1 Scope and introduction
1.1 Scope
1.2 Introduction
2 References
2.1 Normative references
2.2 Informative references
3 Terms and definitions
4 Abbreviations, acronyms and conventions
4.1 Abbreviations and acronyms
4.2 Conventions
5 Architectural overview of IPCablecom security
5.1 IPCablecom reference architecture
5.2 Threats
5.3 Security architecture
6 Security mechanisms
6.1 IPsec
6.2 Internet Key Exchange (IKE)
6.3 SNMPv3
6.4 Kerberos/PKINIT
6.5 Kerberized key management
6.6 End-to-end security for RTP
6.7 End-to-end security for RTCP
6.8 BPI+
6.9 TLS
7 Security profile
7.1 Device and service provisioning
7.2 Quality of Service (QoS) signalling
7.3 Billing system interfaces
7.4 Call signalling
7.5 PSTN Gateway interface
7.6 Media stream
7.7 Audio Server services
7.8 Electronic surveillance interfaces
7.9 CMS provisioning
8 IPCablecom certificates
8.1 Generic structure
8.2 Certificate trust hierarchy
9 Cryptographic algorithms
9.1 AES
9.2 DES
9.3 Block termination
9.4 RSA signature
9.5 HMAC-SHA-1
9.6 Key derivation
9.7 The MMH-MAC
9.8 Random number generation
10 Physical security
10.1 Protection for MTA key storage
10.2 MTA key encapsulation
11 Secure software upgrade
Annex A – Oakley groups
Annex B – Kerberos Network Authentication Service
Annex C – PKINIT specification
Appendix I – IPCablecom administration guidelines and best practices
I.1 Routine CMS service key refresh
Appendix II – Example of MMH algorithm implementation