In this context, a “fabric” is a group of networked devices that share the same security domain enabling secure communications within the fabric. Devices in each fabric share the same top-level certificate authority (CA), a Root of Trust determined by the CA, and have a unique (usually 64-bit) identifier called the Fabric ID. To add a node to an existing fabric requires the assignment of unique security credentials to the device, establishing its Fabric ID and enabling it to communicate with other devices on the fabric (Figure 1).
This FAQ reviews how fabrics are administered in a Matter ecosystem, how a Matter device can operate on more than one fabric, and how Matter uses bridges to connect with non-Matter fabrics.
Each node on a Matter network has a node operational certificate (NOC) based on the International Telecommunications Union (ITU) X.509 standard, which defines the format of public key infrastructure (PKI) certificates. X.509 certificates are used to manage identities and security in internet communications and computer networks. Matter uses PKI to facilitate identity.
A Matter node can be part of multiple Matter networks. When that happens, the node has one NOC for each network, also called a Matter fabric. The available compute and memory resources of a node determine how many Matter fabrics can be supported at one time. Each fabric has a unique root CA certificate that’s used to validate the identities of the NOCs of the nodes on the fabric. The nodes use the root CA certificate to validate that a request has been validly issued within a fabric.
Where do the NOC and root CA certificates come from?
Matter nodes join a fabric through the process of commissioning. Commissioning sets the initial configuration for the device using another device called a commissioner, often an app on a smartphone. To add a node, the commissioner sends the NOC and the trusted root CA certificate.
To add a node to a second Mater fabric, the administrator tells the device to open its commissioning routine after it has been commissioned the first time. This allows the node to be commissioned to a second Matter fabric.
What are the ten steps of commissioning?
The complete commissioning process is complex and can be broken down into a series of nine stages (Figure 2):
- Device discovery starts the process with the Commissionee advertising itself. The Commissionee can use one of three Commissionable Discovery methods detailed in the Matter specification and must also provide its onboarding information.
- Connect to device. After seeing the advertisement, the Commissioner uses the passcode from the onboarding information provided by the Commissionee to do passcode authenticated session establishment (PASE) to connect to the device. PASE establishes the security keys that both devices use for communication. The Commissioner also sets up a fail-safe that provides a way to roll back the Commissionee to its original state if commissioning isn’t completed successfully.
- Get Commissionee information reading all the descriptors. The Commissioner reads all the descriptors from the clusters on the commissionee. Examples include:
- Basic information cluster includes information like the Vendor ID, Product ID, Product Name, and Serial Number, and firmware version.
- Access control list cluster supports configuration of the access control lists for this node.
- Network commissioning cluster supports configuration of a network (Wi-Fi, Ethernet, or Thread) on the node.
- Regulatory configuration information is configured by the Commissioner. Regulatory information includes things like configuring the location (indoor/outdoor/both) of the device or setting up the country code.
- Commissionee attestation is used to determine whether a device has been certified and is a genuine Matter device. The commissioner obtains the Device Attestation Certificate (DAC) and the Product Attestation Intermediate (PAI) certificate from the Commissionee. Once the certificates are received, the Commissioner does a challenge request that should be signed by the Attestation Private Key and uses that to establish the authenticity of the Commissionee.
- Certificate Signing Request (CSR) is sent by the Commissioner to the Commissionee. The Commissionee creates a unique operational key pair that will be used in a Certificate Authenticated Session Establishment (CASE) in the final step of commissioning and sends the information to the Commissioner.
- Node Operational Certificate (NOC) is obtained by the Commissioner using the CSR information. The Commissioner passes the CSR information to the Administrative Domain Manager (ADM) to generate a trusted NOC. The Commissioner installs the Root Certificate on the Commissionee, then installs the NOC.
- Network provisioning is performed for Thread or Wi-Fi devices when the Commissioner configures the operational network on the Commissionee. Network provisioning is not needed for Ethernet Devices since the device is already connected to the network.
- Operational discovery occurs when the newly commissioned node is connected to the network. Operational discovery is the process used by Commissioners to find commissioned nodes on the network and know which IP address and port the Commissionee is using.
- CASE session is initiated by the Commissioner with the Commissionee. The Commissionee responds operational certificates are exchanged, and a shared trust is established by confirming that both devices are in the same logical fabric. At this point, the commissioning process is complete, the Commissioner removes the fail-safe, and the Commissionee can interact normally with all the other nodes on the fabric.
What are Matter bridges and border routers about?
Bridging is about connecting non-Matter devices and fabrics to a Matter fabric. A key benefit of using Matter is that existing devices on Zigbee, Z-Wave, and other wireless networks don’t become obsolete, they can be absorbed into the collective led by Matter. Bridges are important because they enable users to keep existing investments in smart home networks while adding new Matter fabrics over the top. Bridges can be established by upgrading existing devices or with a dedicated bridge device.
If an existing device has sufficient memory and computing resources, it can be upgraded to add bridging functionality. Upgrading existing devices can bring challenges related to latencies and network stability. Suppliers of wireless network ICs are developing bridging devices that combine Matter connectivity with support for already deployed networks like Zigbee and Z-Wave.
Matter and runs over Wi-Fi, Ethernet, and Thread protocols and uses Bluetooth Low Energy (LE) for commissioning of Thread devices. Thread is an important development related to Matter. It combines the IPv6 internet protocol with IEEE 802.15.4 radio technology and is designed to be secure and future-proof. Thread uses a layer called 6LoWPAN to unify IPv6 and 802.15.4 technologies. A Thread border router is used to connect a Thread network to other Matter fabrics like Wi-Fi or Ethernet. The border router provides services for the Thread fabric devices, like routing services for off-network operation and bidirectional connectivity over IPv6 infrastructure. Bridges and Thread border routers combine to maximize the benefits of Matter and embrace existing wireless fabrics (Figure 3). In addition, on top of a Matter fabric, a Gateway device can provide access to the wider internet and the cloud.
Matter was designed from the ground up to support multiple fabrics. A Matter network itself can include both Wi-Fi and Thread fabrics connected using a Thread border router. Bridges have been developed for connecting Matter fabrics to non-Matter fabrics like Zigbee and Z-Wave and help users retain the value in existing wireless smart home networks while at the same time supporting the deployment of new Matter devices and fabrics.