Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

RE: 1904.4 Consensus call



Thank you Curtis,

 

Please, see some comments below.

 

From: Curtis Knittle <C.Knittle@xxxxxxxxxxxxx>
Sent: Wednesday, May 4, 2022 11:43 AM
To: Glen Kramer <glen.kramer@xxxxxxxxxxxx>; STDS-1904-4-TF@xxxxxxxxxxxxxxxxx
Cc: Marek Hajduczenia <mxhajduczenia@xxxxxxxxx>
Subject: RE: 1904.4 Consensus call

 

Dear Colleagues,

I collected a little more info on the DOCSIS and DPoE security:

DOCSIS

The data plane in DOCSIS uses two encryption keys — the data plane key (Traffic Encryption Key) and another to encrypt that key. The key length of the Traffic Encryption Key (TEK) is dependent on the cipher algorithm used and may be 40 bits (40 bit DES), 56 bits (56 bit DES), or 128 bits (CBC mode AES128). The next spec release will include support for 256 bit (CBC mode AES256, but that is a post silicon development add to the spec, and only a MAY normatively, so I suspect will not be implemented any time soon. The TEK is transmitted by the CMTS to the CM and is encrypted using two-key 3DES (so 2x 56-bits; in implementation, that may actually be the same key twice). One thing that is really cool in DOCSIS is a hitless key rotation mechanism that is described in section 10.1 of DOCSIS SECv4.0. 

[GK] Key rotation is even simpler in DPOE. In 10G zero-overhead encryption, one bit in frame preamble represents key index. So, every frame explicitly indicates with which key it should be decrypted. The receiving device doesn’t need to try two keys in parallel. When the index bit changes from 1 to 0 or from 0 to 1, the decryptor switches to the next key. The 802.3ca assumed the same key rotation method, so the envelope headers include the EncKey bit for this purpose.

 

DPoE

DPoE only uses AES128 (and I don't think we specify the mode).

[GK] DPoE specifies the Cipher-Feedback (CFB) mode for 1G and 2G downstream and the Counter (CTR) mode for 10G downstream-only and 10G bidirectional encryption.

So its key length is 128 bits. Key exchange varies depending on whether the DPoE ONU is operating in 1Down, 10Down, or 10Bi. This is defined in section 7 of DPoE SEC v2.0 (I didn't look today at v1.0). I believe in 1Down and 10Down the D-ONU sends the 128 bit session key in the clear to the DPoE system — this is unnecessarily insecure and not a good approach. In 10Bi, the MACSec Key Agreement (MKA) protocol defined in 802.1x is used.

[GK] In the downstream-only mode, it is assumed/accepted that the upstream channel is secure (i.e., an ONU cannot eavesdrop on other ONUs’ upstream traffic). This is the reason the key is generated at the ONU and is transmitted to the OLT.

 

Management

There are other key exchanges used to support each of the management protocols, and we've allowed selection of a range of ciphers which use either 128 bit or 256 bit keys.

 

 

From: Glen Kramer <glen.kramer@xxxxxxxxxxxx>
Sent: Tuesday, May 3, 2022 6:23 PM
To: Curtis Knittle <C.Knittle@xxxxxxxxxxxxx>; STDS-1904-4-TF@xxxxxxxxxxxxxxxxx
Cc: Marek Hajduczenia <mxhajduczenia@xxxxxxxxx>
Subject: RE: 1904.4 Consensus call

 

Attached are the slides we used to guide the discussion on the call.

Thank you all who attended for providing feedback

 

Glen

 

From: Curtis Knittle <C.Knittle@xxxxxxxxxxxxx>
Sent: Tuesday, May 3, 2022 4:03 PM
To: STDS-1904-4-TF@xxxxxxxxxxxxxxxxx
Cc: Marek Hajduczenia <mxhajduczenia@xxxxxxxxx>; Glen Kramer <glen.kramer@xxxxxxxxxxxx>
Subject: RE: 1904.4 Consensus call

 

All,

Reminder that we’re starting the consensus call now.

 

 

-----Original Appointment-----
From: Curtis Knittle
Sent: Tuesday, April 12, 2022 5:38 PM
To: Curtis Knittle; stds-1904-4-TF@xxxxxxxxxxxxxxxxx
Cc: Marek Hajduczenia; Glen Kramer
Subject: 1904.4 Consensus call
When: Tuesday, May 3, 2022 5:00 PM-7:00 PM (UTC-07:00) Mountain Time (US & Canada).
Where: https://cablelabs.zoom.us/j/96581234470?pwd=Wm1Iemg2VVdsanRBcGx6MVdpaGJBUT09

 

Curtis Knittle (CableLabs) is inviting you to a scheduled Zoom meeting.

 

CableLabs meeting requests should include a GRIP to identify the goals, the roles, the behavioral expectations and the process/agenda that will be followed. See below for details:

 

(G)oals of this meeting:

(R)oles for the participants:

(I)nterpersonal norms:

(P)rocess/Agenda:

 

CableLabs Secure Zoom Meeting

https://cablelabs.zoom.us/j/96581234470?pwd=Wm1Iemg2VVdsanRBcGx6MVdpaGJBUT09

Meeting ID: 965 8123 4470

Password: 190805

 

CableLabs is hosting this Secure Virtual Meeting for invited participants.  See the options below to join this secure meeting.

 

Zoom Client: For a full-featured and fully encrypted connection, use the above link to join the meeting via your Zoom client.

 

Browser-Only: Use the link below to "join from your browser" if you do NOT wish to download or utilize the Zoom client.

https://zoom.us/wc/join/96581234470#

 

Audio-Only Dial-In: Use the available phone numbers.  You will be prompted for the meeting ID and password before joining.

One tap mobile

+17209289299,,96581234470#,,#,190805# US (Denver)

+16699006833,,96581234470#,,#,190805# US (San Jose)

 

Dial by your location

        +1 720 928 9299 US (Denver)

        +1 669 900 6833 US (San Jose)

        +1 253 215 8782 US (Tacoma)

        +1 346 248 7799 US (Houston)

        +1 646 558 8656 US (New York)

        +1 301 715 8592 US (Washington DC)

        +1 312 626 6799 US (Chicago)

        +91 22 48 798 004 India

Password: 190805

Find your local number: https://cablelabs.zoom.us/u/awd9a6aif

 

Join by SIP: Connect via audio-only from an remote conference room system.

96581234470@xxxxxxxxxxx

 

Join by H.323: Connect via full audio and video from a remote video conference room system.

162.255.37.11 (US West)

162.255.36.11 (US East)

69.174.57.160 (Canada)

Password: 190805

 

Join by Skype for Business: Use this link to connect. You will need to initially start video in order to be prompted for the meeting password.

https://cablelabs.zoom.us/skype/96581234470

 

For more information on CableLabs Secure Virtual Meeting go to:

https://www.cablelabs.com/virtual_meeting


To unsubscribe from the STDS-1904-4-TF list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-1904-4-TF&A=1

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature