| Term 
 
        | What is the purpose of XMPP implementation within TR-069 device management? |  | Definition 
 | 
        |  | 
        
        | Term 
 
        | Does XMPP require that both the managed gateway and the gateway through which the managed device is connected be TR069 capable? |  | Definition 
 
        | No. It's enough if the managed device supports TR069. |  | 
        |  | 
        
        | Term 
 
        | What are the prerequisites for the XMPP Connection Request Equivalent (CNRE)? |  | Definition 
 
        | The CPE must be able to establish a secure and authenticated connection to the XMPP server. The CPE must be able to maintain the connection to the XMPP server, through which the XMPP server can send unsolicited messages from an ACS-defined set of allowed addresses. |  | 
        |  | 
        
        | Term 
 
        | Describe the procedures to issue a CNRE via XMPP. |  | Definition 
 
        | 1. The ACS establishes a connection to the XMPP server.
 2. Upon device initialization, the CPE's XMPP.Connection object is modified, either via SPV or AddObject, optionally specifying the list of allowed Jabber IDs. This can be skipped if the XMPP settings are already available (baked into the FW).
 3. The CPE establishes a connection to the XMPP server.
 4. To send a CNRE, the ACS sends an XMPP IQ Stanza to the XMPP server, using a "to" address corresponding to the CPE's address and a "from" address equal to one of the allowed Jabber IDs.
 5. The XMPP server sends the IQ Stanza to the requested device.
 6. The CPE sends a 6 Connection Request Inform.
 |  | 
        |  | 
        
        | Term 
 
        | What are the data model-related requirements on the CPE side and where are they specified? |  | Definition 
 
        | XMPPBasic:1 and XMPPConnReq:1 profiles as defined in tr-157-1-8.xml. |  | 
        |  | 
        
        | Term 
 
        | What procedures must be adhered to by the CPE to follow XMPP standards? |  | Definition 
 
        | The CPE must:
 - Determine the XMPP server's public IP address.
 - Open an XML Stream to the XMPP Server and accept an XML Stream from the Server. As these streams are unidirectional, it is recommended that they be realized as two streams within one TCP connection.
 - Use TLS to establish a secure connection with the XMPP Server.
 - Use SASL to authenticate with the XMPP Server.
 - Ensure that the value of the ManagementServer.ConnReqJabberID Parameter contains the same value as the contents of the JabberID Parameter contained within the XMPP.Connection instance referenced by the ConnReqXMPPConnection Parameter.
 - Maintain the TCP connection to the XMPP Server by using the so-called "whitespace keepalive".
 - Listen for XMPP Messages and act on them when they arrive.
 - If the connection to the XMPP Server is ever lost, reestablish it according to RFC 6120.
 |  | 
        |  | 
        
        | Term 
 
        | What should the CPE do whenever the ManagementServer.ConnReqXMPPConnection Parameter references an enabled instance of the XMPP.Connection table? |  | Definition 
 
        | Establish the XMPP Connection Request connection BEFORE establishing the CWMP session in which the 1 BOOT or 13 WAKEUP messages would be delivered. If the ConnReqJabberID has changed, this allows the CPE to deliver the 4 Value Change message accordingly. |  | 
        |  | 
        
        | Term 
 
        | Explain XMPP Channel Authentication. |  | Definition 
 
        | When the ManagementServer.ConnReqXMPPConnection Parameter references an enabled instance of the XMPP.Connection table, a CPE following the requirements of this Annex MUST authenticate with the XMPP Server after establishing an XMPP connection. The XMPP connection is authenticated using the Simple Authentication and Security Layer (SASL) protocol as defined in Section 6/RFC 6120 [40]. The Username and Password parameters of the XMPP.Connection object are used as the credentials for the SASL authentication procedure. |  | 
        |  | 
        
        | Term 
 
        | Briefly explain XMPP Connection Request Equivalent (CNRE). |  | Definition 
 
        | The CPE must listen for XMPP messages coming from a list of allowed Jabber IDs. It must also keep listening for "standard" HTTP-based CNRs. Incoming XMPP CNREs must be both authenticated AND validated.
 The validation criteria are:
 - The CNRE must be delivered via an XML Stream over a TLS connection and authenticated via SASL.
 - The XML must be well-formed.
 - The "from" address must match one of the entries in the list-based ManagementServer.ConnReqAllowedJabberIDs parameter.
 - The value of the "username" within the connectionrequest object must match ManagementServer.ConnectionRequestUsername.
 The authentication criterion is:
 - The "password" field of the connectionrequest object must be identical to ManagementServer.ConnectionRequestPassword.
 
 After the CNRE is successfully accepted, validated, authenticated and responded to, the CPE must connect to the ACS.
 |  | 
        |  | 
        
        | Term 
 
        | How must a CPE respond to a CNRE if it decides to reject it as a measure against DoS attack? |  | Definition 
 | 
        |  | 
        
        | Term 
 
        | How must a CPE act if it already is in a session with ACS and it receives (at least) one additional CNRE? |  | Definition 
 
        | The CPE must NOT break the session. It can either return a 503 to the additional request, or follow up with another session sending a 6 Connection Request Inform message. If the incoming CNRE is for an endpoint currently not in session with the ACS, the CPE may establish a parallel session in addition to the existing one. |  | 
        |  | 
        
        | Term 
 
        | What if the CNRE cannot be validated or authenticated? |  | Definition 
 
        | The CPE must return an XMPP IQ Stanza of type "error" and must ignore the CNRE. |  | 
        |  | 
        
        | Term 
 
        | What are the ACS requirements for XMPP implementation? |  | Definition 
 
        | The ability to modify/set XMPP-related parameters on the device. The ability to open and accept XML streams to and from the XMPP Server. The use of TLS and SASL for secure communication with the XMPP Server. And the capability to send CNREs to CPEs via XMPP. |  | 
        |  | 
        
        | Term 
 
        | What standards must the ACS adhere to when initiating CNRE's via XMPP Server? |  | Definition 
 
        | The CNRE must be:
 - secured via TLS and authenticated;
 - delivered by the XMPP IQ Stanza;
 - well-formed XML;
 - containing a valid "from" address (i.e. one within the allowed Jabber IDs);
 - containing a matching CNR Username and Password.
 |  | 
        |  | 
        
        | Term 
 
        | What is the correct response to a successful CNRE? |  | Definition 
 
        | An empty IQ Stanza of type "result". |  | 
        |  | 
        
        | Term 
 | Definition 
 
        | The first line of a CNRE IQ Stanza from an XMPP Server. |  | 
        |  | 
        
        | Term 
 
        | Besides the CPE being actually unavailable, what are other reasons for the service-unavailable error child being returned? |  | Definition 
 
        | The CPE rejects the CNRE because it is already in a session with the ACS, as a means of DoS prevention. Or it doesn't support the "urn:broadband-forum-org:cwmp:xmppConnReq-1-0" namespace. |  | 
        |  | 
        
        | Term 
 
        | What type of message is returned if the CNRE is not authenticated? |  | Definition 
 | 
        |  | 
        
        | Term 
 
        | To adhere to the recommended security settings, which measures should and must be adopted? |  | Definition 
 
        | TLS is made "mandatory-to-negotiate" for both client-server and server-server communications. Also, the list of allowed Jabber IDs is configured on the CPEs. |  | 
        |  |