iTeh Standards logo
EURUSD
Your shopping cart is empty.
ETSI

ETSI EN 302 878-5 V1.1.1 (2011-11)

Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0

Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0

DEN/ATTM-003006-5

Dostop, priključki, prenos in multipleksiranje (ATTM) - Tretja generacija prenosnih sistemov za storitve interaktivne kabelske televizije - IP-kabelski modemi - 5. del: Varnostne storitve - DOCSIS 3.0

Ta dokument je del skupine specifikacij, ki opredeljujejo tretjo generacijo sistemov hitrega prenosa podatkov prek kabelskega omrežja. Ta skupina je bila razvita za panogo kabelskih omrežij ter vključuje prispevke operaterjev in prodajalcev iz Severne Amerike, Evrope in drugih regij.
Ta dokument opredeljuje zgradbo vmesnika za izboljšano osnovno varnost (BPI+), ki zajema preverjanje pristnosti kabelskega modema, izmenjavo ključev in vzpostavitev šifriranih sej prometa med kabelskim modemom in sistemom CMTS. Zgodnje preverjanje pristnosti in šifriranje (EAE) uporablja BPI+ bolj zgodaj v procesu oskrbe (glejte točko 8). Ta specifikacija prav tako opredeljuje varnostne funkcije procesa oskrbe kabelskega modema, ki vključuje varno prenašanje programske opreme (SSD).

General Information

Status
Published
Publication Date
22-Nov-2011
Technical Committee
ATTM AT3 - Integrated broadband cable and television networks
Current Stage
12 - Completion
Due Date
15-Nov-2011
Completion Date
23-Nov-2011
Ref Project
SIST EN 302 878-5 V1.1.1:2012 - Access, Terminals, Transmission and Multiplexing (ATTM) - Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems - Part 5: Security Services - DOCSIS 3.0

Overview - DOCSIS 3.0 Security Services (ETSI EN 302 878-5 V1.1.1 (2011-11))

ETSI EN 302 878-5 V1.1.1 (2011-11) (identical to ETSI EN 302 878-5 V1.1.1) specifies security services for DOCSIS 3.0 IP Cable Modems used in third‑generation interactive cable television transmission systems. The standard updates and incorporates engineering changes to TS 102 639-5 and defines the architecture, messaging and operational requirements needed to protect data and control plane traffic between cable modems (CM) and cable modem termination systems (CMTS).

Keywords: DOCSIS 3.0, IP Cable Modems, security services, BPI+, BPKM, cable modem security, CMTS.

Key technical topics and requirements

  • BPI+ architecture and mechanisms for packet data encryption and enforcement of privacy policies.
  • Baseline Privacy Key Management (BPKM): key management protocol defining TEK (traffic encryption key) and authorization state machines, message flows and timers.
  • DOCSIS Security Associations (SAs) and their mapping to QoS SIDs/SAIDs for unicast and multicast protection.
  • MAC frame formats for encrypted payloads, including variable‑length PDUs, fragmentation and extended headers.
  • Secure provisioning and software download procedures to ensure authenticated firmware/CM configuration updates.
  • Initialization and network admission control: CM boot/registration, authentication reuse, configuration registration enforcement and key update mechanisms.
  • Detailed state machines, messages and timing parameters (Auth Request/Reply/Reject/Invalid; Key Request/Reply/Reject; TEK and Authorization states).
  • Support for encrypted multicast sessions and signaling requirements for dynamic/static multicast SAs.
  • Operational requirements for CM and CMTS to ensure interoperability, key lifecycle management and enforcement of security policies.

Practical applications

  • Securing broadband cable networks that deploy IP Cable Modems using DOCSIS 3.0.
  • Protecting subscriber data confidentiality and preventing unauthorized network access via standardized encryption and authentication.
  • Enabling secure delivery of multicast content (e.g., TV streams, video on demand) with session key management.
  • Providing a compliance baseline for firmware update mechanisms and secure provisioning workflows.
  • Reference for interoperability testing, vendor implementations (CM/CMTS) and network security audits.

Who should use this standard

  • Cable network operators and service providers planning DOCSIS 3.0 deployments.
  • CMTS and cable modem manufacturers implementing security stacks.
  • Network architects, security engineers and integrators responsible for provisioning, key management and content protection.
  • Test laboratories and certification bodies validating DOCSIS security compliance.

Related standards

  • TS 102 639-5 (updated by this document) - third generation transmission systems for interactive cable television services - IP Cable Modems.
  • ETSI/ETSI EN family documents on ATTM and cable broadband (see ETSI portal for status and normative references).
en_30287805v010100c - Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0en_30287805v010100c - Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0
PreviousNext
Standard
en_30287805v010100c - Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0
English language
185 pages
sale 15% off
Preview
sale 15% off
Preview
en_30287805v010100v - Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0en_30287805v010100v - Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0
PreviousNext
Standard
en_30287805v010100v - Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0
English language
185 pages
sale 15% off
Preview
sale 15% off
Preview
en_30287805v010101p - Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0en_30287805v010101p - Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0
PreviousNext
Standard
en_30287805v010101p - Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0
English language
185 pages
sale 15% off
Preview
sale 15% off
Preview
EN 302 878-5 V1.1.1:2012EN 302 878-5 V1.1.1:2012
PreviousNext
Standard
EN 302 878-5 V1.1.1:2012
English language
185 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


Draft ETSI EN 302 878-5 V1.1.0 (2011-04)
European Standard
Access, Terminals, Transmission and Multiplexing (ATTM);
Third Generation Transmission Systems for
Interactive Cable Television Services - IP Cable Modems;
Part 5: Security Services;
DOCSIS 3.0
2 Draft ETSI EN 302 878-5 V1.1.0 (2011-04)

