RADEXT Working Group                                          M. Grayson
Internet-Draft                                                   E. Lear
Intended status: Standards Track                           Cisco Systems
Expires: 31 August 2023                                 27 February 2023


       RADIUS profile for Bonded Bluetooth Low Energy peripherals
                     draft-grayson-radext-rabble-00
Abstract
This document specifies an extension to the Remote Authentication
Dial-In User Service (RADIUS) protocol that enables a Bluetooth Low
Energy (BLE) peripheral device that has previously formed a bonded,
secure trusted relationship with a first "home" Bluetooth Low Energy
Central device to operate with a second "visited" Bluetooth Low
Energy Central device.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 31 August 2023.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Grayson & Lear Expires 31 August 2023 [Page 1]
Internet-Draft RABBLE February 2023
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. BLE Roaming Overview . . . . . . . . . . . . . . . . . . . . 6
3. RADIUS Profile for BLE . . . . . . . . . . . . . . . . . . . 8
3.1. User-Name . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2. User-Password . . . . . . . . . . . . . . . . . . . . . . 9
3.3. CHAP-Password, CHAP-Challenge . . . . . . . . . . . . . . 9
3.4. NAS-IP-Address, NAS-IPv6-Address . . . . . . . . . . . . 9
3.5. NAS-Port . . . . . . . . . . . . . . . . . . . . . . . . 9
3.6. Service-Type . . . . . . . . . . . . . . . . . . . . . . 9
3.7. Framed-Protocol . . . . . . . . . . . . . . . . . . . . . 9
3.8. Framed-IP-Address, Framed-IP-Netmask . . . . . . . . . . 9
3.9. Framed-Routing . . . . . . . . . . . . . . . . . . . . . 9
3.10. Filter-ID . . . . . . . . . . . . . . . . . . . . . . . . 9
3.11. Framed-MTU . . . . . . . . . . . . . . . . . . . . . . . 9
3.12. Framed-Compression . . . . . . . . . . . . . . . . . . . 10
3.13. Displayable Messages . . . . . . . . . . . . . . . . . . 10
3.14. Callback-Number, Callback-ID . . . . . . . . . . . . . . 10
3.15. Framed-Route, Framed-IPv6-Route . . . . . . . . . . . . . 10
3.16. State, Class, Proxy-State . . . . . . . . . . . . . . . . 10
3.17. Vendor-Specific . . . . . . . . . . . . . . . . . . . . . 10
3.18. Session-Timeout . . . . . . . . . . . . . . . . . . . . . 10
3.19. Idle-Timeout . . . . . . . . . . . . . . . . . . . . . . 10
3.20. Termination-Action . . . . . . . . . . . . . . . . . . . 10
3.21. Called-Station-Id . . . . . . . . . . . . . . . . . . . . 11
3.22. Calling-Station-Id . . . . . . . . . . . . . . . . . . . 11
3.23. NAS-Identifier . . . . . . . . . . . . . . . . . . . . . 11
3.24. NAS-Port-Type . . . . . . . . . . . . . . . . . . . . . . 11
3.25. Port-Limit . . . . . . . . . . . . . . . . . . . . . . . 11
3.26. Password-Retry . . . . . . . . . . . . . . . . . . . . . 11
3.27. Message-Authenticator . . . . . . . . . . . . . . . . . . 11
3.28. GATT-Service-Profile . . . . . . . . . . . . . . . . . . 11
3.29. BLE-Keying-Material . . . . . . . . . . . . . . . . . . . 12
3.30. Forwarding Bluetooth Messages . . . . . . . . . . . . . . 15
3.30.1. MQTT-Broker-URI . . . . . . . . . . . . . . . . . . 15
3.30.2. MQTT-Token . . . . . . . . . . . . . . . . . . . . . 16
3.31. RADIUS Accounting Attributes . . . . . . . . . . . . . . 16
3.31.1. Acct-Input-Octets and Acct-Output-Octets . . . . . . 16
3.31.2. Acct-Input-Packets . . . . . . . . . . . . . . . . . 17
3.31.3. Acct-Output-Packets . . . . . . . . . . . . . . . . 17
3.31.4. Acct-Terminate-Cause . . . . . . . . . . . . . . . . 17
3.31.5. Acct-Multi-Session-Id . . . . . . . . . . . . . . . 17
4. BLE RADIUS Exchange . . . . . . . . . . . . . . . . . . . . . 17
5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 21
6. Security Considerations . . . . . . . . . . . . . . . . . . . 22
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
8.1. Normative References . . . . . . . . . . . . . . . . . . 23
8.2. Informative References . . . . . . . . . . . . . . . . . 24
Appendix A. MQTT Interworking . . . . . . . . . . . . . . . . . 25
A.1. Establishing a Session to a MQTT-Broker-URI . . . . . . . 25
A.2. MQTT topics . . . . . . . . . . . . . . . . . . . . . . . 26
A.3. MQTT Exchange for Non-Connectable BLE Peripherals . . . . 27
A.4. Initial MQTT Exchange for Connectable BLE Peripherals . . 29
A.5. MQTT Exchange for Reading a GATT Attribute . . . . . . . 30
A.6. MQTT Exchange for Writing a GATT Attribute . . . . . . . 31
A.7. MQTT Exchange for BLE Peripheral initiated
Notifications . . . . . . . . . . . . . . . . . . . . . 31
A.8. MQTT Exchange for BLE Peripheral initiated Indications . 32
A.9. MQTT Exchange for dealing with NAS Mobility . . . . . . . 34
A.10. MQTT Exchange for ending a session for a connected BLE
Peripheral . . . . . . . . . . . . . . . . . . . . . . . 35
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 36
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36
1. Introduction
This document specifies an extension to the Remote Authentication
Dial-In User Service (RADIUS) protocol [RFC2865] that enables a
Bluetooth Low Energy (BLE) peripheral device that has previously
formed a bonded, secure trusted relationship with a first "home"
Bluetooth Low Energy Central device to operate with a second
"visited" Bluetooth Low Energy Central device that is integrated with
a Network Access Server.
After being successfully authenticated, a signalling link is
established that enables Bluetooth messages advertised by the BLE
Peripheral to be forwarded from the Visited Bluetooth Low Energy
Central device to a Home MQTT Broker. For connectable BLE
Peripherals, the signalling link enables the Home MQTT Broker to send
BLE Requests or Commands to the Visited Bluetooth Low Energy Central
device that is then responsible for forwarding to the BLE peripheral.
The extensions allow administrative entities to collaborate to enable
RADIUS authentication of BLE devices onto their respective networks,
without requiring the peripheral to perform a re-pairing on the
visited network.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
1.2. Terminology
BLE Central Controller:
The BLE entity that implements the Bluetooth Link Layer and interacts
with the Bluetooth Radio Hardware.
BLE Central Host:
A BLE entity that interacts with the BLE Central Controller to enable
applications to communicate with peer BLE devices in a standard and
interoperable way.
BLE Peripheral Device:
A BLE device that is configured to repeatedly send advertising
messages.
BLE Security Database:
A database that stores the keying material associated with a bonded
Bluetooth Connection.
Bluetooth Low Energy (BLE):
A wireless technology designed for low power operation and specified
by the Bluetooth Special Interest Group.
Bonding:
A Bluetooth [BLUETOOTH] defined process that creates a relation
between a Bluetooth Central device and a Bluetooth Peripheral device
which generates session keying material that is expected to be stored
by both Bluetooth devices, to be used for future authentication.
hash:
A Bluetooth [BLUETOOTH] specified 24-bit hash value which is
calculated using a hash function operating on IRK and prand as its
input parameters. The hash is encoded in the 24 least significant
bits of a Resolvable Private Address.
home:
A network that has access to the keying material necessary to support
the pairing of a BLE peripheral and that is able to expose the keys
generated as part of the BLE bonding process.
Identity Address (IA):
The 48-bit global (public) MAC address of a Bluetooth device.
Identity Resolving Key (IRK):
A Bluetooth [BLUETOOTH] specified key used in the Bluetooth privacy
feature. The Resolvable Private Address hash value is calculated
using a hash function of prand and the IRK.
Long-Term key (LTK):
A symmetric key which is generated during the Bluetooth bonding
procedure and used to generate the session key used to encrypt a
communication session between Bluetooth devices.
prand:
A 24-bit random number used by a BLE device to generate a Resolvable
Private Address. The prand is encoded in the 24 most significant
bits of a Resolvable Private Address.
Resolvable Private Address (RPA):
A Bluetooth [BLUETOOTH] specified private 48-bit address that can be
resolved to a permanent Bluetooth Identity Address through the use of
an Identity Resolving Key.
Visited:
A network that does not have access to the keying material necessary
to support the pairing of a BLE peripheral, but that is able to
support the RADIUS authentication of an already bonded BLE
Peripheral.
2. BLE Roaming Overview
This section provides an overview of the RADIUS BLE mechanism, which
is supported by the extensions described in this document. The
RADIUS profile is intended to be used between a RADIUS server and a
Visited BLE Central Host that is enhanced with Network Access Server
(NAS) functionality, which enables it to exchange messages with that
RADIUS server.
                     +------------+   +-----------+
     +------------+  | BLE        |   | BLE       |
     | BLE        |--| Central#1  |---| Home      |
     | Peripheral |  | Controller |   | Central#1 |
     +------------+  |            |   | Host      |
                     +------------+   +-----------+
           |                                |
           |                                |
           |                  +-------------------------+
           |                  | BLE Security Database   |
           |                  |  Peripheral: IA, IRK    |
           |                  |  AP: IA, IRK            |
           |                  |  Peripheral+AP: LTK     |
           |                  +-------------------------+
           |                                |
           | Bonded BLE                     |
           | Peripheral              +-------------+
           | moves                   |RADIUS Server|
           |                         +-------------+
          \|/                               |
           -                                |
                     +------------+   +-----------+
     +------------+  | BLE        |   | NAS/BLE   |
     | BLE        |--| Central#2  |---| Visited   |
     | Peripheral |  | Controller |   | Central#2 |
     +------------+  |            |   | Host      |
                     +------------+   +-----------+

            Figure 1: BLE RADIUS Authentication Overview
A BLE Peripheral is paired and bonded with the BLE Home Central Host.
The pairing requires the BLE Home Central Host to have access to the
keying material necessary to support the pairing of a BLE peripheral,
e.g., by using techniques described in
[I-D.shahzad-scim-device-model].
The bonding process generates new session specific keying material
that MUST be exposed by the BLE Home Central Host to a RADIUS server,
e.g., stored in a BLE Security Database which is accessible by the
RADIUS server. The keying material MUST include the peripheral's IA
and IRK, indicating that the BLE Peripheral has enabled the Bluetooth
privacy feature and is operating with a Resolvable Private Address
(RPA).
The BLE Peripheral then moves into the coverage of a second BLE
Central device which comprises a second BLE Central Controller and a
second BLE (Visited) Central Host which has been enhanced with
Network Access Server (NAS) functionality. The BLE Peripheral MUST
be configured to send low duty cycle advertising events using the BLE
Peripheral's RPA that are detected by the NAS/BLE Visited Central
Host. The NAS/BLE Visited Central Host decodes the Advertisement(s)
sent by the BLE Peripheral and MAY use the presence and/or contents
of specific Advertising Elements to decide whether to trigger a
RADIUS exchange with a RADIUS Server which has access to the keying
material exposed by the BLE Home Central Host.
The successful authentication of the BLE Peripheral onto the BLE
Visited Central Host MUST include the signalling of the keying
material exposed by the BLE Home Central Host to enable the re-
establishment of the secured communication session with the BLE
Peripheral. Bluetooth advertisements received from an authenticated
BLE Peripheral are forwarded between the BLE Visited Central Host and
a Home MQTT message broker.
If the BLE Peripheral is connectable, the Home MQTT Broker MAY send
BLE Requests or Commands to the Visited Bluetooth Low Energy Central
device that is then responsible for forwarding to the authenticated
BLE peripheral. The Home MQTT Broker MAY be configured to forward
the messages to/from a Bluetooth Application associated with the
authenticated BLE Peripheral, either directly, or via the first Home
Bluetooth Low Energy Central device.
                                       +-----------+
                                       | BLE       |
                              +--------|Application|
                              |        +-----------+
                              |              |
                              |              |
                              |        +-----------+
           Optional direct    |        | BLE Home  |
           signalling between |        | Central#1 |
           broker and BLE     |        | Host      |
           application        |        +-----------+
                              |              |
                              |              |
                              |        +-----------+
                              |        | Home      |
                              +--------| MQTT      |
                                       | Broker    |
                                       +-----------+
                                          |     -
                                          |    /|\
                    MQTT Publish          |     |
                    application           |     |  MQTT Publish
                    to peripheral         |     |  peripheral to
                    messages              |     |  application
                                          |     |  messages
                                         \|/    |
                                          -     |
                     +------------+    +-----------+
     +------------+  | BLE        |    | NAS/BLE   |
     | BLE        |--| Central#2  |----| Visited   |
     | Peripheral |  | Controller |    | Central#2 |
     +------------+  |            |    | Host      |
                     +------------+    +-----------+

             Figure 2: BLE Message Forwarding Overview
3. RADIUS Profile for BLE
3.1. User-Name
Contains a 6-character upper-case ASCII string corresponding to the
hexadecimal encoding of the 24-bit prand value derived from the
Bluetooth Resolvable Private Address, where the first string
character represents the most significant hexadecimal digit, i.e., a
prand value of 0x035fb2 is encoded as "035FB2".
3.2. User-Password
Contains a 6-character upper-case ASCII string corresponding to the
hexadecimal encoding of the 24-bit hash derived from the Bluetooth
Resolvable Private Address, where the first string character
represents the most significant hexadecimal digit. The 6-character
string is hidden using the techniques specified in RFC 2865 [RFC2865].
3.3. CHAP-Password, CHAP-Challenge
These attributes are not used by BLE Authenticators.
3.4. NAS-IP-Address, NAS-IPv6-Address
The NAS-IP-Address contains the IPv4 address of the BLE Central Host
acting as an Authenticator, and the NAS-IPv6-Address contains the
IPv6 address.
3.5. NAS-Port
For use with BLE the NAS-Port will contain the port number of the BLE
Central Host, if this is available.
3.6. Service-Type
For use with BLE, the Service-Type of Authenticate Only (8) is used.
3.7. Framed-Protocol
The Framed-Protocol attribute is not used by BLE Authenticators.
3.8. Framed-IP-Address, Framed-IP-Netmask
The Framed-IP-Address and Framed-IP-Netmask attributes are not used
by BLE Authenticators.
3.9. Framed-Routing
The Framed-Routing attribute is not used by BLE Authenticators.
3.10. Filter-ID
The Filter-ID attribute is not used by BLE Authenticators.
3.11. Framed-MTU
The Framed-MTU attribute is not used by BLE Authenticators.
3.12. Framed-Compression
The Framed-Compression attribute is not used by BLE Authenticators.
3.13. Displayable Messages
The Displayable Messages attribute is not used by BLE Authenticators.
3.14. Callback-Number, Callback-ID
These attributes are not used by BLE Authenticators.
3.15. Framed-Route, Framed-IPv6-Route
These attributes are not used by BLE Authenticators.
3.16. State, Class, Proxy-State
These attributes are used for the same purposes as described in
[RFC2865].
3.17. Vendor-Specific
Vendor-specific attributes are used for the same purposes as
described in [RFC2865].
3.18. Session-Timeout
When sent along in an Access-Accept without a Termination-Action
attribute or with a Termination-Action attribute set to Default, the
Session-Timeout attribute specifies the maximum number of seconds of
service provided prior to session termination.
3.19. Idle-Timeout
The Idle-Timeout attribute indicates the maximum time that the BLE
wireless device may remain idle.
3.20. Termination-Action
This attribute indicates what action should be taken when the service
is completed. The value Default (0) indicates that the session
should terminate.
3.21. Called-Station-Id
For NAS/BLE Visited Host Authenticators, this attribute is used to
store the public Identity Address (BD_ADDR) of the Bluetooth Access
Point in ASCII format (upper case only), with octet values separated
by a "-". Example: "88-15-44-23-19-C0".
3.22. Calling-Station-Id
This attribute is not used by BLE Authenticators.
3.23. NAS-Identifier
This attribute contains a string identifying the BLE Central Host
originating the Access-Request.
3.24. NAS-Port-Type
TBA1: "Wireless - Bluetooth Low Energy"
3.25. Port-Limit
This attribute is not used by BLE Authenticators.
3.26. Password-Retry
This attribute is not used by BLE Authenticators.
3.27. Message-Authenticator
The Message-Authenticator attribute MUST be used to protect any
packets that include the BLE-Keying-Material attribute.
3.28. GATT-Service-Profile
Description
The GATT-Service-Profile (TBA2) Attribute allows a RADIUS client to
include one or more GATT Service Profiles which are advertised by the
BLE Peripheral.
Zero or more GATT-Service-Profile Attributes MAY be included in an
Access-Request packet.
A summary of the GATT-Service-Profile Attribute format is shown
below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            Figure 3: Encoding GATT-Service-Profile Attribute
Type
TBA2
Length
6 octets
Value
The field is 4 octets, containing a 32-bit unsigned integer that
represents a GATT Service Profile.
3.29. BLE-Keying-Material
Description
The BLE-Keying-Material (TBA3) Attribute allows the transfer of
Identity Address(es) and cryptographic keying material from a RADIUS
Server to the BLE Visited Central Host.
Any packet that contains a BLE-Keying-Material Attribute MUST also
include the Message-Authenticator attribute.
A single BLE-Keying-Material Attribute MUST be included in an
Access-Accept packet.
A summary of the BLE-Keying-Material Attribute format is shown below.
The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         Peripheral IA
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Peripheral Identity Address (cont'd)              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Central Identity Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Central IA (cont'd)      |            KM Type            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            KEK ID
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        KEK ID (cont'd)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        KEK ID (cont'd)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        KEK ID (cont'd)                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              IV
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          IV (cont'd)                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Keying Material Data ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            Figure 4: Encoding BLE-Keying-Material Attribute
Type
TBA3
Length
>=56 octets
Peripheral Identity Address
The Peripheral Identity Address field is 6 octets in length and
contains the Peripheral's 6-octet Identity Address.
Central Identity Address
The Central Identity Address field is 6 octets in length and
contains the Central's 6-octet Identity Address. If the Central
Identity Address is not used, it is set to 0.
KM Type
The KM Type field is 2 octets in length and identifies the type of
keying material included in the Keying Material Data field. This
allows for multiple keys for different purposes to be present in
the same attribute. This document defines three values for the KM
Type:
0 The Keying Material Data field contains the 16-octet
Peripheral Identity Resolving Key encrypted using the AES
key wrapping process with 128-bit KEK defined in [RFC3394]
1 The Keying Material Data field contains the encrypted
16-octet Peripheral Identity Resolving Key and the 16-octet
Long Term Key generated during an LE Secure Connection
bonding procedure. The Peripheral IRK is passed as input P1
and P2 and the Long Term Key is passed as input P3 and P4 in
the AES key wrapping process with 128-bit KEK defined in
[RFC3394].
2 The Keying Material Data field contains the 16-octet
Peripheral Identity Resolving Key, the 16-octet Long Term
Key generated during an LE Secure Connection bonding
procedure and the 16-octet Central Identity Resolving Key.
The Peripheral IRK is passed as input P1 and P2, the Long
Term Key is passed as input P3 and P4 and the Central IRK is
passed as input P5 and P6 in the AES key wrapping process
with 128-bit KEK defined in [RFC3394].
KEK ID
The KEK ID field is 16 octets in length. The combination of the
KEK ID and the RADIUS client and server IP addresses together
uniquely identify a key shared between the RADIUS client and
server. As a result, the KEK ID need not be globally unique. The
KEK ID MUST refer to an encryption key for use with the AES Key
Wrap with 128-bit KEK algorithm [RFC3394]. This key is used to
protect the contents of the Keying Material Data field (below).
The KEK ID is a constant that is configured through an out-of-band
mechanism. The same value is configured on both the RADIUS client
and server. If no KEK ID is configured, then the field is set to
0. If only a single KEK is configured for use between a given
RADIUS client and server, then 0 can be used as the default value.
IV
The IV field is 8 octets in length and its value MUST be as
specified in [RFC3394].
Keying Material Data
The Keying Material Data field is of variable length and contains
the actual encrypted keying material as identified using the KM
Type field.
3.30. Forwarding Bluetooth Messages
RADIUS attributes described in this section are used to exchange
information to allow non-IP Bluetooth messages to be transferred
between the BLE Visited Central Host and a Home MQTT Broker.
3.30.1. MQTT-Broker-URI
Description
The MQTT-Broker-URI (TBA4) Attribute allows a RADIUS server to
specify the URI of the MQTT Broker. A single MQTT-Broker-URI
Attribute MAY be included in an Access-Accept packet.
If the RADIUS server operates with NAS/BLE Visited Hosts that are
deployed behind firewalls or NAT gateways, MQTT Messages SHOULD be
transported using WebSocket [RFC6455] as a network transport as
defined in MQTT [MQTT], and the attribute SHOULD specify the URI of
a WebSocket server that supports the 'mqtt' Sec-WebSocket-Protocol.
A summary of the MQTT-Broker-URI Attribute format is shown below.
The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

              Figure 5: Encoding MQTT-Broker-URI Attribute
Type
TBA4
Length
>=3 octets
String
The String field is encoded in UTF-8 and contains a URI where the
MQTT service can be accessed, e.g., "wss://broker.example.com:443".
3.30.2. MQTT-Token
Description
The MQTT-Token (TBA5) Attribute allows a RADIUS server to signal a
token for use by an MQTT client in an MQTT CONNECT packet [MQTT].
The token can be used by an MQTT Broker to associate an MQTT
Connection from an MQTT Client with a Network Access Server.
A single MQTT-Token Attribute MAY be included in an Access-Accept
packet.
A summary of the MQTT-Token Attribute format is shown below. The
fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 Figure 6: Encoding MQTT-Token Attribute
Type
TBA5
Length
>=3 octets
String
The String field is encoded in UTF-8 and contains a token for use
with an MQTT CONNECT packet.
3.31. RADIUS Accounting Attributes
With a few exceptions, the RADIUS accounting attributes defined in
[RFC2866] have the same meaning within BLE sessions as they do in
dialup sessions and therefore no additional commentary is needed.
3.31.1. Acct-Input-Octets and Acct-Output-Octets
These attributes are not used by BLE Authenticators.
3.31.2. Acct-Input-Packets
This attribute is used to indicate how many MQTT messages that
include the Peripheral Identity Address signalled in
the BLE-Keying-Material attribute have been sent by the BLE Central
Host.
3.31.3. Acct-Output-Packets
This attribute is used to indicate how many MQTT messages that
include the Peripheral Identity Address signalled in
the BLE-Keying-Material attribute have been received by the BLE
Central Host.
3.31.4. Acct-Terminate-Cause
This attribute indicates how the session was terminated, as described
in [RFC2866]. When the Idle-Timeout attribute is used by the NAS/BLE
Visited Host to terminate a RADIUS Accounting session, it MUST set
the Acct-Terminate-Cause to Lost Carrier (2).
3.31.5. Acct-Multi-Session-Id
This attribute is not used by BLE Authenticators.
4. BLE RADIUS Exchange
The BLE Peripheral uses techniques defined in Bluetooth Core
Specifications [BLUETOOTH] to establish a bonded, secure, trusted
relationship with a BLE Home Central device in the network. The
bonding procedure generates session specific keying material. The
BLE Peripheral sends low duty cycle advertising events.
The BLE Peripheral moves into coverage of a second BLE Central device
that is integrated with a NAS.
The BLE Peripheral sends Advertisements using its Resolvable Private
Address. The contents of the Advertisements are signalled to a BLE
Visited Central Host associated with the second BLE Central device.
The decoded Advertisements sent by the BLE Peripheral are used by
the BLE Visited Central Host to decide whether to trigger a RADIUS
exchange, e.g., using the presence and/or contents of specific
Advertising Elements.
The NAS associated with the BLE Visited Central Host is provisioned
with the identity of the RADIUS server. The NAS/BLE Visited Host MAY
be statically configured with the identity of a RADIUS Server.
Alternatively, the NAS/BLE Visited Host MAY use the contents of an
Advertisement Element received from the BLE Peripheral to derive an
FQDN of the RADIUS server and use RFC 7585 [RFC7585] to dynamically
resolve the address of the RADIUS server. For example, the Bluetooth
URI data type Advertisement Element (0x24) can be used to encode a
hostname that identifies the network which operates the BLE Home
Central Host.
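The advertisement-inspection step described above, as an added Go example that is not part of the draft: it walks the Bluetooth AD structures (Length, AD Type, AD Data) of an advertising payload without reading past a truncated element, collects 16-bit service UUIDs as candidate GATT-Service-Profile values, and extracts the host from a URI element (AD type 0x24) as the input to RFC 7585 discovery. The policy "trigger RADIUS only when a URI element is present", the AD type constants other than 0x24, the opaque treatment of the URI scheme-code octet, and the sample payload are assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// AD types from the Bluetooth Assigned Numbers used below; 0x24 is the URI
// element the draft names, the others are the usual flags, UUID-list and name types.
const (
	adFlags            = 0x01
	adIncomplete16UUID = 0x02
	adComplete16UUID   = 0x03
	adCompleteName     = 0x09
	adURI              = 0x24
)

// ADStructure is one Length / AD Type / AD Data element of an advertising payload.
type ADStructure struct {
	Type byte
	Data []byte
}

// parseADStructures walks the payload and stops on a truncated element instead
// of reading past the end; a zero Length ends the significant part.
func parseADStructures(adv []byte) ([]ADStructure, error) {
	var out []ADStructure
	for i := 0; i < len(adv); {
		n := int(adv[i])
		if n == 0 {
			break
		}
		if i+1+n > len(adv) {
			return out, errors.New("truncated AD structure")
		}
		out = append(out, ADStructure{Type: adv[i+1], Data: adv[i+2 : i+1+n]})
		i += 1 + n
	}
	return out, nil
}

// Trigger is what the NAS/BLE Visited Host extracts from one advertisement
// before deciding whether to start a RADIUS exchange.
type Trigger struct {
	ServiceProfiles []uint32 // candidate values for GATT-Service-Profile attributes
	RADIUSHost      string   // host from the URI element, input to RFC 7585 discovery
	Name            string
}

// evaluateAdvertisement applies a local policy (assumed for this example, not
// mandated by the draft): trigger RADIUS only when a URI element names a home network.
func evaluateAdvertisement(adv []byte) (Trigger, bool, error) {
	var t Trigger
	elems, err := parseADStructures(adv)
	if err != nil {
		return t, false, err
	}
	for _, e := range elems {
		switch e.Type {
		case adIncomplete16UUID, adComplete16UUID:
			for j := 0; j+2 <= len(e.Data); j += 2 { // 16-bit UUIDs are little-endian on air
				t.ServiceProfiles = append(t.ServiceProfiles, uint32(binary.LittleEndian.Uint16(e.Data[j:])))
			}
		case adCompleteName:
			t.Name = string(e.Data)
		case adURI:
			if len(e.Data) > 1 { // octet 0 is the URI scheme-name code; kept opaque here
				t.RADIUSHost = hostFromURI(string(e.Data[1:]))
			}
		}
	}
	return t, t.RADIUSHost != "", nil
}

// hostFromURI keeps only the host of "//host[:port][/path]", lower-cased.
func hostFromURI(rest string) string {
	rest = strings.TrimPrefix(rest, "//")
	if i := strings.IndexAny(rest, ":/"); i >= 0 {
		rest = rest[:i]
	}
	return strings.ToLower(rest)
}

func main() {
	// Constructed payload: Flags, complete 16-bit UUID list (0x180F, 0x181A),
	// a local name, and a URI element whose scheme-code octet 0x01 is a placeholder.
	adv := []byte{0x02, adFlags, 0x06,
		0x05, adComplete16UUID, 0x0F, 0x18, 0x1A, 0x18,
		0x07, adCompleteName, 'S', 'e', 'n', 's', 'o', 'r'}
	adv = append(adv, byte(2+len("//radius.home.example")), adURI, 0x01)
	adv = append(adv, "//radius.home.example"...)
	t, trigger, err := evaluateAdvertisement(adv)
	fmt.Printf("trigger=%v host=%q profiles=%#x name=%q err=%v\n", trigger, t.RADIUSHost, t.ServiceProfiles, t.Name, err)
}
```

The parser is the part worth keeping strict: advertising data arrives from an unauthenticated radio, so a Length octet that points past the end of the payload is treated as a malformed advertisement and never indexed. The host string that comes out is only a hint for where to look up a RADIUS server; it is not trusted for anything until the RADIUS exchange itself succeeds.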
The NAS/BLE Host generates a RADIUS Access-Request message using the
prand from the RPA as the User-Name attribute and the hash from the
RPA as the User-Password attribute. The NAS-Port-Type is set to
"Wireless - Bluetooth Low Energy".
On receiving the RADIUS Access-Request message, the RADIUS Server
uses the keying material exposed by the BLE Home Central Host and
attempts to resolve the User-Name and User-Password to a known BLE
Identity Address (IA). If the RADIUS Server cannot resolve the User-
Name and User-Password to a known BLE Identity Address, the RADIUS
server MUST reject the Access-Request.
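Both sides of the resolution step, as an added Go example that is not code from the draft: the peripheral-side construction of an RPA with the Bluetooth random address hash function ah(), the NAS-side encoding of prand and hash into User-Name and User-Password as Sections 3.1 and 3.2 specify, and the RADIUS server's lookup of that pair against a BLE Security Database of (IA, IRK) rows. It assumes that IRK and prand are fed to AES-128 as big-endian octet strings, that a resolvable private address carries 01 in its two most significant bits (as the Bluetooth Core Specification defines), and it uses a constructed IRK and Identity Address; the RFC 2865 hiding of User-Password on the wire is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Bond is one row of the BLE Security Database that the home network exposes
// to the RADIUS server: a peripheral's Identity Address and its IRK.
type Bond struct {
	IA  [6]byte
	IRK [16]byte
}

// ah is the Bluetooth random address hash, ah(k, r) = e(k, padding || r) mod 2^24,
// with e = AES-128, r = the 24-bit prand and 104 zero bits of padding. IRK and
// prand are handled as big-endian octet strings here (an assumption of this example).
func ah(irk [16]byte, prand [3]byte) [3]byte {
	c, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err) // cannot happen for a 16-octet key
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // padding first, prand in the 24 least significant bits
	c.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:]) // ah = the 24 least significant bits of the AES output
	return h
}

// makeRPA is the peripheral side: prand in the 24 most significant bits of the
// address, hash in the 24 least significant bits. A resolvable private address
// carries 01 in its two most significant bits, so prand[0]>>6 must be 1.
func makeRPA(irk [16]byte, prand [3]byte) [6]byte {
	var rpa [6]byte
	copy(rpa[0:3], prand[:])
	h := ah(irk, prand)
	copy(rpa[3:6], h[:])
	return rpa
}

// accessRequestFields is the NAS side of Sections 3.1 and 3.2: prand becomes
// User-Name and hash becomes User-Password, six upper-case hex digits each with
// the most significant digit first (RFC 2865 password hiding is omitted here).
func accessRequestFields(rpa [6]byte) (userName, userPassword string) {
	userName = strings.ToUpper(hex.EncodeToString(rpa[0:3]))
	userPassword = strings.ToUpper(hex.EncodeToString(rpa[3:6]))
	return userName, userPassword
}

var errUnresolved = errors.New("User-Name/User-Password do not resolve to a known Identity Address")

// resolve is the RADIUS server step of Section 4: recompute ah(IRK, prand) for
// every bond in the database and accept only an exact match of the hash. A
// failure here means the server MUST reject the Access-Request.
func resolve(db []Bond, userName, userPassword string) (Bond, error) {
	p, errP := hex.DecodeString(userName)
	h, errH := hex.DecodeString(userPassword)
	if errP != nil || errH != nil || len(p) != 3 || len(h) != 3 || p[0]>>6 != 1 {
		return Bond{}, errUnresolved // malformed, or not a resolvable private address
	}
	var prand [3]byte
	copy(prand[:], p)
	for _, b := range db {
		got := ah(b.IRK, prand)
		if subtle.ConstantTimeCompare(got[:], h) == 1 {
			return b, nil
		}
	}
	return Bond{}, errUnresolved
}

func main() {
	// Constructed sample data: not a real device, address or key.
	var irk [16]byte
	for i := range irk {
		irk[i] = byte(0xA0 + i)
	}
	db := []Bond{{IA: [6]byte{0x00, 0x1B, 0xDC, 0x11, 0x22, 0x33}, IRK: irk}}
	rpa := makeRPA(irk, [3]byte{0x4A, 0x3F, 0x21})
	name, pw := accessRequestFields(rpa)
	fmt.Printf("advertised RPA %X -> User-Name=%s User-Password=%s\n", rpa[:], name, pw)
	if b, err := resolve(db, name, pw); err == nil {
		fmt.Printf("resolved to Identity Address %X\n", b.IA[:])
	}
}
```

The hash comparison only establishes which bond the RPA belongs to; whether that Identity Address is authorized via this Visited Host is the separate policy check the draft places after resolution. Because the server has no way to know which IRK produced the hash, it recomputes ah() once per candidate row for every Access-Request, which is worth keeping in mind when sizing the security database.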
If the RADIUS Server resolves the User-Name and User-Password to a
known BLE Identity Address, and the BLE Identity Address is
authorized to access via the BLE Visited Host, the RADIUS server
recovers the session specific keying material exposed by the BLE Home
Central Host.
If the BLE Peripheral is not connectable or connections are not
authorized, the RADIUS server encodes the Peripheral Identity Address
and the Peripheral Identity Resolving Key in the BLE-Keying-Material
attribute and sets the KM Type to 0. If the BLE Peripheral is
connectable and connections are authorized via the BLE Visited Host,
the RADIUS server additionally includes the Central Identity Address
and the Long Term Key in the BLE-Keying-Material attribute and sets
the KM Type to 1. Finally, if the BLE Peripheral is connectable and
connections are authorized via the BLE Visited Host and the security
database indicates that the BLE Home Central Host operates using
Bluetooth privacy, then the RADIUS server additionally includes the
Central Identity Resolving Key in the BLE-Keying-Material attribute
and sets the KM Type to 2.
The RADIUS Server SHOULD include the MQTT-Broker-URI attribute and
MAY include the MQTT-Token attribute by which an MQTT client
associated with the BLE Visited Host can establish an MQTT connection
with a Home MQTT Broker for forwarding messages received to/from the
BLE peripheral.
On receiving the Access-Accept, the NAS/BLE Visited Host recovers the
keying material, including the BLE Peripheral's Identity Address and
then establishes an MQTT Connection with the Home MQTT Broker. The
NAS/BLE Visited Host SHOULD include its NAS-Id in the User Name field
of the MQTT CONNECT message and MAY include an Operator Name, if for
example the NAS has been configured with the operator-name attribute
(#126) as specified in RFC5580 [RFC5580].
If the advertisement that triggered the RADIUS exchange corresponds
to an ADV_IND then the NAS/BLE Visited Host can subsequently
establish a secure connection with the BLE Peripheral.
NAS/BLE
Visited Home Home
BLE Central#2 RADIUS MQTT
Peripheral Host Server Broker
| | | |
| | | |
|--BLE ----------->| | |
| Advertizement | | |
| | | |
|<---------------->| | |
| Active Scan |- Access-Request------->| |
| | user-name=prand | |
| | user-password=hash | |
| | NAS-Port-Type=BLE | |
| | GATT-Service-Profile | |
| | | |
| |< Access-Accept---------| |
| | Idle-Timeout | |
| | BLE-Keying-Material | |
| | MQTT-Broker-URI | |
| | MQTT-Token | |
| | | |
| |---Accounting-Request--->| |
| | Acct-Status-Type=Start | |
| | Session-Id | |
| | | |
| |---MQTT CONNECT------------------------>|
| | User Name=[operator_name:]nas-id |
| | Password=MQTT Token | |
| | | |
| |---MQTT PUBLISH------------------------>|
| | Advertizement(s) | |
| | | |
+-------------------------------------------------------------+
| Further MQTT and associated BLE Exchanges |
+-------------------------------------------------------------+
| | | |
|--BLE ----------->|--+ Resolve to | |
| Advertizement | | same Identity | |
| |<-+ Address | |
| +--| | |
| | | | |
| +->|Idle Timer Expiry | |
| | | |
| |---Accounting-Request--->| |
| | Acct-Status-Type=Stop | |
| | Session-Id | |
Figure 7: BLE RADIUS Exchange
5. Table of Attributes
The following table provides a guide to which of the attributes
defined in this document may be found in which kinds of packets, and
in what quantity.
+=========+========+========+===========+=========+======+======================+
| Request | Accept | Reject | Challenge | Acct-   | #    | Attribute            |
|         |        |        |           | Request |      |                      |
+=========+========+========+===========+=========+======+======================+
| 0+      | 0      | 0      | 0         | 0       | TBA1 | GATT-Service-Profile |
+---------+--------+--------+-----------+---------+------+----------------------+
| 0       | 1      | 0      | 0         | 0       | TBA2 | BLE-Keying-Material  |
+---------+--------+--------+-----------+---------+------+----------------------+
| 0       | 0-1    | 0      | 0         | 0       | TBA3 | MQTT-Broker-URI      |
+---------+--------+--------+-----------+---------+------+----------------------+
| 0       | 0-1    | 0      | 0         | 0       | TBA4 | MQTT-Token           |
+---------+--------+--------+-----------+---------+------+----------------------+
Table 1: Table of Attributes
The following table defines the meaning of the above table entries.
+=======+===============================================+
| Entry | Meaning |
+=======+===============================================+
| 0 | This attribute MUST NOT be present in packet. |
+-------+-----------------------------------------------+
| 0+ | Zero or more instances of this attribute MAY |
| | be present in packet. |
+-------+-----------------------------------------------+
| 0-1 | Zero or one instance of this attribute MAY be |
| | present in packet. |
+-------+-----------------------------------------------+
| 1 | One instance of this attribute MUST be |
| | present in packet. |
+-------+-----------------------------------------------+
Table 2: Table of Attributes Entry Definition
6. Security Considerations
Use of this RADIUS profile for BLE can be between a NAS/BLE Visited
Host and a RADIUS Server inside a secure network, or between a NAS/
BLE Visited Host and RADIUS server operated in different
administrative domains which are connected over the Internet. All
implementations MUST follow
[I-D.draft-dekok-radext-deprecating-radius].
The RADIUS profile for BLE devices is designed to operate when BLE
devices operate their physical links with BLE Secure Connections
[BLUETOOTH]. This approach uses a secure exchange of data over the
Bluetooth connection, together with Elliptic Curve Diffie-Hellman
(ECDH) public key cryptography, to create the session specific
symmetric Long Term Key (LTK) which is then exchanged using the BLE-
Keying-Material attribute in the RADIUS Access-Accept message.
Bluetooth [BLUETOOTH] specifies how an IRK can be generated from an
Identity Root (IR) key. Removing the Bluetooth bond in a device will
typically trigger the generation of a new IRK for the device.
The RADIUS profile for BLE devices is designed to operate when BLE
devices are configured to operate with Bluetooth Privacy Mode enabled
[BLUETOOTH]. The BLE device defines the policy of how often it
should generate a new Resolvable Private Address. This can be
configured to be between every second and every hour, with a default
value of every 15 minutes [BLUETOOTH]. This mode mitigates risks
associated with a malicious third party scanning for and collecting
Bluetooth addresses over time and using them to build a picture of
the movements of BLE devices and, by inference, of the human users of
those devices.
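The Go program below is an added illustration, not part of this draft, of what "Resolve to same Identity Address" in Figure 7 involves and of why the IRK is the sensitive element in BLE-Keying-Material. The Visited Host recomputes the 24-bit hash of each advertised Resolvable Private Address with the Peripheral IRK it received and compares it with the address, using the Bluetooth ah() function (AES-128, Core Specification Vol 3, Part H). Any party holding the IRK can link every address the peripheral generates back to one identity; any party without it sees only unrelated addresses that change on the privacy timer, which is the tracking protection the paragraph above describes. Addresses are handled MSB first as printed; the record type, function names and sample values are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Addresses are handled MSB first, as printed ("C0:11:22:33:44:55"), not in the
// little-endian over-the-air order. A resolvable private address is prand || hash,
// each 24 bits, with the two most significant bits of prand fixed to 0b01.

// ah implements the Bluetooth random address hash (Core Specification Vol 3, Part H,
// Section 2.2.2): ah(k, r) = e(k, padding || r) mod 2^24, with e = AES-128.
func ah(irk [16]byte, prand [3]byte) ([3]byte, error) {
	var hash [3]byte
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		return hash, err
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r occupies the least significant 24 bits, zero-padded above
	block.Encrypt(out[:], in[:])
	copy(hash[:], out[13:]) // mod 2^24 keeps the least significant 3 bytes
	return hash, nil
}

// NewPrand draws a fresh 24-bit random value and marks it as resolvable private.
func NewPrand() ([3]byte, error) {
	var p [3]byte
	if _, err := rand.Read(p[:]); err != nil {
		return p, err
	}
	p[0] = (p[0] & 0x3F) | 0x40
	return p, nil
}

// GenerateRPA is what the BLE Peripheral does whenever its privacy timer fires: the
// same IRK, a new prand, hence a new address that only IRK holders can link.
func GenerateRPA(irk [16]byte, prand [3]byte) ([6]byte, error) {
	var rpa [6]byte
	if prand[0]&0xC0 != 0x40 {
		return rpa, fmt.Errorf("prand %x is not marked resolvable (top bits must be 01)", prand)
	}
	hash, err := ah(irk, prand)
	if err != nil {
		return rpa, err
	}
	copy(rpa[0:3], prand[:])
	copy(rpa[3:6], hash[:])
	return rpa, nil
}

// ResolveRPA reports whether addr was generated with irk. The comparison is constant
// time so that a mismatch does not reveal how many hash bytes agreed.
func ResolveRPA(irk [16]byte, addr [6]byte) bool {
	if addr[0]&0xC0 != 0x40 {
		return false // public or non-resolvable random address: nothing to resolve
	}
	var prand [3]byte
	copy(prand[:], addr[0:3])
	hash, err := ah(irk, prand)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(hash[:], addr[3:6]) == 1
}

// IdentityRecord is one entry of the Visited Host's resolving list, filled from the
// Peripheral Identity Address and IRK carried in BLE-Keying-Material (assumed shape).
type IdentityRecord struct {
	IdentityAddr [6]byte
	IRK          [16]byte
}

// Resolve maps an advertised address to a known Identity Address (Figure 7, "Resolve
// to same Identity Address"), which lets the NAS keep one session per peripheral
// across address changes.
func Resolve(list []IdentityRecord, addr [6]byte) ([6]byte, bool) {
	for _, rec := range list {
		if ResolveRPA(rec.IRK, addr) {
			return rec.IdentityAddr, true
		}
	}
	return [6]byte{}, false
}
```

Resolution costs one AES block per (record, address) pair, so a Visited Host with many released IRKs should expect to run this for every advertisement it scans; the prand it sends as user-name in Figure 7 is the first three bytes of the address handled here.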
The Home MQTT broker can observe the Bluetooth messages exchanged
with the BLE Peripheral. The Bluetooth GATT attributes SHOULD be
cryptographically protected at the application-layer. The Home MQTT
Broker MUST be configured with access control lists so that a NAS
cannot subscribe to a topic that is intended for another NAS.
The WebSocket connection MUST operate using a WebSocket Secure
connection. If the entropy of the MQTT-Token is known to be low, the
WebSocket Secure TLS connection SHOULD be secured with certificate-
based mutual TLS.
7. IANA Considerations
This document defines a new value, TBA1, for RADIUS Attribute Type
#61 (NAS-Port-Type), registered at https://www.iana.org/assignments/
radius-types/radius-types.xhtml#radius-types-13.
+=======+===================================+==============+
| Value | Description | Reference |
+=======+===================================+==============+
| TBA1 | "Wireless - Bluetooth Low Energy" | Section 3.24 |
+-------+-----------------------------------+--------------+
Table 3: New NAS-Port-Type value defined in this document
This document defines new RADIUS attributes (see Section 3) and
assigns them the values TBA2, TBA3, TBA4, and TBA5 from the RADIUS
Attribute Type space, https://www.iana.org/assignments/radius-types.
+======+======================+================+
| Tag | Attribute | Reference |
+======+======================+================+
| TBA2 | GATT-Service-Profile | Section 3.28 |
+------+----------------------+----------------+
| TBA3 | BLE-Keying-Material | Section 3.29 |
+------+----------------------+----------------+
| TBA4 | MQTT-Broker-URI | Section 3.30.1 |
+------+----------------------+----------------+
| TBA5 | MQTT-Token | Section 3.30.2 |
+------+----------------------+----------------+
Table 4: New RADIUS attributes defined in this document
8. References
8.1. Normative References
[I-D.draft-dekok-radext-deprecating-radius]
DeKok, A., "Deprecating RADIUS/UDP and RADIUS/TCP", Work
in Progress, Internet-Draft, draft-dekok-radext-
deprecating-radius-00, 4 October 2022,
<https://datatracker.ietf.org/doc/html/draft-dekok-radext-
deprecating-radius-00>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, DOI 10.17487/RFC2865, June 2000,
<https://www.rfc-editor.org/info/rfc2865>.
[RFC5580] Tschofenig, H., Ed., Adrangi, F., Jones, M., Lior, A., and
B. Aboba, "Carrying Location Objects in RADIUS and
Diameter", RFC 5580, DOI 10.17487/RFC5580, August 2009,
<https://www.rfc-editor.org/info/rfc5580>.
[RFC6455] Fette, I. and A. Melnikov, "The WebSocket Protocol",
RFC 6455, DOI 10.17487/RFC6455, December 2011,
<https://www.rfc-editor.org/info/rfc6455>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References
[BLUETOOTH]
Bluetooth Core Specification Working Group, "BLUETOOTH
CORE SPECIFICATION v5.3", 13 July 2021,
<https://www.bluetooth.com/specifications/bluetooth-core-
specification/>.
[I-D.shahzad-scim-device-model]
Shahzad, M., Hassan, H., and E. Lear, "Device Schema
Extensions to the SCIM model", Work in Progress, Internet-
Draft, draft-shahzad-scim-device-model-02, 10 January
2023, <https://datatracker.ietf.org/doc/html/draft-
shahzad-scim-device-model-02>.
[MQTT] OASIS, "MQTT Version 5.0", 7 March 2019,
<https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-
v5.0.html>.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866,
DOI 10.17487/RFC2866, June 2000,
<https://www.rfc-editor.org/info/rfc2866>.
[RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard
(AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394,
September 2002, <https://www.rfc-editor.org/info/rfc3394>.
[RFC6218] Zorn, G., Zhang, T., Walker, J., and J. Salowey, "Cisco
Vendor-Specific RADIUS Attributes for the Delivery of
Keying Material", RFC 6218, DOI 10.17487/RFC6218, April
2011, <https://www.rfc-editor.org/info/rfc6218>.
[RFC7585] Winter, S. and M. McCauley, "Dynamic Peer Discovery for
RADIUS/TLS and RADIUS/DTLS Based on the Network Access
Identifier (NAI)", RFC 7585, DOI 10.17487/RFC7585, October
2015, <https://www.rfc-editor.org/info/rfc7585>.
Appendix A. MQTT Interworking
This section describes how a NAS/BLE Visited Host supporting the BLE
RADIUS profile can interwork with a Home MQTT Message Broker in order
to use MQTT topics to deliver Bluetooth messages to/from a BLE
Peripheral. It is intended that this material will be moved to
another document; it is included here to describe, at a high level,
the MQTT interworking established by the RADIUS exchange.
A.1. Establishing a Session to an MQTT-Broker-URI
If the NAS/BLE Visited Host is signalled an MQTT-Broker-URI in an
Access-Accept with which it does not already have an established
MQTT connection, then it MUST establish an MQTT connection. If the
NAS/BLE Visited Host is behind a firewall or NAT gateway, it MUST use
WebSocket transport for the MQTT connection. The user name in the
MQTT CONNECT message SHOULD include the NAS-ID and MAY include the
name of the operator of the NAS/BLE Visited Host.
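As an added example, not part of this draft or of any MQTT library, the Go program below serialises and parses the MQTT 5.0 CONNECT packet described in this section and in the paragraph following Figure 7: User Name is "[operator_name:]nas-id" and Password carries the MQTT-Token when one was received in Access-Accept. The field order follows OASIS MQTT 5.0 section 3.1; the parser checks every length against the packet, which is what a broker must do before trusting the user name it will later use for topic authorization. The function names and the sample values in the usage below are assumptions for the example; when the WebSocket transport of this section is used, these bytes travel in WebSocket binary frames.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// MQTT 5.0 CONNECT (section 3.1): fixed header 0x10 + remaining length (a variable
// byte integer, the same base-128 encoding as Go's Uvarint); variable header =
// "MQTT", level 5, connect flags, keep alive, properties; payload = client id, then
// user name and password when their flags are set.
const (
	flagCleanStart = 0x02
	flagPassword   = 0x40
	flagUserName   = 0x80
)

type ConnectInfo struct {
	ClientID, UserName, Password string
	KeepAlive                    uint16
}

// UTF-8 string and binary data fields share the same 2-byte big-endian length prefix.
func lenPrefixed(s string) []byte {
	out := make([]byte, 2+len(s))
	binary.BigEndian.PutUint16(out, uint16(len(s)))
	copy(out[2:], s)
	return out
}

func readLenPrefixed(b []byte, off int) (string, int, error) {
	if off+2 > len(b) || off+2+int(binary.BigEndian.Uint16(b[off:])) > len(b) {
		return "", 0, errors.New("truncated field")
	}
	end := off + 2 + int(binary.BigEndian.Uint16(b[off:]))
	return string(b[off+2 : end]), end, nil
}

// ConnectUserName forms "[operator_name:]nas-id" as in Figures 7 and 8.
func ConnectUserName(operatorName, nasID string) string {
	if operatorName == "" {
		return nasID
	}
	return operatorName + ":" + nasID
}

// BuildConnect builds the CONNECT sent after Access-Accept; token is the MQTT-Token
// and is optional, so the Password flag and field appear only when it is present.
func BuildConnect(clientID, operatorName, nasID, token string, keepAlive uint16) []byte {
	flags := byte(flagCleanStart | flagUserName)
	payload := append(lenPrefixed(clientID), lenPrefixed(ConnectUserName(operatorName, nasID))...)
	if token != "" {
		flags |= flagPassword
		payload = append(payload, lenPrefixed(token)...)
	}
	body := append(lenPrefixed("MQTT"), 5, flags, byte(keepAlive>>8), byte(keepAlive), 0) // 0 = no properties
	body = append(body, payload...)
	rl := make([]byte, binary.MaxVarintLen32)
	rl = rl[:binary.PutUvarint(rl, uint64(len(body)))]
	return append(append([]byte{0x10}, rl...), body...)
}

// ParseConnect is the broker-side read; every length is checked against the packet
// so a truncated or padded CONNECT is rejected instead of being misread.
func ParseConnect(pkt []byte) (ConnectInfo, error) {
	var ci ConnectInfo
	if len(pkt) < 2 || pkt[0] != 0x10 {
		return ci, errors.New("not a CONNECT packet")
	}
	rl, n := binary.Uvarint(pkt[1:])
	if n <= 0 || uint64(len(pkt)-1-n) != rl {
		return ci, errors.New("remaining length does not match packet size")
	}
	body := pkt[1+n:]
	name, off, err := readLenPrefixed(body, 0)
	if err != nil || name != "MQTT" {
		return ci, errors.New("bad protocol name")
	}
	if off+4 > len(body) || body[off] != 5 {
		return ci, errors.New("bad or unsupported variable header")
	}
	flags := body[off+1]
	ci.KeepAlive = binary.BigEndian.Uint16(body[off+2:])
	plen, n := binary.Uvarint(body[off+4:])
	if n <= 0 || plen > uint64(len(body)) {
		return ci, errors.New("malformed properties length")
	}
	off += 4 + n + int(plen) // skip properties; none are needed by this profile
	if ci.ClientID, off, err = readLenPrefixed(body, off); err != nil {
		return ci, err
	}
	if flags&flagUserName != 0 {
		if ci.UserName, off, err = readLenPrefixed(body, off); err != nil {
			return ci, err
		}
	}
	if flags&flagPassword != 0 {
		if ci.Password, off, err = readLenPrefixed(body, off); err != nil {
			return ci, err
		}
	}
	if off != len(body) {
		return ci, errors.New("trailing bytes in CONNECT")
	}
	return ci, nil
}
```

Usage: BuildConnect("nas-17", "example-op", "nas-17", token, 60) yields a packet whose parsed UserName is "example-op:nas-17" and whose Password is the token (sample names constructed for this example). A CONNECT built without a token carries no Password field at all, matching the MAY in this section, and the broker then has only the user name to decide what the NAS may subscribe to.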
NAS/BLE
Visited Home Home
BLE Central#2 RADIUS MQTT
Peripheral Host Server Broker
| | | |
| | | |
| |---Accounting-Request--->| |
| | Acct-Status-Type=Start | |
| | Session-Id | |
| | Chargeable-User-Id | |
| | | |
| |---HTTP GET---------------------------->|
| | Upgrade:websocket | |
| | Connection:upgrade | |
| | Sec-WebSocket-Protocol=mqtt |
| | | |
| |<--HTTP 101--------------|--------------|
| | Upgrade:websocket | |
| | Connection:upgrade | |
| | Sec-WebSocket-Protocol=mqtt |
| | | |
| |---MQTT CONNECT------------------------>|
| | User Name=[operator_name:]nas-id |
| | Password=MQTT Token | |
| | | |
| |<--MQTT CONNACK-------------------------|
| | | |
| | | |
Figure 8: Establishing an MQTT connection to a Home Broker using WebSocket transport
A.2. MQTT topics
The following topic is used by the MQTT client of the BLE Visited
Host to signal active and passive scan advertisements received from
BLE Peripherals to the home MQTT Broker.
1. {peripheral_identity_address}/gatt-ind/advertisement
If the BLE Peripheral is connectable, the MQTT client of the BLE
Visited Host SHOULD subscribe to the following message topics to be
able to receive GATT requests from the Home MQTT Broker:
1. {peripheral_identity_address}/gatt-req/connect : when publishing
a message on the {peripheral_identity_address}/gatt-req/connect
topic, an MQTT client SHOULD include the following as a response
topic {peripheral_identity_address}/gatt-res/connect
2. {peripheral_identity_address}/gatt-req/disconnect : when
publishing a message on the {peripheral_identity_address}/gatt-
req/disconnect topic, an MQTT client SHOULD include the following
as a response topic {peripheral_identity_address}/gatt-res/
disconnect
3. {peripheral_identity_address}/gatt-req/read : when publishing a
message on the {peripheral_identity_address}/gatt-req/read topic,
an MQTT client SHOULD include the following as a response topic
{peripheral_identity_address}/gatt-res/read
4. {peripheral_identity_address}/gatt-req/write : when publishing a
message on the {peripheral_identity_address}/gatt-req/write
topic, an MQTT client SHOULD include the following as a response
topic {peripheral_identity_address}/gatt-res/write
5. {peripheral_identity_address}/gatt-req/service-discovery : when
publishing a message on the {peripheral_identity_address}/gatt-
req/service-discovery topic, an MQTT client SHOULD include the
following as a response topic {peripheral_identity_address}/gatt-
res/service-discovery
6. {peripheral_identity_address}/gatt-req/notification : when
publishing a message on the {peripheral_identity_address}/gatt-
req/notification topic, an MQTT client SHOULD include the
following as a response topic: {peripheral_identity_address}/gatt-
res/notification. When sending notifications, the MQTT client of
the NAS/BLE Visited Host SHOULD publish the message using the
topic {peripheral_identity_address}/gatt-ind/notification. When
sending indications, the MQTT client of the NAS/BLE Visited Host
SHOULD publish the message using the topic
{peripheral_identity_address}/gatt-ind-req/indication and SHOULD
include the following as a response topic:
{peripheral_identity_address}/gatt-ind-res/indication
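The topic layout above, together with the requirement in the Security Considerations that the Home MQTT Broker's access control lists prevent a NAS from subscribing to a topic intended for another NAS, can be checked mechanically. The Go program below is an added example and is not part of this draft or of any broker: it derives the response topic for a request topic and implements a broker-side authorization check that ties a NAS connection to the Peripheral Identity Addresses released to it in Access-Accept. The colon-separated hex form of the identity address, the session data model and the function names are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The draft does not fix the textual form of {peripheral_identity_address}; this
// example assumes colon-separated hex, e.g. "C0:11:22:33:44:55".
var identityAddrRE = regexp.MustCompile(`^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$`)

// Request/response level pairs from A.2: gatt-req is answered on gatt-res, and the
// peripheral-initiated gatt-ind-req (indications) on gatt-ind-res.
var responseLevel = map[string]string{"gatt-req": "gatt-res", "gatt-ind-req": "gatt-ind-res"}

// ResponseTopic derives "<addr>/gatt-res/<op>" from "<addr>/gatt-req/<op>" (and the
// gatt-ind-req/gatt-ind-res pair), rejecting malformed or wildcard request topics.
func ResponseTopic(requestTopic string) (string, error) {
	parts := strings.Split(requestTopic, "/")
	if len(parts) != 3 || !identityAddrRE.MatchString(parts[0]) {
		return "", fmt.Errorf("malformed request topic %q", requestTopic)
	}
	res, ok := responseLevel[parts[1]]
	if !ok || parts[2] == "" || strings.ContainsAny(parts[2], "+#") {
		return "", fmt.Errorf("not a request topic: %q", requestTopic)
	}
	return parts[0] + "/" + res + "/" + parts[2], nil
}

// NASSession is what the Home MQTT Broker records per NAS connection: the user name
// from CONNECT and the Peripheral Identity Addresses the Home RADIUS server released
// to that NAS in Access-Accept (assumed data model).
type NASSession struct {
	UserName    string
	Peripherals map[string]bool
}

// Topic levels each direction may use. A NAS receives requests and indication
// confirmations; it publishes reports, responses and indication requests.
var (
	nasSubscribeLevels = map[string]bool{"gatt-req": true, "gatt-ind-res": true}
	nasPublishLevels   = map[string]bool{"gatt-ind": true, "gatt-res": true, "gatt-ind-req": true}
)

// splitTopic separates address, level and remainder; the address must be literal,
// which is what stops a NAS from subscribing to "#" or "+/gatt-req/#".
func splitTopic(topic string) (addr, level, rest string, ok bool) {
	parts := strings.SplitN(topic, "/", 3)
	if len(parts) != 3 || !identityAddrRE.MatchString(parts[0]) {
		return "", "", "", false
	}
	return parts[0], parts[1], parts[2], true
}

// AuthorizeSubscribe enforces the MUST from the Security Considerations: a filter is
// allowed only for a peripheral the session owns and only on the levels a NAS receives.
func AuthorizeSubscribe(s NASSession, filter string) bool {
	addr, level, _, ok := splitTopic(filter)
	return ok && s.Peripherals[addr] && nasSubscribeLevels[level]
}

// AuthorizePublish lets a NAS publish only on its own peripherals' reporting and
// response levels, so it cannot inject GATT requests toward another NAS.
func AuthorizePublish(s NASSession, topic string) bool {
	addr, level, rest, ok := splitTopic(topic)
	return ok && s.Peripherals[addr] && nasPublishLevels[level] && !strings.ContainsAny(rest, "+#")
}
```

The set of addresses in a session should be populated from the Accounting-Request Start for each peripheral and pruned on the corresponding Stop, so that a NAS that has moved on (see A.9 and A.10) loses the right to the peripheral's request topics as soon as its session ends.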
A.3. MQTT Exchange for Non-Connectable BLE Peripherals
If the BLE Peripheral indicates in its scan that it is not
connectable, the NAS/BLE Visited Host is responsible for publishing
the advertisements received from the authenticated BLE Peripheral.
On idle-timeout the NAS/BLE Visited Host MUST send an Accounting-
Request message with Acct-Status-Type set to STOP and Acct-Terminate-
Cause set to Lost Carrier (2).
NAS/BLE
Visited Home
BLE Central#2 RADIUS MQTT
Peripheral Host Server Broker
| | | |
|--BLE ----------->| | |
| Advertizement | | |
+----------------------+ | |
| | Active Scan | | | |
| |<-BLE SCAN_REQ----| | | |
| | | | | |
| |--BLE SCAN_RSP--->| | | |
+----------------------+ | |
| |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-ind/advertisement | |
| | msg:Advertising Report | |
| | | |
|--BLE ----------->| | |
| Advertizement |---MQTT PUBLISH------------------------>|
| +--| topic:{peripheral_identity_address}/ |
| | | gatt-ind/advertisement | |
| | | msg:Advertising Report | |
| | | | |
| | | | |
| | | | |
| +->|Idle Timer Expiry | |
| | | |
| |---Accounting-Request--->| |
| | Acct-Status-Type=Stop | |
| | Session-Id | |
| | | |
| +------------------------------------------------+
| | Last Session to MQTT Broker Stopped |
| +------------------------------------------------+
| | |
| |---MQTT DISCONNECT--------------------->|
| | |
| |---Close WebSocket--------------------->|
| | |
Figure 9: MQTT Exchange for Non-Connectable BLE Peripherals
A.4. Initial MQTT Exchange for Connectable BLE Peripherals
If the BLE Peripheral indicates in its scan that it is connectable,
the NAS/BLE Visited Host is responsible for publishing the
advertisements received from the authenticated BLE Peripheral and
for subscribing to the GATT requests published for the BLE
Peripheral's Identity Address.
NAS/BLE
Visited Home
BLE Central#2 MQTT
Peripheral Host Broker
| | |
|--BLE ----------->| |
| Advertizement |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-ind/advertisement |
| | msg:Advertising Report |
| | |
+---------------------------------------------------------------+
| GATT Subscription |
+---------------------------------------------------------------+
| | |
| |---MQTT SUBSCRIBE---------------------->|
| | topic:{peripheral_identity_address}/ |
| | gatt-req/# |
| | topic:{peripheral_identity_address}/ |
| | gatt-ind-res/# |
| | |
+---------------------------------------------------------------+
| GATT Connection and Service Discovery |
+---------------------------------------------------------------+
| | |
| |<--MQTT PUBLISH-------------------------|
| | topic:{peripheral_identity_address}/ |
|<-BLE PDU-------->| gatt-req/connect |
| Exchange | response topic: |
| | {peripheral_identity_address}/ |
| | gatt-res/connect |
| | correlation data:{binary_data} |
| | msg: |
| | |
| |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-res/connect |
| | correlation data:{binary data} |
| | msg: connect-id or error |
| | |
| |<--MQTT PUBLISH-------------------------|
| | topic:{peripheral_identity_address}/ |
|<-BLE PDU-------->| gatt-req/service-discovery |
| Exchange | response topic: |
| | {peripheral_identity_address}/ |
| | gatt-res/service-discovery |
| | correlation data:{binary_data} |
| | msg: connect-id, optional UUID |
| | |
| |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-res/service-discovery |
| | correlation data:{binary data} |
| | msg: service UUID or error |
| | |
Figure 10: MQTT Exchange for GATT Service Discovery
A.5. MQTT Exchange for Reading a GATT Attribute
If the BLE Peripheral is connectable, a Bluetooth Application can
read GATT attributes.
NAS/BLE
Visited Home
BLE Central#2 MQTT
Peripheral Host Broker
| | |
+---------------------------------------------------------------+
| GATT Read Request |
+---------------------------------------------------------------+
| | |
| |<--MQTT PUBLISH-------------------------|
| | topic:{peripheral_identity_address}/ |
|<-BLE PDU-------->| gatt-req/read |
| Exchange | response topic: |
| | {peripheral_identity_address}/ |
| | gatt-res/read |
| | correlation data:{binary_data} |
| | msg: Characteristic optional offset, |
| | optional maxlen |
| | |
| |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-res/read |
| | correlation data:{binary data} |
| | msg: Handle, opcode, offset, value or |
| | error |
Figure 11: MQTT Exchange for GATT Read Attribute
A.6. MQTT Exchange for Writing a GATT Attribute
If the BLE Peripheral is connectable, a Bluetooth Application can
write GATT attributes.
NAS/BLE
Visited Home
BLE Central#2 MQTT
Peripheral Host Broker
| | |
+---------------------------------------------------------------+
| GATT Write Request |
+---------------------------------------------------------------+
| | |
| |<--MQTT PUBLISH-------------------------|
| | topic:{peripheral_identity_address}/ |
|<-BLE PDU-------->| gatt-req/write |
| Exchange | response topic: |
| | {peripheral_identity_address}/ |
| | gatt-res/write |
| | correlation data:{binary_data} |
| | msg: characteristic, length, value |
| | |
| |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-res/write |
| | correlation data:{binary data} |
| | msg: success or error |
| | |
Figure 12: MQTT Exchange for GATT Write Attribute
A.7. MQTT Exchange for BLE Peripheral initiated Notifications
A Bluetooth Application can subscribe to receive Bluetooth
notifications sent by the BLE Peripheral.
NAS/BLE
Visited Home
BLE Central#2 MQTT
Peripheral Host Broker
| | |
+---------------------------------------------------------------+
| GATT Set Notification Request |
+---------------------------------------------------------------+
| | |
| |<--MQTT PUBLISH-------------------------|
| | topic:{peripheral_identity_address}/ |
|<-BLE PDU-------->| gatt-req/notification |
| Exchange | response topic: |
| | {peripheral_identity_address}/ |
| | gatt-res/notification |
| | correlation data:{binary_data} |
| | msg: characteristic, enable/disable |
| | |
| |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-res/notification |
| | correlation data:{binary data} |
| | msg: success or error |
| | |
+---------------------------------------------------------------+
| GATT Notification |
+---------------------------------------------------------------+
| | |
|--BLE ----------->| |
| Notification |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-ind/notification |
| | msg:handle & value |
| | |
Figure 13: MQTT Exchange for BLE Peripheral Notifications
A.8. MQTT Exchange for BLE Peripheral initiated Indications
A Bluetooth Application can subscribe to receive Bluetooth
indications sent by the BLE Peripheral.
NAS/BLE
Visited Home
BLE Central#2 MQTT
Peripheral Host Broker
| | |
+---------------------------------------------------------------+
| GATT Set Indication Request |
+---------------------------------------------------------------+
| | |
| |<--MQTT PUBLISH-------------------------|
| | topic:{peripheral_identity_address}/ |
|<-BLE PDU-------->| gatt-req/notification |
| Exchange | response topic: |
| | {peripheral_identity_address}/ |
| | gatt-res/notification |
| | correlation data:{binary_data} |
| | msg: identifier & handle |
| | |
| |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-res/notification |
| | correlation data:{binary data} |
| | msg: procedure complete |
| | |
+---------------------------------------------------------------+
| GATT Indication |
+---------------------------------------------------------------+
| | |
|--BLE ----------->| |
| Indication |---MQTT PUBLISH------------------------>|
| | topic:{peripheral_identity_address}/ |
| | gatt-ind-req/notification |
| | response topic: |
| | {peripheral_identity_address}/ |
| | gatt-ind-res/notification |
| | correlation data:{binary_data} |
| | msg: Indication |
| | |
| |<--MQTT PUBLISH-------------------------|
|<-BLE ------------| topic:{peripheral_identity_address}/ |
| Status | gatt-ind-res/notification |
| | correlation data:{binary data} |
| | msg: Indication confirmation |
| | |
Figure 14: MQTT Exchange for BLE Peripheral Indications
A.9. MQTT Exchange for dealing with NAS Mobility
NAS/BLE NAS/BLE
Visited Visited Home
BLE Central#2 Central#3 MQTT
Peripheral Host Host Broker
| | | |
+---------------------------------------------------------------+
| Initial Authentication With Central#2 |
+---------------------------------------------------------------+
| | | |
| |--MQTT SUBSCRIBE --------------------------->|
| | topic:{peripheral_identity_address}/ |
| | gatt-req/# |
| | | |
+---------------------------------------------------------------+
| NAS Mobility to Central#3 without MQTT unsubscription |
+---------------------------------------------------------------+
| | | |
| | |--MQTT SUBSCRIBE--------------> |
| | | topic: |
| | | {peripheral_identity_address}/ |
| | | gatt-req/# |
| | | |
+---------------------------------------------------------------+
| Example GATT Connection Request with NAS Mobility |
+---------------------------------------------------------------+
| | | |
| |<-MQTT PUBLISH-------------------------------|
| +--| topic:{peripheral_identity_address}/ |
| | | gatt-req/connect |
| | | response topic: |
| | | {peripheral_identity_address}/ |
| | | gatt-res/connect |
| | | correlation data:{binary_data} |
| | | msg: |
| | | | |
| | | |<--MQTT PUBLISH-----------------|
| | | | topic: |
| | | | {peripheral_identity_address}/ |
| | | | gatt-req/connect |
|<-BLE-----|-------------->| response topic: |
| PDU | | | {peripheral_identity_address}/ |
| Exchange| | | gatt-res/connect |
| | | | correlation data:{binary_data} |
| | | | msg: |
| | | | |
| | | |---MQTT PUBLISH---------------->|
| | | | topic: |
| | | | {peripheral_identity_address}/ |
| Central#2| | | gatt-res/connect |
| BLE| | | correlation data:{binary data} |
| Timeout| | | msg: connect-id |
| +->| | |
| |---MQTT PUBLISH----------------------------->|
| | topic:{peripheral_identity_address}/ |
| | gatt-res/connect |
| | correlation data:{binary data} |
| | msg: procedure timeout |
| | | |
+---------------------------------------------------------------+
| MQTT Broker drops timeout message for PUBLISH |
| with duplicated correlation data |
+---------------------------------------------------------------+
Figure 15: MQTT Exchange for Inter-NAS Mobility without MQTT Unsubscription
A.10. MQTT Exchange for ending a session for a connected BLE Peripheral
On idle-timeout the NAS/BLE Visited Host MUST unsubscribe from any
topics it has subscribed to and send an Accounting-Request message
with Acct-Status-Type set to STOP and Acct-Terminate-Cause set to
Lost Carrier (2).
NAS/BLE
Visited Home Home
BLE Central#2 RADIUS MQTT
Peripheral Host Server Broker
| | | |
|--BLE ----------->| | |
| Advertizement |---MQTT PUBLISH------------------------>|
| +--| topic:{peripheral_identity_address}/ |
| | | gatt-ind/advertisement | |
| | | msg:Advertising Report | |
| | | | |
| | | | |
| +->|Idle Timer Expiry | |
| | | |
| |---Accounting-Request--->| |
| | Acct-Status-Type=Stop | |
| | | |
| |---MQTT UNSUBSCRIBE-------------------->|
| | topic:{peripheral_identity_address}/ |
| | gatt-req/# | |
| | topic:{peripheral_identity_address}/ |
| | gatt-ind-res/# | |
| | | |
| +------------------------------------------------+
| | Last Session to MQTT Broker Stopped |
| +------------------------------------------------+
| | | |
| |---MQTT DISCONNECT--------------------->|
| | | |
| |---Close WebSocket--------------------->|
| | | |
Figure 16: MQTT Exchange when disconnecting from a connected BLE Peripheral
Acknowledgements
Thanks to Oleg Pekar and Eric Vyncke for their review comments. The
definition of the BLE-Keying-Material attribute has been inspired by
[RFC6218].
Authors' Addresses
Mark Grayson
Cisco Systems
10 New Square Park
Feltham
TW14 8HA
United Kingdom
Email: mgrayson@cisco.com
Eliot Lear
Cisco Systems
Glatt-com
CH-8301 Glattzentrum, Zurich
Switzerland
Email: elear@cisco.com