Joost Demarest explains how media couplers with KNX Security Proxy functionality can be used to integrate non-KNX-Secure installations with KNX Secure RF products.
KNX Secure covers several use cases where KNX communication is limited to a group of authenticated devices, or the system communication as a whole is protected against eavesdropping or manipulation.
In particular, it secures the following use cases:
- Remote access to the installation (KNX IP Secure Tunnelling).
- The configuration of devices in the installation (KNX Data Security, KNX IP Secure Device Management).
- Run-time communication of certain applications (KNX Data Security).
- KNX communication in open IP networks (KNX IP Secure Routing).
- KNX communication in open Subnetworks (KNX Data Security).

The last use case covers the common scenario where a (possibly already-existing) wired KNX installation, i.e., a KNX TP (twisted-pair) installation, is extended with KNX RF S-Mode devices via a media coupler.
In contrast to twisted-pair cable, which is hidden behind walls and ceilings and therefore requires physical access to the building before it can be attacked, the KNX RF wireless spectrum is an open medium that can be accessed anonymously from outside the installation.
It is therefore a legitimate requirement to secure all communication within this KNX RF subnetwork, but at the same time, allow integration of KNX RF Secure devices into applications that exist unsecured on the KNX TP segment. An example of this would be adding a secured KNX RF pushbutton that participates in the same group as unsecured KNX TP pushbuttons and an unsecured KNX TP light switch actuator.
To achieve this, the coupler device that separates the to-be-secured subnetwork from the unsecured subnetwork must act as an intermediary when routing KNX Frames from one subnetwork to the other, transparently adding KNX Data Security to, or removing it from, each KNX Frame. A coupler device with the optional security proxy functionality thus allows a Group Address to be configured securely for one of its subnetworks, but without security (i.e., ‘plainly’) for its other subnetwork. In other words, it translates transparently between secure and plain communication, making runtime communication between devices in different subnetworks via this Group Address possible.
Translating unicast (point-to-point) runtime communication between secure and plain is not supported by a KNX Security Proxy, nor is (system) broadcast runtime communication. However, the security proxy includes methods to temporarily enable unicast and (system) broadcast routing between specific Individual Addresses.
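The routing rule described above, as an added illustrative model rather than KNX Association code: a coupler holds a table of Group Addresses that are secure on its RF side and plain on its TP side, secures group frames arriving from TP, verifies and strips security from group frames arriving from RF, and refuses to translate unicast or broadcast. The frame layout, the `Frame` and `SecurityProxy` names, the single sequence counter used by the proxy and the truncated HMAC-SHA256 tag are all assumptions of this model; real KNX Data Security uses AES-128-CCM and the KNX frame format, neither of which is reproduced here.

```python
"""Model of a KNX Security Proxy coupler (illustrative, not the KNX wire format)."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

TAG_LEN = 4  # bytes of the stand-in MAC kept on the frame (model choice)


@dataclass(frozen=True)
class Frame:
    src: str                # Individual Address of the sender, e.g. "1.1.10"
    dst: str                # Group Address "1/2/3" (or an Individual Address)
    apdu: bytes             # application payload, e.g. a GroupValue_Write
    is_group: bool = True   # False for unicast / (system) broadcast
    secured: bool = False   # carries a security wrapper (seq + tag)
    seq: int = 0            # sender sequence number, replay protection
    tag: bytes = b""        # authentication tag over src, dst, seq, apdu


def compute_tag(group_key: bytes, frame: Frame) -> bytes:
    # Stand-in for the AES-128-CCM MAC of KNX Data Security (assumption of this
    # model): HMAC-SHA256 under the per-Group-Address group key, truncated.
    msg = b"|".join([frame.src.encode(), frame.dst.encode(),
                     frame.seq.to_bytes(6, "big"), frame.apdu])
    return hmac.new(group_key, msg, hashlib.sha256).digest()[:TAG_LEN]


class SecurityProxy:
    """Coupler between a plain TP line and a secured RF line (model)."""

    def __init__(self, group_keys: dict):
        # Group Addresses configured secure on RF and plain on TP, with their keys
        self.group_keys = group_keys
        self.tx_seq = 0   # assumption: one monotonic counter for frames the proxy secures
        self.rx_seq = {}  # highest accepted sequence number per RF sender

    def route(self, frame: Frame, from_side: str) -> Optional[Frame]:
        """Return the frame to forward to the other side, or None to drop it."""
        if not frame.is_group:
            return None                 # unicast and broadcast are not translated
        key = self.group_keys.get(frame.dst)
        if key is None:
            return frame                # GA not proxied: forwarded as received
        if from_side == "TP":
            return self._secure(key, frame)
        if from_side == "RF":
            return self._unsecure(key, frame)
        raise ValueError(from_side)

    def _secure(self, key: bytes, frame: Frame) -> Optional[Frame]:
        if frame.secured:
            return None                 # GA is plain on TP; anything else is unexpected
        self.tx_seq += 1
        out = replace(frame, secured=True, seq=self.tx_seq)
        return replace(out, tag=compute_tag(key, out))

    def _unsecure(self, key: bytes, frame: Frame) -> Optional[Frame]:
        if not frame.secured:
            return None                 # GA is secure on RF; plain frames are rejected
        if not hmac.compare_digest(frame.tag, compute_tag(key, frame)):
            return None                 # forged or tampered
        if frame.seq <= self.rx_seq.get(frame.src, -1):
            return None                 # replayed
        self.rx_seq[frame.src] = frame.seq
        return replace(frame, secured=False, seq=0, tag=b"")


def demo() -> dict:
    """Constructed traffic through the proxy; returns each routing outcome."""
    key = bytes(range(16))              # constructed group key for GA 1/2/3
    proxy = SecurityProxy({"1/2/3": key})
    # plain TP pushbutton writes "on" (constructed APDU) to GA 1/2/3
    tp_press = Frame("1.1.10", "1/2/3", b"\x00\x81")
    to_rf = proxy.route(tp_press, "TP")
    # secured RF pushbutton sends the same write towards the TP actuator
    rf_press = Frame("1.2.20", "1/2/3", b"\x00\x81", secured=True, seq=7)
    rf_press = replace(rf_press, tag=compute_tag(key, rf_press))
    to_tp = proxy.route(rf_press, "RF")
    replayed = proxy.route(rf_press, "RF")
    forged = proxy.route(replace(rf_press, seq=8, apdu=b"\x00\x80"), "RF")
    unicast = proxy.route(Frame("1.1.10", "1.2.20", b"\x00", is_group=False), "TP")
    return {"to_rf": to_rf, "to_tp": to_tp, "replayed": replayed,
            "forged": forged, "unicast": unicast}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "dropped" if result is None else result)
```

The point worth taking from the model is that the proxy is a trust boundary, not a filter: every group frame that arrives plain on the TP side is forwarded with valid security on the RF side, so the physical protection of the TP cabling remains the precondition for the RF devices to trust what they receive. In the other direction the proxy only admits frames whose tag verifies and whose sequence number has not been seen before from that sender, which is what keeps an eavesdropper on the open RF medium from replaying or forging a group write into the wired installation.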
The security proxy is applicable only for segment couplers, line couplers and backbone couplers.
Joost Demarest is the CTO/CFO of KNX Association, the creator and owner of KNX technology – the worldwide standard for all applications in home and building control.