• There are no items in your cart

TS 101 909-11 : 1.2.1

Current

Current

The latest, up-to-date edition.

ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 11: SECURITY

Available format(s)

Hardcopy , PDF

Language(s)

English

€46.74
Excluding VAT

Intellectual Property Rights
Foreword
Introduction
1 Scope
   1.1 Goals
   1.2 Assumptions
2 References
3 Definitions and abbreviations
   3.1 Definitions
   3.2 Abbreviations
4 Conventions
5 Architectural overview of IPCablecom security
   5.1 IPCablecom reference architecture
       5.1.1 HFC network
       5.1.2 Call Management Server
       5.1.3 Functional categories
             5.1.3.1 Device and service provisioning
             5.1.3.2 Dynamic Quality of Service
             5.1.3.3 Interdomain Quality of Service
             5.1.3.4 Billing system interfaces
             5.1.3.5 Call Signalling
             5.1.3.6 PSTN Interconnection
             5.1.3.7 CODEC Functionality and Media Stream Mapping
             5.1.3.8 Audio Server services
             5.1.3.9 Lawful Intercept
   5.2 Threats
       5.2.1 Theft of network services
             5.2.1.1 Cloning of MTAs
             5.2.1.2 Cloning of other network elements
             5.2.1.3 Subscription fraud
             5.2.1.4 Non-payment for voice communications services
             5.2.1.5 Protocol attacks against an MTA
             5.2.1.6 Protocol attacks against other network elements
             5.2.1.7 Theft of services provided by the MTA
             5.2.1.8 MTA moved to another network
       5.2.2 Bearer channel information threats
             5.2.2.1 Attacks
             5.2.2.2 Off-line cryptoanalysis
       5.2.3 Signalling channel information threats
             5.2.3.1 Attacks
       5.2.4 Service disruption threat
             5.2.4.1 Attacks
       5.2.5 Repudiation
       5.2.6 Threat summary
             5.2.6.1 Primary threats
             5.2.6.2 Secondary threats
   5.3 Security architecture
       5.3.1 Overview of security interfaces
       5.3.2 Security assumptions
             5.3.2.1 AN downstream messages are trusted
             5.3.2.2 Non-repudiation not supported
             5.3.2.3 Root private key compromise protection
             5.3.2.4 Limited prevention of denial-of-service attacks
       5.3.3 Susceptibility of network elements to attack
             5.3.3.1 Managed IP network
             5.3.3.2 MTA
             5.3.3.3 AN
             5.3.3.4 Voice communications network servers are
                     untrusted network elements
             5.3.3.5 PSTN gateways
6 Security mechanisms
   6.1 IPSec
       6.1.1 Overview
       6.1.2 IPCablecom profile for IPSec ESP (transport mode)
             6.1.2.1 IPSec ESP transform identifiers
             6.1.2.2 IPSec ESP authentication algorithms
             6.1.2.3 Replay protection
             6.1.2.4 Key management requirements
   6.2 Internet Key Exchange
       6.2.1 Overview
       6.2.2 IPCablecom profile for IKE
             6.2.2.1 First IKE phase
             6.2.2.2 Second IKE phase
             6.2.2.3 Encryption algorithms for IKE exchanges
             6.2.2.4 Diffie-Hellman groups
   6.3 SNMPv3
       6.3.1 SNMPv3 transform identifiers
       6.3.2 SNMPv3 authentication algorithms
   6.4 Kerberos/PKINIT
       6.4.1 Definitions
       6.4.2 Overview
       6.4.3 PKINIT exchange
              6.4.3.1 PKINIT profile for IPCablecom
              6.4.3.2 Profile for the Kerberos AS request/AS
                      reply messages
              6.4.3.3 Profile for Kerberos tickets
       6.4.4 Symmetric Key AS Request/AS reply exchange
              6.4.4.1 Profile for the Symmetric Key AS Request/AS
                      Reply exchanges
       6.4.5 Kerberos TGS request/TGS reply exchange
              6.4.5.1 TGS request profile
              6.4.5.2 TGS reply profile
              6.4.5.3 Error reply
       6.4.6 Kerberos server locations and naming conventions
              6.4.6.1 Kerberos realms
              6.4.6.2 KDC
              6.4.6.3 CMS
              6.4.6.4 Provisioning server
       6.4.7 MTA principal names
