RE: MQTTSN with DTLS

maxbachmann — Mon, 03 Dec 2018 21:57:30 GMT

Hello Lukasz,

Thank you for the fast response. I totally missed that the default version already uses AES-128 for encryption. I am totally with you that adding DTLS on top of that is unneeded.

Max

RE: MQTTSN with DTLS

Lukasz Duda — Mon, 03 Dec 2018 19:00:13 GMT

Hello Max,

Glad to hear that you use nRF5 SDK for Thread. As you correctly spotted there is no example that shows MQTT-SN example with DTLS. Moreover this is the thoughtful choice.

If you look at the MQTT-SN specification (which is free and open-source) you can see that there are two virtual paths.

1) from MQTT-SN clients (nRF52840) to a MQTT-SN Gateway (e.g. Raspberry pi) - over UDP

2) from MQTT-SN Gateway to a MQTT broker over TCP

The path number 1 is fully encrypted using AES-128 and Thread embedded encryption. So addition of DTLS between those MQTT-SN Clients and MQTT-SN Gateway seems to be unneeded and resource hungry.

The path number 2 is based on regular MQTT (and TCP) which as you said you have some experienced with. Moreover if you log in to the Thread Border Router you can modify MQTT-SN Gateway configuration and use your favorite MQTT-SN Broker. You can also set up proper encryption there (TLS). Our MQTT-SN Gateway is based on the open source project Paho - https://github.com/eclipse/paho.mqtt-sn.embedded-c

However if I haven't convinced you and you still want to use DTLS, this is possible but it would require significant changes both in MQTT-SN Gateway and in MQTT-SN Clients implementations. For later you would most likely need to expose DTLS API in OpenThread. Right now, there is public API for CoAPs only (you would like to cut it one line below - on plain UDP). Please see this file (github.com/.../coap_secure.cpp) to get understanding how to use internal DTLS API.

Hope that helps!