How LoRaWAN Works: Long-Range IoT Networking with Chirp Spread Spectrum

LoRaWAN (Long Range Wide Area Network) is a low-power, wide-area networking protocol designed for wirelessly connecting battery-operated devices to the internet over distances of up to 15 kilometers in rural environments and several kilometers in dense urban areas. Unlike WiFi, which trades range for throughput, LoRaWAN is built for IoT sensors that transmit small payloads -- a few bytes of temperature data, a GPS coordinate, a water level reading -- at data rates measured in kilobits per second. The protocol is defined by the LoRa Alliance and operates on top of the LoRa physical layer, a proprietary chirp spread spectrum modulation developed by Semtech.

LoRaWAN occupies a specific niche in the wireless landscape: applications where devices must run for years on a single battery, where the data payloads are small and infrequent, and where cellular connectivity is either too expensive or unavailable. Smart agriculture sensors, water meters, parking sensors, environmental monitors, and asset trackers are canonical LoRaWAN use cases. Understanding the protocol requires examining both the LoRa physical layer and the LoRaWAN MAC layer that sits on top of it.

LoRa Physical Layer: Chirp Spread Spectrum

The foundation of LoRaWAN's range advantage is the LoRa modulation at the physical layer. LoRa uses a technique called Chirp Spread Spectrum (CSS), where each symbol is encoded as a frequency chirp -- a signal that sweeps linearly across the entire bandwidth of the channel over a fixed time period. An "up-chirp" sweeps from the lowest frequency to the highest; a "down-chirp" sweeps in the opposite direction.

In LoRa, data is encoded by varying the starting frequency of each chirp. A symbol with value 0 starts at the base frequency, a symbol with value 1 starts one step higher, and so on. The number of possible starting frequencies -- and therefore the number of distinct symbols -- is determined by the Spreading Factor (SF). With SF7, each chirp encodes 7 bits (128 possible symbols). With SF12, each chirp encodes 12 bits (4096 possible symbols), but the chirp takes much longer to transmit, reducing the data rate dramatically while increasing range and noise immunity.

The key properties of CSS that make it suitable for long-range IoT communication:

• Noise immunity -- Because the energy of each symbol is spread across the entire channel bandwidth, the receiver can demodulate signals that are well below the noise floor. At SF12, LoRa achieves a sensitivity of approximately -137 dBm, meaning it can decode signals that are 20 dB below the noise floor.
• Multipath robustness -- Chirp signals are inherently resistant to multipath fading because the frequency is constantly changing. Reflections that arrive at slightly different times produce chirps with different frequency offsets, which the receiver can distinguish from the intended signal.
• Orthogonal spreading factors -- Transmissions using different spreading factors are orthogonal to each other. A gateway can simultaneously receive a SF7 packet and a SF12 packet on the same channel without interference. This is critical for network capacity.
• Doppler tolerance -- CSS is relatively immune to Doppler shift, making it suitable for tracking mobile assets (vehicles, livestock, shipping containers) at speeds relevant to IoT applications.

Spreading Factors and the Range-Rate Tradeoff

LoRa defines spreading factors from SF5 to SF12 (though SF5 and SF6 are only used in specific configurations). Each step up in SF doubles the airtime of a packet while increasing the link budget by approximately 2.5 dB. This creates a clear tradeoff:

SF   Chips/Symbol   Bit Rate (125kHz BW)   Sensitivity    Max Payload   Airtime (10 bytes)
SF7     128           5,470 bps             -123 dBm       242 bytes     ~36 ms
SF8     256           3,125 bps             -126 dBm       242 bytes     ~64 ms
SF9     512           1,760 bps             -129 dBm       115 bytes     ~113 ms
SF10   1024             977 bps             -132 dBm       51 bytes      ~206 ms
SF11   2048             537 bps             -134.5 dBm     51 bytes      ~372 ms
SF12   4096             293 bps             -137 dBm       51 bytes      ~682 ms

A device using SF12 can reach a gateway several times farther away than one using SF7, but its packet takes nearly 20 times longer to transmit. This has direct implications for battery life and duty cycle compliance: longer airtime means more energy consumed per transmission and more time occupying the channel. The LoRaWAN MAC layer uses Adaptive Data Rate (ADR) to automatically select the optimal SF for each device based on its observed signal quality.

