
OpenWeave Application Layer
An application layer for building thoughtful products
Robert Szewczyk, Weave Team / Google
12/3/2018

Weave was born at Nest from the desire to deliver thoughtful products.
Features are driven by requirements for very specific consumer experiences.
Weave started with our first products.
Weave is enabling an ecosystem of products.
Weave features shine in the Nest Secure system.

Outline
◎ Weave: What? Why? How?
◎ Internet Connectivity, Border Routers
◎ Pairing
◎ Security
◎ Device Communications
◎ Distributed Data Model
◎ Cloud
◎ Ecosystem of Devices

Weave: What? Why? How?

What is Weave?
Weave is a set of application-level networking protocols built around a common addressing and naming architecture with low overhead serialization protocols and modern security.
OpenWeave is an implementation of the above, available on http://openweave.io

Why Weave? Goals
◎ Secure
○ End-to-end application security, independent of underlying network
◎ Versatile
○ Support for small devices (64K RAM, 512K code)
○ Support for variety of interaction models / patterns: device-to-device, device-to-service, device-to-mobile/PC (remote and local)
◎ Easy to Use
○ Simple setup and administration for the end user
○ Straightforward but capable platform for the application developer
◎ Robust
○ Self-organizing / -healing network
◎ Low Overhead and Pervasive Architecture
○ Scales up, rather than down
○ Low to mid-100s of devices
◎ Developer- and Partner-friendly
○ Thoughtful network application definition; not designed by committee

Why Weave? Competitive Survey
● We looked at over 20 connectivity solutions, including:
○ AllJoyn / AllSeen
○ BACNET
○ CoAP
○ Dust
○ EEBUS
○ EnOcean
○ HTTP
○ INSTEON
○ JenNet-IP
○ KNX
○ LonWorks
○ MQTT
○ ModBus
○ OIC / OCF
○ ONELINK
○ SNMP
○ UPnP
○ USB
○ X10
○ Z-Wave
○ ZigBee
● We could not find a single solution that met all of the goals and requirements.

How?

Where does the Weave SDK fit in the device software stack?
(Diagram, top to bottom: Core Application; Application SDK made up of Weave Profiles, Weave Platform and Cloud SDK; Weave Core SDK; Embedded Communications Platform SDK with Network Manager and WPAN; Embedded Core Platform SDK with OS Services, Network Stack and Thread Stack; Hardware Platform, either a System-on-Chip with Network Interface or a System-on-Chip plus a Thread or WiFi Network Chip. Legend: Required Component, Optional Component, Choice of device Components.)

System Stack and Simplified Data Plane
(Diagram. System Stack: Core Application; Weave Traits; Weave Platform Adaptation; Weave Application Profiles and Traits; Weave Core; Network Control Plane; Core Platform with OS Services and Network Stack; Hardware Platform with System-on-Chip with Network Interface(s) or Network Chip. Simplified Data Plane View: Core Application over Weave Core, over TCP / UDP, over IPv4 / IPv6, over BLE, Thread, Cellular, Ethernet, WiFi and 802.15.4.)

Weave Profiles
Set of concepts and definitions that support a particular area of application functionality:
○ Protocols
○ Protocol Roles
○ Message Encoding
○ Message Types
○ Tags
○ Schema
○ Status Codes
○ Published Data

Weave Core Stack
(Diagram: Weave Application Profiles and Traits (Profile, Profile, Profile) on top of Weave Core. Weave Core components: Security Manager with CASE Engine and PASE Engine; Pairing Profiles; Context Pool; Reliable Messaging; Service Directory; Bulk Data Transfer; Data Management; Exchange Manager; TLV; Connections; Tunnels; Message Layer; Group Keys; Session Keys; Fabric State; Echo Profile; Security Profile; Common Profile; Software Update. Transports: TCP, UDP, BLE.)

OpenWeave
Internet Connectivity, Border Routers

Target Environments and Configurations
● Customer home and surrounding area
○ Single-family, townhouse, apartment
○ Front / back / side yards, detached garage, guest house
● Customer Ethernet or WiFi network
○ Customer owned / administered
○ Shared multi-tenant
● Non-WiFi networks
○ Thread
○ Power Line
● Remote Access
○ Mobile / web

Weave Fabric
Collection of Weave-enabled devices, located in and around a user's home, that cooperate to provide services to the user, their family and their guests. Secured by a shared Fabric Id.
(Diagram: Cloud Services connected to Weave Fabric 1, Weave Fabric 2 and Weave Fabric 3.)

Weave Network Architecture
(Diagram: Weave Service Endpoints reached over a Cellular Network and over the Router of the Ethernet / WiFi "Hub" Network; a Thread (802.15.4/6LoWPAN) Peripheral Network and BLE links hang off the hub network; Future Peripheral Networks (e.g. powerline). Legend: R = routing device; AP = WiFi access point / gateway; BLE = Bluetooth smart / low energy.)

Fabric Routing
(Diagram: Service Core Router connected through an IPv6 Tunnel to an IPv6 Border Router (BR) in the Weave Fabric.)

Weave IPv6 Address Format
The Fabric ID maps into an IPv6 ULA laid out as: FD | Global ID | Subnet | Interface ID.

Weave Tunnel and NAT
Weave Tunnels provide a redundant extension of the Weave IPv6 fabric from the premise to the cloud and provide a generalized asynchronous ingress path from the cloud back to the premise.
(Diagram: Cloud Service reached over one or more redundant Weave Tunnels from Weave Fabric 1, Weave Fabric 2 and Weave Fabric 3.)

OpenWeave
Pairing

Pairing
Pairing, or out of box (OOB), is the process of setting up and configuring a device for a user.
Weave provisioning is a key aspect of the pairing flow.
Weave creates a virtual private network between the devices in the home. This network is called a Weave fabric.
Pairing flow: Establishing communication → Device authentication → Network provisioning → Weave provisioning → Service provisioning → Setup & Installation

Establishing Device Communication
The first step is to establish communication with the new device. The rendezvous protocols have several mechanisms depending on the hardware capabilities of that device. The Pairing process and protocols are largely the same regardless of the communication mechanism chosen.
Three supported mechanisms
◎ Soft AP
◎ Bluetooth Low Energy (BLE)
◎ 802.15.4/Thread (a.k.a. Thread Assisted Pairing)

Soft AP
Process
◎ Wake device
◎ Connect to device WiFi
◎ Establish IPv6 addresses
◎ Connect device with TCP
Features
◎ WiFi-enabled devices only
◎ Requires manual WiFi configuration on iOS
◎ Mobile disconnected from home network / Internet during pairing
(Diagram: Internet, Service, Gateway; the device acts as the AP the mobile joins.)

BLE
Process
◎ Wake device
◎ Device advertises as unpaired device
◎ Mobile scans for and connects to device
Features
◎ No manual WiFi configuration required
◎ No loss of WiFi connectivity
◎ Uses existing Weave pairing protocols
◎ Slow (low data rate)
◎ Can be used to bootstrap other networks
(Diagram: Internet, Service, Gateway; the mobile is linked to the device over BLE.)

Thread Assisted
Process
◎ Connect to existing device over home WiFi
◎ Enable 15.4 joining on existing device
◎ Press button on new device
◎ New device hunts for joinable PAN
◎ New device provisionally joins existing PAN
◎ Existing device forwards comm. to/from new device
Features
◎ Supports 15.4-only devices
◎ No manual WiFi config / loss of connectivity
◎ Cannot be used for first device
(Diagram: Internet, Service, Gateway; the mobile reaches the Existing Device over WiFi, and the Existing Device reaches the New Device over 15.4.)

Device authentication
After establishing communication, the device must be authenticated.
Purpose:
◎ Establish ownership
◎ Identify type of device, serial number, capabilities, etc.
◎ Authenticate device
◎ Establish secure channel for pairing
Security Goals
◎ Prevent unauthorized access to user's account / personal data
◎ Block device 'spoofing' attacks
◎ Prevent leak of user's network credentials
◎ Protect the pairing code
◎ Ensure device authenticity

Password Authenticated Session Establishment (PASE)
Weave PASE Protocol
◎ Based on J-PAKE crypto protocol
◎ Mutual authentication w/ low-entropy secret (pairing code)
◎ Resistant to man-in-the-middle attacks
◎ Perfect forward secrecy
◎ Integer field math now, EC soon
◎ Recently completed crypto proof
Message flow: PASEInitiatorStep1 → PASEResponderStep1 → PASEResponderStep2 → PASEInitiatorStep2 → PASEResponderKeyConfirm → Session Established (on both sides)
Features
◎ Proves to device that user has physical possession
◎ Proves to user that phone is talking to correct device
◎ Establishes secure channel for rest of pairing

Network Provisioning
Once the device is authenticated, the next step is to get it connected to a network.
Currently supported networks:
◎ Wi-Fi
◎ Thread

Weave Network Provisioning Profile
Generalized protocol for network configuration / management
◎ Supports both WiFi and Thread
◎ Individual requests for each operation: ScanNetworks, AddNetwork, EnableNetwork, TestNetwork, GetNetworks
Can be used outside of pairing
◎ WiFi password change
◎ Retrieving credentials from existing device
Future support for bulk password change

WiFi Network Provisioning
Process
◎ Scan WiFi networks
◎ Select WiFi network and enter credentials (1st device pairing
(Diagram: Internet, Nest Service.)
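The Weave IPv6 Address Format slide above only names the fields (FD | Global ID | Subnet | Interface ID). As an added example that is not code from the OpenWeave project or from this deck, the following Python packs a Fabric ID, subnet and interface ID into that layout, parses an address back into its fields, and uses the Global ID as a cheap first-pass check that a source address belongs to the local fabric. The field widths are the standard RFC 4193 ULA widths (8 + 40 + 16 + 64 bits); deriving the 40-bit Global ID from the low 40 bits of a 64-bit Fabric ID, the function names, and all sample values are assumptions of this example.

```python
"""Compose and decompose a Weave-style fabric IPv6 unique local address.

Added example, not OpenWeave code. Layout follows RFC 4193:
fd (8 bits) | Global ID (40 bits) | Subnet (16 bits) | Interface ID (64 bits).
Assumption: the Global ID is the low 40 bits of a 64-bit Fabric ID.
"""
import ipaddress

GLOBAL_ID_MASK = (1 << 40) - 1
SUBNET_MASK = (1 << 16) - 1
IID_MASK = (1 << 64) - 1


def fabric_global_id(fabric_id):
    """Assumed mapping: the 40-bit Global ID is the low 40 bits of the Fabric ID."""
    if not 0 <= fabric_id <= IID_MASK:
        raise ValueError("fabric id must fit in 64 bits")
    return fabric_id & GLOBAL_ID_MASK


def fabric_address(fabric_id, subnet, interface_id):
    """Pack fd | global id | subnet | interface id into an IPv6Address."""
    if not 0 <= subnet <= SUBNET_MASK:
        raise ValueError("subnet must fit in 16 bits")
    if not 0 <= interface_id <= IID_MASK:
        raise ValueError("interface id must fit in 64 bits")
    value = ((0xFD << 120)
             | (fabric_global_id(fabric_id) << 80)
             | (subnet << 64)
             | interface_id)
    return ipaddress.IPv6Address(value)


def parse_fabric_address(text):
    """Split a ULA back into its fields; rejects anything outside fd00::/8."""
    value = int(ipaddress.IPv6Address(text))   # AddressValueError is a ValueError
    if value >> 120 != 0xFD:
        raise ValueError("not an fd00::/8 unique local address")
    return {
        "global_id": (value >> 80) & GLOBAL_ID_MASK,
        "subnet": (value >> 64) & SUBNET_MASK,
        "interface_id": value & IID_MASK,
    }


def belongs_to_fabric(text, fabric_id):
    """True if the address carries this fabric's Global ID.

    A border router or service endpoint can use this as an inexpensive
    first filter on source addresses; it is not a substitute for the
    cryptographic authentication of the sender.
    """
    try:
        fields = parse_fabric_address(text)
    except ValueError:
        return False
    return fields["global_id"] == fabric_global_id(fabric_id)


if __name__ == "__main__":
    # Constructed sample values, not real fabric or node identifiers.
    addr = fabric_address(0x1122334455667788, 1, 0x0102030405060708)
    print(addr, parse_fabric_address(str(addr)))
```

Note that only the low 40 bits of the Fabric ID survive in the address under this assumed mapping, so two fabrics whose IDs differ only in the high 24 bits would produce colliding Global IDs; that is exactly why the address check above is a filter and the shared Fabric Id itself is what the session keys authenticate.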
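The PASE slide above says the protocol is J-PAKE over integer field math, with mutual authentication from a low-entropy pairing code and a final key-confirmation message. To show what that exchange actually consists of, here is an added example, not code from OpenWeave or from this deck: a two-round J-PAKE (RFC 8236 shape, Schnorr zero-knowledge proofs in each round) followed by HMAC key confirmation, with both sides run in one process. Everything beyond the slide is an assumption of this example: the tiny constructed group (safe prime p = 2039, generator g = 4 of order q = 1019, never adequate for real use), numeric pairing codes, the message dictionaries, and the PASE step names in the comments, which are a loose correspondence to the slide's flow rather than the real wire format.

```python
"""Toy J-PAKE exchange shaped like the Weave PASE flow (added example, not OpenWeave code).

Assumptions: a constructed toy group (safe prime p = 2039, g = 4 of order q = 1019)
stands in for a real large group; pairing codes are numeric; the PASE step names in
comments are a loose correspondence to the slide, not the real wire format.
"""
import hashlib
import hmac
import random
import secrets

P, Q, G = 2039, 1019, 4            # constructed toy parameters, never for real use
assert pow(G, Q, P) == 1           # sanity check: g has order q


def _challenge(*parts):
    """Fiat-Shamir challenge for the Schnorr proofs, reduced into Z_q."""
    digest = hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def schnorr_prove(base, secret, public, prover_id, rng):
    """Prove knowledge of secret with base^secret == public (mod p)."""
    v = rng.randrange(1, Q)
    commitment = pow(base, v, P)
    c = _challenge(base, commitment, public, prover_id)
    return commitment, (v - secret * c) % Q


def schnorr_verify(base, public, proof, prover_id):
    """Reject values outside the order-q subgroup, then check base^r * public^c == V."""
    commitment, response = proof
    if not 1 < public < P - 1 or pow(public, Q, P) != 1:
        return False
    c = _challenge(base, commitment, public, prover_id)
    return (pow(base, response, P) * pow(public, c, P)) % P == commitment


class PaseParty:
    """One side of the exchange; initiator and responder run the same code."""

    def __init__(self, party_id, pairing_code, rng):
        self.id, self.rng = party_id, rng
        self.s = int(pairing_code.replace("-", "")) % (Q - 1) + 1   # code -> [1, q-1]
        self.x1, self.x2 = rng.randrange(1, Q), rng.randrange(1, Q)
        self.g1, self.g2 = pow(G, self.x1, P), pow(G, self.x2, P)
        self.peer = self.key = None

    def round1(self):
        return {"id": self.id, "g1": self.g1, "g2": self.g2,
                "zkp1": schnorr_prove(G, self.x1, self.g1, self.id, self.rng),
                "zkp2": schnorr_prove(G, self.x2, self.g2, self.id, self.rng)}

    def round2(self, peer_r1):
        if peer_r1["id"] == self.id:
            raise ValueError("peer must use a distinct identity")
        if not (schnorr_verify(G, peer_r1["g1"], peer_r1["zkp1"], peer_r1["id"])
                and schnorr_verify(G, peer_r1["g2"], peer_r1["zkp2"], peer_r1["id"])):
            raise ValueError("peer round-1 proof failed")
        self.peer = peer_r1
        base = (self.g1 * peer_r1["g1"] * peer_r1["g2"]) % P   # g^(x1 + x3 + x4)
        exponent = (self.x2 * self.s) % Q                        # x2 * s, s from the pairing code
        a = pow(base, exponent, P)
        return {"id": self.id, "a": a,
                "zkp": schnorr_prove(base, exponent, a, self.id, self.rng)}

    def derive_key(self, peer_r2):
        base = (self.g1 * self.g2 * self.peer["g1"]) % P         # the base the peer used
        if not schnorr_verify(base, peer_r2["a"], peer_r2["zkp"], self.peer["id"]):
            raise ValueError("peer round-2 proof failed")
        # K = (A_peer / g2_peer^(x2*s))^x2 == g^((x1+x3)*x2*x4*s) only if both s agree
        strip = pow(self.peer["g2"], (-self.x2 * self.s) % Q, P)
        k = pow(peer_r2["a"] * strip % P, self.x2, P)
        self.key = hashlib.sha256(str(k).encode()).digest()
        return self.key

    def confirm_tag(self):
        """Key confirmation: MAC over both identities under the derived key."""
        return hmac.new(self.key, f"{self.id}|{self.peer['id']}".encode(), "sha256").digest()

    def verify_confirm(self, tag):
        expected = hmac.new(self.key, f"{self.peer['id']}|{self.id}".encode(), "sha256").digest()
        return hmac.compare_digest(expected, tag)


def run_pase(initiator_code, responder_code, seed=None):
    """Drive one exchange; returns (keys_match, confirmation_passed)."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    phone = PaseParty("phone", initiator_code, rng)
    device = PaseParty("device", responder_code, rng)
    try:
        m1 = phone.round1()                   # PASEInitiatorStep1
        m2 = device.round1()                  # PASEResponderStep1
        m3 = device.round2(m1)                # PASEResponderStep2
        m4 = phone.round2(m2)                 # PASEInitiatorStep2
        key_p, key_d = phone.derive_key(m3), device.derive_key(m4)
    except ValueError:
        return False, False                   # a proof or subgroup check failed: no session
    confirmed = phone.verify_confirm(device.confirm_tag())   # PASEResponderKeyConfirm
    return key_p == key_d, confirmed
```

The `keys_match` value exists only so the demo can show both sides agreeing; a real phone never sees the device's key and learns the outcome solely from the confirmation tag. The mismatched-code case is the security property the slide calls out: a wrong pairing code does not make any proof fail, it just yields unrelated keys on the two sides, so an observer of one failed run learns nothing that helps test a second guess offline.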