

PacketCable Security Ticket Control Sub-Option for the DHCP CableLabs Client Configuration (CCC) Option






RFC 3594                Security Ticket Control           September 2003


   MTA - Media Terminal Adapter.  The CCD specific to the PacketCable
         architecture.

   PacketCable - multimedia architecture developed by CableLabs.  See
         [8] for full details.

3.   Introduction

   The CableLabs Client Configuration Option [1] defines several
   sub-options used to configure devices deployed into CableLabs
   architectures.  These architectures implement the PacketCable
   Security Specification [4] (based on Kerberos V5 [5]), to support CCD
   authentication and establishment of security associations between
   CCDs and application servers.

   CCDs are permitted to retain security tickets in local persistent
   storage.  A CCD that is power-cycled can therefore reuse any locally
   persisted tickets that have not yet expired instead of repeating the
   expensive ticket acquisition exchange.  This feature greatly reduces
   the security overhead of a deployment.

   This sub-option allows the service provider to control the lifetime
   of tickets persisted locally on a CCD.  The service provider requires
   this capability to support operational functions such as forcing re-
   establishment of security associations, remote testing, and remote
   diagnostics of CCDs.

   It should be noted that, although based on the Kerberos V5 RFC [5],
   the PacketCable Security Specification is not a strict implementation
   of this RFC.  See [4] for details of the PacketCable Security
   Specification.

4.   Security Ticket Control Sub-option

   This sub-option defines a Ticket Control Mask (TCM) that instructs
   the CCD to validate/invalidate specific application server tickets.
   The sub-option is encoded as follows:

    Code   Len      TCM
   +-----+-----+-----+-----+
   |  9  |  2  | m1  | m2  |
   +-----+-----+-----+-----+

   The length MUST be 2.  The TCM field is encoded as an unsigned 16 bit
   quantity per network byte order.  Each bit of the TCM is assigned to
   a specific server or server group.  A bit value of 0 means the CCD
   MUST apply normal invalidation rules (defined in [4]) to the locally





Duffy                       Standards Track
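The following is an added worked example, not code from RFC 3594 or from any CableLabs implementation.  It encodes and decodes the Security Ticket Control sub-option exactly as the figure in section 4 lays it out (Code 9, Len 2, a 16-bit TCM in network byte order) and enforces the "length MUST be 2" rule by rejecting any other length.  The sub-option names `parse_ccc_suboptions`, `decode_ticket_control_mask`, `encode_ticket_control_suboption`, `tcm_bits_set` and `ticket_control_from_ccc` are this example's own; the surrounding Code/Len/Value layout of the CCC option and the choice to number bit 0 as the least significant bit are assumptions made here, and the assignment of individual bits to servers or server groups is left to [4] and not reproduced.  The sample payloads are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

# Sub-option code and fixed length from the encoding figure in section 4.
TICKET_CONTROL_CODE = 9
TICKET_CONTROL_LEN = 2


def parse_ccc_suboptions(payload: bytes) -> Dict[int, bytes]:
    """Split a CCC option value into a {code: value} map of sub-options.

    Assumes (an assumption of this example) the usual DHCP sub-option
    layout: one-byte Code, one-byte Len, then Len bytes of value, repeated
    until the payload is exhausted.  A truncated header or a length that
    overruns the payload is rejected rather than silently ignored.
    """
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        i += 2
        if i + length > len(payload):
            raise ValueError("sub-option %d length %d overruns payload" % (code, length))
        subs[code] = payload[i:i + length]
        i += length
    return subs


def decode_ticket_control_mask(value: bytes) -> int:
    """Return the 16-bit TCM from a sub-option 9 value, enforcing Len == 2."""
    if len(value) != TICKET_CONTROL_LEN:
        raise ValueError("Ticket Control sub-option length MUST be 2, got %d" % len(value))
    (tcm,) = struct.unpack("!H", value)  # unsigned 16-bit, network byte order
    return tcm


def encode_ticket_control_suboption(tcm: int) -> bytes:
    """Build the Code / Len / TCM bytes a DHCP server would send for a mask."""
    if not 0 <= tcm <= 0xFFFF:
        raise ValueError("TCM must fit in 16 bits")
    return bytes([TICKET_CONTROL_CODE, TICKET_CONTROL_LEN]) + struct.pack("!H", tcm)


def tcm_bits_set(tcm: int) -> List[int]:
    """Bit positions holding a 1, numbering bit 0 as the least significant
    bit (a numbering convention assumed here; which server or server group
    each bit addresses is defined in [4] and not reproduced)."""
    return [b for b in range(16) if (tcm >> b) & 1]


def ticket_control_from_ccc(payload: bytes) -> Optional[List[int]]:
    """Extract sub-option 9 from a CCC payload and return its set TCM bits,
    or None when the provider did not include the sub-option."""
    subs = parse_ccc_suboptions(payload)
    if TICKET_CONTROL_CODE not in subs:
        return None
    return tcm_bits_set(decode_ticket_control_mask(subs[TICKET_CONTROL_CODE]))


# Constructed sample: a CCC payload carrying some other 4-byte sub-option
# (code 1) followed by sub-option 9 with TCM = 0x0003.
SAMPLE_CCC = bytes([1, 4, 192, 0, 2, 10]) + encode_ticket_control_suboption(0x0003)

# Constructed malformed sample: sub-option 9 with Len = 1, violating the MUST.
BAD_CCC = bytes([9, 1, 0x03])

if __name__ == "__main__":
    print(ticket_control_from_ccc(SAMPLE_CCC))  # [0, 1]
    try:
        ticket_control_from_ccc(BAD_CCC)
    except ValueError as err:
        print("rejected:", err)
```

A CCD-side consumer would feed the value of the CCC option into `ticket_control_from_ccc` and, for each returned bit position, apply whatever invalidation action [4] assigns to that bit; a bit left at 0 means the normal invalidation rules of [4] continue to apply.  Rejecting a wrong-length sub-option outright, rather than reading whatever two bytes happen to follow, keeps a malformed or hostile DHCP answer from being interpreted as a ticket-control instruction.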