A Survey on Application Layer Protocols for the Internet of Things

It has been more than ﬁfteen years since the term Internet of Things (IoT) was introduced to the public. However, despite the eﬀorts of research groups and innovative corporations, still today it is not possible to say that IoT is upon us. This is mainly due to the fact that a uniﬁed IoT architecture has not been yet clearly deﬁned and there is no common agreement in deﬁning protocols and standards for all IoT parts. The framework that current IoT platforms use consists mostly in technologies that partially fulﬁll some of the IoT requirements. While developers employ existing technologies to build the IoT, research groups are working on adapting protocols to the IoT in order to optimize communications. In this paper, we present and compare existing IoT application layer protocols as well as protocols that are utilized to connect the things but also end-user applications to the Internet. We highlight IETFs CoAP, IBMs MQTT, HTML 5s Web socket among others, and we argue their suitability for the IoT by considering reliability, security, and energy consumption aspects. Finally, we provide our conclusions for the IoT application layer communications based on the study that we have conducted.


Introduction
The IoT envisions hundreds or thousands of end-devices with sensing, actuating, processing, and communication capabilities able to be connected to the Internet [1].These devices can be directly connected using cellular technologies such as 2G/3G/Long Term Evolution and beyond (5G) or they can be connected through a gateway, forming a local area network, to get connection to the Internet.The latter is the case where the end-devices usually form Machine to Machine (M2M) networks using various radio technologies, such as Zigbee (based on the IEEE 802.15.4 Standard), Wi-Fi (based on the IEEE 802.11Standard), 6LowPAN over Zigbee (IPv6 over Low Power Personal Area Networks), or Bluetooth (based on the IEEE 802.15.1).
Regardless the specific wireless technology used to deploy the M2M network, all the end-devices should make their data available to the Internet [2].This can be achieved either by sending the information to a proprietary web server accessible from the Internet or by employing the cloud.Online platforms such as ThingSpeak.com or Open.Sen.se,among any other alternatives, are virtual clouds able to receive, store, and process data.Besides acting as remote data bases, M2M clouds also offer the following key services: 1.They offer Application Programming Interfaces (API) with built-in functions for end-users, thus providing the option to monitor and control end-devices remotely from a client device.
2. They act as asynchronous intermediate nodes between the end-devices and final applications running on devices such as smart phones, tablets or desktops.
Our paper focuses on the protocols that handle the communication between the gateways, the public Internet, and the final applications (Figure 1).They are application layer protocols that are used to update online servers with the latest end-device values but also to carry commands from applications to the end-device actuators.
The rest of the paper is organized as follows.Section 2 describes our research motivation whereas each of the other sections is dedicated to a specific application layer protocol.At the first part of each section we introduce each application layer protocol, we present its usage, we discuss the reliability and security features it offers and we then compare its suitability for the IoT with other application layer protocols.Finally, in Section 9, we present overall conclusions based on the previous sections and we provide further research areas.

Research motivation
The IoT is a term used for a huge wave of innovation originated in industries, but currently heading to urban centers, in-home environments, and individuals.

Figure 1. IoT architecture
Our main motivation was to create an IoT test-bed where to test communications protocols and also innovative applications that could be applied to a gamut of scenarios.While searching for the appropriate application layer protocols to use, we found out that while comparisons can be found between two protocols, there is no paper overviewing all the possible alternatives with pros and cons.
The main motivation of this paper is to fill this gap and provide a brief yet accurate description of the key protocols that are being used today to implement the IoT.More specifically, we will discuss on the following list of protocols being used alternatively or jointly to solve different needs of the communication between machines: 1) CoAP: Constrained Application Protocol.

CoAP
The Constrained Application Protocol (CoAP) is a synchronous request/response applicationlayer protocol that was designed by the Internet Engineering Task Force (IETF) to target constrained-recourse devices.It was designed by using a subset of the HTTP methods making it interoperable with HTTP [3].
CoAP runs over UDP to keep the overall implementation lightweight.It uses the HTTP commands GET, POST, PUT, and DELETE to provide resource-oriented interactions in a client-server architecture.CoAP is a request/response protocol that utilizes both synchronous and asynchronous responses.The reason for designing a UDP-based application layer protocol to manage the resources is to remove the TCP overhead and reduce bandwidth requirements [4].Additionally, CoAP supports unicast as well as multicast, as opposed to TCP, which is by its nature not multicast-oriented.
Running on the unreliable UDP, CoAP integrated its own mechanisms for achieving reliability.Two bits in the header of each packet state the type of message and the required Quality of Service (QoS) level.There are 4 message types: 1. Confirmable: A request message that requires an acknowledgement (ACK).The response can be sent either synchronously (within the ACK) or if it needs more computational time, it can be sent asynchronously with a separate message.

Non-Confirmable:
A message that does not need to be acknowledged.

Acknowledgment:
It confirms the reception of a confirmable message.

Reset:
It confirms the reception of a message that could not be processed.
There is also a simple Stop-and-Wait retransmission mechanism for confirmable messages and a 16-bit header field in each CoAP packet called Message ID which is unique and used for detecting duplicates.
CoAPCHTTP Mapping enables CoAP clients to access resources on HTTP servers through a reverse proxy that translates the HTTP Status codes to the Response codes of CoAP [5].
Even though CoAP was created for the IoT and for M2M communications, it does not include any built-in security features.The protocol that is proposed to secure CoAP transactions is the Datagram Transport Layer Security (DTLS).DTLS runs on top of UDP and is the analogous of TLS for the TCP.It provides authentication, data integrity, confidentiality, automatic key management, and cryptographic algorithms [6].Even though DTLS secures UDP transfers, it was not designed for the IoT, thus its suitability can be argued.To begin with, DTLS does not support multicast [6], which is a prime advantage of CoAP compared to other application layer protocols.DTLS handshakes [7] require additional packets that increase the network traffic, occupy additional computational resources, and shorten the lifespan of mobile devices that run on batteries, an essential part of the IoT.Being designed for the IoT, CoAP is HTTP-compatible, but CoAP over DTLS might create additional confusion to the HTTP servers due to its diverse packet structure.Other protocols for securing CoAP can be found in the literature including approaches that are still being under research [6]- [7].

MQTT
Message Queue Telemetry Transport (MQTT) was released by IBM and targets lightweight M2M communications.It is an asynchronous publish/subscribe protocol that runs on top of the TCP stack.Publish/subscribe protocols meet better the IoT requirements than request/response since clients do not have to request updates thus, the network bandwidth is decreasing and the need for using computational resources is dropping.
In MQTT there is a broker (server) [8] that contains topics.Each client can be a publisher that sends information to the broker at a specific topic or/and a subscriber that receives automatic messages every time there is a new update in a topic he is subscribed.The MQTT protocol is designed to use bandwidth and battery usage sparingly, which is why, for example, it is currently used by Facebook Messenger [9].
MQTT ensures reliability by providing the option of three QoS levels: 1. Fire and forget: A message is sent once and no acknowledgement is required.

Delivered at least once:
A message is sent at least once and an acknowledgement is required.

Delivered exactly once:
A four-way handshake mechanism is used to ensure the message is delivered exactly one time.
Even though MQTT runs on TCP, it is designed to have low overhead compared to other TCP-based application layer protocols [10].Moreover, the publish/subscribe architecture that it used, is more suitable for the IoT than request/response of CoAP, for example, because messages do need to be responded.This means lower network bandwidth and less message processing that actually extends the lifetime of battery-run devices.
To ensure security, MQTT brokers may require username/password authentication which is handled by TLS/SSL (Secure Sockets Layer), i.e., the same security protocols that ensure privacy for HTTP transactions all over the Internet.
By comparing MQTT with the aforementioned CoAP, it is possible to see that the UDP-based CoAP has lower overhead than the TCP-based MQTT.However, due to the lack of TCPs retransmission mechanisms, packet loss is more likely to happen when using CoAP.According to a recent research study [10], MQTT experiences lower delays that CoAP for low packet losses, but CoAP generates less extra traffic for ensuring reliability.However, results can vary depending on the network conditions.Additionally packet loss and delays depend on the QoS of the messages.In both protocols, packet loss degrades and delays increase when the QoS level is higher.

