When EAE is enabled, the CMTS uses EAE to perform network admission control by forcing CMs to authenticate before allowing them to proceed with the initialization process. As a result of EAE, a security association is established for the CM’s primary SAID, which protects subsequent provisioning messages (see [DOCSIS MULPIv3.0]).
The CMTS enforces EAE only for CMs that initialize on a downstream channel on which the CMTS is transmitting MDD messages. The CMTS MUST support the following configurable EAE enforcement policies:
Policy 1: No EAE enforcement, i.e., EAE is disabled, and the CMTS does not enforce EAE on any CM.
Policy 2: Ranging-Based EAE Enforcement, i.e., the CMTS enforces EAE on CMs that range with a B-INIT-RNG-REQ MAC message.
Policy 3: Capability-Based EAE Enforcement, i.e., the CMTS enforces EAE on CMs that range with a B-INIT-RNG-REQ MAC message in which the EAE capability flag is set.
Policy 4: Total EAE Enforcement, i.e., the CMTS enforces EAE on all CMs.
The EAE enforcement policies are mutually exclusive. By default, the CMTS MUST enable Ranging-Based EAE Enforcement (Policy 2). Policies 2 and 3 are referred to as Selective EAE Enforcement.
When configured for Selective EAE Enforcement the CMTS does not enforce EAE for DOCSIS 1.0/1.1/2.0 CMs since they do not support the B-INIT-RNG-REQ MAC message.
The CMTS enforces EAE on CMs based on the configured EAE enforcement policies. CMs in the EAE Exclusion List (see Section 8.4.5), are always exempted from EAE enforcement.
8.4.1 CMTS and CM behaviors when EAE is Enabled
When EAE is enabled on a CMTS and a CM performs EAE, then:
• following successful completion of the ranging process, the CMTS MUST drop all PDUs (i.e., frames with FC type 00) [DOCSIS MULPIv3.0] from the CM until it has successfully completed EAE. A CM completes EAE when it has received the Key Reply message for the Primary SAID.
• the CMTS MUST use the Primary SA to carry all IP messages involved in the provisioning of the CM (i.e., DHCP, TOD, and TFTP).
• the CM MUST use the Primary SA to carry all IP messages involved in the provisioning of the CM (i.e., DHCP, TOD, and TFTP), and its REG-REQ-MP MAC messages.
8.4.2 EAE enforcement determination
This section describes how the CMTS makes EAE enforcement decisions based on its configured policy.
8.4.2.1 Ranging-Based EAE Enforcement
When the CMTS is configured to enable Ranging-Based EAE Enforcement (policy 2), the CMTS enforces EAE on a CM based on the CM’s ranging MAC message type, ignoring the EAE capability flag in the B-INIT-RNG-REQ. When the CMTS is configured for EAE enforcement policy 2, it MUST enforce EAE only on CMs that range with B-INIT-RNG-REQ, except for CMs on the EAE Exclusion List (see Section 8.4.5).
8.4.2.2 Capability-Based EAE Enforcement
When the CMTS is configured to enable Capability-Based EAE Enforcement (policy 3), the CMTS enforces EAE on a CM based on its ranging MAC message type as well as the EAE capability flag in the B-INIT-RNG-REQ [DOCSIS MULPIv3.0]. When the CMTS is configured for policy 3 enforcement, it MUST enforce EAE only on CMs that range with B-INIT-RNG-REQ in which the EAE capability flag is set, except for CMs on the EAE Exclusion List (see Section 8.4.5).
8.4.2.3 Total EAE Enforcement
When the CMTS is configured to enable Total EAE Enforcement (policy 4), the CMTS MUST enforce EAE on all CMs, except for CMs on the EAE Exclusion List (see Section 8.4.5).
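The CMTS-side decisions described in Sections 8.4.1, 8.4.2 and 8.4.5, together with the DHCP discard rule of Section 8.4.3, as one worked example in Python. This is added example code, not text or code from the DOCSIS specification or from any CMTS implementation. The Policy names, function names and the frame/packet layouts it checks are chosen for the example; it assumes a DOCSIS CM advertises its version as a "docsisX.Y" vendor class string (DHCPv4 option 60, or DHCPv6 option 16 under the CableLabs enterprise number 4491), and the sample packets are constructed, not captured.

```python
"""Model of the CMTS-side EAE gates (added example, not spec or vendor code)."""
import struct
from enum import IntEnum


class Policy(IntEnum):
    """The four configurable EAE enforcement policies (names chosen for this example)."""
    NO_ENFORCEMENT = 1     # EAE disabled
    RANGING_BASED = 2      # default: any CM that ranges with B-INIT-RNG-REQ
    CAPABILITY_BASED = 3   # B-INIT-RNG-REQ with the EAE capability flag set
    TOTAL = 4              # every CM


def _excluded(cm_mac, exclusion_list):
    """Case-insensitive membership test against the per-MAC-domain Exclusion List (8.4.5)."""
    return cm_mac.lower() in {m.lower() for m in exclusion_list}


def eae_enforced(policy, ranging_msg, eae_capable, cm_mac, exclusion_list):
    """Decide at ranging time whether the CMTS enforces EAE on this CM (8.4.2 + 8.4.5)."""
    if _excluded(cm_mac, exclusion_list):
        return False                     # Exclusion List always wins
    if policy == Policy.NO_ENFORCEMENT:
        return False
    if policy == Policy.TOTAL:
        return True
    if ranging_msg != "B-INIT-RNG-REQ":
        return False                     # pre-3.0 CMs never send B-INIT-RNG-REQ
    if policy == Policy.RANGING_BASED:
        return True                      # capability flag is ignored
    return bool(eae_capable)             # Policy.CAPABILITY_BASED


def forward_pdu(fc_byte, enforced, eae_completed):
    """8.4.1: after ranging, drop packet PDUs (FC_TYPE 00, top two bits of FC) until EAE is done."""
    fc_type = (fc_byte >> 6) & 0x3
    return not (enforced and not eae_completed and fc_type == 0)


def docsis_version(vendor_class):
    """Parse an assumed 'docsisX.Y' vendor class into (X, Y); None if it is not one."""
    s = bytes(vendor_class).decode("ascii", "replace").lower()
    if not s.startswith("docsis"):
        return None
    try:
        major, minor = s[len("docsis"):].split(".", 1)
        return int(major), int(minor)
    except ValueError:
        return None


def dhcpv4_vendor_class(pkt):
    """Return option 60 from a DHCPv4 packet (236-byte BOOTP header, magic cookie, options)."""
    if len(pkt) < 240 or pkt[236:240] != b"\x63\x82\x53\x63":
        return None
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                           # pad
            i += 1
            continue
        if code == 255 or i + 2 > len(pkt):     # end, or truncated option header
            break
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:                 # truncated option body
            break
        if code == 60:
            return data
        i += 2 + length
    return None


def dhcpv6_vendor_class(pkt, enterprise=4491):
    """Return the first vendor-class-data of option 16 for the given enterprise (4491 = CableLabs)."""
    i = 4                                       # msg-type (1) + transaction-id (3)
    while i + 4 <= len(pkt):
        code, length = struct.unpack("!HH", pkt[i:i + 4])
        data = pkt[i + 4:i + 4 + length]
        if len(data) != length:
            return None
        if code == 16 and len(data) >= 6 and struct.unpack("!I", data[:4])[0] == enterprise:
            dlen = struct.unpack("!H", data[4:6])[0]
            return data[6:6 + dlen]
        i += 4 + length
    return None


def discard_dhcp(policy, vendor_class, eae_completed, cm_mac, exclusion_list):
    """8.4.3: under policy 2 or 3, discard DHCP from a DOCSIS >= 3.0 CM that has not completed EAE."""
    if policy not in (Policy.RANGING_BASED, Policy.CAPABILITY_BASED):
        return False
    if eae_completed or _excluded(cm_mac, exclusion_list):
        return False
    version = docsis_version(vendor_class or b"")
    return version is not None and version >= (3, 0)


# Constructed sample packets for this example (not captured traffic).
SAMPLE_DHCPV4 = (b"\x01\x01\x06\x00" + b"\x00" * 232 + b"\x63\x82\x53\x63"
                 + b"\x35\x01\x01"              # option 53: DHCPDISCOVER
                 + b"\x3c\x09" + b"docsis3.0"   # option 60: vendor class
                 + b"\xff")
_VC6 = struct.pack("!I", 4491) + struct.pack("!H", 9) + b"docsis3.0"
SAMPLE_DHCPV6 = b"\x01\x00\x00\x01" + struct.pack("!HH", 16, len(_VC6)) + _VC6

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"
    print("enforced:", eae_enforced(Policy.RANGING_BASED, "B-INIT-RNG-REQ", False, mac, []))
    vc = dhcpv4_vendor_class(SAMPLE_DHCPV4)
    print("vendor class:", vc, "discard:", discard_dhcp(Policy.RANGING_BASED, vc, False, mac, []))
```

Note that discard_dhcp deliberately returns False under policy 4: the text limits the DHCP rule to policies 2 and 3, and under Total EAE Enforcement every packet PDU from an unauthenticated CM is already dropped by the 8.4.1 gate modelled in forward_pdu.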
8.4.3 EAE Enforcement of DHCP Traffic
When the CMTS is configured for EAE enforcement policy 2 or 3, the CMTS MUST discard DHCP packets from a CM if:
• the Vendor Class Identifier Option (option 60 for DHCPv4 and option 16 for DHCPv6) in the DHCP packets advertises DOCSIS version 3.0 or later [DOCSIS MULPIv3.0]; and
• the CM has not successfully completed EAE; and
• the CM is not on the EAE Exclusion List (see Section 8.4.5).

8.4.4 CMTS and CM Behavior when EAE is Disabled
When EAE is disabled, then:
• the CMTS MUST allow a CM to proceed with the Initialization process [DOCSIS MULPIv3.0] without performing EAE;
• the CM MUST NOT initiate EAE after completing initial ranging;
• after completing initial ranging the CM MUST proceed to the next step in the CM initialization process as defined in [DOCSIS MULPIv3.0];
• if the CMTS receives an Authorization Request from a CM following ranging completion, the CMTS SHOULD NOT perform authentication on the CM. The CMTS MUST respond to the Authorization Request with an Authorization Reject message containing the error code 10.
8.4.5 EAE Exclusion List
The CMTS MUST support, on a per-MAC-domain basis, the capability to exclude individual CMs from EAE enforcement based on their MAC addresses when policy 2, 3, or 4 is enabled.
If a CM is on the exclusion list, then:
• the CMTS MUST allow the CM to proceed with the Initialization process [DOCSIS MULPIv3.0] without performing EAE.
• if the CMTS receives an Authorization Request from the CM following ranging completion, the CMTS MUST respond with an Authorization Reject message containing the error code 10.
• if the CM sends an Authorization Request immediately after ranging completion and receives error code 10 in the Authorization Reject message in response, the CM MUST terminate its Authorization state machine and proceed to the next step in its initialization process as described in [DOCSIS MULPIv3.0]. The CM will later initiate Authorization and subsequent TEK key exchanges if it receives a configuration file that enables BPI+ (see Section 7).
8.4.6 Interoperability issues
A pre-DOCSIS 3.0 CM does not recognize the MDD message and thus will not attempt to perform EAE. The DOCSIS 3.0 CMTS MUST support initialization of pre-DOCSIS 3.0 CMs including operation of the Authorization and TEK state machines following registration as defined in [DOCSIS RFIv2.0].
A DOCSIS 3.0 CM capable of EAE, when deployed against a pre-DOCSIS 3.0 CMTS, determines that EAE is disabled because it does not receive a valid MDD during initial ranging. The process by which a CM detects a valid MDD during initial ranging is described in [DOCSIS MULPIv3.0]. A CM that fails to detect an MDD message proceeds directly to the "Establish IP Connectivity" phase after initial ranging.