Hi,
I have a Wi-SUN network running pretty well, and I'm trying to add DTLS over CoAP to it. I have a CoAP node connected to a border router and I use wfantund on a linux host.
I needed to change some defines under a few header files so I could compile the CoAP node project so mbed supports DTLS. Then I initialize the coap_service using:
coap_service_initialize(interface_id, COAPS_PORT, COAP_SERVICE_OPTIONS_SECURE, NULL, NULL);
where COAPS_PORT is 5684.
Then I use coap_service_certificate_set(service_id, cert, cert_len, priv_key, priv_key_len) to set certificate and key.
When I see that device is connected to border router, I send a coap request using:
coap_service_request_send(service_id, COAP_SERVICE_OPTIONS_SECURE, root_unicast_addr, COAPS_PORT, COAP_MSG_TYPE_CONFIRMABLE, SG_CODE_REQUEST_GET, COAP_TIMESTAMP_URI, COAP_CT_TEXT_PLAIN, NULL, 0, coap_client_response_timestamp);
The response of this request is a non-zero value, so I know that it does not report an error to perform this request. I also know that the root_unicast_addr is the address of the border router.
Despite all this information, I see no packets reaching the border router's side (I am tracking the wfantund outputs).
Could you please provide any correction on this flow or any help to debug this?
Thank you.
Best regards,
Eduardo.
Hi Eduardo,
Could you give me some more details on how you modified the border router and CoAP node projects to support DTLS?
Could you try to do the same with PySpinel so that we can work on a minimal example eliminating first network interface layers of wfantund?
Kind regards,
Theo
Hi Theo,
sure! I am using Simplelink SDK 8.30.01.01. These are the modifications I have made to build the projects:
1. ti/ti_wisunfan/apps/udp_nanostack_mesh_tirf/mbedtls_wisun_config.h:
- Commented #undef MBEDTLS_SSL_SRV_C, line 26;
- Commented #undef MBEDTLS_SSL_PROTO_DTLS, line 192;
- Commented #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY, line 193;
2. ti/ti_wisunfan/mbed_config/ws_border_router/mbed_config.h
- Uncommented #define NS_USE_EXTERNAL_MBED_TLS, line 67;
3. ti/ti_wisunfan/mbed_config/ws_router/mbed_config.h
- Uncommented #define NS_USE_EXTERNAL_MBED_TLS, line 48.
Then I am using the CoAP functions as mentioned previously.
Using PySpinel, I have implemented some modifications on spinel-cli.py. I'll send you some snippets so you can see the modifications I have done, but please let me know if you need more details:

    COAP_TIMESTAMP_URI = "device_timestamp"

    ...

    elif option.option_val == str.encode(COAP_TIMESTAMP_URI):
        # Handle ev timestamp request CoAP message
        # The coap message type is a coap get request.
        coap_packet_type = "DEVICE_TIMESTAMP_SEND"

    ...

    elif coap_packet_type == "DEVICE_TIMESTAMP_SEND":
        # Handle ev device data CoAP message
        if h.code == ipv6.COAP_METHOD_CODE_GET:
            print("Device requesting timestamp")
            current_timestamp = str(int(time.time()))
            print(current_timestamp)
            # print("Done at " + t)
            if h.type == ipv6.COAP_TYPE_CON:
                try:
                    srcIPAddress = pkt.ipv6_header.destination_address
                    # Send an acknowledgement to the CoAP Node
                    coap_req = self.ipv6_factory.build_coap_request(
                        format(srcIPAddress),
                        pkt.ipv6_header.source_address,
                        ipv6.COAP_TYPE_ACK,
                        ipv6.COAP_RSP_CODE_CONTENT,
                        None,
                        payload=bytes(current_timestamp, encoding="utf-8"),
                        msg_id=(h.msg_id + 1),
                        tkl=h.tkl,
                        token=h.token)
                    print("Send acknowledgement")
                    self.wpan_api.ip_send(coap_req)
                except:
                    print("Failed to send acknowledgement")
                    print(traceback.format_exc())
I still do not see any print on spinel side (in this case I was expecting the "Device requesting timestamp" message). Do I need to do any other modification so it can actually receive an encrypted message?
Please let me know if you need more details.
Best regards,
Eduardo.
Hi Eduardo,
I will ask R&D for further advice on this topic.
Can you see that a message is sent when you use a packet sniffer, or is the message never sent on the air?
Kind regards,
Theo
Hi Theo,
It looks like the message is never sent on the air; the packet sniffer only detects PAN Configuration and PAN Advertisement packets, nothing more.
Please let me know when you get an answer from R&D team.
Best regards,
Eduardo.
Hi Eduardo,
I discussed it with our experts internally and theoretically you can try to implement DTLS over CoAP but for that you will need to implement it on your own. The issue that you are describing seems to be related to conflicts occurring between our application session and the feature code. You would need to ensure that the DTLS implementation generates an independent instance to encrypt the message payload on application layer while keeping the message format intact.
The reason that we are not planning to implement this feature is that the Wi-SUN network is already fully secured by the security exchange (using the certificates). This means that all communication in the network is already encrypted.
If you add additional application layer encryption, e.g. DTLS, on top of that, you are basically encrypting the message content before it gets encrypted a second time by the Wi-SUN stack and then transmitted.
We strongly recommend trusting the security that the Wi-SUN stack provides, as this is what it was developed for. If you really must implement additional encryption, please ensure that everything happens on the application layer, only modifying the message payload before passing it over to the stack.
Kind regards,
Theo
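Two points in this thread come down to CoAP framing (RFC 7252): the spinel-cli snippet Eduardo posted builds the ACK for the node's GET, and Theo's last reply says that any extra protection must change only the payload while leaving the message format intact. The block below is an added example written for this page; it is not TI's, Eduardo's or the Simplelink SDK's code. It is a minimal CoAP encoder/decoder that shows what a piggybacked ACK has to echo (the request's Message ID and token, per RFC 7252 section 5.2.1) and a helper that swaps only the payload of an already-encoded message, leaving header, token and options byte-for-byte unchanged. The Message ID, token and URI path values are constructed for the demo, and `replace_payload` deliberately performs no cryptography; it only marks the point where an application-layer transform of the payload would be applied before the message is handed to the stack.

```python
# Added example (not TI's or the poster's code): minimal RFC 7252 framing.
import struct

COAP_VERSION = 1
TYPE_CON, TYPE_NON, TYPE_ACK, TYPE_RST = 0, 1, 2, 3
CODE_GET = 0x01          # 0.01 GET
CODE_CONTENT = 0x45      # 2.05 Content
OPT_URI_PATH = 11
OPT_CONTENT_FORMAT = 12  # empty value encodes uint 0 = text/plain
PAYLOAD_MARKER = 0xFF


def _opt_field(value):
    """Encode an option delta or length as (nibble, extension bytes)."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def encode(msg_type, code, msg_id, token=b"", options=(), payload=b""):
    """Serialise a CoAP message; options is a sequence of (number, bytes)."""
    if not 0 <= len(token) <= 8:
        raise ValueError("token length must be 0..8")
    out = bytearray([(COAP_VERSION << 6) | (msg_type << 4) | len(token), code])
    out += struct.pack("!H", msg_id)
    out += token
    last = 0
    for number, value in sorted(options):       # options are delta-encoded
        d, d_ext = _opt_field(number - last)
        l, l_ext = _opt_field(len(value))
        out.append((d << 4) | l)
        out += d_ext + l_ext + value
        last = number
    if payload:
        out.append(PAYLOAD_MARKER)
        out += payload
    return bytes(out)


def _read_ext(buf, pos, nibble):
    """Decode one delta/length nibble plus its extension bytes."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2
    raise ValueError("reserved option nibble 15")


def decode(buf):
    """Parse a CoAP message into a dict; raises ValueError on malformed input."""
    if len(buf) < 4 or buf[0] >> 6 != COAP_VERSION:
        raise ValueError("bad header")
    tkl = buf[0] & 0x0F
    if tkl > 8 or len(buf) < 4 + tkl:
        raise ValueError("bad token length")
    msg = {"type": (buf[0] >> 4) & 3, "code": buf[1],
           "msg_id": struct.unpack_from("!H", buf, 2)[0],
           "token": buf[4:4 + tkl], "options": [], "payload": b""}
    pos, number = 4 + tkl, 0
    while pos < len(buf):
        if buf[pos] == PAYLOAD_MARKER:
            if pos + 1 == len(buf):
                raise ValueError("payload marker with empty payload")
            msg["payload"] = buf[pos + 1:]
            break
        first = buf[pos]
        delta, pos = _read_ext(buf, pos + 1, first >> 4)
        length, pos = _read_ext(buf, pos, first & 0x0F)
        if pos + length > len(buf):
            raise ValueError("option overruns message")
        number += delta
        msg["options"].append((number, buf[pos:pos + length]))
        pos += length
    return msg


def build_ack_content(request, payload):
    """Piggybacked 2.05 response: an ACK carrying the CON's Message ID and
    token, which is what lets the client match it to its request."""
    return encode(TYPE_ACK, CODE_CONTENT, request["msg_id"], request["token"],
                  [(OPT_CONTENT_FORMAT, b"")], payload)


def replace_payload(buf, new_payload):
    """Return buf with only its payload swapped. Header, token and options are
    left byte-identical; a payload-only transform would plug in here."""
    head_len = len(buf) - len(decode(buf)["payload"]) - 1
    head = buf[:head_len] if decode(buf)["payload"] else buf
    return head + bytes([PAYLOAD_MARKER]) + new_payload


def demo():
    """Constructed exchange: node GETs 'device_timestamp', host answers."""
    req_bytes = encode(TYPE_CON, CODE_GET, 0x1234, b"\xab\xcd",
                       [(OPT_URI_PATH, b"device_timestamp")])
    req = decode(req_bytes)
    ack_bytes = build_ack_content(req, b"1700000000")
    protected = replace_payload(ack_bytes, b"<payload-transformed-here>")
    return req_bytes, req, ack_bytes, decode(ack_bytes), protected


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows the ACK sharing `msg_id` 0x1234 and token `ab cd` with the request, and `protected` differing from the ACK only after the 0xFF payload marker, which is the property Theo's reply asks for.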