https://devzone.nordicsemi.com/f/nordic-q-a/122058/is-there-any-way-to-reject-gzp-system-address-requestI&#39;m using the nRF52840 and Gazell Pairing (GZP) to develop a device network. Because I need bi-directional communication, I am not using GZP&#39;s encryption feature, as it does not support host-to-device communication when encryption is enabled. When encryptionen-USTelligent Community 13Wed, 18 Jun 2025 11:11:55 GMThttps://devzone.nordicsemi.com/thread/539690?ContentTypeID=1Wed, 18 Jun 2025 11:11:55 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f42408a7-1689-407f-b560-9d7b30154e93Hung Bui<p>Hi, <br />Glad that you find a solution. Feel free to reopen this ticket or create a new ticket if you have further question.&nbsp;</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/539671?ContentTypeID=1Wed, 18 Jun 2025 09:04:41 GMT137ad170-7792-4731-bb38-c0d22fbe4515:8588be14-d5f6-489c-8bc1-5f023fb2720bkiterai<p>You have helped me a lot. I decided to implement pairing layer on Gazell Link Layer by oneself.</p> <p>Thank you!</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/538975?ContentTypeID=1Thu, 12 Jun 2025 09:01:56 GMT137ad170-7792-4731-bb38-c0d22fbe4515:6d494cac-0ca5-4bd7-8020-dfefa93682f8Hung Bui<p>Hi Kiterai,&nbsp;</p> [quote user="kiterai"]But if I understand correctly, you&#39;re saying that rejecting packets from unpaired devices requires encryption. Is that correct?[/quote] <p>Correct, without encryption the GZL will accept any host that has correct address and use the correct channel in the correct time.&nbsp;<br /><br /><br /></p> [quote user="kiterai"]- Would it be built on top of the Gazell Link Layer, or on top of GZP? Would I need to manage the pipes manually, such as by setting base addresses?[/quote] <p>You can choose to build it on top of GZP or GZL (note that GZP code is available and you can modify it). But I am afraid the Gazel link layer will just send ACK back on any packet sent to the correct host address and correct pipe.&nbsp;</p> [quote user="kiterai"]- Are packets automatically filtered by Gazell, or would the added layer need to inspect packets and forward only the valid ones? Would the host still send ACKs to invalid devices?[/quote] <p>As I mentioned above GZL link layer will just ack to any packet.&nbsp;</p> <p>Note that you can not control ACK but you can stil control of the packet is from a valid device or not using your own proprietary encryption/pairing.&nbsp;</p> <p>To be able to control the ACK, I think you would need to start your own protocol based on top of ESB (which Gazel based on top). ESB doesn&#39;t have encryption or channel hopping.&nbsp;<br /><br />Another option you can look at is BLE. Gazel is quite old protocol and it&#39;s made focusing heavily on mouse&amp;keyboard application.&nbsp;<br /><br /></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/538771?ContentTypeID=1Wed, 11 Jun 2025 09:00:13 GMT137ad170-7792-4731-bb38-c0d22fbe4515:62c2f37b-9e11-40f8-8282-652eafe2551dkiterai<p>Thanks for your answer.<br /><br />Since I&#39;m using GZP, I believe it assigns pipes automatically. Although I don&#39;t fully understand the internal implementation of GZP, I can ignore packets from devices that haven&#39;t been paired.<br /><br />My main requirements are bi-directional communication, support for multiple devices, and the ability to reject packets from unpaired devices. I&#39;m not particularly interested in encryption itself. But if I understand correctly, you&#39;re saying that rejecting packets from unpaired devices requires encryption. Is that correct?<br /><br />I&#39;m also not sure how I could implement another encryption layer. If I were to do that, how would it work?<br /><br />- Would it be built on top of the Gazell Link Layer, or on top of GZP? Would I need to manage the pipes manually, such as by setting base addresses?<br /><br />- Are packets automatically filtered by Gazell, or would the added layer need to inspect packets and forward only the valid ones? Would the host still send ACKs to invalid devices?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/538251?ContentTypeID=1Thu, 05 Jun 2025 13:54:13 GMT137ad170-7792-4731-bb38-c0d22fbe4515:381c5ff3-fee1-425b-b24a-99cd112776e8Hung Bui<p>Hi Kiterai,&nbsp;<br />You are correct that when using encryption it&#39;s not possible to send ACK back as the ACK is used to send the AES counter. See here:&nbsp;<a href="https://devzone.nordicsemi.com/f/nordic-q-a/32865/gazell-bi-directional-communication-between-paired-devices">Gazell bi-directional communication between paired devices</a></p> <p>As far as I remember in the HID application (the main use case for Gazell pairing) we use a unencrypted channel to send data from the host to the device , for example to turn on Caplock.&nbsp;</p> <p>How do you assign the unencrypted pipe to the devices ? Can you reject a packet&nbsp;from a pipe that has not been assigned ?&nbsp;<br /><br />As far as I know there is no encryption or protection in Gazell link layer to avoid unwanted device to send a message or to know the channel mapping. So it doesn&#39;t mater if you can reject&nbsp;System Address Request, an attacker an always listen to a channel and get the address and the timing of the channel to transmit data.&nbsp;<br /><br /></p> <p>I&#39;m thinking of you may need to implement another layer of encryption on the unencrypted pipe. We didn&#39;t have this problem because on the HID application the opposite direction was not very critical (to send CAPLOCK, NUMLOCK to the keyboad).&nbsp;</p><div style="clear:both;"></div>