CCAP Encryption - SCTE Piedmont Chapter

CCAP Encryption
Integrating CCAP into the Video Control Plane
Kevin Taylor
Fellow
Comcast
July 31, 2014
Topics
CCAP in a Nutshell
CCAP In a System Context
CCAP Encryption Goals
CCAP Transition Strategy
CCAP Encryption Hardware Requirements
CCAP Encryption Options
CCAP Encryption Phasing Case Study
Special Considerations
CCAP in a nutshell
• Converged Cable Access Platform
• Combines the functions of the CMTS and Edge QAM
• Implements all narrowcast and broadcast QAMs

[Figure: CCAP DS port assignments and chassis views. Inputs on the primary and secondary 100-Gig-E ports: IP Video, DOCSIS HSD/CDV, cDVR, VOD (MPEG TS). Primary and secondary switch/route engines. Upstream: 24 ports per US card, with US redundancy (XR1, XR2). Downstream: 12 RF ports per DS card, 32/48/64 narrowcast QAMs per port and 96 broadcast QAMs per port (64 NC + 96 BC shown), with DS redundancy. Front view: 16U chassis, fan modules, intake air. Rear view: 16U chassis implemented using high density UCH with MCX-75 connectors, power supply modules, exhaust air. Output split: narrowcast and broadcast digital services (CCAP DS/US), legacy OOB and QAM, analog. Goal: simplify, and eventually eliminate, RF combining.]
CCAP Impact
• Engineering: Capacity and efficiency
- 50% space savings with 4x capacity
- 60% power savings plus less cooling
- Improve existing UPS and battery backup performance
• Architecture: Simplicity and flexibility
- Minimum, simplified combining wiring
- Full-spectrum, MPEG/DOCSIS QAMs, easier migration to IPTV
- Future proof, single access platform
• Purchasing: Cost will quickly become a big driver
- DOCSIS QAMs in particular are significantly cheaper
• Operations: Reliability and manageability
- Fully redundant (N+1 LC & 1+1 Commons)
- Configuration change between QAM types vs. equipment swap-out
- Much shorter maintenance window (ISSU)
- Far less equipment to manage and maintain
CCAP in a System Context
[Figure: system context diagram; no text survived extraction]
CCAP Encryption Goals
Architecture
- Cost Efficiency
- Resource Efficiency
- Compatibility with Deployed Conditional Access Systems
- Scalability
- Security
- Modern Network Architecture
- Reliability and Resiliency
Linear
- Broadcast
- DTA
- PPV/IPPV
- SDV
VOD
- Port Mapped (Static)
- Session (Dynamic)
CCAP Encryption
[Figure: encryption in the system context. The Converged Cable Access Platform takes over the encryption previously done per QAM for Broadcast and for SDV & VOD, alongside the M-CMTS and I-CMTS. Hardware platform specifications listed: ARRIS MediaCipher, Cisco PowerKey, DVB Encryption.]
Legacy Encryption vs. CCAP Encryption
Legacy Encryption
• EQAM: proprietary generation of CW and ECM (CWG and ECMG inside the EQAM, or an external ECMG/CWG)
• EQAM: encryption
• EQAM: stream multiplexing
• EQAM: output conversion (IP or QAM)
• Flow: clear video -> MUX -> Encrypt -> IP or QAM output, producing encrypted video with embedded ECM
• Devices: GQAM, MQAM, SEM, APEX, NetCrypt
CCAP Encryption
• ECMG: proprietary generation of CW and ECMs moves to the vendor ECMG device
• EQAM: encryption, multiplexing and output conversion remain in the EQAM (CCAP and 3rd party EQAM)
• Flow: clear video -> MUX -> Encrypt -> IP or QAM output, producing encrypted video with embedded ECM; the ECMG/CWG supplies CWs and ECMs from outside the video path
CCAP Transition Strategy
[Figure: transition strategy; no text survived extraction]
CCAP Encryption Requirements
Decryption Support
• Network Decryption (not currently implemented)
- AES-128
Encryption Support
• MediaCipher / DTA
- SCTE-52 (DES-CBC)
• PowerKey / DTA
- DES-ECB
• AES
• DVB-CSA/CSA3 (Simulcrypt)
CA System Support
• PID Routing
- CAT
- DTA System Information
- DTA EMM
- DTA User Interface Data
- DTA Messaging
• PSIP Aggregation
- PSIP
- EAS
CCAP Encryption Options
• Option 1 – CCAP with ECMG
• Option 2 – CCAP with Bulk Encryption
• Option 3 – CCAP with DVB SimulCrypt
CCAP Encryption
Option 1 - CCAP with ECMG (Load Balancer/HTTP)
[Figure: the CCAP sends an authenticated web request {AC, ECM/CW} through a load balancer to a shared ECMG pool; each ECMG has its own CWG, and the CCAP keeps an ECM/CW cache.]
Abbreviations:
ECMG – Entitlement Control Message Generator
ECM – Entitlement Control Message
CW – Control Word
CWG – Control Word Generator
CAS – Conditional Access System
[Figure: Settop CAS and DTA CAS. Each ECMG in the shared pool holds its own CWG and the CA secrets. The CCAP issues http[AC, ECM/CW] via the load balancer, receives the ECM/CW, and encrypts: MPTS/SPTS video (clear content) in, MPTS/SPTS (encrypted content) out, with DTA CAT, SI, EMM, Data and EAS passed through.]
CCAP Encryption
Option 1 - CCAP with ECMG (Load Balancer/HTTP)
• ECMG is not in the video path
• ECMG <-> CCAP interface is resilient to network delays and short outages
• Batching of ECMs and CWs
• Standard network load balancing is supported
• CCAP needs licensed technology from CA vendors
• ECMG is stateless
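The three properties above (stateless ECMG, batching, tolerance of short outages) fit together, and the following added example shows how. It is not Comcast's or any CA vendor's code: the request shape, the bearer token, the batch size, the 8-byte control word length and the toy ECM format are assumptions, and the HTTP transport is replaced by a direct call so the block runs offline. A real ECMG answers in the CA vendor's licensed, proprietary ECM format.

```python
"""Option 1 sketch: CCAP pulls batched {AC, ECM/CW} from a stateless ECMG pool.

Added example, not the deck's or a vendor's code.  Request shape, token,
batch size, CW length and ECM format are assumptions (see lead-in).
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CW_LEN = 8                         # assumption: DVB-CSA sized control word
API_TOKEN = b"ccap-demo-token"     # assumption: bearer token on the HTTPS request


@dataclass(frozen=True)
class EcmCw:
    cp_number: int   # crypto period the pair is valid for
    cw: bytes        # clear control word for the CCAP scrambler
    ecm: bytes       # opaque ECM, multiplexed into the TS for the settop/DTA


class ToyEcmg:
    """One member of the shared ECMG pool.  Stateless: the request carries the
    stream id, access criteria, first CP and count, so any pool member can
    serve it and nothing survives the call.  The vendor secret stays here."""

    def __init__(self, vendor_secret: bytes) -> None:
        self._secret = vendor_secret

    def _ecm(self, stream_id: int, ac: bytes, cp: int, cw: bytes) -> bytes:
        # Toy ECM (assumption): header || CW xor keystream || tag.
        hdr = cp.to_bytes(2, "big") + stream_id.to_bytes(2, "big")
        ks = hmac.new(self._secret, b"ks" + hdr + ac, "sha256").digest()[:CW_LEN]
        body = hdr + bytes(a ^ b for a, b in zip(cw, ks))
        return body + hmac.new(self._secret, body, "sha256").digest()[:8]

    def handle(self, token: bytes, stream_id: int, ac: bytes,
               first_cp: int, count: int) -> list[EcmCw]:
        if not hmac.compare_digest(token, API_TOKEN):
            raise PermissionError("unauthenticated ECM/CW request")
        batch = []
        for cp in range(first_cp, first_cp + count):
            cw = secrets.token_bytes(CW_LEN)              # the CWG step
            batch.append(EcmCw(cp, cw, self._ecm(stream_id, ac, cp, cw)))
        return batch


def recover_cw(vendor_secret: bytes, ac: bytes, ecm: bytes) -> Optional[bytes]:
    """Settop-side view: only a holder of the vendor secret can open the ECM."""
    body, tag = ecm[:-8], ecm[-8:]
    if not hmac.compare_digest(hmac.new(vendor_secret, body, "sha256").digest()[:8], tag):
        return None
    ks = hmac.new(vendor_secret, b"ks" + body[:4] + ac, "sha256").digest()[:CW_LEN]
    return bytes(a ^ b for a, b in zip(body[4:], ks))


class EcmCwCache:
    """CCAP side: prefetch a batch of CPs, refill when half drained, and keep
    scrambling from the cache through a short ECMG outage."""

    def __init__(self, fetch, stream_id: int, ac: bytes, batch: int) -> None:
        self._fetch, self._sid, self._ac, self._batch = fetch, stream_id, ac, batch
        self._pending: list[EcmCw] = []
        self._next_cp = 0
        self.refill_failures = 0

    def next_crypto_period(self) -> EcmCw:
        if len(self._pending) < self._batch // 2:
            try:
                self._pending += self._fetch(API_TOKEN, self._sid, self._ac,
                                             self._next_cp, self._batch)
                self._next_cp += self._batch
            except ConnectionError:
                self.refill_failures += 1      # harmless while the cache has entries
        if not self._pending:
            raise RuntimeError("cache drained: outage longer than the prefetch window")
        return self._pending.pop(0)


def simulate(batch: int = 8, outage_cps: range = range(5, 7)) -> tuple[list[int], int]:
    """Scramble 16 crypto periods; refills attempted during `outage_cps` fail.
    Returns the CP numbers served and how many refill attempts failed."""
    pool = [ToyEcmg(b"vendor-secret"), ToyEcmg(b"vendor-secret")]  # any member can answer
    served: list[int] = []
    calls = [0]

    def via_load_balancer(*args):
        if len(served) in outage_cps:
            raise ConnectionError("ECMG pool unreachable")
        calls[0] += 1
        return pool[calls[0] % len(pool)].handle(*args)   # round robin, no session affinity

    cache = EcmCwCache(via_load_balancer, stream_id=0x101, ac=b"tier:basic", batch=batch)
    for _ in range(16):
        served.append(cache.next_crypto_period().cp_number)
    return served, cache.refill_failures
```

With the default batch of 8, the two failed refills during CPs 5 and 6 are absorbed by the cache and all 16 periods are scrambled; stretch the outage to four periods and the cache drains, which is the sizing question to settle before deployment (prefetch depth times crypto period length is the outage budget). Because no ECMG keeps per-CCAP state, the retry after an outage can land on a different pool member without any affinity, which is what makes ordinary load balancing and pool-based hitless upgrades workable.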
CCAP Encryption
Option 2 - CCAP with Bulk Encryptor
[Figure: the Settop CAS and DTA CAS feed a Bulk Encryptor that holds the CA secrets and performs the encryption in the video path: MPTS/SPTS video (clear content) in, MPTS/SPTS (encrypted content) out to one or more CCAPs, with DTA CAT, SI, EMM, Data and EAS.]
Abbreviations:
DTA – Digital Terminal Adaptor
CAS – Conditional Access System
SI – System Information
EMM – Entitlement Management Message
EAS – Emergency Alert System
MPTS – Multi-Program Transport Stream
SPTS – Single Program Transport Stream
CCAP Encryption
Option 2 - CCAP with Bulk Encryptor
• Bulk encryptor is in the video path
• Requires appropriate redundancy to be applied at the bulk encryptor and at the CCAP
• Bulk encryptor encapsulates all of the proprietary CA vendor information in a single video encryption device
• May be resilient to network delays and short outages
• Efficient encryption method for a video architecture with many nodes
CCAP Encryption Option 3
CCAP with DVB SimulCrypt
[Figure: a DVB SimulCrypt compliant CA system. The EIS talks to the CCAP over the Simulcrypt EIS<->SCS interface; the CCAP, acting as SCS, talks to the Settop CAS ECMG and the DTA CAS ECMG over the Simulcrypt SCS<->ECMG interface. Each ECMG holds its own secrets; the CWG* and Encrypt* functions sit in the CCAP. MPTS/SPTS video (clear content) in, MPTS/SPTS (encrypted content) out, with DTA CAT, SI, EMM, Data and EAS.]
*Varies by CA vendor
Abbreviations:
ECMG – Entitlement Control Message Generator
EIS – Event Information Scheduler
SCS – SimulCrypt Synchronizer
CW – Control Word
CWG – Control Word Generator
CAS – Conditional Access System
CCAP Encryption
Option 3 – CCAP with DVB SimulCrypt
• ECMG is not in the video path
• Standardized DVB interfaces
• Socket based interfaces
• Not all CA systems support a Simulcrypt mode with the CCAP acting as the Simulcrypt Synchronizer (SCS)
• Some CA systems have IP or secrets that must be applied at the encryptor
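The "socket based interface" here is the Simulcrypt SCS<->ECMG channel, and the following added example shows what one crypto period of it looks like when the CCAP is the SCS. It is not Comcast's or a CA vendor's code. Message framing and the message/parameter type codes follow the ETSI TS 103 197 ECMG<->SCS interface as remembered and should be confirmed against the specification edition in use; the channel and stream setup handshake is elided, and the ECM body built by ToyEcmg, the vendor secret and the 8-byte control word length are assumptions.

```python
"""Option 3 sketch: the SCS <-> ECMG transaction that runs once per crypto period.

Added example, not the deck's or a vendor's code.  Framing and type codes per
ETSI TS 103 197 as remembered (verify); ECM body and secret are assumptions.
"""
import hmac
import secrets
import struct
from typing import Optional

PROTOCOL_VERSION = 0x03
CW_PROVISION, ECM_RESPONSE = 0x0201, 0x0202                      # message types
P_ACCESS_CRITERIA, P_ECM_CHANNEL_ID, P_ECM_STREAM_ID = 0x000D, 0x000E, 0x000F
P_CP_NUMBER, P_CP_CW_COMBINATION, P_ECM_DATAGRAM = 0x0012, 0x0014, 0x0015
CW_LEN = 8


def encode(msg_type: int, params: list[tuple[int, bytes]]) -> bytes:
    """protocol_version(8) message_type(16) message_length(16), then TLV parameters."""
    body = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in params)
    return struct.pack(">BHH", PROTOCOL_VERSION, msg_type, len(body)) + body


def decode(buf: bytes) -> tuple[int, list[tuple[int, bytes]]]:
    """Strict parser: rejects bad version, length mismatch and truncated TLVs,
    the inputs a socket-fed parser on a headend device has to survive."""
    if len(buf) < 5:
        raise ValueError("short header")
    ver, msg_type, length = struct.unpack(">BHH", buf[:5])
    if ver != PROTOCOL_VERSION or len(buf) != 5 + length:
        raise ValueError("bad version or message_length")
    params, off = [], 5
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated parameter header")
        t, plen = struct.unpack(">HH", buf[off:off + 4])
        off += 4
        if off + plen > len(buf):
            raise ValueError("truncated parameter value")
        params.append((t, buf[off:off + plen]))
        off += plen
    return msg_type, params


def first(params: list[tuple[int, bytes]], ptype: int) -> bytes:
    for t, v in params:
        if t == ptype:
            return v
    raise KeyError(f"missing parameter 0x{ptype:04x}")


class ToyEcmg:
    """Stateful ECMG: answers only for streams set up earlier, and alone holds the secret."""

    def __init__(self, vendor_secret: bytes) -> None:
        self._secret = vendor_secret
        self._streams: set[tuple[int, int]] = set()

    def stream_setup(self, channel_id: int, stream_id: int) -> None:
        self._streams.add((channel_id, stream_id))

    def on_message(self, buf: bytes) -> bytes:
        msg_type, params = decode(buf)
        if msg_type != CW_PROVISION:
            raise ValueError("unexpected message type")
        ch = int.from_bytes(first(params, P_ECM_CHANNEL_ID), "big")
        st = int.from_bytes(first(params, P_ECM_STREAM_ID), "big")
        if (ch, st) not in self._streams:
            raise ValueError("CW_provision for a stream that was never set up")
        cp_bytes = first(params, P_CP_NUMBER)
        combo = first(params, P_CP_CW_COMBINATION)           # CP_number(16) || CW
        if combo[:2] != cp_bytes or len(combo) != 2 + CW_LEN:
            raise ValueError("CP/CW combination does not match CP_number")
        ecm = self._build_ecm(cp_bytes, first(params, P_ACCESS_CRITERIA), combo[2:])
        return encode(ECM_RESPONSE, [(P_ECM_CHANNEL_ID, ch.to_bytes(2, "big")),
                                     (P_ECM_STREAM_ID, st.to_bytes(2, "big")),
                                     (P_CP_NUMBER, cp_bytes), (P_ECM_DATAGRAM, ecm)])

    def _build_ecm(self, cp_bytes: bytes, ac: bytes, cw: bytes) -> bytes:
        # Toy ECM (assumption): cp || len(ac) || ac || CW xor keystream || tag.
        ks = hmac.new(self._secret, b"ks" + cp_bytes + ac, "sha256").digest()[:CW_LEN]
        body = cp_bytes + bytes([len(ac)]) + ac + bytes(a ^ b for a, b in zip(cw, ks))
        return body + hmac.new(self._secret, body, "sha256").digest()[:8]


def recover_cw(vendor_secret: bytes, ecm: bytes) -> Optional[bytes]:
    """What a settop holding the secret does with the datagram; the SCS cannot."""
    body, tag = ecm[:-8], ecm[-8:]
    if not hmac.compare_digest(hmac.new(vendor_secret, body, "sha256").digest()[:8], tag):
        return None
    cp_bytes, ac = body[:2], body[3:3 + body[2]]
    ks = hmac.new(vendor_secret, b"ks" + cp_bytes + ac, "sha256").digest()[:CW_LEN]
    return bytes(a ^ b for a, b in zip(body[3 + body[2]:], ks))


def provision_crypto_period(ecmg: ToyEcmg, channel_id: int, stream_id: int,
                            cp_number: int, access_criteria: bytes) -> tuple[bytes, bytes]:
    """SCS side of one crypto period: pick a CW, send CW_provision, get the ECM back.
    The CW crosses the socket in clear and nothing authenticates either end, so the
    link needs isolation (or the optional CW_encryption) outside this protocol."""
    cw = secrets.token_bytes(CW_LEN)
    cp_bytes = cp_number.to_bytes(2, "big")
    req = encode(CW_PROVISION, [(P_ECM_CHANNEL_ID, channel_id.to_bytes(2, "big")),
                                (P_ECM_STREAM_ID, stream_id.to_bytes(2, "big")),
                                (P_CP_NUMBER, cp_bytes),
                                (P_CP_CW_COMBINATION, cp_bytes + cw),
                                (P_ACCESS_CRITERIA, access_criteria)])
    msg_type, params = decode(ecmg.on_message(req))
    if msg_type != ECM_RESPONSE or first(params, P_CP_NUMBER) != cp_bytes:
        raise ValueError("ECM_response does not match the request")
    return cw, first(params, P_ECM_DATAGRAM)
```

Two things the exchange makes concrete. First, it is one request/response per crypto period with no batching, so the ECMG's response time bounds how short a crypto period the CCAP can run, and a primary/secondary ECMG failover has to complete within that window. Second, the comparison table lists Option 3 authentication as "None": the control word is visible on the wire and the ECMG will answer any peer that completes the setup, so the SCS<->ECMG network is part of the CA trust boundary and should be segmented and monitored as such.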
CCAP Encryption Option Comparison (1)
                                   | Option 1: ECMG | Option 2: Bulk Encryptor | Option 3: DVB Simulcrypt
CAS Operation                      | Single vendor | Single vendor | Multi-vendor
Encryption Location                | CCAP | Bulk Encryptor | CCAP
Location of Proprietary CA Secrets | ECMG | Bulk Encryptor | ECMG
Interface Standards                | Proprietary | Proprietary (licensed to CCAP vendors) | Open
Protocol Basis                     | HTTPS | Proprietary | Socket interface
Authentication                     | Authenticated | Per vendor implementation | None
ECM Batching                       | Y | N/A | N (transaction per crypto period)
Load Balancing                     | Y | N/A | Concept of primary, secondary and priority; support is vendor specific

CCAP Encryption Option Comparison (2)
                       | Option 1: ECMG | Option 2: Bulk Encryptor | Option 3: DVB Simulcrypt
Video Path Redundancy  | CCAP responsibility | Bulk Encryptor and CCAP share redundancy responsibility | CCAP responsibility
Network Load           | Resilient to short network outages | Resilient to short network outages | Resilient to short network outages
State                  | Stateless | Stateful | Stateful
Cloud Readiness        | Auto-scaling, load balancing and failure resiliency are part of the architecture | None | Concept of primary / secondary ECMG
Hitless Upgrades       | Y – ECMG pool provides redundancy | N | Maybe – requires 1:1 redundancy
Horizontal Scalability | Y | N | Concept of primary / secondary ECMG
ECM Stretching         | Vendor specific | Vendor specific | Vendor specific
Support                | Future | Current | Current
CCAP Encryption Phasing Case Study – ARRIS Network
[Table: phasing matrix. Columns (phases): VOD Encryption in Privacy Mode (VPME); VOD Encryption with MediaCipher Session Based Encryption; Linear; Linear + OneController. Mode row, in extraction order: MediaCipher (CTCP), MediaCipher (ODCP), MediaCipher (CTCP, ODCP), MediaCipher (CTCP, ODCP), Common Tier Encryption, with a MediaCipher/DTA linear encryption mode. VOD Session Setup row, in extraction order: port mapping, port mapping, session, port or session, port or session.
Components and required interfaces for the two VOD phases (VPME / Session Based) survived in order: CCAP Y / Y; ECMG n/a / Y; VOD Back Office updates N / N; DAC N / Y; CASMR N / Y; BVSM (OneController) n/a / n/a; CableLabs RMI n/a / n/a; CCAP-ECMG n/a / Y; CAMS-SM n/a / n/a. The Y / N / n/a cells for the Linear columns did not survive extraction in column order and are not reproduced.]
CCAP Encryption Phasing Case Study – Cisco Network
[Table: phasing matrix. Columns (phases): Embedded PowerKey VOD; PowerKey VOD on ECMG; PowerKey Linear (session); Linear with Simulcrypt; Linear with OneController. Modes: PowerKey; PowerKey, SCP/SCC. VOD Session Setup: DNCS; BVSM; session. Linear Session Setup row. Components: CCAP, ECMG (PCG), VOD Back Office, DNCS/EC, ECS, BVSM (OneController), DTACS. Interfaces (required): CableLabs RMI, PEACH (ECMG), CAMS-SM, Simulcrypt. The Y / N / n/a cells did not survive extraction in column order and are not reproduced.]
Special Considerations
• CCAP Broadcast Replication
• Adult Content
- Special Requirements
- Combinations of Encryption Approaches
Summary
• CCAP architecture enables several mechanisms for the cable operator to enable video encryption
• The cable operator will need to decide which approach is best for their system architecture, service type, and network
Comcast | Confidential
Questions?