
NetJoin

Nitin Gupta edited this page Apr 17, 2017 · 7 revisions

Network Joining Protocol

The Network Joining Protocol used by XIA devices to join networks is built with extensibility in mind. It allows a network access point, router or SDN controller to advertise its network and lets devices join the advertised network.

The protocol comprises two distinct sub-protocols: NDAP and JACP.

Network Discovery and Advertisement Protocol

This protocol allows a network entity such as access point, router or SDN controller to announce the available networks that clients can join. These announcements describe the available networks (XIA and others) and the credentials needed to join each of them in the form of a directed acyclic graph. The announcement beacons are broadcast periodically.

For a very detailed description of the NDAP protocol, see the NDAP Message Spec (link available to developers only).

Join Auth and Configuration Protocol

After a client receives an NDAP network announcement as described above, it reviews its own capabilities and the user-defined policy to decide whether it can join the network. Once a decision to join is made, JACP is used to establish all necessary connectivity between the joining client and the network advertiser. We typically complete client authentication, layer-2 association and configuration, and layer-3 configuration within four handshake messages, i.e. two round-trip times.

The user-defined policy is currently very simple and lives in the Netjoin Policy Module. Its entry point is the join_sender_of_beacon() function: every received network announcement is forwarded to this function, which decides whether or not to join that network (link available to developers only).

For a very detailed specification, see the JACP Message Spec (link available to developers only).

Impact on Mobility

The network joining protocol is a very significant improvement for mobility: devices can associate, authenticate and join a network in as little as two round-trip times between the client and the access point, which makes scenarios such as moving cars joining access points along the road practical. This is accomplished without giving up security: the connections are backed by trusted credentials held by the devices, and every handshake message is encrypted.

Impact on Security

We use an ephemeral Diffie-Hellman key exchange on Curve25519 (X25519) to establish a secure connection between the connecting devices from the very first message; both sides use fresh key pairs for each join session. The first message (the join request) also carries the response to a challenge that the network presented in its announcement. Authentication between the joining entities relies on the client and gateway credentials that the devices present to each other; the key exchange alone only protects against passive observers, so a client should not act on any configuration it receives until the gateway has proven its credential. We assume the credentials are obtained or derived out of band, for example through an ISP service agreement.

The network announcement is the only message in the network joining protocol that is not encrypted. Because it is broadcast in the clear, a client has to treat its contents as untrusted input until the gateway has authenticated itself in the encrypted handshake.
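The following Python sketch is an added example written for this page, not code from the XIA NetJoin implementation. It models the JACP exchange described in the two sections above (four messages in two round trips, ephemeral Diffie-Hellman from the first message, a challenge/response against out-of-band credentials, and encrypted layer-2/layer-3 configuration) so that both sides of the exchange can be read together. Everything beyond what the page states is an assumption: the beacon carries the gateway's ephemeral public key next to the challenge; client and gateway share a pre-shared symmetric credential standing in for whatever an ISP agreement provisions; the message field names and the L2/L3 configuration strings are constructed; the cipher is an HMAC-based encrypt-then-MAC stand-in rather than the protocol's actual cipher; and X25519 is implemented in pure Python (the RFC 7748 ladder) only so the example runs without third-party libraries.

```python
import hashlib, hmac, os

P = 2**255 - 19                      # field prime for Curve25519

def _cswap(swap, a, b):              # swap is 0 or 1; branch-free form of the RFC 7748 cswap
    d = swap * ((a - b) % P)
    return (a - d) % P, (b + d) % P

def x25519(k, u):                    # RFC 7748 X25519 Montgomery ladder in pure Python (self-contained, slow)
    k = bytearray(k); k[0] &= 248; k[31] = (k[31] & 127) | 64
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        (x2, x3), (z2, z3) = _cswap(swap, x2, x3), _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    (x2, x3), (z2, z3) = _cswap(swap, x2, x3), _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    sk = os.urandom(32)
    return sk, x25519(sk, (9).to_bytes(32, "little"))

def kdf(secret, label):              # HKDF-style extract then expand (one block), stdlib only
    prk = hmac.new(b"netjoin-example-salt", secret, hashlib.sha256).digest()
    return hmac.new(prk, label, hashlib.sha256).digest()

def _stream(key, seq, n):            # HMAC-based keystream; seq is the per-session message number
    return b"".join(hmac.new(key, seq.to_bytes(8, "big") + bytes([i]), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def _tag(key, seq, ct):
    return hmac.new(kdf(key, b"mac"), seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def seal(key, seq, pt):              # constructed encrypt-then-MAC stand-in for a real AEAD
    ct = bytes(x ^ s for x, s in zip(pt, _stream(kdf(key, b"enc"), seq, len(pt))))
    return ct + _tag(key, seq, ct)

def unseal(key, seq, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, seq, ct)):
        raise ValueError("JACP message %d failed authentication" % seq)
    return bytes(x ^ s for x, s in zip(ct, _stream(kdf(key, b"enc"), seq, len(ct))))

def _proof(cred, *parts):            # credential-keyed MAC binding a value to this DH exchange
    return hmac.new(cred, b"".join(parts), hashlib.sha256).digest()

class Gateway:                       # access point side; creds: client id -> out-of-band credential
    def __init__(self, net, gw_id, creds):
        self.net, self.gw_id, self.creds, self.sessions = net, gw_id, creds, {}
        (self.sk, self.pk), self.challenge = keypair(), os.urandom(16)   # ephemeral; rotate per announcement
    def announce(self):                         # the only cleartext message (the NDAP beacon)
        return {"net": self.net, "gw_id": self.gw_id, "gw_eph": self.pk, "challenge": self.challenge}
    def on_request(self, msg):                  # message 1 -> message 2
        key = kdf(x25519(self.sk, msg["client_eph"]), b"session")
        pt = unseal(key, 1, msg["body"])
        resp, client_id = pt[:32], pt[32:].decode()
        cred = self.creds.get(client_id)
        if cred is None or not hmac.compare_digest(resp, _proof(cred, self.challenge, msg["client_eph"], self.pk)):
            return None                         # unknown client or wrong credential: drop, hand out nothing
        self.sessions[msg["client_eph"]] = key
        return seal(key, 2, _proof(cred, b"gw", msg["client_eph"], self.pk) + b"l2 assoc-id=7")
    def on_confirm(self, client_eph, body):     # message 3 -> message 4
        key = self.sessions[client_eph]
        unseal(key, 3, body)                    # authenticates the client's L2 ack (raises if forged)
        return seal(key, 4, b"l3 default-router=" + self.gw_id.encode())   # constructed L3 config

class Client:
    def __init__(self, client_id, creds, allowed_nets):
        self.client_id, self.creds, self.allowed = client_id, creds, set(allowed_nets)
    def on_beacon(self, ann):                   # beacon -> message 1, or None when policy says no
        if ann["net"] not in self.allowed or ann["gw_id"] not in self.creds:
            return None                         # stand-in for the Netjoin policy module's decision
        self.ann, (self.sk, self.pk) = ann, keypair()
        self.key = kdf(x25519(self.sk, ann["gw_eph"]), b"session")
        resp = _proof(self.creds[ann["gw_id"]], ann["challenge"], self.pk, ann["gw_eph"])
        return {"client_eph": self.pk, "body": seal(self.key, 1, resp + self.client_id.encode())}
    def on_reply(self, body):                   # message 2 -> message 3
        pt = unseal(self.key, 2, body)
        want = _proof(self.creds[self.ann["gw_id"]], b"gw", self.pk, self.ann["gw_eph"])
        if not hmac.compare_digest(pt[:32], want):
            raise ValueError("gateway could not prove its credential")
        self.l2 = pt[32:]
        return seal(self.key, 3, b"l2-ack")
    def on_config(self, body):                  # message 4 -> joined
        return {"l2": self.l2, "l3": unseal(self.key, 4, body)}

def run_join(gw, client):            # drive the 4-message / 2-RTT exchange; None if either side refuses
    req = client.on_beacon(gw.announce())
    reply = gw.on_request(req) if req else None
    return client.on_config(gw.on_confirm(req["client_eph"], client.on_reply(reply))) if reply else None
```

run_join returns None when the client's policy declines the beacon or the gateway rejects the credential, and a forged or replayed message with a bad tag raises instead of being processed. Note what the challenge response binds: the gateway's nonce plus both ephemeral public keys, so a response captured from one session cannot be replayed into another, and the gateway's own proof in message 2 is what stops a rogue announcer from handing out configuration to a client that answered its beacon.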

Multihoming support

We establish a separate network joining session for each interface on a given host, so a multi-homed host can establish and maintain connections to multiple routers at once. For example, a mobile router in a car may have WiFi and DSRC interfaces, each connecting to WiFi and DSRC access points respectively as they become available during a drive.

Routers joining Routers or Controller

Not yet available in XIA v2.0 as of Feb 2017

The network joining protocol also works among routers and an SDN controller. This allows for bringing up ad-hoc networks or test network topologies without administrator configuration on each router. The message exchange for connection establishment between routers is simpler than that between a host and an access-point and can be accomplished in as little as one round-trip time. Once layer-2 and layer-3 connectivity is established, the network joining protocol defers the actual routing setup to the routing services running on the routers.

Network joining for routers differs from a host joining an access point in the following ways:

  • The SDN controller sends the initial network announcement.
  • The routers that are peers of the SDN controller join it via network joining for routers.
  • During each such join, the SDN controller's address (an FID-backed DAG), the name server address and any available rendezvous service addresses are exchanged. Hosts never receive the SDN controller's address.
  • After joining the network, a router starts announcing it to its own peers, creating a chain of routers joining other routers until every router in the domain is part of the network. Hosts, by contrast, never re-advertise the network.
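Since the router/controller variant is not yet available, the following is an added illustration of the propagation rules in the list above, written for this page rather than taken from XIA. It floods the join from the controller over a constructed topology and records what each node learns: routers receive the controller address and name server and then announce to their own peers, hosts join only routers, receive no controller address and never re-announce. The topology, the role assignment, the assumption that hosts only ever join routers, and the placeholder address strings are all constructed for the example.

```python
from collections import deque

# Constructed topology (not an XIA deployment): undirected links between an SDN
# controller, three routers and two hosts.
LINKS = [("ctrl", "r1"), ("r1", "r2"), ("r2", "r3"), ("r1", "h1"), ("r3", "h2")]
ROLES = {"ctrl": "controller", "r1": "router", "r2": "router", "r3": "router",
         "h1": "host", "h2": "host"}

def neighbours(node, links):
    return sorted({b for a, b in links if a == node} | {a for a, b in links if b == node})

def form_network(controller, roles, links, controller_dag, name_server):
    """Flood the join outward from the controller; returns node -> what it learned on joining."""
    learned, pending = {}, deque([controller])      # pending = nodes currently announcing
    while pending:
        announcer = pending.popleft()
        for peer in neighbours(announcer, links):
            if peer == controller or peer in learned:
                continue                            # already part of the network
            if roles[peer] == "router":
                # Router join: controller address (FID-backed DAG) and name server are handed over,
                # and the router then starts announcing the network to its own peers.
                learned[peer] = {"via": announcer, "controller": controller_dag,
                                 "name_server": name_server}
                pending.append(peer)
            elif roles[announcer] == "router":
                # Host join (assumed to happen only via a router): name server yes, controller
                # address never; the host is not queued, so it never re-advertises.
                learned[peer] = {"via": announcer, "name_server": name_server}
    return learned
```

Calling form_network("ctrl", ROLES, LINKS, "<controller-dag>", "<name-server-dag>") yields r1 joined via the controller, r2 via r1, r3 via r2, and the two hosts via r1 and r3, with the "controller" entry present only for the routers.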