CC2652P: Questions about incoming/outcoming frame counter

Hi Ryan,

So the device will initiate a NWK key update request if the frame counter exceeds 0x80000000? And does this apply to both incoming and outcoming frame counters?

Any comments for question 3 and 4?

Best regards,

Shuyang

Hi Ryan,

I find only one FrameCounter in nwkSecMaterialDesc_t, which I believe is the outgoing frame counter stored in ZCD_NV_EX_NWK_SEC_MATERIAL_TABLE? I did not find where the incoming frame counter is stored.

Also I read from swpb022 that "Neighbor devices on a network have a neighbor table entry for the network frame counter value that a device had when it was last on the network", does that mean a device only stores the incoming frame counters for its neighbors in the neighbor table?

I also had trouble finding the NVID for the neighbor table? Is the neighbor table stored in the NV or in RAM? If the neighbor table is in RAM, does that mean the incoming frame counters are also stored in RAM and are not consistent between power cycles?

BR,

Shuyang

You are correct that outgoing frame counters are stored in ZCD_NV_EX_NWK_SEC_MATERIAL_TABLE and I have revised my original response as such.  The TC stores incoming and outgoing frame counters in APSME_TCLinkKeyNVEntry_t as part of ZCD_NV_EX_TCLK_TABLE.  I believe the sentence you are quoting from SWPB022 was made in error, as coordinator and router devices will rejoin the network and resume operations as if they never left.  The difference is if they have lost the networks security material (ex. factory reset) and wish to join the network, at which point the document says "If a device joins a network for a second time with new security material and an outgoing network frame counter of zero, the devices in that network will reject those frames as a security measure."  Thus the ZC monitors which devices are allowed in the network to avoid replay attacks.  Keep in mind that the frame counter should be persistence across factory new resets.  Also note that SSP_Info_t contains a frmCntr to validate incoming packets but that this is cleared when a router device resets.

Regards,
Ryan

Hi Ryan,

I think we are talking about different things. The frame counters in APSME_TCLinkKeyNVEntry_t are frame counters of the key, what I would like to know is the frame counter in the NWK auxiluary header, which is in the linkInfo_t struct.

I found that linkInfo_t is included in both associated_devices_t and neighborEntry_t, so the incoming frame counter is saved in both association table and neighbor table. My question is which table is used to check the incoming frame counter for a data indication? The association table is saved to NV while the neighbor table is not, if ZStack use the neighbor table to check the incoming frame counter, is there a risk of replay attack because it is not consistent between power cycles?

And I have another question about the outgoing frame counter, after the outing frame counter exceeds 0x8000000, is there follow-up actions from the stack except stopping the outing data being sent? For example, will the application layer know about it?

BR,

Shuyang