Achieve Seamless Access with Converged Access Edge Controller (CAEC)

Arun Yerra
Principal Mobile Network Architect

Dec 9, 2021

Imagine a world in which end users no longer worry about which network they’re connected to because the most optimal connectivity for any given moment is automatically provided. This connectivity consists of one or more seamlessly combined network connections, intelligently customized by a multitude of factors, such as application requirements, user priority and network status. CableLabs believes convergence will be the driving force in making this world a reality and is working on solutions to enable it. Converged Access Edge Controller (CAEC) is one of those solutions.

How Does CAEC Work?


CAEC facilitates the converged use of HFC, Wi-Fi and mobile access technologies to optimize the use of network assets to deliver a seamless user experience. The controller dynamically switches, steers, or splits subscribers' data traffic across the available access links based on subscribers' device capabilities, subscription profile and real-time telemetry data of each access link, such as utilization and link quality.

For example, CAEC can be programmed to optimize the transport cost without degrading the perceived user experience. Households closer to the mobile site could primarily be served via the wireless access link; CAEC will transparently switch them to the HFC access link in the event of temporary congestion on that site to avoid degradation in the user experience. Similarly, households farther away from the mobile site could primarily be served via the HFC network, and CAEC could split the traffic between HFC and wireless upon onset of congestion in the HFC infrastructure. In another use case, the CAEC algorithm can be optimized to provide an instantaneous bandwidth boost by combining the available accesses based on device and subscription policies.

CAEC’s Modular and Extensible Architecture

CAEC offers powerful, near real-time traffic bonding, steering, and splitting capabilities across multiple access technologies managed by a single operator (i.e., a multiple system operator). CAEC has a microservices-based architecture consisting of three main services: network telemetry, AI/ML inference and traffic control. CAEC’s modular design and open APIs allow it to easily interoperate with and complement other network services. For example, CAEC can be implemented as part of standardized network services such as O-RAN Alliance’s RAN Intelligent Controller (RIC) and 3GPP’s Network Data Analytics Function (NWDAF). The CAEC platform is extensible to run customized machine learning models to identify the patterns in network behavior that are often tough for operators to identify. The platform also provides operators the flexibility to develop and implement their own traffic control algorithms.

There are alternative solutions to provide converged access that aggregate mobile and Wi-Fi traffic on capable client devices. For example, 3GPP has defined an access aggregation specification called Access Traffic Steering, Switching & Splitting (ATSSS). Additionally, several companies are offering cloud-based solutions similar to ATSSS. CAEC can complement these solutions by providing near real-time directions to steer, switch or split the traffic based on a combination of AI/ML models and network intelligence. Converged Access Edge Controller can also provide valuable insights for proactive network maintenance based on real-time statistics analysis and pattern identification within the network.

Learn More

If you need more information or have any further questions, please feel free to reach out to Arun Yerra – Principal Mobile Architect, CAEC Project Lead (


HFC Network

Band Splits 101: Splitting Our Way to 10G

CableLabs Admin

Dec 9, 2021

As consumers’ bandwidth needs continue to grow, cable operators are always thinking of ways to expand their network capacity to accommodate future increases in data traffic—especially upstream traffic. Band splits play an important role in that effort, taking advantage of the incredible resiliency of cable’s hybrid fiber-coaxial (HFC) network.

What Is a Band Split and How Does It Work?

To describe what band splits are, we need to first define bandwidth. The best way to think of bandwidth is as a stretchable pipe that allows radio frequency (RF) signals carrying data to travel through it. So, when we talk about expanding the bandwidth of a network, we’re looking for ways to stretch that pipe to higher frequencies to accommodate more data traffic. The term “bandwidth” is somewhat synonymous with “capacity,” and on cable networks bandwidth is measured in megahertz (MHz) and gigahertz (GHz)—1 GHz is 1,000 times greater than 1 MHz.

The following figure shows several options available for band splits on the cable broadband network, allowing various mixes of upstream and downstream bandwidth depending on the needs of consumers. Frequency Division Duplex (FDD) designates separate bands for upstream and downstream traffic.

Upstream Splits
Note that the bands in the figure aren’t to scale. The red in the middle is the diplex filter used to separate the upstream (US) and downstream (DS) channels.

The bandwidth “pipe” (split into two parts) has data traffic traveling in opposite directions: downstream from your provider’s hub to your modem and upstream from your modem back to the hub. This back-and-forth flow allows you to use interactive services like video chat, teleconferencing, telehealth and more.

Band splits determine how much bandwidth is dedicated to downstream and upstream channels. Downstream traffic is usually transmitted on a high-band frequency range, whereas the lower band is dedicated to upstream traffic. Two-way amplifiers are used to amplify signals in both directions. These amplifiers have something called diplex filters to separate downstream and upstream frequencies to prevent interference.

Usually, consumers use a much larger chunk of the bandwidth pipe for downstream traffic, but that’s starting to change. As people switch to working and studying from home, they’re using more interactive services like video chats, which require more upstream data. To accommodate this trend and future demand, network operators need to consider when to add more upstream bandwidth. For this reason, they may need to rethink the way their networks are split.

What Kind of Band Splits Are There?

Not all band splits are created equal: In North America, there are sub-splits, mid-splits and high-splits, and Europe has its own band split. This situation has to do with how the operator divides the available bandwidth pipe between downstream and upstream traffic.

Although sub-splits are still prevalent in North America today, mid-split and high-split bands require an upgrade. In a sub-split, a spectrum range of 5 MHz to 42 MHz is used for upstream traffic and 54 MHz to 1.2 GHz or 1.8 GHz is for downstream traffic. In a mid-split scenario, 5 MHz to 85 MHz is dedicated for upstream and above 108 MHz for downstream. And high-split extends the upstream range to 204 MHz while reserving 258 MHz and higher frequencies for downstream.

The European split uses an upstream spectrum range of 5 MHz to 65 MHz, and the downstream spectrum range is above 88 MHz. There’s also an ultra-high-split where the upstream goes to a 684 MHz upper-frequency limit that includes even more choices of band-splits, which some operators may consider in the future. However, for most networks in North America, Europe and Latin America, future bandwidth allocations will consist of mid-split and high-split bands, and even some ultra-high-splits.

How Has This Technology Evolved?

If we go back to the early pre-internet days, information on cable networks traveled one way, delivering analog TV signals to millions of homes over coaxial cable, with no data traveling back from the consumer to the hub. Eventually, as consumer needs evolved, so did the industry, and networks began to send signals both ways, to and from the consumer, opening doors to cable broadband Internet, video chatting and much, much more.

As we move toward the next phase of HFC evolution, we must remember that building the super-fast and reliable networks we have today required a lot of collaboration and about $290 billion in infrastructure and network investments over the past 20 years. And that’s just in the United States! For most cable operators, a re-allocation to mid-split, high-split or a mix of the two will require switching out signal amplifiers and other legacy equipment—an investment that many are already making. Although there’s no one-size-fits-all approach, the consensus is to move to at least the mid-split in the near future, further expanding the incredible capacity of the HFC network.

How Will Higher Band Splits Affect You and Your Future?

Although as a consumer you’ll never have to worry about how your cable company’s bandwidth is split between downstream and upstream, we know you pay attention to network speed. The journey from today’s 1G to tomorrow’s 10G offerings will involve expanding the bandwidth pipe to allow for more capacity. More bandwidth will give us more flexibility to accommodate near-future technologies, including bandwidth-hungry virtual reality (VR) applications and more.

That’s where band splitting really makes a difference. Dedicating higher band splits to upstream traffic will future-proof our networks for years to come, allowing us to reach our goals and build the next generation of technologies to help us live, work, learn and play in the coming decades.



The 10G Challenge: How Corning Leverages Technology to Improve How We Work

CableLabs Admin

Nov 30, 2021

CableLabs believes mutually beneficial relationships are crucial to the growth of any business. Whether growing a customer base or reaching a new market, strategic collaboration can deliver value to both parties. To raise awareness about the 10G network, we’ve joined forces with outstanding organizations like Corning to get innovators thinking about how to build technologies that will work on the network of the future with the 10G Challenge. The 10G Challenge is designed to invent a better future that impacts the ways in which we live, work, learn and play.

The “Work” Category, Powered by Corning

In collaboration with Corning, one of the world's leading innovators in materials science, the 10G Challenge’s Work category highlights how the 10G network will enable smart, intuitive technologies that will transform how we collaborate and solve problems in business environments, ultimately boosting creativity and productivity. From 3D remote meetings to immersive demos from countries away, next-generation technologies will make a significant impact on the way we do business.

As an organization, Corning’s growth is fueled by a commitment to innovation. Through sustained investment in research, development and engineering, a unique combination of material and process innovation, and close collaboration with customers to solve tough technology challenges, Corning has spent the last 150-plus years bringing life-changing innovation to the world.

In 1970, Corning invented the first low-loss optical fiber, ushering in a communications revolution. Thanks to Corning’s fiber optics, enormous amounts of data are able to move around the planet, and that movement of data has enabled a barrage of follow-on innovations, including the internet, cloud and mobile technologies, streaming TV, autonomous cars, bitcoin, AI — you name it.

In the five decades since inventing optical fiber to pave the way for the information highway, Corning has continued to introduce new methods, ideas and products aimed at transforming the way we connect with one another and the world around us. From liquid crystal display glass to fiber-to-the-home connectors to revolutionary pharmaceutical glass packaging to whatever comes next, Corning’s participation in the 10G Challenge enables the leading materials science innovator to evolve to meet changing market needs and visualize what the future of work could look like. Even better, by working with CableLabs on the 10G Challenge, Corning will help support individuals and organizations leveraging a new, powerful broadband network to solve real-world problems across work environments.

Encouraging innovators to envision how 10G can help us solve real-world problems, the 10G Challenge showcases the individuals and organizations developing the technologies, services and applications that will rely on the network of the future. By advancing life-changing technologies and supporting the innovators developing new solutions, CableLabs and Corning are excited for what lies ahead and look forward to motivating forward-thinkers to leverage 10G to create a better future for humanity.



Converged Service Management Layer (CSML) Completes the Operations Convergence Puzzle

Rahil Gandotra
Senior Software Architect

Nov 18, 2021

Traditionally, telecommunications networks operate in siloes running specialized physical hardware functions for each domain (radio, access, transport, core, and data center), and they’re managed by proprietary element management systems. Operators who have both wireline and wireless networks, for example, run the networks on separate infrastructures and manage them independently. For that reason, designing, deploying, and operating end-to-end services can involve lengthy and manual processes resulting in longer lead times (weeks to months) until effective service delivery.

But the networks of tomorrow are envisioned to operate multiple different physical and cloud-native functions over a single flexible, programmable convergence platform whose hardware, software and data storage resources are shared across multiple access technologies. And a key building block of convergence is operations convergence, implying a common operations framework for deploying, configuring, and managing network functions constituting a service.

Converged Service Management Layer

The Converged Service Management Layer (CSML) Project

When it comes to solving these challenges, technologies like software-defined networking (SDN) and network functions virtualization (NFV) have already addressed certain pieces of the puzzle. SDN separates the data plane (network traffic) from the control plane (signaling/routing traffic) to enable flexible, coordinated control, and NFV decouples network and service functions from the underlying hardware. In addition, cloud computing provides an efficient means to utilize the infrastructure and make all these goals achievable. But a converged service operator needs to have the ability to model end-to-end services and to abstract and automate the control of physical and virtual resources.

CableLabs’ CSML project—the final puzzle piece in the operations convergence puzzle—began in response to the rising need for a common automation platform for different network lifecycle processes. The CSML implementation consists of an open-source orchestration platform—Open Network Automation Platform (ONAP)—and additional utilities developed by CableLabs to onboard service use cases. The project activities are broadly divided into three categories:

  • Service design involves specifying end-to-end services composed of multiple network functions (NFs) called xNFs. The model-driven approach helps with extending and reusing software artifacts for various use cases.
  • Service deployment involves automated instantiation, modification and removal of network services over both physical and virtual infrastructures.
  • Service assurance involves a vendor-agnostic monitoring and analytics framework for closed-loop management.

The use cases that are currently being designed and developed aim to either improve existing operational processes or demonstrate advanced orchestration and automation capabilities through new service concepts. For example, by converging both service and the underlying network data, operators are able to better extract and exploit the correlations between the two. Advances in machine learning can be applied to this converged data source to drive service automation and assurance features such as proactive network maintenance (PNM), auto-healing, or service resiliency and optimization.

CSML’s Long-Term Goals

The broader goals of the CSML project are to drive the adoption of network automation, virtualization and operations convergence at scale. Also, as the transition to NFV is progressing, the project aims to demonstrate how physical network elements can be harmonized with virtual elements to preserve existing network investments. The use cases demonstrated by the project will provide a blueprint for a flexible, agile service platform, powering both existing and new innovative services while reducing cost and operational complexities.

If you need more information or have any further questions, please feel free to reach out to Rahil Gandotra, Senior SW Architect and Converged Service Management Layer Project Lead (



How Cable Networks Secure Communications

CableLabs Admin

Nov 12, 2021

The email you sent, the website you visited, the internet searches you performed, the internet purchases you just made—they all require strong security to protect against eavesdropping, changes to your messages, and those who would make these services unavailable to you. These service examples demonstrate the foundational triad of security: confidentiality, integrity, and availability.

Securing the confidentiality, integrity, and availability of broadband traffic can be applied at different layers of networking technology. Some messaging applications encrypt traffic (for confidentiality) at the upper levels of the OSI network model (the application, presentation, and session layers), but broadband traffic transits below just those top network layers.

The cable industry’s security technology ensures that the confidentiality, integrity, and availability of cable broadband technology happens at the lowest levels of the networking stack by encrypting the internet packets from cable subscribers’ homes and businesses. This security is provided through the cable industry’s use of its own public key infrastructure (PKI), the same type of security used by banks and the U.S. Department of Defense for their own protection.

The cable industry created and manages a PKI with strong security. The digital keys used in the cable PKI have a very long private key (1024 bits and 2048 bits long) that is unique to each cable modem and part of each cable modem’s digital certificate. Digital certificates securely identify the modem and are used to help encrypt the traffic going to and from that modem. You may think of a digital certificate as a driver’s license for a cable modem to get onto the internet through a cable operator’s broadband network. The information in a digital certificate provides an immutable and mathematically attestable identifier that is embedded during the modem’s manufacture. The cable PKI encryption technology protects each cable network user from having anyone eavesdrop on their internet traffic, change or corrupt their communications, or introduce malware into the cable modem. Cable operators and cable device manufacturers use the cable PKI to securely update and manage cable devices in homes and businesses.

The cable modem and customer premise equipment (CPE) that help homes connect securely to the internet require the same kind of patches and updates that other devices require to drive efficient and secure operation within the configuration required by the network to which they attach. Security specifications support SNMPv3 and TR-069, which are internet standards that provide commercial-grade security with ease of administration, and which include methods for authentication, authorization, access control and privacy in the configuration of devices. In the case of cable equipment, the firmware for these devices can be updated through a special secure channel by the network operator; this channel is secured similarly to how the cable modem establishes its link. Firmware is the collection of all the software, memory, and operations that, akin to the medulla oblongata in the human body, which passes messages between the brain and spinal cord, manages traffic to and from the subscriber home and keeps the modem functioning. The firmware image is digitally signed by both the cable modem manufacturer and the network operator, whose public keys are accepted and recognized by the cable modem; this, and a special secure boot process, help make it increasingly difficult for malicious actors to compromise the device or network.

In addition to the cable PKI security controls, cable networks provide mechanisms to protect the routing and switching of broadband traffic once it leaves the cable broadband subscriber’s home or business. For example, source address verification ensures that origination packets are coming from proper, non-spoofed addresses. Additionally, the cable industry’s DOCSIS® Security provides several methods of filtering traffic, including enabling access control lists and security filters both at the cable modem and at the cable operator’s cable modem termination system, which connects a cable modem to the internet.
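A simplified model of the source address verification described above, added here as an illustration; it is not CableLabs or DOCSIS code. It assumes the filter keeps a per-modem table of addresses learned from DHCP leases plus operator-provisioned static prefixes; the class and function names are hypothetical, and all MAC and IP addresses are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ModemBinding:
    """Addresses one cable modem is allowed to use as a packet source."""
    leased: set = field(default_factory=set)            # learned from DHCP
    static_prefixes: list = field(default_factory=list)  # provisioned by operator


class SavTable:
    """Hypothetical per-modem source address verification table."""

    def __init__(self):
        self._bindings = {}

    def _binding(self, cm_mac):
        return self._bindings.setdefault(cm_mac.lower(), ModemBinding())

    def learn_lease(self, cm_mac, addr):
        self._binding(cm_mac).leased.add(ipaddress.ip_address(addr))

    def release_lease(self, cm_mac, addr):
        self._binding(cm_mac).leased.discard(ipaddress.ip_address(addr))

    def add_static_prefix(self, cm_mac, prefix):
        self._binding(cm_mac).static_prefixes.append(ipaddress.ip_network(prefix))

    def check(self, cm_mac, src):
        """Return (allowed, reason) for an upstream packet from cm_mac."""
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return False, "malformed-source"
        binding = self._bindings.get(cm_mac.lower())
        if binding is None:
            return False, "unknown-modem"
        if ip in binding.leased:
            return True, "dhcp-lease"
        for net in binding.static_prefixes:
            if ip.version == net.version and ip in net:
                return True, "static-prefix"
        # Distinguish "someone else's address" from "nobody's address":
        # the first is the classic spoofing signal worth alerting on.
        if any(ip in b.leased for b in self._bindings.values()):
            return False, "address-bound-to-other-modem"
        return False, "no-binding"


# Constructed sample data (documentation MAC and IP ranges).
M1 = "00:00:5e:00:53:01"
M2 = "00:00:5e:00:53:02"
UNKNOWN = "00:00:5e:00:53:99"

SAMPLE_PACKETS = [
    (M1, "198.51.100.10"),       # M1's own DHCP lease
    (M1, "203.0.113.5"),         # inside M1's static prefix
    (M1, "2001:db8:1::10"),      # M1's IPv6 lease
    (M1, "198.51.100.11"),       # address leased to M2
    (M2, "192.0.2.77"),          # address nobody holds
    (UNKNOWN, "198.51.100.10"),  # modem with no binding at all
]


def build_demo_table():
    table = SavTable()
    table.learn_lease(M1, "198.51.100.10")
    table.learn_lease(M1, "2001:db8:1::10")
    table.add_static_prefix(M1, "203.0.113.0/29")
    table.learn_lease(M2, "198.51.100.11")
    return table


def filter_upstream(table, packets):
    """Apply the SAV check to each (modem MAC, source IP) pair."""
    return [(mac, src) + table.check(mac, src) for mac, src in packets]


if __name__ == "__main__":
    for mac, src, allowed, reason in filter_upstream(build_demo_table(), SAMPLE_PACKETS):
        print(f"{'FORWARD' if allowed else 'DROP':7} {mac} {src:16} {reason}")
```

Logging the drop reason separately lets an operator tell a misconfigured static device (`no-binding`) from a modem sourcing traffic with another subscriber's address.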

The cable industry uses security mechanisms that are broad and robust. These security mechanisms are continuously reviewed and improved as technology changes and security threats to cable broadband subscribers change. You can find more details in these blog posts: The Cable Security Experience and 10G Integrity: The DOCSIS® 4.0 Specification and Its New Authentication and Authorization Framework.

CableLabs continues to work with cable operators and cable device manufacturers to increase cable broadband security beyond providing the encryption technology. These BCPs, developed based on input from cable operators and cable device manufacturers, provide recommended security practices for cable operators and cable manufacturers and are aimed at improving the cybersecurity posture of devices and the networks they connect to. The BCP document strongly aligns with other industry and governmental security recommendations, such as the M3AAWG CPE Best Practices and recent publications from NIST and ENISA. Through continuous strengthening of security tools and practices, the cable industry works to protect its subscribers against those who would seek to eavesdrop, corrupt, or disrupt cable broadband access.

Reference Gateway Device Security Best Common Practices:

Documentation: Gateway Device Security Best Common Practices Version V01

Blog: Raising the Bar on Gateway Device Security


Introducing Evolved Mobile Virtual Network Operator (MVNO) Architectures for Converged Wireless Deployments

Omkar Dharmadhikari
Wireless Architect

Nov 9, 2021

As smartphones and tablets continue to proliferate, seamless connectivity is becoming an integral part of a wireless operator’s service offering—as well as a competitive imperative. Recognizing the evolution of the mobile industry landscape, and driven by the introduction of 5G and the availability of new and innovative spectrum options, CableLabs and its members initiated a technical working group (Dec. 2020-Aug. 2021) to create an evolved architectural blueprint for mobile virtual network operators (MVNOs). The working group’s aim was to explore new converged architectures that will benefit our members’ wireless deployments while highlighting the benefits, impacts to existing deployments and features needed to be supported by both mobile network operator (MNO) and MVNO networks.


Many traditional broadband services providers—also known as multiple system operators (MSOs)—might not own mobile infrastructure but have (or are in the process of negotiating) MVNO arrangements with MNOs. These kinds of arrangements allow them to bundle fixed and mobile broadband services into a single service package. Traditionally, most MSOs adopt a reseller-type “Wi-Fi first” MVNO, where the MVNO doesn’t own any mobile network infrastructure and resells the services leveraging MNO infrastructure.

Emergence of a New MVNO Model


The MVNO models vary based on the amount of mobile network infrastructure that the MVNO owns and the degree of control over the management of different aspects of MVNO subscriptions and their service offerings. One common aspect of all traditional MVNO models is leveraging the radio access network (RAN) of a partner MNO.

With the advent of 5G and the availability of shared spectrum, many MSOs are actively evaluating offload opportunities for enhancing MVNO economics and are contemplating deploying their own mobile radio infrastructure in specific geographic areas (in addition to their substantial Wi-Fi footprint).

Such MSOs now have to contend with three disparate sets of wireless infrastructures:

  • the MSO’s community Wi-Fi network,
  • the MNO’s 4G/5G network, and
  • the MSO’s own 4G/5G network.

This creates a new type of MVNO model called hybrid-MVNO (H-MVNO) that enables MVNOs to offload their subscribers’ traffic from the MNO network—not just to their Wi-Fi networks but also to the MVNO-owned mobile network when inside the coverage footprint of their wireless network(s).

Maximizing data offload via the H-MVNOs’ own wireless assets—thus ensuring a consistent user experience and enforcing uniform and personalized policies as users move in and out of coverage of these three networks—will require the deployment of new converged network architecture and related capabilities.

Dual-SIM Architectures Evaluated by the Technical Working Group

Leveraging dual-SIM devices (devices with the ability to simultaneously connect to two networks) to realize this network convergence is one way for an H-MVNO to maximize the use of its own network. Dual-SIM device usage allows the H-MVNO to leverage the existing reseller-type MVNO arrangements and requires minimum interaction between the H-MVNO and MNO core networks.

However, leveraging the reseller MVNO with dual-SIM capabilities doesn’t offer the H-MVNO any real-time insights into their subscribers’ data usage statistics and patterns. Also, H-MVNOs have no control over policy, subscriptions, mobility or user experience management when their subscribers are outside H-MVNO network coverage.

This formed the basis of evaluating the new evolved Dual-SIM Dual Standby (DSDS) architectures, which leverage standardized 3GPP interfaces to overcome some of the limitations of the traditional reseller MVNO and provide more control to H-MVNOs with regard to policy, subscription and user-experience management by anchoring all subscriber data traffic in a common anchor within the H-MVNO network.

Voice handling with dual-SIM devices can be simplified by leveraging the MNO SIM and network for carrying voice traffic at all times, while prioritizing H-MVNO network (when available) for data traffic.

Single-SIM Architectures Evaluated by the Technical Working Group

Unlike architectures with dual SIMs, single-SIM devices allow the H-MVNO network to enable seamless low-latency mobility for data applications across the MNO and H-MVNO networks. An ideal architecture for offering mobile services with single-SIM device usage is to combine the roaming architecture and a mobility interface, both of which are standardized in 3GPP.

However, due to the targeted nature of H-MVNO mobile deployments, the signaling load can increase on MNO mobility management core network elements, as the H-MVNO subscribers move in and out of H-MVNO network coverage.

To overcome this problem, we evaluated new MVNO architectures that make use of dedicated network elements within the MNO domain to serve H-MVNO subscriber traffic, thereby isolating it from the MNO subscriber traffic and eliminating the increase in signaling load on core network elements that serve MNO subscribers.

In addition, we evaluated voice handling in scenarios where H-MVNOs don’t want to deploy their own voice platforms. One option is to offer voice via a third-party voice service provider; another is to enable additional interfaces between the MNO and the H-MVNO network to leverage the MNO’s voice platform.

Go Deeper

If you have any further questions, please feel free to reach out to the MVNO Interconnect Technical WG Lead, Omkar Dharmadhikari (

For more information, please visit:



CableLabs Launches 10G Challenge: Powering the Future of Broadband Innovation

Phil McKinney
President & CEO

Oct 21, 2021

What will our digital future look like? Presented by CableLabs on behalf of the cable industry, the 10G Challenge aims to answer that question, ultimately advancing innovative technologies and inventing a better future for everyone. CableLabs is committing more than $300,000 USD in prize money to six Challenge winners.

What is the 10G Challenge?

The objective of the 10G Challenge is to inspire people to envision a new, powerful broadband network as a tool to solve real-world problems. The challenge is designed to showcase the individuals and the organizations developing these technologies, services and applications that will rely on the network of the future.

Intended to support the development of those technologies, services and applications, the 10G Challenge is focused on encouraging innovation in four categories: live, work, learn and play. 10G not only provides faster symmetrical speeds but also lower latency, enhanced reliability and better security in a scalable manner. The 10G platform advances device and network performance to remain ahead of consumer demand, providing a broad range of immersive new digital experiences and other emerging technologies that will revolutionize the way we live, work, learn and play.

10G Challenge Industry Experts

The 10G Challenge will be judged, in part, by industry experts from Corning, Mayo Clinic and Zoom — four companies concentrating on leveraging technology to develop innovative new solutions in their industries.

Live (judged, in part, by Mayo Clinic): With health care being one of the largest and most significant industries in which technology can make a sizable impact, advanced technologies can help improve numerous aspects of our health and well-being. This video contains more information on what the future of health care could look like.

Work (judged by Corning): As we’ve learned over the past year-plus, smart, intuitive technologies are not only transforming how we collaborate and solve problems, but they are also boosting creativity and productivity at work. This video highlights what the future of work could look like.

Learn (judged by Zoom): From VR worlds to light field holodecks and omnipresent AI assistance, combining the right network speed with visionary thinking propels how we learn into the future. This video includes ideas detailing what the future of education could look like.

Play: Whether gaming, attending concerts, or watching our favorite movies and shows, technology will impact how we play and entertain ourselves in the near future. This video describes how the future of gaming and entertainment could look.

How To Get Involved

From forward-thinking individuals and entrepreneurial ventures to inventors, university students, or growing companies from the U.S. or Canada, the 10G Challenge encourages innovators building solutions that leverage the emerging 10G network to submit a short video demonstrating their technology or idea.

Five winning submissions will be chosen by business leaders: one winner in each category and a Grand Prize winner. The Grand Prize winner will receive $100,000 USD in the form of a cash prize to help advance their technology, while category winners will receive a non-dilutive $50,000 USD cash prize. There is also a People's Choice winner who will receive a $10,000 USD cash prize.

At CableLabs, we are constantly building for the future and looking to support those who can help us revolutionize how the world lives, works, learns and plays.



Raising the Bar on Gateway Device Security

Brian Scriber
Vice President, Security Technologies

Darshak Thakore
Principal Architect

Mark Walker
Vice President, Technology Policy

Oct 7, 2021

Today, CableLabs® has publicly released a set of best common practices (BCP) to enhance the security of cable modems, integrated access points, and home routers (collectively, known as “gateway devices”) against malicious activity and other cyber threats. This work builds on and extends CableLabs’ and the cable industry’s longstanding leadership in cybersecurity to ensure a consistent and robust baseline for gateway device security, increased economies of scale, and an ontology for simplified communication and procurement between network operators and device manufacturers.

The BCP Working Group is comprised of security technologists from CableLabs, network operators from around the world, and gateway device manufacturers, including representatives from CableOne, Charter, Cisco, Cogeco, Comcast, Commscope, Cox, Liberty Global, MaxLinear, MediaCom, Shaw and Technicolor. In developing the BCP, the Working Group drew heavily upon well-established and widely accepted security controls, recognized broadly by industry and government security experts.

The cable industry has long employed extensive network security practices to ensure the confidentiality, integrity and availability of broadband services, including gateway devices. The BCP expands and standardizes these network security practices for gateway devices and complements cable operators’ broader set of security practices. For instance, DOCSIS® Security testing is performed on all gateway devices to ensure DOCSIS protocol conformance, including the verification of the correct implementation of public key infrastructure (PKI) authentication and identity management, BPI+ encryption, and EAE (Early Authentication and Encryption) secure provisioning requirements.

The BCP document goes beyond DOCSIS Security requirements and provides a framework for the full range of security considerations applicable to gateway devices, including hardware and manufacturing considerations, default security settings, configuration procedures, secure boot, roots of trust, software/firmware development and verification, encryption requirements for both data in transit and data at rest, and physical security, among others. To further ensure the robustness of the BCP, the working group compared and mapped the BCP to NIST’s general guidance for connected devices used by the federal government, to help confirm the scope was fully comprehensive of applicable security considerations.

The BCP represents the industry coalescing around a common set of security baseline requirements that furthers the following critical goals:

  1. Provide a common framework for security elements and controls within gateway devices, including cable modems, integrated Wi-Fi access points, and home routers, to align the varied approaches to device security across the industry.
  2. Create a community of manufacturers and network operators collaborating to enhance gateway device security.
  3. Leverage well-established and well-vetted security controls and practices to minimize the risk of unknowingly introduced vulnerabilities or other security weaknesses.
  4. Harmonize security requirements across network operators to drive increased economies of scale, lowering the cost of broadband deployment.
  5. Further protect network resources and broadband service from malicious attacks.
  6. Provide a framework for network operator assurance that enables verification of testable practices and configurations.
  7. Enable alignment across standards, regulatory, and compliance regimes through a transparent and open set of best common practices.
  8. Establish a security framework for gateway devices that builds in flexibility and agility, so that manufacturers and network operators can address and adapt to new threats and changes in the cyber risk landscape.

While this initial release is an important achievement, one that strives to be comprehensive in terms of security posture for gateway devices, we all recognize that this field is constantly evolving and advancing. We see the BCP as a framework that must and will be updated and maintained as network technology, device security, and unfortunately, adversary techniques continue to evolve. To that end, we invite and welcome additional gateway and modem manufacturers as well as additional network operators to join the working group as we continue to progress this effort.

On October 13, 2021, at 3:00 pm ET, we invite you to join our virtual panel session at SCTE Cable-Tec Expo to discuss and further explore Gateway Device Security and our work to develop the BCP.



Finding Solutions to Randomized Wi-Fi MAC Addresses

Luther Smith
Director, Wireless Technology

Oct 5, 2021

As Wi-Fi device and OS vendors move to implement Randomized and Changing MAC Address (RCM) to reduce or eliminate the ability to track users and their devices, related functionality costs to the Wi-Fi industry are emerging. This blog will discuss how the industry is enhancing users’ privacy while working to maintain legitimate functions that require a stable means of device identification. It will wrap up by discussing the effects of RCM on beneficial tools and industry efforts to address those impacts through innovation and new technology development.

Functionality Impacts of Wi-Fi MAC Randomization

As privacy has become an increasing priority, addressing unwanted tracking of individuals and devices has become central to enhanced privacy efforts. Device and OS vendors have started to implement RCM to negate this tracking risk for consumers. This shift was previously discussed in an earlier CableLabs blog post titled “MAC Address Randomization: How User Privacy Impacts Wi-Fi And Internet Service Providers.” 

When a user’s device is on a Wi-Fi network, the Wi-Fi MAC address is used as part of the transport protocol. Anyone with a Wi-Fi sniffer can identify the specific device and associate it with the user as he or she moves about (e.g., entering and leaving an area). At that point, the malicious entity can use the Wi-Fi MAC address to track the user at future locations based on previously correlating the user’s device to the user. RCM randomizes the MAC address, disabling the correlation between the device and the user because the same MAC address isn’t repeatedly used.

RCM implementations differ by device and OS vendor: the MAC address may change per Wi-Fi session, per time period or per associated SSID (network name), to name a few. Although RCM can help reduce and even potentially eliminate the ability of a third party to track a user, the capability comes at a cost. RCM impairs legitimate functions, features and services that rely on a static, non-randomized MAC address to identify that device. Several examples of functions hindered by RCM include captive portal authorization, parental controls, allow/deny access lists and lawful intercept.
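For allow/deny lists in particular, an operator can audit which entries are likely to stop matching. The sketch below is an added example, not part of the original post: it relies on the fact that randomized addresses are sent with the locally administered bit of the first octet set, and its function names and sample addresses are constructed for illustration.

```python
import re

def parse_mac(text):
    """Return the 6 address bytes from colon, hyphen, dotted or bare-hex notation."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify_mac(text):
    """Classify by the two low-order bits of the first octet (I/G and U/L)."""
    first = parse_mac(text)[0]
    if first & 0x01:
        return "group"      # multicast/broadcast: not a valid station address
    if first & 0x02:
        return "local"      # locally administered: the form randomized MACs take
    return "universal"      # vendor-assigned address that stays the same

def audit_allow_list(entries):
    """Group entries by how stable they are as device identifiers."""
    report = {"universal": [], "local": [], "group": [], "invalid": []}
    for entry in entries:
        try:
            report[classify_mac(entry)].append(entry)
        except ValueError:
            report["invalid"].append(entry)
    return report

# Constructed sample allow list (addresses are illustrative, not real devices).
SAMPLE_ALLOW_LIST = [
    "00:1A:2B:3C:4D:5E",   # universal: keeps matching across sessions
    "DA:A1:19:00:00:01",   # local: may change per SSID, session or time period
    "3e-5f-10-aa-bb-cc",   # local, hyphen notation
    "0123.4567.89ab",      # group bit set: should never be on a station list
    "f2a4c6e80b1d",        # local, bare hex
    "00:1A:2B:3C:4D",      # too short
    "not-a-mac",
]

if __name__ == "__main__":
    for kind, macs in audit_allow_list(SAMPLE_ALLOW_LIST).items():
        print(f"{kind:9} {macs}")
```

A set locally administered bit shows only that the address is not vendor-assigned (virtual interfaces and manually configured addresses set it too), so treat "local" entries as candidates for review rather than confirmed randomized devices.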

The Wi-Fi Industry’s Solutions

Because of the impairments to legitimate functions that occur based on RCM, the Wi-Fi industry is working to develop alternative methods of identifying devices without exposing the device identity and creating the risk that a user might be tracked. The first step in this process is identifying use cases in which the device identity needs to be known for legitimate purposes. Several Wi-Fi industry organizations—including Institute of Electrical and Electronics Engineers (IEEE), Internet Engineering Task Force (IETF) and Wireless Broadband Alliance (WBA)—are working on identifying and detailing these use cases.

Although each organization is working independently, each also recognizes that cooperation and information exchange are critical to addressing the issue in a timely and unified manner. CableLabs is leading the effort and actively contributing across several organizations to ensure that consumers are protected while functions important to broadband network operators continue to operate. Through the collective support of a Wi-Fi industry composed of operators, device and OS vendors, and other vendors, innovative solutions are being explored and specified to ensure that a balanced solution emerges.

Get Involved

Some vendors are already considering device-identification solutions that don’t require a static MAC address and allow privacy risks to be mitigated without breaking key functionalities. One promising approach, known as fingerprinting, develops a unique device signature through evaluating radio frequency and traffic characterization. Similar solutions are being investigated to identify the presence of individual devices necessary for legitimate features to operate. However, even with these solutions, some may still allow a third party to identify and correlate devices to users, enabling the devices and users to be tracked.

The industry still needs a secure method of identifying devices that protects data privacy without hobbling the features, functions and services that depend on a static Wi-Fi MAC address. To get involved in defining use cases and helping to create the right solution(s), you can join one (or more) of the industry organizations that are addressing RCM.

For more information, please contact Luther Smith (



Finishing the P2P Coherent Optics Puzzle

Matt Schmitt
Principal Architect

Sep 9, 2021

This past June, CableLabs publicly released the first issued version of the Coherent Termination Device (CTD) Requirements Specification. The same month, the Institute of Electrical and Electronics Engineers (IEEE) Standards Association (SA) approved amendment 802.3ct-2021, which defines 100G Ethernet using coherent optics. Combined with previous point-to-point (P2P) coherent optics specifications released by CableLabs, these two events represent two of the final pieces of the puzzle for enabling low cost, interoperable, coherent optics solutions for cable operators.

Coherent Termination Device

CableLabs has developed a series of specifications to enable the development of interoperable transceivers using P2P coherent optics that are optimized for cable access networks, including operation at 100G and 200G per wavelength. This work was highly successful; there are transceivers compliant with the CableLabs PHYv1.0 specification (100G operation) as demonstrated at interop events held pre-pandemic, and transceivers compliant with the PHYv2.0 specification are in development. Additionally, routers and switches that those transceivers can be plugged into also exist, as seen at the demonstration CableLabs hosted at SCTE Expo 2019 in New Orleans.

Interoperable 100G P2P

However, there’s one key thing that’s unique to a cable access network deployment as compared to most other P2P coherent optics deployments to date: one end of the link sits outdoors. And while some existing solutions could operate in the temperature ranges required for an outdoor environment, they had to be installed in a street cabinet rather than the type of weatherproof enclosure (typically a clamshell box) that many cable operators use.

That device is what we refer to as a CTD that resides in an Aggregation Node, as shown in the figure below. The CTD for an Aggregation Node was a missing puzzle piece!


In order to address this issue, CableLabs worked with our members to develop the CTD Requirements Specification. This specification contains a set of requirements that are common across multiple different cable operators, representing a broad consensus on the definition for several critical aspects of a CTD. That in turn provides some assurance to manufacturers that if they build a CTD that meets those requirements they should find a broad market for the device.

Some key highlights of those requirements include:

  • A minimum of 2 line-side ports per CTD that support pluggable coherent optics transceiver modules
  • A minimum of 12 (and recommendation for 16) client-side ports per CTD that support 10G and/or 25 transceiver modules
  • Layer 2 (switching) and/or Layer 3 (routing) support
  • Guidance on power sizing and efficiency
  • Enclosures that meet IP66 requirements
  • Operation in external ambient temperatures from -40 to +60 degrees C

IEEE 802.3ct-2021

One of the keys for enabling the use of P2P coherent optics in cable operator networks is reducing cost as much as possible, which is why that has been a focus at CableLabs. Both of the P2P Coherent Optics PHY specifications were written with cost in mind by incorporating inputs from suppliers, identifying optimizations for cable networks that will enable reduced cost devices, and promoting interoperability (leading to scale and competition).

Another way to drive scale is to encourage adoption by other groups and industries. For that reason, CableLabs decided to support and participate in an effort within the IEEE 802.3 Ethernet Working Group to define a standard for specifying 100G operation per wavelength using coherent optics. In particular, CableLabs wanted to ensure that manufacturers would be able to develop devices that complied not only with our CableLabs specifications, but also with the new IEEE standard.

A review of the new 802.3ct amendment suggests that goal has been achieved, and as a result, it should be possible for manufacturers to build a single device that complies with requirements from CableLabs, IEEE, ITU and OpenROADM, meaning there is a huge market for coherent optics equipment that manufacturers can take advantage of without having to build multiple different devices.

Puzzle Pieces Coming Together

With these two puzzle pieces now complete, the picture and opportunity for using P2P coherent optics in cable operator networks is really coming together. Compliant transceiver modules and equipment suitable for indoor facilities (such as hubs and headends) are already available, and CTDs are expected later this year or early next year, enabling deployments in the not-too-distant future. Better still, it’s becoming clear that there are architectures and applications that can leverage CTDs beyond just cable networks — such as for supporting mobile network deployments — meaning there’s likely a broad, nascent market just waiting to take off. Keep an eye on this space: things are just getting started.