Internet Engineering Task Force (IETF) S. Farrell, Ed. Request for Comments: 8376 Trinity College Dublin Category: Informational May 2018 ISSN: 2070-1721 Low-Power Wide Area Network (LPWAN) Overview
AbstractLow-Power Wide Area Networks (LPWANs) are wireless technologies with characteristics such as large coverage areas, low bandwidth, possibly very small packet and application-layer data sizes, and long battery life operation. This memo is an informational overview of the set of LPWAN technologies being considered in the IETF and of the gaps that exist between the needs of those technologies and the goal of running IP in LPWANs. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8376. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. LPWAN Technologies . . . . . . . . . . . . . . . . . . . . . 3 2.1. LoRaWAN . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1.1. Provenance and Documents . . . . . . . . . . . . . . 4 2.1.2. Characteristics . . . . . . . . . . . . . . . . . . . 4 2.2. Narrowband IoT (NB-IoT) . . . . . . . . . . . . . . . . . 10 2.2.1. Provenance and Documents . . . . . . . . . . . . . . 10 2.2.2. Characteristics . . . . . . . . . . . . . . . . . . . 11 2.3. Sigfox . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.3.1. Provenance and Documents . . . . . . . . . . . . . . 15 2.3.2. Characteristics . . . . . . . . . . . . . . . . . . . 16 2.4. Wi-SUN Alliance Field Area Network (FAN) . . . . . . . . 20 2.4.1. Provenance and Documents . . . . . . . . . . . . . . 20 2.4.2. Characteristics . . . . . . . . . . . . . . . . . . . 21 3. Generic Terminology . . . . . . . . . . . . . . . . . . . . . 24 4. Gap Analysis . . . . . . . . . . . . . . . . . . . . . . . . 26 4.1. Naive Application of IPv6 . . . . . . . . . . . . . . . . 26 4.2. 6LoWPAN . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.2.1. Header Compression . . . . . . . . . . . . . . . . . 27 4.2.2. Address Autoconfiguration . . . . . . . . . . . . . . 27 4.2.3. Fragmentation . . . . . . . . . . . . . . . . . . . . 27 4.2.4. Neighbor Discovery . . . . . . . . . . . . . . . . . 28 4.3. 6lo . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.4. 6tisch . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.5. RoHC . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.6. ROLL . . . . . . . . . . . . . . . . . . . . . . . . . . 30 4.7. CoAP . . . . . . . . . . . . . . . . . . . . . . . . . . 30 4.8. Mobility . . . . . . . . . . . . . . . . . . . . . . . . 31 4.9. DNS and LPWAN . . . . . . . . . . . . . . . . . . . . . . 31 5. Security Considerations . . . . . . . . . . . . . . . . . . . 31 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 7. Informative References . . . . . . . . . . . . . . . . . . . 32 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 39 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 43
Most technologies in this space aim for a similar goal of supporting large numbers of very low-cost, low-throughput devices with very low power consumption, so that even battery-powered devices can be deployed for years. LPWAN devices also tend to be constrained in their use of bandwidth, for example, with limited frequencies being allowed to be used within limited duty cycles (usually expressed as a percentage of time per hour that the device is allowed to transmit). As the name implies, coverage of large areas is also a common goal. So, by and large, the different technologies aim for deployment in very similar circumstances. While all constrained networks must balance power consumption / battery life, cost, and bandwidth, LPWANs prioritize power and cost benefits by accepting severe bandwidth and duty cycle constraints when making the required trade-offs. This prioritization is made in order to get the multiple-kilometer radio links implied by "Wide Area" in LPWAN's name. Existing pilot deployments have shown huge potential and created much industrial interest in these technologies. At the time of writing, essentially no LPWAN end devices (other than for Wi-SUN) have IP capabilities. Connecting LPWANs to the Internet would provide significant benefits to these networks in terms of interoperability, application deployment, and management (among others). The goal of the LPWAN WG is to, where necessary, adapt IETF-defined protocols, addressing schemes, and naming conventions to this particular constrained environment. This document is largely the work of the people listed in the Contributors section.
