This document describes the Dynamic Shared Secret feature, which enables service providers to provide higher levels of security
for their Data-over-Cable Service Interface Specifications (DOCSIS) cable networks. This feature uses randomized, single-use
shared secrets to verify the DOCSIS configuration files that are downloaded to each cable modem.
The Dynamic Shared Secret feature automatically creates a unique DOCSIS shared secret on a per-modem basis, creating a one-time
use DOCSIS configuration file that is valid only for the current session. This ensures that a DOCSIS configuration file that
has been downloaded for one cable modem can never be used by any other modem, nor can the same modem reuse this configuration
file at a later time.
This patented feature is designed to guarantee that all registered modems use only the quality of service (QoS) parameters
that have been specified by the DOCSIS provisioning system for a particular modem at the time of its registration. This feature
is an accepted DOCSIS standard.
Your software release may not support all the features that are documented in this module. For the latest feature information
and caveats, see the release notes for your platform and software release. The Feature Information Table at the end of this
document provides information about the documented features and lists the releases in which each feature is supported.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
Hardware Compatibility Matrix for the Cisco cBR Series Routers
Note
The hardware components that are introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified.
Table 1. Hardware Compatibility Matrix for the Cisco cBR Series Routers
Cisco CMTS Platform: Cisco cBR-8 Converged Broadband Router
Processor Engine (Cisco IOS-XE Release 16.5.1 and later releases):
  Cisco cBR-8 Supervisor:
    PID—CBR-SUP-250G
    PID—CBR-CCAP-SUP-160G
Interface Cards (Cisco IOS-XE Release 16.5.1 and later releases):
  Cisco cBR-8 CCAP Line Cards:
    PID—CBR-LC-8D30-16U30
    PID—CBR-LC-8D31-16U30
    PID—CBR-RF-PIC
    PID—CBR-RF-PROT-PIC
    PID—CBR-CCAP-LC-40G
    PID—CBR-CCAP-LC-40G-R
    PID—CBR-CCAP-LC-G2-R
    PID—CBR-SUP-8X10G-PIC
    PID—CBR-2X100G-PIC
  Digital PICs:
    PID—CBR-DPIC-8X10G
    PID—CBR-DPIC-2X100G
  Cisco cBR-8 Downstream PHY Module:
    PID—CBR-D31-DS-MOD
  Cisco cBR-8 Upstream PHY Modules:
    PID—CBR-D31-US-MOD
Note
Do not use DPICs (8X10G and 2x100G) to forward IP traffic, as it may cause buffer exhaustion, leading to line card reload.
The only allowed traffic on a DPIC interface is DEPI, UEPI, and GCP traffic from the Cisco cBR-8 router to Remote PHY devices.
Other traffic such as DHCP, SSH, and UTSC should flow via another router, since DPICs cannot be used for normal routing.
Prerequisites for Dynamic Shared Secret
The configuration of the Dynamic Shared Secret feature is supported on the Cisco CMTS routers.
Following is a list of other important prerequisites for the Dynamic Shared Secret feature:
The Cisco CMTS must be running Cisco IOS-XE 3.15.0S or later.
The Dynamic Shared Secret feature supports an external provisioning server.
A cable modem must be able to register with the Cisco CMTS before enabling the Dynamic Shared Secret feature.
For full security, DOCSIS configuration files should have filenames that are at least 5 or more characters in length.
For best performance during the provisioning of cable modems, we recommend using Cisco Network Registrar Release 3.5 or later.
Note
When the Dynamic Shared Secret feature is enabled using its default configuration, a cable modem diagnostic webpage shows a scrambled name for its DOCSIS configuration file. This filename changes randomly each time that the cable modem registers with the CMTS. To change the default behavior, use the nocrypt option with the cable dynamic-secret command.
Restrictions for Dynamic Shared Secret
General Restrictions for Dynamic Shared Secret
The cable shared-secret and cable shared-secondary-secret commands cannot be configured together with the Dynamic Shared Secret feature.
If you configure the Dynamic Shared Secret feature on a primary cable interface, you should also configure the feature on
all of the corresponding subordinate cable interfaces.
The Dynamic Shared Secret feature ensures that each cable modem registering with the CMTS can use only the DOCSIS configuration
file that is specified by the service provider’s authorized Dynamic Host Configuration Protocol (DHCP) and TFTP servers, using
the DOCSIS-specified procedures.
The Dynamic Shared Secret feature does not affect cable modems that are already online and provisioned. If a cable modem is
online, you must reset it, so that it reregisters, before it complies with the Dynamic Shared Secret feature.
The DMIC lock mode uses the following behavior during a switchover event in HCCP N+1 Redundancy. All cable modems which were previously in lock mode are taken offline during a switchover event, and the prior state of locked modems is lost. If previously locked modems remain non-compliant, they will return to LOCK mode after three failed registration attempts. If the modems have become DOCSIS compliant, they will return online in the normal fashion. Refer to the SNMP Support section for additional information about DMIC lock mode.
If a Broadband Access Center for Cable (BACC) provisioning server is being used, the Device Provisioning Engine (DPE) TFTP server verifies that the IP address of the TFTP client matches the expected DOCSIS cable modem IP address. If a match is not found, the request is dropped. This functionality is incompatible with the CMTS DMIC feature, because with DMIC it is the CMTS, not the cable modem, that requests the configuration file from the TFTP server. Use the no tftp verify-ip command on all BACC DPE servers to disable the verification of the requestor IP address on dynamic configuration TFTP requests. Refer to the Cisco Broadband Access Center DPE CLI Reference at http://www.cisco.com/c/en/us/td/docs/net_mgmt/broadband_access_center_for_cable/4-0/command/reference/DPECLIRef40.html for additional information.
Cable Modem Restrictions for Dynamic Shared Secret
DHCP Restriction for Incognito Server and Thomson Cable Modems
The Dynamic Host Configuration Protocol (DHCP) passes configuration information to DHCP hosts on a TCP/IP network. Configuration parameters and other control information are stored in the options field of the DHCP message.
When using DMIC with the Incognito DHCP server, the Incognito server must be re-configured so that the following two options are not sent in the DHCP message:
option 66—This option is used to identify a TFTP server when the sname field in the DHCP header has been used for DHCP options. Option 66 is a variable-length field in the Options field of a DHCP message, described as "an option used to identify a TFTP server when the 'sname' field in the DHCP header has been used for DHCP options" in RFC 2132.
sname field—The sname field is a 64-octet field in the header of a DHCP message, described as "optional server host name, null terminated string" in RFC 2131. A DHCP server inserts this option if the returned parameters exceed the usual space allotted for options. If this option is present, the client interprets the specified additional fields after it concludes interpretation of the standard option fields.
Note
It is not compliant with DOCSIS to include both of these options in the DHCP message.
The problematic packet capture below is a DHCP offer in which both sname and option 66 are set (in this respective sequence):
When using DMIC with Incognito DHCP servers and Thomson cable modems, you must prevent both options from being sent in the DHCP offer. Use one of the following workaround methods to achieve this:
Change the Incognito DHCP server so that it does not include the sname option as described above.
Change the cable modem code so that sname is not prioritized above option 66, as in the problematic packet capture shown in the example above.
Migrate to a compliant DHCP and TFTP server such as CNR. This also offers significantly higher performance.
Refer to these resources for additional DOCSIS DHCP information, or optional DHCP MAC exclusion:
DHCP Options and BOOTP Vendor Extensions, RFC 2132
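The following Python script is an added example written for this section; it is not part of the Cisco documentation. It checks a DHCPOFFER for the non-compliant combination described above, a non-empty sname field together with option 66, by parsing the fixed BOOTP header layout from RFC 2131 and the options area from RFC 2132. The packets it builds (hostname, server address, transaction ID) are constructed for the example, not captured traffic.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_DHCP_MESSAGE_TYPE = 53
OPT_TFTP_SERVER_NAME = 66
SNAME_OFFSET, SNAME_LEN = 44, 64      # RFC 2131 fixed header: sname follows the 16-byte chaddr
OPTIONS_OFFSET = 240                  # 236-byte fixed header + 4-byte magic cookie


def parse_dhcp_options(raw):
    """Return {code: value} for the RFC 2132 options area (first occurrence of a code wins)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts.setdefault(code, value)
        i += 2 + length
    return opts


def check_dhcp_offer(packet):
    """Report whether sname and option 66 are both set, the combination DMIC cannot tolerate."""
    if len(packet) < OPTIONS_OFFSET or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    sname = packet[SNAME_OFFSET:SNAME_OFFSET + SNAME_LEN].split(b"\x00", 1)[0]
    opts = parse_dhcp_options(packet[OPTIONS_OFFSET:])
    option66 = opts.get(OPT_TFTP_SERVER_NAME)
    return {
        "sname": sname.decode("ascii", "replace"),
        "option66": None if option66 is None else option66.decode("ascii", "replace"),
        "both_set": bool(sname) and option66 is not None,
    }


def build_offer(sname=b"", option66=None):
    """Build a minimal DHCPOFFER. Constructed sample for the example, not a captured packet."""
    header = bytearray(236)
    header[0], header[1], header[2] = 2, 1, 6          # BOOTREPLY, Ethernet, hlen 6
    header[4:8] = struct.pack("!I", 0x3903F326)        # arbitrary transaction id
    header[44:108] = sname[:SNAME_LEN].ljust(SNAME_LEN, b"\x00")
    options = bytes([OPT_DHCP_MESSAGE_TYPE, 1, 2])     # message type = DHCPOFFER
    if option66 is not None:
        options += bytes([OPT_TFTP_SERVER_NAME, len(option66)]) + option66
    return bytes(header) + DHCP_MAGIC_COOKIE + options + bytes([OPT_END])


if __name__ == "__main__":
    for label, pkt in [("sname + option 66", build_offer(b"tftp.example.net", b"10.0.0.5")),
                       ("option 66 only", build_offer(option66=b"10.0.0.5"))]:
        print(label, check_dhcp_offer(pkt))
```

To check a real offer, feed check_dhcp_offer the UDP payload of the server's reply; a result with both_set true is the case the note above calls non-compliant, and the server configuration (or the migration to CNR) should be corrected before DMIC is enabled on that interface.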
Cable modems are assumed to be DOCSIS-compliant. If a cable modem is not fully DOCSIS-compliant, it could trigger a CMTS Message
Integrity Check (MIC) failure during registration in rare circumstances. Under normal operations, however, it can be assumed
that cable modems that fail the CMTS MIC check from the Dynamic Shared Secret feature are either not DOCSIS-compliant, or
they might have been hacked by the end user to circumvent DOCSIS security features.
Some of the cable modems with the following OUIs have been identified as having problems with the Dynamic Shared Secret feature,
depending on the hardware and software revisions:
00.01.03
00.E0.6F
00.02.B2
These particular cable modems can remain stuck in the init(o) MAC state and cannot come online until the Dynamic Shared Secret
feature is disabled. If this problem occurs, Cisco recommends upgrading the cable modem’s software to a fully compliant software
revision.
Alternatively, these cable modems may be excluded from the dynamic secret function using the following command in global configuration mode:
cable dynamic-secret exclude
Excluding cable modems means that if a violator chooses to modify their cable modem to use one of the excluded OUIs, then the system is no longer protected. Refer to the .
Tip
To help providers to identify non-DOCSIS-compliant modems in their network, the Dynamic Shared Secret feature supports a "mark-only" option. When operating in the mark-only mode, cable modems might be able to successfully obtain higher classes of service than are provisioned, but these cable modems will be marked as miscreant in the show cable modem displays (with !online, for example). Such cable modems also display with the show cable modem rogue command.
Service providers may decide whether those cable modems must be upgraded to DOCSIS-compliant software, or whether the end users have hacked the cable modems for a theft-of-service attack.
The following example illustrates output from a Cisco CMTS that is configured with the cable dynamic-secret mark command with miscreant cable modems installed. These cable modems may briefly show up as "reject(m)" for up to three registration cycles before achieving the !online status.
Cable modems can become stuck in the TFTP transfer state (this is indicated as init(o) by the show cable modem command) in the following situations:
The Dynamic Shared Secret feature is enabled on the cable interface, using the cable dynamic-secret command. This applies if the cable modem is a miscreant cable modem, or if the cable modem is a DOCSIS 1.0 cable modem running early DOCSIS 1.0 firmware that has not yet been updated. It also applies if the TFTP server is unable to provide the cable modem's TFTP configuration file to the Cisco CMTS. This is the case, for example, when using BACC and not configuring the system to permit a TFTP request from a non-matching source IP address. The debug cable dynamic-secret command also shows this failure.
A large number of cable modems are registering at the same time. Some or all of those cable modems could also be downloading the DOCSIS configuration file using multiple TFTP transfers that use multiple TFTP ports on the Cisco CMTS router, and the TFTP server is unable to keep up with the rate of TFTP requests generated by the system. Some TFTP servers may limit the number of concurrent TFTP get requests initiated by the same source IP address per unit time, or may simply be unable to handle the rate of new modem registrations before cable dynamic-secret is configured. The debug cable dynamic-secret command shows failure to receive some files in this situation.
This situation of stuck cable modems can result in the TFTP server running out of available ports, resulting in the cable modems failing the TFTP download stage. To prevent this situation from happening, temporarily disable the Dynamic Shared Secret feature on the cable interface or reduce the size of the DOCSIS configuration file.
Information About Dynamic Shared Secret
The DOCSIS specifications require that cable modems download, from an
authorized TFTP server, a DOCSIS configuration file that specifies the quality
of service (QoS) and other parameters for the network session. Theft-of-service
attempts frequently attempt to intercept, modify, or substitute the authorized
DOCSIS configuration file, or to download the file from a local TFTP server.
To prevent theft-of-service attempts, the DOCSIS specification allows
service providers to use a shared secret password to calculate the CMTS Message
Integrity Check (MIC) field that is attached to all DOCSIS configuration files.
The CMTS MIC is an MD5 digest that is calculated over the DOCSIS
Type/Length/Value (TLV) fields that are specified in the configuration file,
and if a shared secret is being used, it is used in the MD5 calculation as
well.
The cable modem must include its calculation of the CMTS MIC in its
registration request, along with the contents of the DOCSIS configuration file.
If a user modifies any of the fields in the DOCSIS configuration file, or uses
a different shared secret value, the CMTS cannot verify the CMTS MIC when the
cable modem registers. The CMTS does not allow the cable modem to register, and
marks it as being in the “reject(m)” state to indicate a CMTS MIC failure.
Users, however, have used various techniques to circumvent these
security checks, so that they can obtain configuration files that provide
premium services, and then to use those files to provide themselves with higher
classes of services. Service providers have responded by changing the shared
secret, implementing DOCSIS time stamps, and using modem-specific configuration
files, but this has meant creating DOCSIS configuration files for every cable
modem on the network. Plus, these responses would have to be repeated whenever
a shared secret has been discovered.
The Dynamic Shared Secret feature prevents these types of attacks by
implementing a dynamically generated shared secret that is unique for each
cable modem on the network. In addition, the dynamic shared secrets are valid
only for the current session and cannot be reused, which removes the threat of
“replay attacks,” as well as the reuse of modified and substituted DOCSIS
configuration files.
Modes of Operation
The Dynamic Shared Secret feature can operate in three different modes, depending on what action should be taken for cable modems that fail the CMTS MIC verification check:
Marking Mode—When using the mark option, the CMTS allows cable modems to come online even if they fail the CMTS MIC validity check. However, the CMTS also prints a warning message on the console and marks the cable modem in the show cable modem command with an exclamation point (!), so that this situation can be investigated.
Locking Mode—When the lock option is used, the CMTS assigns a restrictive QoS configuration to CMs that fail the MIC validity check twice in a row. You can specify a particular QoS profile to be used for locked cable modems, or the CMTS defaults to a special QoS profile that limits the downstream and upstream service flows to a maximum rate of 10 kbps.
If a customer resets their CM, the CM will reregister but still uses the restricted QoS profile. A locked CM continues with the restricted QoS profile until it goes offline and remains offline for at least 24 hours, at which point it is allowed to reregister with a valid DOCSIS configuration file. A system operator can manually clear the lock on a CM by using the clear cable modem lock command.
This option frustrates users who are repeatedly registering with the CMTS in an attempt to guess the shared secret, or to determine the details of the Dynamic Shared Secret security system.
Reject Mode—In the reject mode, the CMTS refuses to allow CMs to come online if they fail the CMTS MIC validity check. These cable modems are identified in the show cable modem displays with a MAC state of "reject(m)" (bad MIC value). After a short timeout period, the CM attempts to reregister with the CMTS. The CM must register with a valid DOCSIS configuration file before being allowed to come online. When it does come online, the CMTS also prints a warning message on the console and marks the cable modem in the show cable modem command with an exclamation point (!), so that this situation can be investigated.
Note
To account for possible network problems, such as loss of packets and congestion, the Cisco CMTS will allow a cable modem
to attempt to register twice before marking it as having failed the Dynamic Shared Secret authentication checks.
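As an added example (not part of the original document), the following Python class models the three responses described above so that the expected show cable modem state can be worked out for a sequence of registrations. It applies the two-attempt allowance from the note, the lock-mode behaviour (the restricted profile survives a modem reset and is released only after 24 hours offline or a manual clear), and the reject(m) and !online states. The state names come from the document; the profile label default-10kbps, the "provisioned" placeholder and the method names are assumptions made for the example, and the MAC addresses used are constructed.

```python
from datetime import datetime, timedelta

ALLOWED_ATTEMPTS = 2                     # from the note: two failed registrations are tolerated
LOCK_OFFLINE_PERIOD = timedelta(hours=24)
DEFAULT_LOCK_QOS = "default-10kbps"      # assumed label for the CMTS's built-in restrictive profile


class DmicPolicy:
    """Per-modem state for one cable interface configured with mark, lock or reject."""

    def __init__(self, mode, lock_qos=None):
        if mode not in ("mark", "lock", "reject"):
            raise ValueError(mode)
        self.mode = mode
        self.lock_qos = DEFAULT_LOCK_QOS if lock_qos is None else lock_qos
        self.failures = {}      # mac -> consecutive CMTS MIC failures
        self.locked = {}        # mac -> time it last went offline (None while online)

    def registration(self, mac, mic_ok, now):
        """Return (MAC state, QoS profile) the CMTS would show after this attempt."""
        offline_since = self.locked.get(mac)
        if offline_since is not None and now - offline_since >= LOCK_OFFLINE_PERIOD:
            self.clear_lock(mac)                       # 24 h offline: the lock expires
        if mac in self.locked:
            self.locked[mac] = None                    # a reset/reregistration keeps the lock
            return ("online", self.lock_qos)
        if mic_ok:
            self.failures.pop(mac, None)
            return ("online", "provisioned")
        count = self.failures[mac] = self.failures.get(mac, 0) + 1
        if count < ALLOWED_ATTEMPTS:
            return ("reject(m)", None)                 # retried after a short timeout
        if self.mode == "mark":
            return ("!online", "provisioned")          # online, flagged for investigation
        if self.mode == "lock":
            self.locked[mac] = None
            return ("online", self.lock_qos)
        return ("reject(m)", None)                     # reject mode: never comes online

    def went_offline(self, mac, now):
        if mac in self.locked:
            self.locked[mac] = now                     # starts the 24 h clock

    def clear_lock(self, mac):
        """Counterpart of the clear cable modem lock command."""
        self.locked.pop(mac, None)
        self.failures.pop(mac, None)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0)
    policy = DmicPolicy("lock", lock_qos=90)
    for ok in (False, False, True):
        print(policy.registration("0011.2233.4455", ok, t0))   # reject(m), then locked on profile 90
```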
Operation of the Dynamic Shared Secret
The Dynamic Shared Secret feature automatically creates a unique DOCSIS shared secret on a per-modem basis, creating a one-time use DOCSIS configuration file that is valid only for the current session. This ensures that a DOCSIS configuration file that has been downloaded for one cable modem can never be used by any other modem, nor can the same modem reuse this configuration file at a later time.
This patent pending feature is designed to guarantee that all registered modems are using only the QoS parameters that have been specified by the DOCSIS provisioning system for that particular modem at the time of its registration.
When a DOCSIS-compliant cable modem registers with the CMTS, it sends a DHCP request, and the DHCP server sends a DHCP response that contains the name of the DOCSIS configuration file that the cable modem should download from the specified TFTP server. The cable modem downloads the DOCSIS configuration file and uses its parameters to register with the CMTS.
When the Dynamic Shared Secret feature is enabled, the CMTS performs the following when it receives the DHCP messages:
The CMTS creates a dynamically generated shared secret.
In the default configuration, the CMTS takes the name of the DOCSIS configuration file and generates a new, randomized filename. This randomized filename changes every time the cable modem registers, which prevents the caching of DOCSIS configuration files by cable modems that are only semi-compliant with the DOCSIS specifications. You can disable this randomization of the filename by using the nocrypt option with the cable dynamic-secret command.
The CMTS changes the IP address of the TFTP server that the cable modem should use to the IP address of the CMTS. This informs the cable modem that it should download its configuration file from the CMTS.
The CMTS downloads the original DOCSIS configuration file from the originally specified TFTP server so that it can modify the file to use the newly generated dynamic secret.
When the cable modem downloads the DOCSIS configuration file, it receives the modified file from the CMTS. Because this file uses the one-time-use dynamically generated shared secret, the CMTS can verify that the cable modem is using this configuration file when it attempts to register with the CMTS.
Note
The Dynamic Shared Secret feature does not support, and is incompatible with, the use of the original shared secret or secondary shared secrets that are configured using the cable shared-secondary-secret and cable shared-secret commands.
Tip
Although a user could attempt to circumvent these checks by downloading a DOCSIS configuration file from a local TFTP server, the cable modem would still fail the CMTS MIC verification, because such a file does not carry a MIC computed with the dynamic shared secret that the CMTS generated for the current session.
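The following Python model is an added example written for the Information and Operation sections above; it is not Cisco code and does not reproduce the Cisco CMTS implementation. It models the exchange end to end: the provisioning server publishes a configuration file signed with its static shared secret, the CMTS rewrites the DHCP offer (fresh per-session secret, randomised filename, itself as the TFTP server), re-signs the fetched file with the session secret, and verifies the CMTS MIC once at registration before discarding the secret. The MIC is modelled as HMAC-MD5 keyed with the shared secret over the TLV bytes; the real DOCSIS computation covers a defined set of TLVs in a defined order, which is omitted here, and the TLV type numbers, secrets, filenames and MAC address are constructed for the example. The scenario function exercises the compliant path plus the three failure cases the text describes: a replayed file, a tampered file, and a file taken from a local TFTP server that was signed with the static secret.

```python
import hashlib
import hmac
import secrets

TLV_MAX_DOWNSTREAM_RATE = 3   # TLV type numbers are constructed for the example, not DOCSIS's
TLV_CMTS_MIC = 7


def encode_tlvs(tlvs):
    """Serialise (type, value) pairs as one-byte type, one-byte length, value."""
    return b"".join(bytes([t, len(v)]) + v for t, v in tlvs)


def decode_tlvs(blob):
    tlvs, i = [], 0
    while i < len(blob):
        t, n = blob[i], blob[i + 1]
        tlvs.append((t, blob[i + 2:i + 2 + n]))
        i += 2 + n
    return tlvs


def cmts_mic(secret, body_tlvs):
    """Model of the CMTS MIC: HMAC-MD5 keyed with the shared secret over the TLV bytes."""
    return hmac.new(secret, encode_tlvs(body_tlvs), hashlib.md5).digest()


def sign_config(secret, body_tlvs):
    return encode_tlvs(body_tlvs + [(TLV_CMTS_MIC, cmts_mic(secret, body_tlvs))])


def verify_config(secret, config):
    """Recompute the MIC over every TLV except the MIC itself; constant-time compare."""
    tlvs = decode_tlvs(config)
    body = [tlv for tlv in tlvs if tlv[0] != TLV_CMTS_MIC]
    mics = [v for t, v in tlvs if t == TLV_CMTS_MIC]
    return len(mics) == 1 and hmac.compare_digest(mics[0], cmts_mic(secret, body))


class ProvisioningServer:
    """Operator DHCP/TFTP server: one static shared secret, one file per service class."""

    def __init__(self, static_secret, files):
        self.files = {name: sign_config(static_secret, body) for name, body in files.items()}

    def dhcp_offer(self, modem_mac):
        return {"filename": "gold.cm", "tftp_server": "provisioning-server"}

    def tftp_get(self, name):
        return self.files[name]


class Cmts:
    """CMTS with Dynamic Shared Secret enabled in its default (filename-randomising) form."""

    def __init__(self, prov):
        self.prov = prov
        self.sessions = {}  # modem MAC -> (session secret, randomised name, original name)

    def on_dhcp_offer(self, modem_mac, offer):
        session_secret, random_name = secrets.token_bytes(16), secrets.token_hex(8)
        self.sessions[modem_mac] = (session_secret, random_name, offer["filename"])
        return {"filename": random_name, "tftp_server": "cmts"}  # modem now fetches from the CMTS

    def tftp_get(self, modem_mac, name):
        session_secret, expected_name, original_name = self.sessions[modem_mac]
        if name != expected_name:
            raise KeyError("no such file in this modem's session")
        original = decode_tlvs(self.prov.tftp_get(original_name))  # CMTS fetches the real file
        body = [tlv for tlv in original if tlv[0] != TLV_CMTS_MIC]
        return sign_config(session_secret, body)                  # re-signed with the session secret

    def register(self, modem_mac, config):
        session = self.sessions.pop(modem_mac, None)  # the session secret is single-use
        return session is not None and verify_config(session[0], config)


def run_scenarios():
    """Return {scenario: accepted?} for the compliant path and the three failure cases."""
    prov = ProvisioningServer(b"operator-static-secret",
                              {"gold.cm": [(TLV_MAX_DOWNSTREAM_RATE, (10_000_000).to_bytes(4, "big"))]})
    cmts, modem, results = Cmts(prov), "0011.2233.4455", {}   # constructed MAC
    # 1. compliant modem: offer rewritten by the CMTS, file fetched from the CMTS, MIC verifies
    offer = cmts.on_dhcp_offer(modem, prov.dhcp_offer(modem))
    good = cmts.tftp_get(modem, offer["filename"])
    results["compliant"] = cmts.register(modem, good)
    # 2. replay: the same file presented in a later session (new secret, so the MIC is stale)
    cmts.on_dhcp_offer(modem, prov.dhcp_offer(modem))
    results["replayed_file"] = cmts.register(modem, good)
    # 3. tampering: the rate TLV of a freshly issued file is edited without re-signing
    offer = cmts.on_dhcp_offer(modem, prov.dhcp_offer(modem))
    fresh = decode_tlvs(cmts.tftp_get(modem, offer["filename"]))
    tampered = encode_tlvs([(t, (100_000_000).to_bytes(4, "big") if t == TLV_MAX_DOWNSTREAM_RATE else v)
                            for t, v in fresh])
    results["tampered_file"] = cmts.register(modem, tampered)
    # 4. local TFTP server: the original file, signed with the static secret, bypassing the CMTS
    cmts.on_dhcp_offer(modem, prov.dhcp_offer(modem))
    results["static_secret_file"] = cmts.register(modem, prov.tftp_get("gold.cm"))
    # 5. the compliant path still works afterwards
    offer = cmts.on_dhcp_offer(modem, prov.dhcp_offer(modem))
    results["compliant_again"] = cmts.register(modem, cmts.tftp_get(modem, offer["filename"]))
    return results
```

The property the model makes visible is that the static secret never reaches the verification step: register only knows the session secret it generated, so a file signed with a leaked static secret, a file from an earlier session, or an edited file all fail for the same reason, and nothing about the provisioning server or its configuration files had to change.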
Interaction with Different Commands
The Dynamic Shared Secret feature works together with a number of other commands to ensure network security and integrity:
cable shared-secret—The DOCSIS specification allows service providers to use a shared secret to ensure that cable modems are using only authorized DOCSIS configuration files. The Dynamic Shared Secret feature is incompatible with cable shared-secret. Do not configure the cable shared-secret command when using the Dynamic Shared Secret feature.
cable shared-secondary-secret—The Dynamic Shared Secret feature is incompatible with cable shared-secondary-secret. Do not configure the cable shared-secondary-secret command when using the Dynamic Shared Secret feature.
Performance Information
The Dynamic Shared Secret feature does not add any additional steps to the cable modem registration process, nor does it add
any additional requirements to the current provisioning systems. This feature can have either a small negative or a small
positive effect on the performance of the network provisioning system, depending on the following factors:
The provisioning system (DHCP and TFTP servers) being used
The number of cable modems that are coming online
The vendor and software versions of the cable modems
The number and size of the DOCSIS configuration files
Large-scale testing has shown that the Dynamic Shared Secret feature can affect the time it takes for cable modems to come
online from 5% slower to 10% faster. The most significant factor in the performance of the provisioning process is the provisioning
system itself. For this reason, Cisco recommends using Cisco Network Registrar (CNR) Release 3.5 or greater, which can provide
significant performance improvements over generic DHCP and TFTP servers.
The second-most important factor in the performance of cable modem provisioning is the number and size of the DOCSIS configuration
files. The size of the configuration file determines how long it takes to transmit the file to the cable modem, while the
number of configuration files can impact how efficiently the system keeps the files in its internal cache, allowing it to
reuse identical configuration files for multiple modems.
SNMP Support
Cisco IOS-XE 3.15.0S and later releases add the following SNMP support for the Dynamic Shared Secret feature:
Adds the following MIB objects to the CISCO-DOCS-EXT-MIB:
cdxCmtsCmDMICMode—Sets and shows the configuration of the Dynamic Shared Secret feature for a specific cable modem (not configured, mark, lock, or reject).
cdxCmtsCmDMICLockQoS—Specifies the restrictive QoS profile assigned to a cable modem that has failed the Dynamic Shared Secret security checks, when the interface has been configured for lock mode.
cdxCmtsCmStatusDMICTable—Lists all cable modems that have failed the Dynamic Shared Secret security checks.
An SNMP trap (cdxCmtsCmDMICLockNotification) can be sent when a cable modem is locked for failing the Dynamic Shared Secret security checks. The trap can be enabled using the snmp-server enable traps cable dmic-lock command.
Note
The DMIC lock mode is disabled during a switchover event in HCCP N+1 Redundancy.
System Error Messages
The following system error messages provide information about cable modems that have failed the CMTS Message Integrity Check (MIC) when the Dynamic Shared Secret feature is enabled.
Message
%CBR-4-CMLOCKED
The cable modem's DOCSIS configuration file did not contain a Message Integrity Check (MIC) value that corresponds with the proper Dynamic Shared Secret that was used to encode it. The CMTS has, therefore, assigned a restrictive quality of service (QoS) configuration to this cable modem to limit its access to the network. The CMTS has also locked the cable modem so that it will remain locked in the restricted QoS configuration until it goes offline for at least 24 hours, at which point it is permitted to reregister and obtain normal service (assuming it is DOCSIS-compliant and using a valid DOCSIS configuration file).
This error message appears when the cable dynamic-secret lock command has been applied to a cable interface to enable the Dynamic Shared Secret feature for the DOCSIS configuration files on that cable interface. The cable modem has been allowed to register and come online, but with a QoS configuration that is limited to a maximum rate of 10 kbps for both the upstream and downstream flows. Check to ensure that this cable modem is not running old software that caches the previously used configuration file. Also check for a possible theft-of-service attempt by a user attempting to download a modified DOCSIS configuration file from a local TFTP server. The CM cannot reregister with a different QoS profile until it has been offline for 24 hours without attempting to register, or until you have manually cleared the lock using the clear cable modem lock command.
Message
%CBR-4-CMMARKED
The cable modem's DOCSIS configuration file did not contain a Message Integrity Check (MIC) value that corresponds with the proper dynamic shared secret that was used to encode it. The CMTS has allowed this modem to register and come online, but has marked it in the show cable modem displays with an exclamation point (!) so that the situation can be investigated.
This error message appears when the cable dynamic-secret mark command has been applied to a cable interface to enable the Dynamic Shared Secret feature for the DOCSIS configuration files on that cable interface. Check to ensure that this cable modem is not running old software that caches the previously used configuration file. Also check for a possible theft-of-service attempt by a user attempting to download a modified DOCSIS configuration file from a local TFTP server.
Message
%CBR-4-NOCFGFILE
The CMTS could not obtain the DOCSIS configuration file for this cable modem from the TFTP server. This message occurs when the Dynamic Shared Secret feature is enabled on the cable interface with the cable dynamic-secret command.
Verify that the CMTS has network connectivity with the TFTP server, and that the specified DOCSIS configuration file is available on the TFTP server. Check that the DHCP server is correctly configured to send the proper configuration filename in its DHCP response to the cable modem. Also verify that the DOCSIS configuration file is correctly formatted.
This problem could also occur if the TFTP server is offline or is overloaded to the point where it cannot respond promptly to new requests. It might also be seen if the interface between the CMTS and TFTP server is not correctly configured and flaps excessively.
Note
This error
indicates a problem with the provisioning system outside of the Cisco CMTS.
Disabling the Dynamic Shared Secret feature does not clear the fault, nor does
it allow cable modems to come online. You must first correct the problem with
the provisioning system.
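The following Python script is an added example for triaging these messages from a syslog feed; it is not part of the Cisco documentation. The mnemonics %CBR-4-CMLOCKED, %CBR-4-CMMARKED and %CBR-4-NOCFGFILE are the ones listed above; the message text after each mnemonic, the timestamps, the MAC addresses and the TFTP server address in the sample lines are constructed for the example and do not reproduce the router's actual output. Following the note above, NOCFGFILE events are classified as a provisioning-system fault rather than a modem problem, and a burst of them raises a separate alarm so that nobody disables the feature expecting it to clear.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines: only the mnemonics are taken from the document; the rest is invented.
SAMPLE_LOG = """\
Mar  3 10:01:12.001: %CBR-4-CMMARKED: Cable modem 0011.2233.4455 on Cable3/0/0 failed dynamic shared-secret check, marked
Mar  3 10:01:40.118: %CBR-4-CMLOCKED: Cable modem 00aa.bbcc.ddee on Cable3/0/0 failed dynamic shared-secret check, locked
Mar  3 10:02:05.300: %CBR-4-NOCFGFILE: Cannot read DOCSIS config file gold.cm for modem 0022.3344.5566 from 10.0.0.5
Mar  3 10:02:05.410: %CBR-4-NOCFGFILE: Cannot read DOCSIS config file gold.cm for modem 0033.4455.6677 from 10.0.0.5
Mar  3 10:02:05.520: %CBR-4-NOCFGFILE: Cannot read DOCSIS config file silver.cm for modem 0044.5566.7788 from 10.0.0.5
Mar  3 10:03:00.000: %CBR-4-CMMARKED: Cable modem 0011.2233.4455 on Cable3/0/0 failed dynamic shared-secret check, marked
Mar  3 10:03:30.000: %LINK-3-UPDOWN: Interface Cable3/0/0, changed state to up
"""

LINE_RE = re.compile(r"%CBR-4-(?P<mnemonic>CMLOCKED|CMMARKED|NOCFGFILE):(?P<text>.*)")
MAC_RE = re.compile(r"\b[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\b")   # Cisco dotted MAC

# Per the document: CMLOCKED/CMMARKED point at the modem (stale cached file or a tampered
# file); NOCFGFILE is a provisioning-system fault that disabling the feature does not clear.
CATEGORY = {"CMLOCKED": "suspect_modem", "CMMARKED": "suspect_modem",
            "NOCFGFILE": "provisioning_fault"}


def parse_dmic_events(log_text):
    """Extract the DMIC-related messages; other syslog lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mac = MAC_RE.search(m.group("text"))
        events.append({
            "mnemonic": m.group("mnemonic"),
            "category": CATEGORY[m.group("mnemonic")],
            "mac": mac.group(0).lower() if mac else None,
        })
    return events


def triage(events, nocfgfile_burst=3):
    """Summarise events: per-modem suspicion counts and a provisioning alarm on a NOCFGFILE burst."""
    by_category = Counter(e["category"] for e in events)
    suspect = defaultdict(Counter)
    for e in events:
        if e["category"] == "suspect_modem":
            suspect[e["mac"]][e["mnemonic"]] += 1
    return {
        "counts": dict(by_category),
        "suspect_modems": {mac: dict(c) for mac, c in suspect.items()},
        # many modems failing to get their file at once is the TFTP/DHCP side, not theft of service
        "provisioning_alarm": by_category["provisioning_fault"] >= nocfgfile_burst,
    }


if __name__ == "__main__":
    summary = triage(parse_dmic_events(SAMPLE_LOG))
    print(summary["counts"])
    for mac, hits in summary["suspect_modems"].items():
        print(f"check modem {mac}: {hits}")   # candidates for show cable modem rogue / firmware check
    if summary["provisioning_alarm"]:
        print("NOCFGFILE burst: verify TFTP reachability and DHCP filename before touching DMIC")
```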
Benefits
The Dynamic Shared Secret feature provides the following benefits to cable service providers and their partners and customers:
Improves Network Security
Service providers
do not need to worry about users discovering the shared secret value and using
it to modify DOCSIS configuration files to give themselves higher levels of
service. Even if a user were to discover the value of a dynamically generated
shared secret, the user would not be able to use that shared secret again to
register.
The generic TFTP
server performance and error handling on the Cisco CMTS routers has been
greatly improved to support the high performance that is required for rapidly
provisioning cable modems.
Flexibility in Dealing with Possible Theft-of-Service Attempts
Service providers
have the option of deciding what response to take when a DOCSIS configuration
file fails its CMTS MIC check: mark that cable modem and allow the user online,
reject the registration request and refuse to allow the user to come online
until a valid DOCSIS configuration file is used, or lock the cable modem in a
restricted QoS configuration until the modem remains offline for 24 hours.
Locking malicious modems is the most effective deterrent against hackers,
because it provides the maximum penalty and minimum reward for any user
attempting a theft-of-service attack.
No Changes to Provisioning System Are Needed
Service providers
can use the Dynamic Shared Secret feature without changing their provisioning
or authentication systems. Existing DOCSIS configuration files can be used
unchanged, and you do not need to change any existing shared secrets.
Tip
If not already
done, the service provider could also install access controls that allow only
the CMTS routers to download DOCSIS configuration files from the TFTP servers.
No Changes to Cable Modems Are Needed
The Dynamic Shared Secret feature
does not require any end-user changes or any changes to the cable modem
configuration. This feature supports any DOCSIS compliant cable modem.
Note
The Dynamic
Shared Secret feature does not affect cable modems that are already online and
provisioned. Cable modems that are already online when the feature is enabled
or disabled remain online.
Simplifies Network Management
Service providers
do not have to continually update the shared secrets on a cable interface
whenever the files providing premium services become widely available. Instead,
providers can use the same shared secret on a cable interface for significant
periods of time, trusting in the Dynamic Shared Secret feature to provide
unique, single-use shared secrets for each cable modem.
In addition,
service providers do not have to manage unique DOCSIS configuration files for
each cable modem. The same configuration file can be used for all users in the
same service class, without affecting network security.
Related Features
The following
features can be used with the Dynamic Shared Secret feature to enhance the
overall security of the cable network.
Baseline Privacy Interface
Plus (BPI+) Authorization and Encryption—Provides a secure link between the
cable modem and CMTS, preventing users from intercepting or modifying packets
that are transmitted over the cable interface. BPI+ also provides for secure
authorization of cable modems, using X.509 digital certificates, as well as a
secure software download capability that ensures that software upgrades are not
spoofed, intercepted, or altered.
How to Configure the Dynamic Shared Secret Feature
The following sections describe how to enable and configure the Dynamic
Shared Secret feature, to disable the feature, to manually clear a lock on a
cable modem, or dynamically upgrade firmware on the cable modems.
Note
All procedures begin and end at the privileged EXEC prompt
(“Router#”).
Enabling and Configuring the Dynamic Shared Secret Feature
This section describes how to enable and configure the Dynamic Shared Secret feature on a cable interface.
Procedure
Step 1
configure terminal
Example:
Router# configure terminal
Example:
Router(config)#
Enters global configuration mode.
Step 2
cable qos permission create
Example:
Router(config)# cable qos permission create
Example:
Router(config)#
(Optional) If you are using the lock option in Step 6, and if you are not specifying a specific QoS profile to be used, you must allow cable modems to create
their own QoS profiles.
Step 3
cable qos permission update
Example:
Router(config)# cable qos permission update
Example:
Router(config)#
(Optional) If you are using the lock option in Step 6, and if you are not specifying a specific QoS profile to be used, you must allow cable modems to update their own QoS profiles.
Step 4
snmp-server enable traps cable dmic-lock
Example:
Router(config)# snmp-server enable traps cable dmic-lock
Example:
Router(config)#
(Optional) Enables the sending of SNMP traps when a cable modem fails a dynamic shared-secret security check.
Step 5
interface cable interface
Example:
Router(config)# interface cable 3/0
Example:
Router(config-if)#
Enters interface configuration mode for the specified cable interface.
Step 6
cable dynamic-secret {lock [lock-qos] | mark | reject} [nocrypt]
Example:
Router(config-if)# cable dynamic-secret lock
Example:
Router(config-if)# cable dynamic-secret lock 90
Example:
Router(config-if)# cable dynamic-secret mark
Example:
Router(config-if)# cable dynamic-secret reject
Example:
Router(config-if)#
Enables the Dynamic Shared Secret feature on the cable interface and configures it for the appropriate option:
nocrypt—(Optional) The Cisco CMTS does not
encrypt the filenames of DOCSIS configuration files, but sends the
files to CMs using their original names.
lock—Cable modems that fail the MIC
verification are allowed online with a restrictive QoS profile. The
cable modems must remain offline for 24 hours to be able to
reregister with a different QoS profile.
lock-qos—(Optional) Specifies the QoS profile that should be
assigned to locked cable modems. The valid range is 1 to 256, and
the profile must have already been created. If not specified, locked
cable modems are assigned a QoS profile that limits service flows to
10 kbps (requires Step 2 and Step 3).
mark—Cable modems that fail the MIC
verification are allowed online but are marked in the
show cable modem displays so that the situation can be
investigated.
reject—Cable modems that fail the MIC
verification are not allowed to register.
Note
Repeat Step 5 and Step 6 for each cable interface to be configured.
Step 7
end
Example:
Router(config-if)# end
Example:
Router#
Exits interface configuration mode and returns to privileged EXEC mode.
Note
If you have enabled the optional Dynamic Message Integrity Check (DMIC), you may need to specify the source address or VRF for the
cable modem configuration file that is downloaded from CNR to the cBR8. You can do this by using the following command:
The dmic-src configuration applies to bundle and sub-bundle interfaces. The vrf keyword is optional.
What to do next
Note
If you
configure the Dynamic Shared Secret feature on any interface in a cable
interface bundle, you should configure it on all interfaces in that same
bundle.
Disabling the Dynamic Shared Secret on a Cable Interface
This section
describes how to disable the Dynamic Shared Secret feature on a cable
interface. The cable modem continues to be validated against any shared secret
or secondary shared secrets that have been defined on the cable interface.
Procedure
Step 1
configure terminal
Example:
Router# configure terminal
Example:
Router(config)#
Enters global configuration mode.
Step 2
interface cable interface
Example:
Router(config)# interface cable 3/0
Example:
Router(config-if)#
Enters interface configuration mode for the specified cable interface.
Step 3
no cable dynamic-secret
Example:
Router(config-if)# no cable dynamic-secret
Example:
Router(config-if)#
Disables the Dynamic Shared Secret feature on the cable interface.
Note
Repeat Step 2 and Step 3 for each cable interface to be configured.
Step 4
end
Example:
Router(config-if)# end
Example:
Router#
Exits interface configuration mode and returns to privileged EXEC mode.
Excluding Cable Modems from the Dynamic Shared Secret Feature
This section
describes how to exclude one or more cable modems from being processed by the
Dynamic Shared Secret feature. The cable modem continues to be validated
against any shared secret or secondary shared secrets that have been defined on
the cable interface.
Excludes one or more cable modems from being processed by the Dynamic Shared Secret security checks, on the basis of their
MAC addresses or OUI values:
modem mac-address—Specifies the hardware (MAC) address of one specific and individual cable modem to be excluded from the Dynamic Shared Secret
feature. (You cannot specify a multicast MAC address.)
oui oui-id—Specifies the organizationally unique identifier (OUI) of a vendor, so that a group of cable modems from this vendor are excluded
from the Dynamic Shared Secret feature. The OUI should be specified as three hexadecimal bytes separated by either periods
or colons.
Note
Repeat this command for each cable modem MAC address or OUI vendor to be excluded.
Step 3
exit
Example:
Router(config)# exit
Exits the interface configuration mode and returns to privileged EXEC mode.
Clearing the Lock on One or More Cable Modems
This section describes how to manually clear the lock on one or more
cable modems. This forces the cable modems to reinitialize, and the cable
modems must reregister with a valid DOCSIS configuration file before being
allowed online. If you do not manually clear the lock (using the
clear cable modem lock command), the cable modem is locked in its
current restricted QoS profile and cannot reregister with a different profile
until it has been offline for at least 24 hours.
Clears the lock for the cable modems, which can be identified as
follows:
mac-addr—Specifies the MAC address for one particular
cable modem to be cleared.
ip-addr—Specifies the IP address for one particular cable
modem to be cleared.
all—Clears the locks on all locked
cable modems.
oui string—Clears the locks on all cable modems with a vendor
ID that matches the specified Organizational Unique Identifier (OUI) string.
reject—Clears the locks on all cable
modems that are currently in the reject state (which would occur if a locked
cable modem went offline and attempted to reregister before 24 hours had
elapsed).
What to do next
Tip
A cable modem can also be unlocked by manually deleting the cable
modem from all CMTS internal databases, using the
clear cable modem delete command.
Upgrading Firmware on the Cable Modems
This section describes how to upgrade firmware on cable modems by
dynamically inserting the correct TLV values in the DOCSIS configuration file
that is downloaded by the cable modem. The DOCSIS configuration file contains
the following TLV values:
Software Upgrade Filename (TLV 9)—Specifies the filename of the firmware.
Upgrade IPv4 TFTP Server (TLV 21)—Specifies the IPv4 address of the
TFTP server from which the modem downloads the DOCSIS configuration file.
Upgrade IPv6 TFTP Server (TLV 58)—Specifies the IPv6 address of the
TFTP server from which the modem downloads the DOCSIS configuration file.
Note
The TFTP server addresses are inserted only when the software
upgrade filename (TLV9) is specified and when the TFTP server address
(TLV21/TLV58) is either not specified or set to 0.
The command to enable or disable the Dynamic Shared Secret feature
is available at the MAC domain level. However, the command to upgrade the
firmware on cable modems is available at the global level.
Dynamically inserts the specific IPv4 or IPv6 TLV values in the
DOCSIS configuration file to complete firmware upgrade on cable modems.
Step 3
end
Example:
Router(config)# end
Example:
Router#
Exits the configuration mode and returns to the privileged EXEC mode.
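The insertion rule above (TLV 9 present, TLV 21/58 absent or zero) as an added example that is not Cisco's code; the filename, server addresses and sample file are constructed:

```python
# Added example, not Cisco's code: models the TLV 9/21/58 insertion rule for
# a DOCSIS configuration file. Filename and server addresses are constructed.
import ipaddress

TLV_SW_UPGRADE_FILENAME = 9    # Software Upgrade Filename
TLV_UPGRADE_IPV4_TFTP = 21     # Upgrade IPv4 TFTP Server
TLV_UPGRADE_IPV6_TFTP = 58     # Upgrade IPv6 TFTP Server
TLV_END = 0xFF                 # end-of-data marker


def parse_tlvs(data):
    """Decode flat type/length/value triples (one-byte type and length)."""
    tlvs, i = [], 0
    while i < len(data):
        t = data[i]
        if t == TLV_END:
            break
        if t == 0:                 # pad byte, carries no length field
            i += 1
            continue
        length = data[i + 1]
        tlvs.append((t, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return tlvs


def encode_tlvs(tlvs):
    """Encode (type, value) pairs and terminate with the end-of-data marker."""
    return b"".join(bytes([t, len(v)]) + v for t, v in tlvs) + bytes([TLV_END])


def insert_upgrade_servers(tlvs, ipv4_server, ipv6_server):
    """Return (new_tlvs, inserted_types).

    A server address TLV is added or replaced only when TLV 9 is present
    and that TLV (21 or 58) is absent or set to all zeros; a provisioned
    non-zero server address is left untouched.
    """
    present = {t: v for t, v in tlvs}
    if TLV_SW_UPGRADE_FILENAME not in present:
        return list(tlvs), []
    wanted = {
        TLV_UPGRADE_IPV4_TFTP: ipaddress.IPv4Address(ipv4_server).packed,
        TLV_UPGRADE_IPV6_TFTP: ipaddress.IPv6Address(ipv6_server).packed,
    }
    inserted = [t for t in wanted if t not in present or not any(present[t])]
    out = [(t, v) for t, v in tlvs if t not in inserted]
    out.extend((t, wanted[t]) for t in inserted)
    return out, inserted


# Constructed sample file: TLV 21 is 0.0.0.0 (CMTS fills it in), TLV 58 is
# provisioned and must be kept.
SAMPLE_FILE = encode_tlvs([
    (3, b"\x01"),                                   # Network Access Control
    (TLV_SW_UPGRADE_FILENAME, b"cm_fw_v2.bin"),
    (TLV_UPGRADE_IPV4_TFTP, bytes(4)),
    (TLV_UPGRADE_IPV6_TFTP, ipaddress.IPv6Address("2001:db8::55").packed),
])

if __name__ == "__main__":
    new, ins = insert_upgrade_servers(parse_tlvs(SAMPLE_FILE), "192.0.2.10", "2001:db8::10")
    print(ins, new)
```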
What to do next
Note
If you configure the Dynamic Shared Secret feature on an interface
in a cable interface bundle, you should configure it on all the interfaces of
that bundle.
How to Monitor the Dynamic Shared Secret Feature
This section describes the following procedures you can use to monitor
and display information about the Dynamic Shared Secret feature:
Displaying Marked Cable Modems
When you configure a cable interface with the
cable dynamic-secret mark command, cable modems that fail the
dynamically generated CMTS MIC verification are allowed online, but are marked
with an exclamation point (!) in the MAC state column in the
show cable modem display. The exclamation point is also used to identify cable
modems that were initially rejected, using the
cable dynamic-secret reject command, but then reregistered using a
valid DOCSIS configuration file.
The following example shows that four cable modems are marked as having
failed the CMTS MIC verification but have been allowed online:
Router# show cable modems
MAC Address IP Address I/F MAC Prim RxPwr Timing Num BPI
State Sid (db) Offset CPE Enb
0010.9507.01db 144.205.151.130 C5/1/0/U5 online(pt) 1 0.25 938 1 N
0080.37b8.e99b 144.205.151.131 C5/1/0/U5 online 2 -0.25 1268 0 N
0002.fdfa.12ef 144.205.151.232 C6/1/0/U0 online(pt) 13 -0.25 1920 1 N
0002.fdfa.137d 144.205.151.160 C6/1/0/U0 !online 16 -0.50 1920 1 N
0003.e38f.e9ab 144.205.151.237 C6/1/0/U0 !online 3 -0.50 1926 1 N
0003.e3a6.8173 144.205.151.179 C6/1/1/U2 offline 4 0.50 1929 0 N
0003.e3a6.8195 144.205.151.219 C6/1/1/U2 !online(pt) 22 -0.50 1929 1 N
0006.28dc.37fd 144.205.151.244 C6/1/1/U2 online(pt) 61 0.00 1925 2 N
0006.28e9.81c9 144.205.151.138 C6/1/1/U2 online(pt) 2 0.75 1925 1 N
0006.28f9.8bbd 144.205.151.134 C6/1/1/U2 online 25 -0.25 1924 1 N
0006.28f9.9d19 144.205.151.144 C6/1/1/U2 online(pt) 28 0.25 1924 1 N
0010.7bed.9b6d 144.205.151.228 C6/1/1/U2 online(pt) 59 0.25 1554 1 N
0002.fdfa.12db 144.205.151.234 C7/0/0/U0 online 15 -0.75 1914 1 N
0002.fdfa.138d 144.205.151.140 C7/0/0/U5 online 4 0.00 1917 1 N
0003.e38f.e85b 144.205.151.214 C7/0/0/U5 !online 17 0.25 1919 1 N
0003.e38f.f4cb 144.205.151.238 C7/0/0/U5 online(pt) 16 0.00 !2750 1 N
0003.e3a6.7fd9 144.205.151.151 C7/0/0/U5 online 1 0.25 1922 0 N
0020.4005.3f06 144.205.151.145 C7/0/0/U0 online(pt) 2 0.00 1901 1 N
0020.4006.b010 144.205.151.164 C7/0/0/U5 online(pt) 3 0.00 1901 1 N
0050.7302.3d83 144.205.151.240 C7/0/0/U0 online(pt) 18 -0.25 1543 1 N
00b0.6478.ae8d 144.205.151.254 C7/0/0/U5 online(pt) 44 0.25 1920 21 N
00d0.bad3.c0cd 144.205.151.149 C7/0/0/U5 online 19 0.25 1543 1 N
00d0.bad3.c0cf 144.205.151.194 C7/0/0/U0 online 13 0.00 1546 1 N
00d0.bad3.c0d5 144.205.151.133 C7/0/0/U0 online 12 0.50 1546 1 N
Router#
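A parser for the display above that picks out the marked modems, as an added example that is not Cisco's code; the sample rows are copied from the display, and the "!2750" row shows why only the MAC State column counts:

```python
# Added example, not Cisco's code: pulls the modems marked with "!" in the
# MAC State column out of "show cable modem" output. Rows are copied from the
# display above; the "!2750" timing offset is a different marker and is ignored.
import re

SAMPLE_OUTPUT = """\
MAC Address IP Address I/F MAC Prim RxPwr Timing Num BPI
State Sid (db) Offset CPE Enb
0010.9507.01db 144.205.151.130 C5/1/0/U5 online(pt) 1 0.25 938 1 N
0002.fdfa.137d 144.205.151.160 C6/1/0/U0 !online 16 -0.50 1920 1 N
0003.e3a6.8173 144.205.151.179 C6/1/1/U2 offline 4 0.50 1929 0 N
0003.e3a6.8195 144.205.151.219 C6/1/1/U2 !online(pt) 22 -0.50 1929 1 N
0003.e38f.f4cb 144.205.151.238 C7/0/0/U5 online(pt) 16 0.00 !2750 1 N
Router#
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def parse_modem_rows(output):
    """Turn each modem line into a dict; header, blank and prompt lines are skipped."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 9 or not MAC_RE.match(f[0]):
            continue
        state = f[3]
        rows.append({
            "mac": f[0],
            "ip": f[1],
            "interface": f[2],
            "mac_domain": f[2].split("/U")[0],   # C6/1/0/U0 -> C6/1/0
            "state": state.lstrip("!"),
            "marked": state.startswith("!"),     # failed CMTS MIC check
            "sid": f[4],
            "timing_offset": f[6],
        })
    return rows


def marked_modems(output):
    """MAC addresses the CMTS marked for failing the dynamic-secret MIC check."""
    return [r["mac"] for r in parse_modem_rows(output) if r["marked"]]


def marked_by_mac_domain(output):
    """Count marked modems per MAC domain to spot a cluster on one interface."""
    counts = {}
    for r in parse_modem_rows(output):
        if r["marked"]:
            counts[r["mac_domain"]] = counts.get(r["mac_domain"], 0) + 1
    return counts


if __name__ == "__main__":
    print(marked_modems(SAMPLE_OUTPUT))
    print(marked_by_mac_domain(SAMPLE_OUTPUT))
```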
You can also use the
show cable modem rogue command to display only those cable modems
that have been rejected for failing the dynamic shared-secret authentication
checks:
In Cisco IOS XE Everest 16.5.1, the verbose option for the show cable modem command displays the dynamically generated shared secret (a 16-byte hexadecimal value) that was used in the cable modem's
previous registration cycle. The display also shows if the cable modem failed the dynamic shared-secret check or did not download
the DOCSIS configuration file from the TFTP server. If a cable modem is offline, its dynamic secret is shown as all zeros.
The following example shows a typical display for a single cable modem
that failed the dynamic shared-secret check:
Router# show cable modem 00c0.73ee.bbaa verbose
MAC Address : 00c0.73ee.bbaa
IP Address : 3.18.1.6
Prim Sid : 2
QoS Profile Index : 6
Interface : C3/0/U0
Upstream Power : 0.00 dBmV (SNR = 26.92 dBmV)
Downstream Power : 0.00 dBmV (SNR = ----- dBmV)
Timing Offset : 2812
Initial Timing Offset : 2812
Received Power : 0.00
MAC Version : DOC1.0
Provisioned Mode : DOC1.0
Capabilities : {Frag=N, Concat=N, PHS=N, Priv=BPI}
Sid/Said Limit : {Max Us Sids=0, Max Ds Saids=0}
Optional Filtering Support : {802.1P=N, 802.1Q=N}
Transmit Equalizer Support : {Taps/Symbol= 0, Num of Taps= 0}
Number of CPE IPs : 0(Max CPE IPs = 1)
CFG Max-CPE : 1
Flaps : 26(Feb 14 02:35:39)
Errors : 0 CRCs, 0 HCSes
Stn Mtn Failures : 6 aborts, 0 exhausted
Total US Flows : 1(1 active)
Total DS Flows : 1(1 active)
Total US Data : 0 packets, 0 bytes
Total US Throughput : 0 bits/sec, 0 packets/sec
Total DS Data : 0 packets, 0 bytes
Total DS Throughput : 0 bits/sec, 0 packets/sec
Active Classifiers : 0 (Max = NO LIMIT)
Dynamic Secret : A3D1028F36EBD54FDCC2F74719664D3F
Router#
The following example shows a typical display for a single cable
modem that is currently offline (the Dynamic Secret field shows all zeros):
Router# show cable modem 00C0.6914.8601 verbose
MAC Address : 00C0.6914.8601
IP Address : 10.212.192.119
Prim Sid : 6231
QoS Profile Index : 2
Interface : C5/1/0/U3
Upstream Power : 0.00 dBmV (SNR = 30.19 dBmV)
Downstream Power : 0.00 dBmV (SNR = ----- dBmV)
Timing Offset : 1831
Initial Timing Offset : 1831
Received Power : !-2.25
MAC Version : DOC1.0
Provisioned Mode : DOC1.0
Capabilities : {Frag=N, Concat=Y, PHS=N, Priv=BPI}
Sid/Said Limit : {Max Us Sids=0, Max Ds Saids=0}
Optional Filtering Support : {802.1P=N, 802.1Q=N}
Transmit Equalizer Support : {Taps/Symbol= 0, Num of Taps= 0}
Number of CPE IPs : 4(Max CPE IPs = 4)
CFG Max-CPE : 4
Flaps : 20638(Feb 10 16:04:10)
Errors : 0 CRCs, 0 HCSes
Stn Mtn Failures : 108 aborts, 161 exhausted
Total US Flows : 1(1 active)
Total DS Flows : 1(1 active)
Total US Data : 236222 packets, 146630868 bytes
Total US Throughput : 0 bits/sec, 0 packets/sec
Total DS Data : 9 packets, 1114 bytes
Total DS Throughput : 0 bits/sec, 0 packets/sec
Active Classifiers : 0 (Max = NO LIMIT)
Dynamic Secret : 00000000000000000000000000000000
Router#
Note
The Dynamic Secret field shown above is all zeros
(“00000000000000000000000000000000”), which indicates that this cable modem is
offline.
You can also use the following command to display all the dynamically
generated shared secrets that are in use:
Troubleshooting Cable Modems with Dynamic Shared Secret
If a cable modem is being marked as having violated the dynamic shared secret, you can enable the following debugs to get
more information about the sequence of events that is occurring:
debug cable mac-address cm-mac-addr verbose—Enables detailed debugging for the cable modem with the specific MAC address.
debug cable tlv—Displays the contents of Type/Length/Value messages that are sent during the registration process.
debug cable dynamic-secret—Displays debugging messages about dynamic shared secret operation.
debug tftp server events—Displays debugging messages for the major events that occur with the Cisco CMTS router's onboard TFTP server.
debug tftp server packets—Displays a packet dump for the DOCSIS configuration files that the TFTP server downloads to a cable modem.
In addition, examine the messages in the router's log buffer for any helpful information. Use the show logging command to display the contents of the router's logging buffer. You can limit the output to a specific
hour and minute by using the begin output modifier. For example, to display only those messages that were recorded at 12:10, enter the following command:
Router# show logging | begin 12:10
Note
The exact format for the begin output modifier depends on the timestamp you are using for your logging buffer.
Configuration Examples for Dynamic Shared Secret
This section lists a typical configuration for the Dynamic Shared
Secret feature.
Note
These configurations also show a shared secret and secondary secret
being configured on the cable interface. This is optional but highly
recommended, because it adds an additional layer of security during the
registration of cable modems.
Mark Configuration: Example
The following
excerpt from a configuration for the cable interface on a Cisco CMTS router
configures the cable interface so that cable modems that fail the CMTS MIC
check are allowed to come online, but are marked with an exclamation point (!)
in the
show cable modem displays, so that the situation can be
investigated further.
interface cable c5/1/0
cable dynamic-secret mark
...
Lock Configuration: Example
The following excerpt from a configuration for the cable interface on a Cisco CMTS router configures the cable interface
so that cable modems that fail the CMTS MIC check are allowed to come online, but are locked into a restrictive QoS configuration
that limits the upstream and downstream service flows to a maximum rate of 10 kbps. A locked cable modem remains locked into
the restrictive QoS configuration until the modem has remained offline for more than 24 hours, or until you have manually
cleared it using the clear cable modem lock command.
Configuring the cable qos permission create and cable qos permission update commands is optional.
If you use the lock option without specifying a specific QoS profile, you must allow cable modems to create and update QoS profiles, using the
cable qos permission modems command. If you do not do this and continue to use the lock option without specifying a particular QoS profile, locked cable modems are not allowed to register until the lock clears
or expires.
The following example is the same except that it specifies that the locked cable modem should be assigned QoS profile 90.
The cable modem remains locked with this QoS profile until the modem has remained offline for more than 24 hours, or until
you have manually cleared it using the clear cable modem lock command. Because a specific QoS profile is specified, you do not need to use the cable qos permission modems command.
When a locked modem is cleared, it is automatically reset so that it reregisters with the CMTS. It is allowed online with
the requested QoS parameters if it registers with a valid DOCSIS configuration that passes the Dynamic Shared Secret checks.
However, the modem is locked again if it violates the DOCSIS specifications again.
The show cable qos profile command does not show the default QoS profile when DMIC lock is working. The following example shows sample output of the
show cable qos profile command when DMIC lock is working.
Router# show cable qos profile
Load for five secs: 12%/0%; one minute: 11%; five minutes: 11%
Time source is NTP, 10:49:33.828 EDT Mon Jun 5 2023
% Warning: Use "show interface Cable x/y/z qos paramset" since it replaces
"show cable qos profile" for DOCSIS1.1 operation
ID Prio Max Guarantee Max Max TOS TOS Create B IP prec.
upstream upstream downstream tx AND OR by priv rate
bandwidth bandwidth bandwidth burst mask mask enab enab
1 0 0 0 0 0 0xFF 0x0 cmts(r) no no
2 0 64000 0 1000000 0 0xFF 0x0 cmts(r) no no
3 7 31200 31200 0 0 0xFF 0x0 cmts yes no
4 7 87200 87200 0 0 0xFF 0x0 cmts yes no
Reject Configuration: Example
The following
excerpt from a configuration for the cable interface on a Cisco CMTS configures
the cable interface so that cable modems that fail the CMTS MIC check are
rejected and not allowed to register. The cable modem must reregister using a
DOCSIS configuration file with a CMTS MIC that matches one of the shared secret
or secondary secret values. When it does come online, the CMTS also prints a
warning message on the console and marks the cable modem in the
show cable modem command with an exclamation point (!), so
that this situation can be investigated.
The following
excerpt from a configuration for the cable interface on a Cisco uBR7100 series
router disables the Dynamic Shared Secret feature. In this configuration, the
CMTS uses the shared secret and secondary shared secret values unchanged when
verifying the CMTS MIC value for each DOCSIS configuration file.
interface cable c1/0
no cable dynamic-secret
...
Additional References
For additional information related to Dynamic Shared Secret, refer to
the following references:
No new or modified MIB objects are supported by the Dynamic
Shared Secret feature.
CISCO-DOCS-EXT-MIB—Includes attributes to configure the Dynamic Shared Secret
feature and to generate traps when a cable modem fails the shared-secret
security checks.
To locate and download MIBs for selected platforms, Cisco
IOS releases, and feature sets, use Cisco MIB Locator found at the following
URL:
Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator
enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature
Navigator, go to the https://cfnng.cisco.com/ link. An account on the Cisco.com page is not required.
Note
The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent
releases of that software release train also support that feature.
Table 2. Feature Information for Downstream Interface Configuration
Feature Name            Releases                      Feature Information
Dynamic shared secret   Cisco IOS XE Everest 16.6.1   This feature was integrated into Cisco IOS XE Everest 16.6.1 on the Cisco cBR Series Converged Broadband Router.