Training

What's new in the TR-181 Device 2.13 data model for TR-069 and USP

5 min read

More about USP and Device:2 in the industry With the release of Device:2.13 and USP 1.1, QA Cafe gave a webinar alongside industry experts from Axiros, Domos, Arris/CommScope, Incognito, and Greenwave Systems covering these updates and more. Request the video More about USP and Device:2 in the industry With the release of Device:2.13 and USP 1.1, QA Cafe gave a webinar alongside industry experts from Axiros, Domos, Arris/CommScope, Incognito, and Greenwave Systems covering these updates and more. Keep reading

Training

Using allow_partial and required_parameter flags

3 min read

Flexible create, update, and delete with allow_partial There are three USP messages that are used to change the state of an Agent’s service elements: Add, Set, and Delete. Since these messages can be used for a number of different use cases, they contain mechanisms to ensure that the Controller is able to configure service elements through the Agent in a way that guarantees the state it is trying to achieve. Keep reading

Training

The USP Add Message

3 min read

The Add Message in USP is used to create new instances of multi-instance objects in the Agent’s instantiated data model. This is used for a wide variety of service configurations such as creating new Wi-Fi networks. In USP, perhaps the most critical use of the Add message is with the Device.LocalAgent.Subscription. table, which lets a controller manage the notifications it wishes to receive from the Agent. The Add Request The protocol buffers definition of the Add Request, described in the usp-msg. Keep reading

Training

USP Records and USP Messages

4 min read

Communications between a USP Controller and USP Agent are delivered using two separate constructs: the USP Message, and its container, the USP Record. Both the USP Record and the USP Message are encoded in transit using “protocol buffers”. Protocol buffers is a standard developed by Google to allow protocol endpoints to easily understand the fields and values of messages transported between them using a clearly defined schema. Keep reading

Training

Using path names to address service elements

5 min read

Service Elements that are defined in the USP Data Model are addressed in USP Messages with a particular syntax called Path Names. Path Names are called such because they describe the “path” within the data model’s tree of objects used to reference a particular object or elements of that object to operate upon. Addressing Objects Object Paths directly address objects in the Agent’s Instantiated or Supported Data model. Keep reading

Training

Features of the Device 2.12 data model for TR-069 and USP

6 min read

In alignment with the release of TR-069 Amendment 6 and the User Services Platform/TR-369, the Broadband Forum updated its comprehensive data model that describes CWMP endpoints or USP agents. There’s a number of new features, some of which are tied to updates to CWMP, as well as new interfaces and applications that are managed by CWMP or USP. Here’s a short overview of the changes in Device:2.12. How do data models work? Keep reading

Training

USP Data Models

3 min read

The functions of service elements are described in a set of xml documents known as the USP data model. A data model describes how things like network interfaces, device functions, IoT objects, and more are exposed to controllers. You can find the USP data models at: https://usp-data-models.broadband-forum.org The current root USP data model is known as “Device:2”, otherwise known as TR-181. The earliest version of Device:2 that supports USP is Device:2. Keep reading

Training

USP Architecture and Use Cases

4 min read

The User Services Platform is a system for managing, monitoring, deploying, troubleshooting, and controlling any kind of network connected electronics or virtual services. Developed by the Broadband Forum in TR-369, it’s intended for application developers, consumer electronics and networking manufacturers, and service providers to deploy on end-user devices including: Broadband gateways, virtual gateways, and uCPE Wi-Fi APs and other consumer networking gear Set-top-boxes, voice endpoints, and other communication applications Smart devices and smart hubs that enable the Internet of Things Using USP, connected devices can be deployed and onboarded without the need for on-site support. Keep reading

Training

USP Architecture and Use Cases

2 min read

There are two kinds of endpoints in USP: Agents, and Controllers. A USP Agent is an Endpoint that exposes functions represented by a set of service elements. It is mostly designed to receive and respond to messages from a USP Controller, or send Notifications about activity that the Controller has subscribed to. A USP Controller allows users and applications to manipulate the functions exposed by an Agent. Keep reading

Training

Managed IoT, security, and the User Services Platform

2 min read

The team here at QA Cafe is deeply involved in networking standards, especially the Broadband Forum and the TR-069 protocol. The Broadband Forum is expanding the reach of TR-069 with its User Services Platform, representing an evolution of TR-069 to managed a more varied and greater number of connected devices. As consumer electronics vendors enter the world of network connected devices, and networking vendors begin to enter the world of smart devices, there’s a lot of new challenges that management systems can solve. Keep reading

Training

Are your devices user interfaces vulnerable to common attack vectors?

7 min read

Security in home networking devices, particular home Wi-Fi routers, has come to the forefront in the last few years. While many of the discovered vulnerabilities are zero-day (meaning they are new vulnerabilities that can be exploited before they are known), some of the more recent attacks including VPNFilter, are exploiting common weaknesses in consumer router design that have been well known for some time. Security requirements vs. best practices Keep reading

Training

What is IR-181 and how does it apply to TR-069 testing?

4 min read

Critical to testing TR-069 implementations is the ability to demonstrate that the underlying code that configures settings on the device interacts correctly with the commands sent via CWMP. We discussed this in another training article on setting up Wi-Fi using TR-069, but there are many more valuable tests of this kind to consider. Consequently, TR-069 testing should include some manner of “real-world” testing that can be used to demonstrate the interoperability of the deployment of an ACS and TR-069 enabled CPE. Keep reading

Training

Cloudflare's 1.1.1.1 DNS service and the effect on broadband gateways

4 min read

In the world of the Internet, it’s vitally important that technologies keep evolving. Change is a rule of all technology, even if it comes slowly to fundamental systems like DNS (Domain Name Service). The company Cloudflare is an infrastructure provider for web applications and networks that has solutions for performance, security, and reliability - including DNS. In April of 2018, Cloudflare launched a new publicly facing DNS resolver at 1. Keep reading

Training

Using TR-143 performance diagnostics

5 min read

There’s many use cases for TR-069 from a service provider’s perspective. Beyond onboarding, firmware upgrades, and service configuration, however, is the ability to monitor various statistics on devices and network interfaces to help troubleshoot an end-user’s service. Nearly all of the interfaces in the TR-069 Data Models have statistics on the amount of data sent and received through them, which can be used for this kind of troubleshooting. This is particularly true for the data models that cover Set Top Boxes, which is comprised mostly of this kind of status information. Keep reading

Training

Does your device correctly configure Wi-Fi using TR-069?

4 min read

Testing a TR-069 Wi-Fi setup One of the most important use cases of TR-069 (and its evolution protocol, USP) is in the autoconfiguration, management, and troubleshooting of Wi-Fi networks. Often the source of the most customer service problems, being able to set up an end user’s Wi-Fi and make sure it’s working is critical for a satisfactory “carrier grade” home network. TR-069 testing often revolves around ensuring the conformance of a device’s CWMP stack to the protocol specification, including the tests that provide certification metrics as part of the Broadband Forum’s official TR-069 certification program. Keep reading

Training

How do you test TR-069 enabled devices?

3 min read

If you’re developing a device or deployment that uses the CPE WAN Management Protocol (TR-069), like managed Wifi or other services, what should you test for? What are the benefits of automating it with a dedicated test platform? What are the benefits of getting certified or asking your vendors to certify? Basic components of TR-069 If you’ve been through our TR-069 training series, you’ve seen an in-depth look at all of the pieces that make CWMP work. Keep reading

Testing tips

Testing ARP issues in CDRouter

11 min read

Earlier we posted about new issues we’ve discovered with ARP implementations in the areas of security and robustness. In CDRouter 10.5 we added new tests to handle these discoveries. Here’s how they work: Testing These Issues with CDRouter Basic Tests The first three tests in the new ARP module, arp_1, arp_2, and arp_3, are basic tests that are designed to verify that the Device Under Test (DUT) responds to different types of ARP requests from clients on the LAN. Keep reading

Training

Revisiting ARP for security and robustness

3 min read

by Joe McEachern & Matt Langlois What is old is new again In today’s security-focused world, every protocol is a potential attack point, even a protocol as old and localized as ARP. ARP was originally defined in 1982 as RFC 826. Despite its age, Linux kernel code for ARP is still being actively developed. There have been more than 10 commits (11 as of October 2017) made to the net/ipv4/arp. Keep reading

Training

What should you look for when testing broadband CPE or Wifi performance?

4 min read

If you are developing or deploying broadband CPE, routers, or Wifi devices, what are the things you should look for when testing performance? Hint - it’s more than just throughput, and having a fully automated system to exercise the entire system is key to ensuring true performance. What is performance testing? What do we mean when we talk about performance testing on a broadband gateway or access point? Keep reading

Training

Automated home gateway security testing

1 min read

Test your devices before attackers do. It’s no question now - malicious attackers are targeting the home network, and the gateway in particular. Testing for security vulnerabilities can be tedious and ineffective if you don’t have a controlled, repeatable, and fully automated test environment. Join the CDRouter team as we show you: How to test the functional performance of your security tools like parental controls, firewalls, and the security of your user interfaces. Keep reading

