Tr 069

How do you test TR-069 enabled devices?

Are you developing a device or deployment that uses the CPE WAN Management Protocol (TR-069), like managed Wifi or other services? When testing TR-069, what should you test for? What are the benefits of automating it with a dedicated test platform? What are the benefits of getting certified or asking your vendors to certify? Join the QA Cafe team as we show you: The different parts of TR-069 and what can and should be tested. Read more...

Automated home gateway security testing

Test your devices before attackers do. It’s no question now - malicious attackers are targeting the home network, and the gateway in particular. Testing for security vulnerabilities can be tedious and ineffective if you don’t have a controlled, repeatable, and fully automated test environment. Join the CDRouter team as we show you: How to test the functional performance of your security tools like parental controls, firewalls, and the security of your user interfaces. Read more...

Verifying TR-069 real-world scenarios with a native ACS

When it comes to testing TR-069, there are three main stages: Testing that your device handles CWMP and the underlying protocols Testing that your data model objects and parameters are valid Testing that your CPE will behave as expected in production CDRouter’s automation platform can make it very easy to do all of these, and do them repeatedly from firmware to firmware. However, this third point involves two things: verifying that your device makes the internal changes that were configured via CWMP, and testing in your actual production network. Read more...

CDRouter Release 10.3 - DOCSIS, DUT Control, and More

CDRouter 10.3 is now available! We recently teased the release of CDRouter DOCSIS, and 10.3 contains that plus much more. Introducing CDRouter DOCSIS Testing both your cable modem and eRouter together in an automated, repeatable way has never been easy. With our new DOCSIS add-on, we’ve added all of the common DOCSIS configuration services so you can flex CDRouter’s power with both cable modems and complex eRouters that include Wifi, firewalls, and other user-critical services - all at once, all overnight, and completely automated. Read more...

CDRouter Release 10.4 - GRE, Application Latency, TR-069 Bootstrap, and more

CDRouter 10.4 is now available! With some major features and upgrades to performance, TR-069, and more, it’s a great time to upgrade your CDRouter system. Application Latency Performance Testing When it comes to performance testing, layer 2 throughput testing is what most tools stick to. But is it enough? No - “line rate” can only mean so much. CDRouter 10.4 introduces application specific latency test cases for DHCP, DNS, and ICMP, to help you exercise how your devices will actually behave from an end user’s perspective. Read more...

Best Practices for Securing TR-069

For our article on the alleged TR-069 vulnerability during the Mirai bot scare, go here. As one of the most largely deployed broadband management protocols in the world, TR-069 has quite a footprint, and a compromised system could potentially affect many broadband subscribers adversely. Luckily, TR-069 is built to operate on secure transport protocols. While there is nothing inherently insecure to the protocol itself, improper implementation of TR-069 clients and servers may expose problems that can be exploited by malicious attackers, as is the case with any web service. Read more...

Testing TR-069 Devices in CDRouter 10

As the official test platform for TR-069 certification, CDRouter’s TR-069 add-on turns CDRouter into a scriptable ACS simulator with test cases for protocol functionality, data model validation, and security. Join the QA Cafe team as we show you: Building a configuration to run TR-069 testing The different TR-069 test cases CDRouter TR-069 vs. BBF.069 tests Testing the different TR-069 data models Setting up SSL certificates for testing

TR-069 Connection Request Timing

In CWMP, the CPE is always the initiator of sessions. It begins each session with a call to the Inform RPC, which contains EVENT codes that specify to the ACS the reason for the session. One way the that ACS can entice a CPE to begin a session is with the Connection Request mechanism. In TR-069 Amendment 4 and earlier, this was done exclusively with HTTP, though an option for XMPP Connection Requests was added in Amendment 5. Read more...

Is your TR-069 implementation vulnerable to code injection attacks?

Updates in CDRouter 10.3 The scenarios below are serious, and so we’ve added a series of tests to our tr60_conn_req.tcl module to cover your DUT’s TR-069 security and tests for code injection in TR-069 parameters. More on the Mirai worm attack in 2016 In 2016, a distributed denial of service (DDoS) attack dubbed the “Mirai worm” expanded its reach by exploiting a vulnerability in an exposed Broadband Forum TR-064 service (a deprecated service which we’ve written about here). Read more...

