CPE gets a local IP, but not public | docsis.org

randyconstan
CPE gets a local IP, but not public

Hello,

I do not run an ISP. I am just interested in DOCSIS, and have a question about a particular scenario, so I hope that's ok. An unknown modem is plugged into the cable network with an HFC MAC address that is not from a paying customer. It gets the config file "unknownmodem.bin", which is shown at the bottom of this post.

The modem gets a local IP (10.x.x.x), which seems typical for the modem itself... but the CPE device attached to the modem also gets a local address (10.x.x.x). The CPE device cannot get a public address, whereas a regular customer does. My question is: is there a setting within this particular DOCSIS config file that is blocking the CPE devices from getting real-world IP addresses? I would assume that with NetworkAccess set to 1, the device would be able to obtain a public IP. This is where I get a little confused about what "NetworkAccess 1" is actually turning on/off.

What I am thinking is that the IP address given to the CPE device is determined by the CPE device's MAC address. So the CMTS sees a request via DHCP from the CPE device, and assigns it a public IP or private IP. But the problem I have with that is a customer can get a new network card at any time, meaning a new IP address without much hassle (a reboot of the modem at the most). So clearly, CPE MAC addresses aren't used in the decision on whether or not the CPE device gets a public or private address.

Anyways, I always tend to ramble on in detail and over-explain myself :P. I am just looking for a more in-depth and clear example of what typically happens from when the modem loads the config file, to when a public IP address is finally assigned (or a private address in some cases) to a cpe device. What filters/features are set up within the config file and cmts to prevent rogue clients from using the service, and forcing them to only get a local address? Thanks!

    Main
    {
        NetworkAccess 1;
        MaxCPE 3;
        GlobalPrivacyEnable 0;

        UsServiceFlow
        {
            UsServiceFlowRef 1;
            QosParamSetType 7;
            TrafficPriority 0;
            MaxRateSustained 512000;
            MaxConcatenatedBurst 1522;
            SchedulingType 2;
            RequestOrTxPolicy 0x00000120;
        }
        UsServiceFlow
        {
            UsServiceFlowRef 2;
            QosParamSetType 7;
            TrafficPriority 4;
            MaxRateSustained 30000;
            MaxConcatenatedBurst 1522;
            SchedulingType 2;
            RequestOrTxPolicy 0x00000120;
        }
        UsPacketClass
        {
            ClassifierRef 1;
            ServiceFlowRef 2;
            RulePriority 2;
            ActivationState 1;
            LLCPacketClassifier
            {
                EtherType 0x030828;
            }
        }
        UsPacketClass
        {
            ClassifierRef 2;
            ServiceFlowRef 2;
            RulePriority 2;
            ActivationState 1;
            IpPacketClassifier
            {
                IpTos 0x8080e0;
            }
        }
        DsServiceFlow
        {
            DsServiceFlowRef 3;
            QosParamSetType 7;
            TrafficPriority 0;
            MaxRateSustained 3000000;
        }
        DsServiceFlow
        {
            DsServiceFlowRef 4;
            QosParamSetType 7;
            TrafficPriority 4;
            MaxRateSustained 10000;
            MaxTrafficBurst 1522;
        }
        DsPacketClass
        {
            ClassifierRef 3;
            ServiceFlowRef 3;
            RulePriority 1;
            ActivationState 1;
            IpPacketClassifier
            {
                IpTos 0x0000e0;
            }
        }
        DsPacketClass
        {
            ClassifierRef 4;
            ServiceFlowRef 4;
            RulePriority 3;
            ActivationState 1;
            IpPacketClassifier
            {
                IpTos 0x8080e0;
            }
        }
    }

bealsm

Address pool is not typically determined by MAC address, but rather by characteristics of the device. The way we handle it is by allowing the CMTS to be a DHCP relay server. The DHCP server is on the same network as the CMTS and cable modems, but the CPEs are on a different one. When a CPE sends a DHCP discover message on the public network, the CMTS relays it over to the private. The DHCP server matches devices to address pools based on source network. Since the CPE's discover message is from the public network, it tries to give it a public address. So MAC address is not involved in determining address pool.

Another thing that can be done, which we use as a security check, is the vendor-class-identifier. The DHCP server watches for these, and when it sees one labeled 'docsis', it classifies that device as a CM. Then in the pool definitions, we allow members of CM in the CM pool and deny members of CM in the CPE pool. To further keep CPEs from getting a CM IP and to regulate which modems can get service, we also deny unknown clients a CM lease. So for a modem to obtain an IP and download a config file, there must be a host entry in the .conf or .leases file. This is really the only MAC-level check in place. Any device that matches the description of a modem (vendor-class-id) and has a valid host definition (by MAC address) can get a CM IP and a config file. Non-authorized modems will range out, but the DHCP server won't even acknowledge they are there.

That's a fairly simple way of doing it (which is why we do it that way). There are MANY other ways of handling it though depending on what your particular need is.
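
A minimal DHCP server configuration sketch of the setup described in the reply above, added here as an example and not taken from either poster's network. It assumes ISC dhcpd (suggested by the mention of host entries and the .conf/.leases files); every subnet, MAC address, host name and file name is a constructed placeholder.

```conf
# Constructed example: addresses, MACs and file names are placeholders.

# Anything whose DHCP vendor-class-identifier (option 60) starts with
# "docsis" is classified as a cable modem.
class "CM" {
    match if substring(option vendor-class-identifier, 0, 6) = "docsis";
}

# Modem network. Relayed modem requests carry a giaddr in this subnet.
subnet 10.10.0.0 netmask 255.255.0.0 {
    option routers 10.10.0.1;
    pool {
        range 10.10.1.1 10.10.254.254;
        allow members of "CM";   # only devices identifying as modems
        deny unknown-clients;    # ...and only those with a host entry below
    }
}

# CPE network. The CMTS relays CPE requests with a giaddr in this subnet,
# so the pool is selected by source network, not by the CPE's MAC.
subnet 203.0.113.0 netmask 255.255.255.0 {
    option routers 203.0.113.1;
    pool {
        range 203.0.113.10 203.0.113.250;
        deny members of "CM";    # a modem can never take a CPE address
    }
}

# The only MAC-level check: a provisioned modem needs a host declaration.
host cm-customer-0001 {
    hardware ethernet 00:00:5e:00:53:01;
    filename "customer.bin";     # config file the modem fetches over TFTP
}
```

With this layout a modem that has no host declaration gets no lease at all, while a CPE's MAC address is never consulted, which is why swapping a network card does not affect which pool it draws from.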
