by croutonwagon 1524 days ago
I can understand some of the concern. And while I will admit I haven't dived too deeply into the minutiae of how many of these DOCSIS providers manage modems at scale, after watching his presentation I felt most of that could or should be inferred.

For example:

I was well aware that you needed to get a MAC address whitelisted and that from there a config, including your speed tier, would be pushed. I somewhat assumed DHCP reservations were used for that, on a management network, with TFTP for the config file. It makes sense.

This was also solidified by the fact that in most cases during an internet outage, my router's IP would revert back to an RFC 1918 address.

I've never used "landline" services from these providers, so SIP wouldn't really be in scope, but it's not surprising that would be on a separate network and there may be some ability there to "sim-ring" calls. That's standard in a lot of SIP implementations and probably a feature even a home user would want (i.e. ring my cell phone and allow it to connect if the phones on the modem don't work).

Things like redirecting traffic, etc. would get noticed with a ton of stuff being SSL/TLS encrypted. But I would agree some/a lot of this should be using TLS as well.

That said, I have never mucked with any of it because:

1. I consider the modem, which I own, to be untrusted, and while it's inside my demarc, it's outside my security perimeter. It's not directly managed or controlled by me. Anything on it or passing through it should be considered hostile and subject to inspection or filtering.

1a. This is 100% of the reason why I run my own firewall, separately from a device managed by the ISP, and why I avoid AIO-style modem/router/firewall devices.

2. I am unsure what mechanisms an ISP may employ to ensure certain things (like upstream/downstream configs) are not tampered with. This could be as simple as a hash check monthly or when billing rolls over, to ensure my version is the same as theirs on their servers. Changing that could get me out of bounds with the TOS and canceled, and I have few other options.

So it's incumbent on me to basically mind my business. I can also see that my "unleashing" my speed tier could impact others on my node, which may cause calls from other customers, and an investigation would show that there's a sudden oversubscription outside of their norms/standards. Again, that could be considered malicious and get my service canceled or me or the address blacklisted.

WITH that said, I do understand the concern with respect to AIO-style devices. But again, I would consider anything on the ISP network to be "red" and no different from the relative hostility of the greater internet. But I don't see the concern with DHCP traffic and ARP traffic; that seems normal, even on an ISP net. It's how devices get online and authenticate and find the next hops on the network.

ISPs should do better about segmenting that, though, and should probably not provide an AIO solution in general, or if they do, have one with actual physical segmentation (i.e. a box with two boards independent of each other, connected the same way a modem and router would be separately). But I understand why they may want to have simpler setups as well from a customer support standpoint, considering the average technical prowess of their userbase.
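As an added example (not part of croutonwagon's comment and not any ISP's configuration), the two practical pieces of the "modem is untrusted, I run my own firewall" posture described above: a check that flags the RFC 1918 fallback address the commenter reports seeing on the router's WAN side during an outage, and an nftables ruleset that treats everything arriving from the modem as hostile by default. nftables is my choice of tool here (the comment names none), and the interface names wan0 and lan0 are assumptions.

```sh
#!/bin/sh
# Added example, not from the comment above.
#   wan_is_private / wan_state: classify the address the modem handed to the
#     router's WAN port. A private address where a public one is expected is
#     the "upstream is down" symptom the commenter describes.
#   print_ruleset: nftables ruleset (hypothetical interfaces "wan0", "lan0")
#     with default-drop on the modem side: only replies to our own traffic
#     and the DHCP offers we asked for are accepted from the WAN.

# Returns 0 if the dotted-quad address is in 10/8, 172.16/12 or 192.168/16.
wan_is_private() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# "upstream-down" when the modem has fallen back to a private lease,
# "upstream-up" otherwise.
wan_state() {
  if wan_is_private "$1"; then
    echo "upstream-down"
  else
    echo "upstream-up"
  fi
}

# Emit the ruleset; apply with: print_ruleset | nft -f -
print_ruleset() {
  cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    # DHCP offers/acks from the modem are the one unsolicited thing expected on WAN;
    # broadcast replies are not always matched by conntrack, hence the explicit rule.
    iifname "wan0" udp sport 67 udp dport 68 accept
    # the LAN side is ours; everything else from the modem side hits the drop policy
    iifname "lan0" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "lan0" oifname "wan0" accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Constructed sample lease addresses, as a stand-alone demonstration.
for lease in 192.168.100.1 203.0.113.7; do
  echo "$lease: $(wan_state "$lease")"
done
```

The input chain's drop policy is what encodes the stance in the comment: nothing the modem or the ISP-side network originates reaches the firewall host or the LAN unless it is a reply to something the LAN initiated, and the single DHCP exception is scoped to the WAN interface and ports so it cannot be reused for anything else.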