CC1352P7: Wi-SUN security

Part Number: CC1352P7
Other Parts Discussed in Thread: UNIFLASH

Hi,

I was looking at the Wi-SUN specification and would like to ask some questions about security.

I have already read the Stack User Guide, especially the Join Process, but I still have a few questions:

1. As I understand it, the node, while in the process of joining the network, is capable of detecting all available networks. Is it possible for the node to list all of them so a user can see them?

2. Is the network name the only configuration necessary for a node to connect to the network, or is there any other necessary configuration (credentials, password, etc.)?

3. The Join Process documentation does not specify where the Network Name and any other possible configuration is used, could you please clarify?

4. As I could understand from spinel interface, the revokeDevice command is used to remove an unwanted device from the network, correct? Is it possible to use it only when the device has already joined the network or can I use it to avoid its connection?

5. Is there anything similar to the revokeDevice command but instead of listing unwanted nodes I could configure a list of allowed devices?

Thank you in advance.

  • Hi Eduardo,

    the Wi-SUN spec is not public so I can't give out this information on the public forum.

    1. This feature is not implemented in our stack.

    2. The network name is used to generate coexisting Wi-SUN networks and has to be set before the stack is started. In this case the router node will only join the network specified by the network name. 

    3. I will check how much more information I can give out about that.

    4. The revokeDevice command can only be used from the authentication server implemented with the border router after a device has joined the network.

    5. There is an implementation of allow and deny list based on the mac address of the router node. Please read this part of the latest Wi-SUN user's guide: https://dev.ti.com/tirex/explore/node?node=A__ADg-OA1lkmNpV7sMfCNnZA__com.ti.SIMPLELINK_CC13XX_CC26XX_SDK__BSEc4rl__LATEST In the router node application you need to search for: "COAP_PANID_LIST"


    I recommend that you implement your application using the option of different network names and the Allow/Deny list feature.

    Kind regards,
    Theo

  • Hi Theo,

    2. So it is possible to have 2 or more networks with same name, correct? The only difference between them would be the PAN ID? Also, the node would automatically select the network to join based on signal quality?

    3. Okay. I need a secure network, so it is important to know where the weaknesses of the joining process are and how it is possible to improve them. I can send you a direct message to discuss this topic, what do you think?

    5. I do not know if I correctly understood this feature. When I set the PAN ID list and save it to the border router, this list defines which nodes will be allowed to join the network from this border router, or the border router will tell the node which of the PAN IDs the node is allowed to connect? If the second case is the correct one, then I would not be limiting which devices are allowed to join the network, but just be controlling which device connects to which border router, correct?

    Best regards,
    Eduardo.

  • Hi Eduardo,

    2. If you have multiple border routers using the same network name positioned at the two opposite sides of a room and multiple router nodes trying to connect to a network with this name, they will select the network to join based on the routing cost. If you want to ensure that a subset of the router nodes joins a specific border router you must use different network names or the PAN ID allow/deny list feature.

    3. Wi-SUN is a certified secure network. The protocol is developed by the Wi-SUN alliance and its members. You can find the certified products on their website: https://wi-sun.org/certified-products-list/ 

    In our User's Guide we visualize the join process: https://dev.ti.com/tirex/explore/content/simplelink_cc13xx_cc26xx_sdk_7_41_00_17/docs/ti_wisunfan/html/wisun-stack/join_process.html and provide more information about the correct usage of keys and certificates: https://dev.ti.com/tirex/explore/content/simplelink_cc13xx_cc26xx_sdk_7_41_00_17/docs/ti_wisunfan/html/wisun-stack/networklayer.html# 

    Please let us take it from here. Which further questions do you have?

    5. The implementation of the allow list/deny list feature allows you to store a list of MAC addresses of nodes on the border router, and for each of them you store an allow and deny list containing the network PAN IDs that they are allowed or denied to join. When the node joins a network it will request the allow/deny list from the border router and afterwards it checks if it is allowed to join this network. If it is not allowed to join the network it will notify the border router that rediscover is necessary and with that look for another network to join. You can try this feature as explained in the User's Guide with pyspinel (https://dev.ti.com/tirex/explore/content/simplelink_cc13xx_cc26xx_sdk_7_41_00_17/docs/ti_wisunfan/html/wisun-guide/network-management.html#pan-id-allow-deny-list).

    When you look in the "application.c" file of the coap node project for "COAP_PANID_LIST_ALLOW_URI" you will see that there is an allow list and a deny list defined if "COAP_PANID_LIST" is defined. At the next usage in the file you will find the application code for it.

    It would be great if you could explain to me in detail what you want to achieve so that I can assist you in choosing the best suited features.

    Kind regards,
    Theo

  • Hi Theo,

    thank you for the detailed description.

    "It would be great if you could explain to me in detail what you want to achieve so that I can assist you in choosing the best suited features."

    I need to be able to control which nodes are allowed to join a network in an attempt to prevent entry from an unknown device (in a possible case of an unwanted user trying to join the network or something like that).

    2. And what is expected if I bring up 2 border routers with same network name and PAN ID?

    3. How are these keys and certificates handled? I mean, who must "create" them and update these keys when necessary? I have read the EAPOL Layer documentation and understood that I can enable this feature modifying some lines in the code but could not understand who is in charge of creating the keys and who gives the "final word" if a device is allowed to join the network.

    5. What happens if a node tries to join a network and its MAC is not in the JSON list? It will join the network or the border router refuses its connection? Based on the description about the allow/deny lists, it seems like the node is responsible for controlling if it will or not join the network, not the border router. In a situation where someone is trying to invade the network it will just ignore this list and force its own connection.

    How do you think I can handle my requirements?

    Best regards,
    Eduardo.

  • Hi Eduardo,

    2. You should in general not do this as it is not following the expected setup of each border router having a unique network name. In this case all the nodes that are looking for the network name would decide the border router to join only on the routing cost.

    3. The root certificates are deployed with the device and can be generated by all members of the Wi-SUN alliance. Please have a look here: https://wi-sun.org/cyber-security-certificates/ Our software contains such test certificates. These are checked when joining a network to ensure the device is a certified Wi-SUN device. Following this, the encryption keys are exchanged.

    5. It will join the network and nothing more will happen. If you follow the implementation of the allow/deny list, the CoAP node will request the list from the border router, the border router will send it over CoAP if one exists for the node's MAC address, and then the node will check if it is allowed to join this border router. If it is not, it will tell the border router to trigger a rediscover and it will not try to join this border router again.

    In general you can manage the network access in that sense only on the application layer, as everything else is not Wi-SUN spec compliant. It would be possible to implement a list of MAC addresses of allowed devices on the border router, and after a node has joined the network you could check its MAC address. If it is not in the list of allowed MAC addresses you could use the revoke access option to kick it out of the network. But you cannot prevent joining.

    I will follow up with R&D if there is a better option.

    Kind regards,
    Theo

  • Hi Theo,

    2. I have read that if I leave the border router's PAN ID with value 0xFFFF it will start with a random value between 0x0000 and 0xFFFE. Let's suppose I have a network that is already up and working correctly. If I bring up a second border router also with default 0xFFFF, will it detect if there is already a network with the same name and avoid using the same PAN ID, or is it possible that it randomly selects the same PAN ID? I'm just curious if this could possibly cause any interference in the existing network since I've already faced a similar situation with another 6lowpan network.

    I'd appreciate it if you could follow up with the R&D team on whether there is a better option than using the revoke option. The best scenario would be that I could avoid the connection of an unwanted device instead of letting it connect and then removing it later; let's say I cannot guarantee that it won't cause any damage during this connection->being revoked period.

    Although, evaluating the revokeDevice feature seems to be the best option I have for now. Is this feature also available using wfantund or only supported by pyspinel?
    I have a second MCU (ESP32) as host and it uses the Wi-SUN chip to send data to the network. Is it possible that I could use the ESP32 address in this feature instead of the CC's MAC address? Also, when I look at the device's MAC address using the hwaddress command in the CLI, it shows an address with 8 groups of 2 hexadecimal digits. Shouldn't the MAC address have only 6 groups? I got a little confused in this topic.

    I appreciate all the support you have given, Theo!

    Best regards,
    Eduardo.

  • Hi Eduardo,

    The border router does not check for any existing networks so this is theoretically possible. Following the spec, the best approach would be to work with different network names, as otherwise you end up in the situation explained before where a router node decides the border router to join only on the routing cost. So it would not cause interference but you can't predict the network architecture.

    Following up with R&D I got the confirmation that there is no option to prevent a router node from joining the network as that would not be Wi-SUN spec compliant. Instead all further authentication has to be implemented on application layer. Mac address whitelisting on the border router or using the pan id allow/deny list feature are the recommended approaches. 

    Kind regards,
    Theo
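
Added example (not part of the thread and not TI code): a host-side sketch of the MAC allowlist check on the border router described above, where nodes that have joined but are not on the list are handed to a revoke step. The `revoke` callback is hypothetical and stands in for however the host issues the revokeDevice command; the addresses are constructed sample values.

```python
import re

# Constructed sample data: locally administered addresses, not real devices.
SAMPLE_ALLOWLIST = ["02:00:00:00:00:00:00:01", "02-00-00-00-00-00-00-03"]
SAMPLE_JOINED = ["0200000000000001", "02:00:00:00:00:00:00:02",
                 "02:00:00:00:00:00:00:03"]


def normalize_eui64(text):
    """Return an 8-byte extended address as 16 lowercase hex digits.

    Accepts colon-separated, dash-separated or plain hex input. A 6-byte
    (EUI-48) address is rejected instead of being padded, so a host MAC
    cannot silently match or miss a radio address.
    """
    digits = re.sub(r"[:\-\s]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{16}", digits):
        raise ValueError(f"not an 8-byte extended address: {text!r}")
    return digits.lower()


def audit_joined_nodes(joined, allowlist):
    """Split joined-node addresses into (allowed, to_revoke), keeping order."""
    allowed_set = {normalize_eui64(a) for a in allowlist}
    allowed, to_revoke = [], []
    for raw in joined:
        addr = normalize_eui64(raw)
        (allowed if addr in allowed_set else to_revoke).append(addr)
    return allowed, to_revoke


def enforce(joined, allowlist, revoke):
    """Call revoke(addr) for each joined node that is not on the allowlist.

    `revoke` is a hypothetical callback supplied by the caller; it stands in
    for however the host issues the revokeDevice command.
    """
    _, to_revoke = audit_joined_nodes(joined, allowlist)
    for addr in to_revoke:
        revoke(addr)
    return to_revoke


if __name__ == "__main__":
    print(enforce(SAMPLE_JOINED, SAMPLE_ALLOWLIST, lambda a: print("revoke", a)))
```

This check runs only after a node has joined, so it shortens the time an unlisted node stays on the network but does not prevent the join.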

  • Hi Theo,

    Thank you for the recommendations.

    Is the revokeDevice feature also available using wfantund or only supported by pyspinel?
    I have a second MCU (ESP32) as host and it uses the Wi-SUN chip to send data to the network. Is it possible that I could use the ESP32 address in this feature instead of the CC's MAC address? Also, when I look at the device's MAC address using the hwaddress command in the CLI, it shows an address with 8 groups of 2 hexadecimal digits. Shouldn't the MAC address have only 6 groups? I got a little confused in this topic.

    Best regards,
    Eduardo.

  • Hi Eduardo,

    the implementation of the command is made for pyspinel but you can also add it to wfantund. You can also change the application so that instead of the router node's MAC address the MAC address of the host is sent but you need to request send this information from the application layer.

    I will come back to you regarding the mac address.

    Kind regards,
    Theo

  • Hi Eduardo,

    the hardware address is an IEEE 802.15.4 Extended Address which is a 2 byte format.

    You can view it either using the pyspinel hwaddress command or using UniFlash -> select device -> Setting & Utilities -> Primary IEEE Address

    Kind regards,
    Theo

  • Hi Eduardo,

    I need to correct and add on my previous answers.

    The connection to a Wi-SUN network is only possible when the devices share the same root certificate.
    This means that the easiest way to secure your Wi-SUN network is to generate your own root certificates and not to share them with anyone.
    In that case only your devices can join the network. 

    The MAC filtering can still be used to force network topologies if needed.

    Kind regards,
    Theo