Installation guide

3-24
Cisco uBR7100 Series Universal Broadband Router Software Configuration Guide
OL-2238-03
Chapter 3 Configuring the Cisco Cable Interface
Enabling and Configuring Baseline Privacy
BPI extends the definition of the MAC sublayer's SID. The DOCSIS RF Interface Specification defines
a SID as a mapping between the CMTS and a CM that is used to allocate upstream bandwidth and to
manage class of service. When BPI is activated, the SID also identifies a particular security
association and has both upstream and downstream significance. When BPI is operational, downstream
multicast traffic, which normally has no SID associated with it, is assigned one. The Privacy
Extended Header Element carries the SID associated with the MAC packet data protocol data unit (PDU).
The SID and the other fields of the extended header element tell the CM which keying material it
needs to decrypt the packet data field of that MAC PDU.
BPI’s key management protocol runs between the CMTS and the CM. CMs use the protocol to obtain
authorization and traffic keying material relevant to a particular SID from the CMTS, and to support
periodic reauthorization and key refresh.
The key management protocol uses RSA, a public key encryption algorithm, and the electronic
codebook (ECB) mode of DES to secure key exchanges between the CMTS and a CM. Traffic privacy is
provided by 56-bit (the default) or 40-bit DES encryption between the CMTS and the CM. Because BPI is
part of DOCSIS, all DOCSIS-certified CMs and qualified CMTSs are fully interoperable. Figure 3-1 shows a
BPI architecture.
Note that the CMTS authorizes a CM on the strength of the public key the CM presents in its request;
BPI does not certify that key, so it protects the confidentiality of traffic on the RF segment rather
than authenticating the modem, and 40-bit and 56-bit DES keys are within reach of brute-force search
with current hardware.
Note A CM must either have a factory-installed RSA private/public key pair or be able to generate one
internally before BPI is established for the first time.
A SID’s keying material has a limited life span. When the CMTS delivers SID keying material to a CM,
it also provides the CM with the lifetime value.
Figure 3-1 BPI Network Example
BPI Key Management
BPI initialization begins with the CM sending the CMTS an authorization request, containing data
identifying:
CM—48-bit IEEE MAC address
CM’s RSA public key
List of zero or more assigned unicast SIDs that have been configured to run BPI
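The exchange described in this section, from the authorization request through delivery of SID keying material with a lifetime and a later key refresh, is modelled below. This is an added example written for this page, not code from the Cisco guide or from any DOCSIS implementation, and it uses only the Python standard library. Several things are assumptions or stand-ins rather than what BPI specifies: the RSA step is textbook RSA without padding on two fixed Mersenne primes (a real CM carries a factory-installed pair); the TEK is wrapped by XOR with a SHA-256 keystream instead of DES-ECB, because the standard library has no DES; the KEK derivation (SHA-1 over a 0x53 pad and the AK) and its pad constant, the message field names, the 8-byte TEK, the key-sequence rollover, and the lifetimes and refresh grace period are all chosen for this example. The provisioning table, MAC address and SID numbers are constructed sample data.

```python
"""BPI key-management exchange modelled in Python. Added example (standard library
only), not code from the Cisco guide or any DOCSIS implementation. Assumptions:
textbook RSA without padding on fixed Mersenne primes; SHA-256 keystream XOR in
place of DES-ECB for wrapping the TEK; the KEK derivation and its 0x53 pad; the
message field names; an 8-byte TEK; and the lifetimes and grace period below."""
import hashlib
import os
from collections import namedtuple

AK_LIFETIME = 7 * 24 * 3600   # seconds an authorization key stays valid (assumption)
TEK_LIFETIME = 12 * 3600      # seconds a traffic key stays valid (assumption)
REFRESH_GRACE = 600           # CM asks for a new TEK this long before expiry (assumption)
AuthRequest = namedtuple("AuthRequest", "cm_mac pub_n pub_e sids")         # CM -> CMTS
AuthReply = namedtuple("AuthReply", "enc_ak ak_lifetime sids")             # CMTS -> CM
KeyReply = namedtuple("KeyReply", "sid wrapped_tek tek_lifetime tek_seq")  # CMTS -> CM
SA = namedtuple("SA", "tek issued lifetime seq")  # keying material bound to one SID


def rsa_keygen():
    """Toy RSA pair (n, e, d) from the Mersenne primes 2^127-1 and 2^107-1."""
    p, q, e = (1 << 127) - 1, (1 << 107) - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def derive_kek(ak):
    """Key-encryption key derived from the AK; the pad constant is an assumption."""
    return hashlib.sha1(b"\x53" * 64 + ak).digest()[:16]


def wrap(kek, sid, seq, tek):
    """Stand-in for DES-ECB TEK wrapping: XOR with a per-(SID, seq) keystream; self-inverse."""
    stream = hashlib.sha256(kek + sid.to_bytes(2, "big") + bytes([seq])).digest()
    return bytes(a ^ b for a, b in zip(tek, stream))


class CMTS:
    def __init__(self, provisioning):
        self.provisioning = provisioning  # MAC -> set of SIDs assigned at registration
        self.ak, self.sa = {}, {}         # MAC -> AK; (MAC, SID) -> SA

    def authorize(self, req):
        """Authorization reply: a fresh AK, readable only with the CM's private key."""
        granted = [s for s in req.sids if s in self.provisioning.get(req.cm_mac, ())]
        if not granted:
            raise PermissionError(f"{req.cm_mac}: no BPI-enabled SID assigned")
        ak = os.urandom(20)
        self.ak[req.cm_mac] = ak
        enc = pow(int.from_bytes(ak, "big"), req.pub_e, req.pub_n)
        return AuthReply(enc, AK_LIFETIME, granted)

    def key_request(self, mac, sid, now):
        """Key reply for one SID: a new TEK wrapped under the KEK, with its lifetime."""
        if mac not in self.ak or sid not in self.provisioning[mac]:
            raise PermissionError(f"{mac}: SID {sid} not authorized")
        old = self.sa.get((mac, sid))
        seq = (old.seq + 1) & 0xF if old else 0  # key sequence number, rolls over
        tek = os.urandom(8)
        self.sa[(mac, sid)] = SA(tek, now, TEK_LIFETIME, seq)
        return KeyReply(sid, wrap(derive_kek(self.ak[mac]), sid, seq, tek), TEK_LIFETIME, seq)


class CableModem:
    def __init__(self, mac, sids):
        self.mac, self.sids, self.sa = mac, sids, {}
        self.n, self.e, self.d = rsa_keygen()  # a real CM has a factory-installed pair

    def auth_request(self):
        return AuthRequest(self.mac, self.n, self.e, list(self.sids))

    def accept_auth_reply(self, reply, now):
        ak = pow(reply.enc_ak, self.d, self.n).to_bytes(20, "big")
        self.kek, self.ak_expires = derive_kek(ak), now + reply.ak_lifetime

    def accept_key_reply(self, reply, now):
        tek = wrap(self.kek, reply.sid, reply.tek_seq, reply.wrapped_tek)
        self.sa[reply.sid] = SA(tek, now, reply.tek_lifetime, reply.tek_seq)

    def keying_for(self, sid, now):
        """TEK named by the SID in a frame's Privacy EH; None if unknown or past its lifetime."""
        sa = self.sa.get(sid)
        return sa.tek if sa and now < sa.issued + sa.lifetime else None

    def needs_refresh(self, sid, now):
        sa = self.sa[sid]
        return now >= sa.issued + sa.lifetime - REFRESH_GRACE


def run_exchange():
    """Bring-up for one CM, a TEK refresh near expiry, and the checks that must hold."""
    mac = "00:11:22:33:44:55"  # constructed sample CM
    cmts, cm = CMTS({mac: {3, 4}}), CableModem(mac, [3, 4, 9])  # SID 9 is not this CM's
    t = 1_000_000
    reply = cmts.authorize(cm.auth_request())
    cm.accept_auth_reply(reply, t)
    for sid in reply.sids:
        cm.accept_key_reply(cmts.key_request(mac, sid, t), t)
    first = cm.keying_for(3, t)
    t2 = t + TEK_LIFETIME - REFRESH_GRACE + 1  # inside the refresh window
    refresh = cm.needs_refresh(3, t2)
    cm.accept_key_reply(cmts.key_request(mac, 3, t2), t2)
    try:
        cmts.key_request(mac, 9, t2)
        stray_rejected = False
    except PermissionError:
        stray_rejected = True
    return {"granted": reply.sids, "first_tek": first, "second_tek": cm.keying_for(3, t2),
            "tek_matches_cmts": cm.keying_for(3, t2) == cmts.sa[(mac, 3)].tek,
            "refresh_triggered": refresh, "stray_sid_rejected": stray_rejected,
            "sid4_expired": cm.keying_for(4, t + TEK_LIFETIME) is None}
```

Two design points carry over to a real deployment. The CMTS hands out keying material only for SIDs it assigned to that modem at registration, so a request naming a SID the modem was never given (SID 9 here) is refused rather than silently keyed. On the modem side, `keying_for` is the lookup a receiver performs with the SID from the Privacy Extended Header: a frame whose SID has no security association, or whose key has passed the lifetime the CMTS delivered with it, yields no key and must not be decrypted with stale material, which is why `needs_refresh` fires before expiry rather than at it.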
[Figure 3-1 (image not reproduced): cable modems A, B and C on the cable network connect to a Cisco
uBR7100 series CMTS, which connects through the MSO network to the Internet. The segment secured by
baseline privacy is the cable network between the cable modems and the CMTS.]