Training

Verifying TR-069 real-world scenarios with a native ACS

3 min read

When it comes to testing TR-069, there are three main stages: Testing that your device handles CWMP and the underlying protocols Testing that your data model objects and parameters are valid Testing that your CPE will behave as expected in production CDRouter’s automation platform can make it very easy to do all of these, and do them repeatedly from firmware to firmware. However, this third point involves two things: verifying that your device makes the internal changes that were configured via CWMP, and testing in your actual production network. Keep reading

Training

DOCSIS Cable Gateway Testing in a Shared Lab Enviroment

8 min read

With the DOCSIS add-on, CDRouter is perfectly suited for testing and verifying the higher layer network functionality of a DOCSIS-based device under test (DUT). The basic CDRouter test setup for cable gateways is very similar to the test setup for DSL-based gateways. Like the DSL test setup, CDRouter does not have the ability to terminate a cable gateway’s HFC WAN connection directly. As a result, a CMTS must be included in a cable gateway test setup, as opposed to a DSLAM for DSL gateways. Keep reading

Training

Best Practices for Securing TR-069

4 min read

For our article on the alleged TR-069 vulnerability during the Mirai bot scare, go here. As one of the most largely deployed broadband management protocols in the world, TR-069 has quite a footprint, and a compromised system could potentially affect many broadband subscribers adversely. Luckily, TR-069 is built to operate on secure transport protocols. While there is nothing inherently insecure to the protocol itself, improper implementation of TR-069 clients and servers may expose problems that can be exploited by malicious attackers, as is the case with any web service. Keep reading

Training

TR-069 Connection Request Timing

2 min read

In CWMP, the CPE is always the initiator of sessions. It begins each session with a call to the Inform RPC, which contains EVENT codes that specify to the ACS the reason for the session. One way the that ACS can entice a CPE to begin a session is with the Connection Request mechanism. In TR-069 Amendment 4 and earlier, this was done exclusively with HTTP, though an option for XMPP Connection Requests was added in Amendment 5. Keep reading

Training

Is your TR-069 implementation vulnerable to code injection attacks?

3 min read

Updates in CDRouter 10.3 The scenarios below are serious, and so we’ve added a series of tests to our tr69_conn_req.tcl module to cover your DUT’s TR-069 security and tests for code injection in TR-069 parameters. More on the Mirai worm attack in 2016 In 2016, a distributed denial of service (DDoS) attack dubbed the “Mirai worm” expanded its reach by exploiting a vulnerability in an exposed Broadband Forum TR-064 service (a deprecated service which we’ve written about here). Keep reading

Training

Experimenting with SIP and call timing on a gateway

4 min read

One of the fundamental functions of many home and business gateways is to act as a SIP ALG (Application Layer Gateway) for setting up, routing, and terminating VoIP telephone calls. This presents some difficulty with Network Address Translation (NAT) functionality that we’ve covered before. However, there’s other functional behavior when it comes to SIP call setup and the resulting RTP streams that can be missed without some rigorous experimentation. Keep reading

Training

Mirai attack on home routers and alleged TR-069 vulnerability

5 min read

Update: Learn more about how this attack could be used against TR-069 devices here. The week of November 28 2016 saw a massive attack on certain home routers deployed by several European service providers. The attack was based on the Mirai Malware attack several weeks previous that affected the dynamic DNS services provided by Dyn, Inc.. The attack focused on sending certain SOAP commands based on the Broadband Forum’s older TR-064 protocol, through port 7547. Keep reading

Training

Testing LAN clients with Public IP addresses in CDRouter

6 min read

In a typical home network, the ISP assigns a single Public IPv4 address to the CPE device that can be reached from the global Internet. The device assigns Private IPv4 addresses to CDRouter’s LAN clients and acts as an Internet gateway to them by mapping all of the Private addresses to the one Public address using Network Address Translation (NAT). (Private IPv4 addresses are described in RFC 1918, eg. 192. Keep reading

Training

Testing SIP Aware Routers

8 min read

Testing SIP aware CPE routers is a critical part of an over-all Voice over IP test strategy. CDRouter is perfect for testing SIP aware routers using a real world test setup. Using the CDRouter SIP test module, network and QA engineers can quickly verify the behavior of a SIP aware device and avoid costly interoperability problems. SIP and NAT SIP has become the leading signaling protocol for establishing Voice over IP calls between soft-phones and other VoIP applications. Keep reading

Training

Testing devices with wireless WAN connections

3 min read

At QA Cafe we continuously see new consumer broadband and home network devices come into the market and into our lab. One of the newest class of devices are “travel routers” - routers that are popular with people who frequently connect to public Wifi networks or those offered by hotels, restaurants, or hospitals. These devices let you preserve network settings that your devices need, let you set up default connections to VPNs or other secure networks, and act as an additional level of firewall security when connecting to public networks. Keep reading

Training

How Should an ACS Treat Missing CWMP Data Model Objects?

2 min read

TR-069 (CWMP) provides a mechanism for service providers to remotely provision a subscriber’s home network devices, including home gateways, set-top boxes, WiFi, etc. It does this by allowing the service provider’s ACS (Auto Configuration Server) to operate on a device’s “data model” - a conceptual framework containing the set of objects and parameters that describe the CPE’s configuration and capabilities. What happens when those objects or parameters aren’t implemented or don’t exist? Keep reading

Training

How do I get a device TR-069 Certified?

3 min read

Is your device TR-069 certified? CDRouter is the official test platform of the certification program for TR-069, called BBF.069. You can perform this testing using CDRouter before seeking certification at an approved test laboratory. What does certification mean? TR-069 certified devices can claim complete conformance to the TR-069 protocol. If the device supports one or more optional features, those tests are performed and included when the device is listed on the Broadband Forum certified device list. Keep reading

Training

9 Most Common Router Bugs

5 min read

QA Cafe has been testing CPE routers since 2002 trying to test as many routers as we can find. During this time we have learned that the quality level of home and business routers/gateways on the market varies considerably. The following are some of the common problems that are exposed by testing with the CDRouter test suite. Packet Loss During the DHCP Renewal Process The CDRouter test suite can force a router to renew its DHCP lease at short intervals. Keep reading

Training

Known Gateway Bugs - Ignoring Credentials

3 min read

Holes in home gateway security allow for a malicious hacker to take over a gateway in the way they would any other computer system. While the holes in most cases have been complex and deep seated bugs that would be hard to find without a lot of work, there are some easy to find bugs that seem obvious but would be missed without negative testing. The Problem Most application protocols use some method of authentication to ensure security and control identity management of users of the service. Keep reading

Training

DHCPv6 Prefix Delegation in Edge Routers

4 min read

In the course of developing the test suite for DHCPv6 prefix delegation, QA Cafe encountered a number of implementation issues that impact the functionality of IPv6 connectivity. Some of these potential implementation issues are discussed below. Implementation Issues with IPv6 Prefix Delegation in DHCP Now that IPv6 is moving out of the core and into residential networks, DHCPv6 prefix delegation has emerged as the leading technique to provision IPv6 CPE devices. Keep reading

Training

Webinar - Testing Wifi Guest Mode

5 min read

One of the most common use cases for Wifi is the ability to set up a guest network alongside another network that is used by the home user, business, or other organization. It’s also a source of a lot of problems: guaranteeing that the Wifi router or AP can handle the number of clients connecting; making sure that the security in place for the guest network and other networks works correctly; and ensuring the policies you’ve put in place for guest access vs. Keep reading

Training

Data Model Parameters

2 min read

Most objects contain a set of elements containing sub-objects and parameters. Parameters are defined using the parameter element, and, like Objects, have a set of attributes and elements that describe how the parameter is to be used and its requirements. Data Model attributes for Parameter Elements include: Name: Unlike object names, the parameter name is just the literal name of the parameter, not the full path. Access: Describes whether or not a parameter can be the subject of the SetParameterValues RPC. Keep reading

Training

Looking at Data Models and Objects

3 min read

Every data model in TR-069 contains the objects and parameters that represent the functions of a broadband CPE or other device. This includes their addressable name, syntax, data types, and a normative description of how they are to be used. The Data Model Document Let’s look at an actual data model XML document for Device:2. First you’ll see a set of comments. These will name the most recent editors and give you an overview of the updates in each version. Keep reading

Training

Navigating Broadband Forum Data Models

3 min read

Intrinsic to the operation of CWMP are the objects and parameters made available to an ACS by a CWMP endpoint. These maps of a CPE’s capabilities and state are referred to as “data models”. This term is somewhat overloaded. The term “data model” refers to both the representation of the state of a CWMP endpoint, or its “instantiated data model”, and to the official, standardized set of objects and parameters defined by the Broadband Forum. Keep reading

Training

Exploring scaling tests - Is your home gateway IoT ready?

4 min read

By now we’ve all heard of the coming flood of network aware devices collectively referred to as the “Internet of Things”. While the term encompasses a wide variety of use cases that are not all clearly defined, we can come up with some rudimentary expectations on how this influx of connections will affect networks. For the home gateway, the most significant impact is how to handle an order of magnitude more connections than most are traditionally designed for - how well does it scale? Keep reading

Training

Reboot and FactoryReset

1 min read

The Reboot RPC is used by the ACS to explicitly cause the device hardware to restart. This could be for any number of reasons, though should never be used as a means to force the CPE to upgrade itself. The Reboot RPC takes only one argument - CommandKey - used as it is elsewhere. The response contains no arguments. When the device reboots, it must initiate a session with the ACS as soon as it is able to do so. Keep reading

Training

Upgrading CPE Firmware with the Download and TransferComplete RPCs

5 min read

Perhaps the biggest use case for TR-069 is managing a CPE’s firmware, allowing service providers to remotely upgrade their install base without needing to send the firmware to the customer or send an engineer. TR-069 has several mechanism for doing this - the first is using the Download RPC to directly upload firmware. Optional RPCs that extend this capability include RequestDownload and ScheduleDownload. There is also a newer “firmware bank” mechanism in TR-069 Amendment 6. Keep reading

Training

AddObject and DeleteObject

3 min read

An “object” in a CPE data model is an element of functionality that can be configured by an ACS. While an object’s parameters are configured using the SetParameterValues RPC, Objects that are able to be created by the ACS can be added to a device using the AddObject RPC, and removed using the DeleteObject RPC. AddObject The AddObject RPC takes two arguments. The first is Object name, which must contain a path reference to an Object; that is a path that ends in a “dot”. Keep reading

Training

Multi-service gateway testing with CDRouter

6 min read

Multi-service gateways are typically configured with two or more independent, logical WAN connections, or channels, for different services, such as voice, video, and data. These service channels are then aggregated onto a single physical WAN connection through the use of VLANs. This allows operators to easily manage, route, and prioritize traffic from a large number of subscribers. CDRouter can easily test gateways that are configured for multiple services, ensuring that your products can deliver them effectively to subscribers and businesses. Keep reading

Training

TR-069 Training - Parameter Attributes

2 min read

Every parameter a CPE’s CWMP data model contains metadata known as “attributes”. These attributes include the “Notification” attribute and “AccessList” attribute. The access attribute was defined early on in TR-069 to provide a method for assigning an access control rule identifier to each individual parameter, but this was never defined to more than one value, “Subscriber”, meaning that the subscriber is allowed to change the parameter through some other mechanism. Keep reading

Training

Get/Set Parameter Values and the Status argument

2 min read

The fundamental purpose of TR-069 is to allow an ACS to interact with the CPE’s instantiated data model, that is, the representation of its current state. The RPCs that form the basis of this include the Get and Set Parameter Values methods. The SetParameterValues RPC takes two arguments. The first is a ParameterList, an array of ParameterValueStruct, a collection of name/value pairs. These list the parameters an ACS wants to change, and the new values for those parameters. Keep reading

Training

TR-069 Training - GetParameterNames and Parameter Paths

3 min read

When an ACS wants to learn what objects exist on a CPE and what parameters they support, it can use the GetParameterNames RPC. Like other RPCs, GetParameterNames makes use of the ParameterPaths argument, so let’s take a minute to understand parameter paths. All of the objects and parameters in a CWMP endpoint’s data model are addressed by a parameter path. A parameter path includes objects, sub-objects, identifiers for multi-instance objects, and the parameters of those objects. Keep reading

Training

IP Multicast Testing with CDRouter

8 min read

This guide describes the IP multicast testing features in CDRouter and the role of IGMP (Internet Group Management Protocol) in CPE networks. CDRouter supports multicast testing using IGMP version 3. Although many CPE devices have support for IP multicast and IGMP, new functional requirements for set-top boxes and other IPTV multicast applications are pushing the adoption of IGMPv3 into the CPE networking space. IGMPv3 in CPE Networks Several different industry technology bodies including the Broadband Forum and CableLabs (DOCSIS) have defined the use of IGMPv3 for CPE devices. Keep reading

Training

TR-069 Training - The GetRPCMethods RPC

1 min read

The GetRPCMethods argument is used by both the CPE and the ACS to request a list of the RPCs supported by either endpoint to better understand the endpoint’s capabilities. It’s one of the simpler RPCs in that it contains no arguments. In the response, the ACS or CPE MUST include all of the required RPCs specified in TR-069, and may include additional optional RPCs or vendor defined RPCs. Keep reading

Training

Understanding Performance Results

4 min read

We get a lot of feedback from our users discovering new and interesting results when combining functional testing with throughput, latency, and loss testing. Having a good understanding of how performance tests work and the caveats around their results can help you determine how your functional tests are impacting performance, and visa-versa. Understanding the theoretical maximum of application data What is “line rate”? CDRouter Performance is designed to measure “application level” throughput. Keep reading

Training

TR-069 Training - The Inform RPC

2 min read

TR-069 uses several remote procedure calls whose definition determine the types of TR-069 messages that are sent and received by an ACS or CPE. Every RPC is defined in the TR-069 base XML schema which can be found on the Broadband Forum website. Each one consists of the call itself, with a number of defined arguments that may or may not be required, and the appropriate response, with its required arguments. Keep reading

Training

Session Retry Mechanism

2 min read

Every TR-069 session is initiated by a CWMP endpoint that is looking to deliver an event. These events have different delivery requirements, using language such as “must not discard”, “must retry until reboot”, “may retry” and “must not retry”. What happens when the CPE tries to deliver an event but cannot reach the ACS? TR-069 defines an explicit session retry policy to deal with this scenario. An unsuccessful session is considered equivalent with an undelivered event. Keep reading

Training

Notifications

2 min read

In TR-069, the 4 Value Change event code is used when a parameter set for notification is changed by any mechanism other than the ACS. These conditions are set using the SetParameterAttributes RPC. There are three different notification states. None, Passive, and Active. As arguments in the SetParameterAttributes RPC, these are noted as 0, 1, and 2, respectively. Setting a parameter for “None” or “No” notification removes any previous notification settings. Keep reading

Training

XML and SOAP in TR-069

3 min read

TR-069 uses the extensible markup language in three different ways: To define the syntax of its message calls and responses, message ID, and faults To define its remote procedure calls and their arguments and To define the data model of CWMP endpoint objects While XML is used most often to define and describe information, TR-069 also uses it directly over the wire when transmitting messages. This means that the ACS and CPE pass XML documents back and forth over HTTP during a TR-069 session. Keep reading

Training

XMPP Connection Request Mechanism

2 min read

There’s one caveat to ConnectionRequests - they require that the CPE can be reached by the ACS over HTTP. For endpoints that may reside behind a Gateway, this is not the case, thanks to Network Address Translation or Firewall rules. To get around this, TR-069 Annex K defines a way to perform Connection Requests over XMPP. To enable the XMPP Connection Request feature on the CPE, the ACS first configures a new XMPP. Keep reading

Training

Connection Request Basics

2 min read

Though every TR-069 session is initiated by the CPE endpoint, sometimes it’s necessary for the ACS to request that the CPE contact it immediately. To do this, TR-069 defines a Connection Request mechanism in CWMP, which allows the ACS to stimulate the CPE to begin a session. The most basic Connection Request is a simple HTTP GET on a URL defined by the CPE, defined in the ConnectionRequestURL parameter of the ManagementServer object in the CPE data model. Keep reading

Training

ACS Discovery

2 min read

In TR-069, the CPE is always initiates a session. When making first contact with an ACS, how does it know the ACS URL it is supposed to contact? There are 3 mechanisms suggested in TR-069 to do this. The first is that the CPE has its bootstrap ACS pre-configured by factory default. This is usually the case with CPE that are deployed by a service provider. The second mechanism involves the ACS URL being configured through a local protocol that has access to the CWMP data model, such as UPnP as defined in TR-064. Keep reading

Training

Event Basics

4 min read

Every TR-069 session is initiated by a CWMP Endpoint on a CPE. These sessions always occur for a specific reason, called an “Event”. All of the Events that have yet to be delivered to the ACS are contained as arguments in the Inform RPC at the start of every TR-069 session. Here’s a CDRouter Log of a TR-069 session. You can see that the Inform sent by the CPE contains an array of type “EventStruct”. Keep reading

Training

Overview of a TR-069 Session

3 min read

TR-069 refers to the Technical Report published by the Broadband Forum that defines the CPE WAN Management Protocol, or CWMP. CWMP was developed to allow providers of broadband services to deploy and manage customer premises equipment in home and business networks. In the beginning, TR-069 was targeted towards the home router or business gateway. It has evolved to cover all manner of home network devices, including enterprise VoIP products, video set top boxes, network attached storage, femto cells, and an unlimited number of network aware products through TR-069’s proxy function. Keep reading

Training

Protecting Against Vulnerabilities in SSL

1 min read

The IETF deprecated SSL version 3.0 in 2015. This means that it is no longer be standard to fall back to SSL 3.0 in protocol negotiations, and for good reason: there have been a host of vulnerabilities in Secure Socket Layer, some of which are of particular concern to home networking devices that have web-based configuration tools or support TR-069. We hadn’t brought up the POODLE vulnerability before, but it, along with other vulnerabilities found in older versions of SSL and TLS, can be exploited even if your DUT is using the most recent versions of these protocols. Keep reading

