DOCSIS Cable Modem

Connection Process

1
 Objectives

!Examine a DOCSIS system

!Define the DOCSIS modes
! RF Return
! Telco Return
!Learn the DOCSIS Downstream and Upstream Parameters
!Define the DOCSIS modem registration process

2
 DOCSIS Block Diagram

!Principal Function of the DOCSIS Cable Modem System Is to

Transmit Internet Protocol (IP) Packets Transparently Between
the Head end and the Subscriber Location.
!The DOCSIS System Consists of:
! Cable Modem Termination System (CMTS) located at the headed
! Cable Network
! Cable Modem (CM) located at the Customer Premise

Cable
Wide-Area Modem
Network Termination
System Cable
CMTS
(CMTS) Network Cable Modem CM Customer Premises
Network Side
Interface HFC (CM) Equipment Interface
Customer
Premises
Equipment
Transparent IP Traffic Through the System
3
 DOCSIS Support Devices

Satellite Data Services

Headend or Central - High Speed
Office
- Packet Data
- IP Routing
NM CMTS - IP Multicast
- CM open Architecture

Internet
On-line Laser HFC
Services
Combiner/ COAX Cable Modem
Splitter Splitter
Local
Server
Video
Fiber
Local Node
Programming PC or MAC

Television
DHCP TOD TFTP Home Subscriber
Server Server Server
4

TOD: Time of Day; TFTP: Trivial File Transfer Protocol; DHCP: Dynamic Host Configuration Protocol
 DOCSIS DHCP Server

!DHCP Server
! Assigns IP addresses to client computers
" addresses are “leased” to clients (Cable Modems or CPE’s) for a
period of time
" IP addresses can be reserved for specific clients or assigned from
DHCP
Server “pools”
" clients may be authenticated based on their MAC address
" address may be assigned from different “pools” based on extended
options

5
 DHCP Process

! The following parameters will be requested by the Cable

Modem (CM) from the DHCP server
" IP address of the CM
" IP address of the TFTP Server (for DOCSIS Configuration file)
DHCP " IP address of the DHCP Relay Agent (if the DCHP server resides
Server on a different network than the CM)
" TFTP/DOCSIS Configuration file name
" Subnet Mask to be used by the CM
" Time offset of the CM from Universal Coordinated Time (UTC)
" Default IP Gateway
" Time of Day Server IP address
" SYSLOG Server IP address

6
 DOCSIS ToD Server

!ToD Server
! Internet Time Protocol (ITP)
" RFC 868

! UDP and TCP requests honored on port 37

ToD
Server

! 32-bit value defining the number of seconds since 00:00

(midnight January 1, 1900 GMT)

7
 DOCSIS TFTP Server

!TFTP Server
! Trivial File Transfer Protocol
" (RFC 1350)

TFTP
Server ! UDP port 69

! Small and easy to implement

! Read and write to and from remote servers

8
 TFTP Process

! The following settings MUST be included in the

configuration file:
" Network Access Configuration Setting
" Class of Service Configuration Setting

! The following settings are optional:

" Downstream Frequency
" Upstream Channel ID
" Vendor ID
" Baseline Privacy
" Software Upgrade filename
TFTP
Server
" SNMP Write-Access Control
" SNMP MIB Object
" Software Server IP Address
" CPE Ethernet MAC Address
" Maximum Number of CPE’s (32 Max)
" SNMP IP Address (if applicable)
" Telephone Settings (if applicable)
" Vendor-Specific Configuration (if applicable)

9
 Cable Modem Architectures
RF Return
!RF-Return
! Suited for CATV networks that have been fully upgraded for
two-way communications
! Delivers high-speed data downstream and upstream over
broadband network
! DOCSIS establishes standard specification for data
communications over HFC network

