This commit adds a new IDLE state to PdPrefixManager.
PdPrefixManager enters idle state when PD is enabled and there is
already a BR requesting PD prefix. When there are multiple BRs
publishing PD prefix at the same time, the one with lexcial smaller
prefix wins.
This commit updates the `RouteingManager` to set the newly
allocated "SNAC Router Flag" (bit 6) in emitted RA messages from
Thread BR. The flag is also parsed and tracked in received RA
messages.
This replaces the previous model where an experimental flag bit
in "Flags Extension Option" indicated a "stub router". This commit
also removes the `STUB_ROUTER_FLAG_IN_EMITTED_RA_ENABLE` confg
(no longer optional/experimental) and renames `mStubRouterFlag` to
`mSnacRouterFlag`.
The test software for certification currently uses the mDNS packets of
trel service responses to find out the trel port, and then use the port
number to determine which packets in a capture should be decoded as TREL
packets. However this may not be reliable since it depends on when the
capture starts. Added a cli to get trel port, so this can be used by
a THCI function.
This commit updates the default Thread version to 1.4, so that most
latest features will be enabled by default. This commit also explicitly
enable the epskc feature just like other features in the build script.
This commit:
1. update the topology to make 3 BRs running on 2 AILs;
2. specify the test name as `test_multi_backbone_infra`, which is
focusing on verifying the multiple backbone framework works good
3. fix bug that previously pinging throught ethernet does not actually
work.
For 3, previous `br1.ping(br2_infra_link_local, interface=br1_infra_link_local)`
actually send ping command via ot-ctl instead of the docker bash. The
new `br1.ping(br2_onlink_ula, backbone=True)` actually send a docker
bash command to ping another node via ethernet. Here we choose to use
onlink ULA address (9100::) instead of the link local address because
only "ping [link-local-addr]%eth0" (by specifying the zone index) can
work for link-local address, but this is not currently supported by
`LinuxHost.ping_ether()` method.
This commit modifies thread-cert scripts utilizing `pktverify` to
adopt a more flexible approach to TLV type checking. Specifically, it
replaces strict equality (`==`) or strict subset (`<`) checks with a
subset or equal check (`<=`) when verifying the presence of TLVs in a
message. This adjustment ensures that test scripts adhere to the
principle of ignoring extra or unknown TLVs, thereby future-proofing
them against potential protocol updates that might introduce new
TLVs.
This commit adds functions to read peer BRs and routers on infra link by
wrapping the ot-ctl command `br peers` and `br routers`.
`test_multi_ail.py` is also updated to test the new added functions.
This commit targets to support getting infra link-local address of a
OtbrNode in docker test, which is usefully for future test cases.
The test_multi_ail.py is also updated to test the new method added.
This commit adds support for responding to "A record" queries in the
DNS-SD server and discovery proxy.
If the query matches a host registered with the SRP server, the host's
IPv6 addresses are returned in the Additional Data section of the
response. If the query is resolved by the proxy, the `otPlatDnssd`
APIs are used to start/stop IPv4 address resolvers for the hostname
on the infrastructure network.
The `test_dnssd_discovery_proxy` unit test is updated to validate the
new functionality.
### Background
https://github.com/openthread/openthread/pull/10550 introduced a new
way to support multiple backbone nework in otbr docker test. Though it
works good while running a single test, a bug exists when running
cert-suite, which runs a batch of tests in parallel.
cert-suite allocates the name of the backbone interfaces dynamically
by setting env PORT_OFFSET for each test, so there is potentially
conflict exists if we hard code the `backbone_network` name in
TOPOLOGY. This PR is targeting to fix this potential naming conflict.
### Fix
We fix it by assigning a number for `backbone_network_id` in each BR
definition in TOPOLOGY, instead of setting a fixed `backbone network`
name. The final backbone network name is decided by both `PORT_OFFSET`
env and the number of `backbone_network` (in
`backbone{PORT_OFFSET}.{backbone_network}` format)
For example, if `PORT_OFFSET` is 0 and `backbone_network_id` is 1,
then backbone network name will be `backbone0.1`. For the tests that
only use one backbone network and the `backbone_network_id` is not
given, the backbone network name is by default
`backbone{PORT_OFFSET}.0`.
### New test case format
```
class NewTestCase(thread_cert.TestCase):
...
BR = 1
...
TOPOLOGY = {
BR: {
...
'is_otbr': True,
'backbone_network_id': <backbone-id>,
...
}
...
}
...
```
`<backbone-id>` is any integer from 0, for each BR inside a single
test, if `<backbone-id>` is different, the BR use different backbone
interfaces; the same `<backbone-id>` inside a single test case means
the same backbone network interface.
`'backbone_network_id': <backbone-id>` is optional for single backbone
test cases, when it's not given while defining a otbr node, the
backbone is default as `backbone{PORT_OFFSET}.0`.
For developers, if you are defining a new test which has multiple
backbone interfaces, please ensure `backbone_network_id` is explicitly
defined in each BR, otherwize an error is reported.
In previous otbr docker tests, when creating docker containers, all the
containers(otbr nodes) are connected to the same docker network bridge `backbone0`
(when the env PORT_OFFSET is not set or set to 0), this means all the
otbr nodes are connected to the same infrastructures.
This commit adds support to enable user to config otbr instance
infrastructures seperately in `TOPOLOGY` when defining test cases, this
provides flexibility to run multi-ail related test cases.
The format to define backbone interface per node is:
```
class NewTestCase(thread_cert.TestCase):
...
BR = 1
...
TOPOLOGY = {
BR: {
...
'is_otbr': True,
'backbone': <backbone-name>,
...
}
...
}
...
```
`'backbone': <backbone-name>` is optional, when it's not given when
defining a otbr node, the backbone is default as
`BACKBONE_DOCKER_NETWORK_NAME`. The `<backbone-name>` is suggested to be
defined as `backbone[0-9]` to make it more easy to read and understand.
This commit also adds test_multi_ail.py as an example test case to use
this new method, this test case checks the two otbr nodes are connected
to the different infra and are in the same Thread mesh network.
In some cases that `_do_packet_verification` is False (e.g. verify() is
not defined), the docker network is not correctly removed.
docker network interface should always be removed at the end of the test
if it was created at the begin of the test
This commit supresses the docker output unless verbose mode is enabled,
which helps preventing unnecessary output from cluttering the console.
docker output is enabled when:
* env VERBOSE is set to a non-zero value
docker output is suppressed (redirecting to /dev/null) when:
* VERBOSE is not explicitly set in env, or
* env VERBOSE is set to 0
The cli command `linkmetrics` only provides an asynchronous output
method. It is difficult for scripts to call the `ot-ctl` to capture
the results of asynchronous output.
This commit replaces the command `linkmetrics mgmt` and `linkmetrics
query` with commands `linkmetrics config` and `linkmetrics
request`. Both the commands `linkmetrics config` and `linkmetrics
request` are set to the `sync` mode by default, and an option `async`
is added to these commands to support `async` mode.
This commit updates SRP client's `AutoHostAddress` behavior to
defer SRP updates on SLAAC address deprecation events.
Under `AutoHostAddressMode`, all preferred addresses on Thread Netif,
excluding link-local and mesh-local addresses, are registered. If no
eligible address is available, then the ML-EID will be registered.
This commit adds a new mechanism where if a previously registered
address starts being deprecated (e.g., due to an OMR prefix removal
from Network Data), the SRP update is deferred. The client will
re-register after the deprecation time has elapsed and the address is
removed. In the meantime, if any other event triggers the client to
send an SRP update, the updated address list will be included in that
update.
This commit also updates `test_srp_auto_host_address` to validate the
newly added behavior.
This commit makes two changes in `test_advertising_proxy`:
- In the test step where the server is restarted, a longer wait time
is used to account for the longer jitter interval used by SRP
client in such a case.
- Due to the use of short lease time (10 seconds) in this test, the
client will refresh the registered services quickly. Therefore, in
`check_host_and_service()`, any of `Registered`, `ToRefresh`, or
`Refreshing` states are accepted as indicating successful
registration.
This commit improves the `Srp::Client` mechanism for applying random
jitter delays before sending update messages to the server. It now
supports different jitter ranges based on specific triggers. Since
trigger events are often network-wide, potentially causing
simultaneous SRP re-registration from many nodes, longer jitter
intervals are used to distribute the resulting SRP update
transmissions and avoid congestion.
The following triggers are covered:
- Server switch: Client switching to a new server while already
connected to a discovered server. This occurs when a new server
entry appears in Network Data which is preferred over the current
selection.
- Server restart: Client was previously connected to a server that
disappeared from Network Data. Later, the same or a new server is
discovered in Network Data.
- SLAAC address add or remove: This is generally triggered by updates
to SLAAC prefixes in Network Data (e.g., OMR prefix changes).
- First registration after attach:
- If the device is attaching to an established Thread mesh
(e.g., after a reboot or initial pairing), the Network Data it
receives should already include a server entry, leading to a
quick server selection after attach. If server selection occurs
within a short window, a shorter TX jitter is used, allowing the
device to register quickly and become discoverable.
- If server discovery takes longer, a longer TX jitter is used. This
situation can indicate a server/BR starting up or a network-wide
restart of many nodes (e.g., due to a power outage).
This commit introduces `TxJitter` class to manage the requested TX
jitter based on a trigger reason. It tracks the time of the event
that triggered a longer jitter request. If the update message is sent
immediately after the trigger event, the requested maximum jitter is
applied. However, if the update message is sent later, the maximum
jitter is adjusted proportionally to the time elapsed since the
trigger event. If the elapsed time exceeds the requested maximum
jitter interval, the default short jitter is applied to avoid
unnecessary registration delay.
This commit removes the option to set `key_switch_guardtime` when
constructing nodes and network topology in test scripts. The
following tests are updated to reflect this change:
- `Cert_5_8_02_KeyIncrement.py`
- `Cert_5_8_03_KeyIncrementRollOver.py`
- `Cert_6_6_01_KeyIncrement.py`
- `Cert_6_6_02_KeyIncrementRollOver.py`
This commit refines the `NetworkData::Publisher` to differentiate
between DNS/SRP unicast entries based on whether the address
information resides in service data (part of service TLV) or server
data (part of server sub-TLV).
Additionally, if another BR adds a service data unicast entry,
`Publisher` will zero out the desired count for server data unicast
entries, effectively removing any previously published server data
unicast entries.
The `test_netdata_publisher` has been updated to validate all the
newly added behaviors.
Unicast SRP dataset uses a ephemeral UDP port which could be taken by
another process. Currently SRP server creates the socket at the port
after the server is added into netdata. However, at that moment the
port may not be available on the platform so it may fail to create the
socket and start the server.
This commit adds the logic to restart the enabling process with
another port candidate if SRP server fails to create the socket.
This commit enables channel manager on SSED, together with channel monitor,
auto-selecting a better CSL channel for the link between child and its parent.
It also fixes tracking of CcaSuccessRate on CslChannel and adds toranj tests
for auto-channel selection and thread_cert test for autocsl-channel selection.
Updates validation logic after published route entry replacement to
prevent occasional failures due to a race condition. This increases
test stability.
- Validates that key guard time is updated to 93% of key rotation
time when it changes.
- Checks for proper key sequence updates after key rotation
expiration.
- Confirms key guard mechanism blocks key sequence increments
while mesh nodes staying connected.
This commit makes changes/fixes to `KeyManager` regarding key switch
guard time.
Key Rotation Time updates:
- When the Key Rotation Time changes (due to security policy updates),
the key switch guard time (`mKeySwitchGuardTime`) is also adjusted.
It's set to 93% of the Rotation Time (rounded down).
- Immediately checks if the new rotation time indicates a rotation is
due and keys are rotated.
New variable `mKeySwitchGuardTimer`:
- This is reset to the current guard time whenever the key sequence is
updated.
- It decrements hourly until reaching zero.
- Key switch guard comparison is made with this value, aligning the
implementation with the Thread specification.
`SetCurrentKeySequence()` modification:
- Now accepts a new input parameter that determines whether to apply
or ignore the key switch guard when updating the key sequence.
- During a key rotation check (when the rotation time has passed), the
key switch guard is ignored and we always move to the next key
sequence number.
Other changes:
- Variables handling guard and rotation time now use `uint16_t`
instead of `uint32_t` to align with security policy definitions.
- API and CLI command documentation for setting the "key switch guard
time" emphasize that they are intended for testing purposes.
This commit implements address deprecation mechanism in `Slaac` class.
When a prefix is removed from Network Data, its corresponding SLAAC
address is not removed immediately. Instead, it is marked as
deprecated and its "preferred" flag is set to false. After a
deprecation interval (300 seconds), the deprecated address is
removed. If the prefix is re-added to Network Data before the
deprecation time elapses, the SLAAC address is also reinstated.
