• State Not Answered
  • Replies 23 replies
  • Subscribers 74 subscribers
  • Views 5879 views
  • Users 0 members are here
Attachments (4) Download All
Nordic Case Info
  • Case ID: 249647
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

LWM2M + DTLS + NBIoT proper implementation

fastfox

Hi,

I am trying to implement energy efficient(batt powered) application for nrf9160, using UDP/DTLS/LWM2M as comm stack. Got "hello world" working, but now I am really confused about many details. Hope you can help me.

Question 1: Operator NAT/firewall rules and NRF9160 DTLS implementation

It looks like operator networks loose UDP port rules about after 1 minute of silence. This essentially means that UDP port number changes between consecutive packets sent from device to server if communications happens for example in every 10 minutes. This again means that DTLS connection would need to be resumed for it to work. It looks like resumption does not work in NRF or is not implemented at all? Effect is dramatic, you have to either ping server in <60s intervals or go through connection failure+re-register cycle every time you send anything.

Am I missing something here or how do people in general make things work? This ruins the whole idea of power save modes and LWM2M benefits. Is the only workaround to use MBED TLS stack instead?

Question 2: It looks like DTLS connection(to LWM2M bootstrap server) always ends to TLS ALERT sent by nrf91. Any idea why? Is this a feature? Other clients do not do that.

Question 3: Zephyr does not support QUEUE mode. If I understood the LWM2M spec correctly, QUEUE mode is exactly what low power NB-IoT application needs, but zephyr LWM2M stack does not support it. Do you have any idea how Nordic users tend to solve this? Implement queues as server side application on top of LWM2M? Use different LWM2M client?

Probably not the easiest questions and not all directly in Nordics domain, but I hope that you have some ideas how to make actual production quality app using NRF91. Thanks.

Parents
  • 0

    Hi.

     

    Question 1: Operator NAT/firewall rules and NRF9160 DTLS implementation

     In the DTLS header, there will be a session token indicating which DTLS session the packet belongs to.

    It is up to the server to decide if the session has timed out or not. So as long as all communication is initiated by the device, the NAT/firewall rules should not be a huge problem.

     

    It looks like resumption does not work in NRF or is not implemented at all?

     It is, but at the moment, there is a bug that can casue the modem to crash when (D)TLS session caching is enabled. The bug will be fixed in the next modem release.

     

    Question 2: It looks like DTLS connection(to LWM2M bootstrap server) always ends to TLS ALERT sent by nrf91. Any idea why? Is this a feature? Other clients do not do that.

     While I can not say for certain without more information (a modem trace is the most helpfull), I have two hyptohesis:

    1. The server's certificates are too large. The nRF9160 only supports TLS frames up to 2048 bytes.

    2. The nRF9160 does not support SNI at the moment. This will be added in the next modem release.

     

    Question 3: Zephyr does not support QUEUE mode. If I understood the LWM2M spec correctly, QUEUE mode is exactly what low power NB-IoT application needs, but zephyr LWM2M stack does not support it. Do you have any idea how Nordic users tend to solve this? Implement queues as server side application on top of LWM2M? Use different LWM2M client?

     Please take a look at https://github.com/NordicPlayground/fw-nrfconnect-nrf/pull/2252

    Best regards,

    Didrik

  • 0 in reply to Didrik Rokhaug

    Thanks for clarifications. Just to make sure that I understood this correctly

    Didrik Rokhaug said:

                It is, but at the moment, there is a bug that can casue the modem to crash when (D)TLS session caching is enabled. The bug will be fixed in the next modem release.

    As I am not seeing session resumption, it means that I have to explicitly enable the session caching somehow, right? What is the API? I found this post where it says that you have to use nrf_setsock_opt https://devzone.nordicsemi.com/f/nordic-q-a/55335/dtls-session-resumption-on-nrf9160-modem-fw-v1-1-0

    And the ?random? crashes caused by activating the cache will be fixed in 1.3.0, which will be release at unknown date?

    And to make this work right now, the only option is to not use offloaded NRF sockets at all, but something else instead, right?

  • 0 in reply to fastfox

    Do you know what the DTLS timeout on the server is?

    The modem assumes that the connection is valid, and will not initiate a new DTLS session unless the server rejects the old one.

    So what might have happened is that the modem tries to use the "old" session, which is still valid. That means that a new DTLS handshake is unnecessary, hence no client hello.

  • 0 in reply to Didrik Rokhaug

    That is a good question, I need to investigate that.

    I thought that it is up to the client to decide that, but it might very well be that it is somehow negotiated in initial handshake. Is there any default values for this timeout in modem or can it be adjusted somehow?

    I am not even sure what is the term to look for here. I think RFCs are talking about "idle timeout" and "session timeout" both meaning that session is no longer valid. But what we need is "do resumption timeout", which is network depended and always smaller than "idle timeout"Thinking

  • 0 in reply to Didrik Rokhaug

    Hi Didrik, how can the server reject the DTLS session when the communication is coming from a different IP address, and it doesn't recognise the packet?

    Is there some way for the nRF9160 to invalidate the DTLS session?

    Thanks,
    John

  • 0 in reply to fastfox

    I've tried to read all the related RFCs bacwards and fowards, but can't really find any detail spec/timer/something about "When should client do session resumption" There are some hints e.g. in https://tools.ietf.org/html/rfc7925

    For the case where the IP address and port number
changes, it is necessary to recreate the record layer using
session resumption.

    and LWM2M spec itself http://openmobilealliance.org/release/LightweightM2M/V1_0_2-20180209-A/OMA-TS-LightweightM2M-V1_0_2-20180209-A.pdf

    Note: During
the time the LwM2M Client has been sleeping the IP address assigned to it may have been released and / or existing
NAT bindings may have been released. If this is the case, then the client needs to re-run the DTLS handshake with
the LwM2M Server since an IP address and/or port number change will destroy the existing security context. For
performance and efficiency reasons it is RECOMMENDED to utilize the DTLS session resumption.

    So my conclusion is that it is CLIENT side implementation detail about when to do resumption. And since client can't really know when IP address changes, I would assume that NRF91 has some internal logic to start the resumption. Whether it is a hardcoded timeout, configurable timeout or something else, I hope that can shed some more light here

  • 0 in reply to fastfox

    Yes, I think it needs to be a configurable timeout, as it is network dependent, and using the worst case of 20 seconds would cut short the access window from the server, if your network keeps the session for 2 minutes for example.

Reply Children
No Data
Related
Terms of service