
Configuring Subscriber-End Broadband Access Router Features

Note The backup POTS connection enables only one of the VoIP ports on the Cisco uBR924 to function during a power outage. Calls in progress prior to the power outage will be disconnected. If power is reestablished while a cutover call is in progress, the connection will remain in place until the call is terminated. Once the cutover call is terminated, the router automatically reboots.

Subscriber-End Broadband Access Router Security Features

Cisco uBR900 series cable access routers support the security features described in the following sections.

DOCSIS Baseline Privacy

Support for DOCSIS Baseline Privacy in the Cisco uBR900 series is based on the DOCSIS Baseline Privacy Interface Specification (SP-BPI-I01-970922). It provides data privacy across the HFC network by encrypting traffic flows between the cable access router and the CMTS.

Baseline Privacy security services are defined as a set of extended services within the DOCSIS MAC sublayer. Two new MAC management message types, BPKM-REQ and BPKM-RSP, are employed to support the Baseline Privacy Key Management (BPKM) protocol.

The BPKM protocol does not use authentication mechanisms such as passwords or digital signatures; it provides basic protection of service by ensuring that a cable modem, uniquely identified by its 48-bit IEEE MAC address, can only obtain keying material for services it is authorized to access. The Cisco uBR900 series cable access router is able to obtain two types of keys from the CMTS: the traffic exchange key (TEK), which is used to encrypt and decrypt data packets, and the key exchange key (KEK), which is used to decrypt the TEK.
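The key hierarchy just described, as an added simulation (not code from the manual or from Cisco IOS): the CMTS answers a BPKM-REQ with a BPKM-RSP only when the requesting 48-bit MAC is provisioned for that service ID, and the TEK in the reply is wrapped under the modem's KEK. The wrapping primitive, the HMAC tag on the wrapped TEK, the provisioning table and the MAC addresses are all assumptions made for the illustration; they are not the cipher or message format the BPI specification defines.

```python
import hmac
import hashlib
import secrets

# Constructed provisioning data (assumed, not from the manual): per modem MAC,
# the KEK shared with that modem and the TEK for each service ID (SID) it may use.
MAC_A = bytes.fromhex("0050f0aabb01")
MAC_B = bytes.fromhex("0050f0aabb02")
KEK_A, KEK_B = secrets.token_bytes(16), secrets.token_bytes(16)
TEK_DATA, TEK_VOICE = secrets.token_bytes(8), secrets.token_bytes(8)
PROVISIONING = {
    MAC_A: {"kek": KEK_A, "services": {1: TEK_DATA, 2: TEK_VOICE}},
    MAC_B: {"kek": KEK_B, "services": {1: TEK_DATA}},  # B is not authorized for SID 2
}

def xor_stream(key, data, label):
    # Toy XOR keystream derived from HMAC-SHA256 so the example needs only the
    # standard library; an assumption, not the cipher BPI specifies.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, label + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def wrap_tek(kek, tek):
    body = xor_stream(kek, tek, b"TEK")
    # The tag lets the modem detect that it holds the wrong KEK instead of
    # silently using garbage as its TEK.
    return body + hmac.new(kek, body, hashlib.sha256).digest()

def unwrap_tek(kek, wrapped):
    body, tag = wrapped[:-32], wrapped[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()):
        return None
    return xor_stream(kek, body, b"TEK")

def cmts_handle_bpkm_req(req):
    """CMTS side: BPKM-REQ -> BPKM-RSP. Authorization is by MAC and SID alone;
    there is no password or signature check, as the manual states."""
    entry = PROVISIONING.get(req["mac"])
    if entry is None or req["sid"] not in entry["services"]:
        return {"type": "BPKM-RSP", "status": "Auth Reject"}
    wrapped = wrap_tek(entry["kek"], entry["services"][req["sid"]])
    return {"type": "BPKM-RSP", "status": "Key Reply", "wrapped_tek": wrapped}

def modem_obtain_tek(claimed_mac, kek, sid):
    """Modem side: send BPKM-REQ, then recover the TEK with the KEK it holds."""
    rsp = cmts_handle_bpkm_req({"type": "BPKM-REQ", "mac": claimed_mac, "sid": sid})
    if rsp["status"] != "Key Reply":
        return None
    return unwrap_tek(kek, rsp["wrapped_tek"])

def protect_packet(tek, payload):
    return xor_stream(tek, payload, b"DATA")  # XOR: same call encrypts and decrypts
```

Because BPKM relies on the MAC as identity, a modem that presents another modem's MAC still receives a Key Reply, but without that modem's KEK it cannot recover the TEK; the KEK provisioning is what carries the security.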

To support encryption and decryption, the Cisco IOS images running on both the CMTS router and the Cisco uBR924 cable access router must include the encryption software, and Baseline Privacy must be enabled and configured on both devices according to the software feature set.

IPSec Network Security

IPSec Network Security (IPSec) is an IP security feature that provides robust authentication and encryption of IP packets. IPSec is a framework of open standards developed by the IETF providing security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer (Layer 3), protecting and authenticating IP packets between participating IPSec devices (peers) such as the Cisco uBR900 series cable access router.

IPSec provides the following network security services:

Privacy—IPSec can encrypt packets before transmitting them across a network.

Integrity—IPSec authenticates packets at the destination peer to ensure that the data has not been altered during transmission.

Authentication—Peers authenticate the source of all IPSec-protected packets.

Anti-replay protection—Prevents capture and replay of packets; helps protect against denial-of-service attacks.
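The anti-replay service listed above works by tracking sequence numbers in a sliding window; as an added illustration (not the uBR900's own implementation), the following Python models the 64-packet bitmap window from RFC 4303 and processes constructed packet records the way an ESP receiver does: the sequence number is checked first, the integrity check value (ICV) is verified next, and the window is advanced only for packets that authenticate, so a forged high sequence number cannot push legitimate packets out of the window. The packet records and their ICV outcomes are constructed sample input.

```python
class AntiReplayWindow:
    """Sliding window over ESP sequence numbers (RFC 4303 style).
    top is the highest accepted sequence number; bit k of bitmap set means
    sequence number top - k has already been accepted."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        """Pre-authentication check: is this sequence number acceptable?"""
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.top:
            return True                       # right of the window: new packet
        offset = self.top - seq
        if offset >= self.size:
            return False                      # left of the window: too old
        return not (self.bitmap >> offset) & 1  # inside the window: reject duplicates

    def update(self, seq):
        """Mark seq as accepted; call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def filter_replays(window, packets):
    """packets: iterable of (sequence_number, icv_ok) records, constructed for the
    demonstration. Returns a (seq, verdict) list in arrival order."""
    verdicts = []
    for seq, icv_ok in packets:
        if not window.check(seq):
            verdicts.append((seq, "replay-or-outside-window"))
        elif not icv_ok:
            verdicts.append((seq, "bad-icv"))   # window untouched: forged seq cannot advance it
        else:
            window.update(seq)
            verdicts.append((seq, "accepted"))
    return verdicts


if __name__ == "__main__":
    sample = [(1, True), (2, True), (2, True), (100, True), (36, True),
              (37, True), (37, True), (101, False), (101, True)]
    for seq, verdict in filter_replays(AntiReplayWindow(), sample):
        print(f"seq={seq:<4} {verdict}")
```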

Cisco IOS Multiservice Applications Configuration Guide
