Diffstat (limited to 'doc/rfc/rfc4682.txt')
-rw-r--r-- | doc/rfc/rfc4682.txt | 3363 |
1 files changed, 3363 insertions, 0 deletions
diff --git a/doc/rfc/rfc4682.txt b/doc/rfc/rfc4682.txt new file mode 100644 index 0000000..285deeb --- /dev/null +++ b/doc/rfc/rfc4682.txt 
@@ -0,0 +1,3363 @@ + + + + + + +Network Working Group E. Nechamkin +Request for Comments: 4682 Broadcom Corp. +Category: Standards Track J-F. Mule + CableLabs + December 2006 + + + Multimedia Terminal Adapter (MTA) Management Information Base + for PacketCable- and IPCablecom-Compliant Devices + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The IETF Trust (2006). + +Abstract + + This memo defines a portion of the Management Information Base (MIB) + for use with network management protocols in the Internet community. + In particular, it defines a basic set of managed objects for Simple + Network Management Protocol (SNMP)-based management of PacketCable- + and IPCablecom-compliant Multimedia Terminal Adapter devices. + +Table of Contents + + 1. The Internet-Standard Management Framework ......................2 + 2. Terminology .....................................................2 + 3. Introduction ....................................................4 + 3.1. Structure of the MTA MIB ...................................5 + 3.2. pktcMtaDevBase .............................................5 + 3.3. pktcMtaDevServer ...........................................6 + 3.4. pktcMtaDevSecurity .........................................6 + 3.5. Relationship between MIB Objects in the MTA MIB ............7 + 3.6. Secure Software Download ...................................8 + 3.7. X.509 Certificates Dependencies ............................8 + 4. Definitions .....................................................9 + 5. Acknowledgements ...............................................52 + 6. 
Security Considerations ........................................52 + 7. IANA Considerations ............................................55 + 8. Normative References ...........................................55 + 9. Informative References .........................................57 + + + +Nechamkin & Mule Standards Track [Page 1] + +RFC 4682 IPCDN MTA MIB December 2006 + + +1. The Internet-Standard Management Framework + + For a detailed overview of the documents that describe the current + Internet-Standard Management Framework, please refer to section 7 of + RFC 3410 [RFC3410]. + + Managed objects are accessed via a virtual information store, termed + the Management Information Base or MIB. MIB objects are generally + accessed through the Simple Network Management Protocol (SNMP). + Objects in the MIB are defined using the mechanisms defined in the + Structure of Management Information (SMI). This memo specifies a MIB + module that is compliant to the SMIv2, which is described in STD 58, + RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 + [RFC2580]. + +2. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL", when used in the guidelines in this memo, are to be + interpreted as described in RFC 2119 [RFC2119]. + + The terms "MIB module" and "information module" are used + interchangeably in this memo. As used here, both terms refer to any + of the three types of information modules defined in Section 3 of RFC + 2578 [RFC2578]. + + Some of the terms used in this memo are defined below. Some + additional terms are also defined in the PacketCable MTA Device + Provisioning Specification [PKT-SP-PROV] and the PacketCable Security + Specification [PKT-SP-SEC]. 
+ + DOCSIS + The CableLabs(R) Certified(TM) Cable Modem project, also known as + DOCSIS(R) (Data over Cable Service Interface Specification), defines + interface requirements for cable modems involved in high-speed data + distribution over cable television system networks. DOCSIS also + refers to the ITU-T J.112 recommendation, Annex B, for cable modem + systems [ITU-T-J112]. + + Cable Modem + A Cable Modem (CM) acts as a data transport agent used to transfer + call management and voice data packets over a DOCSIS-compliant cable + system. + + Multimedia Terminal Adapter + A Multimedia Terminal Adapter (MTA) is a PacketCable- or IPCablecom- + compliant device providing telephony services over a cable or hybrid + + + +Nechamkin & Mule Standards Track [Page 2] + +RFC 4682 IPCDN MTA MIB December 2006 + + + system used to deliver video signals to a community. It contains an + interface to endpoints, a network interface, CODECs, and all + signaling and encapsulation functions required for Voice over IP + transport, call signaling, and Quality of Service signaling. An MTA + can be an embedded or a standalone device. An Embedded MTA (E-MTA) + is an MTA device containing an embedded DOCSIS Cable Modem. A + Standalone MTA (S-MTA) is an MTA device separated from the DOCSIS + cable modem by non-DOCSIS Message Access Control (MAC) interface + (e.g., Ethernet, USB). + + Endpoint + An endpoint or MTA endpoint is a standard RJ-11 telephony physical + port located on the MTA and used for attaching the telephone device + to the MTA. + + X.509 Certificate + A X.509 certificate is an Internet X.509 Public Key Infrastructure + certificate developed as part of the ITU-T X.500 Directory + recommendations. It is defined in RFC 3280 [RFC3280] and RFC 4630 + [RFC4630]. + + Voice over IP + Voice over IP (VoIP) is a technology providing the means to transfer + digitized packets with voice information over IP networks. 
