[ale] An unnecessary outage

Matt Rutherford matthew.g.rutherford at gmail.com
Wed Apr 13 18:53:40 EDT 2011


On Wed, Apr 13, 2011 at 5:34 PM, Michael B. Trausch <mike at trausch.us> wrote:

> On 04/13/2011 01:50 PM, Matt Rutherford wrote:
> > Lurker cable person here. First, what's hardware version of the SMC? You
>
> It's a pretty heavily locked down SMC D3G, r1.01.  While I have access
> to the Web-based UI, it's pretty useless---just enough to see what it's
> doing, and configure some basic firewall-type behavior.  That's pretty
> much it.  It has the upstream capability to do things like VPN and flash
> updates, but I have access to none of those options.
>
>
Yeah, unfortunately most of those options in my experience are unused and/or
require support to enable. Some companies refuse to do it. A case of
functional equipment, non-functional setup.



> > might check if there are known-fix options for it. Do you have access to
> > the GUI on it via it's local gateway IP? I've worked with some of the
> > 'business class' SMC modems that cable companies use and there are some
> > weird issues with some versions. That said, I've been on the support end
> > of the line plenty of times with residential cable modems where a
> > problem on the internal network (typically the routers) will actually
> > offline a modem entirely or cause serious problems with the network. So
> > there is no 100% guarantee that the modem won't be impacted on the
> > DOCSIS/RF side of things by a device in the home. Same goes for anything
> > throwing enough static sharing the same power strip, though happens less
> > often overall.
>
> Joy.
>
> > Do you know what happened to the Linksys? I'm just curious if this was
> > an issue where the Linksys and the modem were fighting for control of
> > default gateway route, or something more hardware-level. Most modems
> > providing NAT or bridge/routing mode still advertise a local address
> > (for residential cable modems typically 192.168.100.1) that you can use
> > to reach their GUI and check diagnostics. If the Linksys got reset to
> > defaults or conflicting settings, I can see that causing problems.
> > Hardware level stuff can be much more random-seeming.
>
> The problem started yesterday at just a little after noon (12:06 was
> when my alarms started going off).  We were experiencing a lot of high
> winds then, so I'm guessing that we probably experienced a slight power
> surge.  The Linksys device probably stopped functioning properly at that
> time.  It seems to me that they are sensitive to things like certain
> types of power spikes.  This is the first time this one has ever done
> that and it's been here for seven months or so now.  (That said, its
> malfunction should have affected only its network segment, seriously.)
>
> The tech unplugged the Ethernet cables one-by-one from the SMC box and
> when he unplugged the one that goes upstairs to feed the Linksys
> wireless router, the cable modem started working correctly.
>
>
I have seen nearly this exact behavior with modems and routers. It's usually
resolved by a router swap; unfortunately, I've never been onsite with Wireshark
and voltage meters to figure out if the source is feedback/overpower down
the Ethernet, or just random garbled nastiness at the ARP level coming out of
the router.

I can't pinpoint blame to power surges, but they are the most likely
culprit. If I lived in an area with more thunderstorms than I do right now,
I would likely rent rather than own a cable modem - just so I didn't have to
replace one every time a surge came down the coax and blew through the
modem.

> The other interesting thing to note is that this happened not just with
> one SMC box, but two of them (the second one being brand new).  That is
> why I have the feeling that this is some sort of result of a design
> flaw.  I cannot recall _ever_ having a switch that suffered complete
> failure when one device on it was misbehaving.
>
>
Switches I would agree are more robust in this regard, but as David
mentioned, you might daisy-chain the SMC->router->more routers/home
network.


> > Replacing the SMC with your own equipment it depends on how your
> > provider has their IP routing set up. I've mostly seen RIPv2 based
> > routing for 'business class' or static IP service from cable ISPs. This
> > requires your modem to have the static IP configurations in place and
> > the (non customer visible/secret) RIP key in place to make these IP's
> > route to the modem at the premises. This means that cloning the MAC
> > address alone of the device won't set up the modem to route your /28.
>
> Sigh.


> Never did I think that AT&T would have a point in its favor, but it'd
> seem it does.  The way _they_ do static-address subnetworks is to update
> a routing table on their network whenever a PPPoE session is started for
> a customer that has it.  I confirmed that when I swapped out my client's
> AT&T provided DSL modem with one from Fry's (which I did because AT&T
> swapped their modem three times to no avail, and their modems
> would stop working every 24 hours, like clockwork).
>
Cable got away from the user-login based stuff, which as we see here, has
problems as well as benefits. I don't know DSL as well as I know cable by
any stretch, but I have a feeling the DSLAM model relies partly on the fact
you're not sharing bandwidth the same way as you do on the HFC networks. On
the opposite side, I deal with having to get my (non-static) IP whitelisted
on a VPN every time my cats decide the DSL modem cord looks like fun to play
with. On cable you typically don't get a new IP from their DHCP pool until
your DHCP session ends without a renew or a new modem/CPE MAC address is
introduced. So a few hours of downtime doesn't always result in a new IP.

> That said, if the device is using something like RIP or similar, that
> means that the device has to have the public key of the target server
> (if using encryption) or its own private key (if just signing); there is
> no way around that requirement that I can think of.  Which means that
> it's likely possible to do, though it would be a veritable pain in the ass.
>
Possible perhaps, but I agree it would be pretty painful. No easy way to
get around it. Especially not within your contract, user agreements, etc.


> > Additionally, most residential class/off the shelf modem/router combos
> > won't actually accept a static IP configuration due to the firmware
> > imaging. I'll cut short a lot of detailed info but in a nutshell the
> > firmware on modems (customer owned or corporate provided) is provided by
> > the cable company and if a non-authorized image is detected the modem
> > won't be authorized for service. For standard cable modems, the services
> > are based on MAC address, but the checks for an authenticated/signed
> > firmware image will prevent services thanks to happy cable modem hackers
> > - especially in Docsis3. This is typically in the small print of the
> > contract/user agreement/policies - even if it's your equipment, the
> > cable company can force firmware updates and deny service to
> > non-authorized images.
>
> That's... interesting.  I will need to re-read my contract.  I do not
> recall such a provision in it.  Though, it is possible that I could have
> overlooked it.
>

Yep, it all goes back to the cable modem hackers and the subsequent arrests,
criminal trials, lawsuits, etc. I know why the security is in place, though
it can be frustrating. In general there's not much in the way of software
updates for cable modems, even the combined router/modems.

>
> > I do not think you will see the DOCSIS side broadcasts from wireshark
> > since these go out from a separate interface which performs DOCSIS
> > encapsulation between the modem's RF out chip and the CMTS upstream,
> > where the traffic is re-encapsulated to head out on the backbone.
>
> Well, right.  I know this much: wireshark knows the DOCSIS protocols.
> I'd presume that means it's been used for that purpose before, unless
> this was just implemented either to a spec or in order to monitor
> emulated hardware or something.
>

> I was hoping that there would be some way to get on the other side of
> that interface.  Something like connecting a "tap" on the coax line and
> logging/monitoring the traffic going across the physical link.
>
In theory, sure. In practice, packets from modem->CMTS are hit with BPI
(Baseline Privacy Interface), now called SEC in Docsis3.0. Otherwise, due to
shared bandwidth, there would be major vulnerability for taps or people with
modems set to 'listen only' somewhere along the line. Good basics of it are
here: http://en.wikipedia.org/wiki/DOCSIS#Security


> > Lastly, the mixed luck news: I've not seen a single cable operator that
> > will route a static IP block to a modem they don't own because of the
> > secret key for whatever routing scheme they use. Making that available
> > to end-user controlled modems would be a major security flaw. However
> > many operators do have more than one type or provider of the modems they
> > use in the market. You may be able to call the cable operator and
> > request a modem from a different manufacturer, but that depends heavily
> > on the market you're in and what hardware availability is like.
>
> Comcast only seems to have the SMC boxes.
>
> Don't get me wrong here: they're probably great for most people.  You
> plug 'em in, and they work.  They handle multiple IP networks on the
> bridged segment just fine, pass protocol 41, and (for the most part)
> work as they should.
>
>
The SMCs are pretty highly functional when compared to some of the older
boxes from Cisco and Arris I dealt with, and the configuration options are
far and away more extensive - but fairly poorly used.

> But it comes at the cost of using one of your static IP addresses (I
> have a /28; I can't use the first address because it's the network
> address, I can't use the last address because it's the broadcast
> address, and I can't use the second to the last address because that's
> the one that the gateway takes).  AT&T does the same thing with their
> own DSL modems, but you get the gateway IP address back if you don't use
> their equipment, since it's tied to the PPPoE session; of course that
> means that when you have a /29 with them, you actually get an extra
> address because the PPPoE session has a dynamic IP which serves as the
> gateway address for the /29 that you have.
>
Agreed, the overhead is a bummer. Didn't know that trick for using your own
equipment - I may have to get a static IP w/AT&T due to the cat shenanigans
mentioned above; it would be nice to have an extra.


> > With regard to internal cable modems, their unavailability comes from a
> > couple directions: Control of hardware, control of software. There's
> > some interesting books out there about cable modem hacking and the
> > history of cable modems, but from my understanding it boils down to the
> > controllers of the DOCSIS spec (CableLabs) having a vested interest in
> > keeping end-users from fiddling with and bypassing security and
> > authentication measures, including the digital certificates internal to
> > the modems. I'm highly doubtful a computer-internal cable modem would
> > ever get licensed for DOCSIS or pass DOCSIS certification.
>
> That's sad.  There were DOCSIS 1.0, 1.1, and 2.0 internal cable modems
> that I was able to find, but of course those would do me no good.
>
I'm surprised you can find 1.0/1.1 and 2.0 internals. One concern I would
have is from personal experience with internal dialup modems: one more
avenue for frying, and I never had much luck with surge protection (this
being 10+ years ago) saving my PC.

> > In summary, your best bet is to contact your cable provider and ask
> > about alternate modem availability to see if another modem doesn't have
> > the same kind of problem. It's possible they could also re-configure the
> > SMC to a different setup to prevent possible failure of this type in the
> > future if there was a known-issue from a tech bulletin/etc.
>
> They do nothing with the firmware, other than "program" it for your
> static IP allocation when it is deployed.
>
Yeah, corporate policy probably. Just because it's possible doesn't mean
it's possible!


> Sigh.
>
> The more I have minor little troubles here and there, the more I wish I
> had the money to just get a pair of dedicated lines that I could do BGP
> announcements on and have an SLA with a high level of service.  For the
> price, Comcast is not bad.  But the whole notion that the cable company
> cannot proactively monitor its equipment, will not let you provide your
> own equipment, and provides only a 24-turnaround time guarantee to
> engage you on an issue that you report is getting to be very obnoxious
> to me.
>
It's always a tradeoff situation in my experience. I currently run AT&T
1.5/256 DSL and ClearWire both, because I absolutely need internet access
and neither of them can offer me enough pipeline on their own. I wish I was
serviceable for Comcast or U-Verse.

> Perhaps I need to spend a week on dialup.  That ought to refresh my
> perspective and get me to quit my bitching.  Mostly, anyway.
>
Hey, I hear Earthlink's still around!


>        --- Mike
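Two of the home-LAN-side failure modes discussed in this thread (the Linksys and the modem "fighting for control of the default gateway", and "random garbled nastiness on an ARP level coming out of the router") can be checked from a capture on the bridged segment before blaming the DOCSIS side. The script below is an added example for that check, not code from the thread or from any vendor. It builds a constructed sample capture (the MAC addresses, the 192.168.100.1 gateway address and the timing are hypothetical) and flags two conditions: one IP address claimed by more than one MAC in ARP, and a single MAC emitting a burst of ARP frames.

```python
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(':'))


def ip_bytes(s):
    return bytes(int(x) for x in s.split('.'))


def mac_str(b):
    return ':'.join(f'{x:02x}' for x in b)


def ip_str(b):
    return '.'.join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame; used here only to construct sample traffic."""
    dst = b'\xff' * 6 if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack('!H', ETH_TYPE_ARP)
    arp = struct.pack('!HHBBH', 1, 0x0800, 6, 4, op)      # Ethernet / IPv4 / 6 / 4 / opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack('!H', frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack('!HHBBH', frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(frame[22:28]), ip_str(frame[28:32]), ip_str(frame[38:42])


def find_ip_conflicts(capture):
    """IPs that more than one MAC has announced as ARP sender: two boxes claiming one address."""
    claims = defaultdict(set)
    for _ts, frame in capture:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sender_mac, sender_ip, _target_ip = parsed
        claims[sender_ip].add(sender_mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def find_arp_storms(capture, window, threshold):
    """Source MACs that sent more than `threshold` ARP frames within any `window` seconds."""
    stamps_by_mac = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_arp(frame)
        if parsed is not None:
            stamps_by_mac[parsed[1]].append(ts)
    noisy = set()
    for mac, stamps in stamps_by_mac.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                noisy.add(mac)
                break
    return sorted(noisy)


# Constructed sample capture: hypothetical MACs, addresses and timestamps, not real data.
MODEM_MAC = '00:11:22:33:44:55'      # the cable modem's LAN side
ROUTER_MAC = 'aa:bb:cc:dd:ee:ff'     # the misbehaving wireless router
GATEWAY_IP = '192.168.100.1'
HOST_MAC, HOST_IP = '00:aa:00:aa:00:01', '192.168.100.10'
SAMPLE_CAPTURE = [
    (0.00, build_arp_frame(ARP_REPLY, MODEM_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)),
    (0.05, build_arp_frame(ARP_REPLY, ROUTER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)),   # conflicting claim
]
# Fifty ARP requests from the router in half a second, all announcing the gateway address.
SAMPLE_CAPTURE += [
    (0.10 + i * 0.01,
     build_arp_frame(ARP_REQUEST, ROUTER_MAC, GATEWAY_IP, '00:00:00:00:00:00', f'192.168.100.{i + 20}'))
    for i in range(50)
]


def report(capture, window=0.5, threshold=20):
    return {'ip_conflicts': find_ip_conflicts(capture),
            'arp_storm_sources': find_arp_storms(capture, window, threshold)}


if __name__ == '__main__':
    for key, value in report(SAMPLE_CAPTURE).items():
        print(f'{key}: {value}')
```

Both checks are passive: `capture` is just a list of `(timestamp, raw_frame)` pairs, so the same functions can be fed frames from a mirror port or a pcap reader. A duplicate claim for the gateway address is the signature of two devices answering for one IP; a sustained burst from one MAC is the kind of ARP noise a failing router produces and is worth unplugging that port over, which is exactly the isolation step the tech in the thread ended up doing by hand.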