diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc4131.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc4131.txt')
-rw-r--r-- | doc/rfc/rfc4131.txt | 4763 |
1 files changed, 4763 insertions, 0 deletions
diff --git a/doc/rfc/rfc4131.txt b/doc/rfc/rfc4131.txt new file mode 100644 index 0000000..b0ac915 --- /dev/null +++ b/doc/rfc/rfc4131.txt @@ -0,0 +1,4763 @@ + + + + + + +Network Working Group S. Green +Request for Comments: 4131 Consultant +Category: Standards Track K. Ozawa + Toshiba + E. Cardona, Ed. + CableLabs + A. Katsnelson + September 2005 + + Management Information Base for + Data Over Cable Service Interface Specification (DOCSIS) Cable Modems + and Cable Modem Termination Systems for Baseline Privacy Plus + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + This memo defines a portion of the Management Information Base (MIB) + for use with network management protocols in the Internet community. + In particular, it defines a set of managed objects for Simple Network + Management Protocol (SNMP) based management of the Baseline Privacy + Plus features of DOCSIS 1.1 and DOCSIS 2.0 (Data-over-Cable Service + Interface Specification) compliant Cable Modems and Cable Modem + Termination Systems. + +Table of Contents + + 1. The Internet-Standard Management Framework..................... 2 + 2. Overview....................................................... 2 + 2.1. Structure of the MIB...................................... 3 + 2.2. Relationship of BPI+ and BPI MIB Modules.................. 4 + 2.3. BPI+ MIB Module Relationship with The Interfaces Group MIB 5 + 3. Definitions.................................................... 5 + 4. Acknowledgements............................................... 77 + 5. Normative References........................................... 77 + 6. Informative References......................................... 78 + 7. Security Considerations........................................ 79 + 8. IANA Considerations............................................ 83 + + + +Green, et al. Standards Track [Page 1] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + +1. The Internet-Standard Management Framework + + For a detailed overview of the documents that describe the current + Internet-Standard Management Framework, please refer to section 7 of + RFC 3410 [RFC3410]. + + Managed objects are accessed via a virtual information store, termed + the Management Information Base or MIB. MIB objects are generally + accessed through the Simple Network Management Protocol (SNMP). + Objects in the MIB are defined using the mechanisms defined in the + Structure of Management Information (SMI). This memo specifies a MIB + module that is compliant to the SMIv2, which is described in STD 58, + RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 + [RFC2580]. + +2. Overview + + This MIB module (BPI+ MIB) provides a set of objects required for the + management of the Baseline Privacy Interface Plus features of DOCSIS + 1.1 and DOCSIS 2.0 Cable Modem (CM) and Cable Modem Termination + System (CMTS). The specification is derived from the operational + model described in the DOCSIS Baseline Privacy Interface Plus + Specification [DOCSIS]. + + DOCSIS Baseline Privacy Plus is composed of four distinct functional + and manageable areas: + + o Key exchange and data encryption + + o Cable modem authentication + + o Multicast encryption + + o Authentication of downloaded software images + + This MIB module is an extension of the DOCSIS 1.0 Baseline Privacy + MIB module [RFC3083] (BPI MIB), which is derived from the Operational + model described in the DOCSIS Baseline Privacy Interface + Specification [DOCSIS-1.0]. The original Baseline Privacy MIB + structure has mostly been preserved in the Baseline Privacy Plus MIB. + Please note that the referenced DOCSIS specifications only require + that Cable Modems process IPv4 customer traffic. Design choices in + this MIB module reflect those requirements. Future versions of the + DOCSIS specifications are expected to require support for IPv6 as + well. + + + + + + +Green, et al. Standards Track [Page 2] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL + NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" + in this document are to be interpreted as described in BCP 14, RFC + 2119 [RFC2119]. + +2.1. Structure of the MIB + + This MIB module is structured into several tables and objects. + +2.1.1. Cable Modem + + o The docsBpi2CmBaseTable contains authorization key exchange + information for one CM MAC interface. + + o The docsBpi2CmTEKTable contains traffic key exchange and data + encryption information for a particular security association ID of + the cable modem. + + o Multicast Encryption information is maintained under + Docsbpi2CmMulticastObjects. There is currently one multicast + table object that manages IP multicast encryption, + docsBpi2CmIpMulticastMapTable. + + o Digital certificates used for cable modem authentication are + accessible via docsBpi2CmDeviceCertTable. + + o Cryptographic suite capabilities for a CM MAC are maintained in + the docsBpi2CmCryptoSuiteTable. + +2.1.2. Cable Modem Termination System + + o The docsBpi2CmtsBaseTable contains default settings and summary + counters for the cable modem termination system. + + o The DocsBpi2CmtsAuthTable contains Authorization Key Exchange + information for each CM MAC interface, as well as data from CM + certificates used in cable modem authentication. + + o The docsBpi2CmtsTEKTable contains traffic key exchange and data + encryption information for a particular security association ID. + + o Multicast Encryption information is maintained under + Docsbpi2CmtsMulticastObjects. There are currently two multicast + table objects. The Table docsBpi2CmtsIpMulticastMapTable is + + + + + +Green, et al. Standards Track [Page 3] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + specifically designed for IP multicast encryption, whereas + docsBpi2CmtsMulticastAuthTable is meant to manage all multicast + security associations. + + In particular, the table docsBpi2CmtsIpMulticastMapTable + defines the object docsBpi2CmtsIpMulticastMask, which could be + a non-contiguous netmask; this is why the object syntax is + based on the INET-ADDRESS-MIB MIB Module [RFC4001] Textual + Convention InetAddress instead of InetAddressPrefixLength. + + This is to facilitate the assignment of same DOCSIS Security + Association ID (SAID) to one or more IPv6 multicast group IDs + matching one or more IPv6 multicast scope types within an entry + in this table. For example, multicast scopes labeled + "unassigned" [RFC3513] may be allocated by administrators to a + particular SAID, regardless of their multicast scope; such + mapping transient multicast group 'Y' to SAID 'z' for ANY + multicast scope. The non-contiguous netmask will be FF10:Y. + See [RFC3513] for details on IPv6 multicast addressing. + + o DocsBpi2CmtsCertObjects contains 2 manageable tables: one for + provisioned cable modem certificates and one for certification + authority certificates. + +2.1.3. Common + + o The docsBpi2CodeDownloadControl objects manage the authenticated + software download process for a given device. + +2.2. Relationship of BPI+ and BPI MIB Modules + + This section describes the relationship between the BPI+ MIB module + defined in this document and the BPI MIB module defined in RFC 3083 + [RFC3083]. The BPI+ protocol interface is an enhancement to the BPI + protocol, and it is a distinct protocol from BPI. The associated + BPI+ managed objects should be considered separate from the BPI MIB + objects defined in RFC 3083. + + DOCSIS 1.1 and 2.0 systems implement both the BPI+ and BPI protocols + to be backward compatible with 1.0 systems. For more information + regarding the interoperability between BPI and BPI+ compliant + systems, refer to appendix C of the DOCSIS BPI+ specification + [DOCSIS]. For MIB modules requirements, refer to section 4.6.1, + Figure 9, of the DOCSIS 1.1 OSSI specification [DOCSIS-1.1] and to + section 7.6.1, Tables 7-9, of the DOCSIS 2.0 OSSI specification + [DOCSIS-2.0]. + + + + + +Green, et al. Standards Track [Page 4] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + +2.3. BPI+ MIB Module Relationship with the Interfaces Group MIB + + The BPI+ MIB module is the management framework of Baseline Privacy + Plus Interface Specification [DOCSIS], which provides the MAC layer + (Media Access Control) security services of DOCSIS through the + Baseline Privacy Key Management (BPKM) protocol. The BPI+ MIB module + objects are organized as extensions of the Radio Frequency (RF) + Interface Management [RFC2670]. + + The MIB table structures of this MIB Module are extensions of the + DOCSIS CATV (Community Antenna Television) MAC layer interface + (DocsCableMaclayer by [IANA]). In particular, the provisions of the + Interface Group MIB [RFC2863] for counter discontinuities and system + re-initialization apply to CM and CMTS to validate the difference + between two consecutive counter polls. + + All BPI+ MIB module counters are 32 bits and are based on the minimum + time to wrap up considerations of [RFC2863] and their possible + frequency occurrence as BPI+ FSM (Finite State Machine) event + counters. See [DOCSIS] for BPI+ FSM parameter guidelines. + +3. Definitions + + DOCS-IETF-BPI2-MIB DEFINITIONS ::= BEGIN + + IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + Integer32, + Unsigned32, + Counter32, + mib-2 + FROM SNMPv2-SMI -- [RFC2578] + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB -- [RFC3411] + TEXTUAL-CONVENTION, + MacAddress, + RowStatus, + TruthValue, + DateAndTime, + StorageType + FROM SNMPv2-TC -- [RFC2579] + OBJECT-GROUP, + MODULE-COMPLIANCE + FROM SNMPv2-CONF -- [RFC2580] + ifIndex + FROM IF-MIB -- [RFC2863] + InetAddressType, + InetAddress + + + +Green, et al. Standards Track [Page 5] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + FROM INET-ADDRESS-MIB; -- [RFC4001] + + docsBpi2MIB MODULE-IDENTITY + LAST-UPDATED "200507200000Z" -- July 20, 2005 + ORGANIZATION "IETF IP over Cable Data Network (IPCDN) + Working Group" + CONTACT-INFO "--------------------------------------- + Stuart M. Green + E-mail: rubbersoul3@yahoo.com + --------------------------------------- + Kaz Ozawa + Automotive Systems Development Center + TOSHIBA CORPORATION + 1-1, Shibaura 1-Chome + Minato-ku, Tokyo 105-8001 + Japan + Phone: +81-3-3457-8569 + Fax: +81-3-5444-9325 + E-mail: Kazuyoshi.Ozawa@toshiba.co.jp + --------------------------------------- + Alexander Katsnelson + Postal: + Tel: +1-303-680-3924 + E-mail: katsnelson6@peoplepc.com + --------------------------------------- + Eduardo Cardona + Postal: + Cable Television Laboratories, Inc. + 858 Coal Creek Circle + Louisville, CO 80027- 9750 + U.S.A. + Tel: +1 303 661 9100 + Fax: +1 303 661 9199 + E-mail: e.cardona@cablelabs.com + --------------------------------------- + + IETF IPCDN Working Group + General Discussion: ipcdn@ietf.org + Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn. + Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn. + Co-chairs: Richard Woundy, rwoundy@cisco.com + Jean-Francois Mule, jfm@cablelabs.com" + DESCRIPTION + "This is the MIB module for the DOCSIS Baseline + Privacy Plus Interface (BPI+) at cable modems (CMs) + and cable modem termination systems (CMTSs). + + Copyright (C) The Internet Society (2005). This + + + +Green, et al. Standards Track [Page 6] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + version of this MIB module is part of RFC 4131; see + the RFC itself for full legal notices." + + REVISION "200507200000Z" -- July 20, 2005 + DESCRIPTION + "Initial version of the IETF BPI+ MIB module. + This version published as RFC 4131." + ::= { mib-2 126 } + + -- Textual conventions + + DocsX509ASN1DEREncodedCertificate ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "An X509 digital certificate encoded as an ASN.1 DER + object." + SYNTAX OCTET STRING (SIZE (0..4096)) + + DocsSAId ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION + "Security Association identifier (SAID)." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface + specification, Section 2.1.3, BPI+ Security + Associations" + SYNTAX Integer32 (1..16383) + + DocsSAIdOrZero ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION + "Security Association identifier (SAID). The value + zero indicates that the SAID is yet to be determined." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface + specification, Section 2.1.3, BPI+ Security + Associations" + SYNTAX Unsigned32 (0 | 1..16383) + + DocsBpkmSAType ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "The type of security association (SA). + The values of the named-numbers are associated + with the BPKM SA-Type attributes: + 'primary' corresponds to code '1', 'static' to code '2', + + + +Green, et al. Standards Track [Page 7] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + and 'dynamic' to code '3'. + The 'none' value must only be used if the SA type has yet + to be determined." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface + specification, Section 4.2.2.24" + SYNTAX INTEGER { + none(0), + primary(1), + static(2), + dynamic(3) + } + + DocsBpkmDataEncryptAlg ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "The list of data encryption algorithms defined for + the DOCSIS interface in the BPKM cryptographic-suite + parameter. The value 'none' indicates that the SAID + being referenced has no data encryption." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + SYNTAX INTEGER { + none(0), + des56CbcMode(1), + des40CbcMode(2), + t3Des128CbcMode(3), + aes128CbcMode(4), + aes256CbcMode(5) + } + + DocsBpkmDataAuthentAlg ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "The list of data integrity algorithms defined for the + DOCSIS interface in the BPKM cryptographic-suite parameter. + The value 'none' indicates that no data integrity is used for + the SAID being referenced." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + SYNTAX INTEGER { + none(0), + hmacSha196(1) + } + + docsBpi2MIBObjects OBJECT IDENTIFIER ::= { docsBpi2MIB 1 } + + + +Green, et al. Standards Track [Page 8] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + -- Cable Modem Group + + docsBpi2CmObjects OBJECT IDENTIFIER ::= { docsBpi2MIBObjects 1 } + + -- + -- The BPI+ base and authorization table for CMs, + -- indexed by ifIndex + -- + + docsBpi2CmBaseTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmBaseEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table describes the basic and authorization- + related Baseline Privacy Plus attributes of each CM MAC + interface." + ::= { docsBpi2CmObjects 1 } + + docsBpi2CmBaseEntry OBJECT-TYPE + SYNTAX DocsBpi2CmBaseEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Each entry contains objects describing attributes of + one CM MAC interface. An entry in this table exists for + each ifEntry with an ifType of docsCableMaclayer(127)." + INDEX { ifIndex } + ::= { docsBpi2CmBaseTable 1 } + + DocsBpi2CmBaseEntry ::= SEQUENCE { + docsBpi2CmPrivacyEnable TruthValue, + docsBpi2CmPublicKey OCTET STRING, + docsBpi2CmAuthState INTEGER, + docsBpi2CmAuthKeySequenceNumber Integer32, + docsBpi2CmAuthExpiresOld DateAndTime, + docsBpi2CmAuthExpiresNew DateAndTime, + docsBpi2CmAuthReset TruthValue, + docsBpi2CmAuthGraceTime Integer32, + docsBpi2CmTEKGraceTime Integer32, + docsBpi2CmAuthWaitTimeout Integer32, + docsBpi2CmReauthWaitTimeout Integer32, + docsBpi2CmOpWaitTimeout Integer32, + docsBpi2CmRekeyWaitTimeout Integer32, + docsBpi2CmAuthRejectWaitTimeout Integer32, + docsBpi2CmSAMapWaitTimeout Integer32, + docsBpi2CmSAMapMaxRetries Integer32, + docsBpi2CmAuthentInfos Counter32, + + + +Green, et al. Standards Track [Page 9] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmAuthRequests Counter32, + docsBpi2CmAuthReplies Counter32, + docsBpi2CmAuthRejects Counter32, + docsBpi2CmAuthInvalids Counter32, + docsBpi2CmAuthRejectErrorCode INTEGER, + docsBpi2CmAuthRejectErrorString SnmpAdminString, + docsBpi2CmAuthInvalidErrorCode INTEGER, + docsBpi2CmAuthInvalidErrorString SnmpAdminString + } + + docsBpi2CmPrivacyEnable OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object identifies whether this CM is + provisioned to run Baseline Privacy Plus." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1." + ::= { docsBpi2CmBaseEntry 1 } + + docsBpi2CmPublicKey OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (0..524)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is a DER-encoded + RSAPublicKey ASN.1 type string, as defined in the RSA + Encryption Standard (PKCS #1), corresponding to the + public key of the CM." + + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.4." + ::= { docsBpi2CmBaseEntry 2 } + + docsBpi2CmAuthState OBJECT-TYPE + SYNTAX INTEGER { + start(1), + authWait(2), + authorized(3), + reauthWait(4), + authRejectWait(5), + silent(6) + } + MAX-ACCESS read-only + STATUS current + + + +Green, et al. Standards Track [Page 10] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + DESCRIPTION + "The value of this object is the state of the CM + authorization FSM. The start state indicates that FSM is + in its initial state." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.1.2.1." + ::= { docsBpi2CmBaseEntry 3 } + + docsBpi2CmAuthKeySequenceNumber OBJECT-TYPE + SYNTAX Integer32 (0..15) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the most recent + authorization key sequence number for this FSM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.2 and 4.2.2.10." + ::= { docsBpi2CmBaseEntry 4 } + + docsBpi2CmAuthExpiresOld OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the actual clock time for + expiration of the immediate predecessor of the most recent + authorization key for this FSM. If this FSM has only one + authorization key, then the value is the time of activation + of this FSM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.2 and 4.2.2.9." + ::= { docsBpi2CmBaseEntry 5 } + + docsBpi2CmAuthExpiresNew OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the actual clock time for + expiration of the most recent authorization key for this + FSM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.2 and 4.2.2.9." + ::= { docsBpi2CmBaseEntry 6 } + + + +Green, et al. Standards Track [Page 11] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmAuthReset OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Setting this object to 'true' generates a Reauthorize + event in the authorization FSM. Reading this object always + returns FALSE. + + This object is for testing purposes only, and therefore it + is not required to be associated with a last reset + object." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.1.2.3.4." + ::= { docsBpi2CmBaseEntry 7 } + + docsBpi2CmAuthGraceTime OBJECT-TYPE + SYNTAX Integer32 (1..6047999) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the grace time for an + authorization key in seconds. A CM is expected to start + trying to get a new authorization key beginning + AuthGraceTime seconds before the most recent authorization + key actually expires." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1.1.3." + ::= { docsBpi2CmBaseEntry 8 } + + docsBpi2CmTEKGraceTime OBJECT-TYPE + SYNTAX Integer32 (1..302399) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the grace time for + the TEK in seconds. The CM is expected to start trying to + acquire a new TEK beginning TEK GraceTime seconds before + the expiration of the most recent TEK." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1.1.6." + ::= { docsBpi2CmBaseEntry 9 } + + + + +Green, et al. Standards Track [Page 12] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmAuthWaitTimeout OBJECT-TYPE + SYNTAX Integer32 (1..30) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the Authorize Wait + Timeout in seconds." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1.1.1." + ::= { docsBpi2CmBaseEntry 10 } + + docsBpi2CmReauthWaitTimeout OBJECT-TYPE + SYNTAX Integer32 (1..30) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the Reauthorize Wait + Timeout in seconds." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1.1.2." + ::= { docsBpi2CmBaseEntry 11 } + + docsBpi2CmOpWaitTimeout OBJECT-TYPE + SYNTAX Integer32 (1..10) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the Operational Wait + Timeout in seconds." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1.1.4." + ::= { docsBpi2CmBaseEntry 12 } + + docsBpi2CmRekeyWaitTimeout OBJECT-TYPE + SYNTAX Integer32 (1..10) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the Rekey Wait Timeout + in seconds." + REFERENCE + + + +Green, et al. Standards Track [Page 13] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1.1.5." + ::= { docsBpi2CmBaseEntry 13 } + + docsBpi2CmAuthRejectWaitTimeout OBJECT-TYPE + SYNTAX Integer32 (1..600) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the Authorization Reject + Wait Timeout in seconds." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1.1.7." + ::= { docsBpi2CmBaseEntry 14 } + + docsBpi2CmSAMapWaitTimeout OBJECT-TYPE + SYNTAX Integer32 (1..10) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the retransmission + interval, in seconds, of SA Map Requests from the MAP Wait + state." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1.1.8." + ::= { docsBpi2CmBaseEntry 15 } + + docsBpi2CmSAMapMaxRetries OBJECT-TYPE + SYNTAX Integer32 (0..10) + UNITS "count" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the maximum number of + Map Request retries allowed." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.1.1.1.9." + ::= { docsBpi2CmBaseEntry 16 } + + docsBpi2CmAuthentInfos OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + + + +Green, et al. Standards Track [Page 14] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + DESCRIPTION + "The value of this object is the number of times + the CM has transmitted an Authentication Information + message. Discontinuities in the value of this counter can + occur at re-initialization of the management system, and at + other times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.9." + ::= { docsBpi2CmBaseEntry 17 } + + docsBpi2CmAuthRequests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the CM + has transmitted an Authorization Request message. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.1." + ::= { docsBpi2CmBaseEntry 18 } + + docsBpi2CmAuthReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the CM + has received an Authorization Reply message. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.2." + ::= { docsBpi2CmBaseEntry 19 } + + docsBpi2CmAuthRejects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + + + +Green, et al. Standards Track [Page 15] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + DESCRIPTION + "The value of this object is the number of times the CM + has received an Authorization Reject message. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.3." + ::= { docsBpi2CmBaseEntry 20 } + + docsBpi2CmAuthInvalids OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the count of times the CM + has received an Authorization Invalid message. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.7." + ::= { docsBpi2CmBaseEntry 21 } + + docsBpi2CmAuthRejectErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + unauthorizedCm(3), + unauthorizedSaid(4), + permanentAuthorizationFailure(8), + timeOfDayNotAcquired(11) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the enumerated + description of the Error-Code in the most recent + Authorization Reject message received by the CM. This has + the value unknown(2) if the last Error-Code value was 0 and + none(1) if no Authorization Reject message has been received + since reboot." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + + + +Green, et al. Standards Track [Page 16] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Sections 4.2.1.3 and 4.2.2.15." + ::= { docsBpi2CmBaseEntry 22 } + + docsBpi2CmAuthRejectErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in the + most recent Authorization Reject message received by the + CM. This is a zero length string if no Authorization + Reject message has been received since reboot." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.3 and 4.2.2.6." + ::= { docsBpi2CmBaseEntry 23 } + + docsBpi2CmAuthInvalidErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + unauthorizedCm(3), + unsolicited(5), + invalidKeySequence(6), + keyRequestAuthenticationFailure(7) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the enumerated + description of the Error-Code in the most recent + Authorization Invalid message received by the CM. This has + the value unknown(2) if the last Error-Code value was 0 and + none(1) if no Authorization Invalid message has been received + since reboot." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.7 and 4.2.2.15." + ::= { docsBpi2CmBaseEntry 24 } + + docsBpi2CmAuthInvalidErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in the + most recent Authorization Invalid message received by the + CM. This is a zero length string if no Authorization + + + +Green, et al. Standards Track [Page 17] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Invalid message has been received since reboot." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.7 and 4.2.2.6." + ::= { docsBpi2CmBaseEntry 25 } + + -- + -- The CM TEK Table, indexed by ifIndex and SAID + -- + + docsBpi2CmTEKTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmTEKEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table describes the attributes of each CM + Traffic Encryption Key (TEK) association. The CM maintains + (no more than) one TEK association per SAID per CM MAC + interface." + ::= { docsBpi2CmObjects 2 } + + docsBpi2CmTEKEntry OBJECT-TYPE + SYNTAX DocsBpi2CmTEKEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Each entry contains objects describing the TEK + association attributes of one SAID. The CM MUST create one + entry per SAID, regardless of whether the SAID was obtained + from a Registration Response message, from an Authorization + Reply message, or from any dynamic SAID establishment + mechanisms." + INDEX { ifIndex, docsBpi2CmTEKSAId } + ::= { docsBpi2CmTEKTable 1 } + + DocsBpi2CmTEKEntry ::= SEQUENCE { + docsBpi2CmTEKSAId DocsSAId, + docsBpi2CmTEKSAType DocsBpkmSAType, + docsBpi2CmTEKDataEncryptAlg DocsBpkmDataEncryptAlg, + docsBpi2CmTEKDataAuthentAlg DocsBpkmDataAuthentAlg, + docsBpi2CmTEKState INTEGER, + docsBpi2CmTEKKeySequenceNumber Integer32, + docsBpi2CmTEKExpiresOld DateAndTime, + docsBpi2CmTEKExpiresNew DateAndTime, + docsBpi2CmTEKKeyRequests Counter32, + docsBpi2CmTEKKeyReplies Counter32, + docsBpi2CmTEKKeyRejects Counter32, + docsBpi2CmTEKInvalids Counter32, + + + +Green, et al. Standards Track [Page 18] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmTEKAuthPends Counter32, + docsBpi2CmTEKKeyRejectErrorCode INTEGER, + docsBpi2CmTEKKeyRejectErrorString SnmpAdminString, + docsBpi2CmTEKInvalidErrorCode INTEGER, + docsBpi2CmTEKInvalidErrorString SnmpAdminString + } + + docsBpi2CmTEKSAId OBJECT-TYPE + SYNTAX DocsSAId + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The value of this object is the DOCSIS Security + Association ID (SAID)." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.12." + ::= { docsBpi2CmTEKEntry 1 } + + docsBpi2CmTEKSAType OBJECT-TYPE + SYNTAX DocsBpkmSAType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the type of security + association." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 2.1.3." + ::= { docsBpi2CmTEKEntry 2 } + + docsBpi2CmTEKDataEncryptAlg OBJECT-TYPE + SYNTAX DocsBpkmDataEncryptAlg + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the data encryption + algorithm for this SAID." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + ::= { docsBpi2CmTEKEntry 3 } + + docsBpi2CmTEKDataAuthentAlg OBJECT-TYPE + SYNTAX DocsBpkmDataAuthentAlg + MAX-ACCESS read-only + STATUS current + DESCRIPTION + + + +Green, et al. Standards Track [Page 19] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "The value of this object is the data authentication + algorithm for this SAID." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + ::= { docsBpi2CmTEKEntry 4 } + + docsBpi2CmTEKState OBJECT-TYPE + SYNTAX INTEGER { + start(1), + opWait(2), + opReauthWait(3), + operational(4), + rekeyWait(5), + rekeyReauthWait(6) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the state of the + indicated TEK FSM. The start(1) state indicates that the + FSM is in its initial state." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.1.3.1." + ::= { docsBpi2CmTEKEntry 5 } + + docsBpi2CmTEKKeySequenceNumber OBJECT-TYPE + SYNTAX Integer32 (0..15) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the most recent TEK + key sequence number for this TEK FSM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.2.10 and 4.2.2.13." + ::= { docsBpi2CmTEKEntry 6 } + + docsBpi2CmTEKExpiresOld OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the actual clock time for + expiration of the immediate predecessor of the most recent + TEK for this FSM. If this FSM has only one TEK, then the + value is the time of activation of this FSM." + + + +Green, et al. Standards Track [Page 20] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.5 and 4.2.2.9." + ::= { docsBpi2CmTEKEntry 7 } + + docsBpi2CmTEKExpiresNew OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the actual clock time for + expiration of the most recent TEK for this FSM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.5 and 4.2.2.9." + ::= { docsBpi2CmTEKEntry 8 } + + docsBpi2CmTEKKeyRequests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the CM + has transmitted a Key Request message. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.4." + ::= { docsBpi2CmTEKEntry 9 } + + docsBpi2CmTEKKeyReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the CM + has received a Key Reply message, including a message whose + authentication failed. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + + + +Green, et al. Standards Track [Page 21] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Section 4.2.1.5." + ::= { docsBpi2CmTEKEntry 10 } + + docsBpi2CmTEKKeyRejects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the CM + has received a Key Reject message, including a message + whose authentication failed. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.6." + ::= { docsBpi2CmTEKEntry 11 } + + docsBpi2CmTEKInvalids OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the CM + has received a TEK Invalid message, including a message + whose authentication failed. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.8." + ::= { docsBpi2CmTEKEntry 12 } + + docsBpi2CmTEKAuthPends OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the count of times an + Authorization Pending (Auth Pend) event occurred in this + FSM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + + + +Green, et al. Standards Track [Page 22] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.1.3.3.3." + ::= { docsBpi2CmTEKEntry 13 } + + docsBpi2CmTEKKeyRejectErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + unauthorizedSaid(4) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the enumerated + description of the Error-Code in the most recent Key Reject + message received by the CM. This has the value unknown(2) if + the last Error-Code value was 0 and none(1) if no Key + Reject message has been received since registration." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.1.2.6 and 4.2.2.15." + ::= { docsBpi2CmTEKEntry 14 } + + docsBpi2CmTEKKeyRejectErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in the + most recent Key Reject message received by the CM. This is + a zero length string if no Key Reject message has been + received since registration." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.1.2.6 and 4.2.2.6." + ::= { docsBpi2CmTEKEntry 15 } + + docsBpi2CmTEKInvalidErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + invalidKeySequence(6) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + + + +Green, et al. Standards Track [Page 23] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "The value of this object is the enumerated + description of the Error-Code in the most recent TEK Invalid + message received by the CM. This has the value unknown(2) if + the last Error-Code value was 0 and none(1) if no TEK + Invalid message has been received since registration." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.1.2.8 and 4.2.2.15." + ::= { docsBpi2CmTEKEntry 16 } + + docsBpi2CmTEKInvalidErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in the + most recent TEK Invalid message received by the CM. This is + a zero length string if no TEK Invalid message has been + received since registration." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.1.2.8 and 4.2.2.6." + ::= { docsBpi2CmTEKEntry 17 } + + -- + -- The CM Multicast Objects Group + -- + + docsBpi2CmMulticastObjects OBJECT IDENTIFIER + ::= { docsBpi2CmObjects 3 } + + -- + -- The CM Dynamic IP Multicast Mapping Table, indexed by + -- docsBpi2CmIpMulticastIndex and by ifIndex + -- + + docsBpi2CmIpMulticastMapTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmIpMulticastMapEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table maps multicast IP addresses to SAIDs per + CM MAC Interface. + It is intended to map multicast IP addresses associated + with SA MAP Request messages." + ::= { docsBpi2CmMulticastObjects 1 } + + docsBpi2CmIpMulticastMapEntry OBJECT-TYPE + + + +Green, et al. Standards Track [Page 24] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + SYNTAX DocsBpi2CmIpMulticastMapEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Each entry contains objects describing the mapping of + one multicast IP address to one SAID, as well as + associated state, message counters, and error information. + + An entry may be removed from this table upon the reception + of an SA Map Reject." + INDEX { ifIndex, docsBpi2CmIpMulticastIndex } + ::= { docsBpi2CmIpMulticastMapTable 1 } + + DocsBpi2CmIpMulticastMapEntry ::= SEQUENCE { + docsBpi2CmIpMulticastIndex Unsigned32, + docsBpi2CmIpMulticastAddressType InetAddressType, + docsBpi2CmIpMulticastAddress InetAddress, + docsBpi2CmIpMulticastSAId DocsSAIdOrZero, + docsBpi2CmIpMulticastSAMapState INTEGER, + docsBpi2CmIpMulticastSAMapRequests Counter32, + docsBpi2CmIpMulticastSAMapReplies Counter32, + docsBpi2CmIpMulticastSAMapRejects Counter32, + docsBpi2CmIpMulticastSAMapRejectErrorCode INTEGER, + docsBpi2CmIpMulticastSAMapRejectErrorString SnmpAdminString + } + + docsBpi2CmIpMulticastIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..4294967295) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The index of this row." + ::= { docsBpi2CmIpMulticastMapEntry 1 } + + docsBpi2CmIpMulticastAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The type of Internet address for + docsBpi2CmIpMulticastAddress." + ::= { docsBpi2CmIpMulticastMapEntry 2 } + + docsBpi2CmIpMulticastAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + + + +Green, et al. Standards Track [Page 25] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "This object represents the IP multicast address + to be mapped. The type of this address is determined by + the value of the docsBpi2CmIpMulticastAddressType object." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 5.4." + ::= { docsBpi2CmIpMulticastMapEntry 3 } + + docsBpi2CmIpMulticastSAId OBJECT-TYPE + SYNTAX DocsSAIdOrZero + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object represents the SAID to which the IP + multicast address has been mapped. If no SA Map Reply has + been received for the IP address, this object should have + the value 0." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.12." + ::= { docsBpi2CmIpMulticastMapEntry 4 } + + docsBpi2CmIpMulticastSAMapState OBJECT-TYPE + SYNTAX INTEGER { + start(1), + mapWait(2), + mapped(3) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the state of the SA + Mapping FSM for this IP." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 5.3.1." + ::= { docsBpi2CmIpMulticastMapEntry 5 } + + docsBpi2CmIpMulticastSAMapRequests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CM has transmitted an SA Map Request message for this IP. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + + + +Green, et al. Standards Track [Page 26] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.10." + ::= { docsBpi2CmIpMulticastMapEntry 6 } + + docsBpi2CmIpMulticastSAMapReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CM has received an SA Map Reply message for this IP. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.11." + ::= { docsBpi2CmIpMulticastMapEntry 7 } + + docsBpi2CmIpMulticastSAMapRejects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CM has received an SA MAP Reject message for this IP. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.12." + ::= { docsBpi2CmIpMulticastMapEntry 8 } + + docsBpi2CmIpMulticastSAMapRejectErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + noAuthForRequestedDSFlow(9), + dsFlowNotMappedToSA(10) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + + + +Green, et al. Standards Track [Page 27] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "The value of this object is the enumerated + description of the Error-Code in the most recent SA Map + Reject message sent in response to an SA Map Request for + This IP. It has the value none(1) if no SA MAP Reject + message has been received since entry creation." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.12 and 4.2.2.15." + ::= { docsBpi2CmIpMulticastMapEntry 9 } + + docsBpi2CmIpMulticastSAMapRejectErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in + the most recent SA Map Reject message sent in response to + an SA Map Request for this IP. It is a zero length string + if no SA Map Reject message has been received since entry + creation." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.12 and 4.2.2.6." + ::= { docsBpi2CmIpMulticastMapEntry 10 } + + -- + -- CM Cert Objects + -- + + docsBpi2CmCertObjects OBJECT IDENTIFIER + ::= { docsBpi2CmObjects 4 } + + -- + -- CM Device Cert Table + -- + + docsBpi2CmDeviceCertTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmDeviceCertEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table describes the Baseline Privacy Plus + device certificates for each CM MAC interface." + ::= { docsBpi2CmCertObjects 1 } + + docsBpi2CmDeviceCertEntry OBJECT-TYPE + SYNTAX DocsBpi2CmDeviceCertEntry + MAX-ACCESS not-accessible + + + +Green, et al. Standards Track [Page 28] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + STATUS current + DESCRIPTION + "Each entry contains the device certificates of + one CM MAC interface. An entry in this table exists for + each ifEntry with an ifType of docsCableMaclayer(127)." + INDEX { ifIndex } + ::= { docsBpi2CmDeviceCertTable 1 } + + DocsBpi2CmDeviceCertEntry ::= SEQUENCE { + docsBpi2CmDeviceCmCert + DocsX509ASN1DEREncodedCertificate, + docsBpi2CmDeviceManufCert + DocsX509ASN1DEREncodedCertificate + } + + docsBpi2CmDeviceCmCert OBJECT-TYPE + SYNTAX DocsX509ASN1DEREncodedCertificate + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The X509 DER-encoded cable modem certificate. + Note: This object can be set only when the value is the + zero-length OCTET STRING; otherwise, an error of + 'inconsistentValue' is returned. Once the object + contains the certificate, its access MUST be read-only + and persists after re-initialization of the + managed system." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.1." + ::= { docsBpi2CmDeviceCertEntry 1 } + + docsBpi2CmDeviceManufCert OBJECT-TYPE + SYNTAX DocsX509ASN1DEREncodedCertificate + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The X509 DER-encoded manufacturer certificate that + signed the cable modem certificate." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.1." + ::= { docsBpi2CmDeviceCertEntry 2 } + + -- + -- CM Crypto Suite Table + -- + + + + +Green, et al. Standards Track [Page 29] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmCryptoSuiteTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmCryptoSuiteEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table describes the Baseline Privacy Plus + cryptographic suite capabilities for each CM MAC + interface." + ::= { docsBpi2CmObjects 5 } + + docsBpi2CmCryptoSuiteEntry OBJECT-TYPE + SYNTAX DocsBpi2CmCryptoSuiteEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Each entry contains a cryptographic suite pair + that this CM MAC supports." + INDEX { ifIndex, docsBpi2CmCryptoSuiteIndex } + ::= { docsBpi2CmCryptoSuiteTable 1 } + + DocsBpi2CmCryptoSuiteEntry ::= SEQUENCE { + docsBpi2CmCryptoSuiteIndex Unsigned32, + docsBpi2CmCryptoSuiteDataEncryptAlg + DocsBpkmDataEncryptAlg, + docsBpi2CmCryptoSuiteDataAuthentAlg + DocsBpkmDataAuthentAlg + } + + docsBpi2CmCryptoSuiteIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..1000) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The index for a cryptographic suite row." + ::= { docsBpi2CmCryptoSuiteEntry 1 } + + docsBpi2CmCryptoSuiteDataEncryptAlg OBJECT-TYPE + SYNTAX DocsBpkmDataEncryptAlg + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the data encryption + algorithm for this cryptographic suite capability." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + ::= { docsBpi2CmCryptoSuiteEntry 2 } + + + + +Green, et al. Standards Track [Page 30] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmCryptoSuiteDataAuthentAlg OBJECT-TYPE + SYNTAX DocsBpkmDataAuthentAlg + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the data authentication + algorithm for this cryptographic suite capability." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + ::= { docsBpi2CmCryptoSuiteEntry 3 } + + -- Cable Modem Termination System Group + + docsBpi2CmtsObjects OBJECT IDENTIFIER ::= { docsBpi2MIBObjects 2 } + + -- + -- SPECIAL NOTE: For the following CMTS tables, when a CM is + -- running in BPI mode, replace SAID (Security Association ID) + -- with SID (Service ID). The CMTS is required to map SAIDs and + -- SIDs to one contiguous space. + -- + + -- + -- The BPI+ base table for CMTSs, indexed by ifIndex + -- + + docsBpi2CmtsBaseTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmtsBaseEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table describes the basic Baseline Privacy + attributes of each CMTS MAC interface." + ::= { docsBpi2CmtsObjects 1 } + + docsBpi2CmtsBaseEntry OBJECT-TYPE + SYNTAX DocsBpi2CmtsBaseEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Each entry contains objects describing attributes of + one CMTS MAC interface. An entry in this table exists for + each ifEntry with an ifType of docsCableMaclayer(127)." + INDEX { ifIndex } + ::= { docsBpi2CmtsBaseTable 1 } + + DocsBpi2CmtsBaseEntry ::= SEQUENCE { + + + +Green, et al. Standards Track [Page 31] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmtsDefaultAuthLifetime Integer32, + docsBpi2CmtsDefaultTEKLifetime Integer32, + docsBpi2CmtsDefaultSelfSignedManufCertTrust INTEGER, + docsBpi2CmtsCheckCertValidityPeriods TruthValue, + docsBpi2CmtsAuthentInfos Counter32, + docsBpi2CmtsAuthRequests Counter32, + docsBpi2CmtsAuthReplies Counter32, + docsBpi2CmtsAuthRejects Counter32, + docsBpi2CmtsAuthInvalids Counter32, + docsBpi2CmtsSAMapRequests Counter32, + docsBpi2CmtsSAMapReplies Counter32, + docsBpi2CmtsSAMapRejects Counter32 + } + + docsBpi2CmtsDefaultAuthLifetime OBJECT-TYPE + SYNTAX Integer32 (1..6048000) + UNITS "seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The value of this object is the default lifetime, in + seconds, that the CMTS assigns to a new authorization key. + This object value persists after re-initialization of the + managed system." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.2." + DEFVAL { 604800 } + ::= { docsBpi2CmtsBaseEntry 1 } + + docsBpi2CmtsDefaultTEKLifetime OBJECT-TYPE + SYNTAX Integer32 (1..604800) + UNITS "seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The value of this object is the default lifetime, in + seconds, that the CMTS assigns to a new Traffic Encryption + Key (TEK). + This object value persists after re-initialization of the + managed system." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Appendix A.2." + DEFVAL { 43200 } + ::= { docsBpi2CmtsBaseEntry 2 } + + docsBpi2CmtsDefaultSelfSignedManufCertTrust OBJECT-TYPE + + + +Green, et al. Standards Track [Page 32] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + SYNTAX INTEGER { + trusted (1), + untrusted (2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "This object determines the default trust of + self-signed manufacturer certificate entries, contained + in docsBpi2CmtsCACertTable, and created after this + object is set. + This object need not persist after re-initialization + of the managed system." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.4.1" + ::= { docsBpi2CmtsBaseEntry 3 } + + docsBpi2CmtsCheckCertValidityPeriods OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Setting this object to 'true' causes all chained and + root certificates in the chain to have their validity + periods checked against the current time of day, when + the CMTS receives an Authorization Request from the + CM. + A 'false' setting causes all certificates in the chain + not to have their validity periods checked against the + current time of day. + This object need not persist after re-initialization + of the managed system." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.4.2" + ::= { docsBpi2CmtsBaseEntry 4 } + + docsBpi2CmtsAuthentInfos OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has received an Authentication Information message + from any CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + + + +Green, et al. Standards Track [Page 33] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.9." + ::= { docsBpi2CmtsBaseEntry 5 } + + docsBpi2CmtsAuthRequests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has received an Authorization Request message from any + CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.1." + ::= { docsBpi2CmtsBaseEntry 6 } + + docsBpi2CmtsAuthReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted an Authorization Reply message to any + CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.2." + ::= { docsBpi2CmtsBaseEntry 7 } + + docsBpi2CmtsAuthRejects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted an Authorization Reject message to any + + + +Green, et al. Standards Track [Page 34] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.3." + ::= { docsBpi2CmtsBaseEntry 8 } + + docsBpi2CmtsAuthInvalids OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times + the CMTS has transmitted an Authorization Invalid message + to any CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.7." + ::= { docsBpi2CmtsBaseEntry 9 } + + docsBpi2CmtsSAMapRequests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has received an SA Map Request message from any CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.10." + ::= { docsBpi2CmtsBaseEntry 10 } + + docsBpi2CmtsSAMapReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + + + +Green, et al. Standards Track [Page 35] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "The value of this object is the number of times the + CMTS has transmitted an SA Map Reply message to any CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.11." + ::= { docsBpi2CmtsBaseEntry 11 } + + docsBpi2CmtsSAMapRejects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted an SA Map Reject message to any CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.12." + ::= { docsBpi2CmtsBaseEntry 12 } + + -- + -- The CMTS Authorization Table, indexed by ifIndex and CM MAC + -- address + -- + + docsBpi2CmtsAuthTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmtsAuthEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table describes the attributes of each CM + authorization association. The CMTS maintains one + authorization association with each Baseline Privacy- + enabled CM, registered on each CMTS MAC interface, + regardless of whether the CM is authorized or rejected." + ::= { docsBpi2CmtsObjects 2 } + + docsBpi2CmtsAuthEntry OBJECT-TYPE + SYNTAX DocsBpi2CmtsAuthEntry + MAX-ACCESS not-accessible + STATUS current + + + +Green, et al. Standards Track [Page 36] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + DESCRIPTION + "Each entry contains objects describing attributes of + one authorization association. The CMTS MUST create one + entry per CM per MAC interface, based on the receipt of an + Authorization Request message, and MUST not delete the + entry until the CM loses registration." + INDEX { ifIndex, docsBpi2CmtsAuthCmMacAddress } + ::= { docsBpi2CmtsAuthTable 1 } + + DocsBpi2CmtsAuthEntry ::= SEQUENCE { + docsBpi2CmtsAuthCmMacAddress MacAddress, + docsBpi2CmtsAuthCmBpiVersion INTEGER, + docsBpi2CmtsAuthCmPublicKey OCTET STRING, + docsBpi2CmtsAuthCmKeySequenceNumber Integer32, + docsBpi2CmtsAuthCmExpiresOld DateAndTime, + docsBpi2CmtsAuthCmExpiresNew DateAndTime, + docsBpi2CmtsAuthCmLifetime Integer32, + docsBpi2CmtsAuthCmReset INTEGER, + docsBpi2CmtsAuthCmInfos Counter32, + docsBpi2CmtsAuthCmRequests Counter32, + docsBpi2CmtsAuthCmReplies Counter32, + docsBpi2CmtsAuthCmRejects Counter32, + docsBpi2CmtsAuthCmInvalids Counter32, + docsBpi2CmtsAuthRejectErrorCode INTEGER, + docsBpi2CmtsAuthRejectErrorString SnmpAdminString, + docsBpi2CmtsAuthInvalidErrorCode INTEGER, + docsBpi2CmtsAuthInvalidErrorString SnmpAdminString, + docsBpi2CmtsAuthPrimarySAId DocsSAIdOrZero, + docsBpi2CmtsAuthBpkmCmCertValid INTEGER, + docsBpi2CmtsAuthBpkmCmCert + DocsX509ASN1DEREncodedCertificate, + docsBpi2CmtsAuthCACertIndexPtr Unsigned32 + } + + docsBpi2CmtsAuthCmMacAddress OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The value of this object is the physical address of + the CM to which the authorization association applies." + ::= { docsBpi2CmtsAuthEntry 1 } + + docsBpi2CmtsAuthCmBpiVersion OBJECT-TYPE + SYNTAX INTEGER { + bpi (0), + bpiPlus (1) + } + + + +Green, et al. Standards Track [Page 37] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the version of Baseline + Privacy for which this CM has registered. The value + 'bpiplus' represents the value of BPI-Version Attribute of + the Baseline Privacy Key Management BPKM attribute + BPI-Version (1). The value 'bpi' is used to represent the + CM registered using DOCSIS 1.0 Baseline Privacy." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.22; ANSI/SCTE 22-2 2002(formerly DSS 02-03) + Data-Over-Cable Service Interface Specification DOCSIS 1.0 + Baseline Privacy Interface (BPI)" + ::= { docsBpi2CmtsAuthEntry 2 } + + docsBpi2CmtsAuthCmPublicKey OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (0..524)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is a DER-encoded + RSAPublicKey ASN.1 type string, as defined in the RSA + Encryption Standard (PKCS #1), corresponding to the + public key of the CM. This is the zero-length OCTET + STRING if the CMTS does not retain the public key." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.4." + ::= { docsBpi2CmtsAuthEntry 3 } + + docsBpi2CmtsAuthCmKeySequenceNumber OBJECT-TYPE + SYNTAX Integer32 (0..15) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the most recent + authorization key sequence number for this CM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.2 and 4.2.2.10." + ::= { docsBpi2CmtsAuthEntry 4 } + + docsBpi2CmtsAuthCmExpiresOld OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + + + +Green, et al. Standards Track [Page 38] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "The value of this object is the actual clock time + for expiration of the immediate predecessor of the most + recent authorization key for this FSM. If this FSM has only + one authorization key, then the value is the time of + activation of this FSM. + Note: This object has no meaning for CMs running in BPI + mode; therefore, this object is not instantiated for entries + associated to those CMs." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.2 and 4.2.2.9." + ::= { docsBpi2CmtsAuthEntry 5 } + + docsBpi2CmtsAuthCmExpiresNew OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the actual clock + time for expiration of the most recent authorization key + for this FSM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.2 and 4.2.2.9." + ::= { docsBpi2CmtsAuthEntry 6 } + + docsBpi2CmtsAuthCmLifetime OBJECT-TYPE + SYNTAX Integer32 (1..6048000) + UNITS "seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The value of this object is the lifetime, in seconds, + that the CMTS assigns to an authorization key for this CM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.2 and Appendix A.2." + ::= { docsBpi2CmtsAuthEntry 7 } + + docsBpi2CmtsAuthCmReset OBJECT-TYPE + SYNTAX INTEGER { + noResetRequested(1), + invalidateAuth(2), + sendAuthInvalid(3), + invalidateTeks(4) + } + MAX-ACCESS read-write + STATUS current + + + +Green, et al. Standards Track [Page 39] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + DESCRIPTION + "Setting this object to invalidateAuth(2) causes the + CMTS to invalidate the current CM authorization key(s), but + not to transmit an Authorization Invalid message nor to + invalidate the primary SAID's TEKs. Setting this object to + sendAuthInvalid(3) causes the CMTS to invalidate the + current CM authorization key(s), and to transmit an + Authorization Invalid message to the CM, but not to + invalidate the primary SAID's TEKs. Setting this object to + invalidateTeks(4) causes the CMTS to invalidate the current + CM authorization key(s), to transmit an Authorization + Invalid message to the CM, and to invalidate the TEKs + associated with this CM's primary SAID. + For BPI mode, substitute all of the CM's unicast + TEKs for the primary SAID's TEKs in the previous + paragraph. + Reading this object returns the most recently set + value of this object or, if the object has not been set + since entry creation, returns noResetRequested(1)." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.1.2.3.4, 4.1.2.3.5, and 4.1.3.3.5." + ::= { docsBpi2CmtsAuthEntry 8 } + + docsBpi2CmtsAuthCmInfos OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has received an Authentication Information message + from this CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.9." + ::= { docsBpi2CmtsAuthEntry 9 } + + docsBpi2CmtsAuthCmRequests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has received an Authorization Request message from + + + +Green, et al. Standards Track [Page 40] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + this CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.1." + ::= { docsBpi2CmtsAuthEntry 10 } + + docsBpi2CmtsAuthCmReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted an Authorization Reply message to this + CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.2." + ::= { docsBpi2CmtsAuthEntry 11 } + + docsBpi2CmtsAuthCmRejects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted an Authorization Reject message to + this CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.3." + ::= { docsBpi2CmtsAuthEntry 12 } + + docsBpi2CmtsAuthCmInvalids OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + + + +Green, et al. Standards Track [Page 41] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted an Authorization Invalid message to + this CM. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.7." + ::= { docsBpi2CmtsAuthEntry 13 } + + docsBpi2CmtsAuthRejectErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + unauthorizedCm(3), + unauthorizedSaid(4), + permanentAuthorizationFailure(8), + timeOfDayNotAcquired(11) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the enumerated + description of the Error-Code in the most recent + Authorization Reject message transmitted to the CM. This has + the value unknown(2) if the last Error-Code value was 0 and + none(1) if no Authorization Reject message has been + transmitted to the CM since entry creation." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.3 and 4.2.2.15." + ::= { docsBpi2CmtsAuthEntry 14 } + + docsBpi2CmtsAuthRejectErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in the + most recent Authorization Reject message transmitted to the + CM. This is a zero length string if no Authorization + Reject message has been transmitted to the CM since entry + creation." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + + + +Green, et al. Standards Track [Page 42] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Sections 4.2.1.3 and 4.2.2.6." + ::= { docsBpi2CmtsAuthEntry 15 } + + docsBpi2CmtsAuthInvalidErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + unauthorizedCm(3), + unsolicited(5), + invalidKeySequence(6), + keyRequestAuthenticationFailure(7) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the enumerated + description of the Error-Code in the most recent + Authorization Invalid message transmitted to the CM. This + has the value unknown(2) if the last Error-Code value was 0 + and none(1) if no Authorization Invalid message has been + transmitted to the CM since entry creation." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.7 and 4.2.2.15." + ::= { docsBpi2CmtsAuthEntry 16 } + + docsBpi2CmtsAuthInvalidErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in the + most recent Authorization Invalid message transmitted to + the CM. This is a zero length string if no Authorization + Invalid message has been transmitted to the CM since entry + creation." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.7 and 4.2.2.6." + ::= { docsBpi2CmtsAuthEntry 17 } + + docsBpi2CmtsAuthPrimarySAId OBJECT-TYPE + SYNTAX DocsSAIdOrZero + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the Primary Security + Association identifier. For BPI mode, the value must be + + + +Green, et al. Standards Track [Page 43] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + any unicast SID." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 2.1.3." + ::= { docsBpi2CmtsAuthEntry 18 } + + docsBpi2CmtsAuthBpkmCmCertValid OBJECT-TYPE + SYNTAX INTEGER { + unknown (0), + validCmChained (1), + validCmTrusted (2), + invalidCmUntrusted (3), + invalidCAUntrusted (4), + invalidCmOther (5), + invalidCAOther (6) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Contains the reason why a CM's certificate is deemed + valid or invalid. + Return unknown(0) if the CM is running BPI mode. + ValidCmChained(1) means the certificate is valid + because it chains to a valid certificate. + ValidCmTrusted(2) means the certificate is valid + because it has been provisioned (in the + docsBpi2CmtsProvisionedCmCert table) to be trusted. + InvalidCmUntrusted(3) means the certificate is invalid + because it has been provisioned (in the + docsBpi2CmtsProvisionedCmCert table) to be untrusted. + InvalidCAUntrusted(4) means the certificate is invalid + because it chains to an untrusted certificate. + InvalidCmOther(5) and InvalidCAOther(6) refer to + errors in parsing, validity periods, etc., which are + attributable to the CM certificate or its chain, + respectively; additional information may be found + in docsBpi2AuthRejectErrorString for these types + of errors." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.4.2." + ::= { docsBpi2CmtsAuthEntry 19 } + + docsBpi2CmtsAuthBpkmCmCert OBJECT-TYPE + SYNTAX DocsX509ASN1DEREncodedCertificate + MAX-ACCESS read-only + STATUS current + DESCRIPTION + + + +Green, et al. Standards Track [Page 44] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "The X509 CM Certificate sent as part of a BPKM + Authorization Request. + Note: The zero-length OCTET STRING must be returned if the + Entire certificate is not retained in the CMTS." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.2." + ::= { docsBpi2CmtsAuthEntry 20 } + + docsBpi2CmtsAuthCACertIndexPtr OBJECT-TYPE + SYNTAX Unsigned32 (0..4294967295) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A row index into docsBpi2CmtsCACertTable. + Returns the index in docsBpi2CmtsCACertTable to which + CA certificate this CM is chained to. A value of + 0 means it could not be found or not applicable." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.2." + ::= { docsBpi2CmtsAuthEntry 21 } + + -- + -- The CMTS TEK Table, indexed by ifIndex and SAID + -- + + docsBpi2CmtsTEKTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmtsTEKEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table describes the attributes of each + Traffic Encryption Key (TEK) association. The CMTS + Maintains one TEK association per SAID on each CMTS MAC + interface." + ::= { docsBpi2CmtsObjects 3 } + + docsBpi2CmtsTEKEntry OBJECT-TYPE + SYNTAX DocsBpi2CmtsTEKEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Each entry contains objects describing attributes of + one TEK association on a particular CMTS MAC interface. The + CMTS MUST create one entry per SAID per MAC interface, + based on the receipt of a Key Request message, and MUST not + delete the entry before the CM authorization for the SAID + + + +Green, et al. Standards Track [Page 45] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + permanently expires." + INDEX { ifIndex, docsBpi2CmtsTEKSAId } + ::= { docsBpi2CmtsTEKTable 1 } + + DocsBpi2CmtsTEKEntry ::= SEQUENCE { + docsBpi2CmtsTEKSAId DocsSAId, + docsBpi2CmtsTEKSAType DocsBpkmSAType, + docsBpi2CmtsTEKDataEncryptAlg DocsBpkmDataEncryptAlg, + docsBpi2CmtsTEKDataAuthentAlg DocsBpkmDataAuthentAlg, + docsBpi2CmtsTEKLifetime Integer32, + docsBpi2CmtsTEKKeySequenceNumber Integer32, + docsBpi2CmtsTEKExpiresOld DateAndTime, + docsBpi2CmtsTEKExpiresNew DateAndTime, + docsBpi2CmtsTEKReset TruthValue, + docsBpi2CmtsKeyRequests Counter32, + docsBpi2CmtsKeyReplies Counter32, + docsBpi2CmtsKeyRejects Counter32, + docsBpi2CmtsTEKInvalids Counter32, + docsBpi2CmtsKeyRejectErrorCode INTEGER, + docsBpi2CmtsKeyRejectErrorString SnmpAdminString, + docsBpi2CmtsTEKInvalidErrorCode INTEGER, + docsBpi2CmtsTEKInvalidErrorString SnmpAdminString + } + + docsBpi2CmtsTEKSAId OBJECT-TYPE + SYNTAX DocsSAId + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The value of this object is the DOCSIS Security + Association ID (SAID)." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.12." + ::= { docsBpi2CmtsTEKEntry 1 } + + docsBpi2CmtsTEKSAType OBJECT-TYPE + SYNTAX DocsBpkmSAType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the type of security + association. 'dynamic' does not apply to CMs running in + BPI mode. Unicast BPI TEKs must utilize the 'primary' + encoding, and multicast BPI TEKs must utilize the 'static' + encoding." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + + + +Green, et al. Standards Track [Page 46] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Section 2.1.3." + ::= { docsBpi2CmtsTEKEntry 2 } + + docsBpi2CmtsTEKDataEncryptAlg OBJECT-TYPE + SYNTAX DocsBpkmDataEncryptAlg + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the data encryption + algorithm for this SAID." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + ::= { docsBpi2CmtsTEKEntry 3 } + + docsBpi2CmtsTEKDataAuthentAlg OBJECT-TYPE + SYNTAX DocsBpkmDataAuthentAlg + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the data authentication + algorithm for this SAID." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + ::= { docsBpi2CmtsTEKEntry 4 } + + docsBpi2CmtsTEKLifetime OBJECT-TYPE + SYNTAX Integer32 (1..604800) + UNITS "seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The value of this object is the lifetime, in + seconds, that the CMTS assigns to keys for this TEK + association." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.5 and Appendix A.2." + ::= { docsBpi2CmtsTEKEntry 5 } + + + docsBpi2CmtsTEKKeySequenceNumber OBJECT-TYPE + SYNTAX Integer32 (0..15) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the most recent TEK + + + +Green, et al. Standards Track [Page 47] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + key sequence number for this SAID." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.2.10 and 4.2.2.13." + ::= { docsBpi2CmtsTEKEntry 6 } + + docsBpi2CmtsTEKExpiresOld OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the actual clock time + for expiration of the immediate predecessor of the most + recent TEK for this FSM. If this FSM has only one TEK, then + the value is the time of activation of this FSM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.5 and 4.2.2.9." + ::= { docsBpi2CmtsTEKEntry 7 } + + docsBpi2CmtsTEKExpiresNew OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the actual clock time + for expiration of the most recent TEK for this FSM." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.5 and 4.2.2.9." + ::= { docsBpi2CmtsTEKEntry 8 } + + docsBpi2CmtsTEKReset OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Setting this object to 'true' causes the CMTS to + invalidate all currently active TEKs and to generate new + TEKs for the associated SAID; the CMTS MAY also generate + unsolicited TEK Invalid messages, to optimize the TEK + synchronization between the CMTS and the CM(s). Reading + this object always returns FALSE." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.1.3.3.5." + ::= { docsBpi2CmtsTEKEntry 9 } + + + + +Green, et al. Standards Track [Page 48] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmtsKeyRequests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has received a Key Request message. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.4." + ::= { docsBpi2CmtsTEKEntry 10 } + + docsBpi2CmtsKeyReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted a Key Reply message. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.5." + ::= { docsBpi2CmtsTEKEntry 11 } + + docsBpi2CmtsKeyRejects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted a Key Reject message. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.6." + ::= { docsBpi2CmtsTEKEntry 12 } + + + + +Green, et al. Standards Track [Page 49] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmtsTEKInvalids OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted a TEK Invalid message. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.8." + ::= { docsBpi2CmtsTEKEntry 13 } + + docsBpi2CmtsKeyRejectErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + unauthorizedSaid(4) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the enumerated + description of the Error-Code in the most recent Key Reject + message sent in response to a Key Request for this SAID. + This has the value unknown(2) if the last Error-Code value + was 0 and none(1) if no Key Reject message has been + received since registration." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.6 and 4.2.2.15." + ::= { docsBpi2CmtsTEKEntry 14 } + + docsBpi2CmtsKeyRejectErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in + the most recent Key Reject message sent in response to a + Key Request for this SAID. This is a zero length string if + no Key Reject message has been received since + registration." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + + + +Green, et al. Standards Track [Page 50] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Sections 4.2.1.6 and 4.2.2.6." + ::= { docsBpi2CmtsTEKEntry 15 } + + docsBpi2CmtsTEKInvalidErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + invalidKeySequence(6) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the enumerated + description of the Error-Code in the most recent TEK + Invalid message sent in association with this SAID. This + has the value unknown(2) if the last Error-Code value was 0 + and none(1) if no TEK Invalid message has been received + since registration." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.8 and 4.2.2.15." + ::= { docsBpi2CmtsTEKEntry 16 } + + docsBpi2CmtsTEKInvalidErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in + the most recent TEK Invalid message sent in association + with this SAID. This is a zero length string if no TEK + Invalid message has been received since registration." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.8 and 4.2.2.6." + ::= { docsBpi2CmtsTEKEntry 17 } + + -- + -- The CMTS Multicast Objects Group + -- + + docsBpi2CmtsMulticastObjects OBJECT IDENTIFIER + ::= { docsBpi2CmtsObjects 4 } + + -- + -- The CMTS IP Multicast Mapping Table, indexed by + -- docsBpi2CmtsIpMulticastIndex, and by ifIndex + -- + + + +Green, et al. Standards Track [Page 51] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmtsIpMulticastMapTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmtsIpMulticastMapEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table maps multicast IP addresses to SAIDs. + If a multicast IP address is mapped by multiple rows + in the table, the row with the lowest + docsBpi2CmtsIpMulticastIndex must be utilized for the + mapping." + ::= { docsBpi2CmtsMulticastObjects 1 } + + docsBpi2CmtsIpMulticastMapEntry OBJECT-TYPE + SYNTAX DocsBpi2CmtsIpMulticastMapEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Each entry contains objects describing the mapping of + a set of multicast IP address and the mask to one SAID + associated to a CMTS MAC Interface, as well as associated + message counters and error information." + INDEX { ifIndex, docsBpi2CmtsIpMulticastIndex } + ::= { docsBpi2CmtsIpMulticastMapTable 1 } + + DocsBpi2CmtsIpMulticastMapEntry ::= SEQUENCE { + docsBpi2CmtsIpMulticastIndex Unsigned32, + docsBpi2CmtsIpMulticastAddressType InetAddressType, + docsBpi2CmtsIpMulticastAddress InetAddress, + docsBpi2CmtsIpMulticastMask InetAddress, + docsBpi2CmtsIpMulticastSAId DocsSAIdOrZero, + docsBpi2CmtsIpMulticastSAType DocsBpkmSAType, + docsBpi2CmtsIpMulticastDataEncryptAlg + DocsBpkmDataEncryptAlg, + docsBpi2CmtsIpMulticastDataAuthentAlg + DocsBpkmDataAuthentAlg, + docsBpi2CmtsIpMulticastSAMapRequests Counter32, + docsBpi2CmtsIpMulticastSAMapReplies Counter32, + docsBpi2CmtsIpMulticastSAMapRejects Counter32, + docsBpi2CmtsIpMulticastSAMapRejectErrorCode + INTEGER, + docsBpi2CmtsIpMulticastSAMapRejectErrorString + SnmpAdminString, + docsBpi2CmtsIpMulticastMapControl RowStatus, + docsBpi2CmtsIpMulticastMapStorageType StorageType + } + + docsBpi2CmtsIpMulticastIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..4294967295) + + + +Green, et al. Standards Track [Page 52] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The index of this row. Conceptual rows having the + value 'permanent' need not allow write-access to any + columnar objects in the row." + ::= { docsBpi2CmtsIpMulticastMapEntry 1 } + + docsBpi2CmtsIpMulticastAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The type of Internet address for + docsBpi2CmtsIpMulticastAddress + and docsBpi2CmtsIpMulticastMask." + DEFVAL { ipv4 } + ::= { docsBpi2CmtsIpMulticastMapEntry 2 } + + docsBpi2CmtsIpMulticastAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object represents the IP multicast address + to be mapped, in conjunction with + docsBpi2CmtsIpMulticastMask. The type of this address is + determined by the value of the object + docsBpi2CmtsIpMulticastAddressType." + ::= { docsBpi2CmtsIpMulticastMapEntry 3 } + + docsBpi2CmtsIpMulticastMask OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object represents the IP multicast address mask + for this row. + An IP multicast address matches this row if the logical + AND of the address with docsBpi2CmtsIpMulticastMask is + identical to the logical AND of + docsBpi2CmtsIpMulticastAddr with + docsBpi2CmtsIpMulticastMask. The type of this address is + determined by the value of the object + docsBpi2CmtsIpMulticastAddressType. + Note: For IPv6, this object need not represent a + contiguous netmask; e.g., to associate a SAID to a + multicast group matching 'any' multicast scope. The TC + + + +Green, et al. Standards Track [Page 53] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + InetAddressPrefixLength is not used, as it only + represents contiguous netmask." + ::= { docsBpi2CmtsIpMulticastMapEntry 4 } + + docsBpi2CmtsIpMulticastSAId OBJECT-TYPE + SYNTAX DocsSAIdOrZero + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object represents the multicast SAID to be + used in this IP multicast address mapping entry." + ::= { docsBpi2CmtsIpMulticastMapEntry 5 } + + docsBpi2CmtsIpMulticastSAType OBJECT-TYPE + SYNTAX DocsBpkmSAType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object is the type of security + association. 'dynamic' does not apply to CMs running in + BPI mode. Unicast BPI TEKs must utilize the 'primary' + encoding, and multicast BPI TEKs must utilize the 'static' + encoding. By default, SNMP created entries set this object + to 'static' if not set at row creation." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 2.1.3." + ::= { docsBpi2CmtsIpMulticastMapEntry 6 } + + docsBpi2CmtsIpMulticastDataEncryptAlg OBJECT-TYPE + SYNTAX DocsBpkmDataEncryptAlg + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object is the data encryption + algorithm for this IP." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + DEFVAL { des56CbcMode } + ::= { docsBpi2CmtsIpMulticastMapEntry 7 } + + docsBpi2CmtsIpMulticastDataAuthentAlg OBJECT-TYPE + SYNTAX DocsBpkmDataAuthentAlg + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object is the data authentication + + + +Green, et al. Standards Track [Page 54] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + algorithm for this IP." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.2.20." + DEFVAL { none } + ::= { docsBpi2CmtsIpMulticastMapEntry 8 } + + docsBpi2CmtsIpMulticastSAMapRequests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has received an SA Map Request message for this IP. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.10." + ::= { docsBpi2CmtsIpMulticastMapEntry 9 } + + docsBpi2CmtsIpMulticastSAMapReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted an SA Map Reply message for this IP. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.11." + ::= { docsBpi2CmtsIpMulticastMapEntry 10 } + + docsBpi2CmtsIpMulticastSAMapRejects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the number of times the + CMTS has transmitted an SA Map Reject message for this IP. + Discontinuities in the value of this counter can occur at + re-initialization of the management system, and at other + + + +Green, et al. Standards Track [Page 55] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + times as indicated by the value of + ifCounterDiscontinuityTime." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 4.2.1.12." + ::= { docsBpi2CmtsIpMulticastMapEntry 11 } + + docsBpi2CmtsIpMulticastSAMapRejectErrorCode OBJECT-TYPE + SYNTAX INTEGER { + none(1), + unknown(2), + noAuthForRequestedDSFlow(9), + dsFlowNotMappedToSA(10) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the enumerated + description of the Error-Code in the most recent SA Map + Reject message sent in response to an SA Map Request for + this IP. It has the value unknown(2) if the last Error-Code + Value was 0 and none(1) if no SA MAP Reject message has + been received since entry creation." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.12 and 4.2.2.15." + ::= { docsBpi2CmtsIpMulticastMapEntry 12 } + + docsBpi2CmtsIpMulticastSAMapRejectErrorString OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..128)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the text string in + the most recent SA Map Reject message sent in response to + an SA Map Request for this IP. It is a zero length string + if no SA Map Reject message has been received since entry + creation." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections 4.2.1.12 and 4.2.2.6." + ::= { docsBpi2CmtsIpMulticastMapEntry 13 } + + docsBpi2CmtsIpMulticastMapControl OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + + + +Green, et al. Standards Track [Page 56] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "This object controls and reflects the IP multicast + address mapping entry. There is no restriction on the + ability to change values in this row while the row is + active. + A created row can be set to active only after the + Corresponding instances of docsBpi2CmtsIpMulticastAddress, + docsBpi2CmtsIpMulticastMask, docsBpi2CmtsIpMulticastSAId, + and docsBpi2CmtsIpMulticastSAType have all been set." + ::= { docsBpi2CmtsIpMulticastMapEntry 14 } + + docsBpi2CmtsIpMulticastMapStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The storage type for this conceptual row. + Conceptual rows having the value 'permanent' need not allow + write-access to any columnar objects in the row." + ::= { docsBpi2CmtsIpMulticastMapEntry 15 } + + -- + -- The CMTS Multicast SAID Authorization Table, + -- indexed by ifIndex by + -- multicast SAID by CM MAC address + -- + + docsBpi2CmtsMulticastAuthTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmtsMulticastAuthEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table describes the multicast SAID + authorization for each CM on each CMTS MAC interface." + ::= { docsBpi2CmtsMulticastObjects 2 } + + docsBpi2CmtsMulticastAuthEntry OBJECT-TYPE + SYNTAX DocsBpi2CmtsMulticastAuthEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Each entry contains objects describing the key + authorization of one cable modem for one multicast SAID + for one CMTS MAC interface. + Row entries persist after re-initialization of + the managed system." + INDEX { ifIndex, docsBpi2CmtsMulticastAuthSAId, + docsBpi2CmtsMulticastAuthCmMacAddress } + ::= { docsBpi2CmtsMulticastAuthTable 1 } + + + +Green, et al. Standards Track [Page 57] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + DocsBpi2CmtsMulticastAuthEntry ::= SEQUENCE + { + docsBpi2CmtsMulticastAuthSAId DocsSAId, + docsBpi2CmtsMulticastAuthCmMacAddress MacAddress, + docsBpi2CmtsMulticastAuthControl RowStatus + } + + docsBpi2CmtsMulticastAuthSAId OBJECT-TYPE + SYNTAX DocsSAId + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This object represents the multicast SAID for + authorization." + ::= { docsBpi2CmtsMulticastAuthEntry 1 } + + docsBpi2CmtsMulticastAuthCmMacAddress OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This object represents the MAC address of the CM + to which the multicast SAID authorization applies." + ::= { docsBpi2CmtsMulticastAuthEntry 2 } + + docsBpi2CmtsMulticastAuthControl OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this conceptual row for the + authorization of multicast SAIDs to CMs." + ::= { docsBpi2CmtsMulticastAuthEntry 3 } + + -- + -- CMTS Cert Objects + -- + + docsBpi2CmtsCertObjects OBJECT IDENTIFIER + ::= { docsBpi2CmtsObjects 5 } + + -- + -- CMTS Provisioned CM Cert Table + -- + + docsBpi2CmtsProvisionedCmCertTable OBJECT-TYPE + SYNTAX SEQUENCE OF + DocsBpi2CmtsProvisionedCmCertEntry + + + +Green, et al. Standards Track [Page 58] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of CM certificate trust entries provisioned + to the CMTS. The trust object for a certificate in this + table has an overriding effect on the validity object of a + certificate in the authorization table, as long as the + entire contents of the two certificates are identical." + ::= { docsBpi2CmtsCertObjects 1 } + + docsBpi2CmtsProvisionedCmCertEntry OBJECT-TYPE + SYNTAX DocsBpi2CmtsProvisionedCmCertEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry in the CMTS's provisioned CM certificate + table. Row entries persist after re-initialization of + the managed system." + REFERENCE + "Data-Over-Cable Service Interface Specifications: + Operations Support System Interface Specification + SP-OSSIv2.0-I05-040407, Section 6.2.14" + INDEX { docsBpi2CmtsProvisionedCmCertMacAddress } + ::= { docsBpi2CmtsProvisionedCmCertTable 1 } + + DocsBpi2CmtsProvisionedCmCertEntry ::= SEQUENCE + { + docsBpi2CmtsProvisionedCmCertMacAddress MacAddress, + docsBpi2CmtsProvisionedCmCertTrust INTEGER, + docsBpi2CmtsProvisionedCmCertSource INTEGER, + docsBpi2CmtsProvisionedCmCertStatus RowStatus, + docsBpi2CmtsProvisionedCmCert + DocsX509ASN1DEREncodedCertificate + } + + docsBpi2CmtsProvisionedCmCertMacAddress OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The index of this row." + ::= { docsBpi2CmtsProvisionedCmCertEntry 1 } + + docsBpi2CmtsProvisionedCmCertTrust OBJECT-TYPE + SYNTAX INTEGER { + trusted(1), + untrusted(2) + } + + + +Green, et al. Standards Track [Page 59] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Trust state for the provisioned CM certificate entry. + Note: Setting this object need only override the validity + of CM certificates sent in future authorization requests; + instantaneous effect need not occur." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.4.1." + DEFVAL { untrusted } + ::= { docsBpi2CmtsProvisionedCmCertEntry 2 } + + docsBpi2CmtsProvisionedCmCertSource OBJECT-TYPE + SYNTAX INTEGER { + snmp(1), + configurationFile(2), + externalDatabase(3), + other(4) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object indicates how the certificate reached the + CMTS. Other(4) means that it originated from a source not + identified above." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.4.1." + ::= { docsBpi2CmtsProvisionedCmCertEntry 3 } + + docsBpi2CmtsProvisionedCmCertStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this conceptual row. Values in this row + cannot be changed while the row is 'active'." + ::= { docsBpi2CmtsProvisionedCmCertEntry 4 } + + docsBpi2CmtsProvisionedCmCert OBJECT-TYPE + SYNTAX DocsX509ASN1DEREncodedCertificate + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "An X509 DER-encoded Certificate Authority + certificate. + Note: The zero-length OCTET STRING must be returned, on + + + +Green, et al. Standards Track [Page 60] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + reads, if the entire certificate is not retained in the + CMTS." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.2." + ::= { docsBpi2CmtsProvisionedCmCertEntry 5 } + + -- + -- CMTS CA Cert Table + -- + + docsBpi2CmtsCACertTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsBpi2CmtsCACertEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The table of known Certificate Authority certificates + acquired by this device." + ::= { docsBpi2CmtsCertObjects 2 } + + docsBpi2CmtsCACertEntry OBJECT-TYPE + SYNTAX DocsBpi2CmtsCACertEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A row in the Certificate Authority certificate + table. Row entries with the trust status 'trusted', + 'untrusted', or 'root' persist after re-initialization + of the managed system." + REFERENCE + "Data-Over-Cable Service Interface Specifications: + Operations Support System Interface Specification + SP-OSSIv2.0-I05-040407, Section 6.2.14" + INDEX { docsBpi2CmtsCACertIndex } + ::= {docsBpi2CmtsCACertTable 1 } + + DocsBpi2CmtsCACertEntry ::= SEQUENCE { + docsBpi2CmtsCACertIndex Unsigned32, + docsBpi2CmtsCACertSubject SnmpAdminString, + docsBpi2CmtsCACertIssuer SnmpAdminString, + docsBpi2CmtsCACertSerialNumber OCTET STRING, + docsBpi2CmtsCACertTrust INTEGER, + docsBpi2CmtsCACertSource INTEGER, + docsBpi2CmtsCACertStatus RowStatus, + docsBpi2CmtsCACert + DocsX509ASN1DEREncodedCertificate, + docsBpi2CmtsCACertThumbprint OCTET STRING + } + + + +Green, et al. Standards Track [Page 61] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmtsCACertIndex OBJECT-TYPE + SYNTAX Unsigned32 (1.. 4294967295) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The index for this row." + ::= { docsBpi2CmtsCACertEntry 1 } + + docsBpi2CmtsCACertSubject OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The subject name exactly as it is encoded in the + X509 certificate. + The organizationName portion of the certificate's subject + name must be present. All other fields are optional. Any + optional field present must be prepended with <CR> + (carriage return, U+000D) <LF> (line feed, U+000A). + Ordering of fields present must conform to the following: + + organizationName <CR> <LF> + countryName <CR> <LF> + stateOrProvinceName <CR> <LF> + localityName <CR> <LF> + organizationalUnitName <CR> <LF> + organizationalUnitName=<Manufacturing Location> <CR> <LF> + commonName" + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.2.4" + ::= { docsBpi2CmtsCACertEntry 2 } + + docsBpi2CmtsCACertIssuer OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The issuer name exactly as it is encoded in the + X509 certificate. + The commonName portion of the certificate's issuer + name must be present. All other fields are optional. Any + optional field present must be prepended with <CR> + (carriage return, U+000D) <LF> (line feed, U+000A). + Ordering of fields present must conform to the following: + + CommonName <CR><LF> + countryName <CR><LF> + + + +Green, et al. Standards Track [Page 62] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + stateOrProvinceName <CR><LF> + localityName <CR><LF> + organizationName <CR><LF> + organizationalUnitName <CR><LF> + organizationalUnitName=<Manufacturing Location>" + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.2.4" + ::= { docsBpi2CmtsCACertEntry 3 } + + docsBpi2CmtsCACertSerialNumber OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (1..32)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This CA certificate's serial number, represented as + an octet string." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.2.2" + ::= { docsBpi2CmtsCACertEntry 4 } + + docsBpi2CmtsCACertTrust OBJECT-TYPE + SYNTAX INTEGER { + trusted (1), + untrusted (2), + chained (3), + root (4) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object controls the trust status of this + certificate. Root certificates must be given root(4) + trust; manufacturer certificates must not be given root(4) + trust. Trust on root certificates must not change. + Note: Setting this object need only affect the validity of + CM certificates sent in future authorization requests; + instantaneous effect need not occur." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.4.1" + DEFVAL { chained } + ::= { docsBpi2CmtsCACertEntry 5 } + + docsBpi2CmtsCACertSource OBJECT-TYPE + SYNTAX INTEGER { + snmp (1), + + + +Green, et al. Standards Track [Page 63] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + configurationFile (2), + externalDatabase (3), + other (4), + authentInfo (5), + compiledIntoCode (6) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object indicates how the certificate reached + the CMTS. Other(4) means that it originated from a source + not identified above." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.4.1" + ::= { docsBpi2CmtsCACertEntry 6 } + + docsBpi2CmtsCACertStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this conceptual row. An attempt + to set writable columnar values while this row is active + behaves as follows: + - Sets to the object docsBpi2CmtsCACertTrust are allowed. + - Sets to the object docsBpi2CmtsCACert will return an + error of 'inconsistentValue'. + A newly created entry cannot be set to active until the + value of docsBpi2CmtsCACert is being set." + ::= { docsBpi2CmtsCACertEntry 7 } + + docsBpi2CmtsCACert OBJECT-TYPE + SYNTAX DocsX509ASN1DEREncodedCertificate + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "An X509 DER-encoded Certificate Authority + certificate. + To help identify certificates, either this object or + docsBpi2CmtsCACertThumbprint must be returned by a CMTS for + self-signed CA certificates. + + Note: The zero-length OCTET STRING must be returned, on + reads, if the entire certificate is not retained in the + CMTS." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + + + +Green, et al. Standards Track [Page 64] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Section 9.2." + ::= { docsBpi2CmtsCACertEntry 8 } + + docsBpi2CmtsCACertThumbprint OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (20)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The SHA-1 hash of a CA certificate. + To help identify certificates, either this object or + docsBpi2CmtsCACert must be returned by a CMTS for + self-signed CA certificates. + + Note: The zero-length OCTET STRING must be returned, on + reads, if the CA certificate thumb print is not retained + in the CMTS." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section 9.4.3" + ::= { docsBpi2CmtsCACertEntry 9 } + + -- + -- Authenticated Software Download Objects + -- + + -- + -- Note: the authenticated software download objects are a + -- CM requirement only. + -- + + docsBpi2CodeDownloadControl OBJECT IDENTIFIER + ::= { docsBpi2MIBObjects 4 } + + docsBpi2CodeDownloadStatusCode OBJECT-TYPE + SYNTAX INTEGER { + configFileCvcVerified (1), + configFileCvcRejected (2), + snmpCvcVerified (3), + snmpCvcRejected (4), + codeFileVerified (5), + codeFileRejected (6), + other (7) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value indicates the result of the latest config + file CVC verification, SNMP CVC verification, or code file + + + +Green, et al. Standards Track [Page 65] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + verification." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Sections D.3.3.2 and D.3.5.1." + ::= { docsBpi2CodeDownloadControl 1 } + + docsBpi2CodeDownloadStatusString OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object indicates the additional + information to the status code. The value will include + the error code and error description, which will be defined + separately." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section D.3.7" + ::= { docsBpi2CodeDownloadControl 2 } + + docsBpi2CodeMfgOrgName OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the device manufacturer's + organizationName." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section D.3.2.2." + ::= { docsBpi2CodeDownloadControl 3 } + + docsBpi2CodeMfgCodeAccessStart OBJECT-TYPE + SYNTAX DateAndTime (SIZE(11)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the device manufacturer's + current codeAccessStart value. This value will always + refer to Greenwich Mean Time (GMT), and the value + format must contain TimeZone information (fields 8-10)." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section D.3.2.2." + ::= { docsBpi2CodeDownloadControl 4 } + + docsBpi2CodeMfgCvcAccessStart OBJECT-TYPE + SYNTAX DateAndTime (SIZE(11)) + + + +Green, et al. Standards Track [Page 66] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the device manufacturer's + current cvcAccessStart value. This value will always + refer to Greenwich Mean Time (GMT), and the value + format must contain TimeZone information (fields 8-10)." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section D.3.2.2." + ::= { docsBpi2CodeDownloadControl 5 } + + docsBpi2CodeCoSignerOrgName OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the co-signer's + organizationName. The value is a zero length string if + the co-signer is not specified." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section D.3.2.2." + ::= { docsBpi2CodeDownloadControl 6 } + + docsBpi2CodeCoSignerCodeAccessStart OBJECT-TYPE + SYNTAX DateAndTime (SIZE(11)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the co-signer's current + codeAccessStart value. This value will always refer to + Greenwich Mean Time (GMT), and the value format must contain + TimeZone information (fields 8-10). + If docsBpi2CodeCoSignerOrgName is a zero + length string, the value of this object is meaningless." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section D.3.2.2." + ::= { docsBpi2CodeDownloadControl 7 } + + docsBpi2CodeCoSignerCvcAccessStart OBJECT-TYPE + SYNTAX DateAndTime (SIZE(11)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object is the co-signer's current + cvcAccessStart value. This value will always refer to + + + +Green, et al. Standards Track [Page 67] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Greenwich Mean Time (GMT), and the value format must contain + TimeZone information (fields 8-10). + If docsBpi2CodeCoSignerOrgName is a zero + length string, the value of this object is meaningless." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section D.3.2.2." + ::= { docsBpi2CodeDownloadControl 8 } + + docsBpi2CodeCvcUpdate OBJECT-TYPE + SYNTAX DocsX509ASN1DEREncodedCertificate + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Setting a CVC to this object triggers the device + to verify the CVC and update the cvcAccessStart values. + The content of this object is then discarded. + If the device is not enabled to upgrade codefiles, or if + the CVC verification fails, the CVC will be rejected. + Reading this object always returns the zero-length OCTET + STRING." + REFERENCE + "DOCSIS Baseline Privacy Plus Interface Specification, + Section D.3.3.2.2." + ::= { docsBpi2CodeDownloadControl 9 } + + -- + -- The BPI+ MIB Conformance Statements (with a placeholder for + -- notifications) + -- + + docsBpi2Notification OBJECT IDENTIFIER + ::= { docsBpi2MIB 0 } + docsBpi2Conformance OBJECT IDENTIFIER + ::= { docsBpi2MIB 2 } + docsBpi2Compliances OBJECT IDENTIFIER + ::= { docsBpi2Conformance 1 } + docsBpi2Groups OBJECT IDENTIFIER + ::= { docsBpi2Conformance 2 } + + + docsBpi2CmCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "This is the compliance statement for CMs that + implement the DOCSIS Baseline Privacy Interface Plus." + + MODULE -- docsBpi2MIB + + + +Green, et al. Standards Track [Page 68] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + -- unconditionally mandatory group + MANDATORY-GROUPS { + docsBpi2CmGroup, + docsBpi2CodeDownloadGroup + } + + -- constrain on Encryption algorithms + OBJECT docsBpi2CmTEKDataEncryptAlg + SYNTAX DocsBpkmDataEncryptAlg { + none(0), + des56CbcMode(1), + des40CbcMode(2) + } + DESCRIPTION + "It is compliant to support des56CbcMode(1) and + des40CbcMode(2) for data encryption algorithms." + + -- constrain on Integrity algorithms + OBJECT docsBpi2CmTEKDataAuthentAlg + SYNTAX DocsBpkmDataAuthentAlg { + none(0) + } + DESCRIPTION + "It is compliant to not support data message + authentication algorithms." + + -- constrain on IP addressing + OBJECT docsBpi2CmIpMulticastAddressType + SYNTAX InetAddressType { ipv4(1) } + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Support for other address types may be defined + in future versions of this MIB module." + + -- constrain on IP addressing + OBJECT docsBpi2CmIpMulticastAddress + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses Other address types support may be defined in + future versions of this MIB module." + + -- constrain on Encryption algorithms + OBJECT docsBpi2CmCryptoSuiteDataEncryptAlg + SYNTAX DocsBpkmDataEncryptAlg { + none(0), + des56CbcMode(1), + des40CbcMode(2) + + + +Green, et al. Standards Track [Page 69] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + } + DESCRIPTION + "It is compliant to only support des56CbcMode(1) + and des40CbcMode(2) for data encryption algorithms." + + -- constrain on Integrity algorithms + OBJECT docsBpi2CmCryptoSuiteDataAuthentAlg + SYNTAX DocsBpkmDataAuthentAlg { + none(0) + } + DESCRIPTION + "It is compliant to not support data message + authentication algorithms." + + ::= { docsBpi2Compliances 1 } + + + docsBpi2CmtsCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "This is the compliance statement for CMTSs that + implement the DOCSIS Baseline Privacy Interface Plus." + + MODULE -- docsBpi2MIB + -- unconditionally mandatory group + MANDATORY-GROUPS { + docsBpi2CmtsGroup + } + + -- unconditionally optional group + GROUP docsBpi2CodeDownloadGroup + DESCRIPTION + "This group is optional for CMTSes. The implementation + decision of this group is left to the vendor" + + -- constrain on mandatory range + + OBJECT docsBpi2CmtsDefaultAuthLifetime + SYNTAX Integer32 (86400..6048000) + DESCRIPTION + "The refined range corresponds to the minimum and + maximum values in operational networks." + + -- constrain on mandatory range + + OBJECT docsBpi2CmtsDefaultTEKLifetime + SYNTAX Integer32 (1800..604800) + DESCRIPTION + + + +Green, et al. Standards Track [Page 70] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "The refined range corresponds to the minimum and + maximum values in operational networks." + + -- constrain on mandatory range + + OBJECT docsBpi2CmtsAuthCmLifetime + SYNTAX Integer32 (86400..6048000) + DESCRIPTION + "The refined range corresponds to the minimum and + maximum values in operational networks." + + -- constrain on Encryption algorithms + + OBJECT docsBpi2CmtsTEKDataEncryptAlg + SYNTAX DocsBpkmDataEncryptAlg { + none(0), + des56CbcMode(1), + des40CbcMode(2) + } + DESCRIPTION + "It is compliant to only support des56CbcMode(1) + and des40CbcMode(2) for data encryption." + + -- constrain on Integrity algorithms + + OBJECT docsBpi2CmtsTEKDataAuthentAlg + SYNTAX DocsBpkmDataAuthentAlg { + none(0) + } + DESCRIPTION + "It is compliant to not support data message + authentication algorithms." + + -- constrain on mandatory range + + OBJECT docsBpi2CmtsTEKLifetime + SYNTAX Integer32 (1800..604800) + DESCRIPTION + "The refined range corresponds to the minimum and + maximum values in operational networks." + + -- constrain on access + -- constrain on IP Addressing + + OBJECT docsBpi2CmtsIpMulticastAddressType + SYNTAX InetAddressType { ipv4(1) } + MIN-ACCESS read-only + DESCRIPTION + + + +Green, et al. Standards Track [Page 71] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + "Write access is not required. + An implementation is only required to support IPv4 + addresses. Support for other address types may be defined + in future versions of this MIB module." + + OBJECT docsBpi2CmtsIpMulticastAddress + SYNTAX InetAddress (SIZE(4)) + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. + An implementation is only required to support IPv4 + addresses. Support for other address types may be defined + in future versions of this MIB module." + + OBJECT docsBpi2CmtsIpMulticastMask + SYNTAX InetAddress (SIZE(4)) + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. + An implementation is only required to support IPv4 + addresses. Support for other address types may be defined + in future versions of this MIB module." + + -- constrain on access + + OBJECT docsBpi2CmtsIpMulticastSAId + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT docsBpi2CmtsIpMulticastSAType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + -- constrain on access + -- constrain on Encryption algorithms + + OBJECT docsBpi2CmtsIpMulticastDataEncryptAlg + SYNTAX DocsBpkmDataEncryptAlg { + none(0), + des56CbcMode(1), + des40CbcMode(2) + } + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. + It is compliant to only support des56CbcMode(1) + + + +Green, et al. Standards Track [Page 72] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + and des40CbcMode(2) for data encryption" + + -- constrain on access + -- constrain on Integrity algorithms + + OBJECT docsBpi2CmtsIpMulticastDataAuthentAlg + SYNTAX DocsBpkmDataAuthentAlg { + none(0) + } + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. + It is compliant to not support data message + authentication algorithms." + + -- constrain on access + + OBJECT docsBpi2CmtsMulticastAuthControl + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + ::= { docsBpi2Compliances 2 } + + docsBpi2CmGroup OBJECT-GROUP + OBJECTS { + docsBpi2CmPrivacyEnable, + docsBpi2CmPublicKey, + docsBpi2CmAuthState, + docsBpi2CmAuthKeySequenceNumber, + docsBpi2CmAuthExpiresOld, + docsBpi2CmAuthExpiresNew, + docsBpi2CmAuthReset, + docsBpi2CmAuthGraceTime, + docsBpi2CmTEKGraceTime, + docsBpi2CmAuthWaitTimeout, + docsBpi2CmReauthWaitTimeout, + docsBpi2CmOpWaitTimeout, + docsBpi2CmRekeyWaitTimeout, + docsBpi2CmAuthRejectWaitTimeout, + docsBpi2CmSAMapWaitTimeout, + docsBpi2CmSAMapMaxRetries, + docsBpi2CmAuthentInfos, + docsBpi2CmAuthRequests, + docsBpi2CmAuthReplies, + docsBpi2CmAuthRejects, + docsBpi2CmAuthInvalids, + docsBpi2CmAuthRejectErrorCode, + + + +Green, et al. Standards Track [Page 73] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmAuthRejectErrorString, + docsBpi2CmAuthInvalidErrorCode, + docsBpi2CmAuthInvalidErrorString, + docsBpi2CmTEKSAType, + docsBpi2CmTEKDataEncryptAlg, + docsBpi2CmTEKDataAuthentAlg, + docsBpi2CmTEKState, + docsBpi2CmTEKKeySequenceNumber, + docsBpi2CmTEKExpiresOld, + docsBpi2CmTEKExpiresNew, + docsBpi2CmTEKKeyRequests, + docsBpi2CmTEKKeyReplies, + docsBpi2CmTEKKeyRejects, + docsBpi2CmTEKInvalids, + docsBpi2CmTEKAuthPends, + docsBpi2CmTEKKeyRejectErrorCode, + docsBpi2CmTEKKeyRejectErrorString, + docsBpi2CmTEKInvalidErrorCode, + docsBpi2CmTEKInvalidErrorString, + docsBpi2CmIpMulticastAddressType, + docsBpi2CmIpMulticastAddress, + docsBpi2CmIpMulticastSAId, + docsBpi2CmIpMulticastSAMapState, + docsBpi2CmIpMulticastSAMapRequests, + docsBpi2CmIpMulticastSAMapReplies, + docsBpi2CmIpMulticastSAMapRejects, + docsBpi2CmIpMulticastSAMapRejectErrorCode, + docsBpi2CmIpMulticastSAMapRejectErrorString, + docsBpi2CmDeviceCmCert, + docsBpi2CmDeviceManufCert, + docsBpi2CmCryptoSuiteDataEncryptAlg, + docsBpi2CmCryptoSuiteDataAuthentAlg + } + STATUS current + DESCRIPTION + "This collection of objects provides CM BPI+ status + and control." + ::= { docsBpi2Groups 1 } + + docsBpi2CmtsGroup OBJECT-GROUP + OBJECTS { + docsBpi2CmtsDefaultAuthLifetime, + docsBpi2CmtsDefaultTEKLifetime, + docsBpi2CmtsDefaultSelfSignedManufCertTrust, + docsBpi2CmtsCheckCertValidityPeriods, + docsBpi2CmtsAuthentInfos, + docsBpi2CmtsAuthRequests, + docsBpi2CmtsAuthReplies, + + + +Green, et al. Standards Track [Page 74] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmtsAuthRejects, + docsBpi2CmtsAuthInvalids, + docsBpi2CmtsSAMapRequests, + docsBpi2CmtsSAMapReplies, + docsBpi2CmtsSAMapRejects, + docsBpi2CmtsAuthCmBpiVersion, + docsBpi2CmtsAuthCmPublicKey, + docsBpi2CmtsAuthCmKeySequenceNumber, + docsBpi2CmtsAuthCmExpiresOld, + docsBpi2CmtsAuthCmExpiresNew, + docsBpi2CmtsAuthCmLifetime, + docsBpi2CmtsAuthCmReset, + docsBpi2CmtsAuthCmInfos, + docsBpi2CmtsAuthCmRequests, + docsBpi2CmtsAuthCmReplies, + docsBpi2CmtsAuthCmRejects, + docsBpi2CmtsAuthCmInvalids, + docsBpi2CmtsAuthRejectErrorCode, + docsBpi2CmtsAuthRejectErrorString, + docsBpi2CmtsAuthInvalidErrorCode, + docsBpi2CmtsAuthInvalidErrorString, + docsBpi2CmtsAuthPrimarySAId, + docsBpi2CmtsAuthBpkmCmCertValid, + docsBpi2CmtsAuthBpkmCmCert, + docsBpi2CmtsAuthCACertIndexPtr, + docsBpi2CmtsTEKSAType, + docsBpi2CmtsTEKDataEncryptAlg, + docsBpi2CmtsTEKDataAuthentAlg, + docsBpi2CmtsTEKLifetime, + docsBpi2CmtsTEKKeySequenceNumber, + docsBpi2CmtsTEKExpiresOld, + docsBpi2CmtsTEKExpiresNew, + docsBpi2CmtsTEKReset, + docsBpi2CmtsKeyRequests, + docsBpi2CmtsKeyReplies, + docsBpi2CmtsKeyRejects, + docsBpi2CmtsTEKInvalids, + docsBpi2CmtsKeyRejectErrorCode, + docsBpi2CmtsKeyRejectErrorString, + docsBpi2CmtsTEKInvalidErrorCode, + docsBpi2CmtsTEKInvalidErrorString, + docsBpi2CmtsIpMulticastAddressType, + docsBpi2CmtsIpMulticastAddress, + docsBpi2CmtsIpMulticastMask, + docsBpi2CmtsIpMulticastSAId, + docsBpi2CmtsIpMulticastSAType, + docsBpi2CmtsIpMulticastDataEncryptAlg, + docsBpi2CmtsIpMulticastDataAuthentAlg, + + + +Green, et al. Standards Track [Page 75] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmtsIpMulticastSAMapRequests, + docsBpi2CmtsIpMulticastSAMapReplies, + docsBpi2CmtsIpMulticastSAMapRejects, + docsBpi2CmtsIpMulticastSAMapRejectErrorCode, + docsBpi2CmtsIpMulticastSAMapRejectErrorString, + docsBpi2CmtsIpMulticastMapControl, + docsBpi2CmtsIpMulticastMapStorageType, + docsBpi2CmtsMulticastAuthControl, + docsBpi2CmtsProvisionedCmCertTrust, + docsBpi2CmtsProvisionedCmCertSource, + docsBpi2CmtsProvisionedCmCertStatus, + docsBpi2CmtsProvisionedCmCert, + docsBpi2CmtsCACertSubject, + docsBpi2CmtsCACertIssuer, + docsBpi2CmtsCACertSerialNumber, + docsBpi2CmtsCACertTrust, + docsBpi2CmtsCACertSource, + docsBpi2CmtsCACertStatus, + docsBpi2CmtsCACert, + docsBpi2CmtsCACertThumbprint + } + STATUS current + DESCRIPTION + "This collection of objects provides CMTS BPI+ status + and control." + ::= { docsBpi2Groups 2 } + + docsBpi2CodeDownloadGroup OBJECT-GROUP + OBJECTS { + docsBpi2CodeDownloadStatusCode, + docsBpi2CodeDownloadStatusString, + docsBpi2CodeMfgOrgName, + docsBpi2CodeMfgCodeAccessStart, + docsBpi2CodeMfgCvcAccessStart, + docsBpi2CodeCoSignerOrgName, + docsBpi2CodeCoSignerCodeAccessStart, + docsBpi2CodeCoSignerCvcAccessStart, + docsBpi2CodeCvcUpdate + } + STATUS current + DESCRIPTION + "This collection of objects provides authenticated + software download support." + ::= { docsBpi2Groups 3 } + + END + + + + + +Green, et al. Standards Track [Page 76] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + +4. Acknowledgements + + Kaz Ozawa: Authenticated Software Download objects and general + suggestions. + + Rich Woundy: BPI MIB and general MIB expertise. + + Mike St. Johns: BPI MIB and first version of BPI+ MIB. + + Bert Wijnen: Extensive comments in MIB syntax and accuracy. + + Thanks to Mike Sabin and Manson Wong for reviewing early BPI+ MIB + drafts and to Jean-Francois Mule for contributing to the last + versions. + +5. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder, + "Structure of Management Information Version 2 (SMIv2)", + STD 58, RFC 2578, April 1999. + + [RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder, + "Textual Conventions for SMIv2", STD 58, RFC 2579, April + 1999. + + [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, + "Conformance Statements for SMIv2", STD 58, RFC 2580, + April 1999. + + [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An + Architecture for Describing Simple Network Management + Protocol (SNMP) Management Frameworks", STD 62, RFC + 3411, December 2002. + + [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. + Schoenwaelder, "Textual Conventions for Internet Network + Addresses", RFC 4001, February 2005. + + [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group + MIB", RFC 2863, June 2000. + + + + + + + + +Green, et al. Standards Track [Page 77] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + [RFC2670] St. Johns, M., "Radio Frequency (RF) Interface + Management Information Base for MCNS/DOCSIS compliant RF + interfaces", RFC 2670, August 1999. + + [DOCSIS] "Data-Over-Cable Service Interface Specifications: + Baseline Privacy Plus Interface Specification SP-BPI+- + I11-040407", DOCSIS, April 2004, available at + http://www.cablemodem.com. + http://www.cablelabs.com/specifications/archives. + +6. Informative References + + [RFC3083] Woundy, R., "Baseline Privacy Interface Management + Information Base for DOCSIS Compliant Cable Modems and + Cable Modem Termination Systems", RFC 3083, March 2001. + + [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, + "Introduction and Applicability Statements for + Internet-Standard Management Framework", RFC 3410, + December 2002. + + [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6 + (IPv6) Addressing Architecture", RFC 3513, April 2003. + + [DOCSIS-1.0] "Data-Over-Cable Service Interface Specifications: + DOCSIS 1.0 Baseline Privacy Interface (BPI) ANSI/SCTE + 22-2 2202, Available at http://www.scte.org. + + [DOCSIS-1.1] "Data-Over-Cable Service Interface Specifications: + Operations Support System Interface Specification SP- + OSSIv1.1-I07-030730", DOCSIS 1.1 July 2003, available at + http://www.cablemodem.com. + http://www.cablelabs.com/specifications/archives. + + [DOCSIS-2.0] "Data-Over-Cable Service Interface Specifications: + Operations Support System Interface Specification SP- + OSSIv2.0-I05-040407", DOCSIS 2.0 April 2004, + http://www.cablemodem.com. + http://www.cablelabs.com/specifications/archives. + + [IANA] "Protocol Numbers and Assignment Services", IANA, + http://www.iana.org/assignments/ianaiftype-mib. + + + + + + + + + +Green, et al. Standards Track [Page 78] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + +7. Security Considerations + + There are a number of management objects defined in this MIB module + with a MAX-ACCESS clause of read-write and/or read-create. Such + objects may be considered sensitive or vulnerable in some network + environments. The support for SET operations in a non-secure + environment without proper protection can have a negative effect on + network operations. These are the tables and objects and their + sensitivity/vulnerability: + + - The following objects, if SNMP SET maliciously, could constitute + denial of service or theft of service attacks or compromise the + intended data privacy of users: + + Objects related to the Baseline Privacy Key Management (BPKM) + + docsBpi2CmAuthReset, + docsBpi2CmtsAuthCmReset, + docsBpi2CmtsTEKReset: + These objects are used for initiating a re-key process. A + malicious massive SET attack may cause CMTS processing + overload and may compromise the service. + + docsBpi2CmtsDefaultAuthLifetime, + docsBpi2CmtsDefaultTEKLifetime, + docsBpi2CmtsAuthCmLifetime, + docsBpi2CmtsTEKLifetime: + To minimize the risk of malicious or unintended short periods + of time when key updates may lead to degradation or denial of + service, implementers are encouraged to follow these objects' + range constraints, as defined in the docsBpi2CmtsCompliance + MODULE-COMPLIANCE clause for operational deployments. + + docsBpi2CmtsDefaultSelfSignedManufCertTrust: + A malicious SET in a self-signed certificate as reject + message, which may constitute denial of service. This object + is designed for testing purposes; therefore, it is not + RECOMMENDED for use in commercial deployments [DOCSIS]. + Administrators can make use of View-based Access Control + (VACM) introduced in section 7.9 of [RFC3410] to restrict + write access to this object. + + docsBpi2CmtsCheckCertValidityPeriods: + A malicious SET in this object that enables the period + validity and a wrong clock time in the CMTS could cause denial + of service, as CM authorization requests will be rejected. + + + + + +Green, et al. Standards Track [Page 79] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + For more details in the validation of CM certificates, refer to + section 9 of [DOCSIS] . + + Objects related to the CM only: + + Objects in docsBpi2CmDeviceCertTable + + docsBpi2CmDeviceCmCert: + This object is not harmful, considering that a CM received a + Certificate during the manufacturing process. Therefore, the + object access becomes read-only. See the object DESCRIPTION + clause in section 3 for details. + + Objects for Secure Software Download in table + docsBpi2CodeDownloadControl: + + docsBpi2CodeCvcUpdate: + A malicious SET on this object may not constitute a risk, + since the CM holds the DOCSIS root key to verify the CVC + authenticity. The operator, if configured, could receive a + notification for event occurrences, which may lead to + detecting the source of the attack. Moreover, [DOCSIS] + recommends that CMs CVC be regularly updated to minimize the + risk of potential code-signing keys being compromised (e.g., + by configuration file). + + Objects related to the CMTS only: + + Objects in docsBpi2CmtsProvisionedCmCertTable and + docsBpi2CmtsCACertTable containing CM Certificates and Certificate + Authority information, respectively: + + docsBpi2CmtsProvisionedCmCertTrust, + docsBpi2CmtsProvisionedCmCertStatus, + docsBpi2CmtsProvisionedCmCert, + docsBpi2CmtsCACertStatus, + docsBpi2CmtsCACert: + A malicious SET on these objects may constitute a denial of + service attack that will be experienced after the CMs perform + authorization requests. It does not affect CMs in the + authorized state. + + Objects in multicast tables docsBpi2CmtsIpMulticastMapTable and + docsBpi2CmtsMulticastAuthTable: + + docsBpi2CmtsIpMulticastAddressType, + docsBpi2CmtsIpMulticastAddress, + docsBpi2CmtsIpMulticastMaskType, + + + +Green, et al. Standards Track [Page 80] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + docsBpi2CmtsIpMulticastMask, + docsBpi2CmtsIpMulticastSAId, + docsBpi2CmtsIpMulticastSAType: + Malicious SET on these objects may cause misconfiguration, + causing interruption of the users' active multicast + applications. + + docsBpi2CmtsIpMulticastDataEncryptAlg, + docsBpi2CmtsIpMulticastDataAuthentAlg: + Malicious SETs on these objects may create service + misconfiguration, causing service interruption or theft of + service if encryption algorithms are removed for the multicast + groups. + + docsBpi2CmtsIpMulticastMapControl, + docsBpi2CmtsMulticastAuthControl: + Malicious SETs on these objects may remove and/or disable + customers and/or multicast groups, causing service disruption. + This may also constitute theft of service by authorizing non- + subscribed users to multicast groups or by adding other + multicast groups in the forward path. + + Some of the readable objects in this MIB module (i.e., objects with a + MAX-ACCESS other than not-accessible) may be considered sensitive or + vulnerable in some network environments. It is thus important to + control even GET and/or NOTIFY access to these objects and possibly + to even encrypt the values of these objects when sending them over + the network via SNMP. These are the tables and objects and their + sensitivity/vulnerability: + + Objects in docsBpi2CmBaseTable, docsBpi2CmTEKTable, + docsBpi2CmtsBaseTable, docsBpi2CmtsAuthTable, + docsBpi2CmtsTEKTable, docsBpi2CmtsProvisionedCmCertTable, and + docsBpi2CmtsCACertTable: + If this information is accessible, attackers may use it to + distinguish users configured to work without data encryption + (e.g., docsBpi2CmPrivacyEnable) and to know current Baseline + Privacy parameters in the network. + + Objects in docsBpi2CmIpMulticastMapTable and + docsBpi2CmtsMulticastAuthTable: + In addition to the vulnerabilities around BPI plus multicast + objects described in the previous part, the read-only objects + of this table may help attackers monitor the status of the + intrusion. + + + + + + +Green, et al. Standards Track [Page 81] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Objects in docsBpi2CodeDownloadControl: + In addition to the vulnerability of the read-write object + docsBpi2CodeCvcUpdate, attackers may be able to monitor the + status of a denial of service using Secure Software Download. + + SNMP versions prior to SNMPv3 did not include adequate security. + Even if the network itself is secure (for example by using IPSec), + even then, there is no control as to who on the secure network is + allowed to access and GET/SET (read/change/create/delete) the objects + in this MIB module. + + It is RECOMMENDED that implementers consider the security features as + provided by the SNMPv3 framework (see [RFC3410], section 8), + including full support for the SNMPv3 cryptographic mechanisms (for + authentication and privacy). + + Further, deployment of SNMP versions prior to SNMPv3 is NOT + RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to + enable cryptographic security. It is then a customer/operator + responsibility to ensure that the SNMP entity giving access to an + instance of this MIB module is properly configured to give access to + the objects only to those principals (users) that have legitimate + rights to indeed GET or SET (change/create/delete) them. + + BPI+ Encryption Algorithms: + + The BPI+ Traffic Encryption Keys (TEK) defined in the DOCSIS BPI+ + specification [DOCSIS] use 40-bit or 56-bit DES for encryption (DES + CBC mode). Currently, there is no mechanism or algorithm defined for + data integrity. + + Due to the DES cryptographic weaknesses, future revisions of the + DOCSIS BPI+ specification should introduce more advanced encryption + algorithms, as proposed in the DocsBpkmDataEncryptAlg textual + convention, to overcome the progress in cheaper and faster hardware + or software decryption tools. Future revisions of the DOCSIS BPI+ + specification [DOCSIS] should also adopt authentication algorithms, + as described in the DocsBpkmDataAuthentAlg textual convention. + + It is important to note that frequent key changes do not necessarily + help in mitigating or reducing the risks of a DES attack. Indeed, + the traffic encryption keys, which are configured on a per cable + modem basis and per BPI+ multicast group, can be utilized to decrypt + old traffic, even when they are no longer in active use. + + + + + + + +Green, et al. Standards Track [Page 82] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + + Note that, not exempt to the same recommendations above, the CM BPI+ + authorization protocol uses triple DES encryption, which offers + improved robustness in comparison to DES for CM authorization and TEK + re-key management. + +8. IANA Considerations + + The MIB module in this document uses the following IANA-assigned + OBJECT IDENTIFIER value, recorded in the SMI Numbers registry: + + Descriptor OBJECT IDENTIFIER Value + ---------- ----------------------- + docsBpi2MIB { mib-2 126 } + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Green, et al. Standards Track [Page 83] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + +Authors' Addresses + + Stuart M. Green + + EMail: rubbersoul3@yahoo.com + + + Kaz Ozawa + Automotive Systems Development Center + TOSHIBA CORPORATION + 1-1, Shibaura 1-Chome + Minato-ku, Tokyo 105-8001 + Japan + + Phone: +81-3-3457-8569 + Fax: +81-3-5444-9325 + EMail: Kazuyoshi.Ozawa@toshiba.co.jp + + + Alexander Katsnelson + + Phone: +1-303-680-3924 + EMail: katsnelson6@peoplepc.com + + + Eduardo Cardona + Cable Television Laboratories, Inc. + 858 Coal Creek Circle + Louisville, CO 80027- 9750 + U.S.A. + + Phone: +1 303 661 9100 + EMail: e.cardona@cablelabs.com + + + + + + + + + + + + + + + + + + +Green, et al. Standards Track [Page 84] + +RFC 4131 DOCSIS BPI Plus MIB September 2005 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2005). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Green, et al. Standards Track [Page 85] + |