Mirai attack on home routers and alleged TR-069 vulnerability

Update: Learn more about how this attack could be used against TR-069 devices here. The week of November 28 2016 saw a massive attack on certain home routers deployed by several European service providers. The attack was based on the Mirai Malware attack several weeks previous that affected the dynamic DNS services provided by Dyn, Inc.. The attack focused on sending certain SOAP commands based on the Broadband Forum’s older TR-064 protocol, through port 7547. Read more...

How Should an ACS Treat Missing CWMP Data Model Objects?

TR-069 (CWMP) provides a mechanism for service providers to remotely provision a subscriber’s home network devices, including home gateways, set-top boxes, WiFi, etc. It does this by allowing the service provider’s ACS (Auto Configuration Server) to operate on a device’s “data model” - a conceptual framework containing the set of objects and parameters that describe the CPE’s configuration and capabilities. What happens when those objects or parameters aren’t implemented or don’t exist? Read more...

How do I get a device TR-069 Certified?

Is your device TR-069 certified? CDRouter is the official test platform of the certification program for TR-069, called BBF.069. You can perform this testing using CDRouter before seeking certification at an approved test laboratory. What does certification mean? TR-069 certified devices can claim complete conformance to the TR-069 protocol. If the device supports one or more optional features, those tests are performed and included when the device is listed on the Broadband Forum certified device list. Read more...

TR-069 Training Series - Data Model Parameters

Most objects contain a set of elements containing sub-objects and parameters. Parameters are defined using the parameter element, and, like Objects, have a set of attributes and elements that describe how the parameter is to be used and its requirements. Data Model attributes for Parameter Elements include: Name: Unlike object names, the parameter name is just the literal name of the parameter, not the full path. Access: Describes whether or not a parameter can be the subject of the SetParameterValues RPC. Read more...

TR-069 Training Series - Looking at Data Models and Objects

Every data model in TR-069 contains the objects and parameters that represent the functions of a broadband CPE or other device. This includes their addressable name, syntax, data types, and a normative description of how they are to be used. The Data Model Document Let’s look at an actual data model XML document for Device:2. First you’ll see a set of comments. These will name the most recent editors and give you an overview of the updates in each version. Read more...

TR-069 Training Series - Navigating Broadband Forum Data Models

Intrinsic to the operation of CWMP are the objects and parameters made available to an ACS by a CWMP endpoint. These maps of a CPE’s capabilities and state are referred to as “data models”. This term is somewhat overloaded. The term “data model” refers to both the representation of the state of a CWMP endpoint, or its “instantiated data model”, and to the official, standardized set of objects and parameters defined by the Broadband Forum. Read more...

TR-069 Training Series - Reboot and FactoryReset

The Reboot RPC is used by the ACS to explicitly cause the device hardware to restart. This could be for any number of reasons, though should never be used as a means to force the CPE to upgrade itself. The Reboot RPC takes only one argument - CommandKey - used as it is elsewhere. The response contains no arguments. When the device reboots, it must initiate a session with the ACS as soon as it is able to do so. Read more...

TR-069 Training Series - Upgrading CPE Firmware with the Download and TransferComplete RPCs

Perhaps the biggest use case for TR-069 is managing a CPE’s firmware, allowing service providers to remotely upgrade their install base without needing to send the firmware to the customer or send an engineer. TR-069 has several mechanism for doing this - the first is using the Download RPC to directly upload firmware. Optional RPCs that extend this capability include RequestDownload and ScheduleDownload. There is also a newer “firmware bank” mechanism in TR-069 Amendment 6. Read more...

TR-069 Training Series - AddObject and DeleteObject

An “object” in a CPE data model is an element of functionality that can be configured by an ACS. While an object’s parameters are configured using the SetParameterValues RPC, Objects that are able to be created by the ACS can be added to a device using the AddObject RPC, and removed using the DeleteObject RPC. AddObject The AddObject RPC takes two arguments. The first is Object name, which must contain a path reference to an Object; that is a path that ends in a “dot”. Read more...

TR-069 Training - Parameter Attributes

Every parameter a CPE’s CWMP data model contains metadata known as “attributes”. These attributes include the “Notification” attribute and “AccessList” attribute. The access attribute was defined early on in TR-069 to provide a method for assigning an access control rule identifier to each individual parameter, but this was never defined to more than one value, “Subscriber”, meaning that the subscriber is allowed to change the parameter through some other mechanism. Read more...

Get/Set Parameter Values and the Status argument

The fundamental purpose of TR-069 is to allow an ACS to interact with the CPE’s instantiated data model, that is, the representation of its current state. The RPCs that form the basis of this include the Get and Set Parameter Values methods. The SetParameterValues RPC takes two arguments. The first is a ParameterList, an array of ParameterValueStruct, a collection of name/value pairs. These list the parameters an ACS wants to change, and the new values for those parameters. Read more...

TR-069 Training - GetParameterNames and Parameter Paths

When an ACS wants to learn what objects exist on a CPE and what parameters they support, it can use the GetParameterNames RPC. Like other RPCs, GetParameterNames makes use of the ParameterPaths argument, so let’s take a minute to understand parameter paths. All of the objects and parameters in a CWMP endpoint’s data model are addressed by a parameter path. A parameter path includes objects, sub-objects, identifiers for multi-instance objects, and the parameters of those objects. Read more...

TR-069 Training - The GetRPCMethods RPC

The GetRPCMethods argument is used by both the CPE and the ACS to request a list of the RPCs supported by either endpoint to better understand the endpoint’s capabilities. It’s one of the simpler RPCs in that it contains no arguments. In the response, the ACS or CPE MUST include all of the required RPCs specified in TR-069, and may include additional optional RPCs or vendor defined RPCs. Read more...

TR-069 Training - The Inform RPC

TR-069 uses several remote procedure calls whose definition determine the types of TR-069 messages that are sent and received by an ACS or CPE. Every RPC is defined in the TR-069 base XML schema which can be found on the Broadband Forum website. Each one consists of the call itself, with a number of defined arguments that may or may not be required, and the appropriate response, with its required arguments. Read more...

TR-069 Training Series - Session Retry Mechanism

Every TR-069 session is initiated by a CWMP endpoint that is looking to deliver an event. These events have different delivery requirements, using language such as “must not discard”, “must retry until reboot”, “may retry” and “must not retry”. What happens when the CPE tries to deliver an event but cannot reach the ACS? TR-069 defines an explicit session retry policy to deal with this scenario. An unsuccessful session is considered equivalent with an undelivered event. Read more...

TR-069 Training Series - Notifications

In TR-069, the 4 Value Change event code is used when a parameter set for notification is changed by any mechanism other than the ACS. These conditions are set using the SetParameterAttributes RPC. There are three different notification states. None, Passive, and Active. As arguments in the SetParameterAttributes RPC, these are noted as 0, 1, and 2, respectively. Setting a parameter for “None” or “No” notification removes any previous notification settings. Read more...

TR-069 Training Series - XML and SOAP in TR-069

TR-069 uses the extensible markup language in three different ways: To define the syntax of its message calls and responses, message ID, and faults To define its remote procedure calls and their arguments and To define the data model of CWMP endpoint objects While XML is used most often to define and describe information, TR-069 also uses it directly over the wire when transmitting messages. This means that the ACS and CPE pass XML documents back and forth over HTTP during a TR-069 session. Read more...

TR-069 Training Series - XMPP Connection Request Mechanism

There’s one caveat to ConnectionRequests - they require that the CPE can be reached by the ACS over HTTP. For endpoints that may reside behind a Gateway, this is not the case, thanks to Network Address Translation or Firewall rules. To get around this, TR-069 Annex K defines a way to perform Connection Requests over XMPP. To enable the XMPP Connection Request feature on the CPE, the ACS first configures a new XMPP. Read more...

TR-069 Training Series - Connection Request Basics

Though every TR-069 session is initiated by the CPE endpoint, sometimes it’s necessary for the ACS to request that the CPE contact it immediately. To do this, TR-069 defines a Connection Request mechanism in CWMP, which allows the ACS to stimulate the CPE to begin a session. The most basic Connection Request is a simple HTTP GET on a URL defined by the CPE, defined in the ConnectionRequestURL parameter of the ManagementServer object in the CPE data model. Read more...

TR-069 Training - ACS Discovery

In TR-069, the CPE is always initiates a session. When making first contact with an ACS, how does it know the ACS URL it is supposed to contact? There are 3 mechanisms suggested in TR-069 to do this. The first is that the CPE has its bootstrap ACS pre-configured by factory default. This is usually the case with CPE that are deployed by a service provider. The second mechanism involves the ACS URL being configured through a local protocol that has access to the CWMP data model, such as UPnP as defined in TR-064. Read more...

TR-069 Training Series - Event Basics

Every TR-069 session is initiated by a CWMP Endpoint on a CPE. These sessions always occur for a specific reason, called an “Event”. All of the Events that have yet to be delivered to the ACS are contained as arguments in the Inform RPC at the start of every TR-069 session. Here’s a CDRouter Log of a TR-069 session. You can see that the Inform sent by the CPE contains an array of type “EventStruct”. Read more...

Overview of a TR-069 Session

TR-069 refers to the Technical Report published by the Broadband Forum that defines the CPE WAN Management Protocol, or CWMP. CWMP was developed to allow providers of broadband services to deploy and manage customer premises equipment in home and business networks. In the beginning, TR-069 was targeted towards the home router or business gateway. It has evolved to cover all manner of home network devices, including enterprise VoIP products, video set top boxes, network attached storage, femto cells, and an unlimited number of network aware products through TR-069’s proxy function. Read more...

Protecting Against Vulnerabilities in SSL

Well, it’s official, the IETF is deprecating SSL version 3.0. This means that it will no longer be standard to fall back to SSL 3.0 in protocol negotiations, and for good reason: there have been a host of vulnerabilities in Secure Socket Layer, some of which are of particular concern to home networking devices that have web-based configuration tools or support TR-069. We hadn’t brought up the POODLE vulnerability before, but it, along with other vulnerabilities found in older versions of SSL and TLS, can be exploited even if your DUT is using the most recent versions of these protocols. Read more...

Using XMPP for TR-069 Connection Requests

Watch our training on connection request basics and XMPP connection requests in our TR-069 training series. Though one of the fundamental principles of CWMP (TR-069) is that the CPE endpoint is always the one to initiate a connection, Autoconfiguration Servers (ACS) can use the TR-069 Connection Request feature to stimulate a CPE to begin a session. This is often used when the ACS must contact the CPE immediately, such as when configuring the device for a new service after it has already been bootstrapped by the system. Read more...

Is your device using valid TR-069 data models?

The CPE WAN Management Protocol described by Broadband Forum TR-069 is a remote procedure call (RPC) based protocol. That is, it consists of two applications that interact directly with each other through a set of defined methods - in the case of TR-069, this includes device functions like Reboot, Download, etc., as well as operations that affect the device’s data model - a set of objects and parameters and the metadata surrounding them. Read more...

Testing TR-069 LAN side CPE with CDRouter

The CDRouter TR-069 add-on module for CDRouter has the ability to test LAN-side devices, as defined in TR-181i1. TR-069 LAN-side devices are typically set-top boxes or VoIP endpoints that reside on the LAN side of the customer’s Internet Gateway Device (IGD) which may or may not support TR-069. The CDRouter TR-069 add-on supports automated testing for LAN-side devices. You can use this test setup to: Easily test TR-069 enabled LAN-side devices such as set-top boxes (STB) or voice-over-IP (VoIP) endpoints Can be used to test devices that are operating in both load-balancing mode or failover mode Automated PD-128 and data model profile testing for LAN-side devices CDRouter can test LAN devices that support Broadband Forum TR-104 (VoIPService data model), TR-135 (STBService data model), TR-196 (FAPService data model), TR-140 (StoargeService data model), and TR-181i1/i2 (Device root data models). Read more...

Common testing issues with TR-069 and SSL

Here are solutions to a few common TR-069 SSL-related issues. The CPE does not have a time source Some CPE devices will not validate a SSL/TLS certificate from the ACS until a time source is established. TR-069 states that devices should skip date validation of certificates if a time source is not established. However, in practice some CPE devices simple end the SSL connection. A common symptom of this problem are DNS requests to an NTP server which is not configured. Read more...

Leveraging the BBF.069 CPE Certification Program Using CDRouter

The Broadband Forum recently launched its BBF.069 CPE Certification Program for devices that support TR-069. This program is industry standard for qualifying products for use in TR-069 deployments, and is critical for ensuring that your products or service deployments will operate well. We’re happy to say that our flagship product, CDRouter, is the offical test platform for performing the TR-069 certification testing through its BBF.069 add-on. The Broadband Forum TR-069 CPE Certification Program, BBF. Read more...

CDRouter chosen as official tool for BBF.069 CPE Certification Program

Certification Program Test scripts to become available to CDRouter customers for pre-testing and troubleshooting Read the official press release here. October 16 2012, Amsterdam – QA Cafe, a leader in test and analysis solutions for the telecom and data communications industry, has had its flagship CDRouter test platform selected by the University of New Hampshire InterOperability Laboratory (UNH-IOL) for the performance of the Broadband Forum’s BBF.069 Certification program announced this week. Read more...