10
 Cable Modem Architectures
Telco Return
!Telco-Return Suited for CATV networks without two-
way capability
! Delivers high-speed data downstream over broadband
network
! Relies on dial-up networking technology for return data
! Does not require HFC plant upgrade to two-way RF
! DOCSIS also specifies data communications using a
telephone-return architecture
! Support for MMDS Wireless systems, DOCSIS does not
support MMDS 2-Way

11
 DOCSIS Protocol Signaling

!Frames and Timing

! MPEG Frames
" 188 Bytes, 4 Byte header
! Synchronous Transmission
" Clock Synch messages from head end (613 per second)
" One source per downstream
" Multiple sources per upstream requiring time sharing
" Cable Modems identified by 16 bit Service ID (SID)

12
 DOCSIS Protocol and Signaling
contd.
!Frames and Timing
! Upstream Time Sharing (TDMA)

! Time allocation MAP from head end (every 4 ms)

! Upstream time allocated for Cable Modems in mini slots

" (Mini-slot = 8 ticks, Tick = 6.25 usec)

! Shared time slots for Maintenance & Requests (e.g. for new
modems with no SID to come online)

13
 DOCSIS Downstream Architecture

!RF Channel Spacing

! 88 - 860 MHz
! 6 MHz
» 64 QAM-Occupied bandwidth 5.057 MHz plus guard band
» 256 QAM- Occupied bandwidth 5.4 MHz plus guard band

14
 DOCSIS Downstream Architecture

!RF performance requirements

! CNR -- 23.5dB as measured for analog video performance.
(assumes DOCSIS carrier at analog level and 64 QAM
downstream.)
! Amplitude ripple (response) -- 0.5 dB
! Group delay -- 75ns
! Power levels – -15 dBmV to +15 dBmV

15
 DOCSIS Downstream Architecture

!The DOCSIS Specification Uses a Modulation and

Coding Scheme Defined by ITU J.83 Annex-b, for the
Downstream:
! Modulation Type: 64-QAM or 256-QAM
! Maximum Data Rate: 27 Mbps at 64-QAM, 38 Mbps at 256-
QAM
! Bandwidth: 6 MHz channel
! Frequency Range: 88 - 860 MHz
! Transport Protocol: MPEG-2
! Forward Error Correction (FEC) encoding: outer Reed-
Solomon and inner Trellis code
! 1E-8 BER with a carrier to noise ratio (Es/No) of:
• 23.5 dB for 64-QAM
• 30 dB for 256-QAM
16
 DOCSIS Upstream Architecture

!Variable RF bandwidth and modulation.

! 200 kHz,400 kHz, 800 kHz, 1600 kHz, and 3200 kHz
! QPSK ( Quadrature Phase Shift Key) or 16 QAM (Quadrature
Amplitude Modulation)
!Frequency Range
! 5 to 42 MHz (Edge to Edge)
!RF Performance requirements
! CNR -- Not less than 25 dB

17
 DOCSIS Upstream Architecture
!Motorola (GI) Developed and Designed the Flexible F/TDMA
Upstream Approach to the Physical Layer in the DOCSIS
Specification:
! Modulation Type: 16-QAM or QPSK
! Data Rates: 320Kbps - 10 Mbps
! Symbol Rates: 160, 320, 640, 1280 and 2560 ksym/s
! Bandwidth: 200, 400, 800, 1600 and 3200 kHz
! Frequency Range: 5 - 42 MHz (edge to edge)
!Range of available data rates and bandwidth used:
U p s tre a m S ym b o l B a n d w id t h QPSK 16 Q AM
R a te (k s p s ) U s e d (K H z ) D a ta R a te D a ta R a te
(k b p s ) (k b p s )
160 200 320 640
320 400 640 1280
640 800 1280 2560
1280 1600 2560 5120
2560 3200 5120 10240
18
 CMTS and Cable Modem Startup

!Provision modem in the Cable Router (operator configured or

automatically provisioned)
!Install modem at subscriber premise (cable and power)

