- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
Re: Modems and static IP addresses
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Modems and static IP addresses
I was informed by my MSP (Sparklight) that if I want to use static IP addresses with my business subscription, that I have to use one of their devices... which are router/firewall/WAP/modem devices:
Can I purchase my own modem and still have a Static IP assigned?
I found this out after buying a new DOCSIS® 3.1 Cable Modem (CM1200) on Amazon.
I don't really get this.
- it's a CPE... I should get to run what I want on my side of the demarcation... otherwise, what's the point of having any sort of demarcation at all? Where does it end? Do I have to get my router, switches, WAPs, NASes, laptops, etc. from the MSP?
- my employer provides a firewall that they've chosen and provisioned... why do I need to stick another firewall in front of this--it will just cause more problems (e.g. double-NATTing, ISAKMP, STUN, etc).
- IP is a layer 3 abstraction, so why does my layer 2 device [modem] come into it?
- by turning off WiFi, firewall, and other [complex] router functions on my hypothetical Arris device, I've effectively turned it into just a modem... but I'm told I can't use just a modem;
so I asked about this, and here's the response I got:
For the security of our architecture we do not allow customers to directly peer with the routing protocols on cable modem or pon based services. The specific reason why is that to maintain the security of our CMTSs and routing protocols so the dynamic routing protocols are on devices under our own control
which I really didn't get, and I've written routing protocol stacks. A modem wouldn't be peering via a routing protocol with the MSP's infrastructure. It doesn't have the ability to: it operates at layer 2, and hence can't route anyway, being able to only address other MAC-layer devices that are on the same physical segment. And I'm not asking to peer at the routing protocol level with their infrastructure. I'm happy to provision a local address, subnet mask or prefix, and default gateway and call it good. No routing protocols involved.
Further, a router/firewall/WAP/modem device has more complexity, and hence more attack surface. It's axiomatic that a service doesn't necessarily need to be enabled to be vulnerable to attack. Less functionality, less attack surface, hence easier to secure. It's hard to be more secure than a modem.
The CMTS's should be capable of blocking [routing protocol] traffic via ACL's (access control lists), or simply disabling listening on the DOCSIS interfaces at the routing protocol layer.
That Sparklight has to protect their infrastructure by imposing restrictions on the CPE's is concerning to me: what happens when a customer manages to get a rogue device onto their network? Can it be that easy to compromise their infrastructure?
Does anyone else who knows more about the particulars of DOCSIS have any insight to offer on interpreting the response I got?
Thanks
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Modems and static IP addresses
I believe the ISP is correct in there policy. If you have a Business account, they seem to require the use of there equipment. That would be there policy. Technically, the static IP would be assigned to your service account and tied to the modem they associate with it. Then any external router connected would get this passed to the router, if they install a modem only unit. They may have modem/router units as well. However if there Business service requires the user of there HW, then thats up to them.
I'm on SL as well, however only use a home service so Dynamic WAN IP here. I've had my CM1200 online with them for a long time here and there. I just removed it as I got my CAX80 back from NG.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Modems and static IP addresses
If they're charging you for static IPs and requiring you to rent their modem, why not just include the cost of the modem in the static IP fee structure? Otherwise it starts to feel like you're being nickel and dimed.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Modems and static IP addresses
Something to ask them about. However ISPs I presume are in the business to make money as well. ISP along with other tech service companies are well known for nickel and diming customers. I.e. Cell phone service companies. Anything they can legally get away with, they seem to scrape what they can from us customers.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Modems and static IP addresses
Thankfully my cell phone provider (Verizon) charges me a flat-rate of $30/mo per line. Maybe there's a lesson there...
And my [small] business service from Sparklight isn't cheap: $193/mo with 5 static IPs, for 300/50mbs service (during the day more like 180/20mbs).
4 miles away I was getting 100/100mbs G.PON for $60/mo. That was a bargain.
As I said, I asked my MSP about the limitation on modems and it was word salad. See the original posting. Their reasoning ran counter to current best practices in network security.
"Something-something more secure" but what they really meant was, "because we say so."
It's not more secure, very much the opposite.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Modems and static IP addresses
And you have you answers. It's there show.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Modems and static IP addresses
@FURRYe38 wrote:And you have you answers. It's there show.
Fortunately, it's not that simple. There's federal telecommunications regulations, Telcordia and CableLabs TR's, and common carrier agreements... They can't just do things arbitrarily.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: Modems and static IP addresses
Maybe however that's all at the ISP level. Nothing we can do here.
• Introducing NETGEAR WiFi 7 Orbi 770 Series and Nighthawk RS300
• What is the difference between WiFi 6 and WiFi 7?
• Yes! WiFi 7 is backwards compatible with other Wifi devices? Learn more