CableLabs Member Vodafone Germany Surpasses 21 Million Households with Access to Gigabit Speeds
Today we are shining a spotlight on another monumental achievement in the European cable community. Our CableLabs member with the largest gigabit network in Germany, Vodafone, has just surpassed 21 million households with access to gigabit speeds, bringing blazing-fast internet to over 50 percent of German households.
As a leading provider, Vodafone Germany recognizes the importance of expanding its Hybrid-Fiber-Coax (HFC) network and combining it with innovative multi-layer technology to meet the rising demand for high-speed services. From Aachen to Zwickau, and from the North Sea to the Zugspitze, in the first quarter of this year more than half of Vodafone’s new customers opted for a connection of 400 Mbps or faster, and every third customer chose 1 Gbps service. It’s very clear: an ultra-high-speed cable connection is the digital future, and Vodafone intends to deliver. Aside from adding new infrastructure to accommodate its growing customer base, Vodafone has been using CableLabs DOCSIS® 3.1 technology to significantly increase both download and upload speeds and expand network capacity. Right now, an average of 8 gigabytes passes through every Vodafone customer’s connection every day, allowing businesses and individuals to work, learn and enjoy multi-gig services.
Twenty-one million is a significant milestone, but while we are taking a minute to celebrate, Vodafone Germany is already working toward the next one: 25 million households in the Vodafone network by 2022! As soon as the first prototypes of the new hardware generation are available, Vodafone is planning initial field tests. These are to take place within the next two years.
"Vodafone, with its hybrid fiber coax network, is the main driver for the expansion of high-speed networks in Germany. With today's expansion step, we and above all our customers have well over 20 million reasons to celebrate," says Vodafone Germany CEO Hannes Ametsreiter and adds: "The upgrading of our hybrid fiber coax cable network continues and the end of the line in terms of speed is still a long way off. With each technology evolutionary step, we are making our cable internet even faster and even better by bringing more fiber optic into the network and pushing ahead with capacity expansion."
Vodafone is a shining example of the true power of an HFC network in delivering the future we are all dreaming of. As more multi-gigabit innovations become part of our lives, Vodafone and other cable providers will be ready to not only meet the increasing demand but to stay well ahead of it—many years into the future.
Upstream: How Much Speed Do You Need?
In the middle of a global pandemic, in which people are working and playing on their various devices at home, internet usage is surging—whether because of virtual meetings, streaming entertainment or mindlessly scrolling through apps. And it’s not just the heavily used downstream direction that’s seeing increased usage; we’re also seeing an increase in upstream usage.
What Is Upstream?
Upstream is when data flows from the user to the network. When we play an online multiplayer video game or conduct a web conferencing call, we’re using the upstream channel. According to the NCTA’s COVID-19 dashboard, upstream internet traffic through late July was elevated, up 22.1 percent compared with pre-pandemic levels.
Cable networks have ably handled this increased traffic, aided by the fact that popular upstream-dependent applications require relatively modest bandwidth. A web audio conference call requires a modest 0.03 to 0.15 Mbps in bandwidth, whereas a video call may require up to 3 Mbps. Given that nearly all U.S. households passed by cable networks have currently available upstream speeds of at least 20 Mbps, there’s sufficient capacity to meet today's demands.
Your cable broadband internet connection can handle it today and we continue to advance cable network technology to ensure we're also ready for tomorrow.
25G/50G-EPON Standard Crosses the Finish Line – Enhancing Fiber Deployments as Part of Cable’s 10G Platform
Nobody knows the extent to which broadband speeds will continue to increase over the next 5-10 years, but service providers intend to be certain that their network solutions will be able to handle whatever is coming. With the announcement of the 10G Platform, the cable industry has set a new target for future broadband speeds of at least 10 Gbps, with symmetry being a key component of that new speed target.
Whereas the majority of the cable industry continues to leverage their ubiquitous hybrid fiber coaxial (HFC) networks to provide high-speed data services to a large proportion of their subscribers, fiber to the home (FTTH) solutions that utilize passive optical networks (PON) remain an important component of their solution set. Thus, it is important for FTTH technology to continually evolve in a way that meets future bandwidth demand. I am pleased to announce that PON solutions have reached a new milestone in that technology evolution with the recent approval by the Institute of Electrical and Electronics Engineers (IEEE) of the 25G/50G-EPON standard.
Key Features of 25G/50G-EPON
A key requirement for 25G/50G-EPON is that it must operate over already-deployed PON infrastructure with the same split ratio and nominal 20 km reach as previous generations of the technology. Beyond an increase in peak capacity, there are many new features and capabilities built into this standard. Some of these features are focused on the efficient use of the available capacity and on reducing the overhead of the media access control (MAC) layer, while others are focused on coexisting with legacy technologies and on low-cost implementations. I will focus on just a few of these enhancements to the standard.
- Peak Capacity: As the name implies, the new EPON standard developed by the IEEE 802.3ca Task Force allows for symmetric or asymmetric operation with downstream speeds of 25 Gbps or 50 Gbps, and upstream speeds of 10 Gbps, 25 Gbps, or 50 Gbps. These peak capacities are more than capable of meeting the 10 Gbps symmetric service tier goals set forth in the 10G Platform. Achieving this increase in capacity is accomplished in two ways: (1) expanding the transmission rate to 25 Gbps per wavelength and (2) leveraging wavelength division multiplexing technology to add an additional wavelength. A benefit of this architecture is that service providers can initially deploy a single wavelength providing 25 Gbps, and then add a second wavelength to bring the total to 50 Gbps upon demand.
- Coexistence: An important consideration for service providers is the ability to support coexistence with legacy PON technologies, specifically 10 Gbps PON. Briefly, coexistence enables reuse of existing PON infrastructure by easily adding additional capacity while avoiding the complete removal of legacy PON technology. For 25G/50G-EPON, service providers who have already deployed 10G PON solutions are able to add one or more 25 Gbps wavelengths to bring total capacity to 35 Gbps or 60 Gbps over the same PON infrastructure. Various coexistence scenarios are shown in the diagram below.
- Low-Cost Implementation: The economics of any residential broadband solution are always an important consideration for service providers. For optical solutions such as PON, the optical transceiver on each end of the link is one of the more costly components. Particularly for FTTH PON solutions, it is critical to keep costs as low as possible for the customer premises equipment, which in the case of EPON is the optical network unit (ONU). In this regard, 25G/50G-EPON aggressively strives to keep ONU optical component costs low in two key ways: (1) fixed wavelengths instead of tunable wavelengths, and (2) wideband optics in the O-band without dispersion compensation. In fact, in greenfield deployments (e.g., new FTTH builds unburdened with legacy PON technology), a 50 Gbps ONU can use two wideband channel sources to reduce costs, instead of two narrowband channel sources or operating 50 Gbps on a single wavelength, as shown in the lower portion of the figure above.
Speed, coexistence and low-cost implementations are only three of the outstanding benefits built into the next generation of EPON. Without a doubt this version of PON technology represents the lowest cost per bit compared with any other PON technology. If you are interested in looking for future activities at CableLabs related to integration of this technology into cable networks or discovering more details about 25G/50G-EPON, please feel free to contact us to receive more information.
Specifications Aren’t Pretty…But They Are Necessary
Over 22 years ago, my first project at CableLabs was to prepare the DOCSIS® 1.0 Radio Frequency Interface (RFI) specification as a contribution to the International Telecommunication Institute-Telecom Sector (ITU-T). After working in various industries, I found the telecommunications industry to be an exciting new world. During my first week, I started a list of acronyms at the back of my notebook, and it was only the first sip of the alphabet soup I was about to devour.
CableLabs’ specifications were a far cry from the two-page technical bulletins I had previously prepared. They were under strict document management control, with engineering changes (ECs) processed against issued versions in order to revise the specs. Learning the entire process took time, even with the help of great coworkers.
I also learned that CableLabs’ specifications are innovation-focused and designed to get products to market quickly. Interoperable devices that adhere to common specifications enable consumer choice, widespread deployment of new technologies, and lower per-unit cost due to industry-scale economics.
CableLabs’ specifications are driven by the collaborative working relationships between members, vendors and CableLabs’ staff within project-specific working groups. They address most aspects of cable access networks, including cable modems, set-top boxes, cable modem termination systems (CMTSs), remote-PHY and remote-MACPHY devices, optical devices, telephony and aspects of mobile base stations—all of which operators use to provide their customers with a wide range of products and service offerings.
Some advantages of current products built to our specifications include but are not limited to:
- Operator choice, in addition to price competition within a given marketplace
- Increased speed and security, as well as backward compatibility
- Advancements in network devices (e.g., wired, wireless, security) and their related functionality
- Simplicity in debugging problems in the lab/field as specifications define the expected behavior
As part of a publication support team working with strong engineering support, we recently published the DOCSIS 4.0 suite of specifications allowing cable operators to ultimately achieve 10 Gbps speeds downstream and 6 Gbps upstream. We’ve come a long way in over three decades! It’s been a privilege to see how many advancements have been produced in that timespan by CableLabs, together with its members and vendors, and just how much our efforts have changed the telecommunications world.
Do my four grandkids know and understand how CableLabs’ specifications development has helped them recently with online learning, or enabled my youngest granddaughter’s participation in her virtual kindergarten graduation—all by creating and supporting the best broadband services available? No, but that’s OK because we’re here working to continuously develop an innovative foundation for an ever-improving future for them.
See the Future Now With 4Front: Register for Our 2021 Event
Mark your calendars now because 4Front 2021 is coming next June! Thanks to work behind the scenes, the event’s visionary lineup is coming into even stronger focus. A unique cross-industry event that will bring together leaders and innovators from around the world to exchange ideas and explore how technology will shape the future, the inaugural 4Front conference was scheduled June 23-24 in Aurora, Colorado. However, because of health safety concerns stemming from the COVID-19 pandemic, CableLabs decided to postpone the event until June 15-16, 2021.
The 4Front 2021 event has already gained two notable recommitments among thought leaders, including artificial intelligence pioneer Rana el Kaliouby, founder and CEO of MIT spinoff Affectiva. Under el Kaliouby’s guidance, Affectiva has developed a technology that analyzes faces for emotional nuances. The technology is being used in a wide range of content testing, video recruitment and mental health applications.
Also joining 4Front 2021 is Shoshana Zuboff, a noted author and futurist who predicted in the 1980s that computers would revolutionize the workplace. In her latest book, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, she proposes that technology users are raw materials for manufacturing and sales systems, as part of a new surveillance economic order.
The podcasts will feature 4Front visionaries who will reveal how they envision technology’s role in building a better, safer and more connected future. Imagine holographic displays that drive workplace productivity and literally bring a new dimension to education in the classroom. Or immersive virtual reality games the whole family can play. Or new video applications that will allow patients to see specialists a thousand miles away.
The first trio of podcasts will explore the future of education and the workplace.
- Education innovation expert Ai Addyson-Zhang will discuss her passion for incorporating social media and creative technologies to drive student remote learning.
- Mike Hess, founder and executive director of the Blind Institute of Technology, will talk about his mission to bring blind and visually impaired IT and tech professionals into the workforce.
- Spark Mindset CEO and Founder, Lawrence Wagner, will discuss what he sees in the workplace now, and what could change in the future.
More podcasts exploring entertainment and healthcare innovations will follow in the coming weeks so make sure to tune in and stay in the forefront of innovative thinking so that you're prepared for the 4Front conference next June.
How Reliable Is Cable Internet? Here’s How Our Networks Are Performing
Starting in mid-March, the world experienced a sudden surge in internet usage driven by the widespread COVID-19 stay-at-home orders that caused many of us to switch to working and studying at home in a matter of days. Cable broadband networks not only withstood this sudden surge in internet usage; they excelled. For example, for the week of June 27–July 4, 99.9 percent of U.S. cable broadband users saw no material impact on customer experience. Looking to the future, cable networks are also well-positioned to remain ahead of sustained increases in consumer demand. Although internet usage appears to have plateaued recently, CableLabs and the broader cable industry continue to develop further network advancements to ensure that internet performance stays well ahead of even the most demanding home users’ needs for years to come.
Internet Usage During COVID-19 and Cable Broadband Services
Network monitoring provider OpenVault reveals just how much home internet usage jumped over the past few months:
- In the United States, average daily downstream consumption from 9 a.m. to 5 p.m. in the first week of April totaled about 6.35 GB per household, up 42 percent from 4.46 GB in January. Upstream average usage during business hours rose to 0.39 GB, up 83 percent compared with 0.22 GB in January.
- Worldwide, looking at a sample of 500 fixed, mobile and Wi-Fi network providers, networking equipment provider Sandvine found that overall traffic increased 40 percent between February 1 and April 19. It also found that upstream traffic rose 121 percent during this period.
Even considering these dramatic increases, home internet use remains heavily asymmetrical. The amount of data transmitted to the home (downstream) vastly outweighs the amount of data transmitted from the home (upstream). This is driven by the continued use of video streaming services (e.g., Netflix, YouTube) that require substantial amounts of data to be transmitted to the home to enable the user to view a movie, TV show or other video. These applications require very little data transmitted from the home.
Two-way video collaboration tools (e.g., Zoom, Microsoft Teams) do require more data to be transmitted from the home (upstream) in comparison with video streaming services due to two-way audio and video functionality. Even with the increased use of these collaboration tools, upstream data transmissions remain well below a tenth of total data transmitted over home internet connections.
The predominance of downstream use is further confirmed in the detailed examination of broadband use from a top-tier North American cable broadband operator, as set forth in Figures 1 and 2 below. Over the past 8 years, the proportion of downstream traffic has increased and plateaued at roughly 92–94 percent of total traffic at peak. Looking more closely at the most recent 5 months illustrates the rapid increase in internet use due to COVID-19. Even with upstream increasing at a faster rate than downstream, upstream use at peak maxed out at only 9 percent of total traffic, as illustrated in Figure 2. Additional metrics, trends and observations on cable internet usage can be found on NCTA’s COVID-19 Dashboard.
Cable Broadband’s Outlook Is Healthy
The asymmetric design of cable’s internet service tiers accurately matches how consumers have been using the internet, even with the increased use during stay-at-home orders. This is important both to ensure a high-quality user experience and to efficiently allocate available network capacity. Cable operators continually monitor their networks and engineer them to accommodate significant fluctuations. There are indications that these increased levels of usage will be foundational as new use cases emerge and as a significant segment of the population continues to work and learn from home. For example, many companies have found that their remote workers maintained or even improved productivity—so much so that they may make the arrangement permanent.
Cable network technology, more formally known as Data Over Cable Service Interface Specification (DOCSIS®), has the flexibility and performance capabilities to handle further increases in consumer demand in both downstream and upstream data transmissions. With DOCSIS 3.1 technology, the current widely deployed version of cable network technology, cable operators are making gigabit services broadly available. For example, cable gigabit services are now available to 80 percent of U.S. housing units.
And there are more performance enhancements on the horizon with the recently released DOCSIS 4.0 specification, which will readily enable multi-gigabit internet services. In addition, the 10G platform provides increased reliability, enhanced security and reduced latency.
Taking a peek into the future, cable broadband networks have not only excelled in the initial surge in internet usage caused by the COVID-19 pandemic, but they will be ready for the potential long-term changes in consumer behavior that will drive increased internet usage. To learn more about the technologies that power cable’s broadband internet services today and into the future, click the button below.
Increase Upstream Reliability and Capacity with Optimized Profiles
Network usage patterns have shifted in unprecedented ways in the last few months, with vast swaths of the population staying at home. A substantial increase in network traffic has been observed from homes, with people collaborating for work and children learning over the Internet through online school sessions and material. Access networks have seen peak weekend traffic levels become the new normal throughout the week.
In this time of network traffic increase, reliability and capacity are increasingly important. Upstream reliability is fundamental to the network experience as seen by the end user in the home. For DOCSIS 3.1 and 4.0 networks, configuring profiles is the key to maintaining a reliable channel while simultaneously optimizing capacity. Profiles define the modulation orders used on the channel, with higher modulation orders allowing more bits of information to be communicated per modulation symbol.
In a previous blog post, we discussed downstream profile management. In this blog, we focus on upstream profile management, which differs from the downstream due to the structure of the Hybrid-Fiber-Coax (HFC) plant and the bursty nature of transmissions from cable modems (CMs).
In the downstream direction, there is one location from which the signals enter the HFC plant: the cable modem termination system (CMTS) in the headend. The operator has control of the signal at that point and along the network, to ensure it reaches every CM. From the headend to the CMs, the RF signal fans out in a star topology in a point-to-multipoint (P2MP) fashion. It is the opposite on the upstream (return) path: the RF signals enter the plant from every home that is attached to it, and all of those signals combine as they travel to the headend. As in all P2MP networks, the noise from every device on the network is combined as it travels upstream and is finally received on the upstream port at the CMTS. This is known as the noise funneling problem, as shown in the diagram below. Thermal noise at the amplifiers and fiber optic link noise are common sources of upstream noise. Other noise sources that ingress into the upstream path include impulse noise from loose connectors, unterminated splitters or taps, cracked cables, common path distortion due to corroded connectors, and clipping distortion.
Thus, in the upstream, the noise from every house and every network element accumulates and is seen at the upstream receiver on the CMTS. A CMTS receiver can measure the received modulation error ratio (RxMER) for each CM; some example measurements from a live network are shown in the diagram below. In the upstream, the signal-to-noise signature of each CM sharing the channel looks very similar, because they all see the same noise across the channel, with slight differences due to the signal levels themselves. This means common profiles can be designed for the many CMs experiencing similar noise conditions: most CMs will be able to use a common profile, while CMs that suffer more noise can be put into a different profile optimized for their particular noise environment. The modulation orders within a profile can vary across the spectrum according to the noise level in each part of the spectrum.
The upstream Profile Management Application (PMA) can automate this design of the profiles on various upstream channels across various segments in the cable plant. Reading the upstream RxMER from the CMTSs on the network, processing the RxMER information with intelligent algorithms to create profiles, and then configuring the newly optimized profiles on the CMTS are the primary functions an upstream PMA solution accomplishes. Configuring optimized profiles brings solid reliability to the upstream network connection and also increases the capacity in parts of the spectrum which can accommodate higher modulation orders.
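How an upstream PMA turns per-subcarrier RxMER into profiles, as an added Go example that is not CableLabs' PMA code or from any product mentioned on this page: each CM's RxMER is mapped to the highest modulation order it clears with some margin, CMs with similar noise share a common profile built from the per-subcarrier minimum, and a CM whose stand-alone capacity falls well below the median is given its own profile so it does not drag the shared one down. The modulation thresholds, the 1.5 dB margin, the 15 percent split rule and the 12-subcarrier RxMER data are constructed assumptions; a real OFDMA channel has thousands of subcarriers and the spec-recommended thresholds differ.

```go
package main

import (
	"fmt"
	"sort"
)

// Minimum RxMER (dB) this example requires per modulation order, highest order
// first: illustrative assumptions, not DOCSIS 3.1 PHY specification values.
var modTable = []struct{ bits int; minMER float64 }{
	{12, 39}, {10, 33}, {8, 27}, {6, 21}, {4, 15}, {2, 9}, // 4096-QAM down to QPSK
}
const margin = 1.5 // dB of headroom above each threshold, so MER swings stay correctable

// CM is a cable modem with the per-subcarrier RxMER reported by the CMTS.
type CM struct {
	Name string
	MER  []float64
}

// bitsForMER picks the highest order the RxMER clears; 0 marks an unusable subcarrier.
func bitsForMER(mer float64) int {
	for _, r := range modTable {
		if mer-margin >= r.minMER {
			return r.bits
		}
	}
	return 0
}

// profileFor is the best bit-loading profile one CM could decode on its own.
func profileFor(mer []float64) []int {
	p := make([]int, len(mer))
	for i, m := range mer {
		p[i] = bitsForMER(m)
	}
	return p
}

// capacity sums bits/symbol over the channel, a relative throughput measure.
func capacity(p []int) (total int) {
	for _, b := range p {
		total += b
	}
	return total
}

// commonProfile is the per-subcarrier minimum, so every CM in the group can decode it.
func commonProfile(ps [][]int) []int {
	if len(ps) == 0 {
		return nil
	}
	c := append([]int(nil), ps[0]...)
	for _, p := range ps[1:] {
		for i, b := range p {
			if b < c[i] {
				c[i] = b
			}
		}
	}
	return c
}

// designProfiles gives the typical CMs one common profile, and each CM whose
// stand-alone capacity is more than tol (a fraction) below the median its own.
func designProfiles(cms []CM, tol float64) (common []int, members []string, individual map[string][]int) {
	caps := make([]int, len(cms))
	for i, cm := range cms {
		caps[i] = capacity(profileFor(cm.MER))
	}
	sorted := append([]int(nil), caps...)
	sort.Ints(sorted)
	floor := (1 - tol) * float64(sorted[len(sorted)/2])
	individual = map[string][]int{}
	var group [][]int
	for i, cm := range cms {
		if float64(caps[i]) < floor {
			individual[cm.Name] = profileFor(cm.MER)
		} else {
			group = append(group, profileFor(cm.MER))
			members = append(members, cm.Name)
		}
	}
	return commonProfile(group), members, individual
}

// sampleCMs is constructed RxMER data for a 12-subcarrier toy channel: three healthy
// CMs share an ingress dip on subcarriers 4-6, CM-C has one weaker subcarrier of its
// own, and CM-D sits about 8 dB lower everywhere (e.g. a damaged drop cable).
func sampleCMs() []CM {
	return []CM{
		{"CM-A", []float64{41, 41, 41, 41, 30, 30, 30, 41, 41, 41, 41, 41}},
		{"CM-B", []float64{42, 42, 42, 42, 31, 31, 31, 42, 42, 42, 42, 42}},
		{"CM-C", []float64{41.5, 41.5, 41.5, 41.5, 29, 29, 29, 41.5, 41.5, 35, 41.5, 41.5}},
		{"CM-D", []float64{33, 33, 33, 33, 22, 22, 22, 33, 33, 33, 33, 33}},
	}
}

func main() {
	common, members, individual := designProfiles(sampleCMs(), 0.15)
	fmt.Printf("common profile %v for %v: %d bits/symbol; own profiles: %v\n", common, members, capacity(common), individual)
}
```

With this data, a single profile for all four CMs would collapse to CM-D's 84 bits/symbol, while splitting CM-D out lets the other three share a 130 bits/symbol profile; the same computation also quantifies how much capacity an impairment costs, which is the link between plant condition and network capacity.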
Many cable operators across the world are now turning on upstream OFDMA channels and leveraging the upstream PMA capability to automate the creation of profiles for their D3.1 upstream OFDMA channels.
If you are interested in discovering more details about upstream or downstream PMA, or setting up a field trial, please feel free to contact us to receive more in-depth information.
Network Capacity Management Using Proactive Network Maintenance
You probably know that Proactive Network Maintenance (PNM) is about finding and fixing problems before they impact the customer. But the other side of PNM is about managing the capacity or bandwidth available in the network. PNM may have started with the former concept in mind, but the latter is becoming more important as we rely on higher amounts of capacity at the edge. As the world adjusts to life under the COVID-19 pandemic, access network capacity is becoming even more critical. PNM is an important tool set for network capacity management, and CableLabs is helping operators manage network quality and capacity together.
Network condition impacts network capacity. Network impairments, a broad class of failures and flaws in the ability of a network to carry data, have to be addressed before they lead to service failure. The DOCSIS® protocol is a method for sending data over multiple radio frequencies in hybrid fiber coax networks, and it comes with several resiliency mechanisms that help service continue in spite of impairments, up to a point. Impairments in the cable plant may affect a few frequencies or all of them. Impairments that affect specific frequencies may or may not be compensated for on those frequencies. If severe, the impairment may affect the data carried on those frequencies entirely, leading to correctable or even uncorrectable data errors. If not severe, profiles may be able to adjust to lower modulation orders, so that less data than otherwise can be carried reliably. Impairments that affect a larger range of frequencies of course have a greater impact on the bandwidth the network can carry. In any case, impairments reduce the capacity that the operator can get from the access network.
This is why PNM, which is an important set of tools for network operators to manage network condition, becomes even more important as we depend more on our network capacity and move toward higher utilization of the access network capacity. As demand for bandwidth increases at the edge, PNM becomes an important network capacity management tool for network providers. The difference between a perfect network and one with flaws felt by customers begins to shrink. PNM begins to be an imperative; it is “table stakes” for maintaining communications services and managing the capacity of the network.
CableLabs has been working with these issues in mind for some time. In July of 2019, I wrote on the subject of 10G and reliability, pointing out that higher bandwidth solutions closer to the customer will be required for 10G. Then, in August, I wrote on the subject of reliability from a cable perspective and pointed out that the impairments addressed through PNM impact capacity. So, we see that reliability and network capacity are closely coupled. As we move toward higher bandwidth services, expand the utilization of frequencies and further push the limits of technology, reliable and sufficient bandwidth become highly coupled. Therefore, so do the tools that network providers use to manage these service qualities. CableLabs is working on solutions to help operators succeed in this reality.
Recently, CableLabs announced the release of a new capability in our Proactive Operations (ProOps) platform that uses RxMER per subcarrier and profile information to inform the selection of PNM opportunities. Also, our PNM working group announced the release of our DOCSIS 3.1 PNM primer of engineering practices, which we intend to develop toward best practices for the industry. If you are an operator or vendor interested in this subject, contact us for more information and to help us develop this solution for the industry.
Because of the resiliency of DOCSIS® technology, impairments in the network have an impact on the capacity available in the network for serving customers, even when service remains functional, and even when customers may not notice right away or always. Without resiliency, an impairment leads to failure. Network resiliency is what keeps service running over impairments, which lets operators fix problems before they become severe and provide highly reliable services.
6 Tips to Speed Up Your Home Network
Are Your Devices up to Speed? Here’s Why It Matters…
Nobody likes to wait for an internet page or movie to load, but did you know there are things you can do to improve the speed? Yes YOU. Even if you think you’re not tech savvy, you can easily check your devices to see if they’re slowing things down. If you like to send/receive email messages, browse the internet, download files, and stream movies without delay, this blog post is for you.
Turns Out, Your Computer’s Age Might Be Affecting Your Speed
Did you know that even if you have purchased 1 Gbps service from your cable provider, your computer may not be able to deliver that speed because of how old it is? You should check the age of your computer and other devices. They may not have the processing speed, gigabit card or compatibility with your service level to meet your expectations. Check your computer settings, the manual or even the manufacturer’s website for the specifications for your model number to make sure your laptop has 802.11ac wireless and gigabit Ethernet cards.
Update Your Software and Drivers
Are your devices updated with the latest drivers and software? Go to the support page of your manufacturer’s website and check the “drivers” section. You may need to download the latest drivers which allow your device to properly communicate with your operating system. If you know your processor brand, you can also go to the Intel or AMD websites and use the driver auto detect / support assistant tool which will automatically let you know which drivers you need to download. Be sure to check for the latest drivers every 3 to 4 months.
Need a New Router?
Wi-Fi standards govern how different wireless devices are designed and how they communicate with each other. As these standards are improved, your devices may need to be upgraded to keep up with the improvements. Perhaps everything in your home except your wireless router can deliver gigabit service. Your network speed is dependent on your router specifications, so make sure that your wireless access point, router, or switch has 802.11ac wireless functionality and gigabit ports built in. If not, it might be time to buy a new one.
What’s the Best Location to Place Your Wi-Fi Router?
Where-oh-where is your wireless access point? It’s all about location, location, location. We created a brief video with suggestions for where to place your access point and tips to improve your home Wi-Fi performance.
Let’s Not Forget About Security
Security is imperative. You can learn how to secure your Wi-Fi router to protect your home network.
One last security tip: Your antivirus software will not work at its full capacity unless your computer is fully updated with the latest updates. To get your system updates in Microsoft Windows, go to Settings and then click on Windows Update. On a Mac, go to System Preferences from the Apple menu and click Software Update. (There is also a check box to automatically keep your Mac up to date.)
10G Integrity: The DOCSIS® 4.0 Specification and Its New Authentication and Authorization Framework
One of the pillars of the 10G platform is security. Simplicity, integrity, confidentiality and availability are all different aspects of cable’s 10G security platform. In this post, we want to talk about the integrity (authentication) enhancements that have been developed for the next generation of DOCSIS® networks, and how they update the security profile of cable broadband services.
DOCSIS (Data Over Cable Service Interface Specifications) defines how networks and devices are built to provide broadband for the cable industry and its customers. Specifically, DOCSIS comprises a set of technical documents that are at the core of cable broadband services. CableLabs, manufacturers for the cable industry, and cable broadband operators continuously collaborate to improve their efficiency, reliability and security.
With regard to security, DOCSIS networks have pioneered the use of public key cryptography on a mass scale: the DOCSIS Public Key Infrastructures (PKIs) are among the largest PKIs in the world, with half a billion active certificates issued and actively used every day around the world.
In what follows, we introduce a brief history of DOCSIS security, look into the limitations of the current authorization framework, and then describe the security properties introduced with the new version of the authorization (and authentication) framework, which addresses those limitations.
A Journey Through DOCSIS Security
The DOCSIS protocol, which is used in cable’s network to provide connectivity and services to users, has undergone a series of security-related updates in its latest version DOCSIS 4.0, to help meet the 10G platform requirements.
In the first DOCSIS 1.0 specification, the radio frequency (RF) interface included three security specifications: Security System, Removable Security Module and Baseline Privacy Interface. Combined, the Security System plus the Removable Security Module Specification became Full Security (FS).
Soon after the adoption of public key cryptography in the authorization process, the cable industry realized that a secure way to authenticate devices was needed; a DOCSIS PKI was established for DOCSIS 1.1-3.0 devices to provide cable modems with verifiable identities.
With the DOCSIS 3.0 specification, the major security feature was the ability to perform authentication and encryption earlier in the device registration process, thus protecting important configuration and setup data (e.g., the configuration file for the CM or the DHCP traffic) that was otherwise not protected. The new feature, called Early Authorization and Encryption (EAE), allows Baseline Privacy Interface Plus (BPI+) to start even before the device is provisioned with IP connectivity.
The DOCSIS 3.1 specifications created a new Public Key Infrastructure (PKI) to handle the authentication needs of the new class of devices. This new PKI introduced several cryptographic improvements over the original PKI: a newer set of algorithms and increased key sizes were the major changes over the legacy PKI. The same new PKI that is used today to secure DOCSIS 3.1 devices will also provide the certificates for the newer DOCSIS 4.0 ones.
The DOCSIS 4.0 version of the specification introduces, among its numerous innovations, an improved authentication framework (BPI Plus V2) that addresses the current limitations of BPI Plus and implements new security properties: full algorithm agility, Perfect Forward Secrecy (PFS), Mutual Message Authentication (MMA or MA) and Downgrade Attacks Protection.
Baseline Privacy Plus V1 and Its Limitations
In DOCSIS 1.0-3.1 specifications, when Baseline Privacy Plus (BPI+ V1) is enabled, the CMTS directly authorizes a CM by providing it with an Authorization Key, which is then used to derive all the authorization and encryption key material. These secrets are then used to secure the communication between the CM and the CMTS. In this security model, the CMTS is assumed trusted and its identity is not validated.
The design of BPI+ V1 dates back more than just a few years, and in that time the security and cryptography landscapes have changed drastically, especially in cryptography. When BPI+ was designed, the crypto community was set on the RSA public key algorithm; today, elliptic-curve cryptography and the ECDSA signing algorithm predominate because of their efficiency, especially where RSA 3072-bit or larger keys would be required.
Another missing feature in BPI+ V1 is authentication of the authorization messages themselves. In particular, CMs and CMTSes are not required to authenticate (i.e., sign) their own messages, making those messages vulnerable to unauthorized manipulation.
In recent years there has been much discussion around authentication and how to make sure that a compromise of long-term credentials (e.g., the private key associated with an X.509 certificate) does not expose all of that user's sessions in the clear (i.e., does not enable the decryption of all recorded sessions by breaking a single key). Because BPI+ V1 directly encrypts the Authorization Key with the RSA public key in the CM's device certificate, it does not provide Perfect Forward Secrecy.
To address these issues, the cable industry worked on a new version of its authorization protocol, BPI Plus Version 2. With this update, a protection mechanism was also required to prevent downgrade attacks, in which an attacker forces the use of the older, and possibly weaker, version of the protocol. The DOCSIS community decided that a specific protection mechanism was needed and introduced Trust On First Use (TOFU) to address it.
The New Baseline Privacy Plus V2
The DOCSIS 4.0 specification introduces a new version of the authentication framework, Baseline Privacy Plus Version 2, that addresses the limitations of BPI+ V1 by providing support for the identified new security needs. The following is a summary of the new security properties provided by BPI+ V2 and how they address the current limitations:
- Message Authentication. BPI+ V2 Authorization messages are fully authenticated. For CMs, this means that they need to digitally sign their Authorization Request messages, eliminating the possibility for an attacker to substitute the CM certificate with another one. For CMTSes, BPI+ V2 requires them to authenticate their own Authorization Reply messages; this change adds an explicit authentication step to the current authorization mechanism. While recognizing the need to deploy mutual message authentication, the DOCSIS 4.0 specification allows for a transition period in which devices are still allowed to use BPI+ V1. The main reason for this choice is the new requirement on DOCSIS networks to procure and renew their DOCSIS credentials when enabling BPI+ V2 (Mutual Authentication).
- Perfect Forward Secrecy. Unlike BPI+ V1, the new authentication framework requires both parties to participate in the derivation of the Authorization Key from authenticated public parameters. In particular, the introduction of Message Authentication on both sides of the communication (i.e., the CM and the CMTS) enables BPI+ V2 to use the Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) algorithm instead of having the CMTS directly generate and encrypt the key for each CM. Because the Authorization messages are authenticated, the use of ECDHE is safe against MITM attacks.
- Algorithm Agility. As advances in classical and quantum computing put incredible computational power at users' fingertips, they provide the same ever-increasing capabilities to malicious users. BPI+ V2 removes the protocol dependencies on specific public-key algorithms that are present in BPI+ V1. By introducing the standard CMS format for message authentication (i.e., signatures), combined with the use of ECDHE, the DOCSIS 4.0 security protocol effectively decouples the public key algorithm used in the X.509 certificates from the key exchange algorithm. This enables the use of new public key algorithms when needed for security or operational reasons.
- Downgrade Attacks Protection. A new Trust On First Use (TOFU) mechanism is introduced to provide protection against downgrade attacks; although the principles behind TOFU mechanisms are not new, their use to protect against downgrade attacks is. It leverages the security parameters used during a first successful authorization as a baseline for future ones, unless indicated otherwise. By establishing the minimum required version of the authentication protocol, DOCSIS 4.0 cable modems actively prevent unauthorized use of a weaker version of the DOCSIS authentication framework (BPI+). During the transition period for the adoption of the new version of the protocol, cable operators can allow "planned" downgrades, for example when a node split occurs or when faulty equipment is replaced and BPI+ V2 is not enabled there. In other words, a successfully validated CMTS can set, on the CM, the minimum allowed version (and other CM-CMTS binding parameters) to be used for subsequent authentications.
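As an added illustration (not code from the DOCSIS specification, CableLabs or any vendor), the Go model below sketches how these properties answer the BPI+ V1 limitations described earlier: both Authorization messages are signed with the sender's long-term key, the Authorization Key is derived via ECDHE from ephemeral keys rather than RSA-encrypted by the CMTS, and the CM refuses a reply whose version is below its TOFU baseline. The single-byte version field, the SHA-256 key derivation and raw ECDSA signatures over P-256 are simplifications assumed here; the real protocol uses CMS signatures and X.509 certificates.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// AuthMsg stands in for a signed BPI+ V2 Authorization Request/Reply:
// the offered protocol version plus the sender's ephemeral ECDH public key.
type AuthMsg struct{ Version byte; EphPub, Sig []byte }

// NewIdentity mints a long-term P-256 key standing in for the certificate key.
func NewIdentity() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func Compose(id *ecdsa.PrivateKey, version byte) (AuthMsg, *ecdh.PrivateKey) {
	eph, _ := ecdh.P256().GenerateKey(rand.Reader) // fresh per exchange
	m := AuthMsg{Version: version, EphPub: eph.PublicKey().Bytes()}
	h := sha256.Sum256(append([]byte{version}, m.EphPub...))
	m.Sig, _ = ecdsa.SignASN1(rand.Reader, id, h[:]) // signed by long-term key
	return m, eph
}

// Verify fails for an altered version or ephemeral key, or a substituted identity.
func Verify(peer *ecdsa.PublicKey, m AuthMsg) bool {
	h := sha256.Sum256(append([]byte{m.Version}, m.EphPub...))
	return ecdsa.VerifyASN1(peer, h[:], m.Sig)
}

// Authorize runs one exchange (CM view); cmMin is the CM's TOFU baseline, cmtsVer the offered version.
func Authorize(cmID, cmtsID *ecdsa.PrivateKey, cmMin, cmtsVer byte) ([32]byte, error) {
	req, cmEph := Compose(cmID, 2)
	rep, _ := Compose(cmtsID, cmtsVer) // the CMTS keeps its own ephemeral key
	if !Verify(&cmID.PublicKey, req) || !Verify(&cmtsID.PublicKey, rep) {
		return [32]byte{}, errors.New("message authentication failed")
	}
	if rep.Version < cmMin {
		return [32]byte{}, errors.New("downgrade rejected: below TOFU minimum")
	}
	// Secret from ephemeral keys only: a later leak of a long-term key cannot decrypt recorded sessions.
	peer, _ := ecdh.P256().NewPublicKey(rep.EphPub)
	ss, _ := cmEph.ECDH(peer)
	return sha256.Sum256(append(append(ss, req.EphPub...), rep.EphPub...)), nil
}
```

The CMTS would compute the same key from its own ephemeral private key and the CM's EphPub; the model derives it once from the CM side to keep the exchange short.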
In this work we provided a short history of DOCSIS security and reviewed the limitations of the current authorization framework. As CMTS functionality moves into the untrusted domain, these limitations could translate into security threats, especially in new distributed architectures like Remote PHY. Although in their final stage of approval, the proposed changes to the DOCSIS 4.0 specification are currently being addressed in the Security Working Group.
Member organizations and DOCSIS equipment vendors are always encouraged to participate in our DOCSIS working groups. If you qualify, please contact us and join our weekly DOCSIS 4.0 security meeting, where these and other security-related topics are addressed.