Training

Testing Wifi Scalability with Wireless Station Virtualization

3 min read

Nearly every home device has Wifi capability, and with the emergence of the Internet of Things, that number is likely to increase exponentially. It will be more important than ever to ensure that Wifi routers and access points can handle the load and the applications that are likely to be accessed by all of these Wifi enabled devices. CDRouter 9.2 introduced the ability to simulate many wireless stations from a single wlan interface. Keep reading

Training

Using XMPP for TR-069 Connection Requests

3 min read

Watch our training on connection request basics and XMPP connection requests in our TR-069 training series. Though one of the fundamental principles of CWMP (TR-069) is that the CPE endpoint is always the one to initiate a connection, Autoconfiguration Servers (ACS) can use the TR-069 Connection Request feature to stimulate a CPE to begin a session. This is often used when the ACS must contact the CPE immediately, such as when configuring the device for a new service after it has already been bootstrapped by the system. Keep reading

Training

Is your device using valid TR-069 data models?

3 min read

The CPE WAN Management Protocol described by Broadband Forum TR-069 is a remote procedure call (RPC) based protocol. That is, it consists of two applications that interact directly with each other through a set of defined methods - in the case of TR-069, this includes device functions like Reboot, Download, etc., as well as operations that affect the device’s data model - a set of objects and parameters and the metadata surrounding them. Keep reading

Training

The Misfortune Cookie and Security in the Home Gateway

2 min read

DEFCON22 had a number of revelations concerning web server security of systems meant to deploy TR-069 in a subscriber network. Most of the investigation done surrounded vulnerable ACS - that is, malicious attackers gaining access to the auto-configuration server, allowing them to control many hundreds of thousands of home devices. Recently, the same investigators set their sights on the broadband CPE themselves, and discovered some interesting vulnerabilities, including one dubbed the “Misfortune Cookie”. Keep reading

Training

Testing to reduce the big three broadband customer support problems

4 min read

The most well understood case for product testing is in quality assurance while a home networking product is in development, or testing its integrity between firmware revisions. But testing before, during, and after deployment can also ensure that service providers reduce costly support calls and truck rolls. We asked some of our customers, some in the service provider world and others who develop management and support services for service providers, what the most common causes of service calls are. Keep reading

Training

Open SSL Heartbleed Bug in the Home Gateway

2 min read

You may have recently heard of a major bug in the OpenSSL implementation, widely used to provide secure communications on the web. This vulnerability is fairly widespread, but has been corrected and will be fixed as more systems are patched. We also made an example capture and explanation of the bug and a packet capture of the attack in action at our CloudShark Appliance website. The security community quickly moved on this vulnerability, and in addition to the OpenSSL patch that is available to fix the problem, there have been several tools built to test servers for the Heartbleed vulnerability. Keep reading

Training

Router Bugs - IKE NAT Traversal

2 min read

QA Cafe is constantly testing as many home networking devices as we can find, both to make sure CDRouter is the best testing product around and to find new and interesting tests to write. During that time, we have learned that the quality level of home and business routers/gateways on the market varies considerably. We know the world of networking protocols is complex and nuanced, and often a slight oversight in a standard or interpretation of a standard can mean the difference between a functioning home networking product and a high-tech paperweight. Keep reading

Training

Configuring CDRouter for 802.1x Authentication on the WAN

8 min read

CDRouter includes support for configurations involving 802.1X authentication on the WAN. 802.1X is typically used by service providers to authenticate a client or device and open a port on an 802.1X enabled DSLAM or switch for CPE traffic. CPE devices that support 802.1X on the WAN must include 802.1X supplicant functionality in addition to common IPv4 and IPv6 WAN connectivity options such as DHCP and PPPoE. About IEEE 802.1x IEEE 802. Keep reading

Training

Common testing issues with TR-069 and SSL

3 min read

Here are solutions to a few common TR-069 SSL-related issues. The CPE does not have a time source Some CPE devices will not validate a SSL/TLS certificate from the ACS until a time source is established. TR-069 states that devices should skip date validation of certificates if a time source is not established. However, in practice some CPE devices simple end the SSL connection. A common symptom of this problem are DNS requests to an NTP server which is not configured. Keep reading

Training

DHCP Server Testing with CDRouter

8 min read

CDRouter’s pre-defined test modules make it easy to quickly test and evaluate a CPE implementation’s integrated DHCP server. In addition, CDRouter’s flexible configuration options allow a wide variety of DHCP server scenarios to be simulated and tested in a consistent and repeatable fashion. The base version of CDRouter includes two test modules designed specifically for verifying a CPE’s DHCP server functionality. The first module, dhcp-s.tcl, includes targeted functional test cases while the second module, scaling. Keep reading

Training

How do I convert a certificate from .pem format to .der or .cer format?