XMPP
The Extensible Messaging and Presence Protocol (XMPP) was designed for chatting and message exchanging.It was standardized by the IETF over a decade ago, thus being a well-proven protocol that has been used widely all over the Internet.However, being an old protocol, it falls short to provide the required services for some of the new arising data applications.For this reason, last year, Google stopped supporting the XMPP standard due to the lack of worldwide support [11].However, lately XMPP has re-gained a lot of attention as a communication protocol suitable for the IoT.
XMPP runs over TCP and provides publish/subscribe (asynchronous) and also request/response (synchronous) messaging systems.It is designed for near real-time communications and thus, it supports small message footprint and low latency message exchange [12].As the name explicitly states, XMPP is extensible and allows the specification of XMPP Extension Protocols (XEP) that increase its functionality.
XMPP has TLS/SSL security built in the core of the specification.However, it does not provide QoS options that make it impractical for M2M communications.Only the inherited mechanisms of TCP ensure reliability.
XMPP supports the publish/subscribe architecture that is more suitable for the IoT in contrast to CoAPs request/response approach.Furthermore, it is an already established protocol that is supported all over the Internet as a plus with regard to the relatively new MQTT [13].However, XMPP uses XML messages (eXtensible Markup Language) that create additional overhead due to unnecessary tags and require XML parsing that needs additional computational ability which increases power consumption.

RESTFUL SERVICES
The Representational State Transfer (REST) is not really a protocol but an architectural style.It was first introduced by Roy Fielding in 2000 [14], and it is being widely used ever since.
REST uses the HTTP methods GET, POST, PUT, and DELETE to provide a resource-oriented messaging system where all actions can be performed simply by using the synchronous request/response HTTP commands.It uses the built-in accept header of HTTP to indicate the format of the data that it contains.The content type can be XML or JSON (JavaScript Object Notation) and depends on the HTTP server and its configuration.REST is already an important part of the IoT because it is supported by all the commercial M2M cloud platforms.Moreover it can be implemented in smartphone and tablet applications easily because it only requires an HTTP library which is available for all the Operative Systems (OS) distributions.The features of HTTP can be completely utilized in the REST architecture including cashing, authentication, and content type negotiation [15].RESTful services use the secure and reliable HTTP which is the proven worldwide Internet language.It can make use of TLS/SSL for security.However, today most commercial M2M platforms do not support HTTPS requests.Instead, they provide unique authentication keys that need to be in the header of each request to achieve some level of security.
Even though REST is already used widely in commercial M2M platforms, it is unlikely that it will become a dominant protocol due to not being easily implementable.It uses HTTP which means no compatibility with constrained-communication devices.This leaves its use for final applications.
Given the current tendency for applications running on smartphones, tablets and pads, the additional overhead associated to request/response protocols affect battery usage, as it also does the continuous polling or long polling for values especially when there are no new updates and the overhead becomes useless.Issues that can be avoided if a publish/subscribe protocol is used such as MQTT or XMPP.CoAP on the other hand, which is the lightweight version of REST, bears the same disadvantages of the request/response architecture.However it is designed to run over UDP making it capable of being used by constrained resource devices, counter to REST.

AMQP
The Advanced Message Queuing Protocol (AMQP) is a protocol that arose from the financial industry.It can utilize different transport protocols but it assumes an underlying reliable transport protocol such as TCP [16].
AMQP provides asynchronous publish/subscribe communication with messaging.Its main advantage is its store-and-forward feature that ensures reliability even after network disruptions [17].It ensures reliability with the following message-delivery guarantees [16]: 1.At most once: means that a message is sent once either if it is delivered or not.

At least once:
means that a message will be definitely delivered one time, possibly more.
3. Exactly once: means that a message will be delivered only one time.
Security is handled with the use of the TLS/SSL protocols over TCP.
Recent research has shown that AMQP has low success rate at low bandwidths, but it increases as bandwidth increases [17].Another study shows that comparing AMQP with the aforementioned REST, AMQP can send a larger amount of messages per second [18].Additionally, it has been reported that an AMQP environment with 2,000 users spread across five continents can process 300 million messages per day [18].Furthermore, JPMorgan which is an American banking and financial services company uses AMQP to send 1 billion messages per day [19].

WEBSOCKET
The Websocket protocol was developed as part of the HTML 5 initiative to facilitate communications channels over TCP.Websocket is neither a request/response nor a publish/subscribe protocol.In Websocket a client initializes a handshake with a server to establish a Websocket session.The handshake itself is similar to HTTP so that web servers can handle Websocket sessions as well as HTTP connections through the same port [20].However, what comes after the handshake does not conform to the HTTP rules.In fact, during a session, the HTTP headers are removed and clients and servers can exchange messages in an asynchronous full-duplex connection.The session can be terminated when it is no longer needed from either the server or the client side.Websocket was created to reduce the Internet communication overhead while providing real-time full-duplex communications.There is also a Websocket sub-protocol called Websocket Application Messaging Protocol (WAMP) that provides publish/subscribe messaging systems.
Websocket runs over the reliable TCP and implements no reliability mechanisms by its own.If needed, the sessions can be secured using the Websocket over TLS/SSL.
During the session, Websocket messages have only 2 bytes of overhead.As reported by relevant studies [21], the HTTP polling (in REST) repeats header information when the data transmission rate increases, thus increasing latency.Websocket is estimated to provide a three-to-one reduction in latency against the half-duplex HTTP polling.Websocket is not designed for resource constrained devices as the previous protocols and its client/server based architecture does not suit IoT applications.However it is designed for real-time communication, it is secure, it minimizes overhead and with the use of WAMP it can provide efficient messaging systems.Thus, it can compete any other protocol running over TCP.

Conclusions & future work
In this paper, we have presented a common IoT architecture by describing the parts where application layer protocols are needed to handle communication.We have presented the most representative application layer protocols that have gained attention for IoT while providing a comparison among each other and argue about their suitability for the future of the IoT.Among them, we have identified IETFs CoAP as the only one that runs over UDP, thus making it the most lightweight, followed by HTML 5s Websocket that significantly reduces the communications overhead.The computational and communication ability of the devices involved must also be taken into consideration when choosing the most appropriate protocol.If constrained communication and battery consumption is not an issue, RESTful services can be easily implemented and interact with the Internet using the worldwide HTTP.This can be proved very useful in testbeds as it can work as proof of concept for final applications.On the contrary, MQTT which is used by Facebook Messenger is not as widely used as HTTP but has proved to be more efficient for battery-run devices.Additionally if the targeted final applications require massive updates of the same value, publish/subscribe protocols are more suitable.To sum up, there are several factors that influence the selection of an application layer protocol the most important of which are the computational and communication ability of the devices, battery consumption and final application in mind.For this reason opinions differ.An overview of major differences among the aforementioned protocols can be found below (Table 1).
Having seen this paper purely qualitatively, future work will be aimed at implementing all these protocols and obtain an experimental and quantifiable comparison among them.Moreover, we plan to explore the possibility of creating a server that supports multiple application layer protocols and dynamically chooses the most appropriate according to the networks conditions.Such an innovative approach not designed so far, would optimize the overall performance of the IoT in various application scenarios.

Table 1 :
Major differences among protocols