Professional Documents
Culture Documents
Document 053474r13
1
2
3
4
5
6
7
8
9
10
11
ZIGBEE SPECIFICATION 12
13
14
15
16
17
18
19
ZigBee Document 053474r13
20
December 1, 2006 3:10 pm 21
Sponsored by: ZigBee Alliance 22
23
Accepted by This document has not been accepted by the Alliance BOD. 24
Abstract The ZigBee Specification describes the infrastructure and services 25
available to applications operating on the ZigBee platform. 26
Keywords ZigBee, Stack, Network, Application, Profile, Framework, Device 27
description, Binding, Security 28
29
30
31
32
33
34
December 1, 2006 35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 i
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 iii
DOCUMENT HISTORY 1
2
3
4
5
6
7
8
ZigBee Specification History 9
10
Version
Number Date Comments 11
12
December 14, 2004 ZigBee v.1.0 draft ratified 13
r06 February 17, 2006 ZigBee Specification (ZigBee document 14
number 053474r06/07) incorporating errata 15
and clarifications: ZigBee document 16
numbers 053920r02, 053954r02, 06084r00, 17
053474r07
18
r07 April 28, 2006 Changes made per Editorial comments on 19
spreadsheet, 20
r13 December 1, 2006 3:08 pm ZigBee-2006 Specification (see letter ballot 21
comments and resolution in ZigBee 22
document 064112) 23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
iv Document History
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 v
TABLE OF CONTENTS 1
2
3
4
Notice of Use and Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i 5
Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii 6
7
List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi 8
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix 9
10
Chapter 1 ZigBee Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . 1 11
1.1 Protocol Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 12
1.1.1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 13
1.1.2 Purpose. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 14
1.1.3 Stack Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 15
16
1.1.4 Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
17
1.2 Conventions and Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 18
1.2.1 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 19
1.3 Acronyms and Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 20
1.4 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 21
1.4.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 22
23
1.5 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
24
1.5.1 ZigBee/IEEE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 25
1.5.2 Normative References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 26
1.5.3 Informative References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 27
28
Chapter 2 Application Layer Specification . . . . . . . . . . . . . . . . . . . 19
29
2.1 General Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 30
2.1.1 Application Support Sub-Layer . . . . . . . . . . . . . . . . . . . . . . . 20 31
2.1.2 Application Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 32
2.1.3 Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 33
2.1.4 Application Communication Fundamentals . . . . . . . . . . . . . 22 34
35
2.1.5 Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
36
2.1.6 Binding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 37
2.1.7 Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 38
2.1.8 ZigBee Device Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 39
2.2 ZigBee Application Support (APS) Sub-Layer . . . . . . . . . . . . . . . 29 40
2.2.1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 41
42
2.2.2 Purpose. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
43
2.2.3 Application Support (APS) Sub-Layer Overview . . . . . . . . . 29 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
vi Table of Contents
LIST OF TABLES 1
2
3
4
Table 2.1 APSDE-SAP Primitives . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 5
Table 2.2 APSDE-DATA.request Parameters . . . . . . . . . . . . . . . . . . 33 6
Table 2.3 APSDE-DATA.confirm Parameters . . . . . . . . . . . . . . . . . 37 7
Table 2.4 APSDE-DATA.indication Parameters . . . . . . . . . . . . . . . . 39 8
Table 2.5 Summary of the Primitives Accessed Through the APSME-SAP 9
10
41
11
Table 2.6 APSME-BIND.request Parameters . . . . . . . . . . . . . . . . . . 42 12
Table 2.7 APSME-BIND.confirm Parameters . . . . . . . . . . . . . . . . . . 44 13
Table 2.8 APSME-UNBIND.request Parameters . . . . . . . . . . . . . . . 45 14
Table 2.9 APSME-UNBIND.confirm Parameters . . . . . . . . . . . . . . . 47 15
Table 2.10 APSME-GET.request Parameters . . . . . . . . . . . . . . . . . . 49 16
17
Table 2.11 APSME-GET.confirm Parameters . . . . . . . . . . . . . . . . . . 50
18
Table 2.12 APSME-SET.request Parameters . . . . . . . . . . . . . . . . . . . 51 19
Table 2.13 APSME-SET.confirm Parameters . . . . . . . . . . . . . . . . . . 52 20
Table 2.14 APSME-ADD-GROUP.request Parameters . . . . . . . . . . 53 21
Table 2.15 APSME-ADD-GROUP.confirm Parameters . . . . . . . . . . 54 22
Table 2.16 APSME-REMOVE-GROUP.request Parameters . . . . . . 55 23
24
Table 2.17 APSME-REMOVE-GROUP.confirm Parameters . . . . . . 56
25
Table 2.18 APSME-REMOVE-ALL-GROUPS.request Parameters . 57 26
Table 2.19 APSME-REMOVE-ALL-GROUPS.confirm Parameters 58 27
Table 2.20 Values of the Frame Type Sub-field . . . . . . . . . . . . . . . . 60 28
Table 2.21 Values of the Delivery Mode Sub-field . . . . . . . . . . . . . . 60 29
Table 2.22 APS Sub-layer Constants . . . . . . . . . . . . . . . . . . . . . . . . . 66 30
31
Table 2.23 APS IB Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
32
Table 2.24 Address Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 33
Table 2.25 ZigBee Descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 34
Table 2.26 Fields of the Node Descriptor . . . . . . . . . . . . . . . . . . . . . 80 35
Table 2.27 Values of the Logical Type Field . . . . . . . . . . . . . . . . . . . 80 36
Table 2.28 Values of the Frequency Band Field . . . . . . . . . . . . . . . . 81 37
38
Table 2.29 Server Mask Bit Assignments . . . . . . . . . . . . . . . . . . . . . 83
39
Table 2.30 Fields of the Node Power Descriptor . . . . . . . . . . . . . . . . 83 40
Table 2.31 Values of the Current Power Mode Field . . . . . . . . . . . . 84 41
Table 2.32 Values of the Available Power Sources Field . . . . . . . . . 84 42
Table 2.33 Values of the Current Power Sources Field . . . . . . . . . . . 85 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
xii List of Tables
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 xix
LIST OF FIGURES 1
2
3
4
Figure 1.1 Outline of the ZigBee Stack Architecture . . . . . . . . . . . . 3 5
Figure 2.1 Multiple Subunits in a Single Node . . . . . . . . . . . . . . . . . 21 6
Figure 2.2 ZigBee Binding and the Binding Table . . . . . . . . . . . . . . 25 7
Figure 2.3 The APS Sub-Layer Reference Model . . . . . . . . . . . . . . . 31 8
Figure 2.4 General APS Frame Format . . . . . . . . . . . . . . . . . . . . . . . 59 9
10
Figure 2.5 Format of the Frame Control Field . . . . . . . . . . . . . . . . . . 59
11
Figure 2.6 Data Frame Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 12
Figure 2.7 APS Command Frame Format. . . . . . . . . . . . . . . . . . . . . 64 13
Figure 2.8 Acknowledgement Frame Format . . . . . . . . . . . . . . . . . . 64 14
Figure 2.9 Direct Binding on a Device Supporting a Binding Table . 69 15
Figure 2.10 Successful Data Transmission Without an Acknowledgement 16
17
73
18
Figure 2.11 Successful Data Transmission With an Acknowledgement 74 19
Figure 2.12 Format of the Complex Descriptor . . . . . . . . . . . . . . . . . 78 20
Figure 2.13 Format of an Individual Complex Descriptor Field . . . . 78 21
Figure 2.14 Format of the MAC Capability Flags Field . . . . . . . . . . 81 22
Figure 2.15 Format of the Language and Character Set Field . . . . . . 88 23
24
Figure 2.16 Format of the ZDP Frame . . . . . . . . . . . . . . . . . . . . . . . . 96
25
Figure 2.17 Format of the NWK_addr_req Command . . . . . . . . . . . 98 26
Figure 2.18 Format of the IEEE_addr_req_Command Frame . . . . . . 99 27
Figure 2.19 Format of the Node_Desc_req Command Frame . . . . . . 100 28
Figure 2.20 Format of the Power_Desc_req Command Frame . . . . . 101 29
Figure 2.21 Format of the Simple_Desc_req Command Frame . . . . 102 30
31
Figure 2.22 Format of the Active_EP_req Command Frame . . . . . . 102
32
Figure 2.23 Format of the Match_Desc_req Command Frame . . . . . 103 33
Figure 2.24 Format of the Complex_Desc_req Command Frame . . 105 34
Figure 2.25 Format of the User_Desc_req Command Frame . . . . . . 106 35
Figure 2.26 Format of the Discovery_Cache_req Command Frame . 107 36
Figure 2.27 Format of the End_Device_annce Command Frame . . . 107 37
38
Figure 2.28 Format of the User_Desc_set Command Frame . . . . . . 108
39
Figure 2.29 Format of the System_Server_Discovery_req 40
Command Frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 41
Figure 2.30 Format of the Discovery_Store_req Command Frame . 110 42
Figure 2.31 Format of the Node_Desc_store_req Command Frame . 112 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
xx List of Figures
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 1
C H A P T E R
1
1
2
3
4
5
6
7
8
9
Each service entity exposes an interface to the upper layer through a service
access point (SAP), and each SAP supports a number of service primitives to 1
achieve the required functionality. 2
3
The ZigBee stack architecture, depicted in Figure 1.1, is based on the standard 4
Open Systems Interconnection (OSI) seven-layer model (see [B14]) but defines 5
only those layers relevant to achieving functionality in the intended market space. 6
The IEEE 802.15.4-2003 standard defines the two lower layers: the physical 7
(PHY) layer and the medium access control (MAC) sub-layer. The ZigBee 8
Alliance builds on this foundation by providing the network (NWK) layer and the 9
framework for the application layer. The application layer framework is 10
comprised of the application support sub-layer (APS), the ZigBee device objects 11
(ZDO) and the manufacturer-defined application objects. 12
IEEE 802.15.4-2003 has two PHY layers that operate in two separate frequency 13
ranges: 868/915 MHz and 2.4 GHz. The lower frequency PHY layer covers both 14
the 868 MHz European band and the 915 MHz band, used in countries such as the 15
United States and Australia. The higher frequency PHY layer is used virtually 16
worldwide. A complete description of the IEEE 802.15.4-2003 PHY layers can be 17
found in [B1]. 18
19
The IEEE 802.15.4-2003 MAC sub-layer controls access to the radio channel 20
using a CSMA-CA mechanism. Its responsibilities may also include transmitting 21
beacon frames, synchronization and providing a reliable transmission mechanism. 22
A complete description of the IEEE 802.15.4-2003 MAC sub-layer can be found 23
in [B1]. 24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 3
ZDO Public
Application Application
Interfaces
Object 240
… Object 1 5
6
Endpoint 240
APSDE-SAP
Endpoint 1
APSDE-SAP
Endpoint 0
APSDE-SAP
7
8
NLME-SAP
IEEE 802.15.4
NWK Security NWK Message Routing Network 12
defined
TM
Management Broker Management Management
13
ZigBee Alliance
defined MLDE-SAP MLME-SAP 14
Medium Access Control (MAC) Layer
End manufacturer 15
defined
PLME-SAP
16
PD-SAP
Layer
Physical (PHY) Layer 17
function
2.4 GHz Radio 868/915 MHz 18
Layer di
interface 19
20
Figure 1.1 Outline of the ZigBee Stack Architecture 21
22
The responsibilities of the ZigBee NWK layer shall include mechanisms used to: 23
24
• Join and leave a network 25
• Apply security to frames 26
27
• Route frames to their intended destinations 28
• Discover and maintain routes between devices 29
30
• Discover one-hop neighbors 31
• Store of pertinent neighbor information 32
33
The NWK layer of a ZigBee coordinator (see “Network Topology”) is responsible 34
for starting a new network, when appropriate, and assigning addresses to newly 35
associated devices. 36
The ZigBee application layer consists of the APS, the Application Framework 37
(AF), the ZDO and the manufacturer-defined application objects. 38
39
The responsibilities of the APS sub-layer include: 40
• Maintaining tables for binding, defined as the ability to match two devices 41
together based on their services and their needs 42
43
• Forwarding messages between bound devices 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 1
4 ZigBee Protocol Overview
1.2.1.3 Entities
1
Throughout this specification, each entity shall be a DEV and shall be uniquely 2
identified by its 64-bit IEEE device address [B1]. The parameter entlen shall have 3
the integer value 64. 4
5
1.2.1.4 Transmission Order 6
7
Unless otherwise indicated, the transmission order of all frames in this 8
specification follow the conventions used in IEEE Std. 802.15.4-2003 [B1]): 9
• Frame formats are depicted in the order in which they are transmitted by the 10
PHY layer—from left to right—where the leftmost bit is transmitted first in 11
time. 12
13
• Bits within each field are numbered from 0 (leftmost, and least significant) to k- 14
1 (rightmost, and most significant), where the length of the field is k bits. 15
• Fields that are longer than a single octet are sent to the PHY in the order from 16
the octet containing the lowest numbered bits to the octet containing the highest 17
numbered bits. 18
19
1.2.1.5 Strings and String Operations 20
21
A string is a sequence of symbols over a specific set (e.g., the binary alphabet 22
{0,1} or the set of all octets). The length of a string is the number of symbols it 23
contains (over the same alphabet). The empty string has length 0. The right- 24
concatenation of two strings x and y of length m and n respectively (notation: x || 25
y), is the string z of length m+n that coincides with x on its leftmost m symbols 26
and with y on its rightmost n symbols. An octet is a symbol string of length 8. In 27
our context, all octets are strings over the binary alphabet. 28
29
1.3 Acronyms and Abbreviations 30
31
32
For the purposes of this standard, the following acronyms and abbreviations 33
apply: 34
AIB Application support layer information base 35
36
AF Application framework 37
APDU Application support sub-layer protocol data unit 38
APL Application layer
39
40
APS Application support sub-layer 41
APSDE Application support sub-layer data entity 42
43
APSDE-SAP Application support sub-layer data entity – service access point
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 1
6 ZigBee Protocol Overview
that carry a protocol version sub-field value other than 0x0 or 0x02, and shall
process only protocol versions of 0x01 or 0x02, consistent with the protocol 1
version of the network that the device participates within. 2
3
Strings and string operations: A string is a sequence of symbols over a 4
specific set (e.g., the binary alphabet {0,1} or the set of all octets). The length 5
of a string is the number of symbols it contains (over the same alphabet). The 6
empty string has length 0. The right-concatenation of two strings x and y of 7
length m and n respectively (notation: x || y), is the string z of length m+n that 8
coincides with x on its leftmost m symbols and with y on its rightmost n 9
symbols. An octet is a symbol string of length 8. In our context, all octets are 10
strings over the binary alphabet. 11
12
1.4.1.2 ZigBee Definitions 13
For the purposes of this standard, the following terms and definitions apply. Terms 14
not defined in this clause can be found in IEEE P802.15.4 §3 [B1] or in ANSI 15
X9.63-2001 §2.1 [B7]. 16
17
Access control list: a table used by a device to determine which devices are 18
authorized to perform a specific function. This table may also store the security 19
material (e.g., cryptographic keys, frame counts, key counts, security level 20
information) used for securely communicating with other devices. 21
Active network key: the key used by a ZigBee device to secure outgoing 22
NWK frames and that is available for use to process incoming NWK frames. 23
24
Alternate network key: a key available for use in lieu of the active Network 25
key to process incoming NWK frames. 26
Application domain: this describes a broad area of applications, such as 27
building automation. 28
29
Application object: a component of the top portion of the application layer 30
defined by the manufacturer that actually implements the application. 31
Application support sub-layer protocol data unit: a unit of data that is 32
exchanged between the application support sub-layers of two peer entities. 33
34
APS command frame: an APS frame that contains neither source nor 35
endpoints. 36
Association: the service provided by the IEEE 802.15.4-2003 MAC sub-layer 37
that is used to establish membership in a network. 38
39
Attribute: a data entity which represents a physical quantity or state. This data 40
is communicated to other devices using commands. 41
Beacon-enabled personal area network: a personal area network containing 42
at least one device that transmits beacon frames at a regular interval. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 1
10 ZigBee Protocol Overview
Network address: the address assigned to a device by the network layer and
used by the network layer for routing messages between devices. 1
2
Network broadcast delivery time: time duration required by a broadcast 3
transaction to reach every device of a given network. 4
Network protocol data unit: a unit of data that is exchanged between the 5
network layers of two peer entities. 6
7
Network service data unit: Information that is delivered as a unit through a 8
network service access point. 9
Node: a collection of independent device descriptions and applications residing 10
in a single unit and sharing a common 802.15.4 radio. 11
12
Normal operating state: processing which occurs after all startup and 13
initialization processing has occurred and prior to initiation of shutdown 14
processing. 15
NULL: A parameter or variable value that mean unspecified, undefined or 16
unknown. The exact value of NULL is implementation specific, and must not 17
conflict with any other parameters or values. 18
19
Octet: eight bits of data, used as a synonym for a byte. 20
One-way function: A function that is a much easier computation to perform 21
than its inverse. 22
23
Orphaned device: a device that has lost communication contact with or 24
information about the ZigBee device through which it has its PAN 25
membership. 26
PAN coordinator: The principal controller of an IEEE 802.15.4-2003-based 27
network that is responsible for network formation and maintenance. The PAN 28
coordinator must be a full function device (FFD). 29
30
PAN information base: A collection of variables in the IEEE 802.15.4-2003 31
standard that are passed between layers, in order to exchange information. This 32
database may include the access control list, which stores the security material. 33
Personal operating space: the area within reception range of a single device. 34
35
Private method: attributes which are accessible to ZigBee device objects only 36
and unavailable to the end applications. 37
Profile: a collection of device descriptions, which together form a cooperative 38
application. For instance, a thermostat on one node communicates with a 39
furnace on another node. Together, they cooperatively form a heating 40
application profile. 41
42
Protocol data unit: the unit of data that is exchanged between two peer 43
entities. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 1
14 ZigBee Protocol Overview
Proxy binding: the procedure through which a device can create or remove a
binding link on the ZigBee coordinator between two devices (none of which 1
may be the device itself). 2
3
Public method: attributes which are accessible to End Applications. 4
Radio: the IEEE 802.15.4-2003 radio that is part of every ZigBee device. 5
6
Remote device: A ZigBee Coordinator, ZigBee Router or ZigBee End Device 7
which receives a ZigBee Device Object request message. The Remote device is 8
the server in the message exchange and the message processing description 9
within the ZigBee Device Profile refers to server processing from the 10
perspective of the “Remote device”. 11
Route discovery: an operation in which a ZigBee coordinator or ZigBee router 12
attempts to discover a route to a remote device by issuing a route request 13
command frame. 14
15
Route discovery table: a table used by a ZigBee coordinator or ZigBee router 16
to store temporary information used during route discovery. 17
Route reply: a ZigBee network layer command frame used to reply to route 18
requests. 19
20
Route request: a ZigBee network layer command frame used to discover paths 21
through the network over which subsequent messages may be delivered. 22
Routing table: a table in which a ZigBee coordinator or ZigBee router stores 23
information required to participate in the routing of frames. 24
25
Service discovery: the ability of a device to locate services of interest. 26
Symmetric-key key establishment: a mechanism by which two parties 27
establish a shared secret, based on a pre-shared secret (a so-called master key). 28
29
Trust center: the device trusted by devices within a ZigBee network to 30
distribute keys for the purpose of network and end-to-end application 31
configuration management. 32
Unicast: the transmission of a message to a single device in a network. 33
34
Unit: a component or collection of components that share a single ZigBee 35
radio. Each unit has a unique 64-bit IEEE address and a 16-bit network address. 36
ZigBee coordinator: an IEEE 802.15.4-2003 PAN coordinator. 37
38
ZigBee device object: the portion of the application layer responsible for 39
defining the role of the device within the network (e.g., ZigBee coordinator or 40
end device), initiating and/or responding to binding and discovery requests and 41
establishing a secure relationship between network devices. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 15
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 19
C H A P T E R
1
2
2
3
4
5
6
7
8
9
APSDE-SAP usage: endpoint 0 is reserved for the data interface to the ZDO and
endpoint 255 is reserved for the data interface function to broadcast data to all 1
application objects. Endpoints 241-254 are reserved for future use. 2
3
4
2.1.3 Addressing 5
6
2.1.3.1 Node Addressing 7
8
In Figure 2.1, there are two nodes, each containing a single radio. One node
9
contains two switches and the other contains four lamps.
10
11
12
13
Lamps 14
Radio
1 2 3 4 15
16
17
18
19
20
Radio
21
22
23
24
Switch 1 25
26
27
Switch 2 28
29
30
31
32
Figure 2.1 Multiple Subunits in a Single Node 33
34
A node contains one or more device descriptions and has a single IEEE 802.15.4 35
radio. In Figure 2.1, the individual parts of the nodes (the switches and lamps) are 36
subunits containing one device description in each subunit. Each node is given an 37
address when it joins the ZigBee network. 38
39
2.1.3.2 Endpoint Addressing 40
41
In Figure 2.1, it is required that switch 1 should control lamps 1, 2 and 3, while 42
switch 2 should control only lamp 4. However, as the only addressable component 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
22 Application Layer Specification
process commands and requests. For instance, a thermostat on one node can
communicate with a furnace on another node. Together, they cooperatively form a 1
heating application profile. ZigBee vendors develop application profiles to 2
provide solutions to specific technology needs. 3
4
Application profiles are simultaneously a means of unifying interoperable 5
technical solutions within the ZigBee standard, as well as focusing usability 6
efforts within a given marketing area. For example, it is expected that vendors of 7
lighting equipment will want to provide ZigBee profiles that interoperate with 8
several varieties of lighting types or controller types. Additional information on 9
profiles is provided in clause 2.2 of this document. 10
11
2.1.4.2 Clusters 12
Clusters are identified by a cluster identifier, which is associated with data 13
flowing out of, or into, the device. Cluster identifiers are unique within the scope 14
of a particular profile. Binding decisions are taken by matching an output cluster 15
identifier to an input cluster identifier, assuming both are within the same profile. 16
In the thermostat example above, binding takes place on temperature, between a 17
device with a temperature cluster identifier as output and a device with a 18
temperature cluster identifier as input. The binding table contains the identifier for 19
temperature along with the address of the source and destination devices. 20
21
22
2.1.5 Discovery 23
24
2.1.5.1 Device Discovery 25
26
Device discovery is the process whereby a ZigBee device can discover other 27
ZigBee devices by initiating queries that are broadcast (of any broadcast address 28
type) or unicast addressed. There are two forms of device discover requests: IEEE 29
address requests and NWK address requests. The IEEE address request is unicast 30
and assumes the NWK address is known. The NWK address request is broadcast 31
to all RxOnWhenIdle devices and carries the known IEEE address as data 32
payload. 33
Responses to the broadcast or unicast device discovery messages vary by logical 34
device type as follows: 35
36
• ZigBee end device: responds to the device discovery query by sending its IEEE 37
or NWK address (depending on the request). 38
• ZigBee coordinator device: responds to the query by sending its IEEE or NWK 39
addresses and the NWK addresses of all devices that are associated with the 40
ZigBee coordinator (depending on the request). 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
24 Application Layer Specification
• ZigBee router device: responds to the query by sending its IEEE or NWK
addresses and the NWK addresses of all devices that are associated with the 1
ZigBee router (depending on the request). 2
3
A description of the procedure details, primitive calls, and applicable parameters 4
is given in clause 2.4. 5
Discovery information may also be cached within the devices in the network 6
designated as the Primary Discovery Cache device. The protocol for identifying 7
these devices, requesting storage on them, and uploading discovery information is 8
supplied in clause 1.5. The mechanics of this type of proxy discovery are as 9
follows: 10
11
1 Discovery requests utilizing broadcast messaging are processed by discovery 12
cache devices or the target devices themselves and those devices respond either 13
on behalf of device information held in the cache or from their local descriptor 14
information. 15
2 For unicast discovery requests, the request is directed either to the destination 16
network address of the discovery cache or the device of interest and the 17
network address of interest field is filled in to reflect the target of the discovery 18
request. 19
20
3 A discovery command is also provided to enable a device to locate where 21
discovery information can be obtained for a specified network address. The 22
location of the discovery information can either be the device itself or a 23
discovery cache device. 24
25
2.1.5.2 Service Discovery 26
Service discovery is the process whereby services available on endpoints at the 27
receiving device are discovered by external devices. Service discovery can be 28
accomplished by issuing a query for each endpoint on a given device or by using a 29
match service feature (either broadcast or unicast). Service discovery utilizes the 30
complex, user, node or power descriptors plus the simple descriptor further 31
addressed by the endpoint (for the connected application object). 32
33
The service discovery process in ZigBee is key to interfacing devices within the 34
network. Through specific requests for descriptors on specified nodes, broadcast 35
requests for service matching and the ability to ask a device which endpoints 36
support application objects, a range of options are available for commissioning 37
tools and applications. See clause 2.4 for details on service discovery. 38
Service discovery information may also be cached in the network within the 39
Primary discovery cache device. The protocol for identifying these devices, 40
requesting storage on them, and uploading discovery information is supplied in 41
Sub-clause 2.5.2.1. The mechanics of this type of proxy discovery are the same as 42
those described in Sub-clause 2.5.2.1 for device discovery. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 25
2.1.6 Binding 1
2
In ZigBee, there is an application level concept using cluster identifiers (and the
3
attributes contained in them) on the individual endpoints or group addresses in
4
different nodes. This is referred to as binding – the creation of logical links
5
between complementary application devices and endpoints or group addresses In
6
the example of sub-clause 2.1.3.2, a binding could be made between thermostat
7
and the furnace controller. In Figure 2.2, switch 1 is bound with lamps 1-3, while
8
switch 2 is bound with lamp 4 only.
9
The information about which cluster is bound between nodes is stored in a binding 10
table. This is described fully in sub-clause 2.1.6 and is illustrated in Figure 2.2. 11
12
13
14
Radio Lamps 15
Z2 1 2 3 4 16
EP5 EP7 EP8 EP17
17
18
19
20
21
Radio 22
Z1
23
Binding Table
24
Switch 1 25
EP3 26
27
Switch 2 28
EP21 29
30
31
Figure 2.2 ZigBee Binding and the Binding Table 32
33
The use of a list of three entries in the binding table for switch 1 allows it to 34
control three lamps, which could also be in separate nodes (with their own ZigBee 35
radios). It is also possible for one lamp to be controlled by several switches: in this 36
case there would be entries for each switch, all linked to the same lamp. 37
38
As an alternative, the endpoints describing the three lamps could have been 39
assigned to a single group address in which case a single binding entry could be 40
used. The choice of creating separate binding entries for individual destination 41
application devices and endpoints or grouping the destination devices and 42
endpoints into a single group address is left to the application. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
26 Application Layer Specification
this information, nor the software for acquiring this information. For these
devices, indirect addressing will be more appropriate. 1
2
When a source device wishes to send a command to a destination using indirect 3
addressing, instead of including the address of the destination device (which it 4
does not know and has not stored), it omits the address and specifies indirect 5
addressing via the APSDE-SAP. The included source address, source endpoint 6
and cluster identifier in the indirect addressed message are translated via the 7
binding table to those of the destination device(s) and the messages are relayed to 8
each indicated destination. 9
Where a cluster contains several attributes, the cluster identifier is used for 10
addressing and the attribute identifier is used in the command itself to identify a 11
particular attribute within the cluster. The applications, however, can parse and 12
utilize the attributes as defined within their profile. 13
14
2.1.7.3 Broadcast Addressing 15
16
An application may broadcast messages to all endpoints on a given destination 17
device. This form of broadcast addressing is called application broadcast. The 18
destination address shall be one of the 16-bit network broadcast addresses and the 19
broadcast flag shall be set in the APS frame control field. The source shall include 20
the cluster identifier, profile identifier and source endpoint fields in the APS frame 21
(see sub-clause 2.2.5). 22
23
2.1.7.4 Group Addressing 24
An application may designate a collection of devices and specific endpoints on 25
those devices to a single group address. The group address may then be used to 26
direct outgoing clusters (and the attributes contained in them) to each of the 27
devices and endpoints assigned to the group. The destination address shall be a 28
16-bit group address and the group address flag shall be set in the APS frame 29
control field. The source shall include the cluster identifier, profile identifier and 30
source endpoint fields in the APS frame. 31
32
33
2.1.8 ZigBee Device Objects 34
35
The ZigBee device objects (ZDO), represents a base class of functionality that 36
provides an interface between the application objects, the device profile and the 37
APS. The ZDO is located between the application framework and the application 38
support sub-layer. It satisfies common requirements of all applications operating 39
in a ZigBee protocol stack. The ZDO is responsible for the following: 40
• Initializing the application support sub-layer (APS), the network layer (NWK), 41
the Security Service Provider. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
28 Application Layer Specification
• Binding: This is the ability to match two devices together based on their
services and their needs. Once two devices are bound, the APSDE shall be able 1
to transfer a message received from one bound device over to the second 2
device. 3
4
• Group Address Filtering: This provides the ability to filter group addressed 5
messages based on whether the device is a member of the group or not. 6
• Reliable transport: This increases the reliability of transactions above that 7
available from the NWK layer alone by employing end-to-end retries. 8
9
• Duplicate rejection: Messages offered for transmission will not be received 10
more than once. 11
12
2.2.3.2 Application Support Sub-Layer Management Entity 13
(APSME) 14
15
The APSME shall provide a management service to allow an application to 16
interact with the stack. 17
The APSME shall provide the ability to match two devices together based on their 18
services and their needs. This service is called the binding service and the APSME 19
shall be able to construct and maintain a table to store this information. 20
21
In addition, the APSME will provide the following services: 22
• AIB Management: The ability to get and set attributes in the device’s AIB. 23
24
• Security: The ability to set up authentic relationships with other devices 25
through the use of secure keys. 26
• Group Management: This provides the ability to declare a single address 27
shared by multiple devices, to add devices to the group, and to remove devices 28
from the group. 29
30
31
2.2.4 Service Specification 32
33
The APS sub-layer provides an interface between a next higher layer entity 34
(NHLE) and the NWK layer. The APS sub-layer conceptually includes a 35
management entity called the APS sub-layer management entity (APSME). This 36
entity provides the service interfaces through which sub-layer management 37
functions may be invoked. The APSME is also responsible for maintaining a 38
database of managed objects pertaining to the APS sub-layer. This database is 39
referred to as the APS sub-layer information base (AIB). Figure 2.3 depicts the 40
components and interfaces of the APS sub-layer. 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 31
1
Next Higher Layer Entity 2
3
4
APSDE-SAP APSME-SAP 5
6
APSME 7
8
APSDE
APS 9
IB 10
11
12
NLDE-SAP NLME-SAP 13
14
NWK Layer Entity 15
16
17
Figure 2.3 The APS Sub-Layer Reference Model 18
19
The APS sub-layer provides two services, accessed through two service access 20
points (SAPs). These are the APS data service, accessed through the APS sub- 21
layer data entity SAP (APSDE-SAP), and the APS management service, accessed 22
though the APS sub-layer management entity SAP (APSME-SAP). These two 23
services provide the interface between the NHLE and the NWK layer, via the 24
NLDE-SAP and NLME-SAP interfaces (see sub-clause 3.2). In addition to these 25
external interfaces, there is also an implicit interface between the APSME and the 26
APSDE that allows the APSME to use the APS data service. 27
28
2.2.4.1 APS Data Service 29
30
The APS sub-layer data entity SAP (APSDE-SAP) supports the transport of 31
application protocol data units between peer application entities. Table 2.1 lists 32
the primitives supported by the APSDE-SAP. Each of these primitives will be 33
discussed in the following subclauses. 34
Table 2.1 APSDE-SAP Primitives 35
36
APSDE-
SAP 37
Primitive Request Confirm Indication 38
39
APSDE- 2.2.4.1.1 2.2.4.1.2 2.2.4.1.3 40
DATA
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
32 Application Layer Specification
2.2.4.1.1 APSDE-DATA.request
1
This primitive requests the transfer of a NHLE PDU (ASDU) from the local 2
NHLE to a single peer NHLE entity. 3
4
2.2.4.1.1.1 Semantics of the Service Primitive 5
6
This semantics of this primitive are as follows:
7
APSDE-DATA.request { 8
DstAddrMode, 9
DstAddress, 10
DstEndpoint, 11
ProfileId,
12
13
ClusterId,
14
SrcEndpoint,
15
asduLength, 16
asdu, 17
TxOptions, 18
RadiusCounter 19
} 20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 33
broadcast to all devices address, will be supplied for the DstAddr parameter of the
NLDE-DATA.request that is used to transmit the frame. 1
2
If the TxOptions parameter specifies that secured transmission is required, the 3
APS sub-layer shall use the security service provider (see sub-clause 4.2.4) to 4
secure the ASDU. If the security processing fails, the APSDE shall issue the 5
APSDE-DATA.confirm primitive with a status of SECURITY_FAIL. 6
The APSDE will ensure that route discovery is always enabled at the network 7
layer by setting the DiscoverRoute parameter of the NLDE-DATA.request 8
primitive to 0x01, each time it is issued. 9
10
If the ASDU to be transmitted is larger than will fit in a single frame then the 11
ASDU is not transmitted and the APSDE shall issue the APSDE-DATA.confirm 12
primitive with a status of INVALID_REQUEST. 13
2.2.4.1.2 APSDE-DATA.confirm 14
15
This primitive reports the results of a request to transfer a data PDU (ASDU) from 16
a local NHLE to a single peer NHLE. 17
18
2.2.4.1.2.1 Semantics of the Service Primitive 19
20
This semantics of this primitive are as follows:
21
APSDE-DATA.confirm { 22
DstAddrMode, 23
DstAddress, 24
DstEndpoint, 25
SrcEndpoint,
26
27
Status
28
}
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 37
2.2.4.3.4 APSME-UNBIND.confirm
1
This primitive allows the next higher layer to be notified of the results of its 2
request to unbind two devices directly or by proxy. 3
4
2.2.4.3.4.1 Semantics of the Service Primitive 5
6
The semantics of this primitive are as follows:
7
APSME-UNBIND.confirm { 8
Status, 9
SrcAddr, 10
SrcEndpoint, 11
ClusterId,
12
13
DstAddrMode,
14
DstAddr,
15
DstEndpoint 16
} 17
18
Table 2.9 specifies the parameters for the APSME-UNBIND.confirm primitive. 19
Table 2.9 APSME-UNBIND.confirm Parameters 20
21
Name Type ValidRange Description 22
23
Status Enumeration SUCCESS, The results of the unbind
ILLEGAL_DEVICE, request 24
ILLEGAL_REQUEST, 25
INVALID_BINDING 26
SrcAddr IEEE address A valid 64-bit IEEE The source IEEE address for 27
address the binding entry 28
29
SrcEndpoint Integer 0x01 – 0xff The source endpoint for the
binding entry 30
31
ClusterId Integer 0x0000 – 0xffff The identifier of the cluster on 32
the source device that is bound
to the destination device 33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
48 Application Layer Specification
2.2.4.5.4 APSME-REMOVE-GROUP.confirm
1
This primitive allows the next higher layer to be informed of the results of its 2
request to remove a group from an endpoint. 3
4
2.2.4.5.4.1 Semantics of the Service Primitive 5
6
The semantics of the service primitive are as follows:
7
APSME-REMOVE-GROUP.confirm { 8
Status, 9
GroupAddress, 10
Endpoint 11
}
12
13
14
Table 2.17 specifies the parameters for this primitive. 15
Table 2.17 APSME-REMOVE-GROUP.confirm Parameters 16
17
Name Type Valid Range Description 18
Status Enumeration SUCCESS or The status of the request to 19
INVALID_PARAMETER remove a group. 20
GroupAddress 16-bit group 0x0000 - 0xfff7 The 16-bit address of the 21
address group being removed 22
23
Endpoint Integer 0x01 - 0xf0 The endpoint which is to
be removed from the 24
group 25
26
27
2.2.4.5.4.2 When Generated
28
This primitive is generated by the APSME and issued to the next higher layer in 29
response to an APMSE-REMOVE-GROUP.request primitive. If the APSME- 30
REMOVE-GROUP.request was successful, the Status parameter value will be 31
SUCCESS. If one of the parameters of the APMSE-REMOVE-GROUP.request 32
primitive had an invalid value then the Status value will be 33
INVALID_PARAMETER. 34
35
2.2.4.5.4.3 Effect on Receipt 36
37
On receipt of this primitive, the next higher layer is informed of the status of its 38
request to remove a group. The Status parameter values will be as described 39
above. 40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 57
2.2.4.5.5 APSME-REMOVE-ALL-GROUPS.request
1
This primitive is generated by the next higher layer when it wants to remove 2
membership in all groups from an endpoint, so that no group addressed frames 3
will be delivered to that endpoint. 4
5
2.2.4.5.5.1 Semantics of the Service Primitive 6
7
The semantics of the service primitive are as follows:
8
APSME-REMOVE-ALL-GROUPS.request { 9
Endpoint 10
} 11
12
13
Table 2.18 specifies the parameters for this primitive.
14
Table 2.18 APSME-REMOVE-ALL-GROUPS.request Parameters 15
16
Name Type Valid Range Description
17
Endpoint Integer 0x01 - 0xf0 The endpoint to which the 18
given group is being 19
removed
20
21
2.2.4.5.5.2 When Generated 22
23
This primitive is generated by the next higher layer when it wants to remove
24
membership in all groups from an endpoint so that no group addressed frames will
25
be delivered to that endpoint.
26
27
2.2.4.5.5.3 Effect on Receipt 28
If, on receipt of this primitive, the Endpoint parameter has a value of 0x00 or else 29
enumerates an endpoint that is not implemented on the current device the APSME 30
will issue the APSME-REMOVE-ALL-GROUPS.confirm primitive with a Status 31
of INVALID_PARAMETER. 32
33
After checking the Endpoint parameter as described above, the APSME will 34
remove all entries from the group table, related to this endpoint, and will issue the 35
APSME-REMOVE-ALL-GROUPS.confirm primitive to the next higher layer 36
with a Status value of SUCCESS. 37
2.2.4.5.6 APSME-REMOVE-ALL-GROUPS.confirm 38
39
This primitive allows the next higher layer to be informed of the results of its 40
request to remove all groups from an endpoint. 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
58 Application Layer Specification
The frames in the APS sub-layer are described as a sequence of fields in a specific
order. All frame formats in this subclause are depicted in the order in which they 1
are transmitted by the NWK layer, from left to right, where the left-most bit is 2
transmitted first in time. Bits within each field are numbered from 0 (left-most and 3
least significant) to k-1 (rightmost and most significant), where the length of the 4
field is k bits. Fields that are longer than a single octet are sent to the NWK layer 5
in the order from the octet containing the lowest numbered bits to the octet 6
containing the highest numbered bits. 7
8
2.2.5.1 General APDU Frame Format 9
10
The APS frame format is composed of an APS header and an APS payload. The 11
fields of the APS header appear in a fixed order, however, the addressing fields 12
may not be included in all frames. The general APS frame shall be formatted as 13
illustrated in Figure 2.4. 14
15
Octets:
1 0/1 0/2 0/2 0/2 0/1 1 Variable 16
17
Frame Destination Group Cluster Profile Source APS Frame 18
control endpoint address identifier Identifier endpoint counter payload 19
Addressing fields 20
21
APS header APS
payload 22
23
Figure 2.4 General APS Frame Format 24
25
2.2.5.1.1 Frame Control Field 26
27
The frame control field is 8-bits in length and contains information defining the 28
frame type, addressing fields and other control flags. The frame control field shall 29
be formatted as illustrated in Figure 2.5. 30
Bits: 0-1 2-3 4 5 6 7 31
32
Frame type Delivery mode Indirect address mode Security Ack. request Reserved 33
34
Figure 2.5 Format of the Frame Control Field 35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
60 Application Layer Specification
The order of the fields of the acknowledgement frame shall conform to the order
of the general APS frame as illustrated in Figure 2.8. 1
2
2.2.5.2.3.1 Acknowledgement Frame APS Header Field 3
4
The APS header field for an acknowledgement frame shall contain the frame 5
control, cluster identifier, profile identifier and APS counter fields. If the delivery 6
mode indicates direct addressing both the source and destination endpoint fields 7
shall be included in an acknowledgement frame. If the delivery mode indicates 8
indirect addressing the source and destination endpoint fields shall be included in 9
an acknowledgement frame according to the value of the indirect address mode 10
sub-field of the frame control field. 11
In the frame control field, the frame type sub-field shall contain the value that 12
indicates an acknowledgement frame, as shown in Table 2.20. All other sub-fields 13
shall be set appropriately according to the intended use of the acknowledgement 14
frame. 15
16
Where present, the source endpoint field shall reflect the value in the destination 17
endpoint field of the frame that is being acknowledged. Similarly, where present, 18
the destination endpoint field shall reflect the value in the source endpoint field of 19
the frame that is being acknowledged. 20
The APS counter field shall contain the same value as the frame to which this 21
frame is an acknowledgment. 22
23
24
2.2.6 Command Frames 25
26
This specification defines no command frames. Refer to sub-clause 4.5.8 for a 27
thorough description of the APS command frames and primitives related to 28
security. 29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
66 Application Layer Specification
comprises of some additional attributes that are required to manage the security
service provider. These attributes are listed in sub-clause 4.5.9. 1
2
Table 2.23 APS IB Attributes
3
Attribute Identifier Type Range Description Default 4
5
apsAddressMap 0xc0 Set Variable The current set of 64 bit Null set 6
IEEE to 16 bit NWK
address maps (see 7
Table 2.24) 8
9
apsBindingTable 0xc1 Set Variable The current set of Null set
binding table entries in 10
the device (see sub- 11
clause 2.2.8.1.1) 12
apsGroupTable 0x0c2 Set Variable The current set of group Null set 13
table entries (see Sub- 14
clause 2.2.8.2) 15
16
17
18
Table 2.24 Address Map 19
16 bit NWK 20
Entry Number 64 bit IEEE address Address 21
22
0x00 - apscMaxAddrMapEntries A valid 64-bit IEEE address 0x0000 – 0xffff
23
24
2.2.8 Functional Description 25
26
27
2.2.8.1 Binding
28
The APS may maintain a binding table, which allows ZigBee devices to establish 29
a designated destination for frames from a given source endpoint and with a given 30
cluster ID. This table is employed by the indirect addressing mechanism. 31
32
2.2.8.1.1 Binding Table Implementation 33
A ZigBee coordinator or a device designated as containing a binding table shall be 34
able to support a binding table of implementation specific length. The binding 35
table shall implement the following mapping: 36
37
( as, es, cs ) = {( ad1|, ed1| ), ( ad2|, ed2| ) … ( adn|, edn |)} 38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
68 Application Layer Specification
Where:
1
as = the address of the device as the source of the binding link 2
es = the endpoint identifier of the device as the source of the binding link 3
4
cs = the cluster identifier used in the binding link
5
adi = the ith destination address or destination group address associated with the binding link 6
edi = the ith optional destination endpoint identifier associated with the binding link. Note that 7
edi will only be present when adi is a device address 8
9
2.2.8.1.2 Binding 10
11
The APSME-BIND.request or APSME-UNBIND.request primitive initiates the 12
procedure for creating or removing a binding link. Only the ZigBee coordinator, a 13
device supporting a binding table cache, or a device that wishes to store source 14
bindings, shall initiate this procedure. This is achieved by issuing the APSME- 15
BIND.confirm or APSME-UNBIND.confirm primitive with the Status parameter 16
set to ILLEGAL_REQUEST. 17
18
When this procedure is initiated, the APSME shall first extract the address and
19
endpoint for both the source and destination of the binding link. The 64-bit IEEE
20
address shall be mapped to the 16-bit NWK address using the apsAddressMap
21
attribute of the APS IB (see Table 2.23.) If the DstAddrMode parameter has a
22
value of 0x01, indicating group addressing, then only the source address is treated
23
in the way just described. The 16-bit group address is used directly as a
24
destination address and, in this case, no destination endpoint is specified. With
25
this information, the APSME shall either create a new entry or remove the
26
corresponding entry from its binding table, depending on whether the bind or
27
unbind procedure, respectively, was initiated.
28
If a bind operation was requested, the APSME shall create a new entry in the 29
binding table. The device shall only create a new entry in the binding table if it has 30
the capacity to do so. This is achieved by issuing the APSME-BIND.confirm 31
primitive with the Status parameter set to TABLE_FULL. 32
33
If an unbind operation was requested, the APSME shall search the binding table
34
for an existing entry that matches the information contained in the initiation
35
request. If an entry was not found, the APSME shall terminate the procedure and
36
notify the NHLE of the invalid binding. This is achieved by issuing the APSME-
37
UNBIND.confirm primitive with the Status parameter set to
38
INVALID_BINDING. If an entry was found, the APSME shall remove the entry
39
in the binding table.
40
If the binding link is successfully created or removed, the APSME shall notify the 41
NHLE of the results of the direct binding attempt and the success of the 42
procedure. This is achieved by issuing the APSME-BIND.confirm primitive with 43
the binding results and the status parameter set to SUCCESS. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 69
The procedure for a successful direct binding is illustrated in the MSC shown in
Figure 2.9. 1
2
3
4
APL APS NWK 5
6
APSME- 7
(UN)BIND.request 8
9
Create a new entry or 10
remove an existing entry 11
in the binding table 12
APSME- 13
(UN)BIND.confirm 14
15
16
17
Figure 2.9 Direct Binding on a Device Supporting a Binding Table 18
19
2.2.8.2 Group Addressing 20
21
The APS shall maintain a group table, which allows endpoints to be associated 22
with groups and allows group addressed frames to be delivered selectively to 23
those endpoints that are associated in the table with a particular group. 24
2.2.8.2.1 The Group Table 25
26
The group table shall be viewed as a set of associations between groups and 27
endpoints as follows: 28
29
{(g1 - ep11, ep12…ep1n), (g2 - ep21, ep22… ep2m)… (gi - epi1, epi2… epik)} 30
31
where : 32
33
gi = the ith group represented in the table.