       6.4.8 Mapping of MTA MAC address to MTA FQDN
              6.4.8.1 MTA FQDN request
              6.4.8.2 MTA FQDN reply
              6.4.8.3 MTA FQDN error
              6.4.8.4 Pre-authenticator for provisioning server
                      location
       6.4.9 Server key management time out procedure
       6.4.10 Service key versioning
       6.4.11 Kerberos cross-realm operation
              6.4.11.1 IPCablecom profile for cross-realm operation
              6.4.11.2 Referrals
              6.4.11.3 Determining the location of a remote KDC
   6.5 Kerberized key management
       6.5.1 Definitions
       6.5.2 Overview
       6.5.3 Kerberized key management messages
       6.5.4 Rekey messages
       6.5.5 IPCablecom profile for KRB_AP_REQ/KRB_AP_REP messages
             6.5.5.1 Error reply
             6.5.5.2 Clock skew error
       6.5.6 Kerberized IPSec
             6.5.6.1 Derivation of IPSec keys
             6.5.6.2 Periodic re-establishment of IPSec security
                     associations
             6.5.6.3 Expiration of IPSec SAs
             6.5.6.4 Initial establishment of IPSec SAs
             6.5.6.5 On-demand establishment of IPSec SAs
             6.5.6.6 IPSec-specific errors returned in KRB-ERROR
       6.5.7 Kerberized SNMPv3
             6.5.7.1 Derivation of SNMPv3 keys
             6.5.7.2 Periodic re-establishment of SNMPv3 keys
             6.5.7.3 Expiration of SNMPv3 keys
             6.5.7.4 Initial establishment of SNMPv3 keys
             6.5.7.5 Error recovery
             6.5.7.6 SNMPv3-Specific Errors Returned in KRB-ERROR
   6.6 End-to-End Security for RTP
   6.7 End-to-End security for RTCP
   6.8 Additional requirements for cable modems
       6.8.1 Additional requirements for cable modems based on
             ITU-T Recommendation J.112 annex A
             6.8.1.1 Requirements
             6.8.1.2 Security mechanisms provided
             6.8.1.3 Packet data encryption
             6.8.1.4 Key management
       6.8.2 Additional requirements for cable modems based on
             ITU-T Recommendation J.112 annex B
   6.9 Radius
7 Security profile
   7.1 Device and service provisioning
       7.1.1 Device provisioning
             7.1.1.1 Security services
             7.1.1.2 Cryptographic mechanisms
             7.1.1.3 Key management
             7.1.1.4 MTA embedded keys
             7.1.1.5 Summary security profile matrix - Device
                     provisioning
       7.1.2 Subscriber enrollment
   7.2 Quality of Service (QoS) Signalling
       7.2.1 Dynamic Quality of Service (DQoS)
             7.2.1.1 Reference architecture for embedded MTAs
             7.2.1.2 Security services
             7.2.1.3 Cryptographic mechanisms
             7.2.1.4 Key management
       7.2.2 Interdomain QoS
             7.2.2.1 Architecture overview
             7.2.2.2 Differentiated Services (DiffServ)
             7.2.2.3 Resource reSerVation Protocol (RSVP)
   7.3 Billing system interfaces
       7.3.1 Security services
             7.3.1.1 CMS-RKS interface
             7.3.1.2 AN-RKS interface
             7.3.1.3 MGC - RKS inter
       7.3.2 Cryptographic mechanisms
             7.3.2.1 RADIUS server chaining
       7.3.3 Key-management
             7.3.3.1 CMS - RKS interface
             7.3.3.2 AN - RKS interface
             7.3.3.3 MGC - RKS interface
       7.3.4 Billing system summary security profile matrix
   7.4 Call signalling
       7.4.1 Network Call Signalling (NCS)
             7.4.1.1 Reference Architecture
             7.4.1.2 Security services
             7.4.1.3 Cryptographic mechanisms
             7.4.1.4 Key-management
   7.5 PSTN gateway interface
       7.5.1 Reference architecture
             7.5.1.1 Media Gateway Controller
             7.5.1.2 Media Gateway
             7.5.1.3 Signalling Gateway
       7.5.2 Security services
             7.5.2.1 MGC - MG Interface
             7.5.2.2 MGC - SG Interface
             7.5.2.3 CMS - SG Interface
       7.5.3 Cryptographic mechanisms
             7.5.3.1 MGC - MG Interface
             7.5.3.2 MGC - SG Interface
             7.5.3.3 CMS - SG Interface
       7.5.4 Key-management
             7.5.4.1 MGC - MG interface
             7.5.4.2 MGC - SG interface
             7.5.4.3 CMS - SG interface
       7.5.5 MGC-MG-CMS-SG summary security profile matrix
   7.6 Media stream
       7.6.1 Security services
             7.6.1.1 RTP
             7.6.1.2 RTCP
       7.6.2 Cryptographic mechanisms
             7.6.2.1 RTP packet format
             7.6.2.2 RTCP messages
             7.6.2.3 Key-management
             7.6.2.4 RTP-RTCP summary security profile matrix
   7.7 Audio server services
       7.7.1 Reference architecture
       7.7.2 Security services
             7.7.2.1 MTA-CMS NCS signalling (Ann-1)
             7.7.2.2 MPC-MP signalling (Ann-2)
             7.7.2.3 MTA-MP (Ann-4)
       7.7.3 Cryptographic mechanisms
             7.7.3.1 MTA-CMS NCS signalling (Ann-1)
             7.7.3.2 MPC-MP signalling (Ann-2)
             7.7.3.3 MTA-MP (Ann-4)
       7.7.4 Key-management
             7.7.4.1 MTA-CMS NCS Signalling (Ann-1)
             7.7.4.2 MPC-MP signalling (Ann-2)
             7.7.4.3 MTA-MP (Ann-4)
       7.7.5 MPC-MP summary security profile matrix
   7.8 Third party interfaces
       7.8.1 Reference architecture
       7.8.2 Security services
             7.8.2.1 Event interfaces CMS-DF, AN-DF and DF-DF
             7.8.2.2 Call content interfaces AN-DF and DF-DF
       7.8.3 Cryptographic mechanisms
             7.8.3.1 Interface between CMS and DF
             7.8.3.2 Interface between AN and DF for event messages
             7.8.3.3 Interface between DF and DF for event messages
       7.8.4 Key-management
             7.8.4.1 Interface between CMS and DF
             7.8.4.2 Interface between AN and DF
             7.8.4.3 Interface between DF and DF
8 IPCablecom certificates
   8.1 Generic structure
       8.1.1 Version
       8.1.2 Public key type
       8.1.3 Extensions
             8.1.3.1 subjectKeyIdentifier
             8.1.3.2 authorityKeyIdentifier
             8.1.3.3 KeyUsage
             8.1.3.4 BasicConstraints
       8.1.4 Signature algorithm
       8.1.5 SubjectName and IssuerName
   8.2 Certificate trust hierarchy
       8.2.1 Certificate validation
       8.2.2 MTA device certificate hierarchy
             8.2.2.1 MTA root certificate
             8.2.2.2 MTA manufacturer certificate
             8.2.2.3 MTA device certificate
             8.2.2.4 MTA Manufacturer code verification
                     certificate
       8.2.3 IPCablecom telephony certificate hierarchy
             8.2.3.1 IP Telephony root certificate
             8.2.3.2 Telephony service provider certificate
             8.2.3.3 Local system certificate
       8.2.4 Operational ancillary certificates
             8.2.4.1 Key Distribution Center certificate
             8.2.4.2 Distribution Function (DF)
             8.2.4.3 Operator Code Verification Certificate
       8.2.5 Certificate revocation
9 Cryptographic algorithms
   9.1 AES
   9.2 DES
       9.2.1 XDESX
       9.2.2 DES-CBC-PAD
       9.2.3 3DES-EDE
   9.3 Block termination
   9.4 RC4
   9.5 RSA signature
   9.6 HMAC-SHA1
   9.7 Key derivation
   9.8 The MMH-MAC
       9.8.1 The MMH function
             9.8.1.1 MMH[16,s,1]
             9.8.1.2 MMH[16,s,2]
       9.8.2 The MMH-MAC
             9.8.2.1 MMH-MAC when using RC-4
             9.8.2.2 MMH-MAC when using a block cipher
             9.8.2.3 Odd payload sizes
   9.9 Random number generation
10 Physical security
   10.1 Protection for MTA key storage
   10.2 MTA key Encapsulation
11 Secure Software upgrade
Annex A (normative): Security events
Annex B (normative): Kerberos network authentication service
Annex C (normative): PKINIT specification
Annex D (normative): PKCROSS specification
Annex E (normative): DNS locate specification
Annex F (informative): IPCablecom Admin guidelines & best practices
      F.1 Routine CMS service key refresh
Annex G (informative): Example of MMH algorithm implementation
Annex H (informative): Kerb error messages
Annex I (informative): Bibliography
History

