TFTP Configuration File Security

9.4.1 Introduction

This section describes requirements intended to secure the CM configuration file download process, and to ensure that the CM does not receive a different level of service than described by the configuration file.

9.4.2 CMTS Security Features for Configuration File Download

The CMTS supports several features intended to secure the download of CM configuration files:

• a capability to prevent the disclosure of the IP address of the configuration file server (TFTP Proxy, Section 9.4.2.1);

• a capability to enforce that a CM downloads the correct configuration file according to DHCP configurations offered to the CM (Configuration File Name Authorization, Section 9.4.2.3);

• a capability to verify that a CM registers with settings that match those in the downloaded configuration file (Configuration File Learning, Section 9.4.2.4).

9.4.2.1 TFTP Proxy

The CMTS MUST implement a TFTP server and a TFTP client compliant with [RFC 1350]. Both the TFTP server and client in the CMTS MUST support TFTP option extension [RFC 2347], TFTP blocksize option [RFC 2348] and TFTP timeout interval option [RFC 2349]. The CMTS MUST be capable of acting as the TFTP server for CMs to download configuration files. The CMTS MUST be capable of acting as a TFTP client to download configuration files from TFTP servers in the provisioning system. The CMTS MAY support other file transfer protocol clients for CM configuration file download.

When the CMTS acts as the TFTP server for a CM, and at the same time acts as a TFTP client downloading a configuration file from a TFTP server on behalf of the CM, the CMTS is referred to as a TFTP Proxy. The CMTS MUST support the capability to enable or disable TFTP Proxy. By default, the CMTS MUST enable TFTP Proxy.

9.4.2.2 Protecting TFTP Server Addresses

If TFTP Proxy is enabled on a CMTS and a CM is provisioned in IPv4 mode, then the CMTS MUST ensure that the TFTP Server Address Option and/or the siaddr field in DHCPACK messages sent to the CM is the CMTS’s IP address.

If TFTP Proxy is enabled on a CMTS and a CM is provisioned in IPv6 mode, then the CMTS MUST ensure that the CL_OPTION_TFTP_SERVERS suboption of the OPTION_VENDOR_OPTS in Reply messages sent to the CM is the CMTS’s IP address.

If TFTP Proxy is enabled and a valid configuration download TFTP request has been received from a CM, the CMTS MUST acquire the configuration file from the configuration server identified in the DHCPACK (DHCPv4) or Reply (DHCPv6) messages relayed to the CM, and download it to the CM.

If TFTP Proxy is enabled on a CMTS, and if the provisioning system uses multiple configuration file servers, then the CMTS SHOULD support a mechanism that uses the multiple TFTP servers. The CMTS SHOULD implement a retry mechanism that synchronizes TFTP retries by the CM and by the CMTS. These mechanisms are not defined by this specification.

9.4.2.3 Configuration File Name Authorization

The CMTS MUST support the capability to maintain a list of authorized DHCP servers.

The CMTS MUST support the capability to learn the name of a CM’s configuration file from the DHCP configurations offered to the CM from an authorized DHCP server. The learned configuration file name identifies the configuration file that the CM is authorized to download.

The CMTS MUST support the capability to discard CM TFTP Requests if the name of the configuration file requested by a CM is not identical to the learned name of the configuration file. This capability is referred to as Configuration File Name Authorization. The CMTS MUST enable or disable Configuration File Name Authorization when the TFTP Proxy feature is enabled or disabled, respectively.

9.4.2.4 Configuration File Learning

When TFTP Proxy is enabled on a CMTS, the CMTS downloads configuration files on behalf of CMs, and the CMTS can learn about CMs’ configuration files. The CMTS MUST support a capability to learn about the CM’s configuration file. This capability is referred to as Configuration File Learning. The CMTS MUST be capable of being configured to enable or disable Configuration File Learning. By default, the CMTS MUST enable Configuration File Learning.

The CMTS MUST support the capability to enforce that a CM’s Registration is consistent with what the CMTS has learned about the CM’s configuration file.

If TFTP Proxy and Configuration File Learning are both enabled on a CMTS, and the CM’s Registration is not consistent with what the CMTS has learned about the CM’s configuration file (e.g., based on CMTS MIC calculation, or comparison of parameters used in CMTS MIC calculation), then the CMTS MUST respond with an Authentication Failure in the registration response status field (see [DOCSIS MULPIv3.0]). The CMTS MUST also log an event.

9.4.2.5 TFTP Options for CM’s MAC and IP Address

When TFTP Proxy is enabled on a CMTS, the client requesting a file from the backend provisioning system is the CMTS rather than the CM. However, some provisioning systems rely on the availability of the CM MAC and IP address in the request.

In order to allow this information to reach the provisioning system, the CMTS MUST support the MAC Address and IP Address TFTP options (Annex B). Enabling support for these options MUST be independently configurable on the CMTS with the default being disabled.

When a CM requests a configuration file and the IP Address option is enabled on the CMTS, the CMTS MUST include the CM’s IP address in the "netaddr" TFTP option. When a CM requests a configuration file and the MAC address is enabled on the CMTS, the CMTS MUST include the CM’s MAC address in the "hwaddr" TFTP option. If a TFTP packet received from a CM already includes these options, the CMTS MUST discard those options and include only the enabled TFTP options with source address values from the received packet. When either the IP address or MAC Address option is enabled, the CMTS MUST NOT cache configuration files locally.
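
A simplified model of Configuration File Name Authorization (Section 9.4.2.3) together with the "hwaddr"/"netaddr" handling described above, added here as an illustration and not taken from the specification or any CMTS implementation. The function names, the `learned` table and the textual encoding of the option values are assumptions; the normative option encoding is defined in Annex B.

```python
import struct

RRQ = 1                              # TFTP read-request opcode (RFC 1350)
PROXY_OPTS = {"hwaddr", "netaddr"}   # option names from Section 9.4.2.5


def parse_rrq(pkt: bytes):
    """Split an RRQ into (filename, mode, [(option, value), ...]) per RFC 1350/2347."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] != RRQ or pkt[-1:] != b"\0":
        raise ValueError("not a well-formed RRQ")
    fields = [f.decode("ascii") for f in pkt[2:-1].split(b"\0")]
    if len(fields) < 2 or len(fields) % 2 or not fields[0]:
        raise ValueError("missing, unpaired or empty RRQ fields")
    return fields[0], fields[1], list(zip(fields[2::2], fields[3::2]))


def proxy_request(pkt, cm_mac, cm_ip, learned, send_mac=False, send_ip=False):
    """Return the RRQ to send upstream, or None when the CM request is discarded.

    learned: CM MAC -> file name learned from an authorized DHCP server.
    cm_mac, cm_ip: source addresses of the received packet, never CM-supplied text.
    """
    try:
        filename, mode, options = parse_rrq(pkt)
    except ValueError:          # includes UnicodeDecodeError for non-ASCII bytes
        return None
    # Configuration File Name Authorization: exact match, no normalisation.
    if learned.get(cm_mac) != filename:
        return None
    # Drop any hwaddr/netaddr the CM sent (option names are case-insensitive).
    kept = [(k, v) for k, v in options if k.lower() not in PROXY_OPTS]
    if send_mac:
        kept.append(("hwaddr", cm_mac))    # value encoding assumed, see Annex B
    if send_ip:
        kept.append(("netaddr", cm_ip))    # value encoding assumed, see Annex B
    parts = [filename, mode] + [s for pair in kept for s in pair]
    return struct.pack("!H", RRQ) + b"".join(p.encode("ascii") + b"\0" for p in parts)


# Constructed sample data: one CM whose learned file name is "gold.cfg".
LEARNED = {"00:11:22:33:44:55": "gold.cfg"}
SPOOFED = b"\x00\x01gold.cfg\0octet\0HWADDR\0aa:bb:cc:dd:ee:ff\0blksize\x001448\0"

if __name__ == "__main__":
    print(proxy_request(SPOOFED, "00:11:22:33:44:55", "10.0.0.7", LEARNED, send_mac=True))
    print(proxy_request(b"\x00\x01GOLD.cfg\0octet\0", "00:11:22:33:44:55", "10.0.0.7", LEARNED))
```

The first call replaces the CM-supplied `HWADDR` value with the source MAC of the received packet; the second is discarded because `GOLD.cfg` is not identical to the learned name.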