Frequency Bands and Regional Parameters

LoRaWAN operates in unlicensed ISM bands, but the specific frequencies and regulatory constraints vary by region:

• EU868 (Europe) -- 868.0-868.6 MHz, with a strict 1% duty cycle per sub-band. Devices can only transmit for 1% of any given hour, which limits each device to about 36 seconds of airtime per hour. Additional sub-bands at 867 MHz and 869.525 MHz provide extra capacity.
• US915 (North America) -- 902-928 MHz, with 64 uplink channels (125 kHz BW) and 8 uplink channels (500 kHz BW). No duty cycle restriction, but FCC limits transmit power to 30 dBm (1 watt) with a frequency-hopping requirement.
• AU915 (Australia) -- 915-928 MHz, similar channel plan to US915.
• AS923 (Asia) -- 923 MHz, with regional variants (AS923-1 through AS923-4) for different countries.
• CN470 (China) -- 470-510 MHz, with 96 uplink channels.

The choice of sub-GHz frequencies is deliberate. Lower frequencies propagate farther, diffract around obstacles more effectively, and penetrate buildings better than the 2.4 GHz and 5 GHz bands used by WiFi. A LoRa signal at 868 MHz can travel 5-15 km in line-of-sight conditions and 2-5 km in urban environments with significant building penetration.

LoRaWAN Network Architecture

LoRaWAN uses a star-of-stars topology. End devices do not communicate with each other or form mesh networks. Instead, every uplink message is received by one or more gateways and forwarded to a central network server.

The four components of a LoRaWAN network:

• End Devices -- Sensors, meters, trackers, and actuators. Each device has a unique 64-bit DevEUI identifier and a set of cryptographic keys. End devices communicate exclusively over LoRa radio; they have no IP stack and no awareness of the IP network behind the gateways.
• Gateways -- Multi-channel, multi-spreading-factor receivers that listen on all LoRa channels simultaneously. A typical gateway has 8 receive channels and can demodulate packets on multiple SFs concurrently. Gateways are transparent bridges: they receive LoRa packets over the air and forward them as-is (with metadata like RSSI, SNR, and timestamp) to the network server over a standard IP connection (Ethernet, WiFi, or cellular backhaul). Gateways do not decrypt or inspect payload data.
• Network Server -- The central intelligence of the network. It performs deduplication (when multiple gateways receive the same uplink, only one copy is forwarded to the application), MAC command processing, adaptive data rate (ADR) management, downlink scheduling, and frame counter validation. The network server also handles the LoRaWAN MAC layer, including device address management and MAC command insertion.
• Join Server -- Manages Over-The-Air Activation (OTAA). When a device first joins the network, the join server authenticates it using root keys (AppKey, NwkKey) and derives the session keys used to encrypt and authenticate subsequent traffic. The join server can be operated independently from the network server, allowing device owners to maintain control of their root keys.

A critical design decision in LoRaWAN is that gateways are dumb forwarders. All intelligence resides in the network server. This simplifies gateway deployment enormously: you can place gateways on rooftops, lamp posts, or cell towers without worrying about configuring device associations, managing keys, or handling routing. Any device's uplink can be received by any gateway; the network server sorts out the rest.

Device Classes: A, B, and C

LoRaWAN defines three device classes that represent different tradeoffs between downlink latency and power consumption:

Class A (All devices)

Class A is the baseline and the most energy-efficient mode. A Class A device sleeps most of the time. When it has data to send, it wakes up, transmits an uplink, and then opens two short receive windows (RX1 and RX2) at precisely defined delays after the uplink transmission. RX1 opens 1 second after the uplink ends (configurable via the RX1Delay parameter); RX2 opens 1 second after RX1 closes (typically 2 seconds after uplink). Each window is open for just a few hundred milliseconds.

If the network server has a downlink message queued for the device, it must transmit it during one of these windows. If neither window is used, the device goes back to sleep. There is no way to reach a Class A device outside of these windows. The server must wait until the device sends its next uplink, which might be minutes, hours, or days later depending on the application.

Class A is ideal for sensors that report periodically (every 15 minutes, every hour) and rarely or never need to receive commands from the server.

