KNX IP Secure - preparation
These are the recommended IP-related measures to be taken before setting up KNX IP Secure:
- Filter frames based on MAC addresses
- Do not use the default KNXnet/IP multicast address (126.96.36.199)
- Never expose IP ports used for KNX
- Set the default gateway of KNXnet/IP routers to 0
- Use firewalls
- For internet access: use VPN
- Closely check wireless access points
Setting up KNX IP Secure itself then consists of three steps:
- Add the certificate
- Set the secure mode
- Configure accordingly
1 Add the certificate
A certificate is made available as a QR-code and as a 25-character human-readable code. The 25-character code can be entered manually if the ETS computer has no onboard camera with which to scan the QR-code.
For further details about the workflow see here.
2 Set the secure mode
In order to activate the secure mode of a device, its so-called 'Secure Commissioning' attribute in ETS needs to be set. At this point it is very important to know whether the device's secure mode was already activated (e.g. it was used in another project before) or not (i.e. it is still in the box).
- If its secure mode is not active, its Tool Key is still the FDSK (Factory Default Setup Key), i.e. enter or scan its certificate
- If its secure mode is active, either make sure to use the ETS project via which the device was commissioned before, or perform a master reset, which sets its Tool Key back to the FDSK
3 Configure accordingly
- Set the Individual Address
- Set the parameters
- Link the Group Addresses
The interface and the couplers of the installation especially need to be taken into account: both for configuration and for runtime it shall be ensured that the interface and all couplers between this interface and the target device support extended frames. This is because an encrypted telegram is longer than its plain counterpart; in nearly all cases this means that the encrypted telegram does not fit within a standard frame.