Management Information Base for Data Over Cable Service Interface Specification (DOCSIS) Cable Modems and Cable Modem Termination Systems for Baseline Privacy Plus
RFC 4131

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>, 
    ipcdn mailing list <ipcdn@ietf.org>, 
    ipcdn chair <ipcdn-chairs@tools.ietf.org>
Subject: Protocol Action: 'Management Information Base for 
         DOCSIS Cable Modems and Cable Modem Termination Systems for 
         Baseline Privacy Plus' to Proposed Standard 

The IESG has approved the following document:

- 'Management Information Base for DOCSIS Cable Modems and Cable Modem 
   Termination Systems for Baseline Privacy Plus'
   <draft-ietf-ipcdn-bpiplus-mib-16.txt> as a Proposed Standard

This document is the product of the IP over Cable Data Network Working 
Group. 

The IESG contact persons are Bert Wijnen and Dan Romascanu.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ipcdn-bpiplus-mib-16.txt

Technical Summary
 
   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a set of managed objects for SNMP based
   management of the Baseline Privacy Plus features of DOCSIS1.1 and
   DOCSIS 2.0 compliant Cable Modems and Cable Modem Termination
   Systems. 

Working Group Summary
 
   There is Working Group consensus to publish this document as a
   Proposed Standard. 

Protocol Quality
 
   This document was reviewed for the IESG by Bert Wijnen.

RFC-Editor note:

Please replace the last paragraph of Section 7.

OLD:
    BPI+ Encryption Algorithms:
    BPI+ Traffic Encryption Keys TEK (see [1]) uses DES
    (Data Encryption Standard) 56 or 40 bits encryption ciphers.
    Due DES cryptographic strength weakness, future revisions of BPI+
    specification [1] should introduce advanced encryption algorithms
    to overcome the progress in cheaper and faster decryption tools.
    Traffic Encryption Keys (TEK) are configured per CM and per BPI+
    multicast group which may reduce the threat of the DES weakness for
    the overall system. The time to crack DES could be additionally
    mitigated by a compromised value for the TEK lifetime and Grace Time
    (up to a minimum of 30 minutes for the TEK lifetime, see
    Appendix A [1]).
    Not exempt of the same recommendations as above, The CM BPI+
    Authorization protocol uses triple DES encryption,
    which offers improved robustness compared to DES for CM
    Authorization and TEK re-key management.
NEW:
    BPI+ Encryption Algorithms:
    The BPI+ Traffic Encryption Keys (TEK) defined in the DOCSIS BPI+
    specification [1] use 40-bit or 56-bit DES for encryption (DES 
    CBC mode). There is currently no mechanism or algorithm defined
    for data integrity.
    Due to the DES cryptographic weaknesses, future revisions of the
    DOCSIS BPI+ specification should introduce more advanced encryption
    algorithms as proposed in the DocsBpkmDataEncryptAlg textual
    convention to overcome the progress in cheaper and faster hardware
    or software decryption tools. Future revisions of the DOCSIS BPI+
    specification [1] should also adopt authentication algorithms as
    described in DocsBpkmDataAuthentAlg textual convention. 
    It is important to note that frequent key changes do not necessarily
    help to mitigate or reduce the risks of a DES attack. Indeed, the
    traffic encryption keys which are configured on a per cable modem
    basis and per BPI+ multicast group can be utilized to decrypt old
    traffic even when they are no longer in active use.
    Note that not exempt of the same recommendations as above, the CM
    BPI+ authorization protocol uses triple DES encryption, which
    offers improved robustness compared to DES for CM authorization
    and TEK re-key management.
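
The replacement paragraph makes two points that are easy to state and
hard to picture: BPI+ TEK traffic is DES in CBC mode, and nothing in the
approved specification provides data integrity, which is why it recommends
that later revisions adopt an authentication algorithm. The following
Python is an added illustration of exactly that gap; it is not code from
RFC 4131, from the IESG announcement, or from any DOCSIS implementation.
It puts a receiver that only decrypts next to a receiver that verifies a
tag first. The TEK, IV, authentication key, bit mask and "captured frame"
are constructed test values, the tag algorithm (HMAC-SHA256,
encrypt-then-MAC) is this example's own choice since the page names none,
and it relies on the third-party `cryptography` package because the
standard library has no DES. Single DES is obtained by handing TripleDES
an 8-byte key, which the library expands to K|K|K.

```python
"""Added illustration of DES-CBC traffic with and without an integrity tag.
Not RFC 4131 or DOCSIS code. All keys, IVs and payloads are constructed."""
import hashlib
import hmac

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, modes

try:  # cryptography >= 43 keeps legacy ciphers in the "decrepit" module
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # older releases keep TripleDES under primitives
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

BLOCK = 8  # DES block size in bytes

# Constructed 56-bit TEK. An 8-byte key handed to TripleDES is expanded to
# K|K|K, and EDE with three equal keys is plain single DES.
TEK = bytes.fromhex("0123456789abcdef")
IV = bytes.fromhex("fedcba9876543210")
# Constructed key for a hypothetical data-authentication algorithm. BPI+ as
# approved here defines none; this is the "future revision" side.
AUTH_KEY = bytes.fromhex("a5" * 16)
PAYLOAD = b"SID=0007 FLAGS=00 payload-bytes-follow-here"  # constructed frame


def des_cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """DES-CBC with PKCS#7 padding, as the sending side."""
    padder = padding.PKCS7(BLOCK * 8).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(TripleDES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def des_cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """DES-CBC decryption and unpadding, as the receiving side."""
    dec = Cipher(TripleDES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK * 8).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def alter_in_transit(iv: bytes, mask: bytes) -> bytes:
    """Model an in-transit change to the IV. CBC XORs the IV into the first
    decrypted block, so the change lands bit-for-bit in the first 8
    plaintext bytes while every later block still decrypts cleanly."""
    return bytes(a ^ b for a, b in zip(iv, mask.ljust(BLOCK, b"\x00")))


def receive_unauthenticated(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Receiver as the approved BPI+ text describes it: decrypt only.
    There is nothing to verify, so altered data is accepted as genuine."""
    return des_cbc_decrypt(key, iv, ciphertext)


def frame_tag(auth_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over IV and ciphertext (HMAC-SHA256 is this
    example's choice; the page names no authentication algorithm)."""
    return hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()


def receive_authenticated(key, auth_key, iv, ciphertext, tag):
    """Verify first, decrypt only on a matching tag. Returns None on
    rejection so the caller can drop and log the frame."""
    if not hmac.compare_digest(frame_tag(auth_key, iv, ciphertext), tag):
        return None
    return des_cbc_decrypt(key, iv, ciphertext)


def demo() -> dict:
    """Run both receivers over a clean and an altered frame."""
    ct = des_cbc_encrypt(TEK, IV, PAYLOAD)
    tag = frame_tag(AUTH_KEY, IV, ct)
    mask = b"\x20"  # flips the case of the first payload byte ('S' -> 's')
    bad_iv = alter_in_transit(IV, mask)
    return {
        "clean": receive_unauthenticated(TEK, IV, ct),
        "altered_accepted": receive_unauthenticated(TEK, bad_iv, ct),
        "clean_verified": receive_authenticated(TEK, AUTH_KEY, IV, ct, tag),
        "altered_rejected": receive_authenticated(TEK, AUTH_KEY, bad_iv, ct, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} {value!r}")
```

The unauthenticated receiver returns a frame that differs from the
original in exactly the masked byte and is otherwise intact, with no error
to act on; the authenticated receiver rejects the same frame before any
decryption happens. Rotating the TEK more often would not change either
outcome, which is the paragraph's point about key changes: the integrity
gap is independent of key lifetime, and the fix is an authentication
algorithm, not a shorter rekey interval.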