Hello, my company here in Florida recently finished migrating our systems to be able to support the DOCSIS 3.0 standard. We are now running a couple of CASA C10G and C100G CMTSs.
We are taking steps to improve overall security for our customers and eliminate signal theft from our carrier. Because our current provisioning service does not support dynamic shared secrets for the cable modems' configuration files, we are not able to use dynamic config files for our modems. We are currently looking into the tftp-proxy command, which is almost the same as having dynamic shared secret enabled on the CMTSs, but unfortunately it does require that the TFTP server be run directly from the CMTS in order to calculate the MIC for each config file.
So my question is: is it possible to use this tftp-proxy command while using my provisioning service's TFTP server, or at least authorize it so it can generate its own MIC with the provided shared secret? I was looking into the extend option of the shared secret command, but have not found any good documentation describing it. The command would go like this:
shared-secret 7 "mykeyhere" extend, but I'm not sure what the outcome of that would be, or even what it does.
Does anybody know if this extend option would allow our provisioning service to calculate the MIC that goes into the cable modems config files and allow them to complete the registration process?
Any help would be greatly appreciated, thanks.
If you are already migrating to D3, I think your initial problem is that your provisioning system or configuration needs to be upgraded or replaced. The dynamic shared key will not exactly prevent service theft if your provisioning server and system do not talk to each other. For example, if your TFTP server is handing out config files with the correct shared keys in them, anyone on your HFC network will be able to copy that file and register with the CASA. A baseline solution is to always check connected devices on the systems and compare them to your allowed service list. Remember, the MIC only ensures the config file cannot be altered; it does not prevent it from being duplicated.
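
Added example, not part of the original thread and not CASA or provisioning-vendor code: a sketch of the audit the reply describes, showing that a keyed MIC catches an edited config file but not a verbatim copy, so registered modems still have to be compared against the allowed service list. The secret, MAC addresses, service names, file contents and record layout are constructed assumptions, and the MIC here is simplified to HMAC-MD5 over the whole file.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"  # constructed value, not from the thread

def mic(config: bytes, secret: bytes = SECRET) -> bytes:
    # Simplified stand-in for the CMTS MIC: a keyed hash (HMAC-MD5) over the
    # whole file. The real MIC covers a defined set of config settings.
    return hmac.new(secret, config, hashlib.md5).digest()

def mic_valid(config: bytes, tag: bytes, secret: bytes = SECRET) -> bool:
    return hmac.compare_digest(mic(config, secret), tag)

def audit(registered, allowed):
    """Compare registered modems against the allowed service list.

    registered: iterable of (mac, service, config_bytes, mic_tag)
    allowed:    dict mapping mac -> service the subscriber is provisioned for
    """
    findings = []
    for mac, service, config, tag in registered:
        if not mic_valid(config, tag):
            findings.append((mac, "config altered (MIC mismatch)"))
        elif mac not in allowed:
            findings.append((mac, "not on allowed service list"))
        elif allowed[mac] != service:
            findings.append(
                (mac, f"registered as {service}, provisioned {allowed[mac]}"))
    return findings

# Constructed sample data (hypothetical MACs, service names, file contents).
GOLD = b"service=gold;max_down=100M"
BRONZE = b"service=bronze;max_down=10M"
EDITED = BRONZE.replace(b"10M", b"99M")
ALLOWED = {"00:00:5e:00:53:01": "gold", "00:00:5e:00:53:02": "bronze"}
REGISTERED = [
    ("00:00:5e:00:53:01", "gold", GOLD, mic(GOLD)),        # legitimate
    ("00:00:5e:00:53:02", "gold", GOLD, mic(GOLD)),        # copied file, MIC ok
    ("00:00:5e:00:53:03", "bronze", BRONZE, mic(BRONZE)),  # unknown device
    ("00:00:5e:00:53:02", "bronze", EDITED, mic(BRONZE)),  # edited file
]

if __name__ == "__main__":
    for mac, reason in audit(REGISTERED, ALLOWED):
        print(mac, "->", reason)
```

The second record passes the MIC check and is caught only by the comparison against the allowed service list.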