Validate dev-nonce error

Why confirm that dev nonce can only be used once, and that such a device can’t be accessed more than 65535 times.
source code

Please see the LoRaWAN specification. A dev-none must not be re-used as a re-used value will compromise the security of your network (e.g. it allows for replay-attacks).

@brocaar I’ve faced the same problem and read LoRaWAN spesification then. dev-nonce is persistent data and stored in postgresql. It’s enforced to prevent replay attacks. Our problem is that:

  • End node sends join request and it’s relayed to network server successfully.
  • Network server sends join accept then.
  • Our device is in faulty situation( cannot activate), sends join -request again.
  • This cycle repeats itself.

The main problem is our device. We fixed it and sent it to the field but dev-nonce values are still there. Postgresql has stored nearly 20000 dev-nonce values (per faulty device) and failure rate for activation will be around 30%. Some values are from 4 months ago.

My suggestion is that dev-nonce values older than a certain age (1 month) can be deleted automatically. This will make the stack more self-sufficient and not compromise security also.

1 Like

@brocaar I think a per device or device-profile configuration should be possible.
A button to Clear All Dev-Nonces with a warning in the UI could be a compromise. It’s accepting the reality of the devices on the market. We already do it manually with SQL queries. It should be fixed in the newer specs, but giving us the operators an easy way to deal with reality goes a 1000 miles.

:slight_smile:

1 Like

Connect to the Network-Server postgresql database

DELETE FROM device_activation where E'\\x<REPLACE_ME_DEV_EUI>'=dev_eui;

this should delete all accepted/generated JOINs (also the current one) for the device

USE THIS AS A LAST RESORT AND AT YOUR OWN RISK

2 Likes

@chopmann, I agree that adding this as an option would be a good idea. Please feel free to create a GitHub issue for this. Currently I’m working on some refactoring and cleanup of the code (not yet public) which is the reason why I’m pushing back on adding new features at this moment. With a GitHub issue it stays on the list :slight_smile:

2 Likes

@brocaar @chopmann

I have added this feature for testing purpose with the help of OFFSET in Network Server and created REST API in the Application server

DELETE FROM device_activation WHERE id IN (SELECT id from device_activation WHERE dev_eui = <DEV_EUI> ORDER BY id DESC OFFSET 20)

if you would like to contribute to this feature then I can submit PR for this feature…

Thanks

1 Like

@sagarpatel :+1: I could add the UI Part

1 Like

@chopmann Thanks for your opinion. I also added UI I’ll share screenshot here for your review

@chopmann @brocaar

Please check the below screenshot of UI par of clear dev-nonce. Can you please review I’m waiting for your suggestion…

This confirmation again alerts you when you click on the YES button for double confirmation…

2 Likes

It looks superb! :+1: :partying_face:

If you upload the code, I can do spell checking.
Maybe using the same Icons as “Delete” (for example when you delete an application) and the color would make it consistent with the rest. I’d put the button on the Activation Tab, that way you can reuse the Trash-bin icon.

The delete button uses an “alert”, I like the way you did it, is just different then the rest.

1 Like

Hi @chopmann

Thanks for your reply. I will make PR with your changes and let you know here…

@chopmann @brocaar
I will put the clear dev-nonce button on Activation Tab but it will show if the device is activated or not…

I have make PR for chirpstack-api for Network Server and Application Server changes I will make PR for other changes once API is approved and merged.

https://github.com/brocaar/chirpstack-api/pull/49

Hello,
I have same problem with Axioma E3, thia are restarting after about 32 Uplink messages or about 7 days,
after restart Device try to Join with same dev_nonce.
Can you please give instructions to install in ChirpStack the action button to clear old dev_nonce ?,
I have tested to select rows from PostgreSQL regarding specific devEUI and sort by date created,
I think all record can be deleted and left only last one which is activ.

SELECT * FROM device_activation WHERE id IN (SELECT id from device_activation WHERE dev_eui = ‘devEUI that you want’ ORDER BY id DESC) ORDER BY created_at DESC;

This give output sorted by time created.

Will be very nice to have this code run automatically just using chek button.

Thanks for UI help.

Finally last SQL command
DELETE FROM device_activation WHERE id IN (SELECT id from device_activation WHERE dev_eui = ‘devEUI that you want’ ORDER BY id DESC OFFSET 2);

This will leave 2 last records, since the rejoin start from zero to 41, this will delete older record of dev_nonce.

How can I insert button with this command in UI ?
Thanks

Is not yet released. Please be patient. @brocaar is working on a refactor, that is probably :wink: going to make contributing easier.

1 Like

Is it possible to run this delete via an pgAdmin console? I’m struggling with the bytea types.

I have around 5 inaccesible nodes with this issue and being able to run your update would be a life saver.

Thanks

Hello guys,

I’m facing the same problem “Validate dev-nonce error”.
I already cleared the device from device_activation table on database. But still join request after join request. Can you help please?

The best way is to do this using the web-interface. Have you tried that?

Hello brocaar, thanks for your help
No ideia how to do it using web-interface.
Can you give some tips please?