1 min read

The following openssl command can be used to convert a certificate in .pem format to .der format: # openssl x509 -in MYCERT.pem -inform PEM -out MYCERT.der -outform DER The following openssl command can be used to convert a certificate in .pem format to .cer format: # openssl x509 -in MYCERT.pem -inform PEM -out MYCERT.cer -outform DER For more information, please see the OpenSSL x509 documentation available here.

Training

How do I convert from a Java keystore certificate to .pem format?

1 min read

To convert a Java keystore certificate to .pem format, follow these steps: Download and run the KeyTool IUI. Export the private key and certificate chains file from the keystore to a .pem file. This can be done by selecting Export > Keystore’s Entry > Private Key from the KeyTool IUI. Choose a target private key file and a target certificate chains file, and select .pem as the export format for both. Keep reading

Training

How do I create a reliable test setup for wireless testing?

1 min read

When testing with a wireless interface, the link quality between the access point and the wireless adapter can impact test results. Some test cases are not tolerant of packet loss. Any packets dropped by the access point could lead to a test failure. When purely testing functionality and not the reliability of the over air connection, QA Cafe recommends directly connecting the antenna of the wireless card to the access point antenna using an adapter cable with the appropriate terminations. Keep reading

Training

Why does my 802.1x RADIUS session stop after the first packet?

1 min read

Some 802.1x/EAPOL authenticator implementations expect to find the RADIUS “State” attribute in any RADIUS response from the server. Some RADIUS servers use the State attribute to maintain sessions and some RADIUS clients check for it. However, when these implementations do not find the State attribute, the RADIUS packet may be dropped. The packet trace would look as follows: INFO(setup): 16:41:36' Sending EAP-Start to initiate authorization process O>>>(lan): 16:41:36' 00:15:e9:30:8b:7e 00:0c:41:6d:e8:09 EAPOL EAPOL-Start INFO(setup): 16:41:36' Starting DHCP client on LAN interface eth2 O>>>(lan): 16:41:36' 0. Keep reading

Training

Port Scanning Test Configuration for IPv4 and IPv6

6 min read

CDRouter includes port scanning test cases in the firewall.tcl module which will probe the WAN interface of the DUT for open TCP and UDP ports over IPv4. These open ports provide services either by the DUT or forwarded to internal LAN clients. Users of the CDRouter IPv6 add-on will find they can also perform similar tests over IPv6. Although there are certainly legitimate uses of port scanning, the vast majority of it occurs on the public Internet and is directed toward the WAN ports of random CPEs. Keep reading

Training

Storage name resolution methods and protocol caveats

3 min read

Several methods to resolve storage service hosts CDRouter Storage allows a test engineer to execute various storage protocol tests against a storage-enabled device. In order for CDRouter to know the IP address of the storage service to be tested, it must either be told with an explicit IP address, or be given a DNS or NetBIOS name, or discover it using multicast DNS (disabled by default, with instructions to enable it included below). Keep reading

Training

IPSEC pass through testing

2 min read

IPSEC pass through is a technique for allowing IPSEC packets to pass through a NAT router. By itself, IPSEC does not work when it travels through NAT. Newer IKE and IPSEC implementations support NAT-Traversal which is a technique to detect NAT and switch to UDP encapsultion for IPSEC ESP packets. However, many router vendors have developed a “pass through” technique that allows IPSEC packets to pass through NAT without NAT-T support. Keep reading

Training

Testing dual-stack lite (DS-Lite) B4 CPE devices

8 min read

CDRouter makes it easy to test dual-stack lite B4 CPE implementations on a functional level, and when combined with the many LAN modes of operation available, can help identify issues that are not visible by iterative conformance testing. Dealing with IPv6 transitioning Many IPv6 transition strategies have been provided. Some, such as 6to4, have been available to end users for years now, since ISPs have no prerequisite of IPv6 routing to support the 6to4 protocol. Keep reading

Training

Displaying the contents of an SSL certificate in Linux

2 min read

You can display the contents of a PEM formatted certificate under Linux, using openssl: # openssl x509 -in acs.qacafe.com.pem -text The output of the above command should look something like this: cdrouter@linux:/usr/share/doc/cdrouter> openssl x509 -in acs.qacafe.com.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 73:10:d8:99:cd:08:43:56:57:e0:56:17:84:87:8e:e3 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority Validity Not Before: Jun 9 00:00:00 2006 GMT Not After : Jun 9 23:59:59 2007 GMT Subject: C=US, ST=New Hampshire, L=Portsmouth, O=QA Cafe, OU=CDRouter, OU=Terms of use at www. Keep reading
ssl