CC2642R: Understanding RPA

Part Number: CC2642R
Other Parts Discussed in Thread: SYSCONFIG

Hello.
Help me figure out the RPA and the following issues:

The role is a peripheral device.
Project - SimplePeripheral, SDK - simplelink_cc13x2_26x2_sdk_5_20_00_52.
Configuration:
-DGAP_BOND_MGR
-DBLE_V42_FEATURES=PRIVACY_1_2_CFG
#define DEFAULT_ADDRESS_MODE ADDRMODE_RP_WITH_PUBLIC_ID
#define MAX_NUM_BLE_CONNS 1
uint8_t pairMode = GAPBOND_PAIRING_MODE_WAIT_FOR_REQ;
uint8_t mitm = true;
uint8_t ioCap = GAPBOND_IO_CAP_DISPLAY_ONLY;
uint8_t bonding = true;
uint8_t secureConnection = GAPBOND_SECURE_CONNECTION_ONLY;
uint8_t authenPairingOnly = true;

The read and write permissions of all characteristics have the GATT_PERMIT_ENCRYPT_READ level.

1. How to make requests filtered at the controller level, i.e. address resolution took place at the stack level?

Now in the SimplePeripheral project I filter at the application level (GAP_LINK_ESTABLISHED_EVENT: GAPBondMgr_FindAddr()). And in this case, how to discard scanning requests? One good thing is that in this mode you can bind devices :)
The manual says that ADDRMODE_RP_WITH_PUBLIC_ID - the local device will always use an RPA that can be resolved to a Public Identity Address. The device will only accept requests from peers who use its RPA over the air. It will not accept requests if the request is being directed to its identity address. Why does the device still receive requests from unbound devices?

2. Why when setting the ADDRMODE_RP_WITH_RANDOM_ID mode in the SimplePeripheral project, the GAP_DEVICE_INIT_DONE_EVENT event does not occur! Tell me where to dig?
What are the differences between ADDRMODE_RP_WITH_PUBLIC_ID and ADDRMODE_RP_WITH_RANDOM_ID and what are the features of using both?

As a result, I want to implement two modes of operation: 1. Pairing, advertising is visible to everyone, key exchange including IRK. 2. The main mode in which requests to the device are not available for unbound devices, for security and power consumption reasons.
I assume that RPA just implements mode 2. But how to bind devices with RPA? Or I just don't understand the purpose of RPA ..
I have read BLE5-Stack User’s Guide - Privacy, but there is not enough information, there are not enough examples for what and how to use this or that ...
Please help me in which direction to move or in words how to implement what I want?

  • Hey John,

    I've assigned your post to a colleague to comment on. In the meantime, I would highly recommend going through our User's Guide section on the GapBondMgr as well as our Privacy section.

  • Hi John,

    1. How to make requests filtered at the controller level, i.e. address resolution took place at the stack level?

    Could you please specify which requests you are referring to? Are you talking about GATT read/write requests or connection requests? I am not sure I understand the relation between address resolution and address filtering. Additionally, from the application point of view I do not understand the distinction between the "stack" and the "controller level". Could you provide more details?

    Now in the SimplePeripheral project I filter at the application level (GAP_LINK_ESTABLISHED_EVENT: GAPBondMgr_FindAddr()). And in this case, how to discard scanning requests?

    You can use the allow/deny list (also called white list). This option can be enabled through SysConfig in RF STACK > BLE > Broadcaster Configuration > Filter Policy.
    I guess this will also answer the question about receiving requests from unbound devices.

    2. Why when setting the ADDRMODE_RP_WITH_RANDOM_ID mode in the SimplePeripheral project, the GAP_DEVICE_INIT_DONE_EVENT event does not occur! Tell me where to dig?

    This is quite unexpected.
    The device may crash somewhere. I would recommend first confirming that the device crashes (e.g. check if it is advertising). Then use the debugger to identify which call leads to this crash. You can review the debugging guide for help.

    there are not enough examples for what and how to use this or that

    RPA is enabled by default in our simple_peripheral example.
    As you mentioned, when RPA is used, the first connection has to be established without relying on the address used by the device. Afterward, once the devices have been paired and bonded, the IRKs (identity resolving keys) are stored and the public address of the device can be found. To finish, the white list can be used for following connections.

    I want to implement two modes of operation: 1. Pairing, advertising is visible to everyone, key exchange including IRK. 2. The main mode in which requests to the device are not available for unbound devices, for security and power consumption reasons.
    I assume that RPA just implements mode 2.

    RPA is just an address mode ensuring privacy (not security). It ensures that the device cannot be tracked by non-trusted devices.
    White List should be used to implement the two modes you are referring to.

    To finish, make sure to review the user's guide and the SimpleLink Academy labs for Bluetooth 5.

    I hope this will help,

    Best regards,
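
The resolution step this thread keeps returning to (a stored IRK turning a peer's changing RPA back into a known bond), as an added example that is not part of the thread or of the TI SDK. The names `aes128`, `resolve_peer`, `IRK_SAMPLE` and `RPA_SAMPLE` are hypothetical, AES is done in software only to keep the block self-contained, addresses are written most significant byte first, and the sample IRK and address are the `ah` sample data from the Bluetooth Core Specification.

```c
#include <stdint.h>
#include <string.h>

#define ROTL(x, n) ((uint8_t)(((x) << (n)) | ((x) >> (8 - (n)))))
static uint8_t S[256] = {0x63};              /* AES S-box: S[0] fixed, rest generated */
static uint8_t xt(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0)); }
static void sbox_init(void) {
    uint8_t p = 1, q = 1;
    do {
        p ^= xt(p);                                               /* p *= 3 in GF(2^8) */
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q ^= (q & 0x80) ? 0x09 : 0;  /* q /= 3 */
        S[p] = (uint8_t)(q ^ ROTL(q, 1) ^ ROTL(q, 2) ^ ROTL(q, 3) ^ ROTL(q, 4) ^ 0x63);
    } while (p != 1);
}
static void aes128(const uint8_t *key, const uint8_t *in, uint8_t *out) {  /* e() */
    uint8_t rk[176], t[16], rc = 1;
    if (!S[1]) sbox_init();
    memcpy(rk, key, 16);
    for (int i = 16; i < 176; i++) {                       /* key schedule, byte-wise */
        uint8_t w = rk[i - 4];
        if (i % 16 < 4) w = S[rk[i - 4 - i % 4 + (i + 1) % 4]];   /* SubWord(RotWord) */
        if (i % 16 == 0) { w ^= rc; rc = xt(rc); }
        rk[i] = rk[i - 16] ^ w;
    }
    for (int i = 0; i < 16; i++) out[i] = in[i] ^ rk[i];
    for (int r = 1; r <= 10; r++) {
        for (int i = 0; i < 16; i++) t[i] = S[out[(i * 5) % 16]];  /* SubBytes + ShiftRows */
        for (int c = 0; c < 16 && r < 10; c += 4) {        /* MixColumns, not in round 10 */
            uint8_t *a = t + c, a0 = a[0], all = a[0] ^ a[1] ^ a[2] ^ a[3];
            for (int j = 0; j < 4; j++) a[j] ^= all ^ xt(a[j] ^ (j < 3 ? a[j + 1] : a0));
        }
        for (int i = 0; i < 16; i++) out[i] = t[i] ^ rk[16 * r + i];
    }
}

static const uint8_t IRK_SAMPLE[1][16] = {{0xec,0x02,0x34,0xa3,0x57,0xc8,0xad,0x05,
                                           0x34,0x10,0x10,0xa6,0x0a,0x39,0x7d,0x9b}};
static const uint8_t RPA_SAMPLE[6] = {0x70,0x81,0x94,0x0d,0xfb,0xaa};  /* prand || hash */
/* Index of the bonded IRK that resolves addr (6 bytes, MSB first), or -1 if none does. */
static int resolve_peer(const uint8_t irks[][16], int n, const uint8_t addr[6]) {
    uint8_t m[16] = {0}, e[16];
    if ((addr[0] >> 6) != 1) return -1;          /* top two bits 01 mark an RPA */
    memcpy(m + 13, addr, 3);                     /* r' = zero padding || prand */
    for (int i = 0; i < n; i++) {
        aes128(irks[i], m, e);
        if (memcmp(e + 13, addr + 3, 3) == 0) return i;   /* hash = e(IRK, r') mod 2^24 */
    }
    return -1;
}
```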

  • Hello, Clement.
    Thanks for the clarification. I'm going to use a whitelist with RPA. 

    RPA is enabled by default in our simple_peripheral example.
    As you mentioned, when RPA is used, the first connection has to be established without relying on the address used by the device. Afterward, once the devices have been paired and bonded, the IRKs (identity resolving keys) are stored and the public address of the device can be found. To finish, the white list can be used for following connections.

    In this case, even after pairing, the application itself must resolve the address (GAPBondMgr_FindAddr()) of the device sending the connection request in order to decide whether to accept or reject it? It turns out that only the "white list" will pass this function to the controller?

    RPA is just an address mode ensuring privacy (not security). It ensures that the device cannot be tracked by non-trusted devices.
    White List should be used to implement the two modes you are referring to.

    How can RPA without whitelisting protect a device from being tracked? After all, only the address changes, and the other fields do not change, for example, the name of the device, etc., by which you can identify the device. Of course, in advertising packages, you can provide a minimum of information, but scan requests are not discarded.

    Is there something like a blacklist to reject frequent requests from an unwanted device?:)

  • Hi,

    How can RPA without whitelisting protect a device from being tracked?

    I guess you are mixing "privacy" and "security". As you explain, RPA is a good way to avoid tracking (i.e. to ensure privacy).

    If you want to avoid connection requests from unwanted devices, you should use directed advertisements. Please use SysConfig > RF Stacks > BLE > Broadcaster Configuration > Advertisement Set 1 > Advertisements Parameters 1 for more details.

    Is there something like a blacklist to reject frequent requests from an unwanted device?

    This feature does not exist in the Bluetooth specifications.

    I hope this will help,

    Best regards,