How to configure DTLS and CoAP idle timeout in nRF9160?

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

StefanHri — Mon, 25 Jul 2022 21:44:42 GMT

An alternative solution is to exchange DTLS with EDHOC and OSCORE which are new standards from IETF. You can find a free open source implementation of EDHOC and OSCORE suitable for constrained devices under uoscore-uedhoc and more background in our paper.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Achim Kraus — Mon, 25 Jul 2022 16:04:23 GMT

In difference to one year ago, DTLS 1.2 Connection ID is published as RFC9146.

I spent some time last year in implementing the feature as well for Eclipse/tinyDtls - feature branch Connection ID. And since June this year (2022), I also published a simple demonstration client for zephyr and the Thingy:91 see zephyr-coaps-client. It also considers the "RRC connection" delays (mainly happens with NB-IoT) for the DTLS and CoAP timeouts. All together very efficient and reliable.

It still only works, if the device initiates the communication. And it's not LwM2M, only CoAP.

Anyway, if you're interested in a preview of DTLS 1.2 CID, try it out.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

MehdiChelouah — Mon, 25 Jul 2022 15:38:55 GMT

Hello Björn,

Did you find a way to make it work ?

I'm facing exactly the same issue 2 years later.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Achim Kraus — Fri, 21 May 2021 10:22:20 GMT

Yes, if that's the requirement, your device will never sleep :-).

(AFAIK, some providers offers "private network setups", where the addresses are more sticky/static. But that depends on your provider and your contracts.)

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Tiago Costa — Fri, 21 May 2021 10:16:01 GMT

Thanks for clarifying. Yes, that is the issue I'm facing, as the server initiates communication after the quiet period. I've wrongly interpreted that the connection id could be implemented at the NAT infrastructure somehow and overcome this limitation. But since that's not the case and because I need my clients to be always reachable by the server at all times, I'll need to keep sending packets to prevent the NAT timeout unfortunately.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Achim Kraus — Fri, 21 May 2021 10:08:21 GMT

Using CID "replaces the resumptions". Nothing in the middle must support it, only the clients and servers. As long, as the client starts the communication after a quiet period, the server will be able to "update the client's ip-address" and send messages back.

Only, if the server initiates the communication after the quiet period, that doesn't work. That seems to be a general issue for IP, even for TCP. Once the "route/connection" is gone, you can't reestablish it from the server, if the client has no known reachable address.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Tiago Costa — Fri, 21 May 2021 09:52:33 GMT

Thanks for pointing that out! I'm not sure if connection ids also apply to server-to-client interactions as I could only find examples of client-to-server session resumption.

In case connection ids should work for server-to-client interactions, after some tests, it seems that my current Mobile Network Operator NAT does not seem to support handling of connection ids, so after the NAT timeout period my nrf9160 client can no longer receive requests from the LwM2M server until the next registration update.

I believe DTLS session resumption is enabled in the nrf9160 SDK 1.4.2 that I'm currently using for testing, although I'm not entirely sure, and I have enabled connection ids in my Leshan test server.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Achim Kraus — Thu, 20 May 2021 18:01:19 GMT

Just as outlook:

Once draft-ietf-tls-dtls-connection-id may get more adopted, many DTLS/CoAP problems caused by NATs will disappear. Using Eclipse/Californium you may have a preview of that (if you use Eclipse/Leshan its a question to configure it). The downside of today is, that this requires to use an application level client and the modem just for UDP transfer.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Tiago Costa — Thu, 20 May 2021 12:04:59 GMT

I've have recently ran into the same issue: since the mobile network operator is implementing a timeout for UDP NAT rules, I could not extend the LwM2M register update beyond 120 seconds in my case. However, this would mean the nrf9160 would consume a significant amount of overhead data just to keep the connection alive.

The best solution, as far as I'm aware at the moment, is to increase the LwM2M register update period to save mobile data and periodically send UDP packets (with no payload) to the socket less than 120 seconds apart (or whatever the UDP NAT timeout period is for a given operator). This seems to be enough to keep the socket alive at the operator side and avoid the NAT timeout issue, while minimizing the overhead data usage.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Didrik Rokhaug — Mon, 06 Apr 2020 14:07:56 GMT

According to the modem team, the modem team makes no assumptions about the validity of the session.

