Finishing the P2P Coherent Optics Puzzle
This past June, CableLabs publicly released the first issued version of the Coherent Termination Device (CTD) Requirements Specification. The same month, the Institute of Electrical and Electronics Engineers (IEEE) Standards Association (SA) approved amendment 802.3ct-2021, which defines 100G Ethernet using coherent optics. Combined with previous point-to-point (P2P) coherent optics specifications released by CableLabs, these two events represent two of the final pieces of the puzzle for enabling low-cost, interoperable coherent optics solutions for cable operators.
Coherent Termination Device
CableLabs has developed a series of specifications to enable the development of interoperable transceivers using P2P coherent optics that are optimized for cable access networks, including operation at 100G and 200G per wavelength. This work was highly successful; there are transceivers compliant with the CableLabs PHYv1.0 specification (100G operation) as demonstrated at interop events held pre-pandemic, and transceivers compliant with the PHYv2.0 specification are in development. Additionally, routers and switches that those transceivers can be plugged into also exist, as seen at the demonstration CableLabs hosted at SCTE Expo 2019 in New Orleans.
However, there’s one key thing that’s unique to a cable access network deployment compared to most other P2P coherent optics deployments to date: one end of the link sits outdoors. And while some existing solutions could operate in the temperature ranges required for an outdoor environment, they had to be installed in a street cabinet rather than the type of weatherproof enclosure (typically a clamshell box) that many cable operators use.
That device is what we refer to as a CTD that resides in an Aggregation Node, as shown in the figure below. The CTD for an Aggregation Node was a missing puzzle piece!
In order to address this issue, CableLabs worked with our members to develop the CTD Requirements Specification. This specification contains a set of requirements that are common across multiple different cable operators, representing a broad consensus on the definition for several critical aspects of a CTD. That in turn provides some assurance to manufacturers that if they build a CTD that meets those requirements they should find a broad market for the device.
Some key highlights of those requirements include:
- A minimum of 2 line-side ports per CTD that support pluggable coherent optics transceiver modules
- A minimum of 12 (and a recommendation for 16) client-side ports per CTD that support 10G and/or 25G transceiver modules
- Layer 2 (switching) and/or Layer 3 (routing) support
- Guidance on power sizing and efficiency
- Enclosures that meet IP66 requirements
- Operation in external ambient temperatures from -40 to +60 degrees C
One of the keys to enabling the use of P2P coherent optics in cable operator networks is reducing cost as much as possible, which is why cost has been a focus at CableLabs. Both of the P2P Coherent Optics PHY specifications were written with cost in mind by incorporating inputs from suppliers, identifying optimizations for cable networks that will enable reduced-cost devices, and promoting interoperability (leading to scale and competition).
Another way to drive scale is to encourage adoption by other groups and industries. For that reason, CableLabs decided to support and participate in an effort within the IEEE 802.3 Ethernet Working Group to define a standard for specifying 100G operation per wavelength using coherent optics. In particular, CableLabs wanted to ensure that manufacturers would be able to develop devices that complied not only with our CableLabs specifications, but also with the new IEEE standard.
A review of the new 802.3ct amendment suggests that goal has been achieved, and as a result, it should be possible for manufacturers to build a single device that complies with requirements from CableLabs, IEEE, ITU and OpenROADM, meaning there is a huge market for coherent optics equipment that manufacturers can take advantage of without having to build multiple different devices.
Puzzle Pieces Coming Together
With these two puzzle pieces now complete, the picture and opportunity for using P2P coherent optics in cable operator networks is really coming together. Compliant transceiver modules and equipment suitable for indoor facilities (such as hubs and headends) are already available, and CTDs are expected later this year or early next year, enabling deployments in the not-too-distant future. Better still, it’s becoming clear that there are architectures and applications that can leverage CTDs beyond just cable networks — such as for supporting mobile network deployments — meaning there’s likely a broad, nascent market just waiting to take off. Keep an eye on this space – things are just getting started.
How DOCSIS® 4.0 Technology Is Enabling The Next Generation of Broadband
These speeds will allow consumers to access the next generation of higher bandwidth customer applications that allow for improved telework, education, gaming, health care, social interaction, and virtual reality (VR) and augmented reality (AR). There is so much that faster broadband will bring to consumers.
And speed is not the only focus of the 10G platform. DOCSIS 4.0 will improve consumers’ cable broadband experience through:
- Increased network security because the bad actors are out there. DOCSIS 4.0 technology provides several approaches that help reduce the risk of data loss, theft, and sabotage, with the goal to build consumer trust in the cable broadband network.
- More reliable connectivity because the cable broadband network is resilient, self-monitoring and self-healing. Technological advances keep it working without sudden glitches, slowdowns, freezing and other annoying interruptions. Consumers can get more done with cable broadband.
- Lower latency technology will spur a wave of innovation, enabling better gaming and seamless next-level experiences like holodecks, light field displays and 360° video. Learn more about low latency DOCSIS technology and read about how Kyrio certified the first low latency DOCSIS 3.1 modem this year.
There are no new wires to bury or trenches to be dug. Consumers will reap the benefits immediately because DOCSIS 4.0 uses the same cable network that not only pioneered broadband but has continually provided high-quality and reliable services.
CableLabs is hosting DOCSIS 4.0 interoperability events as DOCSIS 4.0 technology positions the cable broadband network to meet consumer needs for the next wave of broadband. These are significant steps towards realizing the cable 10G Platform.
U.S. Set-Top Box Voluntary Agreement Cuts Energy Use by 50 Percent
It’s that time of year again! The annual reports for the energy efficiency voluntary agreements (VAs) have been published. Every year, I think energy savings will plateau because it obviously takes some energy to power our set-top boxes and cable modems. Yet, once again, the annual reports have revealed another set of amazing accomplishments!
U.S. Set-Top Box Voluntary Agreement
The U.S. Set-Top Box Voluntary Agreement (STB VA) was established in 2012 with the goal of reducing the energy consumed by set-top boxes used for residential pay-TV service. At that time, energy efficiency advocates Natural Resources Defense Council (NRDC) and American Council for an Energy-Efficient Economy (ACEEE), along with pay-TV service providers from cable, satellite, and telco industries determined a baseline estimate of the annual energy consumed by all pay-TV set-top boxes in the United States. According to the report just published by D+R International, the independent administrator for the STB VA, the energy used by STBs in the United States has declined by over half from that baseline estimate!
Estimated Annual Energy Used by Set-Top Boxes in the United States
This 16.8 TWh of savings in 2020 alone equates to over $2.2B in consumer savings and avoiding over 11.9 million Metric Tons (MMT) CO2. To put this into context, this savings in just 2020 is equivalent to the greenhouse gas emissions from nearly 2.6 million passenger vehicles driven for one year.
Add this up over the eight years of the VA, and consumers have saved nearly $9.3B and avoided 50.9 MMT CO2! That’s the equivalent of carbon sequestered by 842,539,644 trees!
Several factors have contributed to this substantial decline in STB energy use, including the deployment of whole-home digital video recorders (DVRs), migration of DVRs to the cloud and migration to Internet Protocol (IP) video with much-lower-power IP boxes, or no extra STBs at all. The STB VA Annual Report also found that more than 56 million unique customer-owned and -managed devices (including smart TVs, mobile phones, laptops and tablets) accessed video services during 2020.
This VA isn’t done yet! Earlier this year, the signatories, including NRDC and ACEEE, committed to renewing and extending the U.S. STB VA through 2025.
U.S. Small Network Equipment Voluntary Agreement
The U.S. Small Network Equipment VA (U.S. SNE VA) also continued to make strides during 2020, even as demands for greater speeds, better Wi-Fi and residential usage increased due to the pandemic. The 2020 annual report indicates that energy efficiency, as measured in watts per Mbps, has improved by 28 percent for integrated access devices (IADs) since 2019, and improved by 78 percent since the VA was established in 2015. IADs (modems with additional integrated features such as a Wi-Fi router and voice service support) made up nearly 66 percent of the purchases in 2020.
Average Energy Usage by Equipment Type, Weighted by Broadband Speed
The U.S. SNE VA is also scheduled to expire this year, and CableLabs is leading a team of signatories and equipment providers to define the next tier of allowances and terms to renew and extend this VA as well.
Canadian Energy Efficiency Voluntary Agreement
Efforts north of the border are also impressive. In the most recent report from the Canadian Energy Efficiency Voluntary Agreement (CEEVA) STB program, the weighted average typical energy consumption (TEC) of STBs purchased in 2020 declined yet again and has already dropped 55 percent since the program began in 2017. Much like the United States, Canada is also trending toward lower-power IP and thin-client STBs, which is contributing to this continued energy savings year over year.
Weighted Average TEC of STB Purchases Under the CEEVA STB Program by Year
This is also the first year that the new CEEVA report includes the SNE program in Canada, and the report found that 100 percent of the service provider SNE purchases met the CEEVA SNE Tier 2 levels.
Programs such as these VAs are more important than ever before, especially in light of the recent United Nations report on climate change. As an increased global emphasis is placed on energy efficiency, these voluntary programs are demonstrating how incremental steps toward saving power can add up and make a difference. And the VAs continue to enable innovation in this rapidly changing market, leading to more exciting products and services. CableLabs is proud to be a key industry partner in the continued success of these VAs.
Gridmetrics Launches the Power Event Notification System, and It’s Just the Beginning
Would you believe that nearly 90 percent of all power outages happen in the last mile of the power grid? Worse yet, with no visibility into the status of power availability or the quality of the distribution portion of the electrical power grid, utility companies often aren’t alerted to an outage until customers call, send a text or post about their experience on social media platforms.
Enter Gridmetrics, Inc.
Originally incubated at CableLabs, Gridmetrics leverages the cable industry’s access-network monitoring capabilities and expertise to measure, monitor and track the availability and stability of voltage in the last mile of the U.S. power distribution grid.
The idea behind Gridmetrics was inspired by Dr. Robert Cruickshank, a DOCSIS pioneer and currently a researcher in power grid modernization. He recognized that the energy sector needs to rethink the way electron flow is managed, which requires new insights and instrumentation—particularly at the grid edge, where generation from renewables is increasingly changing the dynamics of the power demand/response paradigm. More specifically, Gridmetrics evolved from a conversation in 2017 between Dr. Cruickshank, who at the time was a visiting researcher from National Renewable Energy Labs (NREL), and Scott Caruso, who leads strategic ventures at CableLabs.
Gridmetrics is rooted in the belief that the broadband industry is uniquely positioned to provide insights that enable utilities to shape the flow of electrons, much like the early days of DOCSIS and data traffic shaping algorithms. The central idea behind Gridmetrics is to combine existing power sensor data extracted from fiber-node power supplies—delivered on private, high-speed secure communications networks—with analytics and AI to create an out-of-band network of grid sensors. Gridmetrics is positioned to deliver critical new insights and instrumentation to utilities operating the last miles of the power grid.
The two vast, global networks—the power distribution grid and the broadband access network—literally share the last mile (or the first mile, depending on your perspective). In the United States, the broadband network is composed of hundreds of providers, but the last miles of the power grid are operated by thousands of distribution entities, private and public. As a result, in the United States, there is no uniform operation, or even a view of the distribution power grid. Gridmetrics’ premise is based on providing the most comprehensive, independent, observational view of the distribution power grid. Gridmetrics aggregates the inverter status and input voltage every five minutes from hundreds of thousands of existing fiber-node power supplies. These “sensors” have the added advantage of being power resilient with battery backup, thus providing an unprecedented view of the power distribution grid, even when the power grid itself is down.
Gridmetrics’ first application of this new data set centered on a collaborative R&D project with NREL called Situational Awareness of Grid Anomalies (SAGA). The goal of the multi-year, multi-million-dollar project is to create a visualization tool that trains computers to classify grid events in near real time, in the context of potential grid cybersecurity threats.
Anthony Florita, Principal Engineer at NREL and SAGA Principal Investigator, stated: “Gridmetrics supplies a unique data set that is becoming increasingly important as an out-of-band view of the power distribution grid. We have been working with Gridmetrics to utilize this data for grid cybersecurity applications such as SAGA. In addition, we continue to explore opportunities utilizing Gridmetrics as an aid in the modernization of our power distribution grid.”
The Power Event Notification System (PENS) is Gridmetrics’ first commercial product offering, and it essentially creates a state diagram of the distribution grid every five minutes. PENS identifies events (primarily power outages) by looking at state changes in the sensor network across time and space (proximity). PENS has many applications—including insurance, fintech, real estate, corporate security, business resilience and smart cities—but the most urgent and important use of PENS is its application in the public safety, emergency response and situational awareness markets. This is because PENS offers near real-time, hyper-local power insights, often during our fellow citizens’ time of greatest need. PENS empowers public safety and emergency response to shift from reactive to proactive by helping to direct resources to power-vulnerable populations and facilities. PENS is essentially creating a power outage solution.
Gridmetrics wouldn’t have been possible without the support of CableLabs and its membership. And we’re just getting started! Although PENS opens a whole new chapter for Gridmetrics, one of the key learnings over the past few years is the uniqueness of the platform that houses our sensors. In aggregate, Gridmetrics represents the greatest density and distribution available to host commercial-grade Internet of Things (IoT) solutions that require very low latency, secure backhaul and power resilience. Today, participation in Gridmetrics is a no/low-lift for broadband operators. It’s simply a piece of software that polls and aggregates data from the existing equipment in the access network. Then, imagine the possibilities of Gridmetrics hosting purpose-built sensors that could take full advantage of this unique platform. Stay tuned!
Practical Considerations for Post-Quantum Cryptography Deployment
It’s the year 2031, and the pandemic is in the past. While Dave drinks his morning coffee and reads the news, a headline catches his attention. A large quantum computer is finally operational! Suddenly, Dave’s mind is racing. After a few seconds, as his heartbeat slows, he looks up into the mirror and proudly says, “Yes, we’re ready.”
What you don’t know about Dave is that he’s been working for the past 10 years to make sure that all aspects of our broadband communications and access networks remain secure and protected. Besides searching for new quantum-resistant algorithms, Dave has been focusing on the practical aspects of their deployment and addressing their impact on the broadband industry.
Here in 2021, the broadband industry needs to start traveling the same path that Dave will have navigated 10 years from now. We need to make sure we remove the roadblocks ahead of time so that we can lay the groundwork for the adoption of new security tools like post-quantum (PQ) cryptography.
The Post-Quantum Cryptography Landscape
Although NIST is still finalizing its standardization process for PQ cryptography, there are interesting trends and practical long-term considerations for PQ deployment and the broadband industry that we can already infer.
Most of the algorithms still present in the final round of the algorithm competition are based on mathematical constructs called lattices, which, in practice, are collections of equally spaced vectors or points. The security of lattice-based cryptography is rooted in the difficulty of solving certain topological problems for which there is no efficient algorithm (even for a quantum computer), such as the Shortest Vector Problem (SVP) or the Closest Vector Problem (CVP). Algorithms like Falcon or Dilithium are based on lattices and produce the smallest authentication traces overall (i.e., signatures range from 700 bytes to 3,300 bytes).
Another class of algorithms to keep an eye on is based on isogenies. These algorithms use a different structure than lattices and have been proposed for key exchange algorithms. These new key-exchange algorithms—namely Key Encapsulation Mechanism (KEM)—leverage morphisms (or isogenies) among elliptic curves to provide “Diffie-Hellman–like” key exchange properties to implement Perfect Forward Secrecy. Isogeny-based encryption uses the shortest keys in the PQ algorithm landscape but is computationally very heavy.
Besides these two classes of algorithms, we should keep hash-based signature schemes in mind as a possible alternative. Specifically, they provide proven security at the expense of very large cryptographic signatures (public keys are extremely small) that hinder, at the moment, their adoption. A well-known hash-based algorithm that will probably be re-included in the NIST standardization process is SPHINCS+.
DOCSIS® Protocol, DOCSIS PKI and PQ Deployment
Now that you understand the available options to consider for your next-generation crypto infrastructure, it’s time to look at how these new algorithms impact the broadband environment. In fact, although the DOCSIS protocol has been using digital certificates and public-key cryptography since its inception, the broadband ecosystem relies on the RSA algorithm only—and that algorithm has very different characteristics than the PQ algorithms in consideration today.
The good news is that, from a security perspective, minimal upgrades are required to replace the use of RSA when using the latest version of the DOCSIS protocol (i.e., DOCSIS 4.0), compared with previous versions. Specifically, DOCSIS 4.0 removes the dependency on the RSA algorithm for key exchange and leverages a standard signature format—namely, the Cryptographic Message Syntax (CMS)—to deliver signatures. CMS is already scheduled to be upgraded to provide standard support for PQ algorithms as soon as the algorithm standardization process ends. In DOCSIS 1.0–3.1, because of the dependency on the RSA algorithm for key exchange, the required protocol changes might be more extensive and employ the use of symmetric keys, in addition to RSA keys, to deliver secure authentications.
The size of the new algorithms is another important aspect of deployment. Although the lattice-based and isogenies-based algorithms are quite efficient for the sizes of authenticated (signature) or encrypted (key-exchange) data, they’re still an order of magnitude (or more) larger than what we’re used to today.
Therefore, the broadband industry needs to focus a first set of considerations on the impact of cryptography on the size of authentication and authorization messages. In the DOCSIS protocol, the Baseline Privacy Key Management (BPKM) messages are used, at Layer 2, to transfer authentication information between the cable modem and its termination system. Fortunately, because BPKM messages can carry any data size via fragmentation support, we don’t envision the need to update or modify the structure of Layer 2 authentication messages to accommodate the new size of the crypto material.
Somewhat connected to the size of the new crypto are the considerations related to algorithm performance. PQ algorithms, unlike RSA and ECDSA, are computationally very heavy and therefore might pose additional engineering hurdles when designing the hardware to support them. For end-entity devices such as cable modems and optical network units, there are various options to consider. One option, for example, is to look at the integration of modern microcontrollers that can offload computation and provide isolated environments in which algorithms can be securely executed. Another approach is to leverage trusted execution environments already available in many edge devices’ central processing units (CPUs), without the need to update today’s hardware architectures. On core devices, the added CPU load—when compared with the very fast RSA verifications—might require additional resources. This is an active area of investigation.
The final set of considerations is related to algorithm deployment models and certificate chain validation considerations. Specifically, because the current implementation paradigm for PQ algorithms required by NIST doesn’t use the hash-and-sign paradigm (it directly signs the data without hashing it first), there are some important considerations to make. Although this approach removes the security dependency on the hashing algorithm, it also introduces a subtle but important performance hit; the data to be authenticated or signed (i.e., when a device is trying to authenticate to the network) must be processed directly by the algorithm. This might require large data buses to carry the data to the MCU or to transition through the trusted execution environment on the CPU. Performance bottlenecks generated by the adopted signing mechanism have already been observed, and further investigations are needed to better understand the real impact over deployments.
For example, when signing with the “hash-and-sign” paradigm, the signing part of the operation on a 1TB document or 1KB document takes the same time (because you’re always signing the hash that’s only a few bytes in length). In comparison, when using the new paradigm (not possible with algorithms like RSA), signing times can differ wildly depending on the size of the data you’re signing. This problem is even more evident when addressing the costs associated with the generation and signing of hundreds of millions of certificates via this new approach. In other words, the new paradigm, if adopted, could potentially impact certificate providers and increase the costs associated with the signing of large quantities of certificates.
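The data-volume difference just described, as an added example that is not CableLabs' code: a simulated signing module behind a fixed-width bus signs the same message under both paradigms and counts the bus transfers. A toy Lamport one-time signature stands in for the PQ algorithm (an assumption, chosen so the example runs on the standard library; a real deployment would use Dilithium or Falcon), and the 64-byte frame size and module interface are also assumed.

```python
"""Hash-and-sign vs. direct signing: what has to cross the bus to a signing module.

Added example. The signing module is simulated; a toy Lamport one-time signature
(hash-based and quantum-resistant, but NOT Dilithium/Falcon) stands in for the
PQ algorithm so the example runs with the standard library only.
"""
import hashlib
import secrets

DIGEST = hashlib.sha256
N_BITS = 256   # digest bits committed to by one Lamport key pair
FRAME = 64     # bytes moved per bus transfer to the simulated MCU/TEE (assumed)


def lamport_keygen():
    """One-time key pair: 256 pairs of 32-byte secrets and their SHA-256 images."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(DIGEST(a).digest(), DIGEST(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest, i):
    """Bit i of the digest, most significant bit first."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign_digest(sk, digest):
    """Reveal one secret per digest bit; a key pair must sign only once."""
    return [sk[i][_bit(digest, i)] for i in range(N_BITS)]


def lamport_verify_digest(pk, digest, sig):
    return len(sig) == N_BITS and all(
        DIGEST(sig[i]).digest() == pk[i][_bit(digest, i)] for i in range(N_BITS)
    )


class SigningModule:
    """Simulated isolated signing element holding the private key.

    Everything passed to sign() crosses the bus in FRAME-byte transfers, which
    the counter records. The module absorbs its whole input (hashing it
    internally) before signing, as a direct-sign algorithm does.
    """

    def __init__(self, sk):
        self._sk = sk
        self.frames_transferred = 0

    def sign(self, data):
        self.frames_transferred += -(-len(data) // FRAME)  # ceil(len / FRAME)
        return lamport_sign_digest(self._sk, DIGEST(data).digest())


def sign_direct(module, message):
    """Direct paradigm: the full message is handed to the module."""
    return module.sign(message)


def sign_prehash(module, message):
    """Hash-and-sign: the host hashes; only the 32-byte digest is handed over."""
    return module.sign(DIGEST(message).digest())


def verify(pk, message, sig, prehashed):
    """Recompute what the module absorbed (message or H(message)) and check."""
    absorbed = DIGEST(message).digest() if prehashed else message
    return lamport_verify_digest(pk, DIGEST(absorbed).digest(), sig)


def compare(sizes=(1024, 1 << 20)):
    """For each constructed message size, return (direct_frames, prehash_frames),
    checking first that both signatures verify."""
    results = {}
    for size in sizes:
        message = bytes([size % 251]) * size  # constructed TBS-like payload
        sk_d, pk_d = lamport_keygen()          # fresh one-time key per signature
        sk_p, pk_p = lamport_keygen()
        direct, prehash = SigningModule(sk_d), SigningModule(sk_p)
        sig_d = sign_direct(direct, message)
        sig_p = sign_prehash(prehash, message)
        assert verify(pk_d, message, sig_d, prehashed=False)
        assert verify(pk_p, message, sig_p, prehashed=True)
        results[size] = (direct.frames_transferred, prehash.frames_transferred)
    return results


if __name__ == "__main__":
    for size, (d, p) in compare().items():
        print(f"{size:>8} B message: direct {d:>6} frames, hash-and-sign {p} frame(s)")
```

Scaling the message from 1 KiB to 1 MiB multiplies the direct-mode transfers by 1,024 while hash-and-sign stays at a single frame, which is the per-certificate cost the paragraph above is concerned with.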
Available Tools and Projects
Now that you know where and what to look for, how can you start learning more about—and experimenting with—these new algorithms for real-world deployment?
One of the best places to start is the Open Quantum Safe (OQS) project that aims to support the development and prototyping of quantum-resistant cryptography. The OQS project provides two main repositories (open-source and available on GitHub): the base liboqs library, which provides a C implementation of quantum-resistant cryptographic algorithms, and a fork of the OpenSSL library that integrates liboqs and provides a prototype implementation of CableLabs’ Composite Crypto technology.
Although the OQS project is a great tool to start working with these new algorithms, the provided integration with OpenSSL doesn’t support generic signing operations, a limitation that might affect the ability to test the new algorithms in different use cases. To address these limitations and to provide better Composite Crypto support together with a hash-and-sign implementation for PQ algorithms, CableLabs started the integration of the PQ-enabled OpenSSL code with a new PQ-enabled LibPKI (a fork of the original OpenCA LibPKI repository) that can be used for building and testing these algorithms across all aspects of PKI lifecycle management, from validating the full certificate chain to generating quantum-resistant revocation information (e.g., CRLs and OCSP responses).
Driving toward 10G and Beyond: CableLabs Engagement in Standards Organizations and Industry Consortia
CableLabs continues to engage heavily with—and to play a key leadership role across—a broad group of global information and communications technology standards development organizations (SDOs) and industry consortia. These engagements enable CableLabs to influence emerging technologies and leverage our technical expertise and global recognition as a leading industry innovation lab to provide meaningful contributions and help advance these technologies. CableLabs is directly involved in over 90 distinct working groups across a broad range of technologies, including wireless, optical, security, immersive media formats and many others.
Through focused engagements with these SDOs and industry consortia, CableLabs influences global information and communications markets to drive advancements aligned with CableLabs’ objectives in fixed and mobile convergence, cybersecurity and broadband innovation (collectively, 10G). Figure 1 shows the breadth of organizations that CableLabs participates in to drive the convergence of wireless and wired networks and develop the technology required to fully realize the 10G vision.
Figure 1. CableLabs’ Standards Organization Engagements June 2020 – 2021.
Driving Convergence of Fixed and Mobile Access Across Wired and Wireless Networks
CableLabs and the cable industry are driving toward a new era of true convergence of fixed and mobile services where connectivity can be provided dynamically and seamlessly across access network technologies (e.g., fiber, hybrid fiber-coaxial (HFC) networks, Wi-Fi, mobile, shared spectrum models, such as CBRS and fixed wireless). Convergence will enable optimized connectivity for a more user-centric experience, unleashing a new wave of innovation in services and applications for consumers. Given the nature of the challenge, convergence will only succeed through cross-industry collaboration and cooperation to develop and define the interoperability requirements and technologies required.
CableLabs is helping to create open interface specifications across its convergence-related standards engagements to promote a diverse and competitive marketplace of vendors and suppliers (e.g., the Telecom Infra Project (TIP) and the O-RAN Alliance). CableLabs is helping enable the use of commercial off-the-shelf hardware and virtualization technologies for fixed, mobile and converged network functions. These functions include using cloud-native infrastructure to enable flexibility, elasticity, resiliency and telemetry, promoting technologies for closed-loop automation, zero-touch provisioning and self-healing of converged infrastructure and driving harmonization across multiple industries (e.g., 3GPP, OnGo Alliance, Wi‑Fi Alliance (WFA) and WInnForum).
Accelerating Broadband Innovation
The 10G platform is a combination of technologies that will deliver symmetric multi-gigabit Internet speeds with a vision toward enabling symmetric 10 gigabits per second (Gbps) services. The 10G platform will not only provide broadband at speeds 10x faster than what most consumers currently experience but will also allow for significantly lower latencies across the network. Advances in both the access network and home or local area network are required for consumers to realize the full benefit of 10G.
CableLabs is not only heavily invested in the direct development of many of the 10G enabling technologies, including next-generation DOCSIS technologies, it also engages across a broad range of SDOs and industry consortia to guide and contribute to network technologies that are critical to the cable industry and part of the broader communications industry—for example, advancing optical technologies (e.g., defining the 25G/50G-EPON standard at the Institute of Electrical and Electronics Engineers (IEEE)) and boosting Wi-Fi performance (e.g., driving operator-required functionality into the WFA EasyMesh specifications). CableLabs also engages in industry efforts to accelerate next-generation broadband application development, including immersive media (e.g., at the Immersive Digital Experience Alliance, MPEG-I and Media Coding-Industry Forum (MCIF)), work to drive improvements and new solutions in network virtualization and cloud computing (e.g., at the Cloud Native Computing Foundation, Linux Foundation and Open Networking Foundation), and work to stimulate adjacent innovation to help ensure full utilization of cable’s future networks (e.g., at the Internet Engineering Task Force (IETF)).
The cable industry has a long history in leading advancements in network security, as recently evidenced by its approach to 10G, which incorporates security as a core element. To drive increased security, CableLabs participates in SDOs and industry consortia that cover network technologies, as well as technologies both upstream and downstream from cable broadband service.
Our work to increase security encompasses several major areas:
- Mobile and Fixed Network Security: Driving increased network security through 3GPP, WFA, WBA, European Telecommunications Standards Institute (ETSI) and IETF
- Internet of Things (IoT) Security: Building secure interoperability into IoT devices through our work with OCF, WFA and CSA Matter, and pioneering paths to new security capabilities, such as integrating CableLabs® Micronets as one of the enabling technologies referenced in the National Cybersecurity Center of Excellence (NCCoE) lab’s research on the mitigation of network-based attacks using Manufacturer Usage Description (MUD) for IoT security
- Mitigating Threats to Broadband Service: Collaborating to develop approaches for improved Distributed Denial of Service (DDoS) mitigation through our work at M3AAWG, monitoring IP-address spoofing prevention and routing security, and advancing gateway device security
CableLabs engages across a dynamic field of SDOs and industry consortia to create the connectivity standards, protocols and best practices to bring the 10G vision to life. Through proactive collaboration and direct technical contributions in a broad group of organizations, CableLabs is pushing toward a more user-centric experience through driving network convergence, accelerating broadband innovation and advancing security throughout the network.
Join Us at CableLabs® Envision Vendor Forum 2021
Over the years, CableLabs Envision Vendor Forum has become a platform for collaboration between our industry’s leaders and innovators. More than just a meeting of the minds, it is an event where cable operators and industry vendors can compare common problems, align strategies and forge a path forward toward a better future—together. Our next Envision Vendor Forum, scheduled for September 23-24, will focus on Optical and Hybrid Fiber-Coax (HFC) technologies. It is also completely virtual and free.
What’s on the Agenda
We’ll take a few hours each day to dive deeper into the future of optical and wired technologies, covering the next-generation Passive Optical Network (PON) architectures, DOCSIS® 4.0 technology, Coherent PON and other HFC solutions. We will discuss how these technologies dovetail into wired-wireless convergence, identify the challenges surrounding current and future government broadband policies, and share our CableLabs innovation roadmap—along with a timeline for upcoming specification releases—with our operator and vendor communities.
From a cable technology perspective, there is no single path that will work for every operator. Depending on each operator’s HFC architecture, vision and goals, there are multiple paths for delivering next-generation service offerings. Our goal at Envision is to help operators and vendors de-risk their planning activities by providing a community forum that proactively spotlights emerging technological paths and encourages community discussion devoid of the pressure from outside participation.
The virtual event will consist of panel discussions and presentations, with multiple opportunities to ask questions.
This event is best suited for decision-makers, including executives, senior technologists and strategists on both the cable operator and the vendor side, who are leading the development and implementation of next-generation technologies and services in their respective areas.
This event is closed to journalists and analysts.
When: September 23-24, 2021, 9:00-11:30 a.m. MDT on both days.
How much: FREE. Each person must register separately with their company email by September 20, 2021.
Interop·Labs for DOCSIS® 4.0 Technology
On behalf of CableLabs, Kyrio will be hosting upcoming DOCSIS 4.0 interoperability events!
As vendors work to create the development of DOCSIS 4.0 products, CableLabs and Kyrio are busy preparing for the next phase of technology development: conducting interoperability events. CableLabs has established a rigorous process for technology development starting with DOCSIS 1.0 technology and ultimately leading to the robust ecosystem that exists today. The company’s proven approach has worked successfully at CableLabs for the past 24 years:
Figure: Phase 1, Phase 2, Phase 3 (the three phases of the CableLabs technology development process)
Phase 1 is the specification stage, when CableLabs, members and vendors come together to collaborate on defining the DOCSIS technology. Phase 1 for DOCSIS 4.0 was completed in 2019, when the specifications were written and suppliers began implementation.
Phase 2 is when interoperability events (aka interops) occur at CableLabs in Louisville, Colorado to make sure that systems work together. As the term implies, interops are held to ensure that components of a DOCSIS system — including the base technology, security and support — are interoperable for easy installation and proactive customer care.
For DOCSIS 4.0 technology, CableLabs will be prepared to host the first interop event this year after SCTE Cable-Tec Expo 2021 in Atlanta, where the show floor promises to hold several DOCSIS 4.0 technology demonstrations.
At this time, 12 DOCSIS 4.0 interoperability events are planned to begin in October 2021 and will run through December 2022. This near-monthly spacing will give suppliers the opportunity to attend, learn and then run a sprint to add new functionality for the next interop.
The early interops focus on basic functionality of the DOCSIS chipsets. As the schedule progresses, the focus will shift to adding more software functionality. Always, the emphasis will be on interoperable solutions, including the cable modem, cable modem termination system (CMTS) and software support systems. Going forward, the interops will include Remote PHY and Remote MACPHY devices.
Interoperability gives operators the confidence to plan large installations and the certainty that the equipment they purchase today will also work tomorrow. Customers can buy a modem and take it with them if they move into a new cable territory, worldwide. Interoperability provides a larger market in which suppliers can compete, which, in turn, allows for healthier ecosystems and varying strategies.
Phase 3, the certification stage, will happen naturally as the interoperability process produces more mature products and systems. We’ll talk more about this phase when that time approaches.
The interop phase can be a fun, invigorating time. Some of us have been working on the DOCSIS project for two decades, and there are always new entrants. As we shift back to working in our offices post-pandemic, we’re all looking forward to working face-to-face in the lab—all in the effort to bring forward the next generation of cable broadband and deliver on the 10G promise.
Interoperability is paramount to the DOCSIS ecosystem. The DOCSIS community is encouraged to once again come together for these upcoming interoperability events, contributing and collaborating to keep the DOCSIS 4.0 ecosystem healthy and sustainable. This fall, CableLabs will be ready!
Chris Lammers Selected for Cable TV Pioneers Class of 2021
Cable TV Pioneers recently announced that 24 new members have been selected for the Cable TV Pioneers 55th Annual Induction. Each of the honorees has a minimum of 20 years of direct involvement in the cable industry and has made a positive impact on the growth and innovation of our industry during those years. The members of this year’s class include a strong array of men and women, from CEOs and company founders to technologists and journalists. Each has demonstrated and proven his or her value as a cable pioneer. We are very excited to announce that among those honored is our very own Chris Lammers, chief operating officer and senior vice president of member development at CableLabs.
Over the past four decades, Chris has held numerous senior roles and responsibilities within the cable industry. Today at CableLabs, he’s responsible for operations, membership development and international relationships. Under his guidance, CableLabs’ membership has grown from 23 members to 65 members across 35 countries in North America, Latin America, Europe and Asia. In addition, Chris established CableLabs’ test and evaluation labs, leading the cable industry’s first video, broadband and voice certification programs. Chris also leads mergers and acquisitions for CableLabs, including the procurement of multiple cable television systems and, most recently, the acquisition of the Society of Cable Telecommunications Engineers (SCTE), with a critical focus on the integration of SCTE into CableLabs.
In what many see as one of his most substantial contributions to the broadband industry, Chris developed the MTO Group within CableLabs, made up of a highly influential community of mid-market and smaller operators across the United States and Canada. Chris was the first individual to recognize the need for including small organizations and determining how to understand, serve and address the coverage area of these smaller markets.
Through these efforts, Chris continues to represent the “voice” of the mid-market and small-market operators at CableLabs. His passion for mid-tier operators and small-market members brings a more holistic perspective of the entire broadband industry to CableLabs. It’s no exaggeration to say that Chris has been a true leader in bringing together cable operators of differing sizes and nations to create a truly global community.
Chris also supports CableLabs’ staff engaging in innovation to support MTOs, such as CableLabs’ mapping project and initiatives related to rural broadband. Through this work, Chris has ensured that mid-market and smaller operators are valued and that their unique needs are addressed. Without this work, many consumers served by MTOs wouldn’t receive the leading-edge services they enjoy today.
Another very important activity that is near and dear to Chris’ heart is giving back to the community. Chris serves on the Emma Bowen Foundation’s Board of Directors (as well as its Executive Committee), an organization to which he has been committed for nearly 20 years. He has contributed to the Foundation by seeking to build a more diverse media industry by recruiting promising college and university students of color and placing them in multi-year paid internships at some of the nation’s leading media, PR and technology companies. Chris has supported the WICT Rocky Mountain chapter through its Tech It Out and Walk of Fame programs. He has also contributed to numerous state and local cable associations through industry guidance and speaking engagements.
Chris began his cable tenure serving as senior vice president and general counsel (1988–1993) at Western Communications, where the majority of his clients were cable operators, and he has been employed at CableLabs for the past 24 years. Please join us in congratulating Chris on his outstanding years of service and for his contributions to—and the impact he has made on—the entire industry.
Transparent Security Outperforms Traditional DDoS Solution in Lab Trial
Transparent Security is an open-source solution for identifying and mitigating distributed denial of service (DDoS) attacks and the devices (e.g., Internet of Things [IoT] sensors) that are the source of those attacks. Transparent Security is enabled through a programmable data plane (e.g., “P4”-based) and uses in-band network telemetry (INT) technology for device identification and mitigation, blocking attack traffic where it originates on the operator’s network.
Cox Communications and CableLabs conducted a proof-of-concept test of the Transparent Security solution in the Cox lab in late 2020. Testing was primarily focused on the following major objectives:
- Compare and contrast performance of the Transparent Security solution against that of a leading commercially available DDoS mitigation solution.
- Validate that INT-encapsulated packets can be transported across an IPv4/IPv6/Multiprotocol Label Switching (MPLS) network without any adverse impact to network performance.
- Validate that the Transparent Security solution can be readily implemented on commercially available programmable switches.
This trial compared the effectiveness of Transparent Security with that of a leading DDoS mitigation solution. Transparent Security was able to identify and mitigate attacks in one second as compared with one minute for the leading vendor. We also validated that inserting and removing the INT header had no observable impact on throughput or latency.
The History and Updates of Transparent Security
We initially released the Transparent Security architecture and open-source reference implementation in October 2019. Since then, we’ve achieved several milestones:
- We added source-only metadata to the P4 in-band telemetry specification, along with Transparent Security as an example implementation.
- We added support to collate multiple packet headers in a single telemetry report.
- We released a document titled “Transparent Security: Personal Data Privacy Considerations.”
- We created a Transparent Security landing page.
Why Cox Is Interested
As the proliferation of IoT devices continues to increase, the number of devices that can be compromised and used to participate in DDoS attacks also increases. At the same time, the frequency of DDoS attacks continues to grow because of the widespread availability of DDoS for-hire sites that allow individuals to launch DDoS attacks for relatively little cost. These factors contribute to a trend of malicious traffic increasingly using upstream bandwidth on the access network.
Although currently available DDoS mitigation solutions can monitor for outbound attacks, they’re primarily focused on mitigating DDoS attacks directed at endpoints on the operator’s network. These solutions use techniques such as BGP diversion and Flowspec to drop traffic as it comes into the network. However, mitigating outbound attacks with these techniques isn’t effective, because the malicious traffic will already have traversed the access network, where it has the greatest negative impact, before it can be diverted to a scrubber or dropped by a Flowspec rule.
Transparent Security offers the promise of near-instantaneous detection of outbound attacks, as well as the ability to mitigate that attack at the source, on the customer premises equipment (CPE), thereby preventing that traffic from using upstream access network resources.
In addition to Transparent Security’s DDoS mitigation capabilities, there are additional benefits to network performance/visibility in general. Implementation of Transparent Security on the CPE means that network operators can derive the specific device type associated with a given flow. This allows the operator to determine the type of IoT devices being leveraged in the attack.
This also opens myriad other possibilities—for example, reducing truck rolls by enabling customer service personnel to determine that a customer’s issue is with one specific device versus all the devices on the internal network. Another example would be the capability to track the path a given packet followed through the network by examining the INT metadata.
Consumers will see a direct benefit from Transparent Security. Once compromised devices are identified, the consumer can be notified to resolve the issue or, alternatively, rules can be pushed to the CPE to isolate that device from the internet while allowing the consumer’s other devices continued access. Such isolation mitigates the additional harm coming from compromised devices. This additional harm can take the form of degraded performance, exfiltration of private data, breaks in presumed confidentiality in communications, as well as the traffic consumed through DDoS. Less malicious traffic on the network provides for a better overall customer experience.
Lab Trial Setup
The test environment was designed to simulate traffic originating from the access network, carried over the service provider’s core backbone network, and targeting another endpoint on the service provider’s access network in a different market (e.g., an “east-to-west” or “west-to-east” attack).
The following diagram provides a high-level overview of the lab test environment:
In the lab trial, various types of DDoS traffic (UDP/TCP over IPv4/IPv6) were generated by the traffic generator and sent to the West Market Arista switch, which used a custom P4 profile to insert an INT header and metadata before sending the traffic to the West Market PE router. The traffic then traversed an MPLS label-switched path (LSP) to the East Market PE router, before being sent to the East Market Arista, which used a custom P4 profile to generate INT telemetry reports and to strip the INT headers before sending the original IPv4/IPv6 packet back to the traffic generator.
When comparing and contrasting the performance of the Transparent Security solution against that of a leading commercially available DDoS mitigation solution, the lab test results were very promising. Detection of outbound attacks was rapid, taking approximately one second, and Transparent Security deployed the mitigation in five seconds. The commercial solution took 80 seconds to detect and mitigate the attack. These tests were run with randomized UDP floods; UDP reflection and TCP state exhaustion attacks were identified and mitigated by both solutions. In this trial, only packets related to the attack were dropped. Packets not related to the attack were not dropped.
The Transparent Security solution was implemented on commercially available programmable switches provided by Arista. These switches are being deployed in networks today. No changes to the Network Operating System (NOS) were required to implement Transparent Security.
The tests validated that INT-encapsulated packets can be transported across an IPv4/IPv6/MPLS network without any adverse impact. There was no observable impact to throughput when adding INT headers, generating telemetry reports or mitigating the DDoS attacks. We validated that the traffic ran at line speed, with the INT headers increasing the packet size by an average 2.4 percent.
Application response time showed no variance with or without enabling Transparent Security. This suggests that there will be no measurable impact to customer traffic when the solution is deployed in a production network.
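The data path described in this trial (a west switch inserting source-only INT metadata, an east switch stripping it and emitting telemetry reports, and a collector flagging the originating device within about a second) can be modelled end to end in a few dozen lines. The following is an added example written for this page; it is not CableLabs’ P4 profile, the open-source reference implementation or the Cox lab configuration. The shim layout, device ids, traffic rates, the one-second window and the 1,000-packet threshold are all assumptions chosen for illustration, and the traffic is constructed inline so the script runs offline.

```python
"""Toy model of the Transparent Security data path (added example, not the
project's code). A west switch prepends a source-only INT shim naming the
originating device, an east switch strips it and emits a telemetry report,
and a collector counts reports per device inside a one-second window to
flag a UDP flood and build a per-device drop rule."""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

# Assumed shim layout (not the P4 INT spec's encoding): 4-byte marker,
# 32-bit switch id, 32-bit originating-device id, prepended to the packet.
INT_MAGIC = b"TSEC"
INT_SHIM = struct.Struct("!4sII")


def insert_int(packet: bytes, switch_id: int, device_id: int) -> bytes:
    """West-market switch role: prepend the source-only metadata shim."""
    return INT_SHIM.pack(INT_MAGIC, switch_id, device_id) + packet


def strip_int(frame: bytes) -> Tuple[bytes, Dict[str, int]]:
    """East-market switch role: remove the shim, returning the original
    packet and the metadata that goes into the telemetry report."""
    magic, switch_id, device_id = INT_SHIM.unpack_from(frame)
    if magic != INT_MAGIC:
        raise ValueError("frame carries no INT shim")
    return frame[INT_SHIM.size:], {"switch_id": switch_id, "device_id": device_id}


@dataclass(frozen=True)
class TelemetryReport:
    ts: float         # seconds since start of capture
    device_id: int    # originating device, taken from the INT shim
    proto: str        # "UDP" or "TCP"
    dst: str          # target address seen by the east switch
    length: int       # original packet length in bytes


class FloodDetector:
    """Sliding one-second window of reports per (device, proto, destination).
    When a key's packet count crosses the threshold, a drop rule for that
    device only is produced, so other devices behind the same CPE are untouched."""

    def __init__(self, window_s: float = 1.0, pps_threshold: int = 1000) -> None:
        self.window_s = window_s
        self.pps_threshold = pps_threshold
        self._win: Dict[Tuple[int, str, str], Deque[float]] = defaultdict(deque)
        self.flagged: Dict[Tuple[int, str, str], float] = {}

    def observe(self, r: TelemetryReport) -> Optional[dict]:
        key = (r.device_id, r.proto, r.dst)
        q = self._win[key]
        q.append(r.ts)
        while q and r.ts - q[0] > self.window_s:   # drop reports older than the window
            q.popleft()
        if len(q) > self.pps_threshold and key not in self.flagged:
            self.flagged[key] = r.ts
            # Shape of the rule pushed toward the CPE/switch is assumed.
            return {"action": "drop", "device_id": r.device_id,
                    "proto": r.proto, "dst": r.dst, "detected_at": r.ts}
        return None


def run_simulation() -> dict:
    """Constructed traffic: three devices sending 50 pps of ordinary UDP and one
    device (id 42) sending a 5,000 pps UDP flood at a single target, for 2 s.
    Returns the drop rules produced and the byte overhead added by the shim."""
    det = FloodDetector()
    rules = []
    payload = b"\x00" * 64            # small constant packet; real packets are larger
    bytes_orig = bytes_int = 0
    ticks_per_s = 5000
    for i in range(2 * ticks_per_s):
        t = i / ticks_per_s
        sources = [(42, "203.0.113.9")]                  # flood: every tick
        if i % 100 == 0:                                 # benign: 50 pps each
            sources += [(1, "198.51.100.1"), (2, "198.51.100.2"), (3, "198.51.100.3")]
        for dev, dst in sources:
            frame = insert_int(payload, switch_id=1, device_id=dev)
            pkt, meta = strip_int(frame)
            bytes_orig += len(pkt)
            bytes_int += len(frame)
            rule = det.observe(TelemetryReport(t, meta["device_id"], "UDP", dst, len(pkt)))
            if rule:
                rules.append(rule)
    return {"rules": rules,
            "overhead_pct": 100.0 * (bytes_int - bytes_orig) / bytes_orig}


if __name__ == "__main__":
    result = run_simulation()
    for rule in result["rules"]:
        print(rule)
    print(f"shim overhead on 64-byte packets: {result['overhead_pct']:.1f}%")
```

With these parameters the flooding device is flagged at 0.2 s, after its 1,001st packet, and the three benign devices never exceed 51 reports in any window, so only one rule is produced. The 12-byte shim is a large fraction of the toy 64-byte packets; on realistic packet sizes the overhead is far smaller, which is consistent with the small average increase reported above, though this script does not reproduce that figure.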
Conclusion and Next Steps
Transparent Security uses in-band telemetry to help identify the source of the DDoS attack.
This trial focused on using Transparent Security on switches inside the service provider’s network. For the full impact of Transparent Security to be realized, its reach needs to be extended to gateways on the customer premises. Such a configuration can mitigate an attack before it uses any network bandwidth outside of the home and will help identify the exact device that is participating in the attack.
This testing took place on a custom P4 profile based on our open-source reference implementation. We would encourage vendors to add INT support to their devices and operators to deploy programmable switches and INT-enabled CPEs.