Reference
DEN/ATTM-003006-5
Keywords
access, broadband, cable, data, IP, IPCable,
modem
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011.
All rights reserved.
TM TM TM TM
DECT , PLUGTESTS , UMTS , TIPHON , the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
TM
3GPP is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
3 Draft ETSI EN 302 878-5 V1.1.0 (2011-04)
Contents
Intellectual Property Rights . 10
Foreword . 10
1 Scope . 11
1.1 Introduction and Purpose . 11
1.2 Requirements . 11
1.3 Conventions . 11
2 References . 11
2.1 Normative references . 12
2.2 Informative references . 13
3 Definitions and abbreviations . 14
3.1 Definitions . 14
3.2 Abbreviations . 14
4 Void . 16
5 Overview . . 16
5.1 New DOCSIS 3.0 Security Features. 16
5.2 Technical Overview . 17
5.2.1 BPI+ Architecture . 17
5.2.1.1 Packet Data Encryption . 17
5.2.1.2 Key Management Protocol . 17
5.2.1.3 DOCSIS Security Associations . 18
5.2.1.4 QoS SIDs and DOCSIS SAIDs . 19
5.2.1.5 BPI+ Enforce. 19
5.2.2 Secure Provisioning . 20
5.3 Operation . 20
5.3.1 Cable Modem Initialization . 20
5.3.1.1 Network Admission Control . 21
5.3.1.2 EAE and Authentication Reuse . 21
5.3.1.3 Configuration Registration Enforcement . 21
5.3.2 Cable Modem Key Update Mechanism . 22
5.3.3 Cable Modem Secure Software Download . 22
6 Encrypted DOCSIS MAC Frame Formats . 22
6.1 CM Requirements. 22
6.2 CMTS Requirements . 22
6.3 Variable-Length PDU MAC Frame Format . 23
6.3.1 Baseline Privacy Extended Header Formats . 24
6.4 Fragmentation MAC Frame Format . 25
6.5 Registration Request (REG-REQ-MP) MAC Management Messages. 26
6.6 Use of the Baseline Privacy Extended Header in the MAC Header . 28
7 Baseline Privacy Key Management (BPKM) Protocol . 28
7.1 State Models . 28
7.1.1 Introduction. 28
7.1.1.1 Authorization State Machine Overview . 28
7.1.1.2 TEK State Machine Overview . 30
7.1.2 Encrypted Multicast . 31
7.1.2.1 Signaling of Dynamic and Static Multicast Session SAs when MDF is Disabled . 32
7.1.2.2 Signaling of Dynamic and Static Multicast Session SAs when MDF is Enabled . 32
7.1.2.2.1 Requirements Specific to the Signaling of Dynamic SAs for Dynamic Multicast Sessions . 32
7.1.2.2.2 Requirements Specific to the Signaling of Dynamic SAs for Static Multicast Sessions . 33
7.1.3 Selecting Cryptographic Suites . 33
7.1.4 Authorization State Machine . 34
7.1.4.1 Brief Description of States . 35
7.1.4.1.1 [Start] . 35
ETSI
4 Draft ETSI EN 302 878-5 V1.1.0 (2011-04)
7.1.4.1.2 [Auth Wait] . 35
7.1.4.1.3 [Authorized] . 35
7.1.4.1.4 [Reauth Wait] . 35
7.1.4.1.5 [Auth Reject Wait] . 35
7.1.4.1.6 [Silent] . 36
7.1.4.2 Brief Description of Messages . 36
7.1.4.2.1 Authorization Request (Auth Request) . 36
7.1.4.2.2 Authorization Reply (Auth Reply) . 36
7.1.4.2.3 Authorization Reject (Auth Reject) . 36
7.1.4.2.4 Authorization Invalid (Auth Invalid) . 36
7.1.4.2.5 Authentication Information (Auth Info) . 36
7.1.4.3 Brief Description of Events . 37
7.1.4.3.1 {Initiate Authentication} . 37
7.1.4.3.2 {Timeout} . 37
7.1.4.3.3 {Auth Grace Timeout} . 37
7.1.4.3.4 {Reauth} . 37
7.1.4.3.5 {Auth Invalid} . 37
7.1.4.3.6 {Perm Auth Reject} . 37
7.1.4.3.7 {Auth Reject} . 37
7.1.4.3.8 {EAE Disabled Auth Reject} . 37
7.1.4.4 Events sent to TEK State Machine . 37
7.1.4.4.1 {TEK Stop} . 38
7.1.4.4.2 {TEK Authorized} . 38
7.1.4.4.3 {Auth Pend} . 38
7.1.4.4.4 {Auth Comp} . 38
7.1.4.5 Brief Description of Timing Parameters . 38
7.1.4.5.1 Authorize Wait Timeout (Auth Wait Timeout) . 38
7.1.4.5.2 Reauthorize Wait Timeout (Reauth Wait Timeout). 38
7.1.4.5.3 Authorization Grace Time (Auth Grace Timeout). 38
7.1.4.5.4 Authorize Reject Wait Timeout (Auth Reject Wait Timeout) . 38
7.1.4.6 Timers . 38
7.1.4.6.1 Authorization Request . 38
7.1.4.6.2 Authorization Reject . 38
7.1.4.6.3 Authorization Grace . 38
7.1.4.7 Actions . 39
7.1.5 TEK State Machine . 41
7.1.5.1 Brief Description of States . 42
7.1.5.1.1 [Start] . 42
7.1.5.1.2 [Op Wait] . 42
7.1.5.1.3 [Op Reauth Wait] . 42
7.1.5.1.4 [Op] . 42
7.1.5.1.5 [Rekey Wait] . 42
7.1.5.1.6 [Rekey Reauth Wait] . 42
7.1.5.2 Brief Description of Messages . 42
7.1.5.2.1 Key Request . 42
7.1.5.2.2 Key Reply . 43
7.1.5.2.3 Key Reject . 43
7.1.5.2.4 TEK Invalid . 43
7.1.5.3 Brief Description of Events . 43
7.1.5.3.1 {Stop} . 43
7.1.5.3.2 {Authorized} . 43
7.1.5.3.3 {Auth Pend} . 43
7.1.5.3.4 {Auth Comp} . 43
7.1.5.3.5 {TEK Invalid} . 43
7.1.5.3.6 {Timeout} . 43
7.1.5.3.7 {TEK Refresh Timeout} . 43
7.1.5.4 Brief Description of Timing Parameters . 43
7.1.5.4.1 Operational Wait Timeout . 44
7.1.5.4.2 Rekey Wait Timeout . 44
7.1.5.4.3 TEK Grace Time . 44
7.1.5.5 Timers . 44
7.1.5.5.1 Key Request Retry . 44
ETSI
5 Draft ETSI EN 302 878-5 V1.1.0 (2011-04)
7.1.5.5.2 TEK Refresh . 44
7.1.5.6 Actions . 44
7.2 Key Management Message Formats. 46
7.2.1 Packet Formats . 46
7.2.1.1 Authorization Request (Auth Request) . 48
7.2.1.2 Authorization Reply (Auth Reply) . 48
7.2.1.3 Authorization Reject (Auth Reject) . 49
7.2.1.4 Key Request . 49
7.2.1.5 Key Reply . 50
7.2.1.6 Key Reject . 50
7.2.1.7 Authorization Invalid . 51
7.2.1.8 TEK Invalid. 51
7.2.1.9 Authentication Information (Auth Info) . 51
7.2.1.10 SA Map Request (MAP Request) . 52
7.2.1.11 SA Map Reply (Map Reply) . 52
7.2.1.12 SA Map Reject (Map Reject) . 52
7.2.2 BPKM Attributes . 53
7.2.2.1 Serial-Number . 54
7.2.2.2 Manufacturer-ID . 54
7.2.2.3 MAC-Address . 55
7.2.2.4 RSA-Public-Key . 55
7.2.2.5 CM-Identification . 55
7.2.2.6 Display-String . 56
7.2.2.7 Auth-Key . 56
7.2.2.8 TEK . 56
7.2.2.9 Key-Lifetime . 56
7.2.2.10 Key-Sequence-Number . 57
7.2.2.11 HMAC-Digest . 57
7.2.2.12 SAID . 57
7.2.2.13 TEK-Parameters . 57
7.2.2.14 CBC-IV . 58
7.2.2.15 Error-Code . 58
7.2.2.16 Vendor-Defined . 59
7.2.2.17 CA-Certificate . 59
7.2.2.18 CM-Certificate . 60
7.2.2.19 Security-Capabilities . 60
7.2.2.20 Cryptographic-Suite . 60
7.2.2.21 Cryptographic-Suite-List . 61
7.2.2.22 BPI-Version . 61
7.2.2.23 SA-Descriptor . 61
7.2.2.24 SA-Type . 62
7.2.2.25 SA-Query . 62
7.2.2.26 SA-Query-T ype . 63
7.2.2.27 IPv4-Address . 63
7.2.2.28 Download-Parameters . 63
7.2.2.29 CVC-Root-CA-Certificate . 63
7.2.2.30 CVC-CA-Certificate . 64
8 Early Authentication and Encryption (EAE) . 64
8.1 Introduction . 64
8.2 EAE Signaling . 64
8.3 EAE Encryption . 66
8.4 EAE Enforcement. 66
8.4.1 CMTS and CM behaviours when EAE is Enabled . 66
8.4.2 EAE enforcement determination . 67
8.4.2.1 Ranging-Based EAE Enforcement . 67
8.4.2.2 Capability-Based EAE Enforcement . 67
8.4.2.3 Total EAE Enforcement . 67
8.4.3 EAE Enforcement of DHCP Traffic . 67
8.4.4 CMTS and CM Behaviour when EAE is Disabled . 67
8.4.5 EAE Exclusion List . 67
8.4.6 Interoperability issues . 68
ETSI
6 Draft ETSI EN 302 878-5 V1.1.0 (2011-04)
8.5 Authentication Reuse . 68
8.6 BPI+ Control by Configuration File . 68
8.6.1 EAE Enabled . 68
8.6.2 EAE Disabled . 69
9 Secure Provisioning . 69
9.1 Introduction . 69
9.2 Encryption of Provisioning Messages . 69
9.3 Securing DHCP . 69
9.3.1 Securing DHCP on the Cable Network Link . 69
9.3.2 DHCPv6 . 69
9.4 TFTP Configuration File Security . 70
9.4.1 Introduction. 70
9.4.2 CMTS Security Features for Configuration File Download . 70
9.4.2.1 TFTP Proxy . 70
9.4.2.2 Protecting TFTP Server Addresses . 70
9.4.2.3 Configuration File Name Authorization. 70
9.4.2.4 Configuration File Learning . 71
9.4.2.5 TFTP Options for CM's MAC and IP Address . 71
9.5 Securing REG-REQ-MP Messages . 71
9.6 Source Address Verification. 71
9.7 Address Resolution Security Considerations . 73
10 Using Cryptographic Keys . 74
10.1 CMTS . 74
10.2 Cable Modem . 76
10.3 Authentication of Dynamic Service Requests . 77
10.3.1 CM . 77
10.3.2 CMTS . 77
11 Cryptographic Methods . 77
11.1 Packet Data Encryption . 77
11.2 Encryption of the TEK . 78
11.3 HMAC-Digest Algorithm . 79
11.4 TEKs, KEKs and Message Authentication Keys . 79
11.5 Public-Key Encryption of Authorization Key . 79
11.6 Digital Signatures . 80
11.7 The MMH-MIC . 80
11.7.1 The MMH Function . 80
11.7.1.1 MMH[16, σ, 1] . 80
11.7.1.2 MMH[16, σ, n] . 82
11.7.1.3 MMH[16, σ, 4] . 82
11.7.1.4 Handling Variable-Size Data . 82
11.7.2 Definition of MMH-MAC . 82
11.7.3 Calculating the DOCSIS MMH-MAC . 83
11.7.4 MMH Key Derivation for CMTS Extended MIC . 84
11.7.5 Shared Secret Recommendations . 85
11.7.6 Key Generation Function . 85
12 Physical Protection of Keys in the CM . 85
13 BPI+ X.509 Certificate Profile and Management . 86
13.1 BPI+ Certificate Management Architecture Overview . 86
13.2 Cable Modem Certificate Storage and Management in the CM . 88
13.3 Certificate Processing and Management in the CMTS . 89
13.3.1 CMTS Certificate Management Model. 89
13.3.2 Certificate Validation . 89
13.4 Certificate Revocation . 90
13.4.1 Certificate Revocation Lists . 90
13.4.1.1 CMTS CRL Support . 91
13.4.2 Online Certificate Status Protocol . 91
14 Secure Software Download . 92
14.1 Introduction . 92
ETSI
7 Draft ETSI EN 302 878-5 V1.1.0 (2011-04)
14.2 Overview . 92
14.3 Software Code Upgrade Requirements . 94
14.3.1 Code File Processing Requirements . 94
14.3.2 Code File Access Controls . 95
14.3.2.1 Subject Organization Names . 95
14.3.2.2 Time Varying Controls . 95
14.3.3 Cable Modem Code Upgrade Initialization . 95
14.3.3.1 Manufacturer Initialization . 96
14.3.3.2 Network Initialization . 96
14.3.3.2.1 Processing the Configuration File CVC . 97
14.3.3.2.2 Processing the SNMP CVC . 97
14.3.4 Code Signing Guidelines . 98
14.3.5 Code Verification Requirements . 98
14.3.5.1 Cable Modem Code Verification Steps . 98
14.3.6 DOCSIS Interoperability . 99
14.3.7 Error Codes . 99
14.4 Security Considerations (Informative) . 100
Annex A (normative): TFTP Configuration File Extensions . 102
A.1 Encodings . 102
A.1.1 Baseline Privacy Configuration Setting . 102
A.1.1.1 Internal Baseline Privacy Encodings . 102
A.1.1.1.1 Authorize Wait Timeout . 102
A.1.1.1.2 Reauthorize Wait Timeout . 102
A.1.1.1.3 Authorization Grace Time . 103
A.1.1.1.4 Operational Wait Timeout . 103
A.1.1.1.5 Rekey Wait Timeout . 103
A.1.1.1.6 TEK Grace Time . 103
A.1.1.1.7 Authorize Reject Wait Timeout . 103
A.1.1.1.8 SA Map Wait Timeout . 103
A.1.1.1.9 SA Map Max Retries . 103
A.2 Parameter Guidelines . 104
Annex B (normative): TFTP Options . 105
Annex C (normative): DOCSIS 1.1/2.0 Dynamic Security Associations . 113
C.1 Introduction . 113
C.2 Theory of Operation . 113
C.3 SA Mapping State Model . 114
C.3.1 Brief Description of States . 115
C.3.1.1 [Start]
...


Final draft ETSI EN 302 878-5 V1.1.0 (2011-09)

European Standard
Access, Terminals, Transmission and Multiplexing (ATTM);
Third Generation Transmission Systems for
Interactive Cable Television Services - IP Cable Modems;
Part 5: Security Services;
DOCSIS 3.0
2 Final draft ETSI EN 302 878-5 V1.1.0 (2011-09)

Reference
DEN/ATTM-003006-5
Keywords
access, broadband, cable, data, IP, IPCable,
modem
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
3 Final draft ETSI EN 302 878-5 V1.1.0 (2011-09)
Contents
Intellectual Property Rights . 10
Foreword . 10
1 Scope . 11
1.1 Introduction and Purpose . 11
1.2 Requirements . 11
1.3 Conventions . 11
2 References . 11
2.1 Normative references . 12
2.2 Informative references . 13
3 Definitions and abbreviations . 14
3.1 Definitions . 14
3.2 Abbreviations . 14
4 Void . 16
5 Overview . . 16
5.1 New DOCSIS 3.0 Security Features. 16
5.2 Technical Overview . 17
5.2.1 BPI+ Architecture . 17
5.2.1.1 Packet Data Encryption . 17
5.2.1.2 Key Management Protocol . 17
5.2.1.3 DOCSIS Security Associations . 18
5.2.1.4 QoS SIDs and DOCSIS SAIDs . 19
5.2.1.5 BPI+ Enforce. 19
5.2.2 Secure Provisioning . 20
5.3 Operation . 20
5.3.1 Cable Modem Initialization . 20
5.3.1.1 Network Admission Control . 21
5.3.1.2 EAE and Authentication Reuse . 21
5.3.1.3 Configuration Registration Enforcement . 21
5.3.2 Cable Modem Key Update Mechanism . 22
5.3.3 Cable Modem Secure Software Download . 22
6 Encrypted DOCSIS MAC Frame Formats . 22
6.1 CM Requirements. 22
6.2 CMTS Requirements . 22
6.3 Variable-Length PDU MAC Frame Format . 23
6.3.1 Baseline Privacy Extended Header Formats . 24
6.4 Fragmentation MAC Frame Format . 25
6.5 Registration Request (REG-REQ-MP) MAC Management Messages. 26
6.6 Use of the Baseline Privacy Extended Header in the MAC Header . 28
7 Baseline Privacy Key Management (BPKM) Protocol . 28
7.1 State Models . 28
7.1.1 Introduction. 28
7.1.1.1 Authorization State Machine Overview . 28
7.1.1.2 TEK State Machine Overview . 30
7.1.2 Encrypted Multicast . 31
7.1.2.1 Signaling of Dynamic and Static Multicast Session SAs when MDF is Disabled . 32
7.1.2.2 Signaling of Dynamic and Static Multicast Session SAs when MDF is Enabled . 32
7.1.2.2.1 Requirements Specific to the Signaling of Dynamic SAs for Dynamic Multicast Sessions . 32
7.1.2.2.2 Requirements Specific to the Signaling of Dynamic SAs for Static Multicast Sessions . 33
7.1.3 Selecting Cryptographic Suites . 33
7.1.4 Authorization State Machine . 34
7.1.4.1 Brief Description of States . 35
7.1.4.1.1 [Start] . 35
ETSI
4 Final draft ETSI EN 302 878-5 V1.1.0 (2011-09)
7.1.4.1.2 [Auth Wait] . 35
7.1.4.1.3 [Authorized] . 35
7.1.4.1.4 [Reauth Wait] . 35
7.1.4.1.5 [Auth Reject Wait] . 35
7.1.4.1.6 [Silent] . 36
7.1.4.2 Brief Description of Messages . 36
7.1.4.2.1 Authorization Request (Auth Request) . 36
7.1.4.2.2 Authorization Reply (Auth Reply) . 36
7.1.4.2.3 Authorization Reject (Auth Reject) . 36
7.1.4.2.4 Authorization Invalid (Auth Invalid) . 36
7.1.4.2.5 Authentication Information (Auth Info) . 36
7.1.4.3 Brief Description of Events . 37
7.1.4.3.1 {Initiate Authentication} . 37
7.1.4.3.2 {Timeout} . 37
7.1.4.3.3 {Auth Grace Timeout} . 37
7.1.4.3.4 {Reauth} . 37
7.1.4.3.5 {Auth Invalid} . 37
7.1.4.3.6 {Perm Auth Reject} . 37
7.1.4.3.7 {Auth Reject} . 37
7.1.4.3.8 {EAE Disabled Auth Reject} . 37
7.1.4.4 Events sent to TEK State Machine . 37
7.1.4.4.1 {TEK Stop} . 38
7.1.4.4.2 {TEK Authorized} . 38
7.1.4.4.3 {Auth Pend} . 38
7.1.4.4.4 {Auth Comp} . 38
7.1.4.5 Brief Description of Timing Parameters . 38
7.1.4.5.1 Authorize Wait Timeout (Auth Wait Timeout) . 38
7.1.4.5.2 Reauthorize Wait Timeout (Reauth Wait Timeout). 38
7.1.4.5.3 Authorization Grace Time (Auth Grace Timeout). 38
7.1.4.5.4 Authorize Reject Wait Timeout (Auth Reject Wait Timeout) . 38
7.1.4.6 Timers . 38
7.1.4.6.1 Authorization Request . 38
7.1.4.6.2 Authorization Reject . 38
7.1.4.6.3 Authorization Grace . 38
7.1.4.7 Actions . 39
7.1.5 TEK State Machine . 41
7.1.5.1 Brief Description of States . 42
7.1.5.1.1 [Start] . 42
7.1.5.1.2 [Op Wait] . 42
7.1.5.1.3 [Op Reauth Wait] . 42
7.1.5.1.4 [Op] . 42
7.1.5.1.5 [Rekey Wait] . 42
7.1.5.1.6 [Rekey Reauth Wait] . 42
7.1.5.2 Brief Description of Messages . 42
7.1.5.2.1 Key Request . 42
7.1.5.2.2 Key Reply . 43
7.1.5.2.3 Key Reject . 43
7.1.5.2.4 TEK Invalid . 43
7.1.5.3 Brief Description of Events . 43
7.1.5.3.1 {Stop} . 43
7.1.5.3.2 {Authorized} . 43
7.1.5.3.3 {Auth Pend} . 43
7.1.5.3.4 {Auth Comp} . 43
7.1.5.3.5 {TEK Invalid} . 43
7.1.5.3.6 {Timeout} . 43
7.1.5.3.7 {TEK Refresh Timeout} . 43
7.1.5.4 Brief Description of Timing Parameters . 43
7.1.5.4.1 Operational Wait Timeout . 44
7.1.5.4.2 Rekey Wait Timeout . 44
7.1.5.4.3 TEK Grace Time . 44
7.1.5.5 Timers . 44
7.1.5.5.1 Key Request Retry . 44
ETSI
5 Final draft ETSI EN 302 878-5 V1.1.0 (2011-09)
7.1.5.5.2 TEK Refresh . 44
7.1.5.6 Actions . 44
7.2 Key Management Message Formats. 46
7.2.1 Packet Formats . 46
7.2.1.1 Authorization Request (Auth Request) . 48
7.2.1.2 Authorization Reply (Auth Reply) . 48
7.2.1.3 Authorization Reject (Auth Reject) . 49
7.2.1.4 Key Request . 49
7.2.1.5 Key Reply . 50
7.2.1.6 Key Reject . 50
7.2.1.7 Authorization Invalid . 51
7.2.1.8 TEK Invalid. 51
7.2.1.9 Authentication Information (Auth Info) . 51
7.2.1.10 SA Map Request (MAP Request) . 52
7.2.1.11 SA Map Reply (Map Reply) . 52
7.2.1.12 SA Map Reject (Map Reject) . 52
7.2.2 BPKM Attributes . 53
7.2.2.1 Serial-Number . 54
7.2.2.2 Manufacturer-ID . 54
7.2.2.3 MAC-Address . 55
7.2.2.4 RSA-Public-Key . 55
7.2.2.5 CM-Identification . 55
7.2.2.6 Display-String . 56
7.2.2.7 Auth-Key . 56
7.2.2.8 TEK . 56
7.2.2.9 Key-Lifetime . 56
7.2.2.10 Key-Sequence-Number . 57
7.2.2.11 HMAC-Digest . 57
7.2.2.12 SAID . 57
7.2.2.13 TEK-Parameters . 57
7.2.2.14 CBC-IV . 58
7.2.2.15 Error-Code . 58
7.2.2.16 Vendor-Defined . 59
7.2.2.17 CA-Certificate . 59
7.2.2.18 CM-Certificate . 60
7.2.2.19 Security-Capabilities . 60
7.2.2.20 Cryptographic-Suite . 60
7.2.2.21 Cryptographic-Suite-List . 61
7.2.2.22 BPI-Version . 61
7.2.2.23 SA-Descriptor . 61
7.2.2.24 SA-Type . 62
7.2.2.25 SA-Query . 62
7.2.2.26 SA-Query-T ype . 63
7.2.2.27 IPv4-Address . 63
7.2.2.28 Download-Parameters . 63
7.2.2.29 CVC-Root-CA-Certificate . 63
7.2.2.30 CVC-CA-Certificate . 64
8 Early Authentication and Encryption (EAE) . 64
8.1 Introduction . 64
8.2 EAE Signaling . 64
8.3 EAE Encryption . 66
8.4 EAE Enforcement. 66
8.4.1 CMTS and CM behaviours when EAE is Enabled . 66
8.4.2 EAE enforcement determination . 67
8.4.2.1 Ranging-Based EAE Enforcement . 67
8.4.2.2 Capability-Based EAE Enforcement . 67
8.4.2.3 Total EAE Enforcement . 67
8.4.3 EAE Enforcement of DHCP Traffic . 67
8.4.4 CMTS and CM Behaviour when EAE is Disabled . 67
8.4.5 EAE Exclusion List . 67
8.4.6 Interoperability issues . 68
ETSI
6 Final draft ETSI EN 302 878-5 V1.1.0 (2011-09)
8.5 Authentication Reuse . 68
8.6 BPI+ Control by Configuration File . 68
8.6.1 EAE Enabled . 68
8.6.2 EAE Disabled . 69
9 Secure Provisioning . 69
9.1 Introduction . 69
9.2 Encryption of Provisioning Messages . 69
9.3 Securing DHCP . 69
9.3.1 Securing DHCP on the Cable Network Link . 69
9.3.2 DHCPv6 . 69
9.4 TFTP Configuration File Security . 70
9.4.1 Introduction. 70
9.4.2 CMTS Security Features for Configuration File Download . 70
9.4.2.1 TFTP Proxy . 70
9.4.2.2 Protecting TFTP Server Addresses . 70
9.4.2.3 Configuration File Name Authorization. 70
9.4.2.4 Configuration File Learning . 71
9.4.2.5 TFTP Options for CM's MAC and IP Address . 71
9.5 Securing REG-REQ-MP Messages . 71
9.6 Source Address Verification. 71
9.7 Address Resolution Security Considerations . 73
10 Using Cryptographic Keys . 74
10.1 CMTS . 74
10.2 Cable Modem . 76
10.3 Authentication of Dynamic Service Requests . 77
10.3.1 CM . 77
10.3.2 CMTS . 77
11 Cryptographic Methods . 77
11.1 Packet Data Encryption . 77
11.2 Encryption of the TEK . 78
11.3 HMAC-Digest Algorithm . 79
11.4 TEKs, KEKs and Message Authentication Keys . 79
11.5 Public-Key Encryption of Authorization Key . 79
11.6 Digital Signatures . 80
11.7 The MMH-MIC . 80
11.7.1 The MMH Function . 80
11.7.1.1 MMH[16, σ, 1] . 80
11.7.1.2 MMH[16, σ, n] . 82
11.7.1.3 MMH[16, σ, 4] . 82
11.7.1.4 Handling Variable-Size Data . 82
11.7.2 Definition of MMH-MAC . 82
11.7.3 Calculating the DOCSIS MMH-MAC . 83
11.7.4 MMH Key Derivation for CMTS Extended MIC . 84
11.7.5 Shared Secret Recommendations . 85
11.7.6 Key Generation Function . 85
12 Physical Protection of Keys in the CM . 85
13 BPI+ X.509 Certificate Profile and Management . 86
13.1 BPI+ Certificate Management Architecture Overview . 86
13.2 Cable Modem Certificate Storage and Management in the CM . 88
13.3 Certificate Processing and Management in the CMTS . 89
13.3.1 CMTS Certificate Management Model. 89
13.3.2 Certificate Validation . 89
13.4 Certificate Revocation . 90
13.4.1 Certificate Revocation Lists . 90
13.4.1.1 CMTS CRL Support . 91
13.4.2 Online Certificate Status Protocol . 91
14 Secure Software Download . 92
14.1 Introduction . 92
ETSI
7 Final draft ETSI EN 302 878-5 V1.1.0 (2011-09)
14.2 Overview . 92
14.3 Software Code Upgrade Requirements . 94
14.3.1 Code File Processing Requirements . 94
14.3.2 Code File Access Controls . 95
14.3.2.1 Subject Organization Names . 95
14.3.2.2 Time Varying Controls . 95
14.3.3 Cable Modem Code Upgrade Initialization . 95
14.3.3.1 Manufacturer Initialization . 96
14.3.3.2 Network Initialization . 96
14.3.3.2.1 Processing the Configuration File CVC . 97
14.3.3.2.2 Processing the SNMP CVC . 97
14.3.4 Code Signing Guidelines . 98
14.3.5 Code Verification Requirements . 98
14.3.5.1 Cable Modem Code Verification Steps . 98
14.3.6 DOCSIS Interoperability . 99
14.3.7 Error Codes . 99
14.4 Security Considerations (Informative) . 100
Annex A (normative): TFTP Configuration File Extensions . 102
A.1 Encodings . 102
A.1.1 Baseline Privacy Configuration Setting . 102
A.1.1.1 Internal Baseline Privacy Encodings . 102
A.1.1.1.1 Authorize Wait Timeout . 102
A.1.1.1.2 Reauthorize Wait Timeout . 102
A.1.1.1.3 Authorization Grace Time . 103
A.1.1.1.4 Operational Wait Timeout . 103
A.1.1.1.5 Rekey Wait Timeout . 103
A.1.1.1.6 TEK Grace Time . 103
A.1.1.1.7 Authorize Reject Wait Timeout . 103
A.1.1.1.8 SA Map Wait Timeout . 103
A.1.1.1.9 SA Map Max Retries . 103
A.2 Parameter Guidelines . 104
Annex B (normative): TFTP Options . 105
Annex C (normative): DOCSIS 1.1/2.0 Dynamic Security Associations . 113
C.1 Introduction . 113
C.2 Theory of Operation . 113
C.3 SA Mapping State Model . 114
C.3.1 Brief Description of States . 115
C.3.1.1 [Start] .
...


