
OpenWeave Application Layer

An application layer for building thoughtful products

Robert Szewczyk
Weave Team / Google
12/3/2018

Weave was born at Nest from the desire to deliver thoughtful products

Features are driven by requirements for very specific consumer experiences

Weave started with our first products

Weave is enabling an ecosystem of products

Weave features shine in the Nest Secure system

Outline

◎ Weave: What? Why? How?
◎ Internet Connectivity, Border Routers
◎ Pairing
◎ Security
◎ Device
◎ Distributed Data Model
◎ Cloud
◎ Ecosystem of Devices

Weave What? Why? How?

What is Weave?

Weave is a set of application-level networking protocols built around a common addressing and naming architecture with low overhead serialization protocols and modern security.

OpenWeave is an implementation of the above available on http://openweave.io

Why Weave? Goals

◎ Secure
○ End-to-end application security, independent of underlying network
◎ Versatile
○ Support for variety of interaction models / patterns: Device-to-device, device-to-service, device-to-mobile/PC (remote and local)
◎ Developer- and Partner-friendly
○ Straightforward but capable platform for the application developer
◎ Robust
○ Self-organizing / -healing network
◎ Low Overhead and Pervasive Architecture
○ Scales up, rather than down
○ Support for small devices (64K RAM, 512K code)
○ Low to mid-100s of devices
◎ Easy to Use
○ Simple setup and administration for the end user
○ Thoughtful network application definition; not designed by committee

Why Weave: Competitive Survey

● We looked at over 20 connectivity solutions, including:
○ AllJoyn / AllSeen
○ BACNET
○ CoAP
○ Dust
○ EEBUS
○ EnOcean
○ HTTP
○ JenNet-IP
○ KNX
○ LonWorks
○ MQTT
○ OIC / OCF
○ ONELINK
○ SNMP
○ UPnP
○ USB
○ Z-Wave
○ ZigBee
● We could not find a single solution that met all of the goals and requirements.

How? Where does Weave SDK fit in the device software stack

[Figure: device software stack, top to bottom: Core Application; Weave Profiles / Application SDK and Weave Platform / Cloud SDK; Weave Core SDK; Embedded Communications Platform SDK (Network Manager, WPAN); Embedded Core Platform SDK (OS Services, Network Stack, Thread Stack); Hardware Platform (System-on-Chip with Network Interface; System-on-Chip with Thread and WiFi Network Chips). Legend: Required Component, Optional Component, Choice of device Components.]

System Stack and Simplified Data Plane

[Figure: System Stack, Simplified Data Plane View. Top to bottom: Core Application; Weave Application Profiles and Traits, with Weave Platform Adaptation; Weave Core; Core Platform (OS Services, Network Control Plane, Network Stack with TCP, UDP, IPv4 / IPv6); Hardware Platform (System-on-Chip with Network Interface(s); System-on-Chip with Network Chips). Network labels: BLE, Thread, Cellular, WiFi, 802.15.4.]

Weave Profiles

Set of concepts and definitions that support a particular area of application functionality

[Figure labels: Protocols Protocol Roles Message Encoding Message Tags Types Schema Status Codes Published Data]

Weave Core Stack

[Figure: Weave Core stack. Weave Application Profiles and Traits sit on top of Weave Core. Boxes inside Weave Core: CASE Engine, PASE Engine, Security Manager, Context Pool, Pairing Profiles, Reliable Messaging, DirectoryService, Bulk Data Transfer, Data Management, Exchange Manager, TLV, Connections, Tunnels, Message Layer, Group Keys, Session Keys, Echo Profile, Fabric State, Security Profile, Common Profile, Software Update. Transports: TCP, UDP, BLE.]

OpenWeave Internet Connectivity, Border Routers

Target Environments and Configurations

● Customer home and surrounding area
○ Single-family, townhouse, apartment
○ Front / back / side yards, detached garage, guest house
● Customer Ethernet or WiFi network
○ Customer owned / administered
○ Shared multi-tenant
● Non-WiFi networks
○ Thread
○ Power Line
● Remote Access
○ Mobile / web

Weave Fabric

Collection of Weave-enabled devices, located in and around a user’s home, that cooperate to provide services to the user, their family and their guests. Secured by a shared Fabric Id.

[Figure: Cloud Services with Weave Fabric 1, Weave Fabric 2 and Weave Fabric 3]

Weave Network Architecture

[Figure: Weave network architecture. Labels: Weave Service Endpoints; Cellular Network; Router; Ethernet / WiFi “Hub” Network; Thread (802.15.4/6LoWPAN) Peripheral Network; BLE; Future Peripheral Networks (e.g. powerline); Weave Fabric. Legend: R = routing device; AP = WiFi access point / gateway; BLE = Bluetooth smart / low energy.]

Fabric Routing

[Figure: fabric routing. Labels: Service Core Router, IPv6 Tunnel, IPv6 Border Router (BR)]

Weave IPv6 Address Format

[Figure: address fields, in order: FD | Global ID | Subnet | Interface ID. Labels: Fabric ID, IPv6 ULA.]

Weave Tunnel and NAT

Weave Tunnels provide a redundant extension of the Weave IPv6 fabric from the premise to the cloud and provide a generalized asynchronous ingress path from the cloud back to the premise.
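The field order on the Weave IPv6 Address Format slide above, as an added Go example (not OpenWeave code) that packs and unpacks a fabric address and checks whether a source address sits in a given fabric's prefix. It assumes the RFC 4193 widths (8-bit FD prefix, 40-bit global ID, 16-bit subnet, 64-bit interface ID), that the global ID is the low 40 bits of the 64-bit fabric ID, and that the interface ID is the node's EUI-64; the fabric ID and subnet number are constructed sample values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// WeaveAddr is the decoded form of a fabric address (field widths per RFC 4193).
type WeaveAddr struct {
	GlobalID    uint64 // 40 bits
	Subnet      uint16
	InterfaceID uint64
}

var ErrNotULA = errors.New("not an fd00::/8 unique local address")

// GlobalIDFromFabric keeps the low 40 bits of the fabric ID (assumed derivation).
func GlobalIDFromFabric(fabricID uint64) uint64 { return fabricID & 0xFFFFFFFFFF }

// MakeULA packs FD | Global ID | Subnet | Interface ID into an IPv6 address.
func MakeULA(fabricID uint64, subnet uint16, nodeID uint64) netip.Addr {
	var b [16]byte
	g := GlobalIDFromFabric(fabricID)
	b[0] = 0xFD
	b[1] = byte(g >> 32)
	binary.BigEndian.PutUint32(b[2:6], uint32(g))
	binary.BigEndian.PutUint16(b[6:8], subnet)
	binary.BigEndian.PutUint64(b[8:16], nodeID)
	return netip.AddrFrom16(b)
}

// ParseULA splits an address into its fields and rejects anything outside fd00::/8.
func ParseULA(a netip.Addr) (WeaveAddr, error) {
	if !a.Is6() || a.Is4In6() {
		return WeaveAddr{}, ErrNotULA
	}
	b := a.As16()
	if b[0] != 0xFD {
		return WeaveAddr{}, ErrNotULA
	}
	return WeaveAddr{
		GlobalID:    uint64(b[1])<<32 | uint64(binary.BigEndian.Uint32(b[2:6])),
		Subnet:      binary.BigEndian.Uint16(b[6:8]),
		InterfaceID: binary.BigEndian.Uint64(b[8:16]),
	}, nil
}

// InFabric reports whether a textual source address (for example from a flow
// log) falls inside the /48 derived from fabricID.
func InFabric(src string, fabricID uint64) bool {
	a, err := netip.ParseAddr(src)
	if err != nil {
		return false
	}
	w, err := ParseULA(a)
	return err == nil && w.GlobalID == GlobalIDFromFabric(fabricID)
}

func main() {
	const fabric = 0x1122334455667788 // constructed fabric ID
	a := MakeULA(fabric, 6, 0x18B4300000000001)
	fmt.Println(a, InFabric(a.String(), fabric), InFabric("fe80::1", fabric))
}
```

Under the 40-bit assumption two fabric IDs that differ only in their upper 24 bits map to the same prefix, so a prefix match is a routing filter and not proof of fabric membership.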

[Figure: one or more redundant Weave Tunnels between the Cloud Service and Weave Fabric 1, Weave Fabric 2 and Weave Fabric 3]

OpenWeave Pairing

Pairing

Pairing, or out of box (OOB), is the process of setting up and configuring a device for a user

Weave provisioning is a key aspect of the pairing flow

Weave creates a virtual private network between the devices in the home

This network is called a Weave fabric

[Figure: pairing progress bar: Establishing communication, Device authentication, Network provisioning, Weave provisioning, Service provisioning, Setup & Installation]

Establishing Device Communication

The first step is to establish communication with the new device. The rendezvous protocols have several mechanisms depending on the hardware capabilities of that device. The Pairing process and protocols are largely the same regardless of the communication mechanism chosen.

Three supported mechanisms
◎ Soft AP
◎ Bluetooth Low Energy (BLE)
◎ 802.15.4/Thread (a.k.a. Thread Assisted Pairing)

Soft AP

Process
◎ Wake device
◎ Connect to device WiFi
◎ Establish IPv6 addresses
◎ Connect device with TCP

Features
◎ WiFi-enabled devices only
◎ Requires manual WiFi configuration on iOS
◎ Mobile disconnected from / Internet during pairing.

[Figure: Internet Service, Gateway, AP]

BLE

Process
◎ Wake device
◎ Device advertises as unpaired device
◎ Mobile scans for and connects to device

Features
◎ No manual WiFi configuration required
◎ No loss of WiFi connectivity
◎ Uses existing Weave pairing protocols
◎ Slow (low data rate)
◎ Can be used to bootstrap other networks

[Figure: Internet Service, Gateway, BLE]

Thread Assisted

Process
◎ Connect to existing device over home WiFi
◎ Enable 15.4 joining on existing device
◎ Press button on new device
◎ New device hunts for joinable PAN
◎ New device provisionally joins existing PAN
◎ Existing device forwards comm. to/from new device

Features
◎ Supports 15.4 only devices
◎ No manual WiFi config / loss of connectivity
◎ Cannot be used for first device

[Figure: Internet Service, Gateway, WiFi, 15.4, Existing Device, New Device]

Device authentication

After establishing communication, the device must be authenticated.

Purpose:
◎ Establish ownership
◎ Identify type of device, serial number, capabilities, etc.
◎ Authenticate device
◎ Establish secure channel for pairing

Security Goals
◎ Prevent unauthorized access to user's account / personal data
◎ Block device ‘spoofing’ attacks
◎ Prevent leak of user's network credentials
◎ Protect the pairing code
◎ Ensure device authenticity

Password Authenticated Session Establishment (PASE)

Weave PASE Protocol
◎ Based on J-PAKE crypto protocol
◎ Mutual authentication w/low-entropy secret (pairing code)
◎ Resistant to man-in-the-middle attacks
◎ Perfect forward secrecy
◎ Integer field math now, EC soon
◎ Recently completed crypto proof

Features
◎ Proves to device that user has physical possession
◎ Proves to user that phone is talking to correct device
◎ Establishes secure channel for rest of pairing

[Figure: message sequence: PASEInitiatorStep1, PASEResponderStep1, PASEResponderStep2, PASEInitiatorStep2, PASEResponderKeyConfirm; both sides then show Session Established]

Network Provisioning

Once the device is authenticated, the next step is to get it connected to a network.

Currently supported networks:
◎ Wi-Fi
◎ Thread

Weave Network Provisioning Profile

Generalized protocol for network configuration / management
◎ Supports both WiFi and Thread

Individual requests for each operation

Can be used outside of pairing
◎ WiFi password change
◎ Retrieving credentials from existing device

Future support for bulk password change

[Figure: messages ScanNetworks, AddNetwork, EnableNetwork, TestNetwork, GetNetworks]

WiFi Network Provisioning

Process
◎ Scan WiFi networks
◎ Select WiFi network and enter credentials (1st device pairing only)
◎ Connect to home network
◎ Test connectivity to Internet / service

Features
◎ Based on Weave Network Provisioning Profile
◎ Good UX in case of bad password
◎ Requires simultaneous station/AP mode when using Soft AP for pairing

[Figure: Internet, Nest Service, Gateway, WiFi, AP]

Thread Network Provisioning

Process (1st device)
◎ Energy scan / channel selection
◎ Form new Thread PAN
◎ PAN name derived from Weave Fabric id (NEST-PAN-6F4B)
◎ Unique PAN extended id
◎ Random network key

Features
◎ Occurs automatically at time of fabric provisioning (details below)
◎ Channel fixed for lifetime of PAN

[Figure: Internet, Nest Service, Gateway, 15.4, AP]

Thread Network Provisioning

Process (2nd device)
◎ GetNetworks (from assisting device)
◎ AddNetwork (using info from assisting device)
◎ EnableNetwork (results in device joining PAN)

Features
◎ New device scans for PAN to determine channel
◎ Assisting device must be active at time of join
◎ Commissioner must have extracted network info from existing device prior to provisioning

[Figure: Internet, Nest Service, Gateway, 15.4, AP, New Device, Assisting Device]

Weave Provisioning

Even though it's on a network, the device isn't able to communicate through Weave messages until it's been provisioned for the fabric.

Creating a fabric:
◎ Generating a unique Fabric Id (64-bit global id)
◎ Generating fabric shared keys for message transmission
◎ Persisting above in durable storage

Joining a fabric:
◎ Acquiring and persisting fabric configuration

Performed via Fabric Provisioning Profile

Weave Fabric Provisioning Profile

Protocol for managing membership in a fabric

Defines fabric config as transportable container of information about a fabric
◎ Fabric ID
◎ Fabric Keys
◎ Key Lifetime / Rotation Scheme

[Figure: messages CreateFabric, GetFabricConfig, JoinExistingFabric, LeaveFabric]

Weave Provisioning

Process (1st device)
◎ CreateFabric

Process (2nd device)
◎ GetFabricConfig (from assisting device)
◎ JoinExistingFabric (passing fabric config)

Features
◎ No direct communication required between devices

[Figure: Internet, Nest Service, Gateway, AP, Assisting Device, New Device]

Service Provisioning

The last step to get the device 'connected' is to provision it with cloud services and the user's account.

Configure device to talk to the Nest service
Establishes the first contact point for service
Provides information allowing device to auth service
Supports directing devices to different service instances
◎ e.g. production, field-test, QA, etc.
Uses pairing token to authorize device to user's account
Allows service to confirm authenticity of device
Performed via Service Provisioning Profile

Weave Service Provisioning Profile

Manages device’s relationship with service and account

Defines service config as standard container of information about a service
◎ Address (host/port) of service directory endpoint
◎ List of trusted CA certificates for service

Includes commissioner-to-device, and device-to-service interactions

Supports a single device having relationships with multiple services
◎ E.g. Nest service and partner service

[Figure: messages UpdateService, UnregisterService, PairDeviceToAccount, UnpairDeviceFromAccount, exchanged with the Service]

Weave Service Provisioning Process

Commissioner gets pairing token from service

RegisterServicePairAccount sent to device
◎ Service config
◎ Pairing token
◎ Initial device configuration

Device persists service config

Device connects to service
◎ Device authenticates service (via server certificate)
◎ Service authenticates device (via device certificate)

Device sends PairDeviceToAccount to service
◎ Pairing token
◎ Initial device configuration

Service verifies pairing token

Service associates device with account

Service stores initial device configuration

[Figure: Internet, Nest Service, Gateway, WiFi, AP]

Setup & Installation

At this point the pairing process is complete, but most products require additional configuration before they can be useful.

Product specific configuration is the last phase of OOB

Product and device-type specific phase

Includes
◎ Initial settings configuration
◎ Installation, wiring walk-through
◎ Sensor calibration
◎ Product feature education

OpenWeave Security

OpenWeave Security Goals

Secure device communication
◎ Independent of the underlying transport
○ Thread, Wi-Fi, Ethernet, Cellular, BTLE
◎ For different types of devices
○ Constrained power (coin cell), memory (as little as 64kB RAM), CPU. Unconstrained
◎ For different types of operations
○ Pairing, device-to-device, device-to-service, service-to-device
◎ Across application domains
○ HVAC, safety, security, sensors

Overview

◎ Most messages encrypted with shared key crypto
○ leverage ubiquitous AES HW acceleration
◎ Sparing use of public key crypto
○ emphasis on memory-efficient elliptic curve methods
◎ Strong identity tied to a certificate
◎ Different session establishment protocols
○ human friendly -- use passcode
○ machine friendly -- certificates
◎ Application keys -- long lived, secure key management for groups of devices

OpenWeave Message Encryption / Authentication

Encryption / Authentication is built-in to Weave Message Architecture
○ AES-128 encryption
○ CTR-mode stream cipher
○ HMAC-SHA1 integrity
○ Separate keys for encryption / integrity
○ Key sources:
◉ Short-term peer-to-peer session keys
◉ Long-term group keys
○ Extensible

◎ Fields Subject to Encryption
○ message type and profile
○ exchange information
○ message acknowledgment info
○ message integrity code
○ application payload
◎ Fields Subject to Integrity
○ application payload
○ message type and profile
○ exchange information
○ message acknowledgment info
○ source / destination node ids
○ message version

[Figure: message layout. Field labels: Message Length; Message Header: Message Id, Source Node Id, Destination Node Id, Key Id, Payload Length, Initialization Vector; Exch. Header: Message Type, Exchange Id, Message Profile Id, Acknowledged Message Id; Application Payload; Message Integrity Check; Padding. Grey denotes optional or conditional fields. Blue denotes fields subject to encryption.]
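The scheme on the two Message Encryption / Authentication slides above, as an added Go example (not OpenWeave code): HMAC-SHA1 over the message version, node ids and body, then AES-128-CTR over the body and the integrity code, with separate keys. The 21-byte header layout, the counter-block construction and the key bytes are assumptions made for the example, not the Weave wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Header holds the fields that stay in the clear. This 21-byte layout is
// constructed for the example; it is not the Weave wire format.
type Header struct {
	Version uint8
	MsgID   uint32
	SrcNode uint64
	DstNode uint64
}

// Keys keeps encryption and integrity keys separate, as the slide requires.
type Keys struct {
	Enc [16]byte // AES-128
	Mac [20]byte // HMAC-SHA1
}

const headerLen, tagLen = 21, sha1.Size

var ErrIntegrity = errors.New("message integrity check failed")

func (h Header) marshal() []byte {
	b := make([]byte, headerLen)
	b[0] = h.Version
	binary.BigEndian.PutUint32(b[1:5], h.MsgID)
	binary.BigEndian.PutUint64(b[5:13], h.SrcNode)
	binary.BigEndian.PutUint64(b[13:21], h.DstNode)
	return b
}

// stream builds the CTR keystream. Assumption: the initial counter block is
// SrcNode || MsgID || 0, so a (key, sender, message id) triple must never repeat.
func stream(k Keys, h Header) cipher.Stream {
	block, err := aes.NewCipher(k.Enc[:])
	if err != nil {
		panic(err) // unreachable: the key is always 16 bytes
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[0:8], h.SrcNode)
	binary.BigEndian.PutUint32(iv[8:12], h.MsgID)
	return cipher.NewCTR(block, iv)
}

// tag authenticates the version, both node ids and the plaintext body.
func tag(k Keys, h Header, body []byte) []byte {
	hdr := h.marshal()
	m := hmac.New(sha1.New, k.Mac[:])
	m.Write(hdr[:1]) // message version
	m.Write(hdr[5:]) // source and destination node ids
	m.Write(body)
	return m.Sum(nil)
}

// Seal returns header || CTR(body || HMAC): the integrity code is encrypted too.
func Seal(k Keys, h Header, body []byte) []byte {
	plain := append(append([]byte{}, body...), tag(k, h, body)...)
	stream(k, h).XORKeyStream(plain, plain)
	return append(h.marshal(), plain...)
}

// Open decrypts, then checks the tag in constant time before releasing the body.
func Open(k Keys, wire []byte) (Header, []byte, error) {
	if len(wire) < headerLen+tagLen {
		return Header{}, nil, errors.New("message too short")
	}
	h := Header{
		Version: wire[0],
		MsgID:   binary.BigEndian.Uint32(wire[1:5]),
		SrcNode: binary.BigEndian.Uint64(wire[5:13]),
		DstNode: binary.BigEndian.Uint64(wire[13:21]),
	}
	plain := make([]byte, len(wire)-headerLen)
	stream(k, h).XORKeyStream(plain, wire[headerLen:])
	body, got := plain[:len(plain)-tagLen], plain[len(plain)-tagLen:]
	if !hmac.Equal(got, tag(k, h, body)) {
		return Header{}, nil, ErrIntegrity
	}
	return h, body, nil
}

func main() {
	var k Keys // constructed demo keys; real ones are session or group keys
	copy(k.Enc[:], "0123456789abcdef")
	copy(k.Mac[:], "0123456789abcdefghij")
	h := Header{1, 42, 0x18B4300000000001, 0x18B4300200000003}
	wire := Seal(k, h, []byte("exchange header + payload"))
	wire[20] ^= 1 // flip one bit of the cleartext destination node id
	_, _, err := Open(k, wire)
	fmt.Println(err)
}
```

Because the message id feeds the counter block in this construction, changing it in transit alters the keystream and the tag check fails even though the id is not part of the HMAC input.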

Categories of keys used to secure messages
◎ Session keys
○ Negotiated on as-needed basis
○ Generated via session establishment protocols (CASE, PASE)
○ Two-party only
○ Generally short lived
◎ Group / fabric keys
○ Established at joining time
○ Shared by all / some nodes in fabric
○ Long lived
○ Subject to rotation
○ Session key support well developed
○ Group key support rudimentary

[Figure: keys in use between devices and the Weave Service Endpoints. Legend: Short-term session (PASE), Short-term session (CASE), Key exchange (TAKE), Long-term group (Application)]

Password Authenticated Session Establishment (PASE)

◎ Weave protocol for mutual authentication / session establishment based on low-entropy passwords
◎ Based on J-PAKE cryptographic protocol (finite-field and EC)
◎ Crypto features
○ Resistant to man-in-the-middle attacks
○ Does not reveal any part of password
○ Perfect forward security
◎ Uses
○ App-to-device (Weave pairing, thread commissioning)
○ Device-to-device (Nest Thermostat to HeatLink pairing)
○ Crypto-proof completed by Google security team

Certificate Authenticated Session Establishment (CASE)

◎ Weave protocol for mutual authentication / session establishment based on peer certificates
◎ Based on ECDH and ECDSA (Weave certificates)
◎ Support for NIST-192, 224 and 256 bit curves
◎ Simplified (but flexible) certificate path validation
◎ No support for CRLs
◎ Uses
○ App-to-device (pairing)
○ Device-to-service (all interactions)
○ Device-to-device (in-field joining)

Certificates

Simplified / Compact X.509 v3 Certificates
◎ Constrained features
○ 1-level distinguished name
○ EUI-64s used as naming attributes
○ Limited support for extensions
◎ Compressed encoding using Weave TLV
○ 30% smaller than X.509 DER form
○ lossless conversion to/from X.509
◎ CA signature based on X.509 DER form, not TLV form
◎ Can be used in standard protocols (TLS)
◎ Design optimizes code and data space on devices

Certificates for Devices and Authentication

Weave Certificates for Devices
◎ Certificate subject name is Weave device id (802.15.4 MAC): /WeaveDeviceId=18B4300000000001
◎ Signed by Nest Device CA certificate
◎ Certificate and private key provisioned onto device during manufacturing
◎ Used by devices to prove their identity to service, mobile apps
◎ Also provides proof of device authenticity
◎ Peers trust device certificate based on trusting Nest root certificate

Certificates for Service Endpoints

Weave Certificates for Services
◎ Certificate subject name is service endpoint id (EUI-64): /WeaveServiceEndpointId=18B4300200000003
◎ Signed by Nest Service Endpoint CA certificate
◎ Installed on server instances in Nest service
◎ Used by servers to prove their identity to devices
◎ Also provides proof of device authenticity
◎ Peers (devices) trust service endpoint certificates based on trusting the service root certificate contained in the service config

Certificates for Firmware Signing

Weave Certificates for Software Publishers
◎ Certificate subject name is service endpoint id (EUI-64): /WeaveSoftwarePublisherId=18B4300302000001
◎ Signed by Nest Firmware Signing CA certificate
◎ Installed on official build machines
◎ Firmware images include signing certificate + CA certificate
◎ Devices trust firmware images based on trusting the Nest root certificate

Nest Trust Domain

◎ Nest X.509-based PK Hierarchy
○ Fairly typical organization
○ Single root certificate
◎ 3 CA certificates: device, service endpoint and firmware signing
○ EC keys (NIST P-224)
○ Administered by Nest
○ Multi-party key ceremonies

Application Keys

Symmetric Group Key Framework
◎ Generation/dissemination/management of shared group keys
◎ Flexible membership rules based on application security requirements
◎ Groups can include (or exclude): devices, mobiles and service
◎ Strong enforcement of group membership (with siloed administration)
◎ Common mechanism for key dissemination (WDM)
◎ Built-in key rotation scheme
◎ Uses
○ Device-to-device messaging (home security communication)
○ Mobile-to-device data encryption (passcodes)
○ Mobile-to-device commands (physical access control)

OpenWeave Device Communications

Weave Core Stack

[Figure: Weave Core stack, repeated from the earlier Weave Core Stack slide. Boxes: Weave Application Profiles and Traits, CASE Engine, PASE Engine, Security Manager, Context Pool, Reliable Messaging, DirectoryService, Bulk Data Transfer, Data Management, Exchange Manager, TLV, Connections, Tunnels, Message Layer, Group Keys, Session Keys, Echo Profile, Fabric State, Security Profile, Common Profile, Weave Core; transports TCP, UDP, BLE.]

WDM Overview

The Weave Data Management (WDM) profile is an eventually consistent, versioned, publish-subscribe data model with coordinated eventing and commands.

● Basic protocol roles
○ Publisher
○ Subscriber / Client
● Subscriptions
○ One-way
○ Two-way (Mutual)
● Basic protocol operations
○ View
○ Update
○ Subscribe
○ Notify
○ Custom Command(s)

Data Model Mutation

Data model will be mutated by updates and may be updated by commands

Updates
○ Update
○ Update (E2E Authenticated)
○ Update (Timeout)
○ Update (E2E Authenticated, Timeout)

Commands
○ Command
○ Command (E2E Authenticated)
○ Command (Timeout)
○ Command (E2E Authenticated, Timeout)

Data Model Mutation: Updates versus Commands

Update: Schema path(s) and value(s) with optional parameters

Examples:
● Set the target temperature to 72° F
● Set the state of the light to on

Command: Identifier with optional parameters

Examples:
● Advance to the next track.
● Set the state of the light to on ramping over 1500 milliseconds from light blue to warm white.
● Unlock the front door.

Language Change Update Example

[Figure: three resources (Device-based Resource, Service-based Resource, Mobile-based Resource), each with a Locale Capabilities Trait holding locales = [en_US, es_US, en_UK, fr_FR] and a Locale Settings Trait holding locale = en_US. Arrows between them are labelled View, Subscribe, Notify and Update.]

Weave Data Management

Linus Unlock Command Example

[Figure: message sequence with a Mutual Subscription and a One-way Subscription. Subscription and Initial State Synchronization: Subscribe Request, Notify/ies, Subscribe Response. User Manipulates UI to Unlock the Door: Unlock Command Request. Device Moves Its Actuator to Unlock: Notify, Unlock Command Response.]

Unified Data Representation and Event Notification

◎ Notifications may contain one or both of:
○ Data model property changes
○ Correlated events
◎ Allows for correlation of events to a data model change that may have precipitated the event

[Figure: a Notification holds a Data List of Data Elements (Path, Version, Data) for the data model property changes, and an Event List of Event Elements (Source, ID, Importance, Type, Data) for the correlated events.]

Example Event Element

Notification
Data List: ∅
Event List:
Event Element
Source: 0x18B43000000BEEFF
Resource: 0x18B43000000BEEFF
ID: 1236
Related ID: 1234
Importance: Production
UTC Timestamp: 2017-02-24 13:00:08.567 ±00:00
System Timestamp: 1209780
Type: Battery Power Source Replacement Condition: Critical Condition Replacement Indicator: Soon Data: Remaining Time: 1 month
Event Element ...

Weave Data Management

[Figure: Weave Data Management layering. A Client holds Trait Data Sinks, each with a schema, in a Trait Sink Catalog; a Publisher holds Trait Data Sources, each with a schema, in a Trait Source Catalog. Below them: Trait Data Management (TDM); client, engine and handler components for Sub, View, Update, Cmd and Notify; the Weave Data Management (WDM) Profile; Weave Core; TCP, UDP, BLE.]

Weave Distributed Data Model

Distributed Resource Model

Traits of a resource may be distributed across device and service hosts
◎ Offloading of traits the device doesn't need
◎ Upleveling of simple traits
◎ Server validation of eventually consistent settings
◎ Virtualized capabilities
◎ Trait replication to another resource
◎ Fanout management

Upleveling a simple device trait

[Figure: Schedule controller, Lock device and App. Labels: Lock #1, Lock #1, *Complete Schedule, Simple Schedule, *Simple Schedule]

Bridging gap between user app and constrained device

Proxy for sleepy/low power devices

[Figure: Lock device, Resource Proxy, Schedule controller and App. Labels: Lock #1, Lock #1, Lock #1, *Complete Schedule, Simple Schedule, Simple Schedule, *Simple Schedule, *Temp Sensor, Temp Sensor, *User label]

Proxy handles queries for constrained devices

Controllers

◎ Arbiter / Intelligence Agent (Occupancy)
◎ Complexity (Schedule)
◎ Fanout (Lighting Group, Pincodes)
◎ Coordinator (HVAC Controller, Guest Accounts)
◎ Adapters (Hue, Homekit)
◎ Proxy (Remote Temp)

Common Schema

The data model of the platform

◎ Formal definition of capabilities, used for all day-to-day interactions across the platform
◎ Composable semantic layers
◎ Not restricted by constraints of apps, services, or devices
◎ Extendable and version tracking
◎ Basis of codegen for devices, services, and clients

Protocols

Define the various classes of device interaction
◎ Schema interaction protocols
○ Everyday operation atop the data model
◎ Bulk Data Transfer
◎ Pairing
◎ Time sync
◎ Heartbeat
◎ Software Update

Trait

Basic unit of capability
◎ E.g. Light - on/off, dim, color, bolt lock, location, user, etc…
◎ Type + semantic information
◎ Definition of:
○ Properties
○ Commands
○ Events
○ Enumerations, statuses, and composite types

Interfaces

Description of a semantic capability composed of multiple trait instances
◎ An extensible form of "Device Type" enum
◎ Logical construct
◎ Hierarchical
◎ Multiple interfaces can reference same trait
◎ Enables apps to build to a standard trait view

Resource

Definition of a logical or physical thing, such as device, structure, user
◎ Comprised of:
○ Flat set of trait instances
○ Set of interface instances linked to implementing trait instances
○ Information about how traits are distributed
◎ May be connected via relationships
○ Member-of (location hierarchy)
○ Connected-to (door connecting 2 rooms)
◎ One instance per physical device
○ Addressed by its Resource Id

Composing Resources from Traits

[Figure: composing a Physical Device Resource. Columns: Traits, Interfaces, Apps UI. Traits: Hardware Description, Software, User Label, Locale, Power Source (Battery), Lock, Lock Capabilities, Pincodes, Pincodes Input, Schedule. Other labels: Device Definition, Device, Power Source, Power Source, Lock, Keypad Lock, Pincodes.]

Concrete resource example: Lock : Generic device traits

// Device description
weave.trait.description.LabelSettingsTrait label = 1 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false}];
weave.trait.description.DeviceIdentityTrait device_identity = 2 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];
weave.trait.description.SoftwareComponentTrait software_components = 53 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];
nest.trait.service.DeviceInfoTrait device_info = 50 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false}];

// Localization: language and time zone
weave.trait.locale.LocaleSettingsTrait locale_settings = 3 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: true, prop_refinement: [{property: "active_locale", initial_string_value: "en-US"}]}];
weave.trait.locale.LocaleCapabilitiesTrait locale_capabilities = 4 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];
weave.trait.time.TimezoneTrait timezone = 12 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: true}];

Concrete resource example: Lock : Diagnostics/telemetry traits

// Battery info, status and diagnostics
weave.trait.power.BatteryPowerSourceTrait battery_power_source = 15 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];

// Thread network telemetry
nest.trait.network.TelemetryNetworkWpanTrait telemetry_wpan_trait = 55 [(wdl.traitconfig) = {published_by: SELF, proxied: false, subscribed: false}];

// Crash info/Reset reason/stack traces/breadcrumbs
nest.trait.firmware.FirmwareTrait firmware_info = 57 [(wdl.traitconfig) = {published_by: SELF, proxied: false, subscribed: false}];

// Software Update Trait
nest.trait.firmware.SoftwareUpdateTrait software_update_trait = 58 [(wdl.traitconfig) = {published_by: SELF, proxied: false, subscribed: false}];

// Device liveness. Note: published by someone else (the service)
weave.trait.heartbeat.LivenessTrait liveness = 5 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false}];

Concrete resource example: Lock : OOBE/setup traits

// Placement
nest.trait.located.DeviceLocatedSettingsTrait device_located_settings = 6 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false}];
nest.trait.located.DeviceLocatedCapabilitiesTrait device_located_capabilities = 7 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];

// Flag to signal complete OOBE
weave.trait.pairing.ConfigurationDoneTrait configuration_done = 49 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false}];

Concrete resource example: Lock : Basic lock features

// Application Keys. Locks have an app key component for the physical security group
weave.trait.auth.ApplicationKeysTrait application_keys = 16 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: true}];

// Bolt Lock traits
weave.trait.security.BoltLockTrait bolt_lock = 17 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];
weave.trait.security.BoltLockSettingsTrait bolt_lock_settings = 18 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false, prop_refinement: [{property: "auto_relock_on", initial_bool_value: false}, {property: "auto_relock_duration", initial_duration_value: {seconds: 60}}]}];
weave.trait.security.BoltLockCapabilitiesTrait bolt_lock_capabilities = 19 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];

// Tamper trait for tamper detection
weave.trait.security.TamperTrait tamper = 20 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];

Concrete resource example: Lock : Smart lock features

// Audio settings
weave.trait.audio.BasicVolumeTrait basic_volume = 13 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: true, prop_refinement: [{property: "volume", initial_uint_value: 100}, {property: "mute", initial_bool_value: false}]}];
weave.trait.audio.BasicVolumeCapabilitiesTrait basic_volume_capabilities = 14 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];

// Schedule
weave.trait.schedule.BasicUserSchedulesCapabilitiesTrait basic_user_schedules_capabilities = 25 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];
weave.trait.schedule.BasicUserSchedulesSettingsTrait basic_user_schedules_settings = 26 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: true}];

Concrete resource example: Lock : Smart lock features

// Enhanced lock features
nest.trait.security.EnhancedBoltLockSettingsTrait enhanced_bolt_lock_settings = 52 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: true, prop_refinement: [{property: "auto_relock_on", initial_bool_value: false}, {property: "auto_relock_duration", initial_duration_value: {seconds: 60}}, {property: "one_touch_lock", initial_bool_value: true}]}];

// Interactions with security systems and occupancy tracking
nest.trait.occupancy.StructureModeTrait structure_mode = 51 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: true}];
nest.trait.occupancy.OccupancyInputSettingsTrait occupancy_input_settings = 54 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false, prop_refinement: [{property: "device_activity_considered", initial_bool_value: true}]}];
nest.trait.security.SecurityActionOnUnlockSettingsTrait security_action_on_unlock_settings = 56 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false, prop_refinement: [{property: "enabled", initial_bool_value: false}, {property: "action", initial_enum_value_name: "SECURITY_ACTION_DISARM_TO_SL0"}]}];

Example traits: Locale Settings: Trait declarations

package weave.trait.locale;

message LocaleSettingsTrait {
  option (wdl.message_type) = TRAIT;
  option (wdl.trait) = {
    stability: PROD,
    vendor_id: 0x0000,
    id: 0x0014,
    version: 1
  };

Example traits: Locale Settings: Property definition

  // ------ PROPERTIES ------ //
  /**
   * The Active Locale property is a IETF BCP 47-Formatted UTF-8
   * String that indicates the current and active locale for
   * the trait instance.
   *
   * @note
   *   This tag shall be kept in sync with the deprecated Locale
   *   trait active_locale property.
   *
   */
  string active_locale = 1;
}

Weave Cloud

Cloud Services

◎ Real-time HAN ⇔ WAN client communications
◎ Management of non-device entities and their relationships
  ○ Users, structures, rooms, etc
◎ Hosts controllers
◎ Accounts and ACLs
◎ Large data services
  ○ History, notifications, algorithms, analytics
◎ Coordination with third party cloud services

End-to-End Diagram

[Figure: end-to-end diagram. Labels recoverable from the figure: HAN Device; Border Router; Mobile App; Browser; Third-party Service; Weave Tunnel & Router; Weave Service Endpoints; WDM; Software Update; Log Upload; API Gateway; HTTP/1.1 REST / JSON Translator; gRPC Adapter; Protocol and Representation Translation; Model Registry; Trait / Resource Handlers; Resource Directory; Credentials Management. Legend: HTTP or gRPC; Weave; Weave over Tunnel.]

Two Protocol Sets

Weave
◎ Highly-optimized protocols used in the home

Weave Web API
◎ Non-optimized protocols used outside the home
◎ gRPC protobuf-based API
◎ HTTP through gRPC proxy

A common set of verbs for commands, events, and state interactions.

OpenWeave Ecosystem of Devices

Ecosystem of Devices

Everybody is looking for the killer app for the connected home

They have not found it because they are looking for the wrong thing

It is not a single product
◎ It is about many products
◎ That can all be easily set up by regular people
◎ And that collaborate together with an overarching intelligence to manage the house automatically

Openness is table stakes
◎ Current OpenWeave release is available on GitHub: http://openweave.io
◎ Today: platform-independent protocol implementations, simulated devices on POSIX and LwIP networking stacks, tests, orchestration
◎ Soon: complete SDK for RTOS-class platforms

Many Parts of Weave

◎ Product-centric protocol, backed by Nest and Google
◎ IPv6 routing over Bluetooth, WiFi and Thread
◎ WDM Reliable Messaging (WRM)
◎ PASE, CASE, TAKE and end-to-end encryption
◎ Straight-forward pairing
◎ Resources, Traits & Interfaces
◎ Schemas

[Figure: Weave stack diagram. Labels: Applications and Profiles; Data Management (WDM); Security; Eventing and Logging; Data Representation (TLV); Routing and Tunneling; Software Update]

Thank you!

Weave is used in products today
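
The trait field declarations on the lock resource slides can be read mechanically when reviewing a resource definition. The sketch below is an added example, not code from the presentation or from OpenWeave: it parses a few of those declarations, splits the traits by `published_by`, collects the initial values set through `prop_refinement`, and reports reused field numbers (assuming protobuf-style unique numbering). The names `parse_traits` and `review` are made up for the example.

```python
import re
from collections import Counter

# Field declarations copied from the lock resource slides on this page.
LOCK_WDL = '''
weave.trait.auth.ApplicationKeysTrait application_keys = 16 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: true}];
weave.trait.security.BoltLockTrait bolt_lock = 17 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];
weave.trait.security.BoltLockSettingsTrait bolt_lock_settings = 18 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false,prop_refinement: [{property: "auto_relock_on", initial_bool_value: false},{property: "auto_relock_duration", initial_duration_value: {seconds: 60}}]}];
weave.trait.security.TamperTrait tamper = 20 [(wdl.traitconfig) = {published_by: SELF, proxied: true, subscribed: false}];
nest.trait.security.SecurityActionOnUnlockSettingsTrait security_action_on_unlock_settings = 56 [(wdl.traitconfig) = {published_by: EXTERNAL, proxied: false, subscribed: false,prop_refinement: [{property: "enabled", initial_bool_value: false},{property: "action", initial_enum_value_name: "SECURITY_ACTION_DISARM_TO_SL0"}]}];
'''

# <type> <name> = <tag> [(wdl.traitconfig) = { ... }];
FIELD_RE = re.compile(
    r'(?P<type>[\w.]+)\s+(?P<name>\w+)\s*=\s*(?P<tag>\d+)\s*'
    r'\[\(wdl\.traitconfig\)\s*=\s*\{(?P<cfg>.*?)\}\s*\]\s*;', re.S)
FLAG_RE = re.compile(r'\b(published_by|proxied|subscribed):\s*(\w+)')
# One prop_refinement entry: scalar, quoted name, or a small {..} message.
PROP_RE = re.compile(r'\{property:\s*"(\w+)",\s*initial_\w+:\s*("?\w+"?|\{[^}]*\})\s*\}')

def parse_traits(wdl):
    """Return one dict per trait field declaration found in `wdl`."""
    traits = []
    for m in FIELD_RE.finditer(wdl):
        flags = dict(FLAG_RE.findall(m['cfg']))
        traits.append({
            'type': m['type'], 'name': m['name'], 'tag': int(m['tag']),
            'published_by': flags.get('published_by'),
            'proxied': flags.get('proxied') == 'true',
            'subscribed': flags.get('subscribed') == 'true',
            'initial': {k: v.strip('"') for k, v in PROP_RE.findall(m['cfg'])},
        })
    return traits

def review(traits):
    """Summarise the publisher split, reused tags and initial values."""
    tags = Counter(t['tag'] for t in traits)
    return {
        'device_published': sorted(t['name'] for t in traits if t['published_by'] == 'SELF'),
        'externally_published': sorted(t['name'] for t in traits if t['published_by'] == 'EXTERNAL'),
        'duplicate_tags': sorted(tag for tag, n in tags.items() if n > 1),
        'initial_values': {t['name']: t['initial'] for t in traits if t['initial']},
    }

if __name__ == '__main__':
    import json
    print(json.dumps(review(parse_traits(LOCK_WDL)), indent=2))
```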