Events

Meet the CableLabs Experts Speaking at the All-Virtual SCTE•ISBE Cable-Tec Expo® 2020

Sep 22, 2020

This year, our colleagues at SCTE•ISBE are taking full advantage of the power of connectivity to make one of the biggest industry events completely virtual—and FREE—to all attendees. The first-ever SCTE•ISBE Cable-Tec Expo® Virtual Experience (sponsored by Charter Communications, Comcast and Cox Communications) is scheduled for October 12–15, 2020, and we’re very excited to be a part of it. We’ll have a virtual showcase starting on October 9th, and we’ve arranged for multiple speakers and moderators from CableLabs to participate in this year’s event, covering a broad range of topics from AI to fixed-mobile convergence to the future of 10G, and much more.

The theme of SCTE•ISBE Cable-Tec Expo® 2020 is Imagine the Possibilities, and it’s all about exploring the future of our increasingly connected world. This topic resonates with many of our experts here at CableLabs who are working on advancing cable network technologies to meet the needs of current and future generations. We’d like to introduce you to a few of them.

  • Phil McKinney | President and CEO of CableLabs
    Session: CEO Welcome, Chairman’s Welcome and Opening General Session
    When: October 12 @ 11:00 AM–12:30 PM EDT

Author, innovation guru and CableLabs CEO Phil McKinney will kick off the General Session by introducing the participants and setting the overall objective for the 2020 Cable-Tec Expo.

  • Steve Goeringer | Distinguished Technologist
    Session: The Cable Industry and Fraud: What It Is and What To Do About It
    When: October 12 @ 1:00–2:00 PM EDT

Steve will moderate a discussion about the evolution of cyber fraud and how operators can prevent, detect and respond to attacks within the parameters of the privacy law.

  • Karthik Sundaresan | Distinguished Technologist
    Session: Latency Labors: Solving for the (Super Low) Requirements of What’s Coming
    When: October 12 @ 1:00 PM–2:00 PM EDT

In the Latency session, Karthik will offer much-needed focus on how latency can be represented quantitatively, including metrics for describing latency behavior and methods of collecting those metrics.

  • Greg White | Distinguished Technologist of Next-Generation Systems
    Session: Latency Labors: Solving for the (Super Low) Requirements of What’s Coming
    When: October 12 @ 1:00 PM–2:00 PM EDT

Greg will moderate a four-part workshop that focuses on latency and ways to lower latency to meet consumer demand for seamless digital experiences, such as multiplayer online gaming and workplace collaboration tools.

  • Debbie Fitzgerald | Immersive Experiences and Technology Policy, CableLabs
    Session: The 10G Platform: Powering the Smart Home of the Future
    When: October 12 @ 1:30 PM–2:00 PM EDT

What was once only imagined is now becoming reality with applications such as VR/AR, holographic devices and other high-tech high-bandwidth technologies in the home. Debbie Fitzgerald and key players that were involved with the Mediacom 10G Smart Home showcase project will discuss technological challenges and future opportunities.

  • Craig Pratt | Lead Security Engineer
    Session: Customer-Facing Security Mechanisms: Keeping People Safe Without Compromising Their Experiences
    When: October 12 @ 3:00–4:00 PM EDT

Craig will cover the WFA Easy Connect specification, which integrates into the CableLabs Frictionless Onboarding System to keep Wi-Fi connections secure.

  • Curtis Knittle | Vice President of Wired Technologies
    Session: The HFC Future: 10G, FDX and Extended Spectrum
    When: October 13 @ 9:30–10:30 AM EDT

Curtis will join his colleagues from CommScope and Comcast for a three-part workshop on future-proofing cable’s HFC networks on the path to 10G and beyond.

  • Max Pala | Principal Architect of Security
    Session: Evolving Security Tools: Advances in Identity Management, Cryptography and Secure Processing
    When: October 13 @ 9:30–10:30 AM EDT

Security, PKI and encryption expert Max Pala will cover the latest developments in quantum computing as a possible means to break public key cryptography.

  • Karthik Sundaresan | Distinguished Technologist
    Session: An Upstream Path Forecast: OFDMA Ahead
    When: October 13 @ 1:00 PM–2:00 PM EDT

Karthik will join the OFDMA session to talk about the work with NOS to develop an upstream Profile Management Application.

  • Mark Poletti | Director of Wireless
    Session: Current Events in CBRS for Cable
    When: October 13 @ 1:00–2:00 PM EDT

Mark will join experts from Celona and Charter to examine the opportunities offered by the FCC’s decision to make the Citizens Broadband Radio Service (CBRS) spectrum band available for unlicensed use in private LTE/5G networks.

  • Jason Rupe | Principal Architect
    Session: Proactive Network Management: Cool Tools to Identify and Eliminate Impairments
    When: October 13 @ 1:00 PM–2:00 PM EDT

As an expert in Proactive Network Management, Jason will take a look at profile management in DOCSIS® 3.1, including ways to sidestep LTE interference in the middle of an OFDM channel.

  • Kyle Haefner | Senior Security Engineer
    Session: Applying AI in the Home to Improve Consumer Experiences
    When: October 14 @ 3:00–4:00 PM EDT

Kyle will share recent academic work to classify devices and learn their behavior, so that the network can identify devices—and determine when they’re operating outside of their norm.

  • Jennifer Andreoli-Fang | Distinguished Technologist
    Session: The State of Converging Access and 5G Mobile Networks: What’s Happening, and What Matters?
    When: October 15 @ 10:00–11:15 AM EDT

Jennifer will kick off the workshop with a look at transport convergence between mobile and DOCSIS® technology, including major MSO deployments in North America and Europe.

  • Robert Cruickshank | Proactive Network Management Advisor
    Session: Powering 10G: What It Takes and How to Do It
    When: October 15 @ 1:00–2:00 PM EDT

A recognized expert in early cable technology development, Robert will examine data coming from a Gridmetrics pilot program to measure, monitor and track the availability and stability of voltage in the last mile of the access network’s power grid.

  • Matt Schmitt | Principal Architect
    Session: I’d Like a (Network) Slice, Please: Current Events in Multi-Network Convergence
    When: October 15 @ 1:00 PM–2:00 PM EDT

Matt will talk about CableLabs’ Convergence Lab and new business opportunities beyond residential broadband, including mobile fronthaul/backhaul, business-grade Ethernet and remote OLT.

You can always count on SCTE•ISBE Cable-Tec Expo to bring together thousands of tech’s most ambitious minds, including leading innovators, technologists and visionaries. This year is no different. In fact, now it’s even easier to register and join from the comfort of your own home or workplace office. Although you can expect some deviation from the usual event proceedings due to the virtual format, all the main event sessions are generally still in place, including the thought-provoking General Session, Innovation Theater presentations, Interactive Sponsor Showcase and, of course, the educational heart of the event—the Fall Technical Forum. You can learn more about all the CableLabs speakers here or review the full agenda on the SCTE•ISBE Cable-Tec Expo® site. Visit CableLabs and Kyrio at the Interactive Sponsor Showcase. We hope to “see” you at the Expo!

10G

  Welcome to the Smart Home of the Future, Powered by 10G

Sep 18, 2020

Today, we’re very excited to announce another successful milestone on the road to 10G. We’ve partnered with Mediacom Communications—one of the first cable operators to roll out gigabit service to all of its customers—and the NCTA-The Internet & Television Association to bring you a real-life demonstration of how 10G will power the smart home of the future. This demonstration is part of the first-ever 10G field trial conducted by Mediacom in Ames, Iowa.

Introduced in early 2019 as cable’s next great leap forward for broadband, the 10G platform will power a new wave of innovation that will be able to take full advantage of its ultra-fast, multi-gigabit symmetrical download and upload speeds, imperceptible latency and enhanced security and reliability. We’ve talked a lot about 10G over the past year and have even made a few videos to help you visualize what this new world might look like in the near future, but this is the first time we’re participating in a demonstration that brings the 10G vision to life.

What Is Mediacom’s 10G Smart Home? 

In simple terms, Mediacom’s 10G Smart Home is a lab. It’s a working technology laboratory wired for ultrafast speeds that allows Mediacom to test cutting-edge consumer applications in a real-world environment. What might look like an ordinary home is anything but! From the kitchen to the laundry room, every living area of this home has been outfitted with smart home technologies that will help the “future you” live your best life. The showcase includes:

  • Kitchen devices that blend IoT technology to create wholesome food
  • Telemedicine connections to improve patient engagement and care
  • Home automation technology that allows control of the environment with one tap or command
  • High-energy egaming played with low latency and seamless engagement and interactivity
  • Immersive entertainment experiences
  • Virtual and augmented reality applications powered by the body’s own electricity to de-stress and quiet the mind
  • A variety of other technologies that can help with pet care, working from home, distance learning and even window washing

This demonstration is a thrilling glimpse into the ways 10G can transform and enhance every aspect of your life.

Inside the home, CableLabs showcases the next generation of display technologies for entertainment, research and education. As you can imagine, holographic video requires an enormous amount of data, but we’ll soon see holographic 3D images and video that won’t require glasses or heavy headwear. These are the types of experiences that our 10G platform will make possible.

Held on September 17, 2020, Mediacom’s 10G Smart Home launch event included welcome messages from former FCC Chairman and NCTA CEO Michael Powell and CableLabs CEO Phil McKinney, as well as high-profile attendees such as representatives from state and local government, the press and tech influencers.

A True Tech Paradise

In a tech world, innovation faithfully follows the classic “if you build it, they will come” philosophy, which means that as internet speeds increase, new inventions come to light. Think about holodecks, video walls, immersive cord-free VR experiences and many other technologies that we haven’t even imagined that will help us live, learn, work and play in the future. Cable’s 10G platform will give innovators the flexibility they need to dream up big ideas that aren’t constrained by data limits and pave the way for a new hyperconnected future. That’s why demonstrations like Mediacom’s 10G Smart Home are so important.

DOCSIS

CableLabs Releases DOCSIS® Simulation Model

Greg White
Distinguished Technologist

Sep 10, 2020

When it comes to technology innovation, one of the most powerful tools in an engineer’s toolbox is the ability to rapidly test hypotheses through simulations. Simulation frameworks are used in nearly all engineering disciplines as a way to understand complex system behaviors that would be difficult to predict analytically. Simulations also allow the researcher to control variables, explore a wide range of conditions and look deeply into emergent behaviors in ways that are either impossible or extremely challenging to accomplish in real-world testbeds or prototype implementations.

For some of our innovations, CableLabs uses the “ns” family of discrete-event network simulators (widely used in academic networking research) to investigate sophisticated techniques for making substantial improvements in broadband network performance. The ns family originated at Lawrence Berkeley National Laboratory in the mid-1990s, and has evolved over three versions, with “ns-3” being the current iteration that is actively developed and maintained. The open-source ns-3 is managed by a consortium of academic and industry members, of which CableLabs is a member. Examples of features developed with the help of ns include the Active Queue Management feature of the DOCSIS 3.1 specifications, which was developed by CableLabs using ns-2, and more recently, the Low Latency DOCSIS technology, which was created using models that we built in ns-3. In both cases, the simulation models were used to explore technology options and guide our decision making. In the end, these models were able to predict system behavior accurately enough to be used as the reference against which cable modems are compared to assess implementation compliance.

As a contribution to the global networking research community, CableLabs recently published its DOCSIS simulation model on the ns-3 “App Store,” thus enabling academic and industry researchers to easily include cable broadband links in their network simulations. This is expected to greatly enhance the ability of DOCSIS equipment vendors, operators and academic researchers to explore “what-if” scenarios for improvements in the core technology that underpins many of the services being delivered by cable operators worldwide. For example, a vCMTS developer could easily plug in an experimental new scheduler design and investigate its performance using high-fidelity simulations of real application traffic mixes. Because this DOCSIS model is open source, anyone can modify it for their own purposes and contribute enhancements that can then be published to the community.

If you’ve ever been interested in exploring DOCSIS performance in a particular scenario, or if you have had an idea about a new feature or capability to improve the way data is forwarded in the network, have a look at the new DOCSIS ns-3 module and let us know what you think!

News

CableLabs Member, Telia Norge, Launches the Fastest Broadband Service in Norway

Sep 2, 2020

There’s more great news from across the pond! Just a month after Vodafone Germany surpassed the 21 million gigabit homes passed milestone, another European telecommunications company and CableLabs® member, Telia Norge (Telia Norway), is launching the fastest broadband service in Norway for its customers, operating under the GET brand it acquired in 2018.

Now, Telia Norway’s GET customers have access to as much as 1,250 Mbps download speed and either 500 Mbps or 50 Mbps upload speed, depending on the package they choose. Either option gives them unprecedented freedom to surf, stream and share on multiple devices at the same time. In addition to much higher speeds, customers will also enjoy the benefits of a significant increase in network capacity and reliability. These improvements are a direct outcome of Telia Norway’s ongoing commitment to modernize and future-proof its hybrid fiber-coax (HFC) network in preparation for the next generation of high-speed digital products and services. By upgrading its network to CableLabs DOCSIS® 3.1 technology, Telia Norway will be able to not only greatly improve the broadband experience for its current customers but also ensure that it stays ahead of their broadband needs for years to come.

“This is a large and important program for us, where we will invest a lot in the years ahead,” said Pål Rune Kaalen, Telia Norway Director of the Private Market. “Through the program, we are greatly expanding the speed, capacity and stability of today's network—something our new broadband product is a good example of. For us, this technology represents the broadband of the future.”

As part of this large-scale modernization push, Telia Norway plans to continue investing in its HFC infrastructure with a goal of upgrading more than 300,000 homeowners to the new DOCSIS technology by 2023. The inherent flexibility of the DOCSIS technology will allow for a cost-effective upgrade without digging new trenches and negatively impacting the environment—or the bottom line. And that’s what the broadband of the future is all about.

Check out the full press release on Telia's news site (Norwegian).

HFC Network

The Cable Security Experience

Steve Goeringer
Distinguished Technologist, Security

Aug 31, 2020

We’ve all adjusted the ways we work and play and socialize in response to COVID. This has increased awareness that our broadband networks are critical – and they need to be secure. The cable industry has long focused on delivering best-in-class network security and we continue to innovate as we move on towards a 10G experience for subscribers.

CableLabs® participates in both hybrid fiber coaxial (HFC) and passive optical network (PON) technology development. This includes the development and maintenance of the Data Over Cable Service Interface Specification (DOCSIS®) technology that enables broadband internet service over HFC networks. We work closely with network operators and network equipment vendors to ensure the security of both types of networks. Let’s review these two network architectures and then discuss the threats that HFC and PON networks face. We’ll see that the physical media (fiber or coax) doesn’t matter much to the security of the wired network. We’ll discuss the two architectures and conclude by briefly discussing the security of the DOCSIS HFC networks.

A Review of HFC and PON Architectures

The following diagram illustrates the similarities and differences between HFC and PON.

[Diagram: HFC and PON network architectures]

Both HFC and PON-based FTTH are point-to-multipoint network architectures, which means that in both architectures the total capacity of the network is shared among all subscribers on the network. Most critically, from a security perspective, all downlink subscriber communications in both architectures are present at the terminating network element at the subscriber – the cable modem (CM) or optical network unit (ONU). This necessitates protections for these communications to ensure confidentiality.

In an HFC network, the fiber portion is between a hub or headend that serves a metro area (or portion thereof) and a fiber node that serves a neighborhood. The fiber node converts the optical signal to radio frequency, and the signal is then sent on to each home in the neighborhood over coaxial cable. This hybrid architecture enables continued broadband performance improvements to support higher user bandwidths without the need to replace the coaxial cable throughout the neighborhood. It’s important to note that the communication channels to end users in the DOCSIS HFC network are protected, through encryption, on both the coaxial (radio) and fiber portions of the network.

FTTH is most commonly deployed using a passive optical networking (PON) architecture, which uses a shared fiber down to a point in the access network where the optical signal is split using one or more passive optical splitters and transmitted over fiber to each home. The network element on the network side of this connection is an Optical Line Terminal (OLT) and at the subscriber side is an ONU. There are many standards for PON. The two most common are Gigabit Passive Optical Networks (GPON) and Ethernet Passive Optical Networks (EPON). An interesting architecture option to note is that CableLabs developed a mechanism that allows cable operators to manage EPON technology the same way they manage services over the DOCSIS HFC network – DOCSIS Provisioning of EPON.

In both HFC and PON architectures, encryption is used to ensure the confidentiality of the downlink communications. In DOCSIS HFC networks, encryption is used bi-directionally by encrypting both the communications to the subscriber’s cable modem (downlink) and communications from the subscriber’s cable modem (uplink). In PON, bi-directional encryption is also available.

Attacker View

How might an adversary (a hacker) look at these networks? There are four attack vectors available to adversaries in exploiting access networks:

  • Adversaries can directly attack the access network (e.g., tapping the coax or fiber cable).
  • They may attack a customer premises equipment (CPE) device from the network side of the service, typically referred to as the wide area network (WAN) side.
  • They may attack the CPE device from the home network side, or the local area network (LAN) side.
  • And they may attack the network operator’s infrastructure.

Tapping fiber and tapping coaxial cable are both practical. In fact, tools to allow legitimate troubleshooting and management by authorized technicians abound for both fiber and coaxial cables. It is incorrect to assume that fiber tapping is difficult or highly technical relative to tapping a coaxial cable. You can easily find several examples on the internet of how this is simply done. Depending on where the media is accessed, all user communications may be available on both the uplink and downlink side. However, both HFC and PON networks support having those communications encrypted, as highlighted above. Of course, that doesn’t mean adversaries can’t disrupt the communications. They can do so in both cases. Such disruption, however, is limited to the houses passed on that specific fiber or coaxial cable; the attack is local and doesn’t scale.

For the other attack vectors, the risks to HFC or PON networks are equivalent. CPE and network infrastructure (such as OLTs or CMTSs) must be hardened against both local and remote attacks regardless of transport media (e.g., fiber, coax).

Security Tools Available to Operators

In both HFC and PON architectures, the network operator can provide the subscriber with an equivalent level of network security. The three primary tools to secure both architectures rely on cryptography. These tools are authentication, encryption, and message hashing.

  • Authentication is conducted using a secret of some sort. In the case of HFC, challenge and response are used based on asymmetric cryptography as supported by public key infrastructure (PKI). In FTTH deployments, mechanisms may rely on pre-shared keys, PKI, EAP-TLS (IETF RFC 5216) or some other scheme. The authentication of endpoints should be repeated regularly, which is supported in the CableLabs DOCSIS specification. Regular re-authentication increases the assurance that all endpoints attached to the network are legitimate and known to the network operator.
  • Encryption provides the primary tool for keeping communications private. User communications in HFC are encrypted using cryptographic keys negotiated during the authentication step, using the DOCSIS Baseline Privacy Interface Plus (BPI+) specifications. Encryption implementation for FTTH varies. In both HFC and PON, the most common encryption algorithm used today is AES-128.
  • Message hashing ensures the integrity of messages in the system, meaning that a message cannot be changed without detection once it has been sent. Sometimes this capability is built into the encryption algorithm. In DOCSIS networks, all subscriber communications to and from the cable modem are hashed to ensure integrity, and some network control messages receive additional hashing.
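
The authentication and message-hashing bullets above can be made concrete with a short sketch. This is an added example, not code from CableLabs or from any DOCSIS or PON specification: it models the pre-shared-key case mentioned for FTTH, uses HMAC-SHA256 as a stand-in for whatever algorithms a real deployment specifies, and leaves encryption out. The class names, the `REAUTH_INTERVAL_S` value and the device identifier are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

REAUTH_INTERVAL_S = 3600  # assumed operator policy, not a value from any specification


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed fields so field boundaries cannot be shifted."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


class Endpoint:
    """Subscriber-side device holding a pre-shared key (hypothetical model)."""

    def __init__(self, device_id, psk):
        self.device_id = device_id
        self._psk = psk
        self._session_key = None

    def respond(self, challenge):
        # Prove knowledge of the key without sending it; derive a per-session key.
        self._session_key = _mac(self._psk, b"session", challenge)
        return _mac(self._psk, b"auth", self.device_id, challenge)

    def send(self, payload):
        # Attach a keyed hash so any change in transit is detectable.
        return payload, _mac(self._session_key, b"data", payload)


class Headend:
    """Network-side element (hypothetical model) that authenticates endpoints."""

    def __init__(self, provisioned):
        self._psk = dict(provisioned)   # device_id -> pre-shared key
        self._pending = {}              # device_id -> outstanding challenge
        self._sessions = {}             # device_id -> (session key, auth time)

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)  # fresh per attempt
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, response, now):
        nonce = self._pending.pop(device_id, None)  # each challenge is single use
        psk = self._psk.get(device_id)
        if nonce is None or psk is None:
            return False
        expected = _mac(psk, b"auth", device_id, nonce)
        if not hmac.compare_digest(expected, response):
            return False
        self._sessions[device_id] = (_mac(psk, b"session", nonce), now)
        return True

    def accept(self, device_id, payload, tag, now):
        session = self._sessions.get(device_id)
        if session is None:
            return "unauthenticated"
        key, authenticated_at = session
        if now - authenticated_at >= REAUTH_INTERVAL_S:
            del self._sessions[device_id]  # force a new challenge/response
            return "reauth-required"
        if not hmac.compare_digest(_mac(key, b"data", payload), tag):
            return "bad-tag"
        return "ok"


def demo():
    """Run the exchange on constructed data and return each outcome."""
    psk = secrets.token_bytes(32)
    head = Headend({b"onu-01": psk})
    onu = Endpoint(b"onu-01", psk)
    authed = head.verify(b"onu-01", onu.respond(head.challenge(b"onu-01")), now=0)
    payload, tag = onu.send(b"constructed upstream frame")
    rogue = Endpoint(b"onu-01", secrets.token_bytes(32))  # right name, wrong key
    return {
        "authenticated": authed,
        "intact": head.accept(b"onu-01", payload, tag, now=60),
        "tampered": head.accept(b"onu-01", payload + b"!", tag, now=60),
        "rogue": head.verify(b"onu-01", rogue.respond(head.challenge(b"onu-01")), now=90),
        "expired": head.accept(b"onu-01", payload, tag, now=REAUTH_INTERVAL_S),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```
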

It is important to understand where in the network these cryptography tools are applied. In DOCSIS HFC networks, user communications are protected between the cable modem and the CMTS. If the CMTS functionality is provided by another device such as a Remote PHY Device (RPD) or Remote MACPHY Device (RMD), DOCSIS terminates there. However, the DOCSIS HFC architecture provides authentication and encryption capabilities to secure the link to the hub as well. In FTTH, the cryptographic tools provide protection between the ONU and the OLT. If the OLT is deployed remotely as may be the case with RPDs or RMDs, the backhaul link should also be secured in a similar manner.

The Reality – Security in Cable

The specifications and standards that outline how HFC and PON should be deployed provide good cryptography-based tools to authenticate network access and keep both network and subscriber information confidential. The security of the components of the architecture at the management layer may vary per operator. However, operators are very adept at securing both cable modems and ONUs. And, as our adversaries innovate new attacks, we work on incorporating new capabilities to address those attacks – cybersecurity innovation is a cultural necessity of security engineering!

Building on more than two decades of experience, CableLabs continues to advance the security features available in the DOCSIS specification, soon enabling new or updated HFC deployments to be even more secure and ready for 10G. The DOCSIS 4.0 specification has introduced several advanced security controls, including mutual authentication, perfect forward secrecy, and improved security for network credentials such as private keys. Given our strong interest in both optical and HFC network technologies, CableLabs will ensure its own specifications for PON architectures adopt these new security capabilities and will continue to work with other standards bodies to do the same.

HFC Network

Managing Network Quality and Capacity With Proactive Network Maintenance

Jason Rupe
Principal Architect

Aug 28, 2020

You probably know that Proactive Network Maintenance (PNM) is about finding and fixing problems before they impact the customer to ensure highly reliable and available cable broadband services. But the other side of PNM is about managing the capacity or bandwidth available in the network. PNM may have started with the former concept in mind, but the latter is becoming more important as we rely on higher amounts of capacity at the edge. As the world adjusts to life during the COVID-19 pandemic, access network capacity is becoming even more critical. PNM is an important toolset for network capacity management, and CableLabs is helping operators manage network quality and capacity together.

Network condition impacts network capacity. Network impairments, a broad class of failures and flaws in the ability of a network to carry data, have to be addressed before they lead to service failure. The DOCSIS® protocol is a method for sending data over multiple radio frequencies in hybrid fiber-coax networks, and comes with several resiliency mechanisms, like profile management, that help service continue in spite of impairments, to a point. These impairments in the cable plant may impact a few or all frequencies. Impairments that impact specific frequencies may or may not be possible to compensate for on those frequencies. If severe, the impairment may impact the data carried on those frequencies entirely, leading to correctable or even uncorrectable data errors. If not severe, profiles may be able to adjust to lower modulation orders to allow less data to be reliably carried than otherwise. Impairments that impact a larger number of frequencies of course have a greater impact on the bandwidth the network can carry. In any case, impairments impact the capacity that the operator can get from the access network.

For example, consider that operators often place upstream bandwidth into lower frequencies, near where radio and electrical interference can enter the network through damaged cable or loose connectors. Upstream profiles can help make these frequencies useful when otherwise impaired; PNM can help operators find, work around, and fix ingress issues before they impact service. If the cable is damaged in multiple places (or say water gets into the cable due to wind causing it to move and get loose or damaged) then multiple frequencies can be impacted. But DOCSIS mechanisms help services be robust to these problems, and PNM can alert the operator to the problem, allowing a proactive fix.

PNM is a practical set of tools for network operators to manage network conditions, which becomes even more important as we move toward higher utilization of the access network capacity. As demand for bandwidth increases at the edge, PNM becomes an important network capacity management tool for network providers. The difference between a perfect network and one with flaws felt by customers begins to shrink. PNM begins to be an imperative; it is “table stakes” for maintaining communications services and managing the capacity of the network.

For almost all of us, we share our connection to the internet and our communication services whether fiber or coaxial cable is the final connection to the home. Over the years, DOCSIS has grown to provide much higher data rates over a shared medium, in addition to adding resiliency. Cable Modem Termination Systems (CMTSs) enable the network resources to be shared efficiently, so that we all have access to better communications through economies of scale, allowing us all to take advantage of the capacity available. Service providers can manage the network capacity with a number of methods to make sure service needs are met, PNM being one of those mechanisms.

CableLabs has been working with these issues in mind for some time. In July of 2019, I wrote on the subject of 10G and reliability, pointing out that higher bandwidth solutions closer to the customer will be required for 10G. Then, in August, I wrote on the subject of reliability from a cable perspective and pointed out that the impairments addressed through PNM impact capacity. So, we see that reliability and network capacity are closely coupled. As we move toward higher bandwidth services, expand the utilization of frequencies and further push the limits of technology, reliable and sufficient bandwidth become highly coupled. Therefore, so do the tools that network providers use to manage these service qualities. CableLabs is working on solutions to help operators succeed in this reality.

Latency

Rise of Cloud Gaming – Meeting the Challenges for ISPs

Matt Schmitt
Principal Architect

Barry Ferris
Senior Product Manager

Aug 26, 2020

Light Reading recently posted an article titled "Operators need to prepare for the game-streaming tsunami" which talks about a new wave of game streaming services (aka cloud gaming services) that are on the way. The article points out that the network demands these services require are completely different from anything cable operators have had to deal with before: cable operators cannot simply assume the work that was done previously in order to better support video streaming will be sufficient to effectively support game streaming. They warn that ISPs should get ahead of the network demands of the new game streaming services or replay the pain of the past. We are all familiar with the exasperation of watching the spinning loading “ball” in the middle of our favorite movie scene; imagine the frustration when things suddenly lock up or lag in the middle of an intense game.

Here at CableLabs, we agree with Light Reading’s assessment of the importance of readying operator networks for the impact of game streaming services. Although cloud gaming is still in its early adoption phase, Sandvine’s May 2020 Phenomena Report shows NVidia’s GeForce Now game streaming service in the top 10 gaming traffic generators.

The good news is that CableLabs has been building and testing latency and congestion management solutions for some time, including one that is well-tailored to game streaming. The suite of features developed by CableLabs and our industry partners, known as Low Latency DOCSIS® (LLD), can provide better customer experiences for both current multiplayer online gaming and emerging cloud gaming performance services.

An early observation of the low latency team at CableLabs was that different applications have different traffic patterns and needs, which ultimately require different solutions for reducing and managing latency. This is true even between seemingly related applications like online gaming and game streaming:

  • Multiplayer online gaming uses very low data rates (~150kbps) but can be very sensitive to latency and jitter (variations in latency).
  • Game Streaming – running the game on a remote server and streaming it to an end device – is also very sensitive to latency and jitter, but also requires high data rates on the order of tens of megabits per second, and cannot be buffered since it’s played in real-time.

Latency for online gaming comes not from a lack of capacity – since the data rates are very low – but rather from gaming traffic getting caught behind other types of traffic that aren’t latency sensitive. Therefore, LLD employs tools to keep that gaming traffic from getting stuck without impacting other traffic negatively.

Game streaming, because of the high data rates involved, requires the addition of something more: the ability to sense and adapt to changing capacity at any bottleneck along the network path. This is why support for Low Latency, Low Loss, Scalable Throughput (L4S) is a part of LLD technology. L4S technology builds on the mechanisms developed for online gaming by enabling the network to provide precise feedback to applications about impending congestion. If implemented by an application at both ends of a network connection as well as any bottleneck points in between, it permits the application to send at high data rates while maintaining consistent low latency.

Therefore, by deploying DOCSIS equipment that supports the LLD feature set – including L4S support – cable operators will be able to provide the very best game streaming experience as soon as those services incorporate L4S support.

While gamers will be thrilled with this, LLD technology doesn't just apply to gaming: when implemented by application developers, it will also enable improved service for work-from-home applications like video conferencing, making DOCSIS based cable systems the platform of choice for these demanding applications. That’s why latency is one of the pillars of the cable industry’s 10G Platform.

Even better, availability of DOCSIS equipment that supports LLD is just around the corner. CableLabs has been actively working jointly with equipment suppliers to bring these features to market as soon as possible via software updates to their existing DOCSIS 3.1 equipment. We’ve seen support for these features rapidly evolve, and we will continue to support the industry in getting these features deployed in live networks. We’re always interested in working with more partners on testing and validation of these emerging technologies and applications, so please reach out to us here at CableLabs if you’d like to get involved or learn more.

There is a tsunami coming, but with preparation, it will be a tsunami of awesome.

Security

EAP-CREDS: Enabling Policy-Oriented Credential Management in Access Networks

Massimiliano Pala
Principal Security Architect

Aug 20, 2020

In our ever-connected world, we want our devices and gadgets to be always available, independently from where or which access networks we are currently using. There’s a wide variety of Internet of Things (IoT) devices out there, and although they differ in myriad ways – power, data collection capabilities, connectivity – we want them all to work seamlessly with our networks. Unfortunately, it can be quite difficult to enjoy our devices without worrying about getting them securely onto our networks (onboarding), providing network credentials (provisioning) and even managing them.

Ideally, the onboarding process should be secure, efficient and flexible enough to meet the needs of various use cases. Because IoT devices typically lack screens and keyboards, provisioning their credentials can be a cumbersome task: Some devices might be capable of using only a username and a password, whereas others might be able to use more complex credentials such as digital certificates or cryptographic tokens. For consumers, secure onboarding should be easy; for enterprises, the process should be automated and flexible so that large numbers of devices can be quickly provisioned with unique credentials.

Ideally, at the end of the process, devices should be provisioned with network-and-device specific credentials, directly managed by the network and unique to the device so that compromises impact that specific device on that specific network. In practice, the creation and installation of new credentials is often a very painful process, especially for devices in the lower segment of the market.

It’s Credentials Management, Not Just Onboarding 

After a device is successfully “registered” or “onboarded”, the missing piece, which has been and continues to be ignored, is how to manage these credentials. Even when devices allow for configuring them, their deployments tend to be “static” and they rarely get updated. There are two reasons for this: The first reason is the lack of security controls, typically on smaller devices, to set these credentials, and the second, and more relevant, reason is that users rarely remember to update authentication settings. According to a recent article, even in corporate environments, “almost half (47%) of CIOs and IT managers have allowed IoT devices onto their corporate network without changing the default passwords” even though another CISO survey has found that “ ... almost half (47%) of CISOs were worried about a potential breach due to their organization’s failure to secure IoT devices in the workplace.”

At CableLabs we look at the problem from many angles. In particular, we focus on how to provide network credentials management that (a) is flexible, (b) can enforce credentials policies across devices and (c) does not require additional discovery mechanisms.

EAP-CREDS: The Right Tool for the Specific Task 

The IEEE Port-Based Network Access Control (802.1x) provides the basis for access network architectures to allow entities (e.g., devices, applications) to authenticate to the network even before being granted connectivity. Specifically, the Extensible Authentication Protocol (EAP) provides a communication channel in which various authentication methods can be used to exchange different types of credentials. Once the communication between the client and the server has been secured via a mechanism such as EAP-TLS or EAP-TEAP, our work (EAP-CREDS) uses the “extensible” attribute of EAP to include access network credentials management.

EAP-CREDS implements three separate phases: initialization, provisioning and validation. In the initialization phase, the EAP server asks the device to list all credentials available on the device (for the current network only) and, if needed, initiates the provisioning phase during which a credentials provisioning or renewal protocol supported by both parties is executed.  After that phase is complete, the server may initiate the validation phase (to check that the credentials have been successfully received and installed on the device) or declare success and terminate the EAP session.

To keep the protocol simple, EAP-CREDS comes with specific requirements for its deployment:

  • EAP-CREDS cannot be used as a stand-alone method. It’s required that EAP-CREDS is used as an inner method of any tunneling mechanism that provides secrecy (encryption), server-side authentication and, for devices that already have a set of valid credentials, client-side authentication.
  • EAP-CREDS doesn’t mandate (or provide) a specific protocol for provisioning or managing the device credentials because it’s meant only to provide EAP messages for encapsulating existing (standard or vendor-specific) protocols. In its first versions, however, EAP-CREDS also incorporated a Simple Provisioning Protocol (SPP) that supported username/password and X.509 certificate management (server-side driven). The SPP has been extracted from the original EAP-CREDS proposal and will be standardized as a separate protocol.

 


Figure 2 - Two EAP-CREDS sessions. On the left (Figure 2a), the server provisions a server-generated password (4 msgs). On the right (Figure 2b), the client renews its certificate by generating a PKCS#10 request; the server replies with the newly issued certificate (6 msgs).

 

When these two requirements are met, EAP-CREDS can manage virtually any type of credentials supported by the device and the server. An example of early adoption of the EAP-CREDS mechanism can be found in Release 3 of the CBRS Alliance specifications, where EAP-CREDS is used to manage non-USIM based credentials (e.g., username/password or X.509 certificates) for authenticating end-user devices (e.g., cell phones). Specifically, CBRS-A uses EAP-CREDS to transport the provisioning messages from the SPP to manage username/password combinations as well as X.509 certificates. The combination of EAP-CREDS and SPP provides an efficient way to manage network credentials.

SPP and EAP-CREDS: Flexibility and Efficiency 

To understand the specific type of messages implemented in EAP-CREDS and SPP, let’s look at Figure 2a which shows a typical exchange between an already registered IoT device and a business network.

In this case, after successfully authenticating both sides of the communication, the server initiates EAP-CREDS and uses SPP to deliver a new password. The total number of messages exchanged in this case is between four (when server-side generation is used) and six (when co-generation between client and server is used). Figure 2b provides the same use-case for X.509 certificates where co-generation is used.

One of the interesting characteristics of EAP-CREDS and SPP is their flexibility and ability to easily accommodate solutions that, today, need to go through more complex processes (e.g., OSU registration). For instance, SPP can also be used to register existing credentials in two ways. Besides using an authorization token during the initialization phase (i.e., any kind of unique identifier, whether a signed token or a device certificate), devices can also register their existing credentials (e.g., their device certificate) for network authentication.

Policy-Based Credentials Management 

As we’ve seen, EAP-CREDS delivers an automatic, policy-driven, cross-device credentials-management system and its use can improve the security of different types of access networks: industrial, business and home.

For the business and industrial environments, EAP-CREDS provides a cross-vendor standard way to automate credentials management for large numbers of devices (not just IoT), thus making sure that (a) no default credentials are used, (b) the credentials that are used are regularly updated and (c) credentials aren’t shared with other (possibly less secure) home environments. For the home environment, EAP-CREDS provides the possibility to make sure that the small IoT devices we’re buying today aren’t easily compromised because of weak and static credentials and provides a complementary tool (for 802.1x-enabled networks only) to consumer-oriented solutions like the Wi-Fi Alliance’s DPP.
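
The three phases and the tunnel requirement described earlier, combined with the policy goals above, as an added example that is not CableLabs code: a simplified Python model in which the server refuses to run outside a protective tunnel, provisions a server-generated password when the device's credential is a default or older than a set limit, and then validates it. The class names, the HMAC-based validation step and the 90-day limit are assumptions for illustration, not the EAP-CREDS or SPP message format.

```python
# Added example: simplified model of an EAP-CREDS server session.
# The phases and tunnel requirements follow the article; every class, field and
# phase label is a hypothetical stand-in, not the EAP-CREDS wire format.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Tunnel:
    """Security properties of the outer method (e.g. EAP-TLS or EAP-TEAP)."""
    encrypted: bool
    server_authenticated: bool
    client_authenticated: bool


@dataclass
class Credential:
    """One password the device holds for the current network."""
    issued: date
    is_default: bool = False


@dataclass
class Device:
    creds: list = field(default_factory=list)
    secret: str = "admin"  # constructed factory default

    def list_credentials(self):
        # Initialization: report credentials for the current network only.
        return list(self.creds)

    def install(self, secret, today):
        # Provisioning: replace the old password with the server-generated one.
        self.secret = secret
        self.creds = [Credential(issued=today)]

    def prove(self, challenge):
        # Validation (assumed mechanism): show possession without sending the secret.
        return hmac.new(self.secret.encode(), challenge, hashlib.sha256).digest()


def run_session(tunnel, device, today, max_age=timedelta(days=90)):
    """Return the list of phases the server executed for this device."""
    # Requirement: EAP-CREDS only runs inside a tunnel with secrecy and server auth.
    if not (tunnel.encrypted and tunnel.server_authenticated):
        raise PermissionError("tunnel lacks encryption or server authentication")
    phases = ["init"]
    listed = device.list_credentials()
    # Requirement: a device that already holds credentials must authenticate too.
    if listed and not tunnel.client_authenticated:
        raise PermissionError("device with credentials must authenticate to the tunnel")
    # Policy: no default credentials, and nothing older than max_age.
    stale = [c for c in listed if c.is_default or today - c.issued > max_age]
    if listed and not stale:
        return phases + ["success"]
    new_secret = secrets.token_urlsafe(24)
    device.install(new_secret, today)
    phases.append("provision")
    challenge = secrets.token_bytes(16)
    expected = hmac.new(new_secret.encode(), challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(device.prove(challenge), expected):
        raise RuntimeError("device did not install the new credential")
    phases.append("validate")
    return phases + ["success"]


if __name__ == "__main__":
    today = date(2020, 8, 20)  # constructed date
    camera = Device(creds=[Credential(issued=date(2019, 1, 1), is_default=True)])
    print(run_session(Tunnel(True, True, True), camera, today))
```

Running the same session a second time on the same day skips provisioning, because the policy finds nothing stale.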

If you’re interested in further details about EAP-CREDS and credentials management, please feel free to contact us and start something new today!

Energy

Energy Efficiency Voluntary Agreements Helped Pave the Way for Increased Remote Access

Debbie Fitzgerald
Technology Policy Director

Aug 19, 2020

We’re enduring crazy times in 2020! Because of COVID-19, the world has shifted to learning, working and playing at home for months at a time—and residential cable networks have successfully handled the load. One key reason that networks have managed so well is because cable service providers build for the future: The majority of cable networks were well-positioned to deliver the necessary downstream and upstream data to customers who are now conducting much of their day remotely over the network.

How do energy efficiency voluntary agreements play a role? One major advantage to the voluntary approach is the New Feature Allowances Process, which enables operators and manufacturers to innovate and evolve their networks and consumer devices without being constrained by regulation. An example is the Small Network Equipment Voluntary Agreement (SNE VA) adopted by the United States in 2015 (Canada also established a similar agreement late last year). In the 4 years that the SNE VA has been in place, average broadband download speeds have nearly quadrupled and consumer devices have evolved significantly, such as cable modems migrating from DOCSIS 3.0 to 3.1 to deliver faster download speeds. In addition, Wi-Fi devices have evolved to use more radios with more spatial streams and capabilities to deliver increased Wi-Fi capacity within the home. The New Feature Allowances Process provides the ability to define new features that may require additional power, which—in the case of small network equipment—allowed operators to roll out devices early to meet the increased demand due to COVID-19 when consumers needed it the most.

And, according to the recently released US SNE VA annual report, the energy consumption of these devices has remained stable, as demonstrated in the figure below.


In fact, the independent administrator for the voluntary agreements, D+R International, reported that the energy efficiency[1] of integrated access devices (modems with Wi-Fi routers and/or embedded phone support) has improved by 70 percent since the beginning of the SNE VA in 2015.

The US SNE VA was also recognized by the Global Commission For Urgent Action on Energy Efficiency as an “Exemplar Policy” program in this recent report.

U.S. Set-Top Box Voluntary Agreement (US STB VA)

The US STB VA report also shared good news, finding that the national set-top box annual energy consumption has declined by 46 percent since the beginning of the VA in 2012, even as functionality and features of set-top boxes have improved.

 

The STB VA saved 14.7 TWh in 2019, which is nearly equivalent to the power generated by five coal-run power plants in a year, and saved consumers over $1.9 billion on their utility bills.  This is enough electricity to power ALL the homes in California for a full 7 months!


Canadian Energy Efficiency Voluntary Agreement (CEEVA)

Even though CEEVA has been around for only 3 years, Canada is making great strides as well, as detailed in its most recent CEEVA Annual Report.  The average weighted energy consumption of purchased set-top boxes has decreased by 44 percent over the 3 years that CEEVA has been in place. This significant decline is due to a number of reasons:

  • Deployment of whole-home architectures that enable customers to view recorded content throughout the home with just one personal video recorder (PVR)
  • Deployment of cloud-based recording that eliminates the need for any PVR in the home, and PVRs generally consume more power than non-PVRs
  • Improvement in set-top box energy efficiency

 

As we reported in December 2019, Canada stood up a new CEEVA agreement for small network equipment that went into effect in 2020, but the first report won’t be out until next year.

CableLabs is proud to be part of these highly successful voluntary agreements that afford new innovative features, greater functionality and the capability to deliver high-quality services to consumers in an energy-efficient manner.

[1] Energy efficiency of network equipment is measured in terms of energy per consumed bit.  In the US SNE VA report, the unit of measure is Watts/Mbps.

Security

Maintaining Confidentiality in the 10G Network

Andy Dolan
Senior Security Engineer

Aug 4, 2020

The 10G platform will offer almost limitless opportunities for innovation and new experiences in the home, bolstering the capabilities of the Internet of Things (IoT) landscape. While the volume of data that passes over cable technologies continues to grow, the classification of private and confidential boundaries continues to change.

Moreover, security is an abstract topic, particularly in the sense of the assurance it provides. We expect security to be present, but in a way that we don’t need to think about; we expect the assurance of security to be seamless. Behind the scenes, security is a constant source of innovation to make that seamless protection possible in the face of an ever-changing set of vulnerabilities, threats and exploits. The frequent application of the phrase “arms race” to describe that innovation is appropriate. Addressing confidentiality is a key pillar in the 10G security platform; it ensures that user data continues to be protected as new possibilities and services become available.

Brief Review: What Is Confidentiality?

Last fall, CableLabs produced a set of blog posts covering the security pillars of confidentiality, integrity and availability. Confidentiality ensures that access to resources such as hardware components, sensor data or private information is only granted to authorized actors, whether they’re users or processes. Authorization is part of the mechanism that enables confidentiality as the barrier between the actor and resource.

What are the primary ways that we can keep information confidential? We’re going to focus on two techniques applied to information:

  • Encryption: Using algorithms to render information unreadable without the proper materials (keys) to decrypt it.
  • Separation and Isolation: Putting barriers in place that must be traversed before gaining access to information.

In addition, there are some threats against confidentiality, including vulnerabilities in encryption algorithms, exploits that can circumvent authorization mechanisms, and, of course, there’s the possibility of quantum computing right around the corner. To stay ahead of the curve, we must continue to innovate to meet these threats.

Where Confidentiality Counts: The Network

Confidentiality is key when it comes to the amount of data that passes between machines. Even over the past 5 years, the data that we consider to be critical in terms of confidentiality has evolved beyond simply what we’re browsing or streaming. It’s also about what our devices are doing.

In the age of the IoT, where every device is connected and often eager to capture the aspects of our environment or actions it invokes, confidentiality also applies to the data that is shared between devices and their cloud services. A great amount can be garnered from the passive observations and actions of smart devices as they’re used over time, including behaviors typical of users interacting with them (e.g., when the smart coffee pot is typically started in the morning). Protecting such data at home is particularly paramount during these unprecedented times of increased “work-from-home” routines.

Continuing to Ensure Confidentiality on the Network

Since its inception in 1997, the DOCSIS® specification (and later the extended DOCSIS® security specification) has implemented encryption to ensure that user data is protected from eavesdropping on the cable network. Over the years, changes to encryption algorithms and key sizes have been enacted in DOCSIS in line with the recommendations and best practices of industry and standards organizations.

As the threats against confidentiality continue to be revealed in the world of 10G, CableLabs will continue to adapt to the cryptographic standards and recommendations of such groups through updates to specifications and best practices. Future innovations in encryption technologies will continue to accommodate the incredible power of the 10G network while ensuring the confidentiality of the data that is carried over it.

Maintaining Confidentiality in the Age of the Smart Home

A major evolution in the architecture of the Internet that has come about in only the past decade has been the advent of the IoT. As noted before, confidential data and its privacy implications are now more prevalent than ever, even within only a single smart home. In addition, it may be possible for one compromised smart device to act as a starting point for further intrusions of other devices or points in the home; how can we utilize separation to protect against such a scenario?

Enter CableLabs Micronets, a system that can dynamically organize devices into different groups and provide network separation among them. With this system enabled on your home (or work) networks, one compromised device doesn’t directly provide an attacker with the possibility to target other devices and/or confidential data they may have stored or transmitted over the network.

As for confidentiality when devices talk to each other, CableLabs continues to engage with standards organizations such as OCF to draft standards that ensure the secure operation (and interoperation) of IoT devices, as well as device interactions with cloud services.

Conclusions

The opportunities that the 10G platform will provide are immense in both promise and scope, allowing previously infeasible technologies to be brought to the forefront to provide new classes of products and services.

In light of these great innovations, we must remain cognizant when it comes to the confidentiality of our resources and the protection of user data. As the “arms race” continues, we will continue innovating and staying one step ahead. That’s the speed of security.

