Re: [PLUG] race condition betwee modem and router

[Doug <dsc3507@yahoo.com>]

 

Well the argument of that's the way cable is doesn't hack it because as I said it is not doing this when directly connected to a computer. As to cable and security this is a
DOCSIS  3 modem and if I am reading the statements below correctly my data is 128 bit AES secure. I have four bonded channels. I don't think my neighbors have access unless they are crunching pretty good!

Security

DOCSIS includes MAC layer security services in its Baseline Privacy Interface specifications. DOCSIS 1.0 utilized the initial Baseline Privacy Interface (BPI) specification. BPI was later improved with the release of the Baseline Privacy Interface Plus (BPI+) specification used by DOCSIS 1.1 & 2.0. Most recently, a number of enhancements to the Baseline Privacy Interface were added as part of DOCSIS 3.0, and the specification was renamed "Security" (SEC).

The intent of the BPI/SEC specifications is to describe MAC layer security services for DOCSIS CMTS to cable modem communications. BPI/SEC security goals are twofold:

• provide cable modem users with data privacy across the cable network
• provide cable service operators with service protection; i.e., prevent unauthorized modems and users from gaining access to the networkâs RF MAC services

BPI/SEC is intended to prevent cable users from listening to each other. It does this by encrypting data flows between the CMTS and the cable modem. BPI & BPI+ utilize 56-bit DES encryption, while SEC adds support for 128-bit AES. All versions provide for periodic key refreshes (at a period configured by the network operator) in order to increase the level of protection.

BPI/SEC is intended to allow cable service operators to refuse service to uncertified cable modems and unauthorized users. BPI+ strengthened service protection by adding digital certificate based authentication to its key exchange protocol, using a public key infrastructure (PKI), based on digital certificate authorities (CAs) of the certification testers, currently Excentis (formerly known as tComLabs) for EuroDOCSIS and CableLabs for DOCSIS. The relationship of the cable modem to the user is often done by means of manually adding the cable modem's MAC address to a customer's account with the cable service operator,^[9][10] who would then allow network access to a cable modem which can attest to that MAC address using a valid certificate issued via the PKI. The earlier BPI specification (ANSI/SCTE 22-2) had limited service protection because the underlying key management protocol did not authenticate the user's cable modem.

Security in the DOCSIS network is vastly improved when only business critical communications are permitted, and end user communication to the network infrastructure is denied. Successful attacks often occur when the CMTS is configured for backwards compatibility with early pre-standard DOCSIS 1.1 modems. These modems were "software upgradeable in the field", but did not include valid DOCSIS or EuroDOCSIS root certificates.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug