DOCSIS 3.0 Troubleshooting, SCTE Blacksburg, VA

7,503 views

Published on

SCTE Presentation Blacksburg, VA

Published in: Technology, Business
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
7,503
On SlideShare
0
From Embeds
0
Number of Embeds
1,447
Actions
Shares
0
Downloads
332
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

DOCSIS 3.0 Troubleshooting, SCTE Blacksburg, VA

  1. 1. Brady Volpe
  2. 2. 2Who the heck am I?• Over 20 years as a normal cable guy.• Started in RF – C-COR Electronics (now Arris) ▫ Flexnet 700, 800, 900 Series Amplifiers ▫ E700 Series Line Extenders ▫ Lumicor Fiber Tx, Rx and EDFAs• First DOCSIS Protocol Analyzer – Most called it “The Sigtek”• Sunrise Telecom, and JDSU• Currently “The Volpe Firm, Inc.”• Check me out! You all will learn a lot on my blog… ▫ http://volpefirm.com © The Volpe Firm Confidential
  3. 3. 3Agenda• DOCSIS 3.0 Overview• DOCSIS 3.0 terminology• DOCSIS modem registration• Advanced Troubleshooting © The Volpe Firm Confidential
  4. 4. 4 Drivers for D3.0 – Other than Verizon & AT&T! All Video on Demand 100 Unicast per Subscriber 90 High Definition VideoMegabits per Second 80 on Demand 70 Video Blogs Podcasting 60 Video on Demand 50 Video Mail 40 Online Gaming 30 Digital Photos 20 VoIP Digital Music 10 Web Browsing E-mail © The Volpe Firm Time Confidential
  5. 5. 5DOCSIS 3.0 Overview• DOCSIS 3.0 Specification(s) ▫ DOCSIS 3.0 Interface Specifications (Released December 2006) ▫ Equipment readily available• Downstream data rates of 160 Mbps or higher 256QAM => ~40Mbps ▫ Channel Bonding ▫ 4 or more channels 8 x 256QAM => ~304 Mbps• Upstream data rates of 120 Mbps or higher ▫ Channel Bonding ▫ 4 or more channels 64QAM => ~30Mbps• Internet Protocol version 6 (IPv6) 4 x 64QAM => ~108 Mbps ▫ Current System (IPv4) is limited to 4.3B numbers ▫ IPv6 greatly expands the number of IP addresses  Expands IP address size from 32 bits to 128 bits  IPv6 supports 3.4×1038 addresses; 4923:2A1C:0DB8:04F3:AEB5:96F0:E08C:FFEC  Colon-Hexadecimal Format• 100% backward compatible with DOCSIS 1.0/1.1/2.0 © The Volpe Firm Confidential
  6. 6. 6DOCSIS Comparison Max Downstream Max UpstreamDOCSIS Version Throughput Throughput 1.x 42.88 (38) Mbit/s 10.24 (9) Mbit/s 2.0 42.88 (38) Mbit/s 30.72 (27) Mbit/s n x 42.88 (38) Mbit/s n x 30.72 (27) Mbit/s 3.0 8 x 38 = 304 Mbit/s 4 x 27 = 108 Mbit/sec © The Volpe Firm Confidential
  7. 7. 7DOCSIS® 3.0 Assumed Downstream RFChannel Transmission Characteristics Parameter Value Frequency range 108 to 1002 MHz edge to edge RF channel spacing (design bandwidth) 6 MHz Transit delay from head-end to most ≤ 0.800 ms (typically much less) distant customer Carrier-to-noise ratio in a 6 MHz band Not less than 35 dB Carrier-to- CTB, CSO, X-MOD, Ingress Not less than 41 dB Amplitude ripple 3 dB within the design bandwidth Group delay ripple in the spectrum 75 ns within the design bandwidth occupied by the CMTS -10 dBc@ <= 0.5 μsec Micro-reflections bound for dominant -20 dBc@ <= 1.5 μsec echo -30 dBc@ > 1.5 μsec Maximum analog video carrier level at 17 dBmV the CM input © The Volpe Firm Confidential
  8. 8. 8DOCSIS® 3.0 Assumed Upstream RFChannel Transmission Characteristics Parameter Value Frequency range 5 to 85 MHz edge to edge Carrier-to-interference plus ingress ratio Not less than 25 dB Carrier hum modulation Not greater than –23 dBc (7%) Not longer than 10 μsec at a 1 kHz Burst noise average rate for most cases Amplitude ripple 5-42 MHz 0.5 dB/MHz Group delay ripple 5-42 MHz 200 ns/MHz -10 dBc@ <= 0.5 μsec Micro-reflections—single echo -20 dBc@ <= 1.0 μsec -30 dBc@ > 1.0 μsec Seasonal and diurnal reverse gain (loss) Not greater than 14 dB min to max variation © The Volpe Firm Confidential
  9. 9. 9The Bonded Upstream © The Volpe Firm Confidential
  10. 10. 10Power Variance – 6dB Bonded vs. Unbonded DOCSIS 3.0 Cable Modem 1 Channel Transmit Power Levels DOCSIS 3.0 Cable Modem 4 Channel Transmit Power Levels © The Volpe Firm Confidential
  11. 11. 11Measuring Upstream Carrier Amplitudes These carriers will NOT have the same peak amplitude level when measured on a typical spectrum analyzer when they are each hitting the CMTS at “0 dBmV power per channel”. Test CW SignalAmplitude CW 1.6 MHz wide 3.2 MHz wide 6.4 MHz wide 1 Hz wide © The Volpe Firm Confidential
  12. 12. 12 Real Life Scenario• Upstream at 37 MHz – 64-QAM, 6.4 MHz BW ▫ Twice as wide and 3 dB lower than other carriers• 24.3% FEC errors, 30.6 dB MER• 25 MHz, 28.2 MHz, 31.4 MHz @ 64-QAM, 3.2 MHz okay• Why? What is the problem, what is the recommended solution without going into the field?• cable upstream 3 equalization-coefficient © The Volpe Firm Confidential
  13. 13. 13© The Volpe Firm Confidential
  14. 14. 14Downstream Terminology• Primary Downstream Channel(s) ▫ Master clock, UCD, MAPs, etc. ▫ CMs Registration + PDU• Non-Primary Capable Channel(s) ▫ PDU only ▫ D3.0 modems• Downstream Service Group (DSG) ▫ DS bonded CHs available to CM• Upstream Channel Descriptor – UCD ▫ MAC message to CMs describing US CH © The Volpe Firm Confidential
  15. 15. 15Upstream Terminology• Upstream Channel ▫ Physical Upstream Channel (DOCSIS RF), or ▫ Logical Upstream Channel (share same RF ch)• Upstream Bonding Group (UBG) ▫ Set of US bonded channels for CM © The Volpe Firm Confidential
  16. 16. 16 DOCSIS Communications ModelIP Data Backbone All three layers must work for DOCSIS to work Server 1 Server 2 Server 3 CMTS Subscriber Side HFC Network © The Volpe Firm Confidential
  17. 17. 17Cable Modem Registration – DOCSIS 1.x/2.0 ▫ CM registration requires the physical layer for signal transport ▫ DOCSIS and IP protocol layers are necessary to communicate the proper messages for modems to come online ▫ The next slides illustrate the interaction of these layers © The Volpe Firm Confidential
  18. 18. 18 DS Freq. Acquisition CMTS cable modem Next Sync Broadcast Frequency Scan DS Frequency (Minimum one per 200 msec) for a QAM signal No Yes No Wait for Sync Yes NoUCD Broadcast (every 2 sec) Wait for UCDMAP Broadcast (every 2 ms) Wait for MAP © The Volpe Firm Confidential
  19. 19. 19 CM Ranging CMTS cable modem RNG-REQ Initial Ranging Request Sent in Initial Maintenance time Slot Starting at 8 dBmV Using an initial SID = 0RNG-RSPRanging Response Contains: • Timing offset • Power offset • Temp SID Wait for Increment by RNG-RSP NO 3 dB YES Adjust Timing Offset and Power Offset © The Volpe Firm Confidential
  20. 20. 20 DHCP Overview CMTS cable modem Bandwidth RequestMAP Broadcasts Use Temp SID (Service ID)DHCP Reply (Offer) DHCP DiscoverDHCP offers an IP addressDHCP Ack (Response) DHCP RequestContains IP Addr, plus Acks Initial lP Address andadditional information requests Default GW, ToD Server, TOD offset, TFTP Server Addr and TFTP Boot Config File NameToD ResponseContains Time of Day per ToD RequestRFC 868 (Not NTP) © The Volpe Firm Confidential
  21. 21. 21 TFTP & Registration CMTS cable modemTFTP Boot File Transfer TFTP Boot RequestDOCSIS config file which contains For ‘Boot File name’Classifiers for QoS and schedule,Baseline Privacy (BPI), etc. Validate file MD5 Checksum Implement Config Registration Request Send QoS ParametersRegistration ResponseContains Assigned SIDModem registered Registration Acknowledge Send QoS Parameters © The Volpe Firm Confidential
  22. 22. 22CM Registration Summary ▫ Downstream channel search ▫ Ranging ▫ DHCP ▫ ToD ▫ TFTP ▫ Registration ▫ Optional BPI Encryption ▫ Ranging occurs at least every 30 seconds when online  T3 timeout part of this and typically indicate upstream problems  T4 timeout typically indicate downstream problems © The Volpe Firm Confidential
  23. 23. 23D3.0 Modem Registration Scan for DS Channel MAC Domain Provides Primary Ch ID on Secondary Chs Descriptor (MDD) MAC Domain •MD-DS-SG Obtain TX Params •MD-US-SG Descriptor (MDD) •Ch Parameters: Freq, Modulation, etc. Perform Ranging •Security: EAE •DHCP IPv4/IPv6 or suppressed and in config EAE BPI+ •If no MDD  DOCSIS 2.0 mode! DHCP D3.0 DHCP Options •IPv4 Only (DHCPv4) ToD •IPv6 Only (DHCPv6) •Alternate Provisioning Mode (APM) Optional •DHCPv6 then DHCPv4 TFTP •Dual-stack Provisioning Mode (DPM) •DHCPv6 and DHCPv4 Registration DS Ch Bonding •RCC for downstream channels •TCC to add upstream channels Normal BPI+ US Ch Bonding © The Volpe Firm Confidential
  24. 24. 24© The Volpe Firm Confidential
  25. 25. 25Advanced Field Troubleshooting• Why is DOCSIS 3 Troubleshooting Different? ▫ Multiple Bonded Channels  Downstream  Not that different.  The channels are constant carrier  Multiple downstream channels have been around forever  Upstream  Still most vulnerable portion of plant  The modem is no longer limited to a single upstream transmit path  In some ways this is actually easier with DOCSIS 3.0 © The Volpe Firm Confidential
  26. 26. 26You Likely Know Your Problems • Downstream – Typically not so bad ▫ CTB, CSO, CNR under digital channels ▫ Levels not correct into home (high, low, tilt) ▫ Suck-outs, especially if you have contractors doing disconnects ▫ Cheap modulators & upconverters never save you money ▫ DOCSIS 3.0 headaches - Channel bonding, isolation, legacy • Upstream – Your Achilles heal ▫ Easy: AWGN noise, impulse noise, coherent noise, CPD, Laser clipping ▫ Hard: Group delay, frequency response, micro-reflections ▫ Insane: DOCSIS 3.0 – multiple upstreams – power levels • Theft of Service© The Volpe Firm Confidential
  27. 27. 27Likely Upstream Problems ▫ Four times the US bandwidth (four bonded channels) creates a new dynamic for troubleshooting and monitoring: ▫ 6.4 MHz * 4 = 25.6 MHz (without guard bands) ▫ Increased likelihood for laser clipping ▫ Increased probability for problems with ingress, group delay, micro-reflections, and other linear distortions ▫ Inability to avoid problem frequencies such as Citizens’ Band, Ham, Shortwave, and hop between CPD 6MHz spacing ▫ Where are you going to put your sweep points? © The Volpe Firm Confidential
  28. 28. 28Test Equipment has Advanced! © The Volpe Firm Confidential
  29. 29. 29Latest D3.0 Test Meters © The Volpe Firm Confidential
  30. 30. 30Headend Dashboards © The Volpe Firm Confidential
  31. 31. 31Downstream Impairments © The Volpe Firm Confidential
  32. 32. 32Downstream Impairments Ingress, CW Interference © The Volpe Firm Confidential
  33. 33. 33Modulation Error Ratio (MER) – The quality of a QAM signal can be defined by Q the dispersion of the constellation’s points considering the target value I – The error or dispersion power is calculated by the value mean square of the error vectors (real value VS target value) 256 QAM • MER is the ratio in dB between the average   power of the signal and the power of the error   vectors   MER symb dB   10  log10  E av N  1  2 N ej  © The Volpe Firm Confidential  j 1  33
  34. 34. 34MER © The Volpe Firm Confidential
  35. 35. 35Upstream Ingress Cancellation – Ondefault CW Only 10 dB down © The Volpe Firm Confidential
  36. 36. 36Something New – DOCSIS 3.0 Modems © The Volpe Firm Confidential
  37. 37. 37Demod without Cancellation © The Volpe Firm Confidential
  38. 38. 38Testing DOCSIS 3.0 Meter – JDSU DSAM © The Volpe Firm Confidential
  39. 39. 39 DOCSIS 3.0 Channel Bonding• Eight channel downstream Bonded Downstream, Eight 256-QAM Carriers
  40. 40. 40VeEX CX380 CM Screen Shot • D3 8x4 Channel Bonding: Details Confidential & Proprietary Information of VeEX Inc
  41. 41. 41A Clean Upstream: Or Is It for 64-QAM? © The Volpe Firm Confidential
  42. 42. 42Impact to Adaptive EQ from Impulse Noise © The Volpe Firm Confidential
  43. 43. 43Ways to Mitigate Impact of Impulse Noise • Clean up plant • Improve robustness of modulation profile from: • cable modulation-profile 224 a-short 6 76 6 22 64qam scrambler 152 no-diff 64 shortened qpsk1 1 2048 • cable modulation-profile 224 a-long 9 232 0 22 64qam scrambler 152 no-diff 64 shortened qpsk1 1 2048 • To: • cable modulation-profile 224 a-short 6 76 6 22 64qam scrambler 152 no-diff 384 shortened qpsk1 0 2048 • cable modulation-profile 224 a-long 9 232 0 22 64qam scrambler 152 no-diff 384 shortened qpsk1 0 2048 • Changing 64 to 384 increases the preamble length, thus enhancing the training sequence on capturing the packet and lessening the effects of impulse noise • Changing the 1 to a 0 enables dynamic interleaving mode, increasing the effectiveness of Forward Error Correction (FEC) as impulse noise increases in the system © The Volpe Firm Confidential
  44. 44. 44Ways to Mitigate Impact of Impulse Noise • Clean up plant • Improve robustness of modulation profile from: • cable modulation-profile 224 initial 5 34 0 48 16qam scrambler 152 no-diff 64 fixed qpsk1 1 2048 • cable modulation-profile 224 station 5 34 0 48 16qam scrambler 152 no-diff 64 fixed qpsk1 1 2048 • To: • cable modulation-profile 224 initial 5 34 0 48 16qam scrambler 152 no-diff 384 fixed qpsk1 0 2048 • cable modulation-profile 224 station 5 34 0 48 16qam scrambler 152 no-diff 384 fixed qpsk1 0 2048 • Changing 64 to 384 increases the preamble length, thus enhancing the training sequence on capturing the packet and lessening the effects of impulse noise • Changing the 1 to a 0 enables dynamic interleaving mode, increasing the effectiveness of Forward Error Correction (FEC) as impulse noise increases in the system © The Volpe Firm Confidential
  45. 45. 45Monitoring Transient Events?• Laser Clipping or Impulse Noise for example… ▫ Plan on laser clipping being a popular word © The Volpe Firm Confidential
  46. 46. 46Two 64-QAM Bonded Channels © The Volpe Firm Confidential
  47. 47. 47Laser Clipping – FP Laser © The Volpe Firm Confidential
  48. 48. 48Laser Clipping – Hard to See © The Volpe Firm Confidential
  49. 49. 49Ingress Under QAM © The Volpe Firm Confidential
  50. 50. 50Laser Heterodyning © The Volpe Firm Confidential
  51. 51. 51Digital Return – RF above 42 MHz © The Volpe Firm Confidential
  52. 52. 52Partial Service Troubleshooting• Partial Service exhibits itself as missing channels• Does not exhibit as Packetloss or Throughput issue © The Volpe Firm Confidential
  53. 53. 53Impaired Service Troubleshooting ▫ An impaired service may or may not exhibit codeword errors and packetloss ▫ When troubleshooting impaired service, it is critical to view the performance of the individual upstream channels. © The Volpe Firm Confidential
  54. 54. 54Impaired Service Troubleshooting © The Volpe Firm Confidential
  55. 55. 55Impaired Service Troubleshooting © The Volpe Firm Confidential
  56. 56. 56Impaired Service Troubleshooting © The Volpe Firm Confidential
  57. 57. 57Impaired Service Troubleshooting © The Volpe Firm Confidential
  58. 58. 58Impaired Service Troubleshooting• Obviously there is an issue with the channel at 19 MHz• Utilize this method to traverse the network and find the impairment causing this issue © The Volpe Firm Confidential
  59. 59. 59 Summary• CMTS and SNMP data provide good troubleshooting ▫ But not all of it• DOCSIS 3.0 ▫ Significantly more throughput ▫ Supports legacy D2.0 modems ▫ D3.0 modems load balance in the upstream w/o loss of service• Advanced test equipment is an investment that ▫ Saves you time and money ▫ Gets your subscribers back online and keeps them there ▫ Makes you a predictable and reliable service provider ▫ Seamlessly integrates headend & field – 2 places / 1 person © The Volpe Firm Confidential
  60. 60. 60© The Volpe Firm Confidential
