
Configuring Headend Broadband Access Router Features
Security Features
MC-529
Cisco IOS Multiservice Applications Configuration Guide
DOCSIS Baseline Privacy
The Cisco uBR7200 series routers support DOCSIS Baseline Privacy (BPI). When BPI is enabled, the
Cisco uBR7200 series generates a Traffic Encryption Key (TEK) for each applicable service ID (SID). The
router uses these keys to encrypt downstream data and to decrypt upstream traffic from two-way cable
modems. BPI protects only the RF link between the cable modem and the headend; traffic is not
encrypted by BPI once it leaves the Cisco uBR7200 series.
The Cisco uBR7200 series supports both 40-bit and 56-bit DES encryption/decryption. When BPI is enabled,
56-bit DES is the default. A configuration command allows an administrator to force the Cisco uBR7200
series to generate a 40-bit DES key; the key that is generated and returned has the first 16 bits of the
56-bit key masked to 0 in software, so only 40 key bits remain secret.
Note Both the Cisco uBR7200 series universal broadband router and the cable modem must run
software that supports encryption/decryption, and both must be configured to use it.
The Cisco uBR7200 series router generates keys for unicast, broadcast, and multicast operation as
appropriate. Keys are refreshed periodically; the default TEK lifetime is 12 hours.
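The following is an added example, not Cisco code, showing what the 40-bit mode described above does to a DES key. A DES key is carried as 8 bytes: the high 7 bits of each byte are key material (56 bits) and the low bit is an odd-parity bit. Which 16 of the 56 bits the uBR7200 software masks is not stated on this page; the example assumes key bits 1 to 16 in DES numbering (the 7 key bits of byte 0, the 7 of byte 1, and the top 2 of byte 2). The sample key is constructed.

```python
# Added example (not Cisco code): reducing a 56-bit DES key to the 40-bit form
# by zeroing its first 16 key bits.  Assumption: "first 16 bits" means key bits
# 1..16 in DES numbering (parity bits are not key bits and are recomputed).

def key_bits(key: bytes) -> list:
    """Return the 56 key bits of an 8-byte DES key (parity stripped), MSB first."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    bits = []
    for b in key:
        for i in range(7, 0, -1):          # bits 7..1 are key material, bit 0 is parity
            bits.append((b >> i) & 1)
    return bits


def bits_to_key(bits: list) -> bytes:
    """Pack 56 key bits into 8 bytes, recomputing the odd-parity bit of each byte."""
    if len(bits) != 56:
        raise ValueError("need exactly 56 key bits")
    out = bytearray()
    for i in range(8):
        b = 0
        for bit in bits[i * 7:(i + 1) * 7]:
            b = (b << 1) | bit
        b <<= 1                             # make room for the parity bit
        if bin(b).count("1") % 2 == 0:      # odd parity: force an odd number of 1 bits
            b |= 1
        out.append(b)
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the key carries correct DES odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def mask_to_40_bit(key: bytes) -> bytes:
    """Zero the first 16 of the 56 key bits, then re-encode with valid parity.
    The result is still handed to DES as an 8-byte key, but only 40 bits of it
    are secret: an exhaustive search needs 2**40 trials instead of 2**56."""
    bits = key_bits(key)
    bits[:16] = [0] * 16
    return bits_to_key(bits)


def collapse_together(k1: bytes, k2: bytes) -> bool:
    """True if two 56-bit keys become the same key after 40-bit masking,
    i.e. they differ only in bits the masking discards."""
    return mask_to_40_bit(k1) == mask_to_40_bit(k2)


if __name__ == "__main__":
    full = bytes.fromhex("0123456789ABCDEF")   # constructed 56-bit key with valid parity
    print("56-bit key :", full.hex())
    print("40-bit key :", mask_to_40_bit(full).hex())
```

Run stand-alone it prints the masked key; the point to take from collapse_together is that every key in a block of 2**16 candidates maps to one 40-bit key, which is exactly the strength reduction the 40-bit mode buys.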
Cable Modem and Multicast Authentication Using RADIUS
As an enhancement to Baseline Privacy, Cisco uBR7200 series universal broadband routers can be
configured for cable modem and multicast authentication using RADIUS, an access-server
authentication, authorization, and accounting (AAA) protocol originally developed by Livingston, Inc.
The Cisco uBR7200 series also supports additional vendor-proprietary RADIUS attributes.
When a cable modem comes online, or when an access request is received for a multicast data stream,
the Cisco uBR7200 series sends the relevant information to the configured RADIUS servers for cable
modem or host authentication. The feature can be configured on a per-interface basis.
RFC 2138 defines the RADIUS protocol, and RFC 2139 defines the corresponding RADIUS accounting
protocol (both have since been superseded by RFC 2865 and RFC 2866). Additional Internet-Drafts define
vendor-proprietary attributes and MIBs that can be used with a Simple Network Management Protocol
(SNMP) manager.
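The exchange the paragraphs above rely on, as an added example that is not Cisco's implementation: a RADIUS Access-Request built the way RFC 2138 (now RFC 2865) specifies, including the User-Password hiding keyed by the Request Authenticator, and a reply whose Response Authenticator the client checks before trusting an Accept. Which attributes the uBR7200 actually sends is not given on this page; carrying the modem MAC in User-Name and Calling-Station-Id, the shared secret, and the modem database are assumptions constructed for the example, so it runs offline.

```python
# Added example (not Cisco's implementation): RADIUS Access-Request and
# Access-Accept/Reject per RFC 2138, as a CMTS could use it to authenticate a
# cable modem.  Attribute choice (modem MAC as User-Name and Calling-Station-Id)
# and the in-memory "server" are assumptions made for this example.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 section 5.2: pad to 16-byte blocks and XOR block i with
    MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ c for p, c in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ p for c, p in zip(block, pad)), block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, nas_ip, modem_mac, password):
    """CMTS side: return (packet, request_authenticator).  The authenticator
    must be fresh and unpredictable because it keys the password hiding."""
    request_auth = os.urandom(16)
    attrs = (avp(USER_NAME, modem_mac.encode())
             + avp(USER_PASSWORD, hide_password(password, secret, request_auth))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(CALLING_STATION_ID, modem_mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_attrs(body: bytes) -> dict:
    """Walk the attribute list, refusing lengths that would run past the packet."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs


def server_handle(packet: bytes, secret: bytes, modem_db: dict) -> bytes:
    """RADIUS server side: check the modem's credential and build the reply.
    modem_db maps modem MAC -> expected password (constructed for the example)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:])
    mac = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = modem_db.get(mac)
    ok = expected is not None and hmac.compare_digest(expected, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_check_response(response: bytes, secret: bytes, request_auth: bytes) -> int:
    """CMTS side: refuse any reply whose Response Authenticator does not verify,
    so an Access-Accept injected by a third party is not honoured."""
    header, auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch: reply not from the RADIUS server")
    return header[0]


def authenticate_modem(modem_mac, password, secret, modem_db, nas_ip="10.1.1.1"):
    """Full round trip; True only for an Access-Accept that verifies."""
    packet, request_auth = build_access_request(1, secret, nas_ip, modem_mac, password)
    reply = server_handle(packet, secret, modem_db)
    return client_check_response(reply, secret, request_auth) == ACCESS_ACCEPT
```

The two checks worth noting are the bounds check in parse_attrs, since attribute lengths come from the wire, and client_check_response, which is what stops a forged Accept from a host on the path between the CMTS and the RADIUS server.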
Upstream Address Verification
Upstream address verification prevents IP address spoofing by checking the source IP address of each
upstream data packet against the MAC address of the cable modem it arrived from, so that a packet is
forwarded only if it comes from the cable modem known to be associated with that source IP address.
The cable source-verify [dhcp] cable interface command enables the check; with the dhcp keyword, the
router sends a DHCP LEASEQUERY request to verify any source IP address in upstream data packets that
it does not already know. This feature requires a DHCP server that supports the LEASEQUERY message
type.
Note Cisco Network Registrar (CNR) supports the LEASEQUERY message type in software
release 3.01(T) and later.
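The decision logic described above, as an added example that is not Cisco's implementation: a CMTS binding table learned from DHCP, the LEASEQUERY fallback for a source address the CMTS has not seen, and what happens when the DHCP server does not answer lease queries. Everything is constructed in memory. Two assumptions are made beyond what the page states: a source that neither the binding table nor a LEASEQUERY can vouch for is dropped, and the lease query reply carries the cable modem (relay agent) MAC recorded when the lease was issued.

```python
# Added example (not Cisco's implementation): decision logic of upstream
# address verification with the DHCP LEASEQUERY fallback.  Assumptions: an
# unverifiable source is dropped, and the LEASEQUERY reply includes the modem
# MAC stored with the lease.  All tables and packets are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Lease:
    ip: str
    client_mac: str   # the host (CPE) that holds the lease
    modem_mac: str    # the cable modem it was obtained through


class DhcpServer:
    """Toy DHCP server.  leasequery() answers a query-by-IP with the lease,
    or None when it has no lease or does not implement LEASEQUERY at all."""

    def __init__(self, leases: List[Lease], supports_leasequery: bool = True):
        self.leases = {lease.ip: lease for lease in leases}
        self.supports_leasequery = supports_leasequery

    def leasequery(self, ip: str) -> Optional[Lease]:
        if not self.supports_leasequery:
            return None                    # older server: the query goes unanswered
        return self.leases.get(ip)


@dataclass(frozen=True)
class UpstreamPacket:
    sid: int       # DOCSIS service ID the frame arrived on: identifies the modem
    src_ip: str    # IP source address carried in the packet


class Cmts:
    FORWARD = "forward"
    DROP_SPOOF = "drop: source IP belongs to a host behind another modem"
    DROP_UNVERIFIED = "drop: source IP could not be verified"

    def __init__(self, dhcp: DhcpServer, sid_to_modem_mac: Dict[int, str]):
        self.dhcp = dhcp
        self.sid_to_modem_mac = sid_to_modem_mac
        self.bindings: Dict[str, str] = {}   # src_ip -> modem MAC, gleaned from DHCP ACKs
        self.queries_sent = 0

    def glean_dhcp_ack(self, ip: str, modem_mac: str) -> None:
        """Normal path: the CMTS relays DHCP and records which modem each lease went through."""
        self.bindings[ip] = modem_mac

    def verify(self, pkt: UpstreamPacket) -> str:
        modem_mac = self.sid_to_modem_mac.get(pkt.sid)
        if modem_mac is None:
            return self.DROP_UNVERIFIED    # frame on a SID with no registered modem
        owner = self.bindings.get(pkt.src_ip)
        if owner is None:
            # Unknown source: ask the DHCP server who holds this address.
            self.queries_sent += 1
            lease = self.dhcp.leasequery(pkt.src_ip)
            if lease is None:
                return self.DROP_UNVERIFIED
            owner = lease.modem_mac
            self.bindings[pkt.src_ip] = owner   # cache, so later packets need no query
        return self.FORWARD if owner == modem_mac else self.DROP_SPOOF


def run_scenario(supports_leasequery: bool = True) -> Tuple[List[str], int]:
    """Constructed scenario: two modems, one address already learned, one that
    must be looked up, one spoof attempt and one address no server knows.
    Returns the per-packet decisions and the number of LEASEQUERYs sent."""
    dhcp = DhcpServer([Lease("10.1.1.10", "00aa.bb01.0001", "0010.7b00.0001"),
                       Lease("10.1.1.20", "00aa.bb01.0002", "0010.7b00.0002")],
                      supports_leasequery)
    cmts = Cmts(dhcp, {1: "0010.7b00.0001", 2: "0010.7b00.0002"})
    cmts.glean_dhcp_ack("10.1.1.10", "0010.7b00.0001")
    packets = [
        UpstreamPacket(1, "10.1.1.10"),   # legitimate, binding already known
        UpstreamPacket(2, "10.1.1.10"),   # modem 2 spoofing the host behind modem 1
        UpstreamPacket(2, "10.1.1.20"),   # legitimate but unknown to the CMTS (e.g. after reload)
        UpstreamPacket(2, "10.1.1.20"),   # same source again: answered from the cache
        UpstreamPacket(1, "10.1.1.99"),   # never leased by anyone
    ]
    return [cmts.verify(p) for p in packets], cmts.queries_sent


if __name__ == "__main__":
    for decision in run_scenario()[0]:
        print(decision)
```

Running run_scenario(supports_leasequery=False) shows why the server requirement in the text matters: with no LEASEQUERY answers, every address the CMTS has not gleaned itself, including the legitimate host at 10.1.1.20, is dropped, and the CMTS keeps querying because it never learns a binding to cache.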