Describes IPCablecom, a set of protocols and associated element functional requirements.

Committee
AT DIGITAL
DocumentType
Standard
Pages
399
PublisherName
European Telecommunications Standards Institute
Status
Current

TS 101 909-13-2 : 1.1.2 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 13: TRUNKING GATEWAY CONTROL PROTOCOL; SUB-PART 2: MGCP OPTION
TS 101 909-10 : 1.1.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 10: EVENT MESSAGE REQUIREMENTS FOR THE PROVISION OF REAL TIME SERVICES OVER CABLE TELEVISION NETWORKS USING CABLE MODEMS
TS 101 909-26-1 : 1.1.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 26: PROTOCOL IMPLEMENTATION CONFORMANCE STATEMENT (PICS) PROFORMA SPECIFICATION; SUB-PART 1: EMBEDDED MULTIMEDIA TERMINAL ADAPTER
TS 101 909-19-2 : 1.1.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 19: IPCABLECOM AUDIO SERVER PROTOCOL SPECIFICATION; SUB-PART 2: MGCP OPTION
TS 101 909-6 : 1.1.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 6: MEDIA TERMINAL ADAPTER (MTA) DEVICE PROVISIONING
TR 102 305 : 1.1.1 ACCESS AND TERMINALS (AT); IPCABLECOM ACCESS NETWORK; END TO END PROVISIONING FOR THE IPAT ARCHITECTURE (BETWEEN THE EMTA TO THE V5.2 INTERFACE)
TS 101 909-4 : 1.5.2 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 4: NETWORK CALL SIGNALLING PROTOCOL
TS 101 909-19-1 : 1.1.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 19: IPCABLECOM AUDIO SERVER PROTOCOL SPECIFICATION; SUB-PART 1: H.248 OPTION
TS 101 909-24 : 1.1.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 24: MTA BASIC ACCESS ISDN INTERFACE (MTA-ISDN)
TR 102 129 : 1.1.1 TELECOMMUNICATIONS AND INTERNET PROTOCOL HARMONIZATION OVER NETWORKS (TIPHON); REQUIREMENTS DEFINITION STUDY; INTERWORKING OF TIPHON AND IPCABLECOM; ARCHITECTURE, PROTOCOL, QOS AND SECURITY
TR 102 136 : 1.1.1 ACCESS AND TERMINALS (AT); ANALYSIS AND SCOPING OF IPCABLECOM INTERFACES AND INTERACTIONS FOR TESTING
TS 101 909-13-1 : 1.2.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 13: TRUNKING GATEWAY CONTROL PROTOCOL; SUB-PART 1: H.248 OPTION
TS 101 909-13 : 1.1.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 13: TRUNKING GATEWAY CONTROL PROTOCOL
TS 102 318 : 1.1.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PROTOCOL IMPLEMENTATION CONFORMANCE STATEMENT (PICS); INTERNET PROTOCOL ACCESS TERMINAL - LINE CONTROL SIGNALLING
TS 101 909-20-2 : 1.2.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 20: LAWFUL INTERCEPTION; SUB-PART 2: STREAMED MULTIMEDIA SERVICES
TS 101 909-23 : 1.1.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 23: INTERNET PROTOCOL ACCESS TERMINAL -LINE CONTROL SIGNALLING (IPAT-LCS)

