Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPCablecom Security Eric Rosenfeld, CableLabs Sasha Medvinsky, Motorola Simon Kang, Motorola ITU IPCablecom Mediacom Workshop March 13, 2002 Geneva, Switzerland.

Published byEvelyn Sherman Modified over 8 years ago

Similar presentations

Presentation on theme: "IPCablecom Security Eric Rosenfeld, CableLabs Sasha Medvinsky, Motorola Simon Kang, Motorola ITU IPCablecom Mediacom Workshop March 13, 2002 Geneva, Switzerland."— Presentation transcript:

1 IPCablecom Security Eric Rosenfeld, CableLabs Sasha Medvinsky, Motorola Simon Kang, Motorola ITU IPCablecom Mediacom Workshop March 13, 2002 Geneva, Switzerland

2 Agenda IPCablecom Overview How it Works Services and Capabilities Security Goals of IPCablecom IPCablecom Security Architecture Security Mechanisms & Component Summary

3 What is IPCablecom? IPCablecom is a set of standards that define protocols and functional requirements for the purpose of providing Quality-of- Service (QoS) enhanced secure communications using the Internet Protocol (IP) over the cable television Hybrid Fiber Coax (HFC) J.112 network

4 IPCablecom Framework Broadband Modem Physical LayerMedia Access ControlInternet ProtocolIPCablecom Protocols Voice/Video Telephony Conferencing Video/Data Applications J.112 IPCablecom

5 Servers PSTN IPCablecom How it Works HFC J.112 Cable Modem CMTS (J.112 AN) Cable IP Network Internet Upgrade to IPCablecom + MTA

6 IPCablecom Architecture Managed IP Backbone (QoS Features) (Headend, Local, Regional) PSTN Media Gateway Signaling Gateway Call Management Server HFC access network (J.112) MTA Embedded MTA CMTS HFC access network (J.112) Cable Modem MTA Embedded MTA CMTS Media Gateway Controller OSS Back Office Media Servers Announcement Servers Conference Mixing Bridges... Billing Provisioning Problem Resolution DHCP Servers TFTP Servers Key Distribution Center (KDC) Cable Modem

7 IPCablecom : What Equipment? Home: –Embedded Multimedia Terminal Adapter (MTA) -- cable modem with RJ-11 jacks Headend: –Cable Modem Termination System (CMTS): J.112 AN –IPCablecom Servers: Call Management Server (CMS), Record Keeping Server (RKS), Device Provisioning Server, Key Distribution Center (KDC) –Gateways: To link IP calls to backbone or PSTN

8 And now the security…

9 Why do we need security? Threats to the IPCablecom Network –Threats exist because: Shared network Access in the users home Valued functionality –Types of threats: Network attacks Theft of service Eavesdropping Denial of Service

10 Security Services provided by J.112 Baseline Privacy Interface + (BPI+) –Privacy between the Cable Modem and CMTS DES encryption –Protection from theft of Service Authentication of Cable Modems via X.509 digital certificates –Enable secure code download to the Cable Modem Authentication of Cable Modem software image via X.509 Code Verification Certificate

11 BPI+ Applicability to IPCablecom Embedded MTAs rely on Cable Modem for secure code download Privacy of J.112 QoS messages prevents some denial of service attacks Theft of Service protection doesn’t apply: –CPEs behind a CM are not authenticated –IP Telephony servers also not authenticated Additional security at application layer is needed to protect IPCablecom services

12 IPCablecom Security Objectives End-to-end secure communication –Must be at least as secure as PSTN networks Protection for the user –Ensure privacy of media sessions Protection for the operator –Combat theft-of-service –Protect infrastructure Comprehensive plan –Who/What needs to protect and why? –When/Why do we protect this information? –How will we incorporate security?

13 IPCablecom Security Objectives Use open standards whenever possible Conduct a risk assessment Provide a reasonable level of security Specify Interface security –No device or operator network security Assume operators must have reasonable network management security policy Require J.112 networks with BPI+ enabled

14 IPCablecom Security Architecture

15 Security Mechanisms Kerberos –Centralized network authentication via a Key Distribution Center (KDC) –Public Key Initialization (PKINIT) Digital Certificates are used to authenticate the MTA to the KDC and KDC to MTA –Key Management Allows MTAs and CMSs to agree on cryptographic keys for secure communications

16 Security Mechanisms IPsec –IP-layer security protocol (IETF standard) –Encapsulating Security Payload (ESP) Transport mode for end-to-end security Privacy/authentication/integrity of payload –3DES, HMAC SHA1 or HMAC MD5 –Initial Authentication & Key Management provided by: Kerberos+PKINIT for MTAs Internet Key Exchange (IKE) with pre-shared keys for infrastructure components (CMS, CMTS, RKS, Gateways)