+ + Public Key Certificate + A Public Key Certificate (also known as a Digital Certificate) is a + binding between an entity's public key and one or more attributes + relating to its identity. + + DHCP + The Dynamic Host Configuration Protocol (DHCP) is defined by RFC 2131 + [RFC2131]. In addition, commonly used DHCP options are defined in + RFC 2132 [RFC2132]. Additional DHCP options used by PacketCable and + IPCablecom MTAs can be found in the CableLabs Client Configuration + DHCP specifications, RFC 3495 [RFC3495] and RFC 3594 [RFC3594]. + + TFTP + The Trivial File Transfer Protocol (TFTP) is defined by RFC 1350 + [RFC1350]. + + HTTP + The Hypertext Transfer Protocol (HTTP/1.1) is defined by RFC 2616 + [RFC2616]. + + Call Management Server + A Call Management Server (CMS) is an element of the PacketCable + network infrastructure that controls audio connections between MTAs. + + + +Nechamkin & Mule Standards Track [Page 3] + +RFC 4682 IPCDN MTA MIB December 2006 + + + CODEC, COder-DECoder + A Coder-DECoder is a hardware or software component used in + audio/video systems to convert an analog signal to digital, and then + (possibly) to compress it so that lower bandwidth telecommunications + channels can be used. The signal is decompressed and converted + (decoded) back to analog output by a compatible CODEC at the + receiving end. + + Operations Systems Support + An Operations Systems Support system (OSS) is a system of back office + software components used for fault, configuration, accounting, + performance, and security management working in interaction with each + other and providing the operations support in deployed PacketCable + systems. 
+ + Key Distribution Center + A Key Distribution Center (KDC) is an element of the OSS systems + functioning as a Kerberos Security Server, providing mutual + authentication of the various components of the PacketCable system + (e.g., mutual authentication between an MTA and a CMS, or between an + MTA and the Provisioning Server). + + Security Association + A Security Association (SA) is a one-way relationship between a + sender and a receiver offering security services on the communication + flow. + +3. Introduction + + This MIB module provides a set of objects required for the management + of PacketCable, ETSI, and ITU-T IPCablecom compliant MTA devices. + The MTA MIB module is intended to supersede various MTA MIB modules + from which it is partly derived: + + - The PacketCable 1.0 MTA MIB Specification [PKT-SP-MIB-MTA]. + + - The ITU-T IPCablecom MTA MIB requirements [ITU-T-J168]. + + - The ETSI MTA MIB [ETSITS101909-8]. The ETSI MTA MIB requirements + also refer to various signal characteristics defined in + [EN300001], Chapter 3, titled 'Ringing Signal Characteristics', + and [EN300659-1]. + + Several normative and informative references are used to help define + MTA MIB objects. As a convention, wherever PacketCable and + IPCablecom requirements are equivalent, the PacketCable reference is + used in the object REFERENCE clause. IPCablecom-compliant MTA + devices MUST use the equivalent IPCablecom references. + + + +Nechamkin & Mule Standards Track [Page 4] + +RFC 4682 IPCDN MTA MIB December 2006 + + +3.1. Structure of the MTA MIB + + The MTA MIB module is identified by pktcIetfMtaMib and is structured + in three object groups: + + - pktcMtaDevBase defines the management information pertinent to the + MTA device itself. + + - pktcMtaDevServer defines the management information pertinent to + the provisioning back office servers. + + - pktcMtaDevSecurity defines the management information pertinent to + the PacketCable and IPCablecom security mechanisms. 
+ + The first two object groups, pktcMtaDevBase and pktcMtaDevServer, + contain only scalar information objects describing the corresponding + characteristics of the MTA device and back office servers. + + The third group, pktcMtaDevSecurity, contains two tables controlling + the logical associations between KDC realms and Application Servers + (CMS and Provisioning Server). The rows in the various tables of the + MTA MIB module can be created automatically (e.g., by the device + according to the current state information), or they can be created + by the management station, depending on the operational situation. + The tables defined in the MTA MIB module may have a mixture of both + types of rows. + +3.2. pktcMtaDevBase + + This object group contains the management information related to the + MTA device itself. It also contains some objects used to control the + MTA state. Some highlights are as follows: + + - pktcMtaDevSerialNumber. This object contains the MTA Serial + Number. + + - pktcMtaDevEndPntCount. This object contains the number of + endpoints present in the managed MTA. + + - pktcMtaDevProvisioningState. This object contains the information + describing the completion state of the MTA initialization process. + + - pktcMtaDevEnabled. This object controls the administrative state + of the MTA endpoints and allows operators to enable or disable + telephony services on the device. + + - pktcMtaDevResetNow. This object is used to instruct the MTA to + reset. + + + +Nechamkin & Mule Standards Track [Page 5] + +RFC 4682 IPCDN MTA MIB December 2006 + + +3.3. pktcMtaDevServer + + This object group contains the management information describing the + back office servers and the parameters related to the communication + timers. It also includes some objects controlling the initial MTA + interaction with the Provisioning Server. + + Some highlights are as follows: + + - pktcMtaDevServerDhcp1. 
This object contains the IP address of the + primary DHCP server designated for the MTA provisioning. + + - pktcMtaDevServerDhcp2. This object contains the IP address of the + secondary DHCP server designated for the MTA provisioning. + + - pktcMtaDevServerDns1. This object contains the IP address of the + primary DNS used by the managed MTA to resolve the Fully Qualified + Domain Name (FQDN) and IP addresses. + + - pktcMtaDevServerDns2. This object contains the IP address of the + secondary DNS used by the managed MTA to resolve the FQDN and IP + addresses. + + - pktcMtaDevConfigFile. This object contains the name of the + provisioning configuration file the managed MTA must download from + the Provisioning Server. + + - pktcMtaDevProvConfigHash. This object contains the hash value of + the MTA configuration file calculated over its content. When the + managed MTA downloads the file, it authenticates the configuration + file using the hash value provided in this object. + +3.4. pktcMtaDevSecurity + + This object group contains the management information describing the + security-related characteristics of the managed MTA. It contains two + tables describing logical dependencies and parameters necessary to + establish Security Associations between the MTA and other Application + Servers (back office components and CMSes). The CMS table + (pktcMtaDevCmsTable) and the realm table (pktcMtaDevRealmTable) are + used for managing the MTA signaling security. The realm table + defines the CMS domains. The CMS table defines the CMS within the + domains. Each MTA endpoint is associated with one CMS at any given + time. + + + + + + + +Nechamkin & Mule Standards Track [Page 6] + +RFC 4682 IPCDN MTA MIB December 2006 + + + The two tables in this object group are as follows: + + - pktcMtaDevRealmTable. This table is used in conjunction with any + Application Server that communicates securely with the managed MTA + (CMS or Provisioning Server). + + - pktcMtaDevCmsTable. 
This table contains the parameters describing + the SA establishment between the MTA and CMSes. + +3.5. Relationship between MIB Objects in the MTA MIB + + This section clarifies the relationship between various MTA MIB + objects with respect to the role they play in the process of + establishing Security Associations. + + The process of Security Association establishment between an MTA and + Application Servers is described in the PacketCable Security + Specification [PKT-SP-SEC]. In particular, an MTA communicates with + 2 types of back office Application Servers: Call Management Servers + and Provisioning Servers. + + The SA establishment process consists of two steps: + + a. Authentication Server Exchange (AS-exchange). This step provides + mutual authentication between the parties; i.e., between an MTA + and an Authentication Server. The process of AS-exchange is + defined by a number of parameters grouped per each realm. These + parameters are gathered in the Realm Table (pktcMtaDevRealmTable). + The Realm Table is indexed by the Index Counter and contains + conceptual column with the Kerberos realm name. + + b. Application server exchange (AP-exchange). This step allows for + the establishment of Security Associations between authenticated + parties. The CMS table (pktcMtaDevCmsTable) contains the + parameters for the AP-exchange process between an MTA and a CMS. + The CMS table is indexed by the Index Counter and contains the CMS + FQDN (the conceptual column pktcMtaDevCmsFqdn). Each row contains + the Kerberos realm name associated with each CMS FQDN. This + allows for each CMS to exist in a different Kerberos realm. + + The MTA MIB module also contains a group of scalar MIB objects in the + server group (pktcMtaDevServer). These objects define various + parameters for the AP-exchange process between an MTA and the + Provisioning Server. 
These objects are: + + - pktcMtaDevProvUnsolicitedKeyMaxTimeout, + + - pktcMtaDevProvUnsolicitedKeyNomTimeout, + + + +Nechamkin & Mule Standards Track [Page 7] + +RFC 4682 IPCDN MTA MIB December 2006 + + + - pktcMtaDevProvUnsolicitedKeyMaxRetries, and + + - pktcMtaDevProvSolicitedKeyTimeout. + +3.6. Secure Software Download + + E-MTAs are embedded with DOCSIS 1.1 cable modems. E-MTAs have their + software upgraded by the Cable Modem according to the DOCSIS + requirements. + + Although E-MTAs have their software upgraded by the Cable Modem + according to the DOCSIS requirements, S-MTAs implement a specific + mechanism for Secure Software Download. This provides a means to + verify the code upgrade using Code Verification Certificates and is + modeled after the DOCSIS mechanism implemented in Cable Modems. This + is the reason why the MTA MIB and the S-MTA compliance modules also + rely on two MIB object groups: + + - docsBpi2CodeDownloadGroup, defined in the IETF BPI Plus MIB module + (DOCS-IETF-BPI2-MIB [RFC4131]). + + - docsDevSoftwareGroupV2, defined in the IETF Cable Devicev2 MIB + module (DOCS-CABLE-DEVICE-MIB [RFC4639]). + +3.7. X.509 Certificates Dependencies + + As specified in the PacketCable Security Specification [PKT-SP-SEC], + E-MTAs must use the authentication mechanism based on the X.509 + Public Key Infrastructure Certificates, as defined in RFC 3280 + [RFC3280] and RFC 4630 [RFC4630]. + + The value of the pktcMtaDevRealmOrgName MIB object should contain the + X.509 organization name attribute of the Telephony Service Provider + certificate (OrganizationName). X.509 attributes are defined using + UTF-8 string encoding [RFC3629, RFC3280, and RFC4630]. + + Note that UTF-8 encoded characters can be encoded as sequences of 1 + to 6 octets, assuming that code points as high as 0x7ffffffff might + be used ([RFC3629]). Subsequent versions of Unicode and ISO 10646 + have limited the upper bound to 0x10ffff ([RFC3629]). 
Consequently, + the current version of UTF-8, defined in RFC 3629, does not require + more than four octets to encode a valid code point. + + + + + + + + + +Nechamkin & Mule Standards Track [Page 8] + +RFC 4682 IPCDN MTA MIB December 2006 + + +4. Definitions + + The MIB module below makes references and citations to [RFC868], + [RFC3280], [RFC4630], and [RFC3617]. + + PKTC-IETF-MTA-MIB DEFINITIONS ::= BEGIN + + IMPORTS + MODULE-IDENTITY, + OBJECT-TYPE, + OBJECT-IDENTITY, + Unsigned32, + Counter32, + NOTIFICATION-TYPE, + mib-2 + FROM SNMPv2-SMI -- [RFC2578] + TEXTUAL-CONVENTION, + RowStatus, + TruthValue + FROM SNMPv2-TC -- [RFC2579] + OBJECT-GROUP, + MODULE-COMPLIANCE, + NOTIFICATION-GROUP + FROM SNMPv2-CONF -- [RFC2580] + InetAddressType, + InetAddress + FROM INET-ADDRESS-MIB -- [RFC4001] + sysDescr + FROM SNMPv2-MIB -- [RFC3418] + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB -- [RFC3411] + docsDevSoftwareGroupV2 + FROM DOCS-CABLE-DEVICE-MIB -- [RFC4639] + DocsX509ASN1DEREncodedCertificate, + docsBpi2CodeDownloadGroup + FROM DOCS-IETF-BPI2-MIB -- [RFC4131] + LongUtf8String + FROM SYSAPPL-MIB -- [RFC2287] + ifPhysAddress + FROM IF-MIB; -- [RFC2863] + + pktcIetfMtaMib MODULE-IDENTITY + LAST-UPDATED "200609180000Z" -- September 18, 2006 + ORGANIZATION "IETF IP over Cable Data Network Working Group" + CONTACT-INFO + "Eugene Nechamkin + Broadcom Corporation, + 200-13711 International Place, + + + +Nechamkin & Mule Standards Track [Page 9] + +RFC 4682 IPCDN MTA MIB December 2006 + + + Richmond, BC, V6V 2Z8 + CANADA + Phone: +1 604 233 8500 + Email: enechamkin@broadcom.com + + Jean-Francois Mule + Cable Television Laboratories, Inc. + 858 Coal Creek Circle + Louisville, CO 80027-9750 + U.S.A. 
+ Phone: +1 303 661 9100 + Email: jf.mule@cablelabs.com + + IETF IPCDN Working Group + General Discussion: ipcdn@ietf.org + Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn + Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn + Co-Chair: Jean-Francois Mule, jf.mule@cablelabs.com + Co-Chair: Richard Woundy, Richard_Woundy@cable.comcast.com" + + DESCRIPTION + "This MIB module defines the basic management object + for the Multimedia Terminal Adapter devices compliant + with PacketCable and IPCablecom requirements. + + Copyright (C) The IETF Trust (2006). This version of + this MIB module is part of RFC 4682; see the RFC itself for + full legal notices." + + REVISION "200609180000Z" -- September 18, 2006 + + DESCRIPTION + "Initial version, published as RFC 4682." + + ::= { mib-2 140 } + + -- Textual Conventions + + PktcMtaDevProvEncryptAlg ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + " This textual convention defines various types of the + encryption algorithms used for the encryption of the MTA + configuration file. The description of the encryption + algorithm for each enumerated value is as follows: + + 'none(0)' no encryption is used, + 'des64CbcMode(1)' DES 64-bit key in CBC mode, + + + +Nechamkin & Mule Standards Track [Page 10] + +RFC 4682 IPCDN MTA MIB December 2006 + + + 't3Des192CbcMode(2)' 3DES 192-bit key in CBC mode, + 'aes128CbcMode(3)' AES 128-bit key in CBC mode, + 'aes256CbcMode(4)' AES 256-bit key in CBC mode." + SYNTAX INTEGER { + none (0), + des64CbcMode (1), + t3Des192CbcMode (2), + aes128CbcMode (3), + aes256CbcMode (4) + } + + --================================================================= + -- The MTA MIB module only supports a single Provisioning Server. 
+ --================================================================= + + pktcMtaNotification OBJECT IDENTIFIER ::= { pktcIetfMtaMib 0 } + pktcMtaMibObjects OBJECT IDENTIFIER ::= { pktcIetfMtaMib 1 } + pktcMtaDevBase OBJECT IDENTIFIER ::= { pktcMtaMibObjects 1 } + pktcMtaDevServer OBJECT IDENTIFIER ::= { pktcMtaMibObjects 2 } + pktcMtaDevSecurity OBJECT IDENTIFIER ::= { pktcMtaMibObjects 3 } + pktcMtaDevErrors OBJECT IDENTIFIER ::= { pktcMtaMibObjects 4 } + pktcMtaConformance OBJECT IDENTIFIER ::= { pktcIetfMtaMib 2 } + + -- + -- The following pktcMtaDevBase group describes the base MTA objects + -- + + pktcMtaDevResetNow OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object controls the MTA software reset. + Reading this object always returns 'false'. Setting this + object to 'true' causes the device to reset immediately + and the following actions to occur: + 1. All connections (if present) are flushed locally. + 2. All current actions such as ringing immediately + terminate. + 3. Requests for signaling notifications, such as + notification based on digit map recognition, are + flushed. + 4. All endpoints are disabled. + 5. The provisioning flow is started at step MTA-1. + If a value is written into an instance of + pktcMtaDevResetNow, the agent MUST NOT retain the supplied + value across MTA re-initializations or reboots." + REFERENCE + + + +Nechamkin & Mule Standards Track [Page 11] + +RFC 4682 IPCDN MTA MIB December 2006 + + + " PacketCable MTA Device Provisioning Specification." + ::= { pktcMtaDevBase 1 } + + pktcMtaDevSerialNumber OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object specifies the manufacturer's serial + number of this MTA. The value of this object MUST be + identical to the value specified in DHCP option 43, + sub-option 4. The list of sub-options for DHCP option + 43 are defined in the PacketCable MTA Device + Provisioning Specification." 
+ REFERENCE + " PacketCable MTA Device Provisioning Specification." + ::= { pktcMtaDevBase 2 } + + pktcMtaDevSwCurrentVers OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object identifies the software version currently + operating in the MTA. + The MTA MUST return a string descriptive of the current + software load. This object should use the syntax + defined by the individual vendor to identify the software + version. The data presented in this object MUST be + identical to the software version information contained + in the 'sysDescr' MIB object of the MTA. The value of + this object MUST be identical to the value specified in + DHCP option 43, sub-option 6. The list of sub-options for + DHCP option 43 are defined in the PacketCable MTA Device + Provisioning Specification." + REFERENCE + " PacketCable MTA Device Provisioning Specification." + + ::= { pktcMtaDevBase 3 } + + pktcMtaDevFQDN OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the Fully Qualified Domain Name for + this MTA. The MTA FQDN is used to uniquely identify the + device to the PacketCable back office elements." + + + +Nechamkin & Mule Standards Track [Page 12] + +RFC 4682 IPCDN MTA MIB December 2006 + + + ::= { pktcMtaDevBase 4 } + + pktcMtaDevEndPntCount OBJECT-TYPE + SYNTAX Unsigned32 (1..255) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the number of physical endpoints for + this MTA." + ::= { pktcMtaDevBase 5 } + + pktcMtaDevEnabled OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object contains the MTA Admin Status of this device. + If this object is set to 'true', the MTA is + administratively enabled, and the MTA MUST be able to + interact with the PacketCable entities, such as CMS, + Provisioning Server, KDC, and other MTAs and MGs on all + PacketCable interfaces. 
+ If this object is set to 'false', the MTA is + administratively disabled, and the MTA MUST perform the + following actions for all endpoints: + - Shut down all media sessions, if present. + - Shut down Network Control Signaling (NCS) + signaling by following the Restart in + Progress procedures in the PacketCable NCS + specification. + The MTA must execute all actions required to + enable or disable the telephony services for all + endpoints immediately upon receipt of an SNMP SET + operation. + + Additionally, the MTA MUST maintain the SNMP Interface + for management and also the SNMP Key management interface. + Also, the MTA MUST NOT continue Kerberized key management + with CMSes until this object is set to 'true'. + Note: MTAs MUST renew the CMS Kerberos tickets according + to the PacketCable Security or IPCablecom Specification. + If a value is written into an instance of + pktcMtaDevEnabled, the agent MUST NOT retain the supplied + value across MTA re-initializations or reboots." + REFERENCE + " PacketCable MTA Device Provisioning Specification; + PacketCable Security Specification; + PacketCable Network-Based Call Signaling Protocol + + + +Nechamkin & Mule Standards Track [Page 13] + +RFC 4682 IPCDN MTA MIB December 2006 + + + Specification." + ::= { pktcMtaDevBase 6 } + + pktcMtaDevTypeIdentifier OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object provides the MTA device type identifier. The + value of this object must be a copy of the DHCP option 60 + value exchanged between the MTA and the DHCP server. The + DHCP option 60 value contains an ASCII-encoded string + identifying capabilities of the MTA as defined in the + PacketCable MTA Device Provisioning Specification." + REFERENCE + " RFC 2132, DHCP Options and BOOTP Vendor Extensions; + PacketCable MTA Device Provisioning Specification." 
+ ::= { pktcMtaDevBase 7 } + + pktcMtaDevProvisioningState OBJECT-TYPE + SYNTAX INTEGER { + pass (1), + inProgress (2), + failConfigFileError (3), + passWithWarnings (4), + passWithIncompleteParsing (5), + failureInternalError (6), + failureOtherReason (7) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object indicates the completion state of the MTA + device provisioning process. + + pass: + If the configuration file could be parsed successfully + and the MTA is able to reflect the same in its + MIB, the MTA MUST return the value 'pass'. + + inProgress: + If the MTA is in the process of being provisioned, + the MTA MUST return the value 'inProgress'. + + failConfigFileError: + If the configuration file was in error due to incorrect + values in the mandatory parameters, the MTA MUST reject + the configuration file, and the MTA MUST return the value + + + +Nechamkin & Mule Standards Track [Page 14] + +RFC 4682 IPCDN MTA MIB December 2006 + + + 'failConfigFileError'. + + passWithWarnings: + If the configuration file had proper values for all the + mandatory parameters but has errors in any of the optional + parameters (this includes any vendor-specific Object + Identifiers (OIDs) that are incorrect or not known + to the MTA), the MTA MUST return the value + 'passWithWarnings'. + + passWithIncompleteParsing: + If the configuration file is valid but the MTA cannot + reflect the same in its configuration (for example, too + many entries caused memory exhaustion), it must accept + the CMS configuration entries related, and the MTA MUST + return the value 'passWithIncompleteParsing'. + + failureInternalError: + If the configuration file cannot be parsed due to an + Internal error, the MTA MUST return the value + 'failureInternalError'. + + failureOtherReason: + If the MTA cannot accept the configuration file for any + other reason than the ones stated above, the MTA MUST + return the value 'failureOtherReason'. 
+ + When a final SNMP INFORM is sent as part of Step 25 of the + MTA Provisioning process, this parameter is also included + in the final INFORM message." + REFERENCE + " PacketCable MTA Device Provisioning Specification." + ::= { pktcMtaDevBase 8 } + + pktcMtaDevHttpAccess OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object indicates whether the HTTP protocol is + supported for the MTA configuration file transfer." + ::= { pktcMtaDevBase 9 } + + pktcMtaDevProvisioningTimer OBJECT-TYPE + SYNTAX Unsigned32 (0..30) + UNITS "minutes" + MAX-ACCESS read-write + STATUS current + + + +Nechamkin & Mule Standards Track [Page 15] + +RFC 4682 IPCDN MTA MIB December 2006 + + + DESCRIPTION + " This object defines the time interval for the provisioning + flow to complete. The MTA MUST finish all provisioning + operations starting from the moment when an MTA receives + its DHCP ACK and ending at the moment when the MTA + downloads its configuration file (e.g., MTA5 to MTA23) + within the period of time set by this object. + Failure to comply with this condition constitutes + a provisioning flow failure. If the object is set to 0, + the MTA MUST ignore the provisioning timer condition. + If a value is written into an instance of + pktcMtaDevProvisioningTimer, the agent MUST NOT retain the + supplied value across MTA re-initializations or reboots." + REFERENCE + " PacketCable MTA Device Provisioning Specification." + DEFVAL {10} + ::= {pktcMtaDevBase 10} + + pktcMtaDevProvisioningCounter OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object counts the number of times the + provisioning cycle has looped through step MTA-1." 
+ ::= {pktcMtaDevBase 11} + + pktcMtaDevErrorOidsTable OBJECT-TYPE + SYNTAX SEQUENCE OF PktcMtaDevErrorOidsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " This table contains the list of configuration errors or + warnings the MTA encountered when parsing the + configuration file it received from the Provisioning + Server. + For each error, an entry is created in this table, + containing the configuration parameters the MTA rejected + and the associated reason (e.g., wrong or unknown OID, + inappropriate object values). If the MTA + did not report a provisioning state of 'pass(1)' in + the pktcMtaDevProvisioningState object, this table MUST be + populated for each error or warning instance. Even if + different parameters share the same error type (e.g., all + realm name configuration parameters are invalid), all + observed errors or warnings must be reported as + different instances. Errors are placed into the table in + no particular order. The table MUST be cleared each time + + + +Nechamkin & Mule Standards Track [Page 16] + +RFC 4682 IPCDN MTA MIB December 2006 + + + the MTA reboots." + REFERENCE + " PacketCable MTA Device Provisioning Specification." + ::= {pktcMtaDevBase 12 } + + pktcMtaDevErrorOidsEntry OBJECT-TYPE + SYNTAX PktcMtaDevErrorOidsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " This entry contains the necessary information the MTA MUST + attempt to provide in case of configuration file errors or + warnings." + INDEX { pktcMtaDevErrorOidIndex } + ::= {pktcMtaDevErrorOidsTable 1} + + PktcMtaDevErrorOidsEntry ::= SEQUENCE { + pktcMtaDevErrorOidIndex Unsigned32, + pktcMtaDevErrorOid SnmpAdminString, + pktcMtaDevErrorValue SnmpAdminString, + pktcMtaDevErrorReason SnmpAdminString + } + + pktcMtaDevErrorOidIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..1024) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " This object is the index of the MTA configuration error + table. 
It is an integer value that starts at value '1' + and is incremented for each encountered configuration + file error or warning. + + The maximum number of errors or warnings that can be + recorded in the pktcMtaDevErrorOidsTable is set to 1024 as + a configuration file is usually validated by operators + before deployment. Given the possible number of + configuration parameter assignments in the MTA + configuration file, 1024 is perceived as a sufficient + limit even with future extensions. + + If the number of the errors in the configuration file + exceeds 1024, all errors beyond the 1024th one MUST + be ignored and not be reflected in the + pktcMtaDevErrorOidsTable." + + ::= {pktcMtaDevErrorOidsEntry 1} + + + + +Nechamkin & Mule Standards Track [Page 17] + +RFC 4682 IPCDN MTA MIB December 2006 + + + pktcMtaDevErrorOid OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains a human readable representation + (character string) of the OID corresponding to the + configuration file parameter that caused the particular + error. + For example, if the value of the pktcMtaDevEnabled object + in the configuration file caused an error, then this + object instance will contain the human-readable string of + '1.3.6.1.2.1.140.1.1.6.0'. + If the MTA generated an error because it was not able + to recognize a particular OID, then this object + instance would contain an empty value (zero-length + string). + For example, if the value of an OID in the configuration + file was interpreted by the MTA as being 1.2.3.4.5, and if + the MTA was not able to recognize this OID as a valid one, + this object instance will contain a zero-length string. 
+ + If the number of errors in the configuration file exceeds + 1024, then for all subsequent errors, the + pktcMtaDevErrorOid of the table's 1024th entry MUST + contain a human-readable representation of the + pktcMtaDevErrorsTooManyErrors object; i.e., the string + '1.3.6.1.2.1.140.1.1.4.1.0'. + Note that the syntax of this object is SnmpAdminString + instead of OBJECT IDENTIFIER because the object value may + not be a valid OID due to human or configuration tool + encoding errors." + + ::= {pktcMtaDevErrorOidsEntry 2} + + pktcMtaDevErrorValue OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the value of the OID corresponding to + the configuration file parameter that caused the error. + If the MTA cannot recognize the OID of the + configuration parameter causing the error, then this + object instance contains the OID itself as interpreted + by the MTA in human-readable representation. + If the MTA can recognize the OID but generate an error due + to a wrong value of the parameter, then the object + + + +Nechamkin & Mule Standards Track [Page 18] + +RFC 4682 IPCDN MTA MIB December 2006 + + + instance contains the erroneous value of the parameter as + read from the configuration file. + In both cases, the value of this object must be + represented in human-readable form as a character string. + For example, if the value of the pktcMtaDevEnabled object + in the configuration file was 3 (invalid value), then the + pktcMtaDevErrorValue object instance will contain the + human-readable (string) representation of value '3'. + Similarly, if the OID in the configuration file has been + interpreted by the MTA as being 1.2.3.4.5 and the MTA + cannot recognize this OID as a valid one, then this + pktcMtaDevErrorValue object instance will contain human + readable (string) representation of value '1.2.3.4.5'. 
+ + If the number of errors in the configuration file exceeds + 1024, then for all subsequent errors, the + pktcMtaDevErrorValue of the table's 1024th entry MUST + contain a human-readable representation of the + pktcMtaDevErrorsTooManyErrors object; i.e., the string + '1.3.6.1.2.1.140.1.1.4.1.0'." + + ::= {pktcMtaDevErrorOidsEntry 3} + + pktcMtaDevErrorReason OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object indicates the reason for the error or warning, + as per the MTA's interpretation, in human-readable form. + For example: + 'VALUE NOT IN RANGE', 'VALUE DOES NOT MATCH TYPE', + 'UNSUPPORTED VALUE', 'LAST 4 BITS MUST BE SET TO ZERO', + 'OUT OF MEMORY - CANNOT STORE'. + This object may also contain vendor specific errors for + private vendor OIDs and any proprietary error codes or + messages that can help diagnose configuration errors. + + If the number of errors in the configuration file exceeds + 1024, then for all subsequent errors, the + pktcMtaDevErrorReason of the table's 1024th entry MUST + contain a human-readable string indicating the reason + for an error; for example, + 'Too many errors in the configuration file'." + ::= {pktcMtaDevErrorOidsEntry 4} + + -- + -- The following group describes server access and parameters used + + + +Nechamkin & Mule Standards Track [Page 19] + +RFC 4682 IPCDN MTA MIB December 2006 + + + -- for the initial MTA provisioning and bootstrapping phases. + -- + + pktcMtaDevDhcpServerAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the Internet address type for the + PacketCable DHCP servers specified in MTA MIB." + DEFVAL { ipv4 } + ::= { pktcMtaDevServer 1} + + pktcMtaDevServerDhcp1 OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the Internet Address of the primary + DHCP server the MTA uses during provisioning. 
+ The type of this address is determined by the value of + the pktcMtaDevDhcpServerAddressType object. + When the latter has the value 'ipv4(1)', this object + contains the IP address of the primary DHCP + server. It is provided by the CM to the MTA via the DHCP + option code 122, sub-option 1, as defined in RFC 3495. + + The behavior of this object when the value of + pktcMtaDevDhcpServerAddressType is other than 'ipv4(1)' + is not presently specified, but it may be specified + in future versions of this MIB module. + If this object is of value + 0.0.0.0, the MTA MUST stop all provisioning + attempts, as well as all other activities. + If this object is of value 255.255.255.255, it means + that there was no preference given for the primary + DHCP server, and, the MTA must follow the logic of + RFC2131, and the value of DHCP option 122, + sub-option 2, must be ignored." + REFERENCE + " PacketCable MTA Device Provisioning Specification; + RFC 2131, Dynamic Host Configuration Protocol; + RFC 3495, DHCP Option for CableLabs Client Configuration." + ::= { pktcMtaDevServer 2 } + + pktcMtaDevServerDhcp2 OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + + + +Nechamkin & Mule Standards Track [Page 20] + +RFC 4682 IPCDN MTA MIB December 2006 + + + STATUS current + DESCRIPTION + " This object contains the Internet Address of the secondary + DHCP server the MTA uses during provisioning. + The type of this address is determined by the value of + the pktcMtaDevDhcpServerAddressType object. + When the latter has the value 'ipv4(1)', this object + contains the IP address of the secondary DHCP + server. It is provided by the CM to the MTA via the DHCP + option code 122, sub-option 2, as defined in RFC 3495. + + The behavior of this object when the value of + pktcMtaDevDhcpServerAddressType is other than 'ipv4(1)' + is not presently specified, but it may be specified + in future versions of this MIB module. 
+ If there was no secondary DHCP server provided in DHCP + Option 122, sub-option 2, this object must return the value + 0.0.0.0." + REFERENCE + " PacketCable MTA Device Provisioning Specification; + RFC 3495, DHCP Option for CableLabs Client Configuration." + ::= { pktcMtaDevServer 3 } + + pktcMtaDevDnsServerAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the Internet address type for the + PacketCable DNS servers specified in MTA MIB." + DEFVAL { ipv4 } + ::= { pktcMtaDevServer 4} + + pktcMtaDevServerDns1 OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object contains the IP Address of the primary + DNS server to be used by the MTA. The type of this address + is determined by the value of the + pktcMtaDevDnsServerAddressType object. + When the latter has the value 'ipv4(1)', this object + contains the IP address of the primary DNS server. + As defined in RFC 2132, PacketCable-compliant MTAs receive + the IP addresses of the DNS Servers in DHCP option 6. + The behavior of this object when the value of + pktcMtaDevDnsServerAddressType is other than 'ipv4(1)' + + + +Nechamkin & Mule Standards Track [Page 21] + +RFC 4682 IPCDN MTA MIB December 2006 + + + is not presently specified, but it may be specified + in future versions of this MIB module. + If a value is written into an instance of + pktcMtaDevServerDns1, the agent MUST NOT retain the + supplied value across MTA re-initializations or reboots." + REFERENCE + " PacketCable MTA Device Provisioning Specification; + RFC 2132, DHCP Options and BOOTP Vendor Extensions." + ::= { pktcMtaDevServer 5 } + + pktcMtaDevServerDns2 OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object contains the IP Address of the secondary + DNS server to be used by the MTA. 