It is up to the server to check if the session is still valid. If it is not, the server will respond with an error. However, that error might get lost due to the NAT timeout I have already mentioned.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Didrik Rokhaug — Fri, 03 Apr 2020 10:17:47 GMT

Hi.

First of all, I am sincerely sorry for the long wait (again).

As the modem is delivered as a compiled application, only runtime configuration is possible. FOr the LTE stack, this is done through AT commands, while for the IP stack it is done through socket options. You are therefore limited to the socket options that can be set through bsdlib.

When it comes to the application level protocols, those run on the application core and can be configured by Kconfig or replaced/rewritten partially or fully.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Bjorn191023 — Thu, 19 Mar 2020 12:30:59 GMT

Hi Didrik,

Thanks for your response.

[quote userid="81181" url="~/f/nordic-q-a/58730/how-to-configure-dtls-and-coap-idle-timeout-in-nrf9160/240623"]I have not gotten any answers to your questions from our developers yet.[/quote]

Ok, let me know when you hear something. I am interested in 1) what are the default timeouts in the modem and 2) can they be changed

[quote userid="81181" url="~/f/nordic-q-a/58730/how-to-configure-dtls-and-coap-idle-timeout-in-nrf9160/240623"]At the end of the last reply, I suggest a method that might let you use a non-offloaded IP stack. Note that we have not tested that, so I can not guarantee that it works.[/quote]

Sorry, this is not an option for us. We dont have enough flash.

[quote userid="81181" url="~/f/nordic-q-a/58730/how-to-configure-dtls-and-coap-idle-timeout-in-nrf9160/240623"]Did you get a reply from your network operator?[/quote]

[quote userid="81181" url="~/f/nordic-q-a/58730/how-to-configure-dtls-and-coap-idle-timeout-in-nrf9160/240623"]While they might have different timeouts, the timeouts we have seen are typical <1 minute. SO I would not dismiss the possibility that the problem is caused by the networks NAT policy[/quote]

Yes, you are right. I will approach them to rule out the possibility.

BR / Björn

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Didrik Rokhaug — Thu, 19 Mar 2020 12:09:14 GMT

Hi, and sorry for the long wait.

I have not gotten any answers to your questions from our developers yet.

However, you might be interested in this ticket: https://devzone.nordicsemi.com/f/nordic-q-a/58817/nrf9160-lwm2m-with-mbedtls

At the end of the last reply, I suggest a method that might let you use a non-offloaded IP stack. Note that we have not tested that, so I can not guarantee that it works.

But, if it does work, you should then be able to use the Kconfig options that you have found.

Did you get a reply from your network operator?

While they might have different timeouts, the timeouts we have seen are typical <1 minute. SO I would not dismiss the possibility that the problem is caused by the networks NAT policy.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Didrik Rokhaug — Fri, 06 Mar 2020 12:56:06 GMT

Hi.

I'll have to talk to the R&D team to be able to answer you properly.

However, I can confirm that CONFIG_NET_SOCKETS_DTLS_TIMEOUT will not affect anything when socket offloading is enabled.

I am not able to find any references to CONFIG_NET_APP_DTLS_TIMEOUT, so I can not comment on that.

I'd also appreciate a modem trace, so that we can rule out any network related problems.

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Bjorn191023 — Fri, 06 Mar 2020 08:41:29 GMT

Hi,

I have tested another operator with LTE-M and I see the same behavior. That indicates it's not an operator problem...of course, both operators could have the same problem, but less likely.

I hope Nordic can guide me how to configure the session idle timeout.

BR / Björn

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Bjorn191023 — Thu, 05 Mar 2020 15:03:36 GMT

Hi Markus,

No, I haven't. I will do that.

But still I would like to understand if idle timeout can be configured in Zephyr. I have found a config CONFIG_NET_APP_DTLS_TIMEOUT that looks promising, but I'm not sure it is applicable to the offloaded DTLS implementation. There is also CONFIG_NET_SOCKETS_DTLS_TIMEOUT, which has a different description.

BR / Björn

RE: How to configure DTLS and CoAP idle timeout in nRF9160?

Markus Tacker (he/him) — Thu, 05 Mar 2020 12:56:54 GMT

Have you confirmed with your network provider that they actually support the idle timeout times that you are looking to achieve?

Networks will keep the UDP NAT rules for bidirectional communication up only for a limited time and what you describe does actually look more like you are hitting these limitations.