  61. 61. 61 IPv6You may not even know it happened…IPv6 Day June 8th, 2011 © The Volpe Firm Confidential
  62. 62. 62 IPv6 and DOCSIS 3.0• IPv4 only (DHCP4)• IPv6 only (DHCP6)• Alternate Provisioning Mode ▫ DHCP6 then DHCP4• Dual-Stack Provisioning Mode ▫ DHCP6 and DHCP4 © The Volpe Firm Confidential
  63. 63. Customer admin domain MSO admin domain © The Volpe Firm Access model 1 Confidential Servers • DHCP, DNS CM1 • TFTP CPE1 • TOD bridge • Management Access model 2 To HOME / CORE HFC SMB CPE CM2 Internet CPE2 router CMTS bridge router Access model 3 HOME / SMB CM CPE3 router DOCSIS 3.0 IPv6 Example ArchitectureManagement prefix: 2001:DB8:FFFF:0::/64Service prefix: 2001:DB8:FFFE:0::/64Customer 2 prefix: 2001:DB8:2::/48Customer 3 prefix: 2001:DB8:3::/48 MSO management; assigned 2001:DB8:FFFF:0::/64 MSO service 2001:DB8:FFFE:0::/64 Customer 2 premises link; assigned 2001:DB8:2:0::/64 Customer 3 premises link; assigned 2001:DB8:3:0::/64 63
  64. 64. 64© The Volpe Firm Confidential
  65. 65. 65 Why better DOCSIS security? • Various anonymous cable modem hackers have reported high success rates with zero signs of detection ▫ Durandal has a machine on a business configuration that has been seeding torrents steadily for over a year ▫ Many people have as many as 8 or more modems running concurrently ▫ In all of these scenarios, the individuals are paying for service. They are simply splicing their line to add additional modems Its beyond simple theft of service. Substantial traffic users can have a significant impact on system performanceSource: Defcon.org © The Volpe Firm Confidential
  66. 66. 66Hacking the Cable Modem• Which OIDs are used for hacking?• 1.3.6.1.2.1.69.1.4.5.0 ▫ To figure out what the current cfg file name is for cable modem.• 1.3.6.1.2.1.10.127.1.1.3.1.3.1• 1.3.6.1.2.1.10.127.1.1.3.1.5.1 ▫ To check Up/DownStream speed of cfg file• 1.3.6.1.2.1.69.1.4.4.0 ▫ To read TFTP Server IP of cable modem• 1.3.6.1.2.1.69.1.1.3.0 ▫ To reboot cable modem With some software and cheap hardware – hacking is pretty darn simple in a non-BPI+ environment © The Volpe Firm Confidential
  67. 67. 67BPI/BPI+ in DOCSIS 1.x / 2.0 • BPI: Baseline Privacy Interface ▫ Methods for encrypting traffic between the cable modem and the ▫ CMTS with 56bit DES encryption • BPI+: Baseline Privacy Interface Plus ▫ Implemented in DOCSIS 1.1 specs (Backwards compatible) ▫ Introduces X.509 v3 (RSA 1024bit) digital certificates & key pairs ▫ Authentication based on certificate hardware identity; validated when modem registers with a CMTS • Makes hacking a bit more difficult, however… ▫ Operators tend to leave “Self-signed certificates on ▫ During registration, there is no BPI+ security, all transactions are in the clear ▫ DOCSIS 1.x and 2.0 is still exposed to security breaches ▫ Even with Enforce TFTP, Masking TFTP file names, TFTP Proxy, etc. © The Volpe Firm Confidential
  68. 68. 68Enhance DOCSIS 3.0 & IPv6 Security• DOCSIS 3.0 Introduces ▫ 128 bit AES traffic encryption ▫ Early CM authentication and traffic encryption (EAE) ▫ Source IP address verification (SAV) ▫ TFTP proxy and configuration file learning ▫ MMH algorithm for CMTS MIC ▫ Certificate revocation ▫ Encryption support of new method of multicast messaging © The Volpe Firm Confidential
  69. 69. 69 Security Recommendation• Enable BPI+ and EAE• Use BPI+ Enforce• Disable Self-Signed Certificates• Use “Secure Provisioning” by leveraging SAV• Only allow CM software download via CVC• Disable Public SNMP access• Eliminate “Walled Garden” customer access points ▫ Walled Garden sites are the primary gateway for theft-of- service• Restrict access of your security department and policies to a limited, trusted number of people ▫ Security breeches often come from within © The Volpe Firm Confidential
  70. 70. 70For more information go to:http://volpefirm.com © The Volpe Firm Confidential

×