Cisco SR2016T-NA Reference Manual page 85


Chapter 2
Cisco CMTS Configuration Commands
Note: Configuring the Dynamic Shared Secret feature on the master interface in a bundle also automatically configures it for all interfaces in the bundle.

Command History

Release         Modification
12.2(15)BC1     This command was introduced.
12.2(15)BC1b    Support for the nocrypt option was added.

Usage Guidelines
The cable dynamic-secret configuration command automatically creates a unique DOCSIS shared secret on a per-modem basis, creating a one-time-use DOCSIS configuration file that is valid only for the current session. This ensures that a DOCSIS configuration file that has been downloaded for one cable modem can never be used by any other modem, nor can the same modem reuse this configuration file at a later time. This patent-pending feature is designed to guarantee that all registered modems are using only the QoS parameters that have been specified by the DOCSIS provisioning system for that particular modem at the time of its registration.

The cable dynamic-secret configuration command enhances the existing shared secret support on the Cisco CMTS by using a one-time, dynamically generated shared secret each time a cable modem registers. This prevents theft-of-service attacks in which users are able to substitute a DOCSIS configuration file that provides a higher level of service during the registration phase.

The DOCSIS specification allows cable service providers to use a shared secret to create the CMTS MIC value that is stored in a DOCSIS configuration file. If a user attempts to register with the CMTS using a different or modified DOCSIS configuration file, the CMTS can compare the CMTS MIC value sent by the cable modem with the CMTS MIC it has calculated. If the two MIC values are different, the file has been modified.

The cable dynamic-secret command allows the CMTS to dynamically create the shared secret at the time that the cable modem is registering, and that shared secret is valid only for that particular session with that particular cable modem. A new dynamically generated shared secret is used each time each cable modem registers, which prevents users from guessing the shared secret and using it again to register with a modified DOCSIS configuration file.

If the cable modem's DOCSIS configuration file fails the CMTS MIC verification check, one of the following messages is displayed on the console:

%UBR7200-4-BADCFGFILE: Modem config file platinum.cm at C3/0: CMTS MIC Invalid
%UBR7200-4-BADCFGFILE: Modem config file platinum.cm at C3/0: No CMTS MIC

If the error message specifies that the reason for the failure is "CMTS MIC Invalid," the CMTS MIC was not encoded with the proper dynamically generated shared secret. If the reason is "No CMTS MIC," the DOCSIS configuration file did not contain any value for the CMTS MIC, which could indicate that the customer has attempted to bypass the DOCSIS security checks by creating their own DOCSIS configuration file without any MIC values.
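
The verification check and its two failure reasons, as an added Python sketch that is not Cisco code. It models the CMTS MIC as an HMAC-MD5 over the file's other TLVs in file order and draws the per-registration secret from os.urandom; both are simplifying assumptions (DOCSIS defines exactly which TLVs are covered and in what order, and this page does not say how the CMTS derives the dynamic secret), and all function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import os

CMTS_MIC, PAD, END = 7, 0, 255   # DOCSIS config-file TLV types used here

def parse_tlvs(blob):
    """Split config-file bytes into (type, value) pairs, stopping at END."""
    tlvs, i = [], 0
    while i < len(blob) and blob[i] != END:
        if blob[i] == PAD:                      # pad byte has no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated TLV header")
        t, n = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + n]
        if len(value) != n:
            raise ValueError("truncated TLV value")
        tlvs.append((t, value))
        i += 2 + n
    return tlvs

def encode(tlvs):
    return b"".join(bytes([t, len(v)]) + v for t, v in tlvs) + bytes([END])

def compute_mic(tlvs, secret):
    # Simplification: covers every TLV except the MIC itself, in file order.
    body = b"".join(bytes([t, len(v)]) + v for t, v in tlvs if t != CMTS_MIC)
    return hmac.new(secret, body, hashlib.md5).digest()

def sign_for_session(blob, secret):   # re-issue the file for one session
    tlvs = [(t, v) for t, v in parse_tlvs(blob) if t != CMTS_MIC]
    return encode(tlvs + [(CMTS_MIC, compute_mic(tlvs, secret))])

def verify(blob, secret):
    """Return "OK" or the failure reason used in the console messages."""
    tlvs = parse_tlvs(blob)
    sent = [v for t, v in tlvs if t == CMTS_MIC]
    if not sent:
        return "No CMTS MIC"
    if not hmac.compare_digest(sent[0], compute_mic(tlvs, secret)):
        return "CMTS MIC Invalid"
    return "OK"

def new_session_secret():
    return os.urandom(16)   # assumption: the page does not say how it is derived

SAMPLE = encode([(3, b"\x01"), (1, b"\x00\x00\x00\x01")])  # constructed, no MIC
```

A file signed for one registration verifies only against that registration's secret; the same bytes checked against the next session's secret return "CMTS MIC Invalid", which is the replay case the feature is meant to stop.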

Note: The Dynamic Shared Secret feature does not affect the use of the original shared secret or secondary shared secrets that are configured using the cable shared-secret and cable shared-secondary-secret commands. If these shared secrets are configured, the Cisco CMTS continues to use them to validate the original DOCSIS configuration file that is downloaded from the TFTP server. If the DOCSIS

Cisco Broadband Cable Command Reference Guide, OL-1581-08, page 2-73