Class B (Beacon)

Class B extends Class A by adding scheduled receive windows at regular intervals, synchronized by beacons broadcast by the gateway. The gateway transmits a beacon every 128 seconds, and Class B devices use this beacon to align their internal clocks and open "ping slots" at predetermined times. The network server knows when each device's ping slots are open and can schedule downlinks accordingly.

This provides a predictable downlink latency (configurable from about 1 second to 128 seconds) at the cost of additional power consumption. The device must wake up periodically to receive beacons and keep its ping slot windows open. Class B is useful for actuators that need to respond to server commands within a bounded time -- for example, a valve controller that must respond within 30 seconds of a command.

Class C (Continuous)

Class C devices keep their receive window open continuously whenever they are not transmitting. This provides the lowest possible downlink latency (the server can reach the device almost immediately) but at the highest power cost. Class C devices typically require mains power, since continuously listening to the radio channel drains batteries quickly.

Class C is used for devices like streetlight controllers, industrial actuators, or gateway-like concentrators that need to receive commands at any time and are connected to permanent power supplies.

Security: End-to-End Encryption

LoRaWAN provides two layers of encryption, ensuring that neither the gateway nor the network server can read application data in transit:

• Network Session Key (NwkSKey) -- Used to compute and verify the Message Integrity Code (MIC) on every frame. The MIC is a 4-byte CMAC (AES-128) appended to the frame, ensuring that the frame has not been tampered with and that it originated from a legitimate device. The network server uses this key for MAC-layer processing.
• Application Session Key (AppSKey) -- Used to encrypt and decrypt the application payload using AES-128 in CTR mode. Only the end device and the application server possess this key. The network server never sees the plaintext application data -- it processes MAC headers and commands using the NwkSKey but forwards the encrypted payload untouched to the appropriate application server.

This separation of keys is fundamental to the LoRaWAN security model. A network operator can run the network server and manage device connectivity without being able to read the data those devices are sending. This enables multi-tenant network deployments where multiple organizations share the same infrastructure.

OTAA vs ABP: Device Activation

LoRaWAN supports two methods for devices to establish session keys and join the network:

Over-The-Air Activation (OTAA)

OTAA is the recommended method for production deployments. The device is provisioned with three root identifiers:

• DevEUI -- A globally unique 64-bit device identifier (like a MAC address)
• JoinEUI (AppEUI) -- Identifies the join server that will authenticate this device
• AppKey (NwkKey in LoRaWAN 1.1) -- A 128-bit AES root key shared between the device and the join server

When the device powers on, it sends a Join Request containing its DevEUI, JoinEUI, and a random DevNonce. The join server verifies the request by computing a CMAC over the Join Request using the device's AppKey. If valid, the join server responds with a Join Accept message containing a network-assigned DevAddr (32-bit device address) and parameters like the RX delays and channel configuration. Both the device and the join server independently derive the NwkSKey and AppSKey from the AppKey and the nonces exchanged during the join procedure.

OTAA provides forward secrecy: each time a device re-joins (after a reset, a firmware update, or at regular intervals), new session keys are derived. If an attacker captures session keys from one session, they cannot decrypt traffic from previous or future sessions without the root AppKey.

Activation By Personalization (ABP)

ABP bypasses the join procedure entirely. The DevAddr, NwkSKey, and AppSKey are hardcoded into the device at manufacturing time. The device can start transmitting immediately without a join handshake.

ABP is simpler to implement but has significant drawbacks: there is no key rotation, no forward secrecy, and the device cannot roam to a different network server (since the session keys are permanently bound to a specific server). ABP also creates risks if frame counters are reset (e.g., after a battery replacement), as the network server may reject frames with lower-than-expected counters as replay attacks. For these reasons, OTAA is strongly preferred for any deployment where security matters.

Adaptive Data Rate (ADR)

ADR is a critical mechanism for optimizing network capacity and device battery life. Without ADR, every device would need to be manually configured with an appropriate spreading factor and transmit power -- an impractical task for deployments with thousands of devices at varying distances from gateways.

ADR works as follows: the network server monitors the signal quality (SNR) of each device's recent uplinks. If a device is consistently received with high SNR margin -- meaning it is transmitting with more power or a higher SF than necessary -- the network server sends a MAC command (LinkADRReq) instructing the device to reduce its SF, transmit power, or both. Conversely, if the device experiences packet loss (detected via frame counter gaps), it can autonomously increase its SF to improve range.

The ADR algorithm typically maintains a margin of about 10-15 dB above the demodulation threshold to account for fading. A device received at SF12 with an SNR of +10 dB might be instructed to switch to SF9 or SF10, dramatically reducing its airtime and battery consumption while freeing up network capacity for other devices.

ADR should only be enabled for stationary devices. Mobile devices (asset trackers, vehicles) experience rapidly changing link conditions, and ADR's averaging algorithm cannot adapt fast enough. Mobile devices should use a fixed, conservative SF (typically SF10 or SF11).

Duty Cycle and Fair Access

In many regions (particularly Europe under ETSI regulations), LoRaWAN devices must comply with strict duty cycle limits. The EU868 band imposes a 1% duty cycle on the default channels, meaning a device can only transmit for 1% of the time. For a packet that takes 1 second to transmit, the device must then wait 99 seconds before transmitting again on that channel.

This has profound implications for application design:

• A SF12 packet carrying 51 bytes on a 125 kHz channel takes approximately 2.4 seconds to transmit. With a 1% duty cycle, the device must wait 240 seconds (4 minutes) before sending another packet on that channel.
• Devices can spread their transmissions across multiple sub-bands, each with its own independent duty cycle counter.
• The 869.525 MHz band in Europe allows a 10% duty cycle, making it suitable for higher-throughput downlink traffic from the network server.
• In the US915 band, there is no duty cycle restriction, but FCC regulations impose dwell time limits (400 ms per channel for frequency-hopping systems) and maximum transmit power.

Network operators deploying large-scale LoRaWAN networks must carefully model their airtime budget. A gateway serving 10,000 devices, each sending one 20-byte uplink per hour at SF10, must handle approximately 2,000 seconds of airtime per hour distributed across its 8 channels. This is well within the capacity of a single gateway, but as device density or reporting frequency increases, additional gateways must be deployed to absorb the load.

LoRaWAN Frame Structure

A LoRaWAN uplink frame consists of the following fields:

+----------+------+----------+---------+-----------+-----+
| MHDR     | DevAddr | FCtrl | FCnt    | FPort     | FRMPayload | MIC  |
| (1 byte) | (4 B)   | (1 B) | (2 B)  | (0-1 B)   | (0-N B)    | (4 B)|
+----------+---------+-------+--------+-----------+------------+------+
                                                     ^
                                                     |
                                          Encrypted with AppSKey

• MHDR (MAC Header) -- Specifies the message type (join request, join accept, unconfirmed data up, confirmed data up, etc.) and the LoRaWAN major version.
• DevAddr -- The 32-bit device address assigned during activation. Unlike DevEUI, DevAddr is network-scoped and may be reused across different networks.
• FCtrl -- Control byte containing the ADR bit, ADR acknowledgment bit, frame pending bit (indicating the server has more data queued), and the FOptsLen field (length of MAC commands piggybacked in the frame header).
• FCnt -- Frame counter, incremented with each uplink. The network server tracks each device's expected frame counter and rejects frames with counters that are lower than expected (replay protection). In LoRaWAN 1.0, the counter is 16 bits in the frame but tracked as 32 bits by the server. In LoRaWAN 1.1, separate uplink and downlink counters are maintained.
• FPort -- Identifies the destination application. Port 0 is reserved for MAC commands; ports 1-223 are application-defined; port 224 is reserved for LoRaWAN certification testing.
• FRMPayload -- The application payload, encrypted with the AppSKey (for FPort > 0) or NwkSKey (for FPort 0).
• MIC -- 4-byte Message Integrity Code computed over the entire frame using the NwkSKey.

Roaming and Network Interoperability

LoRaWAN 1.1 and the LoRa Alliance's roaming specification define mechanisms for devices to roam between networks operated by different organizations. Two roaming modes are supported:

• Passive roaming -- A visiting network's gateway receives the device's uplink and forwards it (via the roaming hub or bilateral agreement) to the device's home network server for processing. The visiting network acts purely as a transparent relay.
• Handover roaming -- The device's session is fully transferred to the visiting network server, which takes over MAC-layer management, ADR, and downlink scheduling. The application traffic is still forwarded to the home application server.

Roaming is particularly important for asset tracking use cases where devices (shipping containers, pallets, vehicles) cross national boundaries and encounter different LoRaWAN operators in each country.

LoRaWAN vs Other LPWAN Technologies

LoRaWAN competes with several other low-power wide-area technologies, each with distinct characteristics:

• NB-IoT (Narrowband IoT) -- A 3GPP cellular technology deployed on licensed spectrum by mobile operators. NB-IoT offers better downlink support, higher data rates (~250 kbps), and carrier-grade QoS, but requires a SIM card and a cellular subscription. It is better suited for applications that need reliable two-way communication (smart meters with firmware updates) or that must operate in deep indoor environments (basement water meters).
• Sigfox -- An ultra-narrowband technology that uses 100 Hz channels to achieve extreme range and noise immunity. Sigfox limits uplink payloads to 12 bytes and allows only 140 messages per day, making it the most constrained (and most power-efficient) option. Unlike LoRaWAN, Sigfox operates on a proprietary network -- you cannot deploy your own Sigfox base stations.
• LTE-M (Cat-M1) -- Another 3GPP technology, positioned between NB-IoT and traditional LTE. LTE-M supports higher data rates (~1 Mbps), VoLTE for voice calls, and mobility handover. It is more expensive and power-hungry than LoRaWAN but suitable for applications that need guaranteed QoS or voice capability (e.g., personal emergency response devices).

LoRaWAN's primary advantage is that it operates on unlicensed spectrum, allowing anyone to deploy their own network without depending on a telecom carrier. This makes it attractive for agricultural deployments, smart building projects, industrial monitoring, and municipal infrastructure where the deployer wants to control the entire stack.

Practical Deployment Considerations

Deploying a LoRaWAN network involves several engineering decisions that directly affect coverage, capacity, and battery life:

• Gateway placement -- Elevation is the single most important factor for LoRa range. A gateway mounted at 30 meters (on a building rooftop or cell tower) can cover a radius of 5-10 km in suburban environments. A gateway at ground level may only achieve 1-2 km. Dense urban areas with tall buildings may require multiple gateways placed every 1-2 km.
• Channel plan -- In EU868, the three mandatory channels (868.1, 868.3, 868.5 MHz) are shared by all devices. Adding the five additional 867 MHz channels (configurable via MAC commands after join) increases capacity by distributing traffic across more channels.
• Payload optimization -- Every byte costs airtime and battery. Applications should use compact binary encodings (Cayenne LPP, custom packed structs) rather than text formats like JSON. A temperature reading needs 2 bytes, not 20.
• Confirmed vs unconfirmed messages -- Confirmed uplinks require a server acknowledgment in the next RX window, which consumes downlink airtime and forces the device to retransmit if no ACK is received. For most sensor applications, unconfirmed messages with application-level checksums are preferable.
• Frame counter management -- ABP devices that lose power and reset their frame counter will be rejected by the network server. Solutions include persisting the frame counter to non-volatile storage (EEPROM/flash) or using OTAA with rejoin.

LoRaWAN and IP Networks

LoRaWAN end devices do not have IP addresses. They are identified by DevEUI and DevAddr within the LoRaWAN network, and their traffic is encapsulated and forwarded over IP only between gateways and the network server. The gateway-to-network-server link typically uses UDP (the Semtech Packet Forwarder protocol) or, in newer implementations, the LoRa Basics Station protocol over WebSocket/TLS.

This means LoRaWAN devices do not participate in IP routing, BGP, DNS, or any of the protocols that form the internet's backbone. The network and application servers act as protocol translators, exposing device data to the IP world via MQTT, HTTP webhooks, gRPC, or other application-layer protocols. From the perspective of internet routing, a LoRaWAN deployment is invisible -- it exists entirely behind the network server's IP address.

However, the backhaul connectivity between gateways and the network server is critical. If a gateway's internet connection goes down -- whether due to a BGP routing issue, a DNS failure, or a physical link problem -- all devices communicating through that gateway lose connectivity. This is why production deployments often provision gateways with redundant backhaul (e.g., Ethernet primary, cellular backup) and deploy sufficient gateway density that every device is within range of at least two gateways.

Try It Yourself

LoRaWAN devices ultimately connect to backend services over the internet, and understanding the routing infrastructure that carries that traffic is essential for building reliable IoT systems. Use the god.ad BGP Looking Glass to explore the BGP routes and autonomous systems that connect LoRaWAN network servers, cloud platforms, and application backends to the global internet.