[0048] figure 1 The method shown is used to improve the security of the actions performed by the remote procedure call RPC called during the TR-069 remote management protocol session, which is then only referred to as the TR-069 session, which is in the DSL telecommunication system Between the client equipment CPE and the auto-configuration server ACS. The TR-069 session includes several remote procedure call RPCs that perform actions on the parameters of the object model.
[0049] The remote procedure call RPC is executed as an atomic action, that is, either the RPC succeeds and the action is fully effective, or the RPC fails and the final partial change is not completed until the point where the RPC is executed. For example, SetParameterValues, SetParameterAttributes, AddObject, etc. will not affect the object model if an error occurs during RPC execution.
[0050] Although RPC atomically protects the changes that occur at a single RPC level, the present invention provides a similar method at the session level, because in some cases all RPCs can be successfully executed, but the session itself may not take effect.
[0051] The basic idea to improve the security of actions invoked during a TR-069 session is to introduce TR-069 "save points". The TR-069 savepoint can be best described as a snapshot captured at a specific moment, where the TR-069 object model is considered stable.
[0052] The TR-069 savepoint has the following characteristics:
[0053] -They are preferably stored on the CPE side, which is usually at the request of the ACS, but in some cases it is also feasible to be initiated by the CPE if the ACS is not initiated, for example in the case of ACS URL changes;
[0054] -The save point can be set at the very beginning, during the TR-069 session or at the end of the TR-069 session, or between one or more than one TR-069 session;
[0055] -Restoring to the previous save point may include overwriting of changed parameter values and attributes, and/or execution of undo operations, such as RPC rollback for downloads as "uninstall".
[0056] In addition, TR-069 savepoints can be used to:
[0057] -Make a backup of the current state of the CPE (such as the object model);
[0058] -In order to make CPE no longer need to store savepoints, they can be uploaded to a remote file server and downloaded back to the CPE later;
[0059] -Dump configuration profile (profile), which includes setting a larger set of parameters into one. Using the standard SetParameterValue method will take too long or consume too much processing or bandwidth. A variant of this method can be implemented by Configure the save point of the action to select the pre-provided OEM profile on the CPE.
[0060] Finally, restoring to the previous savepoint or accepting a new savepoint should be further supported by the lightweight transaction mechanism, which supports the processing of explicit transaction processing or timer monitoring. Timing processing enables the CPE to return to a stable save point in the event that the connection to the ACS is lost due to changes.
[0061] In detail, TR-069 savepoint processing is supported by a lightweight transaction mechanism, which operates as follows; the mark between square brackets is figure 1 Similar to the tags in.
[0062] First, the transaction TR-069 session (hereinafter referred to as the transaction) is opened [100], whereby the parameters of the object model processed by the remote procedure call RPC are protected by the savepoint mechanism.
[0063] The auto-configuration server ACS then calls [110] RPC on the CPE side of the client device.
[0064] On the one hand, when the ACS has finished [120] invoking the RPC, it conducts a [130] TR-069 transaction session.
[0065] On the other hand, if the RPC fails [140], the ACS decides whether [150] returns to the previous stable state [Yes] or [No].
[0066] If the ACS decides to return to the previous state [Yes], the ACS calls [160] RestoreSavePoint RPC. The RestoreSavePoint RPC called by the ACS requests the CPE to return to the state previously saved through the savepoint mechanism. All changes are therefore not completed and the process returns [170] to the RPC called by the ACS in state [110].
[0067] If the ACS decides not to return [No], the process immediately returns [170] to the RPC called by the ACS in state [110].
[0068] The transaction is completed [130] through the ACS's decision on whether to process the change at this stage [180].
[0069] If the RPC is successful, the ACS decides to process the [Yes] change and calls [190] StoreSavePoint RPC. The action is thus fully effective, the StoreSavePointRPC called by the ACS processes the change and orders the CPE to close the transaction TR-069 session. All changes thus remain continuous. The TR-069 session is thus also terminated [200].
[0070] If the ACS decides not to process the [No] change, the TR-069 session is immediately terminated [200].
[0071] It should be noted that in the case where the savepoint is not stored in the established or current TR-069 session, it must be stored in the next session.
[0072] Through this savepoint mechanism, which prevents the CPE from being blocked or locked during the TR-069 session, two new RPCs are introduced:
[0073] -StoreSavePoint RPC: When the ACS processes changes and orders the CPE to close the transaction: all changes remain persistent; and
[0074] -RestoreSavePoint RPC: When the ACS requests the CPE to return to the last saved save point: all changes are not completed.
[0075] in figure 2 In the basic implementation of the TR-069 savepoint processing shown, the transaction TR-069 session [100] is implicitly opened at the beginning of the TR-069 session [000], that is, when the first RPC is called on the CPE. This means that from now on, every TR-069 session is transactional.
[0076] However, since it is not always desirable to open a transaction along with the TR-069 remote management protocol session, image 3 A more flexible approach is shown, where explicit transaction markers are preferably used. Among them, the ACS notified the CPE to open the [050] transaction, because the changes to be performed may be harmful. In detail, the transaction TR-069 session is then explicitly opened through the StartRecording RPC called by the autoconfiguration server ACS [050].
[0077] Two types of processing can be implemented:
[0078] -Normal savepoint processing: This is the type of processing described above for implicitly and explicitly opening transactions called by ACS. In this case, savepoints can be processed in an established session, or if the next The transaction is not explicitly processed in the running TR-069 session when the session is established, then the savepoint can be processed; and
[0079] -Timed savepoint processing: In order to prevent the CPE from being locked, the next TR-069 session can be scheduled immediately or after a given period of time. The timing savepoint processing RPC is called by the ACS and fixed the established TR-069 session with the next The delay between a TR-069 session, in other words, the next TR-069 session is scheduled after a given period of time, which is a delay determined by the timing savepoint processing RPC, which prevents the CPE from being locked.
[0080] Preferably, the automatic configuration server ACS calls several timed savepoints to process RPC during the same transaction. Each of these sequential or nested timed savepoint processing RPCs has a fixed delay that is shorter than the delay fixed by the previous timed savepoint processing RPC. This nested savepoint system enables partial recovery and facilitates failure detection.
[0081] The savepoint mechanism saves the parameter values of the object model processed before any remote procedure call RPC. As a result, if the transaction is not processed by StoreSavePoint RPC, a failure is suspected and the CPE should restore its state to the save point of the last processing.
[0082] More generally, when a transaction is not explicitly processed in a running TR-069 session, it must be processed in the next TR-069 session.
[0083] This can be achieved, for example, by one of the following out-of-session transaction delivery mechanisms.
[0084] When the transaction TR-069 session is not processed during the first TR-069 session remote management protocol session, the client device CPE sends the Inform with the event code to the automatic configuration server ACS, such as OpenSavePoint, during the next TR-069 session, thereby Remind ACS that transactions with changes are waiting to be processed. The ACS can then reply by including additional fields in the InformResponse, thereby closing the transaction and processing the savepoint and the first TR-069 session.
[0085] ACS can also decide to do explicit processing through StoreSavePoint RPC, or do explicit processing through RestoreSavePoint RPC after the evaluation rollback.
[0086] Maybe not all parameters of the object model need to be protected by savepoints. In this case, new parameter attributes can be defined, such as a specified transaction or savepoint. Only parameters whose attributes are marked as transactions or savepoints should be considered in this careful selection.
[0087] The save point must be stored on the CPE side. The most obvious way is to create a file for each savepoint on the file system containing parameter values, attributes, etc.
[0088] These files can also be uploaded to a remote file server for backup/restore purposes, or when the CPE runs out of space on the file system.
[0089] Finally, the savepoint mechanism can save the history of remote procedure calls invoked during the transaction TR-069 session on the CPE side, so that parameters can be restored when necessary.
[0090] Finally, it should be noted that the embodiments of the present invention are described above in terms of functional blocks. According to the functional description of these blocks given above, it is obvious to those skilled in the art of designing electronic devices that the embodiments of how to manufacture these blocks using known electronic components. Therefore, the detailed structure of the content of the function block is not given.
[0091] Although the principle of the present invention has been described above in conjunction with the designated device, it should be clearly understood that this description is only an example and not a limitation on the scope of the present invention, which is defined by the appended claims.
