Question

6. Write a threat model for a desktop computer with a wired Internet connection. (25 points) Ans:
Answer #1

Ans:

Thread network topology. For this exercise, we'll emulate the two nodes within the green circle: a Thread Leader and Thread Router with a single connection between them.

[Figure: Thread network topology. Legend: End Device (child), Thread Leader (parent), Thread Router (parent), Border Router, Thread Link]

Ping a node

1. Start Node 1

If you haven't done so already, enter the VM from a terminal window:

$ cd ~/openthread/etc/vagrant
$ vagrant ssh

Navigate to the openthread directory and spawn the CLI process for an emulated Thread device using the ot-cli-ftd binary.

$ cd ~/src/openthread
$ ./output/x86_64-unknown-linux-gnu/bin/ot-cli-ftd 1

x86_64-unknown-linux-gnu represents the platform of VM used for this Codelab. When using a different OS image, OpenThread processes will be found under a different path. For example, on Mac OS X, the platform would be x86_64-apple-darwin. Check the ~/src/openthread/output folder for the correct platform value to use.

This binary implements an OpenThread device emulated on top of POSIX. The IEEE 802.15.4 radio driver is implemented on top of UDP (IEEE 802.15.4 frames are passed within UDP payloads).

The argument of 1 is a file descriptor that represents the least-significant bits of the "factory-assigned" IEEE EUI-64 for the emulated device. This value is also used when binding to a UDP port for IEEE 802.15.4 radio emulation (port = 9000 + file descriptor). Each instance of an emulated Thread device in this Codelab will use a different file descriptor.

Note: Only use file descriptors of 1 or greater as noted in this Codelab when spawning the process for an emulated device. A file descriptor of 0 is reserved for other use.

If you don't see the > prompt after running this command, press enter.

Set the Personal Area Network (PAN) ID. This is the identifier for the Thread network you are creating. PANs are short-distance networks reserved for personal use.

> panid 0x1234
Done

Bring up the IPv6 interface:

> ifconfig up
Done

Start Thread protocol operation:

> thread start
Done

Wait a few seconds and verify that the device has become the Thread Leader. The Leader is the device responsible for managing router ID assignment.

> state
leader
Done

View the IPv6 addresses assigned to Node 1's Thread interface (your output will be different):

> ipaddr
fdde:ad00:beef:0:0:ff:fe00:fc00
fdde:ad00:beef:0:0:ff:fe00:5800
fdde:ad00:beef:0:d41:e070:730d:ad2f
fe80:0:0:0:804b:ad57:9ad4:40f3
Done

Note the specific IPv6 address types:

  • Begins with fd = mesh-local
  • Begins with fe80 = link-local

Mesh-local address types are classified further:

  • Contains ff:fe00 = Router Locator (RLOC)
  • Does not contain ff:fe00 = Endpoint Identifier (EID)

Identify the EID in your console output and make a note of it for later use. In the sample output above, the EID is:

fdde:ad00:beef:0:d41:e070:730d:ad2f

The RLOC will change as the network topology changes and a Thread device switches between states. The EID is independent of topology changes and will remain static.

2. Start Node 2

Open a new terminal and ssh into another VM instance to use for Node 2.

$ cd ~/openthread/etc/vagrant
$ vagrant ssh

In this new VM, navigate to the openthread directory and spawn the CLI process. This is your second emulated Thread device:

$ cd ~/src/openthread
$ ./output/x86_64-unknown-linux-gnu/bin/ot-cli-ftd 2

If you don't see the > prompt after running this command, press enter.

Set the PAN ID, using the same value as Node 1.

> panid 0x1234
Done

Bring up the IPv6 interface:

> ifconfig up
Done

Start Thread protocol operation:

> thread start
Done

The device will initialize itself as a Child. A Thread Child is equivalent to an End Device, which is a Thread device that transmits and receives unicast traffic only with a Parent device.

> state
child
Done

Within 2 minutes you should see the state switch from child to router. A Thread Router is capable of routing traffic between Thread devices. It is also referred to as a Parent.

> state
router
Done

Verify the mesh

An easy way to verify the mesh network is to look at the router table.

1. Check connectivity

On Node 2, get the RLOC16. The RLOC16 is the last 16 bits of the device's RLOC IPv6 address.

> rloc16
a800
Done

On Node 1, check the router table for Node 2's RLOC16. Make sure Node 2 has switched to the router state first.

> router table
| ID | RLOC16 | Next Hop | Path Cost | LQI In | LQI Out | Age | Extended MAC     |
+----+--------+----------+-----------+--------+---------+-----+------------------+
| 42 | 0xa800 |       63 |         0 |      3 |       3 |  12 | 06110017a9f6f2c4 |
| 52 | 0xd000 |       52 |         0 |      0 |       0 |  21 | 02e4d04fae41de50 |

Node 1's RLOC of 0xa800 is found in the table, confirming that it is connected to the mesh.

2. Ping Node 1 from Node 2

Verify connectivity between the two emulated Thread devices. In Node 2, ping the EID assigned to Node 1:

> ping fdde:ad00:beef:0:d41:e070:730d:ad2f
8 bytes from fdde:ad00:beef:0:d41:e070:730d:ad2f: icmp_seq=1 hlim=64 time=1ms

Press enter to return to the > CLI prompt.

Test the mesh

Now that you can successfully ping between two emulated Thread devices, test the mesh by taking one node offline.

Return to Node 1 and stop Thread:

> thread stop
Done

Switch to Node 2 and check the state. Within two minutes, Node 2 detects that the leader (Node 1) is offline, and you should see Node 2 transition to be the leader of the network:

> state
router
Done
...
> state
leader
Done

Once confirmed, stop Thread and factory reset Node 2 before exiting. A factory reset is done to ensure that the Thread network credentials we used in this exercise are not carried over to the next exercise.

> thread stop
Done
> factoryreset
>
> exit

Also factory reset and exit Node 1:

> factoryreset
>
> exit
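
The address rules in the answer above (fd = mesh-local, fe80 = link-local, ff:fe00 = RLOC, otherwise EID) can be applied mechanically to `ipaddr` output. The following is an added example, not part of the original answer or of OpenThread: the function names are hypothetical, the sample input is constructed from the output shown above, and the router-ID calculation (top 6 bits of the RLOC16) is taken from Thread addressing and agrees with the router table in the answer.

```python
import ipaddress

# Constructed sample: Node 1's `ipaddr` output as shown in the answer.
SAMPLE = """> ipaddr
fdde:ad00:beef:0:0:ff:fe00:fc00
fdde:ad00:beef:0:0:ff:fe00:5800
fdde:ad00:beef:0:d41:e070:730d:ad2f
fe80:0:0:0:804b:ad57:9ad4:40f3
Done
"""

# Interface-identifier bytes 0000:00ff:fe00 that precede the 16-bit locator.
LOCATOR_IID = bytes.fromhex("000000fffe00")


def classify(text):
    """Return (kind, rloc16); rloc16 is None unless kind is 'RLOC'."""
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed
    if addr.is_link_local:
        return ("link-local", None)
    if raw[0] != 0xFD:
        return ("other", None)
    # Compare bytes rather than searching the text for "ff:fe00": an EID such
    # as fd..:1:ff:fe00:1 contains that substring but is not a locator.
    if raw[8:14] == LOCATOR_IID:
        return ("RLOC", int.from_bytes(raw[14:16], "big"))
    return ("EID", None)


def parse_ipaddr(output):
    """Classify every address line; skip the prompt echo, 'Done' and blanks."""
    found = {}
    for line in output.splitlines():
        try:
            found[line.strip()] = classify(line.strip())
        except ipaddress.AddressValueError:
            continue
    return found


def router_id(rloc16):
    """Router ID is the top 6 bits of the RLOC16 (0xa800 -> 42 in the table)."""
    return rloc16 >> 10


if __name__ == "__main__":
    for address, (kind, rloc16) in parse_ipaddr(SAMPLE).items():
        extra = "" if rloc16 is None else f" rloc16=0x{rloc16:04x} router_id={router_id(rloc16)}"
        print(f"{kind:10} {address}{extra}")
```
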