wireless interface (GSM/General Packet Radio Service (GPRS), Wideband Code Division Multiple Access (W-CDMA), LTE, etc.) or via a gateway providing short- and wide-range wireless interfaces. The ambition in such systems is to build them from reusable components. These speed up development and deployment and enable shared use of machines across different applications. One crucial component of such systems is the discovery of resources (and thus the endpoints they are hosted on) capable of providing required information at a given time or acting on instructions from the end users.¶

Imagine a scenario where endpoints installed on vehicles enable tracking of the position of these vehicles for fleet management purposes and allow monitoring of environment parameters. During the boot-up process, endpoints register with an RD, which is hosted by the mobile operator or somewhere in the cloud. Periodically, these endpoints update their registration and may modify resources they offer.¶

When endpoints are not always connected, for example, because they enter a sleep mode, a remote server is usually used to provide proxy access to the endpoints. Mobile apps or web applications for environment monitoring contact the RD, look up the endpoints capable of providing information about the environment using an appropriate set of link parameters, obtain information on how to contact them (URLs of the proxy server), and then initiate interaction to obtain information that is finally processed, displayed on the screen, and usually stored in a database. Similarly, fleet management systems provide the appropriate link parameters to the RD to look up for EPs deployed on the vehicles the application is responsible for.¶

3.6. Use Case: Home and Building Automation

Home and commercial building automation systems can benefit from the use of IoT web services. The discovery requirements of these applications are demanding. Home automation usually relies on run-time discovery to commission the system, whereas, in building automation, a combination of professional commissioning and run-time discovery is used. Both home and building automation involve peer-to-peer interactions between endpoints and involve battery-powered sleeping devices. Both can use the common RD infrastructure to establish device interactions efficiently but can pick security policies suitable for their needs.¶

Two phases can be discerned for a network servicing the system: (1) installation and (2) operation. During the operational phase, the network is connected to the Internet with a border router (e.g., a 6LoWPAN Border Router (6LBR) [RFC6775]), and the nodes connected to the network can use the Internet services that are provided by the IP or network administrator. During the installation phase, the network is completely stand-alone, no border router is connected, and the network only supports the IP communication between the connected nodes. The installation phase is usually followed by the operational phase. As an RD's operations work without hard dependencies on names or addresses, it can be used for discovery across both phases.¶

3.7. Use Case: Link Catalogues

Resources may be shared through data brokers that have no knowledge beforehand of who is going to consume the data. An RD can be used to hold links about resources and services hosted anywhere to make them discoverable by a general class of applications.¶

For example, environmental and weather sensors that generate data for public consumption may provide data to an intermediary server or broker. Sensor data are published to the intermediary upon changes or at regular intervals. Descriptions of the sensors that resolve to links to sensor data may be published to an RD. Applications wishing to consume the data can use RD lookup to discover and resolve links to the desired resources and endpoints. The RD service need not be coupled with the data intermediary service. Mapping of RDs to data intermediaries may be many-to-many.¶

Metadata in web link formats, such as the one defined in [RFC6690], which may be internally stored as triples or relation/attribute pairs providing metadata about resource links, need to be supported by RDs. External catalogues that are represented in other formats may be converted to common web linking formats for storage and access by RDs. Since it is common practice for these to be encoded in URNs [RFC8141], simple and lossless structural transforms should generally be sufficient to store external metadata in RDs.¶

The additional features of an RD allow sectors to be defined to enable access to a particular set of resources from particular applications. This provides isolation and protection of sensitive data when needed. Application groups with multicast addresses may be defined to support efficient data transport.¶

4.1. Finding a Resource Directory

A (re)starting device may want to find one or more RDs before it can discover their URIs. Dependent on the operational conditions, one or more of the techniques below apply.¶

The device may be preconfigured to exercise specific mechanisms for finding the RD:¶

1. It may be configured with a specific IP address for the RD. That IP address may also be an anycast address, allowing the network to forward RD requests to an RD that is topologically close; each target network environment in which some of these preconfigured nodes are to be brought up is then configured with a route for this anycast address that leads to an appropriate RD. (Instead of using an anycast address, a multicast address can also be preconfigured. The RD servers then need to configure one of their interfaces with this multicast address.)¶
2. It may be configured with a DNS name for the RD and use DNS to return the IP address of the RD; it can find a DNS server to perform the lookup using the usual mechanisms for finding DNS servers.¶
3. It may be configured to use a service discovery mechanism, such as DNS-based Service Discovery (DNS-SD), as outlined in Section 4.1.2.¶

For cases where the device is not specifically configured with a way to find an RD, the network may want to provide a suitable default.¶

1. The IPv6 Neighbor Discovery option RDAO (Section 4.1.1) can do that.¶
2. When DHCP is in use, this could be provided via a DHCP option (no such option is defined at the time of writing).¶

Finally, if neither the device nor the network offers any specific configuration, the device may want to employ heuristics to find a suitable RD.¶

The present specification does not fully define these heuristics but suggests a number of candidates:¶

1. In a 6LoWPAN, just assume the 6LBR can act as an RD (using the Authoritative Border Router Option (ABRO) to find that [RFC6775]). Confirmation can be obtained by sending a unicast GET to coap://[6LBR]/.well-known/core?rt=core.rd*.¶
2. In a network that supports multicast well, discover the RD using a multicast query for /.well-known/core, as specified in CoRE Link Format [RFC6690], and send a Multicast GET to coap://[ff0x::fe]/.well-known/core?rt=core.rd*. RDs within the multicast scope will answer the query.¶

When answering a multicast request directed at a link-local group, the RD may want to respond from a routable address; this makes it easier for registrants to use one of their own routable addresses for registration. When source addresses are selected using the mechanism described in [RFC6724], this can be achieved by applying the changes of its Section 10.4, picking public addresses in Rule 7 of its Section 5, and superseding Rule 8 with preferring the source address's precedence.¶

As some of the RD addresses obtained by the methods listed here are just (more or less educated) guesses, endpoints MUST make use of any error messages to very strictly rate-limit requests to candidate IP addresses that don't work out. For example, an ICMP Destination Unreachable message (and, in particular, the port unreachable code for this message) may indicate the lack of a CoAP server on the candidate host, or a CoAP error response code, such as 4.05 (Method Not Allowed), may indicate unwillingness of a CoAP server to act as a directory server.¶

