Broadband Forum

    DATA MODEL DEFINITION


TR-069 Device:2.5 Root Object definition
tr-181-2-5-0.xml (changes)

License

Copyright (c) 2010-2017, Broadband Forum

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The above license is used as a license under copyright only. Please reference the Forum IPR Policy for patent licensing terms <https://www.broadband-forum.org/ipr-policy>.

Any moral rights which are necessary to exercise under the above license grant are also deemed granted under this license.

Summary

Device:2.5 data model: added IPsec data model and BulkDataCollection component

Data Types

The Parameters defined in this specification make use of a limited subset of the default SOAP data types [SOAP1.1]. These data types and the named data types used by this specification are described below.

Note: A Parameter that is defined to be one of the named data types is reported as such at the beginning of the Parameter's description via a reference back to the associated data type definition (e.g. [MacAddress]). However, such parameters still indicate their SOAP data type.

Data Type Base Type Description
Alias string(64)

A non-volatile handle used to reference this instance. Alias provides a mechanism for an ACS to label this instance for future reference.

If the CPE supports the Alias-based Addressing feature as defined in [Section 3.6.1/TR-069a4] and described in [Appendix II/TR-069a4], the following mandatory constraints MUST be enforced:

  • Its value MUST NOT be empty.
  • Its value MUST start with a letter.
  • If its value is not assigned by the ACS, it MUST start with a "cpe-" prefix.
  • The CPE MUST NOT change the parameter value.
IPAddress string(45)

IP address, i.e. IPv4 address (or IPv4 subnet mask) or IPv6 address.

All IPv4 addresses and subnet masks MUST be represented as strings in IPv4 dotted-decimal notation. Here are some examples of valid IPv4 address textual representations:

  • 216.52.29.100
  • 192.168.1.254

All IPv6 addresses MUST be represented using any of the 3 standard textual representations defined in [RFC4291] Sections 2.2.1, 2.2.2 and 2.2.3. Both lower-case and upper-case letters can be used, but use of lower-case letters is RECOMMENDED. Here are some examples of valid IPv6 address textual representations:

  • 1080:0:0:800:ba98:3210:11aa:12dd
  • 1080::800:ba98:3210:11aa:12dd
  • 0:0:0:0:0:0:13.1.68.3

IPv6 addresses MUST NOT include zone identifiers. Zone identifiers are discussed in [Section 6/RFC4007].

Unspecified or inapplicable addresses (or IPv4 subnet masks) MUST be represented as empty strings unless otherwise specified by the parameter definition.

IPv6Address IPAddress(45)

IPv6 address.

Can be any IPv6 address that is permitted by the IPAddress data type.

StatsCounter32 unsignedInt

A 32-bit statistics parameter, e.g. a byte counter.

This data type SHOULD NOT be used for statistics parameters whose values might become greater than the maximum value that can be represented as an unsignedInt (i.e. 0xffffffff, referred to below as maxval). StatsCounter64 SHOULD be used for such parameters.

The value maxval indicates that no data is available for this parameter. In the unlikely event that the actual value of the statistic is maxval, the CPE SHOULD return maxval - 1.

The actual value of the statistic might be greater than maxval. Such values SHOULD wrap around through zero.

The term packet is to be interpreted as the transmission unit appropriate to the protocol layer in question, e.g. an IP packet or an Ethernet frame.

StatsCounter64 unsignedLong

A 64-bit statistics parameter, e.g. a byte counter.

This data type SHOULD be used for all statistics parameters whose values might become greater than the maximum value that can be represented as an unsignedInt.

The maximum value that can be represented as an unsignedLong (i.e. 0xffffffffffffffff) indicates that no data is available for this parameter.

The term packet is to be interpreted as the transmission unit appropriate to the protocol layer in question, e.g. an IP packet or an Ethernet frame.

base64 -

Base64 encoded binary (no line-length limitation).

A minimum and maximum allowed length can be indicated using the form base64(Min:Max), where Min and Max are the minimum and maximum length in characters before Base64 encoding. If either Min or Max are missing, this indicates no limit, and if Min is missing the colon can also be omitted, as in base64(Max). Multiple comma-separated ranges can be specified, in which case the length MUST be in one of the ranges.

boolean - Boolean, where the allowed values are 0 or 1 (or equivalently, true or false).
dateTime - The subset of the ISO 8601 date-time format defined by the SOAP dateTime type.
hexBinary -

Hex encoded binary.

A minimum and maximum allowed length can be indicated using the form hexBinary(Min:Max), where Min and Max are the minimum and maximum length in characters before Hex Binary encoding. If either Min or Max are missing, this indicates no limit, and if Min is missing the colon can also be omitted, as in hexBinary(Max). Multiple comma-separated ranges can be specified, in which case the length MUST be in one of the ranges.

int -

Integer in the range -2147483648 to +2147483647, inclusive.

For some int types, a value range is given using the form int[Min:Max] or int[Min:Max step Step] where the Min and Max values are inclusive. If either Min or Max are missing, this indicates no limit. If Step is missing, this indicates a step of 1. Multiple comma-separated ranges can be specified, in which case the value will be in one of the ranges.

long -

Long integer in the range -9223372036854775808 to 9223372036854775807, inclusive.

For some long types, a value range is given using the form long[Min:Max] or long[Min:Max step Step], where the Min and Max values are inclusive. If either Min or Max are missing, this indicates no limit. If Step is missing, this indicates a step of 1. Multiple comma-separated ranges can be specified, in which case the value will be in one of the ranges.

object - A container for parameters and/or other objects. The full Path Name of a parameter is given by the parameter name appended to the full Path Name of the object it is contained within.
string - For strings, a minimum and maximum allowed length can be indicated using the form string(Min:Max), where Min and Max are the minimum and maximum string length in characters. If either Min or Max are missing, this indicates no limit, and if Min is missing the colon can also be omitted, as in string(Max). Multiple comma-separated ranges can be specified, in which case the string length will be in one of the ranges.
unsignedInt -

Unsigned integer in the range 0 to 4294967295, inclusive.

For some unsignedInt types, a value range is given using the form unsignedInt[Min:Max] or unsignedInt[Min:Max step Step], where the Min and Max values are inclusive. If either Min or Max are missing, this indicates no limit. If Step is missing, this indicates a step of 1. Multiple comma-separated ranges can be specified, in which case the value will be in one of the ranges.

unsignedLong -

Unsigned long integer in the range 0 to 18446744073709551615, inclusive.

For some unsignedLong types, a value range is given using the form unsignedLong[Min:Max] or unsignedLong[Min:Max step Step], where the Min and Max values are inclusive. If either Min or Max are missing, this indicates no limit. If Step is missing, this indicates a step of 1. Multiple comma-separated ranges can be specified, in which case the value will be in one of the ranges.
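
The range notation defined in this table can be enforced mechanically before a parameter value received from an ACS is accepted. The Python code below is an added example, not part of the Broadband Forum specification. It assumes that a bare number in square brackets means exactly that value (as unsignedInt[0, 60:] for InterimInterval implies), that Step is counted from Min (or from 0 when Min is absent), and the names parse_spec and check are hypothetical.

```python
import base64
import re

# Inclusive limits of the numeric base types, taken from the table above.
NUMERIC_LIMITS = {
    "int": (-2147483648, 2147483647),
    "long": (-9223372036854775808, 9223372036854775807),
    "unsignedInt": (0, 4294967295),
    "unsignedLong": (0, 18446744073709551615),
}
LENGTH_TYPES = {"string", "base64", "hexBinary"}

_SPEC = re.compile(r"^(\w+)(?:\[(.*)\]|\((.*)\))?$")
_RANGE = re.compile(r"^(-?\d+)?(?:(:)(-?\d+)?)?(?:\s+step\s+(\d+))?$")


def parse_spec(spec):
    """Turn 'unsignedInt[0, 60:]' into ('unsignedInt', [(0, 0, 1), (60, None, 1)])."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"unparseable type: {spec!r}")
    base, square, paren = m.groups()
    numeric = base in NUMERIC_LIMITS
    if not numeric and base not in LENGTH_TYPES:
        raise ValueError(f"unsupported base type: {base!r}")
    # Numeric types take [..] value ranges; string-like types take (..) length ranges.
    body, wrong = (square, paren) if numeric else (paren, square)
    if wrong is not None:
        raise ValueError(f"wrong bracket style for {base}: {spec!r}")
    ranges = []
    for part in (body.split(",") if body is not None else []):
        r = _RANGE.match(part.strip())
        if not part.strip() or not r:
            raise ValueError(f"bad range {part!r} in {spec!r}")
        lo, colon, hi, step = r.groups()
        if colon is None:
            # No colon: string(Max) is an upper bound; int[N] is taken as
            # exactly N (assumption, see the lead-in).
            lo, hi = (lo, lo) if numeric else (None, lo)
        ranges.append((None if lo is None else int(lo),
                       None if hi is None else int(hi),
                       int(step) if step else 1))
    return base, ranges


def check(spec, value):
    """Return True if value satisfies the base type and one of the listed ranges."""
    base, ranges = parse_spec(spec)
    if base in NUMERIC_LIMITS:
        lo0, hi0 = NUMERIC_LIMITS[base]
        if isinstance(value, bool) or not isinstance(value, int):
            return False
        if not lo0 <= value <= hi0:
            return False
        measure = value
    else:
        if not isinstance(value, str):
            return False
        try:
            # Limits for base64/hexBinary apply to the length before encoding.
            if base == "base64":
                measure = len(base64.b64decode(value, validate=True))
            elif base == "hexBinary":
                measure = len(bytes.fromhex(value))
            else:
                measure = len(value)
        except ValueError:
            return False
    if not ranges:
        return True
    for lo, hi, step in ranges:
        in_range = (lo is None or measure >= lo) and (hi is None or measure <= hi)
        on_step = step <= 1 or (measure - (lo or 0)) % step == 0
        if in_range and on_step:
            return True
    return False
```
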

References

[IKEv2-params] IKEv2 Parameters, Internet Key Exchange Version 2 (IKEv2) Parameters, IETF.
[RFC2865] RFC 2865, Remote Authentication Dial In User Service (RADIUS), IETF, 2000.
[RFC2866] RFC 2866, RADIUS Accounting, IETF, 2000.
[RFC2869] RFC 2869, RADIUS Extensions, IETF, 2000.
[RFC3948] RFC 3948, UDP Encapsulation of IPsec ESP Packets, IETF, January 2005.
[RFC4301] RFC 4301, Security Architecture for the Internet Protocol, IETF, December 2005.
[RFC4302] RFC 4302, IP Authentication Header, IETF, December 2005.
[RFC4303] RFC 4303, IP Encapsulating Security Payload (ESP), IETF, December 2005.
[RFC4835] RFC 4835, Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH), IETF, 2007.
[RFC5996] RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2), IETF, September 2010.
[SOAP1.1] Simple Object Access Protocol (SOAP) 1.1, W3C.
[TR-181i2a5] TR-181 Issue 2 Amendment 5, Device Data Model for TR-069, Broadband Forum, 2012.

Device:2.5 Data Model (changes)

For a given implementation of this data model, the Agent MUST indicate support for the highest version number of any object or parameter that it supports. For example, even if the Agent supports only a single parameter that was introduced in version 2.5, then it will indicate support for version 2.5. The version number associated with each object and parameter is shown in the Version column.

Name Type Write Description Object Default Version
Device. object - The top-level object for a Device. - 2.0
Device.WiFi. object - The WiFi object is based on the WiFi Alliance 802.11 specifications ([802.11-2007]). It defines interface objects (Radio and SSID), and application objects (AccessPoint and EndPoint). - 2.0
Device.WiFi.AccessPoint.{i}. object W

This object models an 802.11 connection from the perspective of a wireless access point. Each AccessPoint entry is associated with a particular SSID interface instance via the SSIDReference parameter.

For enabled table entries, if SSIDReference is not a valid reference then the table entry is inoperable and the CPE MUST set Status to Error_Misconfigured.

Note: The AccessPoint table includes a unique key parameter that is a strong reference. If a strongly referenced object is deleted, the CPE will set the referencing parameter to an empty string. However, doing so under these circumstances might cause the updated AccessPoint row to then violate the table's unique key constraint; if this occurs, the CPE MUST set Status to Error_Misconfigured and disable the offending AccessPoint row.

At most one entry in this table (regardless of whether or not it is enabled) can exist with a given value for Alias. On creation of a new table entry, the Agent MUST choose an initial value for Alias such that the new entry does not conflict with any existing entries.

At most one enabled entry in this table can exist with a given value for SSIDReference.

- 2.0
Device.WiFi.AccessPoint.{i}.Security. object - This object contains security related parameters that apply to a CPE acting as an Access Point [802.11-2007]. - 2.0
SecondaryRadiusServerIPAddr string(45) W

[IPAddress] The IP Address of a secondary RADIUS server used for WLAN security. SecondaryRadiusServerIPAddr is only applicable when ModeEnabled is an Enterprise type (i.e. WPA-Enterprise, WPA2-Enterprise or WPA-WPA2-Enterprise).

The client can forward requests to the secondary server in the event that the primary server is down or unreachable, or after a number of tries to the primary server fail, or in a round-robin fashion [RFC2865].

- 2.5
SecondaryRadiusServerPort unsignedInt W

The port number of the secondary RADIUS server used for WLAN security. SecondaryRadiusServerPort is only applicable when ModeEnabled is an Enterprise type (i.e. WPA-Enterprise, WPA2-Enterprise or WPA-WPA2-Enterprise).

If this parameter is not implemented, the secondary RADIUS server will use the same port number as the primary RADIUS server.

1812 2.5
SecondaryRadiusSecret string W

The secret used for handshaking with the secondary RADIUS server [RFC2865].

If this parameter is not implemented, the secondary RADIUS server will use the same secret as the primary RADIUS server.

When read, this parameter returns an empty string, regardless of the actual value.

- 2.5
Device.WiFi.AccessPoint.{i}.Accounting. object - This object contains the parameters related to RADIUS accounting functionality for the access point. - 2.5
Enable boolean W Enables or disables accounting functionality for the access point. - 2.5
ServerIPAddr string(45) W [IPAddress] The IP Address of the RADIUS accounting server. - 2.5
SecondaryServerIPAddr string(45) W

[IPAddress] The IP Address of a secondary RADIUS accounting server.

The client can forward requests to the secondary server in the event that the primary server is down or unreachable, or after a number of tries to the primary server fail, or in a round-robin fashion. [RFC2866]

- 2.5
ServerPort unsignedInt W The port number of the RADIUS server used for accounting. The default port is 1813 as defined in [RFC2866]. 1813 2.5
SecondaryServerPort unsignedInt W

The port number of the secondary RADIUS server used for accounting. The default port is 1813 as defined in [RFC2866].

If this parameter is not implemented, the secondary RADIUS server will use the same port number as the primary RADIUS server.

1813 2.5
Secret string W

The secret used for handshaking with the RADIUS accounting server [RFC2865].

When read, this parameter returns an empty string, regardless of the actual value.

- 2.5
SecondarySecret string W

The secret used for handshaking with the secondary RADIUS accounting server [RFC2865].

If this parameter is not implemented, the secondary RADIUS server will use the same secret as the primary RADIUS server.

When read, this parameter returns an empty string, regardless of the actual value.

- 2.5
InterimInterval unsignedInt[0, 60:] W

Specifies the default interim accounting interval in seconds, which is used for service accounting when the Acct-Interim-Interval attribute is not configured. [Section 2.1/RFC2869]

The value MUST NOT be smaller than 60. The value SHOULD NOT be smaller than 600, and careful consideration should be given to its impact on network traffic [Section 5.16/RFC2869].

A value of 0 means no interim accounting messages are sent.

0 2.5
Device.IPsec. object -

IPsec [RFC4301] object that supports the configuration of Encapsulating Security Payload (ESP) [RFC4303] and Authentication Header (AH) [RFC4302] in tunnel mode [Section 3.2/RFC4301].

Use of IKEv2 [RFC5996] is assumed. The IPsec object does not currently support static configuration of tunnels and child Security Associations (SAs).

See the IPsec Theory of Operation [Appendix IX/TR-181i2a5] for a description of the working of this IPsec data model.

- 2.5
Enable boolean W Enables or disables IPsec. - 2.5
Status string -

IPsec status. Enumeration of:

The Error value MAY be used by the CPE to indicate a locally defined error condition.

- 2.5
AHSupported boolean - Indicates whether or not Authentication Header (AH) [RFC4302] is supported. - 2.5
IKEv2SupportedEncryptionAlgorithms string -

Comma-separated list of strings. Supported IKEv2 encryption algorithms [Transform Type 1/IKEv2-params]. Each list item is an enumeration of:

Note that these are the names from the above reference, transformed as follows:

  • Leading ENCR_ (when present) discarded because they are all encryption algorithms so it's not needed.
  • Underscores changed to hyphens to preserve names used in existing data models (and because of inconsistent conventions).
  • Phrases collapsed where unambiguous, e.g. "with a(n) NN octet ICV" -> "-NN".

As additional algorithms are added to the above reference, this data model will be extended according to the above conventions.

- 2.5
ESPSupportedEncryptionAlgorithms string -

Comma-separated list of strings. Supported ESP encryption algorithms [Transform Type 1/IKEv2-params] [Section 3.1.1/RFC4835]. Each list item is an enumeration of:

Note that these are the names from the above reference, transformed as follows:

  • Leading ENCR_ (when present) discarded because they are all encryption algorithms so it's not needed.
  • Underscores changed to hyphens to preserve names used in existing data models (and because of inconsistent conventions).
  • Phrases collapsed where unambiguous, e.g. "with a(n) NN octet ICV" -> "-NN".
  • Some algorithms with apparently rather specialised application are omitted, e.g. ENCR_NULL_AUTH_AES_GMAC.

As additional algorithms are added to the above reference, this data model will be extended according to the above conventions.

- 2.5
IKEv2SupportedPseudoRandomFunctions string -

Comma-separated list of strings. Supported IKEv2 pseudo-random functions [Transform Type 2/IKEv2-params]. Each list item is an enumeration of:

Note that these are the names from the above reference, transformed as follows:

  • Leading PRF_ (when present) discarded because they are all pseudo-random functions so it's not needed.
  • Underscores changed to hyphens to preserve names used in existing data models.
  • Hyphen inserted after AES (or other acronym) when immediately followed by a key length.

As additional functions are added to the above reference, this data model will be extended according to the above conventions.

- 2.5
SupportedIntegrityAlgorithms string -

Comma-separated list of strings. Supported integrity algorithms [Transform Type 3/IKEv2-params]. Each list item is an enumeration of:

Note that these are the names from the above reference, transformed as follows:

  • Leading AUTH_ (when present) discarded because they are all authentication (integrity) algorithms so it's not needed.
  • Underscores changed to hyphens to preserve names used in existing data models.

As additional algorithms are added to the above reference, this data model will be extended according to the above conventions.

- 2.5
SupportedDiffieHellmanGroupTransforms string -

Comma-separated list of strings. Supported Diffie-Hellman group transforms [Transform Type 4/IKEv2-params]. Each list item is an enumeration of:

Note that these are the names from the above reference, transformed as follows:

  • Name (other than NONE) always starts with the type of group, currently MODP or ECP (implies ECP random).
  • This is followed by -NN, where NN is the group length in bits.
  • This is followed by -PRIME-NN for groups with prime order subgroups, where NN is the subgroup length in bits.

As additional algorithms are added to the above reference, this data model will be extended according to the above conventions.

- 2.5
MaxFilterEntries unsignedInt -

The maximum number of entries in the Filter table.

A value of 0 means no specific limit.

- 2.5
MaxProfileEntries unsignedInt -

The maximum number of entries in the Profile table.

A value of 0 means no specific limit.

- 2.5
FilterNumberOfEntries unsignedInt - The number of entries in the Filter table. - 2.5
ProfileNumberOfEntries unsignedInt - The number of entries in the Profile table. - 2.5
TunnelNumberOfEntries unsignedInt - The number of entries in the Tunnel table. - 2.5
IKEv2SANumberOfEntries unsignedInt - The number of entries in the IKEv2SA table. - 2.5
Device.IPsec.Stats. object -

Global IPsec statistics. These statistics include all IPsec traffic, i.e. all IKEv2 negotiation, IKEv2 SAs and child SAs.

The CPE MUST reset global IPsec Stats parameters (unless otherwise stated in individual object or parameter descriptions) either when IPsec is disabled (IPsec.Enable is set to false) or when IPsec is enabled (IPsec.Enable is set to true).

- 2.5
NegotiationFailures unsignedInt - [StatsCounter32] The total number of times an IPsec negotiation failure has occurred. - 2.5
BytesSent unsignedLong - [StatsCounter64] The total number of bytes sent by IPsec. - 2.5
BytesReceived unsignedLong - [StatsCounter64] The total number of bytes received by IPsec. - 2.5
PacketsSent unsignedInt - [StatsCounter32] The total number of packets sent by IPsec. - 2.5
PacketsReceived unsignedInt - [StatsCounter32] The total number of packets received by IPsec. - 2.5
ErrorsSent unsignedInt - [StatsCounter32] The total number of packets discarded by IPsec due to any error. This can include packets dropped due to a lack of transmit buffers. - 2.5
UnknownSPIErrors unsignedInt - [StatsCounter32] The total number of packets discarded by IPsec due to an unknown SPI (Security Parameter Index). - 2.5
DecryptionErrors unsignedInt - [StatsCounter32] The total number of packets discarded by IPsec due to ESP decryption errors. - 2.5
IntegrityErrors unsignedInt - [StatsCounter32] The total number of packets discarded by IPsec due to integrity errors. - 2.5
ReplayErrors unsignedInt - [StatsCounter32] The total number of packets discarded by IPsec due to replay errors. - 2.5
PolicyErrors unsignedInt - [StatsCounter32] The total number of packets discarded by IPsec due to policy errors. - 2.5
OtherReceiveErrors unsignedInt - [StatsCounter32] The total number of packets discarded by IPsec due to errors other than unknown SPI, decryption, integrity, replay or policy errors. This can include packets dropped due to a lack of receive buffers. - 2.5
Device.IPsec.Filter.{i}. object W

Filter table that represents the IPsec Security Policy Database (SPD) [Section 4.4.1/RFC4301] selection criteria. Each (ordered) entry defines a set of selection criteria and references a Profile table entry that specifies how matching packets will be processed.

SPD filtering is performed for all packets that might need to cross the IPsec boundary [Section 3.1/RFC4301]. Given that IPsec operates at the IP level, this means that SPD filtering conceptually occurs after bridging and before routing.

For enabled table entries, if Interface is not a valid reference and AllInterfaces is false, then the table entry is inoperable and the CPE MUST set Status to Error_Misconfigured.

At most one entry in this table (regardless of whether or not it is enabled) can exist with a given value for Alias. On creation of a new table entry, the Agent MUST choose an initial value for Alias such that the new entry does not conflict with any existing entries.

- 2.5
Enable boolean W Enables or disables this IPsec Filter table entry. false 2.5
Status string -

The status of this IPsec Filter table entry. Enumeration of:

The Error_Misconfigured value indicates that a necessary configuration value is undefined or invalid.

The Error value MAY be used by the CPE to indicate a locally defined error condition.

"Disabled" 2.5
Order unsignedInt[1:] W

Position of the Filter entry in the order of precedence. A value of 1 indicates the first entry considered (highest precedence). For each packet, the highest ordered entry that matches the filter criteria is applied. All lower order entries are ignored.

When this value is modified, if the value matches that of an existing entry, the Order value for the existing entry and all lower Order entries is incremented (lowered in precedence) to ensure uniqueness of this value. A deletion causes Order values to be compacted. When a value is changed, incrementing occurs before compaction.

The value of Order on creation of a Filter table entry MUST be one greater than the largest current value (initially assigned the lowest precedence).

- 2.5
Alias string(64) W

A non-volatile handle used to reference this instance. Alias provides a mechanism for an ACS to label this instance for future reference.

If the CPE supports the Alias-based Addressing feature as defined in [Section 3.6.1/TR-069a4] and described in [Appendix II/TR-069a4], the following mandatory constraints MUST be enforced:

  • Its value MUST NOT be empty.
  • Its value MUST start with a letter.
  • If its value is not assigned by the ACS, it MUST start with a "cpe-" prefix.
  • The CPE MUST NOT change the parameter value.
- 2.5
Interface string(256) W

SPD selection criterion. The value MUST be the Path Name of a table row. If the referenced object is deleted, the parameter value MUST be set to an empty string.

This specifies the ingress interface associated with the entry. It MAY be a layer 1, 2 or 3 interface. However, the types of interfaces for which filters can be instantiated is a local matter to the CPE.

<Empty> 2.5
AllInterfaces boolean W

SPD selection criterion.

This specifies that all ingress interfaces are associated with the entry. If true, the value of Interface is ignored since all ingress interfaces are indicated.

false 2.5
DestIP string(45) W

[IPAddress] SPD selection criterion.

Destination IP address. An empty string indicates this criterion is not used, i.e. is ANY.

<Empty> 2.5
DestMask string(45) W

[IPAddress] SPD selection criterion.

Destination IP address mask. If not an empty string, only the indicated network portion of the DestIP address is to be used for selection. An empty string indicates that the full DestIP address is to be used for selection.

<Empty> 2.5
DestIPExclude boolean W

If false, the rule matches only those packets that match the (masked) DestIP entry, if specified.

If true, the rule matches all packets except those that match the (masked) DestIP entry, if specified.

false 2.5
SourceIP string(45) W

[IPAddress] SPD selection criterion.

Source IP address. An empty string indicates this criterion is not used, i.e. is ANY.

<Empty> 2.5
SourceMask string(45) W

[IPAddress] SPD selection criterion.

Source IP address mask. If not an empty string, only the indicated network portion of the SourceIP address is to be used for selection. An empty string indicates that the full SourceIP address is to be used for selection.

<Empty> 2.5
SourceIPExclude boolean W

If false, the rule matches only those packets that match the (masked) SourceIP entry, if specified.

If true, the rule matches all packets except those that match the (masked) SourceIP entry, if specified.

false 2.5
Protocol int[-1:255] W

SPD selection criterion.

Protocol number. A value of -1 indicates this criterion is not used, i.e. is ANY.

Note that [RFC4301] refers to this as the Next Layer Protocol. It is obtained from the IPv4 Protocol or the IPv6 Next Header fields.

-1 2.5
ProtocolExclude boolean W

If false, the rule matches only those packets that match Protocol, if specified.

If true, the rule matches all packets except those that match Protocol, if specified.

false 2.5
DestPort int[-1:65535] W

SPD selection criterion.

Destination port number. A value of -1 indicates this criterion is not used, i.e. is ANY.

The value of this parameter is ignored for protocols that do not use ports, e.g. ICMP (1).

-1 2.5
DestPortRangeMax int[-1:65535] W

SPD selection criterion.

If specified, indicates a destination port address range from DestPort through DestPortRangeMax (inclusive), in which case DestPortRangeMax MUST be greater than or equal to DestPort.

A value of -1 indicates that no destination port range is specified.

-1 2.5
DestPortExclude boolean W

If false, the rule matches only those packets that match DestPort (or port range), if specified.

If true, the rule matches all packets except those that match DestPort (or port range), if specified.

false 2.5
SourcePort int[-1:65535] W

SPD selection criterion.

Source port number. A value of -1 indicates this criterion is not used, i.e. is ANY.

The value of this parameter is ignored for protocols that do not use ports, e.g. ICMP (1).

-1 2.5
SourcePortRangeMax int[-1:65535] W

SPD selection criterion.

If specified, indicates a source port address range from SourcePort through SourcePortRangeMax (inclusive), in which case SourcePortRangeMax MUST be greater than or equal to SourcePort.

A value of -1 indicates that no source port range is specified.

-1 2.5
SourcePortExclude boolean W

If false, the rule matches only those packets that match SourcePort (or port range), if specified.

If true, the rule matches all packets except those that match SourcePort (or port range), if specified.

false 2.5
ProcessingChoice string W

Indicates how packets that match this rule will be processed [Section 4.4.1/RFC4301]. Enumeration of:

  • Discard (Packet is not allowed to traverse the IPsec boundary; packet will be discarded)
  • Bypass (Packet is allowed to traverse the IPsec boundary without protection)
  • Protect (Packet is afforded protection as specified by Profile)
"Bypass" 2.5
Profile string W

The profile that defines the IPsec treatment for matching packets. The value MUST be the Path Name of a row in the Profile table. If the referenced object is deleted, the parameter value MUST be set to an empty string.

If ProcessingChoice is Protect, Profile MUST NOT be an empty string. In this case, if it ever becomes an empty string, e.g. because the referenced profile is deleted, this IPsec Filter table entry is invalid and Status MUST be set to Error_Misconfigured.

If ProcessingChoice is not Protect, Profile is ignored.

Any changes to the referenced profile will have an immediate effect on any established IPsec tunnels. Such changes will often force IKEv2 sessions and child SAs to be re-established.

- 2.5
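
The Filter table semantics above (Order precedence, ANY values, masks, Exclude flags, port ranges and the Error_Misconfigured conditions) can be exercised with the following Python code, which is an added example and not part of the Broadband Forum specification. It assumes that "Enabled" is the Status value of an operable entry, that entries in Error_Misconfigured are skipped during selection, and that None is returned when nothing matches; Packet and the function names are hypothetical, and the sample table is constructed.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Hypothetical packet summary; sport/dport are None for protocols without ports.
Packet = namedtuple("Packet", "iface src dst proto sport dport")


@dataclass
class Filter:  # field names and defaults follow the Device.IPsec.Filter.{i}. rows
    Order: int
    Enable: bool = False
    Interface: str = ""
    AllInterfaces: bool = False
    DestIP: str = ""
    DestMask: str = ""
    DestIPExclude: bool = False
    SourceIP: str = ""
    SourceMask: str = ""
    SourceIPExclude: bool = False
    Protocol: int = -1
    ProtocolExclude: bool = False
    DestPort: int = -1
    DestPortRangeMax: int = -1
    DestPortExclude: bool = False
    SourcePort: int = -1
    SourcePortRangeMax: int = -1
    SourcePortExclude: bool = False
    ProcessingChoice: str = "Bypass"
    Profile: str = ""


def status(f, interfaces):
    """Status of one row; "Enabled" is an assumed enumeration value."""
    if not f.Enable:
        return "Disabled"
    if not f.AllInterfaces and f.Interface not in interfaces:
        return "Error_Misconfigured"   # Interface is not a valid reference
    if f.ProcessingChoice == "Protect" and not f.Profile:
        return "Error_Misconfigured"   # Protect without a Profile
    return "Enabled"


def _ip(addr, want, mask, exclude):
    if not want:                       # empty string: criterion is ANY
        return True
    a, w = ipaddress.ip_address(addr), ipaddress.ip_address(want)
    if a.version != w.version:
        hit = False
    elif mask:                         # compare only the network portion
        m = int(ipaddress.ip_address(mask))
        hit = (int(a) & m) == (int(w) & m)
    else:
        hit = a == w
    return hit != exclude


def _port(port, lo, hi, exclude):
    if lo == -1 or port is None:       # ANY, or the protocol has no ports
        return True
    return (lo <= port <= (lo if hi == -1 else hi)) != exclude


def matches(f, p):
    return ((f.AllInterfaces or f.Interface == p.iface)
            and _ip(p.dst, f.DestIP, f.DestMask, f.DestIPExclude)
            and _ip(p.src, f.SourceIP, f.SourceMask, f.SourceIPExclude)
            and (f.Protocol == -1 or (f.Protocol == p.proto) != f.ProtocolExclude)
            and _port(p.dport, f.DestPort, f.DestPortRangeMax, f.DestPortExclude)
            and _port(p.sport, f.SourcePort, f.SourcePortRangeMax, f.SourcePortExclude))


def evaluate(filters, p, interfaces):
    """(ProcessingChoice, Profile) of the first operable match in Order, else None."""
    for f in sorted(filters, key=lambda f: f.Order):
        if status(f, interfaces) == "Enabled" and matches(f, p):
            return f.ProcessingChoice, f.Profile
    return None


# Constructed sample table (paths and addresses are illustrative).
LAN, PROFILE = "Device.IP.Interface.1", "Device.IPsec.Profile.1"
IFACES = {LAN, "Device.IP.Interface.2"}
FILTERS = [
    Filter(Order=4, Enable=True, AllInterfaces=True),            # catch-all Bypass
    Filter(Order=1, Enable=True, AllInterfaces=True, Protocol=6,
           DestPort=23, ProcessingChoice="Discard"),
    Filter(Order=2, Enable=True, Interface=LAN, DestIP="10.20.0.0",
           DestMask="255.255.0.0", ProcessingChoice="Protect", Profile=PROFILE),
    Filter(Order=3, Enable=True, AllInterfaces=True, DestIP="192.0.2.0",
           DestMask="255.255.255.0", ProcessingChoice="Protect"),  # Profile deleted
]
```

In the constructed table the Order 3 entry has lost its Profile, so traffic to 192.0.2.0/24 falls through to the catch-all Bypass entry. Checking Status for Error_Misconfigured after any profile deletion is what reveals this.
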
Device.IPsec.Profile.{i}. object W

Profile table that represents the IPsec Security Policy Database (SPD) [Section 4.4.1/RFC4301] processing info. Each entry defines the IPsec treatment for packets that match the Filter entries that reference the entry.

At most one entry in this table can exist with a given value for Alias. On creation of a new table entry, the Agent MUST choose an initial value for Alias such that the new entry does not conflict with any existing entries.

- 2.5
Alias string(64) W

A non-volatile handle used to reference this instance. Alias provides a mechanism for an ACS to label this instance for future reference.

If the CPE supports the Alias-based Addressing feature as defined in [Section 3.6.1/TR-069a4] and described in [Appendix II/TR-069a4], the following mandatory constraints MUST be enforced:

  • Its value MUST NOT be empty.
  • Its value MUST start with a letter.
  • If its value is not assigned by the ACS, it MUST start with a "cpe-" prefix.
  • The CPE MUST NOT change the parameter value.
- 2.5
MaxChildSAs unsignedInt W

Controls the maximum number of child Security Association (SA) pairs that can be negotiated by a single IKEv2 session.

If a new child SA pair is needed, but the current IKEv2 session already has MaxChildSAs child SA pairs, an additional IKEv2 session (and therefore an additional IPsec tunnel) will be established.

A value of 0 means no specific limit.

Note that support for more than one child SA pair per IKEv2 session is OPTIONAL [Section 1.3/RFC5996].

- 2.5
RemoteEndpoints string W Comma-separated list (up to 4 items) of strings (maximum item length 64). The host name or IP address of the remote IPsec tunnel endpoint. If more than one name/address is supplied, they will be tried in turn, i.e. they are in decreasing order of precedence. - 2.5
ForwardingPolicy unsignedInt W

Identifier of the forwarding policy associated with traffic that is associated with this profile.

The forwarding policy can be referenced by entries in the Routing.Router.{i}.IPv4Forwarding and Routing.Router.{i}.IPv6Forwarding tables, and therefore allows SPD selection criteria to influence the forwarding decision.

0 2.5
Protocol string W

The "child" security protocol.

This is not to be confused with Filter.Filter.{i}.Protocol, which is an SPD selector that can select packets that already have AH or ESP headers. Profile.Protocol selects whether AH or ESP will be used when encapsulating a packet. Enumeration of:

"ESP" 2.5
IKEv2AuthenticationMethod string W

IKEv2 CPE authentication method [Section 2.15/RFC5996]. The value MUST be the Path Name of an enabled row in the Security.Certificate table or in another table that contains appropriate CPE credentials. If the referenced object is deleted, the parameter value MUST be set to an empty string.

If an empty string, or the referenced row is disabled or deleted, the CPE chooses the authentication method based on local policy.

<Empty> 2.5
IKEv2AllowedEncryptionAlgorithms string W Comma-separated list of strings. Each list item MUST be a member of the list reported by the IPsec.IKEv2SupportedEncryptionAlgorithms parameter. Allowed IKEv2 encryption algorithms. - 2.5
ESPAllowedEncryptionAlgorithms string W Comma-separated list of strings. Each list item MUST be a member of the list reported by the IPsec.ESPSupportedEncryptionAlgorithms parameter. Allowed ESP encryption algorithms. - 2.5
IKEv2AllowedPseudoRandomFunctions string W Comma-separated list of strings. Each list item MUST be a member of the list reported by the IPsec.IKEv2SupportedPseudoRandomFunctions parameter. Allowed IKEv2 pseudo-random functions. - 2.5
IKEv2AllowedIntegrityAlgorithms string W Comma-separated list of strings. Each list item MUST be a member of the list reported by the IPsec.SupportedIntegrityAlgorithms parameter. Allowed IKEv2 integrity algorithms. - 2.5
AHAllowedIntegrityAlgorithms string W Comma-separated list of strings. Each list item MUST be a member of the list reported by the IPsec.SupportedIntegrityAlgorithms parameter. Allowed AH integrity algorithms [Transform Type 3/IKEv2-params] [Section 3.2/RFC4835]. <Empty> 2.5
ESPAllowedIntegrityAlgorithms string W Comma-separated list of strings. Each list item MUST be a member of the list reported by the IPsec.SupportedIntegrityAlgorithms parameter. Allowed ESP integrity algorithms [Transform Type 3/IKEv2-params] [Section 3.1.1/RFC4835]. <Empty> 2.5
IKEv2AllowedDiffieHellmanGroupTransforms string W Comma-separated list of strings. Each list item MUST be a member of the list reported by the IPsec.SupportedDiffieHellmanGroupTransforms parameter. Allowed IKEv2 Diffie-Hellman group transforms. - 2.5
IKEv2DeadPeerDetectionTimeout unsignedInt W IKEv2 Dead Peer Detection (DPD) timeout in seconds. [Section 2.4/RFC5996] - 2.5
IKEv2NATTKeepaliveTimeout unsignedInt W IKEv2 NAT traversal (NAT-T) keepalive timeout in seconds. [Section 4/RFC3948] - 2.5
AntiReplayWindowSize unsignedInt W

The size of the AH or ESP Anti-Replay Window. [Section B.2/RFC4302] [Section A2/RFC4303]

A value of 0 means that Sequence Number Verification is disabled.

0 2.5
DoNotFragment string W

Controls the value of the Do Not Fragment (DF) bit. [Section 8.1/RFC4301]

Enumeration of:

  • Set
  • Clear
  • Copy (Copy from inner header; applies only when both inner and outer headers are IPv4)
- 2.5
DSCPMarkPolicy int­[-2:63] W

DSCP with which to mark the outer IP header for traffic that is associated with this IPsec channel.

A value of -1 indicates copy from the incoming packet.

A value of -2 indicates automatic marking of DSCP.

De-tunneled packets are never re-marked.

Automatic DSCP marking behavior is a local matter to the CPE, possibly influenced by other Broadband Forum standards that it supports.

- 2.5
IKEv2SATrafficLimit unsignedLong W

IKEv2 SA lifetime in bytes, or zero if there is no traffic constraint on its expiration.

If both IKEv2SATrafficLimit and IKEv2SATimeLimit are non-zero, the IKEv2 SA is deleted when the first limit is reached.

- 2.5
IKEv2SATimeLimit unsignedInt W

IKEv2 SA lifetime in seconds, or zero if there is no time constraint on its expiration.

If both IKEv2SATimeLimit and IKEv2SATrafficLimit are non-zero, the IKEv2 SA is deleted when the first limit is reached.

- 2.5
IKEv2SAExpiryAction string W

Action to take when an IKEv2 SA expires, whether as a result of hitting a traffic limit or a time limit. Enumeration of:

- 2.5
ChildSATrafficLimit unsignedLong W

Child SA lifetime in bytes, or zero if there is no traffic constraint on its expiration.

If both ChildSATrafficLimit and ChildSATimeLimit are non-zero, the child SA is deleted when the first limit is reached.

- 2.5
ChildSATimeLimit unsignedInt W

Child SA lifetime in seconds, or zero if there is no time constraint on its expiration.

If both ChildSATimeLimit and ChildSATrafficLimit are non-zero, the child SA is deleted when the first limit is reached.

- 2.5
ChildSAExpiryAction string W

Action to take when a Child SA expires, whether as a result of hitting a traffic limit or a time limit. Enumeration of:

- 2.5
SentCPAttrNumberOfEntries unsignedInt - The number of entries in the SentCPAttr table. - 2.5
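
The constraints stated for the Profile parameters above (list sizes, membership of the Allowed lists in the corresponding Supported lists, value ranges, and the zero values that switch off replay checking or SA expiry) can be checked before an ACS writes a profile. The Python code below is an added example, not part of the Broadband Forum data model. The function names, finding severities, fallback values for missing keys and all sample values (including the algorithm names) are assumptions constructed for illustration.

```python
"""Audit one Device.IPsec.Profile.{i}. parameter set against the table's constraints."""

# Allowed-list parameter -> Device.IPsec capability list its items MUST be members of.
ALLOWED_TO_SUPPORTED = {
    "IKEv2AllowedEncryptionAlgorithms": "IKEv2SupportedEncryptionAlgorithms",
    "ESPAllowedEncryptionAlgorithms": "ESPSupportedEncryptionAlgorithms",
    "IKEv2AllowedPseudoRandomFunctions": "IKEv2SupportedPseudoRandomFunctions",
    "IKEv2AllowedIntegrityAlgorithms": "SupportedIntegrityAlgorithms",
    "AHAllowedIntegrityAlgorithms": "SupportedIntegrityAlgorithms",
    "ESPAllowedIntegrityAlgorithms": "SupportedIntegrityAlgorithms",
    "IKEv2AllowedDiffieHellmanGroupTransforms": "SupportedDiffieHellmanGroupTransforms",
}
DO_NOT_FRAGMENT = {"Set", "Clear", "Copy"}


def split_list(value):
    """Split a comma-separated list parameter; an empty string is an empty list."""
    return [item.strip() for item in value.split(",")] if value.strip() else []


def audit_profile(profile, capabilities):
    """Return a list of (severity, parameter, message) findings for one Profile."""
    findings = []

    # RemoteEndpoints: up to 4 items, maximum item length 64.
    endpoints = split_list(profile.get("RemoteEndpoints", ""))
    if len(endpoints) > 4:
        findings.append(("error", "RemoteEndpoints", "more than 4 items"))
    for item in endpoints:
        if not 1 <= len(item) <= 64:
            findings.append(("error", "RemoteEndpoints", f"item {item!r} is empty or longer than 64"))

    # Every Allowed item MUST be a member of the list the CPE reports as supported.
    for allowed, supported in ALLOWED_TO_SUPPORTED.items():
        offered = set(split_list(capabilities.get(supported, "")))
        for name in split_list(profile.get(allowed, "")):
            if name not in offered:
                findings.append(("error", allowed, f"{name} is not listed in IPsec.{supported}"))

    if profile.get("DoNotFragment") not in DO_NOT_FRAGMENT:
        findings.append(("error", "DoNotFragment", "not one of Set, Clear, Copy"))
    if not -2 <= int(profile.get("DSCPMarkPolicy", "-1")) <= 63:
        findings.append(("error", "DSCPMarkPolicy", "outside [-2:63]"))

    # A window size of 0 disables Sequence Number Verification.
    if int(profile.get("AntiReplayWindowSize", "0")) == 0:
        findings.append(("warn", "AntiReplayWindowSize", "Sequence Number Verification is disabled"))

    # Zero means "no constraint"; with both limits at zero the SA has no expiry limit at all.
    for sa in ("IKEv2SA", "ChildSA"):
        traffic = int(profile.get(f"{sa}TrafficLimit", "0"))
        seconds = int(profile.get(f"{sa}TimeLimit", "0"))
        if traffic == 0 and seconds == 0:
            findings.append(("warn", f"{sa}TimeLimit", "no traffic or time constraint on SA expiration"))

    if not profile.get("IKEv2AuthenticationMethod"):
        findings.append(("info", "IKEv2AuthenticationMethod", "empty: CPE chooses the method by local policy"))
    return findings


# Constructed sample data: what a CPE might report under Device.IPsec. and one Profile entry.
SAMPLE_CAPABILITIES = {
    "IKEv2SupportedEncryptionAlgorithms": "ENCR_AES_CBC,ENCR_AES_GCM_16",
    "ESPSupportedEncryptionAlgorithms": "ENCR_AES_CBC,ENCR_AES_GCM_16",
    "IKEv2SupportedPseudoRandomFunctions": "PRF_HMAC_SHA2_256",
    "SupportedIntegrityAlgorithms": "AUTH_HMAC_SHA2_256_128",
    "SupportedDiffieHellmanGroupTransforms": "MODP-2048",
}
SAMPLE_PROFILE = {
    "RemoteEndpoints": "sgw1.example.net,192.0.2.10",
    "Protocol": "ESP",
    "IKEv2AuthenticationMethod": "",
    "IKEv2AllowedEncryptionAlgorithms": "ENCR_AES_CBC,ENCR_3DES",
    "ESPAllowedEncryptionAlgorithms": "ENCR_AES_GCM_16",
    "IKEv2AllowedPseudoRandomFunctions": "PRF_HMAC_SHA2_256",
    "IKEv2AllowedIntegrityAlgorithms": "AUTH_HMAC_SHA2_256_128",
    "AHAllowedIntegrityAlgorithms": "",
    "ESPAllowedIntegrityAlgorithms": "",
    "IKEv2AllowedDiffieHellmanGroupTransforms": "MODP-2048",
    "AntiReplayWindowSize": "0",
    "DoNotFragment": "Copy",
    "DSCPMarkPolicy": "-1",
    "IKEv2SATrafficLimit": "0",
    "IKEv2SATimeLimit": "86400",
    "ChildSATrafficLimit": "0",
    "ChildSATimeLimit": "0",
}

if __name__ == "__main__":
    for severity, parameter, message in audit_profile(SAMPLE_PROFILE, SAMPLE_CAPABILITIES):
        print(f"{severity:5} {parameter}: {message}")
```
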
Device.IPsec.Profile.{i}.SentCPAttr.{i}. object W

Each instance of this object represents an IKEv2 Configuration Payload (CP) [Section 3.15/RFC5996] Attribute that MUST, if enabled, be sent in IKEv2 CP CFG_REQUEST messages. All such Attributes MUST be listed.

At most one entry in this table (regardless of whether or not it is enabled) can exist with a given value for Alias. On creation of a new table entry, the Agent MUST choose an initial value for Alias such that the new entry does not conflict with any existing entries.

At most one enabled entry in this table can exist with a given value for Type.

- 2.5
Enable boolean W Enables or disables this SentCPAttr entry. - 2.5
Alias string­(64) W

A non-volatile handle used to reference this instance. Alias provides a mechanism for an ACS to label this instance for future reference.

If the CPE supports the Alias-based Addressing feature as defined in [Section 3.6.1/TR-069a4] and described in [Appendix II/TR-069a4], the following mandatory constraints MUST be enforced:

  • Its value MUST NOT be empty.
  • Its value MUST start with a letter.
  • If its value is not assigned by the ACS, it MUST start with a "cpe-" prefix.
  • The CPE MUST NOT change the parameter value.
- 2.5
Type unsignedInt­[0:32767] W CP Attribute Type as described in [Section 3.15.1/RFC5996] and defined in [IKEv2 Configuration Payload Attribute Types/IKEv2-params]. - 2.5
Value hexBinary­(65535) W A hexbinary encoded CP Attribute Value as described in [Section 3.15.1/RFC5996] and defined in [IKEv2 Configuration Payload Attribute Types/IKEv2-params]. - 2.5
Device.IPsec.Tunnel.{i}. object -

Represents an IPsec tunnel, i.e. a virtual IP interface that models an IPsec tunnel entry point and exit point. A Tunnel instance always references (and has the same lifetime as) a (Tunnel,Tunneled) IP.Interface pair. The Tunnel instance models the IPsec-specific concepts, the Tunnel IP.Interface instance models the generic concepts, and the Tunneled IP.Interface instance exists only so it can be referenced by forwarding or filter rules.

Tunnel instances are automatically created (as needed) when Filter instances are enabled and disabled.

Each instance's Filters parameter references the Filter instances that require the Tunnel instance to exist. If this list ever becomes an empty string, e.g. because all the referenced Filter instances have been disabled or deleted, the CPE MAY choose not to delete the Tunnel instance (and its associated (Tunnel,Tunneled) IP.Interface pair). This can be desirable, because QoS.Classification, Routing.Router.{i}.IPv4Forwarding, Routing.Router.{i}.IPv6Forwarding etc instances might be referencing the IP.Interface instances.

At most one entry in this table can exist with a given value for Alias, or with the same values for TunnelInterface and TunneledInterface.

- 2.5
Alias string­(64) W

A non-volatile handle used to reference this instance. Alias provides a mechanism for an ACS to label this instance for future reference.

If the CPE supports the Alias-based Addressing feature as defined in [Section 3.6.1/TR-069a4] and described in [Appendix II/TR-069a4], the following mandatory constraints MUST be enforced:

  • Its value MUST NOT be empty.
  • Its value MUST start with a letter.
  • If its value is not assigned by the ACS, it MUST start with a "cpe-" prefix.
  • The CPE MUST NOT change the parameter value.
- 2.5
TunnelInterface string - The corresponding auto-created Tunnel IP.Interface instance. The value MUST be the Path Name of a row in the IP.Interface table. If the referenced object is deleted, this instance MUST also be deleted (so the parameter value will never be an empty string). - 2.5
TunneledInterface string - The corresponding auto-created Tunneled IP.Interface instance. The value MUST be the Path Name of a row in the IP.Interface table. If the referenced object is deleted, this instance MUST also be deleted (so the parameter value will never be an empty string). - 2.5
Filters string - Comma-separated list of strings. The Filter instances that require this Tunnel instance to exist. Each list item MUST be the Path Name of a row in the IPsec.Filter table. If the referenced object is deleted, the corresponding item MUST be removed from the list. - 2.5
Device.IPsec.Tunnel.{i}.Stats. object -

Statistics for this IPsec tunnel, i.e. all traffic that has passed through the tunnel, including IKEv2 negotiation, IKEv2 SA and ChildSA traffic.

The CPE MUST reset the tunnel's Stats parameters (unless otherwise stated in individual object or parameter descriptions) either when the tunnel becomes operationally down due to a previous administrative down (i.e. its associated IP.Interface.{i}.Status parameter transitions to a down state after the tunnel has been disabled) or when the tunnel becomes administratively up (i.e. its associated IP.Interface.{i}.Enable parameter transitions from false to true).

Note that this object does not include generic statistics that are available in the associated IP.Interface.{i}.Stats object.

- 2.5
DecryptionErrors unsignedInt - [StatsCounter32] The total number of inbound packets discarded due to ESP decryption errors. - 2.5
IntegrityErrors unsignedInt - [StatsCounter32] The total number of inbound packets discarded due to integrity errors. - 2.5
ReplayErrors unsignedInt - [StatsCounter32] The total number of inbound packets discarded due to replay errors. - 2.5
PolicyErrors unsignedInt - [StatsCounter32] The total number of inbound packets discarded due to policy errors. - 2.5
OtherReceiveErrors unsignedInt - [StatsCounter32] The total number of inbound packets discarded due to errors other than decryption, integrity, replay or policy errors. This can include packets dropped due to a lack of receive buffers. - 2.5
Device.IPsec.IKEv2SA.{i}. object -

Represents an IKEv2 Security Association (SA), corresponding to an IKEv2 session. Instances are automatically created and deleted as IKEv2 SAs are created and deleted.

At most one entry in this table can exist with a given value for Tunnel.

- 2.5
Status string -

The current operational state of the IKEv2 SA. Enumeration of:

- 2.5
Alias string­(64) W

A non-volatile handle used to reference this instance. Alias provides a mechanism for an ACS to label this instance for future reference.

If the CPE supports the Alias-based Addressing feature as defined in [Section 3.6.1/TR-069a4] and described in [Appendix II/TR-069a4], the following mandatory constraints MUST be enforced:

  • Its value MUST NOT be empty.
  • Its value MUST start with a letter.
  • If its value is not assigned by the ACS, it MUST start with a "cpe-" prefix.
  • The CPE MUST NOT change the parameter value.
- 2.5
Tunnel string -

The associated Tunnel instance. The value MUST be the Path Name of a row in the Tunnel table. If the referenced object is deleted, the parameter value MUST be set to an empty string.

Note that Tunnel is a unique key, i.e. only one IKEv2SA instance is associated with a given Tunnel instance. During rekeying [Section 2.8/RFC5996], a new IKEv2 SA is created and inherits the existing IKEv2 SA's child SAs, then the old IKEv2 SA is deleted. From the management point of view the new and old IKEv2 SAs are the same SA and MUST be modeled using the same IKEv2SA instance.

- 2.5
LocalAddress string­(45) - [IPAddress] The local IP address that this IKEv2 SA was negotiated with. This is assigned via IKEv2 and will also be available via the associated Tunnel's Tunnel.{i}.TunnelInterface IP.Interface.{i}.IPv4Address or IP.Interface.{i}.IPv6Address table (as appropriate). - 2.5
RemoteAddress string­(45) - [IPAddress] The IP address of the peer that this IKEv2 SA was negotiated with. This will be the IP address of one of the security gateways configured via Profile.{i}.RemoteEndpoints. - 2.5
EncryptionAlgorithm string­(64) -

The encryption algorithm applied to traffic carried by this IKEv2 SA.

This will be one of the Profile.{i}.IKEv2AllowedEncryptionAlgorithms from the Profile instance via which this IKEv2 SA was created.

- 2.5
EncryptionKeyLength unsignedInt -

The length of the encryption key in bits used for the algorithm specified in the EncryptionAlgorithm parameter.

The value is 0 if the key length is implicit in the specified algorithm or there is no encryption applied.

- 2.5
PseudoRandomFunction string­(64) -

The pseudo-random function used by this IKEv2 SA.

This will be one of the Profile.{i}.IKEv2AllowedPseudoRandomFunctions from the Profile instance via which this IKEv2 SA was created.

- 2.5
IntegrityAlgorithm string­(64) -

The integrity algorithm applied to the traffic carried by this IKEv2 SA.

This will be one of the Profile.{i}.IKEv2AllowedIntegrityAlgorithms from the Profile instance via which this IKEv2 SA was created.

- 2.5
DiffieHellmanGroupTransform string­(64) -

The Diffie-Hellman Group used by this IKEv2 SA.

This will be one of the Profile.{i}.IKEv2AllowedDiffieHellmanGroupTransforms from the Profile instance via which this IKEv2 SA was created.

- 2.5
CreationTime dateTime - When this IKEv2 SA was set up. - 2.5
NATDetected string -

Whether NAT traversal is supported by the device and, if so, whether a NAT was detected. Enumeration of:

- 2.5
ReceivedCPAttrNumberOfEntries unsignedInt - The number of entries in the ReceivedCPAttr table. - 2.5
ChildSANumberOfEntries unsignedInt - The number of entries in the ChildSA table. - 2.5
Device.IPsec.IKEv2SA.{i}.Stats. object -

Statistics for this IKEv2 Security Association (SA).

The CPE MUST reset the IKEv2 SA's Stats parameters (unless otherwise stated in individual object or parameter descriptions) whenever the associated Tunnel instance's Stats parameters are reset.

- 2.5
BytesSent unsignedLong - [StatsCounter64] The total number of bytes handled in the outbound direction by the IKEv2 SA. - 2.5
BytesReceived unsignedLong - [StatsCounter64] The total number of bytes handled in the inbound direction by the IKEv2 SA. - 2.5
PacketsSent unsignedInt - [StatsCounter32] The total number of packets handled in the outbound direction by the IKEv2 SA. - 2.5
PacketsReceived unsignedInt - [StatsCounter32] The total number of packets handled in the inbound direction by the IKEv2 SA. - 2.5
ErrorsSent unsignedInt -

[StatsCounter32] The total number of outbound packets from this IKEv2 SA discarded for any reason. This can include packets dropped due to a lack of transmit buffer space.

Note that this refers to IKE protocol packets, and not to packets carried by other SAs.

- 2.5
DecryptionErrors unsignedInt -

[StatsCounter32] The total number of inbound packets to this IKEv2 SA discarded due to decryption errors.

Note that this refers to IKEv2 protocol packets, and not to packets carried by other SAs.

- 2.5
IntegrityErrors unsignedInt -

[StatsCounter32] The total number of inbound packets to this IKEv2 SA discarded due to integrity errors.

Note that this refers to IKEv2 protocol packets, and not to packets carried by other SAs.

- 2.5
OtherReceiveErrors unsignedInt -

[StatsCounter32] The total number of inbound packets to this IKEv2 SA discarded for reasons other than decryption or integrity errors. This can include packets dropped due to a lack of receive buffer space.

Note that this refers to IKEv2 protocol packets, and not to packets carried by other SAs.

- 2.5
Device.IPsec.IKEv2SA.{i}.ReceivedCPAttr.{i}. object W

This is a transitory table that lists all the IKEv2 Configuration Payload (CP) [Section 3.15/RFC5996] Attributes that have been received via CFG_REPLY messages. Table entries are automatically created to correspond with received Attributes. However, it is a local matter to the CPE when to delete old table entries.

If the same Attribute is received multiple times, it is up to the CPE to decide which entries to include (i.e. whether the same Attribute will be present multiple times). In order to allow for the same Attribute to be present multiple times within the table, this table has no unique key defined.

- 2.5
Type unsignedInt­[0:32767] - CP Attribute Type as described in [Section 3.15.1/RFC5996] and defined in [IKEv2 Configuration Payload Attribute Types/IKEv2-params]. - 2.5
Value hexBinary­(65535) - A hexbinary encoded CP Attribute Value as described in [Section 3.15.1/RFC5996] and defined in [IKEv2 Configuration Payload Attribute Types/IKEv2-params]. - 2.5
Device.IPsec.IKEv2SA.{i}.ChildSA.{i}. object -

Represents a child Security Association (SA) pair, i.e. an inbound child SA and an outbound child SA.

At most one entry in this table can exist with a given value for InboundSPI, or with a given value for OutboundSPI.

- 2.5
Status string -

The current operational state of the child SA pair. Enumeration of:

- 2.5
Alias string­(64) W

A non-volatile handle used to reference this instance. Alias provides a mechanism for an ACS to label this instance for future reference.

If the CPE supports the Alias-based Addressing feature as defined in [Section 3.6.1/TR-069a4] and described in [Appendix II/TR-069a4], the following mandatory constraints MUST be enforced:

  • Its value MUST NOT be empty.
  • Its value MUST start with a letter.
  • If its value is not assigned by the ACS, it MUST start with a "cpe-" prefix.
  • The CPE MUST NOT change the parameter value.
- 2.5
InboundSPI unsignedInt - The inbound child SA's Security Parameter Index (SPI). - 2.5
OutboundSPI unsignedInt - The outbound child SA's Security Parameter Index (SPI). - 2.5
CreationTime dateTime - The date and time when the child SA was created. - 2.5
Device.IPsec.IKEv2SA.{i}.ChildSA.{i}.Stats. object -

Statistics for this child Security Association (SA).

The CPE MUST reset the child SA's Stats parameters (unless otherwise stated in individual object or parameter descriptions) whenever the parent ChildSA instance's Stats parameters are reset.

- 2.5
BytesSent unsignedLong - [StatsCounter64] The number of bytes handled by the outbound child SA. - 2.5
BytesReceived unsignedLong - [StatsCounter64] The number of bytes handled by the inbound child SA. - 2.5
PacketsSent unsignedInt - [StatsCounter32] The number of packets handled by the outbound child SA. - 2.5
PacketsReceived unsignedInt - [StatsCounter32] The number of packets handled by the inbound child SA. - 2.5
ErrorsSent unsignedInt - [StatsCounter32] The number of packets discarded by the outbound child SA due to any error. This can include compression errors or errors due to a lack of transmit buffers. - 2.5
DecryptionErrors unsignedInt - [StatsCounter32] The number of packets discarded by the inbound child SA due to decryption errors. - 2.5
IntegrityErrors unsignedInt - [StatsCounter32] The number of packets discarded by the inbound child SA due to integrity errors. - 2.5
ReplayErrors unsignedInt - [StatsCounter32] The number of packets discarded by the inbound child SA due to replay errors. - 2.5
PolicyErrors unsignedInt - [StatsCounter32] The number of packets discarded by the inbound child SA due to policy errors. - 2.5
OtherReceiveErrors unsignedInt - [StatsCounter32] The number of packets discarded by the inbound child SA due to errors other than decryption, integrity, replay or policy errors. This can include decompression errors or errors due to a lack of receive buffers. - 2.5
Device.DSLite. object -

Settings allowing a CPE to configure and route IPv6 Dual-Stack Lite (DSLite) as specified in [DSLite]. The DS-Lite mechanism is intended to be implemented only on gateway devices that support IPv4 on the LAN side and only have IPv6 connectivity on the WAN side.

See the Dual-Stack Lite Theory of Operation [Appendix VII/TR-181i2a2] for a description of the working of this DS-Lite data model.

- 2.2
Device.DSLite.InterfaceSetting.{i}. object -

DSLite [DSLite] settings.

At most one entry in this table can exist with a given value for Alias.

- 2.2
EndpointAddressTypePrecedence string W

Indicates the preferred method to be used to assign the address of the DS-Lite Endpoint when both EndpointName and EndpointAddress values are available and the Static method is used. See EndpointName and EndpointAddress for further clarification. Enumeration of:

  • FQDN (Derive from EndpointName via a DNS lookup)
  • IPv6Address (Use EndpointAddress directly)
- 2.5
EndpointAddressInUse string­(45) -

[IPv6Address] Indicates the address currently in use for the tunnel concentrator (remote endpoint). It is derived from the values of the EndpointAssignmentPrecedence, EndpointAddressTypePrecedence, EndpointName and EndpointAddress parameters.

It is an empty string if no endpoint address is currently known.

- 2.5
Device.BulkData. object -

Bulk Data collection utilizes the IPDR solution to collect data from devices based on a service specification described in [TR-232].

Bulk Data Collection Profiles are measured over a reporting interval (which can be aligned with absolute time) and are made available to the collection server.

This object provides bulk data collection capabilities and global collection settings that affect the entire device.

- 2.5
Enable boolean W

Enables or disables all collection profiles.

If false, bulk data will not be collected or reported.

- 2.5
Status string -

Indicates the status of the Bulk Data Collection mechanism. Enumeration of:

  • Enabled (Bulk Data Collection is enabled and working as intended)
  • Disabled (Bulk Data Collection is disabled)
  • Error (Bulk Data Collection is enabled, but there is an error condition preventing the successful collection of bulk data, OPTIONAL)
- 2.5
MinReportingInterval unsignedInt -

Minimum reporting interval in seconds that the CPE is capable of supporting.

A value of 0 indicates no minimum reporting interval.

- 2.5
Protocols string -

Comma-separated list of strings. Represents the IPDR Protocols that this device is capable of supporting. Each list item is an enumeration of:

- 2.5
EncodingTypes string -

Comma-separated list of strings. Represents the IPDR Encoding Types that this device is capable of supporting. Each list item is an enumeration of:

- 2.5
MaxNumberOfProfiles int­[-1:] -

The maximum number of profiles that can exist at any given time. Specifically, the maximum number of Profile.{i}. instances that the ACS can create.

If the value of this parameter is -1, then it means that the CPE doesn't have a limit to the number of profiles that can exist.

- 2.5
MaxNumberOfParameterReferences int­[-1:] -

The maximum number of parameters that can be referenced via the bulk data collection mechanism. Specifically, the maximum number of parameters that can be referenced via Profile.{i}.Parameter.{i}.Reference across all Profile and Parameter instances (including the expansion of partial paths within the Reference parameter).

If the value of this parameter is -1, then it means that the CPE doesn't have a limit to the number of parameters that can be referenced via the bulk data collection mechanism.

- 2.5
ProfileNumberOfEntries unsignedInt - The number of entries in the Profile table. - 2.5
Device.BulkData.Profile.{i}. object W

A set of Bulk Data Collection profiles.

Each profile represents a bulk data report, including its own timing configuration, communications configuration, and set of parameters. This allows the ACS to configure multiple reports to be generated at different times for different sets of data.

At most one entry in this table (regardless of whether or not it is enabled) can exist with a given value for Alias. On creation of a new table entry, the Agent MUST choose an initial value for Alias such that the new entry does not conflict with any existing entries.

- 2.5
Enable boolean W

Enables or disables this specific bulk data profile.

If false, this profile will not be collected or reported.

false 2.5
Alias string­(64) W

A non-volatile handle used to reference this instance. Alias provides a mechanism for an ACS to label this instance for future reference.

If the CPE supports the Alias-based Addressing feature as defined in [Section 3.6.1/TR-069a4] and described in [Appendix II/TR-069a4], the following mandatory constraints MUST be enforced:

  • Its value MUST NOT be empty.
  • Its value MUST start with a letter.
  • If its value is not assigned by the ACS, it MUST start with a "cpe-" prefix.
  • The CPE MUST NOT change the parameter value.
- 2.5
Protocol string W The value MUST be a member of the list reported by the Protocols parameter. The IPDR Protocol being used for this collection profile. - 2.5
EncodingType string W The value MUST be a member of the list reported by the EncodingTypes parameter. The IPDR Encoding Type being used for this collection profile. - 2.5
ReportingInterval unsignedInt­[1:] W

The reporting interval in seconds. Each report is generated based on this interval and TimeReference.

The CPE MAY reject a request to set ReportingInterval to less than MinReportingInterval.

Reporting intervals MUST begin every ReportingInterval seconds.

If ReportingInterval is changed while collection is enabled, the first reporting interval begins immediately.

For example, if ReportingInterval is 86400 (a day) and if TimeReference is set to UTC midnight on some day (in the past, present, or future) then the CPE will generate (and transmit, if the Protocol parameter is set to Streaming) its report at midnight every 24 hours.

86400 2.5
TimeReference dateTime W

An absolute time reference in UTC to determine when reports will be transmitted. Each reporting interval MUST complete at this reference time plus or minus an integer multiple of ReportingInterval, unless unable to due to higher prioritized operations.

TimeReference is used only to set the "phase" of the reporting intervals. The actual value of TimeReference can be arbitrarily far into the past or future.

If TimeReference is changed while collection of bulk data is enabled, the first reporting interval begins immediately.

The Unknown Time value as defined in [TR-106a2] indicates that no particular time reference is specified. That is, the CPE MAY locally choose the time reference, and is required only to adhere to the specified reporting intervals.

If absolute time is not available to the CPE, its reporting interval behavior MUST be the same as if the TimeReference parameter was set to the Unknown Time value.

For example, if ReportingInterval is 86400 (a day) and if TimeReference is set to UTC midnight on some day (in the past, present, or future) then the CPE will generate (and transmit, if in a "ITPush" mode) its report at midnight every 24 hours.

Note that, if TimeReference is set to a time other than the Unknown Time, the first reporting interval (which has to begin immediately) will almost certainly be shorter than ReportingInterval. This is why TimeReference is defined in terms of when reporting intervals complete rather than start.

0001-01-01T00:00:00Z 2.5
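
The phase rule for ReportingInterval and TimeReference (intervals complete at TimeReference plus or minus an integer multiple of ReportingInterval, and the first interval begins immediately) is worked through below in Python. This is an added example, not part of the data model. The function names and sample times are constructed, and for the Unknown Time case, where the CPE MAY choose the reference locally, the code assumes intervals are simply counted from the current time.

```python
from datetime import datetime, timedelta, timezone

# The Unknown Time value, as it appears in the TimeReference default.
UNKNOWN_TIME = datetime(1, 1, 1, tzinfo=timezone.utc)


def completion_times(now, reporting_interval, time_reference=UNKNOWN_TIME, count=3):
    """Return the completion times of the next `count` reporting intervals.

    `now` is when collection is enabled (or ReportingInterval/TimeReference is
    changed), i.e. when the first interval begins. Datetimes must be UTC-aware.
    """
    if reporting_interval < 1:
        raise ValueError("ReportingInterval is unsignedInt[1:]")
    step = timedelta(seconds=reporting_interval)

    if time_reference == UNKNOWN_TIME:
        # Assumption: with no phase specified, count whole intervals from `now`.
        first = now + step
    else:
        # Boundaries are time_reference + k * step for any integer k, so the
        # reference may lie arbitrarily far in the past or the future.
        # Floor division gives the last boundary at or before `now`; the
        # first interval completes at the boundary after it.
        k = (now - time_reference) // step
        first = time_reference + (k + 1) * step
    return [first + i * step for i in range(count)]


def first_interval_seconds(now, reporting_interval, time_reference=UNKNOWN_TIME):
    """Length of the first (usually shortened) reporting interval, in seconds."""
    first = completion_times(now, reporting_interval, time_reference, count=1)[0]
    return int((first - now).total_seconds())


if __name__ == "__main__":
    # Constructed sample: collection enabled mid-afternoon, daily reports
    # phased to UTC midnight by a reference many years in the past.
    enabled_at = datetime(2024, 3, 10, 15, 30, tzinfo=timezone.utc)
    midnight_ref = datetime(2000, 1, 1, tzinfo=timezone.utc)
    for t in completion_times(enabled_at, 86400, midnight_ref):
        print(t.isoformat())
    print("first interval:", first_interval_seconds(enabled_at, 86400, midnight_ref), "s")
```
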
StreamingHost string­(256) W This is the host name or IP Address of the IPDR Collector to be used by the CPE to stream bulk data records if this collection profile is configured for the IPDR Streaming Protocol [IPDR-SP] (the Protocol parameter has a value of Streaming). - 2.5
StreamingPort unsignedInt­[0:65535] W This is the port number of the IPDR Collector to be used by the CPE to stream bulk data records if this collection profile is configured for the IPDR Streaming Protocol [IPDR-SP] (the Protocol parameter has a value of Streaming). 4737 2.5
StreamingSessionID unsignedInt­[48:57, 65:90] W

This is the unique identification of an IPDR Session to be used when this collection profile is configured for the IPDR Streaming Protocol [IPDR-SP] (the Protocol parameter has a value of Streaming).

An ACS MUST NOT configure multiple IPDR Streaming Protocol collection profiles with the same StreamingSessionID. Doing so MUST cause the CPE to fail the SetParameterValues.

Within the IPDR Streaming Protocol specification the Session ID has a type of a single 'char', but we are restricting the range even further (ASCII values of '0' - '9' and 'A' - 'Z').

- 2.5
FileTransferURL string­(256) W This is the URL within the CPE that is used by an IPDR Collector to retrieve the IPDRDocs when this collection profile is configured for the IPDR File Transfer Protocol [IPDR-FTP] (the Protocol parameter has a value of File). - 2.5
FileTransferUsername string­(64) W

Username used for authentication of the FileTransferURL.

This is the FileTransferUsername that the IPDR Collector uses to access the CPE when this collection profile is configured for the IPDR File Transfer Protocol [IPDR-FTP] (the Protocol parameter has a value of File).

- 2.5
FileTransferPassword string­(64) W

Password used for authentication of the FileTransferURL.

This is the FileTransferPassword that the IPDR Collector uses to access the CPE when this collection profile is configured for the IPDR File Transfer Protocol [IPDR-FTP] (the Protocol parameter has a value of File).

When read, this parameter returns an empty string, regardless of the actual value.

- 2.5
ControlFileFormat string­(128) W

If this collection profile is configured for the IPDR File Transfer Protocol [IPDR-FTP] (the Protocol parameter has a value of File) then the control file names will be of the following format:

<ControlFilePrefix>_<ControlFilePolicy>.<ControlFileSuffix>

Where the following rules apply:

  • ControlFilePrefix MUST NOT contain an underscore '_' or any other character not suitable for a file name.
  • ControlFilePolicy MUST contain one or more ‘N’ characters, where the number of ‘N’ characters denotes the number of digits in the sequence number, including leading zeros as necessary to match the number of ‘N’ characters.
  • ControlFileSuffix is a file extension.

For example, BulkData_NNNN.log where "BulkData" would be the prefix, "NNNN" would be the policy, and "log" would be the suffix. Files adhering to this file format would look like: BulkData_0000.log, BulkData_0001.log, etc.

- 2.5
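
The ControlFileFormat rules above can be enforced with a small parser, which also lets a collector check that a file name offered by a CPE is an instance of the configured format before using it as a local path. The Python code below is an added example, not part of the data model. The function names are constructed, the character sets allowed for prefix and suffix are an assumption (the table only says "not suitable for a file name"), and refusing out-of-range sequence numbers is an assumption because the table does not define rollover.

```python
import re

MAX_FORMAT_LENGTH = 128  # ControlFileFormat is string(128)

# Assumption: prefix limited to ASCII letters, digits and '-', suffix to
# letters and digits. This excludes '_', path separators and dots.
FORMAT_RE = re.compile(r"(?P<prefix>[A-Za-z0-9-]+)_(?P<policy>N+)\.(?P<suffix>[A-Za-z0-9]+)")


def parse_control_file_format(fmt):
    """Split a ControlFileFormat value into (prefix, digit_count, suffix)."""
    if len(fmt) > MAX_FORMAT_LENGTH:
        raise ValueError("ControlFileFormat longer than 128 characters")
    match = FORMAT_RE.fullmatch(fmt)
    if match is None:
        raise ValueError(f"not of the form <prefix>_<N...>.<suffix>: {fmt!r}")
    # The number of 'N' characters is the number of digits in the sequence number.
    return match["prefix"], len(match["policy"]), match["suffix"]


def control_file_name(fmt, sequence):
    """Render the control file name for one sequence number, zero-padded."""
    prefix, digits, suffix = parse_control_file_format(fmt)
    if not 0 <= sequence < 10 ** digits:
        # Assumption: rollover is undefined in the table, so refuse instead of wrapping.
        raise ValueError(f"sequence {sequence} does not fit in {digits} digits")
    return f"{prefix}_{sequence:0{digits}d}.{suffix}"


def sequence_from_name(fmt, name):
    """Return the sequence number if `name` is an instance of `fmt`, else None.

    A full match is required, so names carrying directory components or a
    different number of digits are rejected.
    """
    prefix, digits, suffix = parse_control_file_format(fmt)
    pattern = rf"{re.escape(prefix)}_([0-9]{{{digits}}})\.{re.escape(suffix)}"
    match = re.fullmatch(pattern, name)
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    fmt = "BulkData_NNNN.log"  # the example value given in the table
    print(parse_control_file_format(fmt))
    print(control_file_name(fmt, 0), control_file_name(fmt, 1))
    print(sequence_from_name(fmt, "BulkData_0012.log"))
    print(sequence_from_name(fmt, "../BulkData_0012.log"))
```
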
ParameterNumberOfEntries unsignedInt - The number of entries in the Parameter table. - 2.5
Device.BulkData.Profile.{i}.Parameter.{i}. object W

Bulk data parameter table.

Each entry in this table represents a parameter (or set of parameters if a partial path is provided) to be collected and reported.

- 2.5
Reference string­(256) W

The value MUST be the Path Name of a parameter or object. Represents the parameter(s) that are part of this Bulk Data collection profile.

In the case where a partial parameter path is specified all sub-objects and contained parameters will be part of the bulk data collected and reported. If the path name refers to an object then it MUST end with a '.'.

<Empty> 2.5
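
The ControlFileFormat rules above can be checked before the value is used to build or match file names on disk. The following Python code is an added example, not part of the Broadband Forum data model; the character allowlist for the prefix and suffix, the rejection of sequence numbers that need more digits than the policy provides, and all function names are assumptions.

```python
import re

MAX_LEN = 128  # ControlFileFormat is declared as string(128)

# Assumption: the data model does not list which characters are "suitable for
# a file name", so this example uses a conservative allowlist that excludes
# '_', '.', path separators, whitespace and control characters.
_FORMAT_RE = re.compile(
    r"(?P<prefix>[A-Za-z0-9-]+)_(?P<policy>N+)\.(?P<suffix>[A-Za-z0-9]+)")


class ControlFileFormatError(ValueError):
    """Raised when a value breaks the ControlFileFormat rules."""


def parse_control_file_format(value):
    """Return (prefix, digit_count, suffix) for a valid ControlFileFormat."""
    if len(value) > MAX_LEN:
        raise ControlFileFormatError("longer than 128 characters")
    match = _FORMAT_RE.fullmatch(value)
    if match is None:
        raise ControlFileFormatError(f"not <prefix>_<policy>.<suffix>: {value!r}")
    return match["prefix"], len(match["policy"]), match["suffix"]


def control_file_name(value, sequence):
    """Build the control file name for one sequence number."""
    prefix, digits, suffix = parse_control_file_format(value)
    # Assumption: a sequence number that needs more digits than the policy
    # provides is rejected; the page does not define rollover behaviour.
    if not 0 <= sequence < 10 ** digits:
        raise ControlFileFormatError(f"{sequence} does not fit in {digits} digits")
    return f"{prefix}_{sequence:0{digits}d}.{suffix}"


def sequence_of(value, file_name):
    """Return the sequence number if file_name follows the format, else None."""
    prefix, digits, suffix = parse_control_file_format(value)
    pattern = rf"{re.escape(prefix)}_([0-9]{{{digits}}})\.{re.escape(suffix)}"
    found = re.fullmatch(pattern, file_name)
    return int(found.group(1)) if found else None


if __name__ == "__main__":
    fmt = "BulkData_NNNN.log"  # the example format given on the page
    print([control_file_name(fmt, n) for n in range(3)])
    print(sequence_of(fmt, "BulkData_0042.log"))
```

Because the parameter is writable, validating it on every write keeps a value such as one containing path separators from ever reaching the code that opens files.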

Inform and Notification Requirements

Forced Inform Parameters

Parameter

Forced Active Notification Parameters

Parameter

Default Active Notification Parameters

Parameter

Parameters for which Active Notification MAY be Denied

Parameter

Profile Definitions

Notation

The following abbreviations are used to specify profile requirements:

Abbreviation Description
R Read support is REQUIRED.
W Both Read and Write support is REQUIRED. This MUST NOT be specified for a parameter that is defined as read-only.
P The object is REQUIRED to be present.
C Creation and deletion of instances of the object is REQUIRED.
A Creation of instances of the object is REQUIRED, but deletion is not REQUIRED.
D Deletion of instances of the object is REQUIRED, but creation is not REQUIRED.

BulkDataColl:1 Profile

This table defines the BulkDataColl:1 profile for the Device:2 data model. The minimum REQUIRED version for this profile is Device:2.5.

Name Requirement
Device.BulkData. P
Enable W
Status R
MinReportingInterval R
Protocols R
EncodingTypes R
ProfileNumberOfEntries R
Device.BulkData.Profile.{i}. C
Enable W
Alias W
Protocol W
EncodingType W
ReportingInterval W
TimeReference W
ParameterNumberOfEntries R
Device.BulkData.Profile.{i}.Parameter.{i}. C
Reference W

BulkDataStreaming:1 Profile

The BulkDataStreaming:1 profile for the Device:2 data model is defined as the union of the BulkDataColl:1 profile and the additional requirements defined in this table. The minimum REQUIRED version for this profile is Device:2.5.

Name Requirement
Device.BulkData.Profile.{i}. C
StreamingHost W
StreamingPort W
StreamingSessionID W

BulkDataFileTransfer:1 Profile

The BulkDataFileTransfer:1 profile for the Device:2 data model is defined as the union of the BulkDataColl:1 profile and the additional requirements defined in this table. The minimum REQUIRED version for this profile is Device:2.5.

Name Requirement
Device.BulkData.Profile.{i}. C
FileTransferURL W
FileTransferUsername W
FileTransferPassword W
ControlFileFormat W

IPsec:1 Profile

This table defines the IPsec:1 profile for the Device:2 data model. The minimum REQUIRED version for this profile is Device:2.5.

Name Requirement
Device.IPsec. P
AHSupported R
IKEv2SupportedEncryptionAlgorithms R
ESPSupportedEncryptionAlgorithms R
IKEv2SupportedPseudoRandomFunctions R
SupportedIntegrityAlgorithms R
SupportedDiffieHellmanGroupTransforms R
MaxFilterEntries R
MaxProfileEntries R
FilterNumberOfEntries R
ProfileNumberOfEntries R
TunnelNumberOfEntries R
Device.IPsec.Stats. P
NegotiationFailures R
BytesSent R
BytesReceived R
PacketsSent R
PacketsReceived R
ErrorsSent R
UnknownSPIErrors R
DecryptionErrors R
IntegrityErrors R
OtherReceiveErrors R
Device.IPsec.Filter.{i}. C
Enable W
Status R
Order W
Interface W
AllInterfaces W
DestIP W
DestMask W
DestIPExclude W
SourceIP W
SourceMask W
SourceIPExclude W
Protocol W
ProtocolExclude W
DestPort W
DestPortRangeMax W
DestPortExclude W
SourcePort W
SourcePortRangeMax W
SourcePortExclude W
ProcessingChoice W
Profile W
Device.IPsec.Profile.{i}. C
MaxChildSAs W
RemoteEndpoints W
ForwardingPolicy W
Protocol W
IKEv2AuthenticationMethod W
IKEv2AllowedEncryptionAlgorithms W
ESPAllowedEncryptionAlgorithms W
IKEv2AllowedPseudoRandomFunctions W
IKEv2AllowedIntegrityAlgorithms W
ESPAllowedIntegrityAlgorithms W
IKEv2AllowedDiffieHellmanGroupTransforms W
Device.IPsec.Tunnel.{i}. P
TunnelInterface R
TunneledInterface R
Device.IPsec.Tunnel.{i}.Stats. P
DecryptionErrors R
IntegrityErrors R
OtherReceiveErrors R

IPsecAdv:1 Profile

The IPsecAdv:1 profile for the Device:2 data model is defined as the union of the IPsec:1 profile and the additional requirements defined in this table. The minimum REQUIRED version for this profile is Device:2.5.

Name Requirement
Device.IPsec. P
IKEv2SANumberOfEntries R
Device.IPsec.IKEv2SA.{i}. P
Tunnel R
LocalAddress R
RemoteAddress R
CreationTime R
ChildSANumberOfEntries R
Device.IPsec.IKEv2SA.{i}.Stats. P
BytesSent R
BytesReceived R
PacketsSent R
PacketsReceived R
ErrorsSent R
DecryptionErrors R
IntegrityErrors R
OtherReceiveErrors R
Device.IPsec.IKEv2SA.{i}.ChildSA.{i}. P
InboundSPI R
OutboundSPI R
CreationTime R
Device.IPsec.IKEv2SA.{i}.ChildSA.{i}.Stats. P
BytesSent R
BytesReceived R
PacketsSent R
PacketsReceived R
ErrorsSent R
DecryptionErrors R
IntegrityErrors R
OtherReceiveErrors R

DSLite:2 Profile

The DSLite:2 profile for the Device:2 data model is defined as the union of the DSLite:1 profile and the additional requirements defined in this table. The minimum REQUIRED version for this profile is Device:2.5.

Name Requirement
Device.DSLite.InterfaceSetting.{i}. P
EndpointAddressTypePrecedence W
EndpointAddressInUse R


Generated by Broadband Forum report.pl#422 (2018/03/28 version) on 2018/04/02 at 12:23:04.