The Data Over Cable System Interface Specification (DOCSIS) is the cable TV industry's de facto standard for deploying and operating a cable modem Internet access service. One of the lesser-known aspects of DOCSIS is the Baseline Privacy (BPI) specification. This is a low-cost and widely deployed scheme that provides protection from neighborhood packet sniffing and NetBIOS browsing.
To prevent someone from sniffing packets on the cable, BPI specifies the use of 56-bit DES encryption between the cable modem and the head-end. Although DES is clearly not the strongest of crypto schemes, the DES key is changed frequently to make a brute-force attack infeasible; it is unlikely that someone will buffer all of your packets and try to break the key if the key is changed daily. Secret key exchange is performed using 768-bit RSA. It is likely that the new AES specification will be employed (after it is formally adopted) in the next release of BPI.
BPI also specifies that certain "dangerous" TCP/UDP ports be blocked, particularly TCP port 139 (NetBIOS session service); blocking 139/tcp makes file and print sharing impossible. Some cable modems also allow blocking of other routable networking protocols, such as AppleTalk and Novell NetWare's Internetwork Packet Exchange (IPX).