https://www.lora-alliance.org/>. This document is based on Version 1.0.2 of the LoRa specification [LoRaSpec]. That specification is publicly available and has already seen several deployments across the globe. Figure 1 shows the entities involved in a LoRaWAN network. +----------+ |End Device| * * * +----------+ * +---------+ * | Gateway +---+ +----------+ * +---------+ | +---------+ |End Device| * * * +---+ Network +--- Application +----------+ * | | Server | * +---------+ | +---------+ +----------+ * | Gateway +---+ |End Device| * * * * +---------+ +----------+ Key: * LoRaWAN Radio +---+ IP connectivity Figure 1: LoRaWAN Architecture
o End Device: a LoRa client device, sometimes called a "mote". Communicates with Gateways. o Gateway: a radio on the infrastructure side, sometimes called a "concentrator" or "base station". Communicates with end devices and, via IP, with a network server. o Network Server: The Network Server (NS) terminates the LoRaWAN Medium Access Control (MAC) layer for the end devices connected to the network. It is the center of the star topology. o Join Server: The Join Server (JS) is a server on the Internet side of an NS that processes join requests from an end devices. o Uplink message: refers to communications from an end device to a network server or application via one or more Gateways. o Downlink message: refers to communications from a network server or application via one Gateway to a single end device or a group of end devices (considering multicasting). o Application: refers to application-layer code both on the end device and running "behind" the NS. For LoRaWAN, there will generally only be one application running on most end devices. Interfaces between the NS and the application are not further described here. In LoRaWAN networks, end device transmissions may be received at multiple Gateways, so, during nominal operation, a network server may see multiple instances of the same uplink message from an end device. The LoRaWAN network infrastructure manages the data rate and Radio Frequency (RF) output power for each end device individually by means of an Adaptive Data Rate (ADR) scheme. End devices may transmit on any channel allowed by local regulation at any time. LoRaWAN radios make use of ISM bands, for example, 433 MHz and 868 MHz within the European Union and 915 MHz in the Americas. The end device changes channels in a pseudorandom fashion for every transmission to help make the system more robust to interference and/ or to conform to local regulations.
Figure 2 shows that after a transmission slot, a Class A device turns on its receiver for two short receive windows that are offset from the end of the transmission window. End devices can only transmit a subsequent uplink frame after the end of the associated receive windows. When a device joins a LoRaWAN network, there are similar timeouts on parts of that process. |----------------------------| |--------| |--------| | Tx | | Rx | | Rx | |----------------------------| |--------| |--------| |---------| Rx delay 1 |------------------------| Rx delay 2 Figure 2: LoRaWAN Class A Transmission and Reception Window Given the different regional requirements, the detailed specification for the LoRaWAN Physical layer (PHY) (taking up more than 30 pages of the specification) is not reproduced here. Instead, and mainly to illustrate the kinds of issue encountered, Table 1 presents some of the default settings for one ISM band (without fully explaining those here); Table 2 describes maxima and minima for some parameters of interest to those defining ways to use IETF protocols over the LoRaWAN MAC layer. +-----------------------+-------------------------------------------+ | Parameters | Default Value | +-----------------------+-------------------------------------------+ | Rx delay 1 | 1 s | | | | | Rx delay 2 | 2 s (must be RECEIVE_DELAY1 + 1 s) | | | | | join delay 1 | 5 s | | | | | join delay 2 | 6 s | | | | | 868MHz Default | 3 (868.1,868.2,868.3), data rate: 0.3-50 | | channels | kbit/s | +-----------------------+-------------------------------------------+ Table 1: Default Settings for EU 868 MHz Band
+------------------------------------------------+--------+---------+ | Parameter/Notes | Min | Max | +------------------------------------------------+--------+---------+ | Duty Cycle: some but not all ISM bands impose | 1% | no | | a limit in terms of how often an end device | | limit | | can transmit. In some cases, LoRaWAN is more | | | | restrictive in an attempt to avoid congestion. | | | | | | | | EU 868 MHz band data rate/frame size | 250 | 50000 | | | bits/s | bits/s | | | : 59 | : 250 | | | octets | octets | | | | | | US 915 MHz band data rate/frame size | 980 | 21900 | | | bits/s | bits/s | | | : 19 | : 250 | | | octets | octets | +------------------------------------------------+--------+---------+ Table 2: Minima and Maxima for Various LoRaWAN Parameters Note that, in the case of the smallest frame size (19 octets), 8 octets are required for LoRa MAC layer headers, leaving only 11 octets for payload (including MAC layer options). However, those settings do not apply for the join procedure -- end devices are required to use a channel and data rate that can send the 23-byte Join-Request message for the join procedure. Uplink and downlink higher-layer data is carried in a MACPayload. There is a concept of "ports" (an optional 8-bit value) to handle different applications on an end device. Port zero is reserved for LoRaWAN-specific messaging, such as the configuration of the end device's network parameters (available channels, data rates, ADR parameters, Rx Delay 1 and 2, etc.). In addition to carrying higher-layer PDUs, there are Join-Request and Join-Response (aka Join-Accept) messages for handling network access. And so-called "MAC commands" (see below) up to 15 bytes long can be piggybacked in an options field ("FOpts"). There are a number of MAC commands for link and device status checking, ADR and duty cycle negotiation, and managing the RX windows and radio channel settings. For example, the link check response message allows the NS (in response to a request from an end device) to inform an end device about the signal attenuation seen most recently at a Gateway and to tell the end device how many Gateways received the corresponding link request MAC command.
