System information
Configuring the CMTS
A currently connected CPE whose IP address falls within the start and end range
defined by the host authorization range command remains in the host
authorization table until it is individually removed with the no host authorization
command or until the BSR is reset.
Using DHCP Lease Query Function to Secure Cable Network
The DHCP lease query feature provides additional security on the cable network by
preventing hackers from stealing service from customers. Hackers steal service from
other subscribers by spoofing their connection information contained in ARP
broadcasts. Preventing hackers from spoofing the cable network also prevents
undesirable ARP broadcasts from disrupting service on the cable network.
The DHCP Lease Query feature is used in conjunction with the host authorization
feature on the BSR to query the location of a hacker’s Cable Modem (CM) and its
connected Customer Premises Equipment (CPE) when a packet either arrives from or
is destined to a subscriber’s CM and its CPE, and has no location information in the
DHCP Lease table.
If the DHCP Lease Query attempt fails, packets associated with the CM and its CPE
are discarded. The BSR sends DHCPLEASEQUERY messages to the specified
DHCP server and accepts DHCPACTIVE, DHCPKNOWN and DHCPUNKNOWN
replies from the DHCP server.
The following steps demonstrate how the BSR uses the DHCP lease query feature:
1. Cable Subscriber requests and gets an IP address from DHCP server.
2. Cable Subscriber starts to pass traffic through the cable interface.
3. The BSR inspects the cable network traffic to ensure source IP addresses are valid
by doing the following:
• Verify DHCP server acknowledgement messages to learn if IP packets are
forwarded only once for an IP address.
• Query the DHCP server to verify that an IP address was legally assigned by
checking the DHCP lease information table. If it is confirmed that a static IP
address was assigned by a hacker for a CM, packets are not forwarded
beyond the cable interface.
• Disallow ARP broadcasts
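
The decision flow in the steps above, modeled as an added Python example; it is not Motorola code or BSR configuration. The class and function names, the sample addresses, the check of the CPE and CM MAC addresses against the lease, and the treatment of DHCPKNOWN, DHCPUNKNOWN or no reply as a failed query are assumptions; the page states only that packets are discarded when the lease query attempt fails.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    cpe_mac: str   # MAC of the CPE holding the address
    cm_mac: str    # cable modem the CPE sits behind

def make_dhcp_server(active, pool):
    """Stand-in DHCP server: maps an IP to (reply type, lease or None)."""
    def query(ip):
        if ip in active:
            return "DHCPACTIVE", active[ip]
        return ("DHCPKNOWN" if ip in pool else "DHCPUNKNOWN"), None
    return query

class SourceVerifier:
    def __init__(self, lease_query):
        self.table = {}               # IP -> Lease, the local DHCP lease table
        self.lease_query = lease_query
        self.queries_sent = 0
    def learn_from_ack(self, ip, lease):   # steps 1-2: learned from the server's ack
        self.table[ip] = lease
    def check(self, src_ip, src_mac, cm_mac):
        lease = self.table.get(src_ip)
        if lease is None:             # no location info: send DHCPLEASEQUERY
            self.queries_sent += 1
            reply, lease = self.lease_query(src_ip)
            if reply != "DHCPACTIVE":  # assumption: any other outcome is a failed query
                return "discard"
            self.table[src_ip] = lease
        # Assumption: the packet must come from the CPE and CM recorded in the lease.
        if (lease.cpe_mac, lease.cm_mac) != (src_mac, cm_mac):
            return "discard"
        return "forward"

def demo():
    # Constructed sample data (documentation MAC range, private and test addresses).
    a = Lease("00:00:5e:00:53:0a", "00:00:5e:00:53:a1")
    b = Lease("00:00:5e:00:53:0b", "00:00:5e:00:53:b1")
    x = ("00:00:5e:00:53:0c", "00:00:5e:00:53:c1")   # CPE/CM with no lease
    bsr = SourceVerifier(make_dhcp_server({"10.0.0.10": a, "10.0.0.11": b}, {"10.0.0.50"}))
    bsr.learn_from_ack("10.0.0.10", a)
    return bsr, [
        bsr.check("10.0.0.10", a.cpe_mac, a.cm_mac),  # lease already in the table
        bsr.check("10.0.0.11", b.cpe_mac, b.cm_mac),  # missing locally, lease query succeeds
        bsr.check("10.0.0.10", *x),                   # A's address claimed from another CM
        bsr.check("10.0.0.50", *x),                   # statically set, never leased
        bsr.check("192.0.2.9", *x),                   # address the server does not manage
    ]
```

In this model a failed query is not cached, so every packet from an unverified source triggers a new DHCPLEASEQUERY; `queries_sent` makes that load on the DHCP server visible.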