This commit enhances the expect test against link metrics manager
feature to ensure that the feature can be continuously turned on or
off and work well. Because the feature will be controlled by the
feature flag in ot-br-posix.
This commit refines the `NetworkData::Publisher` to differentiate
between DNS/SRP unicast entries based on whether the address
information resides in service data (part of service TLV) or server
data (part of server sub-TLV).
Additionally, if another BR adds a service data unicast entry,
`Publisher` will zero out the desired count for server data unicast
entries, effectively removing any previously published server data
unicast entries.
The `test_netdata_publisher` has been updated to validate all the
newly added behaviors.
Unicast SRP dataset uses a ephemeral UDP port which could be taken by
another process. Currently SRP server creates the socket at the port
after the server is added into netdata. However, at that moment the
port may not be available on the platform so it may fail to create the
socket and start the server.
This commit adds the logic to restart the enabling process with
another port candidate if SRP server fails to create the socket.
This commit enables channel manager on SSED, together with channel monitor,
auto-selecting a better CSL channel for the link between child and its parent.
It also fixes tracking of CcaSuccessRate on CslChannel and adds toranj tests
for auto-channel selection and thread_cert test for autocsl-channel selection.
Updates validation logic after published route entry replacement to
prevent occasional failures due to a race condition. This increases
test stability.
This commit adds a argument `-L`/`--local-host` to simulation platform
to specify the source IP address for packets simulating 15.4
frames. This allows the simulation packets being transmitted over
different network interfaces, so that the simulation can run on
different hosts.
This can be used to enable multiple emulation devices(e.g. Android
Virtual Device) communicating to each other over emulated Thread
radio.
The argument accepts either an IPv4 address or a network interface
name. In the latter case, the first found IPv4 address on that
interface will be used will be used.
- Validates that key guard time is updated to 93% of key rotation
time when it changes.
- Checks for proper key sequence updates after key rotation
expiration.
- Confirms key guard mechanism blocks key sequence increments
while mesh nodes staying connected.
This commit makes changes/fixes to `KeyManager` regarding key switch
guard time.
Key Rotation Time updates:
- When the Key Rotation Time changes (due to security policy updates),
the key switch guard time (`mKeySwitchGuardTime`) is also adjusted.
It's set to 93% of the Rotation Time (rounded down).
- Immediately checks if the new rotation time indicates a rotation is
due and keys are rotated.
New variable `mKeySwitchGuardTimer`:
- This is reset to the current guard time whenever the key sequence is
updated.
- It decrements hourly until reaching zero.
- Key switch guard comparison is made with this value, aligning the
implementation with the Thread specification.
`SetCurrentKeySequence()` modification:
- Now accepts a new input parameter that determines whether to apply
or ignore the key switch guard when updating the key sequence.
- During a key rotation check (when the rotation time has passed), the
key switch guard is ignored and we always move to the next key
sequence number.
Other changes:
- Variables handling guard and rotation time now use `uint16_t`
instead of `uint32_t` to align with security policy definitions.
- API and CLI command documentation for setting the "key switch guard
time" emphasize that they are intended for testing purposes.
This commit implements address deprecation mechanism in `Slaac` class.
When a prefix is removed from Network Data, its corresponding SLAAC
address is not removed immediately. Instead, it is marked as
deprecated and its "preferred" flag is set to false. After a
deprecation interval (300 seconds), the deprecated address is
removed. If the prefix is re-added to Network Data before the
deprecation time elapses, the SLAAC address is also reinstated.
Since the number of SLAAC address entries is limited, non-deprecated
addresses are prioritized. This means that if a new entry is required
for a new prefix, the earliest deprecating entry can be evicted to
accommodate the new entry.
The `Slaac` module keeps track of the associated Domain IDs for
deprecating SLAAC prefixes, even if the related Prefix TLV has
already been removed from the Network Data. This information is used
during external route lookup in `NetworkData::Leader::RouteLookup()`
if a deprecating SLAAC address is used as the source address in
an outbound message, ensuring that the message is not dropped and
can be delivered.
This commit also adds a detailed test `test-027-slaac-address.py`
validating various behaviors of SLAAC module.
This commit updates how the `NetworkData::Publisher` handles "DNS/SRP
Service Unicast Address" entries. Specifically, when a "DNS/SRP
Service Anycast" entry is added by another BR, the publisher will set
the desired count of unicast entries to zero. This effectively
removes any previously added unicast entry. This new behavior is
only applied when the address and port are included in the Server TLV
data in a "DNS/SRP Service Unicast Address" entry.
The `test_netdata_publisher` has been updated to verify this new
behavior.
Config `OPENTHREAD_CONFIG_SRP_CLIENT_AUTO_START_DEFAULT_MODE` is
changed to use `1` by default (unless explicitly overridden in
project configs).
It also updates related test scripts to utilize auto-start mode or
explicitly disable it for manual SRP client control, reflecting this
default change.
Create OT API to support trel telemetry which is supported through
platform API and also add cli support to get/reset trel counters.
Metrics we are adding are:
- trel_frames_tx
- trel_bytes_tx
- trel_frames_rx
- trel_bytes_rx
- trel_frames_tx_failed
- num_trel_peers
Metrics already supported through API:
- trel_enabled
This commit adds cli `debug` command. This command is specifically
designed for testing and debugging purposes. It executes a series of
CLI commands to gather information about the device and thread
network.
This commit updates the `AutoAddress` mode in `Srp::Client` to
exclude any deprecated (non-preferred) address when registering
host addresses.
It also updates `test_srp_auto_host_address` to validate the new
behavior.
There was a check `self.assertNotEqual(br1_external_routes,
br2_external_routes)` that verifies the external route entries of BR1
and BR2 are different, based on the fact that their external route
prefixes (in /64) were different. However, today we're using generic
external routes like `fc00::/7` so the external route entries will be
the same when BR1 and BR2 have the same RLOC16.
I updated the test case to verify that the devices have expected
external route entries respectively.
This commit adds a public OT API to generate hex dump output line by
line. This function is then used for both `LogDump{}()` and frame
capture output by CLI `promiscuous` command (removing repeated
similar code) and harmonize the hex dump outputs.
The current code of the `mac.cpp` caches the supported channel mask to
a local variable. But the supported channel mask may be changed after
the country code is changed. This will cause the supported channel
mask used in `mac.cpp` to be inconsistent with the actual supported
channel mask.
This commit adds an API `otLinkSetRegion()` to set the region code and
then update the cached supported channel mask to avoid the channel
mask inconsistencies. The current Thread channel may be not included
in the new supported channel mask. When the Thread stack detects this
case, it detaches the current Thread network gracefully.
This commit adds `otNetDataGetCommissioningDataset()` as a public
API to retrieve the Commissioning Dataset from the Network Data.
It also updates CLI `netdata show` command to output the Commissioning
Dataset information. The documentation in `README_NETDATA.md` and
in `cli_network_data` are also updated. The test scripts that parse
`netdata show` output are also updated.
This commit updates CommissionerIdTlv to be defined as `StringTlvInfo`
(a TLV with a UTF-8 string value with a specified maximum length). This
allows us to use `Tlv` helper methods to `Find` and `Append` this
TLV, simplifying the code.
This commit also adds a helper `StringCopy()` method that copies a
C string into a given target string buffer array if it fits in the array.
This method can also optionally perform an encoding check on the string,
such as a UTF-8 encoding check. This helper method is used to simplify
setting different strings, such as Commissioner ID, Provisioning URL,
Vendor Name, etc.
The posix platform is able to support the HDLC, SPI and vendor spinel
interfaces, but the spinel interface type can't be changed
dynamically. It is inconvenient to use different spinel interfaces for
Thread stack in Android. This commit enables the posix platform to
support the HDLC, SPI and vendor interface at the same time, and the
final spinel interface type is determined by the radio url protocol.
Some other changes:
1. Not use CRTP style for the radio spinel.
2. Deprecate the OT_POSIX_CONFIG_RCP_BUS and
OPENTHREAD_POSIX_CONFIG_RCP_TIME_SYNC_INTERVAL.
This commit drops UDP datagrams from an untrusted origin to TMF port.
Examples of untrusted origin:
- A process other than OT on the host sends the packet to Thread
network via platform API.
