IoT device with CoAP and NAT Traversal

Tags: tcp, nat, iot, coap

Context: Each customer can have 100-1000 IoT devices behind NAT. We have multiple customers. The aim is to manage these devices from outside. The devices use the CoAP protocol, which uses UDP by default.

There are a few constraints.

  • It is not possible to activate Port-Forwarding.
  • It is not possible to open a VPN connection.
  • Any changes in local network of IoT devices are not possible.

Problem: We'd like to be able to open a connection to a device from outside at any time. But there is the NAT, which prevents it.

Options: As I understand it, the device has to open the initial request in order to communicate.

Which of the following options is the best one regarding scalability and efficiency?

  1. Each node sends UDP pings in order to keep the NAT mapping open.
  2. Each node uses TCP and sends keepalives to keep the NAT connection open.
  3. Each node communicates over UDP with a local proxy behind the NAT. The proxy maps CoAP to HTTP. The proxy establishes a TCP connection to the server and sends keepalives in order to keep the NAT connection open.
  4. Same as option 3, but the local proxy uses WebSocket instead of plain TCP.

Thank you very much

Sukar Lofer asked Nov 07 '22 15:11


1 Answer

The official LWM2M answer to this is queuing mode; see slide 30 of https://www.slideshare.net/OpenMobileAlliance/oma-lwm2m-tutorial-by-arm-to-ietf-ace or slide 19 of https://mbed-media.mbed.com/filer_public/c1/c3/c1c35bec-5f0e-4a28-a422-115248c9a181/armmbed-lwm2m-webinar.pdf for more information. So the proposed solution is not listed under 1. to 4. above, but uses the LWM2M protocol to send a "ping" in the form of a registration update.

From a security viewpoint, if you deploy to the public internet, I would suggest:

a) You MUST use DTLS.

b) You should support device firmware update and be able to deploy new firmware with patches very fast.

Personal view: LWM2M is broken by design by starting with the (wrong) idea that IoT devices are servers.

Stefan Vaillant answered Dec 07 '22 16:12
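The trade-off behind options 1 and 2 in the question (the device's keepalive interval has to stay below the NAT's idle timeout or inbound packets are silently dropped) and the queue-mode "ping" described in the answer can be made concrete with a small simulation. The following is an added example, not code from the question, the answer, or any LwM2M implementation. Everything in it is a constructed assumption: simulated integer time, a NAT idle timeout of 30 s, one device at a made-up private endpoint, management requests issued at t = 20, 65 and 110, and a simplified queue mode in which the server holds requests for an unreachable device and flushes them when the next registration update arrives.

```python
"""Simplified simulation of UDP NAT idle timeouts versus keepalive interval
and LwM2M-style queue mode.  Constructed example: simulated integer time,
one device behind a stateful NAT, one management server on the public side.
"""
from dataclasses import dataclass, field

NAT_IDLE_TIMEOUT = 30  # seconds; constructed value, real NATs vary widely


@dataclass
class Nat:
    """Stateful UDP NAT: a mapping exists only while the device keeps sending."""
    idle_timeout: int = NAT_IDLE_TIMEOUT
    # public_port -> (private endpoint, time of last outbound packet)
    mappings: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, private_ep, now):
        """Device sends a packet out: create or refresh its mapping."""
        for port, (ep, _) in self.mappings.items():
            if ep == private_ep:
                self.mappings[port] = (ep, now)
                return port
        port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[port] = (private_ep, now)
        return port

    def inbound(self, public_port, now):
        """Server sends a packet in: forwarded only if the mapping is still alive."""
        entry = self.mappings.get(public_port)
        if entry is None:
            return None
        ep, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self.mappings[public_port]  # binding expired; packet is dropped
            return None
        return ep


@dataclass
class Server:
    nat: Nat
    ports: dict = field(default_factory=dict)      # device_id -> public port
    queued: dict = field(default_factory=dict)     # device_id -> [issued_at, ...]
    delivered: list = field(default_factory=list)  # (issued_at, delivered_at)
    dropped: int = 0

    def on_registration_update(self, device_id, public_port, now):
        """The device's periodic 'ping'; in queue mode it also flushes pending requests."""
        self.ports[device_id] = public_port
        for issued_at in self.queued.pop(device_id, []):
            self._send(device_id, issued_at, now)

    def request(self, device_id, now, queue_mode):
        """Operator wants to reach the device: send now, or hold until its next update."""
        if queue_mode:
            self.queued.setdefault(device_id, []).append(now)
        else:
            self._send(device_id, now, now)

    def _send(self, device_id, issued_at, now):
        port = self.ports.get(device_id)
        if port is not None and self.nat.inbound(port, now) is not None:
            self.delivered.append((issued_at, now))
        else:
            self.dropped += 1


def simulate(update_interval, queue_mode, horizon=120):
    """Return (delivered, dropped, worst-case latency in s) for one device.

    The device sends a registration update every `update_interval` seconds;
    the operator issues a management request at t = 20, 65 and 110 (constructed).
    """
    nat, dev_id, dev_ep = Nat(), "dev-1", ("10.0.0.7", 5683)  # hypothetical device
    server = Server(nat)
    for now in range(horizon + 1):
        if now % update_interval == 0:
            server.on_registration_update(dev_id, nat.outbound(dev_ep, now), now)
        if now in (20, 65, 110):
            server.request(dev_id, now, queue_mode)
    worst = max((d - i for i, d in server.delivered), default=0)
    return len(server.delivered), server.dropped, worst


if __name__ == "__main__":
    print("keepalive 10s, no queue :", simulate(10, False))  # every request gets through
    print("keepalive 60s, no queue :", simulate(60, False))  # one request lost: binding expired
    print("keepalive 60s, queue    :", simulate(60, True))   # nothing lost, latency up to 60s
```

The three runs show the design space the question is asking about: a keepalive shorter than the NAT timeout keeps the device reachable at any moment but costs one datagram per device per interval, a sparse keepalive without queuing loses requests whenever the binding has already expired, and queue mode with a sparse update interval loses nothing but turns "reach the device at any time" into "reach the device at its next update". In a real deployment the idle timeout is set by each customer's router and is not known in advance, so the interval either has to be measured per site or chosen conservatively.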