Cable Modems and DOCSIS
Data Over Cable System Interface Specification
- De facto standard for cable modem operations
Baseline Privacy (BPI) specification
- Low-cost, widely adopted defense against neighborhood packet sniffing
- DES (56-bit key) encryption with 768-bit RSA key exchange; AES will probably eventually be adopted
- Frequent key exchange makes brute-force attack infeasible
- Cable modem can also block certain ports (e.g., 139/tcp)
Notes:
The Data Over Cable System Interface Specification (DOCSIS) is the cable TV industry's de facto standard for deploying and operating a cable modem Internet access service. One of the lesser known aspects of DOCSIS is the Baseline Privacy (BPI) specification. This is a low-cost and widely-deployed scheme that provides protection from neighborhood packet sniffing and NetBIOS browsing.
To prevent someone from sniffing packets on the cable, BPI specifies the use of 56-bit DES encryption between the cable modem and the head-end. Although DES is clearly not the strongest of crypto schemes, the DES key is changed frequently to make a brute-force attack infeasible; it is unlikely that someone will buffer all of your packets and try to break the key if the key is changed daily. The DES secret key is exchanged using 768-bit RSA. It is likely that the new AES specification will be employed (after it is formally adopted) in the next release of BPI.
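The following is an added worked example, not part of the original slides or of the DOCSIS/BPI specification: it puts numbers on the key-rotation argument above. Given an assumed attacker key-test rate and the key lifetime, it computes how much of the 56-bit DES keyspace can be searched before the key is retired, the resulting chance of recovering one period's key, how that chance accumulates over many rotation periods, and the longest lifetime that keeps the per-period chance under a chosen bound. The same check is run for a 128-bit AES key to show why the move to AES mentioned in the notes matters. The rate of 1e9 keys per second, the daily lifetime and the 1e-6 bound are constructed inputs for illustration.

```python
"""Brute-force budget for a rotating BPI traffic key.

Added example (not from the original slides or the BPI spec). It models the
claim that rotating a 56-bit DES key frequently keeps exhaustive search
impractical, and repeats the check for a 128-bit AES key. The attacker
key-test rate and the acceptable success probability are assumed inputs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyBudget:
    key_bits: int            # effective key length (56 for DES, 128 for AES-128)
    keys_per_second: float   # assumed rate at which an attacker can test keys
    key_lifetime_s: float    # how long one traffic key stays in use

    @property
    def keyspace(self) -> int:
        return 2 ** self.key_bits

    def keys_searchable_per_period(self) -> float:
        """Candidate keys that can be tried before the key is rotated."""
        return self.keys_per_second * self.key_lifetime_s

    def success_probability_per_period(self) -> float:
        """Chance of finding one period's key before it is retired.

        With a uniformly random key this is the fraction of the keyspace the
        attacker can cover within the key's lifetime (capped at 1.0)."""
        return min(1.0, self.keys_searchable_per_period() / self.keyspace)

    def success_probability_over(self, periods: int) -> float:
        """Chance of breaking at least one of `periods` consecutive keys.

        Each period is an independent trial against a fresh key, so the
        per-period chance accumulates, even though a success exposes only
        the traffic of that one period."""
        p = self.success_probability_per_period()
        return 1.0 - (1.0 - p) ** periods

    def seconds_to_exhaust_keyspace(self) -> float:
        """Worst-case time to try every key at the assumed rate."""
        return self.keyspace / self.keys_per_second


def max_lifetime_for(key_bits: int, keys_per_second: float, max_prob: float) -> float:
    """Longest key lifetime (seconds) that keeps the per-period success
    probability at or below `max_prob` for the given attacker rate."""
    return max_prob * (2 ** key_bits) / keys_per_second


def lifetime_is_adequate(budget: RekeyBudget, max_prob: float = 1e-6) -> bool:
    """Policy check: is the per-period break probability within the bound?"""
    return budget.success_probability_per_period() <= max_prob


if __name__ == "__main__":
    # Constructed scenario: daily rotation of a DES key, attacker testing 1e9 keys/s.
    des_daily = RekeyBudget(key_bits=56, keys_per_second=1e9, key_lifetime_s=86_400)
    print(f"DES, daily rekey: p per period = {des_daily.success_probability_per_period():.2e}")
    print(f"  over 365 periods: p = {des_daily.success_probability_over(365):.3f}")
    print(f"  exhaust keyspace in {des_daily.seconds_to_exhaust_keyspace() / 86_400:.1f} days")
    print(f"  lifetime keeping p <= 1e-6: {max_lifetime_for(56, 1e9, 1e-6):.0f} s")
    print(f"  adequate at 1e-6? {lifetime_is_adequate(des_daily)}")

    aes_daily = RekeyBudget(key_bits=128, keys_per_second=1e9, key_lifetime_s=86_400)
    print(f"AES-128, daily rekey: p per period = {aes_daily.success_probability_per_period():.2e}")
    print(f"  adequate at 1e-6? {lifetime_is_adequate(aes_daily)}")
```

Reading the output: with daily rotation and the assumed rate, an attacker can cover roughly 1/834 of the DES keyspace per key, so any single day's key is unlikely to fall, which is the point the notes make. The cumulative figure shows the other half of the picture a defender should keep in mind: a short lifetime bounds what a single recovered key exposes, but over many periods the per-period chance adds up, and only a larger keyspace (AES) drives it to a negligible value.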
BPI also specifies that certain "dangerous" TCP/UDP ports be blocked, particularly TCP port 139 (NetBIOS session service); blocking 139/tcp makes file and print sharing impossible. Some cable modems also allow blocking of other routable networking protocols, such as AppleTalk and Novell NetWare's Internetwork Packet Exchange (IPX).