What is TR-069?
The CPE WAN Management Protocol (CWMP), published by the Broadband Forum as TR-069, specifies a standard communication mechanism for the remote management of end-user devices. It defines a protocol for the secure auto-configuration of a TR-069 device and incorporates other management functions into a common framework. This protocol simplifies device management by specifying the use of an auto configuration server (ACS) to perform remote, centralized management of customer premises equipment (CPE).
Who created TR-069 and why?
In 2004, The Broadband Forum (formerly The DSL Forum) released the CPE WAN Management Protocol, which is more commonly known as TR-069. This protocol standardizes the wide area network (WAN) management of CWMP devices. TR-069 gives broadband service providers a framework and common language to remotely provision and manage these devices, which are usually in a home network, regardless of device type or manufacturer.
TR-069 supports a variety of functionalities to manage CPEs and has the following primary capabilities:
- Auto-configuration and dynamic service provisioning
- Software/firmware management
- Status and performance monitoring
TR-069 is a specific technical report from Broadband Forum; however, the term is commonly used to refer to associated reports and extensions, including TR-106, TR-098, TR-104, TR-135, TR-140, and TR-111. See the Broadband Forum for the most up-to-date information.
How does TR-069 work?
TR-069 is a SOAP/HTTP-based protocol. Commands are sent between the device (CPE) and an auto configuration server over HTTP or HTTPS in the form of remote procedure calls (RPCs) and responses, with SOAP acting as the encoding syntax to transport RPCs. The CPE acts as the HTTP client and the ACS acts as the HTTP server.
The basic network elements required include:
- An auto configuration server (ACS): The management server on the network.
- Customer premises equipment (CPE): The device that is managed on the network
- DNS server: Used to resolve the URL that is required for the ACS and CPE to interact
- DHCP server: Can be used to assign an IP address to a device on the network. Well-known DHCP options can configure important parameters on the CPE, such as the ACS URL.
By specifying a variety of criteria, including provisioning parameters and vendor-specific information, an auto configuration server provisions a CPE or collection of CPEs.
What is a remote procedure call (RPC)?
A remote procedure call (RPC) is an operation between an ACS and the CPE. It is used for bidirectional communication between CPE and an ACS. Some common RPCs include:
- GetParameterValues: The ACS uses this RPC to get the value of one or more parameters of a CPE
- SetParameterValues: The ACS sets the value of one or more parameters of a CPE
- Inform: A CPE sends this message to an ACS to initiate a session and to periodically send local information
- Download: When the ACS requires a CPE to download a specified file to upgrade hardware and download a configuration file
- Upload: When the ACS requires a CPE to upload a specified file to a specified location
- Reboot: An ACS reboots a CPE remotely when the CPE encounters a failure or needs a software upgrade
- AddObject: Allows the ACS to create instances of objects available on the CPE, for example, port mapping entries. The ACS also creates the associated parameters and sub-objects.
- DeleteObject: Enables the ACS to delete existing instances of objects available on the CPE. It also deletes the associated parameters and sub-objects.
How are tasks completed in a TR-069 environment?
In a TR-069 environment, tasks are completed through sessions. Each session consists of a series of remote procedure calls (RPC) between an ACS and the CPE. TR-069 uses HTTP or HTTPS and SOAP messaging, which allows messages to pass through firewalls and NAT gateways. TR-069 defines a generic mechanism by which an ACS can read or write parameters to configure a CPE and monitor CPE status and statistics.
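The opening exchange of a session, shown as an added example (not code from the Broadband Forum or any ACS product): the ACS side parses a CPE's Inform and answers with an InformResponse that echoes the message ID. The sample envelope and its device values are constructed, the function names are hypothetical, and the CWMP 1.0 namespace is assumed.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP = "urn:dslforum-org:cwmp-1-0"  # assumed: CWMP 1.0 namespace
NS = {"soap": SOAP, "cwmp": CWMP}

# Constructed sample Inform; every device value below is made up.
SAMPLE_INFORM = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:cwmp="{CWMP}">
 <soap:Header><cwmp:ID soap:mustUnderstand="1">1001</cwmp:ID></soap:Header>
 <soap:Body><cwmp:Inform>
  <DeviceId><Manufacturer>ExampleCo</Manufacturer><OUI>001122</OUI>
   <ProductClass>Gateway</ProductClass><SerialNumber>SN0001</SerialNumber></DeviceId>
  <Event><EventStruct><EventCode>2 PERIODIC</EventCode><CommandKey/></EventStruct></Event>
  <ParameterList><ParameterValueStruct>
   <Name>InternetGatewayDevice.ManagementServer.URL</Name>
   <Value>https://acs.example.net/cwmp</Value>
  </ParameterValueStruct></ParameterList>
 </cwmp:Inform></soap:Body></soap:Envelope>"""

def parse_inform(xml_text):
    """Return message ID, device identity, event codes and parameters."""
    # The ACS parses XML sent by devices it does not control: refuse DTDs
    # so entity-expansion payloads never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    inform = root.find("soap:Body/cwmp:Inform", NS)
    if inform is None:
        raise ValueError("SOAP body does not carry an Inform RPC")
    fields = ("Manufacturer", "OUI", "ProductClass", "SerialNumber")
    return {
        "id": root.findtext("soap:Header/cwmp:ID", default="", namespaces=NS),
        "device": {f: inform.findtext(f"DeviceId/{f}", default="") for f in fields},
        "events": [e.text for e in inform.iterfind("Event/EventStruct/EventCode")],
        "params": {p.findtext("Name"): p.findtext("Value")
                   for p in inform.iterfind("ParameterList/ParameterValueStruct")},
    }

def build_inform_response(msg_id, max_envelopes=1):
    """ACS reply: same cwmp:ID as the request, InformResponse in the body."""
    ET.register_namespace("soap", SOAP)
    ET.register_namespace("cwmp", CWMP)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    id_el = ET.SubElement(header, f"{{{CWMP}}}ID", {f"{{{SOAP}}}mustUnderstand": "1"})
    id_el.text = msg_id
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    resp = ET.SubElement(body, f"{{{CWMP}}}InformResponse")
    ET.SubElement(resp, "MaxEnvelopes").text = str(max_envelopes)
    return ET.tostring(env, encoding="unicode")
```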
Is TR-069 widely used?
Yes. A 2012 report from analyst firm Ovum found that more than 147 million CPE devices are managed using TR-069 worldwide — and that number is growing. Wireline providers, particularly DSL operators, were the first to adopt TR-069 on a wide scale but the protocol has since gained popularity in other broadband areas, including the cable industry.
Who uses TR-069?
Broadband service providers use TR-069 to manage end-user devices and reduce operational costs. Although originally favored by DSL providers, TR-069 has moved well past the wireline access world. TR-069 and related standards have been deployed on Ethernet, WiMAX, GPON, FTTH, and more recently, cable networks. The release of DOCSIS 3.0 and the development of powerful residential gateways is encouraging cable providers to adopt TR-069 as home networks become too complicated for subscribers to configure and manage on their own.
What devices use TR-069?
TR-069 offers management capabilities for a wide range of devices including wireline and cable residential gateways, fiber optical network terminals, IPTV set-top boxes, network attached storage, HomePlug adapters, IP phones, and more. More recently, the cable industry has seen the emergence of multimedia residential gateways that utilize traditional DOCSIS provisioning along with TR-069 to manage value-added features such as gateway configuration, VoIP, WiFi, and IPTV set-top box services.
What is an auto configuration server and why is it necessary?
TR-069 specifies communication between customer-premises equipment (CPE) and an auto configuration server. The auto configuration server acts as a management server for TR-069-enabled CPE. It is essentially the link between the subscriber’s devices in the home and the service provider’s customer service representative (CSR), support staff, operational support systems and business support systems (OSS/BSS). An auto configuration server enables you to automate provisioning and many management tasks for TR-069 devices, facilitating remote management.
Why should I use TR-069?
There are many benefits associated with using TR-069 to provision and manage end-user devices. TR-069 and its extensions allow you to:
- Enable remote provisioning of CPE
- Better manage broadband networks with increased visibility and control of CPE
- Collect data for analytics on network usage and activity, home network characteristics, and service utilization
- Deliver new managed data services such as WiFi, content filtering and other parental controls, online backup, and home surveillance
- Offer subscribers a degree of self-service through web portals
- Expand service offerings and manage the connected home
- Improve your customer service with improved diagnostics, monitoring, and firmware management
- Reduce support calls and remove the burden of CPE configuration from subscribers and roll-out services with an automated process
Can I use TR-069 with DOCSIS or other protocols?
Yes. There are many scenarios where TR-069 may be deployed in conjunction with another management protocol, such as DOCSIS. For example, a cable operator may use DOCSIS to bring a device onto the network and then use TR-069 for provisioning. The production of TR-069-enabled DOCSIS gateways has encouraged the cable industry to embrace TR-069 for CPE management.
TR-069 can extend beyond the residential gateway to provide carrier class management of other networking devices and services within the customer premises. This means that if a subscriber has a TR-069 device, such as a set-top box, that connects to the residential gateway, this can also be managed.
Is TR-069 secure?
Yes. The Broadband Forum designed the TR-069 security model to provide a high degree of security. The stated security goals of this protocol are below:
- Prevent tampering with the management functions of a CPE or ACS, or the transactions that take place between CPE and an ACS
- Provide confidentiality for the transactions that take place between CPE and ACS
- Allow appropriate authentication for each type of transaction
- Prevent theft of service
Secure Sockets Layer (SSL) or Transport Layer Security (TLS) should be used to encrypt traffic between CPE and an ACS. It is possible to use the protocol directly over an HTTP connection; however, some aspects of security will be sacrificed. When SSL/TLS is used, the CPE must authenticate the ACS using the ACS-provided certificate.
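A check of the CPE-side transport settings described above, as an added example (not code from the TR-069 specification or any CPE firmware): it places a client TLS configuration that skips ACS authentication beside one that enforces it, and reports what each gives up. The function names and the ACS URL are hypothetical.

```python
import ssl
from urllib.parse import urlsplit

def cpe_tls_context(ca_file=None):
    """Hardened client context: the ACS certificate chain and the host name
    in the ACS URL are both verified before any RPC is sent."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)

def weak_tls_context():
    """Weak setting shown for comparison: traffic is encrypted, but any
    server can present any certificate and be accepted as the ACS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_acs_transport(acs_url, ctx):
    """Return a list of findings for one CPE's ACS URL and TLS context."""
    if urlsplit(acs_url).scheme.lower() != "https":
        return ["plain HTTP: no confidentiality, ACS is not authenticated"]
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not required: ACS identity is unverified")
    if not ctx.check_hostname:
        findings.append("host name not checked against the ACS certificate")
    return findings

if __name__ == "__main__":
    url = "https://acs.example.net/cwmp"  # hypothetical ACS URL
    for name, ctx in (("hardened", cpe_tls_context()), ("weak", weak_tls_context())):
        print(name, audit_acs_transport(url, ctx) or "ok")
```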