Published on May 9, 2024 (author: )

TR069 Protocol Guide

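1. Why TR069 is needed

As more and more IP terminal devices such as VoIP and IPTV equipment come into use (especially in homes), configuring and maintaining large numbers of devices has become increasingly difficult and has greatly raised costs for network operators. Traditional SNMP-based network management systems cannot cope with so many terminal devices, which limits the speed and scale at which the broadband access market can grow. TR069 defines a completely new network management architecture, comprising a "management model", "interaction interfaces" and "management parameters", which greatly reduces the operation and maintenance cost of network products.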

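2. What is the TR069 protocol

TR069 is a network management protocol for terminal devices drawn up by the Digital Subscriber Line (DSL) Forum (since renamed the Broadband Forum). It is called the "CPE WAN Management Protocol (CWMP)", and its DSL Forum document number is TR069.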

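3. Current state of the TR069 protocol

Since the DSL Forum released the protocol in May 2004, the major operators have deployed TR069-based terminal devices. Judging by how the protocol has developed, however, TR069 is still being refined.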

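4. TR069 network architecture

The ACS is the Auto-Configuration Server, which manages the terminal devices (CPE). The interface between the ACS and the CPE is the southbound interface, and the interface between the ACS and the management system is the northbound interface. TR069 mainly defines the southbound interface.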

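5. Implementation of TR069 (protocol stack)

1) TR069 runs over TCP/IP.

2) Standard Internet transport security protocols, SSL 3.0 or TLS 1.0. SSL/TLS ensures certificate-based authentication between the CPE and the ACS, but its use is not mandatory.

3) Messages between the ACS and the CPE are carried over HTTP 1.1.

4) The message content is wrapped in a SOAP packet. A SOAP packet is an XML document made up of a SOAP Header and a SOAP Body.

5) The ACS and the CPE interoperate through RPC methods specific to TR069.

The ACS remotely calls RPC functions on the CPE in order to manage it, for example setting CPE parameters, getting CPE parameters, upgrading hardware, or rebooting the device. The name of the function to call and its arguments therefore have to be sent to the CPE, and they are carried in the SOAP Body. The ACS does not call the device's own interfaces directly. The functions the ACS calls are the standard TR069 functions (called TR-069 RPC Methods); a middle layer on the CPE parses out the RPC method and then calls the device's own interfaces. This middle layer is the TR069 Agent.

The CPE calls methods on the ACS to report status information to the ACS, to request the download of hardware image files (used to upgrade the hardware), and so on.

The RPC functions (also called RPC methods) of TR069 are listed in the following table: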

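6. CPE function parameters (the TR069 data model)

The network architecture contains two types of device, and therefore two sets of data models:

i. TR-106: Data Model Template for TR-069-Enabled Devices, [13]

ii. TR-098: Internet Gateway Device Data Model for TR-069, [24]

iii. TR-104: Provisioning Parameters for VoIP CPE, [25]

Each Parameter consists of a name-value pair. The name identifies the particular Parameter, and has a hierarchical structure similar to files in a directory, with each level separated by a “.” (dot). The value of a Parameter may be one of several defined data types (see [13]).

Parameter name: organized as a tree-like hierarchy whose levels are separated by dots. The trunk is the object to be configured and the leaves are the individual configuration parameters. Every configuration parameter has an attribute stating whether it can be read or written.

For example: ace

Parameter type: SOAP-based data types.

Parameters have two states, read-only and write-only, and they are extensible.

TR069 is a protocol that runs over TCP/IP and sends SOAP messages over HTTP or HTTPS to remotely call RPC methods on the CPE or the ACS, in order to retrieve configuration and service information, monitor status, diagnose faults, and so on.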

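7. The TR069 rules in detail: both the CPE and the ACS can initiate a session, and a session initiated by the ACS is asynchronous.

A. Establishing a connection

CPE-initiated connection: the CPE must open a connection to the ACS address and call the ACS's Inform method whenever any one of the following conditions is met.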

• The first time the CPE establishes a connection to the access network on initial installation

• On power-up or reset

• Once every PeriodicInformInterval (for example, every 24-hours)

• When so instructed by the optional ScheduleInform method

• Whenever the CPE receives a valid Connection Request from an ACS (see section 3.2.2)

• Whenever the URL of the ACS changes

• Whenever a parameter is modified that is required to initiate an Inform on change.

• Whenever the value of a parameter that the ACS has marked for “active notification” via the SetParameterAttributes method is modified by an external cause (a cause other than the ACS itself).

• Whenever an unsuccessfully terminated session is retried according to the session retry policy specified in section 3.2.1.1.

…….

ACS-initiated connection: the following conditions must be met

• The Connection Request MUST use an HTTP 1.1 GET to a specific URL designated by the CPE. The URL value is available as read-only Parameter on the CPE. The path of this URL value SHOULD be randomly generated by the CPE so that it is unique per CPE.

• The Connection Request MUST make use of HTTP, not HTTPS. The associated URL MUST be an

HTTP URL.

• No data is conveyed in the Connection Request HTTP GET. Any data that might be contained

SHOULD be ignored by the CPE.

• The CPE MUST use digest-authentication to authenticate the ACS before proceeding—the CPE

MUST NOT initiate a connection to the ACS due to an unsuccessfully authenticated request.

• The CPE MUST accept Connection Requests from any source that has the correct authentication

parameters for the target CPE.

• The CPE’s response to a successfully authenticated Connection Request MUST use either a “200 (OK)” or a “204 (No Content)” HTTP status code. The CPE MUST send this response immediately upon successful authentication, prior to it initiating the resulting session. The length of the message body in the HTTP response MUST be zero.

• The CPE SHOULD restrict the number of Connection Requests it accepts during a given period of

time in order to further reduce the possibility of a denial of service attack. If the CPE chooses to reject

a Connection Request for this reason, the CPE MUST respond to that Connection Request with an

HTTP 503 status code (Service Unavailable). In this case, the CPE SHOULD NOT include the HTTP

Retry-After header in the response.

• If the CPE successfully authenticates and responds to a Connection Request as described above, and

if it is not already in a session, then it MUST, within 30 seconds of sending the response, attempt to

establish a session with the pre-determined ACS address (see section 3.1) in which it includes the

“6 CONNECTION REQUEST” EventCode in the Inform.

Note – in practice there might be exceptional circumstances that would cause a CPE to fail to

meet this requirement on rare occasions.

• If the ACS receives a successful response to a Connection Request but after at least 30 seconds the

CPE has not successfully established a session that includes the “6 CONNECTION REQUEST”

EventCode in the Inform, the ACS MAY retry the Connection Request to that CPE.

• If, once the CPE successfully authenticates and responds to a Connection Request, but before it

establishes a session to the ACS, it receives one or more successfully authenticated Connection

Requests, the CPE MUST return a successful response for each of those Connection Requests, but

MUST NOT initiate any additional sessions as a result of these additional Connection Requests,

regardless of how many it receives during this time.

• If the CPE is already in a session with the ACS when it receives one or more Connection Requests, it

MUST NOT terminate that session prematurely as a result. The CPE MUST instead take one of the

following alternative actions:

• Reject each Connection Request by responding with an HTTP 503 status code (Service

Unavailable). In this case, the CPE SHOULD NOT include the HTTP Retry-After header in the

response.

• Following the completion of the session, initiate exactly one new session (regardless of how many Connection Requests had been received during the previous session) in which it includes the “6 CONNECTION REQUEST” EventCode in the Inform. In this case, the CPE MUST initiate the session immediately after the existing session is complete and all changes from that session have been applied.

[CPE WAN Management Protocol v1.1 TR-069 Issue 1 Amendment 2]

This requirement holds for Connection Requests received any time during the interval that the CPE

considers itself in a session, including the period in which the CPE is in the process of establishing the

session.

• The CPE MUST NOT reject a properly authenticated Connection Request for any reason other than

those described above. If the CPE rejects a Connection Request for any of the reasons described

above, it MUST NOT initiate a session with the ACS as a result of that Connection Request.

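An ACS-initiated connection also depends on the CPE having already established a session with the ACS at some earlier point, because only then does the ACS know the CPE's connection URL.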
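The Connection Request rules above amount to a small state machine on the CPE: answer 401 without contacting the ACS when authentication fails, throttle with 503, and start at most one session however many requests arrive. The following is an added sketch, not code from TR-069 or from any CPE vendor; the class name, the budget of accepted requests per window and the `authenticated` flag (the outcome of the digest check) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ConnectionRequestGate:
    max_accepted: int = 5                 # assumption: accepted requests per window
    window_s: float = 60.0                # assumption: window length in seconds
    queue_while_in_session: bool = False  # False: answer 503 while in a session
    in_session: bool = False
    session_pending: bool = False         # answered 200, session not yet established
    queued: bool = False                  # one new session owed after the current one
    accepted_at: list = field(default_factory=list)

    def handle(self, authenticated, now):
        """Return (http_status, start_session) for one HTTP GET Connection Request."""
        if not authenticated:
            return 401, False             # digest challenge; never contact the ACS
        self.accepted_at = [t for t in self.accepted_at if now - t < self.window_s]
        if len(self.accepted_at) >= self.max_accepted:
            return 503, False             # throttled: no Retry-After, no session
        if self.in_session and not self.queue_while_in_session:
            return 503, False             # first alternative: reject while in a session
        self.accepted_at.append(now)
        if self.in_session:
            self.queued = True            # exactly one follow-up session, however many arrive
            return 200, False
        if self.session_pending:
            return 200, False             # success response, but no additional session
        self.session_pending = True
        return 200, True                  # caller sends Inform with "6 CONNECTION REQUEST"

    def session_started(self):
        self.in_session, self.session_pending = True, False

    def session_finished(self):
        """Return True when a queued Connection Request now needs its one session."""
        self.in_session = False
        start, self.queued = self.queued, False
        self.session_pending = start
        return start


def demo():
    # Constructed sequence of (authenticated, time in seconds) events.
    gate = ConnectionRequestGate(max_accepted=3)
    out = [gate.handle(False, 0), gate.handle(True, 1), gate.handle(True, 2)]
    gate.session_started()
    out.append(gate.handle(True, 3))
    gate.session_finished()
    out += [gate.handle(True, 4), gate.handle(True, 5)]
    return out
```

Only authenticated requests count against the budget here, so unauthenticated traffic cannot use up the ACS's allowance; a device that also wants to bound the cost of failed digest checks needs a separate limit for those.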

B. Encoding SOAP Over HTTP

• A SOAP request from an ACS to a CPE is sent over an HTTP response, while the CPE’s SOAP

response to an ACS request is sent over a subsequent HTTP POST.

• When there is a SOAP response in an HTTP Request, or when there is a SOAP Fault response in

an HTTP Request, the SOAPAction header in the HTTP Request MUST have no value (with no

quotes), indicating that this header provides no information as to the intent of the message. That

is, it MUST appear as follows:

SOAPAction:

• When an HTTP Request or Response contains a SOAP Envelope, the HTTP Content-Type header

MUST have a type/subtype of “text/xml”.

• An empty HTTP POST MUST NOT contain a SOAPAction header.

• An empty HTTP POST MUST NOT contain a Content-Type header.

• An HTTP response that contains any CPE WAN Management Protocol payload (a SOAP request

to the CPE, a successful SOAP response to the CPE, or a SOAP fault response containing a Fault

element defined in section 3.5) MUST use the HTTP status code 200 (OK).

Below is an example HTTP Response from an ACS containing a SOAP Request:

HTTP/1.1 200 OK

Content-Type: text/xml; charset="utf-8"

Content-Length: xyz

xmlns:soap="/soap/envelope/"

xmlns:cwmp="urn:dslforum-org:cwmp-1-0">

value

Note – in the above example, the XML namespace prefixes used are only examples. The actual

namespace prefix values are arbitrary, and are used only to refer to a namespace declaration.

Note – in the above example, the CWMP namespace identifier “urn:dslforum-org:cwmp-1-0” is

only an example and is not necessarily the version that is defined by this specification.

C. Transaction Sessions

For a sequence of transactions forming a single session, a CPE SHOULD maintain a TCP connection

that persists throughout the duration of the session. However, if the TCP connection is cleanly closed

after an HTTP request/response round trip, and if the session has not otherwise terminated (either

successfully or unsuccessfully) at the time of the last HTTP response, the CPE MUST continue the

session by sending the next HTTP request in a new TCP connection.

After receiving an authentication challenge, the CPE MUST send the next HTTP request (including the "Authorization" HTTP header) in the same TCP connection unless the ACS specifically requested, via a "Connection: close" HTTP header, that the TCP connection be closed. In the latter case, the CPE MUST honor the ACS request, close the TCP connection, and send the next HTTP request (including the "Authorization" HTTP header) in a new TCP connection.

If the CPE for any reason fails to establish a TCP connection, fails to send an HTTP message, or fails

to receive an HTTP response, the CPE MUST consider the session unsuccessfully terminated. The CPE

MUST wait a minimum of 30 seconds before declaring a failure to establish a TCP connection, or

failure to receive an HTTP response.

The ACS SHOULD make use of a session cookie to maintain session state as described in [7]. The

ACS MAY make use of old-style “Netscape” cookies as well as, or instead of, the new-style cookies of

[7]. The ACS SHOULD use only cookies marked for Discard, and SHOULD NOT assume that a CPE

will maintain a cookie beyond the duration of the session.

To ensure that an ACS can make use of a session cookie, a CPE MUST support the use of cookies as

defined in [7] including the return of the cookie value in each subsequent HTTP POST, with the

exception that a CPE need not support storage of cookies beyond the duration of a session. In particular,

because the ACS might send old-style, new-style, or a mixture of old-style and new-style cookies, the

CPE MUST support the compatibility requirements of section 9.1 of [7]. The CPE MUST support the

use of multiple cookies by the ACS, and MUST make available at least 512 bytes for storage of

cookies.

When a transaction session is completed successfully or terminated unsuccessfully, a CPE MUST close

the associated TCP connection to the ACS and discard all cookies marked for Discard.

A CPE MUST support the use of HTTP redirection by the ACS. The CPE and ACS requirements

associated with the use of HTTP redirection are as follows:

All transaction sessions MUST begin with an Inform message from the CPE contained in the initial

HTTP POST. This serves to initiate the set of transactions and communicate the limitations of the CPE

with regard to message encoding. An Inform message MUST NOT occur more than once during a

session

The session ceases when both the ACS and CPE have no more requests to send and no responses

remain due from either the ACS or the CPE. At such time, the CPE MUST close the connection.

No more than one transaction session between a CPE and its associated ACS can exist at a time.

D. Authentication

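1. If the CPE has not been authenticated through SSL/TLS, the ACS must authenticate the CPE using HTTP, and it must use digest authentication. If the CPE has been authenticated through SSL/TLS, either basic or digest authentication may be used.

2. The CPE must support both basic authentication and digest authentication.

3. After receiving a challenge, the CPE must send the authentication header, and must also send it with every later request.

4. The userid used for HTTP authentication must be in one of the following two formats:

"-" "-"

"-"

5. The userid is made up of digits and letters; anything else must be escaped using URI percent encoding as defined in RFC 3986. That is, the following forms are valid:

012345-

012345-STB-

012345-Set%2DTop%2DBox-

6. The password of each CPE should be unique. It is a shared secret that both the ACS and the CPE should know.

7.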

This section outlines requirements for use of digest authentication within the CPE WAN

Management Protocol.

The CPE and the ACS MUST support the RFC 2617 “qop” option containing the value “auth”.

According to RFC 2617, this means that the HTTP client MUST use a new style digest mechanism

when this option is provided to it by the HTTP server.

When using digest authentication, for each new TCP connection opened, the ACS SHOULD use a new

nonce value and the CPE SHOULD use a new cnonce value.

The CPE and the ACS MUST support the MD5 digest algorithm. The CPE MUST additionally support

the MD5-sess digest algorithm.
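The digest requirements above (qop "auth", MD5 and MD5-sess, a fresh nonce per TCP connection) look as follows on the side that checks the Authorization header. This is an added example, not code from TR-069 or from any ACS or CPE product; the function names and the `live_nonces` bookkeeping are assumptions, and the sample header uses the published example values from RFC 2617 section 3.5 rather than anything from this page.

```python
import hashlib
import hmac
from urllib.request import parse_http_list, parse_keqv_list


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, algorithm="MD5"):
    """RFC 2617 request-digest for qop=auth with MD5 or MD5-sess."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    if algorithm.upper() == "MD5-SESS":
        ha1 = _md5(f"{ha1}:{nonce}:{cnonce}")
    elif algorithm.upper() != "MD5":
        raise ValueError("unsupported digest algorithm")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_authorization(header, method, request_uri, realm, password, live_nonces):
    """Check an Authorization header on the side that issued the challenge.

    live_nonces maps every nonce issued on the current TCP connection to the
    highest nonce-count already accepted for it (0 when freshly issued).
    """
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return False
    try:
        f = parse_keqv_list(parse_http_list(params))
        needed = ("username", "realm", "nonce", "uri", "response", "nc", "cnonce")
        if any(k not in f for k in needed) or f.get("qop") != "auth":
            return False
        nc = int(f["nc"], 16)
        expected = digest_response(f["username"], realm, password, method,
                                   f["uri"], f["nonce"], f["nc"], f["cnonce"],
                                   f.get("algorithm", "MD5"))
    except (ValueError, IndexError):
        return False                      # malformed header or unknown algorithm
    if f["realm"] != realm or f["uri"] != request_uri:
        return False
    if f["nonce"] not in live_nonces or nc <= live_nonces[f["nonce"]]:
        return False                      # nonce not issued here, or a replayed count
    if not hmac.compare_digest(expected.encode(), f["response"].lower().encode()):
        return False                      # constant-time comparison of the digests
    live_nonces[f["nonce"]] = nc
    return True


# Sample header built from the example values in RFC 2617 section 3.5
# (password "Circle Of Life"); not taken from this page.
RFC2617_SAMPLE = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"'
)
```

Dropping a connection's entries from `live_nonces` when its TCP connection closes gives the one-nonce-per-connection behaviour the text recommends.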

E. Use of SOAP

The following describes the mapping of RPC methods to SOAP encoding:

• The encoding MUST use the standard SOAP 1.1 envelope and serialization namespaces:

• Envelope namespace identifier "/soap/envelope/"

• Serialization namespace identifier "/soap/encoding/"

• All elements and attributes defined as part of this version of the CPE WAN Management Protocol

are associated with the following namespace identifier:

• “urn:dslforum-org:cwmp-1-1”

• The namespace identifier for CPE WAN Management Protocol version 1.n is always “urn:dslforum-org:cwmp:1-n”, e.g. for v1.0 it was “urn:dslforum-org:cwmp:1-0” and for v1.42 it will be “urn:dslforum-org:cwmp:1-42”.

• The data types used in Annex A correspond directly to the data types defined in the SOAP 1.1

serialization namespace. (In general, the types used in Annex A are restricted subsets of the

corresponding SOAP types.)

• For an array argument, the argument name specified in the table in which the array is defined MUST

be used as the name of the overall array element. The name of the member elements of an array

MUST be the data type of the array as specified in the table in which the array is defined (excluding

the brackets and any length limitation given in parentheses), and MUST NOT be namespace qualified.

For example, an argument named ParameterList, which is an array of ParameterValueStruct structures,

would be encoded as:

As a second example, the MethodList array in the GetRPCMethodsResponse would be encoded as:

• The RPC methods defined use the standard SOAP naming convention whereby the response

message corresponding to a given method is named by adding the “Response” suffix to the name of the

method.

• A SOAP Envelope MUST contain exactly one Body element.

• A CPE MUST be able to accept a SOAP request with a total envelope size of at least 32 kilobytes

(32768 bytes) without resulting in a “Resources Exceeded” response.

• A CPE MUST be able to generate a SOAP response of any required length without resulting in a

“Resources Exceeded” response, i.e. there is no maximum CPE SOAP response length.

• An ACS MUST be able to accept a SOAP request with a total envelope size of at least 32 kilobytes

(32768 bytes) without resulting in a “Resources Exceeded” response.

• An ACS MUST be able to generate a SOAP response of any required length without resulting in a

“Resources Exceeded” response, i.e. there is no maximum ACS SOAP response length.

• A fault response MUST make use of the SOAP Fault element using the following conventions:

Below is an example envelope containing a fault response:

Below is an example envelope containing a fault response for a SetParameterValues method call:

A fault response MUST only be sent in response to a SOAP request. A fault response MUST NOT be

sent in response to a SOAP response or another fault response.

If a fault response does not follow all of the above requirements, the SOAP message MUST be deemed

invalid by the recipient. The consequences of invalid SOAP on the CPE WAN Management Protocol

session are described in section 3.7.

• When processing a received envelope, both ACS and CPE MAY ignore: (a) any unknown XML elements and their sub elements or content, (b) any unknown XML attributes and their values, (c) any embedded XML comments, and (d) any XML processing instructions. Alternatively the ACS and CPE MAY explicitly validate the received XML and reject an envelope that includes unknown elements. Note that this precludes extending existing messages by including additional arguments without changing the name of the message.

• If an RPC method requires references to XML Schema namespaces (for example for the “type”

attribute, or for references to XML Schema data types), these references MUST be to the 2001

versions of these namespace definitions, specifically, /2001/XMLSchema-instance

and /2001/XMLSchema. The recipient

The CPE WAN Management Protocol defines a series of SOAP Header elements as specified in Table

4.

F. CPE Operation

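i. Session Initiation: the CPE opens the connection as described above. Once authentication has succeeded, the CPE sends an Inform request to the ACS, and the CPE considers the session established only after the ACS has replied with an InformResponse.

ii. Incoming Requests: during a normal session, if the CPE receives a request from the ACS, the CPE must answer that request in the next HTTP POST it sends to the ACS.

iii. Outgoing Requests: if the CPE still has one or more requests to send to the ACS, it may send the next request only when all of the following conditions are met: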

• The most recently received HTTP response from the ACS did not contain a SOAP

request.

• The ACS has indicated that HoldRequests is false (see section 3.5). This condition is met

if and only if the most recently received HTTP response from the ACS contained one of the

following:

o A SOAP envelope with the HoldRequests header set to a value of false.

o A SOAP envelope with no HoldRequests header.

o No SOAP envelope (an empty HTTP response).

• At any prior time during the current session, the CPE has not sent an empty HTTP POST

at a time that the ACS had indicated that HoldRequests is false (as described above).

While in a session, if any of the above conditions are not met or if the CPE has no requests to

send to the ACS, and if the most recent HTTP response from the ACS did not contain a SOAP

request, the CPE MUST send an empty HTTP POST.

Once the CPE has sent an empty HTTP POST when the most recent HoldRequests was false (see

section 3.5), the CPE MUST NOT send any further requests for the remainder of the session. In

this case, if the CPE has additional requests to send to the ACS, the CPE MUST wait until a

subsequent session to send these requests.

iv. Session Termination: the session may be terminated only when all of the following conditions are met:

1) The ACS has no further requests to send the CPE. The CPE concludes this if and only if the most

recent HTTP response from the ACS was empty.

2) The CPE has no further requests to send to the ACS and the CPE has issued an empty HTTP

POST to the ACS while HoldRequests is false (which indicates to the ACS that the CPE has no

further requests for the remainder of the session). As defined in Table 6, if this condition has not

been met but the CPE has no further requests or responses, it MUST send an empty HTTP POST,

which will then fulfill this condition.

3) The CPE has received all outstanding response messages from the ACS.

4) The CPE has sent all outstanding response messages to the ACS resulting from prior requests.

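There are also abnormal situations in which the session has to be closed, such as a timeout, receipt of invalid SOAP, or a fault code other than 8005 returned when the CPE sends the Inform in an HTTP POST. When the session is terminated in one of these unexpected situations, the CPE must re-establish the session according to the retry rules.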
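The Incoming Requests, Outgoing Requests and Session Termination rules above decide, after every HTTP response from the ACS, what the CPE's next HTTP POST has to be. The following is an added sketch of that decision, not code from TR-069 or from any TR069 Agent; the class names, the action labels and the sample trace are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AcsResponse:
    kind: str                             # "empty", "soap_request" or "soap_response"
    hold_requests: Optional[bool] = None  # HoldRequests header; None = header absent


@dataclass
class CpeSession:
    pending_requests: int = 0             # CPE requests still waiting to be sent
    final_empty_post_sent: bool = False   # empty POST sent while HoldRequests was false

    def next_action(self, resp):
        """Return the CPE's next step after one HTTP response from the ACS."""
        if resp.kind == "soap_request":
            return "POST_SOAP_RESPONSE"   # must be answered in the next HTTP POST
        # HoldRequests is false for: header false, header absent, or no envelope.
        held = resp.kind != "empty" and resp.hold_requests is True
        if resp.kind == "empty" and self.final_empty_post_sent:
            return "CLOSE"                # both sides have nothing left to send
        if self.pending_requests and not held and not self.final_empty_post_sent:
            self.pending_requests -= 1
            return "POST_SOAP_REQUEST"
        if not held:
            self.final_empty_post_sent = True   # no more CPE requests this session
        return "EMPTY_POST"


def run_trace(responses, pending_requests=0):
    """Feed the ACS responses that follow the Inform POST; return the CPE's actions."""
    session = CpeSession(pending_requests)
    return [session.next_action(r) for r in responses]


# Constructed trace: the ACS holds CPE requests while it sends one request of
# its own, then releases the CPE with an empty response.
SAMPLE_TRACE = [
    AcsResponse("soap_response", hold_requests=True),   # InformResponse
    AcsResponse("soap_request", hold_requests=True),    # request from the ACS
    AcsResponse("empty"),                               # ACS has no more requests
    AcsResponse("soap_response"),                       # answer to the CPE's request
    AcsResponse("empty"),
]
```

With one pending CPE request, `run_trace(SAMPLE_TRACE, 1)` shows the request being held back until the empty response arrives; a request that only appears after the final empty POST stays queued for the next session.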

G. Events

The CPE MUST attempt to deliver every event at least once.

If the CPE is not currently in a session with the ACS, it MUST attempt to deliver events immediately;

otherwise, it MUST attempt to deliver them after the current session terminates.

The CPE MUST receive confirmation from the ACS for it to consider an event successfully delivered.

For most events, delivery is confirmed when the CPE receives a successful InformResponse. Four standard event types (KICKED, TRANSFER COMPLETE, AUTONOMOUS TRANSFER COMPLETE, REQUEST DOWNLOAD) indicate that one or more methods (Kicked [section A.4.2.1], TransferComplete [section A.3.3.2], AutonomousTransferComplete [section A.3.3.3], RequestDownload [section A.4.2.2] respectively) will be called later in the session, and it is the successful response to these methods that indicates event delivery.

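Once the CPE has successfully delivered an event, it must not send that event again. At the same time, the ACS has to be prepared to receive the same event more than once, because the CPE may retry when it does not receive the response. One or more events can be submitted at a time.

For the individual events, see the English version of TR069.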

H. ACS Operation

i. Session Initiation

Upon receiving the initial Inform request from the CPE, if the ACS wishes to allow the initiation

of the session, it MUST respond with an Inform response.

If the ACS receives an initial Inform request from the CPE in which the namespace identifier

indicates that the CPE supports only v1.0 of the CPE WAN Management Protocol, the ACS

MUST revert to v1.0 for the entire session.

ii. Incoming Requests

While in a session (after the session was successfully initiated, but before the session termination criteria described in 3.7.2.4 have been met), on reception of a SOAP request from the CPE, the ACS MUST respond to that request in the next HTTP response sent to the CPE.

If the ACS wishes to prevent the CPE sending requests during some portion of the session, it MAY do so by setting the HoldRequests header to true in each envelope transmitted to the CPE until the ACS again wishes to allow requests from the CPE. The ACS MUST allow CPE requests before completion of a session (this MAY be done either explicitly via the HoldRequests header or implicitly by sending an empty HTTP response).

iii. Outgoing Requests

iv. Session Termination

The ACS considers the session terminated only when all of the following conditions are met:

1) The CPE has no further requests to send the ACS. The ACS concludes this if and only if it has

received an empty HTTP POST from the CPE while HoldRequests is false.

2) The ACS has no further requests to send the CPE and the most recent HTTP response the ACS

sent to the CPE was empty (which indicates to the CPE that the ACS has no further requests).

3) The ACS has sent all outstanding response messages to the CPE resulting from prior requests.

4) The ACS has received all outstanding response messages from the CPE.

If all of the above criteria have been met before the ACS has sent its final HTTP response, the final

HTTP response from the ACS MUST be empty.

I. Transaction Examples

In the example shown in Figure 4, the ACS first initiates a file download, and the CPE sends a

TransferComplete later in the same session. Note that this scenario could occur only if the file

download is very short and the CPE is capable of performing it in parallel with the ongoing CPE WAN

Management Protocol session (which a CPE is not required to do). To allow this possibility, the ACS

sets HoldRequests equal to true until it has completed sending requests to the CPE.

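Points to note:

1. Whenever the ACS sends an empty HTTP response, it must use the HTTP status code "204 (No Content)".

2. Whenever the CPE sends an empty HTTP request, the length of the HTTP message body must be 0.

3. A correctly authenticated Connection Request is answered with the status code "200 (OK)" or "204 (No Content)", and the length of the message body in the HTTP response must be 0.

4. If the ACS has received a successful response to a Connection Request, but within 30 s the CPE still has not managed to connect to the ACS address contained in the "6 CONNECTION REQUEST" EventCode in the Inform, the ACS may send the Connection Request to the CPE again.

5. If an HTTP request or response message contains a SOAP envelope, the HTTP Content-Type header must contain the type/subtype "text/xml".

6. An empty HTTP POST must not contain a SOAPAction header or a Content-Type header.

7. Session transactions: a session must begin with an Inform request sent by the CPE, and the Inform request must not appear more than once in a session, except for an HTTP 401 authentication challenge.

8. A session ends when there are neither requests left to send nor responses still to be received.

9. At any one time the CPE is allowed to interact with only one ACS.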
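The HTTP-level rules from section B and from the points above (Content-Type, SOAPAction, status codes, empty messages, exactly one Body) can be checked mechanically on captured or incoming messages. The following is an added example, not code from TR-069 or from any ACS or CPE product; the function names and direction labels are assumptions, the envelope namespace is the standard SOAP 1.1 one, and rejecting DTDs follows SOAP 1.1, which forbids a Document Type Declaration in a message.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # standard SOAP 1.1 namespace


def soap_kind(body):
    """Return None for an empty body, else 'request', 'response' or 'fault'."""
    if not body.strip():
        return None
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD present")   # refuse before parsing: no entity expansion
    root = ET.fromstring(body)
    bodies = root.findall(f"{{{SOAP_ENV}}}Body")
    if root.tag != f"{{{SOAP_ENV}}}Envelope" or len(bodies) != 1 or len(bodies[0]) == 0:
        raise ValueError("need one Envelope with exactly one non-empty Body")
    name = bodies[0][0].tag.rsplit("}", 1)[-1]
    if name == "Fault":
        return "fault"
    return "response" if name.endswith("Response") else "request"


def check_message(direction, headers, body, status=None):
    """direction is 'cpe_post' or 'acs_response'; return a list of rule violations."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        kind = soap_kind(body)
    except (ValueError, ET.ParseError) as exc:
        return [f"invalid SOAP: {exc}"]
    problems = []
    if kind is None:
        if direction == "cpe_post":
            problems += [f"empty POST carries {n}"
                         for n in ("soapaction", "content-type") if n in h]
        elif status != 204:
            problems.append("empty ACS response must use 204")
        return problems
    if h.get("content-type", "").split(";")[0].strip().lower() != "text/xml":
        problems.append("Content-Type must be text/xml")
    if direction == "acs_response" and status != 200:
        problems.append("response carrying a CWMP payload must use 200")
    if direction == "cpe_post" and kind in ("response", "fault") \
            and h.get("soapaction") != "":
        problems.append("SOAPAction must be present with no value")
    return problems


def envelope(method):
    # Constructed sample envelope; the CWMP namespace is the one used in the
    # page's own HTTP example.
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}" '
            f'xmlns:cwmp="urn:dslforum-org:cwmp-1-0">'
            f'<soap:Body><cwmp:{method}/></soap:Body></soap:Envelope>').encode()
```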