Revisiting Security Fundamentals
It’s Cybersecurity Awareness Month—time to study up!
Cybersecurity is a complex topic. The engineers who address cybersecurity must not only be security experts; they must also be experts in the technologies they secure. In addition, they have to understand the ways that the technologies they support and use might be vulnerable and open to attack.
Another layer of complexity is that technology is always evolving. In parallel with that evolution, our adversaries are continuously advancing their attack methods and techniques. How do we stay on top of that? We must be masters of security fundamentals. We need to be able to start with foundational principles and extend our security tools, techniques and methods from there: Make things no more complex than necessary to ensure safe and secure user experiences.
In celebration of Cybersecurity Awareness Month, I’d like to devote a series of blog posts to address some basics about security and to provide a fresh perspective on why these concepts remain important areas of focus for cybersecurity.
At the most basic level, the three primary goals of security for cable and wireless networks are to ensure the confidentiality, integrity and availability of services. NIST documented these concepts well in its special publication, “An Introduction to Information Security.”
- Confidentiality ensures that only authorized users and systems can access a given resource (e.g., network interface, data file, processor). This is a pretty easy concept to understand: The most well-known confidentiality approach is encryption.
- Integrity, which is a little more obscure, guards against unauthorized changes to data and systems. It also includes the idea of non-repudiation, which means that the source of a given message (or packet) is known and cannot be denied by that source.
- Availability is the uncelebrated element of the security triad. It’s often forgotten until failures in service availability are recognized as being “a real problem.” This is unfortunate because engineering to ensure availability is very mature.
In Part 1 of this series, I want to focus on confidentiality. I’ll discuss integrity and availability in two subsequent blogs.
As I mentioned, confidentiality is a security function that most people are aware of. Encryption is the most frequently used method to assure confidentiality. I’m not going to go into a primer about encryption. However, it is worth talking about the principles. Encryption is about applying math using space, power and time to ensure that only parties with the right secret (usually a key) can read certain data. Ideally, the math used should require much greater space, power or time for an unauthorized party without the right secret to read that data. Why does this matter? Because encryption provides confidentiality only as long as the math used is sound and the corresponding amount of space, power and time for adversaries to read the data is impractical. That is often a good assumption, but history has shown that over time, a given encryption solution will eventually become insecure. So, it’s a good idea to apply other approaches to provide confidentiality as well.
What are some of those approaches? Ultimately, the other solutions prevent access to the data being protected. The notion is that if you prevent access (either physically or logically) to the data being protected, then it can’t be decrypted by unauthorized parties. Solutions in this area fall primarily into two strategies: access controls and separation.
Access controls validate that requests to access data or use a resource (like a network) come from authorized sources (identified using network addresses and other credentials). For example, an access control list (ACL) is used in networks to restrict resource access to specific IP or MAC addresses. As another example, a cryptographic challenge and response (often enabled by public key cryptography) might be used to ensure that the requesting entity has the “right credentials” to access data or a resource. One method we all use every day is passwords. Every time we “log on” to something, like a bank account, we present our username (identification) and our (hopefully) secret password.
Separation is another approach to confidentiality. One extreme example of separation is to establish a completely separate network architecture for conveying and storing confidential information. The government often uses this tactic, but even large enterprises use it with “private line networks.” Something less extreme is to use some form of identification or tagging to encapsulate packets or frames so that only authorized endpoints can receive traffic. This is achieved in Ethernet by using virtual LANs (VLANs). Each frame is tagged by the endpoint, or by the switch to which it connects, with a VLAN tag, and only endpoints in the same VLAN can receive traffic from that source endpoint. Higher network layer solutions include IP virtual private networks (VPNs) or, sometimes, Multiprotocol Label Switching (MPLS).
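To make the VLAN separation concrete, here is an added example (not code from the CableLabs post) of a minimal VLAN-aware learning switch: it parses the 802.1Q tag of each Ethernet frame and forwards only to ports that belong to that VLAN, so an endpoint in VLAN 10 never receives VLAN 20 traffic. The MAC addresses, port numbers and VLAN IDs are constructed for the demonstration.

```python
# Added example: VLAN-scoped forwarding as a confidentiality-by-separation control.
# Frame layout, MACs, ports and VLAN IDs below are constructed for the demo.
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (None if untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst: bytes, src: bytes, vlan, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag (PCP 0) when vlan is set."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


class VlanSwitch:
    """Each port is an access port belonging to exactly one VLAN."""

    def __init__(self, port_vlan: dict):
        self.port_vlan = dict(port_vlan)  # port number -> VLAN ID
        self.mac_table = {}               # (vlan, mac) -> port learned from

    def forward(self, ingress_port: int, frame: bytes) -> list:
        """Return the sorted list of egress ports that receive the frame."""
        f = parse_frame(frame)
        port_vlan = self.port_vlan[ingress_port]
        # Untagged frames inherit the port's VLAN. A frame that arrives already
        # tagged with a different VLAN is dropped: a host cannot hop into another
        # VLAN simply by writing a tag, which is the separation property we want.
        if f["vlan"] is None:
            vlan = port_vlan
        elif f["vlan"] == port_vlan:
            vlan = f["vlan"]
        else:
            return []
        # MAC learning is scoped per VLAN, so the same MAC seen in another VLAN
        # does not leak a forwarding decision across the boundary.
        self.mac_table[(vlan, f["src"])] = ingress_port
        known = self.mac_table.get((vlan, f["dst"]))
        if known is not None:
            return [known] if known != ingress_port else []
        # Unknown unicast or broadcast: flood, but only to ports in this VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != ingress_port)
```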
Threats to Confidentiality
What are the threats to confidentiality? I’ve already hinted that encryption isn’t perfect. The math on which a given encryption approach is based can sometimes be flawed. This type of flaw can be discovered decades after the original math was developed. That’s why it’s traditionally important to use cipher suites approved by appropriate government organizations such as NIST or ENISA. These organizations work with researchers to develop, select, test and validate given cryptographic algorithms as being provably sound.
However, even when an algorithm is sound, the way it’s implemented in code or hardware may have systemic errors. For example, most encryption approaches require the use of random number generators to execute certain functions. If a given code library for encryption uses a random number generator that’s biased in some way (less than truly random), the space, power and time necessary to achieve unauthorized access to encrypted data may be much less than intended.
One threat considered imminent to current cryptography methods is quantum computing. Quantum computers enable new algorithms that reduce the power, space and time necessary to solve certain specific problems, compared with what traditional computers required. For cryptography, two such algorithms are Grover’s and Shor’s.
Grover’s algorithm. Grover’s quantum algorithm addresses the length of time (number of computations) necessary to do unstructured search. This means that it may take half the number of guesses necessary to guess the secret (the key) to read a given piece of encrypted data. Given current commonly used encryption algorithms, which may provide confidentiality against two decades’ worth of traditional cryptanalysis, Grover’s algorithm is only a moderate threat—until you consider that systemic weaknesses in some implementations of those encryption algorithms may result in less than ideal security.
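The two points above (a biased random number generator shrinking the real key space, and Grover’s search speed-up) compound. As an added example, not from the post, the snippet below estimates how many bits of a nominal key actually survive: min-entropy of the generator’s output is measured from samples, and Grover’s quadratic speed-up is modelled as halving the remaining bits. The defective generator is constructed for the demonstration.

```python
# Added example: how much of a nominal symmetric key survives a biased RNG
# and Grover's speed-up. The weak generator below is constructed for the demo.
import math
from collections import Counter


def min_entropy_per_symbol(samples) -> float:
    """Min-entropy in bits of the observed distribution: -log2(max probability).
    Min-entropy (not Shannon entropy) bounds an attacker's best single guess."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def effective_key_bits(key_bits: int, symbol_bits: int,
                       entropy_per_symbol: float, grover: bool = False) -> float:
    """Bits of work a key of key_bits offers when each symbol_bits-wide RNG
    output carries only entropy_per_symbol bits. Grover halves the exponent."""
    symbols = key_bits / symbol_bits
    classical = symbols * min(entropy_per_symbol, symbol_bits)
    return classical / 2 if grover else classical


def weak_nibble_rng(n: int) -> list:
    """Constructed defect: a 'byte' generator whose high nibble is always zero,
    so each byte carries at most 4 bits of entropy instead of 8."""
    state = 0x2F
    out = []
    for _ in range(n):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF  # plain LCG, demo only
        out.append((state >> 24) & 0x0F)  # only 4 of the 8 bits ever vary
    return out


def audit_key_strength(samples, key_bits: int = 128) -> dict:
    """Summarise nominal vs. effective strength for a key built from these samples."""
    h = min_entropy_per_symbol(samples)
    return {
        "entropy_per_byte": h,
        "classical_bits": effective_key_bits(key_bits, 8, h),
        "grover_bits": effective_key_bits(key_bits, 8, h, grover=True),
    }
```

The "security bits" metric mentioned later in the post is this same effective exponent: a 128-bit key whose bytes hold 4 bits of entropy each offers 64 bits classically and about 32 bits against a Grover-capable adversary.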
Shor’s algorithm. Shor’s quantum algorithm is a more serious threat specifically to asymmetric cryptography. Current asymmetric cryptography relies on mathematics that assume it’s hard to factor integers down to primes (as used by the Rivest-Shamir-Adleman algorithm) or to find a given number in a mathematical function or field (as used in elliptic curve cryptography). Shor’s quantum algorithm makes very quick work of factoring; in fact, it may be possible to break these schemes nearly instantly given a sufficiently large quantum computer able to execute the algorithm.
It’s important to understand the relationship between confidentiality and privacy. They aren’t the same. Confidentiality protects the content of a communication or data from unauthorized access, but privacy goes beyond the technical controls that protect confidentiality and extends to the business practices of how personal data is used. Moreover, in practice, a security infrastructure may require some data to be encrypted while in motion across a network, but perhaps not when at rest on a server. Also, while confidentiality, in a security context, is pretty much a straightforward technical topic, privacy is about rights, obligations and expectations related to the use of personal data.
Why do I bring it up here? Because a breach of confidentiality may also be a breach of privacy. And because application of confidentiality tools alone does not satisfy privacy requirements in many situations. Security engineers – adversarial engineers – need to keep these things in mind and remember that today privacy violations result in real costs in fines and brand damage to our companies.
Wow! Going through all that was a bit more involved than I intended – let’s finish this blog. Cable and wireless networks have implemented many confidentiality solutions. Wi-Fi, LTE and DOCSIS technology all use encryption to ensure confidentiality on the shared media they use to transport packets. The cipher DOCSIS technology typically uses is AES-128, which has stood the test of time. We can anticipate future advances. One is a NIST initiative to select a new lightweight cipher – something that uses fewer processing resources than AES. This is a big deal. For just a slight reduction in security (measured using a somewhat obscure metric called “security bits”), some of the candidates being considered by NIST may use half the power or space compared to AES-128. That may translate to lower cost and higher reliability of endpoints that use the new ciphers.
Another area the cable industry, including CableLabs, continues to track is quantum-resistant cryptography. There are two approaches here. One is to use quantum technologies (to generate keys or transmit data) that may be inherently secure against quantum-computer-based cryptanalysis. Another approach is to use quantum-resistant algorithms (e.g., new math that is resistant to cryptanalysis using Shor’s and Grover’s algorithms) implemented on traditional computing methods. Both approaches are showing great promise.
There’s a quick review of confidentiality. Next up? Integrity.
Want to learn more about cybersecurity? Register for our upcoming webinar: Links in the Chain: CableLabs' Primer on What's Happening in Blockchain. Block your calendars. Chain yourselves to your computers. You will not want to miss this webinar on the state of Blockchain and Distributed Ledger Technology as it relates to the Cable and Telecommunications industry.
Jet Off to Miami for CableLabs’ First Latin America & Caribbean Summit
In recent years, expanding cable footprints across Latin America and the Caribbean have helped transform the lives of many people who now have access to better internet, TV and mobile services. But, there’s always more work that needs to be done. This December, join us in “Magic City” Miami for our first-ever Latin America & Caribbean Summit, where we’ll address the unique connectivity needs and challenges of the region and define strategies for the future.
Last year, cable overtook DSL to become the largest broadband technology platform in Latin America and the Caribbean. In 2018 alone, there were about 438 million Internet users—an increase of more than 130 million from 2013. This uptake is great not only for the providers, who are looking to expand and grow their revenues, but also for the communities they serve. In the long run, high-speed internet access changes the way people work, socialize and exchange ideas—leading to innovation, entrepreneurship and overall economic growth and prosperity. And we know that for many of our local provider members who care deeply about their communities, this is as much a motivating factor as their bottom line.
Our members in Latin America and the Caribbean represent a highly diverse group of cable operators – from 16 unique island communities in the Caribbean to 12 equally differentiated countries in North, Central and South America. At the summit, we will cover topics specific to their needs, including various ways the latest cable technology can accelerate progress in the region. You will have an opportunity to share ideas and insights with your peers, learn about the latest innovations and implementation strategies, and identify new opportunities for growth. Topics will include network evolution strategies in the context of 10G and DOCSIS 4.0, as well as fixed-mobile convergence, 5G, Kyrio's services and how they impact the connectivity industry, in-home Wi-Fi, operations experience improvements and other technology strategies for the new decade and beyond.
Who, When, Where?
The Latin America & Caribbean Summit is for C-level executives, technology leaders and subject matter experts from all CableLabs member companies in North, Central and South America and the Caribbean islands who have a deep understanding of the socio-economic characteristics of their markets and are committed to making a difference.
The event will take place in the beautiful Four Seasons hotel in Miami—the city appropriately referred to as the gateway to Latin America and the Caribbean—December 5–6, 2019.
Clocking In: 4Front 2020 Tackles the Future of Work
What will a typical workplace look like five, ten or even twenty years from now? Who will work there and what technologies will they use? These and other questions related to the future of work will form one of the major themes of our inaugural 4Front conference, scheduled for June 23-24, 2020, in Denver, Colorado.
Unlike some of the other conferences you may’ve attended, this event is not industry specific. It’s an inclusive idea launching pad where decision makers from all kinds of related ecosystems, including networking, government, infotech, education, healthcare and many others, can get together to address the technical needs of the future workforce and begin planning for the socioeconomic impacts of the upcoming changes.
What We'll Talk About
To be clear, our goal is to do more than just talk about the change that we already see happening. We are more interested in the next steps. Where do we want that change to lead us and how can we position our own businesses on the right path to getting there? In other words, how can we build the right technology for the right people?
In order to do that, we need to take a look at a few things, mainly:
- What kinds of jobs will be available in the future?
If you have a child who’s entering preschool, there’s a good chance his or her future job role hasn’t even been invented yet (think along the lines of a Memory Curator or an AI Ethics Officer). In fact, according to Accenture, 79% of executives agree that the future of work will be based more on specific projects than roles. Employers are already looking for people who are willing and able to wear “different hats” and think creatively even if the task at hand doesn’t match their official training. This trend will continue in the future, where skills like critical and creative thinking will be valued the most. The technologies we create have to support this new, agile way of working, allowing people to be more adaptable, efficient and creative no matter where or when they do it. This will inevitably lead to greater job satisfaction and a well-balanced, stress-free environment for the next generation of workers.
- How will people work together?
The future of work is all about flexibility. And not just in terms of schedule, but also where and how you work. Telecommuting is already becoming the new norm, but future technology, like holograms and VR, can take it to the next level, allowing people to log into virtual “rooms” where they can interact with their teammates as if they are in the same location. Seamless and instant connectivity, to both people and information, will be instrumental to the success of individual workers and their companies. And we need to help them get there.
- How will technology augment human jobs?
The topic of automation has been causing a lot of anxiety lately, especially among workers whose jobs are undergoing a transitional period. Are robots really taking over the workforce? Will there be enough work for us, humans, in the future? In short, yes. Fortunately, the human mind is far more skilled in any area that relies on creativity and emotional intelligence than machines and while some manual jobs might disappear, a great number of new, creative and highly-satisfying careers will take their place. It is up to us—technologists, lawmakers, entrepreneurs, futurists and creative visionaries—to architect a seamless transition to a future we can all be proud of.
Why You Should Attend
As already mentioned, we are planning to make 4Front an inclusive event that gathers representatives from a variety of technical and non-technical fields. And if your personal and company goals match any of the below, we would love for you to join us.
- Speakers: You’re a thought leader looking for a platform to communicate your vision of the future to an eager audience.
- Founders/entrepreneurs: You are a decision maker looking to find inspiration in people outside your industry or ecosystem and discover new market opportunities.
- Technologists: Your innovative spirit is guided by the desire to build a better future and you’re looking to make your products fit the needs of your target audiences. Both CableLabs members and non-members are invited.
- Policy makers: You are an expert in designing policies that navigate the socioeconomic impacts of innovation and you want to better understand the needs of entrepreneurs and end users.
- Influencers: You want to expand your network and cement your reputation as an industry trailblazer.
Why You Should Sponsor the Work Track
One of the best ways to drive the strategy of the future is by sponsoring the entire “work” track. It is a one-of-a-kind opportunity to widen your sphere of influence, showcase your innovations, attract new business opportunities and lead discussions on the topics that matter the most to your business.
As a 4Front sponsor, you will be able to:
- Contribute content to the main stage and introduce keynote speakers.
- Design an immersive experience that showcases your thought leadership.
- Drive the conversation with other decision makers by hosting your own panel.
- Gain attention of the brightest minds in the industry, including CEOs, founders and other entrepreneurs like yourself.
- Get invaluable media exposure, put yourself at the forefront of your industry and much more!
To discuss potential sponsorship opportunities and agenda ideas, please contact Jeff Metzger, CableLabs Director of Live Brand Experience, at email@example.com.
You can learn more about our vision of the future of work in our recent Near Future video. You can read more about 4Front and register below. See you there!
Vaccinate Your Network to Prevent the Spread of DDoS Attacks
CableLabs has developed a method to mitigate Distributed Denial of Service (DDoS) attacks at the source, before they become a problem. By blocking attack traffic from compromised devices at the source, service providers can help customers identify and fix those devices on their network.
DDoS Is a Growing Threat
DDoS attacks and other cyberattacks cost operators billions of dollars, and the impact of these attacks continues to grow in size and scale, with some exceeding 1 Tbps. The number of Internet of Things (IoT) devices also continues to grow rapidly, many have poor security, and upstream bandwidth is ever increasing; this perfect storm has led to exponential increases in IoT attacks, by over 600 percent between 2016 and 2017 alone. With an estimated increase in the number of IoT devices from 5 billion in 2016 to more than 20 billion in 2020, we can expect the number of attacks to continue this upward trend.
As applications and services are moved to the cloud and the reliance on connected devices grows, the impact of DDoS attacks can continue to worsen.
Enabled by the Programmable Data Plane
Don’t despair! New technology brings new solutions. Instead of mitigating a DDoS attack at the target, where it’s at full strength, we can stop the attack at the source. With the use of P4, a programming language designed for managing traffic on the network, the functionality of switches and routers can be updated to provide capabilities that aren’t available in current switches. By coupling P4 programs with ASICs built to run these programs at high speed, we can do this without sacrificing network performance.
As service providers update their networks with customizable switches and edge compute capabilities, they can roll out these new features with a software update.
Comparison Against Traditional DDoS Mitigation Solutions
| Feature | Transparent Security | Typical DDoS solution |
|---|---|---|
| Mitigates ingress traffic | X | X |
| Mitigates egress traffic | X | |
| Deployed at network peering points | X | X |
| Deployed at hub/head end | X | |
| Deployed at customer premises | X | |
| Requires specialized hardware | | X |
| Mitigates with white box switches | X | |
| Works with customer gateways | X | |
| Identifies attacking device | X | |
| Time to mitigate attack | Seconds | Minutes |
| Packet header sample rate | 100% | < 0.1% |
Transparent Security can mitigate ingress and egress traffic at every point in the network, from the customer premises to the core of the network. To mitigate ingress attacks, typical DDoS mitigation solutions are deployed only at the edge of the network. This means that they don’t protect the network from internal DDoS attacks and can allow their networks to be weaponized.
Transparent Security runs on white box switches and software at the gateway. This provides a wide variety of vendor options and is compatible with open standards, such as P4. Typical solutions frequently rely on the purchase of specialized hardware called scrubbers. It isn’t feasible to deploy these at the customer premises. Finally, Transparent Security can look at the header of every egress packet to quickly identify attacks originating on the service provider’s network. Typical solutions sample only 1 in 5,000 packets.
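The sample-rate row in the table is the crux of the "identifies attacking device" and "seconds versus minutes" differences. The following added example (not CableLabs’ Transparent Security code) is a toy egress monitor that counts packets per source address and flags a source once it crosses a threshold, run once with every header inspected and once seeing only 1 in 5,000 headers. The addresses, traffic mix and threshold are constructed for the demonstration.

```python
# Added example: per-source egress monitoring at 100% vs 1-in-5000 header
# visibility. Traffic, addresses and the threshold are constructed for the demo.
from collections import Counter


def flag_attacking_sources(headers, threshold: int, sample_every: int = 1) -> dict:
    """headers: iterable of (src_ip, dst_ip, proto) tuples in transmit order.
    Only every sample_every-th header is examined (1 = inspect every packet).
    Returns {src_ip: index of the packet at which the source was flagged}."""
    counts = Counter()
    flagged = {}
    for i, (src, _dst, _proto) in enumerate(headers):
        if i % sample_every:
            continue  # this header was never seen by the monitor
        counts[src] += 1
        if src not in flagged and counts[src] >= threshold:
            flagged[src] = i
    return flagged


def constructed_traffic(attacker="10.0.0.7", total=22000) -> list:
    """One home device flooding an external target, interleaved with a trickle
    of ordinary traffic from four neighbours (every 11th packet)."""
    neighbours = ["10.0.0.%d" % k for k in range(2, 6)]
    headers = []
    for i in range(total):
        if i % 11 == 0:
            headers.append((neighbours[(i // 11) % 4], "198.51.100.20", 6))
        else:
            headers.append((attacker, "203.0.113.9", 17))
    return headers


def time_to_flag(flagged: dict, src: str, packets_per_second: float):
    """Convert a flag index into seconds of attack traffic that escaped
    before the device was identified; None if it was never flagged."""
    if src not in flagged:
        return None
    return (flagged[src] + 1) / packets_per_second
```

With the sampled monitor the 20,000-packet flood yields only four observed headers from the attacker, so the device is never identified; the operator would have to scale each sample up by 5,000 to compensate, which is what makes sampled attribution slow and error-prone.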
Just the Beginning
Transparent Security is just the beginning, and one of many solutions that can be deployed to improve broadband services. Through the programmable data plane, network management will become vastly smarter, and new services will benefit, from Micronets to firewall and managed router as a service.
Join the Project
CableLabs is engaging members and vendors to define the interfaces between the transparent security components. This should create an interoperable solution with a broad vendor ecosystem. The SDNC-Dashboard, AE-SDNC, SDNC-Switch and Switch-AE interfaces in the diagram below have been identified for the initial iteration. Section 6 of the white paper describes these interfaces in detail.
The Transparent Security architecture and interface definitions will expand over time to support additional use cases. These interfaces leverage existing industry standards when possible.
A Major Leap Toward 10G: CableLabs to Complete DOCSIS® 4.0 Specification in Early 2020
In a continuing effort to meet the industry’s recently announced 10G goal, CableLabs is wrapping up the first major update to its DOCSIS specification since DOCSIS 3.1. DOCSIS 4.0 technology will enable the next generation of broadband over cable’s existing hybrid fiber coax (HFC) networks, delivering symmetrical multi-gigabit speeds while supporting high reliability, high security and low latency.
What is DOCSIS 4.0 Technology?
Building on the success of DOCSIS 3.1 technology, which the cable industry is leveraging globally to deliver 1 Gbps services to end users, DOCSIS 4.0 technology supports a rich and flexible feature set of capabilities. The technology will enable multiple system operators (MSOs) to deliver on the 10G vision and includes support for Extended Spectrum DOCSIS (ESD) and Full Duplex DOCSIS (FDX) capabilities. These are complementary technologies that jointly or individually represent key elements to deliver on the 10G promise. By supporting these technologies, cable operators can deliver a richer feature set of capabilities and facilitate a cost-effective upgrade to a better, faster and more efficient network.
- Full Duplex DOCSIS Capabilities
FDX DOCSIS technology allows for concurrent use of spectrum for both upstream and downstream traffic, thus doubling the network efficiency by leveraging the HFC network characteristics, self-interference cancellation technology and intelligent scheduling. DOCSIS 4.0 technology is also backwards compatible with previous generations of DOCSIS technologies.
- Extended Spectrum DOCSIS
With ESD, operators can leverage a lot more usable spectrum on their existing HFC networks—up to 1.8 GHz. That’s 600 MHz more than the 1.2 GHz available to them under the current DOCSIS 3.1 standard. The DOCSIS 4.0 working groups are in full swing, focusing on developing and adding the ESD requirements to the DOCSIS 4.0 specifications.
This boost in capacity provided by DOCSIS 4.0 technology will enable MSOs to provide multi-Gbps symmetric services to residential and business customers, and support the next generation of user experiences such as immersive media experiences in addition to serving as a catalyst for a new wave of innovations.
DOCSIS 4.0 technology is a major step toward reaching the industry’s 10G goal. You can learn more about the road to 10G and its technologies here. If you’re near New Orleans or attending the SCTE Cable-Tech Expo next week, register for our vendor forum, Envision, to get the exclusive opportunity to learn about the technologies the industry is working on. At Envision, which will take place on September 30, you can expect to hear updates about DOCSIS 4.0 technology and 10G, including how 10G will enable mobile and wireless networks.
Driving Increased Security in All IoT Devices
CableLabs engages with the IoT industry and the broader stakeholder community, including governments, to help drive increased IoT device security. The rapid proliferation of IoT devices has the potential to transform and enrich our lives and to drive significant productivity gains in the broader economy. However, the lack of sufficient security in a meaningful number of these newly connected devices creates significant risk to consumers and to the basic functionality of the Internet. Insecure IoT devices often serve as building blocks for botnets and other distributed threats that in turn perform DDoS attacks, steal personal and sensitive data, send spam, propagate ransomware, and more generally, provide the attacker access to the compromised devices and their connections.
To help address the challenge of insecure IoT, CableLabs along with 19 other industry organizations came together to develop “The C2 Consensus on IoT Device Security Baseline Capabilities,” released earlier this week. The broad industry consensus identifies cybersecurity baseline capabilities that all new IoT devices should have, as well as additional capabilities that should be phased in over time. The development kicked off in March with a workshop hosted by the Consumer Technology Association (CTA). Over the past months, the group has coalesced around the identified cybersecurity capabilities. These include capabilities in the areas of device identity, secured access, data protection and patchability, among others.
CableLabs has also engaged with the National Institute of Standards and Technology (NIST) as it develops its recently released draft report, “Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers.” Both industry and governments largely agree on the capabilities that must be included to increase device security. Like the C2 Consensus, NIST focuses on foundational cybersecurity capabilities, including device identity, secure access, patchability of firmware and software, protection of device configuration and device data, and cybersecurity event logging.
The cybersecurity capabilities identified in the C2 Consensus and by NIST will help prevent and minimize the potential for exploitation of IoT devices. Both documents provide a strong foundation and help point IoT manufacturers in the right direction on how to increase device security. However, cybersecurity is an ongoing journey, not a destination. Security practices must evolve and continue to improve to address new and emerging threats and changes in technology. This foundation must continue to be built on over time.
CableLabs has long been a leader in the development of security technologies. For decades, CableLabs has helped guide the cable industry in incorporating many of the identified security capabilities into cable devices and has ensured the maintenance and advancement of these capabilities over time. For instance, since the first DOCSIS specification in 1997, CableLabs has helped ensure the protection of data: All traffic flows between each cable modem and the CMTS are encrypted to protect the confidentiality and integrity of those transmissions. This is not a once-and-done process; CableLabs has and must continue to advance the cryptography used in cable devices to protect against new and more powerful brute force attacks and other potential threats. Similarly, nearly 20 years ago, CableLabs adopted PKI-based digital certificates to support strong device identity and authentication for devices connecting directly to the cable network (e.g., cable modems, Internet gateways, set-top boxes). Since the initial implementation, CableLabs has continued to advance its PKI implementation to address new and emerging threats.
CableLabs has leveraged its experience and success in developing and implementing cybersecurity technologies in cable devices to help drive increased security in IoT devices. The underlying fundamentals, as well as many of the approaches to implementing them, are transferable to IoT, as detailed in our white paper, “A Vision for Secure IoT.” We’ve engaged not only with the C2 Consensus and NIST’s IoT security efforts, but also with industry specification organizations, specifically the Open Connectivity Foundation (OCF), to develop secure interoperability for IoT devices. OCF has implemented nearly all of the identified capabilities in its specification, tests for the capabilities in its certification regime, and provides the capabilities, free of charge, in its open source reference implementation – IoTivity.
Since publishing “A Vision for Secure IoT” in the summer of 2017, industry and the broader stakeholder community, including governments, recognize and have begun to address the challenge of insecure IoT.
Gearing Up for 10G: Download the Technical Brief on CableLabs’ Low Latency Technologies for DOCSIS Networks
If you’ve been following our blog and our recent 10G announcement, you know that one of the main areas of focus for us is latency. Achieving a near-zero latency on DOCSIS networks is one of the goals of the 10G initiative and is just as important as increasing speed or bandwidth. The success of future 10G networks that can support seamless communication and next-level interactive experiences like holodecks and 360° video is heavily dependent on finding technological solutions that decrease latency to imperceptible levels, delivering consistent, real-time responsiveness that our customers desire.
The good news is we are well on our way to getting there. So far we’ve released a number of specifications, including Low Latency DOCSIS (LLD) and Low Latency Mobile Xhaul (LLX), aimed at reducing latency in the DOCSIS networks that provide residential services and also serve as backhaul, midhaul and fronthaul (collectively known as xhaul) for mobile traffic.
Low Latency DOCSIS (LLD)
In modern households, there are often multiple applications and devices connected to the same network at the same time, sending and receiving a variety of traffic. Some, like streaming video and large file downloads, send repeated large bursts of data and expect the network to buffer and play out those bursts, while others, like online gaming and voice chat, send traffic smoothly. Ordinarily, the traffic from the smooth senders is subjected to the widely varying buffering latency caused by the bursty senders. LLD technology is optimized for these two different types of traffic behavior, and decreases delays for smooth-sending applications (many of which are latency-sensitive) without affecting the other traffic. Low Latency DOCSIS technology can support a consistent sub-1 ms round-trip latency for the smooth-sending applications, resulting in much better network performance overall.
Low Latency Mobile Xhaul (LLX)
LLX leverages collaboration between the mobile network scheduler and the DOCSIS scheduler to provide a low latency xhaul solution that achieves a consistent DOCSIS upstream delay of just 1 to 2 milliseconds. LLX also defines a common quality of service framework for both mobile and DOCSIS so that the relative priorities of different traffic streams are maintained across the two systems. In the foreseeable future, deploying LLX technology will help solidify DOCSIS cable networks as the xhaul transport of choice, capable of supporting the latency requirements of 5G and beyond.
For more detail, please download the following member-only technical brief on Low Latency Technologies for DOCSIS Networks which includes information about sources of latency, how we address them, implementation strategies and more.
If you’re not yet a CableLabs member, find out how you can become one here.
Wi-Fi Alliance Launches Wi-Fi CERTIFIED 6™ Certification Program
Wi-Fi 6 has been around for almost a year, in the news and on the shelves. Tuesday, however, marked a key milestone in the deployment of the next generation of Wi-Fi connectivity: the Wi-Fi Alliance announced the launch of the Wi-Fi CERTIFIED 6™ certification program. Wi-Fi CERTIFIED 6™ provides assurance that certified devices will interoperate and meet the industry-agreed standard requirements. With more than one billion Wi-Fi 6 chipsets expected to ship annually by 2022, interoperability plays a crucial role in guaranteeing proper operation of Wi-Fi networks and a seamless user experience.
Based on the IEEE 802.11ax standard, Wi-Fi 6 builds on earlier Wi-Fi generations by delivering greater network capacity, better performance in congested environments, higher data rates and improved power efficiency. The IEEE 802.11ax working group started work on this generation of Wi-Fi in 2014. Earlier 802.11 standards focused primarily on higher peak and aggregate throughput, but the rapid evolution of the Wi-Fi landscape brought new use cases and challenges, and the exponential growth of Wi-Fi connected devices made it critical to focus on real field conditions. 802.11ax, known as Wi-Fi 6, addresses the congestion and interference seen especially in dense deployments in order to deliver higher average throughput per user. Target deployments include busy airports and train stations, public venues, mobile traffic offload and apartment complexes. For cable operators, this translates into serving multiple users at a higher average throughput in residential environments and public hotspots.
Wi-Fi CERTIFIED 6™ key features
Wi-Fi CERTIFIED 6™ certification program includes a series of key features listed below:
- Downlink and uplink Orthogonal Frequency Division Multiple Access (OFDMA), where the channel width is split into sub-channels (resource units) that are allocated to different clients. OFDMA increases system efficiency while decreasing latency in dense deployments, making more efficient use of the available spectrum. It allows multiple users to be served simultaneously within a single transmission, whereas Wi-Fi 5 and earlier generally served one user at a time.
- Downlink Multi-User Multiple Input, Multiple Output (MU-MIMO) increases system capacity. MU-MIMO was introduced in Wi-Fi 5; Wi-Fi 6 extends it to serve up to eight users concurrently.
- 1024-QAM (Quadrature Amplitude Modulation) carries 10 bits per symbol instead of the 8 bits of Wi-Fi 5's 256-QAM, increasing peak throughput by 25% in good signal conditions.
- Transmit beamforming uses several transmit antennas on the access point to focus the signal toward the destination station. This enables higher data rates at longer range.
- Target Wake Time (TWT) is based on a scheduler that allows devices to negotiate when and how often they will wake up to send or receive data. TWT improves device battery life, a feature that matters for Internet of Things (IoT) devices.
- Basic Service Set (BSS) coloring allows devices to recognize whether incoming traffic is from an adjacent network, so they can adapt their transmissions (spatial reuse) and optimize activity within their own network.
Wi-Fi 6 certified devices must also meet 3 prerequisites:
- Wi-Fi CERTIFIED N (Wi-Fi 4) and Wi-Fi CERTIFIED AC (Wi-Fi 5) certifications ensure backward compatibility with earlier Wi-Fi standards.
- Wi-Fi CERTIFIED Agile Multiband allows devices to make intelligent access point, band and channel selection, improving efficiency and consistency on congested wireless networks.
- Wi-Fi CERTIFIED WPA3 raises the bar for authentication and encryption, addressing some of the WPA2 weaknesses that emerged over the past years. For personal networks, WPA3 replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange under which a captured handshake no longer enables an offline dictionary attack on the passphrase and session keys gain forward secrecy; WPA3 also requires Protected Management Frames. In practice, a Wi-Fi 6 network should be configured for WPA3 (or WPA3 transition mode where legacy clients remain) rather than left on WPA2.
The Role of Wi-Fi 6 in the 10G Platform
Earlier this year, CableLabs® introduced 10G™, the cable industry’s vision for delivering 10 gigabit networks. The 10G platform includes a collection of technologies enabling 10 Gbps symmetrical speeds, lower latency, enhanced reliability and security. In addition to wired technologies such as DOCSIS 4.0 and P2P coherent optics, the platform includes a set of wireless technologies as an integral part of the network (e.g., Dual Channel Wi-Fi™ and Low Latency Wi-Fi). With almost half of Internet traffic initiated from Wi-Fi connected devices, the cable industry is devoted to developing and enhancing wireless networks for a seamless user experience. Wi-Fi 6’s increased capacity, lower latency and higher throughput support the evolution of wireless technologies needed for the 10G roadmap.
Wi-Fi 6 is also addressed by Kyrio™, a subsidiary of CableLabs. Kyrio’s Wi-Fi 6 test setup (based on Otoscope®) provides a lab environment for controlled testing. In addition, the Kyrio test house is equipped with Wi-Fi 6 devices to simulate a real-world experience and characterize Wi-Fi 6 performance in a residential environment.
CoMP over DOCSIS: Femtocells in the Age of vRAN
As promised in the last couple of blog posts discussing DOCSIS-based femtocells, we’ve saved the best for last. So far in the series, we’ve made the case for femtocells over DOCSIS networks and laid out the total cost of ownership (TCO) benefits of this deployment model. In this final blog post, I’ll share the results of some testing we’ve been doing at CableLabs on using Coordinated Multipoint (CoMP) to optimize femtocell performance in dense deployments.
Decluttering the Radio Signal
Let’s step back and look at a key issue that has limited the benefit of femtocells in the past: intercell interference. When femtocells (or any cells, for that matter) are placed in close proximity, the radio signals each cell site produces can bleed into its neighbor’s territory and negatively affect network performance.
With CoMP, neighboring cells can coordinate their transmissions in a variety of ways to work collaboratively and prevent interference. They can share scheduling and beamforming data to avoid creating interference. Or, they can use joint processing, which allows multiple cells to talk to a single cell phone at the same time, increasing the signal quality.
Although it’s not a perfect analogy, it’s a bit like trying to listen to a bunch of people singing their favorite song at the top of their lungs versus listening to a choir following a conductor, as you see in the following figure. The former is old femtocells, and the latter is virtualized RAN (vRAN) femtocells using CoMP.
Since its inception, CoMP has been largely believed to require fiber transport links to work. For example, in TR 36.819, there’s a whole section devoted to the impact of “higher latency communication between points,” where “higher” refers to 5ms, 10ms or 15ms of latency. In that text, gains decrease as latency increases, ultimately going negative (i.e., losses in performance).
However, with the increase in attention on vRAN, particularly lower-layer splits like the work going on in Telecom Infra Project (TIP) vRAN Fronthaul and O-RAN Alliance WG4, latency takes on new meanings with respect to CoMP.
For example, what matters more, the latency from one radio unit to another or the latency from one virtualized baseband unit (vBBU) to another? And if it’s the latter, does that mean CoMP can provide benefit even over long-latency non-ideal vRAN fronthaul like DOCSIS?
To find out the answers to these questions, we set up a test bed at CableLabs in collaboration with Phluido to explore CoMP over DOCSIS. We used the hardware from the TIP vRAN Fronthaul project, with an LTE software stack provided by Phluido that supports CoMP. We installed two radio units in different rooms, each radio connected via a DOCSIS® 3.0 network to the vBBU. We designated two test points: one with a phone located at the cell center, the other with both phones in the cell edge/cell overlap region.
Notably in our setup, the latency from radio unit to vBBU and radio unit to radio unit were both about 10ms. However, the latency between vBBUs was essentially zero as both radios shared the same vBBU. This setup is specifically designed to test whether vBBU-to-radio latency or vBBU-to-vBBU latency is more important for CoMP gains.
What we found is that radio-to-radio latency and radio-to-vBBU latency can be quite large in absolute terms, and we can still get good CoMP performance provided that latency is low between the vBBUs and that vBBU-to-radio unit latency is similar for the radios in the CoMP cluster, as you see below.
In other words, to realize CoMP gains, the relative latency between a set of cells is more important than the absolute latency from vBBU to each radio.
We tested four configurations of phones at the cell center versus the cell edge, or some mix thereof, as the following figure shows.
In case 1, we see full cell throughput at each phone with CoMP enabled or disabled. This is great; this result shows that we haven’t lost any system capacity at the cell center by combining the cells into a single physical cell ID (PCI) and enabling CoMP.
In case 2, the phone throughput jumped from 55 Mbps to 78 Mbps when we enabled CoMP, showing a CoMP gain of almost 50 percent.
In case 3, when we enabled CoMP, the phone at the cell edge saw a throughput gain of 84 percent. In this scenario, the throughput of the cell center phone saw a decrease in throughput. This illustrates a tradeoff of CoMP when using legacy transmission modes (TM4, in this case) where the operator must choose whether it wants to favor cell edge users or cell center users. With more advanced transmission modes (e.g., TM10), this tradeoff is no longer an issue. Note that this is true of any CoMP deployment and not related to our use of DOCSIS network fronthaul.
In case 4, we expected to see significant gains from CoMP, but so far we haven’t. This is an area of further investigation for our team.
vRAN Femtocell CoMP in MDUs
Let’s look at an example use case. Cell service in multi-dwelling units (MDUs) can be challenging. A combination of factors, such as commercial construction materials, glazing and elevation, affect the indoor signal quality. As discussed in my previous blog, serving those indoor users can be very resource intensive.
As an operator, it would be great to have a low-cost way to deploy indoor cells. With vRAN over DOCSIS networks supporting CoMP, the operator can target femtocell deployments at heavy users, then build CoMP clusters (i.e., the set of radios that collaborate) as needed to optimize the deployment.
Putting It All Together
The testing described here has shown that CoMP gains can be realized even when using long-latency fronthaul over DOCSIS networks. As these solutions mature and become commercial-ready, deployments of this type will provide the following for operators:
- Low-Cost Hardware: vRAN radios, particularly for femtocells, are low-complexity devices because the majority of the signal processing has been removed and put in the cloud. These radios can be built into the gateway customer premises equipment (CPE) already deployed by operators.
- Low-OPEX Self Installs: With vRAN radios built into DOCSIS CPEs, operators can leverage the simplicity of self-installation. The ability to dynamically reconfigure CoMP clusters means that detailed RF planning and professional installation aren’t necessary.
- High-Performing System: As shown in our testing results, CoMP gains can be realized over DOCSIS network–based vRAN femtocells. This eliminates another of the previous stumbling blocks encountered by earlier femtocell deployments.
Enabling 5G with 10G Low Latency Xhaul (LLX) Over DOCSIS® Technology
I am a GenXer, and I am addicted to my iPhone. But it’s not just me: today’s consumers, millennials, baby boomers and everyone in between, are spending more and more time on their mobile devices. Have you ever wondered what happens to your traffic when you interact with your iPhone or Android device? The traffic reaches a radio tower, but it doesn’t stop there; it needs to reach the internet via a connection between the cellular base station and a distant data center.
Traditionally, that connection (a.k.a., “xhaul”) is mostly provided by fiber. Fiber has great speed and latency performance but is costly to build. With advancements in LTE and 5G, mobile operators are increasingly deploying more and more radios deeper into the neighborhoods. They will need a more scalable solution to provide that xhaul without sacrificing the performance. This is where the hybrid fiber coaxial (HFC) network can help.
With ubiquitous cable infrastructures that are already in place, the cable operators have the scalability to support today’s LTE and tomorrow’s 5G networks without the cost of building new fiber networks. With DOCSIS 3.0+ as well as Low Latency Xhaul (LLX) technology, the DOCSIS network has performance that is virtually indistinguishable from fiber. The CableLabs 10G technologies make the HFC network a better xhaul network, which is a win-win for the consumers, mobile operators, and cable operators.
How Low Latency Xhaul (LLX) Works
Today’s DOCSIS technology provides a good starting point for mobile xhaul but may not be enough to support the latency requirements of future mobile traffic. DOCSIS upstream latency typically ranges from 8 to 12 milliseconds and can reach around 50 milliseconds under heavy load. To support 5G, we want to bring that latency down into the 1 to 2 millisecond range.
The LLX technology is specifically designed to reduce the latency experienced by mobile traffic while traversing the DOCSIS transport network on its way to the internet. The LLX technology development started about 3 years ago as a joint innovation project between CableLabs and Cisco. I wrote about it here and here.
So, how does LLX work? Take LTE backhauled over a DOCSIS network as an example. Today, LTE and DOCSIS are two independent systems: their operations occur in series, and the overall latency is the sum of the two systems’ latencies. From an engineer’s point of view, however, both technologies use a similar request-and-grant mechanism to access the channel. If the two processes can be pipelined, LTE and DOCSIS operations can take place in parallel, removing the “sum” from the latency equation. To enable pipelining, we designed a protocol built around a message called the bandwidth report (BWR), which lets the LTE network share its scheduling information with the DOCSIS network ahead of the traffic itself. Pipelining is the unique and inventive aspect of LLX and the heart of what creates a low latency transport.
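The serial-versus-pipelined timing described above, as an added timeline model (illustrative code written for this page, not the LLX specification or CableLabs/Cisco code). Every timing value is an assumption chosen to be plausible, and the two BWR fields (expected arrival time and byte count) are assumed for the model rather than taken from the specification. The model also keeps the cable modem's ordinary request path alive, so a late BWR degrades to the serial case rather than making it worse.

```python
"""Constructed timeline model of LTE traffic backhauled over DOCSIS: serial
request/grant versus pipelining via a Bandwidth Report (BWR). Added illustration,
not the LLX specification or CableLabs/Cisco code; all timings and the BWR fields
are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Timings:
    lte_req_to_grant_ms: float     # UE scheduling request -> eNB issues uplink grant
    lte_grant_to_data_ms: float    # uplink grant -> UE data decoded and handed to the CM
    docsis_req_to_grant_ms: float  # CM REQ -> usable MAP grant (REQ opportunity wait + round trip)
    docsis_map_lead_ms: float      # CMTS decision -> earliest usable grant when no REQ is needed
    docsis_tx_ms: float            # grant start -> data received at the CMTS
    bwr_delivery_ms: float         # eNB -> CMTS delivery time of the BWR message


@dataclass(frozen=True)
class BandwidthReport:
    """Assumed BWR content: when the LTE data will reach the CM, and how much."""
    expected_arrival_ms: float
    size_bytes: int


def lte_stage(t: Timings):
    """The LTE request/grant cycle is identical in both modes."""
    t_grant = t.lte_req_to_grant_ms
    t_at_cm = t_grant + t.lte_grant_to_data_ms
    return t_grant, t_at_cm


def serial_timeline(t: Timings):
    """Today's behaviour: the CM only learns about the data when it arrives,
    then runs its own DOCSIS request/grant cycle."""
    t_grant, t_at_cm = lte_stage(t)
    t_tx = t_at_cm + t.docsis_req_to_grant_ms
    return {"lte_grant": t_grant, "data_at_cm": t_at_cm,
            "docsis_tx_start": t_tx, "data_at_cmts": t_tx + t.docsis_tx_ms}


def pipelined_timeline(t: Timings, size_bytes: int = 1500):
    """LLX-style behaviour: when the eNB issues the LTE grant it also sends a
    BWR, so the CMTS can schedule the DOCSIS grant while the LTE transmission
    is still in flight."""
    t_grant, t_at_cm = lte_stage(t)
    bwr = BandwidthReport(expected_arrival_ms=t_at_cm, size_bytes=size_bytes)
    t_bwr_at_cmts = t_grant + t.bwr_delivery_ms
    # CMTS grants for the reported arrival time, no earlier (bandwidth would
    # be wasted) and no sooner than its MAP lead time allows.
    t_bwr_grant = max(bwr.expected_arrival_ms, t_bwr_at_cmts + t.docsis_map_lead_ms)
    # The CM still sends its normal REQ; whichever grant is usable first wins,
    # so a late BWR never makes things worse than the serial path.
    t_req_grant = t_at_cm + t.docsis_req_to_grant_ms
    t_tx = min(t_bwr_grant, t_req_grant)
    return {"lte_grant": t_grant, "data_at_cm": t_at_cm, "bwr_at_cmts": t_bwr_at_cmts,
            "grant_bytes": bwr.size_bytes, "docsis_tx_start": t_tx,
            "data_at_cmts": t_tx + t.docsis_tx_ms}


def docsis_upstream_latency_ms(timeline) -> float:
    """Time the data spends in the DOCSIS segment: CM arrival to CMTS arrival."""
    return timeline["data_at_cmts"] - timeline["data_at_cm"]


# Assumed numbers: LTE grant cycle 4 ms + 4 ms, DOCSIS REQ/grant cycle 8 ms,
# MAP lead 3 ms, 2 ms on the wire, 1 ms to deliver the BWR.
ASSUMED = Timings(4.0, 4.0, 8.0, 3.0, 2.0, 1.0)
# Same, but the BWR takes 20 ms to reach the CMTS (failure mode).
LATE_BWR = Timings(4.0, 4.0, 8.0, 3.0, 2.0, 20.0)

if __name__ == "__main__":
    for name, t in (("assumed", ASSUMED), ("late BWR", LATE_BWR)):
        print(name, "serial:", docsis_upstream_latency_ms(serial_timeline(t)),
              "ms, pipelined:", docsis_upstream_latency_ms(pipelined_timeline(t)), "ms")
```

Under the assumed numbers the DOCSIS segment costs 10 ms serially and 2 ms pipelined, because the grant is already waiting when the LTE data reaches the modem; the only remaining cost is the transmission itself. When the BWR is delivered too late to help, the modem's own request path produces the same 10 ms as today, which is the property an operator wants before turning such a feature on.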
So, just how well does LLX work? We recently teamed up with Shaw, one of our Canadian members, as well as our technology development partners Cisco and Sercomm to perform a series of lab trials. Details of the trials will be published at the upcoming SCTE Cable-Tec Expo in October. As a preview, we demonstrated that even when the DOCSIS network is heavily loaded, LLX consistently reduced the DOCSIS upstream latency to 1 to 2 milliseconds, all without adversely affecting other traffic.
Deploying LLX Technology
The LLX specification was published a few months ago, the result of collaborative efforts from key cable and mobile equipment vendors in the CableLabs-led LLX working group.
LLX technology is designed to work for a variety of deployment models, including backhaul and fronthaul, over DOCSIS as well as over PON networks. To this end, we have taken the technology to mobile industry standardization organizations such as the O-RAN Alliance whose current focus is fronthaul.
LLX works in the DOCSIS 3.0 and later networks as a software upgrade to the CMTS. It has been implemented on commercial DOCSIS and mobile equipment. More information on LLX is available here.
For those attending the SCTE Cable-Tec Expo in New Orleans, we will be discussing the innovation on the Innovation Stage at 12:45pm local time with my industry partners from Shaw, Cisco, and Sercomm. I will also dive deep into the technology and the Shaw trial results in my SCTE panel “Mobile X-haul and DOCSIS”, Wednesday October 2nd at 9am local time. Hope to see you there.