The following RD discovery mechanisms are recommended:¶

• In managed networks with border routers that need stand-alone operation, the RDAO is recommended (e.g., the operational phase described in Section 3.6).¶
• In managed networks without border routers (no Internet services available), the use of a preconfigured anycast address is recommended (e.g., the installation phase described in Section 3.6).¶
• In networks managed using DNS-SD, the use of DNS-SD for discovery, as described in Section 4.1.2, is recommended.¶

The use of multicast discovery in mesh networks is NOT RECOMMENDED.¶

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |  Length = 3   |          Reserved             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Valid Lifetime                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                          RD Address                           +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

4.2. Payload Content Formats

RDs implementing this specification MUST support the application/link-format content format (ct=40).¶

RDs implementing this specification MAY support additional content formats.¶

Any additional content format supported by an RD implementing this specification SHOULD be able to express all the information expressible in link format. It MAY be able to express information that is inexpressible in link format, but those expressions SHOULD be avoided where possible.¶

4.3. URI Discovery

Before an endpoint can make use of an RD, it must first know the RD's address and port and the URI path information for its REST APIs. This section defines discovery of the RD and its URIs using the well-known interface of the CoRE Link Format [RFC6690] after having discovered a host, as described in Section 4.1.¶

Discovery of the RD registration URI is performed by sending either a multicast or unicast GET request to /.well-known/core and including a resource type (rt) parameter [RFC6690] with the value "core.rd" in the query string. Likewise, a resource type parameter value of "core.rd-lookup*" is used to discover the URIs for RD lookup operations, and "core.rd*" is used to discover all URIs for RD operations. Upon success, the response will contain a payload with a link format entry for each RD function discovered, indicating the URI of the RD function returned and the corresponding resource type. When performing multicast discovery, the multicast IP address used will depend on the scope required and the multicast capabilities of the network (see Section 9.5).¶

An RD MAY provide hints about the content formats it supports in the links it exposes or registers, using the "ct" target attribute, as shown in the example below. Clients MAY use these hints to select alternate content formats for interaction with the RD.¶

HTTP does not support multicast, and, consequently, only unicast discovery can be supported using the HTTP /.well-known/core resource.¶

RDs implementing this specification MUST support query filtering for the rt parameter, as defined in [RFC6690].¶

While the link targets in this discovery step are often expressed in path-absolute form, this is not a requirement. Clients of the RD SHOULD therefore accept URIs of all schemes they support, both as URIs and relative references, and not limit the set of discovered URIs to those hosted at the address used for URI discovery.¶

With security policies where the client requires the RD to be authorized to act as an RD, that authorization may be limited to resources on which the authorized RD advertises the adequate resource types. Clients that have obtained links they cannot rely on yet can repeat the "URI discovery" step at the /.well-known/core resource of the indicated host to obtain the resource type information from an authorized source.¶

The URI discovery operation can yield multiple URIs of a given resource type. The client of the RD can try out any of the discovered addresses.¶

The discovery request interface is specified as follows (this is exactly the well-known interface of [RFC6690], Section 4, with the additional requirement that the server MUST support query filtering):¶

Interaction:

EP, CT, or Client -> RD¶

Method:

GET¶

URI Template:

/.well-known/core{?rt}¶

URI Template Variables:

rt :=

Resource Type. SHOULD contain one of the values "core.rd", "core.rd-lookup*", "core.rd-lookup-res", "core.rd-lookup-ep", or "core.rd*"¶

Accept:

absent, application/link-format, or any other media type representing web links¶

The following response is expected on this interface:¶

Success:

2.05 (Content) or 200 (OK) with an application/link-format or other web link payload containing one or more matching entries for the RD resource.¶

The following example shows an endpoint discovering an RD using this interface, thus learning that the directory resource location in this example is /rd and that the content format delivered by the server hosting the resource is application/link-format (ct=40). Note that it is up to the RD to choose its RD locations.¶

Req: GET coap://[ff02::fe]/.well-known/core?rt=core.rd*

Res: 2.05 Content
Payload:
</rd>;rt=core.rd;ct=40,
</rd-lookup/ep>;rt=core.rd-lookup-ep;ct=40,
</rd-lookup/res>;rt=core.rd-lookup-res;ct=40

The following example shows the way of indicating that a client may request alternate content formats. The Content-Format code attribute "ct" MAY include a space-separated sequence of Content-Format codes, as specified in Section 7.2.1 of [RFC7252], indicating that multiple content formats are available. The example below shows the required Content-Format 40 (application/link-format) indicated, as well as Concise Binary Object Representation (CBOR) and JSON representations in the style of [CORE-LINKS-JSON] (for which the experimental values 65060 and 65050 are used in this example). The RD resource locations /rd and /rd-lookup are example values. The server in this example also indicates that it is capable of providing observation on resource lookups.¶

Req: GET coap://[ff02::fe]/.well-known/core?rt=core.rd*

Res: 2.05 Content
Payload:
</rd>;rt=core.rd;ct=40,
</rd-lookup/res>;rt=core.rd-lookup-res;ct="40 65060 65050";obs,
</rd-lookup/ep>;rt=core.rd-lookup-ep;ct="40 65060 65050"

For maintenance, management, and debugging, it can be useful to identify the components that constitute the RD server. The identification can be used to find client-server incompatibilities, supported features, required updates, and other aspects. The well-known interface described in Section 4 of [RFC6690] can be used to find such data.¶

It would typically be stored in an implementation information link (as described in [T2TRG-REL-IMPL]).¶

Req: GET /.well-known/core?rel=impl-info

Res: 2.05 Content
Payload:
<http://software.example.com/shiny-resource-directory/1.0beta1>;
    rel=impl-info

Note that, depending on the particular server's architecture, such a link could be anchored at the RD server's root (as in this example) or at individual RD components. The latter is to be expected when different applications are run on the same server.¶

5.1. Simple Registration

Not all endpoints hosting resources are expected to know how to upload links to an RD, as described in Section 5. Instead, simple endpoints can implement the simple registration approach described in this section. An RD implementing this specification MUST implement simple registration. However, there may be security reasons why this form of directory discovery would be disabled.¶

This approach requires that the registrant-EP makes available the hosted resources that it wants to be discovered as links on its /.well-known/core interface, as specified in [RFC6690]. The links in that document are subject to the same limitations as the payload of a registration (with respect to Appendix C).¶

• The registrant-EP finds one or more addresses of the directory server, as described in Section 4.1.¶

• The registrant-EP sends (and regularly refreshes with) a POST request to the /.well-known/rd URI of the directory server of choice. The body of the POST request is empty and triggers the resource directory server to perform GET requests (redone before lifetime expiry) at the requesting registrant-EP's /.well-known/core to obtain the link-format payload to register.¶

