NET-201 Week 13 -- Cross-Cut: RE-Track and PT-Track / SB6141 Thread

"The SB6141 is not just a cable modem. It is a case study in how protocols interact across layers -- DOCSIS at the cable plant, Ethernet bridging on the LAN side, NAT for IP address sharing, TLS for remote management, and DNS for every name resolution the device performs. Understanding it requires everything we have covered in this course." -- NET-201 Instructor Notes


Lecture (100 min, two 50-min blocks)

13.1 The SB6141 as a Synthesis Target

The Motorola SB6141 cable modem appears throughout the Virtus Cyber Academy curriculum as a named lab target connecting computer systems architecture, networking, reverse engineering, and penetration testing. In NET-201, it is a synthesis object: every week's content has a concrete footprint in how the SB6141 operates.

SB6141 hardware summary (from handouts/cross-chapter-docsis-quad-cross-cut.md):

| Component | Function |
|---|---|
| MaxLinear MxL261 | RF demodulation; DOCSIS OFDM PHY; analog front-end |
| Broadcom BCM3380 | DOCSIS 3.0 MAC; QAM bonding; CMTS upstream/downstream management |
| Texas Instruments PDSP coprocessors | Packet classification; NAT acceleration; traffic shaping offload |
| ARM1176JZ-S (Linux application layer) | Linux 2.6.x kernel; DOCSIS provisioning stack; HTTP management GUI |

Network protocol footprint of the SB6141:

  • DOCSIS layer: downstream QAM reception; upstream OFDMA burst transmission; provisioning via TFTP/DHCP from CMTS
  • Ethernet bridging: bridges the cable-facing DOCSIS interface to the LAN-side Ethernet port (acts as a transparent bridge when in bridge mode; NAT/router when in gateway mode)
  • NAT: maintains translation table mapping LAN addresses to the provisioned WAN IP
  • DHCP server: distributes RFC 1918 addresses to LAN clients (when in gateway mode)
  • DNS: resolves names for its own management stack; relays DNS queries from LAN clients (DNS proxy mode)
  • TLS: remote management interface (SB6141 exposes an HTTPS-accessible status/configuration page)
  • SNMP: DOCSIS MIB (Management Information Base) exposed for CMTS monitoring

This breadth is why the SB6141 appears across NET-201 chapters.

13.2 DOCSIS and the CMTS: The Missing Layer

DOCSIS (Data Over Cable Service Interface Specification) is the protocol that cable modems use to communicate with the Cable Modem Termination System (CMTS) at the cable plant. NET-201 covers Ethernet (Chapter 5), TCP/IP (Chapter 8), and BGP (Chapters 3-4) -- DOCSIS is the Layer-2 protocol underneath all of it on the cable access network.

DOCSIS channel bonding (SB6141 = DOCSIS 3.0):

  • Downstream: up to 8 bonded QAM channels, each carrying ~38 Mbps (DOCSIS 3.0 QAM-256); maximum ~300 Mbps aggregate
  • Upstream: up to 4 bonded OFDMA channels, each ~30 Mbps; maximum ~120 Mbps aggregate
  • The SB6141 simultaneously receives from 8 downstream channels and transmits on 4 upstream; from the MAC layer's perspective, these appear as a single bonded pipe

DOCSIS provisioning sequence:

  1. Modem powers on; RF scan for a valid downstream signal
  2. SYNC message from CMTS establishes timing
  3. UCD (Upstream Channel Descriptor) messages configure upstream parameters
  4. DHCP request from modem; CMTS assigns a provisioning IP
  5. TFTP download of the modem configuration file (DOCSIS binary config: frequency plan, power levels, service class, rate limits)
  6. DOCSIS registration message to CMTS; modem comes online
  7. CPE DHCP: modem's NAT/bridge hands out IP to the LAN side

The configuration file governs rate limits. The DOCSIS specification requires the CMTS to sign configuration files; unsigned or tampered files are rejected. This is relevant to PEN-101: a misconfigured CMTS that does not enforce signing is a known vector.
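The integrity check on the configuration file can be seen at the byte level. This is an added example, not part of the course material: it assumes the standard DOCSIS config encoding (one-byte type, one-byte length, type 6 = CM MIC, type 7 = CMTS MIC, type 255 = end-of-data), and the sample files are constructed. Verifying the CMTS MIC itself needs the CMTS shared secret, so only its presence and length are checked.

```python
import hashlib

PAD, CM_MIC, CMTS_MIC, END = 0, 6, 7, 255   # top-level DOCSIS config TLV types
def tlv(t, value):
    return bytes([t, len(value)]) + value

def parse_tlvs(blob):
    """Yield (type, offset, value) for each top-level TLV up to end-of-data."""
    i = 0
    while i < len(blob):
        t = blob[i]
        if t == END:
            return
        if t == PAD:                       # pad is a lone byte with no length
            i += 1
            continue
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError(f"truncated TLV at offset {i}")
        yield t, i, blob[i + 2:i + 2 + blob[i + 1]]
        i += 2 + blob[i + 1]
    raise ValueError("no end-of-data marker (type 255)")

def audit_config(blob):
    """Return integrity findings for a config file; an empty list means none."""
    mics = {t: (off, v) for t, off, v in parse_tlvs(blob) if t in (CM_MIC, CMTS_MIC)}
    findings = []
    if CM_MIC not in mics:
        findings.append("CM MIC (type 6) missing")
    else:
        off, digest = mics[CM_MIC]
        # The CM MIC is an MD5 digest over every byte that precedes its own TLV.
        if hashlib.md5(blob[:off]).digest() != digest:
            findings.append("CM MIC mismatch")
    if CMTS_MIC not in mics:
        findings.append("CMTS MIC (type 7) missing")
    elif len(mics[CMTS_MIC][1]) != 16:
        findings.append("CMTS MIC is not 16 bytes")
    return findings

# Constructed sample file; frequency and rate values are made up.
RATE = (10_000_000).to_bytes(4, "big")
SETTINGS = (tlv(1, (591_000_000).to_bytes(4, "big"))   # downstream frequency (Hz)
            + tlv(3, b"\x01")                           # network access enabled
            + tlv(4, tlv(1, b"\x01") + tlv(2, RATE)))   # class of service: max downstream rate
DIGEST = hashlib.md5(SETTINGS).digest()
# 16 zero bytes stand in for the CMTS MIC (really HMAC-MD5 under the CMTS shared secret).
SIGNED = SETTINGS + tlv(CM_MIC, DIGEST) + tlv(CMTS_MIC, bytes(16)) + bytes([END])
TAMPERED = SIGNED.replace(RATE, (100_000_000).to_bytes(4, "big"), 1)   # rate edited, MIC stale
NO_CMTS_MIC = SETTINGS + tlv(CM_MIC, DIGEST) + bytes([END])
```

`audit_config(SIGNED)` returns no findings, while the edited file and the file without a type 7 TLV are each reported.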

13.3 RE-Track Cross-Cut: Protocol Analysis from Firmware

The VCA-RE-101 curriculum (taught in parallel for RE-track students) extracts the SB6141's firmware, identifies the DOCSIS management stack, and traces how the firmware implements the DOCSIS protocol state machine.

NET-201 students are not expected to perform firmware extraction. However, understanding the networking protocols allows an RE-101 student to:

  • Recognize DOCSIS MIB OIDs in the firmware's SNMP implementation
  • Understand what the TFTPClient function is downloading and why
  • Identify the DNS resolver embedded in the modem's Linux image
  • Map the network interfaces (DOCSIS MAC, LAN bridge, loopback) that appear in /proc/net/dev

Cross-reference protocol knowledge:

| What RE-101 finds | What NET-201 explains |
|---|---|
| SNMP GET/SET handler for OIDs 1.3.6.1.2.1.10.127 (DOCSIS cable interface MIB) | SNMP protocol mechanics; DOCSIS MIB structure |
| TLS session in HTTP management interface (port 443 local) | TLS 1.2 handshake (Week 6); certificate chain |
| DNS proxy: UDP packets forwarded to provisioned DNS server | DNS resolver function (Week 7); DNS64 relevance |
| NAT conntrack table in /proc/net/nf_conntrack | NAT/NAPT translation table mechanics (Week 8) |
| OSPF or RIP not present (DOCSIS uses DHCP-assigned route) | Contrast with enterprise IGPs (Weeks 1-2) |
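Recognizing the DOCSIS MIB subtree in a firmware image comes down to knowing how 1.3.6.1.2.1.10.127 looks once BER-encoded. The scanner below is an added example, not code from RE-101 or the firmware: it assumes the OIDs are stored as BER TLVs (tag 0x06, short-form length), although firmware may also hold them as dotted strings or integer arrays, and the sample blob is constructed.

```python
DOCSIS_IF_MIB = (1, 3, 6, 1, 2, 1, 10, 127)

def encode_oid(arcs):
    """BER content octets for an OID (without tag and length)."""
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                  # base-128, high bit = "more follows"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def decode_oid(content):
    """Dotted-decimal string for BER OID content octets."""
    first = min(content[0] // 40, 2)
    arcs, val = [first, content[0] - 40 * first], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def find_oids(blob, prefix=DOCSIS_IF_MIB):
    """Return (offset, dotted OID) for every BER OID TLV under `prefix`."""
    needle = encode_oid(prefix)
    hits, pos = [], blob.find(needle)
    while pos != -1:
        # Accept only prefix bytes that sit directly behind an OID tag and length.
        if pos >= 2 and blob[pos - 2] == 0x06 and len(needle) <= blob[pos - 1] < 0x80:
            content = blob[pos:pos + blob[pos - 1]]
            if len(content) == blob[pos - 1] and not content[-1] & 0x80:
                hits.append((pos - 2, decode_oid(content)))
        pos = blob.find(needle, pos + 1)
    return hits

def oid_tlv(arcs):
    content = encode_oid(arcs)
    return b"\x06" + bytes([len(content)]) + content

# Constructed blob: two OID TLVs plus the bare prefix bytes without an OID tag.
SAMPLE = (b"FWIMG\x00\x00\x00" + oid_tlv(DOCSIS_IF_MIB + (1, 1, 1, 1, 6, 300))
          + b"\xde\xad" + encode_oid(DOCSIS_IF_MIB)
          + b"\x00" + oid_tlv(DOCSIS_IF_MIB + (1, 2, 1)))
```

The subtree prefix encodes to the seven bytes `2b 06 01 02 01 0a 7f`, which is the pattern to look for in a hex view of the SNMP agent's data section.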

13.4 PT-Track Cross-Cut: Attack Surface of the SB6141

For students continuing to PEN-101, the SB6141's attack surface becomes the engagement target. NET-201 lays the foundation for understanding what PEN-101 will attack.

Network-accessible attack surface:

| Interface | Protocol | Default state | NET-201 topic |
|---|---|---|---|
| LAN side port 80 | HTTP (redirects to 443) | Open | TLS, HTTP |
| LAN side port 443 | HTTPS management GUI | Open | TLS (Week 6) |
| LAN side SNMP (161/UDP) | SNMP v1/v2c | Disabled by default | Network mgmt |
| WAN side | No ports open by default | Closed | NAT (Week 8) |
| DOCSIS channel | DOCSIS MAC | CMTS-facing | DOCSIS (this week) |

Common misconfigurations relevant to PEN-101:

  • Default credentials on the HTTPS management interface (admin/motorola)
  • SNMP community string public enabled (historical SB6141 firmware versions)
  • Outdated TLS configuration: SB6141 factory firmware exposes TLS 1.0/1.1 and weak cipher suites
  • No HSTS: HTTPS management page accessible without HSTS enforcement

Network observability from PEN-101 perspective:

  • ARP poisoning the LAN gateway allows capturing all traffic from LAN clients (Week 10 NSM skills)
  • DNS poisoning via the modem's DNS proxy (relevant to DNSSEC / DoT, Week 7)
  • BGP is not present in SB6141 (home modem); the CMTS-side BGP is the carrier's routing domain (relevant to Weeks 3-4)
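The monitoring side of the ARP poisoning item is a check on IP-to-MAC bindings. The detector below is an added example, not part of the course labs: the (timestamp, sender IP, sender MAC) records are constructed stand-ins for what a LAN sensor extracts from ARP replies, and the addresses are made up.

```python
from collections import defaultdict

def detect_arp_anomalies(replies, gateway_ip):
    """Return (ts, severity, message) alerts for time-ordered ARP replies.

    replies: iterable of (ts, sender_ip, sender_mac) as a LAN sensor records them.
    """
    binding = {}                  # ip -> MAC last seen answering for it
    claimed = defaultdict(set)    # MAC -> every IP it has answered for
    flagged = set()               # MACs already reported by rule 2
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = binding.get(ip)
        # Rule 1: an IP that suddenly answers from a different MAC.
        if prev is not None and prev != mac:
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((ts, severity, f"{ip} moved from {prev} to {mac}"))
        binding[ip] = mac
        claimed[mac].add(ip)
        # Rule 2: one MAC answering for the gateway and for other hosts as well.
        if gateway_ip in claimed[mac] and len(claimed[mac]) > 1 and mac not in flagged:
            flagged.add(mac)
            alerts.append((ts, "high", f"{mac} answers for gateway {gateway_ip} and other hosts"))
    return alerts

GATEWAY = "192.168.0.1"
# Constructed observations: normal bindings for the gateway and two clients.
BASELINE = [
    (1.0, "192.168.0.1", "02:00:00:00:00:01"),
    (2.0, "192.168.0.10", "02:00:00:00:00:10"),
    (3.0, "192.168.0.11", "02:00:00:00:00:11"),
]
# Constructed observations: the MAC of 192.168.0.11 starts answering for others.
POISONED = BASELINE + [
    (9.0, "192.168.0.1", "02:00:00:00:00:11"),
    (9.1, "192.168.0.10", "02:00:00:00:00:11"),
    (12.0, "192.168.0.1", "02:00:00:00:00:01"),   # the real gateway answers again
]
```

Rule 2 also fires for a gateway that legitimately holds several addresses on one MAC, so that MAC belongs on an allow-list in a real deployment.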

13.5 Wireless AKA Progression: Cross-Cut from WIR-101

For students who have completed WIR-101 or who are taking it concurrently, the wireless authentication progression (WPA2-SAE -> WPA3-SAE -> 5G-AKA) cross-cuts with NET-201's TLS and DNS content.

See handouts/cross-chapter-wireless-aka-progression.md for the full Architecture Comparison Sidebar (from the D10 handout set).

Key connections:

  • WPA2 4-way handshake vs. TLS 1.3: both are authenticated key establishment protocols; both derive session keys from a shared secret plus random nonces; comparing their structures deepens understanding of both (Week 6)
  • 5G Core and DNS: the 5G Core (AMF, SMF, UPF) uses HTTP/2 (SBI -- Service-Based Interface) with DNS for service discovery within the core network; DNS failure in the 5G Core has the same consequences as DNS failure in an enterprise (Week 7)
  • 5G AKA vs. WPA3-SAE: 5G AKA (3GPP TS 33.501) uses EAP-AKA' with SIM credentials; WPA3-SAE uses Dragonfly PAKE. Both prevent offline dictionary attacks; different authentication infrastructures (carrier-managed USIM vs. local PSK)

This cross-cut is summarized in the handouts/cross-chapter-wireless-aka-progression.md sidebar. Students taking WIR-101 and NET-201 in sequence should read that sidebar after completing both Week 6 (TLS) and WIR-101 Week 8 (WPA3-SAE).

13.6 Preparing for the Capstone

Week 14 is the Enterprise Operational Playbook workshop. The capstone asks students to synthesize all NET-201 content into a document describing a small enterprise network. This week's cross-cuts ensure students understand where the curriculum connects to the broader academy ecosystem.

Capstone preview -- topics that will appear:

  • Routing protocol choice + rationale (Weeks 1-4)
  • Switching topology + STP/RSTP/LACP design (Week 5)
  • TLS everywhere policy + certificate management (Week 6)
  • DNS architecture + DNSSEC + DoT forwarding (Week 7)
  • NAT / IPv6 transition timeline (Week 8)
  • SDN vs. traditional routing decision (Week 9)
  • NSM sensor placement + Suricata/Zeek deployment (Week 10)
  • Performance SLA and AQM configuration (Week 11)
  • Datacenter fabric design (optional advanced section, Week 12)

Lab Preview

No new lab this week. Students complete any outstanding labs from Weeks 10-11 and begin the capstone planning section (see Week 14).

Recommended activity: review your lab captures from Labs 1-11. Can you trace an end-to-end story? A packet from a client in Area 1 of your OSPF topology (Lab 1) travels through an iBGP route reflector (Lab 2), crosses a VLAN trunk (Lab 3), is protected by TLS (Lab 4), resolves a name via DNSSEC (Lab 5), and exits through a NAT64 gateway (Lab 6). That is the story of this course.


Homework

Reading (45 min): Review handouts/cross-chapter-docsis-quad-cross-cut.md and handouts/cross-chapter-wireless-aka-progression.md. Both are required capstone reference material. If you have not read the DOCSIS sidebar from Chapter 5 (Switching), re-read the SB6141 chip-by-chip section now with Week 13's commentary in mind.

Hands-on (60 min): Capstone planning. Draft a 1-page outline for your Enterprise Operational Playbook. Include:

  1. Network topology sketch (how many sites, how many VLANs, which routing protocol)
  2. Routing protocol choice + one-sentence rationale
  3. DNS architecture (authoritative + recursive; DNSSEC yes/no; DoT yes/no)
  4. TLS policy statement
  5. NSM sensor placement (where do the Suricata + Zeek sensors go?)
  6. IPv6 transition approach (dual-stack, NAT64, or deferred)

Bring this outline to Week 14 for the workshop session.


Key Terms

  • DOCSIS: Data Over Cable Service Interface Specification; Layer-2 protocol for cable modem communication with the CMTS; QAM channel bonding; TFTP-based provisioning; signing requirement for config files
  • CMTS: Cable Modem Termination System; the head-end device at the cable plant that manages all cable modems on a node; handles DOCSIS MAC, assigns IP addresses via DHCP, enforces rate limits
  • SB6141: Motorola DOCSIS 3.0 cable modem; 8×4 channel bonding; ARM1176JZ-S + BCM3380 + MxL261; network attack surface: HTTPS management (port 443), legacy SNMP, DOCSIS channel; named lab target in VCA-RE-101 and VCA-PEN-101
  • SBI: Service-Based Interface; HTTP/2-based REST API architecture used within the 5G Core network (AMF, SMF, UPF, etc.) for service discovery and inter-function communication
  • ARP poisoning: sending gratuitous ARP replies mapping a victim's IP to the attacker's MAC; redirects traffic through the attacker (LAN-level MITM); detectable via NDP/ARP monitoring in Zeek conn.log
  • 5G AKA: 5G Authentication and Key Agreement (3GPP TS 33.501); EAP-AKA' based; uses USIM credentials and SUPI/SUCI privacy protection; successor to LTE EPS-AKA; prevents IMSI catchers