Cisco Systems UBR900 User Manual

Feature Overview
Cisco IOS Release 12.0(7)T
Note
The backup POTS connection enables only one of the VoIP ports on the Cisco uBR924 to 
function during a power outage. Calls in progress prior to the power outage will be disconnected. If 
power is reestablished while a cutover call is in progress, the connection will remain in place until 
the call is terminated. Once the cutover call is terminated, the router automatically reboots.
Security Features
Cisco uBR900 series cable access routers support the security features described in the paragraphs 
below.
DOCSIS Baseline Privacy
Support for DOCSIS Baseline Privacy in the Cisco uBR900 series is based on the DOCSIS Baseline 
Privacy Interface Specification (SP-BPI-I01-970922). It provides data privacy across the HFC 
network by encrypting traffic flows between the cable access router and the CMTS.
Baseline Privacy security services are defined as a set of extended services within the DOCSIS MAC 
sublayer. Two new MAC management message types, BPKM-REQ and BPKM-RSP, are employed 
to support the Baseline Privacy Key Management (BPKM) protocol.
The BPKM protocol does not use authentication mechanisms such as passwords or digital 
signatures; it provides basic protection of service by ensuring that a cable modem, uniquely 
identified by its 48-bit IEEE MAC address, can only obtain keying material for services it is 
authorized to access. The Cisco uBR900 series cable access router is able to obtain two types of keys 
from the CMTS: the Traffic Exchange Key (TEK), which is used to encrypt and decrypt data packets, 
and the Key Exchange Key (KEK), which is used to decrypt the TEK. 
IPSec Network Security
IPSec Network Security (IPSec) is an IP security feature that provides robust authentication and 
encryption of IP packets. IPSec is a framework of open standards developed by the Internet 
Engineering Task Force (IETF) providing security for transmission of sensitive information over 
unprotected networks such as the Internet. IPSec acts at the network layer (Layer 3), protecting and 
authenticating IP packets between participating IPSec devices (“peers”) such as the Cisco uBR900 
series cable access router.
IPSec provides the following network security services:
Privacy—IPSec can encrypt packets before transmitting them across a network.
Integrity—IPSec authenticates packets at the destination peer to ensure that the data has not been 
altered during transmission.
Authentication—Peers authenticate the source of all IPSec-protected packets.
Anti-replay protection—Prevents capture and replay of packets; helps protect against 
denial-of-service attacks.
Triple Data Encryption Standard 
The Data Encryption Standard (DES) is a standard cryptographic algorithm developed by the United 
States National Bureau of Standards. The Triple DES (3DES) Cisco IOS Software Release images 
increase the security from the standard 56-bit IPSec encryption to 168-bit encryption, which is used 
for highly sensitive and confidential information such as financial transactions and medical records.