DOCSIS Cable Modem Connection Process

Objectives

- Examine a DOCSIS system
- Define the DOCSIS modes
  - RF Return
  - Telco Return
- Learn the DOCSIS downstream and upstream parameters
- Define the DOCSIS modem registration process

DOCSIS Block Diagram

- The principal function of the DOCSIS cable modem system is to transmit Internet Protocol (IP) packets transparently between the head end and the subscriber location.
- The DOCSIS system consists of:
  - Cable Modem Termination System (CMTS), located at the headend
  - Cable network
  - Cable Modem (CM), located at the customer premises

[Diagram: Wide-Area Network, CMTS Network Side Interface, Cable Modem Termination System (CMTS), Cable Network (HFC), Cable Modem (CM), CM Customer Premises Equipment Interface, Customer Premises Equipment. Caption: Transparent IP Traffic Through the System]

DOCSIS Support Devices

Data Services
- High Speed
- Packet Data
- IP Routing
- IP Multicast
- CM open Architecture

[Diagram: Headend or Central Office (CMTS, NM, Satellite, Internet On-line Services, Local Server, Video Local Programming, Combiner/Splitter, Laser, DHCP Server, TOD Server, TFTP Server), HFC, Fiber Node, COAX, Home Subscriber (Splitter, Cable Modem, PC or MAC, Television)]

TOD: Time of Day; TFTP: Trivial File Transfer Protocol; DHCP: Dynamic Host Configuration Protocol

DOCSIS DHCP Server

- DHCP Server
  - Assigns IP addresses to client computers
    - Addresses are leased to clients (Cable Modems or CPEs) for a period of time
    - IP addresses can be reserved for specific clients or assigned from pools
    - Clients may be authenticated based on their MAC address
    - Address may be assigned from different pools based on extended options

DHCP Process

- The following parameters will be requested by the Cable Modem (CM) from the DHCP server:
  - IP address of the CM
  - IP address of the TFTP Server (for DOCSIS Configuration file)
  - IP address of the DHCP Relay Agent (if the DHCP server resides on a different network than the CM)
  - TFTP/DOCSIS Configuration file name
  - Subnet Mask to be used by the CM
  - Time offset of the CM from Universal Coordinated Time (UTC)
  - Default IP Gateway
  - Time of Day Server IP address
  - SYSLOG Server IP address

DOCSIS ToD Server

- ToD Server
  - Internet Time Protocol (ITP)
    - RFC 868
  - UDP and TCP requests honored on port 37
  - 32-bit value defining the number of seconds since 00:00 (midnight January 1, 1900 GMT)

DOCSIS TFTP Server

- TFTP Server
  - Trivial File Transfer Protocol
    - (RFC 1350)
  - UDP port 69
  - Small and easy to implement
  - Read and write to and from remote servers

TFTP Process

- The following settings MUST be included in the configuration file:
  - Network Access Configuration Setting
  - Class of Service Configuration Setting
- The following settings are optional:
  - Downstream Frequency
  - Upstream Channel ID
  - Vendor ID
  - Baseline Privacy
  - Software Upgrade filename
  - SNMP Write-Access Control
  - SNMP MIB Object
  - Software Server IP Address
  - CPE Ethernet MAC Address
  - Maximum Number of CPEs (32 Max)
  - SNMP IP Address (if applicable)
  - Telephone Settings (if applicable)
  - Vendor-Specific Configuration (if applicable)

Cable Modem Architectures: RF Return

- RF-Return
  - Suited for CATV networks that have been fully upgraded for two-way communications
  - Delivers high-speed data downstream and upstream over broadband network
  - DOCSIS establishes standard specification for data communications over HFC network

Cable Modem Architectures: Telco Return

- Telco-Return
  - Suited for CATV networks without two-way capability
  - Delivers high-speed data downstream over broadband network
  - Relies on dial-up networking technology for return data
  - Does not require HFC plant upgrade to two-way RF
  - DOCSIS also specifies data communications using a telephone-return architecture
  - Support for MMDS wireless systems; DOCSIS does not support MMDS 2-Way

DOCSIS Protocol Signaling

- Frames and Timing
  - MPEG Frames
    - 188 bytes, 4-byte header
  - Synchronous Transmission
    - Clock Synch messages from head end (613 per second)
    - One source per downstream
    - Multiple sources per upstream requiring time sharing
    - Cable Modems identified by 16-bit Service ID (SID)

DOCSIS Protocol and Signaling (contd.)

- Frames and Timing
  - Upstream Time Sharing (TDMA)
  - Time allocation MAP from head end (every 4 ms)
  - Upstream time allocated for Cable Modems in mini-slots
    - (Mini-slot = 8 ticks, Tick = 6.25 usec)
  - Shared time slots for Maintenance & Requests (e.g. for new modems with no SID to come online)

DOCSIS Downstream Architecture

- RF Channel Spacing
  - 88 - 860 MHz
  - 6 MHz
    - 64 QAM: occupied bandwidth 5.057 MHz plus guard band
    - 256 QAM: occupied bandwidth 5.4 MHz plus guard band

DOCSIS Downstream Architecture

- RF performance requirements
  - CNR -- 23.5 dB as measured for analog video performance (assumes DOCSIS carrier at analog level and 64 QAM downstream)
  - Amplitude ripple (response) -- 0.5 dB
  - Group delay -- 75 ns
  - Power levels -15 dBmV to +15 dBmV

DOCSIS Downstream Architecture

- The DOCSIS specification uses a modulation and coding scheme defined by ITU J.83 Annex B for the downstream:
  - Modulation Type: 64-QAM or 256-QAM
  - Maximum Data Rate: 27 Mbps at 64-QAM, 38 Mbps at 256-QAM
  - Bandwidth: 6 MHz channel
  - Frequency Range: 88 - 860 MHz
  - Transport Protocol: MPEG-2
  - Forward Error Correction (FEC) encoding: outer Reed-Solomon and inner Trellis code
  - 1E-8 BER with a carrier to noise ratio (Es/No) of:
    - 23.5 dB for 64-QAM
    - 30 dB for 256-QAM

DOCSIS Upstream Architecture

- Variable RF bandwidth and modulation
  - 200 kHz, 400 kHz, 800 kHz, 1600 kHz, and 3200 kHz
  - QPSK (Quadrature Phase Shift Key) or 16 QAM (Quadrature Amplitude Modulation)
- Frequency Range
  - 5 to 42 MHz (Edge to Edge)
- RF Performance requirements
  - CNR -- Not less than 25 dB

DOCSIS Upstream Architecture

- Motorola (GI) developed and designed the flexible F/TDMA upstream approach to the physical layer in the DOCSIS specification:
  - Modulation Type: 16-QAM or QPSK
  - Data Rates: 320 Kbps - 10 Mbps
  - Symbol Rates: 160, 320, 640, 1280 and 2560 ksym/s
  - Bandwidth: 200, 400, 800, 1600 and 3200 kHz
  - Frequency Range: 5 - 42 MHz (edge to edge)
- Range of available data rates and bandwidth used:

Upstream Symbol   Bandwidth     QPSK Data      16 QAM Data
Rate (ksps)       Used (kHz)    Rate (kbps)    Rate (kbps)
160               200           320            640
320               400           640            1280
640               800           1280           2560
1280              1600          2560           5120
2560              3200          5120           10240

CMTS and Cable Modem Startup

- Provision modem in the Cable Router (operator configured or automatically provisioned)
- Install modem at subscriber premise (cable and power)

[Diagram: modem connected to CMTS over HFC]

Downstream Channel Search

- CM searches for a downstream data channel
- Synchronize with QAM
- Synchronize with FEC and MPEG

[Diagram: QAM Signal between CMTS and modem over HFC]

Monitor for SYNC Message

- Periodically transmitted by CMTS
- SYNC message contains a time stamp that exactly identifies when the CMTS transmitted the message
- CM to synchronize its time-based reference clock so that its transmission on the upstream will fall into the correct minislots

[Diagram: SYNC Message between CMTS and modem over HFC]

Obtain Upstream Parameters

- Monitor for UCD message
  - Periodically transmitted by CMTS
  - UCDs define characteristics of the upstream channel such as:
    - mini-slot size
    - upstream channel ID
    - downstream channel ID
    - burst descriptors

[Diagram: UCD Message between CMTS and modem over HFC]

UCD: Upstream Channel Descriptor

Initial Ranging

- CMTS periodically transmits MAP messages
- Upstream Bandwidth Allocation Map (MAP) includes:
  - Initial Maintenance Interval (broadcast interval) with start and end of connection opportunity
- CM responds with Ranging Request (RNG-REQ)

[Diagram: MAP Message and RNG-REQ exchanged between CMTS and modem over HFC]

MAP: Media Access Protocol

Auto Adjustments

- CMTS receives initial Ranging Request from CM
- CMTS responds with Ranging Response (unicast)
  - Assigns a SID and allocates bandwidth to this SID
  - Adjusts power level, timing offset, and frequency adjustment
  - Sets downstream and upstream channels
- CMTS starts Admission Control

[Diagram: RNG-RSP between CMTS and modem over HFC]

Admission Control

- CMTS allocates a Temporary SID for the CM and puts the CM in the Forwarding Tables
- CMTS sends MAP with Station Maintenance opportunity for that SID
- CM ranges with new settings
- CMTS sends RNG-RSP to indicate success or failure of Admission

[Diagram: MAP Message and RNG-REQ exchanged between CMTS and modem over HFC]

Bandwidth Requests

- Uses special MAC frame (REQ - 6 bytes only)
- Can also piggyback request on data frame
  - Uses a 4-byte Extended Header TLV
- Request contains SID and number of minislots needed
  - Includes all FEC and other PHY overhead
- Requests may be sent in Request, Request/Data, or Data transmit intervals
- The MAP has a special code to signal that a request has been received although no grant is in the current MAP

MAPS

- The upstream time is allocated to modems in the MAP message
  - MAP is variable length, typically 5-15 ms
- CMTS sends separate MAP messages for each upstream channel
  - Set of all MAPs for a channel covers all minislots
- For each BW grant, contains: SID, Burst type, and Grant length
- MAP contains US Channel ID and configuration count
  - Allows dynamic UCD changes

MAP Example

IP Connectivity

- CM sends a broadcast DHCP request via the CMTS to the DHCP Server
- DHCP server returns:
  - IP address and Subnet Mask
  - CM configuration file name and IP address of TFTP server
  - UTC time offset to establish local time
  - TOD Server IP address

[Diagram: DHCP-REQ and DHCP-RSP exchanged between modem and Server, via HFC, CMTS and LAN/WAN]

Time of Day

- CM sends a request to the ToD Server
- ToD Server responds: GMT

[Diagram: ToD-REQ and ToD-RSP exchanged between modem and Server, via HFC, CMTS and LAN/WAN]

Transfer Operational Parameters

- After DHCP operation, CM must download the configuration file from the TFTP server
- Server address is specified in the siaddr field of the DHCP response

[Diagram: TFTP-REQ and TFTP-RSP exchanged between modem and Server, via HFC, CMTS and LAN/WAN]

Registration

- CM generates a Registration Request (REG-REQ)
- Includes configuration parameters received from TFTP configuration file:
  - Downstream frequency, Upstream channel ID
  - Network access configuration settings
  - Class of Service
  - Modem Capabilities
  - Modem IP address

[Diagram: REG-REQ between modem and CMTS over HFC]

Registration

- CMTS
  - Checks the CM's MAC address and the authentication signature on the parameters
  - Assigns a SID
  - Provides bandwidth for the CM's requested Class of Service
  - Modifies forwarding table to allow full user data if the modem requested Network Access
  - Sends REG-RSP to CM (CM can pass unencrypted data)

[Diagram: REG-RSP between CMTS and modem over HFC]
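The CMTS-side check of the registration parameters described above, as an added example that is not part of the original slides: it parses the type/length/value settings, confirms the two mandatory settings are present, enforces the 32-CPE maximum and recomputes the authentication signature with a secret held by the operator. The TLV type codes, the HMAC-MD5 construction over all non-MIC settings in file order, the secret and the sample bytes are assumptions of this example.

```python
import hashlib
import hmac

# TLV type codes (assumed here; the slides name the settings, not the codes).
PAD, NETWORK_ACCESS, CLASS_OF_SERVICE, CMTS_MIC, MAX_CPES, END = 0, 3, 4, 7, 18, 255
REQUIRED = {NETWORK_ACCESS: "Network Access", CLASS_OF_SERVICE: "Class of Service"}


def parse_tlvs(blob: bytes):
    """Split type/length/value settings, rejecting truncated entries."""
    tlvs, i = [], 0
    while i < len(blob) and blob[i] != END:
        if blob[i] == PAD:                      # pad is a single byte, no length
            i += 1
            continue
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError(f"truncated TLV at offset {i}")
        tlvs.append((blob[i], blob[i + 2:i + 2 + blob[i + 1]]))
        i += 2 + blob[i + 1]
    return tlvs


def encode(tlvs) -> bytes:
    """Serialize (type, value) pairs back into TLV bytes."""
    return b"".join(bytes([t, len(v)]) + v for t, v in tlvs)


def cmts_mic(tlvs, secret: bytes) -> bytes:
    """Keyed digest over every setting except the MIC itself, in file order
    (assumption of this example)."""
    covered = encode([(t, v) for t, v in tlvs if t != CMTS_MIC])
    return hmac.new(secret, covered, hashlib.md5).digest()


def check_registration(blob: bytes, secret: bytes):
    """Return the reasons the parameters would be refused; empty means accept."""
    try:
        tlvs = parse_tlvs(blob)
    except ValueError as exc:
        return [str(exc)]
    seen = dict(tlvs)
    problems = [f"missing {name}" for t, name in REQUIRED.items() if t not in seen]
    if MAX_CPES in seen and int.from_bytes(seen[MAX_CPES], "big") > 32:
        problems.append("Maximum Number of CPEs exceeds 32")
    # Constant-time comparison of the presented and recomputed signatures.
    if not hmac.compare_digest(seen.get(CMTS_MIC, b""), cmts_mic(tlvs, secret)):
        problems.append("authentication signature mismatch")
    return problems


# Constructed sample: operator secret and a provisioned parameter set.
SECRET = b"constructed-operator-secret"
SETTINGS = [(NETWORK_ACCESS, b"\x01"), (CLASS_OF_SERVICE, b"\x01\x01\x01"),
            (MAX_CPES, b"\x02")]
GOOD = encode(SETTINGS + [(CMTS_MIC, cmts_mic(SETTINGS, SECRET))]) + bytes([END])
# Same bytes with Maximum Number of CPEs changed after signing.
EDITED = GOOD.replace(bytes([MAX_CPES, 1, 2]), bytes([MAX_CPES, 1, 16]))

if __name__ == "__main__":
    print(check_registration(GOOD, SECRET))      # accepted
    print(check_registration(EDITED, SECRET))    # signature no longer matches
    print(check_registration(GOOD[:6], SECRET))  # cut short inside a TLV
```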

Baseline Privacy

- Follows modem registration
- Provides user data privacy by encrypting traffic flows, upstream and downstream
- Provides cable operators basic protection from theft of service
- Mechanisms for:
  - Authentication: CM to CMTS and CMTS to CM
  - Key distribution: traffic keys and lifetimes
  - Data encryption applied to SIDs
- 56-bit DES encryption

Security Association

- If CM is configured for Baseline Privacy in the modem TFTP configuration file:
  - CM sends Authorization Request
    - Public key, MAC address, and SIDs
  - CMTS responds with an Authorization Response
    - Authorization Key (encrypted KEK)
    - Key Sequence number and Lifetimes
    - List of SIDs (for each requested Class of Service)

[Diagram: AUTH-REQ and AUTH-RSP exchanged between modem and CMTS over HFC]

Security Association

- CM sends a Key Request for each SID
- CMTS responds with DES-encrypted TEK for each SID
- CM can now pass encrypted data

[Diagram: KEY-REQ and TEK exchanged between modem and CMTS over HFC]

DOCSIS Today

- DOCSIS 1.0
  - Product interoperability across available CMTSs
  - 64 and 256 QAM modulation (downstream) formats
  - 6-MHz occupied spectrum coexists with all other signals on the cable plant
  - Variable-depth interleaver supports both latency-sensitive and latency-insensitive data
  - The features in the upstream direction are as follows:
    - Flexible and programmable CM under control of the CMTS
    - Frequency agility
    - Time division multiple access
    - QPSK and 16 QAM modulation formats
    - Support of both fixed-frame and variable-length PDU formats
    - Multiple symbol rates
    - Programmable Reed-Solomon block coding
    - Programmable preambles

DOCSIS 1.1 Enhancements

- Telephony support a major driver for 1.1
- QoS
  - Multiple (dynamic) Service Flows and classifiers
  - More upstream scheduling types (polling, periodic grants)
  - Fragmentation
- Concatenation, PHS
  - Efficient use of upstream channels

DOCSIS 1.1 Enhancements

- BPI+
  - Authentication of CMs with digital certificates
  - Longer keys and some new algorithms
- Secure code download
  - Uses PKCS certificates and code image signing
- OSS enhancements
  - SNMPv3
  - Full set of standard events and messages are specified

DOCSIS 1.1 Enhancements

- DOCSIS 1.1
  - Packet Classification, based on fields in the Ethernet, IP, and UDP/TCP headers, into a Service Flow
  - Service Flow association with a DOCSIS Service Identifier
  - QoS MIBs
  - Fragmentation
  - Concatenation
  - Payload Header Suppression (for increased bandwidth efficiency, particularly in the case of relatively small Voice-over-IP [VoIP] packets)
  - Priority Queuing (e.g. Weighted Fair Queuing) at the CMTS
  - BPI+ (Base Line Privacy - Plus)
  - IGMP (Internet Group Management Protocol) Management

DOCSIS 1.0 and 1.1 Interoperability

- Can DOCSIS 1.0 and 1.1 modems be used in the same system?
  - DOCSIS 1.1 is backward compatible with DOCSIS 1.0
  - DOCSIS 1.1 CMTSs are required to support both DOCSIS 1.0 and 1.1 cable modems
  - DOCSIS 1.1 modems must be able to register as a DOCSIS 1.0 modem with a CMTS that only supports DOCSIS 1.0
- Can DOCSIS 1.0 and 1.1 modems be used on the same upstream channel?
  - Yes.
  - Managing 1.0 and 1.1 modems on the same upstream channel is a more complex task for the CMTS
  - If QoS commitments cause conflicts, the CMTS can easily move a CM from one upstream channel to another

DOCSIS 1.1 Overview

- Quality of Service (QoS)
- Baseline Privacy Plus (BPI+)
- Multicast
- Secure code download
- Dynamic channel change
- SNMPv3
- Standardized event logging

Quality of Service

[Diagram: E-mail, Voice and file traffic from a CM over HFC, shown once for DOCSIS 1.0 and once for DOCSIS 1.1]

In DOCSIS 1.0, all services compete for upstream bandwidth on a best effort basis.

In DOCSIS 1.1, each service can get performance assurances based on QoS parameters (e.g. bandwidth, jitter)

Packet Processing

[Diagram: Data Packet, Classifier, Service Queues, Upstream Scheduler]

Classification
- IP Protocol
- Source/Dest IP Address
- Source/Dest Port
- ToS
- Source/Dest MAC Address

Service Flow
- Max burst size
- Req/Transmission policy
- Max traffic rate
- Min reserved traffic rate
- Upstream scheduling type
- Grant/poll jitter
- Grant/poll interval

Upstream Scheduling
- Unsolicited Grant Service (UGS)
- UGS w/ Activity Detection
- Real-Time Polling
- Non-Real-Time Polling
- Best Effort

Service Flow Types

- Static
  - Provisioned when the CM registers
  - Defined in a CM's config file
- Dynamic
  - Created as needed, based on demand
  - Dynamic service flow messages
    - Dynamic Service Add (DSA)
    - Dynamic Service Change (DSC)
    - Dynamic Service Delete (DSD)
  - Either CM or CMTS can create

Service Flow States

- Provisioned
  - The CMTS has not yet reserved the resources in its MAC scheduler
- Admitted
  - The resources are reserved, but the flow is not active
- Active
  - The resources are in use, data is actively being transmitted on the flow

Dynamic Service Flow Example: Two Phase Activation

- When a voice call is originated:
  - Service flow created via DSA
  - Resources are admitted (phase 1)
- When the far end answers:
  - DSC used to activate the resources (phase 2)
  - Call in progress
- When call ends, service flow is terminated via DSD

Fragmentation

Concatenation

- Transmission from single CM limited by the REQ/Grant handshake
  - Nominal latency for REQ/Grant sequence in idle network is ~2.5 msec, or ~400 Grants/sec for a single CM
  - Operationally, ~150 grants/sec is typical
  - Thus, transmission limited to ~150 bursts/sec
- Concatenation allows multiple packets per burst
  - Improved upstream performance and efficiency

Payload Header Suppression

- Allows repetitive portion of packet to be suppressed over the HFC link
- A set of PHS rules defines the portion of the packet to suppress
- Set up during DSA or DSC signaling
- Improves bandwidth efficiency

PHS Example

BPI+ Enhances BPI Capability

- Stronger crypto mechanisms
- Support of future upgrade of crypto capabilities
- Strong authentication
- Dynamic security associations

Strong Authentication

- DOCSIS 1.0 does not have a secure mechanism to authenticate the CM
- DOCSIS 1.1 adds strong authentication of the CM through the use of X.509 digital certificates
- Each CM is issued a unique digital certificate that is verified through the DOCSIS root certificate authority

DOCSIS Trust Hierarchy

CM Authorization

CM to CMTS: Auth Request (CM-ID, CM-Certificate, Security-Capability, primary SAID)
CMTS to CM: Auth Reply (Auth-key, Key-Lifetime, Key-Sequence_Number, one or more SA-Descriptors)

- CM-ID: serial number, manufacturer ID, MAC addr, & RSA public key
- CM Certificate: X.509 certificate
- Security-Capability: crypto capability, BPI version
- Primary SAID: CM's primary SID
- Auth-Key: Authorization key encrypted with CM's public key
- Key-Lifetime: remaining time that key is valid, in secs
- Key-Sequence-Number: Sequence number of Auth key
- SA-Descriptors: Properties of the security association, including SAID, SA-type, & crypto-suite

Basic Authentication (1)

- CM sends: CM cert, manufacturer cert
- CMTS verifies CM cert
  - MAC addr, serial #, CM public key are correct
  - Expiration okay
  - CM cert issuer name matches manuf cert subject name
  - CM cert signature is valid, using manuf cert public key
- CMTS verifies manufacturer cert
  - Expiration okay
  - Manuf cert issuer name is DOCSIS
  - Manuf cert signature is valid, using DOCSIS root public key
- Success proves CM cert is valid, but still need to determine that CM is rightful owner

Basic Authentication (2)

- CMTS RSA-encrypts authorization key using CM's public key in CM certificate
- CM uses HMAC key (derived from authorization key) to generate HMAC on Key Request message
- CMTS verifies the HMAC
- Success proves CM knows the private key that matches public key in CM cert, hence CM is rightful owner
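The proof-of-possession step from Basic Authentication (2), as an added example that is not from the original slides: the CMTS encrypts the authorization key to the public key in the CM certificate, and accepts only a Key Request whose HMAC was built from that key and names the current key sequence number. The toy RSA parameters, pad constant, Key Request layout and SAID value are assumptions of this example.

```python
import hashlib
import hmac
import os

# Toy textbook RSA (two fixed Mersenne primes, no padding) standing in for the
# key pair bound to the CM certificate; illustration only, not real key sizes.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus, carried in the CM cert
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the CM
KEY_LEN, TAG_LEN = 20, 20


def upstream_hmac_key(auth_key: bytes) -> bytes:
    """Derive the message-authentication key from the authorization key.
    The pad constant is an assumption of this example."""
    return hashlib.sha1(b"\x5c" * 64 + auth_key).digest()


def key_request(said: int, key_seq: int, auth_key: bytes) -> bytes:
    """CM side. Hypothetical layout: SAID (2 bytes) | key-seq (1 byte) | HMAC."""
    body = said.to_bytes(2, "big") + bytes([key_seq])
    return body + hmac.new(upstream_hmac_key(auth_key), body, hashlib.sha1).digest()


def cm_recover_auth_key(ciphertext: int, n: int, d: int) -> bytes:
    """CM side: only the holder of the private exponent can do this."""
    return pow(ciphertext, d, n).to_bytes(KEY_LEN, "big")


class Cmts:
    def __init__(self):
        self.auth_key = os.urandom(KEY_LEN)
        self.key_seq = 1

    def auth_reply(self, cert_n: int, cert_e: int):
        """Encrypt the authorization key to the public key from the CM cert."""
        return pow(int.from_bytes(self.auth_key, "big"), cert_e, cert_n), self.key_seq

    def accept(self, msg: bytes) -> bool:
        """Verify the HMAC and that the request names the current key."""
        if len(msg) != 3 + TAG_LEN or msg[2] != self.key_seq:
            return False
        want = hmac.new(upstream_hmac_key(self.auth_key), msg[:3], hashlib.sha1).digest()
        return hmac.compare_digest(msg[3:], want)


def run_exchange():
    cmts = Cmts()
    ciphertext, seq = cmts.auth_reply(N, E)
    real_key = cm_recover_auth_key(ciphertext, N, D)
    owner = key_request(0x2001, seq, real_key)
    # A device presenting the same certificate without the private key can
    # only guess the authorization key.
    copy = key_request(0x2001, seq, os.urandom(KEY_LEN))
    altered = owner[:1] + bytes([owner[1] ^ 1]) + owner[2:]   # SAID changed in transit
    stale = key_request(0x2001, seq - 1, real_key)            # old key sequence number
    cases = [("owner", owner), ("copy", copy), ("altered", altered), ("stale", stale)]
    return {name: cmts.accept(msg) for name, msg in cases}


if __name__ == "__main__":
    print(run_exchange())
```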

Dynamic Security Associations

- Useful for encrypting traffic flows that are dynamic or temporal (e.g. multicast)
- SA-MAP mechanism allows CM to learn of encrypted traffic flows and their security associations
- Currently applied to multicast downstream flow
- Interoperates with the DOCSIS 1.1 IGMP management mechanism, which triggers the establishment of dynamic SAs

IGMP/SA-MAP Example

[Sequence diagram between CPE, CM and CMTS. Labels: IGMP MR (Join); Set Multicast MAC Filter; SA-MAP Request; SA-MAP Reply; Determine SAID; Start TEK FSM; Key Req/Reply; Encrypt Multicast; Encrypted Multicast Data; Decrypt Multicast; Multicast Data]

Secure Code Download

- DOCSIS provides a method to remotely download firmware updates to the CM
- DOCSIS 1.1 adds a digital signature to the code file to verify the source and integrity of the downloaded code
- Allows for both the manufacturer and the MSO to digitally sign the code file

Code Download Process

- DOCSIS Root CA
  - Issues Manufacturer CVC
- Manufacturer
  - Signs code file
  - Sends code file w/ CVC to MSO
- MSO
  - Verifies code file
  - Optionally, adds MSO co-signature and MSO CVC to code file
  - Sends code file to CM on request
- Cable Modem
  - Download code file
  - Verify manufacturer's signature
  - Verify MSO signature, if present
  - If verified, install code image

Dynamic Channel Change

- Enables CMTS to dynamically direct the CM to change its downstream and/or upstream channel
- Near seamless change with minimum interruption of service
- Useful for traffic balancing, noise avoidance,

SNMPv3

- Enhances the SNMP v1/v2 framework to support:
  - Privacy & authentication
  - Authorization
- SNMPv3 defines a modular architecture within which network management capabilities can evolve
- SNMPv3 defines no new protocols
- Documented in RFC 2571-2576

SNMPv3 Architecture

Standardized Event Logging

- DOCSIS 1.1 defines a set of standardized event message formats and priorities
  - ~250 standard event messages
  - 16 DOCSIS-specific trap types
- Eases network management operations
  - Common event message across CM products
  - Facilitates automated event processing

References

- Specifications are publicly available at www.cablemodem.com/specifications.html
- IEEE Communications, March 2001, p. 202
  - Good overview article, available as PDF file
- CableLabs training on 1.0 MAC (VGs)
- CableLabs training on 1.1 (VGs and video)
  - Video is of a presentation of the VG
- Clive Holborow and Greg Nakanishi
  - BCS/IPNS, San Diego
