
Use of GATT security (peer_manager) when using the MESH_PROXY feature of a mesh/ble coexistence.

Our original BLE stack application on the nrf52840 has integrated encryption. It uses LESC with MITM and bonding.

I have gotten a certain level of run time success with BLE and MESH coexistence on our platform.

nrf5_SDK_17.0.2

nrf5_SDK_for_Mesh_v5.0.0

I can successfully provision the device and retrieve mesh model values from the provisioned device.

If I enable MESH_FEATURE_GATT_PROXY_ENABLED in the mesh SDK, I can see GATT before and after provisioning (however, after provisioning it gets dicey, with the GATT coming in and out of being seen by nRF Connect on iOS).

We are working on adding mesh alongside our standard BLE GATT program.

My questions are:

If I want to access all the BLE GATT characteristics that I had set up originally in strict BLE with BLE/MESH coexistence, do I need

MESH_FEATURE_GATT_PROXY_ENABLED as defined in nrf_mesh_config_app.h?

It certainly feels like it. If I successfully mesh provision the device and I don't have MESH_FEATURE_GATT_PROXY_ENABLED, the device seems
to no longer advertise all the standard GATT characteristics we've setup.

If I want GATT after mesh provisioning, do I need MESH_FEATURE_GATT_PROXY_ENABLED?

Second question:

If I have turned bonding/pairing/encryption on multiple GATT characteristics in standard BLE, can I still use this encryption in mesh coexistence with mesh proxy enabled?
Do I need it?

It appears that pairing/bonding might not be supported with mesh proxy as indicated by this area of source code in mesh_gatt.c

        // mesh_gatt.c: the proxy GATT handler answers every pairing request
        // from the connected peer with "pairing not supported", so the proxy
        // connection is never encrypted or authenticated.
        case BLE_GAP_EVT_SEC_PARAMS_REQUEST:
            NRF_MESH_ERROR_CHECK(sd_ble_gap_sec_params_reply(p_ble_evt->evt.gap_evt.conn_handle,
                                                             BLE_GAP_SEC_STATUS_PAIRING_NOT_SUPP,
                                                             NULL,
                                                             NULL));

So far, I can access unencrypted characteristics before and after provisioning the mesh stack, but I error out if any of the characteristics with enhanced security are accessed at any time.

This is the previous definition of security on the characteristics in question:

//// Security parameters used to initialize peer_manager.
#define SEC_PARAM_BOND                  1                                           /**< Perform bonding. */
#define SEC_PARAM_MITM                  1                                           /**< Man In The Middle protection required (applicable when display module is detected). */
#define SEC_PARAM_LESC                  1                                           /**< LE Secure Connections enabled. */
#define SEC_PARAM_KEYPRESS              0                                           /**< Keypress notifications not enabled. */
#define SEC_PARAM_IO_CAPABILITIES       BLE_GAP_IO_CAPS_DISPLAY_ONLY                /**< Display I/O capabilities. */
#define SEC_PARAM_OOB                   0                                           /**< Out Of Band data not available. */
#define SEC_PARAM_MIN_KEY_SIZE          7                                           /**< Minimum encryption key size. */
#define SEC_PARAM_MAX_KEY_SIZE          16                                          /**< Maximum encryption key size. */


//// peer_manager init: security parameters to be used for all security procedures
//// (sec_param is a ble_gap_sec_params_t passed to pm_sec_params_set()).
sec_param.bond           = SEC_PARAM_BOND;
sec_param.mitm           = SEC_PARAM_MITM;
sec_param.lesc           = SEC_PARAM_LESC;
sec_param.keypress       = SEC_PARAM_KEYPRESS;
sec_param.io_caps        = SEC_PARAM_IO_CAPABILITIES;
sec_param.oob            = SEC_PARAM_OOB;
sec_param.min_key_size   = SEC_PARAM_MIN_KEY_SIZE;
sec_param.max_key_size   = SEC_PARAM_MAX_KEY_SIZE;
sec_param.kdist_own.enc  = 1;
sec_param.kdist_own.id   = 1;
sec_param.kdist_peer.enc = 1;
sec_param.kdist_peer.id  = 1;


// The characteristic attribute read and write permissions are set with
// BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM() on the attribute metadata
// (attr_md is the characteristic's ble_gatts_attr_md_t):
BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&attr_md.read_perm);
BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&attr_md.write_perm);

I referenced the example of PB-GATT turn on in the example provided here:

https://devzone.nordicsemi.com/f/nordic-q-a/53837/including-nrf5-sdk-for-mesh-functionality-in-an-nrf5-sdk-example/235538#235538

We also need PB-GATT as we want to provision via phone.

  • Hi

    1. MESH_FEATURE_GATT_PROXY_ENABLED does indeed need to be enabled. You also need to include the gatt proxy header files and add the gatt proxy C files to your project, but please note that this is already done in most examples in the nRF Mesh SDK.

    2. Bluetooth Mesh does not use the same encryption as a BLE connection/bond does. Mesh uses the provisioning process as well as Key management for managing encryption keys known to each device.

    Best regards,

    Simon

  • Thank You for the reply.

    That's interesting....

    Yeah, I suppose I don't follow. In the mesh coexistence examples, MESH_FEATURE_PB_GATT_ENABLED and MESH_FEATURE_GATT_PROXY_ENABLED are both not enabled, and services are started as usual and show up as usual. I only went down the MESH_FEATURE_GATT_PROXY_ENABLED path as I wanted MESH_FEATURE_PB_GATT_ENABLED to allow provisioning via a phone. I might not be following. I don't think I am.

    I guess I don't understand. I can still access GATT characteristics without provisioning when I have MESH_FEATURE_GATT_PROXY_ENABLED turned on. However, I start my services with unsecure characteristics regardless of whether the device is provisioned or not.

    Maybe I would only start these services and characteristics once the device is provisioned?

    So peer manager isn't used at all when using mesh coexistence with proxy to access BLE GATT characteristics? Initializing peer_manager is not needed?

    How could I restrict access to a GATT characteristic? Previously I had relied on Peer Manager and bonding/pairing/keys  to do this.

    I apologize for my confusion. Working to get a better handle on it.

    I have also noticed that after I have provisioned my mesh coexistence device I am sometimes intermittently losing the device's advertised services as seen in the iOS nRF Connect application. I have a feeling this is due to radio sharing between BLE and MESH? Would it be possible to momentarily give BLE services full radio access when BLE queries BLE services and resume mesh once the BLE device disconnects? This could be related to something else as well, I'm not sure yet.

  • Hi

    Coexistence between BLE and mesh is a bit tricky, so I understand your confusion.

    Yes, the GATT characteristics will be accessible even though a device is not provisioned, as BLE Mesh and "regular" BLE use separate security methods (provisioning for Mesh and pairing with encryption for BLE). I don't think the GATT characteristics will be secure if you provision devices before starting services/characteristics.

    ccasebeer said:
    I have also noticed that after I have provisioned my mesh coexistence device I am sometimes intermittently losing the devices advertised services as seen in ios NRF Connect application. I have a feeling this is due to radio sharing between BLE and MESH?

    Is this noticed while proxy is enabled? It sounds like it could be due to the radio sharing indeed. It should be possible to let the SoftDevice take over the radio when needed to my recollection. When it comes to sharing of the radio, please check out the user guide we have on the topic here.

    Best regards,

    Simon
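    The two security systems Simon describes are separate, and the mesh_gatt.c snippet quoted in the question shows why the MITM-protected characteristics error out over a proxy connection: the proxy answers every pairing request with PAIRING_NOT_SUPP, so that link never rises above security mode 1 level 1, while an attribute set with BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM() requires mode 1 level 3. The following stand-alone C model is added here to make that visible; it is not code from the thread, the nRF5 SDK or the SoftDevice. The struct, macro and status names mirror ble_gap.h / ble_gatt.h but are redefined locally so the file compiles without the SDK, the error-code choice for an unencrypted link is this model's convention, and the scenario values are constructed.

```c
/* Added example: model of the attribute permission check a BLE stack performs
 * against a link's security level. NOT SoftDevice / nRF5 SDK code; names are
 * chosen to map back to ble_gap.h and ble_gatt.h. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Mirrors ble_gap_conn_sec_mode_t: security mode and level of a link or attribute. */
typedef struct {
    uint8_t sm;   /* security mode: 1 = encryption based (mode 2, signing, not modelled) */
    uint8_t lv;   /* level within the mode */
} conn_sec_mode_t;

/* Same mode/level values as the BLE_GAP_CONN_SEC_MODE_SET_* macros in ble_gap.h. */
#define SEC_MODE_SET_OPEN(p)                do { (p)->sm = 1; (p)->lv = 1; } while (0)
#define SEC_MODE_SET_ENC_NO_MITM(p)         do { (p)->sm = 1; (p)->lv = 2; } while (0)
#define SEC_MODE_SET_ENC_WITH_MITM(p)       do { (p)->sm = 1; (p)->lv = 3; } while (0)
#define SEC_MODE_SET_LESC_ENC_WITH_MITM(p)  do { (p)->sm = 1; (p)->lv = 4; } while (0)

/* ATT status values as in BLE_GATT_STATUS_ATTERR_* (ble_gatt.h). */
#define GATT_STATUS_SUCCESS              0x0000
#define GATT_STATUS_INSUF_AUTHENTICATION 0x0105
#define GATT_STATUS_INSUF_ENCRYPTION     0x010F

/* Status of a read/write of an attribute requiring `required`, over a link at `link`.
 * Mode 1 levels: 1 = no security, 2 = unauthenticated encryption,
 * 3 = authenticated (MITM) encryption, 4 = authenticated LESC encryption. */
uint16_t attr_access_check(conn_sec_mode_t link, conn_sec_mode_t required)
{
    if (required.sm != 1 || required.lv <= 1) {
        return GATT_STATUS_SUCCESS;              /* open attribute */
    }
    if (link.sm != 1 || link.lv < 2) {
        /* Link not encrypted at all. This model reports "insufficient
         * authentication" when the attribute needs MITM protection and
         * "insufficient encryption" when it only needs encryption. */
        return required.lv >= 3 ? GATT_STATUS_INSUF_AUTHENTICATION
                                : GATT_STATUS_INSUF_ENCRYPTION;
    }
    if (link.lv < required.lv) {
        return GATT_STATUS_INSUF_AUTHENTICATION; /* encrypted, but not authenticated enough */
    }
    return GATT_STATUS_SUCCESS;
}

/* Convenience wrapper: compare raw mode-1 levels. */
uint16_t check_levels(uint8_t link_lv, uint8_t required_lv)
{
    conn_sec_mode_t link = { 1, link_lv };
    conn_sec_mode_t required = { 1, required_lv };
    return attr_access_check(link, required);
}

/* Models the effect of the mesh_gatt.c handler quoted in the question: when the
 * pairing request is rejected (PAIRING_NOT_SUPP) the link stays at mode 1 level 1.
 * When Peer Manager accepts it, the level follows the agreed MITM/LESC options. */
conn_sec_mode_t link_after_pairing_request(bool pairing_accepted, bool mitm, bool lesc)
{
    conn_sec_mode_t link;
    SEC_MODE_SET_OPEN(&link);
    if (!pairing_accepted) {
        return link;                             /* proxy path: stays unencrypted */
    }
    if (mitm && lesc)  SEC_MODE_SET_LESC_ENC_WITH_MITM(&link);
    else if (mitm)     SEC_MODE_SET_ENC_WITH_MITM(&link);
    else               SEC_MODE_SET_ENC_NO_MITM(&link);
    return link;
}

/* Constructed scenario from the thread: a characteristic whose read_perm was set
 * with *_SET_ENC_WITH_MITM(), read over (a) a proxy link that rejected pairing and
 * (b) a link paired by Peer Manager with SEC_PARAM_LESC = 1, SEC_PARAM_MITM = 1. */
uint16_t thread_scenario(bool proxy_rejects_pairing)
{
    conn_sec_mode_t read_perm;
    SEC_MODE_SET_ENC_WITH_MITM(&read_perm);
    conn_sec_mode_t link = link_after_pairing_request(!proxy_rejects_pairing, true, true);
    return attr_access_check(link, read_perm);
}

int main(void)
{
    printf("read over proxy link:   0x%04x\n", thread_scenario(true));   /* 0x0105 */
    printf("read over bonded link:  0x%04x\n", thread_scenario(false));  /* 0x0000 */
    return 0;
}
```

    The model makes the practical consequence concrete: while the proxy's handler rejects pairing, a characteristic protected with ENC_WITH_MITM is unreachable on that connection, so the choice is between serving the characteristic on a non-proxy connection that Peer Manager can pair, or protecting it by some means other than link security.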

  • It is noticed when proxy is enabled.

    I'm still not 100% sure that I need proxy and I don't fully understand proxy.

    I don't need to transmit GATT within the mesh network, or over the mesh network. My understanding is that proxy proxies GATT through the mesh network. I only need to access BLE GATT on the single node...the user will always walk up to that node with a phone.

    However, if I turn off proxy I lose all access to my GATT services altogether.

    Interesting. Again, I appreciate the help.

  • I'm not sure why you would lose access to your GATT services over regular BLE if proxy is disabled. How exactly have you set up your GATT services in this node? Are they related to the mesh network at all? It seems to me they shouldn't be. Also, what kind of connection are you using (and planning to use) between this node and the phone?

    Best regards,

    Simon
