Join Us at CableLabs® Envision Vendor Forum 2021
Over the years, CableLabs Envision Vendor Forum has become a platform for collaboration between our industry’s leaders and innovators. More than just a meeting of the minds, it is an event where cable operators and industry vendors can compare common problems, align strategies and forge a path forward toward a better future—together. Our next Envision Vendor Forum, scheduled for September 23-24, will focus on Optical and Hybrid Fiber-Coax (HFC) technologies. It is also completely virtual and free.
What’s on the Agenda
We’ll take a few hours each day to dive deeper into the future of optical and wired technologies, covering the next-generation Passive Optical Network (PON) architectures, DOCSIS® 4.0 technology, Coherent PON and other HFC solutions. We will discuss how these technologies dovetail into wired-wireless convergence, identify the challenges surrounding current and future government broadband policies, and share our CableLabs innovation roadmap—along with a timeline for upcoming specification releases—with our operator and vendor communities.
From a cable technology perspective, there is no single path that will work for every operator. Depending on each operator’s HFC architecture, vision and goals, there are multiple paths for delivering next-generation service offerings. Our goal at Envision is to help operators and vendors de-risk their planning activities by providing a community forum that proactively spotlights emerging technological paths and encourages community discussion devoid of the pressure from outside participation.
The virtual event will consist of panel discussions and presentations, with multiple opportunities to ask questions.
This event is best suited for decision-makers, including executives, senior technologists and strategists on both the cable operator and the vendor side, who are leading the development and implementation of next-generation technologies and services in their respective areas.
This event is closed to journalists and analysts.
When: September 23-24, 2021, 9:00-11:30 a.m. MDT on both days.
How much: FREE. Each person must register separately with their company email by September 20, 2021.
CableLabs Certifies First Cable Modem with Low Latency DOCSIS® Support
CableLabs is pleased to announce that, for the first time, a DOCSIS® 3.1 specification–compliant cable modem that includes the Low Latency DOCSIS (LLD) set of features has become CableLabs Certified. This announcement represents a major milestone on the path toward 10G because LLD support is key to improving latency on DOCSIS networks, and improving latency is one of the pillars of 10G.
Starting with Certification Wave (CW) 134 in January, all DOCSIS 3.1 cable modems submitted for CableLabs certification are required to include support for the LLD feature set. Our Kyrio subsidiary recently finished testing the Motorola MG8725 from Minim, which was submitted for testing in that CW. The CableLabs Certification Board—made up of representatives from our member companies—then reviewed the results and determined that the device had met the requirements for CableLabs Certification.
The modem can be found on the Certified/Qualified Device List on the CableLabs website with an ID of MOTO1341. Any DOCSIS 3.1 cable modems added to that list in the future for CW 134 or later will also include support for the LLD feature set.
What Is Latency?
As described in our "Latency 101: Getting From There to Here" blog, latency refers to the time it takes for something to get from one point to another across a network. People experience this delay when doing things on the Internet, and it can come from myriad sources. Although latency performance often does not receive the same attention as speed, it’s one of the most noticeable aspects of a user’s online experience.
What Is Low Latency DOCSIS?
As described in our blog post “CableLabs Low Latency DOCSIS Technology Launches 10G Broadband into a New Era of Rapid Communication,” LLD technology is a set of new features for DOCSIS 3.1 (and future) equipment that can be added to already deployed devices via a software update. LLD can provide consistent low latency (as low as 1 millisecond) on the access network for the applications that need it. The user experience will be more consistent with much smaller delay variation.
Why Is Low Latency DOCSIS Important?
In our blog post “Rise of Cloud Gaming—Meeting the Challenges for ISPs,” we discussed applications such as online gaming and game streaming that can provide greatly improved user experiences with reduced, consistent latency. But latency isn’t just about gaming: Many work-from-home applications such as video conferencing can benefit from improved latency. And future technologies like interactive virtual experiences will require consistently low latencies as well.
What Is CableLabs Certification, and Why Does It Matter?
As detailed in our blog post “What’s in a Name? The Value of Certification/Qualification for Cable Operators,” in order for a device to become CableLabs Certified, Kyrio executes a series of tests to determine whether the device complies with a particular CableLabs specification. Once that testing is completed, the results are reviewed by the Certification Board to determine whether that device has earned CableLabs Certification status.
CableLabs Certification, therefore, serves as a mark of quality, indicating that a given device complies with the requirements of our specifications and enabling cable operators to roll out the device. CableLabs and Kyrio offer a number of options to assist vendors through the certification process—as detailed in our blog post “3 Tips on How to Make CableLabs Certification/Qualification Testing as Painless as Possible”—including interoperability events and device pre-testing.
A cable modem with LLD functionality that successfully completes CableLabs Certification represents a big step on the path to eventual wide deployment of these technologies, enabling a host of new applications and improved user experiences. We can’t wait to see the new ideas that will generate.
Remote PHY 101: Why the Industry Is Working Together to Take Things Apart
In our previous CableLabs 101 post about Distributed Access Architecture (DAA), we discussed the benefits of distributing key network functions throughout the cable access network to optimize its performance. Today, we delve deeper into Remote PHY—one of the earliest DAA solutions that cable operators are deploying to increase their network’s bandwidth and more.
What Is Remote PHY?
PHY stands for “physical radio frequency (RF) layer,” which delivers voice, video and data via the DOCSIS® protocol over the hybrid fiber-coax (HFC) network. Media Access Control (MAC) is an example of another CCAP layer that we’ll cover in our next CableLabs 101 post.
Prior to the introduction of the DAA concept, all CCAP functions, including PHY and MAC, were integrated at the Internet provider’s cable modem termination system (CMTS)—typically located at the headend or hub site—which sends and receives data to and from the modem in your home. This data exchange is the basis for how DOCSIS technology on HFC networks works. However, the integrated CCAP approach does not maximize the potential of the cable access network.
Once we figured out how to split the PHY and MAC functions, we were then able to distribute PHY closer to the end user, resulting in increased network capacity and greater speeds. You can refresh your memory about the benefits of DAA and Distributed CCAP Architecture (DCA) here.
Remote PHY was the first documented DCA specification that we officially released in 2015, followed by Flexible MAC Architecture (FMA), released in September 2020. These solutions are complementary and have similar benefits, giving cable operators the flexibility to architect their networks the way they see fit to support future high-bandwidth services. The specifications provide guidance to our industry vendors who are manufacturing Remote PHY–compatible equipment. Just like the other DOCSIS and Coherent Optics technologies, Remote PHY and the other DCA approaches are part of the 10G toolset.
How Does Remote PHY Work?
The Remote PHY specification defines ways to separate the physical RF layer from the MAC layer that remains at the headend and describes the interfaces between them. Let’s take a closer look at how it’s done.
The PHY layer of the CCAP system is placed in something called a Remote PHY Device (RPD). An RPD is a piece of equipment usually produced by a third-party cable vendor that contains all the PHY-related circuitry, as well as the pseudowire logic that connects back to the CCAP Core, which supports full DOCSIS functionality. In other words, all this rerouting on the back end is completely hidden from customers like you. Your network will function the same as before, only much faster because the PHY layer is now located much closer to where you live.
Speaking of location, the beauty of the Remote PHY architecture lies in its flexibility to place RPDs anywhere, including optical nodes closer to the network “edge”—a cable insider’s way of saying “closer to customers’ homes.” A single node can serve just a few blocks or even a single building; therefore, each customer modem connected to that node gets a bigger chunk of the bandwidth pie, so to speak. And, of course, more available bandwidth means better customer experience!
How Does This Technology Affect Me and My Future?
You might think that it makes no difference to you how your Internet provider’s CCAP is designed—and you would be right. What does matter, however, is the noticeable difference in your Internet quality, including how fast your apps work, how quickly you can download your movies or how much lag (or lack thereof) you experience when you play an online game with your friends. Looking forward to the near future, you may be using applications that utilize holographic displays, artificial intelligence, virtual rooms, 360° fully immersive entertainment experiences and other innovative technologies that require multi-gigabit bandwidth to function seamlessly.
This is why CableLabs and our partners in the cable industry are continuously inventing new ways to mine more bandwidth out of the available RF spectrum. Thanks to specifications like Remote PHY, FMA and others, we have all the pieces in place to deliver 10G symmetrical speeds—and more—to support future innovations. Now it’s just a matter of putting it all together.
DAA 101: A Flexible Approach to Better, Faster Cable Networks
This month, we’d like to share information about Distributed Access Architecture (DAA) and how cable operators are using it to build the 10G networks of the future. In our previous posts about DOCSIS® and Coherent Optics technologies, we touched on some of the components of the cable hybrid fiber-coax (HFC) network, such as the headend and fiber nodes, but of course, there’s much more to it. Today, we’ll take a closer look at the functionality of the cable access network and how it can be distributed between various components to optimize network performance.
What Is Distributed Access Architecture?
DAA isn’t a single technology but rather an umbrella term that describes the network architecture cable operators use to future-proof their access networks. This network evolution involves moving various key network functions that are traditionally located at the cable operator’s hub site (or headend) closer to customers’ homes—while also leveraging signal-quality improvements inherent with digital optics and the ubiquity of Ethernet. In addition, closer is better because it reduces the amount of hardware at the headend and creates efficiencies in network speed, reliability, latency and security.
In a nutshell, CableLabs’ DAA technology solutions give cable operators the ability to cost-efficiently redesign their access networks in stages, when and how they see fit. Because all providers’ business objectives are different, CableLabs has designed several DAA approaches they can leverage. Ultimately, it’s all about building a robust 10G network that not only supports the needs of today’s gig consumers but also anticipates tomorrow’s high-rate applications such as holodecks, artificial intelligence (AI), virtual reality (VR) and more.
Let’s take a look at one particular embodiment of DAA, known as Distributed CCAP Architecture (DCA).
How Does Distributed CCAP Architecture Work?
In a traditional HFC network architecture, the operator’s hub—or headend—is connected via fiber to the fiber node in your geographical region. In the fiber node, the optical signal is converted to a radio frequency (RF) signal that travels via a coaxial cable to the cable modem in your home. The key functions responsible for the transmission of data and device access are placed at either end of the operator’s access network—the hub and the modem—like bookends.
In 2015, CableLabs figured out how to split the key DOCSIS network functions into two components: a Media Access Control (MAC) layer that’s responsible for how devices in a network gain access to the network, and a Physical (PHY) layer, a physical component that’s responsible for the transmission and reception of data. Decoupled, these components can now be partially or fully moved from the headend into a fiber node closer to subscribers’ homes, resulting in increased network capacity, greater speeds, lower latency and so on. That’s the basis for DCA.
How Can Distributed CCAP Architecture Help Build Better Networks?
Distributing key DOCSIS network functions out of the headend and closer to subscribers’ homes comes with many benefits. Primarily, it allows operators to:
- Maximize Their Network’s Potential
DCA allows cable operators to take full advantage of the gigabit capabilities of Coherent Optics and DOCSIS 3.1 technology, including Full Duplex DOCSIS and Low Latency DOCSIS. This means their networks will have more than enough bandwidth to support the latest-generation products for years to come.
- Achieve a Better-Quality RF Signal
With distributed architecture, the RF signal that usually originates in the regional hub can now originate in the optical node, closer to the subscriber’s home, thus reducing distortion and creating a more seamless user experience.
- Increase Network Reliability
Because the main functions of the network no longer need to be housed at the headend, the access network can be redesigned so that fewer homes are connected to any single optical node (where the fiber and coax portions of the network meet). This means that if there’s an outage, it will affect fewer customers, ultimately increasing the reliability of the overall network.
- Expand RF Spectrum in the Future
Because DCA solutions are easily customizable and budget-friendly, they provide new opportunities for cable operators to expand their RF spectrum (basically maximizing the capacity of the coax portion of the HFC network) to support future services.
How Does This Technology Affect Me and My Future?
Widespread adoption of DCA, and importantly the superset of capabilities provided by DAA, is essential to creating the 10G future that we’re all looking forward to. And although it might seem that DAA only provides cost-effective solutions for cable companies, ultimately the real beneficiary is you, the customer. By reimagining and reinventing cable access infrastructure, we’re finding greater efficiencies that translate into more powerful networks. These networks will enable a wave of new, innovative services that will transform the way we live, learn, work and play.
Just like DOCSIS technology, Coherent Optics and other technologies that we’ll be covering in our 101 series, DAA is another piece of the puzzle responsible for propelling cable’s HFC networks into the new decade and beyond. Stay tuned for another installment—coming soon!
A “101” on DOCSIS® Technology: The Heart of Cable Broadband
Welcome to the first installment of our CableLabs 101 series about a suite of breakthrough technologies that are instrumental in the path toward the cable industry’s 10G vision—a new era of connectivity that will revolutionize the way we live, work, learn and play. These technologies work together to further expand the capabilities of cable’s hybrid fiber coaxial (HFC) network by increasing connection speeds and capacity, lowering latency and enhancing network reliability and security to meet cable customers’ needs for many years to come.
What Is DOCSIS?
Initially released by CableLabs in 1997, DOCSIS—or Data Over Cable Service Interface Specification—is the technology that enables broadband internet service over an HFC network, now used by hundreds of millions of residential and business customers around the globe. It is essentially the set of specifications that allows different cable industry vendors to design interoperable cable modems (the piece of network equipment that sits in the home) and cable modem termination systems (CMTSs—the network equipment that sits in the cable operator’s hub site). The CMTS is a head-end traffic controller that routes data between the modem in the home and the internet.
DOCSIS technology helped usher in the era of broadband and “always on” internet connections, enabling a wave of innovation that continues to this day. With DOCSIS technology, internet customers were no longer forced to use dial-up solutions that tied up home phone lines and probably caused a significant spike in family feuds. The DOCSIS solution changed everything. Not only did it allow for an “always-on” cable connection (no dial-up required!), it was also significantly faster than dial up. We’ll talk about connection speed—along with capacity, latency and other network performance metrics—and how they affect you a little later in this article.
How Does It Work?
DOCSIS technology governs how data is transmitted over the HFC network. To understand how it works, we need to start with the HFC network—the physical infrastructure that most cable companies use to provide high-speed internet connectivity to their customers. As the name suggests, the HFC network is composed of two parts: the fiber optical network and the coaxial network. HFC networks are predominantly fiber, as illustrated in our recent blog post. The remaining portion of the HFC network is coaxial cable. The coaxial network is connected to the optical fiber network at a “fiber node,” where the (fiber) optical signals are converted to radio frequency electrical signals for transmission over the coaxial network to the subscriber’s home. The HFC network seamlessly transmits data from the CMTS to your cable modem (we call this “downstream” or “download” traffic) or from your modem back to the CMTS (“upstream” or “upload”). In turn, the CMTS is connected to the internet via a set of routers in the service provider’s network.
Think of the HFC network as a “highway” and the data as traffic moving in “lanes” in either direction. In the downstream direction, DOCSIS devices translate the data from the internet into signals carried on the fiber optic portion of the HFC network and then down the coaxial network to your modem. On the upstream, the data that you upload is sent back up the network on a separate upstream “lane.” Traditionally, this “highway” has had more lanes dedicated to the downstream traffic than upstream, which matches current customer traffic patterns. All of this is about to change with the 10G vision, which strives toward symmetrical upstream and downstream service speeds.
How Has This Technology Evolved?
DOCSIS technology has come a long way since 1997. Over the years, it has undergone a few iterations, through versions 1.0, 1.1, 2.0 and 3.0 to 3.1. As DOCSIS has evolved, it has gotten faster by adding more lanes in each direction, and it has become more energy-efficient as well. Along the way, several capabilities have been added to the base technology, including lower latencies, increased security of the traffic, and tools to make the network more reliable. Today’s cable networks leverage DOCSIS 3.1 technology, which has enabled the widespread availability of 1 Gbps cable broadband services, allowing us to easily enjoy services like 4K video, faster downloads, seamless online gaming and video calls.
DOCSIS 4.0, released in March 2020, is another stepping stone toward that 10G vision. It will quadruple the upstream capacity to 6 Gbps, to match changing data traffic patterns and open doors to even more gigabit services, such as innovative videoconferencing applications and more. DOCSIS 4.0 equipment is still in the process of being developed and is seeing great progress each day toward device certification. Once certification is complete, cable vendors will start mass-producing DOCSIS 4.0-compatible equipment. With the widespread deployment of DOCSIS 4.0 technology, cable operators will have the ability to offer symmetrical multigigabit broadband services over their HFC networks.
How Does This Technology Affect Me and My Future?
All this talk about connection speeds, low latency, reliability and other performance metrics matters to us technologists because it’s how we gauge progress. But it’s so much more than giga-this and giga-that. These metrics will directly impact your future in a real, tangible way.
Over the past two decades, high-speed internet connectivity went from an obscure tech geek novelty to an important part of modern life. We are now streaming in 4K, collaborating on video chat, playing online games with people around the world, driving connected cars and so on. Continuous advancements in DOCSIS technologies are helping make this reality possible by increasing download and upload speeds, lowering latency—or lag—for a more seamless experience, and improving reliability and security to protect our online information.
DOCSIS 4.0 technology will enable symmetrical multigigabit services, ushering in a new wave of innovation across industries and applications, including healthcare, education, entertainment, collaboration technologies, autonomous vehicles and many more. In the near future, we will see advanced health monitoring services, immersive learning and work applications, visually rich VR/AR, holodecks, omnipresent AI assistants and other game-changing innovations that we haven’t even thought of yet. In many ways, the reach and flexibility of cable’s HFC infrastructure is the backbone of our 10G future, and DOCSIS—in combination with other advanced network technologies—is key to helping us reach this Near Future.
CableLabs Releases DOCSIS® Simulation Model
When it comes to technology innovation, one of the most powerful tools in an engineer’s toolbox is the ability to rapidly test hypotheses through simulations. Simulation frameworks are used in nearly all engineering disciplines as a way to understand complex system behaviors that would be difficult to predict analytically. Simulations also allow the researcher to control variables, explore a wide range of conditions and look deeply into emergent behaviors in ways that are either impossible or extremely challenging to accomplish in real-world testbeds or prototype implementations.
For some of our innovations, CableLabs uses the “ns” family of discrete-event network simulators (widely used in academic networking research) to investigate sophisticated techniques for making substantial improvements in broadband network performance. The ns family originated at Lawrence Berkeley National Laboratory in the mid-1990s, and has evolved over three versions, with “ns-3” being the current iteration that is actively developed and maintained. The open-source ns-3 is managed by a consortium of academic and industry members, of which CableLabs is a member. Examples of features developed with the help of ns include the Active Queue Management feature of the DOCSIS 3.1 specifications, which was developed by CableLabs using ns-2, and more recently, the Low Latency DOCSIS technology, which was created using models that we built in ns-3. In both cases, the simulation models were used to explore technology options and guide our decision making. In the end, these models were able to predict system behavior accurately enough to be used as the reference against which cable modems are compared to assess implementation compliance.
As a contribution to the global networking research community, CableLabs recently published its DOCSIS simulation model on the ns-3 “App Store,” thus enabling academic and industry researchers to easily include cable broadband links in their network simulations. This is expected to greatly enhance the ability of DOCSIS equipment vendors, operators and academic researchers to explore “what-if” scenarios for improvements in the core technology that underpins many of the services being delivered by cable operators worldwide. For example, a vCMTS developer could easily plug in an experimental new scheduler design and investigate its performance using high-fidelity simulations of real application traffic mixes. Because this DOCSIS model is open source, anyone can modify it for their own purposes and contribute enhancements that can then be published to the community.
If you’ve ever been interested in exploring DOCSIS performance in a particular scenario, or if you have had an idea about a new feature or capability to improve the way data is forwarded in the network, have a look at the new DOCSIS ns-3 module and let us know what you think!
The Cable Security Experience
We’ve all adjusted the ways we work and play and socialize in response to COVID. This has increased awareness that our broadband networks are critical – and they need to be secure. The cable industry has long focused on delivering best-in-class network security and we continue to innovate as we move on towards a 10G experience for subscribers.
CableLabs® participates in both hybrid fiber coaxial (HFC) and passive optical network (PON) technology development. This includes the development and maintenance of the Data Over Cable Service Interface Specification (DOCSIS®) technology that enables broadband internet service over HFC networks. We work closely with network operators and network equipment vendors to ensure the security of both types of networks. Let’s review these two network architectures, then discuss the threats that HFC and PON networks face, and conclude by briefly discussing the security of DOCSIS HFC networks. We’ll see that the physical media (fiber or coax) doesn’t matter much to the security of the wired network.
A Review of HFC and PON Architectures
The following diagram illustrates the similarities and differences between HFC and PON.
Both HFC and PON-based FTTH are point-to-multipoint network architectures, which means that in both architectures the total capacity of the network is shared among all subscribers on the network. Most critically, from a security perspective, all downlink subscriber communications in both architectures are present at the terminating network element at the subscriber – the cable modem (CM) or optical network unit (ONU). This necessitates protections for these communications to ensure confidentiality.
In an HFC network, the fiber portion is between a hub or headend that serves a metro area (or portion thereof) and a fiber node that serves a neighborhood. The fiber node converts the optical signal to radio frequency, and the signal is then sent on to each home in the neighborhood over coaxial cable. This hybrid architecture enables continued broadband performance improvements to support higher user bandwidths without the need to replace the coaxial cable throughout the neighborhood. It’s important to note that the communication channels to end users in the DOCSIS HFC network are protected, through encryption, on both the coaxial (radio) and fiber portions of the network.
FTTH is most commonly deployed using a passive optical networking (PON) architecture, which uses a shared fiber down to a point in the access network where the optical signal is split using one or more passive optical splitters and transmitted over fiber to each home. The network element on the network side of this connection is an Optical Line Terminal (OLT) and at the subscriber side is an ONU. There are many standards for PON. The two most common are Gigabit Passive Optical Networks (GPON) and Ethernet Passive Optical Networks (EPON). An interesting architecture option to note is that CableLabs developed a mechanism that allows cable operators to manage EPON technology the same way they manage services over the DOCSIS HFC network – DOCSIS Provisioning of EPON.
In both HFC and PON architectures, encryption is used to ensure the confidentiality of the downlink communications. In DOCSIS HFC networks, encryption is used bi-directionally by encrypting both the communications to the subscriber’s cable modem (downlink) and communications from the subscriber’s cable modem (uplink). In PON, bi-directional encryption is also available.
How might an adversary (a hacker) look at these networks? There are four attack vectors available to adversaries in exploiting access networks:
- Adversaries can directly attack the access network (e.g., tapping the coax or fiber cable).
- They may attack a customer premises equipment (CPE) device from the network side of the service, typically referred to as the wide area network (WAN) side.
- They may attack the CPE device from the home network side, or the local area network (LAN) side.
- And they may attack the network operator’s infrastructure.
Tapping either fiber or coaxial cable is practical. In fact, tools that allow legitimate troubleshooting and management by authorized technicians abound for both fiber and coaxial cables. It is an incorrect assumption to believe that fiber tapping is difficult or highly technical relative to tapping a coaxial cable. You can easily find several examples on the internet of how simply this is done. Depending on where the media is accessed, all user communications may be available on both the uplink and downlink side. However, both HFC and PON networks support having those communications encrypted, as highlighted above. Of course, that doesn’t mean adversaries can’t disrupt the communications. They can do so in both cases. Doing so, however, is relegated only to the houses passed on that specific fiber or coaxial cable; the attack is local and doesn’t scale.
For the other attack vectors, the risks to HFC or PON networks are equivalent. CPE and network infrastructure (such as OLTs or CMTSs) must be hardened against both local and remote attacks regardless of transport media (e.g., fiber, coax).
Security Tools Available to Operators
In both HFC and PON architectures, the network operator can provide the subscriber with an equivalent level of network security. The three primary tools to secure both architectures rely on cryptography. These tools are authentication, encryption, and message hashing.
- Authentication is conducted using a secret of some sort. In the case of HFC, a challenge-and-response exchange is used, based on asymmetric cryptography as supported by public key infrastructure (PKI). In FTTH deployments, mechanisms may rely on pre-shared keys, PKI, EAP-TLS (IETF RFC 5216) or some other scheme. The authentication of endpoints should be repeated regularly, which the CableLabs DOCSIS specification supports. Regular re-authentication increases the assurance that all endpoints attached to the network are legitimate and known to the network operator.
- Encryption provides the primary tool for keeping communications private. User communications in HFC are encrypted using cryptographic keys negotiated during the authentication step, using the DOCSIS Baseline Privacy Interface Plus (BPI+) specifications. Encryption implementation for FTTH varies. In both HFC and PON, the most common encryption algorithm used today is AES-128.
- Message hashing ensures the integrity of messages in the system, meaning that a message cannot be changed without detection once it has been sent. Sometimes this capability is built into the encryption algorithm. In DOCSIS networks, all subscriber communications to and from the cable modem are hashed to ensure integrity, and some network control messages receive additional hashing.
It is important to understand where in the network these cryptography tools are applied. In DOCSIS HFC networks, user communications are protected between the cable modem and the CMTS. If the CMTS functionality is provided by another device such as a Remote PHY Device (RPD) or Remote MACPHY Device (RMD), DOCSIS terminates there. However, the DOCSIS HFC architecture provides authentication and encryption capabilities to secure the link to the hub as well. In FTTH, the cryptographic tools provide protection between the ONU and the OLT. If the OLT is deployed remotely as may be the case with RPDs or RMDs, the backhaul link should also be secured in a similar manner.
The Reality – Security in Cable
The specifications and standards that outline how HFC and PON should be deployed provide good cryptography-based tools to authenticate network access and keep both network and subscriber information confidential. The security of the components of the architecture at the management layer may vary per operator. However, operators are very adept at securing both cable modems and ONUs. And, as our adversaries innovate new attacks, we work on incorporating new capabilities to address those attacks – cybersecurity innovation is a cultural necessity of security engineering!
Building on more than two decades of experience, CableLabs continues to advance the security features available in the DOCSIS specification, soon enabling new or updated HFC deployments to be even more secure and ready for 10G. The DOCSIS 4.0 specification has introduced several advanced security controls, including mutual authentication, perfect forward secrecy, and improved security for network credentials such as private keys. Given our strong interest in both optical and HFC network technologies, CableLabs will ensure its own specifications for PON architectures adopt these new security capabilities and will continue to work with other standards bodies to do the same.
10G Integrity: The DOCSIS® 4.0 Specification and Its New Authentication and Authorization Framework
One of the pillars of the 10G platform is security. Simplicity, integrity, confidentiality and availability are all different aspects of Cable's 10G security platform. In this work, we want to talk about the integrity (authentication) enhancements that have been developed for the next generation of DOCSIS® networks, and how they update the security profiles of cable broadband services.
DOCSIS (Data Over Cable Service Interface Specifications) defines how networks and devices are created to provide broadband for the cable industry and its customers. Specifically, DOCSIS comprises a set of technical documents that are at the core of cable broadband services. CableLabs, manufacturers for the cable industry, and cable broadband operators continuously collaborate to improve their efficiency, reliability and security.
With regard to security, DOCSIS networks have pioneered the use of public key cryptography on a mass scale: the DOCSIS Public Key Infrastructures (PKIs) are among the largest PKIs in the world, with half a billion active certificates issued and used every day around the world.
In the following, we give a brief history of DOCSIS security, look into the limitations of the current authorization framework, and then describe the security properties introduced with the new version of the authorization (and authentication) framework, which addresses those limitations.
A Journey Through DOCSIS Security
The DOCSIS protocol, which is used in cable networks to provide connectivity and services to users, has undergone a series of security-related updates in its latest version, DOCSIS 4.0, to help meet the 10G platform requirements.
In the first DOCSIS 1.0 specification, the radio frequency (RF) interface included three security specifications: Security System, Removable Security Module and Baseline Privacy Interface. Combined, the Security System plus the Removable Security Module Specification became Full Security (FS).
Soon after the adoption of public key cryptography that occurred in the authorization process, the cable industry realized that a secure way to authenticate devices was needed; a DOCSIS PKI was established for DOCSIS 1.1-3.0 devices to provide cable modems with verifiable identities.
With the DOCSIS 3.0 specification, the major security feature was the ability to perform the authentication and encryption earlier in the device registration process, thus providing protection for important configuration and setup data (e.g., the configuration file for the CM or the DHCP traffic) that was otherwise not protected. The new feature, called Early Authorization and Encryption (EAE), allows Baseline Privacy Interface Plus (BPI+) to start even before the device is provisioned with IP connectivity.
The DOCSIS 3.1 specifications created a new Public Key Infrastructure (PKI) to handle the authentication needs for the new class of devices. This new PKI introduced several improvements over the original PKI when it comes to cryptography: a newer set of algorithms and increased key sizes were the major changes over the legacy PKI. The same new PKI that is used today to secure DOCSIS 3.1 devices will also provide the certificates for the newer DOCSIS 4.0 ones.
The DOCSIS 4.0 version of the specification introduces, among the numerous innovations, an improved authentication framework (BPI Plus V2) that addresses the current limitations of BPI Plus and implements new security properties such as full algorithm agility, Perfect Forward Secrecy (PFS), Mutual Message Authentication (MMA or MA) and Downgrade Attacks Protection.
Baseline Privacy Plus V1 and Its Limitations
In DOCSIS 1.0-3.1 specifications, when Baseline Privacy Plus (BPI+ V1) is enabled, the CMTS directly authorizes a CM by providing it with an Authorization Key, which is then used to derive all the authorization and encryption key material. These secrets are then used to secure the communication between the CM and the CMTS. In this security model, the CMTS is assumed trusted and its identity is not validated.
The design of BPI+ V1 dates back more than just a few years, and in that time the security and cryptography landscapes have changed drastically, especially with regard to cryptography. When BPI+ was designed, the crypto community was set on the use of the RSA public key algorithm; today, elliptic-curve cryptography and the ECDSA signing algorithm are predominant because of their efficiency, especially where RSA 3072 or larger keys would otherwise be required.
BPI+ V1 also lacks authentication of the authorization messages. In particular, CMs and CMTS-es are not required to authenticate (i.e., sign) their own messages, leaving those messages open to unauthorized manipulation.
In recent years, there has been a lot of discussion around authentication and how to make sure that compromise of long-term credentials (e.g., the private key associated with an X.509 certificate) does not expose all of that user's sessions in the clear (i.e., enable the decryption of all recorded sessions by breaking a single key). Because BPI+ V1 directly encrypts the Authorization Key with the RSA public key in the CM's device certificate, it does not support Perfect Forward Secrecy.
To address these issues, the cable industry worked on a new version of its authorization protocol, namely BPI Plus Version 2. With this update, a protection mechanism was also required to prevent downgrade attacks, in which an attacker forces the use of the older, and possibly weaker, version of the protocol. To address this, the DOCSIS community decided that a specific protection mechanism was needed and introduced the Trust On First Use (TOFU) mechanism.
The New Baseline Privacy Plus V2
The DOCSIS 4.0 specification introduces a new version of the authentication framework, namely Baseline Privacy Plus Version 2, that addresses the limitations of BPI+ V1 by providing support for the identified new security needs. Following is a summary of the new security properties provided by BPI+ V2 and how they address the current limitations:
- Message Authentication. BPI+ V2 Authorization messages are fully authenticated. For CMs, this means that they need to digitally sign their Authorization Request messages, thus eliminating the possibility for an attacker to substitute the CM certificate with another one. For CMTS-es, BPI+ V2 requires them to authenticate their own Authorization Reply messages; this change adds an explicit authentication step to the current authorization mechanism. While recognizing the need for deploying mutual message authentication, the DOCSIS 4.0 specification allows for a transition period in which devices are still allowed to use BPI+ V1. The main reason for this choice is the new requirement imposed on DOCSIS networks, which must now procure and renew their DOCSIS credentials when enabling BPI+ V2 (Mutual Authentication).
- Perfect Forward Secrecy. Unlike BPI+ V1, the new authentication framework requires both parties to participate in the derivation of the Authorization Key from authenticated public parameters. In particular, the introduction of Message Authentication on both sides of the communication (i.e., the CM and the CMTS) enables BPI+ V2 to use the Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) algorithm instead of the CMTS directly generating and encrypting the key for the different CMs. Because the Authorization messages are authenticated, the use of ECDHE is safe against MITM attacks.
- Algorithm Agility. As advances in classical and quantum computing put incredible computational power at users' fingertips, they provide the same ever-increasing capabilities to malicious users. BPI+ V2 removes the dependencies on specific public-key algorithms that are present in BPI+ V1. By introducing the standard CMS format for message authentication (i.e., signatures), combined with the use of ECDHE, the DOCSIS 4.0 security protocol effectively decouples the public key algorithm used in the X.509 certificates from the key exchange algorithm. This enables the use of new public key algorithms when needed for security or operational reasons.
- Downgrade Attacks Protection. A new Trust On First Use (TOFU) mechanism is introduced to provide protection against downgrade attacks; although the principles behind TOFU mechanisms are not new, their use to protect against downgrade attacks is. It uses the security parameters from the first successful authorization as a baseline for future ones, unless indicated otherwise. By establishing the minimum required version of the authentication protocol, DOCSIS 4.0 cable modems actively prevent unauthorized use of a weaker version of the DOCSIS authentication framework (BPI+). During the transition period for the adoption of the new version of the protocol, cable operators can allow "planned" downgrades, for example when a node split occurs or when faulty equipment is replaced and BPI+ V2 is not enabled there. In other words, a successfully validated CMTS can set, on the CM, the allowed minimum version (and other CM-CMTS binding parameters) to be used for subsequent authentications.
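To make the four properties above concrete, here is an added Go example (not code from the DOCSIS specification or from CableLabs) that models one BPI+ V2-style authorization exchange: both sides sign an ephemeral ECDH public key with a long-term ECDSA key, derive the Authorization Key from the shared secret, and the CM pins the negotiated version as its TOFU baseline. The message layout, field names, HMAC-based key derivation and the single-byte version encoding are constructed stand-ins; real messages carry CMS signatures and use the specification's own KDF and certificates.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CMState holds the TOFU baseline: the lowest BPI+ version this CM still accepts.
type CMState struct{ MinVersion int }

// AuthMsg is a constructed stand-in for a BPI+ V2 Authorization Request/Reply:
// version, ephemeral ECDH public key, and an ECDSA signature over both (not CMS).
type AuthMsg struct {
	Version     int
	EphPub, Sig []byte
}

// transcript binds version and ephemeral key under one hash so neither can be swapped.
func transcript(version int, ephPub []byte) []byte {
	h := sha256.Sum256(append([]byte{byte(version)}, ephPub...))
	return h[:]
}

// Sign authenticates the message with the sender's long-term (certificate) key.
func Sign(priv *ecdsa.PrivateKey, m *AuthMsg) {
	m.Sig, _ = ecdsa.SignASN1(rand.Reader, priv, transcript(m.Version, m.EphPub))
}

func Verify(pub *ecdsa.PublicKey, m AuthMsg) bool {
	return ecdsa.VerifyASN1(pub, transcript(m.Version, m.EphPub), m.Sig)
}

// DeriveAK turns the ECDHE shared secret into an Authorization Key (placeholder KDF).
func DeriveAK(shared []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("authorization-key"))
	return mac.Sum(nil)
}

// Authorize runs one exchange and returns the AK the CM and the CMTS each derived.
func Authorize(cm *CMState, cmKey, cmtsKey *ecdsa.PrivateKey, version int) ([]byte, []byte, error) {
	if version < cm.MinVersion { // TOFU: refuse versions below the pinned baseline
		return nil, nil, errors.New("downgrade rejected: below TOFU baseline")
	}
	cmEph, _ := ecdh.P256().GenerateKey(rand.Reader) // fresh per exchange: forward secrecy
	cmtsEph, _ := ecdh.P256().GenerateKey(rand.Reader)
	req := AuthMsg{Version: version, EphPub: cmEph.PublicKey().Bytes()}
	Sign(cmKey, &req) // CM signs its Authorization Request
	if !Verify(&cmKey.PublicKey, req) {
		return nil, nil, errors.New("CMTS: request signature invalid")
	}
	rep := AuthMsg{Version: version, EphPub: cmtsEph.PublicKey().Bytes()}
	Sign(cmtsKey, &rep) // CMTS signs its Authorization Reply
	if !Verify(&cmtsKey.PublicKey, rep) {
		return nil, nil, errors.New("CM: reply signature invalid")
	}
	cmPeer, _ := ecdh.P256().NewPublicKey(rep.EphPub)
	cmtsPeer, _ := ecdh.P256().NewPublicKey(req.EphPub)
	cmShared, _ := cmEph.ECDH(cmPeer)
	cmtsShared, _ := cmtsEph.ECDH(cmtsPeer)
	cm.MinVersion = version // a validated CMTS pins the minimum version for next time
	return DeriveAK(cmShared), DeriveAK(cmtsShared), nil
}

func main() {
	cmKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cmtsKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cm := &CMState{MinVersion: 1}
	a, b, err := Authorize(cm, cmKey, cmtsKey, 2)
	fmt.Println("BPI+ V2 exchange:", err, "keys match:", hmac.Equal(a, b))
	_, _, err = Authorize(cm, cmKey, cmtsKey, 1)
	fmt.Println("BPI+ V1 after V2:", err)
}
```

A second V2 run yields a different Authorization Key, which is the forward-secrecy property: compromising a long-term signing key later does not recover earlier shared secrets.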
In this work we provided a short history of DOCSIS security and reviewed the limitations of the current authorization framework. As CMTS functionality moves into the untrusted domain, these limitations could potentially be translated into security threats, especially in new distributed architectures like Remote PHY. Although in their final stage of approval, the proposed changes to the DOCSIS 4.0 specification are currently being addressed in the Security Working Group.
Member organizations and DOCSIS equipment vendors are always encouraged to participate in our DOCSIS working groups – if you qualify, please contact us and participate in our weekly DOCSIS 4.0 security meeting where these, and other security-related topics, are addressed.
CoMP over DOCSIS: Femtocells in the Age of vRAN
As promised in the last couple of blog posts discussing DOCSIS-based femtocells, we've saved the best for last. So far in the series, we've made the case for femtocells over DOCSIS networks and laid out the total cost of ownership (TCO) benefits of this deployment model. In this final blog post, I'll share the results of some testing we've been doing at CableLabs on using Coordinated Multipoint (CoMP) to optimize femtocell performance in dense deployments.
Decluttering the Radio Signal
Let’s step back and look at a key issue that has limited the benefit of femtocells in the past: intercell interference. When femtocells (or any cells, for that matter) are placed in close proximity, the radio signals each cell site produces can bleed into its neighbor’s territory and negatively affect network performance.
With CoMP, neighboring cells can coordinate their transmissions in a variety of ways to work collaboratively and prevent interference. They can share scheduling and beamforming data to avoid creating interference. Or, they can use joint processing, which allows multiple cells to talk to a single cell phone at the same time, increasing the signal quality.
Although it’s not a perfect analogy, it’s a bit like trying to listen to a bunch of people singing their favorite song at the top of their lungs versus listening to a choir following a conductor, as you see in the following figure. The former is old femtocells, and the latter is virtualized RAN (vRAN) femtocells using CoMP.
Since its inception, CoMP has been largely believed to require fiber transport links to work. For example, in TR 36.819, there’s a whole section devoted to the impact of “higher latency communication between points,” where “higher” refers to 5ms, 10ms or 15ms of latency. In that text, gains decrease as latency increases, ultimately going negative (i.e., losses in performance).
However, with the increase in attention on vRAN, particularly lower-layer splits like the work going on in Telecom Infra Project (TIP) vRAN Fronthaul and O-RAN Alliance WG4, latency takes on new meanings with respect to CoMP.
For example, what matters more, the latency from one radio unit to another or the latency from one virtualized baseband unit (vBBU) to another? And if it’s the latter, does that mean CoMP can provide benefit even over long-latency non-ideal vRAN fronthaul like DOCSIS?
To find out the answers to these questions, we set up a test bed at CableLabs in collaboration with Phluido to explore CoMP over DOCSIS. We used the hardware from the TIP vRAN Fronthaul project, with an LTE SW stack provided by Phluido that supports CoMP. We installed two radio units in different rooms, each radio connected via a DOCSIS® 3.0 network to the vBBU. We designated two test points, one with a phone located at the cell center, the other with both phones in the cell-edge/cell-overlap region.
Notably in our setup, the latency from radio unit to vBBU and radio unit to radio unit were both about 10ms. However, the latency between vBBUs was essentially zero as both radios shared the same vBBU. This setup is specifically designed to test whether vBBU-to-radio latency or vBBU-to-vBBU latency is more important for CoMP gains.
What we found is that radio-to-radio latency and radio-to-vBBU latency can be quite large in absolute terms, and we can still get good CoMP performance provided that latency is low between the vBBUs and that vBBU-to-radio unit latency is similar for the radios in the CoMP cluster, as you see below.
In other words, to realize CoMP gains, the relative latency between a set of cells is more important than the absolute latency from vBBU to each radio.
We tested four configurations of phones at the cell center versus the cell edge, or some mix thereof, as the following figure shows.
In case 1, we see full cell throughput at each phone with CoMP enabled or disabled. This is great; this result shows that we haven’t lost any system capacity at the cell center by combining the cells into a single physical cell ID (PCI) and enabling CoMP.
In case 2, the phone throughput jumped from 55 Mbps to 78 Mbps when we enabled CoMP, showing a CoMP gain of almost 50 percent.
In case 3, when we enabled CoMP, the phone at the cell edge saw a throughput gain of 84 percent. In this scenario, the cell-center phone saw a decrease in throughput. This illustrates a tradeoff of CoMP when using legacy transmission modes (TM4, in this case), where the operator must choose whether it wants to favor cell-edge users or cell-center users. With more advanced transmission modes (e.g., TM10), this tradeoff is no longer an issue. Note that this is true of any CoMP deployment and not related to our use of DOCSIS network fronthaul.
In case 4, we expected to see significant gains from CoMP, but so far we haven’t. This is an area of further investigation for our team.
vRAN Femtocell CoMP in MDUs
Let’s look at an example use case. Cell service in multi-dwelling units (MDUs) can be challenging. A combination of factors, such as commercial construction materials, glazing and elevation, affect the indoor signal quality. As discussed in my previous blog, serving those indoor users can be very resource intensive.
As an operator, it would be great to have a low-cost way to deploy indoor cells. With vRAN over DOCSIS networks supporting CoMP, the operator can target femtocell deployments at heavy users, then build CoMP clusters (i.e., the set of radios that collaborate) as needed to optimize the deployment.
Putting It All Together
The testing described here has shown that CoMP gains can be realized even when using long-latency fronthaul over DOCSIS networks. As these solutions mature and become commercial-ready, deployments of this type will provide the following for operators:
- Low-Cost Hardware: vRAN radios, particularly for femtocells, are low-complexity devices because the majority of the signal processing has been removed and put in the cloud. These radios can be built into the gateway customer premises equipment (CPE) already deployed by operators.
- Low-OPEX Self Installs: With vRAN radios built into DOCSIS CPEs, operators can leverage the simplicity of self-installation. The ability to dynamically reconfigure CoMP clusters means that detailed RF planning and professional installation aren’t necessary.
- High-Performing System: As shown in our testing results, CoMP gains can be realized over DOCSIS network–based vRAN femtocells. This eliminates another of the previous stumbling blocks encountered by earlier femtocell deployments.
Enabling 5G with 10G Low Latency Xhaul (LLX) Over DOCSIS® Technology
I am a GenXer, and I am addicted to my iPhone. But it's not just me: today's consumers, millennials and baby boomers and everyone in between, are spending more and more time on their mobile devices. Have you ever wondered what happens to your traffic when you interact with your iPhone or Android device? The traffic reaches a radio tower, but it doesn't just stop there; it needs to reach the internet via a connection between the cellular base station and a distant data center.
Traditionally, that connection (a.k.a., “xhaul”) is mostly provided by fiber. Fiber has great speed and latency performance but is costly to build. With advancements in LTE and 5G, mobile operators are increasingly deploying more and more radios deeper into the neighborhoods. They will need a more scalable solution to provide that xhaul without sacrificing the performance. This is where the hybrid fiber coaxial (HFC) network can help.
With ubiquitous cable infrastructures that are already in place, the cable operators have the scalability to support today’s LTE and tomorrow’s 5G networks without the cost of building new fiber networks. With DOCSIS 3.0+ as well as Low Latency Xhaul (LLX) technology, the DOCSIS network has performance that is virtually indistinguishable from fiber. The CableLabs 10G technologies make the HFC network a better xhaul network, which is a win-win for the consumers, mobile operators, and cable operators.
How Low Latency Xhaul (LLX) Works
Today's DOCSIS technology provides a good starting point for mobile xhaul but may not be enough to support the ultimate latency requirements of future mobile traffic. DOCSIS upstream latency can range from a typical 8-12 milliseconds to a maximum of around 50 milliseconds under heavy load. We want to bring that latency down to the 1 to 2 millisecond range in order to support 5G.
The LLX technology is specifically designed to reduce the latency experienced by mobile traffic while traversing the DOCSIS transport network on its way to the internet. The LLX technology development started about 3 years ago as a joint innovation project between CableLabs and Cisco. I wrote about it here and here.
So, how does LLX work? Let's look at the case of LTE backhauled over a DOCSIS network as an example. Today, LTE and DOCSIS are two independent systems: their operations occur in series, and the overall latency is the sum of the two system latencies. But from an engineer's point of view, both technologies have a similar request-and-grant mechanism for accessing the channel. If the two processes can be pipelined, then LTE and DOCSIS operations can take place in parallel, removing the "sum" from the latency equation. To enable pipelining, we designed a protocol that uses a message called the bandwidth report (BWR), which allows the LTE network to share scheduling information with the DOCSIS network. Pipelining is a unique and inventive aspect of LLX and is the heart of what creates a low-latency transport.
So, just how well does LLX work? We have recently teamed up with Shaw, one of our Canadian members, as well as our technology development partners Cisco and Sercomm to perform a series of lab trials. The details of the trials will be published at the upcoming SCTE Cable-Tec Expo in October. But as a preview, we demonstrated that even when the DOCSIS network is heavily loaded, LLX consistently reduced the DOCSIS upstream latency to 1 to 2 milliseconds, all without adversely affecting other traffic.
Deploying LLX Technology
The LLX specification was published a few months ago, the result of collaborative efforts from key cable and mobile equipment vendors in the CableLabs-led LLX working group.
LLX technology is designed to work for a variety of deployment models, including backhaul and fronthaul, over DOCSIS as well as over PON networks. To this end, we have taken the technology to mobile industry standardization organizations such as the O-RAN Alliance whose current focus is fronthaul.
LLX works in the DOCSIS 3.0 and later networks as a software upgrade to the CMTS. It has been implemented on commercial DOCSIS and mobile equipment. More information on LLX is available here.
For those attending the SCTE Cable-Tec Expo in New Orleans, we will be discussing the innovation on the Innovation Stage at 12:45pm local time with my industry partners from Shaw, Cisco, and Sercomm. I will also dive deep into the technology and the Shaw trial results in my SCTE panel “Mobile X-haul and DOCSIS”, Wednesday October 2nd at 9am local time. Hope to see you there.