BPI+ encryption is by default enabled for 56-bit DES encryption on all cable interfaces. If BPI+ encryption has been previously disabled, or if you want to reconfigure BPI+ encryption on a cable interface on the CMTS, use the following procedure.
Note If you have disabled BPI+ encryption on a cable interface, and a cable modem attempts to register on that interface using BPI+ encryption, the CMTS will reject its registration request, displaying a %UBR7200-4-SERVICE_PERMANENTLY_UNAVAILABLE error message. The show cable modem
command will also show that this cable modem has been rejected with a MAC status of reject(c).
Prerequisites
BPI+ encryption is supported on all Cisco CMTS images that include “k1”, “k8”, or “k9” in its file name or BPI in the feature set description. All BPI images support 40-bit and 56-bit DES encryption. By default, BPI+ encryption is enabled for 56-bit DES encryption. Also, when a cable modem is running DOCSIS 1.1 software, BPI+ encryption is enabled by default, unless the service provider has disabled it by setting the Privacy Enable field (TLV 29) in the DOCSIS configuration file to 0. Therefore, both the CMTS and cable modem are set to use BPI+ encryption when using the default configurations.
SUMMARY STEPS
1. enable
2. configureterminal 3. interface cablex/y 4. cable privacy
5. cable privacy40-bit-des
6. cable privacy accept-self-signed-certificate
Caution Cisco strongly recommends that this above command remain unconfigured, as it bypasses DOCSIS BPI+ certificates. Otherwise, self-signed certificates provide workaround registration for cable modems that are not compliant with DOCSIS BPI+ certificates. This functionality is strictly intended for
troubleshooting of a short duration or in the context of additional security measures.
7. cable privacyauthenticate-modem 8. cable privacyauthorize-multicast 9. cable privacymandatory
10. cable privacyoaep-support
11. cable privacy kek {grace-timeseconds | life-timeseconds}
12. cable privacy tek {grace-timeseconds | life-timeseconds}
13. exit 14. exit
Configuring DOCSIS 1.1 on the Cisco CMTS
How to Configure the Cisco CMTS for DOCSIS 1.1 Operations
89
Cisco IOS Release 12.2(8)BC2 DETAILED STEPS Command Purpose Step 1 enable Example: Router> enable Router#
Enables privileged EXEC mode. Enter your password if prompted.
Step 2 configure terminal
Example:
Router# configure terminal Router(config)#
Enters global configuration mode.
Step 3 interface cable x/y
Example:
Router(config)# interface cable 6/0 Router(config-if)#
Enters interface configuration mode for the cable interface line card at this particular slot.
Step 4 cable privacy
Example:
Router(config-if)# cable privacy Router(config-if)#
(Optional) Enables BPI+ 56-bit DES encryption on the cable interface (default).
Step 5 cable privacy 40-bit-des
Example:
Router(config-if)# cable privacy 48-bit-des Router(config-if)#
(Optional) Enables BPI+ 40-bit DES encryption on the cable interface. Cisco does not recommend this option for production systems because 40-bit encryption is not as secure as the 56-bit DES or 168-bit 3DES encryption algorithms.
Step 6 cable privacy accept-self-signed-certificate
Example:
Router(config-if)# cable privacy accept-self-signed-certificate Router(config-if)#
(Optional) Allows cable modems to register using self-signed manufacturer certificates, as opposed to the default of allowing only manufacturer’s certificates that are chained to the DOCSIS root certificate.
Caution Cisco strongly recommends that this command remain unconfigured, as it bypasses DOCSIS BPI+ certificates. Otherwise, self-signed certificates provide workaround registration for cable modems that are not compliant with DOCSIS BPI+ certificates. This functionality is strictly intended for troubleshooting of a short duration or in the context of additional security measures.
Note By default, the CMTS does not accept self-signed certificates. In the default configuration, if a cable modem attempts to register with self-signed certificates, the CMTS will refuse to allow the cable modem to register.
Configuring DOCSIS 1.1 on the Cisco CMTS How to Configure the Cisco CMTS for DOCSIS 1.1 Operations
Step 7 cable privacy authenticate-modem
Example:
Router(config-if)# cable privacy authenticate-modem
Router(config-if)#
(Optional) Enables BPI+ encryption on the cable interface and uses the Cisco IOS Authentication, Authorization and Accounting (AAA) service together with BPI to
authenticate the CMs.
Step 8 cable privacy authorize-multicast
Example:
Router(config-if)# cable privacy authorize-multicast
Router(config-if)#
(Optional) Enables BPI+ encryption on the cable interface and uses AAA protocols to authorize all multicast stream (IGMP) join requests.
Note If you use this command to authorize multicast streams, you must also use the cable privacy authenticate-modem command to enable AAA services on the cable interface.
Step 9 cable privacy mandatory
Example:
Router(config-if)# cable privacy mandatory Router(config-if)#
(Optional) Enables BPI+ encryption on the cable interface and requires baseline privacy for all CMs. If a CM does not enable BPI or BPI+ encryption in its DOCSIS configuration file, it will not be allowed to come online.
Step 10 cable privacy oaep-support
Example:
Router(config-if)# cable privacy oaep-support Router(config-if)#
(Optional) Enables BPI+ encryption on the cable interface and enables Optimal Asymmetric Encryption Padding (OAEP). This option is enabled by default. Disabling this option could have a performance impact.
Step 11 cable privacy kek {grace-time seconds |
life-time seconds}
Example:
Router(config-if)# cable privacy kek grace-time 480
Router(config-if)# cable privacy kek life-time 302400
Router(config-if)#
(Optional) Configures the grace-time and life-time values for the key encryption keys (KEKs) for BPI+ operations on all cable interfaces.
• grace-timeseconds1—(DOCSIS 1.0 BPI only) The amount of time before the KEK key expires that the CM should begin renegotiating a new key. The valid range is 60 to 1800 seconds, with a default of 600 seconds (10 minutes).
• life-timeseconds—The maximum amount of time, in seconds, that a KEK key can be considered valid. The valid range is 300 to 604,8000, with a default of 604,800 seconds (7 days).
Step 12 cable privacy tek {grace-time seconds |
life-time seconds}
Example:
Router(config-if)# cable privacy tek grace-time 1800
Router(config-if)# cable privacy tek life-time 86400
Router(config-if)#
(Optional) Configures the grace-time and life-time values for the traffic encryption keys (TEKs) for BPI+ operations on all cable interfaces.
• grace-time seconds1—(DOCSIS 1.0 BPI only) The amount of time before the TEK key expires that the CM should begin renegotiating a new key. The valid range is 60 to 1800 seconds, with a default of 600 seconds (10 minutes).
• life-timeseconds—The maximum amount of time, in seconds, that a TEK key can be considered valid. The valid range is 180 to 604,8000, with a default of 43,200 seconds (12 hours).
Configuring DOCSIS 1.1 on the Cisco CMTS
How to Configure the Cisco CMTS for DOCSIS 1.1 Operations
91
Cisco IOS Release 12.2(8)BC2
You can also configure the following additional timers for BPI+ operations in the DOCSIS configuration file for each cable modem. As a general rule, you do not need to specify these timers in the DOCSIS configuration file unless you have a specific reason for changing them from their default values.