Question about DOCSIS DHCP vs ARP

Robert Drake rdrake at direcpath.com
Sun Jan 13 03:08:33 UTC 2013


On Friday, January 11, 2013 8:29:23 PM, Jean-Francois Mezei wrote:
> Many thanks. In particular, you need "cable-source-verify dhcp" to
> prevent self assigned IPs that are unused by neighbours.
>
> Is this something that is now basically a default for all cable
> operators ? Or does this command add sufficient load to the CMTS that
> some cable operators choose to not use it for performance purposes ?
>

Nobody would turn it off for that reason.  They might fail to turn it 
on if they didn't read best practices for at least 10 years.   It's 
pretty much part of a fundamental set of commands turned on to prevent 
cable modem theft (along with requiring BPI+ and other things).

Here's an article I just found searching for "docsis bpi+"

http://volpefirm.com/blog/security/hacking-docsis-cable-modems/

>
> What happens when a CMTS reboots and has an empty database of DHCP
> leases ? Does it then query the DHCP server for every IP/MAC it sees
> that it doesn't yet know about ?
>

Most of the time when a CMTS reboots they don't even get to the point 
of failing due to DHCP issues.  In any case the CMTS would ask the DHCP 
server and be happy with its reply since it's the equivalent of a new 
modem coming online.

Most of the time the modems would fail into reject(pk) due to the 
public key negotiation not being valid now that the CMTS has been 
rebooted.  To fix that you could either wait for the modems to try 
again or run "clear cable modem reject delete" if it's a Cisco CMTS.
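
Added example, not part of the original message: a simplified Python model of the DHCP-backed source verification discussed above, in which a CMTS that has no record of an address asks the DHCP server before forwarding. Class names, addresses and MACs are constructed for illustration; this is not Cisco's implementation.

```python
# Simplified model of DHCP-backed source verification on a CMTS.
# All names here are hypothetical and the lease data is constructed.

class DhcpServer:
    """Stands in for the operator's DHCP server answering lease queries."""
    def __init__(self, leases):
        self.leases = dict(leases)          # ip -> mac of the lessee

    def leasequery(self, ip):
        return self.leases.get(ip)          # None when no lease exists


class Cmts:
    def __init__(self, dhcp):
        self.dhcp = dhcp
        self.bindings = {}                  # ip -> mac, lost on reboot
        self.queries = 0                    # lease queries sent so far

    def reboot(self):
        self.bindings.clear()               # empty database after a restart

    def verify_source(self, ip, mac):
        """Decide whether traffic from (ip, mac) may be forwarded."""
        known = self.bindings.get(ip)
        if known is None:                   # unknown address: ask the server
            self.queries += 1
            known = self.dhcp.leasequery(ip)
            if known is None:
                return "drop: no lease for this address"
            self.bindings[ip] = known       # cache the server's answer
        if known != mac:
            return "drop: address leased to another device"
        return "forward"


def demo():
    dhcp = DhcpServer({"192.0.2.10": "00:00:5e:00:53:01"})  # constructed lease
    cmts = Cmts(dhcp)
    results = [
        cmts.verify_source("192.0.2.10", "00:00:5e:00:53:01"),  # real lessee
        cmts.verify_source("192.0.2.50", "00:00:5e:00:53:02"),  # self-assigned
        cmts.verify_source("192.0.2.10", "00:00:5e:00:53:02"),  # neighbour's IP
    ]
    cmts.reboot()
    # After the reboot the lessee is re-learned through a fresh lease query.
    results.append(cmts.verify_source("192.0.2.10", "00:00:5e:00:53:01"))
    return results, cmts.queries


if __name__ == "__main__":
    print(demo())
```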