Since the number of SLAAC address entries is limited, non-deprecated
addresses are prioritized. This means that if a new entry is required
for a new prefix, the earliest deprecating entry can be evicted to
accommodate the new entry.
The `Slaac` module keeps track of the associated Domain IDs for
deprecating SLAAC prefixes, even if the related Prefix TLV has
already been removed from the Network Data. This information is used
during external route lookup in `NetworkData::Leader::RouteLookup()`
if a deprecating SLAAC address is used as the source address in
an outbound message, ensuring that the message is not dropped and
can be delivered.
This commit also adds a detailed test `test-027-slaac-address.py`
validating various behaviors of SLAAC module.
This commit updates how the `NetworkData::Publisher` handles "DNS/SRP
Service Unicast Address" entries. Specifically, when a "DNS/SRP
Service Anycast" entry is added by another BR, the publisher will set
the desired count of unicast entries to zero. This effectively
removes any previously added unicast entry. This new behavior is
only applied when the address and port are included in the Server TLV
data in a "DNS/SRP Service Unicast Address" entry.
The `test_netdata_publisher` has been updated to verify this new
behavior.
Config `OPENTHREAD_CONFIG_SRP_CLIENT_AUTO_START_DEFAULT_MODE` is
changed to use `1` by default (unless explicitly overridden in
project configs).
It also updates related test scripts to utilize auto-start mode or
explicitly disable it for manual SRP client control, reflecting this
default change.
Create OT API to support trel telemetry which is supported through
platform API and also add cli support to get/reset trel counters.
Metrics we are adding are:
- trel_frames_tx
- trel_bytes_tx
- trel_frames_rx
- trel_bytes_rx
- trel_frames_tx_failed
- num_trel_peers
Metrics already supported through API:
- trel_enabled
This commit updates the `AutoAddress` mode in `Srp::Client` to
exclude any deprecated (non-preferred) address when registering
host addresses.
It also updates `test_srp_auto_host_address` to validate the new
behavior.
There was a check `self.assertNotEqual(br1_external_routes,
br2_external_routes)` that verifies the external route entries of BR1
and BR2 are different, based on the fact that their external route
prefixes (in /64) were different. However, today we're using generic
external routes like `fc00::/7` so the external route entries will be
the same when BR1 and BR2 have the same RLOC16.
I updated the test case to verify that the devices have expected
external route entries respectively.
This commit adds `otNetDataGetCommissioningDataset()` as a public
API to retrieve the Commissioning Dataset from the Network Data.
It also updates CLI `netdata show` command to output the Commissioning
Dataset information. The documentation in `README_NETDATA.md` and
in `cli_network_data` are also updated. The test scripts that parse
`netdata show` output are also updated.
This commit drops UDP datagrams from an untrusted origin to TMF port.
Examples of untrusted origin:
- A process other than OT on the host sends the packet to Thread
network via platform API.
- A packet forwarded from infrastructure network to Thread network by
Thread Border Router.
OT shouldn't allow UDP datagrams from untrusted origins going to TMF
port of any Thread device.
To implement this, there's an API `otIp6SendFromOrigin`
introduced. This can be used for specifying the origin of a packet you
want to send. This commit also encapsulates the 'origin' information
in `Message::Metadata`.
This commit implements the packet logic in OT core. It aims to have
the same effect as what's already achieved by our iptables-based
firewall. Instead of leveraging iptables, this commit filters the
border routing packets in user space by checking the
source/destination addresses of a packet.
This commit also adds a job to do BR regression test when this feature
is enabled and iptables-based firewall is disabled.
This commit implements a new module LinkMetricsManager, which utilizes
the Link Metrics feature to get the Link Metrics data from neighboring
devices.
The commit also adds a few tests to the module:
- Unit Test: tests/unit/test_link_metrics_manager.cpp, will be run in
`unit-tests` in `unit.yml`.
- Expect Test: tests/scripts/expect/v1_2-linkmetricsmgr.exp, will be
run in `expects` in `simulation-1.2.yml`.
- Simulation Test:
tests/scripts/thread-cert/v1_2_LowPower_test_link_metrics_manager.py,
will be run in `packet-verification-low-power` in
`simulation-1.2.yml`.