European Standard
Access, Terminals, Transmission and Multiplexing (ATTM);
Third Generation Transmission Systems for
Interactive Cable Television Services - IP Cable Modems;
Part 5: Security Services;
DOCSIS 3.0
2 ETSI EN 302 878-5 V1.1.1 (2011-11)

Reference
DEN/ATTM-003006-5
Keywords
access, broadband, cable, data, IP, IPCable,
modem
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
3 ETSI EN 302 878-5 V1.1.1 (2011-11)
Contents
Intellectual Property Rights . 10
Foreword . 10
1 Scope . 11
1.1 Introduction and Purpose . 11
1.2 Requirements . 11
1.3 Conventions . 11
2 References . 11
2.1 Normative references . 12
2.2 Informative references . 13
3 Definitions and abbreviations . 14
3.1 Definitions . 14
3.2 Abbreviations . 14
4 Void . 16
5 Overview . . 16
5.1 New DOCSIS 3.0 Security Features. 16
5.2 Technical Overview . 17
5.2.1 BPI+ Architecture . 17
5.2.1.1 Packet Data Encryption . 17
5.2.1.2 Key Management Protocol . 17
5.2.1.3 DOCSIS Security Associations . 18
5.2.1.4 QoS SIDs and DOCSIS SAIDs . 19
5.2.1.5 BPI+ Enforce. 19
5.2.2 Secure Provisioning . 20
5.3 Operation . 20
5.3.1 Cable Modem Initialization . 20
5.3.1.1 Network Admission Control . 21
5.3.1.2 EAE and Authentication Reuse . 21
5.3.1.3 Configuration Registration Enforcement . 21
5.3.2 Cable Modem Key Update Mechanism . 22
5.3.3 Cable Modem Secure Software Download . 22
6 Encrypted DOCSIS MAC Frame Formats . 22
6.1 CM Requirements. 22
6.2 CMTS Requirements . 22
6.3 Variable-Length PDU MAC Frame Format . 23
6.3.1 Baseline Privacy Extended Header Formats . 24
6.4 Fragmentation MAC Frame Format . 25
6.5 Registration Request (REG-REQ-MP) MAC Management Messages. 26
6.6 Use of the Baseline Privacy Extended Header in the MAC Header . 28
7 Baseline Privacy Key Management (BPKM) Protocol . 28
7.1 State Models . 28
7.1.1 Introduction. 28
7.1.1.1 Authorization State Machine Overview . 28
7.1.1.2 TEK State Machine Overview . 30
7.1.2 Encrypted Multicast . 31
7.1.2.1 Signaling of Dynamic and Static Multicast Session SAs when MDF is Disabled . 32
7.1.2.2 Signaling of Dynamic and Static Multicast Session SAs when MDF is Enabled . 32
7.1.2.2.1 Requirements Specific to the Signaling of Dynamic SAs for Dynamic Multicast Sessions . 32
7.1.2.2.2 Requirements Specific to the Signaling of Dynamic SAs for Static Multicast Sessions . 33
7.1.3 Selecting Cryptographic Suites . 33
7.1.4 Authorization State Machine . 34
7.1.4.1 Brief Description of States . 35
7.1.4.1.1 [Start] . 35
ETSI
4 ETSI EN 302 878-5 V1.1.1 (2011-11)
7.1.4.1.2 [Auth Wait] . 35
7.1.4.1.3 [Authorized] . 35
7.1.4.1.4 [Reauth Wait] . 35
7.1.4.1.5 [Auth Reject Wait] . 35
7.1.4.1.6 [Silent] . 36
7.1.4.2 Brief Description of Messages . 36
7.1.4.2.1 Authorization Request (Auth Request) . 36
7.1.4.2.2 Authorization Reply (Auth Reply) . 36
7.1.4.2.3 Authorization Reject (Auth Reject) . 36
7.1.4.2.4 Authorization Invalid (Auth Invalid) . 36
7.1.4.2.5 Authentication Information (Auth Info) . 36
7.1.4.3 Brief Description of Events . 37
7.1.4.3.1 {Initiate Authentication} . 37
7.1.4.3.2 {Timeout} . 37
7.1.4.3.3 {Auth Grace Timeout} . 37
7.1.4.3.4 {Reauth} . 37
7.1.4.3.5 {Auth Invalid} . 37
7.1.4.3.6 {Perm Auth Reject} . 37
7.1.4.3.7 {Auth Reject} . 37
7.1.4.3.8 {EAE Disabled Auth Reject} . 37
7.1.4.4 Events sent to TEK State Machine . 37
7.1.4.4.1 {TEK Stop} . 38
7.1.4.4.2 {TEK Authorized} . 38
7.1.4.4.3 {Auth Pend} . 38
7.1.4.4.4 {Auth Comp} . 38
7.1.4.5 Brief Description of Timing Parameters . 38
7.1.4.5.1 Authorize Wait Timeout (Auth Wait Timeout) . 38
7.1.4.5.2 Reauthorize Wait Timeout (Reauth Wait Timeout). 38
7.1.4.5.3 Authorization Grace Time (Auth Grace Timeout). 38
7.1.4.5.4 Authorize Reject Wait Timeout (Auth Reject Wait Timeout) . 38
7.1.4.6 Timers . 38
7.1.4.6.1 Authorization Request . 38
7.1.4.6.2 Authorization Reject . 38
7.1.4.6.3 Authorization Grace . 38
7.1.4.7 Actions . 39
7.1.5 TEK State Machine . 41
7.1.5.1 Brief Description of States . 42
7.1.5.1.1 [Start] . 42
7.1.5.1.2 [Op Wait] . 42
7.1.5.1.3 [Op Reauth Wait] . 42
7.1.5.1.4 [Op] . 42
7.1.5.1.5 [Rekey Wait] . 42
7.1.5.1.6 [Rekey Reauth Wait] . 42
7.1.5.2 Brief Description of Messages . 42
7.1.5.2.1 Key Request . 42
7.1.5.2.2 Key Reply . 43
7.1.5.2.3 Key Reject . 43
7.1.5.2.4 TEK Invalid . 43
7.1.5.3 Brief Description of Events . 43
7.1.5.3.1 {Stop} . 43
7.1.5.3.2 {Authorized} . 43
7.1.5.3.3 {Auth Pend} . 43
7.1.5.3.4 {Auth Comp} . 43
7.1.5.3.5 {TEK Invalid} . 43
7.1.5.3.6 {Timeout} . 43
7.1.5.3.7 {TEK Refresh Timeout} . 43
7.1.5.4 Brief Description of Timing Parameters . 43
7.1.5.4.1 Operational Wait Timeout . 44
7.1.5.4.2 Rekey Wait Timeout . 44
7.1.5.4.3 TEK Grace Time . 44
7.1.5.5 Timers . 44
7.1.5.5.1 Key Request Retry . 44
ETSI
5 ETSI EN 302 878-5 V1.1.1 (2011-11)
7.1.5.5.2 TEK Refresh . 44
7.1.5.6 Actions . 44
7.2 Key Management Message Formats. 46
7.2.1 Packet Formats . 46
7.2.1.1 Authorization Request (Auth Request) . 48
7.2.1.2 Authorization Reply (Auth Reply) . 48
7.2.1.3 Authorization Reject (Auth Reject) . 49
7.2.1.4 Key Request . 49
7.2.1.5 Key Reply . 50
7.2.1.6 Key Reject . 50
7.2.1.7 Authorization Invalid . 51
7.2.1.8 TEK Invalid. 51
7.2.1.9 Authentication Information (Auth Info) . 51
7.2.1.10 SA Map Request (MAP Request) . 52
7.2.1.11 SA Map Reply (Map Reply) . 52
7.2.1.12 SA Map Reject (Map Reject) . 52
7.2.2 BPKM Attributes . 53
7.2.2.1 Serial-Number . 54
7.2.2.2 Manufacturer-ID . 54
7.2.2.3 MAC-Address . 55
7.2.2.4 RSA-Public-Key . 55
7.2.2.5 CM-Identification . 55
7.2.2.6 Display-String . 56
7.2.2.7 Auth-Key . 56
7.2.2.8 TEK . 56
7.2.2.9 Key-Lifetime . 56
7.2.2.10 Key-Sequence-Number . 57
7.2.2.11 HMAC-Digest . 57
7.2.2.12 SAID . 57
7.2.2.13 TEK-Parameters . 57
7.2.2.14 CBC-IV . 58
7.2.2.15 Error-Code . 58
7.2.2.16 Vendor-Defined . 59
7.2.2.17 CA-Certificate . 59
7.2.2.18 CM-Certificate . 60
7.2.2.19 Security-Capabilities . 60
7.2.2.20 Cryptographic-Suite . 60
7.2.2.21 Cryptographic-Suite-List . 61
7.2.2.22 BPI-Version . 61
7.2.2.23 SA-Descriptor . 61
7.2.2.24 SA-Type . 62
7.2.2.25 SA-Query . 62
7.2.2.26 SA-Query-T ype . 63
7.2.2.27 IPv4-Address . 63
7.2.2.28 Download-Parameters . 63
7.2.2.29 CVC-Root-CA-Certificate . 63
7.2.2.30 CVC-CA-Certificate . 64
8 Early Authentication and Encryption (EAE) . 64
8.1 Introduction . 64
8.2 EAE Signaling . 64
8.3 EAE Encryption . 66
8.4 EAE Enforcement. 66
8.4.1 CMTS and CM behaviours when EAE is Enabled . 66
8.4.2 EAE enforcement determination . 67
8.4.2.1 Ranging-Based EAE Enforcement . 67
8.4.2.2 Capability-Based EAE Enforcement . 67
8.4.2.3 Total EAE Enforcement . 67
8.4.3 EAE Enforcement of DHCP Traffic . 67
8.4.4 CMTS and CM Behaviour when EAE is Disabled . 67
8.4.5 EAE Exclusion List . 67
8.4.6 Interoperability issues . 68
ETSI
6 ETSI EN 302 878-5 V1.1.1 (2011-11)
8.5 Authentication Reuse . 68
8.6 BPI+ Control by Configuration File . 68
8.6.1 EAE Enabled . 68
8.6.2 EAE Disabled . 69
9 Secure Provisioning . 69
9.1 Introduction . 69
9.2 Encryption of Provisioning Messages . 69
9.3 Securing DHCP . 69
9.3.1 Securing DHCP on the Cable Network Link . 69
9.3.2 DHCPv6 . 69
9.4 TFTP Configuration File Security . 70
9.4.1 Introduction. 70
9.4.2 CMTS Security Features for Configuration File Download . 70
9.4.2.1 TFTP Proxy . 70
9.4.2.2 Protecting TFTP Server Addresses . 70
9.4.2.3 Configuration File Name Authorization. 70
9.4.2.4 Configuration File Learning . 71
9.4.2.5 TFTP Options for CM's MAC and IP Address . 71
9.5 Securing REG-REQ-MP Messages . 71
9.6 Source Address Verification. 71
9.7 Address Resolution Security Considerations . 73
10 Using Cryptographic Keys . 74
10.1 CMTS . 74
10.2 Cable Modem . 76
10.3 Authentication of Dynamic Service Requests . 77
10.3.1 CM . 77
10.3.2 CMTS . 77
11 Cryptographic Methods . 77
11.1 Packet Data Encryption . 77
11.2 Encryption of the TEK . 78
11.3 HMAC-Digest Algorithm . 79
11.4 TEKs, KEKs and Message Authentication Keys . 79
11.5 Public-Key Encryption of Authorization Key . 79
11.6 Digital Signatures . 80
11.7 The MMH-MIC . 80
11.7.1 The MMH Function . 80
11.7.1.1 MMH[16, σ, 1] . 80
11.7.1.2 MMH[16, σ, n] . 82
11.7.1.3 MMH[16, σ, 4] . 82
11.7.1.4 Handling Variable-Size Data . 82
11.7.2 Definition of MMH-MAC . 82
11.7.3 Calculating the DOCSIS MMH-MAC . 83
11.7.4 MMH Key Derivation for CMTS Extended MIC . 84
11.7.5 Shared Secret Recommendations . 85
11.7.6 Key Generation Function . 85
12 Physical Protection of Keys in the CM . 85
13 BPI+ X.509 Certificate Profile and Management . 86
13.1 BPI+ Certificate Management Architecture Overview . 86
13.2 Cable Modem Certificate Storage and Management in the CM . 88
13.3 Certificate Processing and Management in the CMTS . 89
13.3.1 CMTS Certificate Management Model. 89
13.3.2 Certificate Validation . 89
13.4 Certificate Revocation . 90
13.4.1 Certificate Revocation Lists . 90
13.4.1.1 CMTS CRL Support . 91
13.4.2 Online Certificate Status Protocol . 91
14 Secure Software Download . 92
14.1 Introduction . 92
ETSI
7 ETSI EN 302 878-5 V1.1.1 (2011-11)
14.2 Overview . 92
14.3 Software Code Upgrade Requirements . 94
14.3.1 Code File Processing Requirements . 94
14.3.2 Code File Access Controls . 95
14.3.2.1 Subject Organization Names . 95
14.3.2.2 Time Varying Controls . 95
14.3.3 Cable Modem Code Upgrade Initialization . 95
14.3.3.1 Manufacturer Initialization . 96
14.3.3.2 Network Initialization . 96
14.3.3.2.1 Processing the Configuration File CVC . 97
14.3.3.2.2 Processing the SNMP CVC . 97
14.3.4 Code Signing Guidelines . 98
14.3.5 Code Verification Requirements . 98
14.3.5.1 Cable Modem Code Verification Steps . 98
14.3.6 DOCSIS Interoperability . 99
14.3.7 Error Codes . 99
14.4 Security Considerations (Informative) . 100
Annex A (normative): TFTP Configuration File Extensions . 102
A.1 Encodings . 102
A.1.1 Baseline Privacy Configuration Setting . 102
A.1.1.1 Internal Baseline Privacy Encodings . 102
A.1.1.1.1 Authorize Wait Timeout . 102
A.1.1.1.2 Reauthorize Wait Timeout . 102
A.1.1.1.3 Authorization Grace Time . 103
A.1.1.1.4 Operational Wait Timeout . 103
A.1.1.1.5 Rekey Wait Timeout . 103
A.1.1.1.6 TEK Grace Time . 103
A.1.1.1.7 Authorize Reject Wait Timeout . 103
A.1.1.1.8 SA Map Wait Timeout . 103
A.1.1.1.9 SA Map Max Retries . 103
A.2 Parameter Guidelines . 104
Annex B (normative): TFTP Options . 105
Annex C (normative): DOCSIS 1.1/2.0 Dynamic Security Associations . 113
C.1 Introduction . 113
C.2 Theory of Operation . 113
C.3 SA Mapping State Model . 114
C.3.1 Brief Description of States . 115
C.3.1.1 [Start] . 115
C.3.1.2 [Map W
...


