Spelling it out: PacketCable 2.0
Configuration, management and security
This is the third in a four-part series that explains the PacketCable 2.0 architecture. The first article was on design goals, strategic drivers and architecture, and the second presented the signaling and quality-of-service (QoS) components of the architecture. The fourth article in the series will discuss the future of the PacketCable 2.0 project.
Figure 1: PacketCable 2.0 PACM elements and how they connect to the cable OSS infrastructure.
PacketCable 2.0 is a robust, application-agnostic architecture that enables a multitude of services. It supports clients that are either hardware- or software-based, attached to the PacketCable network via various access network technologies, and may reside behind Network Address Translation (NAT) and firewall devices such as home routers.
Hardware clients can be embedded with devices such as cable modems. Alternatively, they can be standalone and connect to a local network via WiFi or Ethernet. Software clients, on the other hand, utilize general purpose hardware platforms such as PCs to provide services.
The PacketCable 2.0 architecture also allows for the independence of clients and subscribers. Multiple subscribers can use the same client simultaneously (e.g., a set-top box that can simultaneously monitor and access text or voice messages sent to different members of the household), and a single subscriber can obtain services through multiple clients (e.g., voice services across STBs, software-based clients and cellular phones).
The outlined deployment models present unique provisioning, management and security challenges that are addressed by the PacketCable 2.0 PACM and Security frameworks.
The PACM framework consists of a set of capabilities required to provision, activate, configure and manage (hence the acronym) clients. The capabilities are:
- Provisioning: defines the process by which clients obtain IP configuration parameters (such as IP address and domain name servers), establish communication with the PacketCable 2.0 network, and retrieve configuration data;
- Activation: defines how cable operators control the activation state of clients, users, and service features; the states can depend on criteria such as subscription (e.g., allowed features), network conditions (e.g., bandwidth), administrative (e.g., troubleshooting), and client environments (e.g., supported features);
- Configuration: defines how clients request and retrieve PacketCable 2.0 network configuration data, and how clients are notified of changes to configuration data;
- Management: defines the interfaces and data representations used by cable operators to monitor and manage clients, users, and services.
Each capability set consists of protocols (interfaces), procedures, and data definitions. For example, the provisioning capability specifies the interfaces between clients and the Domain Name System (DNS), and the associated procedures to connect to a PacketCable 2.0 network.
The protocol definition provides a standard way for a client to communicate with network components. The associated procedures indicate how the client and network elements use the defined protocol to accomplish specific tasks. As an example, the exchange of configuration data is accomplished using the Session Initiation Protocol (SIP) configuration framework, as proposed in the Internet Engineering Task Force (IETF). The SIP configuration framework uses SIP as the interface between the client and network element and defines a set of procedures that allows a client to obtain configuration information such as the features associated with a user’s subscription.
The data definitions, on the other hand, define how the data required for a given capability set is formatted and presented to the client. For example, the activation module defines the data format used to represent availability (or unavailability) of services and features.
PacketCable 2.0 applications can use this modular framework to choose the specific capabilities required for deployment. For example, the Residential SIP Telephony (RST) application includes an RST PACM profile that specifies how to provision, configure, and manage clients supporting RST. It also provides additional data definitions to specify RST feature configurations such as ring tones.
Figure 1 illustrates PacketCable 2.0 PACM elements and how they connect to the cable OSS infrastructure.
The PACM framework builds on the existing cable configuration and management paradigm. Cable operators only need to extend the client-facing components and interfaces while preserving the existing workflows, such as customer service representative (CSR) initiated subscriptions or self-subscriptions by customers. This decreases the impact on the existing cable OSS infrastructure.
However, the PACM framework does provide enhancements where necessary to support the increased capabilities of the PacketCable 2.0 architecture. As an example, cable clients will continue to use DHCP (Dynamic Host Configuration Protocol) to obtain an IP address (and other IP parameters). The difference is that the DHCP service no longer needs to be provided by the operator. It can also be provided by other networks, such as local WiFi networks. This means the PACM framework does not use cable-specific DHCP options.
PacketCable 2.0 specifications focus on the protocols and components of the system, so security mechanisms are defined in terms of the security services available to the applications and core systems. Similar to the PACM framework, these mechanisms are part of a security framework that can be used by PacketCable 2.0-based systems and applications.
The PacketCable 2.0 security framework supports the following security services: authentication, confidentiality and integrity.
- Authentication: defines the process of confirming a claimed identity.
- Confidentiality: assures that information is only disclosed to those who are authorized to access or view it.
- Integrity: assures that information is accurate, complete, and has not been changed (deliberately or accidentally).
The PacketCable 2.0 security framework encompasses three domains:
- Intra Domain: provides connections between network elements within one operator’s domain.
- Inter Domain: provides connections between operator domains that maintain inter-domain security.
- Access Domain: covers the point at which a client connects to the operator’s network. SIP signaling between PacketCable clients and the operator’s P-CSCF is an example of an interface in this domain.
The Access Domain is the point at which applications access an operator’s PacketCable 2.0 network. It is vitally important to support strong, interoperable security interfaces in this domain, so the remainder of this article focuses on the access domain security services supported by the PacketCable 2.0 architecture.
The security services in the access domain are authentication, integrity, and confidentiality of messaging. Figure 2 shows the signaling and configuration data flows between the client (the user equipment, or UE) and the network services available to the client in the access domain. Subscribers authenticate to the network, and the network is authenticated to the subscriber, so that the network knows the subscriber is legitimate and the subscriber knows it is talking to the right network. As indicated earlier, the framework supports multiple credential types. Each entity (user, client, etc.) can have its own set of credentials, which can be used for different purposes.
Figure 2: PacketCable 2.0 Access Domain Security.
The PacketCable 2.0 network supports the following credentials:
- UICC: is the abbreviation for Universal Integrated Circuit Card and is the card used in mobile terminals in GSM and UMTS networks. It holds the security credentials for user and subscription data.
- Username and pre-shared secret: are credentials that consist of usernames (which identify the users) and pre-shared secrets or passwords that are known by the authenticating element in the network. These credentials tend to be most suitable for applications where a user logs into a client application. They are regarded as less secure than digital certificates or UICCs.
- Digital certificate: binds a public key to an identity. The public key is one half of a key pair belonging to the end entity. The private key is held by the end entity and can be used to prove the identity presented in the certificate. Certificates may be more suitable for hardware or embedded devices, and provide for stronger authentication than usernames and passwords. PacketCable digital certificates are issued from a trusted Certificate Authority (CA), which is part of the CableLabs Public Key Infrastructure (PKI). In this model, the subscribers and operators trust the CA and the certificates issued by the CA. The certificates are used to strongly authenticate the owner of the certificate (in this case, the subscriber requesting service).
Confidentiality and integrity are important security services for SIP signaling messages within a PacketCable 2.0 network. To obtain confidentiality and integrity, Transport Layer Security (TLS) is used to protect SIP signaling messages. TLS is a client/server cryptographic protocol commonly used in Web applications. TLS uses an encryption algorithm (e.g., AES) to provide confidentiality for the data packets, and a keyed hash algorithm (HMAC, using SHA-1) to provide integrity.
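As an added illustration (not code from the PacketCable specifications or CableLabs), the following Python shows how the access-domain TLS connection between a UE and the operator's P-CSCF described above can be configured: the UE validates the network's certificate against the trusted CA and checks its hostname, optionally presents a device certificate for certificate-based client authentication, and only cipher suites that provide both confidentiality and integrity are allowed. The hostname, port and file paths are assumptions, and the suites chosen are modern AEAD suites rather than the separate HMAC-SHA-1 integrity check named in the text.

```python
"""Added example: TLS contexts for the SIP interface between a UE and the
P-CSCF in the PacketCable 2.0 access domain (assumed names and paths)."""
import ssl

SIPS_PORT = 5061                   # standard port for SIP over TLS (sips)
PCSCF_HOST = "pcscf.example.net"   # placeholder P-CSCF hostname

# AES-only suites with forward secrecy; anonymous and NULL suites excluded.
# AEAD (GCM) suites carry integrity inside the cipher instead of HMAC-SHA-1.
ALLOWED_SUITES = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5"


def ue_client_context(ca_bundle=None, device_cert=None, device_key=None):
    """Context the UE uses to open the signaling connection to the P-CSCF.

    The network is authenticated to the subscriber by validating the
    P-CSCF certificate chain against the trusted CA bundle and matching
    the hostname.  If a device certificate is supplied it is offered to
    the P-CSCF, so the subscriber side is authenticated by certificate
    as well (mutual authentication).  Without it, the UE must still
    authenticate at the SIP layer, e.g. with a username and pre-shared
    secret (not shown here).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # never accept an unverified network
    ctx.check_hostname = True             # certificate must name the P-CSCF
    ctx.set_ciphers(ALLOWED_SUITES)
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    if device_cert:
        ctx.load_cert_chain(certfile=device_cert, keyfile=device_key)
    return ctx


def weak_suites(ctx):
    """Return the names of enabled suites that would not give both
    confidentiality and integrity at >= 128-bit strength.  An empty list
    means the context only negotiates acceptable suites."""
    bad = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if "NULL" in name or suite["strength_bits"] < 128:
            bad.append(name)
        elif "AES" not in name and "CHACHA20" not in name:
            bad.append(name)
    return bad
```

A UE would wrap its TCP socket to `PCSCF_HOST:SIPS_PORT` with `ue_client_context(...).wrap_socket(sock, server_hostname=PCSCF_HOST)` before sending any SIP request.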
Through a uniform configuration framework and a flexible security framework, the PacketCable 2.0 architecture allows cable operators to provide secure, managed services to their customers, regardless of where they are or what type of clients they are using.
The PacketCable 2.0 suite of specifications comprises PacketCable-modified IMS specifications, referred to as IMS “delta” specifications, along with CableLabs specifications and technical reports. IMS delta specifications document the enhancements to IMS that are required for cable deployments. CableLabs specifications and technical reports detail how IMS integrates with cable.
PacketCable 2.0 specifications can be found at: http://www.packetcable.com/specifications/specifications20.html