Friday, September 7, 2007

TR069: CPE WAN Management Protocol

/*
* A summary about TR069 during my projects
*/

TR069 is the CPE WAN Management Protocol defined by the DSL Forum.

Latest TR069 standard:
TR-069 Amendment2
http://www.dslforum.org/techwork/tr/TR-069Amendment2.pdf

Several technical reports related to TR069:
TR098 - Internet Gateway Device Data Model for TR-069 (used for QoS)
http://www.dslforum.org/techwork/tr/TR-098%20Amendment%201.pdf
TR104 - DSLHome™ Provisioning Parameters for VoIP CPE
http://www.dslforum.org/techwork/tr/TR-104.pdf
TR106 - Data Model Template for TR-069 Enabled Devices
http://www.dslforum.org/techwork/tr/TR-106%20Amendment%201.pdf
TR140 - TR-069 Data Model for Storage Service Enabled Devices
http://www.dslforum.org/techwork/tr/TR-140.pdf
TR111 - DSLHome™ Applying TR-069 to Remote Management of Home Networking Devices
http://www.dslforum.org/techwork/tr/TR-111.pdf

Other technical reports defined by the DSL Forum:
http://www.dslforum.org/trlist/trlist.php


+++ Introduction +++

A protocol for communication between a CPE and Auto-Configuration Server (ACS) that encompasses secure auto-configuration as well as other CPE management functions within a common framework.


Main functions of TR069:
  • Auto-configuration and dynamic service provisioning
  • Software/firmware image management
  • Status and performance monitoring
  • Diagnostics

The position of TR069 in the Auto-Configuration Architecture:
[figure not preserved]

The position of TR069 in the End-to-End Architecture:
[figure not preserved]

TR069 Family:
[figure not preserved]

Connectivity model of TR069:
• Allow both CPE and ACS initiated connection establishment, avoiding the need for a persistent connection to be maintained between each CPE and an ACS.
• The functional interactions between the ACS and CPE should be independent of which end initiated the establishment of the connection. In particular, even where ACS initiated connectivity is not supported, all ACS initiated transactions should be able to take place over a connection initiated by the CPE.
• Allow one or more ACS servers to serve a population of CPE, which may be associated with one or more service providers.
• Optimize the use of connections that are established to minimize connection overhead by allowing multiple bi-directional transactions to occur over a single connection.



+++ Architecture +++

Protocol Stack of TR069:
[figure not preserved]

Security Mechanisms:
The following security mechanisms are incorporated in this protocol:
• The protocol supports the use of SSL/TLS for communications transport between CPE and ACS. This provides transaction confidentiality, data integrity, and allows certificate-based authentication between the CPE and ACS.
• The HTTP layer provides an alternative means of CPE and ACS authentication based on shared secrets. Note that the protocol does not specify how the shared secrets are learned by the CPE and ACS.

CPE Initiated Sessions / Asynchronous ACS Initiated Sessions:
The basic mechanism defined in the CPE WAN Management Protocol to enable asynchronous ACS initiated communication assumes direct IP addressability of the CPE from the ACS. An alternative mechanism is defined in Annex G, which accommodates CPE operating behind a NAT gateway that are not directly addressable by the ACS.



+++ Procedures/Requirements +++

ACS Discovery:
1. The CPE MAY be configured locally with the URL of the ACS, for example via TR064.
2. As part of the IP layer auto-configuration, a DHCP server on the access network MAY be configured to include the ACS URL as a DHCP option.
3. The CPE MAY have a default ACS URL that it MAY use if no other URL is provided to it.
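As an added example (my own code, not part of the original post or of any DSL Forum document), here is how a CPE would pull the ACS URL out of the DHCP option in step 2. TR-069 puts it in DHCP option 43 (vendor-specific information) as encapsulated sub-option 1, with sub-option 2 carrying the ProvisioningCode; the post only says "a DHCP option", so treat those sub-option numbers as my assumption from the spec. The URLs and codes below are constructed sample values.

```python
# Added example, not from the original post: decode the ACS URL a DHCP server
# offers to a CPE. TR-069 carries it in DHCP option 43 (vendor-specific
# information) as encapsulated sub-option 1 (ACS URL) and sub-option 2
# (ProvisioningCode); those numbers are an assumption from my reading of the
# spec, the post itself only says "a DHCP option".
from typing import Dict, Optional
from urllib.parse import urlparse

ACS_URL_SUBOPT = 1
PROVISIONING_CODE_SUBOPT = 2


def parse_option43(payload: bytes) -> Dict[int, bytes]:
    """Split an option-43 payload into {sub-option code: value} (RFC 2132 TLV layout)."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0xFF:            # end marker
            break
        if code == 0x00:            # pad byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:    # length claims more bytes than are present
            raise ValueError("truncated sub-option value")
        out[code] = value
        i += 2 + length
    return out


def build_option43(acs_url: str, provisioning_code: Optional[str] = None) -> bytes:
    """Encode the sub-options the way a DHCP server would (used to construct test input)."""
    url = acs_url.encode("ascii")
    out = bytes([ACS_URL_SUBOPT, len(url)]) + url
    if provisioning_code is not None:
        code = provisioning_code.encode("ascii")
        out += bytes([PROVISIONING_CODE_SUBOPT, len(code)]) + code
    return out + b"\xff"


def acs_url_from_option43(payload: bytes, require_tls: bool = True) -> Optional[str]:
    """Return the ACS URL, or None if sub-option 1 is absent.

    Rejects anything that is not a plain http(s) URL with a host and, by
    default, rejects plaintext http: the post notes TR-069 supports TLS for
    the CPE<->ACS transport, and a CPE that accepts only https ACS URLs
    cannot be steered to an unauthenticated server by whoever answers its
    DHCP request.
    """
    raw = parse_option43(payload).get(ACS_URL_SUBOPT)
    if raw is None:
        return None
    url = raw.decode("ascii")           # non-ASCII bytes raise UnicodeDecodeError
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("malformed ACS URL: %r" % url)
    if require_tls and parsed.scheme != "https":
        raise ValueError("plaintext ACS URL rejected: %r" % url)
    return url
```

A CPE that also has a locally configured URL (step 1) should prefer that one; the DHCP value is only as trustworthy as the access network that delivered it, which is why the TLS check is on by default here.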

Connection Establishment:
1. The CPE MAY at any time initiate a connection to the ACS using the pre-determined ACS address. A CPE MUST establish a connection to the ACS and issue the Inform RPC method under some specific conditions (see TR069).
2. The ACS MAY at any time request that the CPE initiate a connection to the ACS using the Connection Request mechanism. Support for this mechanism is REQUIRED in a CPE, and is RECOMMENDED in an ACS.
(This mechanism relies on the ACS having had at least one prior communication with the CPE via a CPE-initiated interaction. During this interaction, if the ACS wishes to allow future ACS-initiated transactions, it would use the value of the "ManagementServer.ConnectionRequestURL" Parameter. If the URL used for management access changes, the CPE MUST notify the ACS by issuing an Inform message indicating the new management IP address, thus keeping the ACS up-to-date.)
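The shared-secret authentication mentioned under Security Mechanisms is what protects the Connection Request listener behind ConnectionRequestURL: the ACS must prove it knows the secret before the CPE reacts. The following is an added example of my own (not code from the post or from any TR-069 implementation) showing both sides of an HTTP Digest (RFC 2617) exchange: the ACS computes the Authorization header, the CPE issues the challenge, verifies it, and burns the nonce so a captured header cannot be replayed. Realm, path and credentials are constructed placeholders.

```python
# Added example, not from the original post: the shared-secret (HTTP Digest,
# RFC 2617) check a CPE applies to an ACS Connection Request before it reacts
# with an Inform. Both sides are shown; realm, URI and credentials are
# constructed placeholders.
import hashlib
import hmac
import os
import re
from typing import Dict

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_auth_header(header: str) -> Dict[str, str]:
    """Split 'Digest k="v", k2=v2' into a dict (scheme stored under 'scheme')."""
    scheme, _, rest = header.strip().partition(" ")
    fields = {"scheme": scheme}
    for m in _KV.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce) -> str:
    """RFC 2617 'response' value for qop=auth (MD5 is what the Digest scheme specifies)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def acs_authorization_header(challenge, username, password, method, uri,
                             cnonce, nc="00000001") -> str:
    """ACS side: answer the CPE's WWW-Authenticate challenge."""
    ch = parse_auth_header(challenge)
    resp = digest_response(username, password, ch["realm"], method, uri,
                           ch["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')


class ConnectionRequestAuth:
    """CPE side: challenge/verify for the HTTP listener behind ConnectionRequestURL."""
    REALM = "cwmp-cpe"          # constructed realm name

    def __init__(self, username: str, password: str):
        self._username = username
        self._password = password
        self._live_nonces = set()       # nonces issued and not yet consumed

    def challenge(self) -> str:
        """Value for the WWW-Authenticate header of the 401 reply."""
        nonce = os.urandom(16).hex()
        self._live_nonces.add(nonce)
        return f'Digest realm="{self.REALM}", qop="auth", nonce="{nonce}"'

    def verify(self, method: str, authorization: str) -> bool:
        f = parse_auth_header(authorization)
        needed = ("username", "realm", "nonce", "uri", "response", "nc", "cnonce", "qop")
        if f.get("scheme") != "Digest" or any(k not in f for k in needed):
            return False
        nonce = f["nonce"]
        if nonce not in self._live_nonces:
            return False                # never issued, expired, or already used
        self._live_nonces.discard(nonce)    # single use: a replayed header fails
        if (f["realm"], f["username"], f["qop"]) != (self.REALM, self._username, "auth"):
            return False
        expected = digest_response(self._username, self._password, self.REALM,
                                   method, f["uri"], nonce, f["nc"], f["cnonce"])
        return hmac.compare_digest(expected, f["response"])   # constant-time compare
```

Only when verify() returns True should the CPE schedule the Inform with the "6 CONNECTION REQUEST" event; anything else gets a 401 with a fresh challenge and no other side effect, so an unauthenticated request cannot make the CPE call home on demand. Issued nonces should additionally be aged out after a short window (not shown) so the set does not grow without bound.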


Use of HTTP:
SOAP messages are carried between a CPE and an ACS using HTTP 1.1, where the CPE acts as the HTTP client and the ACS acts as the HTTP server.
The CPE WAN Management Protocol also uses HTTP for Connection Requests, where the ACS acts as the HTTP client and the CPE acts as the HTTP server.

Use of SOAP:
The CPE WAN Management Protocol defines SOAP 1.1 as the encoding syntax to transport the RPC method calls and responses.
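To make the HTTP/SOAP layering concrete, here is an added example of my own (not code from the post, the DSL Forum or any ACS product) that builds the Inform RPC a CPE sends when it opens a session, the InformResponse the ACS returns, and a parser for the ACS side. The element names and the urn:dslforum-org:cwmp-1-0 namespace are the TR-069 ones; the device identity, time stamp and parameter value are constructed sample data, and the size limit is a constructed policy value.

```python
# Added example, not from the original post: build the Inform RPC a CPE sends
# at session start and parse it on the ACS side. Element names and the
# urn:dslforum-org:cwmp-1-0 namespace are the TR-069 ones; device values,
# time stamp, parameter value and the size limit are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {
    "soap-env": "http://schemas.xmlsoap.org/soap/envelope/",
    "cwmp": "urn:dslforum-org:cwmp-1-0",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

DEVICE_ID_FIELDS = ("Manufacturer", "OUI", "ProductClass", "SerialNumber")
MAX_MESSAGE_BYTES = 64 * 1024       # constructed limit; a real Inform is a few KB


def _q(prefix: str, name: str) -> str:
    return "{%s}%s" % (NS[prefix], name)


def _envelope(cwmp_id: str) -> Tuple[ET.Element, ET.Element]:
    """SOAP Envelope with the cwmp:ID header; returns (envelope, body)."""
    env = ET.Element(_q("soap-env", "Envelope"))
    header = ET.SubElement(env, _q("soap-env", "Header"))
    id_el = ET.SubElement(header, _q("cwmp", "ID"))
    id_el.set(_q("soap-env", "mustUnderstand"), "1")
    id_el.text = cwmp_id
    return env, ET.SubElement(env, _q("soap-env", "Body"))


def build_inform(device_id: Dict[str, str], events: List[Tuple[str, str]],
                 params: Dict[str, str], cwmp_id: str, current_time: str) -> bytes:
    """CPE side: Inform carrying DeviceId, the Event list and the ParameterList."""
    env, body = _envelope(cwmp_id)
    inform = ET.SubElement(body, _q("cwmp", "Inform"))
    dev = ET.SubElement(inform, "DeviceId")
    for field in DEVICE_ID_FIELDS:
        ET.SubElement(dev, field).text = device_id[field]
    ev = ET.SubElement(inform, "Event")
    for code, command_key in events:
        es = ET.SubElement(ev, "EventStruct")
        ET.SubElement(es, "EventCode").text = code
        ET.SubElement(es, "CommandKey").text = command_key
    ET.SubElement(inform, "MaxEnvelopes").text = "1"
    ET.SubElement(inform, "CurrentTime").text = current_time
    ET.SubElement(inform, "RetryCount").text = "0"
    plist = ET.SubElement(inform, "ParameterList")
    for name, value in params.items():
        pvs = ET.SubElement(plist, "ParameterValueStruct")
        ET.SubElement(pvs, "Name").text = name
        ET.SubElement(pvs, "Value").text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def build_inform_response(cwmp_id: str) -> bytes:
    """ACS side: InformResponse echoing the CPE's cwmp:ID so it can match the reply."""
    env, body = _envelope(cwmp_id)
    resp = ET.SubElement(body, _q("cwmp", "InformResponse"))
    ET.SubElement(resp, "MaxEnvelopes").text = "1"
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_inform(raw: bytes) -> Dict[str, object]:
    """ACS side: extract id, device identity, events and parameters from an Inform."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValueError("Inform exceeds size limit")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        # CWMP messages never carry a DTD; refusing one up front keeps entity
        # expansion out of the XML parser entirely
        raise ValueError("DTD not permitted in CWMP message")
    root = ET.fromstring(raw)
    inform = root.find("soap-env:Body/cwmp:Inform", NS)
    if inform is None:
        raise ValueError("Body does not contain cwmp:Inform")
    return {
        "id": root.findtext("soap-env:Header/cwmp:ID", default="", namespaces=NS),
        "device": {f: inform.findtext("DeviceId/" + f, default="") for f in DEVICE_ID_FIELDS},
        "events": [e.findtext("EventCode", default="") for e in inform.findall("Event/EventStruct")],
        "params": {p.findtext("Name", default=""): p.findtext("Value", default="")
                   for p in inform.findall("ParameterList/ParameterValueStruct")},
    }
```

The parser deliberately reads only the fields it needs and ignores the rest; the DeviceId values it returns identify the CPE but do not authenticate it, so an ACS still relies on the TLS or HTTP-level authentication described above before acting on them.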

Transaction Session Procedures:
[figure not preserved]

+++ Signed Vouchers +++

An optional mechanism for securely enabling or disabling optional CPE capabilities. Unlike Parameters, the Voucher mechanism provides an additional layer of security for optional capabilities that require secure tracking (such as those involving payment).

A Voucher is a digitally signed data structure that instructs a CPE to enable or disable a set of Options. An Option is any optional capability of a CPE. When an Option is enabled, the Voucher can specify various characteristics that determine under what conditions that Option persists.



+++ Web Identity Management +++

To support web-based applications or other CPE-related web pages on a back-end web site for access from a browser within the CPE’s local network, the CPE WAN Management Protocol provides an optional mechanism that allows such web sites to customize their content with explicit knowledge of the customer associated with that CPE. That is, the location of users browsing from inside the CPE’s LAN can be automatically identified without any manual login process.

The protocol defines a set of optional interfaces that allow the web site to initiate communication between the CPE and ACS, which allows a web site in communication with that ACS to identify which CPE the user is operating behind. This allows the web site to customize its content to be specific to the associated broadband account, the particular type of CPE, or any other characteristic that is known to the ACS.


Note—this identification mechanism does not distinguish among different users on the same network behind a single CPE. In situations where identification of a specific user is required, a separate identity management mechanism, such as manual login, would be needed.
The CPE WAN Management Protocol defines an optional Kicked RPC method in Annex A, which can be used to support web identity management functionality.




+++ Signed Package Format +++

A signed package format that MAY be used to securely download files into a recipient device. The format allows one or more files to be encapsulated within a single signed package. The package format allows the recipient to authenticate the source, and contains instructions for the recipient to extract and install the contents.





+++ Device-Gateway Association +++

The CPE WAN Management Protocol can be used to remotely manage CPE Devices that are connected via a LAN through a Gateway. When an ACS manages both a Device and the Gateway through which the Device is connected, it can be useful for the ACS to be able to determine the identity of that particular Gateway.

The procedures defined in this Annex allow an ACS to determine the identity of the Gateway through which a given Device is connected.

The specific scenario that the defined mechanism is intended to accommodate is where both the Gateway and Device are managed via the CPE WAN Management Protocol, and both are managed by the same ACS (or by distinct ACSs that are appropriately coupled).

The defined mechanism relies on the Device’s use of DHCP.








+++ Connection Request via NAT Gateway +++

RFC3489 - STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)
http://www.ietf.org/rfc/rfc3489.txt?number=3489

To accommodate the ability for an ACS to issue the equivalent of a Connection Request to CPE allocated a private address through a NAT Gateway that might not be CPE WAN Management Protocol capable, the following is required:
  • The CPE MUST be able to discover that its connection to the ACS is via a NAT Gateway that has allocated a private IP address to the CPE.
  • The CPE MUST be able to maintain an open NAT binding through which the ACS can send unsolicited packets.
  • The CPE MUST be able to determine the public IP address and port associated with the open NAT binding, and communicate this information to the ACS.
The use of STUN for this purpose requires that a new UDP-based Connection Request mechanism be defined to augment the existing TCP-based Connection Request mechanism.
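The first and third requirements are satisfied by one STUN Binding exchange. As an added example of my own (not code from the post or from RFC 3489), here is the RFC 3489 Binding Request the CPE sends and a parser for the Binding Response that recovers the public address/port of the NAT binding, checking the transaction id so a stray datagram is never taken for the server's answer. RFC 3489 was later obsoleted by RFC 5389, but the layout below is the 3489 one the post refers to; the addresses are constructed test-range values.

```python
# Added example, not from the original post: the RFC 3489 Binding exchange a
# CPE uses to learn the public address/port of its NAT binding, with the
# response parsed defensively. Addresses are constructed (RFC 5737 test ranges).
import os
import socket
import struct
from ipaddress import ip_address
from typing import Optional, Tuple

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
BINDING_ERROR_RESPONSE = 0x0111
MAPPED_ADDRESS = 0x0001
HEADER = struct.Struct("!HH16s")      # message type, attribute length, 128-bit transaction id
ATTR_HDR = struct.Struct("!HH")       # attribute type, attribute length


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """CPE side: an empty Binding Request with a random transaction id."""
    txid = txid if txid is not None else os.urandom(16)
    return HEADER.pack(BINDING_REQUEST, 0, txid)


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """What a STUN server returns; used here to construct test input."""
    # MAPPED-ADDRESS value: 1 pad byte, family 0x01 (IPv4), port, address
    value = struct.pack("!BBH4s", 0, 0x01, port, socket.inet_aton(ip))
    attr = ATTR_HDR.pack(MAPPED_ADDRESS, len(value)) + value
    return HEADER.pack(BINDING_RESPONSE, len(attr), txid) + attr


def parse_mapped_address(datagram: bytes, expected_txid: bytes) -> Tuple[str, int]:
    """CPE side: (public_ip, public_port) from a Binding Response, else ValueError."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than STUN header")
    mtype, length, txid = HEADER.unpack_from(datagram)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not a reply to our request")
    if mtype == BINDING_ERROR_RESPONSE:
        raise ValueError("server returned Binding Error Response")
    if mtype != BINDING_RESPONSE:
        raise ValueError("unexpected message type 0x%04x" % mtype)
    body = datagram[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field disagrees with datagram size")
    off = 0
    while off + ATTR_HDR.size <= len(body):
        atype, alen = ATTR_HDR.unpack_from(body, off)
        value = body[off + ATTR_HDR.size:off + ATTR_HDR.size + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute 0x%04x" % atype)
        if atype == MAPPED_ADDRESS:
            if alen != 8 or value[1] != 0x01:
                raise ValueError("MAPPED-ADDRESS is not an IPv4 address")
            port = struct.unpack_from("!H", value, 2)[0]
            return socket.inet_ntoa(value[4:8]), port
        off += ATTR_HDR.size + alen     # skip attributes this CPE does not use
    raise ValueError("no MAPPED-ADDRESS attribute present")


def behind_nat(local_ip: str, mapped_ip: str) -> bool:
    """Requirement 1: the CPE is behind a NAT if the server saw a different address."""
    return ip_address(local_ip) != ip_address(mapped_ip)
```

The address/port pair returned by parse_mapped_address() is what the CPE reports to the ACS (requirement 3); keeping the binding alive (requirement 2) means re-sending a datagram through the same local socket before the NAT's idle timer expires, which is the part a real implementation adds around this exchange.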












//

4 comments:

teste said...

Hello,
I'm Portuguese and I am working in a thesis in voip@provision for a LAN.
Can you tell me if the TR-069 works for LAN, or is just for WANs?
If not, do you know some standard or solution for provisioning voip phones over LANs?

thanks,
Paulo Gomes
--
http://adventux.blogspot.com
(my blog about Adventures on Linux)

