When OTAA is used, the DevEUI, AppEUI and AppKey are needed to register the device on the network. The NwkSKey and AppSKey are derived when joining the network. The advice for the frequency of periodically rejoining depends on the number of messages sent by the end device and the level of security required.
A device should re-join:
Every time it has lost the session context information.
Every x days
Every y messages
The x and y values may differ depending on the level of security required; appropriate values could be once a month or maybe once every 2-3 months. The security risk depends on the application: metering applications sending a low amount of values typically do not need very frequent re-keying, while critical applications (e.g. alarms) would require more frequent re-keying. Currently KPN has no precise defined time or number of messages when a rejoin will be forced. Customers should make sure their device and application can still work and build a connection when a rejoin is required.
During the OTAA join, the network:
Generates a NwkSKey and AppSKey and stores them as long as there is no new join procedure initiated.
Forms a Join response payload that will allow the end device to compute a NwkSKey and AppSKey.
As part of the Join procedure, the network also allocates a DevAddr to the end device.