ETSI EN 302 878-5 V1.1.1 (2011-11)
Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0
DEN/ATTM-003006-5
Access, Terminals, Transmission and Multiplexing (ATTM) - Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems - Part 5: Security Services - DOCSIS 3.0
This document is one of a group of specifications that define the third generation of high-speed data-over-cable systems. This group was developed for the cable industry and includes contributions from operators and vendors from North America, Europe and other regions.
This document defines the architecture of the Baseline Privacy Plus interface (BPI+), which covers cable modem authentication, key exchange and the establishment of encrypted traffic sessions between the cable modem and the CMTS. Early Authentication and Encryption (EAE) applies BPI+ earlier in the provisioning process (see clause 8). This specification also defines the security functions of the cable modem provisioning process, which includes Secure Software Download (SSD).
General Information
Standards Content (Sample)
SLOVENIAN STANDARD
SIST EN 302 878-5 V1.1.1:2012
01 February 2012
Access, Terminals, Transmission and Multiplexing (ATTM) - Third Generation
Transmission Systems for Interactive Cable Television Services - IP Cable Modems -
Part 5: Security Services - DOCSIS 3.0
This Slovenian standard is identical to: EN 302 878-5 Version 1.1.1
ICS:
35.180 IT Terminal and other peripheral equipment
SIST EN 302 878-5 V1.1.1:2012 en
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
ETSI EN 302 878-5 V1.1.1 (2011-11)
European Standard
Access, Terminals, Transmission and Multiplexing (ATTM);
Third Generation Transmission Systems for
Interactive Cable Television Services - IP Cable Modems;
Part 5: Security Services;
DOCSIS 3.0
Reference
DEN/ATTM-003006-5
Keywords
access, broadband, cable, data, IP, IPCable, modem
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2011.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights
Foreword
1 Scope
1.1 Introduction and Purpose
1.2 Requirements
1.3 Conventions
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Void
5 Overview
5.1 New DOCSIS 3.0 Security Features
5.2 Technical Overview
5.2.1 BPI+ Architecture
5.2.1.1 Packet Data Encryption
5.2.1.2 Key Management Protocol
5.2.1.3 DOCSIS Security Associations
5.2.1.4 QoS SIDs and DOCSIS SAIDs
5.2.1.5 BPI+ Enforce
5.2.2 Secure Provisioning
5.3 Operation
5.3.1 Cable Modem Initialization
5.3.1.1 Network Admission Control
5.3.1.2 EAE and Authentication Reuse
5.3.1.3 Configuration Registration Enforcement
5.3.2 Cable Modem Key Update Mechanism
5.3.3 Cable Modem Secure Software Download
6 Encrypted DOCSIS MAC Frame Formats
6.1 CM Requirements
6.2 CMTS Requirements
6.3 Variable-Length PDU MAC Frame Format
6.3.1 Baseline Privacy Extended Header Formats
6.4 Fragmentation MAC Frame Format
6.5 Registration Request (REG-REQ-MP) MAC Management Messages
6.6 Use of the Baseline Privacy Extended Header in the MAC Header
7 Baseline Privacy Key Management (BPKM) Protocol
7.1 State Models
7.1.1 Introduction
7.1.1.1 Authorization State Machine Overview
7.1.1.2 TEK State Machine Overview
7.1.2 Encrypted Multicast
7.1.2.1 Signaling of Dynamic and Static Multicast Session SAs when MDF is Disabled
7.1.2.2 Signaling of Dynamic and Static Multicast Session SAs when MDF is Enabled
7.1.2.2.1 Requirements Specific to the Signaling of Dynamic SAs for Dynamic Multicast Sessions
7.1.2.2.2 Requirements Specific to the Signaling of Dynamic SAs for Static Multicast Sessions
7.1.3 Selecting Cryptographic Suites
7.1.4 Authorization State Machine
7.1.4.1 Brief Description of States
7.1.4.1.1 [Start]
7.1.4.1.2 [Auth Wait]
7.1.4.1.3 [Authorized]
7.1.4.1.4 [Reauth Wait]
7.1.4.1.5 [Auth Reject Wait]
7.1.4.1.6 [Silent]
7.1.4.2 Brief Description of Messages
7.1.4.2.1 Authorization Request (Auth Request)
7.1.4.2.2 Authorization Reply (Auth Reply)
7.1.4.2.3 Authorization Reject (Auth Reject)
7.1.4.2.4 Authorization Invalid (Auth Invalid)
7.1.4.2.5 Authentication Information (Auth Info)
7.1.4.3 Brief Description of Events
7.1.4.3.1 {Initiate Authentication}
7.1.4.3.2 {Timeout}
7.1.4.3.3 {Auth Grace Timeout}
7.1.4.3.4 {Reauth}
7.1.4.3.5 {Auth Invalid}
7.1.4.3.6 {Perm Auth Reject}
7.1.4.3.7 {Auth Reject}
7.1.4.3.8 {EAE Disabled Auth Reject}
7.1.4.4 Events sent to TEK State Machine
7.1.4.4.1 {TEK Stop}
7.1.4.4.2 {TEK Authorized}
7.1.4.4.3 {Auth Pend}
7.1.4.4.4 {Auth Comp}
7.1.4.5 Brief Description of Timing Parameters
7.1.4.5.1 Authorize Wait Timeout (Auth Wait Timeout)
7.1.4.5.2 Reauthorize Wait Timeout (Reauth Wait Timeout)
7.1.4.5.3 Authorization Grace Time (Auth Grace Timeout)
7.1.4.5.4 Authorize Reject Wait Timeout (Auth Reject Wait Timeout)
7.1.4.6 Timers
7.1.4.6.1 Authorization Request
7.1.4.6.2 Authorization Reject
7.1.4.6.3 Authorization Grace
7.1.4.7 Actions
7.1.5 TEK State Machine
7.1.5.1 Brief Description of States
7.1.5.1.1 [Start]
7.1.5.1.2 [Op Wait]
7.1.5.1.3 [Op Reauth Wait]
7.1.5.1.4 [Op]
7.1.5.1.5 [Rekey Wait]
7.1.5.1.6 [Rekey Reauth Wait]
7.1.5.2 Brief Description of Messages
7.1.5.2.1 Key Request
7.1.5.2.2 Key Reply
7.1.5.2.3 Key Reject
7.1.5.2.4 TEK Invalid
7.1.5.3 Brief Description of Events
7.1.5.3.1 {Stop}
7.1.5.3.2 {Authorized}
7.1.5.3.3 {Auth Pend}
7.1.5.3.4 {Auth Comp}
7.1.5.3.5 {TEK Invalid}
7.1.5.3.6 {Timeout}
7.1.5.3.7 {TEK Refresh Timeout}
7.1.5.4 Brief Description of Timing Parameters
7.1.5.4.1 Operational Wait Timeout
7.1.5.4.2 Rekey Wait Timeout
7.1.5.4.3 TEK Grace Time
7.1.5.5 Timers
7.1.5.5.1 Key Request Retry
7.1.5.5.2 TEK Refresh
7.1.5.6 Actions
7.2 Key Management Message Formats
7.2.1 Packet Formats
7.2.1.1 Authorization Request (Auth Request)
7.2.1.2 Authorization Reply (Auth Reply)
7.2.1.3 Authorization Reject (Auth Reject)
7.2.1.4 Key Request
7.2.1.5 Key Reply
7.2.1.6 Key Reject
7.2.1.7 Authorization Invalid
7.2.1.8 TEK Invalid
7.2.1.9 Authentication Information (Auth Info)
7.2.1.10 SA Map Request (MAP Request)
7.2.1.11 SA Map Reply (Map Reply)
7.2.1.12 SA Map Reject (Map Reject)
7.2.2 BPKM Attributes
7.2.2.1 Serial-Number
7.2.2.2 Manufacturer-ID
7.2.2.3 MAC-Address
7.2.2.4 RSA-Public-Key
7.2.2.5 CM-Identification
7.2.2.6 Display-String
7.2.2.7 Auth-Key
7.2.2.8 TEK
7.2.2.9 Key-Lifetime
7.2.2.10 Key-Sequence-Number
7.2.2.11 HMAC-Digest
7.2.2.12 SAID
7.2.2.13 TEK-Parameters
7.2.2.14 CBC-IV
7.2.2.15 Error-Code
7.2.2.16 Vendor-Defined
7.2.2.17 CA-Certificate
7.2.2.18 CM-Certificate
7.2.2.19 Security-Capabilities
7.2.2.20 Cryptographic-Suite
7.2.2.21 Cryptographic-Suite-List
7.2.2.22 BPI-Version
7.2.2.23 SA-Descriptor
7.2.2.24 SA-Type
7.2.2.25 SA-Query
7.2.2.26 SA-Query-Type
7.2.2.27 IPv4-Address
7.2.2.28 Download-Parameters
7.2.2.29 CVC-Root-CA-Certificate
7.2.2.30 CVC-CA-Certificate
8 Early Authentication and Encryption (EAE)
8.1 Introduction
8.2 EAE Signaling
8.3 EAE Encryption
8.4 EAE Enforcement
8.4.1 CMTS and CM behaviours when EAE is Enabled
8.4.2 EAE enforcement determination
8.4.2.1 Ranging-Based EAE Enforcement
8.4.2
...