Cable Modem Config File Allowed IPs | docsis.org

redpeppers
Cable Modem Config File Allowed IPs

Hello all
I have a CMTS 1000 and I have noticed a security vulnerability. If I configure an appropriate IP address statically on a CPE device connected to an authenticated modem, I can grab network access. Long story short, this is an issue because I want the CPE devices to only get an IP address from the IP pool configured in the dhcpd server.

This may help you understand

Router
Ip address primary 10.0.0.1/24 (Modem Pool)
Ip address secondary 172.16.0.1/24 (CPE Pool)

If I put an IP on the CPE in the 10.0.0.1/24 range I have network access. I know why, but I am hoping that you know of a way to stop this in the CMTS 1000 or in the cable modem config file.

Capm
Well..

Authentication is done in the cable modem; if you don't want them having network access, disable the modem or its ethernet port. If your IP range is routed, any IP in that range will work regardless of whether it is static or DHCP, though most people won't try to stick a static address in if they get one via DHCP unless they're told to or request one. This isn't a security vulnerability, it's just how it works. The only way you can get around this is to authenticate each customer CPE MAC address in a PPPoE/RADIUS setup, but you're just double-provisioning at that point, which is just unnecessary.

redpeppers
Thanks for the reply.

Authentication has nothing to do with what I asked, so I guess you didn't understand my question. Of course I want the CPE to have network access, but I need to limit what part of the network the customer has access to. No public ISP network should be configured in such a way that allows a CPE to have access to the network infrastructure devices (modem, router, CMTS, etc.).
This is definitely a security issue when a customer can apply whatever IP they want to a CPE device. For example, say you have a rule "firewall/filter/src address 10.0.0.0/8 accept all" on your router; then the customer would have full access past a firewall. Also say you don't want a customer to have access to the modem subnet or the CMTS subnet. I don't have this issue on newer CMTSs because I can use the feature Cable Source-Verify and remove this issue, but of course a CMTS 1000 does not support it, so the only way I believe to accomplish this is through the CM config file using IP filters, but I do not know what the code to use is. I was kind of hoping I could get a reply regarding this.

hinzoo
Filter set

Look at this example. It is a set of IP filters; the last ones should block addresses of the internal net from access from behind the CM:

SnmpMibObject docsDevFilterIpDefault.0 Integer 2; /* accept: packets matching no filter pass */

/* filters 1-4: discard NetBIOS/SMB (TCP and UDP, ports 135-139 and 445) in both directions on all interfaces (ifIndex 0) */
SnmpMibObject docsDevFilterIpStatus.1 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.1 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.1 Integer 0; /* all interfaces */
SnmpMibObject docsDevFilterIpDirection.1 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.1 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.1 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.1 IPAddress 0.0.0.0; /* any source */
SnmpMibObject docsDevFilterIpDaddr.1 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.1 IPAddress 0.0.0.0; /* any destination */
SnmpMibObject docsDevFilterIpProtocol.1 Integer 6; /* TCP */
SnmpMibObject docsDevFilterIpSourcePortLow.1 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.1 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.1 Integer 135;
SnmpMibObject docsDevFilterIpDestPortHigh.1 Integer 139;
SnmpMibObject docsDevFilterIpStatus.2 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.2 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.2 Integer 0;
SnmpMibObject docsDevFilterIpDirection.2 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.2 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.2 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.2 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.2 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.2 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.2 Integer 17; /* UDP */
SnmpMibObject docsDevFilterIpSourcePortLow.2 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.2 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.2 Integer 135;
SnmpMibObject docsDevFilterIpDestPortHigh.2 Integer 139;
SnmpMibObject docsDevFilterIpStatus.3 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.3 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.3 Integer 0;
SnmpMibObject docsDevFilterIpDirection.3 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.3 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.3 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.3 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.3 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.3 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.3 Integer 6; /* TCP */
SnmpMibObject docsDevFilterIpSourcePortLow.3 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.3 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.3 Integer 445;
SnmpMibObject docsDevFilterIpDestPortHigh.3 Integer 445;
SnmpMibObject docsDevFilterIpStatus.4 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.4 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.4 Integer 0;
SnmpMibObject docsDevFilterIpDirection.4 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.4 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.4 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.4 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.4 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.4 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.4 Integer 17; /* UDP */
SnmpMibObject docsDevFilterIpSourcePortLow.4 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.4 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.4 Integer 445;
SnmpMibObject docsDevFilterIpDestPortHigh.4 Integer 445;

/* filter 5: discard any protocol entering on ifIndex 1 (the CPE-side interface) and destined for the internal net 10.105.0.0/16 */
SnmpMibObject docsDevFilterIpStatus.5 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.5 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.5 Integer 1; /* CPE-side interface only */
SnmpMibObject docsDevFilterIpDirection.5 Integer 1; /* inbound */
SnmpMibObject docsDevFilterIpBroadcast.5 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.5 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.5 IPAddress 0.0.0.0; /* any source */
SnmpMibObject docsDevFilterIpDaddr.5 IPAddress 10.105.0.0;
SnmpMibObject docsDevFilterIpDmask.5 IPAddress 255.255.0.0; /* 10.105.0.0/16 */
SnmpMibObject docsDevFilterIpProtocol.5 Integer 256; /* any protocol */

/* filters 6-7: discard SMTP (UDP and TCP port 25) in both directions on all interfaces */
SnmpMibObject docsDevFilterIpStatus.6 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.6 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.6 Integer 0;
SnmpMibObject docsDevFilterIpDirection.6 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.6 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.6 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.6 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.6 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.6 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.6 Integer 17; /* UDP */
SnmpMibObject docsDevFilterIpSourcePortLow.6 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.6 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.6 Integer 25;
SnmpMibObject docsDevFilterIpDestPortHigh.6 Integer 25;
SnmpMibObject docsDevFilterIpStatus.7 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.7 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.7 Integer 0;
SnmpMibObject docsDevFilterIpDirection.7 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.7 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.7 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.7 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDaddr.7 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpDmask.7 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpProtocol.7 Integer 6; /* TCP */
SnmpMibObject docsDevFilterIpSourcePortLow.7 Integer 0;
SnmpMibObject docsDevFilterIpSourcePortHigh.7 Integer 65535;
SnmpMibObject docsDevFilterIpDestPortLow.7 Integer 25;
SnmpMibObject docsDevFilterIpDestPortHigh.7 Integer 25;

/* filter 8: same as filter 5 for the internal subnet 10.106.254.0/24 */
SnmpMibObject docsDevFilterIpStatus.8 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.8 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.8 Integer 1; /* CPE-side interface only */
SnmpMibObject docsDevFilterIpDirection.8 Integer 1; /* inbound */
SnmpMibObject docsDevFilterIpBroadcast.8 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.8 IPAddress 0.0.0.0;
SnmpMibObject docsDevFilterIpSmask.8 IPAddress 0.0.0.0; /* any source */
SnmpMibObject docsDevFilterIpDaddr.8 IPAddress 10.106.254.0;
SnmpMibObject docsDevFilterIpDmask.8 IPAddress 255.255.255.0; /* 10.106.254.0/24 */
SnmpMibObject docsDevFilterIpProtocol.8 Integer 256; /* any protocol */
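Added example, not part of the thread: a small Python checker that parses docsis-style docsDevFilterIp lines and applies RFC 2669 first-match semantics (first matching active row decides, otherwise docsDevFilterIpDefault), so the intended effect of a filter such as hinzoo's entry 5 can be verified offline before the config file is pushed to modems. The embedded config is a constructed excerpt; it assumes ifIndex 1 is the CPE-side interface and direction 1 is inbound, as the comments in the post indicate.

```python
import ipaddress
import re

# Constructed excerpt in the docsis-tool syntax used in the thread: the accept default plus
# a copy of filter 5 (discard traffic entering from the CPE side bound for 10.105.0.0/16).
SAMPLE_CFG = """
SnmpMibObject docsDevFilterIpDefault.0 Integer 2; /* accept */
SnmpMibObject docsDevFilterIpStatus.5 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.5 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.5 Integer 1 ;
SnmpMibObject docsDevFilterIpDirection.5 Integer 1; /* inbound */
SnmpMibObject docsDevFilterIpSaddr.5 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpSmask.5 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpDaddr.5 IPAddress 10.105.0.0 ;
SnmpMibObject docsDevFilterIpDmask.5 IPAddress 255.255.0.0 ;
SnmpMibObject docsDevFilterIpProtocol.5 Integer 256 ;
"""

LINE_RE = re.compile(r"SnmpMibObject\s+docsDevFilterIp(\w+?)\.(\d+)\s+(?:Integer|IPAddress)\s+(\S+?)\s*;")

def parse_filters(text):
    """Return (default_control, {index: {field: value}}) from docsis-style lines."""
    default, rows = 2, {}                      # RFC 2669 default is accept(2)
    for m in LINE_RE.finditer(text):
        field, idx, val = m.group(1), int(m.group(2)), m.group(3)
        if field == "Default":
            default = int(val)
        else:
            rows.setdefault(idx, {})[field] = val
    return default, rows

def _in_net(addr, net, mask):
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)

def _row_matches(r, ifindex, direction, src, dst, proto, dport):
    return (r.get("Status") in ("1", "4")                        # active / createAndGo
            and int(r.get("IfIndex", 0)) in (0, ifindex)         # 0 = all interfaces
            and int(r.get("Direction", 3)) in (3, direction)     # 3 = both directions
            and _in_net(src, r["Saddr"], r["Smask"])
            and _in_net(dst, r["Daddr"], r["Dmask"])
            and int(r.get("Protocol", 256)) in (256, proto)      # 256 = any protocol
            and int(r.get("DestPortLow", 0)) <= dport <= int(r.get("DestPortHigh", 65535)))

def verdict(cfg_text, ifindex, direction, src, dst, proto=6, dport=80):
    """First matching active row decides (control 1 = discard, 2 = accept), else the default."""
    default, rows = parse_filters(cfg_text)
    for idx in sorted(rows):
        if _row_matches(rows[idx], ifindex, direction, src, dst, proto, dport):
            return "discard" if rows[idx].get("Control") == "1" else "accept"
    return "discard" if default == 1 else "accept"
```

Run it against the full filter set from the post to confirm that a CPE with any source address (static or DHCP) is dropped when it targets the internal ranges while ordinary Internet-bound traffic still passes.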

Capm
ahhh

Okay, the question makes more sense now. Yeah, the reply above I believe is what you're looking for.
