Connection Establishment in Bluetooth
Aman Kansal
- Inquiry: The device, on reaching a new environment, will automatically initiate an inquiry to find out what access points are within its range. (If not, it will do so when the email application asks for a link.) This results in the following events:
- All nearby access points respond with their addresses.
- The device picks one out of the responding devices.
- Paging: The device will invoke a baseband procedure called paging. This results in synchronization of the device with the access point, in terms of its clock offset and phase in the frequency hop, among other required initializations.
- Link establishment: The LMP will now establish a link with the access point. As the application in this case is email, an ACL link will be used. The various setup steps are described below.
- Service Discovery: The LMP will use the SDP (Service Discovery Protocol) to discover what services are available from the access point, in particular whether email access, or access to the relevant host, is possible from this access point. Let us assume that the service is available; otherwise the application cannot proceed further. Information regarding the other services offered at the access point may be presented to the user.
- L2CAP channel: With information obtained from SDP, the device will create an L2CAP channel to the access point. This may be directly used by the application or another protocol like RFCOMM may be run over it.
- RFCOMM channel: Depending on the needs of the email application, an RFCOMM or other channel (in the case of other applications) will be created over the L2CAP channel. This feature allows existing applications developed for serial ports to run without modification over Bluetooth platforms.
- Security: If the access point restricts access to a particular set of users, or otherwise offers secure mode communications to people having some prior registration with it, then at this stage the access point will send a security request for "pairing". This will be successful if the user knows the correct PIN code to access the service. Note that the PIN is not transmitted over the wireless channel; another key generated from it is used instead, so that the PIN is difficult to compromise. Encryption will be invoked if secure mode is used.
- PPP: Assuming that a PPP link is used over a serial modem as in dial-up networking, the same application will now be able to run PPP over RFCOMM (which emulates the serial port). This link will allow the user to log in to his email account.
- Network Protocols: Network protocols like TCP/IP, IPX and AppleTalk can now send and receive data over the link.
Clock: Every Bluetooth unit has an internal system clock which determines the timing and hopping of the transceiver. The Bluetooth clock is derived from a free-running native clock which is never adjusted and is never turned off. For synchronization with other units, only offsets are used which, added to the native clock, provide temporary Bluetooth clocks that are mutually synchronized. The Bluetooth clock has no relation to the time of day. The Bluetooth clock is very important for the Bluetooth transceiver, as it is involved in timing a number of important events without which communication is not possible. Its resolution is at least half the TX or RX slot length, or 312.5 microseconds. The clock has a cycle of about a day. If the clock is implemented with a counter, a 28-bit counter is required that wraps around at 2^28 - 1. The LSB ticks in units of 312.5 microseconds, giving a clock rate of 3.2 kHz.
The timing and the frequency hopping on the channel of a piconet are determined by the Bluetooth clock of the master. When the piconet is established, the master clock is communicated to the slaves. The slaves store the required offset to be used while communicating with that particular master and use it to synchronize to the channel. As the local clock itself is not modified, different offsets can be used to participate in various piconets.
The minimum clock accuracy required is +/- 20 ppm in active mode and +/- 250 ppm in low power states like Hold, Sniff, Standby and Park.
Inquiry and Paging
These are the initial steps in starting a connection. The device, before, during and after these procedures, can be viewed as being in the different states shown in Fig. 1.
Figure 1: State diagram of the link controller.
The device is in the Standby state by default. In this state only the native clock is running and power consumption is very low. It may leave this state to go to the Inquiry, Inquiry Scan, Page or Page Scan states. These states are described below:
Inquiry
In this state, the device sends an Inquiry packet addressed to either the General Inquiry Access Code (GIAC) or a Dedicated Inquiry Access Code (DIAC), which refers to a particular class of devices, say printers. The transmission is repeated at 16 frequencies which form the inquiry hop sequence, called a train. A device which is allowing itself to be inquired will be listening at one of these frequencies. The transmission is carried out in every alternate slot, and the intermediate slots are used for listening to responses, if any. There are two trains of hop frequencies, A and B. Each train must be repeated 256 times to collect all responses in an error-free environment. The total time required for doing this is 10.24 seconds. However, if enough responses are collected in a smaller interval, the inquiry may be aborted in between. If the inquiry procedure is automatically initiated, say once every minute, then the interval between successive inquiries must be random to avoid synchronization, and hence a collision, with another device involved in inquiry.
Inquiry Scan
A device which allows itself to be discovered will periodically enter the inquiry scan substate and listen for inquiry packets at a single frequency, which it will choose out of the 16 frequencies in the inquiry hop sequence depending on its device address. It will stay in that state long enough for an inquiring device to cover 16 different frequencies. A device may enter the inquiry scan state from the standby or connected states. If it is entering from the connection state, the SCO links in operation will be maintained while the ACL links will be suspended. The presence of SCO links may prolong the inquiry procedures.
Inquiry Response
When an inquiry message is received in the inquiry scan state, a response packet containing the responding device address must be sent. However, it is not sent in the slot immediately following the one in which the inquiry is received, as that might cause many devices listening at a given frequency to respond simultaneously, resulting in a collision. So the responding device waits for a random number of slots and then sends its FHS packet to the inquirer. The FHS packet contains the device address, its clock and information about when the device enters its page scan states. After responding to an inquiry, the device continues its inquiry scan at another frequency, without waiting for an acknowledgement. The inquiring device, on receiving a response, does not acknowledge it but continues its inquiry procedure as long as it wishes to. Only when the inquiring device wants to page the device that responded, say at a later time when a connection is required, will it use the response information to page.
After the inquiry has been successfully carried out, or the device address of the device to which a connection has to be made has been determined by some other means, like information from previous connections, the device will start a paging procedure if a connection is desired. Paging requires only the address of the device to be paged, but the clock information from the FHS response packet may be used to speed up the procedure. The device starting the paging procedure is called the master, and it will be the master of the piconet consisting of itself and the paged device if the paged device accepts the connection. Before starting data communications, however, the devices may exchange their roles.
This procedure will usually occur whenever the Bluetooth device enters a new environment or some older links become unavailable. Now, when the application is invoked, the device will start paging procedures.
Page
This state requires the master to do the following:
- The master uses the clock information, if any, about the slave to be paged to determine where in the hop sequence the slave might be listening in the page scan mode. This estimate may be totally wrong.
- The master calculates the Device Access Code (DAC) of the slave from the device address of the slave using a well-defined procedure.
- The master sends a page message. The master transmits this page message at a number of frequencies in the page hop sequence, starting with the frequency at which it had estimated the slave to be listening. The page hop sequence consists of 32 frequencies divided into two trains of 16 each. Train A includes the 16 frequencies surrounding the predicted frequency and train B the remaining ones. If the clock estimate is within -8x1.28 to +7x1.28 seconds then the slave will be able to respond within train A itself. (Since the slave is listening for 16 alternate slots, a drift of 32 x 625ms = 16 x 1.28s, which translates to -8x1.28 to +7x1.28, is allowed.) The master does not know when the slave enters the page scan mode, so the page train is repeated Npage times, unless a response is received earlier. Npage is determined such that slaves using any of the allowed scanning intervals are covered. If train A fails, train B is tried, again Npage times. If train A is successful, the paging procedure will be over in 1.28 seconds, else it will take 2.56 seconds.
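As an added illustration of the clock arithmetic from the Clock section and of the page-train selection just described (not code from the page), the following Python models the 28-bit native counter with per-piconet offsets and wrap-around, the time at which the stated ppm accuracies drift by one tick, and which page train a given clock-estimate error falls into. The unit class, the function names and the mapping of one page-hop frequency per 1.28 s of clock are assumptions made for the example.

```python
import math

TICK_US = 312.5                      # LSB period: half a 625 us slot
CLOCK_BITS = 28
CLOCK_MASK = (1 << CLOCK_BITS) - 1   # the counter wraps at 2**28 - 1
CLOCK_HZ = 1_000_000 / TICK_US       # 3200.0 ticks per second
PAGE_FREQ_PERIOD_S = 1.28            # assumption: one page-hop frequency per 1.28 s of slave clock


def clock_cycle_seconds():
    """Length of one full wrap of the native counter (about a day)."""
    return (1 << CLOCK_BITS) * TICK_US / 1_000_000


def offset_for(native, master_clk):
    """Offset a slave stores so that native + offset equals the master clock.

    Arithmetic is modulo 2**28, so a master clock that is numerically behind
    the native clock still gives a valid (large positive) offset.
    """
    return (master_clk - native) & CLOCK_MASK


def piconet_clock(native, offset):
    """Temporary Bluetooth clock for one piconet: native clock plus its offset."""
    return (native + offset) & CLOCK_MASK


def seconds_until_one_tick_drift(ppm):
    """Time after which a clock of the given accuracy has drifted by one tick
    (312.5 us), i.e. by the clock's own resolution: 15.625 s at 20 ppm, 1.25 s at 250 ppm."""
    return TICK_US / ppm


def page_train(estimate_error_s):
    """Which page train reaches the slave for a given error (seconds) in the master's
    estimate of the slave clock: train A covers -8 x 1.28 s to +7 x 1.28 s around
    the predicted frequency, train B the remaining 16 frequencies."""
    k = math.floor(estimate_error_s / PAGE_FREQ_PERIOD_S)
    return "A" if -8 <= k <= 7 else "B"


def paging_time_s(estimate_error_s):
    """Paging takes 1.28 s if train A succeeds, else 2.56 s (train B needed)."""
    return 1.28 if page_train(estimate_error_s) == "A" else 2.56


class BluetoothUnit:
    """A unit keeps one free-running native clock and an offset per piconet."""

    def __init__(self, native):
        self.native = native & CLOCK_MASK
        self.offsets = {}                # master address -> stored offset

    def tick(self, n=1):
        self.native = (self.native + n) & CLOCK_MASK

    def synchronize(self, master_addr, master_clk):
        # The native clock itself is never adjusted; only the offset is recorded,
        # so the unit can hold different offsets for different piconets.
        self.offsets[master_addr] = offset_for(self.native, master_clk)

    def clock_in(self, master_addr):
        return piconet_clock(self.native, self.offsets[master_addr])
```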
Page Scan
The page scan substate can be entered from the standby state or the connection state. In this state, the slave listens for page packets addressed to its DAC for an interval Tw-page-scan at a frequency it chooses out of the page scan sequence. This window is long enough to cover 16 frequency hops of a paging device. These listening periods are separated by a time interval Tpage-scan. This interval may be zero (continuous scan). Three different scan modes, that is, values of Tpage-scan, are fixed. Other values may be used by a slave after informing the master. Thus one of the standard values is used for the first link.
Page Response
On receiving the page message, the slave enters the slave page response substate. It sends back a page response consisting of its ID packet, which contains its DAC, at the frequency for the slot following the one in which the page message was received. The master, on receiving this packet, enters the master page response substate. At this point, it knows at which frequency the slave had been listening. The master sends its FHS packet to the slave, informing the slave of the master clock, still using the slave DAC, at the slave's listening frequency. The FHS packet also assigns a three-bit active member address to the slave. The slave acknowledges this packet by again sending its ID packet at its slave response frequency. The slave now uses the FHS packet received from the master to determine the channel access code for the newly formed piconet, or the piconet which this slave has newly entered. It also calculates the clock offset to be used while communicating over this piconet. The next packet from the master to the slave, which is the POLL packet addressed to the active member address of the slave, is at the master-clock-dependent frequency hop and uses the channel access code. The slave may respond to this packet with any packet, say a NULL packet (containing only the channel header), but it must respond. If the response procedure is successful, the paging is over and the slave is in the connected state. Otherwise, paging is considered to have failed and the error procedures are followed.
Figure 2: Initial message exchanges during startup.
After the page procedure, that is in the connected state, the devices are in a position to establish a link.
The Link Managers of the devices in the connection state now exchange vital information for starting up the link, which will be described below. They may later detach the link, in which case the address and clock information will stay valid after detachment, or the link may get snapped due to other reasons, in which case all information related to the link is reset.
The Bluetooth units can be in several modes of operation during the connection state: active mode, sniff mode, hold mode, and park mode. These modes are now described.
Active mode
In this mode, the Bluetooth unit actively participates on the channel. Master and slaves transmit in alternate slots. The master transmits in all even-numbered slots and the addressed slave transmits in the subsequent slot. Regular transmissions are made by the master to keep the slaves synchronized to the channel. Various optimizations are provided to save power. For instance, if the master informs the slave when it will be addressed, the slave may sleep until then. The active slaves are polled by the master for transmissions.
Sniff Mode
This is a low power mode in which the listening activity of the slave is reduced. The LMP in the master issues a command to the slave to enter the Sniff mode, giving it a sniff interval Tsniff, an offset Dsniff, and a number of attempts Nsniff. In the sniff mode, the slave listens for transmissions only at fixed intervals Tsniff, at the offset slot Dsniff, for Nsniff times.
Hold Mode
In this mode the ACL link to a slave is put on hold. This means that the slave temporarily does not support ACL packets on the channel any more (possible SCO links will still be supported). With the hold mode, capacity can be made free to do other things like scanning, paging, inquiring, or attending another piconet. The unit in hold mode can also enter a low-power sleep mode. During the hold mode, the slave unit keeps its active member address (AM_ADDR). The master and slave agree upon a duration for the hold interval, after which the slave comes out of hold mode.
Park Mode
This is a very low power mode. The slave has very little activity in this mode. It gives up its active member address and is given an eight-bit parked member address and an eight-bit access request address. The parked member address can be used by the master to unpark a slave, while the access request address is used by the slave to ask the master to unpark it. The slave, however, stays synchronized to the channel. Any message to be sent to a parked member is sent over the broadcast channel, that is, the active member address of all zeros. The parked slave has to be informed about this transmission in a beacon channel, which is supported by the master to keep parked slaves in synchronization and send them any other information. The parked slaves regularly listen for beacon signals at intervals decided by the beacon structure communicated to the slave at the start of parking. Apart from saving power, the park mode helps the master to have more than seven slaves (the limit set by the three-bit active member address space) in the piconet.
Link Establishment
Once the device is in the connection state, the LMP can start with the link establishment. The LMP uses its fixed LMP packets for this, which are sent by the baseband in its payload, in place of L2CAP packets and with higher priority. The LMP packet consists of an opcode, a transaction ID and some content (depending on the opcode). The LMP packets received by a device can be recognized from the L_CH field in the baseband packet header. These packets are then sent to the LMP rather than to L2CAP and higher layers. The basic steps in setting up the connection can be summarized as:
- The POLL packets and response are used to pass configuration information without host interaction.
- The packet LMP_host_connect_request is sent.
- The remote device responds with LMP_not_accepted if the application requested by the first device does not want to or cannot respond; otherwise it responds with LMP_accepted.
- The responding slave may ask for a role switch if required for some reason. The first device responds with the appropriate packet for accepting or not accepting the request.
The application may not know what services are available on the slave it paged, and will use the SDP to discover those.
SDP
The Bluetooth environment changes rapidly, and thus the available services have to be discovered with this in view. The SDP provides a means for the application to discover which services are available and the characteristics of these, as described in the core specifications. A Bluetooth device which is willing to allow its services to be discovered runs an SDP server. A device that wants to discover services on other devices runs an SDP client. One client may be run for each application, but one device runs only one SDP server. The SDP server maintains a service record for each service that the device is allowing to be discovered. A client sends a request to the server. The request may be a search for a particular class of services or a browsing attempt to see all the classes of services available. The server responds with the appropriate response. If the server device has only a few services, they may not be divided into classes and their service handles are sent to the slave. Otherwise class descriptors are sent, and the client may further search for details within a class. The SDP only allows services to be discovered. Access has to be through other protocols, based on L2CAP.
L2CAP link
The information obtained over the LMP link and through SDP will be used by L2CAP to establish a channel for the application. L2CAP establishes only ACL links; for SCO links the application uses the baseband directly. The L2CAP links are based on the concept of channels, which are identified by channel identifiers, analogous to sockets in TCP/IP. The channel, distinct from the piconet channel, is identified by the device address to which the link is made and a channel identifier allotted to the remote device for the particular connection for one instance of an application. Each channel is assumed to be full duplex, with a QoS specification in each direction. Further, the channel can be point-to-point or multipoint. L2CAP establishes links when a demand for a link is expressed by an application and a link to the required device has not already been set up. Requests from lower layers regarding connections demanded by applications on remote devices are also handled by L2CAP, in consultation with the application involved.
The link is datagram based, with no streaming. SCO links do not go through L2CAP but send their data directly to the baseband. L2CAP establishes a separate signalling channel for connection request, configuration, disconnection and echo (for testing). L2CAP packets have been designed with low overhead and do not provide a CRC or other error checks. L2CAP relies on the baseband for data security and ordered delivery.
The interaction of this protocol with upper and lower layers is viewed in terms of events and actions. Events are all messages received by L2CAP from lower or higher layers, while actions are the responses produced for them. The lower layer may be the LMP or the HCI, while the higher layer could be any application. A typical sequence of events and actions for establishing a connection could be as follows:
- Event and Action 0: The event is a connection request from a higher layer. The action is that the device L2CAP sends a connection request packet to remote L2CAP. This packet is carried by baseband to the remote device.
- Event and Action 1: The remote L2CAP receives this packet and responds with a connection response packet. Before doing so, that L2CAP would have contacted the referred application to check if the demanded request would actually be handled by that application.
- Event and Action 2: The reception of the response packet is an event for the local device L2CAP. The reciprocal action is to ask for configuration parameters like maximum payload unit and timeout limit. These may include QoS among other things.
- Event and Action 3: The configuration request is an event for the remote L2CAP. Its action is the configuration response. Also, it may send its own configuration request for additional parameters.
- Event and Action 4: The above packet is an event for the local device. It replies with the configuration response.
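The event/action sequence above, as an added Python model that is not code from the page: two simplified L2CAP endpoints exchange ConnectReq/ConnectRsp and ConfigReq/ConfigRsp through a pump that stands in for the baseband, the responder consults its application before answering, and both sides reach OPEN only after configuration has been accepted in each direction. The packet and state names, the 0x40 channel identifier and the PSM values used in the test are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    code: str            # ConnectReq, ConnectRsp, ConfigReq or ConfigRsp
    src_cid: int         # channel identifier (CID) of the sender
    psm: int = 0         # which application/protocol the connection is for
    result: str = "success"
    options: dict = field(default_factory=dict)   # e.g. maximum payload unit, timeout

class L2CAPEndpoint:
    def __init__(self, name, applications, options=None):
        self.name = name
        self.applications = applications   # psm -> callable() -> bool (the application)
        self.options = options or {}       # parameters this side will ask for
        self.state = "CLOSED"
        self.local_cid = 0x40              # assumed first dynamically allocated CID
        self.cfg_sent = self.cfg_acked = self.cfg_received = False
        self.outbox = []                   # signalling packets handed to the baseband

    def _send(self, code, **kw):
        self.outbox.append(Packet(code, self.local_cid, **kw))

    def connect(self, psm):
        """Event 0: a higher layer asks for a connection; action: ConnectReq."""
        self.state = "W4_CONNECT_RSP"
        self._send("ConnectReq", psm=psm)

    def handle(self, pkt):
        """Every received packet is an event; the branch taken is the action."""
        if pkt.code == "ConnectReq":
            # Event 1: consult the addressed application before answering.
            app = self.applications.get(pkt.psm)
            if app is None or not app():
                self._send("ConnectRsp", result="refused")
            else:
                self.state = "CONFIG"
                self._send("ConnectRsp")
        elif pkt.code == "ConnectRsp":
            # Event 2: our request was answered; action: ask for parameters.
            if pkt.result != "success":
                self.state = "CLOSED"
                return
            self.state, self.cfg_sent = "CONFIG", True
            self._send("ConfigReq", options=self.options)
        elif pkt.code == "ConfigReq":
            # Events 3 and 4: accept the peer's parameters; a side that has not
            # yet sent its own ConfigReq (the responder) sends it now.
            self.cfg_received = True
            self._send("ConfigRsp", options=pkt.options)
            if not self.cfg_sent:
                self.cfg_sent = True
                self._send("ConfigReq", options=self.options)
        elif pkt.code == "ConfigRsp":
            self.cfg_acked = True
        if self.cfg_acked and self.cfg_received:
            self.state = "OPEN"            # both directions configured

def run_exchange(initiator, responder, psm, log):
    """Pump signalling packets between the two endpoints until both are idle.
    `log` receives (sender name, packet code) pairs; returns the final states."""
    initiator.connect(psm)
    peer = {initiator.name: responder, responder.name: initiator}
    busy = True
    while busy:
        busy = False
        for side in (initiator, responder):
            while side.outbox:
                pkt = side.outbox.pop(0)
                log.append((side.name, pkt.code))
                peer[side.name].handle(pkt)
                busy = True
    return initiator.state, responder.state
```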
Figure 3. The basic message sequence in L2CAP channel establishment.
The OPEN states mark the interval when the applications communicate. The last steps in the above figure refer to connection disconnect.
Application data may now be transferred, or security procedures may be carried out, which are briefly described in the next subsection.
Security
The communicated data may have to be encrypted, or access to the device may have to be restricted by providing an authentication point. Both these functions are provided by the Bluetooth baseband. The application may itself encrypt its data for added security. These procedures use four values: the device address (which is public), a private authentication key (128 bits), a private encryption key (8-128 bits, configurable) and a random number. As the keys have to be secret, they cannot be obtained by inquiry. Elaborate procedures for the generation, management and exchange of keys are given in [,Part B,subsection 14]. The security procedures require a secret PIN to be known to the user (or stored by his application) for accessing a particular device. The main steps in the procedure are:
- An initialization key is generated using the PIN, the length of the PIN, a random number and the device address. The dependence on the device address makes it more difficult for a fraudulent device to try a large number of PINs, as each now has to be tried with different device addresses.
- An authentication procedure is carried out using a challenge response scheme. The verifier unit sends a random number generated by a specific process for the authentication. This random number is such that a claimant device which has the correct initialization key (or a link key if the devices had exchanged that during an earlier communication) and the required device address, will be able to produce a response number which is known to the verifier. This response number is sent back and checked by the verifier.
- The claimant may also carry out a verification on the verifier using a similar procedure as above.
- Each Bluetooth unit has a unit key, installed in its non volatile memory. The device now uses the initialization key to encrypt this unit key and sends it to the other device which decrypts it using the initialization key exchanged earlier.
- The second device may add its own unit key to the unit key of the first device and generate a combination link key if both devices are capable of handling this. Otherwise the unit key of one of the devices is treated as the link key. The link key is communicated to the first device. The initialization key is discarded.
- An encryption key is now generated from the link key, a random number and another number obtained from a fixed procedure. Both the devices can generate this encryption key as all the required information is known to both devices. This key is used to encrypt data payloads.
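As an added worked model of the six steps above (not code from the page, and not the specification's own algorithms), the following Python runs the pairing between two units and records every value that goes on the air, so that one can check that the PIN, the unit keys and the link key never appear in that transcript. The specification's fixed key-generation procedures are replaced by HMAC-SHA-256 and XOR stand-ins (an assumption; the resulting key values are illustrative, not spec-conformant), and the device addresses, PINs and the fixed "ciphering-offset" value are constructed for the example.

```python
import hashlib
import hmac
import os

def kdf(key, *parts):
    """Stand-in for the spec's fixed key-generation procedures (assumption: HMAC-SHA-256)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]

def mask(value, key):
    """Stand-in for 'encrypt with the initialization key': XOR with the key."""
    return bytes(a ^ b for a, b in zip(value, key))

def sres(key, au_rand, claimant_addr):
    """Challenge response: depends on the shared key and the claimant's address."""
    return kdf(key, au_rand, claimant_addr)

class Unit:
    def __init__(self, addr, pin):
        self.addr, self.pin = addr, pin           # PIN known to the user/application
        self.unit_key = os.urandom(16)            # installed in non-volatile memory
        self.k_init = self.link_key = self.enc_key = None

    def make_init_key(self, in_rand, addr):
        # Step 1: PIN, PIN length, random number and a device address -> K_init.
        # Only in_rand is transmitted; the PIN never leaves either unit.
        self.k_init = kdf(self.pin, bytes([len(self.pin)]), in_rand, addr)

def authenticate(verifier, claimant, wire):
    """Step 2 (and step 3 when called with the roles swapped): challenge-response."""
    au_rand = os.urandom(16)
    wire.append(au_rand)
    response = sres(claimant.k_init, au_rand, claimant.addr)
    wire.append(response)
    expected = sres(verifier.k_init, au_rand, claimant.addr)
    return hmac.compare_digest(response, expected)

def pair(a, b, wire):
    """Run the pairing between a (initiator) and b. Everything placed on the air
    is appended to `wire`. Returns True when both units end with the same keys."""
    in_rand = os.urandom(16)
    wire.append(in_rand)
    a.make_init_key(in_rand, b.addr)              # assumption: responder's address is used
    b.make_init_key(in_rand, b.addr)
    if not (authenticate(a, b, wire) and authenticate(b, a, wire)):
        return False                              # PINs differ: K_init differs, SRES mismatches
    # Step 4: a's unit key travels masked with K_init; b recovers it.
    wire.append(mask(a.unit_key, a.k_init))
    unit_key_a = mask(wire[-1], b.k_init)
    # Step 5: b combines both unit keys into the link key and returns it masked.
    b.link_key = kdf(unit_key_a, b.unit_key)
    wire.append(mask(b.link_key, b.k_init))
    a.link_key = mask(wire[-1], a.k_init)
    a.k_init = b.k_init = None                    # initialization key discarded
    # Step 6: encryption key from link key, a random number and a fixed value.
    en_rand = os.urandom(16)
    wire.append(en_rand)
    cof = b"ciphering-offset"                     # stand-in for the fixed-procedure number
    a.enc_key = kdf(a.link_key, en_rand, cof)
    b.enc_key = kdf(b.link_key, en_rand, cof)
    return a.enc_key == b.enc_key

def encrypt(enc_key, clock, payload):
    """Payload encryption with a keystream derived from the encryption key and
    the clock value (XOR, so the same call decrypts)."""
    stream = b"".join(kdf(enc_key, clock.to_bytes(4, "big"), bytes([i]))
                      for i in range(len(payload) // 16 + 1))
    return mask(payload, stream)
```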
Application link
The application data will now be transmitted over the link, as all the Bluetooth-specific link establishment procedures have been carried out. The application may need to run a higher level protocol over L2CAP. Three useful protocols have been defined by Bluetooth to help port applications over the Bluetooth stack. These are:
- RFCOMM: This is an emulation of the serial port over wireless links.
- SDP: This is the Service Discovery Protocol, which helps devices discover which services are available in the proximity.
- TCS: This is the Telephony Control Protocol Specification, which describes the call control and signaling of voice channels over Bluetooth.
The application will finally indicate that it no longer needs the link, if the link was not snapped during the application's running time. The LMP sends an LMP_detach packet to the remote device. There need not be any response to this. The link is then disconnected.