Some MAC commands are initiated by the network server. For example, one command allows the network server to ask an end device to reduce its duty cycle to only use a proportion of the maximum allowed in a region. Another allows the network server to query the end device's power status with the response from the end device specifying whether it has an external power source or is battery powered (in which case, a relative battery level is also sent to the network server). In order to operate nominally on a LoRaWAN network, a device needs a 32-bit device address, which is assigned when the device "joins" the network (see below for the join procedure) or that is pre-provisioned into the device. In case of roaming devices, the device address is assigned based on the 24-bit network identifier (NetID) that is allocated to the network by the LoRa Alliance. Non-roaming devices can be assigned device addresses by the network without relying on a NetID assigned by the LoRa Alliance. End devices are assumed to work with one or quite a limited number of applications, identified by a 64-bit AppEUI, which is assumed to be a registered IEEE EUI64 value [EUI64]. In addition, a device needs to have two symmetric session keys, one for protecting network artifacts (port=0), the NwkSKey, and another for protecting application-layer traffic, the AppSKey. Both keys are used for 128-bit AES cryptographic operations. So, one option is for an end device to have all of the above plus channel information, somehow (pre-)provisioned; in that case, the end device can simply start transmitting. This is achievable in many cases via out-of-band means given the nature of LoRaWAN networks. Table 3 summarizes these values. +---------+---------------------------------------------------------+ | Value | Description | +---------+---------------------------------------------------------+ | DevAddr | DevAddr (32 bits) = device-specific network address | | | generated from the NetID | | | | | AppEUI | IEEE EUI64 value corresponding to the join server for | | | an application | | | | | NwkSKey | 128-bit network session key used with AES-CMAC | | | | | AppSKey | 128-bit application session key used with AES-CTR | | | | | AppKey | 128-bit application session key used with AES-ECB | +---------+---------------------------------------------------------+ Table 3: Values Required for Nominal Operation
As an alternative, end devices can use the LoRaWAN join procedure with a join server behind the NS in order to set up some of these values and dynamically gain access to the network. To use the join procedure, an end device must still know the AppEUI and a different (long-term) symmetric key that is bound to the AppEUI (this is the application key (AppKey), and it is distinct from the application session key (AppSKey)). The AppKey is required to be specific to the device; that is, each end device should have a different AppKey value. Finally, the end device also needs a long-term identifier for itself, which is syntactically also an EUI-64 and is known as the device EUI or DevEUI. Table 4 summarizes these values. +---------+----------------------------------------------------+ | Value | Description | +---------+----------------------------------------------------+ | DevEUI | IEEE EUI64 naming the device | | | | | AppEUI | IEEE EUI64 naming the application | | | | | AppKey | 128-bit long-term application key for use with AES | +---------+----------------------------------------------------+ Table 4: Values Required for Join Procedure The join procedure involves a special exchange where the end device asserts the AppEUI and DevEUI (integrity protected with the long-term AppKey, but not encrypted) in a Join-Request uplink message. This is then routed to the network server, which interacts with an entity that knows that AppKey to verify the Join-Request. If all is going well, a Join-Accept downlink message is returned from the network server to the end device. That message specifies the 24-bit NetID, 32-bit DevAddr, and channel information and from which the AppSKey and NwkSKey can be derived based on knowledge of the AppKey. This provides the end device with all the values listed in Table 3. All payloads are encrypted and have data integrity. MAC commands, when sent as a payload (port zero), are therefore protected. However, MAC commands piggybacked as frame options ("FOpts") are sent in clear. Any MAC commands sent as frame options and not only as payload, are visible to a passive attacker, but they are not malleable for an active attacker due to the use of the Message Integrity Check (MIC) described below. For LoRaWAN version 1.0.x, the NwkSKey session key is used to provide data integrity between the end device and the network server. The AppSKey is used to provide data confidentiality between the end device and network server, or to the application "behind" the network server, depending on the implementation of the network.
