CCAP Encryption
Integrating CCAP into the Video Control Plane
July 31, 2014
Kevin Taylor, Fellow, Comcast

Topics
• CCAP in a Nutshell
• CCAP In a System Context
• CCAP Encryption Goals
• CCAP Transition Strategy
• CCAP Encryption Hardware Requirements
• CCAP Encryption Options
• CCAP Encryption Phasing Case Study
• Special Considerations

CCAP in a nutshell
Converged Cable Access Platform
• Combines the functions of the CMTS and Edge QAM
• Implements all narrowcast and broadcast QAMs
• Simplify, and eventually eliminate RF Combining
[Diagram: CCAP DS Port Assignments. One DS RF port carries 64 NC QAMs + 96 BC QAMs for narrowcast and broadcast digital services (HSD/CDV, DOCSIS, IP Video, VOD, cDVR, MPEG TS, Broadcast), alongside legacy OOB and QAM, analog, the US split and legacy OOB DS.]

CCAP Impact
• Engineering: Capacity and efficiency
  • 50% space savings with 4x capacity
  • 60% power savings plus less cooling
  • Improve existing UPS and battery backup performance
• Architecture: Simplicity and flexibility
  • Minimum, simplified combining wiring
  • Full-spectrum, MPEG/DOCSIS QAMs, easier migration to IPTV
  • Future proof, single access platform
• Purchasing: Cost will quickly become a big driver
  • Especially DOCSIS QAMs are significantly cheaper
• Operations: Reliability and manageability
  • Fully redundant (N+1 LC & 1+1 Commons)
  • Configuration change between QAM types vs. equipment swap-out
  • Much shorter maintenance window (ISSU)
  • Far less equipment to manage and maintain

CCAP in a System Context
[Diagram: System Context]

CCAP Encryption Goals
Architecture
• Cost Efficiency
• Resource Efficiency
• Compatibility with Deployed Conditional Access Systems
• Scalability
• Security
• Modern Network Architecture
• Reliability and Resiliency
Linear
• Broadcast
• DTA
• PPV/IPPV
• SDV
VOD
• Port Mapped (Static)
• Session (Dynamic)

CCAP Encryption
[Diagram: Converged Cable Access Platform Encryption. Labels: M-CMTS QAM, I-CMTS, Broadcast QAM, SDV & VOD QAM, hardware platform specifications, ARRIS MediaCipher, Cisco PowerKey, DVB Encryption.]

Legacy Encryption vs. CCAP Encryption
Legacy Encryption
• EQAM: Proprietary Generation of CW and ECM
• EQAM: Encryption
• EQAM: Stream Multiplexing
• EQAM: Output Conversion
• Devices: GQAM, MQAM, SEM, APEX, NetCrypt
CCAP Encryption
• ECMG: Proprietary Generation of CW and ECMs move to Vendor ECMG device
• EQAM: Encryption, Multiplexing and output conversion remain in EQAM
• Devices: CCAP and 3rd Party EQAM

CCAP Encryption Requirements
Decryption Support
• Network Decryption (not currently implemented)
• AES-128
Encryption Support
• MediaCipher / DTA
• SCTE-52 (DES-CBC)
• PowerKey / DTA
• DES-ECB
• AES
• DVB-CSA/CSA3 (Simulcrypt)
CA System Support
• PID Routing
• CAT
• DTA System Information
• DTA EMM
• DTA User Interface Data
• DTA Messaging
• PSIP Aggregation
• PSIP
• EAS

CCAP Encryption Options
• Option 1 – CCAP with ECMG
• Option 2 – CCAP with Bulk Encryption
• Option 3 – CCAP with DVB SimulCrypt

CCAP Encryption Option 1 - CCAP with ECMG (Load Balancer/HTTP)
[Diagram: The CCAP, holding an ECM/CW cache, sends an authenticated web request {AC, ECM/CW} through a load balancer to a shared pool of ECMG/CWG nodes fed by the CAS.]
Abbreviations:
• ECMG – Entitlement Control Message Generator
• ECM – Entitlement Control Message
• CW – Control Word
• CWG – Control Word Generator
• CAS – Conditional Access System

CCAP Encryption Option 1 - CCAP with ECMG (Load Balancer/HTTP)
[Diagram: Settop CAS and DTA CAS provide secrets to the ECMG/CWG nodes of the shared ECMG pool. The CCAP exchanges http[AC, ECM/CW] with the pool through the load balancer, takes in MPTS/SPTS video (clear content) and DTA CAT, SI, EMM, Data, EAS, encrypts, and outputs MPTS/SPTS (encrypted content).]

CCAP Encryption Option 1 - CCAP with ECMG (Load Balancer/HTTP)
• ECMG is not in the video path
• ECMG<>CCAP Interface is resilient to network delays and short outages
• Batching of ECMs and CWs
• Standard network load balancing is supported
• CCAP needs licensed technology from CA vendors
• ECMG is stateless
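
Added example (not from the original slides, and not vendor code): a small model of why batching ECMs and CWs into the CCAP's ECM/CW cache lets encryption ride through a short ECMG outage. The request shape, the HMAC derivation, the batch and low-water sizes and every name below are assumptions made for illustration; real CW and ECM generation is proprietary to the CA vendor.

```python
import hashlib
import hmac

POOL_SECRET = b"constructed-demo-secret"  # constructed; stands in for CA vendor secrets

def ecmg_request(access_criteria, first_period, count):
    """Hypothetical stateless ECMG node: the reply depends only on the request,
    so any node behind the load balancer returns the same batch."""
    batch = {}
    for period in range(first_period, first_period + count):
        msg = f"{access_criteria}|{period}".encode()
        cw = hmac.new(POOL_SECRET, b"cw|" + msg, hashlib.sha256).digest()[:8]
        ecm = hmac.new(POOL_SECRET, b"ecm|" + msg, hashlib.sha256).digest()
        batch[period] = (cw, ecm)  # placeholder bytes, not a real CW or ECM format
    return batch

class EcmCwCache:
    """CCAP-side ECM/CW cache that refills in batches ahead of use."""

    def __init__(self, access_criteria, batch=8, low_water=4):
        self.ac, self.batch, self.low_water = access_criteria, batch, low_water
        self.store = {}
        self.next_fetch = 0  # first crypto period not yet requested

    def tick(self, period, ecmg_up):
        """Run once per crypto period; return (cw, ecm) or None if starved."""
        if ecmg_up and self.next_fetch - period <= self.low_water:
            start = max(self.next_fetch, period)  # skip periods already missed
            self.store.update(ecmg_request(self.ac, start, self.batch))
            self.next_fetch = start + self.batch
        self.store.pop(period - 1, None)  # discard the expired period
        return self.store.get(period)

def starved_periods(outage, periods=40, **cache_args):
    """Crypto periods with no CW available, given periods the ECMG pool is unreachable."""
    cache = EcmCwCache("constructed-ac-1", **cache_args)
    return [p for p in range(periods) if cache.tick(p, p not in outage) is None]

if __name__ == "__main__":
    print(starved_periods(range(12, 16)))                        # batched, 4-period outage
    print(starved_periods(range(12, 17)))                        # batched, 5-period outage
    print(starved_periods(range(12, 16), batch=1, low_water=0))  # no batching
```

In this model the low-water mark bounds both the outage the CCAP can absorb and how much future key material sits in its cache at any moment.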

CCAP Encryption Option 2 - CCAP with Bulk Encryptor
[Diagram: Settop CAS and DTA CAS provide secrets to the bulk encryptor, which takes in MPTS/SPTS video (clear content) and DTA CAT, SI, EMM, Data, EAS, encrypts, and passes MPTS/SPTS (encrypted content) to the CCAP, which outputs MPTS/SPTS (encrypted content).]
Abbreviations:
• DTA – Digital Terminal Adaptor
• CAS – Conditional Access System
• SI – System Information
• EMM – Entitlement Management Message
• EAS – Emergency Alert System
• MPTS – Multi-Program Stream
• SPTS – Single Program Stream

CCAP Encryption Option 2 - CCAP with Bulk Encryptor
• Bulk encryptor is in the video path
• Requires appropriate redundancy to be applied at the bulk encryptor and CCAP
• Bulk encryptor encapsulates all of the proprietary CA vendor information into a single video encryption device
• May be resilient to network delays and short outages
• Efficient encryption method for video architecture with many nodes

CCAP Encryption Option 3 - CCAP with DVB SimulCrypt
[Diagram: A DVB SimulCrypt compliant CA system (EIS, Settop CAS, DTA CAS, and ECMGs holding secrets) connects to the CCAP over the Simulcrypt EIS<->SCS and Simulcrypt SCS<->ECMG interfaces. The CCAP (Encrypt*, CWG*) takes in MPTS/SPTS video (clear content) and DTA CAT, SI, EMM, Data, EAS, and outputs MPTS/SPTS (encrypted content).]
*Varies by CA vendor
Abbreviations:
• ECMG – Entitlement Control Message Generator
• EIS – Event Information Scheduler
• SCS – SimulCrypt Synchronizer
• CW – Control Word
• CWG – Control Word Generator
• CAS – Conditional Access System

CCAP Encryption Option 3 – CCAP with DVB SimulCrypt
• ECMG is not in the video path
• Standardized DVB Interfaces
• Socket based interfaces
• Not all CA Systems support a Simulcrypt mode with the CCAP being the Simulcrypt Synchronizer (SCS)
• Some CA Systems have IP or secrets that need to be applied at the Encryptor

Special Considerations
• CCAP Broadcast Replication
• Adult Content
• Special Requirements
• Combinations of Encryption Approaches

Summary
• CCAP Architecture enables several mechanisms for the cable operator to enable video encryption
• The cable operator will need to decide which approach is best for their system architecture, service type, and network
Comcast | Confidential

Questions?