24 April 2014SKIT-DSN-1969 2.00
Confidential
NDS and Sky Italia
P r o x imi t y Con t r o l
Multi-room CA Proximity
Control
Feature Specification
NDS Limited 2014. All rights reserved. PROPRIETARY AND CONFIDENTIAL.
This document may include reference to technologies that use patents (pending or granted) which are owned by NDS Limited or third parties.
The use of such patents shall be subject to express written license terms. You shall not copy, disclose, reproduce, store in a retrieval system or
transmit in any form or by any means whether in whole or in part this document. NDS Limited accepts no liability and offers no warranty in
relation to the use of this document or any technology referenced herein as well as associated intellectual property rights except as it has otherwise
agreed in writing.
All trademarks and brands are the property of their respective owners, and their use is subject to license terms.
Total pages: 39
Doc. Title: Proximity Control
Multi-room CA Proximity Control
Feature Specification
Doc. No.: SKIT-DSN-1969 Classification: Confidential
Revision: 2.00 Restriction: NDS and Sky Italia
Date: 24 April 2014 Customer: Sky Italia
Owner: Max Sorkin Reviewers/
Approvers:
Julia Rabinovich
Moti Glick
Robert Noah
Ronen Rosenson
Author: Max Sorkin
Mike Steiner
Nadav Ramati
Contents
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 3
Contents
1 Preface .................................................. .................................................. ...............6
1.1 Abstract .................................................. .................................................. ............... 6
1.2 Purpose of This Document .................................................. ................................. 6
1.3 Using This Document .................................................. ......................................... 6
1.4 Applicability..................................... .................................................. .................... 6
1.5 References .................................................. .................................................. ........... 7
1.6 Terminology .................................................. .................................................. ....... 7
2 Solution Overview .................................................. ............................................9
2.1 Customer Requirements - STB .................................................. ........................... 9
2.1.1 Requirements for support of Companion Devices - Future ........... 9
2.2 Assumptions .................................................. .................................................. .... 10
2.3 General Description .................................................. .......................................... 10
2.3.1 Subscriber Management .................................................. .................. 10
2.3.2 Peer Definition .................................................. .................................. 10
2.3.3 Home network fingerprint .................................................. .............. 10
2.3.4 Proximity Check .................................................. ............................... 11
2.3.5 Periodic reportback .................................................. .......................... 12
2.3.6 Countermeasures - future .................................................. ............... 13
3 End-to-End Design .................................................. ..........................................14
3.1 External Interfaces .................................................. ............................................. 17
3.2 Subsystem requirements .................................................. .................................. 17
3.2.1 Headend .................................................. ............................................ 17
3.2.2 STB .................................................. .................................................. .... 18
3.3 Support for Companion Devices - future .................................................. ....... 18
3.3.1 Design .................................................. ................................................ 18
3.3.2 DTCP-IP RTT test .................................................. ............................. 19
4 Operator Use Cases .................................................. .........................................20
4.1 Configure Global Parameters .................................................. .......................... 20
4.1.1 Description .................................................. ........................................ 20
4.1.2 Preconditions .................................................. .................................... 20
4.1.3 Post-conditions .................................................. ................................. 21
4.1.4 Flow of Events .................................................. ................................... 21
4.2 Create Household .................................................. .............................................. 22
4.2.1 Description .................................................. ........................................ 22
4.2.2 Preconditions .................................................. .................................... 22
4.2.3 Post-conditions .................................................. ................................. 22
4.2.4 Flow of events .................................................. ................................... 22
4.3 Add Subscriber to Household & Enable Proximity Control in STB ............. 23
4.3.1 Description .................................................. ........................................ 23
4.3.2 Preconditions .................................................. .................................... 23
4.3.3 Post-conditions .................................................. ................................. 23
4.3.4 Flow of Events .................................................. ................................... 23
Contents
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 4
4.4 Remove Subscriber from Household .................................................. .............. 24
4.4.1 Description .................................................. ........................................ 24
4.4.2 Preconditions .................................................. .................................... 24
4.4.3 Post-conditions .................................................. ................................. 24
4.4.4 Flow of Events .................................................. ................................... 24
5 Internal use cases .................................................. ............................................25
5.1 STB registration in UHE – SAC1/2 establishment ........................................... 25
5.1.1 Description .................................................. ........................................ 25
5.1.2 Pre-conditions .................................................. ................................... 25
5.1.3 Post Conditions .................................................. ................................. 25
5.1.4 Flow of events .................................................. ................................... 26
5.2 Send Report to Headend .................................................. .................................. 27
5.2.1 Description .................................................. ........................................ 27
5.2.2 Preconditions .................................................. .................................... 27
5.2.3 Post-conditions .................................................. ................................. 27
6 STB Use Cases .................................................. .................................................2 8
6.1 Trigger STB to check whether Proximity Control is Enabled........................ 28
6.1.1 Description .................................................. ........................................ 28
6.1.2 Precondition .................................................. ...................................... 28
6.1.3 Post- Conditions .................................................. ............................... 28
6.1.4 Flow of events .................................................. ................................... 28
6.2 Proximity Check .................................................. ................................................ 29
6.2.1 Description .................................................. ........................................ 29
6.2.2 Preconditions .................................................. .................................... 29