All MAC-layer messages have an outer 32-bit MIC calculated using AES- CMAC with the input being the ciphertext payload and other headers and using the NwkSkey. Payloads are encrypted using AES-128, with a counter-mode derived from [IEEE.802.15.4] using the AppSKey. Gateways are not expected to be provided with the AppSKey or NwkSKey, all of the infrastructure-side cryptography happens in (or "behind") the network server. When session keys are derived from the AppKey as a result of the join procedure, the Join-Accept message payload is specially handled. The long-term AppKey is directly used to protect the Join-Accept message content, but the function used is not an AES-encrypt operation, but rather an AES-decrypt operation. The justification is that this means that the end device only needs to implement the AES- encrypt operation. (The counter-mode variant used for payload decryption means the end device doesn't need an AES-decrypt primitive.) The Join-Accept plaintext is always less than 16 bytes long, so Electronic Code Book (ECB) mode is used for protecting Join-Accept messages. The Join-Accept message contains an AppNonce (a 24-bit value) that is recovered on the end device along with the other Join- Accept content (e.g., DevAddr) using the AES-encrypt operation. Once the Join-Accept payload is available to the end device, the session keys are derived from the AppKey, AppNonce, and other values, again using an ECB mode AES-encrypt operation, with the plaintext input being a maximum of 16 octets. TGPP36300] provides an overview and overall description of the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) radio interface protocol architecture, while specifications 36.321 [TGPP36321], 36.322 [TGPP36322], 36.323 [TGPP36323], and 36.331 [TGPP36331] give more detailed descriptions
of MAC, Radio Link Control (RLC), Packet Data Convergence Protocol (PDCP), and Radio Resource Control (RRC) protocol layers, respectively. Note that the description below assumes familiarity with numerous 3GPP terms. For a general overview of NB-IoT, see [nbiot-ov]. Figure 4 for the protocol structure), which is the highest layer in the user plane, as explained later. Any packet size up to the said MTU size can be passed to the NB-IoT stack from higher layers, segmentation of the packet is performed in the RLC layer, which can segment the data to transmission blocks with a size as small as 16 bits. As the name suggests, NB-IoT uses narrowbands with bandwidth of 180 kHz in both downlink and uplink. The multiple access scheme used in the downlink is Orthogonal Frequency-Division Multiplex (OFDMA) with 15 kHz sub-carrier spacing. In uplink, Sub-Carrier Frequency-Division Multiplex (SC-FDMA) single tone with either 15kHz or 3.75 kHz tone spacing is used, or optionally multi-tone SC-FDMA can be used with 15 kHz tone spacing. NB-IoT can be deployed in three ways. In-band deployment means that the narrowband is deployed inside the LTE band and radio resources are flexibly shared between NB-IoT and normal LTE carrier. In Guard- band deployment, the narrowband uses the unused resource blocks between two adjacent LTE carriers. Standalone deployment is also supported, where the narrowband can be located alone in dedicated spectrum, which makes it possible, for example, to reframe a GSM carrier at 850/900 MHz for NB-IoT. All three deployment modes are used in licensed frequency bands. The maximum transmission power is either 20 or 23 dBm for uplink transmissions, while for downlink transmission the eNodeB may use higher transmission power, up to 46 dBm depending on the deployment. A Maximum Coupling Loss (MCL) target for NB-IoT coverage enhancements defined by 3GPP is 164 dB. With this MCL, the performance of NB-IoT in downlink varies between 200 bps and 2-3 kbit/s, depending on the deployment mode. Stand-alone operation may achieve the highest data
rates, up to a few kbit/s, while in-band and guard-band operations may reach several hundreds of bps. NB-IoT may even operate with an MCL higher than 170 dB with very low bit rates. For signaling optimization, two options are introduced in addition to the legacy LTE RRC connection setup; mandatory Data-over-NAS (Control Plane optimization, solution 2 in [TGPP23720]) and optional RRC Suspend/Resume (User Plane optimization, solution 18 in [TGPP23720]). In the control-plane optimization, the data is sent over Non-Access Stratum (NAS), directly to/from the Mobile Management Entity (MME) (see Figure 3 for the network architecture) in the core network to the User Equipment (UE) without interaction from the base station. This means there is no Access Stratum security or header compression provided by the PDCP layer in the eNodeB, as the Access Stratum is bypassed, and only limited RRC procedures. Header compression based on Robust Header Compression (RoHC) may still optionally be provided and terminated in the MME. The RRC Suspend/Resume procedures reduce the signaling overhead required for UE state transition from RRC Idle to RRC Connected mode compared to a legacy LTE operation in order to have quicker user- plane transaction with the network and return to RRC Idle mode faster. In order to prolong device battery life, both Power-Saving Mode (PSM) and extended DRX (eDRX) are available to NB-IoT. With eDRX, the RRC Connected mode DRX cycle is up to 10.24 seconds; in RRC Idle, the eDRX cycle can be up to 3 hours. In PSM, the device is in a deep sleep state and only wakes up for uplink reporting. After the reporting, there is a window (configured by the network) during which the device receiver is open for downlink connectivity or for periodical "keep-alive" signaling (PSM uses periodic TAU signaling with additional reception windows for downlink reachability). Since NB-IoT operates in a licensed spectrum, it has no channel access restrictions allowing up to a 100% duty cycle. 3GPP access security is specified in [TGPP33203].
+--+ |UE| \ +------+ +------+ +--+ \ | MME |------| HSS | \ / +------+ +------+ +--+ \+--------+ / | |UE| ----| eNodeB |- | +--+ /+--------+ \ | / \ +--------+ / \| | +------+ Service Packet +--+ / | S-GW |----| P-GW |---- Data Network (PDN) |UE| | | +------+ e.g., Internet +--+ +--------+ Figure 3: 3GPP Network Architecture Figure 3 shows the 3GPP network architecture, which applies to NB-IoT. The MME is responsible for handling the mobility of the UE. The MME tasks include tracking and paging UEs, session management, choosing the Serving Gateway for the UE during initial attachment and authenticating the user. At the MME, the NAS signaling from the UE is terminated. The Serving Gateway (S-GW) routes and forwards the user data packets through the access network and acts as a mobility anchor for UEs during handover between base stations known as eNodeBs and also during handovers between NB-IoT and other 3GPP technologies. The Packet Data Network Gateway (P-GW) works as an interface between the 3GPP network and external networks. The Home Subscriber Server (HSS) contains user-related and subscription-related information. It is a database that performs mobility management, session-establishment support, user authentication, and access authorization. E-UTRAN consists of components of a single type, eNodeB. eNodeB is a base station that controls the UEs in one or several cells. The 3GPP radio protocol architecture is illustrated in Figure 4.
+---------+ +---------+ | NAS |----|-----------------------------|----| NAS | +---------+ | +---------+---------+ | +---------+ | RRC |----|----| RRC | S1-AP |----|----| S1-AP | +---------+ | +---------+---------+ | +---------+ | PDCP |----|----| PDCP | SCTP |----|----| SCTP | +---------+ | +---------+---------+ | +---------+ | RLC |----|----| RLC | IP |----|----| IP | +---------+ | +---------+---------+ | +---------+ | MAC |----|----| MAC | L2 |----|----| L2 | +---------+ | +---------+---------+ | +---------+ | PHY |----|----| PHY | PHY |----|----| PHY | +---------+ +---------+---------+ +---------+ LTE-Uu S1-MME UE eNodeB MME Figure 4: 3GPP Radio Protocol Architecture for the Control Plane The radio protocol architecture of NB-IoT (and LTE) is separated into the control plane and the user plane. The control plane consists of protocols that control the radio-access bearers and the connection between the UE and the network. The highest layer of control plane is called the Non-Access Stratum (NAS), which conveys the radio signaling between the UE and the Evolved Packet Core (EPC), passing transparently through the radio network. The NAS is responsible for authentication, security control, mobility management, and bearer management. The Access Stratum (AS) is the functional layer below the NAS; in the control plane, it consists of the Radio Resource Control (RRC) protocol [TGPP36331], which handles connection establishment and release functions, broadcast of system information, radio-bearer establishment, reconfiguration, and release. The RRC configures the user and control planes according to the network status. There exist two RRC states, RRC_Idle or RRC_Connected, and the RRC entity controls the switching between these states. In RRC_Idle, the network knows that the UE is present in the network, and the UE can be reached in case of an incoming call/downlink data. In this state, the UE monitors paging, performs cell measurements and cell selection, and acquires system information. Also, the UE can receive broadcast and multicast data, but it is not expected to transmit or receive unicast data. In RRC_Connected state, the UE has a connection to the eNodeB, the network knows the UE location on the cell level, and the UE may receive and transmit unicast data. An RRC connection is established when the UE is expected to be active in the network, to transmit or receive data. The RRC connection is released, switching back to RRC_Idle, when there is no more traffic; this is in order to preserve UE battery life and radio resources.
However, as mentioned earlier, a new feature was introduced for NB-IoT that allows data to be transmitted from the MME directly to the UE and then transparently to the eNodeB, thus bypassing AS functions. The PDCP's [TGPP36323] main services in the control plane are transfer of control-plane data, ciphering, and integrity protection. The RLC protocol [TGPP36322] performs transfer of upper-layer PDUs and, optionally, error correction with Automatic Repeat reQuest (ARQ), concatenation, segmentation, and reassembly of RLC Service Data Units (SDUs), in-sequence delivery of upper-layer PDUs, duplicate detection, RLC SDU discarding, RLC-re-establishment, and protocol error detection and recovery. The MAC protocol [TGPP36321] provides mapping between logical channels and transport channels, multiplexing of MAC SDUs, scheduling information reporting, error correction with Hybrid ARQ (HARQ), priority handling, and transport format selection. The PHY [TGPP36201] provides data-transport services to higher layers. These include error detection and indication to higher layers, Forward Error Correction (FEC) encoding, HARQ soft-combining, rate-matching, mapping of the transport channels onto physical channels, power-weighting and modulation of physical channels, frequency and time synchronization, and radio characteristics measurements. The user plane is responsible for transferring the user data through the Access Stratum. It interfaces with IP and the highest layer of the user plane is the PDCP, which, in the user plane, performs header compression using RoHC, transfer of user-plane data between eNodeB and the UE, ciphering, and integrity protection. Similar to the control plane, lower layers in the user plane include RLC, MAC, and the PHY performing the same tasks as they do in the control plane. etsi_unb]. As of today, Sigfox's network has been fully deployed in 12 countries, with ongoing deployments in 26 other countries, giving in total a geography of 2 million square kilometers, containing 512 million people.
fcc_ref] Spectrum allocation in Europe [etsi_ref1] [etsi_ref2] Spectrum allocation in Japan [arib_ref] The Sigfox radio interface is also compliant with the local regulations of the following countries: Australia, Brazil, Canada, Kenya, Lebanon, Mauritius, Mexico, New Zealand, Oman, Peru, Singapore, South Africa, South Korea, and Thailand. The radio interface is based on Ultra Narrow Band (UNB) communications, which allow an increased transmission range by spending a limited amount of energy at the device. Moreover, UNB allows a large number of devices to coexist in a given cell without significantly increasing the spectrum interference. Both uplink and downlink are supported, although the system is optimized for uplink communications. Due to spectrum optimizations, different uplink and downlink frames and time synchronization methods are needed. The main radio characteristics of the UNB uplink transmission are: o Channelization mask: 100 Hz / 600 Hz (depending on the region) o Uplink baud rate: 100 baud / 600 baud (depending on the region)
o Modulation scheme: DBPSK o Uplink transmission power: compliant with local regulation o Link budget: 155 dB (or better) o Central frequency accuracy: not relevant, provided there is no significant frequency drift within an uplink packet transmission For example, in Europe, the UNB uplink frequency band is limited to 868.00 to 868.60 MHz, with a maximum output power of 25 mW and a duty cycle of 1%. The format of the uplink frame is the following: +--------+--------+--------+------------------+-------------+-----+ |Preamble| Frame | Dev ID | Payload |Msg Auth Code| FCS | | | Sync | | | | | +--------+--------+--------+------------------+-------------+-----+ Figure 5: Uplink Frame Format The uplink frame is composed of the following fields: o Preamble: 19 bits o Frame sync and header: 29 bits o Device ID: 32 bits o Payload: 0-96 bits o Authentication: 16-40 bits o Frame check sequence: 16 bits (Cyclic Redundancy Check (CRC)) The main radio characteristics of the UNB downlink transmission are: o Channelization mask: 1.5 kHz o Downlink baud rate: 600 baud o Modulation scheme: GFSK o Downlink transmission power: 500 mW / 4W (depending on the region) o Link budget: 153 dB (or better)
o Central frequency accuracy: the center frequency of downlink transmission is set by the network according to the corresponding uplink transmission. For example, in Europe, the UNB downlink frequency band is limited to 869.40 to 869.65 MHz, with a maximum output power of 500 mW with 10% duty cycle. The format of the downlink frame is the following: +------------+-----+---------+------------------+-------------+-----+ | Preamble |Frame| ECC | Payload |Msg Auth Code| FCS | | |Sync | | | | | +------------+-----+---------+------------------+-------------+-----+ Figure 6: Downlink Frame Format The downlink frame is composed of the following fields: o Preamble: 91 bits o Frame sync and header: 13 bits o Error Correcting Code (ECC): 32 bits o Payload: 0-64 bits o Authentication: 16 bits o Frame check sequence: 8 bits (CRC) The radio interface is optimized for uplink transmissions, which are asynchronous. Downlink communications are achieved by devices querying the network for available data. A device willing to receive downlink messages opens a fixed window for reception after sending an uplink transmission. The delay and duration of this window have fixed values. The network transmits the downlink message for a given device during the reception window, and the network also selects the BS for transmitting the corresponding downlink message. Uplink and downlink transmissions are unbalanced due to the regulatory constraints on ISM bands. Under the strictest regulations, the system can allow a maximum of 140 uplink messages
and 4 downlink messages per device per day. These restrictions can be slightly relaxed depending on system conditions and the specific regulatory domain of operation. +---+ |DEV| * +------+ +---+ * | RA | * +------+ +---+ * | |DEV| * * * * | +---+ * +----+ | * | BS | \ +--------+ +---+ * +----+ \ | | DA -----|DEV| * * * | SC |----- NA +---+ * / | | * +----+ / +--------+ +---+ * | BS |/ |DEV| * * * * +----+ +---+ * * +---+ * |DEV| * * +---+ Figure 7: Sigfox Network Architecture Figure 7 depicts the different elements of the Sigfox network architecture. Sigfox has a "one-contract one-network" model allowing devices to connect in any country, without any need or notion of either roaming or handover. The architecture consists of a single cloud-based core network, which allows global connectivity with minimal impact on the end device and radio access network. The core network elements are the Service Center (SC) and the Registration Authority (RA). The SC is in charge of the data connectivity between the BS and the Internet, as well as the control and management of the BSs and End Points (EPs). The RA is in charge of the EP network access authorization. The radio access network is comprised of several BSs connected directly to the SC. Each BS performs complex L1/L2 functions, leaving some L2 and L3 functionalities to the SC. The Devices (DEVs) or EPs are the objects that communicate application data between local Device Applications (DAs) and Network Applications (NAs).
Devices (or EPs) can be static or nomadic, as they associate with the SC and they do not attach to any specific BS. Hence, they can communicate with the SC through one or multiple BSs. Due to constraints in the complexity of the Device, it is assumed that Devices host only one or very few device applications, which most of the time communicate each to a single network application at a time. The radio protocol authenticates and ensures the integrity of each message. This is achieved by using a unique device ID and an AES-128-based message authentication code, ensuring that the message has been generated and sent by the device with the ID claimed in the message. Application data can be encrypted at the application level or not, depending on the criticality of the use case, to provide a balance between cost and effort versus risk. AES-128 in counter mode is used for encryption. Cryptographic keys are independent for each device. These keys are associated with the device ID and separate integrity and confidentiality keys are pre-provisioned. A confidentiality key is only provisioned if confidentiality is to be used. At the time of writing, the algorithms and keying details for this are not published. https://www.wi-sun.org/> is an industry alliance for smart city, smart grid, smart utility, and a broad set of general IoT applications. The Wi-SUN Alliance Field Area Network (FAN) profile is open-standards based (primarily on IETF and IEEE 802 standards) and was developed to address applications like smart municipality/city infrastructure monitoring and management, Electric Vehicle (EV) infrastructure, Advanced Metering Infrastructure (AMI), Distribution Automation (DA), Supervisory Control and Data Acquisition (SCADA) protection/management, distributed generation monitoring and management, and many more IoT applications. Additionally, the Alliance has created a certification program to promote global multi-vendor interoperability. The FAN profile is specified within ANSI/TIA as an extension of work previously done on Smart Utility Networks [ANSI-4957-000]. Updates to those specifications intended to be published in 2017 will contain
details of the FAN profile. A current snapshot of the work to produce that profile is presented in [wisun-pressie1] and [wisun-pressie2]. FANOV], enables remote update and upgrade of devices so that they can handle new applications, extending their working life. Wi-SUN supports LPWAN IoT applications that require on-demand control by providing low link latency (0.02 s) and bidirectional communication. o Low-power consumption: FAN devices draw less than 2 uA when resting and only 8 mA when listening. Such devices can maintain a long lifetime, even if they are frequently listening. For instance, suppose the device transmits data for 10 ms once every 10 s; theoretically, a battery of 1000 mAh can last more than 10 years. o Scalability: Tens of millions of Wi-SUN FAN devices have been deployed in urban, suburban, and rural environments, including deployments with more than 1 million devices. A FAN contains one or more networks. Within a network, nodes assume one of three operational roles. First, each network contains a Border Router providing WAN connectivity to the network. The Border Router maintains source-routing tables for all nodes within its network, provides node authentication and key management services, and disseminates network-wide information such as broadcast schedules. Second, Router nodes, which provide upward and downward packet forwarding (within a network). A Router also provides
services for relaying security and address management protocols. Finally, Leaf nodes provide minimum capabilities: discovering and joining a network, sending/receiving IPv6 packets, etc. A low-power network may contain a mesh topology with Routers at the edges that construct a star topology with Leaf nodes. The FAN profile is based on various open standards developed by the IETF (including [RFC768], [RFC2460], [RFC4443], and [RFC6282]). Related IEEE 802 standards include [IEEE.802.15.4] and [IEEE.802.15.9]. For Low-Power and Lossy Networks (LLNs), see ANSI/ TIA [ANSI-4957-210]. The FAN profile specification provides an application-independent IPv6-based transport service. There are two possible methods for establishing IPv6 packet routing: the Routing Protocol for Low-Power and Lossy Networks (RPL) at the Network layer is mandatory, and Multi-Hop Delivery Service (MHDS) is optional at the Data Link layer. Figure 8 provides an overview of the FAN network stack. The Transport service is based on UDP (defined in [RFC768]) or TCP (defined in [RFC793]. The Network service is provided by IPv6 as defined in [RFC2460] with an IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) adaptation as defined in [RFC4944] and [RFC6282]. ICMPv6, as defined in [RFC4443], is used for the control plane during information exchange. The Data Link service provides both control/management of the PHY and data transfer/management services to the Network layer. These services are divided into MAC and Logical Link Control (LLC) sub- layers. The LLC sub-layer provides a protocol dispatch service that supports 6LoWPAN and an optional MAC sub-layer mesh service. The MAC sub-layer is constructed using data structures defined in [IEEE.802.15.4]. Multiple modes of frequency hopping are defined. The entire MAC payload is encapsulated in an [IEEE.802.15.9] Information Element to enable LLC protocol dispatch between upper- layer 6LoWPAN processing and MAC sub-layer mesh processing, etc. These areas will be expanded once [IEEE.802.15.12] is completed. The PHY service is derived from a subset of the SUN FSK specification in [IEEE.802.15.4]. The 2-FSK modulation schemes, with a channel- spacing range from 200 to 600 kHz, are defined to provide data rates from 50 to 300 kbit/s, with FEC as an optional feature. Towards enabling ultra-low-power applications, the PHY layer design is also extendable to low-energy and critical infrastructure-monitoring networks.
+----------------------+--------------------------------------------+ | Layer | Description | +----------------------+--------------------------------------------+ | IPv6 protocol suite | TCP/UDP | | | | | | 6LoWPAN Adaptation + Header Compression | | | | | | DHCPv6 for IP address management | | | | | | Routing using RPL | | | | | | ICMPv6 | | | | | | Unicast and Multicast forwarding | +----------------------+--------------------------------------------+ | MAC based on | Frequency hopping | | [IEEE.802.15.4e] + | | | IE extensions | Discovery and Join | | | | | | Protocol Dispatch ([IEEE.802.15.9]) | | | | | | Several Frame Exchange patterns | | | | | | Optional Mesh Under routing | | | ([ANSI-4957-210]) | +----------------------+--------------------------------------------+ | PHY based on | Various data rates and regions | | [IEEE.802.15.4g] | | +----------------------+--------------------------------------------+ | Security | [IEEE.802.1x]/EAP-TLS/PKI Authentication | | | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 | | | required for EAP-TLS | | | | | | 802.11i Group Key Management | | | | | | Frame security is implemented as AES-CCM* | | | as specified in [IEEE.802.15.4] | | | | | | Optional [ETSI-TS-102-887-2] Node 2 Node | | | Key Management | +----------------------+--------------------------------------------+ Figure 8: Wi-SUN Stack Overview
The FAN security supports Data Link layer network access control, mutual authentication, and establishment of a secure pairwise link between a FAN node and its Border Router, which is implemented with an adaptation of [IEEE.802.1x] and EAP-TLS as described in [RFC5216] using secure device identity as described in [IEEE.802.1AR]. Certificate formats are based upon [RFC5280]. A secure group link between a Border Router and a set of FAN nodes is established using an adaptation of the [IEEE.802.11] Four-Way Handshake. A set of four group keys are maintained within the network, one of which is the current transmit key. Secure node-to-node links are supported between one-hop FAN neighbors using an adaptation of [ETSI-TS-102-887-2]. FAN nodes implement Frame Security as specified in [IEEE.802.15.4].