The present invention relates generally to the field of network management. More particularly, the present invention permits the detection of cable modems and cable network devices with duplicate media access control (MAC) addresses.
Every network interface has a media access control (MAC) address, also known as the physical or hardware address. It is the address by which the link layer of the network identifies the interface. In cable networks, the MAC address is used to assign an Internet protocol (IP) address to a device by means of a dynamic host configuration protocol (DHCP) server. The MAC address is, in principle, unique to a particular device. This permits an IP network service provider to use the MAC address as a vehicle for authorizing access to its network and further aids in billing users for services.
A cable network comprises a variety of cable network devices, including cable modems (CMs) and cable modem auxiliary devices (CMADs) such as multimedia terminal adapters (MTAs) and two-way set top boxes (STBs). Each of these devices is assigned an IP address by the cable network based on the MAC address of the device. Ideally, at the time of manufacture, each cable network device (e.g., a CM, an MTA, or a set top box) is assigned a MAC address that uniquely identifies that device. Either through error at the time of manufacture, or through malicious intent (hacking), a cable network device may appear on a cable network with a MAC address that has already been assigned to another cable network device. As the MAC address is often the sole identifier used to identify and authenticate a cable network device for network connectivity, programming delivery and billing purposes, it is imperative to guarantee the uniqueness of the MAC address for each cable network device in order to thwart “theft of services.”
In the cable environment, access to the cable network's data service is provided to CMADs through a cable modem (CM). Increasingly, CMs are required to comply with an industry standard referred to as the “Data Over Cable Service Interface Specification” or DOCSIS. DOCSIS provides a set of standards and a certifying authority by which cable companies can achieve cross-platform functionality in Internet delivery. A DOCSIS compliant cable network comprises cable modem termination systems (CMTSs) and cable modems that form the interface to an Internet service provider (ISP). The CM provides two-way connectivity between a customer and the ISP through the CMTS. A cable modem termination system (CMTS) is a component that exchanges digital signals with CMs on a cable network.
High-speed data (HSD) service is delivered to a subscriber through channels in a coaxial cable to a CM. An upstream channel is used to communicate from the CM to the CMTS. A downstream channel handles communication from the CMTS to the CM. When a CMTS receives signals from the CM, the CMTS converts these signals into Internet Protocol (IP) packets, which are then sent to an IP router for transmission across a managed IP network. When a CMTS sends signals to a cable modem, the CMTS modulates the downstream signals for transmission across the cable to the CM.
The provisioning of the CM is an example of an authentication process. A DHCP server associated with a CMTS uses the CM MAC address to determine whether a customer is authorized to receive HSD service via the CM (based on finding the MAC address in a provisioning/authentication database) and what level of service an authorized subscriber is entitled to receive. In a cable network with a single CMTS, the CMTS will deny an attempt by a CM to present a MAC address that is currently registered by that CMTS. However, if the cable network utilizes multiple CMTSs and if the second use of the MAC address is presented to a CMTS that is not the CMTS that registered the first instance of that MAC address, the duplicated MAC address will not be detected.
With the development of packet switching and the growth of the Internet, interest in real-time services, such as voice over IP (VoIP) and gaming using packet switching technology, has grown. Real-time services over cable are subject to a variety of specifications, including those issued by Cable Television Laboratories, Inc. under the “PacketCable™” name. These specifications are directed to end-to-end functions, including signaling for services, media transport at variable QoS levels, security, provisioning of the client device, billing, and other network management functions. VoIP is the first service defined for this platform, but others are expected to follow. PacketCable services utilize a subscriber's CM and a multimedia (or media) terminal adapter (MTA). The MTA is connected between the CM and other subscriber equipment. For VoIP service, for example, the MTA connects to a standard telephone and handles voice compression, packetization, security, and call signaling. An MTA may be designed to be either a separate standalone device or to be embedded within the CM. The MTA and the CM are assigned separate MAC and IP addresses, even if the elements are integrated into a single device. Typically, the MAC address of the MTA component of an integrated MTA/CM device is the MAC address of the CM component plus 1. The CMTS uses the Data Over Cable Service Interface Specification (DOCSIS) protocol (also issued by Cable Television Laboratories, Inc.) on the access network to manage access network resources for PacketCable services.
The DHCP server uses the MTA MAC address and the CM MAC address to determine whether an HSD service customer is entitled to receive PacketCable services through the MTA. In determining whether to authorize the MTA, the CM MAC is checked to see if the MTA DHCP request came through a CM that is entitled to data and voice service. The MTA MAC is also checked by the DHCP server to see what kind (make and model) of MTA is making the request so that the MTA can be told to request the appropriate type of MTA configuration file (which may contain make/model specific instructions). However, while it has been suggested that the relationship between the CM MAC and the MTA MAC can be exploited to police service theft, no system today checks to see if the two MAC addresses “belong” to each other.
Because the MTA is not “registered” by the CMTS before its MAC address is presented to the DHCP server, duplicate MTA MAC addresses may not be detected even on a system with a single CMTS if the duplicates are used behind different CMs.
The two-way set-top box (STB) is another example of a CMAD that is provisioned by the cable network with an IP address based on the MAC address of the STB. The STB utilizes an integrated cable modem (which is provisioned in the same manner as a standalone CM) to communicate with a DHCP server, and receives its IP address based on both the integrated CM's and STB's MAC addresses. As in the case of the MTA, a duplicate STB MAC address can operate behind two or more legitimate CM MAC addresses without being detected.
In cable networks comprising regional networks, the detection of duplicate MAC addresses among cable network devices is more difficult. CMs, for example, may present the same MAC address to different CMTSs within a regional network or across different regional networks.
The consequences of allowing cable network devices with duplicate MAC addresses to operate on a cable network can be significant. If a “rogue” cable modem, MTA or other cable network device were to share the same MAC address as a legitimate cable network device, the “rogue” device would receive the same service as the legitimate device. If the legitimate device user is charged for service based upon the quantity of service used, it is likely that the legitimate user will be charged for the services utilized by the “rogue” device. Resolving payment disputes is costly for the cable service provider and, at a minimum, annoying and inconvenient for its subscribers.
As noted above, a cable network with a single CMTS supported by a single DHCP server provides some level of protection against duplication of MAC addresses by CMs. CMs are identified to the cable network through an initialization process managed by the CMTS. The CM is initialized with the CMTS through a series of handshakes that comprise an exchange of data. When a CM is powered on, it scans the cable network for a downstream data channel carrying a signal that the CM recognizes as coming from the CMTS. The downstream signal from the CMTS carries the parameters the CM needs in order to communicate with the CMTS. The CM receives and applies these parameters and then obtains from the CMTS the identities of the available upstream channels on which the device may transmit. Other operational parameters are acquired and the CM is registered on the cable network.
In this provisioning example, the CM sends a dynamic host configuration protocol (DHCP) request to the CMTS for an Internet protocol (IP) address and other parameters. The IP address enables the CM to establish its identity for receiving the downstream data addressed to it and for transmitting data from a known Internet address. The request includes the MAC address of the CM. If the MAC address of the CM is not associated with a previously registered CM, the CMTS forwards the CM's request for the IP address to the DHCP server assigned to that CMTS. This server contains a database or pool of IP addresses allocated to the Internet devices on the network. The DHCP server responds through the CMTS with an IP address and other necessary data. The CM extracts this data from the message and immediately configures its IP parameters.
As noted, the DHCP request message contains the CM's MAC address. The CMTS receives the DHCP request and, acting as a DHCP relay agent, inserts its own address in the relay agent IP address field of the request (the “giaddr”). The giaddr identifies the CMTS through which the CM is communicating and is used by the DHCP server to select the pool of IP addresses from which the CM's IP address will be assigned. Thus, an intended function of the giaddr is to aid in the assignment of IP addresses.
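The following is an added illustration, not part of the original specification, of where the two identifiers discussed above sit in a relayed DHCP request: the requesting device's MAC address is the chaddr field of the fixed BOOTP header, and the relaying CMTS fills in the giaddr field. It further assumes, as DOCSIS CMTSs commonly do, that the MAC of the CM behind a CMAD request is carried in the DHCP Relay Agent Information option (option 82, remote-ID sub-option 2); the packet builder and the sample addresses are constructed for the example and are not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128), magic cookie.
_HDR = struct.Struct("!BBBBIHHIIII16s64s128s4s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
SUBOPT_REMOTE_ID = 2   # assumption: CMTS places the CM MAC here for CMAD requests


@dataclass
class DhcpIdentity:
    chaddr: str              # MAC of the requesting device (CM or CMAD)
    giaddr: str              # relay agent address stamped on by the CMTS
    cm_mac: Optional[str]    # CM MAC from option 82 remote-ID, if present
    msg_type: Optional[int]  # DHCP message type (1=DISCOVER, 3=REQUEST, ...)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def _relay_remote_id(val: bytes) -> Optional[str]:
    # Option 82 payload is a sequence of (code, len, data) sub-options.
    j = 0
    while j + 2 <= len(val):
        code, ln = val[j], val[j + 1]
        data = val[j + 2:j + 2 + ln]
        if len(data) != ln:
            raise ValueError("truncated relay agent sub-option")
        if code == SUBOPT_REMOTE_ID and ln == 6:
            return mac_str(data)
        j += 2 + ln
    return None


def parse_dhcp(pkt: bytes) -> DhcpIdentity:
    """Extract chaddr, giaddr, message type and (if relayed for a CMAD) the CM MAC."""
    if len(pkt) < _HDR.size:
        raise ValueError("truncated DHCP header")
    (_op, htype, hlen, _hops, _xid, _secs, _flags, _ci, _yi, _si,
     giaddr, chaddr, _sname, _file, cookie) = _HDR.unpack_from(pkt)
    if cookie != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    if htype != 1 or hlen != 6:
        raise ValueError(f"unexpected hardware type/length {htype}/{hlen}")
    msg_type = None
    cm_mac = None
    i = _HDR.size
    while i < len(pkt):
        tag = pkt[i]
        if tag == 0:          # pad
            i += 1
            continue
        if tag == 255:        # end of options
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option value")
        if tag == OPT_MSG_TYPE and length == 1:
            msg_type = val[0]
        elif tag == OPT_RELAY_AGENT:
            cm_mac = _relay_remote_id(val)
        i += 2 + length
    return DhcpIdentity(mac_str(chaddr[:hlen]), ip_str(giaddr), cm_mac, msg_type)


def build_request(chaddr: bytes, giaddr: str, cm_mac: Optional[bytes] = None) -> bytes:
    """Constructed DHCPREQUEST as a CMTS would relay it (test data, not a capture)."""
    gi = sum(int(o) << s for o, s in zip(giaddr.split("."), (24, 16, 8, 0)))
    hdr = _HDR.pack(1, 1, 6, 1, 0x1234, 0, 0x8000, 0, 0, 0, gi,
                    chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC_COOKIE)
    opts = bytes([OPT_MSG_TYPE, 1, 3])                           # DHCPREQUEST
    if cm_mac is not None:                                       # relayed CMAD request
        opts += bytes([OPT_RELAY_AGENT, 8, SUBOPT_REMOTE_ID, 6]) + cm_mac
    return hdr + opts + b"\xff"


if __name__ == "__main__":
    mta = build_request(bytes.fromhex("0011223344ab"), "10.1.2.1", bytes.fromhex("0011223344aa"))
    print(parse_dhcp(mta))
```

The parser rejects truncated headers and options rather than silently returning partial identities, since a provisioning decision made on a half-parsed chaddr is exactly the kind of input a hostile device would try to provoke. A deployment that does not use option 82 for the CM MAC would obtain it from whatever relay mechanism its CMTS actually provides; that part of the example is an assumption.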
The CMTS maintains a list of CM MAC addresses for CMs that are currently registered with the CMTS. If a CM is registered and another CM with the same MAC address as the first CM attempts to register with that CMTS, the CMTS will typically reject the second CM's registration attempt. Note that there is no mechanism for the CMTS to determine which of the CMs is the “rightful owner” of the CM MAC address. It can only determine that a CM is attempting to register with a MAC address with which another CM is currently registered.
The provisioning process for CMAD (e.g., an MTA) differs from the process experienced by the CM in that the CMAD provisioning is not managed by the CMTS, and the CMAD is not registered with the CMTS before presenting its MAC address to a DHCP server. Rather, the CMAD is provisioned after the CM has been authorized by the CMTS and assigned an IP address by the DHCP server. For example, two MTAs presenting the same MTA MAC address via different CMs presenting different and valid CM MAC addresses will not be detected by the CMTS. As noted, the DHCP request from the MTA comprises the MAC address of the MTA and the MAC address of the CM to which the MTA is connected. It has been suggested that the MTA MAC address be associated with the CM MAC address to detect use of a single MTA with multiple CMs. No specific implementations of this suggestion have been found. Even if implemented, this association does not address the problem of detecting unauthorized MTA usage when the cable network comprises multiple CMTSs or multiple networks each with its own CMTS and DHCP server support.
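The correlation that the preceding paragraphs say no system performs, shown as an added example rather than anything from the original specification: given the DHCP requests seen at a provisioning server across several CMTSs, flag (a) a CM MAC registering through more than one giaddr, (b) a CMAD MAC appearing behind more than one CM MAC, and (c) for CMs that the provisioning database is assumed to list as integrated CM/MTA units, an MTA MAC that is not the CM MAC plus 1, the relationship noted above. The event records, the integrated-unit list and all addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DhcpEvent:
    """One relayed DHCP request as seen at the provisioning/DHCP server.

    giaddr     : address of the relaying CMTS
    device_mac : chaddr of the requester (a CM, or a CMAD such as an MTA or STB)
    cm_mac     : for a CMAD request, the MAC of the CM it arrived through;
                 None when the requester is the CM itself
    """
    giaddr: str
    device_mac: str
    cm_mac: Optional[str] = None


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(n: int) -> str:
    n &= (1 << 48) - 1                       # keep the +1 inside 48 bits
    return ":".join(f"{(n >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def find_duplicate_cms(events: Iterable[DhcpEvent]) -> Dict[str, List[str]]:
    """CM MACs whose own requests arrived through more than one CMTS (giaddr)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.cm_mac is None:
            seen[e.device_mac.lower()].add(e.giaddr)
    return {mac: sorted(gis) for mac, gis in seen.items() if len(gis) > 1}


def find_duplicate_cmads(events: Iterable[DhcpEvent]) -> Dict[str, List[str]]:
    """CMAD MACs presented behind more than one CM MAC, regardless of CMTS."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.cm_mac is not None:
            seen[e.device_mac.lower()].add(e.cm_mac.lower())
    return {mac: sorted(cms) for mac, cms in seen.items() if len(cms) > 1}


def find_mismatched_embedded_mtas(events: Iterable[DhcpEvent],
                                  integrated_cms: Set[str]) -> Dict[str, Tuple[str, str]]:
    """For CMs listed (by an assumed provisioning DB) as integrated CM/MTA units,
    flag a CMAD request whose MAC is not the CM MAC + 1. Standalone MTAs are skipped."""
    bad: Dict[str, Tuple[str, str]] = {}
    for e in events:
        if e.cm_mac is None:
            continue
        cm = e.cm_mac.lower()
        if cm not in integrated_cms:
            continue
        expected = int_to_mac(mac_to_int(cm) + 1)
        if e.device_mac.lower() != expected:
            bad[e.device_mac.lower()] = (cm, expected)
    return bad


# Constructed sample: three CMTSs (giaddr 10.1.1.1, 10.1.2.1, 10.1.3.1).
SAMPLE_EVENTS = [
    # legitimate CM on CMTS A with its embedded MTA (CM MAC + 1)
    DhcpEvent("10.1.1.1", "00:10:95:aa:bb:00"),
    DhcpEvent("10.1.1.1", "00:10:95:aa:bb:01", cm_mac="00:10:95:aa:bb:00"),
    # the same CM MAC registering through CMTS B: invisible to either CMTS alone
    DhcpEvent("10.1.2.1", "00:10:95:aa:bb:00"),
    # a valid second CM on CMTS B, but the MTA behind it reuses the first MTA's MAC
    DhcpEvent("10.1.2.1", "00:10:95:cc:dd:00"),
    DhcpEvent("10.1.2.1", "00:10:95:aa:bb:01", cm_mac="00:10:95:cc:dd:00"),
    # standalone MTA behind a third CM; no +1 relationship is expected
    DhcpEvent("10.1.3.1", "00:10:95:ee:ff:00"),
    DhcpEvent("10.1.3.1", "00:50:c2:12:34:56", cm_mac="00:10:95:ee:ff:00"),
]
INTEGRATED_CMS = {"00:10:95:aa:bb:00", "00:10:95:cc:dd:00"}   # assumed DB contents


if __name__ == "__main__":
    print("CM MAC on multiple CMTSs :", find_duplicate_cms(SAMPLE_EVENTS))
    print("CMAD MAC behind >1 CM    :", find_duplicate_cmads(SAMPLE_EVENTS))
    print("embedded MTA not CM+1    :", find_mismatched_embedded_mtas(SAMPLE_EVENTS, INTEGRATED_CMS))
```

Two caveats a practitioner would attach. First, as the specification notes for the single-CMTS case, none of these checks identifies the rightful owner of a MAC address; they only surface the conflict for an operator to resolve against the provisioning record. Second, a production detector must bound the correlation by time, since a CM legitimately moved from one CMTS to another will appear under two giaddr values in sequence; the example correlates over the whole event list and therefore treats any overlap as suspect.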
What is needed is a means for identifying cable network devices having the same MAC address on a single CMTS or on multiple CMTSs, either as part of a single network or as part of multiple networks within a cable network.