Actiontec MoCA 2.0 ECB6000 Encryption

Derelict

Occasional Visitor
Just got a couple of these to replace my D-Link DXN-220 MoCA 1.1 adapters.

With no configuration page how is one supposed to set the network encryption password?

Without it what's stopping someone from connecting another bridge at the PoE and hopping on my network?
 
Yes, I have an LPF. Still doesn't stop someone from putting a bridge at the PoE and hopping on my network.

As it is it will not join my existing network due to lack of an encryption key.

Pretty disappointing. I'm surprised they can be certified MoCA 2.0 without implementing AES.
 
Maybe I'm misunderstanding something. If you installed a POE filter inside your home where the cable comes in, all of your MoCA traffic will stay inside your home. To get another MoCA adapter to talk to your adapters, someone would have to place it inside your home, on the same side of the filter as your adapters. If they put an adapter outside your home (and obviously on the other side of the filter), your adapters wouldn't communicate with it or even see it.

I'm arguing that having encryption available wouldn't be a good thing, but in a private home I don't think it would normally be critical as long as there's a POE filter installed.
 
All my runs are home-run to the PoE. That's pretty typical for coax. There is a PoE filter on the main feed from the cable company into the 6-way splitter. That prevents the signal from bleeding back into the cable network but doesn't prevent someone from putting a bridge on the splitter at the PoE and being on my LAN.

I was not intending to give up encryption to go from MoCA 1.1 to MoCA 2.0.
 
Just curious. Do you encrypt all your traffic on your LAN run using Ethernet cables?

Also once someone is inside your home what's to stop them from plugging into your router or splicing into an Ethernet cable?

Finally how do you protect your networks from someone installing a rogue AP?

If you aren't protected from these types of hacks then encrypting MOCA traffic is only closing one of your barn's doors.
 
I don't have an ethernet cable off my switch hanging out the side of my house in front of the gate in a box secured by a simple screw.

I am not talking about people inside my house. I'm talking about outside.

Rogue AP? They'd have to plug in - see above.

You are not going to convince me that encrypting MoCA isn't a good idea. MoCA 2.0 was supposed to take us to AES128. Not to nothing.
 
Okay, now I see the difference. What you describe isn't typical for my area (unless they've changed things since my house was built). In this area TWC brings one cable into the house and then splits it to feed the locations inside the house. All the cables in the house go to the place (typically the basement) where the serving cable comes into the house, and they're attached with a splitter there. A POE filter can then be placed on the serving cable before it attaches to the splitter, and no MoCA traffic can leave the house.
 
I would argue that even with the low-pass filter, your MoCA traffic would still be readable from the outside. The signal is still there, just attenuated.

It is better - for sure, and might require special equipment to receive, but absent strong encryption is likely still readable.
 
Well for your sake I hope you are running a VPN with strong encryption on your router so all data coming to and leaving your home is encrypted. If not someone can tap into your data stream on your drop, in the neighborhood at the node, or at your ISP and read everything you are sending and receiving. Also be sure to select a country, for the far point of your VPN connection, where they have strong laws protecting data privacy.

Having encryption on your POE LAN connections doesn't give you any protection once your data moves onto the WWW.

Install the filter inside your home and protect your demarc with a metal cabinet with a good padlock and call it good.
 
For the truly paranoid...
Put a cable TV amplifier/splitter with return in line with the coax that enters your premises.
The MoCA signals cannot flow in reverse through the amplifier.
The return path is needed for set top box, digital phone, cable modem's upstream. The return path's filter center is at about 30MHz whereas MoCA is about 1900MHz on the coax.

Maybe you already have an amp.

Data security: I'd worry much more about unencrypted (no SSL/HTTPS/VPN) data (read: email) going to/from your internet service provider and out in the global tangle of routers.
 
Why are you so willing to defend the obvious deficiency in this Actiontec product?

WAN is WAN. Yes, it's either in a VPN, protected with SSL, or out on the public internet for all to see.

LAN is LAN. I don't have my LAN hanging out in my PoE on the side of my house - unless I use this ECB6000, that is.

And, by the way, a steel box with a good padlock is nowhere nearly as secure as AES128 with a good, random key.

Securing your network is not paranoia. It's best practice.
 
FWIW - strong encryption or not - at some point, things need to get back into the clear...

At the end of the day - if you're worried about privacy, and using VPN - big data networks are tapped, and that traffic is going to be tagged, and then... it's compute resources, and TLA's (and 4LA's) have the resources..

just saying...
 
Things that go out on the WAN, sure. I'm talking about the LAN, which is the realm of the MoCA technology, and the subject at hand.
 
My best bet is that there is not enough customer demand for encryption. Even with the Actiontec 1.1 devices if you wanted to do encryption with your own key you had to download the software and then enter the information needed. I bet most people did not do this. In fact I bet most people did not even know it could be done.
 
I don't know if you still have the ECB6000's, but in the thread about the ECB6200 it was discovered that the configuration page is at 192.168.144.30, and it includes the ability to turn on encryption. However, the ability to turn on encryption (called MOCA Privacy on the configuration page) is only available after doing a firmware update to the ECB6200, so you might want to contact Actiontec and see if there's an update for the ECB6000 as well.
 
Thanks a lot for posting. I did find a web interface on 192.168.144.20 (should have nmap'ed it before. Derp). I don't know the authentication credentials and none of the standards have worked for me yet. Your information is hopeful enough for me to hang on to these.

I called Actiontec level 1 support and she said there are no firmware updates available for the ECB6000 or ECB6200. That conflicts with your information. It's late and I'll revisit later.

Thanks again.
 
The firmware update for the ECB6200 was obtained by another poster in the thread linked above. He had submitted a problem report to Actiontec and they emailed him the update, so either the rep you spoke to isn't aware that the firmware update exists, or they aren't ready to make it generally available. It may be the latter because I noticed they haven't posted the update on their website either.

When you mention the authentication credentials, are you saying that the configuration page is requiring you to log in to make changes? With the ECB6200, the address I mentioned above took me straight to the configuration page with no login required.
 
