I'm not sure if this will be the right way.
Doesn't it depend on the use-case?
There are users who intentionally don't use the "replay protection", because they use e.g. SMS and with that it's very hard. If their application doesn't suffer from replay, why should it be required?
And just to say, if the application requires even more protection, e.g. against a time-shift attack (e.g. delaying the "open the door" request by 5 minutes, so that the authorized person gives up and the attacker takes the open door), then this doesn't help.
I would put more emphasis on the possibility and use-cases than on making it mandatory.
It does depend on the use case, and going all replay-protect may be overkill. In particular, the path of replay protection was not taken in RD eventually, and more explicit request freshness terminology was introduced instead (in core-wg/resource-directory#291) that makes DTLS replay protection optional again.
The very least thing that would resolve the misalignment issue of people being surprised by the replay protection being optional would be to point out explicitly in the clarifications that it is optional, and outline consequences and mitigation.
cabo transferred this issue from core-wg/corrclar-old on Jul 22, 2023
Many CoAP users are unaware of DTLS not mandating replay protection.
We may want to consider requiring it for CoAP at the next possible point. (RD is about to do so on its own, as it came up there).
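An added illustration of the two points raised in this thread (not code from the issue or from any CoAP or DTLS implementation): a sliding-window duplicate check in the style of RFC 6347 section 4.1.2.6 drops a re-sent record but accepts one that was only delayed, so request freshness needs its own check. The record list, the `max_age` check on a server-issued challenge time, and all names are assumptions constructed for the example.

```python
WINDOW_SIZE = 64  # RFC 6347 section 4.1.2.6 prefers 64 as the default window

class ReplayWindow:
    """Sliding-window duplicate detection in the style of RFC 6347, 4.1.2.6.
    A real stack updates the window only after the record's MAC has verified."""

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.top = -1     # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was seen

    def accept(self, seq):
        if not self.enabled:              # detection off: every record passes
            return True
        if seq > self.top:                # new highest: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= WINDOW_SIZE or self.bitmap & (1 << offset):
            return False                  # too old, or a duplicate
        self.bitmap |= 1 << offset        # late but first-seen: accept
        return True

# Constructed records: (arrival_s, dtls_seq, challenge_issued_s, payload)
RECORDS = [
    (0.5,   0, 0.0, "status"),
    (1.5,   1, 1.0, "open door"),
    (2.5,   1, 1.0, "open door"),   # duplicate of seq 1
    (302.0, 2, 2.0, "open door"),   # first delivery, held back 5 minutes
]

def accepted_arrivals(replay_detection, max_age=None):
    """Return arrival times of the records the receiver acts on."""
    win = ReplayWindow(enabled=replay_detection)
    out = []
    for arrival, seq, issued, _payload in RECORDS:
        in_window = win.accept(seq)
        # Hypothetical freshness rule: age of the echoed challenge at arrival.
        fresh = max_age is None or arrival - issued <= max_age
        if in_window and fresh:
            out.append(arrival)
    return out

if __name__ == "__main__":
    print(accepted_arrivals(True))              # duplicate dropped, delayed kept
    print(accepted_arrivals(False))             # everything accepted
    print(accepted_arrivals(True, max_age=10))  # delayed record dropped too
```

With replay detection on and no freshness check, the record that arrives at 302.0 s is still accepted, which is the time-shift case described in the comment above.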