Cisco Systems MC-607 Saw User Manual


 
Configuring Subscriber-End Broadband Access Router Features
Subscriber-End Broadband Access Router Security Features
MC-623
Cisco IOS Multiservice Applications Configuration Guide
Note: The backup POTS connection enables only one of the VoIP ports on the Cisco uBR924 to
function during a power outage. Calls in progress prior to the power outage will be
disconnected. If power is reestablished while a cutover call is in progress, the connection
will remain in place until the call is terminated. Once the cutover call is terminated, the
router automatically reboots.
Subscriber-End Broadband Access Router Security Features
Cisco uBR900 series cable access routers support the security features described in the following
sections.
DOCSIS Baseline Privacy
Support for DOCSIS Baseline Privacy in the Cisco uBR900 series is based on the DOCSIS Baseline
Privacy Interface Specification (SP-BPI-I01-970922). It provides data privacy across the HFC network
by encrypting traffic flows between the cable access router and the CMTS.
Baseline Privacy security services are defined as a set of extended services within the DOCSIS MAC
sublayer. Two new MAC management message types, BPKM-REQ and BPKM-RSP, are employed to
support the Baseline Privacy Key Management (BPKM) protocol.
The BPKM protocol does not use authentication mechanisms such as passwords or digital signatures; it
provides basic protection of service by ensuring that a cable modem, uniquely identified by its 48-bit
IEEE MAC address, can only obtain keying material for services it is authorized to access. The
Cisco uBR900 series cable access router is able to obtain two types of keys from the CMTS: the traffic
exchange key (TEK), which is used to encrypt and decrypt data packets, and the key exchange key
(KEK), which is used to decrypt the TEK.
To support encryption/decryption, Cisco IOS images must contain encryption/decryption software at
both the CMTS router and the Cisco uBR924 cable access router. Both the CMTS router and the
Cisco uBR924 cable access router must be enabled and configured per the software feature set.
IPSec Network Security
IPSec Network Security (IPSec) is an IP security feature that provides robust authentication and
encryption of IP packets. IPSec is a framework of open standards developed by the IETF providing
security for transmission of sensitive information over unprotected networks such as the Internet. IPSec
acts at the network layer (Layer 3), protecting and authenticating IP packets between participating IPSec
devices (peers) such as the Cisco uBR900 series cable access router.
IPSec provides the following network security services:
• Privacy—IPSec can encrypt packets before transmitting them across a network.
• Integrity—IPSec authenticates packets at the destination peer to ensure that the data has not been altered during transmission.
• Authentication—Peers authenticate the source of all IPSec-protected packets.
• Anti-replay protection—Prevents capture and replay of packets; helps protect against denial-of-service attacks.
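
The integrity and anti-replay services listed above work together on the receiving peer, and the order of the two checks matters. The following Python sketch is an added example, not Cisco code: the 64-packet window, HMAC-SHA-256, the key and the (seq, payload, icv) tuple are assumptions chosen for illustration and are not a real IPSec wire format.

```python
import hashlib
import hmac
import struct

WINDOW = 64  # assumed window size; the page does not specify one


def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity check value over the sequence number and the payload."""
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256).digest()


def seal(key: bytes, seq: int, payload: bytes):
    """Sender side: build a simplified (seq, payload, icv) packet."""
    return seq, payload, icv(key, seq, payload)


class ReplayWindow:
    """Receiver-side state for one protected flow (simplified)."""

    def __init__(self, key: bytes):
        self.key = key
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (top - i) already accepted

    def accept(self, packet) -> str:
        seq, payload, tag = packet
        # 1. Cheap pre-check: reject packets left of the window or already seen.
        if seq == 0 or seq + WINDOW <= self.top:
            return "drop: too old"
        if seq <= self.top and (self.bitmap >> (self.top - seq)) & 1:
            return "drop: replay"
        # 2. Verify integrity BEFORE moving the window. Otherwise a forged
        #    packet with a large sequence number would slide the window
        #    forward and make the receiver reject legitimate traffic.
        if not hmac.compare_digest(tag, icv(self.key, seq, payload)):
            return "drop: bad icv"
        # 3. Only an authenticated packet updates the window state.
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accept"
```

Out-of-order packets inside the window are accepted once; a captured packet sent a second time, or a packet older than the window, is dropped without changing receiver state.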