Cisco uBR905 Router Hardware Installation Guide
OL-0598-01 (9/2000)
Chapter 1
Product Overview
Functional Overview
Security
The Cisco uBR905 provides two basic options to protect the data it transmits over public networks:
• Baseline Privacy Interface (BPI)—Encrypts the Ethernet packets transmitted over the cable
interface between a cable modem and CMTS.
• IPsec network security—Provides robust authentication and end-to-end encryption of IP packets
over an unprotected network such as the Internet.
Baseline Privacy Interface
BPI security is defined by the DOCSIS 1.0 BPI specification (SP-BPI-I02-990319 or later revision).
Both the CMTS and Cisco uBR905 cable access router must support BPI security and enable its use
before this option can be used.
When using BPI security, the CMTS and router encrypt all data before transmitting it on the cable
interface. Data is encrypted using a 40-bit or 56-bit data encryption algorithm, which prevents
unauthorized parties from intercepting and reading the data as it travels across the cable network.
When using the BPI option, the Cisco uBR905 router uses a uniquely assigned key encryption key (KEK)
to connect to the CMTS. The KEK authorizes the router to negotiate a traffic encryption key (TEK), which
the router and CMTS use to encrypt and decrypt the data sent on the cable interface. The keys have a
limited lifespan, and the router must request a new key before the current one expires.
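The key lifecycle described above, as a simplified model (an added example, not Cisco code and not the DOCSIS BPI message format). The class names, the lifetimes, and the grace window are assumptions, and the keys are random placeholders rather than real encryption keys.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Key:
    material: bytes      # random placeholder, not a real DES key
    expires_at: int      # simulated seconds
    def valid(self, now):
        return now < self.expires_at

class Cmts:
    """Hypothetical CMTS: hands out a TEK only against a live, matching KEK."""
    def __init__(self, kek_life, tek_life):
        self.kek_life, self.tek_life, self.keks = kek_life, tek_life, {}
    def authorize(self, modem_id, now):
        self.keks[modem_id] = Key(secrets.token_bytes(8), now + self.kek_life)
        return self.keks[modem_id]
    def request_tek(self, modem_id, kek, now):
        known = self.keks.get(modem_id)
        if not known or not known.valid(now) or known.material != kek.material:
            raise PermissionError("KEK unknown, expired, or superseded")
        return Key(secrets.token_bytes(8), now + self.tek_life)

class Modem:
    def __init__(self, modem_id, cmts, grace):
        self.id, self.cmts, self.grace = modem_id, cmts, grace
        self.kek = self.tek = None
    def tick(self, now):
        """Renew any key that is missing or inside its grace window (assumed policy)."""
        actions = []
        if self.kek is None or now >= self.kek.expires_at - self.grace:
            self.kek = self.cmts.authorize(self.id, now)
            actions.append("reauthorize")
        if self.tek is None or now >= self.tek.expires_at - self.grace:
            self.tek = self.cmts.request_tek(self.id, self.kek, now)
            actions.append("rekey")
        return actions
    def can_send(self, now):
        return self.tek is not None and self.tek.valid(now)

def simulate(kek_life=100, tek_life=30, grace=5, step=5, end=120):
    """Run the modem on a simulated clock; return (time, actions) for each renewal."""
    modem = Modem("modem-1", Cmts(kek_life, tek_life), grace)
    log = []
    for now in range(0, end + 1, step):
        actions = modem.tick(now)
        if not modem.can_send(now):
            raise RuntimeError(f"no valid TEK at t={now}")
        if actions:
            log.append((now, actions))
    return log
```

`simulate()` returns the renewal schedule. A modem that stops calling `tick()` loses `can_send()` once its TEK expires, and the CMTS refuses a TEK request made with an expired KEK.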
IPsec Network Security
IPsec is a framework of open standards developed by the Internet Engineering Task Force (IETF) for
the secure transmission of sensitive information over unprotected networks such as the Internet. IPsec
acts at the network layer (Layer 3), protecting and authenticating IP packets between participating IPsec
devices (“peers”) such as the Cisco uBR905 cable access router.
IPsec encryption provides end-to-end protection across public and insecure networks such as the
Internet. Two levels of encryption—56-bit and 168-bit—are available, depending on the software image
being used. Keys can be pre-shared or determined from a digital certificate that has been verified by a
certificate authority.
The Cisco uBR905 router provides a hardware IPsec accelerator with greatly improved performance
over software-based IPsec encryption. Subscribers can have the protection of IPsec encryption without
sacrificing the high-speed performance of a cable network.
Note
Cisco IOS images with strong encryption (including, but not limited to, 168-bit [3DES]
data encryption feature sets) are subject to United States government export controls and
have limited distribution. Strong encryption images to be installed outside the United
States may require an export license. Customer orders may be denied or subject to delay
due to United States government regulations. When applicable, the purchaser or user must
obtain local import and use authorizations for all encryption strengths. Contact your sales
representative or distributor for more information, or send an e-mail to [email protected].