I've read the doc @coldfusion has provided and this is what I understand:
-CMTS can identify modem by anything associated with BPI+ (MAC and Vendor)
-CMTS can identify modem by sysDescr string returned by modem in REG_REQ
-CMTS can make DOCSIS queries ONLY about SNR (can't identify using this)
-CMTS can make queries about devices connected to modem(!) and list their MACs <- How is this possible, if all devices are (should be) behind the modem's NAT (when not operating as a bridged interface)?
-NOTHING else (according to this doc) can be used.
(-)When sending the config file to the modem, EAE is used to encrypt the transmission, and a shared secret and MIC response are used to authenticate the source of the config and whether it was altered. Please help me understand how it is supposed to protect anything if we can receive the file, calculate the hash, discard it, use another file and, when the MIC is supposed to be sent, just inject the calculated hash. It works when we are MITMing the file and altering it, or using a replay attack, but what if we have full control over the modem (like forceWare has)? Am I missing something here?
PS: Please confirm if my interpretation of the document is correct.
EDIT:
I asked the question about config just out of interest not because I am going to do anything with it.
EDIT2:
Also, the CMTS knows about the configs (name and contents) only because it provides them to CMs. It can't do any queries to CMs about it, except MIC (again, according to this doc). Is this also correct?
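The shared-secret MIC the post asks about, as an added example that is not part of the original post or of any DOCSIS implementation: a simplified model of the two config-file integrity checks, the CM MIC (plain MD5 over the config TLVs, which anyone holding the file can recompute) and the CMTS MIC (HMAC-MD5 keyed with the provisioning shared secret, which the modem never holds). The TLV subset, the shared secret, the exact byte coverage of each MIC and all function names are assumptions for illustration; in the real spec the CMTS MIC covers a fixed list of TLV types in a defined order rather than the whole body used here.

```python
import hashlib
import hmac

# Assumed shared secret: in DOCSIS it lives on the CMTS and in the provisioning
# system that generates config files, never on the cable modem.
SHARED_SECRET = b"example-provisioning-secret"

CM_MIC_TYPE = 6     # DOCSIS TLV type carrying the CM MIC (MD5)
CMTS_MIC_TYPE = 7   # DOCSIS TLV type carrying the CMTS MIC (HMAC-MD5)


def encode_tlvs(tlvs):
    """Serialize (type, value) pairs as one-byte type, one-byte length, value."""
    return b"".join(bytes([t, len(v)]) + v for t, v in tlvs)


def parse_tlvs(data):
    """Inverse of encode_tlvs; rejects truncated input instead of guessing."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        t, n = data[i], data[i + 1]
        v = data[i + 2:i + 2 + n]
        if len(v) != n:
            raise ValueError("truncated TLV value")
        out.append((t, v))
        i += 2 + n
    return out


def build_config(settings, shared_secret):
    """Provisioning side: body, then unkeyed CM MIC, then keyed CMTS MIC over both."""
    body = encode_tlvs(settings)
    cm_mic = hashlib.md5(body).digest()
    covered = body + encode_tlvs([(CM_MIC_TYPE, cm_mic)])
    cmts_mic = hmac.new(shared_secret, covered, hashlib.md5).digest()
    return covered + encode_tlvs([(CMTS_MIC_TYPE, cmts_mic)])


def split_config(config):
    """Separate the settings TLVs from the two MIC TLVs."""
    tlvs = parse_tlvs(config)
    settings = [tv for tv in tlvs if tv[0] not in (CM_MIC_TYPE, CMTS_MIC_TYPE)]
    mics = dict(tv for tv in tlvs if tv[0] in (CM_MIC_TYPE, CMTS_MIC_TYPE))
    return settings, mics


def cm_mic_valid(config):
    """Modem-side check: needs no secret, so a controlled modem can always satisfy it."""
    settings, mics = split_config(config)
    expected = hashlib.md5(encode_tlvs(settings)).digest()
    return hmac.compare_digest(expected, mics.get(CM_MIC_TYPE, b""))


def cmts_accepts(config, shared_secret):
    """CMTS-side check: recompute the keyed MIC from the settings the modem reports."""
    settings, mics = split_config(config)
    covered = encode_tlvs(settings) + encode_tlvs([(CM_MIC_TYPE, mics.get(CM_MIC_TYPE, b""))])
    expected = hmac.new(shared_secret, covered, hashlib.md5).digest()
    return hmac.compare_digest(expected, mics.get(CMTS_MIC_TYPE, b""))


def legitimate_config(shared_secret):
    """Constructed sample config (illustrative TLVs, not a real provisioning file)."""
    settings = [
        (3, b"\x01"),                                   # Network Access Control: enabled
        (4, b"\x01\x01\x01\x02\x04\x00\x98\x96\x80"),   # CoS: class 1, 10 Mbit/s max downstream
    ]
    return build_config(settings, shared_secret)


def modem_forged_config(received_config):
    """What a fully controlled modem can do: discard the real settings, substitute
    its own, recompute the unkeyed CM MIC and reuse the CMTS MIC it was given."""
    settings, mics = split_config(received_config)
    faster = [(t, b"\x01\x01\x01\x02\x04\x3b\x9a\xca\x00" if t == 4 else v)  # 1 Gbit/s
              for t, v in settings]
    body = encode_tlvs(faster)
    new_cm_mic = hashlib.md5(body).digest()
    return body + encode_tlvs([(CM_MIC_TYPE, new_cm_mic),
                               (CMTS_MIC_TYPE, mics[CMTS_MIC_TYPE])])


if __name__ == "__main__":
    real = legitimate_config(SHARED_SECRET)
    forged = modem_forged_config(real)
    print("legit   CM MIC ok:", cm_mic_valid(real), " CMTS accepts:", cmts_accepts(real, SHARED_SECRET))
    print("forged  CM MIC ok:", cm_mic_valid(forged), " CMTS accepts:", cmts_accepts(forged, SHARED_SECRET))
```

The modem can indeed compute and inject the CM MIC for any file it likes, because that hash is unkeyed. What it cannot produce is a CMTS MIC for altered settings, since that value is an HMAC under a secret it never receives; the only thing a controlled modem can present that verifies is the unmodified file it was handed, which is the replay case the post already identifies.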