Distributed security networks

In a traditional ZigBee network, security is implemented by a Trust Centre, which is normally the Coordinator - this uses a centralized security scheme. In a distributed security network, any Router node can manage security and so security management is distributed throughout the network. A distributed security network does not have a Coordinator/Trust Centre, and consists only of Routers and End Devices - any Router can create the network.

In a distributed security network, only network-level security can be implemented. A network key is generated by the Router that creates the network (as described in Section 6.8.3) and is passed on to other nodes, including other Routers, as the network grows. During this distribution, the network key is encrypted using a ‘Distributed Security Global Link Key’, which is a type of pre-configured global link key (see Section 6.8.2).

A distributed security network can be started on a Router node using the function zps_eAplFormDistributedNetworkRouter(). The start parameters are specified through a zps_tsAftsStartParamsDistributed structure (see Section 8.2.3.7). These parameters include:

  • PAN ID

  • Extended PAN ID (EPID)

  • Radio channel

  • Pointer to a location to receive the network key

This first node of the network will generate the network key (saved to the above location) and pass this key to nodes that join it.

The function zps_eAplFormDistributedNetworkRouter() can also be called on other Router nodes to join them to the network. An End Device can be joined to a distributed network using the function zps_eAplInitEndDeviceDistributed().

However, these nodes are more likely to be introduced to the network via other commissioning methods, such as Touchlink and NFC commissioning.
