WWW.JLSNET.CO.UK

DOCSIS - 4. Security

With cable modems it would be possible for your neighbours, using a packet sniffing tool or similar, to view the data you are sending and receiving. To counter this problem the cable operators employ a system known as Baseline Privacy Plus (BPI+). This encrypts all your data to ensure that nobody can snoop on your transmissions. BPI+ also stops the illegal use of someone's connection to gain free access.

The encryption used must travel with the information wherever it goes. The US has laws on the level of encryption that may be exported, so the maximum encryption available is 128 bit. Before any data exchange there is first a key exchange. The key exchange uses triple DES as its encryption, which is quite strong and gives the key exchange satisfactory protection. The algorithm used is a public key exchange. [GABE99d]

4.1 Authentication

Cable modems do not require a username and password in the way that dial-up connections do. The authentication is actually hard-coded into the cable modem when it is built. This is the X.509 digital certificate, which is made up of the following items:

  • A serial number
  • Cryptographic public key
  • Ethernet MAC address
  • The manufacturer's identification

The X.509 certificate is verified by the head end, also known as the distribution hub. Once it has been verified, the subsequent data sent by that user is encrypted using their public key.

[Figure 4.1: basic authentication]

Figure 4.1 shows how a basic authentication is carried out between the cable modem (CM) and the cable modem termination system (CMTS). The CM certificate is the X.509 certificate, and the CM-ID is the serial number, manufacturer ID, MAC address and RSA public key.

The cable modem first sends its X.509 certificate and the manufacturer's certificate. The X.509 certificate is verified by checking its expiration date, ensuring that the issuer name is the same as the manufacturer's name, and finally that the X.509 signature is valid using the manufacturer's certificate public key. The CMTS also verifies the manufacturer certificate, but using the DOCSIS root public key to test the signature. Once the CMTS has verified the X.509 certificate it responds in order to check that the modem presenting it is actually its rightful owner.

To do this the CMTS encrypts the authorization key with the CM public key. The CM uses its private key (an impostor would not have the matching private key) to recover the authorization key. Using this it generates a Hash-based Message Authentication Code (HMAC) key and replies to the CMTS with the HMAC. Verification of this HMAC proves that the CM has the private key that matches the public key.
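The exchange described above, written out as an added Go example (it is not code from the original page, nor from any DOCSIS implementation). It uses Go's standard crypto/x509 and crypto/rsa packages to build a constructed DOCSIS root -> manufacturer -> cable modem certificate chain, runs the CMTS-side checks named in the text (validity period, issuer name equal to the manufacturer name, CM signature under the manufacturer key, manufacturer signature under the DOCSIS root key), then has the CMTS seal a fresh authorization key under the CM public key and accept the modem only when its HMAC reply shows it could unseal that key. The certificate names, the 160-bit authorization key, the RSA-OAEP padding, keying HMAC-SHA1 directly with the authorization key, and the CM-ID reply text are all assumptions of the example; the page specifies none of them.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial-number counter for the demo certificates

// issue signs a certificate for subject/key with parent/parentKey (nil parent: self-signed root).
func issue(subject string, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey, isCA bool) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // demo setup only
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so the Raw* fields used below are filled
	return cert
}

// BuildChain issues a demo root CA, a manufacturer CA under it, and a CM certificate for cmKey.
func BuildChain(cmKey *rsa.PrivateKey) (root, mfr, cm *x509.Certificate) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	mfrKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root = issue("DOCSIS Root CA (demo)", rootKey, nil, nil, true)
	mfr = issue("Example Modem Co (demo)", mfrKey, root, rootKey, true)
	cm = issue("CM 00:11:22:33:44:55 (demo)", cmKey, mfr, mfrKey, false)
	return root, mfr, cm
}

// VerifyCMChain is the CMTS-side check from the text: validity period, issuer name equal to the
// manufacturer's name, CM signature under the manufacturer key, manufacturer signature under the root key.
func VerifyCMChain(cm, mfr, root *x509.Certificate, now time.Time) error {
	switch {
	case now.Before(cm.NotBefore) || now.After(cm.NotAfter):
		return errors.New("CM certificate expired or not yet valid")
	case !bytes.Equal(cm.RawIssuer, mfr.RawSubject):
		return errors.New("CM certificate issuer is not the manufacturer")
	}
	if err := cm.CheckSignatureFrom(mfr); err != nil {
		return fmt.Errorf("CM certificate signature: %w", err)
	}
	if err := mfr.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("manufacturer certificate signature: %w", err)
	}
	return nil
}

// tag is the HMAC the CM returns; this demo keys HMAC-SHA1 directly with the authorization key.
func tag(authKey, msg []byte) []byte {
	m := hmac.New(sha1.New, authKey)
	m.Write(msg)
	return m.Sum(nil)
}

// RunExchange plays both sides: the CMTS verifies the chain, seals a fresh authorization key under
// the CM public key, and accepts the CM only if its HMAC reply proves it unsealed that key.
func RunExchange(cm, mfr, root *x509.Certificate, cmKey *rsa.PrivateKey) (bool, error) {
	if err := VerifyCMChain(cm, mfr, root, time.Now()); err != nil {
		return false, err
	}
	authKey := make([]byte, 20) // constructed 160-bit authorization key
	rand.Read(authKey)          // crypto/rand
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cm.PublicKey.(*rsa.PublicKey), authKey, nil) // OAEP is the demo's padding choice
	if err != nil {
		return false, err
	}
	// CM side: only the matching private key recovers the authorization key.
	recovered, err := rsa.DecryptOAEP(sha256.New(), nil, cmKey, sealed, nil)
	if err != nil {
		return false, nil // an impostor cannot unseal it, so it cannot answer: rejected
	}
	reply := []byte("CM-ID: serial, manufacturer ID, MAC, RSA public key (constructed)")
	// CMTS side: recompute the HMAC with the key it sent and compare in constant time.
	return hmac.Equal(tag(recovered, reply), tag(authKey, reply)), nil
}

func main() {
	cmKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root, mfr, cm := BuildChain(cmKey)
	fmt.Println(RunExchange(cm, mfr, root, cmKey)) // true <nil>
}
```

Running it prints `true <nil>` for the genuine modem. A device that presents the same certificate but holds a different private key cannot unseal the authorization key, so its reply never verifies and RunExchange returns false; a certificate outside its validity period, or one whose manufacturer is not signed by the DOCSIS root, is rejected before any key is sent at all.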

4.2 QoS (Quality of Service)

Quality of Service was added to the DOCSIS standard in version 1.1. In order to implement Quality of Service, the following features were added in DOCSIS 1.1:

  • Packet Priorities
  • CMTS Control
  • Unsolicited Grants
  • Packet Fragmentation
  • Payload Header Suppression

4.2.1 Packet Priorities

Packets are assigned a priority; those with a higher priority are dealt with first and can jump ahead of the queues on routers and other devices.

4.2.2 CMTS Control

The CMTS instructs the modem how much data it may transmit and for what period of time.

4.2.3 Unsolicited Grants

The issue with CMTS control is that everyone might transmit at the same time, so the data would overlap and collide. The Unsolicited Grant Service (UGS) solves this problem. Essentially, with UGS the cable modem transmits the requirements of its session, and this information is used to assign a time slot to that transmission so that the different cable modems do not overlap and collide.

4.2.4 Packet Fragmentation

Large packets of information are broken up. This is done so that more important transmissions (those with a higher priority) can interrupt and be transmitted without waiting for the whole of the large packet to be sent.
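An added Go example (not from the page) of the priority and fragmentation behaviour described in 4.2.1 and 4.2.4: a constructed modem-side queue sends one fragment per transmit slot and always picks the highest-priority fragment waiting, so a small high-priority packet that arrives while a large low-priority one is in flight goes out before the remaining fragments. The packet names, sizes, priorities and the one-fragment-per-slot model are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Packet is a constructed upstream packet; Priority uses the DOCSIS 0-7 scale (7 highest).
type Packet struct {
	Name     string
	Priority int
	Size     int // bytes
}

// Arrival records the transmit slot at which a packet becomes ready to send.
type Arrival struct {
	Slot   int
	Packet Packet
}

// Fragment is one piece of a packet; Index/Total let the receiver reassemble it.
type Fragment struct {
	Packet
	Index, Total int
	seq          int // arrival order, keeps FIFO among equal priorities
}

// Split breaks a packet into fragments of at most maxFrag bytes each.
func Split(p Packet, maxFrag int) []Fragment {
	total := (p.Size + maxFrag - 1) / maxFrag
	frags := make([]Fragment, total)
	for i := range frags {
		frags[i] = Fragment{Packet: p, Index: i + 1, Total: total}
	}
	return frags
}

// Schedule simulates a modem that sends one fragment per slot, always the highest-priority
// fragment waiting (FIFO on ties). It sorts arrivals by slot in place and returns the
// transmission order as "name[i/n]" strings.
func Schedule(arrivals []Arrival, maxFrag int) []string {
	sort.SliceStable(arrivals, func(i, j int) bool { return arrivals[i].Slot < arrivals[j].Slot })
	var queue []Fragment
	var order []string
	next := 0
	for slot := 0; next < len(arrivals) || len(queue) > 0; slot++ {
		// Everything that became ready by this slot joins the queue as fragments.
		for ; next < len(arrivals) && arrivals[next].Slot <= slot; next++ {
			for _, f := range Split(arrivals[next].Packet, maxFrag) {
				f.seq = next
				queue = append(queue, f)
			}
		}
		if len(queue) == 0 {
			continue // idle slot: nothing is ready yet
		}
		best := 0
		for i, f := range queue {
			if f.Priority > queue[best].Priority ||
				(f.Priority == queue[best].Priority && f.seq < queue[best].seq) {
				best = i
			}
		}
		f := queue[best]
		queue = append(queue[:best], queue[best+1:]...)
		order = append(order, fmt.Sprintf("%s[%d/%d]", f.Name, f.Index, f.Total))
	}
	return order
}

func main() {
	arrivals := []Arrival{
		{Slot: 0, Packet: Packet{Name: "bulk", Priority: 1, Size: 1500}},
		{Slot: 1, Packet: Packet{Name: "voice", Priority: 6, Size: 200}},
	}
	fmt.Println(Schedule(arrivals, 500))  // [bulk[1/3] voice[1/1] bulk[2/3] bulk[3/3]]
	fmt.Println(Schedule(arrivals, 2000)) // [bulk[1/1] voice[1/1]]
}
```

With a 500-byte fragment limit the voice packet is sent after only the first third of the bulk packet; with a limit large enough that the bulk packet is never fragmented, the higher-priority packet has to wait for the whole of it, which is exactly the delay that fragmentation exists to avoid.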

4.2.5 Payload Header Suppression

Payload header suppression improves QoS by decreasing the amount of data that is sent. It does this by removing duplicated information that does not change from one packet to the next; for example, the destination address may be the same for multiple packets, so the repeated copies of the address are removed.
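An added Go example (not from the page) of payload header suppression: a rule that both ends agree on in advance lets the sender strip the header bytes that never change for a flow and lets the receiver put them back. The field names follow the DOCSIS terms for the rule index, field and mask (PHSI, PHSF, PHSM); the 10-byte header layout, the sample packet and the refusal to suppress a header that does not match the rule are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// PHSRule is a constructed payload-header-suppression rule: Field (PHSF) holds the header
// bytes expected in every packet of a flow, Mask (PHSM) marks which of them are suppressed,
// and Index (PHSI) identifies the rule on the wire so the receiver can pick it.
type PHSRule struct {
	Index byte
	Field []byte
	Mask  []bool
}

// Suppress is the sender side: it drops the masked header bytes and prefixes the rule index.
// If a masked byte differs from the rule the packet is not suppressed, since the receiver
// would otherwise restore the wrong bytes.
func Suppress(rule PHSRule, pkt []byte) ([]byte, error) {
	n := len(rule.Field)
	if len(rule.Mask) != n {
		return nil, errors.New("rule mask and field lengths differ")
	}
	if len(pkt) < n {
		return nil, errors.New("packet shorter than the suppression field")
	}
	out := []byte{rule.Index}
	for i := 0; i < n; i++ {
		if rule.Mask[i] {
			if pkt[i] != rule.Field[i] {
				return nil, fmt.Errorf("header byte %d does not match the rule; not suppressing", i)
			}
			continue // suppressed: the receiver already knows this byte
		}
		out = append(out, pkt[i])
	}
	return append(out, pkt[n:]...), nil
}

// Restore is the receiver side: it looks up the rule by index and reinserts the suppressed bytes.
func Restore(rules map[byte]PHSRule, wire []byte) ([]byte, error) {
	if len(wire) == 0 {
		return nil, errors.New("empty frame")
	}
	rule, ok := rules[wire[0]]
	if !ok {
		return nil, fmt.Errorf("unknown PHSI %d", wire[0])
	}
	wire = wire[1:]
	out := make([]byte, 0, len(rule.Field)+len(wire))
	for i, suppressed := range rule.Mask {
		if suppressed {
			out = append(out, rule.Field[i])
			continue
		}
		if len(wire) == 0 {
			return nil, errors.New("frame truncated inside the header")
		}
		out = append(out, wire[0])
		wire = wire[1:]
	}
	return append(out, wire...), nil
}

func main() {
	// Constructed 10-byte header: 4-byte destination, 4-byte source, 2-byte length.
	// The addresses never change for this flow, so they are suppressed; the length is not.
	rule := PHSRule{
		Index: 1,
		Field: []byte{10, 0, 0, 1, 10, 0, 0, 2, 0, 0},
		Mask:  []bool{true, true, true, true, true, true, true, true, false, false},
	}
	pkt := append([]byte{10, 0, 0, 1, 10, 0, 0, 2, 0, 5}, "hello"...)
	wire, err := Suppress(rule, pkt)
	fmt.Println(len(pkt), "bytes ->", len(wire), "bytes on the wire", err)
	back, err := Restore(map[byte]PHSRule{1: rule}, wire)
	fmt.Println("restored:", back, err)
}
```

For the sample packet, 8 of the 10 header bytes are replaced by a single rule index, so 15 bytes become 8 on the wire and Restore returns the original packet byte for byte.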

Another form of QoS used by cable modems (although not strictly a QoS method) is capping. Capping limits the bandwidth available to a subscriber according to the subscription price they pay. Examples of such bandwidths are 150 kbps (it has been argued this is not true broadband), 600 kbps and 1 Mbps. This means that a user can only use as much bandwidth as they have paid for. In the past there have been issues of subscribers 'uncapping' the limit [see 3.3.3 TFTP Configuration Assignment] and increasing their bandwidth illegally. This is not so much an issue these days as it is now well protected.

One issue with cable modems is that if neighbouring subscribers are using a lot of their bandwidth it can affect the whole street (or all subscribers connected to the same port). [NextGen03a]

Site By JLSaunders http://www.jlsnet.co.uk/ Copyright © JLSaunders 2010