6.2.3 Post-conditions .................................................. ................................. 29
6.2.4 Flow of Events .................................................. ................................... 30
7 Proximity Check Configuration Parameters ................................................31
7.1 Proximity Configuration Parameters........................................ ........................ 32
7.1.1 Max RTT .................................................. ............................................ 32
7.1.2 Time Windows .................................................. .................................. 32
7.1.3 Parameters Delivery and Processing ............................................... 33
8 Proximity diagnostics .................................................. .....................................34
8.1 Information about this device .................................................. .......................... 34
8.2 Information about peer devices .................................................. ....................... 34
Appendix A SMS->EMMG protocol changes ...........................................35
A.1 Proximity parameters configuration .................................................. ............... 35
A.2 Trigger immediate proximity reportback .................................................. ...... 36
Appendix B Proximity report data format .................................................3 7
Change History........................................... .................................................. .............38
List of Tables
Table 1 References .................................................. .................................................. ........... 7
Table 2 Terminology .................................................. .................................................. ....... 7
Table 3 Component Descriptions .................................................. .................................. 15
Table 4 External Interfaces .................................................. ............................................. 17
Contents
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 5
Table 5 Proximity Configuration Parameters........................................ ........................ 31
Table 6 Device information diagnostics .................................................. ....................... 34
Table 7 Peer STB diagnostics information .................................................. ................... 34
Table 8 Proximity Control Definition .................................................. ........................... 35
Table 9 Trigger proximity reportback. T020 DataToIRD format ................................ 36
Table 10 Proximity r eport data format .................................................. ........................... 37
List of Figures
Figure 1 Proximity Check Timeline .................................................. ................................ 12
Figure 2 High-level Components .................................................. ................................... 14
Figure 3 Proximity Control – ‘Headend Use Cases’ Use Case Diagram .................... 20
Figure 4 ‘Configure Global Parameters’ Sequence Diagram ........................................ 21
Figure 5 Create Household. Sequence diagram .................................................. ........... 22
Figure 6 Add Subscriber to Household .................................................. ......................... 23
Figure 7 Remove Subscriber from Household .................................................. .............. 24
Figure 8 STB Registration. Sequence Diagram .................................................. ............. 26
Figure 9 ‘Proximity Check’ Sequence Diagram .................................................. ............ 30
Preface
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 6
1 Preface
1.1 Abstract
Sky Italia offers its subscribers a Multivision deal where subscribers to having
multiple STBs for a single home are offered discounted rates for multiple STBs.
However, without the necessary provisions, this business model may be exploited
by a subscriber and/or a third-party dealer by distributing the discounted STBs
amongst several individual homes.
This document outlines the end-to-end architecture for an IP-based solution to
combat this exploit. By allowing the Sky Italia to designate STBs to a specific
household, each STB can determine if it is within reasonable physical proximity of
a peer STB on a local home network, and enforce Sky Italia Multivision policy.
Also, with the increasing ubiquity of companion devices such as tablets, Sky Italia
has also requested to enforce proximity control also for companion devices in a
home. Proposed solution answers this additional requirement.
Note Support of unmanaged devices will not be included in the first release.
1.2 Purpose of This Document
The purpose of this document is to describe the end-to-end architecture and
design for the proposed solution.
1.3 Using This Document
This document shall be used by Cisco project teams and Sky Italia to understand
the end-to-end architecture for the solution.
1.4 Applicability
The solution is applicable to IP enabled STB devices connected to one another via
a home network. The home network must include an IP router.
Although the overall design described in this document may be applicable to a
variety of consumer devices, the scope of this document is limited to address
Proximity Control between STB devices in a multi-room environment.
Preface
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 7
1.5 References
Table 1 lists documents and other reference sources containing information that
may be essential to understanding topics in this document.
Table 1 References
Designation Title
1. External document DTCP Volume 1 Supplement E Mapping DTCP to IP Revision
1.4 (Informational Version)
2. SKIT-T-020 SMS – EMMG protocol
1.6 Terminology
Table 2 provides a short glossary of any terms crucial to the understanding of this
document, and lists the acronyms and abbreviations used in the document.
Table 2 Terminology
Term Definition
EMM Entitlement Management Message
EMMG Entitlement Management Message Generator
Final RTT The lowest valued RTT from a batch of multiple, consecutive
proximity tests.
Home Network An ordinary Ethernet LAN in one of the following configurations:
A wired network where all hosts are connected to the same
default gateway through a hub or a switch; or
A wireless network where all hosts are connected to the
same default gateway through a wireless access point in the
infrastructure mode; or
A combination of a. and b.
Note
These configurations assume that all hosts in the network
are on the same IP subnet.
Household (HH) A physical location where multiple STB devices are connected to
each other via an Ethernet network switch. The STBs in a
household must reside on the same network segment. Also, an
entity in UPM containing the list of device sharing the same
domain k€ys.
ICD Interface Control Document
Last Success Time The time and date of the last successful proximity check was
performed.
Maximum RTT Threshold
(Max RTT)
The maximum roundtrip time (RTT) permissible between 2 STB
devices to achieve a successful proximity test.
Network footprint A set of parameters identifying a home network environment,
e.g. home router MAC address, external IP address, etc.
Preface
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 8
Term Definition
Peers A group of STB devices that are supposed to be connected to the
same home network and monitored for proximity.
Peer List A list of IP hosts (peers) identified by a UPnP discovery process
Proximity Control A term used to describe the feature used to detect if 2 STBs are
within reasonable physical proximity of one another.
PCS Proximity Control Service - a Sky Italia server that receives
Proximity reports sent by STBs.
Proximity Check A routine periodically performed by initiating multiple proximity
tests with various peers. The result of a proximity check is
referred to as the proximity status.
Proximity Test A secure “handshake” used by a Cisco STB device to authenticate
another peer Cisco STB device. The proximity test also
determines the latency between the 2 peers (RTT).
Proximity State The status, i.e., result, of a proximity check.
RTT Roundtrip Time. The term refers to the amount of time it takes
for an STB to successfully perform a proximity check with a peer
STB. A high latency RTT may indicate foul play.
SAC Secure Authenticated Channel
A channel of communication, where all messages are signed and
encrypted, and where both peers (and their k€ys) are mutually
authorized.
Shared Domain k€y
(SDK)
A secret k€y which is shared with all STBs in a household, and
securely delivered to each STB respectively.