17 Security Mechanisms SNMPv3 security –SNMPv3 is used to monitor & manage MTAs –Initial Authentication & Key Management Kerberos+PKINIT –Message Authentication & Integrity HMAC MD5 algorithm –Privacy (optional) DES algorithm

18 Security Mechanisms Call Signaling Security –NCS, TCAP/IP, ISTP, and TGCP Protocols –Protocol security provided by IPsec –Mix of authentication & key management technologies: IKE with pre-shared keys for servers –Default for IPsec, comes bundled with off- the-shelf implementations Kerberos+PKINIT for MTAs –Needed to address scalability issues on the CMS-MTA interface

19 Security Mechanisms RTP/RTCP (Media Stream) –Initial Authentication Each end-point (MTA or MG) authenticated by the Call Management Server –Key Management Via IPsec-secured Network-based Call Signaling (NCS) –Privacy Advanced Encryption Standard (AES) –Authentication & Integrity (optional) MMH (Multilinear Modular Hash)

20 Key Distribution Center (KDC) The only standalone security component in IPCablecom Acts as a trusted third-party authentication service Implements: –Kerberos version 5 –PKINIT w/X.509 digital certificates

21 Multimedia Terminal Adapter X.509 Digital Certificates for authentication –IP Telephony Root CA Certificate –MTA Manufacturer CA Certificate –MTA Device Certificate MTA Private Key FIPS 140-1 Cryptographic Module –Level 1 required (minimal physical security) –Additional physical security recommended for higher value services Random Number Generator AES, MMH, IPsec, Kerberos+PKINIT Embedded J.112 CM with BPI+

22 Device Provisioning Server Authentication & Key Management –Kerberos+PKINIT authentication Integrity & Privacy –SNMPv3 security Authentication –HMAC MD5 Privacy (optional) –DES

23 PSTN Gateways Media Gateway Controller (MGC) –IPsec,IKE w/pre-shared keys for call signaling Media Gateway (MG) –AES, MMH for media stream –IPsec, IKE w/pre-shared keys for call signaling Signaling Gateway (SG) –IPsec, IKE w/pre-shared keys for call signaling

24 Other Components Cable Modem Termination System (CMTS) –J.112 Access Node (AN) w/BPI+ –IPsec w/pre-shared keys and RADIUS authentication for QoS interface with CMS Call Management Server (CMS) –IPsec w/pre-shared keys –IPsec w/Kerberized Key Management for MTAs Record Keeping Server (RKS) –IPsec w/pre-shared keys for billing events

25 On-Net to Off-Net Media Path PSTN Cable Modem MTA Media Gateway Hi Mom. How are you today? HmDMSmB7HTKgEwLE3aSmttcBY AizqPicdTZKyXxVp7A4GxaPw/BH7 kwYtuKxEr3nPS70i15nB+z7miTw2 TXwrc+pYGO+FNvIScRQIrlaOqwY UMLF+5LjagzZSlbX8rrw+Y2uE21Y ZJxIirVuTX/tZI9af16nz75VcF5x0N4 YRAjtjwpo3GW0CK+B4ihcg/6 MTA Encrypts MG Decrypts Hi Mom. How are you today? CMTS RTP / RTCP AES, MMH

26 Summary IPCablecom provides QoS-enhanced secure communications Security is a major component and is integrated into the architecture A range of security protocols and services are used IPCablecom security architecture is fully defined in the J.170 recommendation

27 For More Information… Eric Rosenfeld CableLabs PacketCable Security Architect e.rosenfeld@cablelabs.com Sasha Medvinsky Motorola Senior Staff Engineer smedvinsky@motorola.com Simon Kang Motorola International Regulatory and Standards Specialist simonkang@motorola.com

Download ppt "IPCablecom Security Eric Rosenfeld, CableLabs Sasha Medvinsky, Motorola Simon Kang, Motorola ITU IPCablecom Mediacom Workshop March 13, 2002 Geneva, Switzerland."

Similar presentations

Malcolm Taylor (ECB) Luc Martens (tComLabs) Dirk Jaeger (ECCA)

Malcolm Taylor (ECB) Luc Martens (tComLabs) Dirk Jaeger (ECCA)
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
David Reed Chief Strategy Officer, CableLabs June 8, 2004

David Reed Chief Strategy Officer, CableLabs June 8, 2004
Telephony Troubleshooting in the Home

Telephony Troubleshooting in the Home
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.

January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Cyber Security and Key Management Models Smart Grid Networks The Network System Key Management and Utilization Why Hardware Security Christopher Gorog,

Cyber Security and Key Management Models Smart Grid Networks The Network System Key Management and Utilization Why Hardware Security Christopher Gorog,
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.

Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Similar presentations

Ads by Google