pprindeville
Aspirant
Sep 22, 2022

Modems and static IP addresses

I was informed by my MSP (Sparklight) that if I want to use static IP addresses with my business subscription, I have to use one of their devices... which are router/firewall/WAP/modem devices:

 

Can I purchase my own modem and still have a Static IP assigned? 

 

I found this out after buying a new DOCSIS® 3.1 Cable Modem (CM1200) on Amazon.

 

I don't really get this.

  1. it's a CPE... I should get to run what I want on my side of the demarcation... otherwise, what's the point of having any sort of demarcation at all? Where does it end?  Do I have to get my router, switches, WAPs, NASes, laptops, etc. from the MSP?
  2. my employer provides a firewall that they've chosen and provisioned... why do I need to stick another firewall in front of this--it will just cause more problems (e.g. double-NATTing, ISAKMP, STUN, etc).
  3. IP is a layer 3 abstraction, so why does my layer 2 device [modem] come into it?
  4. by turning off WiFi, firewall, and other [complex] router functions on my hypothetical Arris device, I've effectively turned it into just a modem... but I'm told I can't use just a modem;

so I asked about this, and here's the response I got:

 

For the security of our architecture we do not allow customers to directly peer with the routing protocols on cable modem or pon based services. The specific reason why is that to maintain the security of our CMTSs and routing protocols so the dynamic routing protocols are on devices under our own control

 

which I really didn't get, and I've written routing protocol stacks.  A modem wouldn't be peering via a routing protocol with the MSP's infrastructure.  It doesn't have the ability to: it operates at layer 2, and hence can't route anyway, being able to only address other MAC-layer devices that are on the same physical segment.  And I'm not asking to peer at the routing protocol level with their infrastructure.  I'm happy to provision a local address, subnet mask or prefix, and default gateway and call it good.  No routing protocols involved.

 

Further, a router/firewall/WAP/modem device has more complexity, and hence more attack surface.  It's axiomatic that a service doesn't necessarily need to be enabled to be vulnerable to attack.  Less functionality, less attack surface, hence easier to secure. It's hard to be more secure than a modem.

 

The CMTSs should be capable of blocking [routing protocol] traffic via ACLs (access control lists), or simply disabling listening on the DOCSIS interfaces at the routing protocol layer.

 

That Sparklight has to protect their infrastructure by imposing restrictions on the CPEs is concerning to me: what happens when a customer manages to get a rogue device onto their network?  Can it be that easy to compromise their infrastructure?

 

Does anyone else who knows more about the particulars of DOCSIS have any insight to offer on interpreting the response I got?

 

Thanks

 

7 Replies

  • FURRYe38
    Guru - Experienced User

    I believe the ISP is correct in their policy. If you have a Business account, they seem to require the use of their equipment. That would be their policy. Technically, the static IP would be assigned to your service account and tied to the modem they associate with it. Then any external router connected would get this passed to the router, if they install a modem only unit. They may have modem/router units as well. However, if their Business service requires the use of their HW, then that's up to them.


    I'm on SL as well, however only use a home service so Dynamic WAN IP here. I've had my CM1200 online with them for a long time here and there. I just removed it as I got my CAX80 back from NG. 

     

     

    • pprindeville
      Aspirant

      If they're charging you for static IPs and requiring you to rent their modem, why not just include the cost of the modem in the static IP fee structure?  Otherwise it starts to feel like you're being nickel and dimed.

       

      • FURRYe38
        Guru - Experienced User

        Something to ask them about. However, ISPs, I presume, are in the business to make money as well. ISPs, along with other tech service companies, are well known for nickel and diming customers, e.g. cell phone service companies. Anything they can legally get away with, they seem to scrape what they can from us customers.