PacketCable Security Ticket Control Sub-Option for the DHCP CableLabs Client Configuration (CCC) Option (RFC3594)
Original Publication Date: 2003-Sep-01
Included in the Prior Art Database: 2003-Sep-09
Internet Society Requests For Comment (RFCs)
This document defines a new sub-option for the DHCP CableLabs Client Configuration (CCC) Option. This new sub-option will be used to direct CableLabs Client Devices (CCDs) to invalidate security tickets stored in CCD non volatile memory (i.e., locally persisted security tickets).
Network Working Group P. Duffy
Request for Comments: 3594 Cisco Systems
Category: Standards Track September 2003
PacketCable Security Ticket Control Sub-Option
for the DHCP CableLabs Client Configuration (CCC) Option
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2003). All Rights Reserved.
1. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119.
Definitions of terms/acronyms used throughout this document:
CCC - CableLabs Client Configuration option, described in .
CCD - CableLabs Client Device. A PacketCable MTA is an example of a
STC - Security Ticket Control. The CCC sub-option described in this
MTA - Media Terminal Adapter. The CCD specific to the PacketCable
PacketCable - multimedia architecture developed by CableLabs. See
 for full details.
The CableLabs Client Configuration Option defines several
sub-options used to configure devices deployed into CableLabs
architectures. These architectures implement the PacketCable
Security Specification (based on Kerberos V5), to support CCD
authentication and establishment of security associations between
CCDs and application servers.
CCDs are permitted to retain security tickets in local persistent
storage. Thus a power-cycled CCD is enabled to avoid expensive
ticket acquisition for locally persisted, non-expired tickets. This
feature greatly reduces the security overhead of a deployment.
This sub-option allows the service provider to control the lifetime
of tickets persisted locally on a CCD. The service provider requires
this capability to support operational functions such as forcing
re-establishment of security associations, remote testing, and remote
diagnostic of CCDs.
It should be noted that, although based on the Kerberos V5 RFC,
the PacketCable Security Specification is not a strict implementation
of this RFC. See  for details of the PacketCable Security
4. Security Ticket Control Sub-option
This sub-option defines a Ticket Control Mask (TCM) that instructs
the CCD to validate/invalidate sp...