HFC
MODEM
CMTS

19
 Downstream Channel Search

!CM searches for a downstream data channel

!Synchronize with QAM
!Synchronize with FEC and MPEG

QAM Signal

HFC MODEM
CMTS

20
 Monitor for SYNC Message

!Periodically transmitted by CMTS

!SYNC message contains a time stamp that exactly identifies
when the CMTS transmitted the message
!CM to synchronize its time-based reference clock so that its
transmission on the upstream will fall into the correct mini-
slots

SYNC Message

HFC
MODEM
CMTS

21
 Obtain Upstream Parameters

!Monitor for UCD message

! periodically transmitted by CMTS
! UCDs define characteristics of the upstream channel such as:
» mini-slot size
» upstream channel ID
» downstream channel ID
» burst descriptors

UCD Message

HFC
MODEM
CMTS

22

UCD: Upstream Channel Descriptor

 Initial Ranging

!CMTS periodically transmits MAP messages

!Upstream Bandwidth Allocation Map (MAP) includes:
! Initial Maintenance Interval (broadcast interval) with start and end of
connection opportunity
!CM responds with Ranging Request (RNG-REQ)

MAP Message

HFC
MODEM
CMTS RNG-REQ

23

MAP: Media Access Protocol

 Auto Adjustments

!CMTS receives initial Ranging Request from CM

!CMTS responds with Ranging Response (unicast)
! assigns a SID and allocates bandwidth to this SID
! adjust power level, timing offset, and frequency adjustment
! Sets downstream and upstream channels
!CMTS starts Admission Control

RNG-RSP

HFC
MODEM
CMTS

24
 Admission Control

!CMTS allocates a Temporary SID for the CM and puts the CM in

the Forwarding Tables
!CMTS sends MAP with Station Maintenance opportunity for
that SID
!CM ranges with new settings
!CMTS sends RNG-RSP to indicate success or failure of
Admission

MAP Message

HFC
MODEM
CMTS RNG-REQ

25
 Bandwidth Requests

! Uses special MAC frame (REQ - 6 bytes only)

! Can also piggyback request on data frame
! Uses a 4-byte Extended Header TLV
! Request contains SID and number of minislots needed
! Includes all FEC other PHY overhead
! Requests may be sent in Request, Request/Data, or Data
transmit intervals
! The MAP has a special code to signal a request has been
received although no grant is in the current MAP

26
 MAPS

!The upstream time is allocated to modems in the MAP

message
! MAP is variable length, typically 5-15 ms
!CMTS sends separate MAP messages for each upstream
channel
! Set of all MAPs for a channel covers all minislots
!For each BW grant, contains:
SID, Burst type, and Grant length
!MAP contains US Channel ID and configuration count
! Allows dynamic UCD changes

27
MAP Example

28
 IP Connectivity

!CM sends a broadcast DHCP request via the CMTS to the

DHCP Server
!DHCP server returns:
! IP address and Subnet Mask
! CM configuration file name and IP address of TFTP server
! UTC time offset to establish local time
! TOD Server IP address

Server

DHCP-REQ

LAN/WAN HFC MODEM

CMTS DHCP-RSP
29
 Time of Day

!CM sends a request to the ToD Server

!ToD Server responds: GMT

Server

ToD-REQ

LAN/WAN HFC MODEM

CMTS ToD-RSP
30
 Transfer Operational Parameters

!After DHCP operation, CM must download the configuration file

from the TFTP server
!Server address is specified in the “siaddr” field of the DHCP
response

Server

TFTP-REQ

LAN/WAN HFC MODEM

CMTS TFTP-RSP
31
 Registration

!CM generates a Registration Request (REG-REQ)

!Includes configuration parameters received from TFTP
configuration file:
! Downstream frequency, Upstream channel ID
! Network access configuration settings
! Class of Service
! Modem Capabilities
! Modem IP address
REG-REQ

HFC MODEM

CMTS

32
 Registration

!CMTS
! checks CM’s MAC address and authentication signature on the
parameters
! assigns a SID
! provides bandwidth for CM requested Class of Service
! modifies forwarding table to allow full user data if the modem
requested Network Access
! sends REG-RSP to CM (CM can pass unencrypted data)

REG-RSP

HFC MODEM

CMTS
33
 Baseline Privacy

!Follows modem registration

!Provides user data privacy by encrypting traffic flows,
upstream and downstream
!Provides cable operators basic protection from theft of service
!Mechanisms for:
! authentication: CM to CMTS and CMTS to CM
! key distribution: traffic keys and lifetimes
! data encryption applied to Sid's
!56 bit DES Encryption

34
 Security Association

!If CM is configured for Baseline Privacy in the modem TFTP

configuration file:
! CM sends Authorization Request
» Public key, MAC address, and SID’s
! CMTS responds with an Authorization Response
» Authorization Key (encrypted KEK)
» Key Sequence number and Lifetimes
» List of SID’s (for each requested Class of Service)

AUTH-REQ

HFC MODEM

CMTS AUTH-RSP
35
 Security Association

!CM requests Key Request for each SID

!CMTS responds with DES encrypted TEK for each SID
!CM can now pass encrypted data

KEY-REQ

HFC MODEM

CMTS TEK
36
 DOCSIS Today

! DOCSIS 1.0
! Product Interoperability across available CMTS’s
! 64 and 256 QAM modulation (downstream) formats
! 6-MHz occupied spectrum coexists with all other signals on the cable
plant
! Variable-depth interleaver supports both latency-sensitive and -
insensitive data.
! The features in the upstream direction are as follows:
• Flexible and programmable CM under control of the CMTS
• Frequency agility
• Time division multiple access
• QPSK and 16 QAM modulation formats
• Support of both fixed-frame and variable-length PDU formats
• Multiple symbol rates
• Programmable Reed-Solomon block coding
• Programmable preambles

37
 DOCSIS 1.1 Enhancements

!Telephony support a major driver for 1.1

!QoS
! Multiple (dynamic) Service Flows and classifiers
! More upstream scheduling types (polling, periodic grants)
! Fragmentation
!Concatenation, PHS
! Efficient use of upstream channels

38
 DOCSIS 1.1 Enhancements

!BPI+
! Authentication of CMs with digital certificates
! Longer keys and some new algorithms
!Secure code download
! Uses PKCS certificates and code image signing
!OSS enhancements
! SNMPv3
! Full set of standard events and messages are specified

39
 DOCSIS 1.1 Enhancements

! DOCSIS 1.1
! Packet Classification, based on fields in the Ethernet, IP, and UDP/TCP
headers, into a Service Flow
! Service Flow association with a DOCSIS Service Identifier
! QoS MIB’s
! Fragmentation
! Concatenation
! Payload Header Suppression (for increased bandwidth efficiency,
particularly in the case of relatively small Voice-over-IP [VoIP] packets)
! Priority Queuing (e.g. Weighted Fair Queuing) at the CMTS
! BPI+ (Base Line Privacy - Plus)
! IGMP (Internet Group Management Protocol) Management

40
 DOCSIS 1.0 and 1.1
Interoperability

! Can DOCSIS 1.0 and 1.1 Modems Can Be Used in the Same
System?
! DOCSIS 1.1 is backward compatible with DOCSIS 1.0
! DOCSIS 1.1 CMTS’s are required to to support both DOCSIS 1.0 and
1.1 cable modems
! DOCSIS 1.1 modems must be able to register as a DOCSIS 1.0
modem with a CMTS that only supports DOCSIS 1.0

! Can DOCSIS 1.0 and 1.1 Modems Used on the Same Upstream
Channel?
! Yes.
! Managing 1.0 and 1.1 modems on the same upstream channel is a
more complex task for the CMTS
! If QoS commitments cause conflicts, the CMTS can easily move a CM
from one upstream channel to another
41
 DOCSIS 1.1 Overview