  The registrant-EP includes the same registration parameters in the POST request as it would with a regular registration, per Section 5. The registration base URI of the registration is taken from the registrant-EP's network address (as is default with regular registrations).¶

  The following is an example request from the registrant-EP to the RD (unanswered until the next step):¶

  Req: POST /.well-known/rd?lt=6000&ep=node1
  (No payload)
  

• The RD queries the registrant-EP's discovery resource to determine the success of the operation. It SHOULD keep a cache of the discovery resource and not query it again as long as it is fresh.¶

  The following is an example request from the RD to the registrant-EP:¶

  Req: GET /.well-known/core
  Accept: 40
  
  Res: 2.05 Content
  Content-Format: 40
  Payload:
  </sen/temp>
  

With this response, the RD would answer the previous step's request:¶

Res: 2.04 Changed

The sequence of fetching the registration content before sending a successful response was chosen to make responses reliable, and the point about caching was chosen to still allow very constrained registrants. Registrants MUST be able to serve a GET request to /.well-known/core after having requested registration. Constrained devices MAY regard the initial request as temporarily failed when they need RAM occupied by their own request to serve the RD's GET and retry later when the RD already has a cached representation of their discovery resources. Then, the RD can reply immediately, and the registrant can receive the response.¶

The simple registration request interface is specified as follows:¶

Interaction:

EP -> RD¶

Method:

POST¶

URI Template:

/.well-known/rd{?ep,d,lt,extra-attrs*}¶

URI Template Variables are the same as for registration in Section 5. The base attribute is not accepted to keep the registration interface simple; that rules out registration over CoAP-over-TCP or HTTP that would need to specify one. For some time during this document's development, the URI Template /.well-known/core{?ep,...} was in use instead.¶

The following response is expected on this interface:¶

Success:

2.04 (Changed)¶

For the second interaction triggered by the above, the registrant-EP takes the role of server and the RD takes the role of client. (Note that this is exactly the well-known interface of [RFC6690], Section 4):¶

Interaction:

RD -> EP¶

Method:

GET¶

URI Template:

/.well-known/core¶

The following response is expected on this interface:¶

Success:

2.05 (Content)¶

When the RD uses any authorization credentials to access the endpoint's discovery resource or when it is deployed in a location where third parties might reach it but not the endpoint, it SHOULD verify that the apparent registrant-EP intends to register with the given registration parameters before revealing the obtained discovery information to lookup clients. An easy way to do that is to verify the simple registration request's sender address using the Echo option, as described in [RFC9175], Section 2.4.¶

The RD MUST delete registrations created by simple registration after the expiration of their lifetime. Additional operations on the registration resource cannot be executed because no registration location is returned.¶

5.2. Third-Party Registration

For some applications, even simple registration may be too taxing for some very constrained devices, in particular, if the security requirements become too onerous.¶

In a controlled environment (e.g., building control), the RD can be filled by a third-party device, called a Commissioning Tool (CT). The CT can fill the RD from a database or other means. For that purpose scheme, the IP address and port of the URI of the registered device is the value of the "base" parameter of the registration described in Section 5.¶

It should be noted that the value of the "base" parameter applies to all the links of the registration and has consequences for the anchor value of the individual links, as exemplified in Appendix B. A potential (currently nonexistent) "base" attribute of the link is not affected by the value of "base" parameter in the registration.¶

5.3. Operations on the Registration Resource

This section describes how the registering endpoint can maintain the registrations that it created. The registering endpoint can be the registrant-EP or the CT. The registrations are resources of the RD.¶

An endpoint should not use this interface for registrations that it did not create. This is usually enforced by security policies, which, in general, require equivalent credentials for creation of and operations on a registration.¶

After the initial registration, the registering endpoint retains the returned location of the registration resource for further operations, including refreshing the registration in order to extend the lifetime and "keep-alive" the registration. When the lifetime of the registration has expired, the RD SHOULD NOT respond to discovery queries concerning this endpoint. The RD SHOULD continue to provide access to the registration resource after a registration timeout occurs in order to enable the registering endpoint to eventually refresh the registration. The RD MAY eventually remove the registration resource for the purpose of garbage collection. If the registration resource is removed, the corresponding endpoint will need to be reregistered.¶

The registration resource may also be used to cancel the registration using DELETE and to perform further operations beyond the scope of this specification.¶

Operations on the registration resource are sensitive to reordering; Section 5.3.4 describes how order is restored.¶

The operations on the registration resource are described below.¶

Req: POST /rd/4521

Res: 2.04 Changed

Req: GET /rd-lookup/res?ep=endpoint1

Res: 2.05 Content
Payload:
<coap://local-proxy-old.example.com/sensors/temp>;
    rt=temperature-c;if=sensor,
<http://www.example.com/sensors/temp>;
    anchor="coap://local-proxy-old.example.com/sensors/temp";
    rel=describedby

Req: POST /rd/4521?base=coaps://new.example.com

Res: 2.04 Changed

Req: GET /rd-lookup/res?ep=endpoint1

Res: 2.05 Content
Payload:
<coaps://new.example.com/sensors/temp>;
    rt=temperature-c;if=sensor,
<http://www.example.com/sensors/temp>;
    anchor="coaps://new.example.com/sensors/temp";
    rel=describedby

Req: DELETE /rd/4521

Res: 2.02 Deleted

Req: POST /rd/4521?lt=7200

Res: 4.01 Unauthorized
Echo: 0x0123

(EP tries again immediately.)

Req: POST /rd/4521?lt=7200
Echo: 0x0123

Res: 2.04 Changed
Echo: 0x0124

(Later, the EP regains its confidence in its long-term reachability.)

Req: POST /rd/4521?lt=90000
Echo: 0x0124

Res: 2.04 Changed
Echo: 0x0247

6.1. Resource Lookup

Resource lookup results in links that are semantically equivalent to the links submitted to the RD by the registrant. The links and link parameters returned by the lookup are equal to the originally submitted ones, except that the target reference is fully resolved and that the anchor reference is fully resolved if it is present in the lookup result at all.¶

Links that did not have an anchor attribute in the registration are returned without an anchor attribute. Links of which href or anchor was submitted as a (full) URI are returned with the respective attribute unmodified.¶

The above rules allow the client to interpret the response as links without any further knowledge of the storage conventions of the RD. The RD MAY replace the registration base URIs with a configured intermediate proxy, e.g., in the case of an HTTP lookup interface for CoAP endpoints.¶

If the base URI of a registration contains a link-local address, the RD MUST NOT show its links unless the lookup was made from the link on which the registered endpoint can be reached. The RD MUST NOT include zone identifiers in the resolved URIs.¶

6.2. Lookup Filtering

Using the Accept option, the requester can control whether the returned list is returned in CoRE Link Format (application/link-format, default) or in alternate content formats (e.g., from [CORE-LINKS-JSON]).¶

Multiple search criteria MAY be included in a lookup. All included criteria MUST match for a link to be returned. The RD MUST support matching with multiple search criteria.¶

A link matches a search criterion if it has an attribute of the same name and the same value, allowing for a trailing "*" wildcard operator, as in Section 4.1 of [RFC6690]. Attributes that are defined as relation-types (in the link-format ABNF) match if the search value matches any of their values (see Section 4.1 of [RFC6690]; for example, ?if=tag:example.net,2020:sensor matches ;if="example.regname tag:example.net,2020:sensor";. A resource link also matches a search criterion if its endpoint would match the criterion, and vice versa, an endpoint link matches a search criterion if any of its resource links matches it.¶

Note that href is a valid search criterion and matches target references. Like all search criteria, on a resource lookup, it can match the target reference of the resource link itself but also the registration resource of the endpoint that registered it. Queries for resource link targets MUST be in URI form (i.e., not relative references) and are matched against a resolved link target. Queries for endpoints SHOULD be expressed in path-absolute form if possible and MUST be expressed in URI form otherwise; the RD SHOULD recognize either. The anchor attribute is usable for resource lookups and, if queried, MUST be in URI form as well.¶

Additional query parameters "page" and "count" are used to obtain lookup results in specified increments using pagination, where count specifies how many links to return and page specifies which subset of links organized in sequential pages, each containing 'count' links, starting with link zero and page zero. Thus, specifying a count of 10 and page of 0 will return the first 10 links in the result set (links 0-9). Specifying a count of 10 and page of 1 will return the next 'page' containing links 10-19, and so on. Unlike block-wise transfer of a complete result set, these parameters ensure that each chunk of results can be interpreted on its own. This simplifies the processing but can result in duplicate or missed items when coinciding with changes from the registration interface.¶

Endpoints that are interested in a lookup result repeatedly or continuously can use mechanisms such as ETag caching, resource observation [RFC7641], or any future mechanism that might allow more efficient observations of collections. These are advertised, detected, and used according to their own specifications and can be used with the lookup interface as with any other resource.¶

When resource observation is used, every time the set of matching links changes or the content of a matching link changes, the RD sends a notification with the matching link set. The notification contains the successful current response to the given request, especially with respect to representing zero matching links (see "Success" item below).¶

The lookup interface is specified as follows:¶

Interaction:

Client -> RD¶

Method:

GET¶

URI Template:

{+type-lookup-location}{?page,count,search*}¶

URI Template Variables:

type-lookup-location :=

RD lookup URI for a given lookup type (mandatory). The address is discovered as described in Section 4.3.¶

search :=

Search criteria for limiting the number of results (optional). The search criteria are an associative array, expressed in a form-style query, as per the URI Template (see [RFC6570], Sections 2.4.2 and 3.2.8).¶

page :=

Page (optional). This parameter cannot be used without the count parameter. Results are returned from result set in pages that contain 'count' links starting from index (page * count). Page numbering starts with zero.¶

count :=

Count (optional). The number of results is limited to this parameter value. If the page parameter is also present, the response MUST only include 'count' links starting with the (page * count) link in the result set from the query. If the count parameter is not present, then the response MUST return all matching links in the result set. Link numbering starts with zero.¶

Accept:

absent, application/link-format, or any other indicated media type representing web links¶

The following responses codes are defined for this interface:¶

Success:

2.05 (Content) or 200 (OK) with an application/link-format or other web link payload containing matching entries for the lookup.¶

The payload can contain zero links (which is an empty payload in the link format described in [RFC6690] but could also be [] in JSON-based formats), indicating that no entities matched the request.¶

6.3. Resource Lookup Examples

The examples in this section assume the existence of CoAP hosts with a default CoAP port 61616. HTTP hosts are possible and do not change the nature of the examples.¶

The following example shows a client performing a resource lookup with the example resource lookup locations discovered in Figure 5:¶

Req: GET /rd-lookup/res?rt=tag:example.org,2020:temperature

Res: 2.05 Content
Payload:
<coap://[2001:db8:3::123]:61616/temp>;
    rt="tag:example.org,2020:temperature"

A client that wants to be notified of new resources as they show up can use this observation:¶

Req: GET /rd-lookup/res?rt=tag:example.org,2020:light
Observe: 0

Res: 2.05 Content
Observe: 23
Payload: empty

(at a later point in time)

Res: 2.05 Content
Observe: 24
Payload:
<coap://[2001:db8:3::124]/west>;rt="tag:example.org,2020:light",
<coap://[2001:db8:3::124]/south>;rt="tag:example.org,2020:light",
<coap://[2001:db8:3::124]/east>;rt="tag:example.org,2020:light"

The following example shows a client performing a paginated resource lookup:¶

Req: GET /rd-lookup/res?page=0&count=5

Res: 2.05 Content
Payload:
<coap://[2001:db8:3::123]:61616/res/0>;ct=60,
<coap://[2001:db8:3::123]:61616/res/1>;ct=60,
<coap://[2001:db8:3::123]:61616/res/2>;ct=60,
<coap://[2001:db8:3::123]:61616/res/3>;ct=60,
<coap://[2001:db8:3::123]:61616/res/4>;ct=60

Req: GET /rd-lookup/res?page=1&count=5

Res: 2.05 Content
Payload:
<coap://[2001:db8:3::123]:61616/res/5>;ct=60,
<coap://[2001:db8:3::123]:61616/res/6>;ct=60,
<coap://[2001:db8:3::123]:61616/res/7>;ct=60,
<coap://[2001:db8:3::123]:61616/res/8>;ct=60,
<coap://[2001:db8:3::123]:61616/res/9>;ct=60

The following example shows a client performing a lookup of all resources of all endpoints of a given endpoint type. It assumes that two endpoints (with endpoint names sensor1 and sensor2) have previously registered with their respective addresses (coap://sensor1.example.com and coap://sensor2.example.com) and posted the very payload of the 6th response of Section 5 of [RFC6690].¶

It demonstrates how absolute link targets stay unmodified, while relative ones are resolved:¶

