Shared Flashcard Set

Details

TR069 - XMPP implementation
Basic to advanced questions regarding XMPP implementation within TR069 protocol
19
Computer Science
Undergraduate 1
03/15/2021

Cards

Term
What is the purpose of XMPP implementation within TR-069 device management?
Definition
To traverse NAT.
Term
Does XMPP require that both the managed gateway and the gateway through which the managed device is connected be TR069 capable?
Definition
No. It's enough if the managed device supports TR069.
Term
What are the prerequisites for the XMPP Connection Request Equivalent (CNRE)?
Definition
The CPE must be able to perform a secure and authenticated connection to the XMPP server. The CPE must be able to maintain the connection to the XMPP server, through which the XMPP server can send unsolicited messages from an ACS-defined set of allowed addresses.
Term
Describe the procedures to issue a CNRE via XMPP.
Definition
1. ACS establishes connection to the XMPP server
2. Upon device initialization, either via SPV or AddObject, the CPE's XMPP.Connection object is modified, optionally specifying the list of allowed Jabber ID's. This can be skipped if XMPP settings are already available (baked into the FW).
3. The CPE establishes a connection to the XMPP server.
4. To send a CNRE, the ACS sends an XMPP IQ Stanza to the XMPP server, using a "to" address corresponding to the CPE's address and a "from" address equivalent to one of the allowed Jabber ID's.
5. The XMPP server sends the IQ Stanza to the requested device.
6. The CPE sends in a 6 Connection Request Inform.
Term
What are the data model-related requirements on the CPE side and where are they specified?
Definition
XMPPBasic:1 and XMPPConnReq:1 profiles as defined in tr-157-1-8.xml.
Term
What procedures must be adhered to by the CPE to follow XMPP standards?
Definition
The CPE must:
- Determine the XMPP server's public IP address
- Open an XML Stream to the XMPP Server and accept an XML Stream from the Server. As these streams are unidirectional, it is recommended that they be realized as two streams within one TCP connection.
- Use TLS to establish a secure connection with the XMPP Server.
- Use SASL to authenticate with the XMPP Server.
- Ensure that the value of the ManagementServer.ConnReqJabberID Parameter contains the same value as the contents of the JabberID Parameter contained within the XMPP.Connection instance referenced by the ConnReqXMPPConnection Parameter.
- Maintain the TCP connection to the XMPP Server by keeping the so-called "whitespace keepalive".
- Listen for XMPP Messages and act on them when they arrive:)
- If the connection to the XMPP Server is ever lost, reestablish it according to RFC 6120.
Term
What should the CPE do whenever the ManagementServer.ConnReqXMPPConnection Parameter references an enabled instance of the XMPP.Connection table?
Definition
Establish the XMPP Connection Request connection BEFORE establishing the CWMP session where 1 BOOT or 13 WAKEUP messages would be delivered. If the ConnReqJabberID is changed, this will allow the CPE to deliver the 4 Value Change message accordingly.
Term
Explain XMPP Channel Authentication.
Definition
When the ManagementServer.ConnReqXMPPConnection Parameter references an enabled instance of the XMPP.Connection table, CPE following the requirements of this Annex MUST authenticate with the XMPP Server after establishing an XMPP connection. The XMPP connection is authenticated using the Simple Authentication and Security Layer (SASL) protocol as defined in Section 6/RFC 6120 [40]. The Username and Password parameters of the XMPP.Connection object are used as the credentials for the SASL authentication procedure.
Term
Briefly explain XMPP Connection Request Equivalent (CNRE).
Definition
The CPE must listen for XMPP messages coming from a list of allowed Jabber ID's. It must also keep listening to "standard" HTTP-based CNR's.
The incoming XMPP CNRE's must be both authenticated AND validated.
Following are the validation criteria:
- The CNRE must be delivered via an XML Stream over a TLS connection and authenticated via SASL.
- XML must be well-formed.
- The "from" address must match one from the list-based ManagementServer.ConnReqAllowedJabberIDs parameter.
- The value of the "username" within the connectionrequest object must match the ManagementServer.ConnectionRequestUsername.
The authentication criterion is the following:
- The "password" field of the connectionrequest object must be identical to ManagementServer.ConnectionRequestPassword.

After the CNRE is successfully accepted, validated, authenticated and responded to, the CPE must connect to the ACS.
Term
How must a CPE respond to a CNRE if it decides to reject it as a measure against DoS attack?
Definition
503 Service Unavailable
Term
How must a CPE act if it already is in a session with ACS and it receives (at least) one additional CNRE?
Definition
The CPE must NOT break the session. It can either return a 503 to the additional request, or follow up with another session sending a 6 Connection Request Inform message. If the incoming CNRE is for an endpoint currently not in session with ACS, the CPE may establish a parallel session in addition to the existing one.
Term
What if the CNRE cannot be validated or authenticated?
Definition
The CPE must return an XMPP IQ Stanza with type "error" and must ignore the CNRE.
Term
What are the ACS requirements for XMPP implementation?
Definition
The ability to modify/set XMPP related params on device. The ability to open and accept XML streams to and from the XMPP Server. Use TLS and SASL for secure communication with the XMPP Server. And the capability to send CNRE to CPE's via XMPP.;-)
Term
What standards must the ACS adhere to when initiating CNRE's via XMPP Server?
Definition
The CNRE must be:
- secured via TLS and authenticated;
- delivered by the XMPP IQ Stanza;
- well-formed XML;
- containing a valid "from" address (i.e. is within the allowed Jabber ID's)
- containing a matching CNR Username and Password
Term
What is the correct response to a successful CNRE?
Definition
An empty IQ Stanza of type "result".
Term
What is this?
Definition
The first line of a CNRE IQ Stanza from an XMPP Server.
Term
Besides the CPE being actually unavailable, what are other reasons for the service-unavailable error child being returned?
Definition
The CPE shuts down the CNRE because it is already in a session with ACS as a means of DoS prevention. Or it doesn't support the “urn:broadband-forum-org:cwmp:xmppConnReq-1-0”.
Term
What type of message is returned if the CNRE is not authenticated?
Definition
username password
Term
To adhere to the recommended security settings, which measures should and must be adopted?
Definition
TLS is made "mandatory-to-negotiate" for both client-server and server-server communications. Also, the list of allowed JabberID's is configured on the CPE's.