Grant
Theme fund: NGI0 PET
Period: 2019-04 — 2022-10

Rocket CWMP

Remote governance and configuration for internet equipment

This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work.

CWMP (CPE WAN Management Protocol), also known as TR-069, is a technical specification from the Broadband Forum designed for remote management of customer-premises equipment (CPE). CWMP is a standardized and widely used text-based protocol enabling communication between a CPE and an Auto Configuration Server (ACS).
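To make the CPE/ACS exchange concrete, here is an added example (not code from the Rocket project) in Python. It builds the Inform RPC with which a CPE opens every CWMP session, then parses and sanity-checks that message the way an ACS should before acting on it. The SOAP and `urn:dslforum-org:cwmp-1-0` namespaces are the real ones from TR-069; the device identity, event list and parameter values are constructed sample data, and the checks in `validate_inform` (and the refusal of a DOCTYPE in `parse_inform`) are this example's own ACS-side policy, not something the specification prescribes in that form.

```python
# Added example: build a CWMP (TR-069) Inform the way a CPE would, then parse
# and sanity-check it the way an ACS should. Not Rocket CWMP's code.
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
CWMP = "urn:dslforum-org:cwmp-1-0"  # CWMP RPC namespace from TR-069
NS = {"soap-env": SOAP_ENV, "cwmp": CWMP}
for _prefix, _uri in (("soap-env", SOAP_ENV), ("soap-enc", SOAP_ENC), ("cwmp", CWMP)):
    ET.register_namespace(_prefix, _uri)

DEVICE_ID_FIELDS = ("Manufacturer", "OUI", "ProductClass", "SerialNumber")
# TR-069 event codes: "0 BOOTSTRAP", "1 BOOT", "2 PERIODIC", ..., "M Reboot",
# "M Download" (method-triggered) and "X <OUI> <name>" for vendor events.
EVENT_CODE_RE = re.compile(r"[0-9]+ [A-Z ]+|M [A-Za-z]+|X [0-9A-F]{6} .+")
PARAM_PATH_RE = re.compile(r"(Device|InternetGatewayDevice)(\.[A-Za-z0-9_]+)+")

# Constructed sample data for a fictitious router (192.0.2.0/24 is a documentation range).
SAMPLE_DEVICE = {"Manufacturer": "ExampleVendor", "OUI": "001122",
                 "ProductClass": "RouterX", "SerialNumber": "SN0001"}
SAMPLE_EVENTS = [("1 BOOT", ""), ("4 VALUE CHANGE", "")]
SAMPLE_PARAMS = {"Device.DeviceInfo.SoftwareVersion": "1.2.3",
                 "Device.ManagementServer.ConnectionRequestURL": "http://192.0.2.10:7547/cr"}


def build_inform(device, events, params, request_id, current_time, retry_count=0):
    """Serialize a SOAP envelope carrying cwmp:Inform (the CPE side)."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    id_el = ET.SubElement(header, f"{{{CWMP}}}ID")
    id_el.set(f"{{{SOAP_ENV}}}mustUnderstand", "1")  # the ACS echoes this ID in its reply
    id_el.text = request_id
    inform = ET.SubElement(ET.SubElement(env, f"{{{SOAP_ENV}}}Body"), f"{{{CWMP}}}Inform")
    dev = ET.SubElement(inform, "DeviceId")  # RPC arguments are unqualified elements
    for field in DEVICE_ID_FIELDS:
        ET.SubElement(dev, field).text = device[field]
    ev = ET.SubElement(inform, "Event")
    ev.set(f"{{{SOAP_ENC}}}arrayType", f"cwmp:EventStruct[{len(events)}]")
    for code, command_key in events:
        struct = ET.SubElement(ev, "EventStruct")
        ET.SubElement(struct, "EventCode").text = code
        ET.SubElement(struct, "CommandKey").text = command_key
    ET.SubElement(inform, "MaxEnvelopes").text = "1"
    ET.SubElement(inform, "CurrentTime").text = current_time
    ET.SubElement(inform, "RetryCount").text = str(retry_count)
    plist = ET.SubElement(inform, "ParameterList")
    plist.set(f"{{{SOAP_ENC}}}arrayType", f"cwmp:ParameterValueStruct[{len(params)}]")
    for name, value in params.items():
        pv = ET.SubElement(plist, "ParameterValueStruct")
        ET.SubElement(pv, "Name").text = name
        ET.SubElement(pv, "Value").text = value
    return ET.tostring(env, encoding="unicode")


def parse_inform(xml_text):
    """Extract the Inform fields an ACS needs (the ACS side)."""
    # A CWMP message never carries a DTD. Refusing one up front keeps the XML
    # parser from expanding entities supplied by an untrusted CPE (this example's
    # policy; a production ACS would also cap the message size).
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not allowed in a CWMP message")
    root = ET.fromstring(xml_text)
    inform = root.find("soap-env:Body/cwmp:Inform", NS)
    if inform is None:
        raise ValueError("not a cwmp:Inform")
    return {
        "id": root.findtext("soap-env:Header/cwmp:ID", default=None, namespaces=NS),
        "device": {fld: inform.findtext(f"DeviceId/{fld}") for fld in DEVICE_ID_FIELDS},
        "events": [(e.findtext("EventCode"), e.findtext("CommandKey") or "")
                   for e in inform.findall("Event/EventStruct")],
        "max_envelopes": inform.findtext("MaxEnvelopes"),
        "params": {p.findtext("Name"): p.findtext("Value") or ""
                   for p in inform.findall("ParameterList/ParameterValueStruct")},
    }


def validate_inform(msg):
    """Return a list of problems; an empty list means the Inform is acceptable."""
    problems = []
    if not msg["id"]:
        problems.append("missing cwmp:ID header")
    for field in DEVICE_ID_FIELDS:
        if not msg["device"].get(field):
            problems.append(f"DeviceId.{field} missing")
    oui = msg["device"].get("OUI") or ""
    if not re.fullmatch(r"[0-9A-F]{6}", oui):  # TR-069: six upper-case hex digits
        problems.append(f"OUI {oui!r} malformed")
    if not msg["events"]:
        problems.append("Inform carries no events")
    for code, _ in msg["events"]:
        if not code or not EVENT_CODE_RE.fullmatch(code):
            problems.append(f"unknown event code {code!r}")
    if msg["max_envelopes"] != "1":
        problems.append("MaxEnvelopes must be 1")
    for name in msg["params"]:
        if not name or not PARAM_PATH_RE.fullmatch(name):
            problems.append(f"parameter name {name!r} is not a data-model path")
    return problems


if __name__ == "__main__":
    wire = build_inform(SAMPLE_DEVICE, SAMPLE_EVENTS, SAMPLE_PARAMS, "42", "2019-04-01T00:00:00Z")
    print(wire)
    parsed = parse_inform(wire)
    print(parsed, validate_inform(parsed) or "OK")
```

Running the script prints the serialized envelope, the fields recovered from it and either the list of problems or `OK`. On the real wire this envelope travels as the body of an HTTP POST from the CPE to the ACS URL, and everything after the ID header is data the ACS receives from a device it does not control, which is why the parse and validate steps are kept separate from acting on the message.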

Rocket CWMP is a modular CWMP client capable of supporting TR-069, TR-181 and other technical reports. The project was started to fill an industry gap: there was no production-ready FOSS solution that meets ISP requirements as well as the feature and security requirements of modern embedded devices. It is capable of integrating into existing solutions for automatic and remote software installation or provisioning of CPEs. The client is designed to be easily portable to different Linux platforms (OpenWrt and other Linux distributions such as Yocto, Debian, Ubuntu and others). Its modularity means that developers can easily build new features based on their requirements. It would serve as lightweight glue between CWMP and embedded Linux software standards for configuration and statistics.

The end goal of this project would be to create a FOSS client delivering the remote management features that are mandatory in the ISP ecosystem. ISPs would finally be equipped with a CWMP client that: a) is an open and extendable replacement for the closed software alternatives, b) is designed to easily include and configure various backend systems and c) allows replacing proprietary firmware and leveraging Open Source components.

Why does this actually matter to end users?

Somewhere in your house, office or library, there is a modest little box that connects you to the internet. Every connection a laptop, tablet or phone makes using your wifi goes through that box. The box is directly connected to the internet via your internet provider. If someone is able to control it, they can see all your traffic. And even worse - in subtle ways manipulate it without you seeing it. When do you think that box was last updated? Do you know this for a fact? Who is even responsible for doing that? Do you suppose it is maintained remotely by someone? How do they do that? And can you trust that everything happens securely and is implemented flawlessly?

As a user, you may be rightly concerned about keeping the devices in your house secure and up to date. The fact that this box is typically hidden away in the proverbial broom closet doesn't make it less of a critical point of failure for your day-to-day security. But at the same time, handling 24/7 internet threats is a heavy responsibility for normal consumers to bear - even technically inclined ones. You really want to be able to let professionals service and maintain your device. Your internet service provider (which typically provides you with such a box these days) will very much agree, because when devices in your household are captured by a botnet due to bad maintenance it causes a lot of work and headache on their part.

As a society we really want such core technology components to use up-to-date code you can trust. Device manufacturers do not always act as responsibly as they should, nor do they all have the same level of security skills, quality assurance and after-sales support. So as the device that keeps you connected to the internet ages, it becomes less and less secure over time. And in some cases, the manufacturer may have an unhealthy interest in your data - or be tempted in some other way by business models or political motivations that you may not agree with.

Luckily, one can in most cases replace the so-called firmware that makes the device do everything it can do. Devices mostly reuse standard components, so you can install a community-vetted open source solution on it instead. But if you install something different from what the supplier put on, that actually impacts the ability to maintain the device remotely. There are international standards for this, but the firmware needs to implement them for standard updates to work. So far this was not something that the community had created, and so it was hard to deploy at scale.

Rocket is a very welcome open source project led by a small Croatian company that offers a solution to exactly this problem. It is targeted at implementing all the relevant industry standards service providers need to support users. This will allow them to switch their customers over from aged and closed vendor firmware to something they and others can study and add new functionality to - and still perform the maintenance remotely as customers expect. Such updatability is extremely important both for security and for the Next Generation Internet initiative. The devices involved tend to have a very long life span, sometimes well over a decade. If old devices cannot be taught new tricks, such as adding new and more secure internet standards, progress is significantly slowed down. And of course technically inadequate devices currently operating in our homes and offices will continue to age, and make today's internet less safe for all.


This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.