SLOVENSKI STANDARD
01-februar-2012
'RVWRSSULNOMXþNLSUHQRVLQPXOWLSOHNVLUDQMH $770 7UHWMDJHQHUDFLMDSUHQRVQLK
VLVWHPRY]DVWRULWYHLQWHUDNWLYQHNDEHOVNHWHOHYL]LMH,3NDEHOVNLPRGHPLGHO
9DUQRVWQHVWRULWYH'2&6,6
Access, Terminals, Transmission and Multiplexing (ATTM) - Third Generation
Transmission Systems for Interactive Cable Television Services - IP Cable Modems -
Part 5: Security Services - DOCSIS 3.0
Ta slovenski standard je istoveten z: EN 302 878-5 Version 1.1.1
ICS:
35.180 Terminalska in druga IT Terminal and other
periferna oprema IT peripheral equipment
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

European Standard
Access, Terminals, Transmission and Multiplexing (ATTM);
Third Generation Transmission Systems for
Interactive Cable Television Services - IP Cable Modems;
Part 5: Security Services;
DOCSIS 3.0
2 ETSI EN 302 878-5 V1.1.1 (2011-11)

Reference
DEN/ATTM-003006-5
Keywords
access, broadband, cable, data, IP, IPCable,
modem
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
3 ETSI EN 302 878-5 V1.1.1 (2011-11)
Contents
Intellectual Property Rights . 10
Foreword . 10
1 Scope . 11
1.1 Introduction and Purpose . 11
1.2 Requirements . 11
1.3 Conventions . 11
2 References . 11
2.1 Normative references . 12
2.2 Informative references . 13
3 Definitions and abbreviations . 14
3.1 Definitions . 14
3.2 Abbreviations . 14
4 Void . 16
5 Overview . . 16
5.1 New DOCSIS 3.0 Security Features. 16
5.2 Technical Overview . 17
5.2.1 BPI+ Architecture . 17
5.2.1.1 Packet Data Encryption . 17
5.2.1.2 Key Management Protocol . 17
5.2.1.3 DOCSIS Security Associations . 18
5.2.1.4 QoS SIDs and DOCSIS SAIDs . 19
5.2.1.5 BPI+ Enforce. 19
5.2.2 Secure Provisioning . 20
5.3 Operation . 20
5.3.1 Cable Modem Initialization . 20
5.3.1.1 Network Admission Control . 21
5.3.1.2 EAE and Authentication Reuse . 21
5.3.1.3 Configuration Registration Enforcement . 21
5.3.2 Cable Modem Key Update Mechanism . 22
5.3.3 Cable Modem Secure Software Download . 22
6 Encrypted DOCSIS MAC Frame Formats . 22
6.1 CM Requirements. 22
6.2 CMTS Requirements . 22
6.3 Variable-Length PDU MAC Frame Format . 23
6.3.1 Baseline Privacy Extended Header Formats . 24
6.4 Fragmentation MAC Frame Format . 25
6.5 Registration Request (REG-REQ-MP) MAC Management Messages. 26
6.6 Use of the Baseline Privacy Extended Header in the MAC Header . 28
7 Baseline Privacy Key Management (BPKM) Protocol . 28
7.1 State Models . 28
7.1.1 Introduction. 28
7.1.1.1 Authorization State Machine Overview . 28
7.1.1.2 TEK State Machine Overview . 30
7.1.2 Encrypted Multicast . 31
7.1.2.1 Signaling of Dynamic and Static Multicast Session SAs when MDF is Disabled . 32
7.1.2.2 Signaling of Dynamic and Static Multicast Session SAs when MDF is Enabled . 32
7.1.2.2.1 Requirements Specific to the Signaling of Dynamic SAs for Dynamic Multicast Sessions . 32
7.1.2.2.2 Requirements Specific to the Signaling of Dynamic SAs for Static Multicast Sessions . 33
7.1.3 Selecting Cryptographic Suites . 33
7.1.4 Authorization State Machine . 34
7.1.4.1 Brief Description of States . 35
7.1.4.1.1 [Start] . 35
ETSI
4 ETSI EN 302 878-5 V1.1.1 (2011-11)
7.1.4.1.2 [Auth Wait] . 35
7.1.4.1.3 [Authorized] . 35
7.1.4.1.4 [Reauth Wait] . 35
7.1.4.1.5 [Auth Reject Wait] . 35
7.1.4.1.6 [Silent] . 36
7.1.4.2 Brief Description of Messages . 36
7.1.4.2.1 Authorization Request (Auth Request) . 36
7.1.4.2.2 Authorization Reply (Auth Reply) . 36
7.1.4.2.3 Authorization Reject (Auth Reject) . 36
7.1.4.2.4 Authorization Invalid (Auth Invalid) . 36
7.1.4.2.5 Authentication Information (Auth Info) . 36
7.1.4.3 Brief Description of Events . 37
7.1.4.3.1 {Initiate Authentication} . 37
7.1.4.3.2 {Timeout} . 37
7.1.4.3.3 {Auth Grace Timeout} . 37
7.1.4.3.4 {Reauth} . 37
7.1.4.3.5 {Auth Invalid} . 37
7.1.4.3.6 {Perm Auth Reject} . 37
7.1.4.3.7 {Auth Reject} . 37
7.1.4.3.8 {EAE Disabled Auth Reject} . 37
7.1.4.4 Events sent to TEK State Machine . 37
7.1.4.4.1 {TEK Stop} . 38
7.1.4.4.2 {TEK Authorized} . 38
7.1.4.4.3 {Auth Pend} . 38
7.1.4.4.4 {Auth Comp} . 38
7.1.4.5 Brief Description of Timing Parameters . 38
7.1.4.5.1 Authorize Wait Timeout (Auth Wait Timeout) . 38
7.1.4.5.2 Reauthorize Wait Timeout (Reauth Wait Timeout). 38
7.1.4.5.3 Authorization Grace Time (Auth Grace Timeout). 38
7.1.4.5.4 Authorize Reject Wait Timeout (Auth Reject Wait Timeout) . 38
7.1.4.6 Timers . 38
7.1.4.6.1 Authorization Request . 38
7.1.4.6.2 Authorization Reject . 38
7.1.4.6.3 Authorization Grace . 38
7.1.4.7 Actions . 39
7.1.5 TEK State Machine . 41
7.1.5.1 Brief Description of States . 42
7.1.5.1.1 [Start] . 42
7.1.5.1.2 [Op Wait] . 42
7.1.5.1.3 [Op Reauth Wait] . 42
7.1.5.1.4 [Op] . 42
7.1.5.1.5 [Rekey Wait] . 42
7.1.5.1.6 [Rekey Reauth Wait] . 42
7.1.5.2 Brief Description of Messages . 42
7.1.5.2.1 Key Request . 42
7.1.5.2.2 Key Reply . 43
7.1.5.2.3 Key Reject . 43
7.1.5.2.4 TEK Invalid . 43
7.1.5.3 Brief Description of Events . 43
7.1.5.3.1 {Stop} . 43
7.1.5.3.2 {Authorized} . 43
7.1.5.3.3 {Auth Pend} . 43
7.1.5.3.4 {Auth Comp} . 43
7.1.5.3.5 {TEK Invalid} . 43
7.1.5.3.6 {Timeout} . 43
7.1.5.3.7 {TEK Refresh Timeout} . 43
7.1.5.4 Brief Description of Timing Parameters . 43
7.1.5.4.1 Operational Wait Timeout . 44
7.1.5.4.2 Rekey Wait Timeout . 44
7.1.5.4.3 TEK Grace Time . 44
7.1.5.5 Timers . 44
7.1.5.5.1 Key Request Retry . 44
ETSI
5 ETSI EN 302 878-5 V1.1.1 (2011-11)
7.1.5.5.2 TEK Refresh . 44
7.1.5.6 Actions . 44
7.2 Key Management Message Formats. 46
7.2.1 Packet Formats . 46
7.2.1.1 Authorization Request (Auth Request) . 48
7.2.1.2 Authorization Reply (Auth Reply) . 48
7.2.1.3 Authorization Reject (Auth Reject) . 49
7.2.1.4 Key Request . 49
7.2.1.5 Key Reply . 50
7.2.1.6 Key Reject . 50
7.2.1.7 Authorization Invalid . 51
7.2.1.8 TEK Invalid. 51
7.2.1.9 Authentication Information (Auth Info) . 51
7.2.1.10 SA Map Request (MAP Request) . 52
7.2.1.11 SA Map Reply (Map Reply) . 52
7.2.1.12 SA Map Reject (Map Reject) . 52
7.2.2 BPKM Attributes . 53
7.2.2.1 Serial-Number . 54
7.2.2.2 Manufacturer-ID . 54
7.2.2.3 MAC-Address . 55
7.2.2.4 RSA-Public-Key . 55
7.2.2.5 CM-Identification . 55
7.2.2.6 Display-String . 56
7.2.2.7 Auth-Key . 56
7.2.2.8 TEK . 56
7.2.2.9 Key-Lifetime . 56
7.2.2.10 Key-Sequence-Number . 57
7.2.2.11 HMAC-Digest . 57
7.2.2.12 SAID . 57
7.2.2.13 TEK-Parameters . 57
7.2.2.14 CBC-IV . 58
7.2.2.15 Error-Code . 58
7.2.2.16 Vendor-Defined . 59
7.2.2.17 CA-Certificate . 59
7.2.2.18 CM-Certificate . 60
7.2.2.19 Security-Capabilities . 60
7.2.2.20 Cryptographic-Suite . 60
7.2.2.21 Cryptographic-Suite-List . 61
7.2.2.22 BPI-Version . 61
7.2.2.23 SA-Descriptor . 61
7.2.2.24 SA-Type . 62
7.2.2.25 SA-Query . 62
7.2.2.26 SA-Query-T ype . 63
7.2.2.27 IPv4-Address . 63
7.2.2.28 Download-Parameters . 63
7.2.2.29 CVC-Root-CA-Certificate . 63
7.2.2.30 CVC-CA-Certificate . 64
8 Early Authentication and Encryption (EAE) . 64
8.1 Introduction . 64
8.2 EAE Signaling . 64
8.3 EAE Encryption . 66
8.4 EAE Enforcement. 66
8.4.1 CMTS and CM behaviours when EAE is Enabled . 66
8.4.2 EAE enforcement determination . 67
8.4.2.1 Ranging-Based EAE Enforcement . 67
8.4.2.2 Capability-Based EAE Enforcement . 67
8.4.2.3 Total EAE Enforcement . 67
8.4.3 EAE Enforcement of DHCP Traffic . 67
8.4.4 CMTS and CM Behaviour when EAE is Disabled . 67
8.4.5 EAE Exclusion List . 67
8.4.6 Interoperability issues . 68
ETSI
6 ETSI EN 302 878-5 V1.1.1 (2011-11)
8.5 Authentication Reuse . 68
8.6 BPI+ Control by Configuration File . 68
8.6.1 EAE Enabled . 68
8.6.2 EAE Disabled . 69
9 Secure Provisioning . 69
9.1 Introduction . 69
9.2 Encryption of Provisioning Messages . 69
9.3 Securing DHCP . 69
9.3.1 Securing DHCP on the Cable Network Link . 69
9.3.2 DHCPv6 . 69
9.4 TFTP Configuration File Security . 70
9.4.1 Introduction. 70
9.4.2 CMTS Security Features for Configuration File Download . 70
9.4.2.1 TFTP Proxy . 70
9.4.2.2 Protecting TFTP Server Addresses . 70
9.4.2.3 Configuration File Name Authorization. 70
9.4.2.4 Configuration File Learning . 71
9.4.2.5 TFTP Options for CM's MAC and IP Address . 71
9.5 Securing REG-REQ-MP Messages . 71
9.6 Source Address Verification. 71
9.7 Address Resolution Security Considerations . 73
10 Using Cryptographic Keys . 74
10.1 CMTS . 74
10.2 Cable Modem . 76
10.3 Authentication of Dynamic Service Requests . 77
10.3.1 CM . 77
10.3.2 CMTS . 77
11 Cryptographic Methods . 77
11.1 Packet Data Encryption . 77
11.2 Encryption of the TEK . 78
11.3 HMAC-Digest Algorithm . 79
11.4 TEKs, KEKs and Message Authentication Keys . 79
11.5 Public-Key Encryption of Authorization Key . 79
11.6 Digital Signatures . 80
11.7 The MMH-MIC . 80
11.7.1 The MMH Function . 80
11.7.1.1 MMH[16, σ, 1] . 80
11.7.1.2 MMH[16, σ, n] . 82
11.7.1.3 MMH[16, σ, 4] . 82
11.7.1.4 Handling Variable-Size Data . 82
11.7.2 Definition of MMH-MAC . 82
11.7.3 Calculating the DOCSIS MMH-MAC . 83
11.7.4 MMH Key Derivation for CMTS Extended MIC . 84
11.7.5 Shared Secret Recommendations . 85
11.7.6 Key Generation Function . 85
12 Physical Protection of Keys in the CM . 85
13 BPI+ X.509 Certificate Profile and Management . 86
13.1 BPI+ Certificate Management Architecture Overview . 86
13.2 Cable Modem Certificate Storage and Management in the CM . 88
13.3 Certificate Processing and Management in the CMTS . 89
13.3.1 CMTS Certificate Management Model. 89
13.3.2 Certificate Validation . 89
13.4 Certificate Revocation . 90
13.4.1 Certificate Revocation Lists . 90
13.4.1.1 CMTS CRL Support . 91
13.4.2 Online Certificate Status Protocol . 91
14 Secure Software Download . 92
14.1 Introduction . 92
ETSI
7 ETSI EN 302 878-5 V1.1.1 (2011-11)
14.2 Overview . 92
14.3 Software Code Upgrade Requirements . 94
14.3.1 Code File Processing Requirements . 94
14.3.2 Code File Access Controls . 95
14.3.2.1 Subject Organization Names . 95
14.3.2.2 Time Varying Controls . 95
14.3.3 Cable Modem Code Upgrade Initialization . 95
14.3.3.1 Manufacturer Initialization . 96
14.3.3.2 Network Initialization . 96
14.3.3.2.1 Processing the Configuration File CVC . 97
14.3.3.2.2 Processing the SNMP CVC . 97
14.3.4 Code Signing Guidelines . 98
14.3.5 Code Verification Requirements . 98
14.3.5.1 Cable Modem Code Verification Steps . 98
14.3.6 DOCSIS Interoperability . 99
14.3.7 Error Codes . 99
14.4 Security Considerations (Informative) . 100
Annex A (normative): TFTP Configuration File Extensions . 102
A.1 Encodings . 102
A.1.1 Baseline Privacy Configuration Setting . 102
A.1.1.1 Internal Baseline Privacy Encodings . 102
A.1.1.1.1 Authorize Wait Timeout . 102
A.1.1.1.2 Reauthorize Wait Timeout . 102
A.1.1.1.3 Authorization Grace Time . 103
A.1.1.1.4 Operational Wait Timeout . 103
A.1.1.1.5 Rekey Wait Timeout . 103
A.1.1.1.6 TEK Grace Time . 103
A.1.1.1.7 Authorize Reject Wait Timeout . 103
A.1.1.1.8 SA Map Wait Timeout . 103
A.1.1.1.9 SA Map Max Retries . 103
A.2 Parameter Guidelines .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

Frequently Asked Questions

ETSI EN 302 878-5 V1.1.1 (2011-11) is a standard published by the European Telecommunications Standards Institute (ETSI). Its full title is "Access, Terminals, Transmission and Multiplexing (ATTM); Third Generation Transmission Systems for Interactive Cable Television Services - IP Cable Modems; Part 5: Security Services; DOCSIS 3.0". This standard covers: DEN/ATTM-003006-5

DEN/ATTM-003006-5

You can purchase ETSI EN 302 878-5 V1.1.1 (2011-11) directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ETSI standards.

This May Also Interest You

ETSI
ETSI EN 303 364-1-1 V1.1.1 (2025-06)
Primary Surveillance Radar (PSR); Harmonised Standard for access to radio spectrum; Part 1: Air Traffic Control (ATC) PSR sensors operating in the frequency band 1 215 MHz to 1 400 MHz (L band); Sub-part 1: radar systems using reflector antennas
SIST EN 303 364-1-1 V1.1.1:2025

DEN/ERM-TGAERO-31-1

  • Standard
    45 pages
    English language
    sale 15% off
  • Standard
    45 pages
    English language
    sale 15% off
  • Standard
    45 pages
    English language
    sale 10% off
    e-Library read for
    1 day
ETSI
ETSI EN 303 659 V1.1.1 (2025-02)
Short Range Devices (SRD) in Data Networks; Radio equipment to be used in the frequency ranges 865 MHz to 868 MHz and 915 MHz to 919,4 MHz; Harmonised Standard for access to radio spectrum
SIST EN 303 659 V1.1.1:2025

DEN/ERM-TG28-561

  • Standard
    100 pages
    English language
    sale 15% off
  • Standard
    100 pages
    English language
    sale 15% off
  • Standard
    100 pages
    English language
    sale 10% off
    e-Library read for
    1 day
ETSI
ETSI EN 300 220-2 V3.3.1 (2025-01)
Short Range Devices (SRD) operating in the frequency range 25 MHz to 1 000 MHz with power levels ranging up to 500 mW e.r.p.; Part 2: Harmonised Standard for access to radio spectrum for non specific radio equipment
SIST EN 300 220-2 V3.3.1:2025

The present document specifies technical requirements, limits and test methods for Short Range Devices in the non-
specific category operating in the frequency range 25 MHz to 1 000 MHz.
The non specific SRD category is defined by the EU Commission Decision 2019/1345/EU [i.3] as:
"The non-specific short-range device category covers all kinds of radio devices, regardless of the application or the
purpose, which fulfil the technical conditions as specified for a given frequency band. Typical uses include telemetry,
telecommand, alarms, data transmissions in general and other applications".
These radio equipment types are capable of transmitting up to 500 mW effective radiated power and operating indoor or
outdoor.
NOTE: The relationship between the present document and the essential requirements of article 3.2 of
Directive 2014/53/EU [i.2] is given in Annex A

  • Standard
    107 pages
    English language
    sale 15% off
  • Standard
    107 pages
    English language
    sale 15% off
  • Standard
    107 pages
    English language
    sale 10% off
    e-Library read for
    1 day
ETSI
ETSI EN 301 908-3 V15.0.0 (2024-02)
IMT cellular networks; Harmonised Standard for access to radio spectrum; Part 3: CDMA Direct Spread (UTRA FDD) Base Stations (BS) Release 15
SIST EN 301 908-3 V15.1.1:2024

REN/MSG-TFES-15-3

  • Standard
    67 pages
    English language
    sale 15% off
  • Standard
    67 pages
    English language
    sale 15% off
  • Standard
    67 pages
    English language
    sale 10% off
    e-Library read for
    1 day
ETSI
ETSI TS 129 521 V17.5.0 (2022-07)
5G; 5G System; Binding Support Management Service; Stage 3 (3GPP TS 29.521 version 17.5.0 Release 17)

RTS/TSGC-0329521vh50

  • Standard
    77 pages
    English language
    sale 15% off
ETSI
ETSI TS 129 523 V17.7.0 (2022-07)
5G; 5G System; Policy Control Event Exposure Service; Stage 3 (3GPP TS 29.523 version 17.7.0 Release 17)

RTS/TSGC-0329523vh70

  • Standard
    46 pages
    English language
    sale 15% off
ETSI
ETSI EN 303 364-2 V1.1.1 (2021-02)
Primary Surveillance Radar (PSR); Harmonised Standard for access to radio spectrum; Part 2: Air Traffic Control (ATC) PSR sensors operating in the frequency band 2 700 MHz to 3 100 MHz (S band)
SIST EN 303 364-2 V1.1.1:2021

DEN/ERM-TGAERO-31-2

  • Standard
    38 pages
    English language
    sale 15% off
  • Standard
    38 pages
    English language
    sale 15% off
  • Standard
    38 pages
    English language
    sale 10% off
    e-Library read for
    1 day
ETSI
ETSI TS 102 232-2 V3.12.1 (2020-08)
Lawful Interception (LI); Handover Interface and Service-Specific Details (SSD) for IP delivery; Part 2: Service-specific details for messaging services

RTS/LI-00190-2

  • Standard
    61 pages
    English language
    sale 15% off
  • 27-Aug-2020
  • LI
ETSI
ETSI TS 137 571-4 V14.5.0 (2020-04)
Universal Mobile Telecommunications System (UMTS); LTE; User Equipment (UE) conformance specification for UE positioning; Part 4: Test suites (3GPP TS 37.571-4 version 14.5.0 Release 14)

RTS/TSGR-0537571-4ve50

  • Standard
    14 pages
    English language
    sale 15% off
ETSI
ETSI TS 131 130 V15.2.2 (2020-04)
Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 5G; (U)SIM Application Programming Interface (API); (U)SIM API for Javaâ„¢ Card (3GPP TS 31.130 version 15.2.2 Release 15)

RTS/TSGC-0631130vf22

  • Standard
    25 pages
    English language
    sale 15% off