Certificate Management with EST Protocol
Enrollment over Secure Transport (EST, RFC 7030) is a certificate management protocol for public key infrastructure (PKI)
clients that need to acquire client certificates and the associated certificate authority (CA) certificates.
EST carries certificate requests as PKCS #10 certificate signing requests (CSRs).
With EST support enabled, operational certificates no longer depend on the manufacturer's PKI. The manufacturer-installed
certificate is used only once, for initial bootstrapping; after that, every certificate used by the endpoint is managed by the
customer's PKI alone. Customer-installed certificates do not require manually installing certificates and keys
on the endpoints.
EST is supported on IR510 WPAN Gateway and IR530 WPAN Range Extender with Cisco Resilient Mesh Release 6.1.
Note
The following certificates are supported:
Manufacturer IDevID (birth certificate): installed by the manufacturer using the manufacturer's PKI, used only for bootstrapping,
and immutable.
Utility IDevID (passport certificate): managed by the utility PKI, enrolled using the Manufacturer IDevID, and used only for enrolling
the LDevID.
LDevID (visa certificate): managed by the utility PKI, enrolled using the Utility IDevID, and used as the operational certificate for
802.1X authentication.
When an endpoint ships with a manufacturer IDevID, it acquires a passport certificate and then a visa certificate from the customer
PKI domain during onboarding. The manufacturer IDevID authenticates and authorizes the endpoint when it enrolls for the passport,
and the passport does the same when it enrolls for the visa. The visa certificate then authenticates and authorizes the endpoint
when it joins the network (802.1X, EAP-TLS).
The Cisco Resilient Mesh uses EST over CoAP/DTLS/UDP for certificate enrollment. During the initial bootstrapping process, nodes
that have already joined the network (enrolled and authenticated) act as DTLS relays for nodes being bootstrapped.
The DTLS relay is configured from the CLI with the following parameters:
Enabled flag, which turns off the entire relay function when it is not needed
EST server IP address and port
Maximum number of concurrent sessions
Maximum session lifetime
For more information on DTLS relay configuration, see Configuring DTLS Relay for EST, on page 52.
Enable the DTLS relay only during enrollment windows; outside those windows it is an unnecessary forwarding path toward the EST server.
Note
Nodes one hop away from the Border Router (BR) are enrolled through the DTLS relay running on the BR. On the BR, layers 1 and 2
run on the bridge (running Resilient Mesh) while layer 3 and above run in IOS. Because the relay operates at layers 3 and 4, it is
implemented in IOS as well. The relay on the BR supports the same configuration as the relay running on endpoints; on the BR, the
configuration is done using IOS CLIs.
The relay on a node is configured with TLV170 (DtlsRelaySettings). Each node supports at most two relay sessions at the same time.
Every DTLS packet relayed over a session refreshes that session; a session times out after 30 seconds without traffic.
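The following is an added example, not Cisco code, that models the relay behaviour described above: the four configurable
parameters (enabled flag, EST server address and port, maximum sessions, session lifetime), the per-node limit of two concurrent
sessions, and the rule that each relayed DTLS packet refreshes its session until the 30-second idle timeout expires. It also
shows the check a relay operating at layers 3 and 4 should make before forwarding anything: the datagram must look like a DTLS
record and, on the return path, must come from the configured EST server. The EST server address, the CoAPs port 5684, the
relay-side port range, and the sample ClientHello bytes are assumptions made for the example.

```python
"""DTLS relay session table for EST bootstrapping (added example, not Cisco code).

Assumptions: EST server address/port, relay-side port pool, and the sample
datagram are constructed for illustration; timeouts follow the text.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Addr = Tuple[str, int]          # (IPv6 address, UDP port)

# DTLS record header: 1-byte content type, then 2-byte version
# (DTLS 1.0 = fe ff, DTLS 1.2 = fe fd), 2-byte epoch, 6-byte sequence, 2-byte length.
_DTLS_CONTENT_TYPES = {20, 21, 22, 23}   # change_cipher_spec, alert, handshake, application_data
_DTLS_VERSIONS = {b"\xfe\xff", b"\xfe\xfd"}
_DTLS_HEADER_LEN = 13

# Constructed sample: a handshake record header with a zeroed body (not a real capture).
SAMPLE_CLIENT_HELLO = bytes([22, 0xFE, 0xFD]) + bytes(10)


def looks_like_dtls(datagram: bytes) -> bool:
    """Cheap layer-4 sanity check so the relay forwards only DTLS records."""
    return (len(datagram) >= _DTLS_HEADER_LEN
            and datagram[0] in _DTLS_CONTENT_TYPES
            and datagram[1:3] in _DTLS_VERSIONS)


@dataclass
class RelayConfig:
    enabled: bool = False                       # default off: enable only in the enrollment window
    est_server: Addr = ("2001:db8::1", 5684)    # assumed EST server and CoAPs port
    max_sessions: int = 2                       # per-node limit from the text
    session_lifetime: float = 30.0              # idle timeout in seconds, from the text


@dataclass
class RelaySession:
    peer: Addr            # node being bootstrapped
    local_port: int       # relay-side UDP port used toward the EST server
    last_seen: float      # monotonic timestamp of the last relayed packet


class DtlsRelay:
    def __init__(self, cfg: RelayConfig, now: Callable[[], float] = time.monotonic,
                 base_port: int = 49152) -> None:
        self.cfg = cfg
        self.now = now                # injectable clock so the timeout can be tested
        self.base_port = base_port    # assumed start of the relay-side port pool
        self.by_peer: Dict[Addr, RelaySession] = {}
        self.by_port: Dict[int, RelaySession] = {}

    def expire(self) -> int:
        """Drop sessions idle for session_lifetime or longer; return how many were dropped."""
        t = self.now()
        stale = [s for s in self.by_peer.values()
                 if t - s.last_seen >= self.cfg.session_lifetime]
        for s in stale:
            del self.by_peer[s.peer]
            del self.by_port[s.local_port]
        return len(stale)

    def _free_port(self) -> Optional[int]:
        for p in range(self.base_port, self.base_port + self.cfg.max_sessions):
            if p not in self.by_port:
                return p
        return None

    def from_peer(self, src: Addr, datagram: bytes) -> Optional[Tuple[int, Addr]]:
        """Datagram from a joining node. Returns (relay port, EST server) or None if dropped."""
        if not self.cfg.enabled or not looks_like_dtls(datagram):
            return None
        self.expire()
        s = self.by_peer.get(src)
        if s is None:
            if len(self.by_peer) >= self.cfg.max_sessions:
                return None                      # table full: the joiner must retry later
            port = self._free_port()
            if port is None:
                return None
            s = RelaySession(src, port, self.now())
            self.by_peer[src] = s
            self.by_port[port] = s
        s.last_seen = self.now()                 # every relayed packet refreshes the session
        return s.local_port, self.cfg.est_server

    def from_server(self, src: Addr, local_port: int, datagram: bytes) -> Optional[Addr]:
        """Datagram arriving on a relay port. Returns the peer to forward to, or None."""
        if (not self.cfg.enabled or src != self.cfg.est_server
                or not looks_like_dtls(datagram)):
            return None                          # only the configured EST server may answer
        self.expire()
        s = self.by_port.get(local_port)
        if s is None:
            return None
        s.last_seen = self.now()
        return s.peer
```

The session table is keyed both by joining peer and by relay-side port so that replies from the EST server can be mapped back
without any state in the datagram itself; restricting the return path to the configured server address keeps the relay from
becoming a general UDP reflector while it is enabled.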
REVIEW DRAFT - CISCO CONFIDENTIAL