Cisco uBR10012 Software Configuration Manual page 138

Reviewing Your Settings and Configurations
When Baseline Privacy is enabled, the Cisco uBR10012 router routes encrypted and decrypted packets
from a host or peer to another host or peer. BPI is configured with key encryption keys (KEKs) and traffic
encryption keys (TEKs). A KEK is assigned to a CM, based on the CM's service identifier (SID), and
permits the CM to connect to the Cisco uBR10012 router when Baseline Privacy is activated. The TEK
is assigned to a CM when its KEK has been established. The TEK is used to encrypt data traffic between
the CM and the Cisco uBR10012 router.
KEKS and TEKs can be set for Baseline Privacy on the HFC network to expire based on a grace-time
or a life-time value, defined in seconds. A grace-time value assigns a temporary key to a CM to access
the network. A life-time value assigns a more permanent key to a CM. Each CM that has a life-time
value assigned requests a new lifetime key from the Cisco uBR10012 router before the current one
expires.
To set the duration in
in global configuration mode. To restore the default values, use the no form of each command.
cable privacy kek {grace-time [seconds] | life-time [seconds]}
no cable privacy kek {grace-time | life-time}
cable privacy tek {grace-time [seconds] | life-time [seconds]}
no cable privacy tek {grace-time | life-time}
Syntax Description
grace-time seconds
life-time seconds
Use the show cable modem command to identify a CM with encryption and decryption enabled. The
Tip
online(pk) output of this command reveals a CM that is registered with BPI enabled and a KEK
assigned. The online(pt) output reveals a CM that is registered with BPI enabled and a TEK assigned.
Should you want to change the Cisco uBR10000 series default of 56-bit encryption and decryption to
40-bit, use the "40 bit DES" option:
Router(config-if)# cable privacy ?
40-bit-des
^^^^^^^^^^
authenticate-modem
authorize-multicast
kek
mandatory
tek
Software then generates a 40-bit DES key, where the DES key that is generated and returned masks the
first 16 bits of the 56-bit key to zero in software. To return to 56-bit encryption and decryption after
changing to 40-bit, enter the no command in front of the "40 bit des" option.
Cisco uBR10012 Universal Broadband Router Software Configuration Guide
2-18
Chapter 2
for KEK or TEK grace-time or life-time, use the following commands
seconds
(Optional) Length of key encryption grace-time in seconds. Valid range is
300 to 1800 seconds. The default grace-time value is 600 seconds.
(Optional) Length of the key encryption life-time in seconds.Valid range is
86,400 to 604,8000. The default life-time value is 604800 seconds.
select 40 bit DES
turn on BPI modem authentication
turn on BPI multicast authorization
KEK Key Parms
force privacy be mandatory
TEK Key Parms
Configuring the Cable Modem Termination System for the First Time
OL-1520-05