Hello All,

I have a few questions regarding subscriber authentication and
identification in cable Internet systems (or ISPs in general) that I'd
appreciate some input on:

1) It is my understanding that a cable modem is basically a layer-2
bridge, so all the user traffic goes directly through to the CMTS. In
this case, how does the cable service provider implement the 1 IP
address per subscriber limitation? In other words, how is the
subscriber prevented from simply connecting a switch to the cable
modem and obtaining multiple IP addresses for his equipment via DHCP?
Only the first IP address can be obtained in this manner - no more.

2) How does the service provider prevent a user from manually entering
a static IP address in the network configuration, potentially causing
conflicts with another user who has the same IP? In other words, how
does the provider ensure that the IP address given to a subscriber via
DHCP is the only IP address that the subscriber can use?

DSL service providers often use PPPoE, which takes care of both (1)
and (2) above, but cable providers do not, so they must have some
other way of doing it.

3) Given that a user's IP address can change (assuming dynamic
addressing via DHCP), and that his MAC address can also change (for
example, if he plugs another PC into the cable modem), how does the
service provider identify individual users for billing, bandwidth
usage reporting, etc.?

4) Is bandwidth limiting (i.e., ensuring that a user only gets the
bandwidth package that he paid for) typically implemented at the
network's edge by the cable modem, or centrally within the service
provider's network (via a bandwidth management appliance?)

I'd much appreciate any insight you can offer into these questions.

Thanks,
Nick

In article
<05bcd2a1-fe3c-40fc-98f4-06b336a97265@z17g2000hsg.googlegroups.com>,
Nick <nick971@hotmail.com> wrote:

Your questions can be answered when you consider that the cable modem
has MAC and IP address on the cable side of the device, as well as on
the AN side of the device. The ISP's database defines which services
are allowed for which modem by using the modem's MAC address.

--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

Thanks for your reply. But, if the cable modem is acting like a true
bridge, then wouldn't it pass through the MAC address of the
subscriber's device (PC or router), so that the MAC address "seen" by
the ISP would be the address of the connected device, and not of the
modem itself?

Thanks,
Nick

In article
<8703f7b0-cb70-490b-aefa-8ee123f578d3@h25g2000hsf.googlegroups.com>,
Nick <nick971@hotmail.com> wrote:

Who says the cable modem acts as a bridge? Remember, all the traffic
for a given neighborhood is present on the same cable. The modem has to
detect and selectively pass only the traffic intended for it.
Similarly, the modem is paired with only one device (specified by MAC
address) on the LAN side. That sounds more like routing, rather than
bridging.

All that aside, you could probably look up the DOCIS specifications and
see exactly what the protocol does, and does not, allow.

--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF

Nick <nick971@hotmail.com> writes:

But, in reality, it's not.

Now the big fun is if you can modify your cable modem's MAC to be a
mac of a legit cable modem on another segment. There was a
vulnerability or hack released several years ago whereby access was
regulated upstream of multiple segments whereby if you spoofed a legit
MAC on another segment, your traffic would be routed happily by the
upstream devices, and because you were on a separate segment, there
would be no arp conflicts. I never tried it, but it is the best
example I can think of that plays to the scenarios you are pondering.
I think it also needed a configuration goof on teh cable modem
provider's part to not lock ip's to a mac or some such. I'm fuzzy on
the details, but it was possible at some providers apparently.

Best Regards,
--
Todd H.
http://www.toddh.net/

"Nick" <nick971@hotmail.com> wrote in message
news:05bcd2a1-fe3c-40fc-98f4-06b336a97265@z17g2000hsg.googlegroups.com...


http://en.wikipedia.org/wiki/DOCSIS

I did a bit more digging around regarding the authentication
mechanism, and found the following guide:

http://homepage.ntlworld.com/robin.d...s/cmworks.html

It suggests that the cable modem acts like a transparent learning
bridge and does not modify the source and destination MAC addresses of
the customer traffic. In this case, the question remains - how are
different users identified, since the source MAC address can change if
the user, e.g., plugs another PC into the cable modem? Some cable
providers require the user to provide the MAC address of his PC or
router, probably for this very reason; others, however, don't have
this requirement, so they must have another way to do it.

One possible explanation that I've come up with is that when the user
makes a DHCP request, the head-end router dynamically records the
user's current MAC address and "binds" it to the assigned DHCP IP
address, so that the user traffic can be identified. Is this how it's
done?

Thanks,
Nick

In article
<16a1f644-bd5c-47b1-940f-dcce12d627e4@n77g2000hse.googlegroups.com>,
Nick <nick971@hotmail.com> wrote:

They use the MAC address on the cable side of the modem; not the MAC
address of the user device attached to the LAN side of the modem.
--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3 7BDA 71ED 6496 99C0 C7CF