34
epij = the jth endpoint associated with the ith group. 35
36
Implementers of this specification are free to implement the group table in any 37
manner that is convenient and efficient to them as long as it represents the 38
associations just described. 39
40
2.2.8.3 Transmission, Reception and Acknowledgement 41
42
This subclause describes the fundamental procedures for transmission, reception 43
and acknowledgement. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
70 Application Layer Specification
2.2.8.3.1 Transmission
1
Only those devices that are currently part of a network shall send frames from the 2
APS sub-layer. If any other device receives a request to transmit a frame it shall 3
discard the frame and notify the instigating layer of the error. An APSDE- 4
DATA.confirm primitive with a status of CHANNEL_ACCESS_FAILURE 5
indicates that the attempt at transmission of the frame was unsuccessful due to the 6
channel being busy. 7
All frames handled by or generated within the APS sub-layer shall be constructed 8
according to the general frame format specified in sub-clause 2.2.5.1 and 9
transmitted using the NWK layer data service 10
11
Transmissions may be direct, indirect or group addressed. Direct transmissions 12
shall include both destination and source endpoint fields. In this case, the delivery 13
mode sub-field of the frame control field shall be set to either 0b00 (Normal 14
Unicast) or 0b10 (Broadcast). Group addressed transmissions, having a delivery 15
mode sub-field value of 0b11 shall contain a source endpoint field and group 16
address field but no destination endpoint field. Note that other endpoints on the 17
source device are legal group members and possible destinations for group 18
addressed frames. 19
The APS layer of the device originating an indirect transmission where the 20
binding table entry is stored at the ZigBee coordinator shall direct the 21
transmission to the ZigBee coordinator, which shall handle the task of message 22
reflection. 23
24
Indirect transmissions (i.e., those in which the delivery mode sub-field is set to 25
0b01) shall include only either the source endpoint field or the destination 26
endpoint field, depending on the direction of transmission with respect to the 27
ZigBee coordinator. If the indirect transmission is directed to the ZigBee 28
coordinator, the indirect address mode sub-field shall be set to 1 and the 29
destination endpoint field shall be omitted from the frame. Conversely, if the 30
indirect transmission is directed from the ZigBee coordinator after message 31
reflection, the indirect address mode sub-field shall be set to 0 and the source 32
endpoint field shall be omitted from the frame. 33
For all devices where the binding table is stored on the source device, the APS 34
layer of the source device originating the transmission shall employ direct 35
transmission to the destination addresses indicated by the corresponding binding 36
table entries in the case where the binding table entry contains a unicast 37
destination device address. In this case, the delivery mode sub-field of the frame 38
control field shall be set to 0b00. In the case where the binding table entry 39
contains a destination group address, the delivery mode subfield of the frame 40
control field shall have a value of 0b11 and the destination group address shall be 41
placed in the APS header in place of the destination endpoint. The frame shall 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 71
shall assume that the transmission of the frame was successful. Figure 2.10 shows
the scenario for transmitting a single frame of data from an originator to a 1
recipient without requiring an acknowledgement. In this case, the originator 2
transmits the data frame with the AR sub-field equal to 0. 3
4
5
Originator Recipient 6
next higher Originator Recipient next higher
layer APS APS layer 7
8
APSDE-DATA.request (AR=0)
Data (AR=0) 9
APSDE-DATA.confirm APSDE-DATA.indication 10
11
12
13
14
Figure 2.10 Successful Data Transmission Without an Acknowledgement 15
16
2.2.8.3.3.2 Acknowledgement 17
A frame that is received by its intended recipient with its acknowledgement 18
request (AR) sub-field set to 1 shall be acknowledged. If the intended recipient 19
correctly receives the frame, it shall generate and send an acknowledgement 20
frame to the originator of the frame that is being acknowledged. 21
22
If the original transmission used indirect addressing, the ZigBee coordinator shall 23
send an acknowledgement to the originator then, for each reflected message, shall 24
indicate to the recipient that it requires an acknowledgement by transmitting the 25
data frame with the acknowledgement request sub-field of the frame control field 26
set to 1. 27
The transmission of an acknowledgement frame shall commence when the APS 28
sub-layer determines that the frame is valid. 29
30
Figure 2.11 shows the scenario for transmitting a single frame of data from an 31
originator to a recipient with an acknowledgement. In this case, the originator 32
indicates to the recipient that it requires an acknowledgement by transmitting the 33
data frame with the AR sub-field set to 1. 34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
74 Application Layer Specification
Originator Recipient 1
next higher Originator Recipient next higher
layer APS APS layer 2
APSDE-DATA.request (AR=1)
3
Data (AR=1) 4
5
Acknowldgement
6
APSDE-DATA.indication
7
APSDE-DATA.confirm 8
9
10
11
Figure 2.11 Successful Data Transmission With an Acknowledgement 12
13
2.2.8.3.4 Retransmissions 14
A device that sends a frame with its acknowledgement request sub-field set to 0 15
shall assume that the transmission was successfully received and shall hence not 16
perform the retransmission procedure. 17
18
A device that sends a frame with its acknowledgement request sub-field set to 1 19
shall wait for at most apscAckWaitDuration seconds for the corresponding 20
acknowledgement frame to be received. 21
If an acknowledgement frame is received within apscAckWaitDuration seconds 22
containing the same cluster identifier and APS counter as the original frame and 23
has a source endpoint equal to the destination endpoint to which the original frame 24
was transmitted, the transmission shall be considered successful and no further 25
action shall be taken by the device. If an acknowledgement is not received within 26
apscAckWaitDuration seconds or an acknowledgement is received within 27
apscAckWaitDuration seconds but contains an unexpected cluster identifier or 28
APS counter or has a source endpoint that is not equal to the destination endpoint 29
to which the original frame was transmitted, the device shall conclude that the 30
single transmission attempt has failed. 31
32
If a single transmission attempt has failed, the device shall repeat the process of 33
transmitting the frame and waiting for the acknowledgement, up to a maximum of 34
apscMaxFrameRetries times. If an acknowledgement is still not received after 35
apscMaxFrameRetries retransmissions, the APS sub-layer shall assume the 36
transmission has failed and notify the next higher layer of the failure. 37
Retransmissions of a secured frame shall use the same frame counter as the 38
original frame. 39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 75
The fields of the node descriptor are shown in Table 2.26 in their order of
transmission. 1
2
Table 2.26 Fields of the Node Descriptor
3
Field Name Length (bits) 4
5
Logical type 3 6
Complex descriptor available 1 7
User descriptor available 1 8
9
Reserved 3 10
APS flags 3 11
12
Frequency band 5
13
MAC capability flags 8 14
Manufacturer code 16 15
16
Maximum buffer size 8
17
Maximum transfer size 16 18
Server Mask 16 19
20
21
2.3.2.4.1 Logical Type Field
22
The logical type field of the node descriptor is three bits in length and specifies the 23
device type of the ZigBee node. The logical type field shall be set to one of the 24
non-reserved values listed in Table 2.27. 25
26
Table 2.27 Values of the Logical Type Field
27
Logical Type Value 28
b 2b1b0 Description 29
000 ZigBee coordinator 30
31
001 ZigBee router 32
010 ZigBee end device 33
34
011-111 Reserved
35
36
2.3.2.4.2 Complex Descriptor Available Field 37
The complex descriptor available field of the node descriptor is one bit in length 38
and specifies whether a complex descriptor is available on this device. If this 39
field is set to 1, a complex descriptor is available. If this field is set to 0, a complex 40
descriptor is not available. 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 81
The alternate PAN coordinator sub-field is one bit in length and shall be set to 1 if
this node is capable of becoming a PAN coordinator. Otherwise the alternative 1
PAN coordinator sub-field shall be set to 0. 2
3
The device type sub-field is one bit in length and shall be set to 1 if this node is a 4
full function device (FFD). Otherwise the device type sub-field shall be set to 0, 5
indicating a reduced function device (RFD). 6
The power source sub-field is one bit in length and shall be set to 1 if the current 7
power source is mains power. Otherwise the power source sub-field shall be set to 8
0. This information is derived from the node current power source field of the 9
node power descriptor. 10
11
The receiver on when idle sub-field is one bit in length and shall be set to 1 if the 12
device does not disable its receiver to conserve power during idle periods. 13
Otherwise the receiver on when idle sub-field shall be set to 0 (see also sub- 14
clause 2.3.2.5.) 15
The security capability sub-field is one bit in length and shall be set to 1 if the 16
device is capable of sending and receiving frames secured using the security suite 17
specified in [B1]. Otherwise the security capability sub-field shall be set to 0. 18
19
The allocate address sub-field is one bit in length and shall always be set to 1. 20
2.3.2.4.7 Manufacturer Code Field 21
22
The manufacturer code field of the node descriptor is sixteen bits in length and 23
specifies a manufacturer code that is allocated by the ZigBee Alliance, relating the 24
manufacturer to the device. 25
2.3.2.4.8 Maximum Buffer Size Field 26
27
The maximum buffer size field of the node descriptor is eight bits in length, with a 28
valid range of 0x00-0x7f, and specifies the maximum size, in octets, of the 29
application support sub-layer data unit (ASDU) for this node. This is the 30
maximum size of data or commands passed to or from the application by the 31
application support sub-layer, before any fragmentation or re-assembly 32
(fragmentation is not currently supported). 33
This field can be used as a high-level indication for network management. 34
35
2.3.2.4.9 Maximum Transfer Size Field 36
37
The maximum transfer size field of the node descriptor is sixteen bits in length,
38
with a valid range of 0x0000-0x7fff, and specifies the maximum size, in octets,
39
that can be transferred to or from this node in one single message transfer. This
40
value can exceed the value of the node maximum buffer size field (see sub-
41
clause 2.3.2.4.8).
42
This field is currently not supported and shall be set to zero. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 83
power source selected, the corresponding bit of the current power source field, as
listed in Table 2.33, shall be set to 1. All other bits shall be set to 0. 1
2
Table 2.33 Values of the Current Power Sources Field
3
Current Power Source 4
Field Bit Number Current Power Source 5
6
0 Constant (mains) power
7
1 Rechargeable battery 8
2 Disposable battery 9
10
3 Reserved
11
12
2.3.2.5.4 Current Power Source Level Field 13
The current power source level field of the node power descriptor is four bits in 14
length and specifies the level of charge of the power source. The current power 15
source level field shall be set to one of the non-reserved values listed in 16
Table 2.34. 17
18
Table 2.34 Values of the Current Power Source Level Field 19
Current Power Source 20
Level Field b3b2b1b0 Charge Level 21
22
0000 Critical 23
0100 33% 24
1000 66%
25
26
1100 100% 27
All other values Reserved 28
29
30
2.3.2.6 Simple Descriptor 31
The simple descriptor contains information specific to each endpoint contained in 32
this node. The simple descriptor is mandatory for each endpoint present in the 33
node. 34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
86 Application Layer Specification
The fields of the simple descriptor are shown in Table 2.35 in their order of
transmission. As this descriptor needs to be transmitted over air, the overall length 1
of the simple descriptor shall be less than or equal to maxCommandSize. 2
3
Table 2.35 Fields of the Simple Descriptor
4
Field Name Length (Bits) 5
6
Endpoint 8 7
Application profile identifier 16 8
Application device identifier 16 9
10
Application device version 4 11
Reserved 4 12
13
Application input cluster count 8
14
Application input cluster list 16*i (where i is the value of the application 15
input cluster count) 16
Application output cluster count 8 17
Application output cluster list 16*o (where o is the value of the application 18
output cluster count) 19
20
21
2.3.2.6.1 Endpoint Field
22
The endpoint field of the simple descriptor is eight bits in length and specifies the 23
endpoint within the node to which this description refers. Applications shall only 24
use endpoints 1-240. 25
26
2.3.2.6.2 Application Profile Identifier Field
27
The application profile identifier field of the simple descriptor is sixteen bits in 28
length and specifies the profile that is supported on this endpoint. Profile 29
identifiers shall be obtained from the ZigBee Alliance. 30
31
2.3.2.6.3 Application Device Identifier Field 32
The application device identifier field of the simple descriptor is sixteen bits in 33
length and specifies the device description supported on this endpoint. Device 34
description identifiers shall be obtained from the ZigBee Alliance. 35
36
2.3.2.6.4 Application Device Version Field 37
The application device version field of the simple descriptor is four bits in length 38
and specifies the version of the device description supported on this endpoint. The 39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 87
application device version field shall be set to one of the non-reserved values
listed in Table 2.36. 1
2
Table 2.36 Values of the Application Device Version Field
3
Application Device Version 4
Value b3b2b1b0 Description 5
6
0000 Version 1.0
7
0001–1111 Reserved 8
9
2.3.2.6.5 Application Input Cluster Count Field 10
11
The application input cluster count field of the simple descriptor is eight bits in 12
length and specifies the number of input clusters, supported on this endpoint, that 13
will appear in the application input cluster list field. If the value of this field is 14
zero, the application input cluster list field shall not be included. 15
2.3.2.6.6 Application Input Cluster List 16
17
The application input cluster list of the simple descriptor is 16*i bits in length , 18
where i is the value of the application input cluster count field, and specifies the 19
list of input clusters supported on this endpoint, used during the binding 20
procedure. 21
The application input cluster list field shall be included only if the value of the 22
application input cluster count field is greater than zero. 23
24
2.3.2.6.7 Application Output Cluster Count Field 25
The application output cluster count field of the simple descriptor is eight bits in 26
length and specifies the number of output clusters, supported on this endpoint, that 27
will appear in the application output cluster list field. If the value of this field is 28
zero, the application output cluster list field shall not be included. 29
30
2.3.2.6.8 Application Output Cluster List 31
32
The application output cluster list of the simple descriptor is 16*o bits in length,
33
where o is the value of the application output cluster count field, and specifies the
34
list of output clusters supported on this endpoint, used during the binding
35
procedure.
36
The application output cluster list field shall be included only if the value of the 37
application output cluster count field is greater than zero. 38
39
2.3.2.7 Complex Descriptor 40
41
The complex descriptor contains extended information for each of the device
42
descriptions contained in this node. The use of the complex descriptor is optional.
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
88 Application Layer Specification
Due to the extended and complex nature of the data in this descriptor it is
presented in XML form using compressed XML tags. Each field of the descriptor, 1
shown in Table 2.37, can therefore be transmitted in any order. As this descriptor 2
needs to be transmitted over air, the overall length of the complex descriptor shall 3
be less than or equal to maxCommandSize. 4
5
Table 2.37 Fields of the Complex Descriptor
6
Compressed 7
XML Tag 8
Value 9
Field Name XML Tag b 3 b 2b 1 b 0 Data Type 10
Reserved - 0000 - 11
12
Language and character set <languageChar> 0001 See sub-
clause 2.3.2.7.1 13
14
Manufacturer name <manufacturerName> 0010 Character string 15
Model name <modelName> 0011 Character string 16
17
Serial number <serialNumber> 0100 Character string
18
Device URL <deviceURL> 0101 Character string 19
Icon <icon> 0110 Octet string 20
21
Icon URL <outliner> 0111 Character string
22
Reserved - 1000 – 1111 - 23
24
2.3.2.7.1 Language and Character Set Field 25
26
The language and character set field is three octets in length and specifies the 27
language and character set used by the character strings in the complex descriptor. 28
The format of the language and character set field is illustrated in Figure 2.15. 29
30
Octets: 2 1 31
ISO 639-1 language code Character set identifier 32
33
34
Figure 2.15 Format of the Language and Character Set Field 35
36
The ISO 639-1 language code sub-field is two octets in length and specifies the
37
language used for character strings, as defined in [B5].
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 89
The character set identifier sub-field is one octet in length and specifies the
encoding used by the characters in the character set. This sub-field shall be set to 1
one of the non-reserved values listed in Table 2.38. 2
3
Table 2.38 Values of the Character Set Identifier Sub-field
4
Character Set Bits Per 5
Identifier Value Character Description 6
7
0x00 8 ISO 646, ASCII character set. Each character is fitted into
the least significant 7 bits of an octet with the most 8
significant bit set to zero (see also [B6]) 9
10
0x01 – 0xff - Reserved
11
12
If the language and character sets have not been specified, the language shall 13
default to English (language code = “EN”) and the character set to ISO 646. 14
2.3.2.7.2 Manufacturer Name Field 15
16
The manufacturer name field has a variable length and contains a character string 17
representing the name of the manufacturer of the device. 18
2.3.2.7.3 Model Name Field 19
20
The model name field has a variable length and contains a character string 21
representing the name of the manufacturers model of the device. 22
23
2.3.2.7.4 Serial Number Field
24
The serial number field has a variable length and contains a character string 25
representing the manufacturers serial number of the device. 26
27
2.3.2.7.5 Device URL Field
28
The device URL field has a variable length and contains a character string 29
representing the URL through which more information relating to the device can 30
be obtained. 31
32
2.3.2.7.6 Icon Field 33
The icon field has a variable length and contains an octet string which carries the 34
data for an icon that can represent the device on a computer, gateway or PDA. The 35
format of the icon shall be a 32-by-32-pixel PNG image. 36
37
2.3.2.7.7 Icon URL Field 38
The icon URL field has a variable length and contains a character string 39
representing the URL through which the icon for the device can be obtained. 40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
90 Application Layer Specification
implemented within ZigBee Device Objects. The ZigBee Device Profile operates
like any ZigBee profile by defining Device Descriptions and Clusters. Unlike 1
application specific profiles, the Device Descriptions and Clusters within the 2
ZigBee Device Profile define capabilities supported in all ZigBee devices. As 3
with any profile document, this document details the mandatory and/or optional 4
clusters. 5
6
7
2.4.2 Device Profile Overview 8
9
The Device Profile supports four key inter-device communication functions 10
within the ZigBee protocol. These functions are explained in the following 11
sections: 12
• Device and Service Discovery Overview 13
14
• End Device Bind Overview 15
• Bind and Unbind Overview 16
17
• Binding Table Management Overview 18
19
2.4.2.1 Device and Service Discovery Overview 20
Device Discovery is a distributed operation where individual devices or 21
designated discovery cache devices respond to discovery requests. The “device 22
address of interest” field enables response from either the device itself or a 23
discovery cache device. In selected cases where the discovery cache device and 24
the “device address of interest” device also responds, the response from the 25
“device address of interest” shall be used. 26
27
Service Discovery is a distributed operation where individual devices or 28
designated discovery cache devices respond to discovery requests. The “device 29
address of interest” field enables responses from either the device itself or a 30
discovery cache device. In cases, where both the discovery cache device and the 31
“device address of interest” devices respond, the response from the “device 32
address of interest” shall be used. 33
The following capabilities exist for device and service discovery: 34
35
• Device Discovery: Provides the ability for a device to determine the identity of 36
other devices on the PAN. Device Discovery is supported for both the 64 bit 37
IEEE address and the 16 bit Network address. 38
• Device Discovery messages can be used in one of two ways: 39
40
—Broadcast addressed: All devices on the network shall respond accord- 41
ing to the Logical Device Type and match criteria. ZigBee End Devices 42
shall respond with just their address. ZigBee Coordinators and ZigBee 43
Routers with associated devices shall respond with their address as the 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
92 Application Layer Specification
2.4.3.1.1 NWK_addr_req
1
The NWK_addr_req command (ClusterID=0x0000) shall be formatted as 2
illustrated in Figure 2.17 . 3
Octets: 8 1 1
4
5
IEEEAddress RequestType StartIndex 6
7
Figure 2.17 Format of the NWK_addr_req Command 8
9
Table 2.41 specifies the fields of the NWK_addr_req Command Frame.
10
Table 2.41 Fields of the NWK_addr_req Command 11
12
Name Type Valid Range Description
13
IEEEAddr IEEE A valid 64-bit IEEE The IEEE address to be matched by the 14
Address address Remote Device 15
RequestType Integer 0x00-0xff Request type for this command: 16
17
0x00 – Single device response
18
0x01 – Extended response 19
0x02-0xFF – reserved 20
21
StartIndex Integer 0x00-0xff If the Request type for this command is
Extended response, the StartIndex 22
provides the starting index for the 23
requested elements of the associated 24
devices list 25
26
2.4.3.1.1.1 When Generated 27
28
The NWK_addr_req is generated from a Local Device wishing to inquire as to the 29
16 bit address of the Remote Device based on its known IEEE address. The 30
destination addressing on this command shall be broadcast to all RxOnWhenIdle 31
devices. 32
For future upgrade ability, the destination addressing may be permitted to be 33
unicast. This would permit directing the message to a well-known destination that 34
supports centralized or agent-based device discovery. 35
36
2.4.3.1.1.2 Effect on Receipt 37
38
Upon receipt, a Remote Device shall compare the IEEEAddr to its local IEEE 39
address or any IEEE address held in its local discovery cache. If there is no match, 40
the request shall be discarded and no response generated. If a match is detected 41
between the contained IEEEAddr and the Remote Device's IEEE address or one 42
held in the discovery cache, the RequestType shall be used to create a response. If 43
the RequestType is one of the reserved values, a NWK_addr_resp command shall 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 99
The local device shall generate the Node_Desc_req command using the format
illustrated in Table 2.43. The NWKAddrOfInterest field shall contain the network 1
address of the remote device for which the node descriptor is required. 2
3
2.4.3.1.3.2 Effect on Receipt 4
5
Upon receipt of this command, the recipient device shall process the command 6
and generate a Node_Desc_rsp command in response, according to the 7
description in sub-clause 2.4.4.1.3.1. 8
2.4.3.1.4 Power_Desc_req 9
10
The Power_Desc_req command (ClusterID=0x0003) shall be formatted as 11
illustrated in Figure 2.20. 12
13
Octets: 2 14
NWKAddrOfInterest 15
16
Figure 2.20 Format of the Power_Desc_req Command Frame 17
18
Table 2.44 specifies the fields of the Power_Desc_req command frame. 19
Table 2.44 Fields of the Power_Desc_req Command 20
21
Name Type Valid Range Description 22
23
NWKAddrOfInterest Device 16-bit NWK address NWK address for the request
Address 24
25
26
2.4.3.1.4.1 When Generated 27
The Power_Desc_req command is generated from a local device wishing to 28
inquire as to the power descriptor of a remote device. This command shall be 29
unicast either to the remote device itself or to an alternative device that contains 30
the discovery information of the remote device. 31
32
The local device shall generate the Power_Desc_req command using the format 33
illustrated in Table 2.44. The NWKAddrOfInterest field shall contain the network 34
address of the remote device for which the power descriptor is required. 35
36
2.4.3.1.4.2 Effect on Receipt 37
Upon receipt of this command, the recipient device shall process the command 38
and generate a Power_Desc_rsp command in response, according to the 39
description in sub-clause 2.4.4.1.4.1. 40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
102 Application Layer Specification
2.4.3.1.5 Simple_Desc_req
1
The Simple_Desc_req command (ClusterID=0x0004) shall be formatted as 2
illustrated in Figure 2.21. 3
4
Octets: 2 1
5
NWKAddrOfInterest EndPoint 6
7
Figure 2.21 Format of the Simple_Desc_req Command Frame 8
9
Table 2.45 specifies the fields of the Simple_Desc_req command frame. 10
Table 2.45 Fields of the Simple_Desc_req Command 11
12
Name Type Valid Range Description 13
NWKAddrOfInterest Device 16-bit NWK address NWK address for the request 14
Address 15
16
endpoint 8 bits 1-240 The endpoint on the destination
17
18
2.4.3.1.5.1 When Generated 19
The Simple_Desc_req command is generated from a local device wishing to 20
inquire as to the simple descriptor of a remote device on a specified endpoint. This 21
command shall be unicast either to the remote device itself or to an alternative 22
device that contains the discovery information of the remote device. 23
24
The local device shall generate the Simple_Desc_req command using the format 25
illustrated in Table 2.45. The NWKAddrOfInterest field shall contain the network 26
address of the remote device for which the simple descriptor is required and the 27
endpoint field shall contain the endpoint identifier from which to obtain the 28
required simple descriptor. 29
30
2.4.3.1.5.2 Effect on Receipt 31
32
Upon receipt of this command, the recipient device shall process the command
33
and generate a Simple_Desc_rsp command in response, according to the
34
description in sub-clause 2.4.4.1.5.1.
35
2.4.3.1.6 Active_EP_req 36
37
The Active_EP_req command (ClusterID=0x0005) shall be formatted as 38
illustrated in Figure 2.22. 39
Octets: 2 40
41
NWKAddrOfInterest 42
43
Figure 2.22 Format of the Active_EP_req Command Frame 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 103
The remaining fields shall contain the required criterion for which the simple
descriptor match is requested. The ProfileID field shall contain the identifier of 1
the profile for which the match is being sought. 2
3
The NumInClusters field shall contain the number of elements in the InClusterList 4
field. If the value of this field is 0, the InClusterList field shall not be included. If 5
the value of the NumInClusters field is not equal to 0, the InClusterList field shall 6
contain the list of input cluster identifiers for which the match is being sought. 7
The NumOutClusters field shall contain the number of elements in the 8
OutClusterList field. If the value of this field is 0, the OutClusterList field shall 9
not be included. If the value of the NumOutClusters field is not equal to 0, the 10
OutClusterList field shall contain the list of output cluster identifiers for which the 11
match is being sought. 12
13
2.4.3.1.7.2 Effect on Receipt 14
15
Upon receipt of this command, the recipient device shall process the command 16
and generate a Match_Desc_rsp command in response, according to the 17
description in sub-clause 2.4.4.1.7.1. 18
2.4.3.1.8 Complex_Desc_req 19
20
The Complex_Desc_req command (ClusterID=0x0010) shall be formatted as 21
illustrated in Figure 2.24. 22
23
Octets: 2 24
NWKAddrOfInterest 25
26
Figure 2.24 Format of the Complex_Desc_req Command Frame 27
28
Table 2.48 specifies the fields of the Complex_Desc_req command frame. 29
Table 2.48 Fields of the Complex_Desc_req Command 30
31
Name Type Valid Range Description 32
33
NWKAddrOfInterest Device 16 bit NWK address NWK address for the request
Address 34
35
36
2.4.3.1.8.1 When Generated 37
The Complex_Desc_req command is generated from a local device wishing to 38
inquire as to the complex descriptor of a remote device. This command shall be 39
unicast either to the remote device itself or to an alternative device that contains 40
the discovery information of the remote device. 41
42
The local device shall generate the Complex_Desc_req command using the 43
format illustrated in Table 2.48. The NWKAddrOfInterest field shall contain the 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
106 Application Layer Specification
network address of the remote device for which the complex descriptor is
required. 1
2
2.4.3.1.8.2 Effect on Receipt 3
4
Upon receipt of this command, the recipient device shall process the command 5
and generate a Complex_Desc_rsp command in response, according to the 6
description in sub-clause 2.4.4.1.8.1. 7
2.4.3.1.9 User_Desc_req 8
9
The User_Desc_req (ClusterID=0x0011) command shall be formatted as 10
illustrated in Figure 2.25. 11
12
Octets: 2 13
NWKAddrOfInterest 14
15
Figure 2.25 Format of the User_Desc_req Command Frame 16
17
Table 2.49 specifies the fields of the User_Desc_req command frame. 18
Table 2.49 Fields of the User_Desc_req Command 19
20
Name Type Valid Range Description 21
22
NWKAddrOfInterest Device Address 16-bit NWK address NWK address for the request
23
24
2.4.3.1.9.1 When Generated 25
The User_Desc_req command is generated from a local device wishing to inquire 26
as to the user descriptor of a remote device. This command shall be unicast either 27
to the remote device itself or to an alternative device that contains the discovery 28
information of the remote device. 29
30
The local device shall generate the User_Desc_req command using the format 31
illustrated in Table 2.49. The NWKAddrOfInterest field shall contain the network 32
address of the remote device for which the user descriptor is required. 33
34
2.4.3.1.9.2 Effect on Receipt 35
36
Upon receipt of this command, the recipient device shall process the command
37
and generate a User_Desc_rsp command in response, according to the description
38
in sub-clause 2.4.4.1.9.1.
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 107
2.4.3.1.10 Discovery_Cache_req
1
The Discovery_Cache_req command (ClusterID=0x0012) shall be formatted as 2
illustrated in Figure 2.26. 3
4
Octets: 2 8
5
NWKAddr IEEEAddr 6
7
Figure 2.26 Format of the Discovery_Cache_req Command Frame 8
9
Table 2.50 specifies the parameters for the Discovery_Cache_req command 10
frame. 11
Table 2.50 Fields of the Discovery_Cache_req Command 12
13
Name Type Valid Range Description 14
NWKAddr Device Address 16-bit NWK address NWK address for the Local Device 15
16
IEEEAddr Device Address 64-bit IEEE address IEEE address for the Local Device
17
18
2.4.3.1.10.1 When Generated 19
20
The Discovery_Cache_req is provided to enable devices on the network to locate
21
a Primary Discovery Cache device on the network. The destination addressing on
22
this primitive shall be broadcast to all RxOnWhenIdle devices.
23
24
2.4.3.1.10.2 Effect on Receipt 25
Upon receipt, if the Remote Device does not support the Discovery_Cache_req, 26
the request shall be dropped and no further processing performed. If the 27
Discovery_Cache_req is supported, the Remote Device shall create a unicast 28
Discovery_Cache_rsp message to the source indicated by the 29
Discovery_Cache_req and include a SUCCESS status. 30
31
2.4.3.1.11 End_Device_annce 32
The End_Device_annce command (ClusterID=0x0013) shall be formatted as 33
illustrated in Figure 2.27. 34
35
Octets: 2 8 1 36
37
NWKAddr IEEEAddr Capability
38
39
Figure 2.27 Format of the End_Device_annce Command Frame
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
108 Application Layer Specification
2.4.3.1.15 Node_Desc_store_req
1
The Node_Desc_store_req command (ClusterID=0x0017) shall be formatted as 2
illustrated in Figure 2.31. 3
4
Octets: 2 8 Variable
5
NWKAddr IEEEAddr NodeDescriptor 6
7
Figure 2.31 Format of the Node_Desc_store_req Command Frame 8
9
Table 2.55 specifies the fields of the Node_Desc_store_req command frame. . 10
Table 2.55 Fields of the Node_Desc_store_req Command 11
12
Name Type Valid Range Description 13
NWKAddr Device 16-bit NWK Address NWK Address for the Local Device 14
Address 15
16
IEEEAddr Device 64-bit IEEE Address IEEE address for the Local Device
Address 17
18
NodeDescriptor Node See the Node Descriptor format in sub- 19
Descriptor clause 2.3.2.4
20
21
2.4.3.1.15.1 When Generated 22
The Node_Desc_store_req is provided to enable ZigBee end devices on the 23
network to request storage of their Node Descriptor on a Primary Discovery 24
Cache device which has previously received a SUCCESS status from a 25
Discovery_store_req to the same Primary Discovery Cache device. Included in 26
this request is the Node Descriptor the Local Device wishes to cache. 27
28
29
2.4.3.1.15.2 Effect on Receipt
30
Upon receipt, the Remote Device shall determine whether it is a Primary 31
Discovery Cache device. If it is not a Primary Discovery Cache device, the 32
Remote Device shall return a status of NOT_SUPPORTED. Next, the Remote 33
Device shall determine whether it has previously processed a 34
Discovery_store_req for the Local Device and returned a status of SUCCESS. If a 35
previous Discovery_store_req has not been processed with a SUCCESS status, 36
the Remote Device shall return NOT_PERMITTED. Next, the Remote Device 37
shall determine if enough space is available to store the Node Descriptor for the 38
Local Device. If not, the Remote Device shall return INSUFFICIENT_SPACE. 39
Finally, the Remote Device shall store the Node Descriptor for the Local Device 40
and return SUCCESS. If the request returned a status of SUCCESS and the 41
NWKAddr and IEEEAddr in the request referred to addresses already held in the 42
Primary Discovery Cache, the descriptor in this request shall overwrite the 43
previously held entry. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 113
2.4.3.1.16 Power_Desc_store_req
1
The Power_Desc_store_req command (ClusterID=0x0018) shall be formatted as 2
illustrated in Figure 2.32. 3
4
Octets: 2 8 Variable
5
NWKAddr IEEEAddr PowerDescriptor 6
7
Figure 2.32 Format of the Power_Desc_store_req Command Frame 8
9
Table 2.56 specifies the fields of the Power_Desc_store_req command frame. 10
Table 2.56 Fields of the Power_Desc_store_req Command 11
12
Name Type Valid Range Description 13
NWKAddr Device 16-bit NWK Address NWK Address for the Local Device 14
Address 15
16
IEEEAddr Device 64-bit Address IEEE address for the Local Device
Address 17
18
PowerDescriptor Power See the Power Descriptor format in 19
Descriptor sub-clause 2.3.2.5; This field shall only
be included in the frame if the status 20
field is equal to SUCCESS 21
22
23
2.4.3.1.16.1 When Generated
24
The Power_Desc_store_req is provided to enable ZigBee end devices on the 25
network to request storage of their Power Descriptor on a Primary Discovery 26
Cache device which has previously received a SUCCESS status from a 27
Discovery_store_req to the same Primary Discovery Cache device. Included in 28
this request is the Power Descriptor the Local Device wishes to cache. 29
30
2.4.3.1.16.2 Effect on Receipt 31
32
Upon receipt, the Remote Device shall determine whether it is a Primary 33
Discovery Cache device. If it is not a Primary Discovery Cache device, the 34
Remote Device shall return a status of NOT_SUPPORTED. Next, the Remote 35
Device shall determine whether it has previously processed a 36
Discovery_store_req for the Local Device and returned a status of SUCCESS. If a 37
previous Discovery_store_req has not been processed with a SUCCESS status, 38
the Remote Device shall return NOT_PERMITTED. Next, the Remote Device 39
shall determine if enough space is available to store the Power Descriptor for the 40
Local Device. If not, the Remote Device shall return INSUFFICIENT_SPACE. 41
Finally, the Remote Device shall store the Power Descriptor for the Local Device 42
and return SUCCESS. If the request returned a status of SUCCESS and the 43
NWKAddr and IEEEAddr in the request referred to addresses already held in the 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
114 Application Layer Specification
Primary Discovery Cache, the descriptor in this request shall overwrite the
previously held entry. 1
2
2.4.3.1.17 Active_EP_store_req 3
The Active_EP_store_req command (ClusterID=0x0019) shall be formatted as 4
illustrated in Figure 2.33 . 5
6
Octets: 2 8 1 Variable 7
8
NWKAddr IEEEAddr ActiveEPCount ActiveEPList
9
10
Figure 2.33 Format of the Active_EP_store_req Command Frame
11
Table 2.57 specifies the fields of the Active_EP_store_req command frame 12
13
Table 2.57 Fields of the Active_EP_store_req Command 14
Name Type Valid Range Description 15
16
NWKAddr Device 16-bit NWK NWK Address for the Local Device 17
Address Address
18
IEEEAddr Device 64-bit IEEE IEEE Address for the Local Device 19
Address Address 20
ActiveEPCount Integer 0x00-0xff The count of active endpoints on the 21
Local Device 22
ActiveEPList List of bytes, each of which represents 23
an 8-bit endpoint number 24
25
26
2.4.3.1.17.1 When Generated
27
The Active_EP_store_req is provided to enable ZigBee end devices on the 28
network to request storage of their list of Active Endpoints on a Primary 29
Discovery Cache device which has previously received a SUCCESS status from a 30
Discovery_store_req to the same Primary Discovery Cache device. Included in 31
this request is the count of Active Endpoints the Local Device wishes to cache and 32
the endpoint list itself. 33
34
2.4.3.1.17.2 Effect on Receipt 35
36
Upon receipt, the Remote Device shall determine whether it is a Primary 37
Discovery Cache device. If it is not a Primary Discovery Cache device, the 38
Remote Device shall return a status of NOT_SUPPORTED. Next, the Remote 39
Device shall determine whether it has previously processed a 40
Discovery_store_req for the Local Device and returned a status of SUCCESS. If a 41
previous Discovery_store_req has not been processed with a SUCCESS status, 42
the Remote Device shall return NOT_PERMITTED. Next, the Remote Device 43
shall determine if enough space is available to store the Active Endpoint count 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 115
and list for the Local Device. If not, the Remote Device shall return
INSUFFICIENT_SPACE. Finally, the Remote Device shall store the Active 1
Endpoint count and list for the Local Device and return SUCCESS. If the request 2
returned a status of SUCCESS and the NWKAddr and the IEEEAddr in the 3
request referred to addresses already held in the Primary Discovery Cache, the 4
descriptor in this request shall overwrite the previously held entry. 5
6
2.4.3.1.18 Simple_Desc_store_req 7
The Simple_Desc_store_req command (ClusterID=0x001a) shall be formatted as 8
illustrated in Figure 2.34. 9
10
Octets: 2 8 1 Variable 11
12
NWKAddr IEEEAddr Length SimpleDescriptor
13
14
Figure 2.34 Format of the Simple_Desc_store_req Command Frame
15
Table 2.58 specifies the fields of the Simple_Desc_store_req command frame . 16
17
Table 2.58 Fields of the Simple_Desc_store_req Command 18
Name Type Valid Range Description 19
20
NWKAddr Device 16-bit NWK Address NWK Address for the Local 21
Address Device
22
IEEEAddr Device 64-bit IEEE Address IEEE Address for the Local 23
Address Device 24
Length Device 0x00 - 0xff The length in bytes of the 25
Address Simple Descriptor to follow 26
SimpleDescriptor Simple See the Simple Descriptor 27
Descriptor format in sub-clause 2.3.2.6 28
29
30
2.4.3.1.18.1 When Generated
31
The Simple_desc_store_req is provided to enable ZigBee end devices on the 32
network to request storage of their list of Simple Descriptors on a Primary 33
Discovery Cache device which has previously received a SUCCESS status from a 34
Discovery_store_req to the same Primary Discovery Cache device. Note that each 35
Simple Descriptor for every active endpoint on the Local Device must be 36
individually uploaded to the Primary Discovery Cache device via this command 37
to enable cached discovery. Included in this request is the length of the Simple 38
Descriptor the Local Device wishes to cache and the Simple Descriptor itself. The 39
endpoint is a field within the Simple Descriptor and is accessed by the Remote 40
Device to manage the discovery cache information for the Local Device. 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
116 Application Layer Specification
cache information for the device of interest. If it is not the device of interest or a
Primary Discovery Cache device, and does not hold discovery cache information 1
for the device of interest, the Remote Device shall cease processing the request 2
and not supply a response. If the Remote Device is the device of interest, or a 3
Primary Discovery Cache device, and, if the device holds discovery information 4
for the indicated device of interest, the Remote Device shall return SUCCESS to 5
the Local Device along with the NWKAddr and IEEEaddr for the device of 6
interest. 7
8
2.4.3.2 End Device Bind, Bind, Unbind and Bind 9
Management Client Services Primitives 10
11
Table 2.61 lists the primitives supported by Device Profile: End Device Bind, 12
Bind and Unbind Client Services. Each of these commands will be discussed in 13
the following subclauses. 14
Table 2.61 End Device Bind, Bind, Unbind and Bind
15
Management Client Service Commands 16
17
End Device Bind, Bind and 18
Unbind Client Server 19
Client Services Transmission Processing
20
End_Device_Bind_req O O 21
Bind_req O O 22
23
Unbind_req O O 24
Bind_Register_req O O 25
26
Replace_Device_req O O
27
Store_Bkup_Bind_Entry_req O O 28
Remove_Bkup_Bind_Entry_req O O 29
30
Backup_Bind_Table_req O O
31
Recover_Bind_Table_req O O 32
Backup_Source_Bind_req O O 33
34
Recover_Source_Bind_req O O
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 119
2.4.3.2.1 End_Device_Bind_req
1
The End_Device_Bind_req command (ClusterID=0x0020) shall be formatted as 2
illustrated in Figure 2.37. 3
4
Octets:
2 8 1 2 1 Variable 1 Variable 5
6
Binding SrcIEEE Src Profile Num InCluster Num OutCluster 7
Target Address Endpoint ID InClusters List OutClusters List 8
9
Figure 2.37 Format of the End_Device_Bind_req Command Frame
10
11
Table 2.62 specifies the fields of the End_Device_Bind_req command frame.
12
Table 2.62 Fields of the End_Device_Bind_req Command 13
14
Name Type Valid Range Description
15
BindingTarget Device Address 16-bit NWK The address of the target for the binding. 16
address This can be either the primary binding 17
cache device or the short address of the
18
local device.a
19
SrcIEEEAddre IEEE Address A valid 64-bit The IEEE address of the device 20
ss IEEE Address generating the request
21
SrcEndpoint 8 bits 1-240 The endpoint on the device generating 22
the request 23
ProfileID Integer 0x0000-0xffff ProfileID which is to be matched 24
between two End_Device_Bind_req 25
received at the ZigBee Coordinator 26
within the timeout value pre-configured 27
in the ZigBee Coordinator
28
NumInClusters Integer 0x00-0xff The number of Input Clusters provided 29
for end device binding within the 30
InClusterList
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
120 Application Layer Specification
If no match of the ProfileID is detected or if the ProfileID matches but none of the
InClusterList or OutClusterList elements match, a status of NO_MATCH shall be 1
supplied to both Local Devices via End_Device_Bind_rsp to each device. If a 2
match of Profile ID and at least one input or output clusterID is detected, an 3
End_Device_Bind_rsp with status SUCCESS shall be issued to each Local 4
Device which generated the End_Device_Bind_req. 5
6
The ZigBee coordinator shall then determine the 64-bit IEEE address of each 7
local device. If these addresses are not known, the ZigBee coordinator shall 8
determine them by using the IEEE_Addr_req command and corresponding 9
IEEE_Addr_rsp command. 10
In order to facilitate a toggle action the ZigBee Coordinator shall then issue an 11
Unbind_req command to the BindingTarget, specifying any one of the matched 12
ClusterID values. If the returned status value is NO_ENTRY, the ZigBee 13
Coordinator shall issue a Bind_req command for each matched ClusterID value. 14
Otherwise the ZigBee Coordinator shall conclude that the binding records are 15
instead to be removed and shall issue an Unbind_req command for any further 16
matched ClusterID values. 17
18
The initial Unbind_req and any subsequent Bind_reqs or Unbind_reqs, containing 19
the matched clusters shall be directed to one of the BindingTargets specified by 20
the generating devices. The BindingTarget is selected on an individual basis for 21
each matched cluster, as the Binding Target selected by the generating device 22
having that cluster as an output cluster. The SrcAddress field shall contain the 64- 23
bit IEEE address of that same generating device and the SrcEndp field shall 24
contain its endpoint. The DstAddress field shall contain the 64-bit IEEE address 25
of the generating device having the matched cluster in its input cluster list and the 26
DstEndp field shall contain its endpoint. 27
2.4.3.2.2 Bind_req 28
29
The Bind_req command (ClusterID=0x0021) shall be formatted as illustrated in 30
Figure 2.38. 31
32
Octets: 8 1 2 1 2/8 0/1
33
SrcAddress SrcEndp ClusterID DstAddrMode DstAddress DstEndp 34
35
Figure 2.38 Format of the Bind_req Command Frame 36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
122 Application Layer Specification
2.4.3.2.4 Bind_Register_req
1
The Bind_Register_req command (ClusterID=0x0023) shall be formatted as 2
illustrated in Figure 2.40. 3
4
Octets: 8
5
NodeAddress 6
7
Figure 2.40 Format of the Bind_Register_req Command Frame 8
9
Table 2.65 specifies the fields for the Bind_Register_req command frame. 10
Table 2.65 Fields of the Bind_Register_req Command 11
12
Name Type Valid Range Description 13
NodeAddress IEEE A valid 64-bit IEEE The address of the node wishing to hold 14
Address address its own binding table 15
16
17
2.4.3.2.4.1 When Generated
18
The Bind_Register_req is generated from a Local Device and sent to a primary 19
binding table cache device to register that the local device wishes to hold its own 20
binding table entries. The destination addressing mode for this request is unicast. 21
22
2.4.3.2.4.2 Effect on Receipt 23
24
If the remote device is not a primary binding table cache it shall return a status of 25
NOT_SUPPORTED. Otherwise, the primary binding table cache shall add the 26
NodeAddress given by the parameter to its table of source devices which have 27
chosen to store their own binding table. If this fails it shall return a status of 28
TABLE_FULL. Otherwise it returns a status of SUCCESS. (If an entry for the 29
NodeAddress already exists in the table of source devices, the behavior will be the 30
same as if it had been newly added.). The source device should clear its source 31
binding table before issuing this command to avoid synchronization problems. In 32
the successful case, any existing bind entries from the binding table whose source 33
address is NodeAddress will be sent to the requesting device for inclusion in its 34
source bind table. See Bind_Register_rsp for further details. Subsequent bind 35
entries written to the binding list will cause copies to be written to the source 36
device using Bind_req. 37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
126 Application Layer Specification
2.4.3.2.5 Replace_Device_req
1
The Replace_Device_req command (ClusterID=0x0024) shall be formatted as 2
illustrated in Figure 2.41. 3
4
Octets: 8 1 8 1
5
OldAddress OldEndpoint NewAddress NewEndpoint 6
7
Figure 2.41 Format of the Replace_Device_req Command Frame 8
9
Table 2.66 specifies the fields for the Replace_Device_req command frame. 10
Table 2.66 Fields of the Replace_Device_req Command 11
12
Name Type Valid Range Description 13
OldAddress IEEE Address A valid 64-bit IEEE The address of the node being 14
replaced 15
16
OldEndpoint Integer 0x01 - 0xf0 The endpoint being replaced
17
NewAddress IEEE Address A valid 64-bit IEEE The replacement address 18
NewEndpoint Integer 0x01 - 0xf0 The replacement endpoint 19
20
21
2.4.3.2.5.1 When Generated
22
The Replace_Device_req is intended for use by a special device such as a 23
Commissioning tool and is sent to a primary binding table cache device to change 24
all binding table entries which match OldAddress and OldEndpoint as specified. 25
(Note that OldEndpoint = 0 has special meaning and signifies that only the 26
address needs to be matched. The endpoint in the binding table will not be 27
changed in this case and so NewEndpoint is ignored.) The processing changes all 28
binding table entries for which the source address is the same as OldAddress and, 29
if OldEndpoint is non-zero, for which the source endpoint is the same as 30
OldEndpoint. It shall also change all binding table entries which have the 31
destination address the same as OldAddress and, if OldEndpoint is non-zero, the 32
destination endpoint the same as OldEndpoint. The destination addressing mode 33
for this request is unicast. 34
35
2.4.3.2.5.2 Effect on Receipt 36
37
If the remote device is not a primary binding table cache, it shall return a status of 38
NOT_SUPPORTED. The primary binding table cache shall check if its 39
OldAddress is non-zero and, if so, shall search its binding table for entries of 40
source addresses and source entries, or destination addresses and source 41
addresses, that are set the same as OldAddress and OldEndpoint. It shall change 42
these entries to have NewAddress and NewEndpoint. In the case that OldEndpoint 43
is zero, the primary binding table cache shall search its binding table for entries 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 127
2.4.3.2.7 Remove_Bkup_Bind_Entry_req
1
The Remove_Bkup_Bind_Entry_req command (ClusterID=0x0026) shall be 2
formatted as illustrated in Figure 2.43. 3
Figure 2.43 Format of the Remove_Bkup_Bind_Entry_req Command Frame 4
5
Octets: 8 1 2 1 2/8 0/1 6
7
SrcAddress SrcEndp ClusterID DstAddrMode DstAddress DstEndpa 8
a. CCB #601
9
10
Table 2.67 specifies the fields of the Remove_Bkup_Bind_Entry_req command 11
frame. 12
13
Table 2.68 Fields of the Remove_Bkup_Bind_Entry_req Command 14
Name Type Valid Range Description 15
16
SrcAddress IEEE A valid 64-bit The IEEE address for the source 17
Address IEEE address 18
SrcEndpoint Integer 0x01 - 0xf0 The IEEE address for the binding entry 19
ClusterId Integer 0x0000 - 0xffff The identifier of the cluster on the source
20
device that is bound to the destination 21
22
DstAddrMode Integer 0x00-0xff The addressing mode for the destination
23
address used in this command. This field can
take one of the non-reserved values from the 24
following list: 25
26
0x00 = reserved
27
0x01 = 16-bit group address for DstAddress
and DstEndp not present 28
29
0x02 = reserved
30
0x03 = 64-bit extended address for
DstAddress and DstEndp present 31
32
0x04 – 0xff = reserveda
33
DstAddress Address As specified by The destination address for the binding 34
the entry.
35
DstAddrMode
field 36
37
DstEndp Integer 0x01-0xf0 This field shall be present only if the 38
DstAddrMode field has a value of 0x03 and,
if present, shall be the destination endpoint 39
for the binding entry. 40
41
a. CCB #601
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
130 Application Layer Specification
2.4.3.2.9 Recover_Bind_Table_req
1
The Recover_Bind_Table_req command (ClusterID=0x0028) shall be formatted 2
as illustrated in Figure 2.45. 3
4
Octets: 2
5
StartIndex 6
7
Figure 2.45 Fields of the Recover_Bind_Table_req Command Frame 8
9
Table 2.70 specifies the fields of the Recover_Bind_Table_req command frame. 10
Table 2.70 Fields of the Recover_Bind_Table_req Command 11
12
Name Type Valid Range Description 13
StartIndex Integer 0x0000 - 0xffff Starting index for the requested 14
elements of the binding table 15
16
17
2.4.3.2.9.1 When Generated
18
The Recover_Bind_Table_req is generated from a local primary binding table 19
cache and sent to a remote backup binding table cache device when it wants a 20
complete restore of the binding table. The destination addressing mode for this 21
request is unicast. 22
23
2.4.3.2.9.2 Effect on Receipt 24
25
If the remote device is not the backup binding table cache it shall return a status of 26
NOT_SUPPORTED. If it does not recognize the sending device as a primary 27
binding table cache it shall return a status of INV_REQUESTTYPE. Otherwise, 28
the backup binding table cache shall prepare a list of binding table entries from its 29
backup beginning with StartIndex. It will fit in as many entries as possible into a 30
Recover_Bind_Table_rsp command and return a status of SUCCESS. 31
2.4.3.2.10 Backup_Source_Bind_req 32
33
The Backup_Source_Bind_req command (ClusterID=0x0029) shall be formatted 34
as illustrated in Figure 2.46. 35
36
Octets: 2 2 2 Variable
37
SourceTableEntries StartIndex SourceTableListCount SourceTableList 38
39
Figure 2.46 Fields of the Backup_Source_Bind_req Command Frame 40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 133
2.4.3.2.11 Recover_Source_Bind_req
1
The Recover_Source_Bind_req command (ClusterID=0x002a) shall be formatted 2
as illustrated in Figure 2.47. 3
4
Octets: 2
5
StartIndex 6
7
Figure 2.47 Format of the Recover_Source_Bind_req Command Frame 8
9
Table 2.72 specifies the fields of the Recover_Source_Bind_req command frame. 10
Table 2.72 Fields of the Recover_Source_Bind_req Command 11
12
Name Type Valid Range Description 13
StartIndex Integer 0x0000 - 0xffff Starting index for the requested 14
elements of the binding table 15
16
17
2.4.3.2.11.1 When Generated
18
The Recover_Source_Bind_req is generated from a local primary binding table 19
cache and sent to the remote backup binding table cache device when it wants a 20
complete restore of the source bind table. The destination addressing mode for 21
this request is unicast. 22
23
2.4.3.2.11.2 Effect on Receipt 24
25
If the remote device is not the backup binding table cache it shall return a status of 26
NOT_SUPPORTED. If it does not recognize the sending device as a primary 27
binding table cache it shall return a status of INV_REQUESTTYPE. Otherwise, 28
the backup binding table cache shall prepare a list of source bind table entries 29
from its backup beginning with StartIndex. It will fit in as many entries as 30
possible into a Recover_Source_Bind_rsp command and return a status of 31
SUCCESS. 32
33
2.4.3.3 Network Management Client Services 34
Table 2.73 lists the commands supported by Device Profile: Network 35
Management Client Services. Each of these primitives will be discussed in the 36
following subclauses. 37
38
Table 2.73 Network Management Client Services Commands 39
Network Management Client Server 40
Client Services Transmission Processing 41
42
Mgmt_NWK_Disc_req O O
43
Mgmt_Lqi_req O O 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 135
of the leave attempt shall be reported back to the local device via the
Mgmt_Leave_rsp command. 1
2
If the remote device does not support this optional management request, it shall 3
return a status of NOT_SUPPORTED. If the leave attempt was executed 4
successfully, the Mgmt_Leave_rsp command shall contain a status of SUCCESS. 5
If the leave attempt was not executed successfully, the Mgmt_Leave_rsp 6
command shall contain the error code reported in the NLME-LEAVE.confirm 7
primitive. 8
2.4.3.3.6 Mgmt_Direct_Join_req 9
10
The Mgmt_Direct_Join_req command (ClusterID=0x0035) shall be formatted as 11
illustrated in Figure 2.53. 12
13
Octets: 8 1
14
Device Address Capability 15
Information 16
17
Figure 2.53 Format of the Mgmt_Direct_Join _reqCommand Frame 18
19
Table 2.79 specifies the fields for the Mgmt_Direct_Join_req command frame. 20
Table 2.79 Fields of the Mgmt_Direct_Join_req Command 21
22
Name Type Valid Range Description 23
DeviceAddress Device An extended 64 bit, See sub-clause 3.3.6.1 for details 24
Address IEEE address on the DeviceAddress parameter 25
within NLME-JOIN.request 26
CapabilityInformation Bitmap See Table 3.17 The operating capabilities of the 27
device being directly joined 28
29
2.4.3.3.6.1 When Generated 30
31
The Mgmt_Direct_Join_req is generated from a Local Device requesting that a 32
Remote Device permit a device designated by DeviceAddress to join the network 33
directly. The Mgmt_Direct_Join_req is generated by a management application 34
which directs the request to a Remote Device where the NLME-DIRECT- 35
JOIN.request is to be executed using the parameter supplied by 36
Mgmt_Direct_Join_req. 37
38
2.4.3.3.6.2 Effect on Receipt 39
40
Upon receipt, the remote device shall issue the NLME-DIRECT-JOIN.request
41
primitive using the DeviceAddress and CapabilityInformation parameters
42
supplied with the Mgmt_Direct_Join_req command. The results of the direct join
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 141
attempt shall be reported back to the local device via the Mgmt_Direct_Join_rsp
command. 1
2
If the remote device does not support this optional management request, it shall 3
return a status of NOT_SUPPORTED. If the direct join attempt was executed 4
successfully, the Mgmt_Direct_Join_rsp command shall contain a status of 5
SUCCESS. If the direct join attempt was not executed successfully, the 6
Mgmt_Direct_Join_rsp command shall contain the error code reported in the 7
NLME-DIRECT-JOIN.confirm primitive. 8
2.4.3.3.7 Mgmt_Permit_Joining_req 9
10
The Mgmt_Permit_Joining_req command (ClusterID=0x0036) shall be formatted 11
as illustrated in Figure 2.54. 12
13
Octets: 1 1
14
PermitDuration TC_Significance 15
16
Figure 2.54 Format of the Mgmt_Permit_Joining_req Command Frame 17
18
Table 2.80 specifies the fields of the Mgmt_Permit_Joining_req command frame. 19
Table 2.80 Fields of the Mgmt_Permit_Joining_req Command 20
21
Name Type Valid Range Description 22
PermitDuration Integer 0x00 - 0xff See sub-clause 3.3.4.1 for details on the 23
PermitDuration parameter within NLME- 24
PERMIT-JOINING.request 25
TC_Significance Boolean 0x00 - 0x01 If this is set to 0x01 and the remote device is 26
Integer the trust center, the command affects the trust 27
center authentication policy as described in 28
the sub-clauses below; If this is set to 0x00, 29
there is no effect on the trust center
30
31
2.4.3.3.7.1 When Generated 32
33
The Mgmt_Permit_Joining_req is generated from a Local Device requesting that
34
a remote device or devices allow or disallow association. The
35
Mgmt_Permit_Joining_req is generated by a management application or
36
commissioning tool which directs the request to a remote device(s) where the
37
NLME-PERMIT-JOINING.request is executed using the PermitDuration
38
parameter supplied by Mgmt_Permit_Joining_req. Additionally, if the remote
39
device is the Trust Center and TC_Significance is set to 1, the trust center
40
authentication policy will be affected. The addressing may be unicast or
41
‘broadcast to all RxOnWhenIdle devices’.
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
142 Application Layer Specification
2.4.4.1.1 NWK_addr_rsp
1
The NWK_addr_rsp command (ClusterID=0x8000) shall be formatted as 2
illustrated in Figure 2.56. 3
4
Octets: 1 8 2 1 1 Variable
5
Status IEEEAddr NWKAddr Num StartIndex NWKAddr 6
RemoteDev RemoteDev AssocDev AssocDevList 7
8
Figure 2.56 Format of the NWK_addr_rsp Command Frame 9
10
Table 2.83 specifies the fields of the NWK_addr_rsp command frame. 11
Table 2.83 Fields of the NWK_addr_rsp Command 12
13
Name Type Valid Range Description 14
Status Integer SUCCESS, The status of the 15
INV_REQUESTTYPE or NWK_addr_req command 16
DEVICE_NOT_FOUND 17
IEEEAddrRemoteDev Device An extended 64-bit, IEEE 64-bit address for the Remote 18
Address address Device 19
NWKAddrRemoteDev Device A 16-bit, NWK address 16-bit address for the Remote 20
Address Device 21
22
NumAssocDev Integer 0x00-0xff Count of the number of
associated devices to the 23
Remote Device and the 24
number of 16-bit short 25
addresses to follow; 26
If the RequestType in the 27
request is Extended Response 28
and there are no associated 29
devices on the Remote 30
Device, this field shall be set
to 0; 31
32
If the RequestType in the 33
request is for a Single Device
Response, this field shall not 34
be included in the frame 35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
146 Application Layer Specification
SUCCESS and include its node descriptor (see sub-clause 2.3.2.4) in the
NodeDescriptor field. 1
2
If the NWKAddrOfInterest field does not match the network address of the 3
remote device and it is an end device, it shall set the Status field to 4
INV_REQUESTTYPE and not include the NodeDescriptor field. If the 5
NWKAddrOfInterest field does not match the network address of the remote 6
device and it is the coordinator or a router, it shall determine whether the 7
NWKAddrOfInterest field matches the network address is one of its children. If 8
the NWKAddrOfInterest field does not match the network address of one of the 9
children of the remote device, it shall set the Status field to 10
DEVICE_NOT_FOUND and not include the NodeDescriptor field. If the 11
NWKAddrOfInterest matches the network address of one of the children of the 12
remote device, it shall determine whether a node descriptor for that device is 13
available. If a node descriptor is not available for the child indicated by the 14
NWKAddrOfInterest field, the remote device shall set the Status field to 15
NO_DESCRIPTOR and not include the NodeDescriptor field. If a node descriptor 16
is available for the child indicated by the NWKAddrOfInterest field, the remote 17
device shall set the Status field to SUCCESS and include the node descriptor (see 18
sub-clause 2.3.2.4) of the matching child device in the NodeDescriptor field. 19
20
2.4.4.1.3.2 Effect on Receipt 21
On receipt of the Node_Desc_rsp command, the recipient is either notified of the 22
node descriptor of the remote device indicated in the original Node_Desc_req 23
command or notified of an error. If the Node_Desc_rsp command is received with 24
a Status of SUCCESS, the NodeDescriptor field shall contain the requested node 25
descriptor. Otherwise, the Status field indicates the error and the NodeDescriptor 26
field shall not be included. 27
28
2.4.4.1.4 Power_Desc_rsp 29
30
The Power_Desc_rsp command (ClusterID=0x8003) shall be formatted as
31
illustrated in Figure 2.59.
32
See sub- 33
Octet: 1 2 clause 2.3.2.5 34
35
Status NWKAddr Power
OfInterest Descriptor
36
37
Figure 2.59 Format of the Power_Desc_rsp Command Frame 38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
152 Application Layer Specification
the remote device shall set the Status field to SUCCESS and include the power
descriptor (see sub-clause 2.3.2.5) of the matching child device in the 1
PowerDescriptor field. 2
3
2.4.4.1.4.2 Effect on Receipt 4
5
On receipt of the Power_Desc_rsp command, the recipient is either notified of the 6
power descriptor of the remote device indicated in the original Power_Desc_req 7
command or notified of an error. If the Power_Desc_rsp command is received 8
with a Status of SUCCESS, the PowerDescriptor field shall contain the requested 9
power descriptor. Otherwise, the Status field indicates the error and the 10
PowerDescriptor field shall not be included. 11
2.4.4.1.5 Simple_Desc_rsp 12
13
The Simple_Desc_rsp command (ClusterID=0x8004) shall be formatted as 14
illustrated in Figure 2.60. 15
16
Octet: 1 2 1 Variable 17
Status NWKAddr Length Simple 18
OfInterest Descriptor 19
20
Figure 2.60 Format of the Simple_Desc_rsp Command Frame 21
22
Table 2.87 specifies the fields of the Simple_Desc_rsp command frame. 23
Table 2.87 Fields of the Simple_Desc_rsp Command 24
25
Name Type Valid Range Description 26
Status Integer SUCCESS, The status of the 27
INVALID_EP, Simple_Desc_req command 28
NOT_ACTIVE, 29
DEVICE_NOT_FOUND, 30
INV_REQUESTTYPE or
31
NO_DESCRIPTOR
32
NWKAddrOfInterest Device 16-bit NWK address NWK address for the request 33
Address
34
Length Integer 0x00-0xff Length in bytes of the Simple 35
Descriptor to follow 36
SimpleDescriptor Simple See the Simple Descriptor 37
Descriptor format in sub-clause 2.3.2.6. 38
This field shall only be 39
included in the frame if the 40
status field is equal to
SUCCESS 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
154 Application Layer Specification
SUCCESS, set the ActiveEPCount field to the number of active endpoints on that
device and include an ascending list of all the identifiers of the active endpoints on 1
that device in the ActiveEPList field. 2
3
If the NWKAddrOfInterest field does not match the network address of the remote device 4
and it is an end device, it shall set the Status field to INV_REQUESTTYPE, set the 5
ActiveEPCount field to 0 and not include the ActiveEPList field. If the 6
NWKAddrOfInterest field does not match the network address of the remote device and it 7
is the coordinator or a router, it shall determine whether the NWKAddrOfInterest field 8
matches the network address of a device it holds in a discovery cache. If the 9
NWKAddrOfInterest field does not match the network address of a device it holds in a 10
discovery cache, it shall set the Status field to DEVICE_NOT_FOUND, set the 11
ActiveEPCount field to 0 and not include the ActiveEPList field. If the 12
NWKAddrOfInterest matches the network address of a device held in a discovery cache 13
on the remote device, it shall determine whether that device has any active endpoints. If 14
the discovery information corresponding to the ActiveEP request has not yet been 15
uploaded to the discovery cache, the remote device shall set the Status field to 16
NO_DESCRIPTOR, set the ActiveEPCount field to 0 and not include the ActiveEPList 17
field. If the cached device has no active endpoints, the remote device shall set the Status 18
field to SUCCESS, set the ActiveEPCount field to 0 and not include the ActiveEPList 19
field. If the cached device has active endpoints, the remote device shall set the Status field 20
to SUCCESS, set the ActiveEPCount field to the number of active endpoints on that 21
device and include an ascending list of all the identifiers of the active endpoints on that 22
device in the ActiveEPList field. 23
24
2.4.4.1.6.2 Effect on Receipt 25
On receipt of the Active_EP_rsp command, the recipient is either notified of the 26
active endpoints of the remote device indicated in the original Active_EP_req 27
command or notified of an error. If the Active_EP_rsp command is received with 28
a Status of SUCCESS, the ActiveEPCount field indicates the number of entries in 29
the ActiveEPList field. Otherwise, the Status field indicates the error and the 30
ActiveEPList field shall not be included. 31
32
2.4.4.1.7 Match_Desc_rsp 33
34
The Match_Desc_rsp command (ClusterID=0x8006) shall be formatted as
35
illustrated in Figure 2.62.
36
Octet: 1 2 1 Variable 37
38
Status NWKAddr Match Match 39
OfInterest Length List
40
41
Figure 2.62 Format of the Match_Desc_rsp Command Frame
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 157
children. If the NWKAddrOfInterest field does not match the network address of
one of the children of the remote device, it shall set the Status field to 1
DEVICE_NOT_FOUND, set the MatchLength field to 0 and not include the 2
MatchList field. 3
4
If the NWKAddrOfInterest matches the network address of one of the children of 5
the remote device, it shall determine whether any simple descriptors for that 6
device are available. If no simple descriptors are available for the child indicated 7
by the NWKAddrOfInterest field, the remote device shall set the Status field to 8
NO_DESCRIPTOR, set the MatchLength field to 0 and not include the MatchList 9
field. If any simple descriptors are available for the child indicated by the 10
NWKAddrOfInterest field, the remote device shall apply the match criterion, as 11
described below, that was specified in the original Match_Desc_req command to 12
each of these simple descriptors. 13
The remote device shall apply the match criteria to each simple descriptor (see 14
sub-clause 2.3.2.6) as follows. The remote device shall first check that the 15
ProfileID field matches the application profile identifier field of the simple 16
descriptor. If the profile identifiers do not match, the remote device shall assume 17
the match to be unsuccessful and perform no further matching. 18
19
If the profile identifiers match, the remote device shall determine whether the 20
match criteria contains a list of input clusters (the NumInClusters field is not equal 21
to 0). If the match criteria contains a list of input clusters, the remote device shall 22
check that at least one of the cluster identifiers listed in the InClusterList field 23
matches one of the cluster identifiers in the application input cluster list field of 24
the simple descriptor. If at least one matching input cluster is found, the remote 25
device shall assume the match to be successful, note the identifier of the endpoint 26
to which this simple descriptor refers and perform no further matching. 27
If the remote device is unable to find any matching input clusters, it shall 28
determine whether the match criterion contains a list of output clusters (the 29
NumOutClusters field is not equal to 0). If the match criterion contains a list of 30
output clusters, the remote device shall check that at least one of the cluster 31
identifiers listed in the OutClusterList field matches one of the cluster identifiers 32
in the application output cluster list field of the simple descriptor. If at least one 33
matching output cluster is found, the remote device shall assume the match to be 34
successful and note the identifier of the endpoint to which this simple descriptor 35
refers. If the remote device is unable to find any output matching clusters, it shall 36
assume to be unsuccessful. 37
38
If the above procedure produces one or more matches, the remote device shall 39
construct a separate Match_Desc_rsp command for each matching device 40
(including itself). For each response, the Status field shall be set to SUCCESS, the 41
NWKAddrOfInterest field shall be set to the address of the appropriate matching 42
device, the MatchLength field shall be set to the number of simple descriptors that 43
matched the criteria for the appropriate matching device and the MatchList field 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 159
2.4.4.1.9 User_Desc_rsp
1
The User_Desc_rsp command (ClusterID=0x8011) shall be formatted as 2
illustrated in Figure 2.64. 3
4
Octet: 1 2 1 Variable
5
Status NWKAddr Length User 6
OfInterest Descriptor 7
8
Figure 2.64 Format of the User_Desc_rsp Command Frame 9
10
Table 2.91 specifies the fields of the User_Desc_rsp command frame. 11
Table 2.91 Fields of the User_Desc_rsp Command 12
13
Name Type Valid Range Description 14
Status Integer SUCCESS, The status of the 15
NOT_SUPPORTED, User_Desc_req 16
DEVICE_NOT_FOUND, command 17
INV_REQUESTTYPE or
18
NO_DESCRIPTOR
19
NWKAddrOfInterest Device 16-bit NWK address NWK address for the 20
Address request
21
Length Integer 0x00-0x10 Length in bytes of the 22
UserDescriptor field 23
UserDescriptor User See the User Descriptor 24
Descriptor format in sub- 25
clause 2.3.2.8. This 26
field shall only be 27
included in the frame if
the status field is equal 28
to SUCCESS 29
30
31
2.4.4.1.9.1 When Generated
32
The User_Desc_rsp is generated by a remote device in response to a 33
User_Desc_req directed to the remote device. This command shall be unicast to 34
the originator of the User_Desc_req command. 35
36
The remote device shall generate the User_Desc_rsp command using the format 37
illustrated in Table 2.91. The NWKAddrOfInterest field shall match that specified 38
in the original User_Desc_req command. If the NWKAddrOfInterest field 39
matches the network address of the remote device but a user descriptor does not 40
exist, it shall set the Status field to NO_DESCRIPTOR, set the Length field to 0 41
and not include the UserDescriptor field. If the NWKAddrOfInterest field 42
matches the network address of the remote device and a user descriptor exists, it 43
shall set the Status field to SUCCESS, set the Length field to the length of the user 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
162 Application Layer Specification
descriptor and include its user descriptor (see sub-clause 2.3.2.8) in the
UserDescriptor field. 1
2
If the NWKAddrOfInterest field does not match the network address of the 3
remote device and it is an end device, it shall set the Status field to 4
INV_REQUESTTYPE, set the Length field to 0 and not include the 5
UserDescriptor field. If the NWKAddrOfInterest field does not match the network 6
address of the remote device and it is the coordinator or a router, it shall determine 7
whether the NWKAddrOfInterest field matches the network address is one of its 8
children. If the NWKAddrOfInterest field does not match the network address of 9
one of the children of the remote device, it shall set the Status field to 10
DEVICE_NOT_FOUND, set the Length field to 0 and not include the 11
UserDescriptor field. If the NWKAddrOfInterest matches the network address of 12
one of the children of the remote device, it shall determine whether a user 13
descriptor for that device is available. If a user descriptor is not available for the 14
child indicated by the NWKAddrOfInterest field, the remote device shall set the 15
Status field to NO_DESCRIPTOR, set the Length field to 0 and not include the 16
UserDescriptor field. If a user descriptor is available for the child indicated by the 17
NWKAddrOfInterest field, the remote device shall set the Status field to 18
SUCCESS, set the Length field to the length of the user descriptor for that device 19
and include the user descriptor (see sub-clause 2.3.2.8) of the matching child 20
device in the UserDescriptor field. 21
22
2.4.4.1.9.2 Effect on Receipt 23
On receipt of the User_Desc_rsp command, the recipient is either notified of the 24
user descriptor of the remote device indicated in the original User_Desc_req 25
command or notified of an error. If the User_Desc_rsp command is received with 26
a Status of SUCCESS, the UserDescriptor field shall contain the requested user 27
descriptor. Otherwise, the Status field indicates the error and the UserDescriptor 28
field shall not be included. 29
30
2.4.4.1.10 System_Server_Discovery_rsp 31
32
The System_Server_Discovery_rsp command (ClusterID=0x8015) shall be
33
formatted as illustrated in Figure 2.68.
34
Octet: 1 2 35
36
Status ServerMask 37
38
Figure 2.65 System_Server_Discovery_rsp Command Frame
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 163
2.4.4.1.13 Discovery_store_rsp
1
The Discovery_store_rsp command (ClusterID=0x8016) shall be formatted as 2
illustrated in Figure 2.68. 3
4
Octets: 1
5
Status 6
7
Figure 2.68 Format of the Discovery_store_rsp Command Frame 8
9
Table 2.95 specifies the fields of the Discovery_store_rsp command frame 10
Table 2.95 Fields of the Discovery_store_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the 14
INSUFFICIENT_SPACE Discovery_store_req command 15
or NOT_SUPPORTED 16
17
2.4.4.1.13.1 When Generated 18
19
The Discovery_store_rsp is provided to notify a Local Device of the request status 20
from a Primary Discovery Cache device. Included in the response is a status code 21
to notify the Local Device whether the request is successful (the Primary Cache 22
Device has space to store the discovery cache data for the Local Device), whether 23
the request is unsupported (meaning the Remote Device is not a Primary 24
Discovery Cache device) or whether insufficient space exists. 25
26
2.4.4.1.13.2 Effect on Receipt 27
28
Upon receipt, the Local Device shall determine whether the response status
29
indicates that the Remote Device is not a Primary Cache Device as indicated by a
30
NOT_SUPPORTED status. If a NOT_SUPPORTED status is returned, the Local
31
Device should process any other Discovery_store_rsp devices from other Remote
32
Devices or re-perform the Discovery_Cache_req to determine the address of
33
another Primary Discovery Cache device (eliminating the address of the Remote
34
Device that responded with NOT_SUPPORTED if it responds again to the
35
Discovery_Cache_req). If an INSUFFICIENT_SPACE status is returned, the
36
Local Device should also process any other Discovery_store_rsp and re-perform
37
the Discovery_Cache_req if none of the responses indicate SUCCESS (with the
38
radius field increased to include more Remote Devices). If a SUCCESS status is
39
returned, the Local Device shall upload its discovery cache information to the
40
Remote Device via the Node_Desc_store_req, Power_Desc_store_req,
41
Active_EP_store_req and Simple_Desc_store_req.
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 167
2.4.4.1.14 Node_Desc_store_rsp
1
The Node_Desc_store_rsp command (ClusterID=0x8017) shall be formatted as 2
illustrated in Figure 2.69. 3
4
Octets: 1
5
Status 6
7
Figure 2.69 Format of the Node_Desc_store_rsp Command Frame 8
9
Table 2.96 specifies the fields of the Node_Desc_store_rsp command frame. 10
Table 2.96 Fields of the Node_Desc_store_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the Node_store_rsp 14
INSUFFICIENT_SPACE command 15
or NOT_SUPPORTED 16
17
2.4.4.1.14.1 When Generated 18
19
The Node_store_rsp is provided to notify a Local Device of the request status 20
from a Primary Discovery Cache device. Included in the response is a status code 21
to notify the Local Device whether the request is successful (the Primary Cache 22
Device has space to store the discovery cache data for the Local Device), whether 23
the request is not supported (meaning the Remote Device is not a Primary 24
Discovery Cache device) or whether insufficient space exists. 25
26
2.4.4.1.14.2 Effect on Receipt 27
28
Upon receipt, the Local Device shall determine whether the response status
29
indicates that the Remote Device is not a Primary Cache Device as indicated by a
30
NOT_SUPPORTED status. If a NOT_SUPPORTED status is returned, the Local
31
Device should re-perform discovery of the Primary Discovery Cache device. If
32
an INSUFFICIENT_SPACE status is returned, the Local Device shall also send
33
the Remote Device a Remove_node_cache_req. If a SUCCESS status is returned,
34
the Local Device should continue to upload its remaining discovery cache
35
information to the Remote Device via the Power_Desc_store_req,
36
Active_EP_store_req and Simple_Desc_store_req.
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
168 Application Layer Specification
2.4.4.1.15 Power_Desc_store_rsp
1
The Power_Desc_store_rsp command (ClusterID=0x8018) shall be formatted as 2
illustrated in Figure 2.70. 3
4
Octets: 1 8 Variable
5
Status IEEEAddr PowerDescriptor 6
7
Figure 2.70 Format of the Power_Desc_store_rsp Command Frame 8
9
Table 2.97 specifies the fields of the Power_Desc_store_rsp command frame. 10
Table 2.97 Fields of the Power_Desc_store_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the Power_store_rsp 14
INSUFFICIENT_SPACE command 15
or NOT_SUPPORTED 16
17
2.4.4.1.15.1 When Generated 18
19
The Power_Desc_store_rsp is provided to notify a Local Device of the request 20
status from a Primary Discovery Cache device. Included in the response is a status 21
code to notify the Local Device whether the request is successful (the Primary 22
Cache Device has space to store the discovery cache data for the Local Device), 23
whether the request is not supported (meaning the Remote Device is not a Primary 24
Discovery Cache device) or whether insufficient space exists. 25
26
2.4.4.1.15.2 Effect on Receipt 27
28
Upon receipt, the Local Device shall determine whether the response status
29
indicates that the Remote Device is not a Primary Cache Device as indicated by a
30
NOT_SUPPORTED status. If a NOT_SUPPORTED status is returned, the Local
31
Device should re-perform discovery on the Primary Discovery Cache. If an
32
INSUFFICIENT_SPACE status is returned, the Local Device shall discontinue
33
upload of discovery information, issue a Remove_node_cache_req (citing the
34
Local Device) and cease attempts to upload discovery information to the Remote
35
Device.
36
If a SUCCESS status is returned, the Local Device should continue to upload its 37
remaining discovery cache information to the Remote Device via the 38
Active_EP_store_req and Simple_Desc_store_req. 39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 169
2.4.4.1.16 Active_EP_store_rsp
1
The Active_EP_store_rsp command (ClusterID=0x8019) shall be formatted as 2
illustrated in Figure 2.71. 3
4
Octets: 1
5
Status 6
7
Figure 2.71 Format of the Active_EP_store_rsp Command Frame 8
9
Table 2.98 specifies the fields of the Active_EP_store_rsp command frame. 10
Table 2.98 Fields of the Active_EP_store_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the 14
INSUFFICIENT_SPACE Active_EP_store_rsp command 15
or NOT_SUPPORTED 16
17
2.4.4.1.16.1 When Generated 18
19
The Active_EP_store_rsp is provided to notify a Local Device of the request 20
status from a Primary Discovery Cache device. Included in the response is a status 21
code to notify the Local Device whether the request is successful (the Primary 22
Cache Device has space to store the discovery cache data for the Local Device), 23
whether the request is not supported (meaning the Remote Device is not a Primary 24
Discovery Cache device) or whether insufficient space exists. 25
26
2.4.4.1.16.2 Effect on Receipt 27
28
Upon receipt, the Local Device shall determine whether the response status
29
indicates that the Remote Device is not a Primary Cache Device as indicated by a
30
NOT_SUPPORTED status. If a NOT_SUPPORTED status is returned, the Local
31
Device should re-perform discovery on the Primary Discovery Cache. If an
32
INSUFFICIENT_SPACE status is returned, the Local Device shall discontinue
33
upload of discovery information, issue a Remove_node_cache_req (citing the
34
Local Device) and cease attempts to upload discovery information to the Remote
35
Device. If a SUCCESS status is returned, the Local Device should continue to
36
upload its remaining discovery cache information to the Remote Device via the
37
Simple_Desc_store_req.
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
170 Application Layer Specification
2.4.4.1.17 Simple_Desc_store_rsp
1
The Simple_Desc_store_rsp command (ClusterID=0x801a) shall be formatted as 2
illustrated in Figure 2.72. 3
4
Octets: 1
5
Status 6
7
Figure 2.72 Format of the Simple_Desc_store_rsp Command Frame 8
9
Table 2.99 specifies the fields of the Simple_Desc_store_rsp command frame. 10
Table 2.99 Fields of the Simple_Desc_store_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the 14
INSUFFICIENT_SPACE Simple_desc_store_rsp 15
or NOT_SUPPORTED command 16
17
2.4.4.1.17.1 When Generated 18
19
The Simple_Desc_store_rsp is provided to notify a Local Device of the request 20
status from a Primary Discovery Cache device. Included in the response is a status 21
code to notify the Local Device whether the request is successful (the Primary 22
Cache Device has space to store the discovery cache data for the Local Device), 23
whether the request is not supported (meaning the Remote Device is not a Primary 24
Discovery Cache device) or whether insufficient space exists. 25
26
2.4.4.1.17.2 Effect on Receipt 27
28
Upon receipt, the Local Device shall determine whether the response status
29
indicates that the Remote Device is not a Primary Cache Device as indicated by a
30
NOT_SUPPORTED status. If a NOT_SUPPORTED status is returned, the Local
31
Device should re-perform discovery on the Primary Discovery Cache. If an
32
INSUFFICIENT_SPACE status is returned, the Local Device shall discontinue
33
upload of discovery information, issue a Remove_node_cache_req (citing the
34
Local Device) and cease attempts to upload discovery information to the Remote
35
Device. If a SUCCESS status is returned, the Local Device should continue to
36
upload its remaining discovery cache information to the Remote Device via the
37
Simple_Desc_store_req for other endpoints on the Local Device.
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 171
2.4.4.1.18 Remove_node_cache_rsp
1
The Remove_node_cache_rsp command (ClusterID=0x801b) shall be formatted 2
as illustrated in Figure 2.73. 3
4
Octets: 1
5
Status 6
7
Figure 2.73 Format of the Remove_node_cache_rsp Command Frame 8
9
Table 2.100 specifies the fields of the Remove_node_cache_rsp command frame. 10
Table 2.100 Fields of the Remove_node_cache_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the 14
DEVICE_NOT_FOUND Remove_node_cache_rsp 15
or NOT_SUPPORTED command 16
17
2.4.4.1.18.1 When Generated 18
19
The Remove_node_cache_rsp is provided to notify a Local Device of the request 20
status from a Primary Discovery Cache device. Included in the response is a status 21
code to notify the Local Device whether the request is successful (the Primary 22
Cache Device has removed the discovery cache data for the indicated device of 23
interest) or whether the request is not supported (meaning the Remote Device is 24
not a Primary Discovery Cache device). 25
26
2.4.4.1.18.2 Effect on Receipt 27
28
Upon receipt, the Local Device shall determine whether the response status
29
indicates that the Remote Device is not a Primary Cache Device as indicated by a
30
NOT_SUPPORTED status. If a NOT_SUPPORTED status is returned, the Local
31
Device should re-perform Find_node_cache_req to locate the Primary Discovery
32
Cache device holding the discovery cache information for the indicated device of
33
interest. When the Primary Discovery Cache device holding the discovery
34
information for the device of interest is located, the Local Device should repeat
35
the Remove_node_cache_req to successfully remove the discovery information. If
36
a status of DEVICE_NOT_FOUND is received, this indicates that the Remote
37
Device is the Primary Discovery Cache but does not hold the discovery
38
information for the NWKAddr and the IEEEAddr presented in the request. The
39
Local Device should employ the device discovery commands NWK_Addr_req
40
and IEEE_Addr_req to determine the correct values for NWKAddr and
41
IEEEAddr. If a SUCCESS status is returned, the Local Device has successfully
42
removed the discovery cache information for the indicated device of interest
43
within the request.
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
172 Application Layer Specification
2.4.4.1.19 Find_node_cache_rsp
1
The Find_node_cache_rsp command (ClusterID=0x801c) shall be formatted as 2
illustrated in Figure 2.74. 3
4
Octets: 2 2 8
5
CacheNWKAddress NWKAddr IEEEAddr 6
7
Figure 2.74 Format of the Find_node_cache_rsp Command Frame 8
9
Table 2.101 specifies the fields of the Find_node_cache_rsp command frame. 10
Table 2.101 Fields of the Find_node_cache_rsp Command 11
12
Name Type Valid Range Description 13
CacheNWKAddr Device 16-bit NWK Address NWK Address for the Primary 14
Address Discovery Cache device holding 15
the discovery information (or the 16
device of interest if it responded to 17
the request directly)
18
NWKAddr Device 16-bit NWK Address NWK Address for the device of 19
Address interest 20
IEEEAddr Device 64-bit IEEE Address IEEE address for the device of 21
Address interest 22
23
2.4.4.1.19.1 When Generated 24
25
The Find_node_cache_rsp is provided to notify a Local Device of the successful 26
discovery of the Primary Discovery Cache device for the given NWKAddr and 27
IEEEAddr fields supplied in the request, or to signify that the device of interest is 28
capable of responding to discovery requests. The Find_node_cache_rsp shall be 29
generated only by Primary Discovery Cache devices holding discovery 30
information for the NWKAddr and IEEEAddr in the request or the device of 31
interest itself and all other Remote Devices shall not supply a response. 32
33
2.4.4.1.19.2 Effect on Receipt 34
35
Upon receipt, the Local Device shall utilize the CacheNWKAddr as the Remote 36
Device address for subsequent discovery requests relative to the NWKAddr and 37
IEEEAddr in the response. 38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 173
2.4.4.2.2 Bind_rsp
1
The Bind_rsp command (ClusterID=0x8021) shall be formatted as illustrated in 2
Figure 2.76. 3
4
Octets: 1
5
Status 6
7
Figure 2.76 Format of the Bind_rsp Command Frame 8
9
Table 2.104 specifies the fields of the Bind_rsp command frame. 10
Table 2.104 Fields of the Bind_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the Bind_req command 14
NOT_SUPPORTED, 15
16
INVALID_EP or
TABLE_FULL 17
18
19
2.4.4.2.2.1 When Generated 20
The Bind_rsp is generated in response to a Bind_req. If the Bind_req is processed 21
and the Binding Table entry committed on the Remote Device, a Status of 22
SUCCESS is returned. If the Remote Device is not the a Primary binding table 23
cache or the SrcAddress, a Status of NOT_SUPPORTED is returned. The 24
supplied endpoint shall be checked to determine whether it falls within the 25
specified range. If it does not, a Status of INVALID_EP shall be returned.11 If the 26
Remote Device is the Primary binding table cache or SrcAddress but does not 27
have Binding Table resources for the request, a Status of TABLE_FULL is 28
returned. 29
30
2.4.4.2.2.2 Effect on Receipt 31
32
Upon receipt, error checking is performed on the request as described in the 33
previous section. Assuming the Status is SUCCESS, the parameters from the 34
Bind_req are entered into the Binding Table at the Remote Device via the 35
APSME-BIND.request primitive. 36
37
38
39
40
41
42
10. CCB #518 43
11. CCB #531 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
176 Application Layer Specification
2.4.4.2.3 Unbind_rsp
1
The Unbind_rsp command (ClusterID=0x8022) shall be formatted as illustrated in 2
Figure 2.77. 3
4
Octets: 1
5
Status 6
7
Figure 2.77 Format of the Unbind_rsp Command Frame 8
9
Table 2.105 specifies the fields of the Unbind_rsp command frame. 10
Table 2.105 Fields of the Unbind_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the Unbind_req command 14
NOT_SUPPORTED, 15
16
INVALID_EP or
NO_ENTRY 17
18
19
2.4.4.2.3.1 When Generated 20
The Unbind_rsp is generated in response to an Unbind_req. If the Unbind_req is 21
processed and the corresponding Binding Table entry is removed from the Remote 22
Device, a Status of SUCCESS is returned. If the Remote Device is not the ZigBee 23
Coordinator or the SrcAddress, a Status of NOT_SUPPORTED is returned. The 24
supplied endpoint shall be checked to determine whether it falls within the 25
specified range. If it does not, a Status of INVALID_EP shall be returned.12 If the 26
Remote Device is the ZigBee Coordinator or SrcAddress but does not have a 27
Binding Table entry corresponding to the parameters received in the request, a 28
Status of NO_ENTRY is returned. 29
30
2.4.4.2.3.2 Effect on Receipt 31
32
Upon receipt, error checking is performed on the response. If the status is 33
SUCCESS, the device has successfully removed the binding entry for the 34
parameters specified in the Unbind_req. 35
36
37
38
39
40
41
42
43
12. CCB #531 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 177
2.4.4.2.4 Bind_Register_rsp
1
The Bind_Register_rsp command (ClusterID=0x8023) shall be formatted as 2
illustrated in Figure 2.78. 3
4
Octets: 1 2 2 Variable
5
Status BindingTableEntries BindingTableListCount BindingTableList 6
7
Figure 2.78 Format of the Bind_Register_rsp Command Frame 8
9
Table 2.106 specifies the fields of the Bind_Register_rsp command frame. 10
Table 2.106 Fields of the Bind_Register_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the Bind_Register_reg 14
NOT_SUPPORTED, command 15
TABLE_FULL 16
BindingTable Integer 0x0000 - 0ffff Number of binding table entries for 17
Entries the requesting device held by the 18
primary binding table cache 19
BindingTable Integer 0x0000 - 0xffff Number of source binding table 20
ListCount entries contained in this response 21
22
BindingTable List of This list shall contain the A list of source binding
List source number of elements 23
binding given by the 24
descriptors BindingTableListCount 25
26
2.4.4.2.4.1 When Generated 27
28
The Bind_Register_rsp is generated from a primary binding table cache device in 29
response to a Bind_Register_req and contains the status of the request. This 30
command shall be unicast to the requesting device. 31
32
If the device receiving the Bind_Register_req is not a primary binding table cache
33
a Status of NOT_SUPPORTED is returned. If its list of devices which choose to
34
store their own binding table entries is full a status of TABLE_FULL is returned.
35
In these error cases, BindingTableEntries and BindingTableListCount shall be
36
zero and BindingTableList shall be empty. A Status of SUCCESS indicates that
37
the requesting device has been successfully registered.
38
In the successful case, the primary binding table cache device shall search its 39
cache for existing entries whose source address is the same as the parameter 40
supplied in the Bind_Register_req command. The number of such entries is given 41
in the response as BindingTableEntries. The entries are used to generate 42
BindingTableList up to the maximum that can be contained in the response. The 43
actual number of entries is given in the response as BindingTableListCount and 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
178 Application Layer Specification
may be less than BindingTableEntries if this is too large. In this case (which is
expected to be rare) the primary binding table cache device shall use Bind_req 1
commands to send the rest of the entries to the requesting device. 2
3
2.4.4.2.4.2 Effect on Receipt 4
5
The requesting device is notified of the results of its attempt to register. If 6
successful, it shall store the source binding table entries from the response into its 7
source binding table. 8
2.4.4.2.5 Replace_Device_rsp 9
10
The Replace_Device_rsp command (ClusterID=0x8024) shall be formatted as 11
illustrated in Figure 2.79. 12
13
Octets: 1 14
Status 15
16
Figure 2.79 Format of the Replace_Device_rsp Command Frame 17
18
Table 2.107 specifies the fields of the Replace_Device_rsp command frame 19
Table 2.107 Fields of the Replace_Device_rsp Command 20
21
Name Type Valid Range Description 22
23
Status Integer NOT_SUPPORTED, The status of the Replace_Device_req
INV_REQUESTTYPE command 24
25
26
2.4.4.2.5.1 When Generated 27
The Replace_Device_rsp is generated from a primary binding table cache device 28
in response to a Replace_Device_req and contains the status of the request. This 29
command shall be unicast to the requesting device. If the device receiving the 30
Replace_Device_req is not a primary binding table cache a Status of 31
NOT_SUPPORTED is returned. The primary binding table cache shall search its 32
binding table for entries whose source address and source endpoint, or whose 33
destination address and destination endpoint match OldAddress and OldEndpoint, 34
as described in the text for Replace_Device_req. It shall change these entries to 35
have NewAddress and possibly NewEndpoint. It shall then return a response of 36
SUCCESS. 37
38
2.4.4.2.5.2 Effect on Receipt 39
40
The requesting device is notified of the status of its Replace_Device_req 41
command. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 179
2.4.4.2.6 Store_Bkup_Bind_Entry_rsp
1
The Store_Bkup_Bind_Entry_rsp command (ClusterID=0x8025) shall be 2
formatted as illustrated in Figure 2.80. 3
4
Octets: 1
5
Status 6
7
Figure 2.80 Format of the Store_Bkup_Bind_Entry_rsp Command Frame 8
9
Table 2.108 specifies the fields of the Store_Bkup_Bind_Entry_rsp command 10
frame. 11
Table 2.108 Fields of the Store_Bkup_Bind_Entry_rsp Command 12
13
Name Type Valid Range Description 14
Status Integer SUCCESS, The status of the 15
NOT_SUPPORTED, Store_Bkup_Bind_Entry_rsp command 16
INV_REQUESTTYPE. 17
TABLE_FULL 18
19
2.4.4.2.6.1 When Generated 20
21
The Store_Bkup_Bind_Entry_rsp is generated from a backup binding table cache 22
device in response to a Store_Bkup_Bind_Entry_req from a primary binding table 23
cache and contains the status of the request. This command shall be unicast to the 24
requesting device. If the remote device is not a backup binding table cache it shall 25
return a status of NOT_SUPPORTED. If the originator of the request is not 26
recognized as a primary binding table cache it shall return a status of 27
INV_REQUESTTYPE. Otherwise, the backup binding table cache shall add the 28
binding entry to its binding table and return a status of SUCCESS. If there is no 29
room it shall return a status of TABLE_FULL. 30
31
2.4.4.2.6.2 Effect on Receipt 32
The requesting device is notified of the status of its attempt to store a bind entry. 33
34
2.4.4.2.7 Remove_Bkup_Bind_Entry_rsp 35
36
The Remove_Bkup_Bind_Entry_rsp command (ClusterID=0x8026) shall be
37
formatted as illustrated in Figure 2.81.
38
Octets: 1 39
40
Status 41
42
Figure 2.81 Format of the Remove_Bkup_Bind_Entry_rsp Command Frame
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
180 Application Layer Specification
2.4.4.2.10 Backup_Source_Bind_rsp
1
The Backup_Source_Bind_rsp command (ClusterID=0x8029) shall be formatted 2
as illustrated in Figure 2.84. 3
4
Octets: 1
5
Status 6
7
Figure 2.84 Format of the Backup_Source_Bind_rsp Command Frame 8
9
Table 2.112 specifies the fields of the Backup_Source_Bind_rsp command frame. 10
Table 2.112 Fields of the Backup_Source_Bind_rsp Command 11
12
Name Type Valid Range Description 13
Status Integer SUCCESS, The status of the 14
NOT_SUPPORTED, Backup_Source_Bind_rsp 15
TABLE_FULL, command 16
INV_REQUESTTYPE 17
18
2.4.4.2.10.1 When Generated 19
20
The Backup_Source_Bind_rsp is generated from a backup binding table cache 21
device in response to a Backup_Source_Bind_req from a primary binding table 22
cache and contains the status of the request. This command shall be unicast to the 23
requesting device. If the remote device is not a backup binding table cache it shall 24
return a status of NOT_SUPPORTED. If the originator of the request is not 25
recognized as a primary binding table cache it shall return a status of 26
INV_REQUESTTYPE. Otherwise, the backup binding table cache shall 27
overwrite its backup source bind table starting with StartIndex and continuing for 28
BindingTableListCount entries. If this exceeds its table size it shall return a status 29
of TABLE_FULL. Otherwise it shall return a status of SUCCESS. 30
31
2.4.4.2.10.2 Effect on Receipt 32
The requesting device is notified of the status of its attempt to backup the source 33
bind table. 34
35
2.4.4.2.11 Recover_Source_Bind_rsp 36
37
The Recover_Source_Bind_rsp command (ClusterID=0x802a) shall be formatted
38
as illustrated in Figure 2.85.
39
Octets: 1 2 2 2 Variable 40
41
Status SourceTableEntries StartIndex SourceTableListCount SourceTableList 42
43
Figure 2.85 Format of the Recover_Source_Bind_rsp Command Frame
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
184 Application Layer Specification
2.4.4.3.2 Mgmt_Lqi_rsp
1
The Mgmt_Lqi_rsp command (ClusterID=0x8031) shall be formatted as 2
illustrated in Figure 2.87. 3
4
Octets: 1 1 1 1 Variable
5
Status NeighborTable Start NeighborTable NeighborTable 6
Entries Index ListCount List 7
8
Figure 2.87 Format of the Mgmt_Lqi_rsp Command Frame 9
10
Table 2.117 specifies the fields of the Mgmt_Lqi_rsp command frame. 11
Table 2.117 Fields of the Mgmt_Lqi_rsp Command 12
13
Name Type Valid Range Description 14
Status Integer NOT_SUPPORTED or The status of the 15
any status code returned Mgmt_Lqi_req command 16
from the NLME- 17
GET.confirm primitive
18
NeighborTableEntries Integer 0x00-0x02 Total number of Neighbor 19
Table entries within the 20
Remote Device
21
StartIndex Integer 0x00-0xff Starting index within the 22
Neighbor Table to begin 23
reporting for the 24
NeighborTableList.
25
NeighborTableListCount Integer 0x00-0xff Number of Neighbor Table 26
entries included within 27
NeighborTableList.
28
NeighborTableList List of The list shall contain the A list of descriptors, 29
Neighbor number elements given beginning with the 30
Descripto by the StartIndex element and
rs NeighborTableListCount continuing for 31
NeighborTableListCount, 32
of the elements in the 33
Remote Device's Neighbor 34
Table including the device 35
address and associated LQI
(see Table 2.118 for 36
details). 37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 189
1
Table 2.122 BindingTableList Record Format
2
Size 3
Name (Bits) Valid Range Description 4
5
SrcAddr 64 A valid 64-bit IEEE The source IEEE address for the
address binding entry. 6
7
SrcEndpoint 8 0x01 - 0xff The source endpoint for the binding 8
entry.
9
ClusterId 16a 0x0000 - 0xffff The identifier of the cluster on the 10
source device that is bound to the 11
destination device.
12
DstAddrMode 8 0x00 - 0xff The addressing mode for the 13
destination address. This field can 14
take one of the non-reserved values
from the following list:
15
16
0x00 = reserved 17
0x01 = 16-bit group address for 18
DstAddr and DstEndpoint not 19
present
20
0x02 = reserved
21
0x03 = 64-bit extended address for 22
DstAddr and DstEndp present
23
0x04 – 0xff = reserved
24
DstAddr 16/64 As specified by the The destination address for the 25
DstAddrMode field binding entry. 26
DstEndpoint 0/8 0x01 - 0xff This field shall be present only if 27
the DstAddrMode field has a value 28
of 0x03 and, if present, shall be the 29
destination endpoint for the binding
30
entry.
31
a. CCB #603 32
33
2.4.4.3.4.1 When Generated 34
35
The Mgmt_Bind_rsp is generated in response to a Mgmt_Bind_req. If this 36
management command is not supported, a status of NOT_SUPPORTED shall be 37
returned and all parameter fields after the Status field shall be omitted. Otherwise, 38
the Remote Device shall implement the following processing. 39
Upon receipt of and after support for the Mgmt_Bind_req has been verified, the 40
Remote Device shall perform an APSME-GET.request (for the apsBindingTable 41
attribute) and process the resulting APSME-GET.confirm (containing the 42
apsBindingTable attribute) to create the Mgmt_Bind_rsp command. The 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 195
Mgmt_Bind_rsp command shall contain the same status that was contained in the
APSME-GET.confirm primitive and if this was not SUCCESS, all parameter 1
fields after the status field shall be omitted. 2
3
From the apsBindingTable attribute, the binding table shall be accessed, starting 4
with the index specified by StartIndex, and moved to the BindingTableList field of 5
the Mgmt_Bind_rsp command. The entries reported from the binding table shall 6
be those, starting with StartIndex and including whole BindingTableList records 7
(see Table 2.122) until the MSDU size limit, i.e. aMaxMACFrameSize (see [B1]), 8
is reached. Within the Mgmt_Bind_Rsp command, the BindingTableEntries field 9
shall represent the total number of Binding Table entries in the Remote Device. 10
The BindingTableListCount field shall be the number of entries reported in the 11
BindingTableList field of the Mgmt_Bind_req command. 12
13
2.4.4.3.4.2 Effect on Receipt 14
The local device is notified of the results of its attempt to obtain the binding table. 15
16
2.4.4.3.5 Mgmt_Leave_rsp 17
18
The Mgmt_Leave_rsp command (ClusterID=0x8034) shall be formatted as
19
illustrated in Figure 2.90.
20
Octets: 1 21
22
Status 23
24
Figure 2.90 Format of the Mgmt_Leave_rsp Command Frame
25
26
Table 2.123 specifies the fields of the Mgmt_Leave_rsp command frame.
27
Table 2.123 Fields of the Mgmt_Leave_rsp Command 28
29
Name Type Valid Range Description
30
Status Integer NOT_SUPPORTED or The status of the 31
any status code returned Mgmt_Leave_req 32
from the NLME- command.
33
LEAVE.confirm primitive
34
35
2.4.4.3.5.1 When Generated 36
The Mgmt_Leave_rsp is generated in response to a Mgmt_Leave_req. If this 37
management command is not supported, a status of NOT_SUPPORTED shall be 38
returned. Otherwise, the Remote Device shall implement the following 39
processing. 40
41
Upon receipt of and after support for the Mgmt_Leave_req has been verified, the 42
Remote Device shall execute the NLME-LEAVE.request to disassociate from the 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
196 Application Layer Specification
currently associated network. The Mgmt_Leave_rsp shall contain the same status
that was contained in the NLME-LEAVE.confirm primitive. 1
2
Once a device has disassociated, it may13 execute pre-programmed logic to 3
perform NLME-NETWORK-DISCOVERY and NLME-JOIN to join/re-join a 4
network. 5
6
2.4.4.3.5.2 Effect on Receipt 7
The local device is notified of the results of its attempt to cause a remote device to 8
leave the network. 9
10
2.4.4.3.6 Mgmt_Direct_Join_rsp 11
12
The Mgmt_Direct_Join_rsp (ClusterID=0x8035) shall be formatted as illustrated
13
in Figure 2.91.
14
Octets: 1 15
16
Status 17
18
Figure 2.91 Format of the Mgmt_Direct_Join_rsp Command Frame
19
20
Table 2.124 specifies the fields of the Mgmt_Direct_Join_rsp command frame.
21
Table 2.124 Fields of the Mgmt_Direct_Join_rsp Command 22
23
Name Type Valid Range Description
24
Status Integer NOT_SUPPORTED or any The status of the 25
status code returned from the Mgmt_Direct_Join_req 26
NLME-DIRECT-JOIN.confirm command.
27
primitive
28
29
2.4.4.3.6.1 When Generated 30
The Mgmt_Direct_Join_rsp is generated in response to a Mgmt_Direct_Join_req. 31
If this management command is not supported, a status of NOT_SUPPORTED 32
shall be returned. Otherwise, the Remote Device shall implement the following 33
processing. 34
35
Upon receipt of and after support for the Mgmt_Direct_Join_req has been 36
verified, the Remote Device shall execute the NLME-DIRECT-JOIN.request to 37
directly associate the DeviceAddress contained in the Mgmt_Direct_Join_req to 38
the network. The Mgmt_Direct_Join_rsp shall contain the same status that was 39
contained in the NLME-DIRECT-JOIN.confirm primitive. 40
41
42
43
13. CCB #553 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 197
2.4.4.3.8 Mgmt_Cache_rsp
1
The Mgmt_Cache_rsp command (ClusterID=0x8037) shall be formatted as 2
illustrated in Figure 2.93 3
4
Octets: 1 1 1 1 Variable
5
Status DiscoveryCacheEntr StartIndex DiscoveryCacheList DiscoveryCacheList 6
ies Count 7
8
Figure 2.93 Format of the Mgmt_Cache_rsp Command Frame 9
10
Table 2.126 specifies the fields of the Mgmt_Cache_rsp command frame. 11
Table 2.126 Fields of the Mgmt_Cache_rsp Command 12
13
Name Type Valid Range Description 14
Status Integer SUCCESS or The status of the 15
NOT_SUPPORTED Mgmt_Cache_rsp command 16
DiscoveryCacheEntri Integer 0x00 - 0xff DiscoveryCacheEntries 17
es 18
19
StartIndex Integer 0x00 - 0xff StartIndex
20
DiscoveryCacheListC Integer 0x00 - 0xff The list shall contain the number 21
ount of elements given by the 22
DiscoveryCacheListCount
parameter 23
24
DiscoveryCacheList Integer List of DiscoveryCache A list of descriptors, one for each 25
descriptors of the Discovery cache devices
registered, beginning with the 26
StartIndex element and continuing 27
for DiscoveryCacheListCount, of 28
the registered devices in the 29
Primary Discovery Cache. Each 30
entry shall be formatted as
illustrated in sub-clause . 31
32
33
34
Table 2.127 DiscoveryCacheList Record Format 35
36
Size
Name (Bits) Valid Range Description 37
38
Extended 64 An extended 64-bit IEEE 64-bit IEEE Address of 39
Address Address the cached device 40
Network 16 Network address The 16-bit network 41
Address address of the cached 42
device 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 199
• The client employs the unicast Discovery cache request directed to the
Discovery Cache device containing the sizes of the discovery cache 1
information it wishes to store. The Discovery Cache Device will respond 2
with a SUCCESS or TABLE_FULL. 3
4
• Registered: 5
• This state is reached when a SUCCESS status was received by the client 6
from the Discovery Cache device from a previous Discovery cache request. 7
The client must now upload its discovery information using the Node 8
Descriptor store request, Power Descriptor store request, Active Endpoint 9
store request and Simple Descriptor store requests to enable the Primary 10
Discovery Cache device to fully respond on its behalf. 11
12
• Unregistered: 13
• The client (or any other device) may request to be unregistered. The Remove 14
Node Cache request removes the device from the Primary Discovery Cache 15
device. 16
17
The Primary Cache Device responds to device and service discovery requests for 18
all registered clients it supports. The Find Node Cache request is employed by 19
clients wanting to locate the device and service discovery location for a given 20
device of interest. Note that if the discovery information is held by the device 21
itself, that device must also respond to identify itself as the repository of discovery 22
information. See Figure 2.94 for details on state machine processing for the 23
Primary Discovery Cache device. 24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 203
Discovery_cache_req 1
2
Discovery_cache_rsp 3
Until (STATUS)
STATUS is
4
SUCCESS Discovery_store_req 5
6
Discovery_store_rsp (STATUS) 7
8
Node_Desc_store_req 9
If STATUS is not SUCCESS for 10
any descriptor storage request, Node_Desc_store_rsp (STATUS) 11
then Remove_node_cache_req 12
Repeat for:
Power_Desc_store_req, 13
Active_EP_store_req,
Simple Desc_store_req
14
15
16
17
End Device Sleeps and 18
Primary Discovery Cache
handles any discovery 19
requests for the device 20
End Device (client) Primary Discovery Cache 21
(server)
22
Figure 2.94 Primary Discovery Cache State Machine 23
24
2.5.2.2 Device and Service Discovery 25
26
This function shall support device and service discovery within a single PAN. 27
Additionally, for ZigBee Coordinator, ZigBee Router and ZigBee End Device 28
types, this function shall perform the following: 29
30
• Within each network employing sleeping ZigBee End Devices, some ZigBee
31
Routers (or the ZigBee Coordinator) must be designated as Primary Discovery
32
Cache Devices as described by their Node Descriptor. These Primary Cache
33
Devices are themselves discoverable and provide server services to upload and
34
store discovery information on behalf of sleeping ZigBee End Devices.
35
Additionally, the Primary Cache Devices respond to discovery requests on
36
behalf of the sleeping ZigBee End Devices. Each Primary Discovery Cache
37
Device shall be either a ZigBee Router or the ZigBee Coordinator.
38
• For ZigBee End Devices which intend to sleep as indicated by 39
:Config_Node_Power, Device and Service Discovery shall manage upload and 40
storage of the NWK Address, IEEE Address, Active Endpoints, Simple 41
Descriptors, Node Descriptor and Power Descriptor onto a Primary Discovery 42
Cache device selected by the ZigBee End Device to permit device and service 43
discovery operations on these sleeping devices. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
204 Application Layer Specification
matches are provided in the response with the list of endpoints on the
device providing the match. The responding device shall employ APS 1
acknowledged service for the unicast response to the broadcast inquiry. 2
3
In cases where the application profiles wish to enumerate input clusters
4
and their resulting response output clusters with the same cluster identi- 5
fier, the application profile shall list only the input cluster within the 6
Simple Descriptor for the purposes of Service Discovery. It shall be 7
assumed, in these cases, that the application profile provides details 8
about the use of the cluster identifier for both inputs and response out- 9
put. 10
11
—NWK address plus Node Descriptor or Power Descriptor query type – 12
Specified device shall return the Node or Power Descriptor for the 13
device. 14
—NWK address, Endpoint Number plus Simple Descriptor query type – 15
Specified address shall return the Simple Descriptor associated with that 16
17
Endpoint for the device.
18
—Optionally, NWK address plus Complex or User Descriptor query type 19
– If supported, specified address shall return the Complex or User 20
Descriptor for the device 21
22
2.5.2.3 Security Manager 23
24
This function determines whether security is enabled or disabled and, if enabled, 25
shall perform the following: 26
• Establish Key 27
28
• Transport Key 29
• Request Key 30
31
• Update Device 32
• Remove Device 33
34
• Switch Key 35
The Security Manager function addresses the Security Services Specification 36
(Chapter 4). Security Management, implemented by APSME primitive calls by 37
ZDO, performs the following: 38
39
• Contacts the Trust Center (assumed to be located on the ZigBee Coordinator) 40
to obtain the Master Key between this device and the Trust Center (step is 41
omitted if this device is the ZigBee Coordinator or the Master Key with the 42
Trust Center has been pre-configured). This step employs the Transport Key 43
primitive. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
206 Application Layer Specification
• Establishes a Link Key with the Trust Center. This step employs the APSME-
Establish-Key primitive. 1
2
• Obtains the NWK Key from the Trust Center using secured communication 3
with the Trust Center. This step employs the APSME-TRANSPORT-KEY 4
primitive. 5
• Establishes Link Keys and master keys, as required, with specific devices in the 6
network identified as messaging destinations. These steps employ the APSME- 7
ESTABLISH-KEY and/or APSME-REQUEST-KEY primitives. 8
9
• Informs the trust center of any devices that join the network using the APSME- 10
DEVICE-UPDATE primitives. This function is only performed if the device is 11
a ZigBee router. 12
• Permits devices to obtain keys from the Trust Center using the APSME- 13
REQUEST-KEY primitives. 14
15
• Permits the Trust Center to remove devices from the network using the 16
APSME-REMOVE-DEVICE primitives. 17
• Permits the Trust Center to switch the active network key using the APSME- 18
SWITCH-KEY primitives. 19
20
2.5.2.4 Network Manager 21
22
This function shall implement the ZigBee Coordinator, ZigBee Router or ZigBee 23
End Device logical device types according to configuration settings established 24
either via a programmed application or during installation. If the device type is a 25
ZigBee Router or ZigBee End Device, this function shall provide the ability to 26
select an existing PAN to join and implement procedures which permit the device 27
to rejoin if network communication is lost. If the device type is a ZigBee 28
Coordinator or ZigBee Router, this function shall provide the ability to select an 29
unused channel for creation of a new PAN. Note that it is possible to deploy a 30
network without a device pre-designated as ZigBee Coordinator where the first 31
Full Function Device (FFD) activated assumes the role of ZigBee Coordinator. 32
The following description covers processing addressed by Network Management: 33
• Permits specification of a channel list for network scan procedures. Default is 34
to specify use of all channels in the selected band of operation. 35
36
• Manages network scan procedures to determine neighboring networks and the 37
identity of their ZigBee coordinators and routers. 38
• Permits selection of a channel to start a PAN (ZigBee Coordinator) or selection 39
of an existing PAN to join (ZigBee Router or ZigBee End Device). 40
41
• Supports orphaning and extended procedures to rejoin the network, including 42
support for intra_PAN portability. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 207
• May support direct join and join by proxy features provided by the Network
Layer. For ZigBee Coordinators and ZigBee Routers, a local version of direct 1
join may be supported to enable the device to join via the orphaning or rejoin 2
procedures. 3
4
• May support Management Entities that permit external network management. 5
6
2.5.2.5 Binding Manager 7
The Binding Manager performs the following: 8
9
• Establishes resource size for the Binding Table. The size of this resource is 10
determined via a programmed application or via a configuration parameter 11
defined during installation. 12
• Processes bind requests for adding or deleting entries from the APS binding 13
table. 14
15
• Supports Bind and Unbind commands from external applications such as those 16
that may be hosted on a PDA to support assisted binding. Bind and Unbind 17
commands shall be supported via the ZigBee Device Profile (see clause 2.4). 18
• For the ZigBee Coordinator, supports the End Device Bind that permits binding 19
on the basis of button presses or other manual means. 20
21
2.5.2.6 Node Manager 22
23
For ZigBee Coordinators and ZigBee Routers, the Node Management function 24
performs the following: 25
• Permits remote management commands to perform network discovery 26
27
• Provides remote management commands to retrieve the routing table 28
• Provides remote management commands to retrieve the binding table 29
30
• Provides a remote management command to have the device leave the network 31
or to direct that another device leave the network 32
• Provides a remote management command to retrieve the LQI for neighbors of 33
the remote device 34
35
• Permits source devices to register with a primary binding table cache their 36
ability to hold their own binding table 37
• Permits configuration tools to exchange one device for another in all of the 38
binding table entries which refer to it 39
40
• Permits the primary binding table cache to backup and recover individual bind 41
entries or the entire binding table or the table of source devices holding their 42
own binding tables 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
208 Application Layer Specification
55
56
1
57
58
59
Binding Manager Object
Optional
Network Manager Object
Mandatory 2
3
60
61 Mandatory Attributes Mandatory Attributes
62
4
63
64 NLME-NETWORK-
65 DISCOVERY.request
Optional Attributes
66
5
NLME-NETWORK-
67 DISCOVERY.confirm
End_Device_Bind_req
68
69 End_Device_Bind_rsp NLME-GET.request
70
71
72 Bind_rsp
Bind_req NLME-GET.confirm
NLME-SET.request 6
7
73 Unbind_req NLME-SET.confirm
74
Unbind_rsp
75
Optional Attributes
8
76 Bind_Register_req
77 Bind_Register_rsp NLME-NETWORK-
78 FORMATION.request
Replace_Device_req
9
79
80 NLME-NETWORK-
Replace_Device_rsp FORMATION.confirm
81
82 Store_Bkup_ NLME-DIRECT-
10
83 Bind Entry req JOIN.request
Store_Bkup_
112
84 NLME-DIRECT- 113
85 Bind Entry rsp JOIN.confirm Configuration Attributes
11
86 Backup_Bind_ 114
NLME-JOIN.request
87 Table req 115 Mandatory
88 NLME-JOIN.confirm
Backup_Bind_ 116
12
89 Table rsp NLME-JOIN.indication
90
117 :Config_Node_Descriptor
91 Recover_Bind_ 118
NLME-START-
ROUTER.request
119 :Config_Power_Descriptor
13
92 Table req
93 Recover_Bind_ NLME-START- 120
ROUTER.confirm
:Config_Simple_Descriptors
94 Table rsp 121 :Config_NWK_Mode_and_Params
95
14
Backup_Source_Bind_req NLME-LEAVE.request
96 122
NLME-LEAVE.confirm :Config_NWK_Scan_Attempts
97 Backup_Source_Bind_rsp 123
98 NLME-LEAVE.indication
124 :Config_NWK_Time_btwn_Scans
99
100
101
Recover_Source_Bind_req
Recover_Source_Bind_rsp
NLME-SYNC.request
125
126
NLME-SYNC.indication
15
Optional
16
102 127
NLME-PERMIT-
103 128
JOINING.request
104 NLME-PERMIT-129 :Config_Complex_Descriptor
17
105 JOINING.confirm
106
130 :Config_User_Descriptor
NLME-RESET.request
107 131
NLME-RESET.confirm :Config_Max_Bind
132
18
108
109 133 :Config_Master_Key
110
134 :Config_NWK_Join_Direct_Addrs
135
136
137
:Config_Max_Assoc 19
:Config_EndDev_Bind_Timeout
:Config_Permit_Join_Duration 20
21
111 :Config_Nwk_Security_Level
Node Manager Object :Config_Nwk_Secure_All_Frames
Security Manager Object
Optional
Mandatory Attributes
Optional
:Config_NWK_Leave_removeChildren
:Config_NWK_BroadcastDeliveryTime 22
23
Mandatory Attributes :Config_NWK_TransactionPersistenceTim
:Config_NWK_indirectPollRate
:Config_NWK_Alt_protocol_version
24
Optional Attributes 25
APSME-ESTABLISH-
KEY.request
APSME-ESTABLISH-
26
Optional Attributes
KEY.indication
APSME-ESTABLISH-
KEY.response
27
Mgmt_NWK_Disc_req
Mgmt_NWK_Disc_rsp
APSME-ESTABLISH-
KEY.confirm 28
Mgmt_Lqi_req
Mgmt_Lqi_rsp
APSME-TRANSPORT-
KEY.request
APSME-TRANSPORT-
29
30
Mgmt_Rtg_req KEY.indication
Mgmt_Rtg_rsp APSME-UPDATE-
DEVICE.request
31
Mgmt_Bind_req
APSME-UPDATE-
Mgmt_Bind_rsp
DEVICE.indication
Mgmt_Leave_req
32
APSME-REMOVE-
Mgmt_Leave_rsp DEVICE.request
Mgmt_Direct_Join_req APSME-REMOVE-
Mgmt_Direct_Join_rsp
Mgmt_Cache_req
DEVICE.indication
APSME-REQUEST-
KEY.request
33
Mgmt_Cache_rsp APSME-REQUEST-
KEY.indication 34
35
APSME-SWITCH-
KEY.request
APSME-SWITCH-
36
KEY.indication
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 211
tion control. Conditions that lead to removal of associated devices may include
1
lack of security credentials, removal of the device via a privileged application or 2
detection of exception. When a ZigBee end device is asked to leave the network, 3
the ReuseAddress parameter of the NLME-LEAVE.request primitive should have 4
5
a value of TRUE indicating that the NWK layer may give the address formerly in
6
use by the leaving device to another end device that joins subsequently.14 7
8
The ZigBee coordinator shall maintain a list of currently associated devices and
9
facilitate support of orphan scan and rejoin processing to enable previously
10
associated devices to rejoin the network. The ZigBee coordinator may support the
11
ability for devices to be directly included in the network via the NLME-DIRECT-
12
JOIN.request and NLME-DIRECT-JOIN.confirm. This feature shall permit lists
13
of ZigBee IEEE addresses to be provided to the ZigBee coordinator and for those
14
addresses to be included as previously associated devices. It shall be possible for
15
ZigBee devices with those addresses to directly join the network via orphaning or
16
rejoin procedures rather than associating directly.
17
The ZigBee coordinator shall process End_Device_Bind_req from ZigBee 18
Routers and ZigBee End Devices. Upon receipt of an End_Device_Bind_req, the 19
ZigBee Coordinator shall use the :Config_EndDev_Bind_Timeout value in the 20
attribute and await a second End_Device_Bind_req. Should the second indication 21
arrive within the timeout period, the ZigBee coordinator shall match the Profile 22
ID in the two indications. If the Profile IDs in the two indications do not match, an 23
appropriate error status is returned to each device via End_Device_Bind_rsp. 24
Should the Profile IDs match, the ZigBee Coordinator shall match the 25
AppInClusterLists and AppOutClusterLists in the two indications. Cluster IDs in 26
the AppInClusterList of the first indication which match Cluster IDs in the 27
AppOutClusterList of the second indication shall be saved in a list for inclusion in 28
the End_Dev_Bind_rsp. 29
30
The ZigBee coordinator shall process End_Device_annce messages from ZigBee
31
End Devices. Upon receipt of an End_Device_annce, the ZigBee coordinator shall
32
check all internal tables holding 64 bit IEEE addresses for devices within the PAN
33
for a match with the address supplied in the End_Device_annce message. At
34
minimum, the Binding Table and Trust Center tables shall be checked. If a match
35
is detected, the ZigBee coordinator shall update its APS Information Block
36
address map entries corresponding to the matched 64 bit IEEE address to reflect
37
the updated 16 bit NWK address contained in the End_Device_annce.
38
39
40
41
42
43
14. CCB #675 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 215
• Inform the rest of the network - if the short address changed than an
End_Device_annce ZDO command is broadcast to indicate the updated short 1
address. (See clause 2.4.3.1.11) 2
3
These steps are described in detail in the subsections below. The mechanism is 4
illustrated for a ZED and ZR in Figure 2.96 and Figure 2.97, respectively. 5
6
Child’s Child’s
New New
Trust 7
Old parent parent’s parent’s
NWK ZDO
NWK ZDO
Centre 8
9
10
NO_ACK (x12) 11
ROUTE-ERROR. 12
indication 13
Optional active scan. Select parent, eg: by 14
EPID. If rejoin fails then retry later. 15
JOIN.request 16
(RejoinNetwork=2)
Rejoin request
17
(unsecured, from IEEE address) JOIN.indication 18
Rejoin response (unsecured, to IEEE Update device
address, includes short address)
(rejoin) 19
JOIN.confirm
Key transport 20
(dummy key)
(SUCCESS)
SET and GET Alternatively 21
Remove device.
(relationship) 22
Key transport (dummy key, unsecured)
23
Entity authentication [if required]
24
End_Device_annce 25
(if short address changed) End_Device_annce 26
27
Figure 2.96 Portability Message Sequence Chart: ZED Rejoin 28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 221
Z R 1 ’s Z R 1 ’s Z R 2 ’s Z R 2 ’s T ru st
1
NW K ZDO NW K ZDO C en tre
2
3
S o m e m e ssa ge (e g: a b ro a d c ast M A N Y -T O -O N E -R O U T IN G u p d a te )
4
If w e h a ve n ’t h e ard a n y m essag e fro m th e 5
tru st c e n tre fo r tim e o u t p e rio d T (se t b y
sta c k p ro file ), th e n c a rry o u t a n a c tive sc a n . 6
N o te e a c h n e igh b o r th a t in d ic a te s in its 7
b e a c o n th at it c a n h ea r th e T C . S e le c t o n e
(e g: b y E P ID ). If re jo in fa ils th e n re try la te r. 8
9
JO IN .re q u e st
(R e jo in N e tw o rk = 2 ) 10
R ejo in re q u e st (u n se c u re d , fro m IE E E 11
a d d re ss, in c lu d e e x istin g sh o rt a d d re ss) JO IN .in d ic a tio n
R e jo in resp o n se (rejo in ) U p d a te d e vic e 12
(u n se c u re d , to IE E E a d d re ss)
K e y tran sp o rt 13
JO IN .c o n firm
(S U C C E S S )
(d u m m y k e y) 14
SET and G E T A lte rn a tive ly
(re la tio n sh ip ) R e m o ve d e vic e . 15
K e y tra n sp o rt (d u m m y k e y , u n se c u re d ) 16
E n tity a u th e n tic atio n [if re q u ire d ] 17
18
19
20
Figure 2.97 Portability Message Sequence Chart: ZR Rejoin 21
22
2.5.5.5.4.2 Description of Operations for Security Verification 23
24
As for MAC association, a ZigBee Coordinator or ZigBee Router device is 25
informed of a rejoined device when the NLME issues an NLME-JOIN.indication 26
primitive. This shall be handled in the same way as for an association indication. 27
28
Note that due to the absence of an entity authentication this child status is initially
29
provisional, and full network operation shall not be permitted until the verification
30
steps described below have been carried out.
31
Measures shall be taken by a newly (re-)joined node and by its new parent to 32
verify that it is really allowed to be on this network. Two cases are envisaged: 33
34
• One or other device is not implemented according to this specification, and
35
should not have joined. The measures described here allow both sides to revoke
36
the join in this case.
37
• One or other device is a compromised/hacked device. In the case that security 38
is enabled, the measures in sub-clause 4.7.3.6 are additionally applied so that 39
an unauthorized join is revoked. 40
41
This verification is carried out using existing commands. Sub-clause 2.5.5.5.4.3
42
below describes the transmission of an End_Device_annce command to the new
43
parent. The new parent shall check that this or some other message is correctly
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
222 Application Layer Specification
formed and contains the addressing fields corresponding to the orphaned device.
If security is enabled then this command shall be secured with the network key, 1
and the new parent shall verify that all security processing is carried out correctly. 2
If all these checks succeed then the orphaned device shall become joined to the 3
network, otherwise it shall not become joined to the network at this time. As 4
normal, messages sent from a device not joined to the network shall not be 5
forwarded across the network, and commands shall not be carried out. 6
Correspondingly the orphaned device shall only become joined to the network 7
once it receives at least one correctly formed ZigBee message from the new 8
parent. If security is enabled this message must be secured with the network key 9
and all security processing must be carried out correctly. If messages cannot be 10
exchanged in protocol then the orphaned device shall not become joined to the 11
network at this time. 12
13
2.5.5.5.4.3 Description of Operations for Informing the Rest of the Network 14
15
If the ZigBee End Device gets a new short address after rejoining a new parent 16
using the orphaning process, it shall issue an End_Device_annce providing its 64 17
bit IEEE address, new 16 bit NWK address and its capability information. The 18
message is broadcast to all devices in the network. Upon receiving the 19
End_Device_annce all devices shall check their internal tables holding 64 bit 20
IEEE addresses for devices within the PAN for a match with the address supplied 21
in the End_Device_annce message. At minimum, any Binding Table shall be 22
checked. If a match is detected, the device shall update its APS Information Block 23
address map entries corresponding to the matched 64 bit IEEE address to reflect 24
the updated 16 bit NWK address contained in the End_Device_annce. In 25
addition, all devices shall use the NLME-SET and NLME-GET primitives to 26
update the nwkNeighborTable in the NWK NIB. The previous parent of this ZED 27
shall remove the ZED as one of its children by changing the Relationship field of 28
the nwkNeighborTable to 0x04, "previous child". Note that any unicast message 29
sent to an address with this status shall result in an NLME-ROUTE- 30
ERROR.indication primitive with status code of "Target Device Unavailable", 31
(see sub-clause 3.3.12.1). As address conflict detection is not provided, parent 32
devices are not permitted, following intra-PAN portability, remove device or any 33
other operation, to reissue a short address for use by a child with a different IEEE 34
address. Also, the ZDO shall arrange that any IEEE address to short address 35
mappings which have become known to applications running on this device be 36
updated. This behavior is mandatory but the mechanism by which it is achieved is 37
outside the scope of this specification. 38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 223
single ZigBee PAN shall consist of devices employing only a single protocol
version number (networks with devices employing different protocol version 1
numbers and frame formats within the same PAN are not permitted). An optional 2
configuration attribute, :Config_NWK_alt_protocol_version, provides the 3
protocol version numbers which the device may choose to employ other than the 4
current protocol version number. Once the ZigBee end device chooses a PAN and 5
a specific protocol version number, it shall modify its 6
:Config_NWK_Mode_and_Params protocol version number field and employ 7
that protocol version number as its nwkcProtocolVersion. Additionally, the 8
ZigBee end device shall then adhere to all frame formats and processing rules 9
supplied by the version of the ZigBee Specification employing that protocol 10
version number. 11
12
Once the PAN to join is identified, the device application shall employ the 13
NLME-JOIN. request to join the PAN on that channel. The device application 14
shall check the return status via the NLME-JOIN.confirm to verify association to 15
the selected ZigBee Router or ZigBee Coordinator on that PAN. The Extended 16
PAN ID field from the beacon payload of the PAN shall also be set within 17
nwkExtendedPANID. 18
If the device application sets the NLME-JOIN RxOnWhenIdle parameter to 19
FALSE, the :Config_NWK_indirectPollRate shall be used to determine the 20
polling rate for indirect message requests. The :Config_NWK_indirectPollRate 21
shall be set according to the value established by the application profile(s) 22
supported on the device. Once polling for indirect message requests is initiated, if 23
communications failure with the parent is detected determined by failure of 24
indirect message requests :Config_Parent_Link_Threshold_Retry consecutive 25
attempts, the device application shall employ the network rejoin procedure. 26
27
Once the End Device has successfully joined a network, the device shall issue an 28
End_Device_annce providing its 64 bit IEEE address and 16 bit NWK address. 29
Provision shall be made to ensure APS primitive calls from the end applications 30
over EP 1 through EP 240 return appropriate error status values prior to 31
completion of the Initialization state by ZigBee Device Objects and transition to 32
the normal operating state. 33
34
If the network has security enabled, the device shall wait for the trust center to 35
supply it with a master key via the APSME-TRANSPORT-KEY.indication and 36
then respond to a request from the trust center to establish a link key using the 37
APSME-ESTABLISH-KEY.response. The device shall then wait for the trust 38
center to provide it with a NWK key using APSME-TRANSPORT- 39
KEY.indication. Upon successful acquisition of the NWK key, the device is 40
joined and authenticated. 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 225
The rejoin process mirrors the MAC association process very closely, however a
device is permitted to rejoin a parent that is not accepting new associations. The 1
ZDO may use the NLME-NETWORK-DISCOVERY.request primitive to detect 2
potential alternative parents, and in order to optimize recovery latency and 3
reliability, shall select an appropriate new parent based on the following 4
information from that device's beacon: 5
6
• PAN ID 7
• EPID (Extended PAN ID) 8
9
• Channel 10
• Signal strength 11
12
• Whether the potential parent indicates that it is currently able to communicate 13
with its trust center 14
• Whether this device has recently failed to join this parent, or this network. 15
16
Once a potential parent has been selected the ZDO shall issue an NLME- 17
JOIN.request primitive with RejoinNetwork set to 0x02. 18
The start time of the rejoin process is determined by the time the last NLME- 19
JOIN.request primitive was sent and by the attribute :Config_Rejoin_Interval. 20
Only if the interval between the current and the previous NLME-JOIN.request 21
sent time is longer than the :Config_Rejoin_Interval shall a new NLME- 22
JOIN.request primitive be sent. The application may want to gradually increase 23
the :Config_Rejoin_Interval if a certain number of retries have been done (or a 24
certain period of time has passed) but none of them were successful. The 25
:Config_Rejoin_Interval should not exceed the :Config_Max_Rejoin_Interval. 26
Every time an NLME-JOIN.confirm has been successfully received, the ZDO 27
shall reset its failure counter to zero and the :Config_Rejoin_Interval attribute to 28
its initial value. The choice of the default initial value and the algorithm of 29
increasing the rejoin interval shall be determined by the application and is out of 30
the scope of this document. 31
32
If the ZigBee End Device gets a new short address after rejoining a new parent 33
using the rejoin process, it shall issue an End_Device_annce providing its 64 bit 34
IEEE address, new 16 bit NWK address and its capability information. The 35
message is broadcast to all devices in the network. 36
37
2.5.5.6 Device and Service Discovery 38
The Device and Service Discovery function supports: 39
40
• Device Discovery 41
• Service Discovery 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 227
Device Management performs the above functions with the ZigBee Device Profile
(See clause 2.4). 1
2
2.5.5.6.1 Optional and Mandatory Attributes Within Device and Service 3
Discovery 4
All of the request attributes within the Device and Service Discovery Object are 5
optional for all ZigBee logical device types. The responses listed in Table 2.130 as 6
mandatory are mandatory for all ZigBee logical device types and the responses 7
listed as optional are optional for all ZigBee logical device types. See clause 2.4 8
for a description of any of these attributes. 9
10
Table 2.130 Device and Service Discovery Attributes 11
Attribute M/O Type 12
13
NWK_addr_req O Public 14
NWK_addr_rsp M Public 15
16
IEEE_addr_req O Public
17
IEEE_addr_rsp M Public 18
Node_Desc_req O Public 19
20
Node_Desc_rsp M Public
21
Power_Desc_req O Public 22
Power_Desc_rsp M Public 23
24
Simple_Desc_req O Public 25
Simple_Desc_rsp M Public 26
Active_EP_req O Public
27
28
Active_EP_rsp M Public 29
Match_Desc_req O Public 30
31
Match_Desc_rsp M Public
32
Complex_Desc_req O Public 33
Complex_Desc_rsp O Public 34
35
User_Desc_req O Public
36
User_Desc_rsp O Public 37
End_Device_annce O Public 38
39
User_Desc_set O Public 40
User_Desc_conf O Public 41
System_Server_Discovery_req O Public 42
43
System_Server_Discovery_rsp O Public 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
228 Application Layer Specification
in the Security Manager are present for any ZigBee logical device type. See
clause 2.4 for a description of any of the primitives listed in Table 2.131. 1
2
Table 2.131 Security Manager Attributes
3
Attribute M/O Type 4
5
APSME-ESTABLISH-KEY.request O Public 6
APSME-ESTABLISH-KEY.response O Public 7
APSME-ESTABLISH-KEY. indication O Public 8
9
APSME-ESTABLISH-KEY.confirm O Public 10
APSME-TRANSPORT-KEY.request O Public 11
12
APSME-TRANSPORT-KEY.indication O Public
13
APSME-UPDATE-DEVICE.request O Public 14
APSME-UPDATE-DEVICE.indication O Public 15
16
APSME-REMOVE-DEVICE.request O Public
17
APSME-REMOVE-DEVICE.indication O Public 18
APSME-REQUEST-KEY.request O Public 19
20
APSME-REQUEST-KEY.indication O Public
21
APSME-SWITCH-KEY.request O Public 22
APSME-SWITCH-KEY.indication O Public 23
24
25
2.5.5.8 Binding Manager 26
The Binding Management function supports: 27
28
• End Device Binding 29
• Bind and Unbind 30
31
Binding Management performs the above functions with ZigBee Device Profile 32
commands plus APSME-SAP primitives to commit/remove binding table entries 33
once the indication arrives on the Zigbee coordinator or router, supporting the 34
binding table. 35
2.5.5.8.1 Optional and Mandatory Attributes Within Binding Manager 36
37
The Binding Manager is an optional object for all ZigBee Device Types. 38
If the Binding Manager is present, all requests are optional for all ZigBee logical 39
device types. Additionally, responses shall be supported on the ZigBee 40
Coordinator or responses shall be supported on ZigBee Routers and ZigBee End 41
Devices which correspond to the source address for the binding table entries held 42
on those devices. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 2
230 Application Layer Specification
If the Binding Manager is not present, all requests and all responses for all ZigBee
logical device types shall not be supported. Table 2.132 summarizes Binding 1
Manager attributes. 2
3
Table 2.132 Binding Manager Attributes
4
Attribute Method M/O Type 5
6
End_Device_Bind_req See clause 2.4. O Public 7
End_Device_Bind_rsp See clause 2.4. O Public 8
Bind_req See clause 2.4. O Public 9
10
Bind_rsp See clause 2.4. O Public 11
Unbind_req See clause 2.4. O Public 12
13
Unbind_rsp See clause 2.4. O Public
14
Bind_Register_req See clause 2.4. O Public 15
Bind_Register_rsp See clause 2.4. O Public 16
17
Replace_Device_req See clause 2.4. O Public
18
Replace_Device_rsp See clause 2.4. O Public 19
Store_Bkup_Bind_Entry_req See clause 2.4. O Public 20
21
Store_Bkup_Bind_Entry_rsp See clause 2.4. O Public
22
Remove_Bkup_Bind_req See clause 2.4. O Public 23
Remove_Bkup_Bind_rsp See clause 2.4. O Public 24
25
Backup_Bind_Table_req See clause 2.4. O Public 26
Backup_Bind_Table_rsp See clause 2.4. O Public 27
Recover_Bind_Table_req See clause 2.4. O Public
28
29
Recover_Bind_Table_rsp See clause 2.4. O Public 30
Backup_Source_Bind_req See clause 2.4. O Public 31
32
Backup_Source_Bind_rsp See clause 2.4. O Public
33
Recover_Source_Bind_req See clause 2.4. O Public 34
Recover_Source_Bind_rsp See clause 2.4. O Public 35
36
APSME-BIND.request See clause 2.2. O Private
37
APSME-BIND.confirm See clause 2.2. O Private 38
APSME-UNBIND.request See clause 2.2. O Private 39
40
APSME-UNBIND.confirm See clause 2.2. O Private
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 231
For all ZigBee logical devices types, the NWK Sync request, indication and
confirm plus NWK reset request and confirm plus NWK route discovery request 1
and confirm shall be optional. Table 2.133 summarizes Network Manager 2
Attributes. See Chapter 3 for a description of any of the primitives listed in 3
Table 2.133. 4
5
For all ZigBee logical device types, reception of the NWK Route Error indication 6
shall be supported, but no action is required in this version of the specification. 7
Table 2.133 Network Manager Attributes 8
9
Attribute M/O Type 10
NLME-GET.request M Private 11
12
NLME-GET.confirm M Private
13
NLME-SET.request M Private 14
NLME-SET.confirm M Private 15
16
NLME-NETWORK-DISCOVERY.request M Public
17
NLME-NETWORK-DISCOVERY.confirm M Public 18
NLME-NETWORK-FORMATION.request O Private 19
20
NLME-NETWORK- O Private 21
FORMATION.confirm
22
NLME-START-ROUTER.request O Private 23
NLME-START-ROUTER.confirm a O Private 24
25
NLME-JOIN.request O Private
26
NLME-JOIN.confirm O Private 27
NLME-PERMIT-JOINING.request O Public 28
29
NLME-PERMIT-JOINING.confirmb O Public 30
NLME-DIRECT-JOIN.request O Public 31
NLME-DIRECT-JOIN.confirm O Public 32
33
NLME_LEAVE.request M Public 34
NLME-LEAVE.confirm M Public 35
36
NLME-RESET.request O Private
37
NLME-RESET.confirm O Private 38
NLME-SYNC.request O Public 39
40
NLME-SYNC.indication O Public
41
NLME-SYNC.confirm O Public 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 233
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 243
C H A P T E R
1
3
2
3
4
5
6
7
8
9
management entity (NLME) provides the management service via its associated
SAP, the NLME-SAP. The NLME utilizes the NLDE to achieve some of its 1
management tasks and it also maintains a database of managed objects known as 2
the network information base (NIB). 3
4
3.2.1.1 Network Layer Data Entity (NLDE) 5
6
The NLDE shall provide a data service to allow an application to transport 7
application protocol data units (APDU) between two or more devices. The 8
devices themselves must be located on the same network. 9
The NLDE will provide the following services: 10
11
• Generation of the Network level PDU (NPDU): The NLDE shall be capable 12
of generating an NPDU from an application support sub-layer PDU through the 13
addition of an appropriate protocol header. 14
• Topology specific routing: The NLDE shall be able to transmit an NPDU to 15
an appropriate device that is either the final destination of the communication 16
or the next step toward the final destination in the communication chain. 17
18
• Security: The ability to ensure both the authenticity and confidentiality of a 19
transmission. 20
21
3.2.1.2 Network Layer Management Entity (NLME) 22
The NLME shall provide a management service to allow an application to interact 23
with the stack. 24
25
The NLME shall provide the following services: 26
• Configuring a new device: The ability to sufficiently configure the stack for 27
operation as required. Configuration options include beginning an operation as 28
a ZigBee coordinator or joining an existing network. 29
30
• Starting a network: The ability to establish a new network. 31
• Joining and leaving a network: The ability to join or leave a network as well 32
as the ability for a ZigBee coordinator or ZigBee router to request that a device 33
leave the network. 34
35
• Addressing: The ability of ZigBee coordinators and routers to assign addresses 36
to devices joining the network. 37
• Neighbor discovery: The ability to discover, record, and report information 38
pertaining to the one-hop neighbors of a device. 39
40
• Route discovery: The ability to discover and record paths through the network, 41
whereby messages may be efficiently routed. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
246 Network Specification
• Reception control: The ability for a device to control when the receiver is
activated and for how long, enabling MAC sub-layer synchronization or direct 1
reception. 2
3
4
3.3 Service Specification 5
6
Figure 3.1 depicts the components and interfaces of the NWK layer. 7
8
The NWK layer provides two services, accessed through two service access 9
points (SAPs). These are the NWK data service, accessed through the NWK layer 10
data entity SAP (NLDE-SAP) and the NWK management service, accessed 11
though the NWK layer management entity SAP (NLME-SAP). These two 12
services provide the interface between the application and the MAC sub-layer, via 13
the MCPS-SAP and MLME-SAP interfaces. (See [B1]). In addition to these 14
external interfaces, there is also an implicit interface between the NLME and the 15
NLDE that allows the NLME to use the NWK data service. 16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Figure 3.1 The NWK Layer Reference Model 33
34
3.3.1 NWK Data Service 35
36
The NWK layer data entity SAP (NLDE-SAP) supports the transport of 37
application protocol data units (APDUs) between peer application entities. 38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 247
Table 3.2 lists the primitives supported by the NLDE-SAP and the sub-clauses in
which these primitives are discussed. 1
2
Table 3.2 NLDE-SAP Primitives
3
NLDE-SAP Primitive Request Confirm Indication 4
5
NLDE-DATA 3.3.1.1 3.3.1.2 3.3.1.3 6
7
3.3.1.1 NLDE-DATA.request 8
9
This primitive requests the transfer of a data PDU (NSDU) from the local APS 10
sub-layer entity to a single or multiple peer APS sub-layer entities. 11
3.3.1.1.1 Semantics of the Service Primitive 12
13
The semantics of this primitive are as follows: 14
NLDE-DATA.request { 15
16
DstAddrMode,
17
DstAddr,
18
NsduLength,
19
Nsdu, 20
NsduHandle, 21
Radius, 22
NonmemberRadius, 23
DiscoverRoute, 24
SecurityEnable 25
} 26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
248 Network Specification
sub-clause 3.7.2.1. The sequence number value shall be inserted into the sequence
number field of the NWK header of the frame. The multicast flag field of the 1
NWK header will be set according to the value of the DstAddrMode parameter. If 2
the DstAddrMode parameter has a value of 0x01, the NWK header will contain a 3
multicast control field whose fields will be set as follows: 4
5
• The multicast mode field will be set to 0x01 if this node is a member of the 6
group specified in the DstAddr parameter 7
• Otherwise, the multicast mode field will be set to 0x00 8
9
• The non-member radius and the max non-member radius fields will be set to 10
the value of the NonmemberRadius parameter 11
Once the NPDU is constructed, the NSDU is routed using the procedure described 12
in sub-clause 3.7.3.3, if it is a unicast; sub-clause 3.7.5 if it is a broadcast; or sub- 13
clause 3.7.6.1 if it is a multicast. When the routing procedure specifies that the 14
NSDU is to be transmitted, this is accomplished by issuing the MCPS- 15
DATA.request primitive with both the SrcAddrMode and DstAddrMode 16
parameters set to 0x02, indicating the use of 16-bit network addresses. The 17
SrcPANId and DstPANId parameters should be set to the current value of 18
macPANId from the MAC PIB. The SrcAddr parameter will be set to the value of 19
macShortAddr from the MAC PIB. The value of the DstAddr parameter is the 20
next hop address determined by the routing procedure. The TxOptions parameter 21
should always be non-zero when bitwise ANDed with the value 0x01, denoting 22
that acknowledged transmission is required. On receipt of the MCPS- 23
DATA.confirm primitive, the NLDE issues the NLDE-DATA.confirm primitive 24
with a status equal to that received from the MAC sub-layer. 25
26
If the network-wide security level specified in the NIB has a non-zero value and 27
the SecurityEnable parameter has a value of TRUE, then NWK layer security 28
processing will be applied to the frame before transmission as described in 29
clause 4.4. Otherwise, no security processing will be performed at the NWK layer 30
for this frame. If security processing is done and it fails for any reason, then the 31
frame is discarded and the NLDE issues the NLDE-DATA.confirm primitive with 32
a status parameter value equal to that returned by the security suite. 33
34
3.3.1.2 NLDE-DATA.confirm 35
This primitive reports the results of a request to transfer a data PDU (NSDU) from 36
a local APS sub-layer entity to a single peer APS sub-layer entity. 37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 251
3.3.2.1 NLME-NETWORK-DISCOVERY.request
1
This primitive allows the next higher layer to request that the NWK layer discover 2
networks currently operating within the POS. 3
4
3.3.2.1.1 Semantics of the Service Primitive
5
The semantics of this primitive are as follows: 6
7
NLME-NETWORK-DISCOVERY.request { 8
ScanChannels, 9
ScanDuration 10
} 11
12
Table 3.7 specifies the parameters for the NLME-NETWORK- 13
DISCOVERY.request primitive. 14
15
Table 3.7 NLME-NETWORK-DISCOVERY.request Parameters
16
Name Type Valid Range Description 17
18
ScanChannels Bitmap 32-bit field The five most significant bits (b27,...,
19
b31) are reserved; the 27 least significant
bits (b0, b1,... b26) indicate which 20
channels are to be scanned (1 = scan, 0 = 21
do not scan) for each of the 27 valid 22
channels (see [B1]) 23
ScanDuration Integer 0x00 – 0x0e A value used to calculate the length of 24
time to spend scanning each channel; 25
The time spent scanning each channel is 26
(aBaseSuperframeDuration * (2n + 1)) 27
symbols, where n is the value of the 28
ScanDuration parameter; for more 29
information on MAC sub-layer scanning
30
(see [B1])
31
32
3.3.2.1.2 When Generated 33
This primitive is generated by the next higher layer of a ZigBee device and issued 34
to its NLME to request the discovery of networks operating within the device’s 35
personal operating space (POS). 36
37
3.3.2.1.3 Effect on Receipt 38
On receipt of this primitive, the NWK layer will attempt to discover networks 39
operating within the device’s POS by scanning over the channels specified in the 40
ScanChannels argument for the period specified in the ScanDuration parameter. 41
42
If the device is an IEEE 802.15.4-2003 FFD [B1], then it will perform an active 43
scan. If it is an RFD, it will perform an active scan provided that the device 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 255
implements active scan. Otherwise, it will perform a passive scan using the
MLME-SCAN.request primitive. On receipt of the MLME-SCAN.confirm 1
primitive is assembled and the NLME issues the NLME-NETWORK- 2
DISCOVERY.confirm primitive containing the information about the discovered 3
networks with a Status parameter value equal to that returned with the MLME- 4
SCAN.confirm. 5
6
3.3.2.2 NLME-NETWORK-DISCOVERY.confirm 7
8
This primitive reports the results of a network discovery operation. 9
3.3.2.2.1 Semantics of the Service Primitive 10
11
The semantics of this primitive are as follows: 12
13
NLME-NETWORK-DISCOVERY.confirm {
14
NetworkCount,
15
NetworkDescriptor, 16
Status 17
} 18
19
Table 3.8 describes the arguments of the NLME-NETWORK- 20
DISCOVERY.confirm primitive. 21
22
Table 3.8 NLME-NETWORK-DISCOVERY.confirm Parameters
23
Name Type Valid Range Description 24
25
NetworkCount Integer 0x00 – 0xff Gives the number of networks
discovered by the search 26
27
NetworkDescriptor List of The list contains the A list of descriptors, one for 28
network number of elements given each of the networks
descriptors by the NetworkCount discovered; Table 3.9 gives a 29
parameter detailed account of the contents 30
of each item 31
Status Status Any Status value returned See [B1]
32
with the MLME- 33
SCAN.confirm primitive 34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
256 Network Specification
Table 3.9 gives a detailed account of the contents of a network descriptor from the
NetworkDescriptor parameter. 1
2
Table 3.9 Network Descriptor Information Fields
3
Name Type Valid Range Description 4
5
PanID Integer 0x0000 – 0x3fff The 16-bit PAN identifier of the 6
discovered network; the 2 highest-
order bits of this parameter are 7
reserved and shall be set to 0 8
9
ExtendedPanID Integer 0x0000000000000001 - The 64-bit PAN identifier of the
0xfffffffffffffffe network. 10
11
LogicalChannel Integer Selected from the The current logical channel 12
available logical occupied by the network
channels supported by 13
the PHY (see [B1]) 14
15
StackProfile Integer 0x00 – 0x0f A ZigBee stack profile identifier
indicating the stack profile in use in
16
the discovered network 17
18
ZigBeeVersion Integer 0x00 – 0x0f The version of the ZigBee protocol
19
in use in the discovered network
20
BeaconOrder Integer 0x00 – 0x0f This specifies how often the MAC 21
sub-layer beacon is to be
22
transmitted by a given device on the
network; for a discussion of MAC 23
sub-layer beacon order (see [B1]) 24
25
SuperframeOrder Integer 0x00 – 0x0f For beacon-oriented networks, that
is, beacon order < 15, this specifies 26
the length of the active period of the 27
superframe; for a discussion of 28
MAC sub-layer superframe order 29
(see [B1]) 30
PermitJoining Boolean TRUE or FALSE A value of TRUE indicates that at 31
least one ZigBee router on the 32
network currently permits joining; 33
That is, its NWK has been issued an
NLME-PERMIT-JOINING 34
primitive and, the time limit if 35
given, has not yet expired 36
37
3.3.2.2.2 When Generated 38
39
This primitive is generated by the NLME and issued to its next higher layer on 40
completion of the discovery task initiated by an NLME-NETWORK- 41
DISCOVERY.request primitive. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 257
indicate an energy detection scan and then issues the primitive again with the
ScanType parameter set to indicate an active scan. After the completion of the 1
active scan, on receipt of the MLME-SCAN.confirm primitive from the MAC 2
sub-layer, the NLME selects a suitable channel. The NWK layer will pick a PAN 3
identifier that does not conflict with that of any network known to be operating on 4
the chosen channel. Once a suitable channel and PAN identifier are found, the 5
NLME will choose 0x0000 as the 16-bit short MAC address and inform the MAC 6
sub-layer. To do this, the NLME issues the MLME-SET.request primitive to the 7
MAC sub-layer to set the MAC PIB attribute macShortAddress. If the NIB 8
attribute nwkExtendedPANId is equal to 0x0000000000000000, this 9
attribute shall be initialized with the value of the MAC constant 10
aExtendedAddress. If no suitable channel or PAN identifier can be found, the 11
NLME issues the NLME-NETWORK-FORMATION.confirm primitive with the 12
Status parameter set to STARTUP_FAILURE. 13
14
To initialize a new superframe configuration or modify an existing one, the 15
NLME issues the MLME-START.request primitive to the MAC sub-layer. The 16
PANCoordinator parameter of the MLME-START.request primitive is set to 17
TRUE. The BeaconOrder and SuperframeOrder given to the MLME- 18
START.request primitive will be the same as those given to the NLME- 19
NETWORK-FORMATION.request. The CoordRealignment parameter in the 20
MLME-START.request primitive is set to FALSE if the primitive is issued to 21
initialize a new superframe. The CoordRealignment parameter is set to TRUE if 22
the primitive is issued to change any of the PAN configuration attributes. On 23
receipt of the associated MLME-START.confirm primitive, the NLME issues the 24
NLME-NETWORK-FORMATION.confirm primitive to the next higher layer 25
with the status returned from the MLME-START.confirm primitive. 26
27
3.3.3.2 NLME-NETWORK-FORMATION.confirm 28
This primitive reports the results of the request to initialize a ZigBee coordinator 29
in a network. 30
31
3.3.3.2.1 Semantics of the Service Primitive 32
The semantics of this primitive are as follows: 33
34
NLME-NETWORK-FORMATION.confirm { 35
Status 36
} 37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
260 Network Specification
NULL and the RemoveChildren parameter equal to FALSE, the NLME will
remove the device itself from the network using the procedure described in sub- 1
clause 3.7.1.8.1. The NLME will then clear its routing table and route discovery 2
table and issue an MLME-RESET.request primitive to the MAC sub-layer. If the 3
NLME receives an MLME-RESET.confirm primitive with the Status parameter 4
set to anything other than SUCCESS, the NLME may choose to re-issue the reset 5
request. The NLME will also set the relationship field of the neighbor table entry 6
corresponding to its former parent to 0x03, indicating no relationship. If the 7
NLME-LEAVE.request primitive is received with the DeviceAddress parameter 8
equal to NULL and the RemoveChildren parameter equal to TRUE, then the 9
NLME will attempt to remove the device's children, as described in sub- 10
clause 3.7.1.8.3. 11
12
On receipt of this primitive by a ZigBee coordinator or ZigBee router and with the 13
DeviceAddress parameter not equal to NULL, the NLME determines whether the 14
specified device is a child device. If the requested device does not exist, the 15
NLME issues the NLME-LEAVE.confirm primitive with a status of 16
UNKNOWN_DEVICE. If the requested device exists, the NLME will attempt to 17
remove it from the network using the procedure described in sub-clause 3.7.1.8.2. 18
If the RemoveChildren parameter is equal to TRUE then the device will be 19
requested to remove its children as well. Following the removal, the NLME will 20
issue the NLME-LEAVE.confirm primitive with the DeviceAddress equal to the 21
64-bit IEEE address of the removed device and the Status parameter equal to the 22
status delivered by the MCPS-DATA.confirm primitive. Then the relationship 23
field for the neighbor table entry corresponding to the removed device will be 24
updated. The relationship field will be updated according to the value of the 25
Rejoin parameter from the NLME-LEAVE.request. If Rejoin is equal to FALSE 26
then the relationship field is set to 0x03, indicating no relationship. If however 27
Rejoin is equal to TRUE then the relationship field is set to 0x04, indicating that 28
the address belonged to a previous child. 29
30
3.3.8.2 NLME-LEAVE.indication 31
This primitive allows the next higher layer of a ZigBee device to be notified if that 32
ZigBee device has left the network or if a neighboring device has left the network. 33
34
3.3.8.2.1 Semantics of the Service Primitive 35
The semantics of this primitive are as follows: 36
37
NLME-LEAVE.indication { 38
DeviceAddress, 39
Rejoin 40
} 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
278 Network Specification
3.3.9.1 NLME-RESET.request
1
This primitive allows the next higher layer to request that the NWK layer 2
performs a reset operation. 3
4
3.3.9.1.1 Semantics of the Service Primitive
5
The semantics of this primitive are as follows: 6
7
NLME-RESET.request { 8
} 9
10
This primitive has no parameters. 11
12
3.3.9.1.2 When Generated
13
This primitive is generated by the next higher layer and issued to its NLME to 14
request the reset of the NWK layer to its initial condition. 15
16
3.3.9.1.3 Effect on Receipt 17
On receipt of this primitive, the NLME issues the MLME-RESET.request 18
primitive to the MAC sub-layer with the SetDefaultPIB parameter set to TRUE. 19
On receipt of the corresponding MLME-RESET.confirm primitive, the NWK 20
layer resets itself by clearing all internal variables, routing table and route 21
discovery table entries and by setting all NIB attributes to their default values. 22
Once the NWK layer is reset, the NLME issues the NLME-RESET.confirm with 23
the Status parameter set to SUCCESS if the MAC sub-layer was successfully reset 24
or DISABLE_TRX_FAILURE otherwise. 25
26
If this primitive is issued to the NLME of a device that is currently joined to a 27
network, any required leave attempts using the NLME-LEAVE.request primitive 28
should be made a priori at the discretion of the next higher layer. 29
30
3.3.9.2 NLME-RESET.confirm 31
This primitive allows the next higher layer to be notified of the results of its 32
request to reset the NWK layer. 33
34
3.3.9.2.1 Semantics of the Service Primitive 35
The semantics of this primitive are as follows: 36
37
NLME-RESET.confirm { 38
Status 39
} 40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 281
3.3.13.1 NLME-ROUTE-DISCOVERY.request
1
This primitive allows the next higher layer to initiate route discovery. 2
3
3.3.13.1.1 Semantics of the Service Primitive
4
The semantics of this primitive are as follows: 5
6
NLME-ROUTE-DISCOVERY.request { 7
DstAddrMode, 8
DstAddr, 9
Radius 10
} 11
12
Table 3.33 specifies the parameters for this primitive. 13
14
Table 3.33 NLME-ROUTE-DISCOVERY.request Parameters
15
Valid 16
Name Type Range Description 17
18
DstAddrMode Integer 0x00 – 0x02 A parameter specifying the kind of
destination address provided; The 19
DstAddrMode parameter may take one of the 20
following three values: 21
0x00 = No destination address 22
23
0x01 = 16-bit NWK address of a multicast
group 24
0x02 = 16-bit NWK address of an individual 25
device 26
27
DstAddr 16-bit Any NWK The destination of the route discovery.