TS 101 909-4 : 1.5.2 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 4: NETWORK CALL SIGNALLING PROTOCOL
TS 101 909-8 : 1.2.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 8: MEDIA TERMINAL ADAPTER (MTA) MANAGEMENT INFORMATION BASE (MIB)
TS 101 909-3 : 1.1.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 3: AUDIO CODEC REQUIREMENTS FOR THE PROVISION OF BI-DIRECTIONAL AUDIO SERVICE OVER CABLE TELEVISION NETWORKS USING CABLE MODEMS
TS 101 909-12 : 1.1.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 12: INTERNET SIGNALLING TRANSPORT PROTOCOL (ISTP)
TS 101 909-10 : 1.1.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 10: EVENT MESSAGE REQUIREMENTS FOR THE PROVISION OF REAL TIME SERVICES OVER CABLE TELEVISION NETWORKS USING CABLE MODEMS
TS 101 909-2 : 1.2.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 2: ARCHITECTURAL FRAMEWORK FOR THE DELIVERY OF TIME CRITICAL SERVICES OVER CABLE TELEVISION NETWORKS USING CABLE MODEMS
ES 200 800 : 1.3.1 DIGITAL VIDEO BROADCASTING (DVB); DVB INTERACTION CHANNEL FOR CABLE TV DISTRIBUTION SYSTEMS (CATV)
TS 101 909-17 : 1.1.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 17: INTER-DOMAIN QUALITY OF SERVICE
TS 101 909-7 : 1.2.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 7: MANAGEMENT INFORMATION BASE (MIB) FRAMEWORK
TS 101 909-6 : 1.1.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 6: MEDIA TERMINAL ADAPTER (MTA) DEVICE PROVISIONING
TS 101 909-9 : 1.3.2 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 9: NETWORK CALL SIGNALLING (NCS) MIB REQUIREMENTS
TS 101 909-1 : 1.4.1 DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 1: GENERAL
TS 101 909-13 : 1.1.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 13: TRUNKING GATEWAY CONTROL PROTOCOL
TS 101 909-5 : 1.1.1 ACCESS AND TERMINALS (AT); DIGITAL BROADBAND CABLE ACCESS TO THE PUBLIC TELECOMMUNICATIONS NETWORK; IP MULTIMEDIA TIME CRITICAL SERVICES; PART 5: DYNAMIC QUALITY OF SERVICE FOR THE PROVISION OF REAL TIME SERVICES OVER CABLE TELEVISION NETWORKS USING CABLE MODEMS

Access your standards online with a subscription

Features

  • Simple online access to standards, technical information and regulations.

  • Critical updates of standards and customisable alerts and notifications.

  • Multi-user online standards collection: secure, flexible and cost effective.