Specifications
DOCSIS 1.1 for Cisco uBR905 and Cisco uBR925 Cable Access Routers and Cisco CVA122 Cable Voice Adapters
Information About DOCSIS 1.1 Support
Cisco IOS Release 12.2(15)CZ
Both sets of keys have a limited lifetime and must be renewed periodically. When a key reaches
approximately half its lifespan, the cable modem begins the process to request a new set of keys. While
the new set of keys is being exchanged, the cable modem can continue to use the old set to encrypt and
decrypt data. The KEK keys have a longer lifetime than the TEK keys to ensure that the cable modem
and CMTS will always be able to obtain new TEK keys, allowing data transmissions to continue without
interruptions.
Secure Software Download
DOCSIS 1.1 supports secure software download to allow a service provider to remotely upgrade a cable
modem’s software without risk of interception or alteration. Secure software download also prevents
users from upgrading the cable modem to unauthorized software images.
The manufacturer digitally signs the software image using a PKCS #7 digital signature that is generated
using the Rivest-Shamir-Adleman (RSA) algorithm and Secure Hash Algorithm-1 (SHA-1). This digital
signature is chained to the DOCSIS root code signing certificate so that it can be easily verified.
The cable operator can optionally also digitally sign the software image in a similar manner, using
another digital signature that is chained to the DOCSIS root code signing certificate. This allows cable
operators greater control over which software images are used on the cable network.
The cable operator initiates the software download by filling in the software filename and TFTP server
fields (TLVs 9 and 21) in the DOCSIS configuration file that it sends to the cable modem during
registration. You can also initiate a software download by using SNMP commands. In either case, the
cable modem then requests the specified file and downloads it from the specified TFTP server.
The cable modem verifies the manufacturer’s digital signature and, if present, the cable operator’s digital
signature, using the code verification certificates (CVCs) provided in the DOCSIS configuration file. If
the signatures are valid, the cable modem loads and runs the software.
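The following Python check is an added example, not Cisco code or part of the original document. It audits a DOCSIS configuration file before deployment: if the file requests a software upgrade (TLV 9), it confirms that a manufacturer CVC is present for the modem to verify the signature with. TLV types 32 and 33 for the CVCs are assumptions taken from the DOCSIS 1.1 configuration-file encodings, not from this page, and the file name, server address and certificate bytes are constructed sample data.

```python
# TLVs 9 and 21 are named on this page. Types 32 and 33 (manufacturer and co-signer
# CVC) are assumptions taken from the DOCSIS 1.1 configuration-file encodings.
SW_FILENAME, SW_TFTP_SERVER, MFR_CVC, COSIGNER_CVC = 9, 21, 32, 33
PAD, END_OF_DATA = 0, 255

def parse_tlvs(blob):
    """Return {type: [value, ...]} for the top-level settings of a config file."""
    settings, i = {}, 0
    while i < len(blob):
        t = blob[i]
        if t == END_OF_DATA:
            break
        if t == PAD:                      # single byte, no length field
            i += 1
            continue
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError(f"TLV type {t} at offset {i} is truncated")
        length = blob[i + 1]
        settings.setdefault(t, []).append(blob[i + 2:i + 2 + length])
        i += 2 + length
    return settings

def audit_secure_download(blob):
    """List problems that would stop a signed image from being verified."""
    s, findings = parse_tlvs(blob), []
    if SW_FILENAME not in s:
        return findings                   # no upgrade requested, nothing to check
    for server in s.get(SW_TFTP_SERVER, []):
        if len(server) != 4:
            findings.append("TLV 21 is not a 4-byte IPv4 address")
    # A CVC longer than 254 bytes is split over consecutive TLVs of the same type.
    for t, name, required in ((MFR_CVC, "manufacturer", True), (COSIGNER_CVC, "co-signer", False)):
        cvc = b"".join(s.get(t, []))
        if required and not cvc:
            findings.append(f"upgrade requested but no {name} CVC (TLV {t})")
        elif cvc and cvc[0] != 0x30:      # X.509 DER starts with a SEQUENCE tag
            findings.append(f"{name} CVC (TLV {t}) is not DER encoded")
    return findings

def tlv(t, value):
    return bytes([t, len(value)]) + value

# Constructed sample data: the CVC is filler with a DER header, not a real certificate.
FAKE_CVC = b"\x30\x82\x01\x28" + b"\xAA" * 296
UPGRADE = tlv(9, b"ubr925-signed.bin") + tlv(21, bytes([192, 0, 2, 10]))
GOOD = UPGRADE + tlv(32, FAKE_CVC[:254]) + tlv(32, FAKE_CVC[254:]) + b"\xff"
BAD = UPGRADE + b"\xff"

if __name__ == "__main__":
    print("good:", audit_secure_download(GOOD), "| bad:", audit_secure_download(BAD))
```

The check covers only the presence and encoding of the CVCs; validating the certificate chain and the image signature is still the modem's job.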
When a cable modem is running DOCSIS 1.1 software, it must use the secure software download feature
to download a software image through the DOCSIS configuration file or through SNMP commands.
Even if you disable BPI+, a DOCSIS 1.1 cable modem still accepts only digitally signed software images
that can be verified through the secure software download process.
Note: The secure software download feature does not prevent a user who has console or Telnet access and
knows the proper passwords from loading an unsigned software image directly into the cable modem’s
Flash memory by using the copy tftp command.
The secure software download feature requires the following prerequisites:
• The Cisco uBR905, Cisco uBR925, or Cisco CVA122 must be running a DOCSIS 1.1 software
image.
If the cable modem is currently running a DOCSIS 1.0 software image, you cannot use the secure
software download to upgrade to a DOCSIS 1.1 image. Instead, you must use the DOCSIS 1.0
software upgrade process to load an unsigned DOCSIS 1.1 software image. Then you will be able
to use the secure software download process to load a digitally signed DOCSIS 1.1 software image.
• The desired software image must be digitally signed by the manufacturer. The cable operator can
also optionally digitally sign the image. Unsigned images cannot be loaded using the secure
software download process.
Note: You cannot use the copy tftp command to load digitally signed images into the Flash
memory on the cable modem.