NWK address or 28
Address multicast If the DstAddrMode parameter has a value of 29
address 0x00 then no DstAddr will be supplied. This 30
indicates that the route discovery will be a
many-to-one discovery with the device 31
issuing the discovery command as a target. 32
33
If the DstAddrMode parameter has a value of
0x01, indicating multicast route discovery 34
then the destination shall be the 16-bit NWK 35
address of a multicast group. 36
If the DstAddrMode parameter has a value of 37
0x02, this indicates unicast route discovery. 38
The DstAddr will be the 16-bit NWK address 39
of a device to be discovered. 40
Radius Integer 0x00 – 0xff This optional parameter describes the number 41
of hops that the route request will travel 42
through the network. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 293
In each of the three cases of actual route discovery described above, the NLME
will initiate route discovery by attempting to transmit a route discovery command 1
frame using the MCPS-DATA.request primitive of the MAC sub-layer. If a value 2
has been supplied for the optional Radius parameter, that value will be placed in 3
the radius field of the NWK header of the outgoing frame. If a value has not been 4
supplied then the radius field of the NWK header will be set to twice the value of 5
the nwkMaxDepth attribute of the NWK IB as would be the case for data frame 6
transmissions. If the MAC sub-layer fails, for any reason, to transmit the route 7
request command frame, the NLME will issue the ROUTE-DISCOVERY.confirm 8
primitive to the next higher layer with a Status parameter value equal to that 9
returned by the MCPS-DATA.confirm. If the route discovery command frame is 10
sent successfully and if the DstAddrMode parameter has a value of 0x00, 11
indicating many-to-one route discovery, the NLME will immediately issue the 12
ROUTE-DISCOVERY.confirm primitive with a value of SUCCESS. Otherwise, 13
the NLME will wait until either a route reply command frame is received or else 14
the route discovery operation times out as described in sub-clause 3.7.3.4. If a 15
route reply command frame is received before the route discovery operation times 16
out, the NLME will issue the NLME-ROUTE-DISCOVERY.confirm primitive to 17
the next higher layer with a Status value of SUCCESS. If the operation times out, 18
it will issue the NLME_ROUTE-DISCOVERY.confirm primitive with a Status of 19
ROUTE_DISCOVERY_FAILED. 20
21
3.3.13.2 NLME-ROUTE-DISCOVERY.confirm 22
23
This primitive informs the next higher layer about the results of an attempt to 24
initiate route discovery. 25
3.3.13.2.1 Semantics of the Service Primitive 26
27
The semantics of this primitive are as follows: 28
29
NLME-ROUTE-DISCOVERY.confirm {
30
Status
31
} 32
33
Table 3.34 specifies the parameters for the NLME-ROUTE- 34
DISCOVERY.confirm primitive. 35
Table 3.34 NLME-ROUTE-DISCOVERY.confirm Parameters 36
37
Name Type Valid Range Description 38
Status Status Value INVALID_REQUEST, The status of an attempt to 39
NO_ROUTING_CAPACITY, initiate route discovery 40
ROUTE_DISCOVERY_FAILED 41
or any status value returned by the 42
MCPS-DATA.confirm primitive 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 295
For NWK layer command frames, the discover route sub-field shall be set to 0x00
indicating suppression of route discovery. 1
2
3.4.1.1.4 Multicast Flag Sub-field 3
The multicast flag sub-field is 1 bit in length and has the value 0 if the frame is a 4
unicast or broadcast frame and the value 1 if it is a multicast frame. 5
6
3.4.1.1.5 Security Sub-field 7
The security sub-field shall have a value of 1, if and only if, the frame is to have 8
NWK security operations enabled. If security for this frame is implemented at 9
another layer or disabled entirely, it shall have a value of 0. 10
11
3.4.1.1.6 Source Route Sub-field 12
13
The source route sub-field shall have a value of 1 if and only if a source route
14
subframe is present in the NWK header. If the source route subframe is not
15
present the source route sub-field shall have a value of 0.
16
3.4.1.1.7 Destination IEEE Address Sub-field 17
18
The Destination IEEE address shall have a value of 1, if and only if the network 19
header is to include the full IEEE address of the destination. 20
3.4.1.1.8 Source IEEE Address Sub-field 21
22
The Source IEEE address shall have a value of 1, if and only if the network header 23
is to include the full IEEE address of the source device. 24
25
3.4.1.2 Destination Address Field 26
The destination address field shall always be present and shall be 2 octets in 27
length. If the multicast flag sub-field of the frame control field has the value 0, the 28
destination address field shall hold the 16-bit network address of the destination 29
device or a broadcast address (see Table ). If the multicast flag sub-field has the 30
value 1, the destination address field shall hold the 16-bit Group ID of the 31
destination multicast group. Note that the network address of a device shall 32
always be the same as its IEEE 802.15.4-2003 MAC short address. 33
34
3.4.1.3 Source Address Field 35
36
The source address field shall always be present. It will always be 2 octets in 37
length and shall hold the network address of the source device of the frame. Note 38
that the network address of a device shall always be the same as its IEEE 39
802.15.4-2003 MAC short address. 40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
298 Network Specification
member mode is used to transmit a multicast frame from a device that is not a
member of the multicast group to a device that is part of the multicast group. 1
2
Table 3.37 Values of the Multicast Mode Sub-field
3
Multicast Mode Field 4
Value: b0 b1 Field Meaning 5
6
00 Non-member mode
7
01 Member mode 8
10 Reserved 9
10
11 Reserved
11
12
3.4.1.8.2 NonmemberRadius Sub-field 13
The NonmemberRadius field indicates the range of a member mode multicast 14
when relayed by devices that are not members of the destination group. Receiving 15
devices that are members of the destination group will set this field to the value of 16
the MaxNonmemberRadius field. Receiving devices that are not members of the 17
destination group will discard the frame if the NonmemberRadius field has value 18
0 and will decrement the field if the NonmemberRadius field has a value in the 19
range 0x01 through 0x06. A value of 0x07 indicates an infinite range and is not 20
decremented. 21
22
3.4.1.8.3 MaxNonmemberRadius Sub-field 23
24
The maximum value of the NonmemberRadius field for this frame.
25
26
3.4.1.9 Source Route Subframe Field
27
The source route subframe field is only present if the source route sub-field of the 28
frame control field has a value of 1. It is divided into three sub-fields as illustrated 29
in Figure 3.8. 30
31
Octets: 1 1 Variable 32
Relay count Relay Relay list 33
index 34
35
36
Figure 3.8 Source Route Subframe Format
37
38
3.4.1.9.1 Relay Count Sub-field
39
The relay count sub-field indicates the number of relays contained in the relay list 40
sub-field of the source route subframe. 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
300 Network Specification
which case the responder address field contains the Group ID of the desired
group. 1
2
3.5.2.3.1.2 Route Repair Sub-field 3
4
The route repair sub-field is a single-bit field. It shall have a value of 1 if and only 5
if the route reply command frame is being generated as part of a route repair 6
operation for mesh network topology (see sub-clause 3.7.3.6.1). 7
3.5.2.3.2 Route Request Identifier 8
9
The route request identifier is the 8-bit sequence number of the route request to 10
which this frame is a reply. 11
12
3.5.2.3.3 Originator Address
13
The originator address field shall be 2 octets in length and shall contain the 16-bit 14
network address of the originator of the route request command frame to which 15
this frame is a reply. 16
17
3.5.2.3.4 Responder Address 18
The responder address field shall be 2 octets in length and shall always be the 19
same as the value in the destination address field of the corresponding route 20
request command frame. 21
22
3.5.2.3.5 Path Cost 23
The path cost field is used to sum link cost as the route reply command frame 24
transits the network (see sub-clause 3.7.3.4.3). 25
26
27
3.5.3 Route Error Command 28
29
A device uses the route error command when it is unable to forward a data frame. 30
The command notifies the source device of the data frame about the failure in 31
forwarding the frame. The payload of a route error command shall be formatted as 32
illustrated in Figure 3.15. 33
34
Octets: 1 1 2
35
Command frame Error code Destination 36
identifier address 37
(see Table 3.38) 38
Figure 3.15 Route Error Command Frame Format 39
40
3.5.3.1 MAC Data Service Requirements 41
42
In order to transmit this command using the MAC data service, specified in IEEE 43
802.15.4-2003 [B1], the following information shall be provided: 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 307
• The destination MAC address and PAN identifier shall be set to the address and
PAN identifier, respectively, of the first hop in the path back to the source of 1
the data frame that encountered a forwarding failure. 2
3
• The source MAC address and PAN identifier shall be set to the address and 4
PAN identifier of the device sending the route error command. 5
• The frame control field shall be set to specify that the frame is a MAC data 6
frame with MAC security disabled, since any secured frame originating from 7
the NWK layer shall use NWK layer security. The implementer shall determine 8
whether an acknowledgment shall be requested. 9
10
• The addressing mode and intra-PAN flags shall be set to support the addressing 11
fields described here. 12
13
3.5.3.2 NWK Header Fields 14
In order to send the route error command frame, the destination address field in 15
the NWK header shall be set to the same value as the source address field of the 16
data frame that encountered a forwarding failure. 17
18
The source address in the NWK header shall be set to the address of the device 19
sending the route error command. 20
21
3.5.3.3 NWK Payload Fields 22
The NWK frame payload of the route error command frame contains a command 23
frame identifier field, an error code field and a destination address field as 24
described below. The command frame identifier shall be set so as to specify the 25
route error command frame as defined in Table 3.38. 26
27
3.5.3.3.1 Error Code 28
29
The error code shall be set to one of the non-reserved values shown in Table 3.39.
30
Table 3.39 Error Codes for Route Error Command Frame 31
Value Error Code 32
33
0x00 No route available 34
0x01 Tree link failure 35
36
0x02 Non-tree link failure
37
0x03 Low battery level 38
0x04 No routing capacity 39
40
0x05 No Indirect Capacity 41
0x06 Indirect Transaction Expiry 42
43
0x07 Target Device Unavailable
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
308 Network Specification
Table 3.39 Error Codes for Route Error Command Frame (Continued)
1
Value Error Code 2
0x08 Target Address Unallocated 3
4
0x09 Parent Link Failure
5
0x0a Validate route 6
0x0b Source route failure 7
8
0x0c Many-to-one route failure 9
0x0d – 0xff Reserved 10
11
These error codes are used both as values for the error code field of a route error 12
command frame and as values of the Status parameter of the NLME-ROUTE- 13
ERROR.indication primitive. A brief explanation of each follows: 14
15
• No route available: Route discovery and/or repair has been attempted and no 16
route to the intended destination address has been discovered. 17
• Tree link failure: The routing failure occurred as a result of the failure of an 18
attempt to route the frame along the tree. 19
20
• Non-tree link failure: The failure did not occur as a result of an attempt to 21
route along the tree. 22
• Low battery level: The frame was not relayed because the relaying device was 23
running low on battery power. 24
25
• No routing capacity: The failure occurred because the relaying device has no 26
routing capacity. 27
• No indirect capacity: The failure occurred as the result of an attempt to buffer 28
a frame for a sleeping end device child and the relaying device had no buffer 29
capacity to use. 30
31
• Indirect transaction expiry: A frame that was buffered on behalf of a sleeping 32
end device child has been dropped as a result of a time-out. 33
• Target device unavailable: An end device child of the relaying device is, for 34
some reason, unavailable. 35
36
• Target address unallocated: The frame was addressed to a non-existent end 37
device child of the relaying device. 38
• Parent link failure: The failure occurred as a result of a failure in the RF link 39
to the device’s parent. 40
41
• Validate route: The multicast route identified in the destination address field 42
should be validated. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 309
• Source route failure: Source routing has failed, probably indicating a link
failure in one of the source route’s links. 1
2
• Many-to-one route failure: A route established as a result of a many-to-one 3
route request has failed. 4
3.5.3.3.2 Destination Address 5
6
The destination address is 2 octets in length and shall contain the destination 7
address from the data frame that encountered the forwarding failure. 8
9
3.5.4 Leave Command 10
11
The leave command is used by the NLME to inform other devices on the network 12
that a device is leaving the network or else to request that a device leave the 13
network. The payload of the leave command shall be formatted as shown in 14
Figure 3.16 15
16
Octets: 1 1 17
18
Command frame identifier Command options
(see Table 3.38)
19
20
Figure 3.16 Leave Command Frame Format 21
22
3.5.4.1 MAC Data Service Requirement 23
24
In order to transmit this command using the MAC data service, specified in IEEE 25
802.15.4-2003 [B1], the following information shall be provided: 26
• The destination MAC address and PAN identifier shall be set to the address and 27
PAN identifier, respectively, of the neighbor device to which the frame is being 28
sent. 29
30
• The source MAC address and PAN identifier shall be set to the address and 31
PAN identifier of the device sending the leave command. 32
• The frame control field shall be set to specify that the frame is a MAC data 33
frame with MAC security disabled, since any secured frame originating from 34
the NWK layer shall use NWK layer security. Acknowledgment shall be 35
requested. 36
37
• The addressing mode and intra-PAN flags shall be set to support the addressing 38
fields described here. 39
40
3.5.4.2 NWK Header Fields 41
In order to send a leave command frame, if the request subfield is set to 1 then the 42
destination address field in the NWK header shall be set to the network address of 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
310 Network Specification
the child device being requested to leave, the destination IEEE address sub-field
of the frame control field shall be set to 1, and the destination IEEE address field 1
shall be set to the IEEE address of the device being requested to leave. If the 2
request subfield is set to 0 then the destination address field in the NWK header 3
shall be set to 0xFFFC so that the indication is received by all ZigBee Routers, the 4
source IEEE address sub-field of the frame control field shall be set to 1, and the 5
source IEEE address field shall be set to the IEEE address of the device leaving 6
the network. The radius field in the NWK header shall be set to 1. 7
8
3.5.4.3 NWK Payload Fields 9
10
The NWK payload of the leave command frame contains a command frame 11
identifier field and a command options field. The command frame identifier field 12
shall be set to specify the leave command frame as described in Table 3.38. 13
3.5.4.3.1 Command Options Field 14
15
The format of the 8-bit command options field is shown in Figure 3.17. 16
17
Bit: 0 – 4 5 6 7 18
Reserved Rejoin Request Remove children 19
20
Figure 3.17 Leave Command Options Field 21
22
3.5.4.3.1.1 Rejoin Sub-field 23
The Rejoin sub-field is a single-bit field located at bit 5. If the value of this sub- 24
field is 1, the device that is leaving from its current parent will rejoin the network. 25
If the value of this sub-field is 0, the device will not join the network again. 26
27
3.5.4.3.1.2 Request Sub-field 28
29
The request sub-field is a single bit field located at bit 6. If the value of this sub- 30
field is 1 then the leave command frame is a request for another device to leave 31
the network. If the value of this sub-field is 0 then the leave command frame is an 32
indication that the sending device plans to leave the network. 33
34
3.5.4.3.1.3 Remove Children Sub-field 35
36
The remove children sub-field is a single bit field located at bit 7. If this sub-field 37
has a value of 1 then the children of the device that is leaving the network will also 38
be removed. 39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 311
• The addressing mode and intra-PAN flags shall be set to support the addressing
fields described here. The TXOptions will request 'indirect transmission' to be 1
used if the 'Receiver on when idle' bit of the 'Capability Information' byte 2
contained in the rejoin request command is equal to 0x00. Otherwise 'direct 3
transmission' will be used. 4
5
3.5.7.2 NWK Header Fields 6
7
When sending the rejoin response command frame, the NLME shall set the 8
destination address field of the NWK header to the previous short address of the 9
rejoining device. Both the destination IEEE address sub-field and the source IEEE 10
address sub-fields of the frame control field shall be set to 1. The destination IEEE 11
address field shall be set to the IEEE address of the rejoining device and the 12
source IEEE address field shall be set to the IEEE address of the parent. 13
14
3.5.7.3 NWK Payload Fields 15
The NWK frame payload contains a command identifier field, a short address 16
field, and a rejoin status field. The command frame identifier shall contain the 17
value indicating a rejoin response command frame. 18
19
3.5.7.3.1 Short Address Field 20
21
If the rejoin was successful this two-byte field contains the new short address
22
assigned to the rejoining device. If the rejoin was not successful this contains the
23
broadcast address (0xfffd).
24
3.5.7.3.2 Rejoin Status Field 25
26
This one-byte field shall contain one of the nonreserved association status values 27
specified in [B1]. 28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 315
If no suitable channel is found, the NLME shall terminate the procedure and
notify the next higher layer of the startup failure. This is achieved by issuing the 1
NLME-NETWORK-FORMATION.confirm primitive with the Status parameter 2
set to STARTUP_FAILURE. 3
4
If a suitable channel is found, the NLME shall select a PAN identifier for the new 5
network. To do this the device shall choose a random PAN identifier less than 6
0x3fff that is not already in use on the selected channel. Once the NLME makes 7
its choice, it shall set the macPANID attribute in the MAC sub-layer to this value 8
by issuing the MLME-SET.request primitive. 9
If no unique PAN identifier can be chosen, the NLME shall terminate the 10
procedure and notify the next higher layer of the startup failure by issuing the 11
NLME-NETWORK-FORMATION.confirm primitive with the Status parameter 12
set to STARTUP_FAILURE. 13
14
Once a PAN identifier is selected, the NLME shall select a 16-bit network address 15
equal to 0x0000 and set the macShortAddress PIB attribute in the MAC sub-layer 16
equal to the selected network address. 17
Once a network address is selected, the NLME shall check the value of the 18
nwkExtendedPANId attribute of the NIB. If this value is 0x0000000000000000 19
this attribute is initialized with the value of the MAC constant aExtendedAddress. 20
21
Once the value of the nwkExtendedPANId is checked, the NLME shall begin 22
operation of the new PAN by issuing the MLME-START.request primitive to the 23
MAC sub-layer. The parameters of the MLME-START.request primitive shall be 24
set according to those passed in the NLME-NETWORK-FORMATION.request, 25
the results of the channel scan, and the chosen PAN identifier. The status of the 26
PAN startup is communicated back via the MLME-START.confirm primitive. 27
On receipt of the status of the PAN startup, the NLME shall inform the next higher 28
layer of the status of its request to initialize the ZigBee coordinator. This is 29
achieved by issuing the NLME-NETWORK-FORMATION.confirm primitive 30
with the Status parameter set to the primitive returned in the MLME- 31
START.confirm from the MAC sub-layer. 32
33
The procedure to successfully start a new network is illustrated in the message 34
sequence chart (MSC) shown in Figure 3.21. 35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
326 Network Specification
When this procedure is initiated with the PermitDuration parameter set to a value
between 0x01 and 0xfe, the NLME shall set the macAssociationPermit PIB 1
attribute in the MAC sub-layer to TRUE. The NLME shall then start a timer to 2
expire after the specified duration. On expiry of this timer, the NLME shall set the 3
macAssociationPermit PIB attribute in the MAC sub-layer to FALSE. 4
5
When this procedure is initiated with the PermitDuration parameter set to 0xff, the 6
NLME shall set the macAssociationPermit PIB attribute in the MAC sub-layer to 7
TRUE for an unlimited amount of time, unless another NLME-PERMIT- 8
JOINING.request primitive is issued. 9
The procedure for permitting devices to join a network is illustrated in the MSC 10
shown in Figure 3.22. 11
12
13
Device Device Device 14
APL NWK MAC 15
16
NLME- 17
PERMIT-JOINING.request MLME-
SET.request 18
19
MLME- 20
SET.confirm
21
22
23
Duration to permit
joining 24
25
MLME- 26
SET.request
27
28
MLME- 29
NLME- SET.confirm
30
PERMIT-JOINING.confirm
31
32
Figure 3.22 Permitting Devices to Join a Network 33
34
3.7.1.3 Joining a Network 35
36
A parent-child relationship is formed when a device having membership in the 37
network allows a new device to join. The new device becomes the child, while the 38
first device becomes the parent. A child can be added to a network in the 39
following two ways: 40
• The child can join the network using the MAC layer association procedure 41
42
• Or, the child can be added to the network directly by a previously designated 43
parent device. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
328 Network Specification
Only those devices that are not already joined to a network shall initiate the join
procedure. If any other device initiates this procedure, the NLME shall terminate 1
the procedure and notify the next higher layer of the illegal request by issuing the 2
NLME-JOIN.confirm primitive with the Status parameter set to 3
INVALID_REQUEST. 4
5
For a device that is not already joined to a network, the NLME-JOIN.request 6
primitive shall cause the NWK layer to search its neighbor table for a suitable 7
parent device. A suitable parent device shall permit association and shall have a 8
link cost (see sub-clause 3.7.3.1 for details on link cost) of 3, at most. It shall also 9
have the potential parent field set to 1, if that field is present in the neighbor table 10
entry. 11
If the neighbor table contains no devices that are suitable parents, the NLME shall 12
respond with an NLME-JOIN.confirm with a status parameter of 13
NOT_PERMITTED. If the neighbor table has more than one device that could be 14
a suitable parent, the device which is at a minimum depth from the ZigBee 15
coordinator shall be chosen. If more than one device has a minimum depth, the 16
NWK layer is free to choose from among them. 17
18
Once a suitable parent is identified, the NLME shall issue an MLME- 19
ASSOCIATE.request primitive to the MAC sub-layer. The addressing parameters 20
in the MLME-ASSOCIATE.request primitive (see Chapter 2) shall be set to 21
contain the addressing information for the device chosen from the neighbor table. 22
The status of the association is communicated back to the NLME via the MLME- 23
ASSOCIATE.confirm primitive. 24
If the attempt to join was unsuccessful, the NWK layer shall receive an MLME- 25
ASSOCIATE.confirm primitive from the MAC sub-layer with the status 26
parameter indicating the error. If the status parameter indicates a refusal to permit 27
joining on the part of the neighboring device (that is, PAN at capacity or PAN 28
access denied), then the device attempting to join should set the Potential parent 29
bit to 0 in the corresponding neighbor table entry to indicate a failed join attempt. 30
Setting the Potential parent bit to 0 ensures that the NWK layer shall not issue 31
another request to associate to the same neighboring device. The Potential parent 32
bit should be set to 1 for every entry in the neighbor table each time an MLME- 33
SCAN.request primitive is issued. 34
35
A join request may also be unsuccessful, if the potential parent is not allowing 36
new routers to associate (for example, the max number of routers, 37
nwkMaxRouters may already have associated with the device) and the joining 38
device has set the JoinAsRouter parameter to TRUE. In this case the NLME- 39
JOIN.confirm primitive will indicate a status of NOT_PERMITTED. In this case 40
the child device’s application may wish to attempt to join again as an end device 41
instead, by issuing another NLME-JOIN.request with the JoinAsRouter parameter 42
set to FALSE. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
330 Network Specification
If the attempt to join was unsuccessful, the NLME shall attempt to find another
suitable parent from the neighbor table. If no such device could be found, the 1
NLME shall issue the NLME-JOIN.confirm primitive with the Status parameter 2
set to the value returned in the MLME-ASSOCIATE.confirm primitive. 3
4
If the attempt to join was unsuccessful and there is a second neighboring device 5
that could be a suitable parent, the NWK layer shall initiate the MAC sub-layer 6
association procedure with the second device. The NWK layer shall repeat this 7
procedure until it either joins the PAN successfully or exhausts its options to join 8
the PAN. 9
If the device cannot successfully join the PAN specified by the next higher layer, 10
the NLME shall terminate the procedure by issuing the NLME-JOIN.confirm 11
primitive with the Status parameter set to the value returned in the last received 12
MLME-ASSOCIATE.confirm primitive. In this case, the device shall not receive 13
a valid logical address and shall not be permitted to transmit on the network. 14
15
If the attempt to join was successful, the MLME-ASSOCIATE.confirm primitive 16
received by the NWK layer shall contain a 16-bit logical address unique to that 17
network that the child can use in future transmissions. The NWK layer shall then 18
set the Relationship field in the corresponding neighbor table entry to indicate that 19
the neighbor is its parent. By this time, the parent shall have each added the new 20
device to its neighbor table. Furthermore, the NWK layer will update the value of 21
nwkShortAddress in the NIB. 22
If the device is attempting to join a secure network and it is a router, it will need to 23
wait until its parent has authenticated it before transmitting beacons. The device 24
shall therefore wait for an NLME-START-ROUTER.request primitive to be 25
issued from the next higher layer. Upon receipt of this primitive, the NLME shall 26
issue an MLME-START.request primitive if it is a router. If the NLME-START- 27
ROUTER.request primitive is issued on an end device, the NWK layer shall issue 28
an NLME-START-ROUTER.confirm primitive with the status value set to 29
INVALID_REQUEST. 30
31
Once the device has successfully joined the network, if it is a router and the next 32
higher layer has issued a NLME-START-ROUTER.request, the NWK layer shall 33
issue the MLME-START.request primitive to its MAC sub-layer to setup its 34
superframe configuration and begin transmitting beacon frames, if applicable. 35
Beacon frames are only transmitted if the BeaconOrder parameter is not equal to 36
15 (See [B1]). The PANId, LogicalChannel, BeaconOrder and SuperframeOrder 37
parameters shall be set equal to the corresponding values held in the neighbor 38
table entry for its parent. The PANCoordinator and CoordRealignment parameters 39
shall both be set to FALSE. Upon receipt of the MLME-START.confirm 40
primitive, the NWK layer shall issue an NLME-START-ROUTER.confirm 41
primitive with the same status value. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 331
Every beacon frame received during the scan having a non-zero length payload
shall cause the MLME-BEACON-NOTIFY.indication primitive to be issued from 1
the MAC sub-layer of the scanning device to its NLME. The NLME of the 2
scanning device shall check the ExtendedPANId contained within the beacon 3
payload to see if it is of the correct value. If not, the beacon is ignored. Otherwise, 4
the device shall copy the relevant information from each received beacon (see 5
Figure 3.37 for the structure of the beacon payload) into its neighbor table (see 6
Table 3.43 and Table 3.44 for the contents of a neighbor table entry). 7
8
Once the MAC sub-layer signals the completion of the scan by issuing the 9
MLME-SCAN.confirm primitive to the NLME, the NWK layer shall search its 10
neighbor table for a suitable parent device. A suitable parent device shall advertise 11
device capacity of the type requested in the JoinAsRouter parameter and shall 12
have a link cost (see sub-clause 3.7.3.1) of 3, at most. If the neighbor table 13
contains no devices that are suitable parents, the NLME shall respond with an 14
NLME-JOIN.confirm with a status parameter of NOT_PERMITTED. If the 15
neighbor table has more than one device that could be a suitable parent and the 16
nwkUseTreeAddrAlloc NIG attribute has a value of TRUE, the device which is at 17
a minimum depth from the ZigBee coordinator shall be chosen. Once a suitable 18
parent is identified, the NLME shall construct a NWK rejoin request command 19
frame. The addressing parameters in the rejoin request command shall be set to 20
contain the addressing information for the device chosen from the neighbor table. 21
After the successful transmission of the rejoin request command using the MAC 22
data service the network layer will load a count down timer with a value of 23
aResponseWaitTime ([B1]), If the RxOnWhenIdle parameter is equal to FALSE, 24
when the timer expires the NWK layer will issue a MLME-POLL.request to the 25
potential parent, to retrieve the rejoin response command. 26
27
On receipt of a rejoin response command frame, after the above procedure or at 28
any other time, the device shall check the rejoining device IEEE address field and 29
the parent device IEEE address field of the command frame payload. If the 30
rejoining device IEEE address field is not equal in value to the IEEE address of 31
the receiving device or if the parent device IEEE address field is not equal in value 32
to the IEEE address of the most recent potential parent to which a rejoin request 33
command frame was sent, or the current parent in the case of an unsolicited rejoin 34
response, then the rejoin response command frame shall be discarded without 35
further processing. 36
If the rejoin status field within the rejoin response command frame indicates a 37
refusal to permit rejoining on the part of the neighboring device (that is, PAN at 38
capacity or PAN access denied), then the device attempting to rejoin should set the 39
potential parent bit to 0 in the corresponding neighbor table entry to indicate a 40
failed join attempt. Setting the potential parent bit to 0 ensures that the NWK layer 41
shall not issue another request to rejoin to the same neighboring device. If the 42
attempt to join was unsuccessful, the NLME shall attempt to find another suitable 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 335
parent from the neighbor table. If no such device could be found, the NLME shall
issue the NLME-JOIN.confirm primitive with the Status parameter set to 1
NOT_PERMITTED. If the attempt to join was unsuccessful and there is a second 2
neighboring device that could be a suitable parent, the NWK layer shall initiate 3
the NWK rejoin procedure with the second device. The NWK layer shall repeat 4
this procedure until it either rejoins the PAN successfully or exhausts its options to 5
rejoin the PAN. If the device cannot successfully rejoin the PAN specified by the 6
next higher layer, the NLME shall terminate the procedure by issuing the NLME- 7
JOIN.confirm primitive with the Status parameter set to NOT_PERMITTED. In 8
this case, the device shall not receive a valid logical address and shall not be 9
permitted to transmit on the network. If the attempt to rejoin was successful, the 10
NWK rejoin response command received by the NWK layer shall contain a 16-bit 11
logical address unique to that network that the child can use in future 12
transmissions. The NWK layer shall then set the relationship field in the 13
corresponding neighbor table entry to indicate that the neighbor is its parent. By 14
this time, the parent shall have each added the new device to its neighbor table. 15
Furthermore, the NWK layer will update the value of nwkShortAddress in the 16
NIB. 17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Figure 3.25 Child Rejoin Procedure 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
336 Network Specification
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Figure 3.26 Parent Rejoin Procedure 17
18
3.7.1.3.3 Joining a Network Directly 19
This sub-clause specifies how a device can be directly added to a network by a 20
previously designated parent device (ZigBee coordinator or router). In this case, 21
the parent device is preconfigured with the 64-bit address of the child device. The 22
following text describes how this prior address knowledge may be used to 23
establish the parent-child relationship. 24
25
The procedure for a ZigBee coordinator or router to directly join a device to its 26
network is initiated by issuing the NLME-DIRECT-JOIN.request primitive with 27
the DeviceAddress parameter set to the address of the device to be joined to the 28
network. Only those devices that are either a ZigBee coordinator or a ZigBee 29
router may initiate this procedure. If this procedure is initiated on any other 30
device, the NLME may terminate the procedure and notify the next higher layer of 31
the illegal request by issuing the NLME-DIRECT-JOIN.confirm primitive with 32
the Status parameter set to INVALID_REQUEST. 33
When this procedure is initiated, the NLME of the parent shall first determine 34
whether the specified device already exists on its network. To do this, the NLME 35
shall search its neighbor table in order to determine whether a matching 64-bit, 36
extended address can be found. If a match is found, the NLME shall terminate the 37
procedure and notify the next higher layer that the device is already present in the 38
device list by issuing the NLME-DIRECT-JOIN.confirm primitive with the Status 39
parameter set to ALREADY_PRESENT. 40
41
If a match is not found, the NLME shall, if possible, allocate a 16-bit network 42
address for the new device, which is unique to that network. A finite address space 43
is allocated to every potential parent device, and the potential parent shall create a 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
338 Network Specification
new entry for the device in its neighbor table only if it has sufficient capacity. If
capacity is not available, the NLME shall terminate the procedure and notify the 1
next higher layer of the unavailable capacity by issuing the NLME-DIRECT- 2
JOIN.confirm primitive with the Status parameter set to 3
NEIGHBOR_TABLE_FULL. If capacity is available, the NLME shall inform the 4
next higher layer that the device has joined the network by issuing the NLME- 5
DIRECT-JOIN.confirm primitive with the Status parameter set to SUCCESS. 6
7
The ZigBee coordinator determines the amount of address space given to every 8
potential parent device. See sub-clause 3.7.1.5 and sub-clause 3.7.1.6 for an 9
explanation of the address assignment mechanism. 10
Once the parent has added the child to its network, it is still necessary for the child 11
to make contact with the parent to complete the establishment of the parent-child 12
relationship. The child shall fulfill this requirement by initiating the orphaning 13
procedure, which is described in sub-clause 3.7.1.3.3.1. 14
15
A parent that supports direct joining shall follow the procedure illustrated in 16
Figure 3.27 to successfully join a device to the network directly. This procedure 17
does not require any over-the-air transmissions. 18
19
20
Parent Parent Parent 21
APL NWK MAC 22
23
NLME-DIRECT-
JOIN.request(DeviceAddress)
24
25
26
Check extended address and
assign logical address
27
28
NLME-DIRECT- 29
JOIN.confirm 30
31
32
Figure 3.27 Joining a Device to a Network Directly 33
34
3.7.1.3.3.1 Joining or Re-joining a Network Through Orphaning 35
36
This sub-clause specifies how the orphaning procedure can be initiated by a
37
device that has been directly joined to a network (joining through orphaning) or
38
by a device that was previously joined to a network but has lost contact with its
39
parent (re-joining through orphaning).
40
A device that has been added to a network directly shall initiate the orphan 41
procedure in order to complete the establishment of its relationship with its parent. 42
The application on the device will determine whether to initiate this procedure 43
and, if so, will notify the network layer upon power up. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 339
A device that was previously joined to a network has the option of initiating the
orphan procedure if its NLME repeatedly receives communications failure 1
notifications from its MAC sub-layer. 2
3
3.7.1.3.3.2 Child Procedure 4
5
The optional joining through orphaning procedure is initiated by a device using 6
the NLME-JOIN.request primitive with the RejoinNetwork parameter set to 0x01. 7
When this procedure is initiated, the NLME shall first request that the MAC sub- 8
layer perform an orphan scan over the over the set of channels given by the 9
ScanChannels parameter. An orphan scan is initiated by issuing the MLME- 10
SCAN.request primitive to the MAC sub-layer, and the result is communicated 11
back to the NLME via the MLME-SCAN.confirm primitive. 12
13
If the orphan scan was successful — that is, the child has found its parent — the 14
NLME shall inform the next higher layer of the success of its request to join or re- 15
join the network by issuing the NLME-JOIN.confirm primitive with the Status 16
parameter set to SUCCESS. 17
Note that if the child device is joining for the first time or if the child device has 18
previously been joined to the network but has failed to retain tree depth 19
information as prescribed in sub-clause 3.7.7.1, it may not be able to operate 20
correctly on the network without taking measures, outside the scope of this 21
specification, for the recovery of this information. 22
23
If the orphan scan was unsuccessful (the parent has not been found), the NLME 24
shall terminate the procedure and notify the next higher layer that no networks 25
were found. This is achieved by issuing the NLME-JOIN.confirm primitive with 26
the Status parameter set to NO_NETWORKS. 27
The procedure for a child to successfully join or re-join a network through 28
orphaning is illustrated in the MSC shown in Figure 3.28 29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
340 Network Specification
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Figure 3.29 Parent Procedure for Joining or Re-joining a Device to its Network
Through Orphaning 18
19
3.7.1.4 Neighbor Tables 20
21
The neighbor table of a device shall contain information on every device within 22
transmission range, up to some implementation-dependent limit. 23
24
The neighbor table is useful in two contexts. First of all, it is used during network
25
discovery or rejoining to store information about routers within RF reception
26
range that may be candidate parents. Second, after the device has joined a
27
network, it is used to store relationship and link-state information about
28
neighboring devices in that network. A table entry shall be updated every time a
29
device receives any frame from the corresponding neighbor.
