Code:
BPI is not an authentication
BPI is not an authentication mechanism per se, it does not control whether a modem can come online or not, (note some CMTSes allow you to only allow BPI/BPI+ modems online but this is the CMTS not BPI/BPI+)
BPI is a mechanism to ensure all traffic from CM to CMTS back to CM is encrypted. Since HFC networks are shared this is necessary to prevent Customer A from seeing Customer B's traffic.
If BPI is not used it would be possible to see all the traffic on a downstream/upstream channel. Think of a HFC network like a network HUB traffic transmitted to a hub is available to all ports of the Hub, the way Docsis gets around this is to Encrypt all of this traffic so that the CMTS and the CM can decode this information.
Docsis does this with PKI (public key infrastructure). PKI works like so: a keypair is generated commonly referred to as a public key and a private key. These keys are related, such that information encrypted by the public key can only be decrypted by the private key, and information encrypted with the private key can only be decrypted by the public key.
The CMTS and the CM negotiate a keypair to use to encrypt traffic between them, this keypair has a finite lifetime at which time a new keypair must be negotiated. This negotiation is done using the built-in key pair for the CM and CMTS.
it looks something like this
during initialization the CMTS and the CM exchange their public keys in the clear
The CMTS then generates a new public/private key pair
Then the CMTS sends the CM the new public key to encrypt future traffic, this key is encrypted using the CM's public key
The cable modem Decrypts this message using the CM's private key,
When the CM sends a message it uses the new public key it decrypted to encrypt its message, The CMTS uses the private portion of that same key to decrypt that message
The key pair the CMTS generates is only good for a certain amount of time, and when it expires the process starts over again