Home page logo
/

nanog logo nanog mailing list archives

Re: DOCSIS 3.0 and Multicast
From: Victor Kuarsingh <victor () jvknet com>
Date: Fri, 29 Nov 2013 16:59:32 -0500

Phil,

Been watching this conversation and had a few comments.

First, one of the concerns is exposure to wire monitoring on the HFC
(Hybrid-Fiber Coax) plant while using DOCSIS, then I think folks should be
aware that there is encryption applied to the traffic between the CMTS and
Cable Modem (CM).  This was traditionally BPI (Baseline Privacy Inspection)
and DOCSIS 3.0 supports SEC (which then allows use of AES).  I may have
missed the point along this email train, but folks may not be aware that
putting an RF capturing device on the plant, or sitting behind a CM on the
does not gain you gratuitous access to neighbouring people's data.  So if
application/network flows are also encrypted, you would not necessarily be
able to know who it's for as all payload traffic should already be
encrypted on the [DOCSIS] wire.  This however does not change eavesdropping
on the outside of the DOCSIS plan (after CM, or before CMTS).

If one did come up with a way of sending normal traffic over a DOCSIS
Multicast pipe, then there are a number of resource issues which need to be
considered (as they have operator and vendor impact).  Multicast is managed
very differently (signalling and payload) in DOCSIS vs. Unicast traffic,
and therefore resources will be an issue (i.e. IDs used to direct traffic
for Unicast are not the same as those used for Multicast).  To add, forcing
a bunch of (or all) traffic down a Multicast pipe would impact an
operator's ability to managed QoS for customers (which is already complex
enough in the DOCSIS world) and may impact CM operation (which will be
keeping track what multicast groups/packets will be forwarded for a given
service endpoint).

regards,

Victor K



On Fri, Nov 29, 2013 at 1:47 PM, Phil Karn <karn () philkarn net> wrote:

On 11/29/2013 10:03 AM, Frank Bulk wrote:

It looks like Cisco is doing something in the IP Video over DOCSIS area,
and
so if you're serious about this, you could reach out to them.

It's not video over IP multicast that interests me so much as the
opportunity to thwart NSA-style bulk traffic analysis by multicasting
unicast messages with encrypted destination addresses so an eavesdropper
can't tell who it's for.






  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault