BPI - Baseline Privacy Interface
By: Diane Shired, CTM
BPI, the Baseline Privacy Interface, provides a data encryption scheme that protects data sent to and from cable modems in a data-over-cable network. BPI can also be used to authenticate cable modems and to authorize the transmission of multicast traffic (communication between a single sender and multiple receivers on a network). Multicast can also be defined as two-way communication between multiple sites, or as the transmission of a single message to a select group of recipients (e.g. sending an email to a mailing list).
BPI gives subscribers data privacy across the RF network between the CMTS (Cable Modem Termination System) and the CM (Cable Modem). BPI uses DOCSIS 1.0 (Data Over Cable Service Interface Specification), the standard interface for cable modems, which the ITU (International Telecommunication Union) confirmed in March 1998.
The secondary goal of BPI is to provide basic protection from theft of service for cable operators.
The management requirements of the Baseline Privacy Interface are:
CM and CMTS must support viewing relevant RSA (Data Security) public keys, for future subscriber authentication applications.
Baseline Privacy management interface needs to support operator configuration of Authorization parameters, for performance tuning and security incident handling.
CM and CMTS must support viewing current authorization key sequence numbers and key expiration times for failure diagnosis.
Support dynamic control of the distribution of IP multicast data traffic. This control includes forwarding IP multicast traffic to the correct multicast group, and managing the membership lists of each multicast group. The CMTS must support configuring and viewing all IP multicast forwarding state, and all multicast group memberships, within the MAC domains of the CMTS.
Other Related Definitions:
“Baseline Privacy uses the Cipher Block Chaining (CBC) mode of the US Data Encryption Standard (DES) algorithm [FIPS-46, FIPS-46-1, FIPS-74, FIPS-81] to encrypt the Packet PDU field in both upstream and downstream RF MAC Packet Data PDUs. The MAC headers of these Packet Data PDUs MUST NOT be encrypted. The payloads, as well as headers, of MAC management messages MUST be sent in the clear to facilitate registration, ranging, and normal operation of the MAC sublayer.
Baseline Privacy extends the definition of the MAC sublayer’s Service ID (SID). The Radio Frequency Interface Specification defines a SID as a mapping between CM and CMTS for the purposes of upstream bandwidth allocation and class-of-service management. In this context, the SID only has upstream significance. When Baseline Privacy is in operation, the SID also identifies a particular security association and, thus, has both upstream and downstream significance. A downstream multicast traffic flow, then, which normally would have no SID associated with it, will have an associated SID when Baseline Privacy is operational. The Privacy Extended Header Element includes the SID associated with the MAC Packet Data PDU; the SID, in combination with other components of the extended header element, identifies to a modem the keying material required to decrypt the MAC PDU’s Packet Data field.” [SCTE 22-2 2002 (formerly DSS 02-03) - DOCSIS 1.0]
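As an added illustration of the mechanism the quoted specification describes (this is example code written for this page, not code from the specification, from Birds-Eye.Net, or from any DOCSIS implementation), the Go program below encrypts only the Packet PDU field of a frame with DES in CBC mode, leaves a small stand-in MAC/privacy header in the clear, and selects the keying material by SID, so a modem without the security association for that SID cannot recover the payload. The 4-byte header layout, the SA table (saTable), the keys and IVs, and the whole-block payload restriction are constructed assumptions for the example; the specification's real header format, its treatment of a short final block, and its key-management exchange are not covered by the page and are not modelled.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"errors"
	"fmt"
)

// secAssoc holds the keying material a SID points at: a single-DES key and a
// CBC initialisation vector. The values in saTable are constructed for this
// example, not material from any real cable network.
type secAssoc struct {
	key []byte // 8-byte DES key
	iv  []byte // 8-byte CBC IV
}

// saTable is a hypothetical security-association table indexed by SID.
var saTable = map[uint16]secAssoc{
	0x0101: {key: []byte("k3ySID01"), iv: []byte("iv4SID01")},
	0x0202: {key: []byte("k3ySID02"), iv: []byte("iv4SID02")},
}

const hdrLen = 4 // constructed header: 2-byte SID, 2-byte payload length

// privacyHeader is a simplified stand-in for the MAC header plus the Privacy
// Extended Header Element; it carries the SID and is always sent in the clear.
func privacyHeader(sid uint16, payloadLen int) []byte {
	h := make([]byte, hdrLen)
	binary.BigEndian.PutUint16(h[0:2], sid)
	binary.BigEndian.PutUint16(h[2:4], uint16(payloadLen))
	return h
}

// EncryptPDU returns header || DES-CBC(payload) under the SA selected by sid.
// Only the Packet PDU field is encrypted; the header bytes are untouched.
func EncryptPDU(sid uint16, payload []byte) ([]byte, error) {
	sa, ok := saTable[sid]
	if !ok {
		return nil, fmt.Errorf("no security association for SID %#04x", sid)
	}
	// Assumption for this example: payloads are whole 8-byte DES blocks. How
	// the specification terminates a short final block is not on the page.
	if len(payload) == 0 || len(payload)%des.BlockSize != 0 {
		return nil, errors.New("payload must be a non-zero multiple of 8 bytes")
	}
	block, err := des.NewCipher(sa.key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(payload))
	cipher.NewCBCEncrypter(block, sa.iv).CryptBlocks(ct, payload)
	return append(privacyHeader(sid, len(payload)), ct...), nil
}

// DecryptPDU reads the cleartext header, picks the SA by SID and recovers the
// Packet PDU field. A modem holding no SA for that SID gets an error, which is
// the property that keeps one subscriber's traffic private from a neighbour.
func DecryptPDU(frame []byte) (uint16, []byte, error) {
	if len(frame) < hdrLen {
		return 0, nil, errors.New("frame shorter than header")
	}
	sid := binary.BigEndian.Uint16(frame[0:2])
	n := int(binary.BigEndian.Uint16(frame[2:4]))
	body := frame[hdrLen:]
	if n != len(body) || n == 0 || n%des.BlockSize != 0 {
		return sid, nil, errors.New("payload length does not match header")
	}
	sa, ok := saTable[sid]
	if !ok {
		return sid, nil, fmt.Errorf("no security association for SID %#04x", sid)
	}
	block, err := des.NewCipher(sa.key)
	if err != nil {
		return sid, nil, err
	}
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(block, sa.iv).CryptBlocks(pt, body)
	return sid, pt, nil
}

// HeaderInClear checks that the frame starts with the exact cleartext header.
func HeaderInClear(frame []byte, sid uint16, payloadLen int) bool {
	return len(frame) >= hdrLen && bytes.Equal(frame[:hdrLen], privacyHeader(sid, payloadLen))
}

func main() {
	pt := []byte("subscriber-data!") // 16 bytes, two DES blocks (constructed)
	frame, err := EncryptPDU(0x0101, pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("header in clear: %v, payload hidden: %v\n",
		HeaderInClear(frame, 0x0101, len(pt)), !bytes.Equal(frame[hdrLen:], pt))
	sid, back, err := DecryptPDU(frame)
	fmt.Printf("SID %#04x decrypts to %q (err=%v)\n", sid, back, err)
}
```

The design point to notice is the split the specification insists on: the header, including the SID, must stay readable so the receiver can find the right security association before it can decrypt anything, while everything after it is opaque to any modem that does not hold that SA. Single DES with a 56-bit key is what DOCSIS 1.0 specified and is used here only to match the quoted text; it is not a cipher to choose for new designs.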
“While following the debate and wading through the political rhetoric of municipal broadband, I have seen precious little attention given by either proponents or operators on security, an issue that plagues many IT-related projects. That's somewhat surprising, considering that consumer broadband networks have faced the security issue before. Several years ago, the cable modem vs. DSL debate centered on the shared access medium of coax vs. the dedicated line of twisted pair. The implied judgment was that a shared medium likely meant slower speeds and that it unnecessarily exposed subscribers' traffic to their neighbors. The security issue resolved itself when those cable broadband networks upgraded to CableLabs' DOCSIS standard, which had support for BPI (Baseline Privacy Interface), and the cable operators have consistently provided higher speed services (4 to 6 Mbps now) compared to the RBOCs (around 1.5 Mbps).” [Network Computing – Frank Bulk, July 22, 2005]
Related Links:
ITArchitect - Cable Modem Systems
Informit Network - The Cable Access Link
SCTE - Society of Cable Telecommunications Engineers
Informit Network - Detecting Signs of Intrusion
Technical Resources:
Informit Network - Application Requirements
Products and Solutions:
DOCS-BPI-MIB: Cisco DOCSIS Baseline Privacy Interface
How IDE Controllers Work
Sniffing A Cable Modem Network
Blogs, News, feeds…
Google NewsGroup
Books:
Modern Cable Television Technology: Video, Voice, & Data Communications (Morgan Kaufmann Series in Networking) by Walter Ciciora, James Farmer, David Large
Telecom Convergence, 2/e: How to Profit from the Convergence of Technologies, Services, and Companies by Steven Shepard
Hack Attacks Denied: Complete Guide to Network LockDown by John Chirillo
Videoconferencing Demystified by Steven Shepard
Network Tutorial by Steve Steinke, Network Magazine (Editor), Editors of Network Magazine
Hack Attacks Denied: A Complete Guide to Network Lockdown for UNIX, Windows, and Linux, Second Edition by John Chirillo
Applied Data Communications: A Business-Oriented Approach by James E. Goldman, Phillip T. Rawles
Breaking the Access Barrier: Delivering Internet Connections over Cable by Mark Laubach, Stephen Dukes, David Farber
See Also:
BPI Resources
(C) Copyright Birds-Eye.Net, All rights reserved.
It is against the law to reproduce this content or any portion of it in any form without the explicit written permission of Birds-Eye Network Services, LLC. Federal copyright law (17 USC 504) makes it illegal, punishable with fines up to $100,000 per violation plus attorney's fees.