
LWM2M Carrier Library Limitations

Questions regarding the limitations w/ the nRF9160 when using the lwm2m carrier library. From my understanding this library is required by certain carriers. Reading through the requirements and application limitations section there are these lines:
The LwM2M carrier library uses the TLS socket for FOTA.

    If the application is using the TLS socket, it must immediately close it when the LWM2M_CARRIER_EVENT_FOTA_START event is received.

    If the application needs a TLS socket at all times, it can use Mbed TLS.

The LwM2M carrier library uses both the DTLS sessions made available through the modem. Therefore, the application cannot run any DTLS sessions.


1. If we have to include this library, how can we also include application code for our lwm2m client w/ DTLS? Are there specific configs that need to be enabled/modified?
2. Where can I find information on the IP stack capabilities of the modem and how they are allocated? I have searched through the docs and modem firmware/library changelogs but came up empty unfortunately

  • Hi,

    2. Where can I find information on the IP stack capabilities of the modem and how they are allocated? I have searched through the docs and modem firmware/library changelogs but came up empty unfortunately

    What exactly are you looking for?

    The modem FW release notes (inside the modem FW .zip) and the modem_lib documentation are the best places to look for information about the modem.

    Perhaps the most relevant for this ticket is this section from the modem release notes:

    - TLS/DTLS
        - Up to three simultaneous TLS/DTLS connections are possible.
        - Maximum server certificate chain size has a limit of 4kB.
        - Server certificate expiry time is not verified.
        - pkcs#8 is not supported.
        - Absolute maximum number of supported credentials is 32. The actual amount depends on size of credentials as memory area reserved for credentials may be a limiting factor as well.
        - DTLS supports PSK authentication only.
        - 2kB secure socket buffer size.

    Note that the maximum number of simultaneous TLS/DTLS connections depends on the mix of TLS and DTLS connections. However, I could not find a place listing the different combinations.

    1. If we have to include this library, how can we also include application code for our lwm2m client w/ DTLS? Are there specific configs that need to be enabled/modified?

    Not with the TLS/DTLS stack in the modem.

    However, it is possible to not offload the TLS/DTLS stack, though at a significant flash and RAM cost in the application. We don't have any samples showing this for DTLS, but you can see how it is done for TLS (the procedure should be similar for DTLS) in the https_client sample: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.9.0/nrf/samples/nrf9160/https_client/README.html#using-mbed-tls-and-tf-m 

    Best regards,

    Didrik

  • Awesome, thank you for digging that up for me. I'm sorry I was not able to find that on my own. Based on this, I think I have a better understanding. I will do some digging into the sample you pointed to and see if I have any more questions.

  • I think I have one last related question. Is it possible to use a mix of offloaded and non-offloaded sockets? As in 1 TLS connection is offloaded to the modem and handled as specified by the carrier library limitations, while additional TLS/DTLS connections are handled on the application core?

    I ask more out of understanding the technical limitations; I think for simplicity we would keep the TLS/DTLS all non-offloaded with an application which required the LWM2M carrier library.

  • wh-eric said:
    Is it possible to use a mix of offloaded and non-offloaded sockets? As in 1 TLS connection is offloaded to the modem and handled as specified by the carrier library limitations, while additional TLS/DTLS connections are handled on the application core?

    I haven't tried this myself, but I believe it is possible with the use of the SOCK_NATIVE_TLS socket flag. For the offloaded sockets, you simply don't use the flag, while you do use it for the non-offloaded/native sockets.

    From the modem perspective, it should be just the same as you opening a mix of TLS/DTLS and unencrypted TCP/UDP sockets.
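
An added example in C (not from this thread or from Nordic's SDK) of the mix the reply describes: DTLS always native, at most one modem-offloaded TLS socket, and that socket closed when the carrier library raises LWM2M_CARRIER_EVENT_FOTA_START. On target, SOCK_NATIVE_TLS, IPPROTO_TLS_1_2, IPPROTO_DTLS_1_2 and the event name come from the SDK headers; the placeholder values and the app_* helper names are assumptions so the logic compiles and runs on a host.

```c
#include <stdbool.h>
#include <sys/socket.h>
#include <unistd.h>
/* On target these come from the SDK's socket and lwm2m_carrier headers; the
 * values here are host-build placeholders (assumption), not the SDK's numbers. */
#ifndef SOCK_NATIVE_TLS
#define SOCK_NATIVE_TLS 0x80
#define IPPROTO_TLS_1_2 258
#define IPPROTO_DTLS_1_2 273
#endif
#ifndef LWM2M_CARRIER_EVENT_FOTA_START
#define LWM2M_CARRIER_EVENT_FOTA_START 8
#endif

/* The single application socket allowed on the modem TLS stack; the carrier
 * library needs that stack for FOTA, so it is closed on FOTA_START. */
static int offloaded_tls_fd = -1;

/* SOCK_NATIVE_TLS makes Mbed TLS on the application core terminate the session;
 * without it the modem does. DTLS is always native: the carrier library owns both modem DTLS sessions. */
int app_socket_type(bool native_tls, bool dtls)
{
	int type = dtls ? SOCK_DGRAM : SOCK_STREAM;
	return native_tls ? (type | SOCK_NATIVE_TLS) : type;
}

/* Record a socket that was opened without SOCK_NATIVE_TLS (modem-offloaded). */
void app_adopt_offloaded_tls(int fd) { offloaded_tls_fd = fd; }

/* Open an application (D)TLS socket; TLS is offloaded only while the modem
 * TLS slot is free, every further connection goes native. */
int app_open_tls_socket(bool dtls)
{
	bool native = dtls || offloaded_tls_fd >= 0;
	int fd = socket(AF_INET, app_socket_type(native, dtls),
			dtls ? IPPROTO_DTLS_1_2 : IPPROTO_TLS_1_2);
	if (fd >= 0 && !native) app_adopt_offloaded_tls(fd);
	return fd;
}

/* Call from lwm2m_carrier_event_handler() with event->type. Returns true when
 * the offloaded TLS socket was closed to hand the modem TLS stack to FOTA. */
bool app_on_carrier_event(int event_type)
{
	if (event_type != LWM2M_CARRIER_EVENT_FOTA_START || offloaded_tls_fd < 0) {
		return false;
	}
	close(offloaded_tls_fd);
	offloaded_tls_fd = -1;
	return true;
}
```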
