Packetcable™ 1.5 Specifications Security (PKT-SP-SEC1.5-I03

PacketCable™ 1.5 Specifications
Security
PKT-SP-SEC1.5-I03-090624
ISSUED

Notice

This PacketCable specification is the result of a cooperative effort undertaken at the direction of Cable Television Laboratories, Inc. for the benefit of the cable industry and its customers. This document may contain references to other documents not owned or controlled by CableLabs. Use and understanding of this document may require access to such other documents.

Designing, manufacturing, distributing, using, selling, or servicing products, or providing services, based on this document may require intellectual property licenses from third parties for technology referenced in this document.

Neither CableLabs nor any member company is responsible to any party for any liability of any nature whatsoever resulting from or arising out of use or reliance upon this document, or any document referenced herein. This document is furnished on an "AS IS" basis and neither CableLabs nor its members provides any representation or warranty, express or implied, regarding the accuracy, completeness, noninfringement, or fitness for a particular purpose of this document, or any document referenced herein.

© Copyright 2004-2009 Cable Television Laboratories, Inc. All rights reserved.

Document Status Sheet

Document Control Number: PKT-SP-SEC1.5-I03-090624
Document Title: Security
Revision History:
  I01 - Issued January 28, 2005
  I02 - Issued April 12, 2007
  I03 - Issued June 24, 2009
Date: June 24, 2009
Status: Issued (status codes: Work in Progress, Draft, Issued, Closed)
Distribution Restrictions: Author Only, CL/Member/IPR, CL/Member/Vendor NDA, Vendor, Public

Key to Document Status Codes

Work in Progress: An incomplete document designed to guide discussion and generate feedback that may include several alternative requirements for consideration.
Draft: Documents in specification format considered largely complete, but lacking review by Members and vendors. Drafts are susceptible to substantial change during the review process.
Issued: A stable document, reviewed, tested and validated, suitable to enable cross-vendor interoperability, and for certification testing.
Closed: A static document, reviewed, tested, validated, and closed to further engineering change requests to the specification through CableLabs.

Trademarks

CableLabs®, DOCSIS®, EuroDOCSIS™, eDOCSIS™, M-CMTS™, PacketCable™, EuroPacketCable™, PCMM™, CableHome®, CableOffice™, OpenCable™, OCAP™, CableCARD™, M-Card™, DCAS™, tru2way™, and CablePC™ are trademarks of Cable Television Laboratories, Inc.

Contents

1 Scope and Introduction
  1.1 Purpose
  1.2 Scope
    1.2.1 Goals
    1.2.2 Assumptions
    1.2.3 Requirements
  1.3 Specification Language
  1.4 Document Overview
2 References
  2.1 Normative References
  2.2 Informative References
  2.3 Reference Acquisition
3 Terms and Definitions
4 Abbreviations and Acronyms
5 Architectural Overview of PacketCable Security
  5.1 PacketCable Reference Architecture
    5.1.1 HFC Network
    5.1.2 Call Management Server
    5.1.3 Functional Categories
  5.2 Threats
    5.2.1 Theft of Network Services
    5.2.2 Bearer Channel Information Threats
    5.2.3 Signaling Channel Information Threats
    5.2.4 Service Disruption Threats
    5.2.5 Repudiation
    5.2.6 Threat Summary
  5.3 Security Architecture
    5.3.1 Overview of Security Interfaces
    5.3.2 Security Assumptions
    5.3.3 Susceptibility of Network Elements to Attack
6 Security Mechanisms
  6.1 IPsec
    6.1.1 Overview
    6.1.2 PacketCable Profile for IPsec ESP (Transport Mode)
  6.2 Internet Key Exchange (IKE)
    6.2.1 Overview
    6.2.2 PacketCable Profile for IKE
  6.3 SNMPv3
    6.3.1 SNMPv3 Transform Identifiers
    6.3.2 SNMPv3 Authentication Algorithms
  6.4 Kerberos / PKINIT
    6.4.1 Overview
    6.4.2 PKINIT Exchange
    6.4.3 Symmetric Key AS Request / AS Reply Exchange
    6.4.4 Kerberos TGS Request / TGS Reply Exchange
    6.4.5 Kerberos Server Locations and Naming Conventions
    6.4.6 MTA Principal Names
    6.4.7 Mapping of MTA MAC Address to MTA FQDN
    6.4.8 Server Key Management Time Out Procedure
    6.4.9 Service Key Versioning
  6.5 Kerberized Key Management
    6.5.1 Overview