STB Chipset A zerialized chipset containing a secrets protected by Cisco Chip
zerialization services
UDK Unique Device k€y. This k€y is used to encrypt device-specific
data.
UDKC Unique Device k€y Challenge
UPnP Universal Plug n Play
VIP Verifier Information Packet
Solution Overview
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 9
2 Solution Overview
2.1 Customer Requirements - STB
Sky Italia shall be capable of reasonably ensuring that multiple STB devices
on a home network are used only within the same home network.
The proximity check shall be reasonably secured against exploitation.
The solution shall provide Sky Italia back office with sufficient information
for deciding whether to grant a Multivision discount to a user.
The information shall be provided in a secure manner over a secure link
between the STBs and the Headend
The system shall scale easily to support a large sized network.
2.1.1 Requirements for support of Companion Devices - Future
Note For these, an STB will be a reference point.
In order to support the companion device proximity check it is suggested to
use DTCP-IP RTT test
Sky Italia will have to purchase DTCP-IP certificates from DTCP Licensing
Authority (DTLA) to be used by the STBs and ingest them into Cisco
Headend
All STBs in a home will be able to play a role of DTCP-IP server
2.1.1.1 Requirements for the companion devices
Note Companion device software will not be developed by Cisco, therefore
Cisco is not responsible for the proximity control enforcement by these
devices.
Companion device shall be able to discover a Cisco STB on the home network
using standard UPnP discovery mechanisms
Companion device shall support DTCP-IP protocol
After success of a DTCP RTT test with a discovered STB the companion
device shall extract the STB DTCP device ID. The system that manages the
companion device shall be able to identify whether the reported DTCP device
ID is associated with the desired household.
Solution Overview
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 10
2.2 Assumptions
Devices will be capable of communication with one another using TCP/IP
protocol
The home network will have a single router device.
The home network will properly support standard DHCP protocol.
The home network will support UPnP protocol.
The hardware and software of peer STBs devices is trusted.
All non-Cisco elements of the home network are not trusted.
The home network will be connected to the broadcaster’s head-end by IP
connection via home router.
2.3 General Description
The main functionality for the system includes the following elements:
2.3.1 Subscriber Management
Sky Italia creates a household entity for each Multivision household containing
STB devices requiring Proximity Control.
Sky Italia associates CA Subscribers with a specific household. This may be
performed when creating or modifying a subscriber in the Cisco Headend.
2.3.2 Peer Definition
The Cisco Headend system automatically generates and securely provides a
“Shared Domain k€y” and other complimentary data elements (used for
configuration, etc.) to each STB, when it’s added to a household.
Each STB generates a peer list by means of UPnP-based discovery mechanism.
Only devices of type STB are listed. The peer-list is dynamically managed by each
individual STB on the home network. After submitting a report to the Headend
STB resets the peer list.
2.3.3 Home network fingerprint
The STB client gathers the fingerprint of the network that it is operating in. This
may include:
The STB’s own IP and Mac addresses
Default gateway’s internal IP and MAC addresses
IP and MAC addresses of identified STB peers
This information is used in the Headend to check whether all the STBs are
reporting from the same network environment.
The STB submits the fingerprint of its home network to the Headend while the
Headend records the source IP address of the fingerprint.
Solution Overview
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 11
2.3.4 Proximity Check
Each STB device performs periodic proximity checks with all peers that appear in
its list and are discovered by this STB in the home network. The STB manages the
peer list the proximity check status for each peer. The proximity check status
could be:
Peer discovered and proximity check succeeded
Peer discovered and proximity check failed
RTT above threshold
Ping failed (TTL exhausted)
The STB checks for the available STB peers on the network using UPnP discovery.
In addition the STB support the UPnP subscription mechanism which notifies the
STB when a peer has become available on the network.
Proximity check invokes multiple proximity tests over the LAN with each peer in
the peer list. The proximity tests are performed over a Secure Authenticated Channel
(SAC).
The purpose of the proximity check is to authenticate the peer, and reliably measure
the round-trip time (RTT) between the source and destination peers.
The proximity check limits the TTL (Time-To-Live) to three hops in order to
prevent use of VPN tunnels as a mean to bypass the proximity check for STBs
which are not in the household.
If the proximity check succeeds so that the RTT with a particular peer is within the
permissible threshold (n milliseconds), the positive result for this peer is recorded
by the source STB. The threshold value may be configured globally.
Secure Authenticated Channel (SAC)
Authenticates the peer to ensure the peer is a genuine STB provided by
the Sky Italia, and a valid member of the household
Offers an encrypted communication path between STB peers to perform
proximity tests.
Proximity Test
Accurately measures the roundtrip-time (RTT) between the source and
destination peer
Performed multiple times concurrently during each proximity check. The
success or failure result is reported to MW. MW may query the actual
RTT of the test.
Performed periodically in accordance with the peer’s IP connectivity
status. The frequency of proximity check may be increased in the event
of failed proximity check.
Test results are stored securely in a sustainable storage so that it will be
available after a STB power-off or standby.
Solution Overview
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 12
Figure 1 describes the proximity check timeline:
Timeline
PT OK PT NOK
PT – Proximity test
PT OK PT OK
State = “Suspected”
Display warming period
PT NOK PT NOK
Show Warning
OSD
PT NOK PT OK
State = “Normal Operation”
Submit immediate report
Remove OSD
Normal operation
Immediate report sent to HE
Option: User is notified by non blocking OSD
Show Warning
OSD
Normal operation
Submit periodic report
Normal operation
Submit periodic report
PT NOK PT NOK
Validity Window
Figure 1 Proximity Check Timeline
2.3.5 Periodic reportback
Each STB submits proximity state reports to the Headend over secure connection
(SAC2). The report includes the following information:
STB and household identity
Note Domain_id (which is not same as Household ID in UPM) is reported as the
household identity. This allows Sky Italia Headend component to group
reports belonging to the same household.
However, this ID can not be used for querying (or exporting) household
information from UPM. If full UPM household information is required, it
can be queried using STB ID of any of the STBs belonging to the
household.
Network fingerprint
Proximity test results since the previous report
Proximity test status per discovered peer
Last time of successful proximity test per peer.
The report is sent as a payload of HTTP POST message. The format of the message
is described in see Appendix B Proximity report data format.
In addition, PCS shall retrieve the home router external IP address from XFF
HTTP header.
The reports are submitted:
Periodically, e.g. once a week
Immediately in the case a proximity test with at least one of the peers failed,
i.e. RTT is greater than the threshold, or failed because of TTL
Immediately in case the proximity state succeeds after being unsuccessful.
Solution Overview
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 13
If the STB fails to send a report, it will keep collecting the information and retry
sending the report every [N] minutes until it succeeds.
The reports are stored in Sky Italia Proximity Control Service (PCS), from where
they can be used by Sky Italia for further analysis.
Based on the information in the reports Sky Italia may take an action:
In case not all STBs submitted reports – send OSD to all STBs requesting to
connect the STB to the network
In case of proximity test failure or reports having different network
fingerprints – cancel Multivision discount (perhaps after sending a warning,
etc.)
2.3.6 Countermeasures - future
An STB which has entered the “Suspected” state will trigger a proximity report
submission, and in addition, may display a dismissible OSD warning about
Multivision rules breaking. The OSD text may advise the consumer on methods to
remedy the problem.
STB configuration controls whether such an OSD should be displayed.
The validity period of the proximity checks shall be configurable.
If configured to use the warning OSD:
The warning period is configurable
The warning OSD will be dismissible during this period
The warning OSD will be displayed in a periodic fashion
The warning OSD frequency will be configurable.
While in suspected or not connected states, the STB will increase the rate at which
it performs proximity checks in order to facilitate a timely recovery once the
problem has been solved.
Once the problem is solved and a successful proximity check occurs, the STB will
automatically remove the OSD and submit a proximity report with the updated
state to the Headend.
The STB will not apply any sanctions that block TV viewing. It is up to Sky Italia
Headend to apply sanctions such as canceling Multivision discount or blocking
the viewing.
End-to-End Design
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 14
3 End-to-End Design
Figure 2 shows the high-level components that participate in Multi-room CA
Proximity Control:
Unmanaged Unmanaged IIPP NNeettwwoorrkk
SMS EUS
SGW
Define Household
SAC
SAC
Retrieve SDK
Submit report
EMMG EMMs
- HH Mgmt
- Config params
DRMS
- Registration
- SAC1,2
UPM
Retrieve/modify HH and device info
VGS AUS
VSCC
Proximity Control Service
- Headend Evaluation()
Proximity Report
OOppeerraattoorr RReeppoorrttss
Home Network
STB +
DRM-A
STB +
DRM-A
UPnP &
Proximity Check
(SAC4)
STB +
DRM-A
UPnP &
Proximity Check (SAC4)
UPnP &
Proximity Check (SAC4)
Home Router
UPnP &
Proximity Check
(DTCP-IP)
Companion
Comdpeavniicoen
device
SDLLG
- DTCP certificates
ingest and storage
Figure 2 High-level Components
End-to-End Design
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 15
Table 3 describes the components depicted in Figure 2 above.
Table 3 Component Descriptions
Component Description
SMS The Cisco customer’s SMS. It shall support the ability to manage
the Multivision households – Create, Add or Remove STBs, Delete.
Furthermore, the SMS may activate/deactivate the Proximity
Control feature by authorizing/reauthorizing a named parameter
EMMs and setting of personal bits.
The SMS may also toggle the countermeasure functionality by
enabling/disabling a predefined Personal Region Bit.
SMS may trigger an immediate STB report of the proximity state.
SMS may send OSD to be displayed on the STBs belonging to a
household.
EMMG Receives and stores subscriber provisioning data from the SMS.
STB STB devices are connected to the same home network via an
Ethernet-based medium.
The STB implements the following functionality:
Dynamically manages a peer list using UPnP-based discovery
Authenticates peers by using SDK to establish a SAC4
Performs periodic proximity checks to determine physical
proximity to the required number of peers
Performs reportbacks to the Headend via SGW – periodic or
immediate
Implements countermeasure if final elapsed time is has
exceeded (optional, configurable)
Home Network A consumer’s Ethernet LAN, consisting of a single network subnet
connected to a single default gateway (home router).
All STB devices connected to a single home network are considered
to be in reasonable physical proximity of one another.
Home Router An untrusted, third-party hardware device which allows for a single
Internet connection to be shared between multiple devices in a
household.
The Home Router provides DHCP services to the devices on the
home network. The Home Router shall allow UPnP.
Broadcast Network This is the Sky Italia one-way digital broadcast network and EMM
delivery path.
SGW Responsible for establishing a client/server SAC1 and SAC2 secure
channel Interface) based on client authentication
DRM Server The DRM Server supports STB proximity client registration in the
Headend.
Delivers Shared Domain k€y and hardened DTCP certificate to STBs
in a household.
Provides DTCP certificate to UPM to support refresh on the client
side.
SDLLG Stores DTCP certificates received from the License Authority. A
certificate is provided to DRMS upon STB registration.
End-to-End Design
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 16
Component Description
EUS EMM-UPM Synchronizer synchronizes the household state managed
by SMS in EMMG with the UPM.
UPM User Profile Management stores the household information
Proximity Control
Service (PCS)
A Sky Italia server that receives and stores STB proximity reports.
These reports are used by Sky Italia for data mining.
The server is placed behind the SGW, so the communication
between the STB and PCS is authenticated and encrypted.
Companion device
(none or more)
Discovers an STB in the home network. Checks the proximity to
that STB using DTCP-IP RTT test.
NDS is not responsible for the Companion device application,
therefore it is up to Sky Italia to define the Multi-room
enforcement rules for the companion devices.
End-to-End Design
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 17
3.1 External Interfaces
Table 4 describes the external interfaces throughout the system.
Table 4 External Interfaces
Participants Interface Description
SMS<->EMMG SKIT-T-020 Used by Sky Italia to provision subscribers and
households, activate/deactivate Proximity
Control, and send OSD messages to STBs.
Also allows sending immediate Proximity
Reportback trigger.
Headend Operator ->
EMMG
SKIT-T-020 A Headend Operator can tweak the following
global configuration parameters related to
Proximity Control:
Maximum RTT Threshold
Proximity Time windows
Reportback configuration
STB<->Router Ethernet The network interface is used for DHCP, UPnP
peer discovery and proximity checks.
STB registration with Cisco Headend and reports
are sent to the Headend over IP via the Router.
3.2 Subsystem requirements
3.2.1 Headend
1. Support Household management in EMMG
2. Support Household information synchronization between EMMG and UPM
3. Support STB registration in UPM using STB chip security
4. Support SAC2 handling
5. Support proximity reports
Reception over SAC2
Storing the reports persistently
6. Allow Sky Italia tools to retrieve and delete the submitted proximity reports
End-to-End Design
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 18
3.2.2 STB
1. Support registration in the UPM using chip security
2. Support proximity check functionality as defined in this document
Proximity state, including the peer list, management
The proximity test results shall be stored persistently in the STB between
the reportbacks, keeping the data through STB power cycles and/or SC
removals/insertions.
Peer discovery
Proximity check based on RTT/TTL over SAC4 with the peers
Submission of proximity reports to Proximity Control Service in the
Headend over SAC2.
3.3 Support for Companion Devices - future
3.3.1 Design
3.3.1.1 Cisco Headend
DTCP IP certificates shall be received from the License Authority and will be
ingested into the Headend
On STB registration a DTCP certificate from the pool will be delivered to the
STB
Headend will extract the DTCP device ID and other certificate information
from the certificate and store it in the UPM within the registered STB record
UPM will make this DTCP device ID available for querying. Alternatively,
UPM could export this information.
3.3.1.2 Client side
The clients will discover a STB via UPnP/DLNA.
Clients will run DTCP-IP RTT test against the STB.
Clients will extract the DTCP device ID from the certificate provided by the
STB
Client shall be able to check whether this DTCP device ID is associated with
the desired household, either by looking up a list of allowed IDs managed
within the application, or by sending a request to an Application server.
Sky Italia back office shall be able to query Cisco Headend household
information to retrieve a list of DTCP device IDs of the STBs
Client will examine the result of the above test and take the defined action.
End-to-End Design
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 19
3.3.2 DTCP-IP RTT test
For the details of the test see section V1SE 10.5 of the external document “DTCP
Volume 1 Supplement E Mapping DTCP to IP Revision 1.4 (Informational
Version)”.
Note According to the DTCP-IP specification, a DTCP source function should
keep an RTT registry of devices that have performed successfully RTT.
This means that, once the RTT is passed, RTT will not be performed on
subsequent AKE until the sink device is removed from the registry. By
default, this occurs after 40 hours of content transmission
Operator Use Cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 20
4 Operator Use Cases
This section describes the main use cases relevant to the Sky Italia. The use cases
are summarized in Figure 3 below, and described in the later sections of this
chapter.
Figure 3 Proximity Control – ‘Headend Use Cases’ Use Case Diagram
4.1 Configure Global Parameters
4.1.1 Description
A Cisco Engineer may configure various global parameters that impact the
behavior of Proximity Control, as outlined in table 5 “Proximity Configuration
Parameters.”
4.1.2 Preconditions
Proximity Control behavior is enabled in EMMG global configuration
uc Headend use cases
Cisco UHE
EMMG
(from Headend)
Create New Household
SMS
(from
Actors)
(from Headend)
Add Subscriber to HH
(from Headend)
Remov e Subscriber
from HH
HE Operator
(from
Actors)
(from Headend)
Configure User
Parameters
(from Headend)
Activ ate/Deactiv ate
Proximity Control in
STB
Analyze reports
Operator Use Cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 21
4.1.3 Post-conditions
EMMG generates a generally addressed EMM containing configuration data
Variable (see below)
4.1.4 Flow of Events
Figure 4 ‘Configure Global Parameters’ Sequence Diagram
sd Configure User Parameters
HE Operator
(from Actors)
«resource»
EMMG Database
«component»
EMMG
STB
Cisco
Third Party
Cisco Resource
Legend
alt
[or]
opt if Proximity Control is == Enabled
Set Proximity
Configuration
Paramaters(Max RTT,
Time Unit ID, Number of
status levels, per each
status level: Level id,
Time window duration,
proximity check
repetiotion rate)
Generate
Config EMM()
The EMMG generates or updates a generally
addressed EMM containing the configuration
data.
Store EMM()
The EMMG stores the Named Parameter EMM
to the database.
Carousel
Config
EMM()
The EMM is transmitted to all STBs in the
population.
Operator Use Cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 22
4.2 Create Household
4.2.1 Description
Multivision enforcement is applicable only to STBs within the same household. If
there is no household provisioned in the Cisco Headend, Sky Italia SMS has to
define a household.
4.2.2 Preconditions
None
4.2.3 Post-conditions
Household entity created
“Shared Domain k€y” (SDK) generated and stored
4.2.4 Flow of events
The flow of events for create household is a generic one, but in case of Multivision
it triggers household creation in UPM.
Figure 5 shows the flow of household creation.
Figure 5 Create Household. Sequence diagram
sd Create New Household
SMS
«component»
EMMG
«resource»
EMMG Database
«component»
EUS
«component»
UPM
Cisco
Third Party
Cisco Resource
Legend
CreateHousehold()
StoreHouseholdInfo()
household_id()
GetHouseholdInfo()
CreateHousehold(household_id, stb_id)
GenerateSDK(household_id)
Operator Use Cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 23
4.3 Add Subscriber to Household & Enable Proximity Control
in STB
4.3.1 Description
Sky Italia adds to the household all the STBs (CA subscribers) of a Multivision
user.
By adding the subscriber to the household, the SMS authorizes the proximity
control feature by setting a region bit in the smart card on the STB. This is
achieved via a T020 interface between the SMS and EMMG. In this way, the SMS
can trigger an EMM to be played out to the target STB so that the region bit on its
smart card is set accordingly. The default value of this region bit on all smart
cards in all STBs is “0”- meaning proximity check is disabled. Setting of this
region bit is required in order for the STB to perform proximity control.
The region bit used for proximity control is bit 31 in area D.
4.3.2 Preconditions
CA Subscriber is created
Household is created
4.3.3 Post-conditions
Subscriber is associated with household
New STB is added to the household definition in UPM
New STB registers in UPM via SGW and DRMS
Proximity checks are performed by the STB.
4.3.4 Flow of Events
Figure 6 Add Subscriber to Household
sd Add Subscriber to M-v ision HH
SMS
(from Actors)
«component»
EMMG
«component»
EUS
«component»
UPM
«component» STB
SGW
«component»
DRMS
seq SAC1/SAC2 establishment
[Not yet registered in UHE]
Cisco
Third Party
Cisco Resource
Legend
AddSubscriberToHH(subscriber_id, household_id)
GetHouseholdInfo()
UpdateHouseholdInfo(household_id, stb_id)
EnableProximityCheck(ca_subscriber_id)
SendEMM()
GetnetworkFootprint()
Operator Use Cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 24
4.4 Remove Subscriber from Household
4.4.1 Description
Sky Italia removes a subscriber provisioned for Multivision from the relevant
household entity. This is achieved via a T020 interface between the SMS and
EMMG. In this way, the SMS can trigger an EMM to be played out to the target
STB so that the region bit on its smart card is set back to its default value of 0
(disabled).
4.4.2 Preconditions
Subscriber is created
Household is created
4.4.3 Post-conditions
Subscriber is removed from household
Proximity Control is disabled for subscriber
STB is unregistered from the household in UHE
DRMA in STB is deactivated
STB stops sending proximity status reports to Headend
STB is not discoverable by the peers in the home network.
4.4.4 Flow of Events
Figure 7 Remove Subscriber from Household
sd Remov e Subscriber from HH - 2
SMS
(from Actors)
«component»
EMMG
«component»
EUS
«component»
UPM
STB
Cisco
Third Party
Cisco Resource
Legend
RemoveSubscriberFromHH(household_id, subscriber_id)
GetHouseholdInfo()
UpdateHouseholdInfo(household_id, stb_id)
DisableProximityCheck(ca_subscriber_id)
SendEMM()
DeactivateDRMA()
Internal use cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 25
5 Internal use cases
5.1 STB registration in UHE – SAC1/2 establishment
5.1.1 Description
Proximity checks are performed over SAC4 allowing secure communication
between peer STBs.
Establishing SAC4 between the STBs requires STB being registered in UHE. STB
registration process includes one-off establishment of SAC1. At the end of SAC1
the STB receives an identity object that is used from this time and on for
establishing SAC2. The STB is using SAC2 in order to submit the proximity status
reports to the Headend.
The following flow describes the establishment of SAC1 and SAC2.
Note STB registration in the Headend is not directly related to the Multivision
enforcement. Rather, this registration, including SAC1/SAC2 provide an
infrastructure used by the STB for the proximity testing and reporting.
5.1.2 Pre-conditions
A household is created in the EMMG and UHE.
STB is a part of a household. STB information in the household include
STB_ID and Chip_ID which allows performing chip-based authentication
zerialization data loaded for all STBs into UHE DB to support Chip ID based
authentication
5.1.3 Post Conditions
STB is registered in the UHE and SAC2 is established and maintained
between the STB and the Headend
The STB can establish SAC4 with the peers in the household for proximity
checks.
Internal use cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 26
5.1.4 Flow of events
Figure 8 STB Registration. Sequence Diagram
sd STB Registration
DRMA SGW VGS AUS - VSCC DRMS UPM
Open SAC1(deviceId =
ChipID)
Validate(challenge, response)
return(OK)
return (OK)
GetIdentityDiscoveryOverSAC1(STB ID, Chip ID)
GetHouseHold(STB ID)
return(householdId)
return(discovery request Security Object)
GetIdentifyOverSAC1(Chip ID, STB ID, Chip ID discovery response)
QueryDevice(STB ID)
return(householdId)
CreateSystemDeviceId()
Update(systemDeviceId)
CreateUserId(domainId, systemDeviceId)
return(identity Security Object)
Open SAC-2(identity cookie, challenge, response)
return(SAC-2 cookie)
Get Domain Info (SAC2 cookie, Devide Id, Domain Id)
Query Domain info(Device Id, Domain Id)
return(domain info: list of device ids, device types)
return(Domain info: lidt of device ids, device types)
Internal use cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 27
5.2 Send Report to Headend
5.2.1 Description
Every connected STB participating in Multivision will submit regular reports to
the Headend. The report contains the network fingerprint information and the
proximity test results.
The report is sent to the Headend over SAC2, to protect the report information.
STB will use “PCS” alias as a target for the reports.
The reports will be sent as a payload of HTTP POST message.
5.2.2 Preconditions
STB is registered in the UPM
STB is participating in Multivision, i.e. the respective personal bit is set in the
smartcard
SAC2 is established
Note In the scope of this feature there is no specific requirement on whether
SAC2 shall be maintained at all times, or established just before the
report sending to the Headend.
At least one of two conditions is met:
Periodic report time has come, or
A proximity test with at least one of the peers has either actually failed,
i.e. either the ping to a discovered peer didn’t reach the destination, or
RTT is above the threshold, or recovered from a failure.
5.2.3 Post-conditions
Report has been submitted and stored in the Headend
STB sets the time for the next report submission, according to the
configuration.
STB Use Cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 28
6 STB Use Cases
6.1 Trigger STB to check whether Proximity Control is
Enabled
6.1.1 Description
The following scenarios will trigger the STB to check whether Proximity Control is
enabled or disabled.
6.1.2 Precondition
None
6.1.3 Post- Conditions
None
6.1.4 Flow of events
The following scenarios trigger the STB to check whether Proximity Control is
enabled or disabled:
1. On receipt of an EMM from the Headend to set/reset the Region Bit on the
smart card to enable / disable Proximity Control
2. After the STB is powered off and rebooted: it will check the Region Bit on the
Smart Card to determine whether Proximity Control is enabled or disabled
3. Smart card removal / insertion: the STB will check the Region Bit on the
Smart Card to determine whether Proximity Control is enabled or disabled
Note While the smartcard is removed the user can’t watch Sky Italia content.
The proximity check and reporting to the Headend are not performed.
STB Use Cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 29
6.2 Proximity Check
6.2.1 Description
If the STB is enabled for proximity check, the STB periodically performs secure
proximity checks to enforce Sky Italia Multivision policy, as described in
Section 2.3.4 Proximity Check. Each STB must perform a successful proximity
check at least once within the defined period (i.e. proximity validity window) for STB
proximity to be considered non-suspect.
If the feature is enabled for a given STB and the proximity checks fail the STB shall
submit an immediate report to the Headend. Optionally, it may display a warning
dismissible OSD at a configurable frequency. Once the problem is solved STB
shall submit a report to the Headend and to clear the OSD if it is shown.
Note Currently the OSD will not be supported.
6.2.2 Preconditions
Subscriber is provisioned with Proximity Control enabled.
Subscriber has received all Proximity Control provisional data elements
STB is connected to the home IP network
UPnP is enabled in the home network
STB has successfully registered and established SAC2 with the Headend.
6.2.3 Post-conditions
Proximity state updated
If test failed or reportback time period expired – report submitted to
Headend.
STB Use Cases
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 30
6.2.4 Flow of Events
Figure 9 ‘Proximity Check’ Sequence Diagram
sd Proximity Check - M-v ision
:DRM Agent «system»
:Peer STB
Proximity Control
Service
STB SW
loop proximity check
[periodically according to configuration per time window]
loop for each discov eed peer
loop proximity test
[if SAC == established {and} iteration <= 50]
Get STB List()
STB List(STB Qty, Device IDs, Device Type)
UPnP Discovery or UPnP notification(ID, IP_address)
Filter UPnP list()
PerformProximityCheck()
Setup SAC with Peer IP()
Proximity Test()
Proximity Test Response(Status, RTT)
ProximityTest Response(Status, Final RTT)
UpdateProximityCheckState(ID, date_time, status)
[Proximity failed {or} reportback period expired]:SubmitReport()
Proximity Check Configuration Parameters
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 31
7 Proximity Check Configuration Parameters
Table 5 provides the configurable items for proximity control, describing each
configurable item, its range and default values.
In addition parameters configuration specification is detailed in section 7.1.
Table 5 Proximity Configuration Parameters
Configurable Item for
Proximity Control
Description Range Default Value Comments
Max RTT Threshold The maximum roundtrip time (RTT)
permissible between 2 STB devices
to achieve a successful proximity
test.
1-255 ms 7 ms Global and STB
specific.
Controlled by
System Engineers.
Note- a different
value should be set
for wired
connectivity and
wireless/mixed
connectivity
Proximity validity
window
The maximum time for a successful
proximity check to remain valid.
This is mapped to status level 0’s
time window duration defined
in 7.1.2 “Time Windows”
1-255 days 7 days Global and STB
specific.
Controlled by
System Engineers
Proximity check ratevalidity
window
The proximity check frequency while
in validity window.
This is mapped to status level 0’s
proximity check repetition rate
defined in 7.1.2 “Time Windows”
1-255 units
of 15 sec.
80 units
(=20 mins)
Global and STB
specific.
Controlled by
System Engineers
Proximity check ratedisplay
warning window
The proximity check frequency while
in warning time window.
This is mapped to status level 2’s
proximity check repetition rate
defined in 7.1.2 “Time Windows”
1-255 units
of 15 sec.
100 units (=25
mins)
Global and STB
specific.
Controlled by
System Engineers
Periodic repeat rate of
warning message
The rate for displaying a dismissible
warning OSD.
1-255
mins
30 mins.
Global and STB
specific.
Controlled by
System Engineers
Proximity report
submission period
The period between submitting two
subsequent proximity reports while
in the ‘Normal Operation’ state
1 – 180 days 30 days Controlled by Sky
Italia
Proximity Check Configuration Parameters
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 32
7.1 Proximity Configuration Parameters
In order to configure the proximity check time windows, to allow specifying
status levels of time windows and their properties, the following parameters will
be defined:
1. Max RTT
2. Time Unit
3. Number of status levels
Per each status level:
4. Level ID
5. Time window duration
6. Proximity check repetition rate
The configuration parameters will be sent either to a unique STB or in a global
fashion. If both global and unique setting is set to the box, the unique setting will
take precedence.
7.1.1 Max RTT
Defines the Maximum RTT threshold. This threshold defines the maximum RTT
time which is treated by the STB as a successful result.
The RTT threshold could be defined according to the household physical
connectivity scheme – accommodating wired, wireless and mixed connectivity
schemes.
Max RTT will be delivered to the STB in a single Byte presenting Max RTT in
milliseconds, range: 0-255 msec.
7.1.2 Time Windows
The following will define the time windows:
Time Unit - defines the time units used to set the windows time duration,
this impacts the windows duration field only, allowing to set it in different
time units as required.
The range is 0,1,2:
0- days
1- hours
2- minutes
Number of status levels - defines the number of status levels managed by the
proximity manager. Two levels will be used.
Proximity Check Configuration Parameters
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 33
Level ID - defines the status level; this status level will be reported to the
sanction manager which will select the appropriate sanction depending on
the level reported. Two levels are applicable –
Validity Window – level 0
Display Warning Window – level 1
Time window duration - duration of the status level in time units defined
above.
The time window will be measured from the end of the previous window. Level
ID and Time window duration will be provided per all the levels defined in
Number of status levels.
Note Time window duration of the highest level (display warning) is not
bounded. Exit from this window is a successful proximity test.
Proximity check repetition rate – defines the proximity check repetition rate
for the specified level in units of 15 seconds.
7.1.3 Parameters Delivery and Processing
The parameters defined above will be delivered from the headend to the
proximity manager by EMM. The proximity manager is responsible for parsing
and processing these parameters.
Proximity diagnostics
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 34
8 Proximity diagnostics
The following diagnostics will be available in the STB proximity diagnostics
screen
8.1 Information about this device
Table 6 Device information diagnostics
Item value comments
Proximity Checking Enabled / Disabled
Headend Communication
Status
Ok/Failed Indicates if the STB
received a DRM identity or
not- “DRM Activation
Status”
IP Status Ok/Failed Same as IP Connection
Status in the IP diagnostics
screen
Domain ID xxxxxxxxxxxxx The DRM Domain ID in UPM
UPM device ID Xxxxxxxxxxxxx Device ID in UPM
Total Number of peer devices
in the Home
# of peer STBs The number of peer STBsreceived
from the Headend
8.2 Information about peer devices
Table 7 Peer STB diagnostics information
Item value comments
Per each peer device (e.g. device 1 of 2)
Device ID xxxxxxxxxxxxx This is received from the
peer STB discovered over
UPnP
Last Status Reported Ok/Failed/Not found
Last Time Updated dd/mm/yyyy , hh:mm:ss
Last Time Successful dd/mm/yyyy , hh:mm:ss
Last response time xxxxxx this is the obfuscated “RTT”
value
Appendix A - SMS->EMMG protocol changes
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 35
Appendix A SMS->EMMG protocol changes
A.1 Proximity parameters configuration
This appendix lists the details of setting the proximity parameters configuration in
the STB by the Headend. The control is achieved via T020 ‘Data To IRD’ action.
The table below defines the “Data to IRD” payload.
Table 8 Proximity Control Definition
Offset Length comment
2 Action type - 24 (TBC)
0 1 Round trip time in milliseconds. Value of 0 used if correction not
required (see section 7.1.1)
1 1 Number of defined Time windows
2 1 Size of information block for each Time window
3 1 Time units used: 0 = Days; 1 = Hours; 2 = Minutes;
Next fields are repeated for each Time window
1 Status level id (see section 7.1.2)
2 Time window duration (MSB)
1 Retest rate in units of 15 sec
Note Will not be currently supported
1 Time window definition. Reserved for future use must be 0
9 1 Reportback frequency (optional, default – 30 days)
10 1 Reportback frequency time units (optional, default – days):
0 = days
1 = hours
2 = minutes
Appendix A - SMS->EMMG protocol changes
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 36
A.2 Trigger immediate proximity reportback
DataToIRD Verifier Information Packet (VIP) can be used to trigger an immediate
proximity reportback.
Table 9 describes the T020 DataToIRD payload format.
Table 9 Trigger proximity reportback. T020 DataToIRD format
Field Length (bytes) Value/Description Comment
Action type 2 9E – Proximity
reportback control
Sub-action 1 1 – trigger immediate
reportback
Other values reserved
for future use
Appendix B - Proximity report data format
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 37
Appendix B Proximity report data format
Table 10 describes the format of proximity report sent by STB to PCS in the
Headend. The report is TLV formatted ASCII message delivered as a payload of
HTTP POST message.
Table 10 Proximity report data format
Tag (2 bytes
ASCII)
Meaning Length (HEX
or ASCII
bytes)
Value (HEX or
ASCII)
Notes
TM Report timestamp 8H in seconds from
1970
HH Domain ID 16H
SD STB ID 8H
SP STB IP Address Vary (A)
SM STB MAC Address 16H
UD STB UPnP UDN 42A
GP Default gateway IP
Address
Vary (A)
GM Default gateway MAC
Address
16H
PN Number of peer
devices
2H
For each STB peer:
PD Peer STB ID 8H
PP Peer STB IP Address Vary (A)
PM Peer STB MAC Address 16H
PU Peer UPnP UDN 42A
TT Last proximity test
time
8H in seconds from
1970
TR Last proximity result 1A ‘S’ – success
‘F’ – failed
‘N’ – not
reached
‘D’ – not found
F – RTT over
threshold
N – TTL exhausted
D – not UPnP
discovered
RT Last proximity test
RTT value
4H Milliseconds (up to
65 seconds)
Change History
SKIT-DSN-1969 2.00
Confidential
Proximity Control
Multi-room CA Proximity Control: Feature Specification
Page 38
Change History
Revision 2.00
Revision date: 24 April 2014
Location Change
Section 1.1 Note added
Section 2.1.1 Title changed to Requirements for support of Companion Devices - Future
Section 2.3.4 Proximity test updated
Section 2.3.5 STB and household identity added
Domain_id Note added
Section 2.3.6 Title changed to Countermeasures - future
Section 3.2.2 Proximity test results storage added
Section 5.1 STB registration note added
Section 5.2.2 Preconditions updated
Section 6.2.1 Note added
Section 8.1 Table 6: Device information diagnosti