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
342 Network Specification
Mandatory and optional data that are used in normal network operation are listed
in Table 3.43. 1
2
Table 3.43 Neighbor Table Entry Format
3
Field 4
Field Name Type Valid Range Description 5
6
Extended address Integer An extended 64-bit, 64-bit IEEE address that is unique
IEEE address to every device; This field shall be 7
present if the neighbor is a parent 8
or child of the device 9
Network address Network 0x0000 – 0xffff The 16-bit network address of the 10
address neighboring device. 11
12
This field shall be present in every
neighbor table entry 13
14
Device type Integer 0x00 – 0x02 The type of the neighbor device: 15
0x00 = ZigBee coordinator 16
0x01 = ZigBee router; 17
0x02 = ZigBee end device 18
This field shall be present in every 19
neighbor table entry 20
21
RxOnWhenIdle Boolean TRUE or FALSE Indicates if neighbor’s receiver is
enabled during idle portions of the 22
CAP: 23
24
TRUE = Receiver is on
25
FALSE = Receiver is off
26
This field should be present for 27
entries that record the parent or
children of a ZigBee router or 28
ZigBee coordinator 29
30
Relationship Integer 0x00 – 0x03 The relationship between the
neighbor and the current device: 31
32
0x00=neighbor is the parent 33
0x01=neighbor is a child 34
0x02=neighbor is a sibling 35
0x03=none of the above 36
0x04=previous child 37
This field shall be present in every 38
neighbor table entry 39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 343
table entries corresponding to devices that are not members of the chosen network
should similarly be discarded. 1
2
Table 3.44 Additional Neighbor Table Fields
3
Field 4
Field Name Type Valid Range Description 5
6
Extended PAN ID Integer 0x00000000000000 The 64-bit unique identifier of the
01 - network to which the device 7
0xfffffffffffffffe belongs. 8
9
Logical channel Integer Selected from the The logical channel on which the
available logical network is operating. 10
channels supported 11
by the PHY. 12
Depth Integer 0x00 – The tree depth of the neighbor 13
nwkcMaxDepth device. 14
15
Beacon order Integer 0x00 – 0x0f The IEEE 802.15.4 beacon order
for the device.
16
17
Permit joining Boolean TRUE or FALSE An indication of whether the 18
device is accepting joining
19
requests.
20
TRUE = device is accepting join 21
requests.
22
FALSE - device is not accepting 23
join requests.
24
Potential parent Integer 0x00 – 0x01 An indication of whether the 25
device has been ruled out as a 26
potential parent.
27
0x00 indicates that the device is 28
not a potential parent. 29
0x01 indicates that the device is a 30
potential parent.
31
32
3.7.1.5 Distributed Address Assignment Mechanism 33
34
The default value for the NIB attribute nwkUseTreeAddrAlloc is TRUE, network 35
addresses are assigned using a distributed addressing scheme that is designed to 36
provide every potential parent with a finite sub-block of network addresses. These 37
addresses are unique within a particular network and are given by a parent to its 38
children. The ZigBee coordinator determines the maximum number of children 39
any device, within its network, is allowed. Of these children, a maximum of 40
nwkMaxRouters can be router-capable devices. The remaining devices shall be 41
reserved for end devices. Every device has an associated depth which indicates 42
the minimum number of hops a transmitted frame must travel, using only parent- 43
child links, to reach the ZigBee coordinator. The ZigBee coordinator itself has a 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 345
address of its parent device, indicating a MAC unicast. The request and remove
children sub-fields of the command options field of the leave command frame 1
shall be set to 0. After transmission of the leave command frame, it shall issue a 2
NWK-LEAVE.confirm primitive to the higher layer with the DeviceAddress 3
parameter equal to NULL. The status parameter shall be SUCCESS if the leave 4
command frame was transmitted successfully. Otherwise, the status parameter of 5
the NLME-LEAVE.confirm shall have the same value as the status parameter 6
returned by the MCPS-DATA.confirm primitive. 7
8
3.7.1.8.2 Method for a Device to Remove Its Child from the Network 9
This sub-clause describes how a device can initiate the removal from the network 10
of one of its child devices in response to the receipt of an NLME-LEAVE.request 11
primitive from the next higher layer as shown in Figure 3.32. 12
13
14
15
16
17
18
19
20
21
22
23
24
25
Figure 3.32 Procedure for a Device to Remove Its Child 26
27
On receipt, by the NWK layer of a ZigBee coordinator or ZigBee router, of the 28
NLME-LEAVE.request primitive with the DeviceAddress parameter equal to the 29
64-bit IEEE address of a child device, if the Silent parameter of the NLME- 30
LEAVE.request primitive has a value of FALSE, the device shall send a network 31
leave command frame using the MCPS-DATA.request primitive with the DstAddr 32
parameter set to the 16-bit network address of that child device. The request sub- 33
field of the command options field of the leave command frame shall have a value 34
of 1, indicating a request to leave the network. The value of the remove children 35
sub-field of the command options field of the leave command shall reflect the 36
value of the RemoveChildren parameter of the NLME-LEAVE.request primitive, 37
and the value of the Rejoin sub-field of the leave command shall reflect the value 38
of the Rejoin parameter of the NLME-LEAVE.request primitive. 39
40
If the Silent parameter has a value of TRUE the device shall not send a network 41
leave command frame. 42
The NWK layer shall then issue the NLME-LEAVE.confirm primitive with the 43
DeviceAddress parameter set to the 64-bit IEEE address of the child device being 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
350 Network Specification
removed and with a status of SUCCESS or, if a network leave command was
transmitted and the transition was unsuccessful, with the same value as the status 1
parameter returned by the MCPS-DATA.indication primitive. 2
3
After the child device has been removed, the NWK layer of the parent should 4
modify its neighbor table, and any other internal data structures that refer to the 5
child device, to indicate that the device is no longer on the network. It is an error 6
for the next higher layer to address and transmit frames to a child device after that 7
device has been removed. 8
If the ReuseAddress parameter of the NLME-LEAVE.request primitive has a 9
value of TRUE then the address formerly in use by the device being asked to leave 10
may be assigned to another device that joins subsequently. 11
12
ZigBee end devices have no child devices to remove and should not receive 13
NLME-LEAVE.request primitives with non-NULL DeviceAddress parameters. 14
3.7.1.8.3 Upon Receipt of the Leave Command Frame 15
16
Upon receipt of the leave command frame by the NWK layer via the MCPS- 17
DATA.indication primitive, as shown in Figure 3.33, the device shall check the 18
value of the request sub-field of the command options field of the command 19
frame. If the request sub-field has a value of 0 then the NWK layer shall issue the 20
NLME-LEAVE.indication primitive to the next higher layer with the device 21
address parameter equal to the value contained in the Leaving Device IEEE 22
Address subfield of the leave command frame. The device should also modify its 23
neighbor table, and any other internal data structures that refer to the leaving 24
device, to indicate that it is no longer on the network. It is an error for the next 25
higher layer to address and transmit frames to a device after that device has left 26
the network. 27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 351
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Figure 3.33 On Receipt of a Leave Command 16
17
If, on receipt, by the NWK layer of a ZigBee router, of a leave command frame as 18
described above, the SrcAddr parameter of the MCPS-DATA.indication that 19
delivered the command frame is the 16-bit network address of the parent of the 20
recipient, and either the value of the request sub-field of the command options 21
field is found to have a value of 1 or the value of the remove children sub-field of 22
the command options field is found to have a value of 1 then the recipient shall 23
send a leave command frame using the MCPS-DATA.request primitive with the 24
DstAddr parameter set to 0xffff indicating a MAC broadcast. The request subfield 25
of the command options field of the leave command frame shall be set to 0. 26
The value of the remove children sub-field of the command options field of the 27
outgoing leave command shall reflect the value of the same field for the incoming 28
leave command frame. After transmission of the leave command frame it shall 29
issue a NLME-LEAVE.indication primitive to the higher layer with 30
DeviceAddress parameter equal to NULL. 31
32
If the request sub-field has a value of 1 and the source of the leave command 33
frame is a device other than the parent of the recipient, the frame shall be 34
immediately and silently discarded. 35
If a ZigBee end device receives a leave command frame as described above and 36
the SrcAddr parameter of the MCPS-DATA.indication that delivered the 37
command frame is the 16-bit network address of the parent of the recipient, the 38
receiver shall issue a NLME-LEAVE.indication primitive to the higher layer with 39
DeviceAddress parameter equal to NULL. 40
41
The NWK layer may employ retry techniques, as described in sub-clause 3.7.5 to 42
enhance the reliability of the leave procedure but, beyond this note, these 43
mechanisms are outside the scope of this specification. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
352 Network Specification
All frames handled by or generated within the NWK layer shall be constructed
according to the general frame format specified in Figure 3.5 and transmitted 1
using the MAC sub-layer data service. 2
3
In addition to source address and destination address fields, all NWK layer 4
transmissions shall include a radius field and a sequence number field. For data 5
frames originating at a higher layer, the value of the radius field may be supplied 6
using the Radius parameter of the NLDE-DATA.request primitive. If a value is 7
not supplied, then the radius field of the NWK header shall be set to twice the 8
value of the nwkMaxDepth attribute of the NWK IB (see clause 3.6). The NWK 9
layer on every device shall maintain a sequence number that is initialized with a 10
random value. The sequence number shall be incremented by 1, each time the 11
NWK layer constructs a new NWK frame, either as a result of a request from the 12
next higher layer to transmit a new NWK data frame or when it needs to construct 13
a new NWK layer command frame. After being incremented, the value of the 14
sequence number shall be inserted into the sequence number field of the frame's 15
NWK header. 16
Once an NPDU is complete, if security is required for the frame, it shall be passed 17
to the security service provider for subsequent processing according to the 18
specified security suite (see sub-clause 4.2.3). Security processing is not required 19
if the SecurityEnable parameter of the NLDE-DATA.request is equal to FALSE. If 20
the NWK security level as specified in nwkSecurityLevel is equal to 0, or if the 21
frame originated at the higher layer and the nwkSecureAllFrames NIB attribute is 22
set to 0x00, then the security sub-field of the frame control field shall always be 23
set to 0. 24
25
On successful completion of the secure processing, the security suite returns the 26
frame to the NWK layer for transmission. The processed frame will have the 27
correct auxiliary header attached. If security processing of the frame fails and the 28
frame was a data frame, the frame will inform the higher layer of the NLDE- 29
DATA.confirm primitive’s status. If security processing of the frame fails and the 30
frame is a network command frame, it is discarded and no further processing shall 31
take place. 32
When the frame is constructed and ready for transmission, it shall be passed to the 33
MAC data service. An NPDU transmission is initiated by issuing the MCPS- 34
DATA.request primitive to the MAC sub-layer. The MCPS-DATA.confirm 35
primitive then returns the results of the transmission. 36
37
3.7.2.2 Reception and Rejection 38
39
In order to receive data, a device must enable its receiver. The next higher layer 40
may initiate reception using the NLME-SYNC.request primitive. On a beacon- 41
enabled network, receipt of this primitive by the NWK layer will cause a device to 42
synchronize with its parent’s next beacon and, optionally, to track future beacons. 43
The NWK layer shall accomplish this by issuing an MLME-SYNC.request to the 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
354 Network Specification
• Route reply command frames for which the destination address does not match
the device's network address shall be discarded immediately. Route error 1
command frames shall be handled in the same manner as data frames. 2
3
The NWK layer shall indicate the receipt of a data frame to the next higher layer 4
using the NLDE-DATA.indication primitive. 5
On receipt of a frame, the NLDE shall check the value of the security sub-field of 6
the frame control field. If this value is non-zero, the NLDE shall pass the frame to 7
the security service provider (see 4.2.3) for subsequent processing according to 8
the specified security suite. If the security sub-field is set to 0, the 9
nwkSecurityLevel attribute in the NIB is non-zero and the incoming frame is a 10
NWK command frame, the NLDE shall discard the frame. If the security sub-field 11
is set to 0, the nwkSecurityLevel attribute in the NIB is non-zero and the incoming 12
frame is a NWK data frame, the NLDE shall check the nwkSecureAllFrames NIB 13
attribute. If this attribute is set to 0x01, the NLDE shall only accept the frame if it 14
is destined to itself, that is, if it does not need to be forwarded to another device. 15
16
17
3.7.3 Routing 18
19
ZigBee coordinators and routers shall provide the following functionality: 20
• Relay data frames on behalf of higher layers 21
22
• Relay data frames on behalf of other ZigBee routers 23
• Participate in route discovery in order to establish routes for subsequent data 24
frames 25
26
• Participate in route discovery on behalf of end devices 27
• Participate in end-to-end route repair 28
29
• Participate in local route repair 30
• Employ the ZigBee path cost metric as specified in route discovery and route 31
repair 32
33
ZigBee coordinators or routers may provide the following functionality: 34
• Maintain routing tables in order to remember best available routes 35
36
• Initiate route discovery on behalf of higher layers 37
• Initiate route discovery on behalf of other ZigBee routers 38
39
• Initiate end-to-end route repair 40
• Initiate local route repair on behalf of other ZigBee routers 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
356 Network Specification
received the frame from the next higher layer, it shall check its source route table
for an entry corresponding to the routing destination. If such an entry is found, the 1
device shall transmit the frame using source routing as described in sub- 2
clause 3.7.3.3.1. If the device does not have a routing table entry for the routing 3
destination and it is not originating the frame using source routing, it shall 4
examine the discover route sub-field of the NWK header frame control field. If 5
the discover route sub-field has a value of 0x01, the device shall initiate route 6
discovery, as described in sub-clause 3.7.3.4.1. If the discover route sub-field has 7
a value of 0 and the NIB attribute nwkUseTreeRouting has a value of TRUE then 8
the device shall route along the tree using hierarchical routing. If the discover 9
route sub-field has a value of 0, the NIB attribute nwkUseTreeRouting has a value 10
of FALSE and there is no routing table corresponding to the routing destination of 11
the frame, the frame shall be discarded and the NLDE shall issue the NLDE- 12
DATA.confirm primitive with a Status value of ROUTE_ERROR. 13
14
A device without routing capacity shall route along the tree using hierarchical 15
routing provided that the value of the NIB attribute nwkUseTreeRouting is TRUE. 16
For hierarchical routing, if the destination is a descendant of the device, the device 17
shall route the frame to the appropriate child. If the destination is a child, and it is 18
also an end device, delivery of the frame can fail due to the macRxOnWhenIdle 19
state of the child device. If the child has macRxOnWhenIdle set to FALSE, 20
indirect transmission as described in IEEE 802.15.4-2003 [B1] may be used be 21
used to deliver the frame. If the destination is not a descendant, the device shall 22
route the frame to its parent. 23
24
Every other device in the network is a descendant of the ZigBee coordinator and 25
no device in the network is the descendant of any ZigBee end device. For a 26
ZigBee router with address A at depth d, if the following logical expression is true, 27
then a destination device with address D is a descendant: 28
A < D < A + Cskip ( d – 1 ) 29
30
For a definition of Cskip ( d ) , see sub-clause 3.7.1.5. 31
If it is determined that the destination is a descendant of the receiving device, the 32
address N of the next hop device is given by: 33
34
N = D 35
for ZigBee end devices, where D > A + Rm × Cskip ( d ) , and otherwise: 36
37
38
⎢ D − ( A + 1) ⎥ 39
N = A +1+ ⎢ ⎥ × Cskip (d ) 40
⎣ Cskip (d ) ⎦ 41
42
If the NWK layer on a ZigBee router or ZigBee coordinator fails to deliver a
43
unicast or multicast data frame for any reason, the router or coordinator shall
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 361
make its best effort to report the failure. This reporting may take one of two forms.
If the failed data frame was being relayed as a result of a request from the next 1
higher layer, then the NWK layer shall issue an NLME-ROUTE- 2
ERROR.indication to the next higher layer. The value of the ShortAddr parameter 3
of the primitive shall be the intended destination of the frame. If the frame was 4
being relayed on behalf of another device, then the relaying device shall both 5
issue the NLME-ROUTE-ERROR.indication primitive and send a route error 6
command frame back to the source of the data frame. The destination address 7
field of the route error command frame shall be taken from the destination address 8
field of the failed data frame. 9
10
In either case, the reasons for failure that may be reported appear in Table 3.39. 11
3.7.3.3.1 Originating a Source Routed Data Frame 12
13
On receipt of a data frame from the next higher layer, the device shall transmit the 14
frame using source routing under the conditions described in sub-clause 3.7.3.3. 15
The source route shall be retrieved from the source route table. 16
17
If there are no intermediate relay nodes, the frame shall be transmitted directly to 18
the routing destination without source routing by using the MCPS-DATA.request 19
primitive, with the DstAddr parameter value indicating the routing destination. 20
If there is at least one relay node, the source route flag of the NWK header frame 21
control field shall be set, and the NWK header source route subframe shall be 22
present. The relay count sub-field of the source route subframe shall have a value 23
equal to the number of relays in the relay list. The relay index sub-field shall have 24
a value equal to 1 less than the number of relays. The relay list sub-field shall 25
contain the list of relay addresses, least significant byte first. The relay closest to 26
the destination shall be listed first. The relay closest to the originator shall be 27
listed last. 28
29
The device shall relay the frame using the MCPS-DATA.request primitive. The 30
DstAddr parameter shall have the value of the final relay address in the relay list. 31
3.7.3.3.2 Relaying a Source Routed Data Frame 32
33
To relay a source routed data frame received from the MAC sub-layer as 34
described in sub-clause 3.7.3.3, the device shall search the relay list sub-field of 35
the NWK header source route subframe for its short address. If the short address is 36
not found, or if its index in the relay list does not match the value of the relay 37
index sub-field, the frame shall be discarded and no further action shall be taken. 38
If the relay index sub-field has a value of 0, the device shall relay the frame 39
directly to the NWK header destination using the MCPS-DATA.request primitive. 40
41
If the relay index sub-field has a value other than 0, the device shall decrement the 42
relay index sub-field by 1, and relay the frame to the address immediately prior to 43
its own address in the relay list sub-field. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
362 Network Specification
The many-to-one route discovery procedure shall be initiated by the NWK layer
of a ZigBee router or coordinator on receipt of an NLME-ROUTE- 1
DISCOVERY.request primitive from the next higher layer where the 2
DstAddrMode parameter has a value of 0x00. It is not necessary for the device to 3
create a route table entry in this case. A route request command frame with 4
destination address set to the broadcast address 0xffff shall be created and 5
broadcast as described in this sub-clause. 6
7
3.7.3.4.2 Upon Receipt of a Route Request Command Frame 8
Upon receipt of a route request command frame, if the device is an end-device, it 9
shall drop the frame. Otherwise, it shall determine if it has routing capacity. 10
11
If the device does not have routing capacity and the route request is a multicast 12
route request or a many-to-one-route request, the route request shall be discarded 13
and route request processing shall be terminated. 14
If the device does not have routing capacity and the route request is a unicast route 15
request, the device shall check if the frame was received along a valid path. A path 16
is valid if the frame was received from one of the device’s child devices and the 17
source device is a descendant of that child device, or if the frame was received 18
from the device’s parent device and the source device is not a descendant of the 19
device. If the route request command frame was not received along a valid path, it 20
shall be discarded. Otherwise, the device shall check if it is the intended 21
destination. It shall also check if the destination of the command frame is one of 22
its end-device children by comparing the destination address field of the route 23
request command frame payload with the address of each of its end-device 24
children, if any. If either the device or one of its end-device children is the 25
destination of the route request command frame, it shall reply with a route reply 26
command frame. When replying to a route request with a route reply command 27
frame, the device shall construct a frame with the frame type field set to 0x01. The 28
route reply’s source address shall be set to the 16-bit network address of the 29
device creating the route reply and the destination address shall be set to the 30
calculated next hop address, considering the originator of the route request as a 31
destination. The link cost from the next hop device to the current device shall be 32
computed as described in sub-clause 3.7.3.1 and inserted into the path cost field of 33
the route reply command frame. The route reply command frame shall be unicast 34
to the next hop device by issuing an MCPS-DATA.request primitive. 35
36
If the device is not the destination of the route request command frame, the device 37
shall compute the link cost from the previous device that transmitted the frame, as 38
described in sub-clause 3.7.3.1. This value shall be added to the path cost value 39
stored in the route request command frame. The route request command frame 40
shall then be unicast towards the destination using the MCPS-DATA.request 41
service primitive. The next hop for this unicast transmission is determined in the 42
same manner as if the frame were a data frame addressed to the device identified 43
by the destination address field in the payload. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 365
If the device does have routing capacity and the received request is a unicast route
request, the device shall check if it is the destination of the command frame by 1
comparing the destination address field of the route request command frame 2
payload with its own address. It shall also check if the destination of the command 3
frame is one of its end-device children by comparing the destination address field 4
of the route request command frame payload with the address of each of its end- 5
device children, if any. If either the device or one of its end-device children is the 6
destination of the route request command frame, the device shall determine if a 7
route discovery table (see Table 3.48) entry exists with the same route request 8
identifier and source address field. If no such entry exists, one shall be created. 9
10
If the device does have routing capacity and the multicast sub-field of route 11
request command options field of the received route request frame indicates a 12
multicast route request, the device shall determine whether an entry already exists 13
in the nwkGroupIDTable for which the GroupID field matches the destination 14
address field of the frame. If a matching entry is found, the device shall determine 15
if a route discovery table (see Table 3.48) entry exists with the same route request 16
identifier and source address field. If no such entry exists, one shall be created. 17
When creating the route discovery table entry, the fields are set to the 18
corresponding values in the route request command frame. The only exception is 19
the forward cost field, which is determined by using the previous sender of the 20
command frame to compute the link cost, as described in sub-clause 3.7.3.1, and 21
adding it to the path cost contained the route request command frame. The result 22
of the above calculation is stored in the forward cost field of the newly created 23
route discovery table entry. If the nwkSymLink attribute is set to TRUE, the device 24
shall also create a routing table entry with the destination address field set to the 25
source address of the route request command frame and the next hop field set to 26
the address of the previous device that transmitted the command frame. The status 27
field shall be set to ACTIVE. The device shall then issue a route reply command 28
frame to the source of the route request command frame. In the case that the 29
device already has a route discovery table entry for the source address and route 30
request identifier pair, the device shall determine if the path cost in the route 31
request command frame is less than the forward cost stored in the route discovery 32
table entry. The comparison is made by first computing the link cost from the 33
previous device that sent this frame, as described in sub-clause 3.7.3.1, and adding 34
it to the path cost value in the route request command frame. If this value is 35
greater than the value in the route discovery table entry, the frame shall be 36
dropped and no further processing is required. Otherwise, the forward cost and 37
sender address fields, in the route discovery table, are updated with the new cost 38
and the previous device address from the route request command frame. 39
40
If the nwkSymLink attribute is set to TRUE and the received route request 41
command frame is a unicast route request, the device shall also create a routing 42
table entry with the destination address field set to the source address of the route 43
request command frame and the next hop field set to the address of the previous 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
366 Network Specification
device that transmitted the command frame. The status field shall be set to
ACTIVE. The device shall then respond with a route reply command frame. In 1
either of these cases, if the device is responding on behalf of one of its end-device 2
children, the responder address in the route reply command frame payload shall 3
be set equal to the address of the end device child and not of the responding 4
device. 5
6
When a device with routing capacity is not the destination of the received route 7
request command frame, it shall determine if a route discovery table entry (see 8
Table 3.48) exists with the same route request identifier and source address field. 9
If no such entry exists, one shall be created. The route request timer shall be set to 10
expire in nwkcRouteDiscoveryTime milliseconds. If a routing table entry 11
corresponding to the routing address of the destination exists and its status is not 12
ACTIVE, the status shall be set to DISCOVERY_UNDERWAY. If no such entry 13
exists and the frame is a unicast route request, an entry shall be created and its 14
status set to DISCOVERY_UNDERWAY. If the nwkSymLink attribute is set to 15
TRUE, or the frame is a many-to-one route request, the device shall also create a 16
routing table entry with the destination address field equal to the source address of 17
the route request command frame by setting the next hop field to the address of 18
the previous device that transmitted the command frame. If the frame is a many- 19
to-one route request, the many-to-one field and route table entry shall be set to 20
TRUE, and if the next hop field changed, the route record required field shall be 21
set to TRUE. The status field shall be set to ACTIVE. When the route vrequest 22
timer expires, the device deletes the route request entry from the route discovery 23
table. When this happens, the routing table entry corresponding to the routing 24
address of the destination shall also be deleted, if its status field has a value of 25
DISCOVERY_UNDERWAY and there are no other entries in the route discovery 26
table created as a result of a route discovery for that destination address. If an 27
entry in the route discovery table already exists, the path cost in the route request 28
command frame shall be compared to the forward cost value in the route 29
discovery table entry. The comparison is made by computing the link cost from 30
the previous device, as described in sub-clause 3.7.3.1, and adding it to the path 31
cost value in the route request command frame. If this path cost is greater, the 32
route request command frame is dropped and no further processing is required. 33
Otherwise, the forward cost and sender address fields in the route discovery table 34
are updated with the new cost and the previous device address from the route 35
request command frame. Additionally, the path cost field in the route request 36
command frame shall be updated with the cost computed for comparison 37
purposes. If the nwkSymLink attribute is set to TRUE and the received route 38
request command frame is a unicast route request, the device shall also update any 39
routing table entry with the destination address field set to the source address of 40
the route request command frame and the next hop field set to the address of the 41
previous device that transmitted the command frame. The status field shall be set 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 367
to ACTIVE. The device shall then rebroadcast the route request command frame
using the MCPS-DATA.request primitive. 1
2
When rebroadcasting a route request command frame, the NWK layer shall delay 3
retransmission by a random jitter amount calculated using the formula: 4
2 × R [ nwkcMinRREQJitter ,nwkcMaxRREQJitter ] 5
6
where R [ a, b ] is a random function on the interval [ a, b ] . The units of this jitter 7
amount are milliseconds. Implementers may adjust the jitter amount so that route 8
request command frames arriving with large path cost are delayed more than 9
frames arriving with lower path cost. The NWK layer shall retry the broadcast 10
nwkcRREQRetries times after the original relay resulting in a maximum of 11
nwkcRREQRetries + 1 relays per relay attempt. Implementers may choose to 12
discard route request command frames awaiting retransmission in the case that a 13
frame with the same source and route request identifier arrives with a lower path 14
cost than the one awaiting retransmission. 15
The device shall also set the status field of the routing table entry corresponding to 16
the routing address of the destination field in the payload to 17
DISCOVERY_UNDERWAY. If no such entry exists, it shall be created. 18
19
When replying to a route request with a route reply command frame, a device that 20
has a route discovery table entry corresponding to the source address and route 21
request identifier of the route request shall construct a command frame with the 22
frame type field set to 0x01. The source address field of the network header shall 23
be set to the 16-bit network address of the current device and the destination 24
address field shall be set to the value of the sender address field from the 25
corresponding route discovery table entry. The device constructing the route reply 26
shall populate the payload fields in the following manner. The NWK command 27
identifier shall be set to route reply. The route request identifier field shall be set 28
to the same value found in the route request identifier field of the route request 29
command frame. The originator address field shall be set to the source address in 30
the network header of route request command frame. Using the sender address 31
field from the route discovery table entry corresponding to the source address in 32
the network header of route request command frame, the device shall compute the 33
link cost as described in sub-clause 3.7.3.1. This link cost shall be entered in the 34
path cost field. The route reply command frame is then unicast to the destination 35
by using MCPS-DATA.request primitive and the sender address obtained from the 36
route discovery table as the next hop. 37
3.7.3.4.3 Upon Receipt of a Route Reply Command Frame 38
39
On receipt of a route reply command frame, a device performs the following 40
procedure. 41
If the receiving device has no routing capacity and its NIB attribute 42
nwkUseTreeRouting has a value of TRUE, it shall forward the route reply using 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
368 Network Specification
tree routing. If the receiving device has no routing capacity and its NIB attribute
nwkUseTreeRouting has a value of FALSE, it shall discard the command frame. 1
Before forwarding the route reply command frame the device shall update the 2
path cost field in the payload by computing the link cost from the next hop device 3
to itself as described in sub-clause 3.7.3.1 and adding this to the value in the route 4
reply path cost field. 5
6
If the receiving device has routing capacity, it shall check whether it is the 7
destination of the route reply command frame by comparing the contents of the 8
originator address field of the command frame payload with its own address. If so, 9
it shall search its route discovery table for an entry corresponding to the route 10
request identifier in the route reply command frame payload. If there is no such 11
entry, the route reply command frame shall be discarded and route reply 12
processing shall be terminated. If a route discovery table entry exists, the device 13
shall search its routing table for an entry with a destination address field equal to 14
the routing address corresponding to the responder address in the route reply 15
command frame. If there is no such routing table entry the route reply command 16
frame shall be discarded and, if a route discovery table entry corresponding to the 17
route request identifier in the route reply command frame exists, it shall also be 18
removed, and route reply processing shall be terminated. If a routing table entry 19
and a route discovery table entry exist and if the status field of the routing table 20
entry is set to DISCOVERY_UNDERWAY, it shall be changed to 21
VALIDATION_UNDERWAY if the routing table entry’s GroupId flag is TRUE 22
and to ACTIVE otherwise; the next hop field in the routing table shall be set to the 23
previous device that forwarded the route reply command frame. The residual cost 24
field in the route discovery table entry shall be set to the path cost field in the route 25
reply payload. 26
If the status field was already set to ACTIVE or VALIDATION_UNDERWAY, the 27
device shall compare the path cost in the route reply command frame to the 28
residual cost recorded in the route discovery table entry, and update the residual 29
cost field and next hop field in the routing table entry if the cost in the route reply 30
command frame is smaller. If the path cost in the route reply is not smaller, the 31
route reply shall be discarded and no further processing shall take place. 32
33
If the device receiving the route reply is not the destination, the device shall find 34
the route discovery table entry corresponding to the originator address and route 35
request identifier in the route reply command frame payload. If no such route 36
discovery table entry exists, the route reply command frame shall be discarded. If 37
a route discovery table entry exists, the path cost value in the route reply 38
command frame and the residual cost field in the route discovery table entry shall 39
be compared. If the route discovery table entry value is less than the route reply 40
value, the route reply command frame shall be discarded. 41
Otherwise, the device shall find the routing table entry with a destination address 42
field equal to the routing address corresponding to the responder address in the 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 369
route reply command frame. It is an error here if the route discovery table entry
exists and there is no corresponding routing table entry, and the route reply 1
command frame should be discarded. The routing table entry shall be updated by 2
replacing the next hop field with the address of the previous device that forwarded 3
the route reply command frame. The route discovery table entry shall also be 4
updated by replacing the residual cost field with the value in the route reply 5
command frame. 6
7
Whenever the receipt of a route reply causes the next hop field of the 8
corresponding route table entry to be modified, and the route table entry's GroupId 9
flag is TRUE, the device shall set the expiration time field of the corresponding 10
route discovery table entry to expire in nwkcWaitBeforeValidation milliseconds if 11
the device is the destination of the route reply and nwkcRouteDiscoveryTime 12
milliseconds if it is not. 13
After updating its own route entry, the device shall forward the route reply to the 14
destination. Before forwarding the route reply, the path cost value shall be 15
updated. The sender shall find the next hop to the route reply’s destination by 16
searching its route discovery table for the entry matching the route request 17
identifier and the source address and extracting the sender address. It shall use this 18
next hop address to compute the link cost as described in sub-clause 3.7.3.1. This 19
cost shall be added to the path cost field in the route reply. The destination address 20
in the command frame network header shall be set to the next hop address and the 21
frame shall be unicast to the next hop device using the MCPS-DATA.request 22
primitive.The DstAddr parameter of the MCPS-DATA.request primitive shall be 23
set to the next-hop address from the route discovery table. 24
25
3.7.3.4.4 Initiation and Processing of a Route Record Command Frame 26
As described in sub-clause 3.7.3.3, if a device is forwarding a unicast data 27
message and the route record required field of the destination’s route table entry 28
has a value of TRUE, then the device shall unicast a route record command to the 29
destination, and if it is transmitted successfully to the next hop, the route record 30
required field of the routing table entry shall be set to FALSE. 31
32
Each relay node that receives the route record command shall append its network 33
address to the command payload, increment the relay count, and forward the 34
message. If the route record command is transmitted successfully to the next hop, 35
the route record required field of the destination’s route table entry shall be set to 36
FALSE. If no next hop is available, or if delivery to the next hop fails, or if there is 37
insufficient space in the payload for the id, the command frame shall be discarded 38
and the NWK will inform the next higher layer using the NLME-ROUTE- 39
ERROR.indication primitive. 40
Upon receipt of the route record command by the destination, the route shall be 41
stored in the source route table. Any existing source routes to the message source 42
or intermediary nodes shall be replaced by the new route information. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
370 Network Specification
expected to have a route table entry to the destination. Upon receipt of the route
error frame, if no route table entry for the destination is present, or if delivery of 1
the route error to the next hop in the route table entry fails, the route error shall 2
again be unicast to a random router neighbor using the MCPS-DATA.request 3
primitive. The radius counter in the NWK header will limit the maximum number 4
of times the route error is relayed. Upon receipt of the route error frame by the 5
destination, it shall be passed up to the next higher layer using the NLME- 6
ROUTE-ERROR.indication primitive. The route is not automatically 7
rediscovered by the NWK layer. 8
9
If a failed link is encountered that is not part of a many-to-one route and the frame 10
being forwarded is not source routed, the upstream device shall initiate route 11
repair. If the upstream device is unable to initiate route repair due to a lack of 12
routing capacity or some other limitation, the device shall issue a route error 13
command frame back to the source device with the error code indicating the 14
reason for the failure (see Table 3.39), and issue an NLME-ROUTE- 15
ERROR.indication to the next higher layer. 16
If the upstream device is able to initiate route repair, it shall do so by broadcasting 17
a route request command frame with the source address set to its own address and 18
the destination address set to the destination address of the frame that failed in 19
transmission. The route request command frame shall have the route repair sub- 20
field in the command options field of the command frame payload set to 1 21
indicating route repair. 22
23
While a device is performing route repair for a particular destination, a device 24
shall not forward frames to that destination. Any frames that it has pending for 25
that destination at the time route repair is initiated and any frames for that 26
destination that arrive before the completion of route repair shall either be 27
buffered until the completion of route repair or discarded depending on the 28
capabilities of the device. 29
On receipt of a route request command frame a routing node shall perform the 30
procedure outlined in sub-clause 3.7.3.4.2. If the routing node is the destination of 31
the route request command frame or the destination is one of its end-device 32
children, it shall reply with a route reply command frame. The route reply 33
command frame shall have the route repair sub-field in the command options field 34
of the command frame payload set to 1 indicating route repair. 35
36
If a route reply command frame does not arrive at the upstream device within 37
nwkcRouteDiscoveryTime milliseconds, the upstream device shall send a route 38
error command frame to the source device. If the upstream device does receive a 39
route reply within the designated time, it will forward any data that it may have 40
buffered pending the repair to the destination. 41
If the source device receiving a route error command frame does not have routing 42
capacity and its NIB attribute nwkUseTreeRouting has a value of TRUE, it shall 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
372 Network Specification
To counteract drift, the new device shall track the beacon of its parent and adjust
its own beacon transmission time such that the time offset between the two 1
remains constant. Therefore the beacon frames of every device in the network are 2
essentially synchronized with those of the ZigBee coordinator. Figure 3.35 3
illustrates the relationship between the active superframe portions of a parent and 4
its child. 5
6
7
8
9
10
11
Beacon Tracking 12
13
14
15
Beacon 16
Tx Offset 17
18
Figure 3.35 Parent-Child Superframe Positioning Relationship
19
20
The density of devices that can be supported in the network is inversely
21
proportional to the ratio of the superframe order to the beacon order. The smaller
22
the ratio, the longer the inactive period of each device and the more devices that
23
can transmit beacon frames in the same neighborhood. It is recommended that a
24
tree network utilize a superframe order of 0, which, when operating in the 2.4
25
GHz band, gives a superframe duration of 15.36 ms and a beacon order of
26
between 6 and 10, which, in the 2.4 GHz band, gives a beacon interval between
27
0.98304s and 15.72864s. Using these superframe and beacon order values, a
28
typical duty cycle for devices in the network will be between ~2% and ~0.1%
29
regardless of the frequency band.
30
3.7.4.2 MAC Enhancement 31
32
In order to employ the beacon scheduling algorithm just described, it is necessary 33
to implement the following enhancement to the IEEE Std 802.15.4-2003 MAC 34
sub-layer. 35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 375
frame. It shall then drop the frame. If no record is found, it shall create a new BTR
in its BTT and may mark the neighboring device as having relayed the broadcast. 1
The NWK layer shall then indicate to the higher layer that a new broadcast frame 2
has been received. If the radius field value is greater than 0 it shall retransmit the 3
frame. Otherwise it shall drop the frame. Before the retransmission, it shall wait 4
for a random time period called broadcast jitter. This time period shall be bounded 5
by the value of the nwkcMaxBroadcastJitter attribute. ZigBee end devices with 6
macRxOnWhenIdle equal to FALSE shall not participate in the relaying of 7
broadcast frames and need not maintain a BTT for broadcast frames that they 8
originate. 9
10
If, on receipt of a broadcast frame, the NWK layer finds that the BTT is full and 11
contains no expired entries, then the frame should be ignored. In this situation the 12
frame should not be retransmitted, nor should it be passed up to the next higher 13
layer. 14
A ZigBee coordinator or ZigBee router, operating in a non-beacon-enabled 15
ZigBee network, shall retransmit a previously broadcast frame at most 16
nwkMaxBroadcastRetries times. If the device does not support passive 17
acknowledgement then it shall retransmit the frame exactly 18
nwkMaxBroadcastRetries times. If the device supports passive acknowledgement 19
and any of its neighboring devices have not relayed the broadcast frame within 20
nwkPassiveAckTimeout seconds then it shall continue to retransmit the frame up 21
to a maximum of nwkMaxBroadcastRetries times. 22
23
A device should change the status of a BTT entry after 24
nwkNetworkBroadcastDeliveryTime seconds have elapsed since its creation. The 25
entry should change status to expired and thus the entry can be overwritten if 26
required when a new broadcast is received. 27
When a ZigBee router that has the macRxOnWhenIdle MAC PIB attribute set to 28
FALSE receives a broadcast transmission, it shall use a different procedure for 29
retransmission than the one outlined above. It shall retransmit the frame without 30
delay to each of its neighbors individually, using a MAC layer unicast, that is, 31
with the DstAddr parameter of the MCPS-DATA.request primitive set to the 32
address of the receiving device and not to the broadcast address. Similarly, a 33
router or coordinator with the macRxOnWhenIdle MAC PIB attribute set to 34
TRUE, which has one or more neighbors with the macRxOnWhenIdle MAC PIB 35
parameter set to FALSE, shall, in the case where the destination address is 0xffff 36
denoting broadcast to all devices, retransmit the broadcast frame to each of these 37
neighbors in turn as a MAC layer unicast in addition to performing the more 38
general broadcast procedure spelled out in the previous paragraphs. Indirect 39
transmission, as described in IEEE 802.15.4-2003 [B1], may be employed to 40
ensure that these unicasts reach their destination. 41
42
Every ZigBee router shall have the ability to buffer at least 1 frame at the NWK 43
layer in order to facilitate retransmission of broadcasts. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 3
378 Network Specification
Figure 3.36 shows a broadcast transaction between a device and two neighboring
devices. 1
2
3
Neighbor 1 Device Neigbor 2
4
NWK NWK NWK
5
6
Broadcast Transmission 7
Add new BTR 8
Mark neighbor 1 as having 9
relayed the message
10
Random 11
broadcast 12
delay 13
Broadcast Transmission 14
15
Mark device as having Add new BTR
relayed the message Mark device as having 16
relayed the message 17
Broadcast
18
Random 19
retry timer
broadcast
delay 20
21
Broadcast Transmission 22
23
Ignore
broadcast Mark neighbor 2 as having 24
relayed the message 25
26
27
28
29
30
Figure 3.36 Broadcast Transaction Message Sequence Chart
31
32
3.7.6 Multicast Communication 33
34
This sub-clause specifies how multicast transmission is accomplished within a 35
ZigBee network. Multicasts provide many-to-many routing. Multicast addressing 36
is done using 16-bit multicast group Ids. Each device has a multicast table 37
indicating which multicast groups that device is a member of. A multicast 38
message is sent to a particular destination group and is received by all devices that 39
list that group's ID in their multicast table. Only data frames are multicast; there 40
are no multicast command frames. Multicast frames have a mode flag that 41
indicates whether they are in non-member mode or member mode. Member mode 42
is used to propagate multicasts between the devices that are members of the 43
destination group. Member mode multicasts are recorded in the BTT as if they 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 379
field of the beacon frame of the device is set to 0 indicating that association is not
permitted. 1
2
Table 3.51 NWK Layer Information Fields
3
Name Type Valid Range Description 4
5
Protocol ID Integer 0x00 – 0xff This field identifies the network 6
layer protocols in use and, for
purposes of this specification 7
shall always be set to 0, indicating 8
the ZigBee protocols; The value 9
0xff shall also be reserved for 10
future use by the ZigBee Alliance 11
Stack profile Integer 0x00 – 0x0f A ZigBee stack profile identifier 12
nwkcProtocolVersio Integer 0x00 – 0x0f The version of the ZigBee 13
n protocol 14
15
Router capacity Boolean TRUE or FALSE This value is set to TRUE if this
device is capable of accepting
16
join requests from router-capable 17
devices and is set to FALSE 18
otherwise. 19
Device depth Integer 0x00 – nwkMaxDepth The tree depth of this device. A 20
value of 0x00 indicates that this 21
device is the ZigBee coordinator 22
for the network 23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 383
C H A P T E R
1
4
2
3
4
5
6
7
8
9
In summary:
1
• The provided security services cryptographically protect the interfaces between 2
different devices only; 3
• Separation of the interfaces between different stack layers on the same device 4
is arranged non-cryptographically, via proper design of security service access 5
points. 6
7
4.2.1.2 Security Design Choices 8
9
The open trust model (as described in sub-clause 4.2.1.1) on a device has far- 10
reaching consequences. It allows re-use of the same keying material among 11
different layers on the same device and it allows end-to-end security to be realized 12
on a device-to-device basis rather than between pairs of particular layers (or even 13
pairs of applications) on two communicating devices. 14
Another consideration is whether one is concerned with the ability of malevolent 15
network devices to use the network to transport frames across the network without 16
permission. 17
18
These observations lead to the following architectural design choices: 19
• First, the principle that “the layer that originates a frame is responsible for 20
initially securing it” is established. For example, if a MAC layer disassociate 21
frame needs protection, MAC layer security shall be used. Likewise, if a NWK 22
command frame needs protection, NWK layer security shall be used. 23
24
• Second, if protection from theft of service is required (that is, malevolent 25
network devices), NWK layer security shall be used for all frames, except those 26
passed between a router and a newly joined device (until the newly joined 27
device receives the Network key). Thus, only a device that has joined the 28
network and successfully received the Network key will be able to have its 29
messages communicated more than one hop across the network. 30
• Third, due to the open trust model, security can be based on the reuse of keys 31
by each layer. For example, the active Network key shall be used to secure APS 32
layer broadcast frames, NWK layer frames, or MAC layer commands. Reuse of 33
keys helps reduce storage costs. 34
35
• Fourth, end-to-end security is enabled such as to make it possible that only 36
source and destination devices have access to their shared key. This limits the 37
trust requirement to those devices whose information is at stake. Additionally, 38
this ensures that routing of messages between devices can be realized 39
independent of trust considerations (thus, facilitating considerable separation of 40
concern). 41
• Fifth, to simplify interoperability of devices, the security level used by all 42
devices in a given network, and by all layers of a device, shall be the same if 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
388 Security Services Specification
security is used. In particular, the security level indicated in the PIB and NIB
shall be the same. If an application needs more security for its payload than is 1
provided by a given network, it shall form its own separate network with a 2
higher security level. 3
4
There are several policy decisions which any real implementation must address 5
correctly. Application profiles should include policies to: 6
• Handle error conditions arising from securing and unsecuring packets. Some 7
error conditions may indicate loss of synchronization of security material, or 8
may indicate ongoing attacks; 9
10
• Detect and handle loss of counter synchronization and counter overflow; 11
• Detect and handle loss of key synchronization; 12
13
• Expire and periodically update keys, if desired. 14
15
4.2.1.3 Security Keys 16
Security amongst a network of ZigBee devices is based on ‘link’ keys and a 17
“network” key. Unicast communication between APL peer entities is secured by 18
means of a 128-bit link key shared by two devices, while broadcast 19
communications are secured by means of a 128-bit Network key shared amongst 20
all devices in the network. The intended recipient is always aware of the exact 21
security arrangement; that is, the recipient knows whether a frame is protected 22
with a link or a Network key. 23
24
A device shall acquire link keys either via key-transport, key-establishment, or 25
pre-installation (for example, during factory installation). A device shall acquire a 26
Network key via key-transport or pre-installation. The key-establishment 27
technique for acquiring a link key (see sub-clause 4.2.4.1) is based on a 'master' 28
key. A device shall acquire a master key (for purposes of establishing 29
corresponding link keys) via key-transport or pre-installation. Ultimately, security 30
between devices depends on the secure initialization and installation of these 31
keys. 32
In a secured network there are a variety of security services available. Prudence 33
dictates that one would like to avoid re-use of keys across different security 34
services, which otherwise may cause security leaks due to unwanted interactions. 35
As such, these different services use a key derived from a one-way function using 36
the link key (as specified in sub-clause 4.6.3). The use of uncorrelated keys 37
ensures the logical separation of executions of different security protocols. The 38
key-load key is used to protect transported master keys; the key-transport key is 39
used to protect other transported keys. The Network key may be used by the 40
MAC, NWK, and APL layers of ZigBee. As such, the same Network key and 41
associated outgoing and incoming frame counters shall be available to all of these 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 389
layers. The link and master keys may be used only by the APS sublayer. As such,
the link and master keys shall be available only to the APL layer. 1
2
4.2.1.4 ZigBee Security Architecture 3
4
ZigBee applications communicate using the IEEE 802.15.4 wireless standard 5
[B1], which specifies two layers, the Physical (PHY) and Medium Access Control 6
(MAC) layers. ZigBee builds on these layers a Network (NWK) layer and an 7
Application (APL) layer. The PHY layer provides the basic communication 8
capabilities of the physical radio. The MAC layer provides services to enable 9
reliable, single-hop communication links between devices. The ZigBee NWK 10
layer provides routing and multi-hop functions needed for creating different 11
network topologies; for example, star, tree, and mesh structures. The APL layer 12
includes an Application Support (APS) sublayer, the ZigBee Device 13
Object (ZDO), and applications. The ZDO is responsible for overall device 14
management. The APS layer provides a foundation for servicing the ZDO and 15
ZigBee applications. 16
The architecture includes security mechanisms at three layers of the protocol 17
stack. The MAC, NWK, and APS layers are responsible for the secure transport of 18
their respective frames. Furthermore, the APS sublayer provides services for the 19
establishment, and maintenance of security relationships. The ZigBee Device 20
Object (ZDO) manages the security policies and the security configuration of a 21
device. Figure 1.1 shows a complete view of the ZigBee protocol stack. The 22
security mechanisms provided by the APS and NWK layers are described in this 23
version of the specification, as is the processing of secure MAC frames. 24
25
26
4.2.2 MAC Layer Security 27
28
When a frame originating at the MAC layer needs to be secured, ZigBee shall use 29
MAC layer security as specified by the 802.15.4 specification [B1] and 30
augmented by clause 4.3. A security corrigendum proposal [B3] is being 31
developed to augment the MAC layer specification and include the security 32
elements needed by ZigBee. Specifically, at least one of ZigBee’s security needs 33
is the ability to protect incoming and outgoing frames using the security levels 34
based on CCM* (see sub-clause 4.6.2.1, and Table 4.30 for a description of 35
ZigBee security levels). CCM* is a minor modification of CCM specified in 36
Clause 7 and Annex B of the 802.15.4 MAC layer specification [B1]. CCM* 37
includes all of the features of CCM and additionally offers encryption-only and 38
integrity-only capabilities. These extra capabilities simplify security by 39
eliminating the need for CTR and CBC-MAC modes. Also, unlike other MAC 40
layer security modes which require a different key for every security level, the use 41
of CCM* enables the use of a single key for all CCM* security levels. With the 42
use of CCM* throughout the ZigBee stack, the MAC, NWK, and APS layers can 43
reuse the same key. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
390 Security Services Specification
The MAC layer is responsible for its own security processing, but the upper layers
shall determine which security level to use. For ZigBee, MAC layer frames 1
requiring security processing shall be processed using the security material from 2
the macDefaultSecurityMaterial or the macACLEntryDescriptorSet attributes of 3
the MAC PIB. The upper layer (for example, APL) shall set 4
macDefaultSecurityMaterial to coincide with the active Network key and 5
counters from the NWK layer and shall set macACLEntryDescriptorSet to 6
coincide with any link keys from the APS layer that are shared with neighboring 7
devices, for example, a parent and child. The security suite shall be CCM* and the 8
upper layers shall set the security level to coincide with the nwkSecurityLevel 9
attribute in the NIB. For ZigBee, MAC layer link keys shall be preferred, but if 10
not available, the default key (that is, macDefaultSecurityMaterial) shall be used. 11
Figure 4.1 shows an example of the security fields that may be included in an 12
outgoing frame with security applied at the MAC level. 13
14
15
Application of security suite adds auxiliary security 16
information, and may add an integrity code 17
18
PHY MAC Auxiliary 19
SYNC Encrypted MAC Payload MIC
HDR HDR HDR 20
21
22
When integrity protection is employed, the entire MAC frame is protected 23
24
Figure 4.1 ZigBee Frame with Security at the MAC Level 25
26
4.2.3 NWK Layer Security 27
28
When a frame originating at the NWK layer with nwkSecurityLevel > 0, or when 29
a frame originates at a higher layer and the nwkSecureAllFrames attribute in the 30
NIB is TRUE, ZigBee shall use the frame protection mechanism specified in sub- 31
clause 4.4.1 of this specification, unless the SecurityEnable parameter of the 32
NLDE-DATA.request primitive is FALSE, explicitly prohibiting security. Like the 33
MAC layer, the NWK layer's frame protection mechanism shall make use of the 34
Advanced Encryption Standard (AES) [B8] and use CCM* as specified in 35
Annex A. The security level applied to a NWK frame shall be given by the 36
nwkSecurityLevel attribute in the NIB. Upper layers manage NWK layer security 37
by setting up active and alternate Network keys and by determining which 38
security level to use. 39
40
One responsibility of the NWK layer is to route messages over multi-hop links.
