PDA

View Full Version : ISP security questions



Nick
02-21-08, 04:07 PM
Hello All,

I have a few questions regarding subscriber authentication and
identification in cable Internet systems (or ISPs in general) that I'd
appreciate some input on:

1) It is my understanding that a cable modem is basically a layer-2
bridge, so all the user traffic goes directly through to the CMTS. In
this case, how does the cable service provider implement the 1 IP
address per subscriber limitation? In other words, how is the
subscriber prevented from simply connecting a switch to the cable
modem and obtaining multiple IP addresses for his equipment via DHCP?
Only the first IP address can be obtained in this manner - no more.

2) How does the service provider prevent a user from manually entering
a static IP address in the network configuration, potentially causing
conflicts with another user who has the same IP? In other words, how
does the provider ensure that the IP address given to a subscriber via
DHCP is the only IP address that the subscriber can use?

DSL service providers often use PPPoE, which takes care of both (1)
and (2) above, but cable providers do not, so they must have some
other way of doing it.

3) Given that a user's IP address can change (assuming dynamic
addressing via DHCP), and that his MAC address can also change (for
example, if he plugs another PC into the cable modem), how does the
service provider identify individual users for billing, bandwidth
usage reporting, etc.?

4) Is bandwidth limiting (i.e., ensuring that a user only gets the
bandwidth package that he paid for) typically implemented at the
network's edge by the cable modem, or centrally within the service
provider's network (via a bandwidth management appliance?)

I'd much appreciate any insight you can offer into these questions.

Thanks,
Nick

Tom Stiller
02-21-08, 05:19 PM
In article
<05bcd2a1-fe3c-40fc-98f4-06b336a97265@z17g2000hsg.googlegroups.com>,
Nick <nick971@hotmail.com> wrote:

> Hello All,
>
> I have a few questions regarding subscriber authentication and
> identification in cable Internet systems (or ISPs in general) that I'd
> appreciate some input on:
>
> 1) It is my understanding that a cable modem is basically a layer-2
> bridge, so all the user traffic goes directly through to the CMTS. In
> this case, how does the cable service provider implement the 1 IP
> address per subscriber limitation? In other words, how is the
> subscriber prevented from simply connecting a switch to the cable
> modem and obtaining multiple IP addresses for his equipment via DHCP?
> Only the first IP address can be obtained in this manner - no more.
>
> 2) How does the service provider prevent a user from manually entering
> a static IP address in the network configuration, potentially causing
> conflicts with another user who has the same IP? In other words, how
> does the provider ensure that the IP address given to a subscriber via
> DHCP is the only IP address that the subscriber can use?
>
> DSL service providers often use PPPoE, which takes care of both (1)
> and (2) above, but cable providers do not, so they must have some
> other way of doing it.
>
> 3) Given that a user's IP address can change (assuming dynamic
> addressing via DHCP), and that his MAC address can also change (for
> example, if he plugs another PC into the cable modem), how does the
> service provider identify individual users for billing, bandwidth
> usage reporting, etc.?
>
> 4) Is bandwidth limiting (i.e., ensuring that a user only gets the
> bandwidth package that he paid for) typically implemented at the
> network's edge by the cable modem, or centrally within the service
> provider's network (via a bandwidth management appliance?)
>
> I'd much appreciate any insight you can offer into these questions.
>

Your questions can be answered when you consider that the cable modem
has MAC and IP address on the cable side of the device, as well as on
the AN side of the device. The ISP's database defines which services
are allowed for which modem by using the modem's MAC address.

--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

Nick
02-21-08, 05:34 PM
Thanks for your reply. But, if the cable modem is acting like a true
bridge, then wouldn't it pass through the MAC address of the
subscriber's device (PC or router), so that the MAC address "seen" by
the ISP would be the address of the connected device, and not of the
modem itself?

Thanks,
Nick

Tom Stiller
02-21-08, 06:07 PM
In article
<8703f7b0-cb70-490b-aefa-8ee123f578d3@h25g2000hsf.googlegroups.com>,
Nick <nick971@hotmail.com> wrote:

> Thanks for your reply. But, if the cable modem is acting like a true
> bridge, then wouldn't it pass through the MAC address of the
> subscriber's device (PC or router), so that the MAC address "seen" by
> the ISP would be the address of the connected device, and not of the
> modem itself?

Who says the cable modem acts as a bridge? Remember, all the traffic
for a given neighborhood is present on the same cable. The modem has to
detect and selectively pass only the traffic intended for it.
Similarly, the modem is paired with only one device (specified by MAC
address) on the LAN side. That sounds more like routing, rather than
bridging.

All that aside, you could probably look up the DOCIS specifications and
see exactly what the protocol does, and does not, allow.

--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

Todd H.
02-21-08, 06:23 PM
Nick <nick971@hotmail.com> writes:

> Thanks for your reply. But, if the cable modem is acting like a true
> bridge,

But, in reality, it's not.

Now the big fun is if you can modify your cable modem's MAC to be a
mac of a legit cable modem on another segment. There was a
vulnerability or hack released several years ago whereby access was
regulated upstream of multiple segments whereby if you spoofed a legit
MAC on another segment, your traffic would be routed happily by the
upstream devices, and because you were on a separate segment, there
would be no arp conflicts. I never tried it, but it is the best
example I can think of that plays to the scenarios you are pondering.
I think it also needed a configuration goof on teh cable modem
provider's part to not lock ip's to a mac or some such. I'm fuzzy on
the details, but it was possible at some providers apparently.

Best Regards,
--
Todd H.
http://www.toddh.net/

Bill M.
02-21-08, 07:36 PM
On Thu, 21 Feb 2008 13:07:32 -0800 (PST), Nick <nick971@hotmail.com>
wrote:

>Hello All,
>
>I have a few questions regarding subscriber authentication and
>identification in cable Internet systems (or ISPs in general) that I'd
>appreciate some input on:

I'll take a stab, partly because I hope someone will correct me where
I'm wrong.

>1) It is my understanding that a cable modem is basically a layer-2
>bridge, so all the user traffic goes directly through to the CMTS. In
>this case, how does the cable service provider implement the 1 IP
>address per subscriber limitation? In other words, how is the
>subscriber prevented from simply connecting a switch to the cable
>modem and obtaining multiple IP addresses for his equipment via DHCP?
>Only the first IP address can be obtained in this manner - no more.

The cable modem knows how many IP's it's allowed to request on your
behalf via it's config file, and it learns the MAC address of the
first device that it talks to after powering up. If you're allowed X,
and you request X+1, the last request is ignored.

>2) How does the service provider prevent a user from manually entering
>a static IP address in the network configuration, potentially causing
>conflicts with another user who has the same IP? In other words, how
>does the provider ensure that the IP address given to a subscriber via
>DHCP is the only IP address that the subscriber can use?

My information is dated here, but as recently as 2001 I knew of a
teenager (who would later become my step-son) who would manually
assign public IP addresses to 3-4 of his friends when they'd bring
their PC's over for a LAN party. He was in a single-PC household with
the PC directly connected to the CM (via a hub), so he would look at
his own IP and just make up as many additional IP's as he needed by
incrementing the last octet. If anyone had trouble connecting to the
'net, he would try another number until he found one that worked. My
assumption is that 'trouble connecting' meant an IP collision with a
legitimate user of that IP. When I discovered what they were doing, I
added a router to the mix. Who knows how many people they
inconvenienced by making up their own 24.x.x.x IP's.

>DSL service providers often use PPPoE, which takes care of both (1)
>and (2) above, but cable providers do not, so they must have some
>other way of doing it.
>
>3) Given that a user's IP address can change (assuming dynamic
>addressing via DHCP), and that his MAC address can also change (for
>example, if he plugs another PC into the cable modem), how does the
>service provider identify individual users for billing, bandwidth
>usage reporting, etc.?

The cable modem's MAC never changes and is provisioned to a specific
user account, so my guess is that the CM MAC plays a role here. At the
same time, the ISP knows who had a specific IP address at a specific
time, so one way or another it should be pretty simple to identify
individual users for billing, etc.

>4) Is bandwidth limiting (i.e., ensuring that a user only gets the
>bandwidth package that he paid for) typically implemented at the
>network's edge by the cable modem, or centrally within the service
>provider's network (via a bandwidth management appliance?)

I believe the CM's config file contains the bandwidth parameter, so
the CM is the traffic cop.

--
Bill

Dan
02-25-08, 12:24 AM
"Nick" <nick971@hotmail.com> wrote in message
news:05bcd2a1-fe3c-40fc-98f4-06b336a97265@z17g2000hsg.googlegroups.com...
> Hello All,
>
> I have a few questions regarding subscriber authentication and
> identification in cable Internet systems (or ISPs in general) that I'd
> appreciate some input on:
>
> 1) It is my understanding that a cable modem is basically a layer-2
> bridge, so all the user traffic goes directly through to the CMTS. In
> this case, how does the cable service provider implement the 1 IP
> address per subscriber limitation? In other words, how is the
> subscriber prevented from simply connecting a switch to the cable
> modem and obtaining multiple IP addresses for his equipment via DHCP?
> Only the first IP address can be obtained in this manner - no more.
>
> 2) How does the service provider prevent a user from manually entering
> a static IP address in the network configuration, potentially causing
> conflicts with another user who has the same IP? In other words, how
> does the provider ensure that the IP address given to a subscriber via
> DHCP is the only IP address that the subscriber can use?
>
> DSL service providers often use PPPoE, which takes care of both (1)
> and (2) above, but cable providers do not, so they must have some
> other way of doing it.
>
> 3) Given that a user's IP address can change (assuming dynamic
> addressing via DHCP), and that his MAC address can also change (for
> example, if he plugs another PC into the cable modem), how does the
> service provider identify individual users for billing, bandwidth
> usage reporting, etc.?
>
> 4) Is bandwidth limiting (i.e., ensuring that a user only gets the
> bandwidth package that he paid for) typically implemented at the
> network's edge by the cable modem, or centrally within the service
> provider's network (via a bandwidth management appliance?)
>
> I'd much appreciate any insight you can offer into these questions.
>
> Thanks,
> Nick



http://en.wikipedia.org/wiki/DOCSIS

Nick
03-11-08, 11:01 AM
I did a bit more digging around regarding the authentication
mechanism, and found the following guide:

http://homepage.ntlworld.com/robin.d.h.walker/cmtips/cmworks.html

It suggests that the cable modem acts like a transparent learning
bridge and does not modify the source and destination MAC addresses of
the customer traffic. In this case, the question remains - how are
different users identified, since the source MAC address can change if
the user, e.g., plugs another PC into the cable modem? Some cable
providers require the user to provide the MAC address of his PC or
router, probably for this very reason; others, however, don't have
this requirement, so they must have another way to do it.

One possible explanation that I've come up with is that when the user
makes a DHCP request, the head-end router dynamically records the
user's current MAC address and "binds" it to the assigned DHCP IP
address, so that the user traffic can be identified. Is this how it's
done?

Thanks,
Nick

Tom Stiller
03-11-08, 11:28 AM
In article
<16a1f644-bd5c-47b1-940f-dcce12d627e4@n77g2000hse.googlegroups.com>,
Nick <nick971@hotmail.com> wrote:

> I did a bit more digging around regarding the authentication
> mechanism, and found the following guide:
>
> http://homepage.ntlworld.com/robin.d.h.walker/cmtips/cmworks.html
>
> It suggests that the cable modem acts like a transparent learning
> bridge and does not modify the source and destination MAC addresses of
> the customer traffic. In this case, the question remains - how are
> different users identified, since the source MAC address can change if
> the user, e.g., plugs another PC into the cable modem? Some cable
> providers require the user to provide the MAC address of his PC or
> router, probably for this very reason; others, however, don't have
> this requirement, so they must have another way to do it.

They use the MAC address on the cable side of the modem; not the MAC
address of the user device attached to the LAN side of the modem.
>
> One possible explanation that I've come up with is that when the user
> makes a DHCP request, the head-end router dynamically records the
> user's current MAC address and "binds" it to the assigned DHCP IP
> address, so that the user traffic can be identified. Is this how it's
> done?
>
> Thanks,
> Nick

--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF