I've turned on network-layer security/encryption for our router and coordinator running Z-Stack v1.2.2a using a pre-shared key and no link-layer security.
* #define SECURE = 1
* defaultKey = DEFAULT_KEY;
* zgPreConfigKeys = TRUE;
* zgApsLinkKeyType = ZG_GLOBAL_LINK_KEY;
* don't define TC_LINKKEY_JOIN
The secure router can associate with the coordinator and then performs Device Announcement using network-layer encryption. The coordinator begins talking to it with network-layer encrypted packets. That's great. However, a router with security turned off also can associate with the same secure coordinator and then just hangs out. It performs Device Announcement unsecured, the coordinator sends it an encrypted Transport Key message (all zeros because zgPreConfigKeys==TRUE) and then the coordinator keeps sending it network-level encrypted packets, which the un-secure router can't understand. But by being associated with the coordinator, it's taking up space in the routing/neighbor tables and could be used to attack the coordinator by exhausting the coordinator's allocated address tables.
At the network layer, how can my coordinator differentiate association requests from devices which are capable or not capable of secure communication before ever accepting the association request?
Looking at Wireshark captures, the Beacon Request -> Beacon -> Association Request -> Data Request -> Association Response sequence doesn't include capability information about the network layer, I guess because they're MAC-layer messages. The Frame Control Fields for them indicate Security=0/false and I assume that would later be used for the link layer security that ZigBee supports.
Side note:
* ZDApp_ProcessSecEvent->ZDSecMgrNewDeviceEvent->ZDSecMgrAssocDevAuth appears to automatically authenticate device association requests without verifying that the device requesting association actually is capable of secure communication. I thought the sequence was supposed to be Associate (unsecure) and then Authenticate?
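An added example, not part of the original post and not Z-Stack code: a stand-alone audit over captured ZigBee NWK headers that flags source short addresses sending frames with the NWK frame-control security bit (bit 9) clear, which is how the unsecured Device Announcement described above appears in a capture. It assumes every NWK frame on this network should be secured once a device has joined; the names (`nwk_frame_secured`, `audit_frame`, `flagged_t`) and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NWK_FC_SECURITY 0x0200u /* bit 9 of the NWK frame control field */
#define NWK_MIN_HDR_LEN 8u      /* FC(2) + dst(2) + src(2) + radius(1) + seq(1) */
#define MAX_FLAGGED     16u

typedef struct { uint16_t addr[MAX_FLAGGED]; size_t count; } flagged_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* 1 = NWK security bit set, 0 = clear, -1 = header too short to judge. */
int nwk_frame_secured(const uint8_t *nwk, size_t len)
{
    if (nwk == NULL || len < NWK_MIN_HDR_LEN) return -1;
    return (le16(nwk) & NWK_FC_SECURITY) ? 1 : 0;
}

/* Record the source short address of an unsecured frame (once per address).
 * Returns 1 if the frame was unsecured, 0 otherwise. A full table still
 * returns 1 so the caller can alert even when it cannot store the address. */
int audit_frame(flagged_t *f, const uint8_t *nwk, size_t len)
{
    if (nwk_frame_secured(nwk, len) != 0) return 0;
    uint16_t src = le16(nwk + 4);
    for (size_t i = 0; i < f->count; i++)
        if (f->addr[i] == src) return 1;
    if (f->count < MAX_FLAGGED) f->addr[f->count++] = src;
    return 1;
}

/* Constructed NWK headers: data frame, protocol version 2, broadcast 0xFFFD. */
static const uint8_t SECURED_ANNCE[]   = {0x08, 0x02, 0xFD, 0xFF, 0x2B, 0x1A, 0x1E, 0x01};
static const uint8_t UNSECURED_ANNCE[] = {0x08, 0x00, 0xFD, 0xFF, 0x4D, 0x3C, 0x1E, 0x01};
static const uint8_t TRUNCATED[]       = {0x08, 0x00, 0xFD};

/* Feed the constructed frames through the audit; returns flagged-address count. */
size_t audit_samples(flagged_t *f)
{
    audit_frame(f, SECURED_ANNCE, sizeof SECURED_ANNCE);
    audit_frame(f, UNSECURED_ANNCE, sizeof UNSECURED_ANNCE);
    audit_frame(f, UNSECURED_ANNCE, sizeof UNSECURED_ANNCE); /* repeat sender */
    audit_frame(f, TRUNCATED, sizeof TRUNCATED);             /* ignored */
    return f->count;
}

int main(void)
{
    flagged_t f = { {0}, 0 };
    size_t n = audit_samples(&f);
    for (size_t i = 0; i < n; i++) printf("unsecured NWK sender: 0x%04X\n", f.addr[i]);
    return 0;
}
```

What to do with a flagged address (for example, removing it from the association table) is left to the application and is not shown here.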