41
As part of this responsibility, the NWK layer will broadcast route request
42
messages and process received route reply messages. Route request messages are
43
simultaneously broadcast to nearby devices and route reply messages originate
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 391
from nearby devices. If the appropriate link key is available, the NWK layer shall
use the link key to secure outgoing NWK frames. If the appropriate link key is not 1
available, in order to secure messages against outsiders the NWK layer shall use 2
its active Network key to secure outgoing NWK frames and either its active 3
Network key or an alternate Network key to secure incoming NWK frames. 4
5
In this scenario, the frame format explicitly indicates the key used to protect the 6
frame; Thus, intended recipients can deduce which key to use for processing an 7
incoming frame and also determine if the message is readable by all network 8
devices, rather than just by itself. 9
Figure 4.2 shows an example of the security fields that may be included in a NWK 10
frame. 11
12
13
Application of security suite adds auxiliary header 14
and also an integrity code
15
16
PHY MAC NWK Auxiliary 17
SYNC Encrypted NWK Payload MIC 18
HDR HDR HDR HDR
19
20
All of the above NWK frame is integrity-protected 21
22
Figure 4.2 ZigBee Frame with Security on the NWK Level 23
24
4.2.4 APL Layer Security 25
26
When a frame originating at the APL layer needs to be secured, the APS sublayer 27
shall handle security. The APS layer's frame protection mechanism is specified in 28
sub-clause 4.5.1 of this specification. The APS layer allows frame security to be 29
based on link keys or the Network key. Figure 4.3 shows an example of the 30
security fields that may be included in an APL frame. Another security 31
responsibility of the APS layer is to provide applications and the ZDO with key 32
establishment, key transport, and device management services. 33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
392 Security Services Specification
octet representation of the integer 232-1 or any of this security material cannot
be determined, then security processing shall fail and no further security 1
processing shall be done on this frame. 2
3
a First, an attempt shall be made to retrieve the security material and security 4
level identifier associated with the destination address of the outgoing frame 5
from the macACLEntryDescriptorSet attribute in the MAC PIB. 6
b If the first attempt fails, then security material shall be obtained by using the 7
macDefaultSecurityMaterial attribute from the MAC PIB and the security 8
level identifier shall be obtained from the MacDefaultSecuritySuite attribute 9
from the MAC PIB. 10
11
2 The Security Control Field SecField is the 1-octet field formatted as in sub- 12
clause 4.6.1.1, with the following settings: 13
a The security level subfield shall be set to the security level obtained in 14
step 1; 15
16
b The key identifier subfield shall be set to the 2-bit field '00'; 17
c The extended nonce subfield shall be set to the 1-bit field '0'; 18
19
d The reserved bits shall be set to the 2-bit field '00'. 20
3 Execute the CCM* mode encryption and authentication operation, as specified 21
in Annex A, with the following instantiations: 22
23
a The parameter M shall be obtained from Table 4.30 corresponding to the 24
security level from step 1; 25
b The bit string Key shall be the key obtained from step 1; 26
27
c The nonce N shall be the 13-octet string constructed using the local device’s 28
64-bit extended address, SecField from step 1, and FrameCount from step 1 29
(see Figure 72 from [B1]); 30
d If the security level requires encryption, the octet string a shall be the string 31
MacHeader and the octet string m shall be the string Payload. Otherwise, 32
the octet string a shall be the string MacHeader || Payload and the octet 33
string m shall be a string of length zero. Note that ZigBee interprets IEEE 34
Std. 802.15.4 802 [B1] to mean that frame counters are authenticated. 35
36
4 If the CCM* mode invoked in step 3 outputs ‘invalid’, security processing shall 37
fail and no further security processing shall be done on this frame. 38
5 Let c be the output from step 4. If the security level requires encryption, the 39
secured outgoing frame shall be MacHeader || FrameCount || SeqCount || c, 40
otherwise the secured outgoing frame shall be MacHeader || FrameCount || 41
SeqCount || Payload || c. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
396 Security Services Specification
6 If the secured outgoing frame size is greater than aMaxPHYPacketSize (from [B1]),
security processing shall fail and no further security processing shall be done 1
on this frame. 2
3
7 The outgoing frame counter from step 1 shall be incremented by one and stored 4
in the location from which the security material was obtained in step 1 (that is, 5
either the macDefaultSecurityMaterial attribute or the 6
MacDefaultSecuritySuite attribute). 7
8
4.3.1.2 Security Processing of Incoming Frames 9
If the MAC layer receives a secured frame (consisting of a header MacHeader, 10
frame count ReceivedFrameCount, sequence count ReceivedSeqCount, and 11
payload SecuredPayload) it shall perform security processing as follows: 12
13
1 If ReceivedFrameCount has as value the 4-octet representation of the integer 14
232-1, security processing shall fail and no further security processing shall be 15
done on this frame. 16
2 Obtain the security material (as specified in sub-clause 4.3.2), including the 17
key, optional external frame counter FrameCount, optional key sequence count 18
SeqCount, and security level identifier (as specified in Table 4.30) from the 19
MAC PIB using the following procedure. If the security material cannot be 20
obtained or if SeqCount exists and does not match ReceivedSeqCount, security 21
processing shall fail and no further security processing shall be done on this 22
frame. 23
24
a First, an attempt shall be made to retrieve the security material and security 25
level identifier associated with the source address of the incoming frame 26
from the macACLEntryDescriptorSet attribute in the MAC PIB. 27
b If the first attempt fails, then security material shall be obtained by using the 28
macDefaultSecurityMaterial attribute from the MAC PIB and the security 29
level identifier shall be obtained from the MacDefaultSecuritySuite attribute 30
from the MAC PIB. 31
32
3 If FrameCount exists and if ReceivedFrameCount is less than FrameCount, 33
security processing shall fail and no further security processing shall be done 34
on this frame. 35
4 The Security Control Field SecField is the 1-octet field formatted as in sub- 36
clause 4.6.1.1, Table 4.17, with the following settings: 37
38
a The security level subfield shall be set to the security level from the 39
MACPIB (as specified in Table 4.30); 40
b The key identifier subfield shall be set to the 2-bit field '00'; 41
42
c The extended nonce subfield shall be set to the 1-bit field '0'; 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 397
For the macDefaultSecurityMaterial attribute from the MAC PIB, the upper layer
shall set the symmetric key, outgoing frame counter, and optional external key 1
sequence counter equal to the corresponding elements of the network security 2
material descriptor in the nwkSecurityMaterialSet of the NIB referenced by the 3
nwkActiveKeySeqNumber attribute of the NIB. The optional external frame 4
counter shall not be used and the optional external key sequence counter shall 5
correspond to the sequence number of the Network key. 6
7
For the macACLEntryDescriptorSet attribute from the MAC PIB, the upper layer 8
shall set the symmetric key, and outgoing frame counter equal to the 9
corresponding elements of the Network key-pair descriptor in the 10
apsDeviceKeyPairSet of the AIB. The optional external frame counter shall be set 11
to the incoming frame counter, The key sequence counter shall be set to 0x00, and 12
the optional external key sequence counter shall not be used. 13
14
15
4.4 NWK Layer Security 16
17
The NWK layer is responsible for the processing steps needed to securely transmit 18
outgoing frames and securely receive incoming frames. Upper layers control the 19
security processing operations, by setting up the appropriate keys and frame 20
counters and establishing which security level to use. 21
22
4.4.1 Frame Security 23
24
The detailed steps involved in security processing of outgoing and incoming 25
NWK frames are described in sub-clauses 4.4.1.1 and 4.4.1.2, respectively. 26
27
4.4.1.1 Security Processing of Outgoing Frames 28
29
If the NWK layer has a frame, consisting of a header NwkHeader and payload 30
Payload, that needs security protection and nwkSecurityLevel > 0, it shall apply 31
security as follows: 32
1 Obtain the nwkActiveKeySeqNumber from the NIB and use it to retrieve the 33
active Network key key, outgoing frame counter OutgoingFrameCounter, and 34
key sequence number KeySeqNumber from the nwkSecurityMaterialSet 35
attribute in the NIB. Obtain the security level from the nwkSecurityLevel 36
attribute from the NIB. If the outgoing frame counter has as its value the 4-octet 37
representation of the integer 232-1, or if the key cannot be obtained, security 38
processing shall fail and no further security processing shall be done on this 39
frame. 40
41
2 Construct auxiliary header AuxiliaryHeader (see sub-clause 4.6.1): 42
a The security control field shall be set as follows: 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 399
i The security level sub-field shall be the security level obtained from
step 1. 1
2
ii The key identifier sub-field shall be set to ‘01’ (that is, the Network key). 3
iii The extended nonce sub-field shall be set to 1. 4
5
iv The source address field shall be set to the 64-bit extended address of the 6
local device. 7
b The frame counter field shall be set to the outgoing frame counter from 8
step 1. 9
10
c The key sequence number field shall be set to the sequence number from 11
step 1. 12
3 Execute the CCM* mode encryption and authentication operation, as specified 13
in Annex A, with the following instantiations: 14
15
a The parameter M shall be obtained from Table 4.30 corresponding to the 16
security level from step 1; 17
b The bit string Key shall be the key obtained from step 1; 18
19
c The nonce N shall be the 13-octet string constructed using the security 20
control field from step a, the frame counter field from step c, and the source 21
address field from step b (see sub-clause 4.6.2.2); 22
d If the security level requires encryption, the octet string a shall be the string 23
NwkHeader || AuxiliaryHeader and the octet string m shall be the string 24
Payload. Otherwise, the octet string a shall be the string NwkHeader || 25
AuxiliaryHeader || Payload and the octet string m shall be a string of length 26
zero. 27
28
4 If the CCM* mode invoked in step 3 outputs ‘invalid’, security processing shall 29
fail and no further security processing shall be done on this frame. 30
5 Let c be the output from step 3. If the security level requires encryption, the 31
secured outgoing frame shall be NwkHeader || AuxiliaryHeader || c, otherwise 32
the secured outgoing frame shall be NwkHeader || AuxiliaryHeader || Payload || 33
c. 34
35
6 If the secured outgoing frame size is greater than aMaxMACFrameSize (see 36
IEEE Std. 802.15.4 802 [B1]), security processing shall fail and no further 37
security processing shall be done on this frame. 38
7 The outgoing frame counter from step 1 shall be incremented by one and stored 39
in the OutgoingFrameCounter element of the network security material 40
descriptor referenced by the nwkActiveKeySeqNumber in the NIB; that is, the 41
outgoing frame counter value associated with the key used to protect the frame 42
is updated. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
400 Security Services Specification
8 Over-write the security level subfield of the security control field by the 3-bit
all-zero string '000'. 1
2
4.4.1.2 Security Processing of Incoming Frames 3
4
If the NWK layer receives a secured frame (consisting of a header NwkHeader, 5
auxiliary header AuxiliaryHeader, and payload SecuredPayload) as indicated by 6
the security sub-field of the NWK header frame control field it shall perform 7
security processing as follows: 8
1 Determine the security level from the nwkSecurityLevel attribute from the NIB. 9
Over-write the 3-bit security level subfield of the security control field of the 10
AuxillaryHeader with this value. Determine the sequence number 11
SequenceNumber, sender address SenderAddress, and received frame count 12
ReceivedFrameCount from the auxiliary header AuxiliaryHeader (see sub- 13
clause 4.6.1). If ReceivedFrameCounter has as value the 4-octet representation 14
of the integer 232-1, security processing shall fail and no further security 15
processing shall be done on this frame. 16
17
2 Obtain the appropriate security material (consisting of the key and other 18
attributes) by matching SequenceNumber to the sequence number of any key in 19
the nwkSecurityMaterialSet attribute in the NIB. If the SequenceNumber does 20
not equal nwkActiveKeySeqNumber, the neighbor table entry corresponding to 21
SenderAddress shall be modified to show that the network key is stale. If the 22
security material cannot be obtained, security processing shall fail and no 23
further security processing shall be done on this frame.16 24
3 If there is an incoming frame count FrameCount corresponding to 25
SenderAddress from the security material obtained in step 2, and if 26
ReceivedFrameCount is less than FrameCount, security processing shall fail 27
and no further security processing shall be done on this frame. 28
29
4 Execute the CCM* mode decryption and authentication checking operation, as 30
specified in sub-clause A.2, with the following instantiations: 31
a The parameter M shall obtained from Table 4.30 corresponding to the 32
security level from step 1; 33
34
b The bit string Key shall be the key obtained from step 2; 35
c The nonce N shall be the 13-octet string constructed using the security 36
control, the frame counter, and the source address fields from 37
AuxiliaryHeader (see sub-clause 4.6.2.2). Note that the security level 38
subfield of the security control field has been overwritten in step 1 and now 39
contains the value determined from the nwkSecurityLevel attribute from the 40
NIB. 41
42
43
16. CCB #666 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 401
format of a secured NWK layer frame is shown in Figure 4.4. The auxiliary frame
header is situated between the NWK header and payload fields. 1
2
Octets: Variable 14 Variable 3
4
Original NWK Header Auxiliary Encrypted Encrypted Message Integrity Code
([B3], Clause 7.1) frame Payload (MIC) 5
header 6
Secure frame payload = Output of CCM* 7
Full NWK header Secured NWK payload 8
9
Figure 4.4 Secured NWK Layer Frame Format 10
11
4.4.3 Security-related NIB Attributes 12
13
The NWK PIB contains attributes that are required to manage security for the 14
NWK layer. Each of these attributes can be read and written using the NLME- 15
GET.request and NLME-SET.request primitives, respectively. The security- 16
related attributes contained in the NWK PIB are presented in Tables 4.1 through 17
4.3. 18
Table 4.1 NIB Security Attributes
19
20
Attribute Identifier Type Range Description Default 21
22
nwkSecurityLevel 0xa0 Octet 0x00-07 The security level for 0x06
outgoing and incoming 23
NWK frames; the 24
allowable security 25
level identifiers are 26
presented in Table 4.30 27
nwkSecurity- 0xa1 A set of 0, Variable Set of network security - 28
MaterialSet 1, or 2 material descriptors 29
network capable of maintaining 30
security an active and alternate
material Network key 31
descriptors 32
(See Table 33
4.2) 34
nwkActiveKey 0xa2 Octet 0x00- The sequence number 0x00 35
SeqNumber 0xFF of the active Network 36
key in 37
nwkSecurityMaterialSet 38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 403
1
Table 4.2 Elements of the Network Security Material Descriptor
2
Name Type Range Description Default 3
4
KeySeqNumber Octet 0x00-0xFF A sequence number assigned to a 00 5
Network key by the trust center
and used to distinguish Network 6
keys for purposes of key updates, 7
and incoming frame security 8
operations 9
OutgoingFrame Ordered 0x00000000- Outgoing frame counter used for 0x00000000 10
Counter set of 4 0xFFFFFFF outgoing frames 11
octets F 12
IncomingFrame Set of Variable Set of incoming frame counter Null set 13
CounterSet incoming values and corresponding device 14
frame addresses 15
counter 16
descriptor
values. 17
See Table 18
4.3. 19
Key Ordered - The actual value of the key -
20
set of 16 21
octets 22
23
24
4.5 APS Layer Security 25
26
Table 4.3 Elements of the Incoming Frame Counter Descriptor 27
28
Name Type Range Description Default 29
SenderAddress Device Any valid 64-bit Extended device Device 30
address address address specific 31
32
IncomingFrame Ordered set 0x00000000- Incoming frame 0x00000000
Counter of 4 octets 0xFFFFFFFF counter used for 33
incoming frames 34
35
The APS layer is responsible for the processing steps needed to securely transmit 36
outgoing frames, securely receive incoming frames, and securely establish and 37
manage cryptographic keys. Upper layers control the management of 38
cryptographic keys by issuing primitives to the APS layer. 39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 405
Table 4.4 lists the primitives available for key management and maintenance.
Upper layers also determine which security level to use when protecting outgoing 1
frames. 2
3
Table 4.4 The APS Layer Security Primitives
4
APSME 5
Security 6
Primitives Request Confirm Indication Response Description 7
APSME- 4.5.2.1 4.5.2.2 4.5.2.3 4.5.2.4 Establishes link key 8
ESTABLISH with another ZigBee 9
-KEY device using the SKKE 10
method 11
APSME- 4.5.3.1 - 4.5.3.2 - Transports security 12
TRANSPOR material from one 13
T-KEY device to another 14
APSME- 4.5.4.1 - 4.5.4.2 - Notifies the trust center 15
UPDATE- when a new device has 16
DEVICE joined, or an existing 17
device has left the 18
network
19
APSME- 4.5.5.1 - 4.5.5.2 - Used by the trust 20
REMOVE- center to notify a router 21
DEVICE that one of the router’s
child devices should be
22
removed from the 23
network 24
25
APSME- 4.5.6.1 - 4.5.6.2 - Used by a device to
REQUEST- request that the trust 26
KEY center send an 27
application master key 28
or current Network key 29
APSME- 4.5.7.1 - 4.5.7.2 - Used by the trust 30
SWITCH- center to tell a device 31
KEY to switch to a new 32
Network key
33
34
4.5.1 Frame Security 35
36
The detailed steps involved in security processing of outgoing and incoming APS 37
frames are described in sub-clauses 4.5.1.1 and 4.5.1.2, respectively. 38
39
4.5.1.1 Security Processing of Outgoing Frames 40
41
If the APS layer has a frame, consisting of a header ApsHeader and payload 42
Payload, that needs security protection and nwkSecurityLevel > 0, it shall apply 43
security as follows: 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
406 Security Services Specification
1 Obtain the security material and key identifier KeyIdentifier using the
following procedure. If security material or key identifier cannot be 1
determined, then security processing shall fail and no further security 2
processing shall be done on this frame. 3
4
a If the frame is a result of a APSDE-DATA.request primitive: 5
i If the TxOptions parameter specifies that the NWK key is required to 6
secure the data frame, then security material shall be obtained by using 7
the nwkActiveKeySeqNumber from the NIB to retrieve the active Network 8
key, outgoing frame counter, and sequence number from the 9
nwkSecurityMaterialSet attribute in the NIB. KeyIdentifier shall be set to 10
‘01’ (that is, the Network key). 11
12
ii Otherwise, the security material associated with the destination address of 13
the outgoing frame shall be obtained from the apsDeviceKeyPairSet 14
attribute in the AIB. KeyIdentifier shall be set to ‘00’ (that is, a data key). 15
Note, if the frame is being transmitted using indirect addressing, the 16
destination address shall be the address of the binding manager. 17
b If the frame is a result of an APS command: 18
19
i First, an attempt shall be made to retrieve the security material associated 20
with the destination address of the outgoing frame from the 21
apsDeviceKeyPairSet attribute in the AIB. For all cases, except transport- 22
key commands, KeyIdentifier shall be set to ‘00’(that is, a data key). For 23
the case of transport-key commands, KeyIdentifier shall be set to ‘02’ 24
(that is, the key-transport key) when transporting a Network key and shall 25
be set to ‘03’ (that is, the key-load key) when transporting an application 26
link key, application master key, or trust center master key. See sub- 27
clause 4.6.3 for a description of the key-transport and key-load keys. 28
ii If the first attempt fails, then security material shall be obtained by using 29
the nwkActiveKeySeqNumber from the NIB to retrieve the active Network 30
key, outgoing frame counter, and sequence number from the 31
nwkSecurityMaterialSet attribute in the NIB. KeyIdentifier shall be set to 32
‘01’ (that is, the Network key). 33
34
2 If the key identifier is equal to 01 (that is, network key), the APS layer shall 35
first verify that the NWK layer is not also applying security. If the NWK layer 36
is applying security, then the APS layer shall not apply any security. The APS 37
layer can determine that the NWK layer is applying security by verifying that 38
the value of the nwkSecureAllFrames attribute of the NIB has a value of TRUE 39
and the nwkSecurityLevel NIB attribute has a non-zero value. 40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 407
3 Extract the outgoing frame counter (and, if KeyIdentifier is 01, the key
sequence number) from the security material obtained from step 1. If the 1
outgoing frame counter has as its value the 4-octet representation of the integer 2
232-1, or if the key cannot be obtained, security processing shall fail and no 3
further security processing shall be done on this frame. 4
5
4 Obtain the security level from the nwkSecurityLevel attribute from the NIB. If 6
the frame is a result of an APS command, the security level identifier shall be 7
forced to 7 (ENC-MIC-128, as indicated in Table 4.30.) 8
5 Construct auxiliary header AuxiliaryHeader (see sub-clause 4.6.1): the security 9
control field shall be set as follows: 10
11
a The security level sub-field shall be the security level obtained from step 4. 12
i The key identifier sub-field shall be set to KeyIdentifier. 13
14
ii The extended nonce sub-field shall be set to 0. 15
b The frame counter field shall be set to the outgoing frame counter from 16
step 3. 17
18
c If KeyIdentifier is 1, the key sequence number field shall be present and set 19
to the key sequence number from step 3. Otherwise, the key sequence 20
number field shall not be present. 21
6 Execute the CCM* mode encryption and authentication operation, as specified 22
in sub-clause A.2, with the following instantiations: 23
24
a The parameter M shall obtained from Table 4.30 corresponding to the 25
security level from step 3; 26
b The bit string Key shall be the key obtained from step 1; 27
28
c The nonce N shall be the 13-octet string constructed using the security 29
control and frame counter fields from step 5 and the 64-bit extended address 30
of the local device (see sub-clause 4.6.2.2); 31
d If the security level requires encryption, the octet string a shall be the string 32
ApsHeader || AuxiliaryHeader and the octet string m shall be the string 33
Payload. Otherwise, the octet string a shall be the string ApsHeader || 34
AuxiliaryHeader || Payload and the octet string m shall be a string of length 35
zero. 36
37
7 If the CCM* mode invoked in step 6 outputs ‘invalid’, security processing shall 38
fail and no further security processing shall be done on this frame. 39
8 Let c be the output from step 6. If the security level requires encryption, the 40
secured outgoing frame shall be ApsHeader || AuxiliaryHeader || c, otherwise 41
the secured outgoing frame shall be ApsHeader || AuxiliaryHeader || Payload || 42
c. 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
408 Security Services Specification
9 If the secured outgoing frame size will result in the MSDU being greater than
aMaxMACFrameSize octets (see IEEE Std. 802.15.4 802 [B1]), security 1
processing shall fail and no further security processing shall be done on this 2
frame. 3
4
10 The outgoing frame counter from step 3 shall be incremented and stored in the 5
appropriate location(s) of the NIB, AIB, and MAC PIB corresponding to the 6
key that was used to protect the outgoing frame. 7
11 Over-write the security level subfield of the security control field by the 3-bit 8
all-zero string '000'. 9
10
4.5.1.2 Security Processing of Incoming Frames 11
12
If the APS layer receives a secured frame (consisting of a header ApsHeader, 13
auxiliary header AuxiliaryHeader, and payload SecuredPayload) as indicated by 14
the security sub-field of the APS header frame control field it shall perform 15
security processing as follows: 16
1 Determine the sequence number SequenceNumber, key identifier KeyIdentifier, 17
and received frame counter value ReceivedFrameCounter from the auxiliary 18
header AuxiliaryHeader. If ReceivedFrameCounter is the 4-octet 19
representation of the integer 232-1, security processing shall fail and no further 20
security processing shall be done on this frame. 21
22
2 Determine the source address SourceAddress from the address-map table in the 23
AIB, using the source address in the APS frame as the index. If the source 24
address is incomplete or unavailable, security processing shall fail and no 25
further security processing shall be done on this frame. If the delivery-mode 26
sub-field of the frame control field of ApsHeader has a value of 1 (that is, 27
indirect addressing), the source address shall be the address of the binding 28
manager, as described in the APS specification [B7]. 29
3 Obtain the appropriate security material in the following manner. If the security 30
material cannot be obtained, security processing shall fail and no further 31
security processing shall be done on this frame. 32
33
a If KeyIdentifier is ‘00’ (that is, data key), the security material associated 34
with the SourceAddress of the incoming frame shall be obtained from the 35
apsDeviceKeyPairSet attribute in the AIB. 36
b If KeyIdentifier is ‘01’ (that is, Network key), the security material shall be 37
obtained by matching SequenceNumber to the sequence number of any key 38
in the nwkSecurityMaterialSet attribute in the NIB. 39
40
c If KeyIdentifier is ‘02’ (that is, key-transport key), the security material 41
associated with the SourceAddress of the incoming frame shall be obtained 42
from the apsDeviceKeyPairSet attribute in the AIB; the key for this 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 409
b Let m be the output of step 6. If the security level requires encryption, set the
octet string UnsecuredApsFrame to the string ApsHeader || m. Otherwise, 1
set the octet string UnsecuredApsFrame to the string ApsHeader || Payload. 2
3
8 Set FrameCount to (ReceivedFrameCount + 1) and store both FrameCount and 4
SourceAddress in the appropriate security material as obtained in step 3. If 5
storing this frame count and address information will cause the memory 6
allocation for this type of information to be exceeded and the nwkAllFresh 7
attribute in the NIB is TRUE, then security processing shall fail and no further 8
security processing shall be done on this frame. Otherwise security processing 9
shall succeed. 10
9 If the sequence number of the received frame belongs to a newer entry in the 11
nwkSecurityMaterialSet, and the source address of the packet is the trust center, 12
then the nwkActiveKeySeqNumber may be set to received sequence number. If 13
the security material associated with the SourceAddress of the incoming frame 14
cannot be obtained from the attribute in the AIB, then security processing shall 15
fail and no further security processing shall be done on this frame. 16
17
18
4.5.2 Key-establishment Services 19
20
The APSME provides services that allow two devices to mutually establish a link 21
key. Initial trust information (for example, a master key) must be installed in each 22
device prior to running the key establishment protocol (see sub-clause 4.5.3 for 23
mechanisms to provision initial trust information). 24
25
4.5.2.1 APSME-ESTABLISH-KEY.request 26
The APSME-ESTABLISH-KEY request primitive is used for initiating a key- 27
establishment protocol. This primitive can be used when there is a need to 28
securely communicate with another device. 29
30
One device will act as an initiator device, and another device will act as the 31
responder. The initiator shall start the key-establishment protocol by issuing: 32
• The APSME-ESTABLISH-KEY.request with parameters indicating the 33
address of the responder device; 34
35
• An indication of which key-establishment protocol to use (that is, SKKE direct 36
or indirect). 37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 411
1
Table 4.14 TransportKeyData Parameter for a Network Key
2
Parameter Valid 3
Name Type Range Description 4
5
KeySeqNumber Octet 0x00-0xFF A sequence number assigned to a Network key by
the trust center and used to distinguish Network 6
keys for purposes of key updates, and incoming 7
frame security operations 8
NetworkKey Set of Variable The Network key 9
16 10
octets 11
UseParent Boolean TRUE | This parameter indicates if the destination device’s 12
FALSE parent shall be used to forward the key to the 13
destination device: 14
TRUE: Use parent 15
16
FALSE: Do not use parent
17
ParentAddress Device Any valid If the UseParent is TRUE, then ParentAddress 18
address 64-bit parameter shall contain the extended 64-bit address 19
address of the destination device’s parent device; otherwise,
this parameter is not used and need not be set 20
21
22
23
Table 4.15 TransportKeyData Parameter for an Application Master or Link Key 24
25
Parameter
Name Type Valid Range Description 26
27
PartnerAddress Device Any valid The extended 64-bit address of the device that 28
address 64-bit address was also sent this master key 29
Initiator Boolean TRUE | This parameter indicates if the destination 30
FALSE device of this master key requested it: 31
TRUE: If the destination requested the key 32
FALSE: Otherwise 33
34
Key Set of 16 Variable The master or link key (as indicated by the 35
octets KeyType parameter)
36
37
4.5.3.1.2 When Generated 38
The ZDO on an initiator device shall generate this primitive when it requires a key 39
to be transported to a responder device. 40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 423
• The initiator sub-field shall be set 1 (if the Initiator sub-parameter of the
TransportKeyData parameter is TRUE) or 0 (if the Initiator sub-parameter of 1
the TransportKeyData parameter is FALSE). 2
3
This command frame shall be security protected as specified in sub-clause 4.5.1.1 4
and then, if security processing succeeds, sent to the device specified by the 5
DestinationAddress parameter by issuing a NLDE-DATA.request primitive. 6
7
4.5.3.2 APSME-TRANSPORT-KEY.indication 8
The APSME-TRANSPORT-KEY.indication primitive is used to inform the ZDO 9
of the receipt of keying material. 10
11
4.5.3.2.1 Semantics of the Service Primitive 12
This primitive shall provide the following interface: 13
14
APSME-TRANSPORT-KEY.indication { 15
SrcAddress, 16
KeyType, 17
TransportKeyData 18
} 19
20
21
Table 4.16 specifies the parameters of the APSME-TRANSPORT-KEY.indication 22
primitive. 23
Table 4.16 APSME-TRANSPORT-KEY.indication Parameters 24
25
Name Type Valid Range Description
26
SrcAddress Device Any valid 64- The extended 64-bit address of the device 27
Address bit address that is the original source of the transported 28
key 29
KeyType Octet 0x00 – 0x03 Identifies the type of key material that was be 30
transported; see Table 4.12 31
TransportKeyData Variable Variable The key that was transported along with 32
identification and usage parameters; the type 33
of this parameter depends on the KeyType 34
parameter as follows: 35
KeyType = 0x00 see Table 4.17 36
KeyType = 0x01 see Table 4.18 37
KeyType = 0x02 see Table 4.19 38
KeyType = 0x03 see Table 4.20 39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 425
parameter set to the key type field. The TransportKeyData parameter shall be set
as follows: 1
2
• The Key sub-parameter shall be set to the key field; 3
• The PartnerAddress sub-parameter shall be set to the partner address field; 4
5
• The Initiator parameter shall be set to TRUE, if the initiator field is 1, 6
otherwise 0. 7
If the key type field is set to 0 or 1 (that is, trust center master key or NWK key) 8
and the destination address field is equal to the local address, the APSME shall 9
issue the APSME-TRANSPORT-KEY.indication primitive, with the SrcAddress 10
parameter set to the source address field of the key-transport command and the 11
KeyType parameter set to the key type field. The TransportKeyData parameter 12
shall be set as follows: the Key sub-parameter shall be set to the key field and, in 13
the case of a Network key (that is, the key type field is set to 1), the 14
KeySeqNumber sub-parameter shall be set to the sequence number field. 15
16
If the key type field is set to 0 or 1 (that is, trust center master key or NWK key) 17
and the destination address field is not equal to the local address, the APSME 18
shall send the command to the address indicated by the destination address field 19
by issuing the NLDE-DATA.request primitive with security disabled. 20
Upon receipt of an unsecured transport-key command, the APSME shall check 21
the key type sub-field. If the key type field is set to 0 (that is, a trust center master 22
key), the destination address field is equal to the local address, and the device does 23
not have a trust center master key and address (that is, the apsTrustCenterAddress 24
in the AIB), then the APSME shall issue the APSME-TRANSPORT- 25
KEY.indication primitive. Also, if the key type field is set to 1 (that is, Network 26
key), the destination address field is equal to the local address, and the device does 27
not have a Network key, then the APSME shall issue the APSME-TRANSPORT- 28
KEY.indication primitive. If an APSME-TRANSPORT-KEY.indication primitive 29
is issued, the SrcAddress parameter shall be set to the source address field of the 30
key-transport command, and the KeyType parameter shall be set to the key type 31
field. The TransportKeyData parameter shall be set as follows: the Key sub- 32
parameter shall be set to the key field and, in the case of a Network key (that is, 33
the key type field is set to 1), the KeySeqNumber sub-parameter shall be set to the 34
sequence number field. 35
36
37
4.5.4 Update Device Services 38
39
The APSME provides services that allow a device (for example, a router) to 40
inform another device (for example, a trust center) that a third device has changed 41
its status (for example, joined or left the network). 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 427
4.5.4.1 APSME-UPDATE-DEVICE.request
1
The ZDO shall issue this primitive when it wants to inform a device (for example, 2
a trust center) that another device has a status that needs to be updated (for 3
example, the device joined or left the network). 4
5
4.5.4.1.1 Semantics of the Service Primitive
6
This primitive shall provide the following interface: 7
8
APSME-UPDATE-DEVICE.request { 9
DestAddress, 10
DeviceAddress, 11
Status, 12
DeviceShortAddress 13
} 14
15
Table 4.19 specifies the parameters for the APSME-UPDATE-DEVICE.request 16
primitive. 17
18
Table 4.19 APSME-UPDATE-DEVICE.request Parameters 19
Parameter 20
Name Type Valid Range Description 21
22
DestAddress Device Any valid The extended 64-bit address of the device
23
Address 64-bit address that shall be sent the update information
24
DeviceAddress Device Any valid The extended 64-bit address of the device 25
Address 64-bit address whose status is being updated
26
Status Integer 0x00 – 0x08 Indicates the updated status of the device 27
given by the DeviceAddress parameter: 28
0x00: device secured join 29
0x01: device unsecured join 30
0x02: device left 31
0x03-0x08 reserved
32
33
DeviceShortAd Network 0x0000 - 0xffff The 16-bit network address of the device 34
dress address whose status is being updated
35
36
4.5.4.1.2 When Generated 37
38
The ZDO (for example, on a router or ZigBee coordinator) shall initiate the
39
APSME-UPDATE-DEVICE.request primitive when it wants to send updated
40
device information to another device (for example, the trust center). Effect on
41
receipt
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
428 Security Services Specification
that the Network key referenced by the KeySeqNumber parameter become the
new active Network key. 1
2
4.5.7.3 Secured APDU Frame 3
4
The APS layer frame format consists of APS header and APS payload fields (see 5
Figure 2.4.) The APS header consists of frame control and addressing fields. 6
When security is applied to an APDU frame, the security bit in the APS frame 7
control field shall be set to 1 to indicate the presence of the auxiliary frame header. 8
The format for the auxiliary frame header is given in sub-clause 4.6.1. The format 9
of a secured APS layer frame is shown in Figure 4.6. The auxiliary frame header 10
is situated between the APS header and payload fields. 11
12
Octets: Variable 5 or 6 Variable
13
Original APS Header Auxiliary Encrypted Payload Encrypted Message 14
([B7], Clause 7.1) frame Integrity Code (MIC) 15
header 16
Secure frame payload = Output of CCM*
17
Full APS header Secured APS payload
18
Figure 4.6 Secured APS Layer Frame Format 19
20
21
4.5.8 Command Frames 22
23
The APS layer command frame formats are given in this clause. 24
Command identifier values are shown in Table 4.27. 25
26
Table 4.27 Command Identifier Values
27
Command Identifier Value 28
29
APS_CMD_SKKE_1 0X01
30
APS_CMD_SKKE_2 0X02 31
APS_CMD_SKKE_3 0X02 32
33
APS_CMD_SKKE_4 0X04 34
APS_CMD_TRANSPORT_KEY 0X05 35
APS_CMD_UPDATE_DEVICE 0X06 36
37
APS_CMD_REMOVE_DEVICE 0X07 38
APS_CMD_REQUEST_KEY 0X08 39
40
APS_CMD_SWITCH_KEY 0X09
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 437
Table 4.30 Security Levels Available to the MAC, NWK, and APS layers
1
Security Frame Integrity 2
Security Level Sub- (length M of MIC,
Level field Security Data in Number of 3
Identifier (Table 4.17) Attributes Encryption Octets) 4
5
0x04 ‘100’ ENC ON NO (M = 0) 6
0x05 ‘101’ ENC-MIC-32 ON YES (M=4) 7
8
0x06 ‘110’ ENC-MIC-64 ON YES (M=8)
9
0x07 ‘111’ ENC-MIC-128 ON YES (M=16) 10
11
4.6.1.1.2 Key Identifier Sub-field 12
13
The key identifier sub-field consists of two bits that are used to identify the key 14
used to protect the frame. The encoding for the key identifier sub-field shall be as 15
listed in Table 4.31. 16
Table 4.31 Encoding for the Key Identifier Sub-field 17
18
Key Identifier Sub-field
Key Identifier (Table 4.17) Description 19
20
0x00 ‘00’ A link key 21
0x01 ‘01’ A Network key 22
23
0x02 ‘10’ A key-transport key
24
0x03 ‘11’ A key-load key 25
26
4.6.1.1.3 Extended Nonce Sub-field 27
28
The extended nonce sub-field shall be set to 1 if the sender address field of the 29
auxiliary header is present. Otherwise, it shall be set to 0. 30
31
4.6.1.2 Source Address Field 32
The source address field shall only be present when the extended nonce sub-field 33
of the security control field is 1. When present, the source address field shall 34
indicate the extended 64-bit address of the device responsible for securing the 35
frame. 36
37
4.6.1.3 Counter Field 38
39
The counter field is used to provide for frame freshness and to prevent processing 40
of duplicate frames. 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 447
Router Joiner
1
ZDO NWK MAC MAC NWK ZDO
2
NLME-PERMIT-JOINING.request NLME-NETWORK-DISCOVERY.request 3
MLME-SET.request(macAssociationPermit = TRUE) MLME-SCAN.request 4
Beacon request command (unsecured)
5
6
Beacon (unsecured)
MLME-SCAN.confirm 7
NLME-NETWORK-DISCOVERY.confirm
8
9
NLME-JOIN.request
10
MLME-ASSOCIATE.request
Association request command 11
MLME-ASSOCIATE.indication
12
13
NLME-JOIN.indication
14
MLME-ASSOCIATE.response
Association response command
15
MLME-ASSOCIATE.confirm
16
NLME-JOIN.confirm
17
18
Joined (unauthenticated) 19
20
Successful Authenticate Routine (see 8.3.2) 21
22
NLME-START-ROUTER.request (only if B is a router) 23
MLME-START.request (only if B is a router) 24
25
Joined (authenticated)
26
27
Figure 4.19 Example of Joining a Secured Network 28
29
The joiner device may begin the join procedure by issuing an NLME- 30
NETWORK-DISCOVERY.request primitive. This primitive will invoke an 31
MLME-SCAN.request primitive which may cause the transmission of an 32
unsecured beacon request frame (depending on whether the scan is an active or 33
passive scan). 34
The joiner device receives beacons from nearby routers and the NWK layer will 35
issue an NLME-NETWORK-DISCOVERY.confirm primitive. The NetworkList 36
parameter of this primitive will indicate all of the nearby PANs along with their 37
nwkSecurityLevel and nwkSecureAllFrames attributes. In Figure 4.19, the shown 38
router device has already been placed in a state such that its beacons have the 39
“association permit” sub-field set to “1” (permit association). 40
41
The joiner device shall decide which PAN to join (for example, based on the 42
security attributes received in NLME-NETWORK-DISCOVERY.confirm 43
primitive) and shall issue the NLME-JOIN.request primitive to join that PAN. If 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
452 Security Services Specification
the joiner already has a Network key for this PAN, the SecurityEnable parameter
for the NLME-JOIN.request primitive shall be set to TRUE; otherwise it shall be 1
set to FALSE. As shown in Figure 4.19, the NLME-JOIN.request primitive causes 2
an association request command to be sent to the router. 3
4
Upon receipt of the association request command, the router shall issue an 5
MLME-ASSOCIATE.indication primitive with the SecurityUse parameter set to 6
TRUE or FALSE, depending on whether or not the association request command 7
was secured. Next, the NWK layer will issue an NLME-JOIN.indication primitive 8
to the router’s ZDO. The router shall now know the joiner device’s address and 9
whether the Network key was used to secure the association request command. 10
The router will also issue an MLME-ASSOCIATE.response primitive with the 11
SecurityEnable parameter set to TRUE or FALSE, depending on whether or not 12
the association request command was secured or not, respectively. This primitive 13
will cause an association response command to be sent to the joiner. 14
Upon receipt of the association response command, the joiner shall issue the 15
NLME-JOIN.confirm primitive The joiner is now declared “joined, but 16
unauthenticated” to the network. The authentication routine (see sub- 17
clause 4.7.3.2) shall follow. 18
19
If the joiner is not a router, it is declared “joined and authenticated” immediately 20
following the successful completion of the authentication routine. 21
If the joiner is a router, it is declared “joined and authenticated” only after the 22
successful completion of the authentication routine followed by the initiation of 23
routing operations. Routing operations shall be initiated by the joiner’s ZDO 24
issuing the NLME-START.request primitive to cause the MLME-START.request 25
primitive to be sent to the MAC layer of the joiner. 26
27
If the router refuses the joiner, its association response frame shall contain the 28
association status field set to a value other than “0x00”, and, after this parameter 29
reaches the ZDO of the joiner in the NLME-JOIN.confirm primitive, the joiner 30
shall not begin the authentication routine. 31
32
4.7.3.2 Authentication 33
Once a device joins a secured network and is declared “joined but 34
unauthenticated”, it must be authenticated as specified in this sub-clause. 35
36
4.7.3.2.1 Router Operation 37
If the router is not the trust center, it shall begin the authentication procedure 38
immediately after receipt of the NLME-JOIN.indication primitive by issuing an 39
APSME-UPDATE-DEVICE.request primitive with the DestAddress parameter 40
set to the apsTrustCenterAddress in the AIB and the DeviceAddress parameter set 41
to the address of the newly joined device. The Status parameter of this primitive 42
shall be set to 0x00 (that is, secured join) if the newly joined device secured the 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 453
associate request command. Otherwise, the Status parameter shall be set to 0x01
(that is, unsecured join). 1
2
If the router is the trust center, it shall begin the authentication procedure by 3
simply operating as a trust center. 4
4.7.3.2.2 Trust Center Operation 5
6
The trust center role in the authentication procedure shall be activated upon 7
receipt of an incoming update-device command or immediately after receipt of the 8
NLME-JOIN.indication primitive (in the case where the router is the trust center). 9
The trust center behaves differently depending on at least five factors: 10
• Whether the trust center decides to allow the new device to join the network 11
(for example, the trust center is in a mode that allows new devices to join); 12
13
• Whether the trust center is operating in residential or commercial mode (see 14
sub-clause 4.7.2.1 and sub-clause 4.7.2.2, respectively); 15
• If in residential mode, whether the device is joining unsecured or secured (that 16
is, as indicated by the Status sub-field of the update-device command); 17
18
• If in commercial mode, whether the trust center has a master key corresponding 19
to the newly joined device; 20
• The nwkSecureAllFrames parameter of the NIB. 21
22
If, at any time during the authentication procedure, the trust center decides not to 23
allow the new device to join the network (for example, a policy decision or a 24
failed key-establishment protocol), it shall take actions to remove the device from 25
the network. If the trust center is not the router of the newly joined device, it shall 26
remove the device from the network by issuing the APSME-REMOVE- 27
DEVICE.request primitive with the ParentAddress parameter set to the address of 28
the router originating the update-device command and the ChildAddress 29
parameter set to the address of the joined (but unauthenticated) device. If the trust 30
center is the router of the newly joined device, it shall remove the device from the 31
network by issuing the NLME-LEAVE.request primitive with the DeviceAddress 32
parameter set to the address of the joined (but unauthenticated) device, the Rejoin 33
parameter set to 0, the SilentLeave parameter set to 1 and the ReuseAddress 34
parameter set to 1. Other fields are defined by the stack profile.19 35
36
4.7.3.2.2.1 Residential Mode 37
38
After being activated for the authentication procedure the trust center shall send
39
the device the active Network key by issuing the APSME-TRANSPORT-
40
KEY.request primitive with the DestAddress parameter set to the address of the
41
newly joined device, and the KeyType parameter to 0x01 (that is, Network key).
42
43
19. CCB #676 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
454 Security Services Specification
If the joining device already has the Network key (that is, the Status sub-field of
the update-device command is 0x00), the TransportKeyData sub-parameters shall 1
be set as follows: the KeySeqNumber sub-parameter shall be set to 0, the 2
NetworkKey sub-parameter shall be set to all zeros, and the UseParent sub- 3
parameter shall be set to FALSE. 4
5
Otherwise, the KeySeqNumber sub-parameter shall be set to the sequence count 6
value for this Network key, the NetworkKey sub-parameter shall be set to Network 7
key. The UseParent sub-parameter shall be set to FALSE if the trust center is the 8
router; otherwise, the UseParent sub-parameter shall be set to TRUE and the 9
ParentAddress sub-parameter shall be set to the address of the router originating 10
the update-device command. 11
In the case of a joining device that is not pre-configured with a Network key, the 12
issuance of this transport-key primitive will cause the Network key to be sent 13
unsecured from the router to the newly joined device — security is assumed to be 14
present here via non-cryptographic means — such as only sending this key once, 15
at low power, immediately after external input to both router and joiner, that can 16
guarantee secrecy and authenticity. If the joining device did not receive the key 17
within apsSecurityTimeOutPeriod, it shall reset and may choose to start the 18
joining procedure again. 19
20
4.7.3.2.2.2 Commercial Mode 21
22
After being activated for the authentication procedure, the trust center operation in 23
commercial mode depends on if the device joining the network is preconfigured 24
with a trust center master key. 25
If the trust center does not already share a master key with the newly joined 26
device, it shall send the device a master key by issuing the APSME- 27
TRANSPORT-KEY.request primitive with the DestAddress parameter set to the 28
address of the newly joined device, and the KeyType parameter to 0x00 (that is, 29
trust center master key). The TransportKeyData sub-parameters shall be set as 30
follows: the TrustCenterMasterKey sub-parameter shall be set to trust center 31
master key, and the ParentAddress sub-parameter shall set to the address of the 32
local device if the trust center is the router. Otherwise, the ParentAddress sub- 33
parameter shall set to the address of the router originating the update-device 34
command. The issuance of this primitive will cause the master key to be sent 35
unsecured from the router to the newly joined device—security is assumed to be 36
present here via non-cryptographic means, such as only sending this key once, at 37
low power, immediately after external input to both router and joiner, etc. 38
39
The trust center shall initiate the establishment of a link key by issuing the 40
APSME-ESTABLISH-KEY.request primitive with the ResponderAddress 41
parameter set to the address of the newly joined device and the 42
KeyEstablishmentMethod set to 0x00 (that is, SKKE). Additionally, if the 43
nwkSecureAllFrames parameter of the NIB is FALSE or the trust center is the 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 455
router, the UseParent parameter shall be set to FALSE. Otherwise, the UseParent
parameter shall be set to TRUE and the ResponderParentAddress parameter shall 1
be set to the address of the router originating the update-device command. 2
3
Upon receipt of the corresponding APSME-ESTABLISH-KEY.confirm primitive 4
with Status equal to 0x00 (that is, success), the trust center shall send the new 5
device the Network key by issuing the APSME-TRANSPORT-KEY.request 6
primitive with the DestAddress parameter set to the address of the newly joined 7
device, and the KeyType parameter to 0x01 (that is, Network key). The 8
TransportKeyData sub-parameters shall be set as follows: 9
• The KeySeqNumber sub-parameter shall be set to the sequence count value for 10
this Network key; 11
12
• The NetworkKey sub-parameter shall be set to Network key; 13
• The UseParent sub-parameter shall be set to FALSE. 14
15
4.7.3.2.3 Joining Device Operation 16
After successfully associating to a secured network, the joining device shall 17
participate in the authentication procedure described in this sub-clause. Following 18
a successful authentication procedure, the joining device shall set the 19
nwkSecurityLevel and nwkSecureAllFrames attributes in the NIB to the values 20
indicated in the beacon from the router. 21
22
A joined and authenticated device in a secured network with nwkSecureAllFrames 23
equal to TRUE shall always apply NWK layer security to outgoing (incoming) 24
frames unless the frame is destined for (originated from) a newly joined but 25
unauthenticated child. No such restrictions exist if nwkSecureAllFrames is equal 26
to FALSE. 27
The joining device’s participation in the authentication procedure depends on the 28
state of the device. There are three possible initial states to consider: 29
30
• Preconfigured with a Network key (that is, residential mode) 31
• Preconfigured with a trust center master key and address (that is, commercial 32
mode) 33
34
• Not preconfigured (that is, undetermined mode – either residential or 35
commercial mode) 36
In a secured network, if the device does not become authenticated within a 37
preconfigured amount of time, it shall leave the network. 38
39
4.7.3.2.3.1 Preconfigured Network Key 40
41
If the joining device was preconfigured with just a Network key (and the 42
association was successful), it shall set the outgoing frame counter for this key to 43
zero, and empty the incoming frame counter set for this key, and wait to receive a 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
456 Security Services Specification
dummy (all zero) Network key from the trust center. Upon receipt of the APSME-
TRANSPORT-KEY.indication primitive with the KeyType parameter set to 0x01 1
(that is, the Network key), the joining device shall set the apsTrustCenterAddress 2
attribute in its AIB to the SrcAddress parameter of the APSME-TRANSPORT- 3
KEY.indication primitive. The joining device is now considered authenticated and 4
shall enter the normal operating state for residential mode. 5
6
4.7.3.2.3.2 Preconfigured Trust Center Key 7
8
If the joining device is preconfigured with a trust center master key and address 9
(that is, the apsTrustCenterAddress attribute in the AIB) it shall wait to establish a 10
link key and receive a Network key from the trust center. Therefore, upon receipt 11
of the APSME-ESTABLISH-KEY.indication primitive with the InitiatorAddress 12
parameter set to the trust center’s address and the KeyEstablishmentMethod 13
parameter set to SKKE, the joining device shall respond with the APSME- 14
ESTABLISH-KEY.response primitive with the InitiatorAddress parameter set to 15
the trust center’s address and the Accept parameter set to TRUE. After receipt of 16
the APSME-ESTABLISH-KEY.confirm primitive with the Address parameter set 17
to the trust center’s address and the Status parameter set to 0x00 (that is, success), 18
the joining device shall expect to receive the Network key. Upon receipt of the 19
APSME-TRANSPORT-KEY.indication primitive with SourceAddress parameter 20
set to the trust center’s address and with the KeyType parameter set to 0x01 (that 21
is, the Network key), the joining device shall use the data in the 22
TransportKeyData parameter for configuring the Network key. All incoming 23
frame counters and the outgoing frame counter of the Network key shall be set to 24
0.20 The joining device is now considered authenticated and shall enter the normal 25
operating state for commercial mode. If the joining device did not receive the 26
APSME-ESTABLISH-KEY.indication primitive with the InitiatorAddress 27
parameter set to the trust center’s address and the KeyEstablishmentMethod 28
parameter set to SKKE within apsSecurityTimeOutPeriod, it shall reset and may 29
choose to start the joining procedure again. 30
31
4.7.3.2.3.3 Not Preconfigured 32
33
If the joining device is not preconfigured with a Network key nor a trust center 34
master key and address (that is, the apsTrustCenterAddress attribute in the AIB) it 35
shall wait to receive either an unsecured trust center master key or a Network key. 36
Implementers should note that transmission of an unsecured key represents a 37
security risk and that if security is a concern, keys should be preconfigured – 38
preferable via an out-of-band mechanism that guarantees secrecy and authenticity. 39
If the joining device did not receive either of the keys within 40
apsSecurityTimeOutPeriod, it shall reset and may choose to start the joining 41
procedure again. 42
43
20. CCB #671 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 457
If the sequence count for the previously distributed Network key is represented as
N, then the sequence count for this new Network key shall be (N+1) mod 256. The 1
trust center may cause a switch with this new key by issuing the APSEME- 2
SWITCH-KEY.request primitive with the DestAddress parameter set to the 3
broadcast address and the KeySeqNumber parameter set to the sequence count 4
value for the updated Network key. 5
6
When operating in commercial mode, the trust center shall maintain a list of all 7
devices in the network. To update the Network key, the trust center shall first send 8
the new Network key to each device on this list and then ask each device to switch 9
to this new key. The new Network key shall be sent to a device on the list by 10
issuing the APSME-TRANSPORT-KEY.request primitive with the DestAddress 11
parameter set to the address of the device on the list and the KeyType parameter 12
set to 0x01 (that is, Network key). The TransportKeyData sub-parameters shall be 13
set as follows: 14
The KeySeqNumber sub-parameter shall be set to the sequence count value for 15
this Network key; 16
17
The NetworkKey sub-parameter shall be set to the Network key; 18
The UseParent sub-parameter shall be set to FALSE. 19
20
If the sequence count for the previously distributed Network key is represented as 21
N, then the sequence count for this new Network key shall be (N+1) mod 256. The 22
trust center shall ask a device to switch to this new key by issuing the APSME- 23
SWITCH-KEY.request primitive with the DestAddress parameter set to the 24
address of the device on the list and the KeySeqNumber parameter set to the 25
sequence count value for the updated Network key. 26
4.7.3.3.2 Network Device Operation 27
28
When in the normal operating state and upon receipt of a APSME-TRANSPORT- 29
KEY.indication primitive with the KeyType parameter set to 0x01 (that is, 30
Network key), a device shall accept the TransportKeyData parameters as a 31
Network key only if the SrcAddress parameter is the same as the trust center’s 32
address (as maintained in the apsTrustCenterAddress attribute of the AIB). If 33
accepted and if the device is capable of storing an alternate Network key, the key 34
and sequence number data contained in the TransportKeyData parameter shall 35
replace the alternate Network key. Otherwise, the key and sequence number data 36
contained in the TransportKeyData parameter shall replace the active Network 37
key. In either case, all incoming frame counters and the outgoing frame counter of 38
the Network key shall be set to 0.22 39
When in the normal operating state and upon receipt of a APSME-SWITCH- 40
KEY.indication primitive, a device shall switch its active Network key to the one 41
42
43
22. CCB #671 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 461
until it expires), the trust center shall discard any new request-key commands for
this pair of devices unless they are from the initiator. 1
2
The trust center shall now send transport-key commands containing the 3
application link or master key to the initiator and responder devices. Only the 4
initiator’s transport-key command will have the Initiator field set to 1 (that is, 5
TRUE), so if a master key was sent, only the initiator device will begin the key- 6
establishment protocol by sending the SKKE-1 command. If the responder 7
decides to accept establishing a key with the initiator, the SKKE protocol will 8
progress via the exchange of the SKKE-2, SKKE-3, and SKKE-4 commands. 9
Upon completion (or time-out), the status of the protocol is reported to the ZDOs 10
of the initiator and responder devices. If successful, the initiator and responder 11
will now share a link key and secure communications will be possible. 12
13
Initiator Trust Center Responder 14
15
Learn address of responder via discovery
or other means (e.g., preloaded) 16
Request-Key Command(key, responder address)
17
18
Start a timer and send a link or master key to initiator and responder. The 19
trust center shall discard new request-key commands for this pair of
devices, unless they are from the initiator, until after the timer expires.
20
21
Transport-Key Command(key, Initiator=TRUE,
PartnerAddress = Responder’s address) Transport-Key Command(key, Initiator=FALSE, 22
PartnerAddress = Initiator’s address) 23
24
Stores key and, if a master key,
initiates key establishment
Decides whether
to the store key
25
26
SKKE-1 Command 27
Responder decides whether to run
28
key-establishment protocol 29
SKKE-2 Command 30
31
SKKE-3 Command
32
SKKE-4 Command 33
34
Status of SKKE reported to ZDO Status of SKKE reported to ZDO
35
36
Figure 4.24 Example End-to-End Application Key Establishment Procedure 37
38
4.7.3.6 Network Leave 39
40
A device, its router, and the trust center shall follow the procedures described in 41
this sub-clause when the device is to leave the network. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
466 Security Services Specification
router. The router then sends a device-update command to the trust center. In a
secured network, the device-update command must be secured with the link key, 1
if present, or the Network key. 2
3
4
Trust Center Router
1
Device 5
Disassociation Notification Command
2
6
Update-Device Command 7
8
Note:
9
1. A device leaving the network shall send a disassociation command to its router. 10
2. Upon receipt of a valid disassociation command, a router shall send an update-device command to the trust center to inform it 11
that a device has left the network. 12
13
Figure 4.26 Example Device-Leave Procedure
14
15
4.7.3.7 Intra-PAN Portability 16
Devices shall follow the procedures described in this sub-clause as necessary to 17
support portability, in conjunction with the mechanism described in 2.5.5.5.2.2. 18
19
At present, the security support for intra-PAN portability is minimized. In most 20
cases security operation is not different from normal, as described in these 21
sections. 22
4.7.3.7.1 Router Operation 23
24
This text describes the security operations for support of intra-PAN security which 25
are to be carried out by the ZigBee Coordinator and by ZigBee Routers. 26
Following the steps described in 2.5.5.5.2.2, an orphaned device shall be 27
provisionally accepted onto the network for at least apsSecurityTimeOutPeriod 28
milliseconds. During this period it shall be required to send at least one correctly 29
formed ZigBee message to the new parent secured with the network key. If this 30
message successfully passes all the security processing steps described in this 31
document it shall be accepted as a member of the network. 32
33
This specification neither specifies nor requires any action from the parent in the 34
case that a message from an orphaned device fails security processing above that 35
required by text elsewhere in this document. 36
Entity authentication of (re-)joined devices is neither specified nor required by 37
this specification. 38
39
4.7.3.7.2 End-device Operation 40
Following the steps described in 2.5.5.5.2.2, an orphaned device shall be 41
provisionally accepted onto the network for at least apsSecurityTimeOutPeriod 42
milliseconds. During this period, it shall be required to send at least one ZigBee 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 469
message to the new parent secured with the network key. Further, it shall verify
that at least one ZigBee message is received from the new parent secured using 1
the current network key. If this message successfully passes all the security 2
processing steps described in this document, the device shall operate as a member 3
of the network. If this protocol cannot be completed correctly, the device shall 4
abandon its attempt to join this parent. 5
6
Entity authentication of the new parent is neither specified nor required by this 7
specification. 8
As normal, when operating in residential mode the end device shall not accept an 9
unsecured Network key from the trust center, except as required by this document 10
when activated to join a new network. Accordingly power cycling of devices 11
without persistent memory is not supported within this specification. 12
13
As normal, when operating in commercial mode the end device shall be 14
configured to accept an updated network key from the trust center, even when not 15
activated for the authentication procedure. In this case, the key shall be 16
transported using the APSME-TRANSPORT-KEY.request primitive, and 17
appropriate security shall be verified. 18
Note that a ZigBee router may also carry out an orphan scan as described in 19
2.5.5.5.2.2. In this case it shall, at this time, also follow the steps described in this 20
sub-section. 21
22
4.7.3.7.3 Trust Center Operation 23
In this specification, there is no special additional role for the trust center above 24
that of other routing devices. 25
26
As normal, when operating in residential mode the trust center shall not issue or 27
reissue the Network key unsecured to orphaned devices, except when activated 28
for the authentication procedure. 29
As normal, when operating in commercial mode the trust center may optionally 30
issue or reissue the current or an updated network key to orphaned devices when 31
not activated for the authentication procedure. In this case, the key shall be 32
transported using the APSME-TRANSPORT-KEY.request primitive, and shall be 33
secured appropriately. Initiation of such an update is beyond the scope of this 34
specification. 35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Chapter 4
470 Security Services Specification
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 471
A N N E X
1
A
2
3
4
5
6
7
8
9
Note that this definition ensures that all the Ai fields are distinct from the B0
fields that are actually used, as those have a Flags field with a non-zero 1
encoding of M in the positions where all Ai fields have an all-zero encoding of 2
the integer 0 (see sub-clause A.2.2, step 1). 3
4
Parse the message PlaintextData as M1 || ... ||Mt, where each message block Mi 5
is a 16-octet string. 6
The ciphertext blocks C1, ... , Ct are defined by: 7
8
Ci := E( Key, Ai ) ⊕ Mi for i=1, 2, ... , t 9
10
11
The string Ciphertext is the result of omitting all but the leftmost l(m) octets of
12
the string C1 || ... || Ct
13
Define the 16-octet encryption block S0 by: 14
15
S0:= E( Key, A0 ) 16
17
2 The encrypted authentication tag U is the result of XOR-ing the string 18
consisting of the leftmost M octets of S0 and the authentication tag T. 19
20
Output: If any of the above operations has failed, then output ‘invalid’. 21
Otherwise, output the right-concatenation of the encrypted message Ciphertext 22
and the encrypted authentication tag U. 23
24
25
A.3 CCM* Mode Decryption and Authentication 26
Checking Transformation 27
28
Input: The CCM* inverse transformation takes as inputs: 29
30
1 A bit string Key of length keylen bits to be used as the key. Each entity shall 31
have evidence that access to this key is restricted to the entity itself and its 32
intended key-sharing group member(s). 33
2 A nonce N of 15-L octets. Within the scope of any encryption key Key, the 34
nonce value shall be unique. 35
36
3 An octet string c of length l(c) octets, where 0 ≤ l(c)-M < 28L. 37
4 An octet string a of length l(a) octets, where 0 ≤ l(a) < 264. 38
39
40
A.3.1 Decryption Transformation 41
42
The decryption transformation involves the following steps, in order: 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex A
476 CCM* Mode of Operation
1 Parse the message c as C ||U, where the right-most string U is an M-octet string.
If this operation fails, output ‘invalid’ and stop. U is the purported encrypted 1
authentication tag. Note that the leftmost string C has length l(c)-M octets. 2
3
2 Form the padded message CiphertextData by right-concatenating the string C 4
with the smallest non-negative number of all-zero octets such that the octet 5
string CiphertextData has length divisible by 16. 6
3 Use the encryption transformation in sub-clause A.2.3, with as inputs the data 7
CipherTextData and the tag U. 8
9
4 Parse the output string resulting from applying this transformation as m || T, 10
where the right-most string T is an M-octet string. T is the purported 11
authentication tag. Note that the leftmost string m has length l(c)-M octets. 12
13
A.3.2 Authentication Checking Transformation 14
15
The authentication checking transformation involves the following steps: 16
17
1 Form the message AuthData using the input transformation in sub- 18
clause A.2.1, with as inputs the string a and the octet string m that was 19
established in sub-clause A.3.1 (step 4). 20
2 Use the authentication transformation in sub-clause A.2.2, with as input the 21
message AuthData. 22
23
3 Compare the output tag MACTag resulting from this transformation with the 24
tag T that was established in sub-clause A.3.1 (step 4). If MACTag=T, output 25
‘valid’; otherwise, output ‘invalid’ and stop. 26
Output: If any of the above verifications has failed, then output ‘invalid’ and 27
reject the octet string m. Otherwise, accept the octet string m and accept one of the 28
key sharing group member(s) as the source of m. 29
30
31
A.4 Restrictions 32
33
All implementations shall limit the total amount of data that is encrypted with a 34
single key. The CCM* encryption transformation shall invoke not more than 261 35
block-cipher encryption function operations in total, both for the CBC-MAC and 36
for the CTR encryption operations. 37
38
At CCM* decryption, one shall verify the (truncated) CBC-MAC before releasing 39
any information, such as, Plaintext. If the CBC-MAC verification fails, only the 40
fact that the CBC-MAC verification failed shall be exposed; all other information 41
shall be destroyed. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 477
A N N E X
1
B
2
3
4
5
6
7
8
9
1 A block-cipher encryption function E shall have been chosen, with a key size
that is equal to the block size. The Matyas-Meyer-Oseas hash function has a 1
message digest size that is equal to the block size of the established encryption 2
function. It operates on bit strings of length less than 2n, where n is the block 3
size, in octets, of the established block-cipher. 4
5
2 A fixed representation of integers as binary strings or octet strings shall have 6
been chosen. 7
Input: The input to the Matyas-Meyer-Oseas hash function is as follows: 8
9
1 A bit string M of length l bits, where 0≤ l < 2n. 10
Actions: The hash value shall be derived as follows: 11
12
1 Pad the message M according to the following method: 13
a Right-concatenate to the message M the binary consisting of the bit ‘1’ 14
followed by k ‘0’ bits, where k is the smallest non-negative solution to the 15
equation: 16
17
l+1+k ≡ 7n (mod 8n) (1) 18
19
b Form the padded message M’ by right-concatenating to the resulting string 20
the n-bit string that is equal to the binary representation of the integer l. 21
22
2 Parse the padded message M’ as M1 || M2|| … || Mt where each message block 23
Mi is an n-octet string. 24
3 The output Hasht is defined by 25
26
27
Hash0 =08n; Hashj =E(Hashj-1, Mj) ⊕ Mj for j=1,…,t (2) 28
29
Here, E(K, x) is the ciphertext that results from encryption of the plaintext x, 30
using the established block-cipher encryption function E with key K; the string 31
08n is the n-octet all-zero bit string. 32
Output: The bit string Hasht as the hash value. 33
34
Note that the cryptographic hash function operates on bit strength of length less 35
than 2n bits, where n is the block size (or key size) of the established block cipher, 36
in bytes. For example, the Matyas-Meyer-Oseas hash function with AES-128 37
operates on bit strings of length less than 216 bits. It is assumed that all hash 38
function calls are on bit strings of length less than 2n bits. Any scheme attempting 39
to call the hash function on a bit string exceeding 2n bits shall output ‘invalid’ and 40
stop. 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex B
484 Security Building Blocks
2 Each entity shall have access to a bit string Key of length keylen bits to be used
as the key. Each party shall have evidence that access to this key is restricted to 1
the entity itself and the other entity involved in the symmetric-key 2
authenticated key agreement scheme. 3
4
3 Each entity shall be bound to a unique identifier (e.g., distinguished names). 5
All identifiers shall be bit strings of the same length entlen bits. Entity U’s 6
identifier will be denoted by the bit string U. Entity V’s identifier will be 7
denoted by the bit string V. 8
4 Each entity shall have decided which MAC scheme to use as specified in 9
Section 5.7 of ANSI X9.63-2001 [B7]. The length in bits of the keys used by 10
the chosen MAC scheme is denoted by mackeylen. 11
12
5 A cryptographic hash function shall have been chosen for use with the key 13
derivation function. 14
6 A specialized29 MAC scheme shall have been chosen for use with the secret 15
key generation primitive with tagging transformation as specified in Section 16
5.7.1 of ANSI X9.63-2001 [B7]. The length in bits of the keys used by the 17
specialized MAC scheme is denoted by keylen. 18
19
7 A fixed representation of octets as binary strings shall have been chosen. (e.g., 20
most-significant-bit-first order or least-significant-bit-first order). 21
22
B.7.1 Initiator Transformation 23
24
U shall execute the following transformation to agree on keying data with V if U is 25
the protocol’s initiator. U shall obtain an authentic copy of V’s identifier and an 26
authentic copy of the static secret key Key shared with V. 27
28
Input: The input to the initiator transformation is: 29
1 An integer keydatalen that is the length in bits of the keying data to be 30
generated. 31
32
2 (Optional) A bit string SharedData of length shareddatalen bits that consists of 33
some data shared by U and V. 34
3 (Optional) A bit string Text2 that consists of some additional data to be 35
provided from U to V. 36
37
Ingredients: The initiator transformation employs the challenge generation 38
primitive in Section 5.3 of ANSI X9.63-2001 [B7], the challenge validation 39
40
29. This refers to a MAC function with the additional property that it is also pre-image 41
and collision resistant for parties knowing the key (see also Remark 9.8 of [B18]. 42
Specialized MAC functions allow key derivation in contexts where unilateral key 43
control is undesirable. 44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex B
486 Security Building Blocks
primitive in sub-clause B.3.2, the SKG primitive in sub-clause B.5, the key
derivation function in Section 5.6.3 of ANSI X9.63-2001 [B7] , and one of the 1
MAC schemes in Section 5.7 of ANSI X9.63-2001 [B7]. 2
3
Actions: Keying data shall be derived as follows: 4
1 Use the challenge generation primitive in Section 5.3 of ANSI X9.63-2001 5
[B7] to generate a challenge QEU for the challenge domain parameters D. Send 6
QEU to V. 7
8
2 Then receive from V a challenge QEV’ purportedly owned by V. If this value is 9
not received, output ‘invalid’ and stop. 10
3 Verify that QEV’ is a valid challenge for the challenge domain parameters D as 11
specified in section sub-clause B.3.2. If the validation primitive rejects the 12
challenge, output ‘invalid’ and stop. 13
14
4 Use the SKG primitive in Chapter 1 to derive a shared secret bit string Z from 15
the challenges Q1=QEU owned by U and Q2=QEV’ owned by V, using as key 16
the shared key Key. If the SKG primitive outputs ‘invalid’, output ‘invalid’ and 17
stop. 18
5 Use the key derivation function in Section 5.6.3 of ANSI X9.63-2001 [B7] with 19
the established hash function to derive keying data KKeyData of length 20
mackeylen+keydatalen bits from the shared secret value Z and the shared data 21
[SharedData]. 22
23
6 Parse the leftmost mackeylen bits of KKeyData as a MAC key MacKey and the 24
remaining bits as keying data KeyData. 25
7 Form the bit string consisting of the octet 0216, V’s identifier, U’s identifier, the 26
bit string QEV’, the bit string QEU, and if present Text1: 27
28
MacData1 = 0216 || V || U || QEV’ || QEU || [Text1] 29
30
8 Verify that MacTag1’ is the tag for MacData1 under the key MacKey using the 31
tag checking transformation of the appropriate MAC scheme specified in 32
Section 5.7.2 of ANSI X9.63-2001 [B7]. If the tag checking transformation 33
outputs ‘invalid’, output ‘invalid’ and stop. 34
9 Form the bit string consisting of the octet 0316, U’s identifier, V’s identifier, the 35
bit string QEU corresponding to U’s challenge, the bit string QEV’ 36
corresponding to V’s challenge, and optionally a bit string Text2: 37
38
MacData2 = 0316 || U || V || QEU || QEV’ || [Text2] 39
40
10 Calculate the tag MacTag2 on MacData2 under the key MacKey using the 41
tagging transformation of the appropriate MAC scheme specified in Section 42
5.7.1 of ANSI X9.63-2001 [B7]: 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 487
4 Form the bit string consisting of the octet 0316, U’s identifier, V’s identifier, the
bit string QEU’ corresponding to U’s purported challenge, the bit string QEV 1
corresponding to V’s challenge, and the bit string Text2 (if present): 2
3
MacData2 = 0316 || U || V || QEU’ || QEV || [Text2] 4
5
5 Verify that MacTag2’ is the valid tag on MacData2 under the key MacKey 6
using the tag checking transformation of the appropriate MAC scheme 7
specified in Section 5.7 ANSI X9.63-2001 [B7]. If the tag checking 8
transformation outputs ‘invalid’, output ‘invalid’ and stop. 9
6 Use the SKG primitive in Chapter 1 to derive a shared secret bit string Z from 10
the challenges Q1=QEU’ owned by U and Q2=QEV owned by V, using as key 11
the shared key Key. If the SKG primitive outputs ‘invalid’, output ‘invalid’ and 12
stop. 13
14
7 Use the key derivation function in Section 5.6.3 of ANSI X9.63-2001 [B7] with 15
the established hash function to derive keying data KKeyData of length 16
mackeylen+keydatalen bits from the shared secret value Z and the shared data 17
[SharedData]. 18
8 Parse the leftmost mackeylen bits of KKeyData as a MAC key MacKey and the 19
remaining bits as keying data KeyData. 20
21
9 Form the bit string consisting of the octet 0216, V’s identifier, U’s identifier, the 22
bit string QEV, the bit string QEU’, and, optionally, a bit string Text1: 23
24
MacData1 = 0216 || V || U || QEV || QEU’ || [Text1] 25
26
10 Calculate the tag MacTag1 for MacData1 under the key MacKey using the 27
tagging transformation of the appropriate MAC scheme specified in Section 5.7 28
of ANSI X9.63-2001 [B7]: 29
30
MacTag1 = MACMacKey(MacData1) 31
32
33
If the tagging transformation outputs ‘invalid’, output ‘invalid’ and stop. Send to 34
U, if present the bit string Text1, and MacTag1. 35
Output: If any of the above verifications has failed, then output ‘invalid’ and 36
reject the bit strings KeyData and Text2. Otherwise, output ‘valid’, accept the bit 37
string KeyData as the keying data of length keydatalen bits shared with U and 38
accept U as the source of the bit string Text2 (if present). 39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 489
A N N E X
1
C
2
3
4
5
6
7
8
9
BUILDING BLOCKS
12
13
14
15
This annex provides sample test vectors for the ZigBee community, aimed at 16
assisting in building interoperable security implementations. The sample test 17
vectors are provided as is, pending independent validation. 18
19
20
C.1 Data Conversions 21
22
For test vectors, see Appendix J1 of ANSI X9.63-2001 [B7]. 23
24
25
C.2 AES Block Cipher 26
27
This annex provides sample test vectors for the block-cipher specified in sub- 28
clause B.1.1. 29
30
For test vectors, see FIPS Pub 197 [B8]. 31
32
33
C.3 CCM* Mode Encryption and Authentication 34
Transformation 35
36
37
This annex provides sample test vectors for the mode of operation as specified in
38
sub-clause B.1.2.
39
Prerequisites: The following prerequisites are established for the operation of the 40
mode of operation: 41
42
1 The parameter M shall have the integer value 8.
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex C
490 Test Vectors For Cryptographic Building
AuthData = 00 08 00 01 02 03 04 05 06 07 00 00 00 00 00 00 ||
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 1
18 19 1A 1B 1C 1D 1E 00 00 00 00 00 00 00 00 00 2
3
4
C.3.2 Authentication Transformation 5
6
The data AuthData that was established above shall be tagged using the tagging 7
transformation as follows: 8
1 Form the 1-octet Flags field as follows: 9
10
Flags = 59 11
12
2 Form the 16-octet B0 field as follows: 13
14
B0 = 59 || A0 A1 A2 A3 A4 A5 A6 A7 03 02 01 00 06 || 00 17 15
3 Parse the message AuthData as B1 || B2 ||B3, where each message block Bi is a 16
16-octet string. 17
18
4 The CBC-MAC value X4 is calculated as follows: 19
20
i Bi Xi 21
22
0 59 A0 A1 A2 A3 A4 A5 A6 A7 03 02 01 00 06 00 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
23
1 00 08 00 01 02 03 04 05 06 07 00 00 00 00 00 00 F7 74 D1 6E A7 2D C0 B3 E4 5E 36 CA 8F 24 3B 1A 24
25
2 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 90 2E 72 58 AE 5A 4B 5D 85 7A 25 19 F3 C7 3A B3
26
3 18 19 1A 1B 1C 1D 1E 00 00 00 00 00 00 00 00 00 5A B2 C8 6E 3E DA 23 D2 7C 49 7D DF 49 BB B4 09 27
28
4 æ B9 D7 89 67 04 BC FA 20 B2 10 36 74 45 F9 83 D6
29
30
The authentication tag T is the result of omitting all but the leftmost M=8 octets of 31
the CBC-MAC value X4: 32
33
T = B9 D7 89 67 04 BC FA 20 34
35
C.3.3 Encryption Transformation 36
37
The data PlaintextData shall be encrypted using the encryption transformation as 38
follows: 39
40
1 Form the 1-octet Flags field as follows: 41
42
Flags = 01 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex C
492 Test Vectors For Cryptographic Building
AuthData = 08 00 01 02 03 04 05 06 07 00 00 00 00 00 00 00 ||
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 1
18 19 1A 1B 1C 1D 1E 00 00 00 00 00 00 00 00 00 2
3
2 Use the authentication transformation in sub-clause C.3.2, with as input the 4
message AuthData to compute the authentication tag MACTag: 5
6
MACTag = B9 D7 89 67 04 BC FA 20 7
3 Compare the output tag MACTag resulting from this transformation with the 8
tag T that was established in sub-clause C.4.1 (step 9): 9
T = B9 D7 89 67 04 BC FA 20 = MACTag 10
11
Output: Since MACTag=T, output ‘valid’ and accept the octet string m and accept 12
one of the key sharing group member(s) as the source of m. 13
14
15
C.5 Cryptographic Hash Function 16
17
This annex provides sample test vectors for the cryptographic hash function 18
specified in clause C.5. 19
20
C.5.1 Test Vector Set 1 21
22
Input: The input to the cryptographic hash function is as follows: 23
24
1 The bit string M of length l=8 bits to be used: 25
26
M=C0 27
Actions: The hash value shall be derived as follows: 28
29
1 Pad the message M by right-concatenating to M the bit ‘1’ followed by the 30
smallest non-negative number of ‘0’ bits, such that the resulting string has 31
length 14 (mod 16) octets: 32
33
C0 || 80 00 00 00 00 00 00 00 00 00 00 00 00 34
2 Form the padded message M’ by right-concatenating to the resulting string the 35
16-bit string that is equal to the binary representation of the integer l: 36
37
M’ = C0 || 80 00 00 00 00 00 00 00 00 00 00 00 00 || 00 08 38
39
3 Parse the padded message M’ as M1, where each message block Mi is a 16-octet 40
string. 41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex C
496 Test Vectors For Cryptographic Building
7 Form the padded message M2 by right-concatenating the bit string Key2 with
the bit string Hash1: 1
2
M2 = Key2 || Hash1 = 1C 1D 1E 1F 18 19 1A 1B 14 15 16 17 10 11 12 13 || 3
3C 3D 53 75 29 A7 A9 A0 3F 66 9D CD 88 6C B5 2C 4
5
8 Compute the hash value Hash2 of the bit string M2: 6
7
Hash2 = 45 12 80 7B F9 4C B3 40 0F 0E 2C 25 FB 76 E9 99 8
Output: the 16-octet string HMAC = Hash2 = 45 12 80 7B F9 4C B3 40 0F 0E 2C 9
25 FB 76 E9 99 10
11
12
C.6.2 Test Vector Set 2 13
14
Input: The input to the keyed hash function is as follows: 15
1 The key Key of size keylen=256 bits to be used: 16
Key = 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F || 17
50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 18
19
2 The bit string M of length l=128 bits to be used: 20
21
M = C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 22
Actions: The keyed hash value shall be derived as follows: 23
24
1 Compute the hash value Key0 of the bit string Key: 25
26
Key0 = 22 F4 0C BE 15 66 AC CF EB 77 77 E1 C4 A9 BB 43 27
2 Create the 16-octet string ipad (inner pad) as follows: 28
29
ipad = 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 30
31
3 Form the inner key Key1 by XOR-ing the bit key Key0 and the octet string ipad: 32
33
Key1 = Key0 ⊕ ipad = 14 C2 3A 88 23 50 9A F9 DD 41 41 D7 F2 9F 8D 75 34
4 Form the padded message M1 by right-concatenating the bit string Key1 with 35
the bit string M: 36
37
M1 = Key1 || M = 14 C2 3A 88 23 50 9A F9 DD 41 41 D7 F2 9F 8D 75 || 38
C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF 39
40
5 Compute the hash value Hash1 of the bit string M1: 41
42
Hash1 = 42 65 BE 29 74 55 8C A2 7B 77 85 AC 73 F2 22 10 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 499
Z = 78 7C DE F6 80 13 12 CD 41 1B CD 62 14 91 F8 6D
1
5 Use the key derivation function in Section 5.6.3 of ANSI X9.63-2001 [B7] 2
with the Matyas-Meyer-Oseas hash function to derive keying data KKeyData 3
of length 256 bits from the shared secret value Z and the shared data 4
SharedData: 5
a The hash values Hash1, Hash2 are computed as follows: 6
7
i Hashi=H(Xi) Xi 8
9
E4 D4 5F 76 2A 36 B7 99 F9 5E C2 C6 FD E9 A1 78 7C DE F6 80 13 12 CD 41 1B CD 62 14 91 F8 6D || 00
1 50 00 00 01 || D0 D1 D2 D3 D4 D5 10
11
72 57 7D 02 CC E1 39 33 1A BF F4 0B C5 6E A3 78 7C DE F6 80 13 12 CD 41 1B CD 62 14 91 F8 6D || 00 12
2 7F 00 00 02 || D0 D1 D2 D3 D4 D5
13
14
b Set KKeyData=Hash1 || Hash2: 15
KKeyData = E4 D4 5F 76 2A 36 B7 99 F9 5E C2 C6 FD E9 A1 50 || 16
72 57 7D 02 CC E1 39 33 1A BF F4 0B C5 6E A3 7F 17
6 Parse the leftmost 128 bits of KKeyData as a MAC key MacKey and the 18
remaining bits as keying data KeyData. 19
20
MacKey = E4 D4 5F 76 2A 36 B7 99 F9 5E C2 C6 FD E9 A1 50;
21
KeyData = 72 57 7D 02 CC E1 39 33 1A BF F4 0B C5 6E A3 7F 22
7 Form the bit string MacData1 = 0216 || V || U || QEV’ || QEU || [Text1]: 23
MacData1 = 02 || 55 73 65 72 20 56 0D 0A || 55 73 65 72 20 55 0D 0A ||
24
BF 14 DF 94 94 39 D2 CE 24 C9 09 53 B5 72 D6 53 || 25
9E 3F 0C 19 05 4B 05 44 D5 A7 17 62 0A F2 7D 96 26
27
8 Verify that MacTag1’ is the tag for MacData1 under the key MacKey using the 28
tag checking transformation specified in Section 5.7.2 of ANSI X9.63- 29
2001 [B7]. If the tag checking transformation outputs ‘invalid’, output ‘invalid’ 30
and stop. 31
a Calculate MacTag1=MACMacKe y (MacData1) = E6 C3 DE 1F E8 63 15 B9 32
E6 A0 2B 44 FF 63 D8 D0 33
34
b Verify that MacTag1=MacTag1’ 35
9 Form the bit string MacData2 = 0316 || U || V || QEU || QEV’ || [Text2]: 36
MacData2 = 03 || 55 73 65 72 20 55 0D 0A || 55 73 65 72 20 56 0D 0A || 37
9E 3F 0C 19 05 4B 05 44 D5 A7 17 62 0A F2 7D 96 || 38
BF 14 DF 94 94 39 D2 CE 24 C9 09 53 B5 72 D6 53 39
40
10 Calculate the tag MacTag2 on MacData2 under the key MacKey using the 41
tagging transformation specified in Section 5.7.1 of ANSI X9.63-2001 [B7] 42
with the HMAC-Matyas-Meyer-Oseas MAC scheme: 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex C
502 Test Vectors For Cryptographic Building
MacData2 = 03 || 55 73 65 72 20 55 0D 0A || 55 73 65 72 20 56 0D 0A ||
9E 3F 0C 19 05 4B 05 44 D5 A7 17 62 0A F2 7D 96 || 1
BF 14 DF 94 94 39 D2 CE 24 C9 09 53 B5 72 D6 53 2
5 Verify that MacTag2’ is the valid tag on MacData2 under the key MacKey 3
using the tag checking transformation specified in Section 5.7 ANSI X9.63- 4
2001 [B7]. If the tag checking transformation outputs ‘invalid’, output ‘invalid’ 5
and stop. 6
7
a Calculate MacTag2=MACMacKey (MacData2) = 66 36 8D 61 0F E0 0B 7F 06 8
3E 74 C4 78 0A A3 6D 9
b Verify that MacTag2=MacTag2’ 10
11
6 Use the SKG primitive in clause B.5 to derive a shared secret bit string Z from 12
the challenges Q1=QEU’ owned by U and Q2=QEV owned by V, using as key 13
the shared key SharedKey. If the SKG primitive outputs ‘invalid’, output 14
‘invalid’ and stop. 15
a Form the bit string MACData=U || V || QEU’ || QEV: 16
17
MACData = 55 73 65 72 20 55 0D 0A || 55 73 65 72 20 56 0D 0A ||
9E 3F 0C 19 05 4B 05 44 D5 A7 17 62 0A F2 7D 96 ||
18
BF 14 DF 94 94 39 D2 CE 24 C9 09 53 B5 72 D6 53 19
20
b Calculate the MACTag for MACData under the key Key using the tagging 21
transformation of the HMAC-Matyas-Meyer-Oseas MAC scheme: 22
MACTag = MACKey (MACData) = 78 7C DE F6 80 13 12 CD 41 1B CD 62 14 23
91 F8 6D 24
c Set Z=MACTag: 25
26
Z = 78 7C DE F6 80 13 12 CD 41 1B CD 62 14 91 F8 6D
27
7 Use the key derivation function in Section 5.6.3 of ANSI X9.63-2001 [B7] 28
with the Matyas-Meyer-Oseas hash function to derive keying data KKeyData 29
of length 256 bits from the shared secret value Z and the shared data 30
SharedData: 31
32
a The hash values Hash1, Hash2 are computed as follows: 33
34
i Hashi=H(Xi) Xi
35
78 7C DE F6 80 13 12 CD 41 1B CD 62 14 91 F8 6D || 00 36
1 E4 D4 5F 76 2A 36 B7 99 F9 5E C2 C6 FD E9 A1 50
00 00 01 || D0 D1 D2 D3 D4 D5 37
78 7C DE F6 80 13 12 CD 41 1B CD 62 14 91 F8 6D || 00 38
2 72 57 7D 02 CC E1 39 33 1A BF F4 0B C5 6E A3 7F
00 00 02 || D0 D1 D2 D3 D4 D5 39
40
b Set KKeyData=Hash1 || Hash2: 41
KKeyData = E4 D4 5F 76 2A 36 B7 99 F9 5E C2 C6 FD E9 A1 50 ||
42
72 57 7D 02 CC E1 39 33 1A BF F4 0B C5 6E A3 7F 43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex C
504 Test Vectors For Cryptographic Building
8 Parse the leftmost 128 bits of KKeyData as a MAC key MacKey and the
remaining bits as keying data KeyData. 1
MacKey = E4 D4 5F 76 2A 36 B7 99 F9 5E C2 C6 FD E9 A1 50;
2
3
KeyData = 72 57 7D 02 CC E1 39 33 1A BF F4 0B C5 6E A3 7F
4
9 Form the bit string MacData1 = 0216 || V || U || QEV || QEU’ || [Text1]: 5
MacData1 = 02 || 55 73 65 72 20 56 0D 0A || 55 73 65 72 20 55 0D 0A || 6
BF 14 DF 94 94 39 D2 CE 24 C9 09 53 B5 72 D6 53 || 7
9E 3F 0C 19 05 4B 05 44 D5 A7 17 62 0A F2 7D 96 8
9
10 Calculate the tag MacTag1 for MacData1 under the key MacKey using the 10
tagging transformation specified in Section 5.7 of ANSI X9.63-2001 [B7] with 11
the HMAC-Matyas-Meyer-Oseas MAC scheme: 12
MacTag1 = MACMacKey(MacData1)= E6 C3 DE 1F E8 63 15 B9 E6 A0 2B 44 13
63 D8 D0 14
11 If the tagging transformation outputs ‘invalid’, output ‘invalid’ and stop. Send 15
to U, if present the bit string Text1, and MacTag1. 16
17
Output: output ‘valid’ and accept the 128-bit string KeyData = 72 57 7D 02 CC E1 39 18
33 1A BF F4 0B C5 6E A3 7F as the keying data shared with U. 19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 505
A N N E X
1
D
2
3
4
5
6
7
8
9
CLARIFICATIONS
12
13
14
15
D.1 Introduction 16
17
18
D.1.1 Scope 19
20
This Annex applies to the IEEE 802.15.4 2003 Medium Access Control sub-layer 21
(MAC) and Physical Layer (PHY) specification when used in conjunction with 22
higher layers defined by the ZigBee specification. Nothing is implied about the 23
usage under other circumstances. 24
25
26
D.1.2 Purpose 27
28
The current ZigBee specification assumes the use of the MAC and PHY sub- 29
layers defined in the IEEE 802.15.4 2003 specification. However, as developers 30
have put the MAC and PHY sub-layers into use, they have uncovered problems 31
that may or may not have been anticipated by the authors of the specification, or 32
are not covered in the IEEE 802.15.4 2003 specification. This document is 33
intended to provided solutions to such problems, for use by the ZigBee Alliance. 34
35
D.1.3 Stack Size Issues 36
37
Both MAC and ZigBee stack developers have discovered that implementation of a 38
full-blown MAC is a major undertaking and requires a great deal of code space. 39
Even with the optional GTS and MAC security features eliminated, it is not 40
surprising to find the MAC taking up more than 24K of code space on a processor 41
with 64K of available space. 42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex D
506 MAC and PHY Sub-Layer Clarifications
The ZigBee Alliance has adopted a compensating policy to declare MAC features
that are not required to support a particular stack profile, optional with respect to 1
that stack profile. In particular, any MAC feature that will not be exploited as a 2
result of platform compliance testing for a particular stack profile, need not be 3
present in order for an implementation to be declared platform compliant. Thus, 4
for example, since the HC stack profile relies on a beaconless network, the 5
platform compliance testing for the HS stack profile does not employ beaconing; 6
the code to support regular beaconing, beacon track, and so on, may be absent 7
from the code base of the device under test without the knowledge of the 8
testers — without presenting a problem with respect to platform compliance 9
certification. 10
11
12
D.1.4 MAC Association 13
14
At association time, according to the IEEE 802.15.4 2003 specification, a number 15
of frames, including an association request command, an associate response 16
command and a data request. There is some ambiguity in the specification 17
regarding the addressing fields in the headers for these frames. Tables D.1–D.3 18
outline the allowable options that shall be recognized by devices implementing 19
the ZigBee specification. In each case, the first option given is the preferred 20
option and should be used. 21
Table D.1 Associate Request Header Fields 22
23
DstPANId DstAddr SrcPANId SrcAddr 24
The PANId of the The 16-bit short 0xffff The 64-bit extended 25
destination device address of the address of the source 26
destination device device 27
PANId omitted 28
because the IntraPAN 29
sub-field in the frame 30
control field is set to 31
one
32
The PANId of the 33
destination device 34
Not present if the Not present if the 35
destination device is destination device is 36
the PAN coordinator the PAN coordinator 37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
ZigBee Specification
Document 053474r13 507
Note that in this case and the case below, the source of the command is the device
requesting association. 1
2
Table D.2 Data Request Header Fields
3
DstPANId DstAddr SrcPANId SrcAddr 4
5
The PANId of the The 16-bit short 0xffff The 64-bit extended 6
destination device address of the address of the source
destination device device 7
8
PANId omitted 9
because the IntraPAN
sub-field in the frame 10
control field is set to 11
one 12
The PANId of the 13
destination device 14
15
Not present if the Not present if the
destination device is destination device is
16
the PAN coordinator the PAN coordinator 17
18
19
20
Table D.3 Association Response Header Fields 21
22
DstPANId DstAddr SrcPANId SrcAddr
23
The PANId of the The 64-bit extended PANId omitted The 64-bit extended 24
destination device address of the because the IntraPAN address of the source 25
destination device sub-field in the frame device
26
control field is set to
one 27
28
The PANId of the
29
source device
30
0xffff 31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.
Annex D
508 MAC and PHY Sub-Layer Clarifications
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Copyright © 2006 ZigBee Standards Organization. All rights reserved.