The IESG has approved the following document:

- 'Management Information Base for DOCSIS Cable Modems and Cable Modem
   Termination Systems for Baseline Privacy Plus'
   <draft-ietf-ipcdn-bpiplus-mib-15.txt> as a Proposed Standard

This document is the product of the IP over Cable Data Network Working Group.

The IESG contact persons are Bert Wijnen and David Kessens.

Technical Summary

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines a set of managed objects for SNMP based management of the Baseline Privacy Plus features of DOCSIS 1.1 and DOCSIS 2.0 (Data-over-Cable Service Interface Specification) compliant Cable Modems and Cable Modem Termination Systems.

Working Group Summary

There is Working Group consensus to publish this document as a Proposed Standard.

Protocol Quality

This document was reviewed for the IESG by Bert Wijnen.

RFC-Editor note:

Please replace the last paragraph of section 7.

OLD:

BPI+ Encryption Algorithms: BPI+ Traffic Encryption Keys TEK (see [1]) uses DES (Data Encryption Standard) 56 or 40 bits encryption ciphers. Due DES cryptographic strength weakness, future revisions of BPI+ specification [1] should introduce advanced encryption algorithms to overcome the progress in cheaper and faster decryption tools. Traffic Encryption Keys (TEK) are configured per CM and per BPI+ multicast group which may reduce the threat of the DES weakness for the overall system. The time to crack DES could be additionally mitigated by a compromised value for the TEK lifetime and Grace Time (up to a minimum of 30 minutes for the TEK lifetime, see Appendix A [1]). Not exempt of the same recommendations as above, The CM BPI+ Authorization protocol uses triple DES encryption, which offers improved robustness compared to DES for CM Authorization and TEK re-key management.

NEW:

BPI+ Encryption Algorithms: The BPI+ Traffic Encryption Keys (TEK) defined in the DOCSIS BPI+ specification [1] use 40-bit or 56-bit DES for encryption (DES CBC mode). There is currently no mechanism or algorithm defined for data integrity. Due to the DES cryptographic weaknesses, future revisions of the DOCSIS BPI+ specification should introduce more advanced encryption algorithms as proposed in the DocsBpkmDataEncryptAlg textual convention to overcome the progress in cheaper and faster hardware or software decryption tools. Future revisions of the DOCSIS BPI+ specification [1] should also adopt authentication algorithms as described in DocsBpkmDataAuthentAlg textual convention. It is important to note that frequent key changes do not necessarily help to mitigate or reduce the risks of a DES attack. Indeed, the traffic encryption keys which are configured on a per cable modem basis and per BPI+ multicast group can be utilized to decrypt old traffic even when they are no longer in active use. Note that not exempt of the same recommendations as above, the CM BPI+ authorization protocol uses triple DES encryption, which offers improved robustness compared to DES for CM authorization and TEK re-key management.