ISP security questions - Connectivity



Thread: ISP security questions

  1. ISP security questions

    Hello All,

    I have a few questions regarding subscriber authentication and
    identification in cable Internet systems (or ISPs in general) that I'd
    appreciate some input on:

    1) It is my understanding that a cable modem is basically a layer-2
    bridge, so all the user traffic goes directly through to the CMTS. In
    this case, how does the cable service provider implement the 1 IP
    address per subscriber limitation? In other words, how is the
    subscriber prevented from simply connecting a switch to the cable
    modem and obtaining multiple IP addresses for his equipment via DHCP?
    Only the first IP address can be obtained in this manner - no more.

    2) How does the service provider prevent a user from manually entering
    a static IP address in the network configuration, potentially causing
    conflicts with another user who has the same IP? In other words, how
    does the provider ensure that the IP address given to a subscriber via
    DHCP is the only IP address that the subscriber can use?

    DSL service providers often use PPPoE, which takes care of both (1)
    and (2) above, but cable providers do not, so they must have some
    other way of doing it.

    3) Given that a user's IP address can change (assuming dynamic
    addressing via DHCP), and that his MAC address can also change (for
    example, if he plugs another PC into the cable modem), how does the
    service provider identify individual users for billing, bandwidth
    usage reporting, etc.?

    4) Is bandwidth limiting (i.e., ensuring that a user only gets the
    bandwidth package that he paid for) typically implemented at the
    network's edge by the cable modem, or centrally within the service
    provider's network (via a bandwidth management appliance?)

    I'd much appreciate any insight you can offer into these questions.

    Thanks,
    Nick

  2. Re: ISP security questions

    In article
    <05bcd2a1-fe3c-40fc-98f4-06b336a97265@z17g2000hsg.googlegroups.com>,
    Nick wrote:

    > Hello All,
    >
    > I have a few questions regarding subscriber authentication and
    > identification in cable Internet systems (or ISPs in general) that I'd
    > appreciate some input on:
    >
    > 1) It is my understanding that a cable modem is basically a layer-2
    > bridge, so all the user traffic goes directly through to the CMTS. In
    > this case, how does the cable service provider implement the 1 IP
    > address per subscriber limitation? In other words, how is the
    > subscriber prevented from simply connecting a switch to the cable
    > modem and obtaining multiple IP addresses for his equipment via DHCP?
    > Only the first IP address can be obtained in this manner - no more.
    >
    > 2) How does the service provider prevent a user from manually entering
    > a static IP address in the network configuration, potentially causing
    > conflicts with another user who has the same IP? In other words, how
    > does the provider ensure that the IP address given to a subscriber via
    > DHCP is the only IP address that the subscriber can use?
    >
    > DSL service providers often use PPPoE, which takes care of both (1)
    > and (2) above, but cable providers do not, so they must have some
    > other way of doing it.
    >
    > 3) Given that a user's IP address can change (assuming dynamic
    > addressing via DHCP), and that his MAC address can also change (for
    > example, if he plugs another PC into the cable modem), how does the
    > service provider identify individual users for billing, bandwidth
    > usage reporting, etc.?
    >
    > 4) Is bandwidth limiting (i.e., ensuring that a user only gets the
    > bandwidth package that he paid for) typically implemented at the
    > network's edge by the cable modem, or centrally within the service
    > provider's network (via a bandwidth management appliance?)
    >
    > I'd much appreciate any insight you can offer into these questions.
    >


    Your questions can be answered when you consider that the cable modem
    has MAC and IP address on the cable side of the device, as well as on
    the LAN side of the device. The ISP's database defines which services
    are allowed for which modem by using the modem's MAC address.

    --
    Tom Stiller

    PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

  3. Re: ISP security questions

    Thanks for your reply. But, if the cable modem is acting like a true
    bridge, then wouldn't it pass through the MAC address of the
    subscriber's device (PC or router), so that the MAC address "seen" by
    the ISP would be the address of the connected device, and not of the
    modem itself?

    Thanks,
    Nick

  4. Re: ISP security questions

    In article
    <8703f7b0-cb70-490b-aefa-8ee123f578d3@h25g2000hsf.googlegroups.com>,
    Nick wrote:

    > Thanks for your reply. But, if the cable modem is acting like a true
    > bridge, then wouldn't it pass through the MAC address of the
    > subscriber's device (PC or router), so that the MAC address "seen" by
    > the ISP would be the address of the connected device, and not of the
    > modem itself?


    Who says the cable modem acts as a bridge? Remember, all the traffic
    for a given neighborhood is present on the same cable. The modem has to
    detect and selectively pass only the traffic intended for it.
    Similarly, the modem is paired with only one device (specified by MAC
    address) on the LAN side. That sounds more like routing, rather than
    bridging.

    All that aside, you could probably look up the DOCSIS specifications and
    see exactly what the protocol does, and does not, allow.

    --
    Tom Stiller

    PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

  5. Re: ISP security questions

    Nick writes:

    > Thanks for your reply. But, if the cable modem is acting like a true
    > bridge,


    But, in reality, it's not.

    Now the big fun is if you can modify your cable modem's MAC to be a
    MAC of a legit cable modem on another segment. There was a
    vulnerability or hack released several years ago whereby access was
    regulated upstream of multiple segments whereby if you spoofed a legit
    MAC on another segment, your traffic would be routed happily by the
    upstream devices, and because you were on a separate segment, there
    would be no ARP conflicts. I never tried it, but it is the best
    example I can think of that plays to the scenarios you are pondering.
    I think it also needed a configuration goof on the cable modem
    provider's part to not lock IPs to a MAC or some such. I'm fuzzy on
    the details, but it was possible at some providers apparently.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  6. Re: ISP security questions

    On Thu, 21 Feb 2008 13:07:32 -0800 (PST), Nick wrote:

    >Hello All,
    >
    >I have a few questions regarding subscriber authentication and
    >identification in cable Internet systems (or ISPs in general) that I'd
    >appreciate some input on:


    I'll take a stab, partly because I hope someone will correct me where
    I'm wrong.

    >1) It is my understanding that a cable modem is basically a layer-2
    >bridge, so all the user traffic goes directly through to the CMTS. In
    >this case, how does the cable service provider implement the 1 IP
    >address per subscriber limitation? In other words, how is the
    >subscriber prevented from simply connecting a switch to the cable
    >modem and obtaining multiple IP addresses for his equipment via DHCP?
    >Only the first IP address can be obtained in this manner - no more.


    The cable modem knows how many IPs it's allowed to request on your
    behalf via its config file, and it learns the MAC address of the
    first device that it talks to after powering up. If you're allowed X,
    and you request X+1, the last request is ignored.

    >2) How does the service provider prevent a user from manually entering
    >a static IP address in the network configuration, potentially causing
    >conflicts with another user who has the same IP? In other words, how
    >does the provider ensure that the IP address given to a subscriber via
    >DHCP is the only IP address that the subscriber can use?


    My information is dated here, but as recently as 2001 I knew of a
    teenager (who would later become my step-son) who would manually
    assign public IP addresses to 3-4 of his friends when they'd bring
    their PCs over for a LAN party. He was in a single-PC household with
    the PC directly connected to the CM (via a hub), so he would look at
    his own IP and just make up as many additional IPs as he needed by
    incrementing the last octet. If anyone had trouble connecting to the
    'net, he would try another number until he found one that worked. My
    assumption is that 'trouble connecting' meant an IP collision with a
    legitimate user of that IP. When I discovered what they were doing, I
    added a router to the mix. Who knows how many people they
    inconvenienced by making up their own 24.x.x.x IPs.

    >DSL service providers often use PPPoE, which takes care of both (1)
    >and (2) above, but cable providers do not, so they must have some
    >other way of doing it.
    >
    >3) Given that a user's IP address can change (assuming dynamic
    >addressing via DHCP), and that his MAC address can also change (for
    >example, if he plugs another PC into the cable modem), how does the
    >service provider identify individual users for billing, bandwidth
    >usage reporting, etc.?


    The cable modem's MAC never changes and is provisioned to a specific
    user account, so my guess is that the CM MAC plays a role here. At the
    same time, the ISP knows who had a specific IP address at a specific
    time, so one way or another it should be pretty simple to identify
    individual users for billing, etc.

    >4) Is bandwidth limiting (i.e., ensuring that a user only gets the
    >bandwidth package that he paid for) typically implemented at the
    >network's edge by the cable modem, or centrally within the service
    >provider's network (via a bandwidth management appliance?)


    I believe the CM's config file contains the bandwidth parameter, so
    the CM is the traffic cop.

    --
    Bill

  7. Re: ISP security questions


    "Nick" wrote in message
    news:05bcd2a1-fe3c-40fc-98f4-06b336a97265@z17g2000hsg.googlegroups.com...
    > Hello All,
    >
    > I have a few questions regarding subscriber authentication and
    > identification in cable Internet systems (or ISPs in general) that I'd
    > appreciate some input on:
    >
    > 1) It is my understanding that a cable modem is basically a layer-2
    > bridge, so all the user traffic goes directly through to the CMTS. In
    > this case, how does the cable service provider implement the 1 IP
    > address per subscriber limitation? In other words, how is the
    > subscriber prevented from simply connecting a switch to the cable
    > modem and obtaining multiple IP addresses for his equipment via DHCP?
    > Only the first IP address can be obtained in this manner - no more.
    >
    > 2) How does the service provider prevent a user from manually entering
    > a static IP address in the network configuration, potentially causing
    > conflicts with another user who has the same IP? In other words, how
    > does the provider ensure that the IP address given to a subscriber via
    > DHCP is the only IP address that the subscriber can use?
    >
    > DSL service providers often use PPPoE, which takes care of both (1)
    > and (2) above, but cable providers do not, so they must have some
    > other way of doing it.
    >
    > 3) Given that a user's IP address can change (assuming dynamic
    > addressing via DHCP), and that his MAC address can also change (for
    > example, if he plugs another PC into the cable modem), how does the
    > service provider identify individual users for billing, bandwidth
    > usage reporting, etc.?
    >
    > 4) Is bandwidth limiting (i.e., ensuring that a user only gets the
    > bandwidth package that he paid for) typically implemented at the
    > network's edge by the cable modem, or centrally within the service
    > provider's network (via a bandwidth management appliance?)
    >
    > I'd much appreciate any insight you can offer into these questions.
    >
    > Thanks,
    > Nick

    http://en.wikipedia.org/wiki/DOCSIS

  8. Re: ISP security questions

    I did a bit more digging around regarding the authentication
    mechanism, and found the following guide:

    http://homepage.ntlworld.com/robin.d...s/cmworks.html

    It suggests that the cable modem acts like a transparent learning
    bridge and does not modify the source and destination MAC addresses of
    the customer traffic. In this case, the question remains - how are
    different users identified, since the source MAC address can change if
    the user, e.g., plugs another PC into the cable modem? Some cable
    providers require the user to provide the MAC address of his PC or
    router, probably for this very reason; others, however, don't have
    this requirement, so they must have another way to do it.

    One possible explanation that I've come up with is that when the user
    makes a DHCP request, the head-end router dynamically records the
    user's current MAC address and "binds" it to the assigned DHCP IP
    address, so that the user traffic can be identified. Is this how it's
    done?

    Thanks,
    Nick
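
The per-modem CPE limit that Bill describes in post 6 and the DHCP-learned IP-to-MAC binding that Nick proposes above can be modelled together as a CMTS-side lease table. The following is an added toy model, not code from the thread, from DOCSIS, or from any vendor: modems are keyed by their cable-side MAC, the max-CPE count stands in for a value from the modem's config file, and upstream packets are forwarded only when their source IP was leased to that exact modem/CPE pair (a CMTS check of this kind exists in practice, e.g. Cisco's cable source-verify, but the logic here is a simplification). All MACs and the 24.0.0.x pool are constructed sample values.

```python
# Toy model of the CMTS-side checks discussed in posts 6 and 8 (constructed
# example, not DOCSIS or vendor code); modems are keyed by cable-side MAC.
from dataclasses import dataclass, field

@dataclass
class Modem:
    max_cpe: int   # CPE limit from the modem's (hypothetical) config file
    cpe_macs: set = field(default_factory=set)   # learned LAN-side MACs
    leases: dict = field(default_factory=dict)   # CPE MAC -> leased IP

class Cmts:
    def __init__(self, pool):
        self.modems = {}        # cable-side modem MAC -> Modem
        self.pool = list(pool)  # constructed DHCP address pool
        self.owner = {}         # leased IP -> (modem MAC, CPE MAC)

    def provision(self, modem_mac, max_cpe):
        self.modems[modem_mac] = Modem(max_cpe)

    def dhcp_request(self, modem_mac, cpe_mac):
        """Lease an IP to the CPE, or None once the modem's CPE limit is hit."""
        m = self.modems[modem_mac]
        if cpe_mac in m.leases:
            return m.leases[cpe_mac]        # renewal keeps the same address
        if len(m.cpe_macs) >= m.max_cpe or not self.pool:
            return None                     # the X+1 request is ignored
        ip = self.pool.pop(0)
        m.cpe_macs.add(cpe_mac)
        m.leases[cpe_mac] = ip
        self.owner[ip] = (modem_mac, cpe_mac)
        return ip

    def forward_upstream(self, modem_mac, cpe_mac, src_ip):
        """Source verify: forward only if src_ip was leased to this MAC pair."""
        return self.owner.get(src_ip) == (modem_mac, cpe_mac)

def demo():
    cmts = Cmts(["24.0.0.10", "24.0.0.11", "24.0.0.12"])  # constructed pool
    cmts.provision("00:11:22:aa:bb:01", max_cpe=1)         # single-IP plan
    cmts.provision("00:11:22:aa:bb:02", max_cpe=1)         # the neighbour
    pc = cmts.dhcp_request("00:11:22:aa:bb:01", "de:ad:be:ef:00:01")
    extra = cmts.dhcp_request("00:11:22:aa:bb:01", "de:ad:be:ef:00:02")
    nb = cmts.dhcp_request("00:11:22:aa:bb:02", "de:ad:be:ef:00:03")
    return {"pc": pc, "extra": extra,
            "legit": cmts.forward_upstream("00:11:22:aa:bb:01", "de:ad:be:ef:00:01", pc),
            # a made-up static address colliding with the neighbour's lease
            "squatter": cmts.forward_upstream("00:11:22:aa:bb:01", "de:ad:be:ef:00:02", nb)}
```

In the demo the second CPE behind the single-IP modem gets no lease, and a packet carrying the neighbour's address is dropped at the CMTS rather than colliding with the neighbour's PC, which is the failure Bill's LAN-party anecdote describes.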

  9. Re: ISP security questions

    In article
    <16a1f644-bd5c-47b1-940f-dcce12d627e4@n77g2000hse.googlegroups.com>,
    Nick wrote:

    > I did a bit more digging around regarding the authentication
    > mechanism, and found the following guide:
    >
    > http://homepage.ntlworld.com/robin.d...s/cmworks.html
    >
    > It suggests that the cable modem acts like a transparent learning
    > bridge and does not modify the source and destination MAC addresses of
    > the customer traffic. In this case, the question remains - how are
    > different users identified, since the source MAC address can change if
    > the user, e.g., plugs another PC into the cable modem? Some cable
    > providers require the user to provide the MAC address of his PC or
    > router, probably for this very reason; others, however, don't have
    > this requirement, so they must have another way to do it.


    They use the MAC address on the cable side of the modem; not the MAC
    address of the user device attached to the LAN side of the modem.
    >
    > One possible explanation that I've come up with is that when the user
    > makes a DHCP request, the head-end router dynamically records the
    > user's current MAC address and "binds" it to the assigned DHCP IP
    > address, so that the user traffic can be identified. Is this how it's
    > done?
    >
    > Thanks,
    > Nick


    --
    Tom Stiller

    PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF
