In addition to the unique file name, the IP address assigned to a device must be verified to download the file.
It is more secure to generate dynamic files than static files as the unique file names can’t be used in file replay attacks.
Furthermore, in addition to the above specifications, further security measures should be considered for an extra level of protection against cable modem cloning. Only provisioning solutions that dynamically generate DOCSIS and PacketCable configuration files on-demand can include features such as IP verification and TFTP server timestamp. As a result, BPI+ prevents simple MAC spoofing, which is one of the most common forms of theft of service, although further measures are required to detect whether the actual certificate itself has been cloned. This means that if the cable modem attempts to authenticate with a different MAC address than what is listed in the certificate, the CMTS will detect MAC address spoofing and will not authorize the CM for data services. The certificate exchange is very difficult to hack.
- Baseline Privacy Plus (BPI+): When enabled on the DOCSIS network, this causes the CMTS to authenticate the cable modem through an exchange of certificates that includes the MAC address of the modem.
- DOCSIS 3.0 Message Integrity Check (MIC): This feature provides additional security for file generation by ensuring the file the CMTS gives to the cable modem is correct.
- IP Address Verification (TLV 20): The IP address is included in the TLV to enable the CMTS to verify that the correct IP is being provisioned.
- TFTP Server Timestamp (TLV 19): This puts a timestamp in the TLV, which the CMTS uses to prevent a modem from downloading old files and incorrectly provisioning the device.
- There are a number of DOCSIS-specific specifications designed to address this problem: