Enhanced cable services provide operators with the ability to expand their service offerings beyond the video entertainment services. Enhanced cable services consist of various applications ranging from VoIP, virtual private networks (VPNs), leased T-1 line emulation and videoconferencing, to next-generation applications such as home LAN management, home security monitoring, etc.

Enhanced services can be divided into four basic groups: high-speed data, leased-line, pay-per-use and one-time-use. These services can be viewed as concentric circles: the inner circle consists of high-speed data services, which are surrounded by leased-line services, which are in turn surrounded by pay-per-use services. The outer circle features the one-time-use services, engulfing all of them.

For example, consider that each telephony call is a one-time-use service. During this time, the user is identified (using connectivity information), authorized (the user has subscribed for the services), and billed at the end of the call.

In short, enhanced classes of services require simpler authentication, authorization, policing and billing mechanisms, as one gets closer to the core. This article discusses the basic requirements of providing enhanced services, as well as the common theft-of-service threats to these services.

High-speed data services

High-speed data services are the main objective of DOCSIS 1.0 services. In this class of service, it is assumed that Web browsing does not require specific treatment of packets of a certain flow. The maximum traffic rate that a modem can utilize can be controlled for expectations management and service differentiation purposes, but a minimum bandwidth to a cable modem (CM) is not guaranteed.

The service definition for this class of service is controlled by the configuration file, which is loaded by the CM using the TFTP protocol during the initialization process.

A mode of threat for this kind of service is to use different configuration files to get higher valued services than subscribed. For example, a provider can give its customers two options: a "Bronze" service with 128 Kbps always-on connection with best-effort service, or the 2 Mbps "Silver" service. For these users, the configuration file will be the only difference. One configuration file will contain a maximum data rate of 128 Kbps, whereas the other will contain 2 Mbps.

A user with bronze service can try to steal service by changing the contents of the configuration file (from 128 Kbps to 2 Mbps). Another method is to use an old configuration file. For instance, the customer first subscribes to silver service and then downgrades to bronze, but continues to use the silver configuration file in the hacked CM. A third method is to use a friend's configuration file.

The DOCSIS specifications cryptographically ensure that the file's contents are not tampered with. However, some of the functionality defined within this article requires a special TFTP server that is designed specifically for cable networks.
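
An added example (not from the original article or the DOCSIS specifications): a headend-side check showing that an integrity tag catches an edited file, while the old-file and friend's-file cases need the file bound to the CM and compared with the current subscription. The config layout, HMAC-SHA256 tag, key and subscriber table are constructed for illustration and are not the DOCSIS wire format.

```python
import hashlib
import hmac

# Constructed provisioning data: shared secret and current subscriptions (Kbps).
PROVISIONING_KEY = b"constructed-demo-secret"
SUBSCRIBED_KBPS = {
    "00:10:aa:00:00:01": 128,    # bronze subscriber
    "00:10:aa:00:00:02": 2000,   # silver subscriber
}


def _tag(cm_mac: str, max_rate_kbps: int) -> str:
    """Keyed integrity tag over the CM identity and the rate limit."""
    body = f"{cm_mac}|{max_rate_kbps}".encode()
    return hmac.new(PROVISIONING_KEY, body, hashlib.sha256).hexdigest()


def issue_config(cm_mac: str, max_rate_kbps: int) -> dict:
    """Provisioning side: build a config for one CM and tag it."""
    return {"cm_mac": cm_mac, "max_rate_kbps": max_rate_kbps,
            "tag": _tag(cm_mac, max_rate_kbps)}


def check_registration(registering_mac: str, config: dict) -> str:
    """Headend side: decide whether a presented config may be honoured."""
    expected = _tag(config["cm_mac"], config["max_rate_kbps"])
    if not hmac.compare_digest(expected, config["tag"]):
        return "reject: contents modified"              # 128 edited to 2000
    if config["cm_mac"] != registering_mac:
        return "reject: file issued to another CM"      # friend's file
    if config["max_rate_kbps"] != SUBSCRIBED_KBPS.get(registering_mac):
        return "reject: tier not currently subscribed"  # old silver file
    return "accept"


if __name__ == "__main__":
    bronze_mac = "00:10:aa:00:00:01"
    bronze = issue_config(bronze_mac, 128)
    print(check_registration(bronze_mac, bronze))
    print(check_registration(bronze_mac, dict(bronze, max_rate_kbps=2000)))
    print(check_registration(bronze_mac, issue_config(bronze_mac, 2000)))
```

The last case is a file that was validly tagged when the customer had silver service; only the lookup against the current subscription rejects it.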

One of the biggest shortcomings of high-speed data services is that the class does not have the notion of user as the dial-in ISPs do. In DOCSIS environments, the CM is authenticated and authorized; however, providers have no notion of a user behind their PC's browser. When an ISP has the notion of a user, it can start to offer differentiated services, depending on the user's identity.

The back office is typically responsible for authorization/control and billing for high-speed data services. The DHCP server acts as a user authorization tool: the configuration files that are served by the TFTP server control the users' bandwidth. In this class of service, the user is billed a flat rate upon authorization. CM users who subscribe to high-speed data services are billed for the service, whether they use it or not.

Leased-line services

In essence, leased-line services are very similar to high-speed data services. However, in the high-speed data model, all IP packets are treated the same, whereas in leased-line services, packets are treated according to the subscribed services.

The DOCSIS 1.1 specification makes it possible to:

  • Classify packets into service flows based on content.
  • Schedule/prioritize the packets depending on the flow.

Using the mechanisms mentioned above, a DOCSIS 1.1 CM/CMTS could treat IP packets that belong to different services in a discriminating manner so that the guaranteed service level agreements (SLAs) can be met.

For example, consider a CM that supports high-speed data, entertainment and education services, as well as a VPN connection. The user subscribes for 2 Mbps best effort high-speed data service and 64 Kbps high priority guaranteed services to the company VPN network.

The CM uses the destination IP address to identify the VPN packets and places them on a different service flow than general Web browsing services. This ensures a timely link to corporate resources and ultimately makes the VPN service flow a higher value service than basic Web browsing. However, a malicious CM is capable of using high-value services by mapping all the high-speed data packets to the company VPN service flow.

DOCSIS 1.1 provides definitions for CM policing of IP packets to/from a cable network. A properly operating DOCSIS 1.1 CM will correctly map IP packets to service flows using the source/destination address and/or contents of the packet. A CMTS that implements upstream policing reclassifies the IP packets to make sure that the mapping of IP packets to service flows meets the service flow profile as supplied by the configuration file.

In this model, the DHCP server is responsible for the authorization, whereas the control is carried using the TFTP server configuration file. Because these services are leased, the billing will be fixed. It is also possible to bill these services by traffic usage that's being reported by the SNMP interface of DOCSIS 1.1 management.

The most probable method of attack, however, is the reboot of the CM. When rebooting the CM, the CMTS will reset the traffic counters, causing the provider to capture incorrect values.
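
An added example (not from the original article): one way a billing collector can accumulate per-CM byte counts so that a counter restarting after a reboot does not corrupt the total. The poll samples are constructed, the function names are hypothetical, and the counters are assumed wide enough not to wrap between polls.

```python
# Constructed polls for one CM: (uptime_seconds, byte_counter), in poll order.
SAMPLES = [
    (3600, 1_000_000),
    (3900, 5_000_000),
    (120,    300_000),   # uptime and counter went backwards: CM rebooted
    (420,  2_300_000),
]


def naive_usage(samples):
    """What a collector reports if it only subtracts first from last."""
    return samples[-1][1] - samples[0][1]


def accumulate_usage(samples):
    """Sum per-interval deltas, treating a backwards step as a reboot.

    Returns (billable_bytes, resets_seen). After a reset the counter
    restarted from zero, so the whole new reading is usage since reboot.
    """
    total = 0
    resets = 0
    prev_uptime, prev_count = samples[0]
    for uptime, count in samples[1:]:
        if uptime < prev_uptime or count < prev_count:
            resets += 1
            total += count               # bytes since the reboot
        else:
            total += count - prev_count  # normal interval
        prev_uptime, prev_count = uptime, count
    return total, resets


if __name__ == "__main__":
    print(naive_usage(SAMPLES), accumulate_usage(SAMPLES))
```

Bytes sent between the last poll before the reboot and the reboot itself are never seen by the collector, so the poll interval bounds the loss. The reset count per CM is itself a useful signal for review.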

End-to-end quality of service

It is not enough to merely control the quality of service on the cable network. The behavior of the packets end-to-end, including the backbone network, must also be controlled. While DOCSIS specifications do not define network side interface behavior, they do contain sufficient handles to utilize one of the standard modes of backbone QoS control.

The networks that utilize TOS/DiffServ markings of IP packets treat them according to the information on the TOS/DiffServ field. For example, if the field is set for expedited forwarding, these packets will be sent in a virtual end-to-end connection with minimal latency and no packet drops.

DOCSIS 1.1 CMTSs can police the TOS/DiffServ fields of specific service flows and, if necessary, will re-mark packets, thereby changing the way these packets will be treated in the backbone. While it's possible to use alternative mechanisms for QoS assurance, they are not defined by CableLabs and may cause problems across different CMTS vendors.

One mode of theft of service is to send the packets by a rogue application with high-value TOS/DiffServ markings. In this case, the CMTS has the ability to re-mark these packets. Therefore, the packets will be treated with the QoS that is guaranteed by the service level agreement, which was communicated to the CMTS via CM registration.
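
An added example (not from the original article or any CMTS vendor's code): a sketch of the CMTS-side upstream policing described in the leased-line section together with the TOS/DiffServ re-marking described above. The flow names, VPN prefix and packet tuples are constructed; DSCP 46 is the standard expedited-forwarding code point.

```python
import ipaddress

# Constructed service-flow profile, as learned by the CMTS at CM registration.
VPN_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # documentation prefix
PROFILE = {
    "vpn":         {"dscp": 46},   # expedited forwarding
    "best_effort": {"dscp": 0},
}

# Constructed upstream packets: (cm_id, claimed_flow, dst_ip, dscp).
PACKETS = [
    ("cm-a", "vpn",         "192.0.2.10",   46),   # legitimate VPN traffic
    ("cm-b", "vpn",         "198.51.100.7", 46),   # web traffic on the VPN flow
    ("cm-b", "best_effort", "198.51.100.8", 46),   # rogue high-value marking
]


def classify(dst_ip: str) -> str:
    """Flow the packet is entitled to, decided from its destination only."""
    in_vpn = ipaddress.ip_address(dst_ip) in VPN_PREFIX
    return "vpn" if in_vpn else "best_effort"


def police(claimed_flow: str, dst_ip: str, dscp: int):
    """Reclassify and re-mark one packet; return (flow, dscp, corrections)."""
    corrections = []
    flow = classify(dst_ip)
    if flow != claimed_flow:
        corrections.append(f"flow {claimed_flow}->{flow}")
    allowed = PROFILE[flow]["dscp"]
    if dscp != allowed:
        corrections.append(f"dscp {dscp}->{allowed}")
        dscp = allowed
    return flow, dscp, corrections


def corrections_per_cm(packets):
    """Count corrections per CM so repeat offenders stand out."""
    counts = {}
    for cm_id, claimed, dst_ip, dscp in packets:
        fixes = police(claimed, dst_ip, dscp)[2]
        if fixes:
            counts[cm_id] = counts.get(cm_id, 0) + len(fixes)
    return counts


if __name__ == "__main__":
    print(corrections_per_cm(PACKETS))
```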

Pay-per-use services

In this class, the user enables the services occasionally, rather than always utilizing them. Examples of pay-per-use services include IP telephony and batch database synchronizations.

This model can be classified into three billing schemes:

  • Flat-rate billing
  • Time-based billing
  • Traffic-based billing

Flat-rate billing

DOCSIS 1.1 enables flat-rate billing by using deferred flows. In this scheme, the flow is authorized during the initialization of the CM via the configuration file. The CM requests the services at any time by using the service class name in the configuration file.

The problem with flat-rate billing is that the users are not given any incentive against service overuse. To be able to provide high-quality, low-blocking service with flat billing, the whole system must be traffic engineered with this in mind.

Consider, for example, what happens when a major snowstorm hits an area. During this time, users will use the Internet for entertainment, and phone systems will experience congestion due to longer call holding times. In these scenarios, the entire telephony system must be rescaled for longer call holding times because of the flat-rate billing nature of dial-in ISPs.

Time/traffic-based billing

Time-based billing is currently being used in today's long-distance telephony systems. When a user makes a phone call, it is billed proportionally to the duration of the call.

Even though DOCSIS 1.1 does not define a billing interface, PacketCable defines an event-recording interface that can be used later by the billing servers to harvest the information.

PacketCable ties the event-generation into the service flow creation, change and deletion of the DOCSIS defined dynamic services. Each event contains the time that the event occurred along with a handle that would identify the service flow. The handle is provided by an external server, which provides authorization for the service flow. The authorization is carried out using a content description scheme and maximum allowed traffic description.

When users want to utilize the services, they will request authorization, and the authorization server will use PacketCable defined gate-protocol to authorize/enable the services within the CMTS.

Because DOCSIS does not define a standard way to request CPE usage/bandwidth, PacketCable requests service through Media Gateway Signaling Protocol. Unfortunately, this method is not flexible enough to accommodate most applications that require enhanced services.

Traffic-based billing is attractive for services such as VPNs, where traffic counts can be used for calculating service charges. The PacketCable specification for defined events doesn't include the number of bytes consumed between events as an attribute, but the information can be added easily.

One-time-use services

In the services discussed above, it's been assumed that the users are pre-authorized and provisioned. However, in applications such as video-on-demand and gaming, content can change prices dramatically. Also, instant authorization/provisioning are very desirable features. Consider high-speed connections in hotel rooms. In the room, guests can connect to the authorization server, present credit card information and get provisioned for connection. At the end of the session, the bill will be based on time, bytes or a flat rate.

However, no standard method for user authentication exists within the cable networks. By using standard DOCSIS mechanisms, it is possible to achieve user authentication with a two-stage DHCP process. First, the CPE needs a temporary address that requires authorization. Next, the user can enter identification and credit card information into the authorization server. Upon authorization, the CPE will be issued a new IP address that can reach the Internet without any restrictions.

In summary

The DOCSIS specification suite enables the transport of data packets for various enhanced services and dictates how to control them in an interoperable manner on the cable network. Further, PacketCable specifications provide dynamic authorization for services and provide bills that are based on actual usage. With these tools in place, it is possible to offer a wide variety of enhanced services that add value to current offerings.

Author's note
I would like to thank my colleagues at Pacific Broadband Communications for their valuable feedback, and a special thanks to Victor Hou for his last-minute reviews.