Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Signed Configuration for Devices
Cisco BAC uses the Signed Configuration feature to sign the portion of the CPE configuration that is
intended to be passed by the CPE to a third party, such as an aggregation device. For example, a CPE
with Femtocell functionality passes its access control entries to the Femtocell Gateway.
The configuration is signed using a secret key that is shared between Cisco BAC and the Gateway. This
Signed Configuration eliminates the need to separately configure the Gateway for each individual CPE.
The signature provides proof to the Gateway that the configuration:
• Was generated by Cisco BAC.
• Was not falsified in transit.
• Is targeted for a specific CPE.
• Is targeted for a specific Gateway.
• Is current.
To prevent replay attacks, the time of the signature generation and its validity period are also
incorporated in the signature.
Signature Expiration
Cisco BAC is configured with a signature validity period that determines the window during which the
device communicates the signed data and signature to the Gateway. If the device communicates the data
to the gateway beyond that validity period, the gateway rejects the signature.
The gateway can also be configured to cache configurations beyond their signature validity period,
provided the device reconnects to the gateway within a certain interval. This behavior reduces the load
of signature regenerations for active devices and allows the device to not persist a security-sensitive
signature across reboots.
Signature Regeneration
The DPE generates a new signature and sets it on a device only if:
• The Signed Configuration parameters at the RDU are changed in the data model or in the
configuration template.
• The device reports to the DPE that the Gateway rejected the signature for reasons such as invalidity
or expiration.
• The device reports to the DPE that it does not have a signature.
Configuration Interfaces
You can enable the Signed Configuration feature in Cisco BAC by configuring the following properties:
• Signature Validity—Specifies the number of seconds for which the signature is considered valid.
• Signature Key Name—Indicates the name of the key that is used by the gateway to look up the
shared secret key. You must change the signature key name when the secret key is changed.
• Secret Key—Specifies the secret that is used to compute the signature.
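The following is an added illustration of the properties above (Signature Validity, Signature Key Name, Secret Key) together with the expiration and gateway-side caching behaviour described under Signature Expiration; it is not Cisco BAC or gateway code, and the guide does not document the actual signature format. It assumes an HMAC-SHA256 over the configuration fragment bound to the CPE identity, the target gateway, the key name, the generation time and the validity period, with all identifiers and secrets being constructed sample values.

```python
import hmac
import hashlib
import json
import time

# Constructed key store (hypothetical): signature key name -> shared secret.
# Rotating the secret means introducing a new key name, as the guide requires.
KEY_STORE = {"fgw-key-01": b"constructed-shared-secret"}

def _serialize(fields):
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_config(config, cpe_id, gateway_id, key_name, secret, validity, now=None):
    """BAC/DPE side: bind the config to one CPE, one gateway, a generation
    time and a validity window, so a replayed or retargeted copy is rejected."""
    now = int(time.time()) if now is None else now
    envelope = {"config": config, "cpe": cpe_id, "gateway": gateway_id,
                "key_name": key_name, "generated": now, "validity": validity}
    envelope["sig"] = hmac.new(secret, _serialize(envelope), hashlib.sha256).hexdigest()
    return envelope

def verify_config(envelope, cpe_id, gateway_id, key_store, now=None, cache_grace=0):
    """Gateway side. cache_grace models accepting a cached signature past its
    validity period for a device that reconnects within an interval.
    Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    secret = key_store.get(envelope.get("key_name"))
    if secret is None:
        return False, "unknown key name"
    if envelope.get("gateway") != gateway_id:
        return False, "not targeted at this gateway"
    if envelope.get("cpe") != cpe_id:
        return False, "not targeted at this CPE"
    fields = {k: v for k, v in envelope.items() if k != "sig"}
    expected = hmac.new(secret, _serialize(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison; check the MAC before trusting any field.
    if not hmac.compare_digest(expected, envelope.get("sig", "")):
        return False, "bad signature"
    if now < envelope["generated"]:
        return False, "signature generated in the future"
    if now > envelope["generated"] + envelope["validity"] + cache_grace:
        return False, "signature expired"
    return True, "ok"
```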