Configuring Headend Broadband Access Router Features

Security Features

DOCSIS Baseline Privacy

The Cisco uBR7200 series routers support DOCSIS baseline privacy (BPI). When BPI is enabled, the Cisco uBR7200 series generates Traffic Encryption Keys (TEKs) for each applicable SID. The router uses the keys to encrypt downstream data and decrypt upstream traffic from two-way cable modems.

The Cisco uBR7200 series supports both 40-bit and 56-bit encryption/decryption. When BPI is enabled, 56-bit encryption/decryption is the default. A configuration command allows an administrator to manually force the Cisco uBR7200 series to generate a 40-bit DES key, where the DES key that is generated and returned masks the first 16 bits of the 56-bit key to 0 in software.

Note Both the Cisco uBR7200 series universal broadband router and the cable modem must contain software and be configured to support encryption/decryption.

The Cisco uBR7200 series router generates keys for unicast, broadcast, and multicast operation as appropriate. Keys are refreshed periodically and have a default lifetime of 12 hours.
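The following added example (not Cisco code, and not taken from this manual) models the two points above: forcing a 40-bit DES key by zeroing the first 16 bits of a 56-bit key, and tracking the 12-hour default TEK lifetime so the router knows when a SID's key is due for refresh. The names (`mask_to_40bit`, `generate_tek`, `TrafficEncryptionKey`) are illustrative, and the example assumes "first 16 bits" means the 16 most significant key bits.

```python
import os
from dataclasses import dataclass
from typing import Optional

# DES keys are carried as 8 bytes: 7 key bits per byte plus one odd-parity
# bit, so 56 effective key bits. All names here are illustrative, not Cisco's.
DES_KEY_BITS = 56
DEFAULT_TEK_LIFETIME_S = 12 * 3600   # 12-hour default TEK lifetime


def random_56bit_key() -> int:
    """Draw 56 random key bits from the OS CSPRNG (MSB-first integer)."""
    return int.from_bytes(os.urandom(7), "big")


def mask_to_40bit(key56: int) -> int:
    """Zero the first 16 of the 56 key bits so only 40 bits of the key vary.
    Assumption: 'first 16 bits' are the 16 most significant bits."""
    if not 0 <= key56 < (1 << DES_KEY_BITS):
        raise ValueError("expected a 56-bit key")
    return key56 & ((1 << 40) - 1)


def with_des_parity(key56: int) -> bytes:
    """Expand 56 key bits into the 8-byte DES key form: each byte carries
    7 key bits followed by an odd-parity bit in the least significant position."""
    out = bytearray()
    for i in range(8):
        seven = (key56 >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1   # ones per byte must be odd
        out.append((seven << 1) | parity)
    return bytes(out)


@dataclass
class TrafficEncryptionKey:
    sid: int                 # service ID this TEK protects
    key: bytes               # 8-byte DES key, parity-adjusted
    effective_bits: int      # 56, or 40 when the operator forced the weaker key
    issued_at: float         # seconds since epoch
    lifetime_s: int = DEFAULT_TEK_LIFETIME_S

    def needs_refresh(self, now: float) -> bool:
        """True once the key has been in use for its full lifetime."""
        return now - self.issued_at >= self.lifetime_s


def generate_tek(sid: int, issued_at: float, force_40bit: bool = False,
                 key56: Optional[int] = None) -> TrafficEncryptionKey:
    """Generate the TEK for one SID. key56 may be supplied for testing;
    production callers leave it None and get fresh random bits."""
    raw = random_56bit_key() if key56 is None else key56
    if force_40bit:
        raw = mask_to_40bit(raw)
    return TrafficEncryptionKey(sid=sid, key=with_des_parity(raw),
                                effective_bits=40 if force_40bit else 56,
                                issued_at=issued_at)


def keyspace_ratio() -> int:
    """How many times larger the 56-bit keyspace is than the forced 40-bit one."""
    return 2 ** (56 - 40)


if __name__ == "__main__":
    tek = generate_tek(sid=7, issued_at=0.0, force_40bit=True)
    print(tek.key.hex(), tek.effective_bits, "bits")
    print("refresh due after 12h:", tek.needs_refresh(12 * 3600))
```

The masked key shows up in the first two bytes of the DES form as parity-only bytes, which makes the 40-bit mode easy to recognise in a key dump; `keyspace_ratio` makes the cost of that setting explicit (65536 times fewer keys to try).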

Cable Modem and Multicast Authentication Using RADIUS

As an enhancement to baseline privacy, Cisco uBR7200 series universal broadband routers can be configured for cable modem and multicast authentication using the RADIUS protocol, an access server authentication, authorization, and accounting (AAA) protocol originally developed by Livingston, Inc. The Cisco uBR7200 series also supports additional vendor-proprietary RADIUS attributes.

When a cable modem comes online or when an access request is sent through a multicast data stream, the Cisco uBR7200 series sends relevant information to RADIUS servers for cable modem/host authentication. This feature can be configured on a per-interface basis.

An IETF draft standard, RFC 2138, defines the RADIUS protocol. RFC 2139 defines the corresponding RADIUS accounting protocol. Additional RFC drafts define vendor-proprietary attributes and MIBs that can be used with a Simple Network Management Protocol (SNMP) manager.
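As an added example (not code from Cisco or from this manual), the exchange below builds the RFC 2138 Access-Request the router would send for a cable modem, has a minimal server answer it, and verifies the reply's Response Authenticator under the shared secret. The modem identifier, password and secret are constructed sample values; only standard attributes are used, so the vendor-proprietary attributes mentioned above are not modelled.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2138 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                 # RFC 2138 attribute types
HEADER = struct.Struct("!BBH")                            # Code, Identifier, Length


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(blob: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[attr_type] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def _password_xor(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2138 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. hiding=False reverses the operation."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out


def build_access_request(ident: int, user_name: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None):
    """Router side: returns the packet plus the Request Authenticator the
    caller must keep to check the reply."""
    request_auth = request_auth or os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = encode_attr(ATTR_USER_NAME, user_name) + \
        encode_attr(ATTR_USER_PASSWORD, _password_xor(padded, secret, request_auth, True))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def server_handle(packet: bytes, secret: bytes, credentials: dict) -> bytes:
    """Server side: recover the password, look the modem up, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed request")
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    user = attrs.get(ATTR_USER_NAME)
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    password = _password_xor(hidden, secret, request_auth, False).rstrip(b"\x00")
    reply_code = ACCESS_ACCEPT if credentials.get(user) == password else ACCESS_REJECT
    reply_attrs = b""
    head = HEADER.pack(reply_code, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(head + request_auth + reply_attrs + secret).digest()
    return head + response_auth + reply_attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes):
    """Router side: return the reply code if the Response Authenticator verifies
    under the shared secret, else None (forged, altered, or wrong secret)."""
    if len(packet) < 20:
        return None
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs + secret).digest()
    return code if hmac.compare_digest(packet[4:20], expected) else None


if __name__ == "__main__":
    # Constructed sample values: modem MAC as User-Name, per-modem password, shared secret.
    secret, creds = b"constructed-shared-secret", {b"00:10:7b:12:34:56": b"modem-pw"}
    req, auth = build_access_request(1, b"00:10:7b:12:34:56", b"modem-pw", secret)
    print("reply code:", verify_response(server_handle(req, secret, creds), auth, secret))
```

The check in `verify_response` is what stops a spoofed or modified Access-Accept from bringing a modem online: flipping the code byte of a genuine Access-Reject, or replying without knowing the secret, fails the authenticator comparison and the router treats the reply as invalid.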

Upstream Address Verification

Upstream address verification prevents the spoofing of IP addresses by comparing the source IP address with the MAC address of the cable modem, thus verifying that each upstream data packet comes from the cable modem known to be associated with the source IP address in the packet. The cable source-verify [dhcp] cable interface command specifies that DHCP lease query requests are sent to verify any unknown source IP address found in upstream data packets. This feature requires a DHCP server that supports the LEASEQUERY message type.

Note Cisco Network Registrar (CNR) supports the LEASEQUERY message type in software release 3.01(T) and later.

Cisco IOS Multiservice Applications Configuration Guide

MC-529
