PacketCable 2.0 is a robust, application-agnostic architecture that enables a multitude of services. It supports clients that are either hardware- or software-based, are attached to the PacketCable network via various access network technologies, and may reside behind network address translation (NAT) and firewall devices such as home routers. Hardware clients can be embedded in devices such as cable modems. Alternatively, they can be standalone and connect to a local network via Wi-Fi or Ethernet. Software clients, on the other hand, run on general-purpose hardware platforms such as PCs to provide services.
The PacketCable 2.0 architecture also allows for the independence of clients and subscribers. Multiple subscribers can use the same client simultaneously (for example, a set-top box that can simultaneously monitor and access text or voice messages sent to different members of the household), and a single subscriber can obtain services through multiple clients (for example, voice services across set-top boxes, software-based clients and cellular phones).
The outlined deployment models present unique provisioning, management, and security challenges that are addressed by the PacketCable 2.0 PACM and security frameworks.
PACM framework
The PACM framework consists of a set of capabilities required to provision, activate, configure and manage clients (hence the term "PACM"):
• Provisioning defines the process by which clients obtain Internet protocol (IP) configuration parameters (such as IP address and domain name servers), establishes communication with the PacketCable 2.0 network, and retrieves configuration data
• Activation defines how cable operators control the activation state of clients, users and service features; the states can depend on criteria such as subscription (for example, allowed features), network conditions (for example, bandwidth), administrative (for example, troubleshooting), and client environments (for example, supported features)
• Configuration defines how clients request and retrieve PacketCable 2.0 network configuration data and how clients are notified of changes to configuration data
• Management defines the interfaces and data representations used by cable operators to monitor and manage clients, users, and services.
Each capability set consists of protocols (interfaces), procedures, and data definitions. For instance, the provisioning capability specifies the interfaces between clients, the domain name systems (DNSs), and associated procedures to connect to a PacketCable 2.0 network.
The protocol definition provides a standard way for a client to communicate with network components. The associated procedures indicate how the client and network elements use the defined protocol to accomplish specific tasks. As an example, the exchange of configuration data is accomplished using the session initiation protocol (SIP) configuration framework, as proposed by the Internet Engineering Task Force (IETF). The SIP configuration framework uses SIP as the interface between the client and network element and defines a set of procedures that allows a client to obtain configuration information such as the features associated with a user’s subscription.
The data definitions, on the other hand, define how the data required for a given capability set is formatted and presented to the client. For example, the activation module defines the data format used to represent availability (or unavailability) of services and features.
PacketCable 2.0 applications can use this modular framework to choose the specific capabilities required for deployment. For example, the residential SIP telephony (RST) application includes an RST PACM profile that specifies how to provision, configure and manage clients supporting RST. It also provides additional data definitions to specify RST feature configurations such as ring tones.
Figure 1 illustrates the PacketCable 2.0 PACM elements and how they connect to the cable operations support system (OSS) infrastructure. The PACM framework builds on the existing cable configuration and management paradigm. Cable operators only need to extend the client-facing components and interfaces while preserving the existing workflows, such as customer service representative (CSR) initiated subscriptions or self-subscriptions by customers. This decreases the impact on the existing cable OSS infrastructure. However, the PACM framework does provide enhancements where necessary to support the increased capabilities of the PacketCable 2.0 architecture. As an example, cable clients will continue to use the dynamic host configuration protocol (DHCP) to obtain an IP address (and other IP parameters). The difference is that the DHCP service no longer has to be provided by the operator. It can also be provided by other networks, such as local Wi-Fi networks. This means the PACM framework does not use cable-specific DHCP options.
Security framework
PacketCable 2.0 specifications focus on the protocols and components of the system, so security mechanisms are defined in terms of the security services available to the applications and core systems. Similar to the PACM framework, these mechanisms are part of a security framework that can be used by PacketCable 2.0-based systems and applications.
The PacketCable 2.0 security framework supports authentication, confidentiality and integrity.
• Authentication defines the process of confirming a claimed identity.
• Confidentiality ensures that information is only disclosed to those who are authorized to access or view it.
• Integrity ensures that information is accurate, complete, and has not been changed (deliberately or accidentally).
The PacketCable 2.0 security framework encompasses three domains:
• Intra Domain provides connections between network elements within one operator’s domain
• Inter Domain provides connections between operator domains that maintain inter-domain security
• Access Domain covers the point at which a client connects to the operator’s network. SIP signaling between PacketCable clients and the operator’s proxy call session control function (P-CSCF) is an example of an interface in this domain.
The access domain is the point at which applications access an operator’s PacketCable 2.0 network. It is vitally important to support strong, interoperable security interfaces in this domain, so the remainder of this article focuses on the access domain security services supported by the PacketCable 2.0 architecture.
The security services in the access domain are authentication, integrity and confidentiality of messaging. Figure 2 shows the signaling and configuration data flows between the client (user equipment, or UE) and the network services available to the client in the access domain. Subscribers authenticate to the network, and the network is authenticated to the subscriber, to ensure both that the subscriber is legitimate and that the subscriber is talking to the right network. As indicated earlier, the framework supports multiple credential types. Each entity (user, client, etc.) can have its own set of credentials, which can be used for different purposes. The PacketCable 2.0 network supports the following credentials:
• UICC is the abbreviation for Universal Integrated Circuit Card and is the card used in mobile terminals in Global System for Mobile communications (GSM) and Universal Mobile Telecommunications System (UMTS) networks. It holds the security credentials for user and subscription data.
• Username and pre-shared secret are credentials that consist of user names (which identify the users) and pre-shared secrets or passwords that are known by the authenticating element in the network. These credentials tend to be most suitable for applications where a user logs into a client application. They are regarded as less secure than digital certificates or UICCs.
• Digital Certificate binds a public key to an identity. The public key is one-half of a key pair belonging to the end entity. The private key is used by the end entity and can be used to prove the identity presented in the certificate. Certificates may be more suitable for hardware or embedded devices and provide for stronger authentication than usernames and passwords. PacketCable digital certificates are issued from a trusted Certificate Authority (CA), which is part of the CableLabs Public Key Infrastructure (PKI). In this model, the subscribers and operators trust the CA and the certificates issued by the CA. The certificates are used to strongly authenticate the owner of the certificate (in this case, the subscriber requesting service).
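The certificate-based mutual authentication described above is carried over TLS-protected SIP signaling between the UE and the P-CSCF. The following added example (not PacketCable's or CableLabs' code) builds the two sides' TLS contexts with Python's standard ssl module, shows the weak "accept any client" server setting beside the corrected one, and audits a context for the properties that matter here; the cipher string, function names and certificate paths are assumptions for illustration.

```python
import ssl

# TLS 1.2 suites limited to AES with SHA-family integrity; this string is an
# assumption chosen for the example, not a PacketCable requirement.
SIP_TLS_CIPHERS = "ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:DHE+AES:!aNULL:!eNULL:!MD5"

def _load(ctx, ca_file, cert_file, key_file):
    # ca_file would be the operator-trusted CA (e.g. the CableLabs PKI root);
    # cert_file/key_file are the entity's own certificate and private key.
    # Paths are placeholders and are only loaded when supplied.
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)

def pcscf_server_context(ca_file=None, cert_file=None, key_file=None):
    """Network side: present the P-CSCF certificate and require a client
    certificate that chains to the trusted CA (mutual authentication)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # the default CERT_NONE skips client auth
    ctx.set_ciphers(SIP_TLS_CIPHERS)
    _load(ctx, ca_file, cert_file, key_file)
    return ctx

def ue_client_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: verify the P-CSCF certificate and hostname, and present the
    subscriber's certificate when the server requests it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(SIP_TLS_CIPHERS)
    _load(ctx, ca_file, cert_file, key_file)
    return ctx

def weak_server_context():
    """The 'before' configuration: any client is accepted without a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx):
    """Report the properties a reviewer checks on a SIP-over-TLS context."""
    # TLS 1.3 suites are fixed by the library, so only TLS 1.2 suites are judged.
    tls12_suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return {
        "peer_authenticated": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "aes_only": all("AES" in c["name"] for c in tls12_suites),
        "no_md5": not any(c["name"].endswith("MD5") for c in tls12_suites),
    }
```

A real deployment passes the CA bundle and the entity's certificate chain to the constructors; the audit then confirms the context still enforces mutual authentication and AES-only suites.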
Confidentiality and integrity are important security services for SIP signaling messages within a PacketCable 2.0 network. To obtain confidentiality and integrity, Transport Layer Security (TLS) is used to protect SIP signaling messages. TLS is a client/server cryptographic protocol commonly used in Web applications. TLS uses an encryption algorithm (AES) to provide data packets with confidentiality and a keyed hash algorithm (an HMAC based on SHA-1) to provide integrity.
Summary
Through a uniform configuration framework and a flexible security framework, the PacketCable 2.0 architecture allows cable operators to provide secure, managed services to their customers, regardless of where they are or what type of clients they are using.
Sumanth Channabasappa is senior systems architect, advanced network systems, and Steve Dotson is senior architect, security, advanced network systems, both for CableLabs. Reach them at firstname.lastname@example.org and email@example.com.