
Cable vs. T1? The ultimate question.


Comments

  • dynamik (Banned, Posts: 12,312)
    milliamp wrote:
    I don't mean to offend, but if you don't know the difference between unicast and broadcast maybe you shouldn't weigh in on this discussion. This would be like me walking around a hospital giving advice to cancer patients.

    I don't mean to offend, but... Well, I'm sure you can imagine where that could have gone.

    No one here claimed to be a cable guru. Everyone's posts furthered the discussion, and now we all have a better understanding of cable. Why are you getting so worked up over this?
  • milliamp (Member, Posts: 135)
    liven, my reply to you was pretty rude, I admit.

    Rather than detail why ARP does not exclude modem-to-CMTS traffic from being encrypted, I insulted you undeservedly, basically because it required less text. Sorry.

    But basically the encryption between the modem and the CMTS is only relevant to that specific link. If my neighbor sends a broadcast packet, the packet is encrypted over the channel between him and the CMTS, but if the CMTS (basically a router) decides that packet is addressed to broadcast, it will forward the packet to me over my encrypted channel as well. In this example I am not actually reading his transmitted packet off of the wire, I am getting it forwarded to me by the gateway/CMTS. This is why you are able to see it in a packet capture.
  • liven (Member, Posts: 918)
    milliamp wrote:
    liven, my reply to you was pretty rude, I admit.

    Rather than detail why ARP does not exclude modem-to-CMTS traffic from being encrypted, I insulted you undeservedly, basically because it required less text. Sorry.

    But basically the encryption between the modem and the CMTS is only relevant to that specific link. If my neighbor sends a broadcast packet, the packet is encrypted over the channel between him and the CMTS, but if the CMTS (basically a router) decides that packet is addressed to broadcast, it will forward the packet to me over my encrypted channel as well. In this example I am not actually reading his transmitted packet off of the wire, I am getting it forwarded to me by the gateway/CMTS. This is why you are able to see it in a packet capture.

    Hey man it is all good.

    Ok so can I ask you more questions about this?

    Only because I am curious and would like to understand this. Once again please understand I am not trying to argue or doubt your knowledge.

    I understand that arp is layer 2. So how would we be able to connect to the neighbors shares if everything is encrypted? Wouldn't connections bound for neighboring machines have to send their requests through the "CMTS" in order to connect and communicate with machines on the same subnet (because of the encryption)?
    encrypt the encryption, never mind my brain hurts.
  • hypnotoad (Banned, Posts: 915)
    Can we all agree that responsible admins wouldn't leave encryption up to the telco anyway, right? :)
  • liven (Member, Posts: 918)
    nl wrote:
    Can we all agree that responsible admins wouldn't leave encryption up to the telco anyway, right? :)

    agreed!!!

    I sure don't and never will.

    I have worked for several providers and security was not their main concern!
    encrypt the encryption, never mind my brain hurts.
  • milliamp (Member, Posts: 135)
    liven: "Wouldn't connections bound for neighboring machines have to send their requests through the "CMTS" in order to connect and communicate with machines on the same subnet (because of the encryption)?"

    Yes, they would. Think of it a bit like having separate FastE interfaces in the same VLAN. We can have the same default gateway, but my communication from me to you or you to me is still passed through the gateway. If we encrypt our traffic between us and the gateway at the MAC layer, we are still able to communicate because IP is a layer above that.

    Essentially, once my frame reaches the gateway/CMTS, the wrapper/encryption is removed and a packet is extracted from it. If it is destined to you, the CMTS will add a new wrapper, encrypt it with your TEK (traffic encryption key) and transmit the packet to you.

    Even without the encryption, just connecting dedicated hardware to the coax to intercept all the QAM data on the correct frequencies, figuring out which channels/time slots etc. belong to which modems, and parsing the S-CDMA data would be a significant pain in the ass. That will become more complex with DOCSIS 3.0 channel bonding.

    Even if they get through all of this and hash enough of your traffic to determine the TEK used, your cable modem will use a new TEK in 12 or 24 hours anyway. The TEK/KEK is established during the registration process and is unique per cable modem, so even if you are successful you will get a partial snapshot of data for one user on the segment, and even then only for the data they sent in clear text.

    If you are after someone's data that bad it would be far easier to tap into another unencrypted line on their premises or install a keylogger for it.
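    The two milliamp posts above (the broadcast-forwarding explanation and the unicast/TEK-rotation one) describe a per-link key model that is easy to get wrong in one's head, so here is a small added simulation of it. This is illustrative code written for this thread, not anything from the post or from a DOCSIS implementation: the cipher is a constructed SHA-256 counter-mode keystream with an HMAC tag standing in for the real BPI+ DES/AES encryption, the MAC addresses and payloads are made up, and the CMTS object holds each modem's TEK directly to stand in for the key established at registration. It shows why a capture behind your own modem contains a neighbor's broadcast (the CMTS re-wrapped it under your TEK) while the neighbor's unicast frames on the same coax stay opaque, and why a retired TEK no longer opens frames sent after rotation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from SHA-256. Constructed for this
    # model only; real DOCSIS BPI+ uses DES/AES under the TEK.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(tek: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC a payload under one modem's TEK: nonce || ct || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(tek, nonce, len(payload))))
    tag = hmac.new(tek, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def open_frame(tek: bytes, blob: bytes):
    """Return the payload if the tag verifies under this TEK, otherwise None."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(tek, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(tek, nonce, len(ct))))


@dataclass
class Modem:
    mac: str
    tek: bytes = field(default_factory=lambda: os.urandom(32))
    readable: list = field(default_factory=list)  # payloads the host behind it sees
    opaque: int = 0  # downstream frames seen on the coax that did not verify

    def observe(self, blob: bytes) -> None:
        # Every modem on the segment sees every downstream frame (shared medium);
        # only the one holding the matching TEK recovers the payload.
        payload = open_frame(self.tek, blob)
        if payload is None:
            self.opaque += 1
        else:
            self.readable.append(payload)

    def rekey(self) -> bytes:
        """Periodic TEK rotation; returns the retired key for comparison."""
        old, self.tek = self.tek, os.urandom(32)
        return old


class CMTS:
    def __init__(self):
        self.modems = {}  # mac -> Modem; TEK known per modem from registration

    def register(self, modem: Modem) -> None:
        self.modems[modem.mac] = modem

    def upstream(self, src: str, dst: str, blob: bytes) -> None:
        # Strip the sender's encryption, then re-wrap for each recipient's TEK.
        payload = open_frame(self.modems[src].tek, blob)
        if payload is None:
            return  # bad tag under the sender's TEK: drop
        if dst == BROADCAST:
            targets = [m for mac, m in self.modems.items() if mac != src]
        else:
            targets = [self.modems[dst]]
        for target in targets:
            downstream = seal(target.tek, payload)
            for m in self.modems.values():  # the whole segment sees the bits
                m.observe(downstream)


def demo() -> dict:
    # Constructed sample segment: three modems behind one CMTS.
    cmts = CMTS()
    alice = Modem("00:00:00:00:00:0a")
    bob = Modem("00:00:00:00:00:0b")
    carol = Modem("00:00:00:00:00:0c")
    for m in (alice, bob, carol):
        cmts.register(m)
    cmts.upstream(alice.mac, bob.mac, seal(alice.tek, b"unicast to bob"))
    cmts.upstream(alice.mac, BROADCAST, seal(alice.tek, b"ARP who-has 10.0.0.1"))
    retired = bob.rekey()
    after = seal(bob.tek, b"after rotation")
    return {
        "bob_sees": list(bob.readable),
        "carol_sees": list(carol.readable),
        "alice_sees": list(alice.readable),
        "carol_opaque": carol.opaque,
        "old_tek_opens_new_frame": open_frame(retired, after) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

    Carol ends up with the broadcast in the clear and two frames she could not verify (the unicast to bob and bob's copy of the broadcast): exactly the "I see his broadcast in my capture, but not because I read it off his link" situation from the posts. Swapping the toy cipher for a real AEAD does not change the routing logic, which is the point of the model.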
  • liven (Member, Posts: 918)
    milliamp wrote:
    liven: "Wouldn't connections bound for neighboring machines have to send their requests through the "CMTS" in order to connect and communicate with machines on the same subnet (because of the encryption)?"

    Yes, they would. Think of it a bit like having separate FastE interfaces in the same VLAN. We can have the same default gateway, but my communication from me to you or you to me is still passed through the gateway. If we encrypt our traffic between us and the gateway at the MAC layer, we are still able to communicate because IP is a layer above that.

    Essentially, once my frame reaches the gateway/CMTS, the wrapper/encryption is removed and a packet is extracted from it. If it is destined to you, the CMTS will add a new wrapper, encrypt it with your TEK (traffic encryption key) and transmit the packet to you.

    Even without the encryption, just connecting dedicated hardware to the coax to intercept all the QAM data on the correct frequencies, figuring out which channels/time slots etc. belong to which modems, and parsing the S-CDMA data would be a significant pain in the ass. That will become more complex with DOCSIS 3.0 channel bonding.

    Even if they get through all of this and hash enough of your traffic to determine the TEK used, your cable modem will use a new TEK in 12 or 24 hours anyway. The TEK/KEK is established during the registration process and is unique per cable modem, so even if you are successful you will get a partial snapshot of data for one user on the segment, and even then only for the data they sent in clear text.

    If you are after someone's data that bad it would be far easier to tap into another unencrypted line on their premises or install a keylogger for it.


    Nice answer.

    Thanks

    Ok so what provider do you work for?

    I have worked with lots of folks over the years, and the small handful that could go into that kinda detail about a specific circuit usually worked for a provider of some sort.

    I mean for real that is some pretty serious detail you went into.

    Thanks again.
    encrypt the encryption, never mind my brain hurts.
  • Ahriakin (Member, Posts: 1,799)
    nl wrote:
    Can we all agree that responsible admins wouldn't leave encryption up to the telco anyway, right? :)

    Amen. A lot of this (while very interesting and corrected some of my own assumptions about the nature of traffic visibility on local cable segments) is moot when you'd have to be nuts not to have a corporate firewall for public facing assets and VPNs for branch offices regardless of the medium.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • mgeorge (Member, Posts: 774)
    Wow what a thread...

    I have to agree with nl, anyone who transmits business-related traffic over an unsecure link deserves to be hacked. I've seen many deployments in branch offices use both DSL and Cable but use encrypted tunnels for business traffic back to the HQ (common practice of course, if you use such technologies).

    But from my point of view, if I were to use a link just for internet browsing then I'd throw in ADSL every time. While xDSL and Cable technologies have their own advantages/disadvantages, I personally prefer xDSL over cable.
    There is no place like 127.0.0.1
  • liven (Member, Posts: 918)
    I don't think anyone on here is suggesting that we trust the ISP/provider for security.

    In my eyes the debate was in the topic of "is cable more secure than DSL".

    Which seems to be very nicely answered by Milliamp.

    Regardless of the medium used, encryption and tunneling should always be applied.
    encrypt the encryption, never mind my brain hurts.
  • KenP (Member, Posts: 1)
    JDMurray wrote:
    How about putting Security? on that list!

    Cable is a shared medium between your demarc and the cable company. Any other cable subscribers on your segment can sniff everyone else's traffic. DSL and T-carrier service gives you a private, Permanent Virtual Circuit between yourself and your Central Office. After the CO your security will be encryption, PKI, and VPN technology. If you want more bandwidth, look at the DSL and fractional T-3 offerings from the Telco in your area.

    I'm evaluating cable vs bonded T1 (12Mbps). As for the "shared", I'm being led to believe that Comcast business class does not share bandwidth like home service and that we would not be affected by others in our area. Is this not accurate?
  • GAngel (Member, Posts: 708)
    Put three or four people on a cable line and the speed they advertise goes out the door. Put the same people on a T1 line and the speed is consistent. Plus T1 has a true SLA while cable is smoke and mirrors.

    You have to do a risk analysis on how much it would hurt your company to be without internet access for X amount of time. If someone has to download 2 GB you should be looking at better methods of attaining the data.
  • RTmarc (Member, Posts: 1,082)
    KenP wrote:
    I'm evaluating cable vs bonded T1 (12Mbps). As for the "shared", I'm being led to believe that Comcast business class does not share bandwidth like home service and that we would not be affected by others in our area. Is this not accurate?

    For that many bonded T1s, you could probably go the MetroE route for the same (or less) cost.
  • desertmouse (Member, Posts: 77)
    Can your business survive without internet for a day, or two, or three? If so, then go with cable. Otherwise stick to a T1, get an EoC solution (3 Mbps should be in your price range), or get Cable & DSL with some sort of firewall/router auto-failover.

    Even "business class" cable doesn't have a true SLA, and you WILL have outages. Lastly - from a Chicago local - stay away from Cable here....
  • eMeS (Member, Posts: 1,875)
    The cable hub (or whatever it's called) for several of my neighbors is in my back yard.

    Is it wrong when my performance is slow to disconnect their lines?

    Just kidding, of course, but I do live in the middle of a large city and I find it interesting that the cable "hub" isn't locked or secured in any way...

    MS
  • veritas_libertas (Member, Posts: 5,746)
    milliamp wrote:
    liven: "Wouldn't connections bound for neighboring machines have to send their requests through the "CMTS" in order to connect and communicate with machines on the same subnet (because of the encryption)?"

    Yes, they would. Think of it a bit like having separate FastE interfaces in the same VLAN. We can have the same default gateway, but my communication from me to you or you to me is still passed through the gateway. If we encrypt our traffic between us and the gateway at the MAC layer, we are still able to communicate because IP is a layer above that.

    Essentially, once my frame reaches the gateway/CMTS, the wrapper/encryption is removed and a packet is extracted from it. If it is destined to you, the CMTS will add a new wrapper, encrypt it with your TEK (traffic encryption key) and transmit the packet to you.

    Even without the encryption, just connecting dedicated hardware to the coax to intercept all the QAM data on the correct frequencies, figuring out which channels/time slots etc. belong to which modems, and parsing the S-CDMA data would be a significant pain in the ass. That will become more complex with DOCSIS 3.0 channel bonding.

    Even if they get through all of this and hash enough of your traffic to determine the TEK used, your cable modem will use a new TEK in 12 or 24 hours anyway. The TEK/KEK is established during the registration process and is unique per cable modem, so even if you are successful you will get a partial snapshot of data for one user on the segment, and even then only for the data they sent in clear text.

    If you are after someone's data that bad it would be far easier to tap into another unencrypted line on their premises or install a keylogger for it.

    WOW! Nice detailed answer.
  • JDMurray (Admin, Posts: 13,036)
    eMeS wrote:
    Just kidding, of course, but I do live in the middle of a large city and I find it interesting that the cable "hub" isn't locked or secured in any way...
    I have a Verizon FiOS hub in an unlocked, easy-open cable vault under the sidewalk directly in front of my house. Unless someone is trained in working with fiber, there's not much anyone could do with it--other than to have a go at it with some bolt cutters.
  • Kaminsky (Member, Posts: 1,235)
    posted .. then deleted and stepped quietly back out of the thread.
    Kam.
  • eMeS (Member, Posts: 1,875)
    JDMurray wrote:
    I have a Verizon FiOS hub in an unlocked, easy-open cable vault under the sidewalk directly in front of my house. Unless someone is trained in working with fiber, there's not much anyone could do with it--other than to have a go at it with some bolt cutters.

    I could actually disconnect people's cable lines...with or without bolt cutters...and I know which one is mine!

    Wish I had FIOS...We're not a Verizon neighborhood....

    MS