ISP security questions

Posted by Nick on February 21, 2008, 4:07 pm
Hello All,

I have a few questions regarding subscriber authentication and
identification in cable Internet systems (or ISPs in general) that I'd
appreciate some input on:

1) It is my understanding that a cable modem is basically a layer-2
bridge, so all the user traffic goes directly through to the CMTS. In
this case, how does the cable service provider implement the 1 IP
address per subscriber limitation? In other words, how is the
subscriber prevented from simply connecting a switch to the cable
modem and obtaining multiple IP addresses for his equipment via DHCP?
Only the first IP address can be obtained in this manner - no more.

2) How does the service provider prevent a user from manually entering
a static IP address in the network configuration, potentially causing
conflicts with another user who has the same IP? In other words, how
does the provider ensure that the IP address given to a subscriber via
DHCP is the only IP address that the subscriber can use?

DSL service providers often use PPPoE, which takes care of both (1)
and (2) above, but cable providers do not, so they must have some
other way of doing it.

3) Given that a user's IP address can change (assuming dynamic
addressing via DHCP), and that his MAC address can also change (for
example, if he plugs another PC into the cable modem), how does the
service provider identify individual users for billing, bandwidth
usage reporting, etc.?

4) Is bandwidth limiting (i.e., ensuring that a user only gets the
bandwidth package that he paid for) typically implemented at the
network's edge by the cable modem, or centrally within the service
provider's network (via a bandwidth management appliance?)

I'd much appreciate any insight you can offer into these questions.

Thanks,
Nick

Posted by Tom Stiller on February 21, 2008, 5:19 pm
In article

> Hello All,
>
> I have a few questions regarding subscriber authentication and
> identification in cable Internet systems (or ISPs in general) that I'd
> appreciate some input on:
>
> 1) It is my understanding that a cable modem is basically a layer-2
> bridge, so all the user traffic goes directly through to the CMTS. In
> this case, how does the cable service provider implement the 1 IP
> address per subscriber limitation? In other words, how is the
> subscriber prevented from simply connecting a switch to the cable
> modem and obtaining multiple IP addresses for his equipment via DHCP?
> Only the first IP address can be obtained in this manner - no more.
>
> 2) How does the service provider prevent a user from manually entering
> a static IP address in the network configuration, potentially causing
> conflicts with another user who has the same IP? In other words, how
> does the provider ensure that the IP address given to a subscriber via
> DHCP is the only IP address that the subscriber can use?
>
> DSL service providers often use PPPoE, which takes care of both (1)
> and (2) above, but cable providers do not, so they must have some
> other way of doing it.
>
> 3) Given that a user's IP address can change (assuming dynamic
> addressing via DHCP), and that his MAC address can also change (for
> example, if he plugs another PC into the cable modem), how does the
> service provider identify individual users for billing, bandwidth
> usage reporting, etc.?
>
> 4) Is bandwidth limiting (i.e., ensuring that a user only gets the
> bandwidth package that he paid for) typically implemented at the
> network's edge by the cable modem, or centrally within the service
> provider's network (via a bandwidth management appliance?)
>
> I'd much appreciate any insight you can offer into these questions.
>

Your questions can be answered when you consider that the cable modem
has a MAC and IP address on the cable side of the device, as well as on
the LAN side of the device. The ISP's database defines which services
are allowed for which modem by using the modem's MAC address.

--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF
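To make the answer above concrete for questions (1) and (2), here is an added toy model (not code from the thread or from any vendor) of the checks a CMTS can apply: the modem's cable-side MAC is looked up in the ISP's provisioning database, the number of LAN-side CPE devices is capped per modem, and upstream packets are forwarded only if their source IP was actually leased by DHCP to that CPE behind that modem. The class and method names, the CPE limit and the 198.51.100.0/24 addresses are this example's own constructions, loosely modelled on the DOCSIS max-CPE setting and CMTS source-verify behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class Modem:
    mac: str                 # cable-side MAC: the ISP's subscriber key
    max_cpe: int             # CPE limit from the modem's service profile
    cpe_macs: set = field(default_factory=set)    # learned LAN-side MACs
    leases: dict = field(default_factory=dict)    # ip -> CPE MAC (DHCP-issued)


class Cmts:
    """Toy CMTS: provisioning is {modem MAC: max CPE count} (the ISP database)."""

    def __init__(self, provisioning):
        self.modems = {m: Modem(m, n) for m, n in provisioning.items()}
        self.next_host = 10          # constructed pool: 198.51.100.10 upwards
        self.log = []                # (reason, context...) for dropped events

    def _drop(self, reason, *ctx):
        self.log.append((reason,) + ctx)

    def dhcp_request(self, modem_mac, cpe_mac):
        """Return an IP for the CPE, or None if the modem is unknown or full."""
        modem = self.modems.get(modem_mac)
        if modem is None:
            self._drop("unprovisioned modem", modem_mac, cpe_mac)
            return None
        if cpe_mac not in modem.cpe_macs and len(modem.cpe_macs) >= modem.max_cpe:
            self._drop("max-cpe exceeded", modem_mac, cpe_mac)   # answers Q1
            return None
        modem.cpe_macs.add(cpe_mac)
        for ip, mac in modem.leases.items():     # renewal: keep existing lease
            if mac == cpe_mac:
                return ip
        ip = f"198.51.100.{self.next_host}"
        self.next_host += 1
        modem.leases[ip] = cpe_mac
        return ip

    def forward_upstream(self, modem_mac, cpe_mac, src_ip):
        """Forward only if src_ip was leased to this CPE behind this modem (Q2)."""
        modem = self.modems.get(modem_mac)
        if modem is None or modem.leases.get(src_ip) != cpe_mac:
            self._drop("source-verify failed", modem_mac, cpe_mac, src_ip)
            return False
        return True
```

A hand-configured static address fails `forward_upstream` because no lease binds it to the sending CPE, and a second PC behind a one-CPE modem gets no lease at all; both events land in `log`, which is where a provider would hook its alerting.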

Posted by Nick on February 21, 2008, 5:34 pm
Thanks for your reply. But, if the cable modem is acting like a true
bridge, then wouldn't it pass through the MAC address of the
subscriber's device (PC or router), so that the MAC address "seen" by
the ISP would be the address of the connected device, and not of the
modem itself?

Thanks,
Nick

Posted by Tom Stiller on February 21, 2008, 6:07 pm
In article

> Thanks for your reply. But, if the cable modem is acting like a true
> bridge, then wouldn't it pass through the MAC address of the
> subscriber's device (PC or router), so that the MAC address "seen" by
> the ISP would be the address of the connected device, and not of the
> modem itself?

Who says the cable modem acts as a bridge? Remember, all the traffic
for a given neighborhood is present on the same cable. The modem has to
detect and selectively pass only the traffic intended for it.
Similarly, the modem is paired with only one device (specified by MAC
address) on the LAN side. That sounds more like routing, rather than
bridging.

All that aside, you could probably look up the DOCSIS specifications and
see exactly what the protocol does, and does not, allow.

--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

Posted by Todd H. on February 21, 2008, 6:23 pm

> Thanks for your reply. But, if the cable modem is acting like a true
> bridge,

But, in reality, it's not.

Now the big fun is if you can modify your cable modem's MAC to be a
MAC of a legit cable modem on another segment. There was a
vulnerability or hack released several years ago whereby access was
regulated upstream of multiple segments, whereby if you spoofed a legit
MAC on another segment, your traffic would be routed happily by the
upstream devices, and because you were on a separate segment, there
would be no ARP conflicts. I never tried it, but it is the best
example I can think of that plays to the scenarios you are pondering.
I think it also needed a configuration goof on the cable modem
provider's part to not lock IPs to a MAC or some such. I'm fuzzy on
the details, but it was possible at some providers apparently.

Best Regards,
--
Todd H.
http://www.toddh.net/
