[riot-devel] at86rf2xx and PHR filtering

Wachtler, Axel Axel.Wachtler at atmel.com
Fri Apr 1 11:17:02 CEST 2016


Hi Alex,

weird things on air result mostly in a damaged CRC. However, malicious frames can always
be generated by any SDR. My vote would be, because RIOT targets 15.4, to drop any
invalid length frame early on PHY level and not bother the upper layers with handling the junk.
(Part of the junk handling is already done in RF23x HW, e.g. when RX_AACK drops invalid CRC
frames, or if the frame filter rejects frames with non-matching addresses.)

... just my two cents on this ...

But anyway good that you found this potential vulnerability!

Best Regards, Axel.


> -----Original Message-----
> From: devel [mailto:devel-bounces at riot-os.org] On Behalf Of Alexander Aring
> Sent: Freitag, 1. April 2016 10:58
> To: RIOT OS kernel developers <devel at riot-os.org>
> Subject: Re: [riot-devel] at86rf2xx and PHR filtering
> 
> On Fri, Apr 01, 2016 at 08:45:48AM +0000, Wachtler, Axel wrote:
> > > Most datasheets don't say anything about whether they filter on PHR or not.
> >
> > The MSB in the PHR field is reserved, see at86rf230 DS:
> >
> > At and after RF231 this bit could be sent by the transceiver and can then be
> > seen at the receiver site as well.
> >
> > Also the standard tells that this bit is reserved, so proper
> > implementations need to mask this out in order
> > to get the correct frame length at the receiving site.
> >
> 
> Okay, then all transceivers need to do that, and mostly at driver layer, because
> at the tail there is mostly LQI/RSSI information.
> 
> But it's not just the MSB bit, there are also some other "len" values which are
> reserved:
> 
>      0-4     Reserved
>      5       MPDU (Acknowledgment)
>      6-8     Reserved
>      9-127   MPDU
> 
> If you received one which is reserved then you know:
> 
> "It's an invalid 802.15.4 frame".
> 
> Question is how to react on that: already drop them on driver layer -> because
> it's part of phy layer and not mac layer. Or simply do what we do now and deliver
> the full 127 byte frame to mac layer.
> 
> We assume then something weird happened on the air. :-)
> 
> - Alex
> _______________________________________________
> devel mailing list
> devel at riot-os.org
> https://lists.riot-os.org/mailman/listinfo/devel
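The early PHR check the thread argues for, as an added example that is not RIOT's or the at86rf2xx driver's own code: it masks the reserved MSB, classifies the masked length against the table Alex quotes, and refuses a frame-buffer read whose claimed length exceeds what was actually read, so the MAC layer never sees the junk. The [PHR][PSDU][trailer] buffer layout and all function and macro names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* The MSB of the PHR is reserved by IEEE 802.15.4 and must be masked out. */
#define PHR_LEN_MASK   0x7Fu
#define PHR_ACK_LEN    5u
#define PHR_MIN_MPDU   9u
#define PHR_MAX_MPDU   127u

typedef enum {
    PHR_RESERVED,   /* 0-4 or 6-8: not a valid 802.15.4 frame */
    PHR_ACK,        /* 5: MPDU (Acknowledgment) */
    PHR_MPDU        /* 9-127: regular MPDU */
} phr_class_t;

/* Classify a raw PHR byte; *len (if given) receives the masked frame length. */
phr_class_t phr_classify(uint8_t phr, uint8_t *len)
{
    uint8_t l = phr & PHR_LEN_MASK;
    if (len) {
        *len = l;
    }
    if (l == PHR_ACK_LEN) {
        return PHR_ACK;
    }
    if (l >= PHR_MIN_MPDU && l <= PHR_MAX_MPDU) {
        return PHR_MPDU;
    }
    return PHR_RESERVED;
}

/*
 * Validate a frame-buffer read assumed to look like [PHR][PSDU ...][trailer]
 * and hand back only the PSDU. The trailer (LQI/RSSI/ED) is chip specific and
 * is not inspected here. Returns false when the PHR is reserved or the buffer
 * is shorter than the length the PHR claims (a truncated or forged read), so
 * nothing invalid is passed up to the MAC layer.
 */
bool phr_extract(const uint8_t *buf, size_t buf_len,
                 const uint8_t **psdu, uint8_t *psdu_len)
{
    uint8_t len;
    if (buf == NULL || buf_len < 1) {
        return false;
    }
    if (phr_classify(buf[0], &len) == PHR_RESERVED) {
        return false;
    }
    if (buf_len < (size_t)len + 1) {
        return false;   /* claimed length exceeds what was read */
    }
    *psdu = buf + 1;
    *psdu_len = len;
    return true;
}
```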