- A packet forwarded from infrastructure network to Thread network by
Thread Border Router.
OT shouldn't allow UDP datagrams from untrusted origins going to TMF
port of any Thread device.
To implement this, there's an API `otIp6SendFromOrigin`
introduced. This can be used for specifying the origin of a packet you
want to send. This commit also encapsulates the 'origin' information
in `Message::Metadata`.
The default supported channel mask is set to 0x7fff000 in the default
configuration file. The dbus client test case sets the channel to 11
which is not valid in the supported channel mask. It causes the CI test
failures in https://github.com/openthread/ot-br-posix/pull/2027.
This commit updates the default supported and preferred channel masks
in the configuration file to avoid the CI test failures.
This commit allows developers to set the preferred channel mask and
the supported channel mask in the configuration file. The posix
platform selects channel masks from the configuration file based on
the region code when the region code is updated.
This commit implements the packet logic in OT core. It aims to have
the same effect as what's already achieved by our iptables-based
firewall. Instead of leveraging iptables, this commit filters the
border routing packets in user space by checking the
source/destination addresses of a packet.
This commit also adds a job to do BR regression test when this feature
is enabled and iptables-based firewall is disabled.
This commit implements a new module LinkMetricsManager, which utilizes
the Link Metrics feature to get the Link Metrics data from neighboring
devices.
The commit also adds a few tests to the module:
- Unit Test: tests/unit/test_link_metrics_manager.cpp, will be run in
`unit-tests` in `unit.yml`.
- Expect Test: tests/scripts/expect/v1_2-linkmetricsmgr.exp, will be
run in `expects` in `simulation-1.2.yml`.
- Simulation Test:
tests/scripts/thread-cert/v1_2_LowPower_test_link_metrics_manager.py,
will be run in `packet-verification-low-power` in
`simulation-1.2.yml`.
This commit adds support for TCP Fast Open, without cookie management.
To add support for this, I looked at the FreeBSD codebase and brought
in some code from FreeBSD 12.0 that implements TCP Fast Open --- the
version of FreeBSD that TCPlp is based on did not fully support TCP
Fast Open.
Normally, a part of TFO is cookie management --- the server generates
a cookie and includes it in the initial handshake, and client is
expected to present this cookie on future handshakes. This part is not
yet implemented, and I changed the logic from FreeBSD to allow data to
be exchanged in the TFO handshake even if the client does not present
a cookie. If we implement this functionality for TFO later, it is
probably worth departing from FreeBSD's data structures and policies
for maintaining cookie state in favor of something that is simpler and
more memory-efficient.
In `LeaderBase::RouteLookup()`, OT currently checks the source address
of the packet to ensure it matches any of the Prefix TLV in leader's
netdata. Actually it should also verify that the Prefix TLV has a
Border Router sub-TLV.
In the current implementation, OT may wrongly send/forward a packet to
BR when its source address matches with a Prefix TLV which only
contains an External Route sub-TLV. This lets BR accidentally forward
packets from Thread to infra network. For example, a packet from
Mesh-Local address to On-Link address will be wrongly forwarded to
infra network.
I recently noticed this problem because we're now using either
`fc00:/7` or `::/0` for external routes in netdata, which always
matches Mesh-Local source addresses and makes the issue more obvious.
Current implementation of RestoreProperties() assumes there's always a
networkInfo structure stored in the settings. But, it's possible the
RCP device needs to be recovered before this structure is populated.
Signed-off-by: Axel Le Bourhis <axel.lebourhis@nxp.com>
This commit updates public APIs for getting and setting CSL period to
use microseconds unit instead of the internal ten symbols unit. This
makes the APIs easier to use.
The CSL APIs have been renamed to follow the `otLinkGet/SetCsl{Item}()`
pattern, which is the common naming style of OpenThread. This
renaming will make the APIs more consistent and avoid potential
confusion with the now-removed APIs, which used a different unit for
CSL period.
This commit also updates the related CLI CSL commands:
- The `csl period` expects the given period to be in microseconds.
- The `csl` command (which outputs all CSL parameter) shows the CSL
period in microsecond unit (e.g., "Period: 160000us").
The NCP spinel `SPINEL_PROP_THREAD_CSL_PERIOD` is also updated to use
microsecond unit for CSL period.
The related test script are updated to use the new unit, in particular
the test harness `setCSLperiod()` in `harness-thci/OpenThread.py` is
updated (no need to convert from msec).
This commit updates `Dns::ServiceDiscovery::Server` such that when
answering a PTR query with more than one answer, it does not include
additional records. This is to keep the size of the response small.
This commit also updates the test scripts validating browse (PTR
query) function to check the new behavior. In particular, a common
python function `_parse_dns_service_info()` is added to parse service
info in CLI output of "dns browse" or "dns service" commands and
handle if output of "dns browse" does not include service info.
Processing of the Key Sequence is happening after each individual MLE
command processing, which leads to generating MLE responses with
outdated Key Sequence.
Make sure that the new greater Key Sequence is applied before
generating any MLE response.
A test case is updated to catch the case in which fragmented Child Id
Response was generated with the old Key Sequence whereas each
individual MAC fragment is already updated with the new Key Sequence,
leading to a security error.
This commit contains multiple changes to Network Diagnostics
modules.
It adds new TLVs: Child TLV, Child IPv6 Address List TLV, Router
Neighbor TLV and MLE counters TLV.
Child TLV contains information about a child entry including RLOC16,
extended MAC address, mode (rx-on-idle, FTD/MTD, full netdata,
CSL-sync), timeout, age, supervision interval, CSL period and
timeout, and link quality info such as RSS (last and average) and
frame/message error rates. Neighbor TLV provides similar info for a
router neighbor. The Child IPv6 Address List TLV allows to query a
parent to get the list of IPv6 addresses registered by its MTD
children.
The new Child and Neighbor TLVs can be requested in Network Diagnostic
Get Query "d/dq" message to a router (unicast) or multiple routers
(multicast). The router responds with one or more Network Diagnostic
Get Answer "d/da" messages.
We allow multiple Answer messages to be sent in response to a Query.
This is to support the case where a router has many children, and we
want to avoid sending a large message that contains all of the TLVs
for all of the children. Instead, we can send a sequence of Answer
messages, each of which contains a subset of the TLVs.
Each Answer message includes an Answer TLV that indicates the index of
the message in the sequence. The first Answer message has an index of
0, the second has an index of 1, and so on. The Answer TLV also
indicates whether the message is the last one in the sequence, or if
there are more Answer messages to come. Answer messages are sent in
sequence, and the next one is not sent until we receive a successful
CoAP ACK/response for the previous one.
This commit adds a Query ID TLV (with a 16-bit identifier as it
value) that can be optionally included in a Query message. The Query
ID is echoed back in all Answer messages associated with the same
Query message. This allows a node that sends multiple Queries to
distinguish between the received Answers.
This commit updates `MeshDiag` to use the newly added TLVs
to query the child table or children IPv6 addresses of a router.
New public OpenThread APIs under `otMeshDiag` are added for this,
along with CLI commands and their documentation. A test-case is added
to validate the newly added mechanism.
This commit adds a mechanism to delay the downgrade of routers or
leader when the security policy TLV changes in the Active Operational
Dataset such that the device is no longer eligible to act as a
router.
If the decision to become a child is made due to a security policy
change, the device first delays a random period up to the "router
selection jitter" before downgrading. If the device is the leader, an
additional fixed delay of 10 seconds is added to the random period.
If the security policy changes again while the device is waiting to
downgrade such that it becomes router-eligible again, the downgrade
is cancelled and the device remains in its current role.
This commit adds a `test_router_downgrade_on_sec_policy_change` to
validate the behavior of newly added mechanism.
This commit also updates the CLI `dataset` sub-commands to allow
getting and setting the "version threshold for routing" (VR) field in
security policy.
This commit implements time counting in radio to collect the time when
radio is in sleep/tx/rx time. 2 new APIs are added to get and reset
the statistics. This feature is only available on FTD and MTD. This PR
also adds cli commands to call the APIs on example cli firmware. This
feature is by default disabled in OT core config. It's enabled on
simulation platform by default now.
Regarding implementation, this feature is totally implemented by
software. It uses a simplified model to calculate the time. It may
not be very accurate, but it should be enough to give us an overview
of the time.