Usage Guidelines

The cable dynamic-secret configuration command automatically creates a unique DOCSIS shared secret on a per-modem basis, creating a one-time-use DOCSIS configuration file that is valid only for the current session. This ensures that a DOCSIS configuration file that has been downloaded for one cable modem can never be used by any other modem, nor can the same modem reuse this configuration file at a later time. This patent-pending feature is designed to guarantee that all registered modems are using only the QoS parameters that have been specified by the DOCSIS provisioning system for that particular modem at the time of its registration.

The cable dynamic-secret configuration command enhances the existing shared secret support on the Cisco CMTS by using a one-time, dynamically generated shared secret each time a cable modem registers. This prevents theft-of-service attacks in which users substitute, during the registration phase, a DOCSIS configuration file that provides a higher level of service.

The DOCSIS specification allows cable service providers to use a shared secret to create the CMTS MIC value that is stored in a DOCSIS configuration file. If a user attempts to register with the CMTS using a different or modified DOCSIS configuration file, the CMTS can compare the CMTS MIC value sent by the cable modem with the CMTS MIC it has calculated itself. If the two MIC values differ, the file has been modified.

The cable dynamic-secret command allows the CMTS to dynamically create the shared secret at the time that the cable modem is registering, and that shared secret is valid only for that particular session with that particular cable modem. A new dynamically generated shared secret is used each time each cable modem registers, which prevents users from guessing the shared secret and reusing it to register with a modified DOCSIS configuration file.

If the cable modem’s DOCSIS configuration file fails the CMTS MIC verification check, one of the following messages is displayed on the console:
%UBR7200-4-BADCFGFILE: Modem config file platinum.cm at C3/0: CMTS MIC Invalid
%UBR7200-4-BADCFGFILE: Modem config file platinum.cm at C3/0: No CMTS MIC
If the error message specifies that the reason for the failure is “CMTS MIC Invalid,” the CMTS MIC was not encoded with the proper dynamically generated shared secret. If the reason is “No CMTS MIC,” the DOCSIS configuration file did not contain any value for the CMTS MIC, which could indicate that the customer has attempted to bypass the DOCSIS security checks by creating their own DOCSIS configuration file without any MIC values.
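The following Python, added here as an illustration and not Cisco's code, models the check described above: a configuration file is a list of TLVs, the CMTS MIC is an HMAC-MD5 keyed with the shared secret as the DOCSIS specification defines it, and a per-modem, per-registration secret is derived so that a file signed for one session fails verification when it is presented again. The TLV set, the secret derivation (session_secret) and all sample values are constructed for this example, not taken from the product.

```python
import hmac
import hashlib

CMTS_MIC_TYPE = 7  # DOCSIS TLV type that carries the CMTS MIC

def encode_tlvs(tlvs):
    """Serialize (type, value) pairs as one-byte type, one-byte length, value."""
    out = bytearray()
    for t, v in tlvs:
        if len(v) > 255:
            raise ValueError("TLV value too long for a one-byte length")
        out += bytes([t, len(v)]) + v
    return bytes(out)

def compute_cmts_mic(tlvs, shared_secret):
    """HMAC-MD5 over the TLVs keyed with the shared secret, as DOCSIS defines
    the CMTS MIC (simplified here: only the MIC TLV itself is excluded)."""
    body = encode_tlvs([(t, v) for t, v in tlvs if t != CMTS_MIC_TYPE])
    return hmac.new(shared_secret, body, hashlib.md5).digest()

def sign_config(tlvs, shared_secret):
    """Provisioning side: append the CMTS MIC TLV to the file."""
    return tlvs + [(CMTS_MIC_TYPE, compute_cmts_mic(tlvs, shared_secret))]

def verify_cmts_mic(tlvs, shared_secret):
    """CMTS side: return "OK" or a reason named in %UBR7200-4-BADCFGFILE."""
    mics = [v for t, v in tlvs if t == CMTS_MIC_TYPE]
    if not mics:
        return "No CMTS MIC"
    expected = compute_cmts_mic(tlvs, shared_secret)
    # Constant-time comparison so the check itself leaks nothing about the MIC.
    return "OK" if hmac.compare_digest(mics[-1], expected) else "CMTS MIC Invalid"

def session_secret(base_secret, modem_mac, registration_nonce):
    """Constructed per-modem, per-registration secret (not Cisco's derivation)."""
    msg = modem_mac.encode() + registration_nonce
    return hmac.new(base_secret, msg, hashlib.sha256).digest()

# Constructed sample file: a network-access flag and a service-rate value.
PLATINUM = [(3, b"\x01"), (4, (10_000_000).to_bytes(4, "big"))]

def demo(base_secret=b"constructed-base-secret"):
    first = session_secret(base_secret, "00ff.ffee.ddcc", b"\x00\x01")
    second = session_secret(base_secret, "00ff.ffee.ddcc", b"\x00\x02")  # next registration
    signed = sign_config(PLATINUM, first)
    return {
        "same session": verify_cmts_mic(signed, first),     # "OK"
        "replayed later": verify_cmts_mic(signed, second),  # "CMTS MIC Invalid"
        "unsigned file": verify_cmts_mic(PLATINUM, first),  # "No CMTS MIC"
    }
```

The three results correspond to a genuine registration, the same file replayed in a later session, and a file that carries no CMTS MIC at all.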
Note: The Dynamic Shared Secret feature does not affect the use of the original shared secret or secondary shared secrets that are configured using the cable shared-secondary-secret and cable shared-secret commands. (The Cisco cBR-8 router does not allow the simultaneous configuration of these two commands.) If these shared secrets are configured, the Cisco CMTS continues to use them to validate the original DOCSIS configuration file that is downloaded from the TFTP server. If the DOCSIS configuration file fails to pass the original or secondary shared secret verification checks, the cable modem is not allowed to register, and the Dynamic Shared Secret feature is not invoked for that particular cable modem.

Note: The Cisco uBR7100 series router does not support the Dynamic Shared Secret feature when running in MxU bridging mode.

The original filename for the DOCSIS configuration file is automatically encrypted by default to prevent unauthorized parties from obtaining any useful information from the filename, or from attempting to replace the original file with their own. This encryption can be disabled, using the nocrypt option, so that DOCSIS configuration files are sent using their original filenames.

Note: Do not use the cable dynamic-secret command along with the ip tftp-source command in Cisco IOS Release 12.2(15)BC1, because this could result in certain models of CMs not being able to come online and instead being stuck in the init(o) state. This restriction is removed in Cisco IOS Release 12.2(15)BC2 and later releases.

Modes of Operation

The cable dynamic-secret command offers three different possible responses to cable modems that fail the CMTS MIC verification check:

- When the mark option is used, the CMTS allows CMs to come online even if they fail the CMTS MIC validity check. However, the CMTS also prints a warning message on the console and marks the cable modem in the show cable modem display with an exclamation point (!), so that this situation can be investigated. The following message is displayed on the console when such a CM registers with the Cisco CMTS:
06:53:57: %UBR7200-4-CMMARKED: Cable Modem 00ff.ffee.ddcc in C3/0 attempted theft of service
- When the lock option is used, the CMTS assigns a restrictive QoS configuration to CMs that fail the CMTS MIC validity check. If an optional lock-qos profile is specified, the CMTS assigns this profile to the CM while it is locked.

If the lock-qos profile is not specified, the CMTS uses a special QoS configuration that limits the network access for these CMs by restricting their downstream and upstream service flows to a maximum rate of 10 kbps. (If you do not specify the lock-qos profile, you must also allow cable modems to create QoS profiles, using the cable qos permission command. If you do not do this and use the lock option without specifying a particular QoS profile, locked cable modems are not allowed to register until the lock clears or expires.)

If a customer resets their CM, the CM reregisters but still uses the restricted QoS profile. A locked CM continues with the restricted QoS profile until it goes offline and remains offline for at least 24 hours, at which point it is allowed to reregister with a valid DOCSIS configuration file. This option frustrates users who repeatedly register with the CMTS in an attempt to guess the shared secret, or to determine the details of the Dynamic Shared Secret security system.

In addition, the following message is displayed on the console when a CM is locked:
06:53:57: %UBR7200-4-CMLOCKED: Cable Modem 00ff.ffee.ddcc in C3/0 attempted theft of service

Locked cable modems are shown with an exclamation point (!) in the show cable modem display:
Router# show cable modem
MAC Address IP Address I/F MAC Prim RxPwr Timing Num BPI
State Sid (db) Offset CPE Enb
0010.9507.01db 144.205.151.130 C5/1/0/U5 online(pt) 1 0.25 938 1 N
0080.37b8.e99b 144.205.151.131 C5/1/0/U5 online 2 -0.25 1268 0 N
0002.fdfa.12ef 144.205.151.232 C6/1/0/U0 online(pt) 13 -0.25 1920 1 N
0002.fdfa.137d 144.205.151.160 C6/1/0/U0 !online 16 -0.50 1920 1 N
0003.e38f.e9ab 144.205.151.237 C6/1/0/U0 !online 3 -0.50 1926 1 N
Router#
Tip: You can also manually clear the lock on a CM by using the clear cable modem lock command.

- When the reject option is used, the CMTS refuses to allow CMs to come online if they fail the CMTS MIC validity check. These cable modems appear with a MAC state of “reject(m)” in the displays generated by the show cable modem command. After a short timeout period, the CM attempts to reregister with the CMTS. The CM must register with a valid DOCSIS configuration file before being allowed to come online. When the CM does come online, the CMTS prints a warning message on the console and marks the cable modem in the show cable modem display with an exclamation point (!), so that this situation can be investigated.

Tip: Cisco recommends that you initially use the mark option, so that potential problems are identified without immediately interfering with users’ ability to come online. After you identify and resolve these initial problems, reconfigure the cable interfaces with the reject or lock option to block problem cable modems that attempt to come online without a valid shared secret.

Note: To account for possible network problems, such as loss of packets and congestion, the Cisco CMTS allows a cable modem to attempt to register twice before marking it as having failed the Dynamic Shared Secret authentication checks.

Filename Encryption

By default, the cable dynamic-secret command encrypts the original filename for a DOCSIS configuration file when the Cisco CMTS transmits the file to the CM. This filename changes in a semi-random manner, making it difficult for users to predict the filename for the file that should be downloaded to the CM.

This does mean, however, that the filenames specified in the DHCP HELLO and ACK messages are different, and that the filenames on the CM and on the TFTP server are different. This could interfere with custom network management applications and scripts. If this is the case, you can disable the automatic filename encryption by adding the nocrypt option to the command.

The nocrypt option does slightly decrease the security provided by this feature, so this possibility should be weighed against the ability to manage the network more conveniently.

Interaction with the TFTP Enforce Feature

Note: The Cisco cBR-8 router does not support the cable tftp-enforce command.

The cable tftp-enforce command provides another layer of protection against theft-of-service attacks by requiring cable modems to download a DOCSIS configuration file through the CMTS cable interface before being allowed to register. When the cable tftp-enforce command is used with the cable dynamic-secret command, the TFTP enforce checks are done before the dynamic shared-secret checks. If a cable modem fails to download a DOCSIS configuration file through the CMTS, it is not allowed to register, regardless of the dynamic shared-secret checks.

Displaying Rogue Cable Modems

Use the show cable modem rogue command to display the cable modems that have failed the dynamic shared-secret authentication checks:
Router# show cable modem rogue
Spoof TFTP
MAC Address Vendor Interface Count Dnld Dynamic Secret
AAAA.7b43.aa7f Vendor1 C4/0/U5 2 Yes 45494DC933F8F47A398F69EE6361B017
AAAA.7b43.aa7f Vendor1 C4/0/U5 2 Yes D47BCBB5494E9936D51CB0EB66EF0B0A
BBBB.7b43.aa7f Vendor2 C4/0/U5 2 No 8EB196423170B26684BF6730C099D271
AAAA.7b43.aa7f Vendor1 C4/0/U5 2 No DF8FE30203010001A326302430120603
BBBB.7b43.aa7f Vendor2 C4/0/U5 2 No 300E0603551D0F0101FF040403020106
AAAA.7b43.aa7f Vendor1 C4/0/U5 2 Yes 820101002D1A264CE212A1BB6C1728B3
DDDD.7b43.aa7f Vendor4 C4/0/U5 2 Yes 7935B694DCA90BC624AC92A519C214B9
AAAA.7b43.aa7f Vendor1 C4/0/U5 2 No 3AB096D00D56ECD07D9B7AB662451CFF
Router#
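As an added example that is not part of the Cisco documentation, the following Python reads the show cable modem and show cable modem rogue displays, reports the modems flagged by a dynamic-secret failure (the ! prefix used for marked and locked modems, or the reject(m) MAC state) and summarizes the rogue entries per MAC address. The sample output is constructed from the displays quoted on this page; rows are split on whitespace, which assumes no column value contains a space.

```python
import re
from collections import Counter

MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")

# Constructed samples modelled on the displays quoted in this reference.
SHOW_CABLE_MODEM = """\
Router# show cable modem
MAC Address    IP Address      I/F        MAC        Prim RxPwr Timing Num BPI
                                          State      Sid  (db)  Offset CPE Enb
0010.9507.01db 144.205.151.130 C5/1/0/U5  online(pt)  1    0.25   938   1  N
0002.fdfa.137d 144.205.151.160 C6/1/0/U0  !online    16   -0.50  1920   1  N
0003.e38f.e9ab 144.205.151.237 C6/1/0/U0  reject(m)   3   -0.50  1926   1  N
Router#
"""

SHOW_CABLE_MODEM_ROGUE = """\
Router# show cable modem rogue
                                    Spoof TFTP
MAC Address    Vendor  Interface  Count Dnld Dynamic Secret
AAAA.7b43.aa7f Vendor1 C4/0/U5    2     Yes  45494DC933F8F47A398F69EE6361B017
BBBB.7b43.aa7f Vendor2 C4/0/U5    2     No   8EB196423170B26684BF6730C099D271
AAAA.7b43.aa7f Vendor1 C4/0/U5    2     No   DF8FE30203010001A326302430120603
Router#
"""

def data_rows(output, min_fields):
    """Yield whitespace-split rows whose first field is a MAC (skips headers/prompt)."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= min_fields and MAC_RE.match(fields[0]):
            yield fields

def flagged_modems(output=SHOW_CABLE_MODEM):
    """Map MAC -> MAC state for modems shown as marked (!), locked (!) or reject(m)."""
    flagged = {}
    for fields in data_rows(output, 4):
        state = fields[3]
        if state.startswith("!") or state.startswith("reject(m)"):
            flagged[fields[0]] = state
    return flagged

def rogue_summary(output=SHOW_CABLE_MODEM_ROGUE):
    """Map MAC -> (number of rogue entries, whether any entry shows a TFTP download)."""
    entries, tftp = Counter(), {}
    for fields in data_rows(output, 6):
        mac = fields[0]
        entries[mac] += 1
        tftp[mac] = tftp.get(mac, False) or fields[4] == "Yes"
    return {mac: (entries[mac], tftp[mac]) for mac in entries}
```

A modem that appears in the rogue display without a TFTP download is worth a closer look alongside the cable tftp-enforce setting described above, since it never fetched its file through the CMTS.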
If the CMTS cannot obtain the DOCSIS configuration file from the TFTP server, a message similar to the following is displayed on the console:
%UBR7200-4-NOCFGFILE: Cannot read modem config file platinum.cm from C3/0: <reason>

where the reason can be one of the following, depending on the error that the TFTP server reported:
- Compression Failed
- File too big
- Invalid Checksum
- Invalid IP address or hostname
- Uncompression Failed
- User Abort

Examples

The following example shows how to configure a cable interface on a Cisco uBR7200 series router with the mark option, so that CMs that fail the MIC verification are allowed to register but are marked in the show cable modem displays so that their situation can be further investigated:
Router# configure terminal
Router(config)# interface cable 4/0
Router(config-if)# cable dynamic-secret mark
Router(config-if)# exit
Router(config)# exit
Router#
The following example shows how to configure the cable interface on a Cisco uBR7100 series router so that CMs that fail the MIC verification are locked with a QoS profile that limits upstream and downstream service flows to 10 kbps:
Router# configure terminal
Router(config)# cable qos permission create
Router(config)# cable qos permission update
Router(config)# interface cable 1/0
Router(config-if)# cable dynamic-secret lock
Router(config-if)# exit
Router(config)# exit
Router#
Note: If you do not use the cable qos permission global configuration command to allow cable modems to create their own QoS profiles, the CMTS rejects this command and displays the following error message: %Need permission for modems to create QoS profile

The following example shows how to configure a cable interface so that CMs that fail the MIC verification are locked with a specific QoS profile:
Router# configure terminal
Router(config)# interface cable 1/0
Router(config-if)# cable dynamic-secret lock 31
Router(config-if)# exit
Router(config)# exit
Router#
Note: If the specified QoS profile does not exist, the CMTS rejects this command and displays the following error message: %Profile qos-id to lock modem does not exist

The following example shows how to configure a cable interface on a Cisco uBR7200 series router so that CMs that fail the MIC verification are not allowed to register and must reregister with a valid DOCSIS configuration file before being allowed to come online:
Router# configure terminal
Router(config)# interface cable 3/0
Router(config-if)# cable dynamic-secret reject
Router(config-if)# exit
Router(config)# exit
Router#
The following example shows how to disable the Dynamic Shared Secret feature on a cable interface on the Cisco uBR10012 router:
Router# configure terminal
Router(config)# interface cable 6/1/0
Router(config-if)# no cable dynamic-secret
Router(config-if)# exit
Router(config)# exit
Router#