Req: GET /rd-lookup/res?et=tag:example.com,2020:platform

Res: 2.05 Content
Payload:
<coap://sensor1.example.com/sensors>;ct=40;title="Sensor Index",
<coap://sensor1.example.com/sensors/temp>;rt=temperature-c;if=sensor,
<coap://sensor1.example.com/sensors/light>;rt=light-lux;if=sensor,
<http://www.example.com/sensors/t123>;rel=describedby;
    anchor="coap://sensor1.example.com/sensors/temp",
<coap://sensor1.example.com/t>;rel=alternate;
    anchor="coap://sensor1.example.com/sensors/temp",
<coap://sensor2.example.com/sensors>;ct=40;title="Sensor Index",
<coap://sensor2.example.com/sensors/temp>;rt=temperature-c;if=sensor,
<coap://sensor2.example.com/sensors/light>;rt=light-lux;if=sensor,
<http://www.example.com/sensors/t123>;rel=describedby;
    anchor="coap://sensor2.example.com/sensors/temp",
<coap://sensor2.example.com/t>;rel=alternate;
    anchor="coap://sensor2.example.com/sensors/temp"

6.4. Endpoint Lookup

The endpoint lookup returns links to and information about registration resources, which themselves can only be manipulated by the registering endpoint.¶

Endpoint registration resources are annotated with their endpoint names (ep), sectors (d, if present), and registration base URI (base; reports the registrant-EP's address if no explicit base was given), as well as a constant resource type (rt="core.rd-ep"); the lifetime (lt) is not reported. Additional endpoint attributes are added as target attributes to their endpoint link unless their specification says otherwise.¶

Links to endpoints SHOULD be presented in path-absolute form or, if required, as (full) URIs. (This ensures that the output conforms to Limited Link Format, as described in Appendix C.)¶

Base addresses that contain link-local addresses MUST NOT include zone identifiers, and such registrations MUST NOT be shown unless the lookup was made from the same link from which the registration was made.¶

While the endpoint lookup does expose the registration resources, the RD does not need to make them accessible to clients. Clients SHOULD NOT attempt to dereference or manipulate them.¶

An RD can report registrations in lookup whose URI scheme and authority differ from that of the lookup resource. Lookup clients MUST be prepared to see arbitrary URIs as registration resources in the results and treat them as opaque identifiers; the precise semantics of such links are left to future specifications.¶

The following example shows a client performing an endpoint lookup that is limited to endpoints of endpoint type tag:example.com,2020:platform:¶

Req: GET /rd-lookup/ep?et=tag:example.com,2020:platform

Res: 2.05 Content
Payload:
</rd/1234>;base="coap://[2001:db8:3::127]:61616";ep=node5;
    et="tag:example.com,2020:platform";ct=40;rt=core.rd-ep,
</rd/4521>;base="coap://[2001:db8:3::129]:61616";ep=node7;
    et="tag:example.com,2020:platform";ct=40;d=floor-3;
    rt=core.rd-ep

7.1. Endpoint Name

Whenever an RD needs to provide trustworthy results to clients doing endpoint lookup or resource lookup with filtering on the endpoint name, the RD must ensure that the registrant is authorized to use the given endpoint name. This applies both to registration and later to operations on the registration resource. It is immaterial whether the client is the registrant-EP itself or a CT is doing the registration. The RD cannot tell the difference, and CTs may use authorization credentials authorizing only operations on that particular endpoint name or a wider range of endpoint names.¶

It is up to the concrete security policy to describe how the endpoint name and sector are transported when certificates are used. For example, it may describe how SubjectAltName dNSName entries are mapped to endpoint and domain names.¶

7.2. Entered Links

When lookup clients expect that certain types of links can only originate from certain endpoints, then the RD needs to apply filtering to the links an endpoint may register.¶

For example, if clients use an RD to find a server that provides firmware updates, then any registrant that wants to register (or update) links to firmware sources will need to provide suitable credentials to do so, independently of its endpoint name.¶

Note that the impact of having undesirable links in the RD depends on the application. If the client requires the firmware server to present credentials as a firmware server, a fraudulent link's impact is limited to the client revealing its intention to obtain updates and slowing down the client until it finds a legitimate firmware server; if the client accepts any credentials from the server as long as they fit the provided URI, the impact is larger.¶

An RD may also require that links are only registered if the registrant is authorized to publish information about the anchor (or even target) of the link. One way to do this is to demand that the registrant present the same credentials in its role as a registering client that it would need to present in its role as a server when contacted at the resources' URI. These credentials may include using the address and port that are part of the URI. Such a restriction places severe practical limitations on the links that can be registered.¶

As above, the impact of undesirable links depends on the extent to which the lookup client relies on the RD. To avoid the limitations, RD applications should consider prescribing that lookup clients only use the discovered information as hints and describe which pieces of information need to be verified because they impact the application's security. A straightforward way to verify such information is to request it again from an authorized server, typically the one that hosts the target resource. That is similar to what happens in Section 4.3 when the "URI discovery" step is repeated.¶

7.3. Link Confidentiality

When registrants publish information in the RD that is not available to any client that would query the registrant's /.well-known/core interface, or when lookups to that interface are subject to stricter firewalling than lookups to the RD, the RD may need to limit which lookup clients may access the information.¶

In this case, the endpoint (and not the lookup clients) needs to be careful to check the RD's authorization. The RD needs to check any lookup client's authorization before revealing information directly (in resource lookup) or indirectly (when using it to satisfy a resource lookup search criterion).¶

7.4. Segmentation

Within a single RD, different security policies can apply.¶

One example of this are multi-tenant deployments separated by the sector (d) parameter. Some sectors might apply limitations on the endpoint names available, while others use a random identifier approach to endpoint names and place limits on the entered links based on their attributes instead.¶

Care must be taken in such setups to determine the applicable access control measures to each operation. One easy way to do that is to mandate the use of the sector parameter on all operations, as no credentials are suitable for operations across sector borders anyway.¶

7.5. "First Come First Remembered": A Default Policy

The "First Come First Remembered" policy is provided both as a reference example for a security policy definition and as a policy that implementations may choose to use as default policy in the absence of any other configuration. It is designed to enable efficient discovery operations even in ad hoc settings.¶

Under this policy, the RD accepts registrations for any endpoint name that is not assigned to an active registration resource and only accepts registration updates from the same endpoint. The policy is minimal in that it does not make any promises to lookup clients about the claims of Sections 7.2 and 7.3, and promises about the claims in Section 7.1 are limited to the lifetime of that endpoint's registration. It does however promise the endpoint that, for the duration of its registration, its links will be discoverable on the RD.¶

When a registration or operation is attempted, the RD MUST determine the client's subject name or public key:¶

• If the client's credentials indicate any subject name that is certified by any authority that the RD recognizes (which may be the system's trust anchor store), all such subject names are stored. With credentials based on CWT or JWT (as common with Authentication and Authorization for Constrained Environments (ACE)), the Subject (sub) claim is stored as a single name, if it exists. With X.509 certificates, the Common Name (CN) and the complete list of SubjectAltName entries are stored. In both cases, the authority that certified the claim is stored along with the subject, as the latter may only be locally unique.¶
• Otherwise, if the client proves possession of a private key, the matching public key is stored. This applies both to raw public keys and to the public keys indicated in certificates that failed the above authority check.¶
• If neither is present, a reference to the security session itself is stored. With (D)TLS, that is the connection itself or the session resumption information, if available. With OSCORE, that is the security context.¶

As part of the registration operation, that information is stored along with the registration resource.¶

The RD MUST accept all registrations whose registration resource is not already active, as long as they are made using a security layer supported by the RD.¶

Any operation on a registration resource, including registrations that lead to an existing registration resource, MUST be rejected by the RD unless all the stored information is found in the new request's credentials.¶

Note that, even though subject names are compared in this policy, they are never directly compared to endpoint names, and an endpoint cannot expect to "own" any particular endpoint name outside of an active registration -- even if a certificate says so. It is an accepted shortcoming of this approach that the endpoint has no indication of whether the RD remembers it by its subject name or public key; recognition by subject happens on a best-effort basis (given the RD may not recognize any authority). Clients MUST be prepared to pick a different endpoint name when rejected by the RD initially or after a change in their credentials; picking an endpoint name, as per Section 7.1.1, is an easy option for that.¶

For this policy to be usable without configuration, clients should not set a sector name in their registrations. An RD can set a default sector name for registrations accepted under this policy, which is especially useful in a segmented setup where different policies apply to different sectors. The configuration of such a behavior, as well as any other configuration applicable to such an RD (i.e., the set of recognized authorities), is out of scope for this document.¶

8.1. Discovery

Most steps in discovery of the RD, and possibly its resources, are not covered by CoAP's security mechanisms. This will not endanger the security properties of the registrations and lookup itself (where the client requires authorization of the RD if it expects any security properties of the operation) but may leak the client's intention to third parties and allow them to slow down the process.¶

To mitigate that, clients can retain the RD's address, use secure discovery options (such as configured addresses), and send queries for RDs in a very general form (e.g., ?rt=core.rd* rather than ?rt=core.rd-lookup-ep).¶

8.2. Endpoint Identification and Authentication

An endpoint (name, sector) pair is unique within the set of endpoints registered by the RD. An endpoint MUST NOT be identified by its protocol, port, or IP address, as these may change over the lifetime of an endpoint.¶

Every operation performed by an endpoint on an RD SHOULD be mutually authenticated using a pre-shared key, a raw public key, or certificate-based security.¶

Consider the following threat: two devices, A and B, are registered at a single server. Both devices have unique, per-device credentials for use with DTLS to make sure that only parties with authorization to access A or B can do so.¶

Now, imagine that a malicious device A wants to sabotage the device B. It uses its credentials during the DTLS exchange. Then, it specifies the endpoint name of device B as the name of its own endpoint in device A. If the server does not check whether the identifier provided in the DTLS handshake matches the identifier used at the CoAP layer, then it may be inclined to use the endpoint name for looking up what information to provision to the malicious device.¶

Endpoint authorization needs to be checked on registration and registration resource operations independently of whether there are configured requirements on the credentials for a given endpoint name and sector (Section 7.1) or whether arbitrary names are accepted (Section 7.1.1).¶

Simple registration could be used to circumvent address-based access control. An attacker would send a simple registration request with the victim's address as the source address and later look up the victim's /.well-known/core content in the RD. Mitigation for this is recommended in Section 5.1.¶

The registration resource path is visible to any client that is allowed endpoint lookup and can be extracted by resource lookup clients as well. The same goes for registration attributes that are shown as target attributes or lookup attributes. The RD needs to consider this in the choice of registration resource paths, as do administrators or endpoints in their choice of attributes.¶

8.3. Access Control

Access control SHOULD be performed separately for the RD registration and lookup API paths, as different endpoints may be authorized to register with an RD from those authorized to look up endpoints from the RD. Such access control SHOULD be performed in as fine-grained a level as possible. For example, access control for lookups could be performed either at the sector, endpoint, or resource level.¶

The precise access controls necessary (and the consequences of failure to enforce them) depend on the protection objectives of the application and the security policies (Section 7) derived from them.¶

8.4. Denial-of-Service Attacks

Services that run over UDP unprotected are vulnerable to unknowingly amplify and distribute a DoS attack, as UDP does not require a return routability check. Since RD lookup responses can be significantly larger than requests, RDs are prone to this.¶

[RFC7252] describes this at length in its Section 11.3, including some mitigation by using small block sizes in responses. [RFC9175] updates that by describing a source address verification mechanism using the Echo option.¶

8.5. Skipping Freshness Checks

When RD-based applications are built in which request freshness checks are not performed, these concerns need to be balanced:¶

• When alterations to registration attributes are reordered, an attacker may create any combination of attributes ever set, with the attack difficulty determined by the security layer's replay properties.¶

  For example, if Figure 18 were conducted without freshness assurances, an attacker could later reset the lifetime back to 7200. Thus, the device is made unreachable to lookup clients.¶

• When registration updates without query parameters (which just serve to restart the lifetime) can be reordered, an attacker can use intercepted messages to give the appearance of the device being alive to the RD.¶

  This is unacceptable when the RD's security policy promises reachability of endpoints (e.g., when disappearing devices would trigger further investigation) but may be acceptable with other policies.¶

9.1. Resource Types

IANA has added the following values to the "Resource Type (rt=) Link Target Attribute Values" subregistry of the "Constrained RESTful Environments (CoRE) Parameters" registry defined in [RFC6690]:¶

9.2. IPv6 ND Resource Directory Address Option

IANA has registered one new ND option type in the "IPv6 Neighbor Discovery Option Formats" subregistry of the "Internet Control Message Protocol version 6 (ICMPv6) Parameters" registry:¶

9.3. RD Parameters Registry

This specification defines a new subregistry for registration and lookup parameters called "RD Parameters" within the "Constrained RESTful Environments (CoRE) Parameters" registry. Although this specification defines a basic set of parameters, it is expected that other standards that make use of this interface will define new ones.¶

Each entry in the registry must include:¶

• the human-readable name of the parameter,¶
• the short name, as used in query parameters or target attributes,¶
• syntax and validity requirements (if any),¶
• indication of whether it can be passed as a query parameter at registration of endpoints, passed as a query parameter in lookups, or expressed as a target attribute,¶
• a description, and¶
• a link to reference documentation.¶

The query parameter MUST be both a valid URI query key [RFC3986] and a token as used in [RFC8288].¶

The reference documentation must give details on whether the parameter can be updated and how it is to be processed in lookups.¶

The mechanisms around new RD parameters should be designed in such a way that they tolerate RD implementations that are unaware of the parameter and expose any parameter passed at registration or updates in endpoint lookups. (For example, if a parameter used at registration were to be confidential, the registering endpoint should be instructed to only set that parameter if the RD advertises support for keeping it confidential at the discovery step.)¶

Initial entries in this subregistry are as follows:¶

Where:¶

Short:

Short name used in query parameters or target attributes¶

Validity:

Unicode* =

up to 63 bytes of UTF-8-encoded Unicode, with no control characters as per Section 5¶

Use:

R =

used at registration¶

L =

used at lookup¶

A =

expressed in the target attribute¶

The descriptions for the options defined in this document are only summarized here. To which registrations they apply and when they are to be shown are described in the respective sections of this document. All their reference documentation entries point to this document.¶

The IANA policy for future additions to the subregistry is Expert Review, as described in [RFC8126]. The evaluation should consider formal criteria, duplication of functionality (i.e., is the new entry redundant with an existing one?), topical suitability (e.g., is the described property actually a property of the endpoint and not a property of a particular resource, in which case it should go into the payload of the registration and need not be registered?), and the potential for conflict with commonly used target attributes (e.g., if could be used as a parameter for conditional registration if it were not to be used in lookup or attributes but would make a bad parameter for lookup because a resource lookup with an if query parameter could ambiguously filter by the registered endpoint property or the target attribute [RFC6690]).¶

9.4. Endpoint Type (et=) RD Parameter Values

This specification establishes a new subregistry called "Endpoint Type (et=) RD Parameter Values" within the "Constrained RESTful Environments (CoRE) Parameters" registry. The registry properties (required policy, requirements, and template) are identical to those of the "Resource Type (rt=) Link Target Attribute Values" subregistry defined in [RFC6690]; in short, the review policy is IETF Review for values starting with "core" and Specification Required for others.¶

The requirements to be enforced are:¶

• The values MUST be related to the purpose described in Section 9.3.1.¶
• The registered values MUST conform to the ABNF reg-rel-type definition of [RFC6690] and MUST NOT be a URI.¶
• It is recommended to use the period "." character for segmentation.¶

The initial contents of the registry are as follows:¶

9.5. Multicast Address Registration

IANA has assigned the following multicast addresses for use by CoAP nodes:¶

IPv4

-- "All CoRE Resource Directories" address 224.0.1.190, in the "Internetwork Control Block (224.0.1.0 - 224.0.1.255 (224.0.1/24))" subregistry within the "IPv4 Multicast Address Space Registry". As the address is used for discovery that may span beyond a single network, it has come from the Internetwork Control Block (224.0.1.x) [RFC5771].¶

IPv6

-- "All CoRE Resource Directories" address ff0x::fe, in the "Variable Scope Multicast Addresses" subregistry within the "IPv6 Multicast Address Space Registry" [RFC3307]. Note that there is a distinct multicast address for each scope that interested CoAP nodes should listen to; CoAP needs the link-local and site-local scopes only.¶

9.6. Well-Known URIs

IANA has registered the URI suffix "rd" in the "Well-Known URIs" registry as follows:¶

9.7. Service Name and Transport Protocol Port Number Registry

IANA has added four new items to the "Service Name and Transport Protocol Port Number Registry" as follows:¶

10.1. Lighting Installation

This example shows a simplified lighting installation that makes use of the RD with a CoAP interface to facilitate the installation and startup of the application code in the lights and sensors. In particular, the example leads to the definition of a group and the enabling of the corresponding multicast address, as described in Appendix A. No conclusions must be drawn on the realization of actual installation or naming procedures, because the example only emphasizes some of the issues that may influence the use of the RD and does not pretend to be normative.¶

Req: POST coap://[2001:db8:4::ff]/rd
  ?ep=lm_R2-4-015_wndw&base=coap://[2001:db8:4::1]&d=R2-4-015
Payload:
</light/left>;rt="tag:example.com,2020:light",
</light/middle>;rt="tag:example.com,2020:light",
</light/right>;rt="tag:example.com,2020:light"

Res: 2.01 Created
Location-Path: /rd/4521

Req: POST coap://[2001:db8:4::ff]/rd
  ?ep=lm_R2-4-015_door&base=coap://[2001:db8:4::2]&d=R2-4-015
Payload:
</light/left>;rt="tag:example.com,2020:light",
</light/middle>;rt="tag:example.com,2020:light",
</light/right>;rt="tag:example.com,2020:light"

Res: 2.01 Created
Location-Path: /rd/4522

Req: POST coap://[2001:db8:4::ff]/rd
  ?ep=ps_R2-4-015_door&base=coap://[2001:db8:4::3]&d=R2-4-015
Payload:
</ps>;rt="tag:example.com,2020:p-sensor"

Res: 2.01 Created
Location-Path: /rd/4523

Req: POST coap://[2001:db8:4::ff]/rd
  ?ep=grp_R2-4-015&et=core.rd-group&base=coap://[ff05::1]
Payload:
</light/left>;rt="tag:example.com,2020:light",
</light/middle>;rt="tag:example.com,2020:light",
</light/right>;rt="tag:example.com,2020:light"

Res: 2.01 Created
Location-Path: /rd/501

Req: GET coap://[2001:db8:4::ff]/rd-lookup/ep
  ?d=R2-4-015&et=core.rd-group&rt=light

Res: 2.05 Content
Payload:
</rd/501>;ep=grp_R2-4-015;et=core.rd-group;
          base="coap://[ff05::1]";rt=core.rd-ep

10.2. OMA Lightweight M2M (LwM2M)

OMA LwM2M is a profile for device services based on CoAP, providing interfaces and operations for device management and device service enablement.¶

An LwM2M server is an instance of an LwM2M middleware service layer, containing an RD ([LwM2M], starting at page 36).¶

That RD only implements the registration interface, and no lookup is implemented. Instead, the LwM2M server provides access to the registered resources in a similar way to a reverse proxy.¶

The location of the LwM2M server and RD URI path is provided by the LwM2M bootstrap process, so no dynamic discovery of the RD is used. LwM2M servers and endpoints are not required to implement the /.well-known/core resource.¶

B.1. A Simple Example

Let's start this example with a very simple host, 2001:db8:f0::1. A client that follows classical CoAP discovery ([RFC7252], Section 7) sends the following multicast request to learn about neighbors supporting resources with resource-type "temperature".¶

The client sends a link-local multicast:¶

Req: GET coap://[ff02::fd]:5683/.well-known/core?rt=temperature

Res: 2.05 Content
Payload:
</sensors/temp>;rt=temperature;ct=0

where the response is sent by the server, [2001:db8:f0::1]:5683.¶

While a practical client side implementation might just go ahead and create a new request to [2001:db8:f0::1]:5683 with Uri-Path sensors and temp, the full resolution steps for insertion into and retrieval from the RD without any shortcuts are as follows.¶

B.2. A Slightly More Complex Example

Omitting the rt=temperature filter, the discovery query would have given some more links in the payload:¶

Req: GET coap://[ff02::fd]:5683/.well-known/core

Res: 2.05 Content
Payload:
</sensors/temp>;rt=temperature;ct=0,
</sensors/light>;rt=light-lux;ct=0,
</t>;anchor="/sensors/temp";rel=alternate,
<http://www.example.com/sensors/t123>;anchor="/sensors/temp";
    rel=describedby

Parsing the third link, the client encounters the "anchor" parameter. It is a URI relative to the base URI of the request and is thus resolved to coap://[2001:db8:f0::1]/sensors/temp. That is the context resource of the link, so the "rel" statement is not about the target and the base URI any more but about the target and the resolved URI. Thus, the third link could be read as:¶

coap://[2001:db8:f0::1]/sensors/temp has an alternate representation at coap://[2001:db8:f0::1]/t.¶

Following the same resolution steps, the fourth link can be read as coap://[2001:db8:f0::1]/sensors/temp is described by http://www.example.com/sensors/t123.¶

B.3. Enter the Resource Directory

The RD tries to carry the semantics obtainable by classical CoAP discovery over to the resource lookup interface as faithfully as possible.¶

For the following queries, we will assume that the simple host has used simple registration to register at the RD that was announced to it, sending this request from its UDP port [2001:db8:f0::1]:6553:¶

Req: POST coap://[2001:db8:f0::ff]/.well-known/rd?ep=simple-host1

Res: 2.04 Changed

The RD would have accepted the registration and queried the simple host's /.well-known/core by itself. As a result, the host is registered as an endpoint in the RD with the name "simple-host1". The registration is active for 90000 seconds, and the endpoint registration base URI is coap://[2001:db8:f0::1], following the resolution steps described in Appendix B.1.1. It should be remarked that the base URI constructed that way always yields a URI of the form scheme://authority without path suffix.¶

If the client now queries the RD as it would previously have issued a multicast request, it would go through the RD discovery steps by fetching coap://[2001:db8:f0::ff]/.well-known/core?rt=core.rd-lookup-res, obtain coap://[2001:db8:f0::ff]/rd-lookup/res as the resource lookup endpoint, and ask it for all temperature resources:¶

Req: GET coap://[2001:db8:f0::ff]/rd-lookup/res?rt=temperature

Res: 2.05 Content
Payload:
<coap://[2001:db8:f0::1]/sensors/temp>;rt=temperature;ct=0

This is not literally the same response that it would have received from a multicast request, but it contains the equivalent statement:¶

coap://[2001:db8:f0::1] is hosting the resource coap://[2001:db8:f0::1]/sensors/temp, which is of the resource type "temperature" and can be accessed using the text/plain content format.¶

To complete the examples, the client could also query all resources hosted at the endpoint with the known endpoint name "simple-host1":¶

Req: GET coap://[2001:db8:f0::ff]/rd-lookup/res?ep=simple-host1

Res: 2.05 Content
Payload:
<coap://[2001:db8:f0::1]/sensors/temp>;rt=temperature;ct=0,
<coap://[2001:db8:f0::1]/sensors/light>;rt=light-lux;ct=0,
<coap://[2001:db8:f0::1]/t>;
    anchor="coap://[2001:db8:f0::1]/sensors/temp";rel=alternate,
<http://www.example.com/sensors/t123>;
    anchor="coap://[2001:db8:f0::1]/sensors/temp";rel=describedby

All the target and anchor references are already in absolute form there, which don't need to be resolved any further.¶

Had the simple host done an equivalent full registration with a base= parameter (e.g., ?ep=simple-host1&base=coap+tcp://sh1.example.com), that context would have been used to resolve the relative anchor values instead, giving the following and analogous links:¶

<coap+tcp://sh1.example.com/sensors/temp>;rt=temperature;ct=0

B.4. A Note on Differences between Link-Format and Link Header Fields

While link-format and Link header fields look very similar and are based on the same model of typed links, there are some differences between [RFC6690] and [RFC8288]. When implementing an RD or interacting with an RD, care must be taken to follow the behavior described in [RFC6690] whenever application/link-format representations are used.¶

• "Default value of anchor": Under both [RFC6690] and [RFC8288], relative references in the term inside the angle brackets (the target) and the anchor attribute are resolved against the relevant base URI (which usually is the URI used to retrieve the entity) and independent of each other.¶

  When, in a Link header [RFC8288], the anchor attribute is absent, the link's context is the URI of the selected representation (and usually equal to the base URI).¶

  In links per [RFC6690], if the anchor attribute is absent, the default value is the Origin of (for all relevant cases, the URI reference / resolved against) the link's target.¶

• There is no percent encoding in link-format documents.¶

  A link-format document is a UTF-8-encoded string of Unicode characters and does not have percent encoding, while Link header fields are practically ASCII strings that use percent encoding for non-ASCII characters, stating the encoding explicitly when required.¶

  For example, while a Link header field in a page about a Swedish city might read:¶

  Link: </temperature/Malm%C3%B6>;rel=live-environment-data
  

  ¶

  a link-format document from the same source might describe the link as:¶

  </temperature/Malmö>;rel=live-environment-data
  

  ¶