! Quality of Service (QoS)

! Baseline Privacy Plus (BPI+)
! Multicast
! Secure code download
! Dynamic channel change
! SNMPv3
! Standardized event logging

42
 Quality of Service

E-mail
HFC HFC
Voice

CM CM
file

In
In DOCSIS
DOCSIS 1.0,
1.0, all
all services
services In
In DOCSIS
DOCSIS 1.1,
1.1, each
each service
service
compete
compete for
for upstream
upstream can
can get
get performance
performance
bandwidth
bandwidth on
on aa best
best effort
effort assurances
assurances based
based onon QoS
QoS
basis.
basis. parameters
parameters (e.g.
(e.g. bandwidth,
bandwidth,
jitter)
jitter)

43
 Packet Processing

Classifier Service Queues Upstream Scheduler

Data Packet

Classification Service Flow Upstream Scheduling

•IP Protocol •Max burst size •Unsolicited Grant Service

•Source/Dest IP •Req/Transmission policy (UGS)
Address •Max traffic rate •UGS w/ Activity Detection
•Source/Dest Port •Min reserved traffic rate •Real-Time Polling
•ToS •Upstream scheduling type •Non-Real-Time Polling
•Source/Dest MAC •Grant/poll jitter •Best Effort
Address •Grant/poll interval

44
 Service Flow Types

! Static
! Provisioned when the CM registers
! Defined in a CMs’ config file
! Dynamic
! Created as needed, based on demand
! Dynamic service flow messages
» Dynamic Service Add (DSA)
» Dynamic Service Change (DSC)
» Dynamic Service Delete (DSD)
! Either CM or CMTS can create

45
 Service Flow States

!Provisioned
! The CMTS has not yet reserved the resources in its MAC
scheduler
!Admitted
! The resources are reserved, but the flow is not active
!Active
! The resources are in use, data is actively being transmitted on
the flow

46
 Dynamic Service Flow Example
Two Phase Activation
!When a voice call is originated:
! Service flow created via DSA
! Resources are admitted (phase 1)
!When the far end answers:
! DSC used to activate the resources (phase 2)
! Call in progress
!When call ends, service flow is terminated via DSD

47
Fragmentation

48
 Concatenation

! Transmission from single CM limited by the REQ/Grant

handshake
! Nominal latency for REQ/Grant sequence in idle network is
~2.5 msec, or ~400 Grants/sec for a single CM
! Operationally, ~150 grants/sec is typical
! Thus, transmission limited to ~150 bursts/sec
! Concatenation allows multiple packets per burst
! Improved upstream performance and efficiency

49
 Payload Header Suppression

! Allows repetitive portion of packet to be suppressed over the HFC link

! A set of PHS rules defines the portion of the packet to suppress
! Set up during DSA or DSC signaling
! Improves bandwidth efficiency

50
PHS Example

51
 BPI+ Enhances BPI Capability

! Stronger crypto mechanisms

! Support of future upgrade of crypto capabilities
! Strong authentication
! Dynamic security associations

52
 Strong Authentication

! DOCSIS 1.0 does not have a secure mechanism to authenticate the CM

! DOCSIS 1.1 adds strong authentication of the CM through the use of
X.509 digital certificates
! Each CM issued a unique digital certificate that is verified through the
DOCSIS root certificate authority

53
DOCSIS Trust Hierarchy

54
 CM Authorization

Auth Request (CM-ID, CM-Certificate,

Security-Capability, primary SAID)

Auth Reply (Auth-key, Key-Lifetime,

CM Key-Sequence_Number, one or more CMTS
SA-Descriptors)

CM-ID : serial number, manufacturer ID, MAC addr, & RSA public key
CM Certificate : X.509 certificate
Security-Capability : crypto capability, BPI version
Primary SAID : CM’s primary SID
Auth-Key : Authorization key encrypted with CM’s public key
Key-Lifetime : remaining time that key is valid in secs
Key-Sequence-Number : Sequence number of Auth key
SA-Descriptors : Properties of the security association, including SAID, SA-type, &
cyrpto-suite

55
 Basic Authentication (1)

! CM sends: CM cert, manufacturer cert

! CMTS verifies CM cert
– MAC addr, serial #, CM public key are correct
! Expiration okay
! CM cert issuer name matches manuf cert subject name
! CM cert signature is valid, using manuf cert public key
! CMTS verifies manufacturer cert
! Expiration okay
! Manuf cert issuer name is DOCSIS
! Manuf cert signature is valid, using DOCSIS root public key
! Success proves CM cert is valid, but still need to determine that
CM is rightful owner

56
 Basic Authentication (2)

! CMTS RSA-encrypts authorization key using CM’s public

key in CM certificate
! CM uses HMAC key (derived from authorization key) to
generate HMAC on Key Request message
! CMTS verifies the HMAC
! Success proves CM knows the private key that matches
public key in CM cert, hence CM is rightful owner

57
 Dynamic Security Associations

! Useful for encrypting traffic flows that are dynamic or

temporal (e.g. multicast)
! SA-MAP mechanism allows CM to learn of encrypted traffic
flows and it’s security association.
! Currently applied to multicast downstream flow
! Inter-operate with DOCSIS 1.1. IGMP management
mechanism which triggers the establishment of dynamic
SAs.

58
 IGMP/SA-MAP Example

CPE CM CMTS
IGMP MR (Join) IGMP MR (Join)
Set
Set Multicast
Multicast
MAC
MAC Filter
Filter SA-MAP Request
Determine
Determine
SA-MAP Reply SAID
SAID

Start
Start TEK
TEK Key Req/Reply
FSM
FSM
Encrypted
Multicast Data Decrypt
Decrypt Multicast Data Encrypt
Encrypt Multicast Data
Multicast
Multicast Multicast
Multicast

59
 Secure Code Download

! DOCSIS provides a method to remotely download firmware updates to

the CM
! DOCSIS 1.1 adds a digital signature to the code file to verify the
source and integrity of the downloaded code
! Allows for both the manufacturer and the MSO to digitally ‘sign’ the
code file.

60
 Code Download Process

!DOCSIS Root CA
! Issues Manufacturer CVC

!Manufacturer
! Signs code file
! Send code file w/ CVC to MSO
!MSO
! Verifies code file
! Optionally, adds MSO co-signature and MSO CVC to code file
! Send code file to CM on request
!Cable Modem
! Download code file
! Verify manufacturer’s signature
! Verify MSO signature, if present
! If verified, install code image

61
 Dynamic Channel Change

! Enables CMTS to dynamically direct the CM to change its downstream

and/or upstream channel
! Near seamless change with minimum interruption of service
! Useful for traffic balancing, noise avoidance, …

62
 SNMPv3

! Enhances the SNMP v1/v2 framework to support:

! Privacy & authentication
! Authorization
! SNMPv3 defines a modular architecture within which
network management capabilities can evolve
! SNMPv3 defines no new protocols
! Documented in RFC 2571-2576

63
SNMPv3 Architecture

64
 Standardized Event Logging

!DOCSIS 1.1 defines a set of standardized event message

formats and priorities.
! ~250 standard event messages
! 16 DOCSIS-specific trap types
!Eases network management operations
! Common event message across CM products
! Facilitates automated event processing

65
 References

! Specifications are publically available at

www.cablemodem.com/specifications.html
! IEEE Communications, March 2001, p. 202
! Good overview article, available as PDF file
! CableLabs training on 1.0 MAC (VGs)
! CableLabs training on 1.1 (VGs and video)
! Video is of a presentation of the VG
! Clive Holborow and Greg Nakanishi
! BCS/IPNS, San Diego

66
Return to Introduction

67