Transaction on IoT and Cloud Computing 2015
A Survey on Application Layer Protocols for the
Internet of Things
Vasileios Karagiannis1, Periklis Chatzimisios1, Francisco Vazquez-Gallego2, Jesus Alonso-Zarate2
1CSSN Research Lab, Department of Informatics, Alexander TEI of Thessaloniki, Greece
basilkaragiannis@ gmail.com, firstname.lastname@example.org
2Centre Tecnologic de Telecomunicacions de Catalunya (CTTC), Spain
It has been more than ﬁfteen years since the term Internet of Things (IoT) was in-
troduced to the public. However, despite the eﬀorts of research groups and innovative
corporations, still today it is not possible to say that IoT is upon us. This is mainly due
to the fact that a uniﬁed IoT architecture has not been yet clearly deﬁned and there is
no common agreement in deﬁning protocols and standards for all IoT parts. The frame-
work that current IoT platforms use consists mostly in technologies that partially fulﬁll
some of the IoT requirements. While developers employ existing technologies to build the
IoT, research groups are working on adapting protocols to the IoT in order to optimize
communications. In this paper, we present and compare existing IoT application layer
protocols as well as protocols that are utilized to connect the things but also end-user
applications to the Internet. We highlight IETFs CoAP, IBMs MQTT, HTML 5s Web
socket among others, and we argue their suitability for the IoT by considering reliability,
security, and energy consumption aspects. Finally, we provide our conclusions for the IoT
application layer communications based on the study that we have conducted.
Keywords:Internet of Things (IoT), Application Layer Protocols, Request/Response,
The IoT envisions hundreds or thousands of end-devices with sensing, actuating, pro-
cessing, and communication capabilities able to be connected to the Internet . These
devices can be directly connected using cellular technologies such as 2G/3G/Long Ter-
m Evolution and beyond (5G) or they can be connected through a gateway, forming
a local area network, to get connection to the Internet. The latter is the case where
the end-devices usually form Machine to Machine (M2M) networks using various radio
technologies, such as Zigbee (based on the IEEE 802.15.4 Standard), Wi-Fi (based on
the IEEE 802.11 Standard), 6LowPAN over Zigbee (IPv6 over Low Power Personal Area
ISSN: 2331-4753 (Print)
ISSN: 2331-4761 (Online)
Networks), or Bluetooth (based on the IEEE 802.15.1).
Regardless the speciﬁc wireless technology used to deploy the M2M network, all the
end-devices should make their data available to the Internet . This can be achieved
either by sending the information to a proprietary web server accessible from the Internet
or by employing the cloud. Onlineplatforms such as ThingSpeak.com or Open.Sen.se,
among any other alternatives, are virtual clouds able to receive, store, and process data.
Besides acting as remote data bases, M2M clouds also oﬀer the following key services:
1. They oﬀer Application Programming Interfaces (API) with built-in functions for
end-users, thus providing the option to monitor and control end-devices remotely
2. They act as asynchronous intermediate nodes between the end-devices and ﬁnal
applications running on devices such as smart phones, tablets or desktops.
Our paper focuses on the protocols that handle the communication between the gateways,
the public Internet, and the ﬁnal applications (Figure 1). They are application layer
protocols that are used to update online servers with the latest end-device values but also
to carry commands from applications to the end-device actuators.
The rest of the paper is organized as follows. Section 2 describes our research motiva-
tion whereas each of the other sections is dedicated to a speciﬁc application layer protocol.
At the ﬁrst part of each section we introduce each application layer protocol, we present
its usage, we discuss the reliability and security features it oﬀers and we then compare
its suitability for the IoT with other application layer protocols. Finally, in Section 9, we
present overall conclusions based on the previous sections and we provide further research
2 Research motivation
The IoT is a term used for a huge wave of innovation originated in industries, but
currently heading to urban centers, in-home environments, and individuals.
Figure 1. IoT architecture
Our main motivation was to create an IoT test-bed where to test communications
protocols and also innovative applications that could be applied to a gamut of scenarios.
While searching for the appropriate application layer protocols to use, we found out that
while comparisons can be found between two protocols, there is no paper overviewing all
the possible alternatives with pros and cons.
The main motivation of this paper is to ﬁll this gap and provide a brief yet accurate
description of the key protocols that are being used today to implement the IoT. More
speciﬁcally, we will discuss on the following list of protocols being used alternatively or
jointly to solve diﬀerent needs of the communication between machines:
1) CoAP: Constrained Application Protocol.
2) MQTT: Message Queue Telemetry Transport.
3) XMPP: Extensible Messaging and Presence Protocol.
4) RESTFUL Services: Representational State Transfer.
5) AMQP: Advanced Message Queuing Protocol
The Constrained Application Protocol (CoAP) is a synchronous request/response application-
layer protocol that was designed by the Internet Engineering Task Force (IETF) to target
constrained-recourse devices. It was designed by using a subset of the HTTP methods
making it interoperable with HTTP .
CoAP runs over UDP to keep the overall implementation lightweight. It uses the
HTTP commands GET, POST, PUT, and DELETE to provide resource-oriented inter-
actions in a client-server architecture. CoAP is a request/response protocol that utilizes
both synchronous and asynchronous responses. The reason for designing a UDP-based
application layer protocol to manage the resources is to remove the TCP overhead and
reduce bandwidth requirements . Additionally, CoAP supports unicast as well as mul-
ticast, as opposed to TCP, which is by its nature not multicast-oriented.
Running on the unreliable UDP, CoAP integrated its own mechanisms for achieving
reliability. Two bits in the header of each packet state the type of message and the
required Quality of Service (QoS) level. There are 4 message types:
1. Conﬁrmable: A request message that requires an acknowledgement (ACK). The
response can be sent either synchronously (within the ACK) or if it needs more
computational time, it can be sent asynchronously with a separate message.
2. Non-Conﬁrmable: A message that does not need to be acknowledged.
3. Acknowledgment: It conﬁrms the reception of a conﬁrmable message.
4. Reset: It conﬁrms the reception of a message that could not be processed.
There is also a simple Stop-and-Wait retransmission mechanism for conﬁrmable mes-
sages and a 16-bit header ﬁeld in each CoAP packet called Message ID which is unique
and used for detecting duplicates.
CoAPCHTTP Mapping enables CoAP clients to access resources on HTTP servers
through a reverse proxy that translates the HTTP Status codes to the Response codes of
Even though CoAP was created for the IoT and for M2M communications, it does
not include any built-in security features. The protocol that is proposed to secure CoAP
transactions is the Datagram Transport Layer Security (DTLS). DTLS runs on top of
UDP and is the analogous of TLS for the TCP. It provides authentication, data integri-
ty, conﬁdentiality, automatic key management, and cryptographic algorithms . Even
though DTLS secures UDP transfers, it was not designed for the IoT, thus its suitability
can be argued. To begin with, DTLS does not support multicast , which is a prime
advantage of CoAP compared to other application layer protocols. DTLS handshakes
 require additional packets that increase the network traﬃc, occupy additional compu-
tational resources, and shorten the lifespan of mobile devices that run on batteries, an
essential part of the IoT. Being designed for the IoT, CoAP is HTTP-compatible, but
CoAP over DTLS might create additional confusion to the HTTP servers due to its di-
verse packet structure. Other protocols for securing CoAP can be found in the literature
including approaches that are still being under research -.
Message Queue Telemetry Transport (MQTT) was released by IBM and targets lightweight
M2M communications. It is an asynchronous publish/subscribe protocol that runs on top
of the TCP stack. Publish/subscribe protocols meet better the IoT requirements than re-
quest/response since clients do not have to request updates thus, the network bandwidth
is decreasing and the need for using computational resources is dropping.
In MQTT there is a broker (server)  that contains topics. Each client can be a
publisher that sends information to the broker at a speciﬁc topic or/and a subscriber that
receives automatic messages every time there is a new update in a topic he is subscribed.
The MQTT protocol is designed to use bandwidth and battery usage sparingly, which is
why, for example, it is currently used by Facebook Messenger .
MQTT ensures reliability by providing the option of three QoS levels:
1. Fire and forget: A message is sent once and no acknowledgement is required.
2. Delivered at least once: A message is sent at least once and an acknowledgement is
3. Delivered exactly once: A four-way handshake mechanism is used to ensure the
message is delivered exactly one time.
Even though MQTT runs on TCP, it is designed to have low overhead compared
to other TCP-based application layer protocols . Moreover, the publish/subscribe
architecture that it used, is more suitable for the IoT than request/response of CoAP,
for example, because messages do need to be responded. This means lower network
bandwidth and less message processing that actually extends the lifetime of battery-run
To ensure security, MQTT brokers may require username/password authentication
which is handled by TLS/SSL (Secure Sockets Layer), i.e., the same security protocols
that ensure privacy for HTTP transactions all over the Internet.
By comparing MQTT with the aforementioned CoAP, it is possible to see that the
UDP-based CoAP has lower overhead than the TCP-based MQTT. However, due to the
lack of TCPs retransmission mechanisms, packet loss is more likely to happen when using
CoAP. According to a recent research study , MQTT experiences lower delays that
CoAP for low packet losses, but CoAP generates less extra traﬃc for ensuring reliability.
However, results can vary depending on the network conditions. Additionally packet loss
and delays depend on the QoS of the messages. In both protocols, packet loss degrades
and delays increase when the QoS level is higher.
The Extensible Messaging and Presence Protocol (XMPP) was designed for chatting
and message exchanging. It was standardized by the IETF over a decade ago, thus being
a well-proven protocol that has been used widely all over the Internet. However, being an
old protocol, it falls short to provide the required services for some of the new arising data
applications. For this reason, last year, Google stopped supporting the XMPP standard
due to the lack of worldwide support . However, lately XMPP has re-gained a lot of
attention as a communication protocol suitable for the IoT.
XMPP runs over TCP and provides publish/subscribe (asynchronous) and also re-
quest/response (synchronous) messaging systems. It is designed for near real-time com-
munications and thus, it supports small message footprint and low latency message ex-
change . As the name explicitly states, XMPP is extensible and allows the speciﬁcation
of XMPP Extension Protocols (XEP) that increase its functionality.
XMPP has TLS/SSL security built in the core of the speciﬁcation. However, it does
not provide QoS options that make it impractical for M2M communications. Only the
inherited mechanisms of TCP ensure reliability.
XMPP supports the publish/subscribe architecture that is more suitable for the IoT in
contrast to CoAPs request/response approach. Furthermore, it is an already established
protocol that is supported all over the Internet as a plus with regard to the relatively new
MQTT . However, XMPP uses XML messages (eXtensible Markup Language) that
create additional overhead due to unnecessary tags and require XML parsing that needs
additional computational ability which increases power consumption.
6 RESTFUL SERVICES
The Representational State Transfer (REST) is not really a protocol but an architec-
tural style. It was ﬁrst introduced by Roy Fielding in 2000 , and it is being widely
used ever since.
REST uses the HTTP methods GET, POST, PUT, and DELETE to provide a resource-
oriented messaging system where all actions can be performed simply by using the syn-
chronous request/response HTTP commands. It uses the built-in accept header of HTTP
to indicate the format of the data that it contains. The content type can be XML or
tion. REST is already an important part of the IoT because it is supported by all the
commercial M2M cloud platforms. Moreover it can be implemented in smartphone and
tablet applications easily because it only requires an HTTP library which is available for
all the Operative Systems (OS) distributions. The features of HTTP can be completely
utilized in the REST architecture including cashing, authentication, and content type
RESTful services use the secure and reliable HTTP which is the proven worldwide
Internet language. It can make use of TLS/SSL for security. However, today most
commercial M2M platforms do not support HTTPS requests. Instead, they provide unique
authentication keys that need to be in the header of each request to achieve some level of
Even though REST is already used widely in commercial M2M platforms, it is unlikely
that it will become a dominant protocol due to not being easily implementable. It us-
es HTTP which means no compatibility with constrained-communication devices. This
leaves its use for ﬁnal applications.
Given the current tendency for applications running on smartphones, tablets and pads,
the additional overhead associated to request/response protocols aﬀect battery usage, as
it also does the continuous polling or long polling for values especially when there are
no new updates and the overhead becomes useless. Issues that can be avoided if a pub-
lish/subscribe protocol is used such as MQTT or XMPP. CoAP on the other hand, which
is the lightweight version of REST, bears the same disadvantages of the request/response
architecture. However it is designed to run over UDP making it capable of being used by
constrained resource devices, counter to REST.
The Advanced Message Queuing Protocol (AMQP) is a protocol that arose from the
ﬁnancial industry. It can utilize diﬀerent transport protocols but it assumes an underlying
reliable transport protocol such as TCP .
AMQP provides asynchronous publish/subscribe communication with messaging. Its
main advantage is its store-and-forward feature that ensures reliability even after network
disruptions . It ensures reliability with the following message-delivery guarantees :
1. At most once: means that a message is sent once either if it is delivered or not.
2. At least once : means that a message will be deﬁnitely delivered one time, possibly
3. Exactly once : means that a message will be delivered only one time.
Security is handled with the use of the TLS/SSL protocols over TCP.
Recent research has shown that AMQP has low success rate at low bandwidths, but
it increases as bandwidth increases . Another study shows that comparing AMQP
with the aforementioned REST, AMQP can send a larger amount of messages per second
. Additionally, it has been reported that an AMQP environment with 2,000 users
spread across ﬁve continents can process 300 million messages per day . Furthermore,
JPMorgan which is an American banking and ﬁnancial services company uses AMQP to
send 1 billion messages per day .
The Websocket protocol was developed as part of the HTML 5 initiative to facili-
tate communications channels over TCP. Websocket is neither a request/response nor a
publish/subscribe protocol. In Websocket a client initializes a handshake with a server to
establish a Websocket session. The handshake itself is similar to HTTP so that web servers
can handle Websocket sessions as well as HTTP connections through the same port .
However, what comes after the handshake does not conform to the HTTP rules. In fact,
during a session, the HTTP headers are removed and clients and servers can exchange
messages in an asynchronous full-duplex connection. The session can be terminated when
it is no longer needed from either the server or the client side. Websocket was creat-
ed to reduce the Internet communication overhead while providing real-time full-duplex
communications. There is also a Websocket sub-protocol called Websocket Application
Messaging Protocol (WAMP) that provides publish/subscribe messaging systems.
Websocket runs over the reliable TCP and implements no reliability mechanisms by
its own. If needed, the sessions can be secured using the Websocket over TLS/SSL.
During the session, Websocket messages have only 2 bytes of overhead. As reported
by relevant studies , the HTTP polling (in REST) repeats header information when
the data transmission rate increases, thus increasing latency. Websocket is estimated
to provide a three-to-one reduction in latency against the half-duplex HTTP polling.
Websocket is not designed for resource constrained devices as the previous protocols and
its client/server based architecture does not suit IoT applications. However it is designed
for real-time communication, it is secure, it minimizes overhead and with the use of WAMP
it can provide eﬃcient messaging systems. Thus, it can compete any other protocol
running over TCP.
9 Conclusions & future work
In this paper, we have presented a common IoT architecture by describing the parts
where application layer protocols are needed to handle communication. We have present-
ed the most representative application layer protocols that have gained attention for IoT
while providing a comparison among each other and argue about their suitability for the
future of the IoT. Among them, we have identiﬁed IETFs CoAP as the only one that runs
over UDP, thus making it the most lightweight, followed by HTML 5s Websocket that
signiﬁcantly reduces the communications overhead. The computational and communica-
tion ability of the devices involved must also be taken into consideration when choosing
the most appropriate protocol. If constrained communication and battery consumption
is not an issue, RESTful services can be easily implemented and interact with the In-
ternet using the worldwide HTTP. This can be proved very useful in testbeds as it can
Protocol Transport QoS options Architecture Security
CoAP UDP YES Request/Response DTLS
MQTT TCP YES Publish/Subscribe TLS/SSL
XMPP TCP NO Request/Response
REST HTTP NO Request/Response HTTPS
AMQP TCP YES Publish/Subscribe TLS/SSL
Web socket TCP NO Client/Server
Table 1: Major diﬀerences among protocols
work as proof of concept for ﬁnal applications. On the contrary, MQTT which is used by
Facebook Messenger is not as widely used as HTTP but has proved to be more eﬃcient
for battery-run devices. Additionally if the targeted ﬁnal applications require massive
updates of the same value, publish/subscribe protocols are more suitable. To sum up,
there are several factors that inﬂuence the selection of an application layer protocol the
most important of which are the computational and communication ability of the devices,
battery consumption and ﬁnal application in mind. For this reason opinions diﬀer. An
overview of major diﬀerences among the aforementioned protocols can be found below
Having seen this paper purely qualitatively, future work will be aimed at implementing
all these protocols and obtain an experimental and quantiﬁable comparison among them.
Moreover, we plan to explore the possibility of creating a server that supports multiple
application layer protocols and dynamically chooses the most appropriate according to
the networks conditions. Such an innovative approach not designed so far, would optimize
the overall performance of the IoT in various application scenarios.
 Tasos Kaukalias and Periklis Chatzimisios, Internet of Things (IoT) C Enabling tech-
nologies, applications and open issues, Encyclopedia of Information Science and Tech-
nology (3rd Ed.), IGI Global Press, 2014.
 Periklis Chatzimisios, Industry Forum & Exhibition Panel on Internet of Humans
and Machines, IEEE Global Communications Conference (Globecom 2013), Atlanta,
USA, December 2013.
 Angelo P. Castellani, Mattia Gheda, Nicola Bui, Michele Rossi, Michele Zorzi, We-
b Services for the Internet of Things through CoAP and EXI, IEEE International
Conference on Communications Workshops (ICC), 5-9 June 2011, pp. 1-6.
 Sye Loong Keoh, Sandeep S. Kumar, Hannes Tschofenig, Securing the Internet of
Things: A Standardization Perspective, Internet of Things Journal IEEE (Volume:
1, Issue: 3), June 2014, pp. 265-275.
 Maria Rita Palattella, Nicola Accettura, Xavier Vilajosana, Thomas Watteyne, Luigi
Alfredo Grieco, Gennaro Boggia, Mischa Dohler, Standardized Protocol Stack for the
Internet of (Important) Things, Communications Surveys & Tutorials IEEE 15(3),
2013, pp. 1389-1406.
 Thamer A. Alghamdi, Aboubaker Lasebae, Mahdi Aiash, Security Analysis of the
Constrained Application Protocol in the Internet of Things, Second International
Conference on Future Generation Communication Technology (FGCT), 12-14 Nov.
2013, pp. 163-168.
 Shahid Raza, Hossein Shafagh, Kasun Hewage, Ren Hummen, Thiemo Voigt, Lithe:
Lightweight Secure CoAP for the Internet of Things, Sensors Journal, IEEE 13(10),
Oct. 2013, pp. 3711-3720.
 Shinho Lee, Hyeonwoo Kim, Dong-kweon Hong, Hongtaek Ju, Correlation Analy-
sis of MQTT Loss and Delay According to QoS Level, International Conference on
Information Networking (ICOIN), 28-30 Jan. 2013, pp. 714-717.
 http://mqtt.org/2011/08/mqtt-used-by-facebook-messenger, cited 28 Jul 2014.
 Dinesh Thangavel, Xiaoping Ma, Alvin Valera, Hwee-Xian Tan, Colin Keng-Yan
Tan, Performance Evaluation of MQTT and CoAP via a Common Middleware, IEEE
Ninth International Conference on Intelligent Sensors, Sensor Networks and Informa-
tion Processing (ISSNIP), 21-24 April 2014, pp. 1-6.
standard-7000015918/, cited 28 Jul 2014.
 Sven Bendel, Thomas pringer, Daniel Schuster, Alexander Schill, Ralf Ackermann,
Michael Ameling, A Service Infrastructure for the Internet of Things based on XMPP,
IEEE International Conference on Pervasive Computing and Communications Work-
shops (PERCOM Workshops), 18-22 March 2013, pp. 385-388.
 Michael Kirsche, Ronny Klauck, Unify to Bridge Gaps: Bringing XMPP into the In-
ternet of Things, IEEE International Conference on Pervasive Computing and Com-
munications Workshops (PERCOM Workshops), 19-23 March 2012, pp. 455-458.
 Roy Thomas Fielding, Architectural Styles and the Design of Network-based Software
Architectures, PhD thesis, University of California, Irvine, USA, 2000.
 Bipin Upadhyaya, Ying Zou, Hua Xiao, Joanna Ng, Alex Lau, Migration of SOAP-
based Services to RESTful Services, 13th IEEE International Symposium on Web
Systems Evolution (WSE), 30 Sept. 2011, pp. 105-114.
 http://en.wikipedia.org/wiki/Advanced Message Queuing Protocol, cited 28 Jul
 Frank T. Johnsen, Trude H. Bloebaum, Morten Avlesen, Skage Spjelkavik, Bjørn
Vik, Evaluation of Transport Protocols for Web Services, Military Communications
and Information Systems Conference (MCC), 7-9 Oct. 2013, pp. 1-6.
 Joel L. Fernandes, Ivo C. Lopes, Joel J. P. C.Rodrigues, Sana Ullah, Performance
Evaluation of RESTful Web Services and AMQP Protocol, Fifth International Con-
ference on Ubiquitous and Future Networks (ICUFN), 2-5 July 2013, pp. 810-815.
 http://www.amqp.org/about/examples, cited 28 Jul 2014.
 http://en.wikipedia.org/wiki/WebSocket, cited 28 Jul 2014.
 Victoria Pimentel, Bradford G. Nickerson, Communicating and Displaying Real-Time
Data with WebSocket, Internet Computing IEEE 16(4), July-Aug. 2012, pp. 45-53.