The type of this address + is determined by the value of the + pktcMtaDevDnsServerAddressType object. + When the latter has the value 'ipv4(1)', this object + contains the IP address of the secondary DNS + server. As defined in RFC 2132, PacketCable-compliant MTAs + receive the IP addresses of the DNS Servers in DHCP + option 6. + The behavior of this object when the value of + pktcMtaDevDnsServerAddressType is other than 'ipv4(1)' + is not presently specified, but it may be specified + in future versions of this MIB module. + If a value is written into an instance of + pktcMtaDevServerDns2, the agent MUST NOT retain the + supplied value across MTA re-initializations or reboots." + REFERENCE + " PacketCable MTA Device Provisioning Specification; + RFC 2132, DHCP Options and BOOTP Vendor Extensions." + ::= { pktcMtaDevServer 6 } + + pktcMtaDevTimeServerAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the Internet address type for the + PacketCable Time servers specified in MTA MIB." + DEFVAL { ipv4 } + ::= { pktcMtaDevServer 7} + + pktcMtaDevTimeServer OBJECT-TYPE + SYNTAX InetAddress + + + +Nechamkin & Mule Standards Track [Page 22] + +RFC 4682 IPCDN MTA MIB December 2006 + + + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object contains the Internet Address of the Time + Server used by an S-MTA for Time Synchronization. The type + of this address is determined by the value of the + pktcMtaDevTimeServerAddressType object. + When the latter has the value 'ipv4(1)', this object + contains the IP address of the Time Server used for Time + Synchronization. + In the case of an S-MTA, this object must be + populated with a value other than 0.0.0.0 as obtained + from DHCP option 4. The protocol by which the time of day + MUST be retrieved is defined in RFC 868. 
+ In the case of an E-MTA, this object must contain a + value of 0.0.0.0 if the address type is 'ipv4(1)' since + an E-MTA does not use the Time Protocol for time + synchronization (an E-MTA uses the time retrieved by the + DOCSIS cable modem). + The behavior of this object when the value of + pktcMtaDevTimeServerAddressType is other than 'ipv4(1)' + is not presently specified, but it may be specified in + future versions of this MIB module. + If a value is written into an instance of + pktcMtaDevTimeServer, the agent MUST NOT retain the + supplied value across MTA re-initializations or reboots." + REFERENCE + " RFC 868, Time Protocol; + RFC 2131, Dynamic Host Configuration Protocol; + RFC 2132, DHCP Options and BOOTP Vendor Extensions." + ::= { pktcMtaDevServer 8} + + pktcMtaDevConfigFile OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object specifies the MTA device configuration file + information, including the access method, the server name, + and the configuration file name. The value of this object + is the Uniform Resource Locator (URL) of the configuration + file for TFTP or HTTP download. + If this object value is a TFTP URL, it must be formatted + as defined in RFC 3617. + If this object value is an HTTP URL, it must be formatted + as defined in RFC 2616. + If the MTA SNMP Enrollment mechanism is used, then the MTA + must download the file provided by the Provisioning Server + + + +Nechamkin & Mule Standards Track [Page 23] + +RFC 4682 IPCDN MTA MIB December 2006 + + + during provisioning via an SNMP SET on this object. + If the MTA SNMP Enrollment mechanism is not used, this + object MUST contain the URL value corresponding to the + 'siaddr' and 'file' fields received in the DHCP ACK to + locate the configuration file: the 'siaddr' and 'file' + fields represent the host and file of the TFTP URL, + respectively. 
In this case, the MTA MUST return an + 'inconsistentValue' error in response to SNMP SET + operations. + The MTA MUST return a zero-length string if the server + address (host part of the URL) is unknown. + If a value is written into an instance of + pktcMtaDevConfigFile, the agent MUST NOT retain the + supplied value across MTA re-initializations or reboots." + REFERENCE + " PacketCable MTA Device Provisioning Specification; + RFC 3617, URI Scheme for TFTP; RFC 2616, HTTP 1.1" + ::= { pktcMtaDevServer 9 } + + pktcMtaDevSnmpEntity OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the FQDN of the SNMP entity of the + Provisioning Server. When the MTA SNMP Enrollment + Mechanism is used, this object represents the server that + the MTA communicates with, that it receives the + configuration file URL from, and that it sends the + enrollment notification to. The SNMP entity is also the + destination entity for all the provisioning + notifications. It may be used for post-provisioning + SNMP operations. During the provisioning phase, this + SNMP entity FQDN is supplied to the MTA via DHCP option + 122, sub-option 3, as defined in RFC 3495. The MTA must + resolve the FQDN value before its very first network + interaction with the SNMP entity during the provisioning + phase." + + REFERENCE + " PacketCable MTA Device Provisioning Specification; + RFC 3495, DHCP Option for CableLabs Client Configuration." + ::= { pktcMtaDevServer 10 } + + pktcMtaDevProvConfigHash OBJECT-TYPE + SYNTAX OCTET STRING (SIZE(20)) + MAX-ACCESS read-write + STATUS current + + + +Nechamkin & Mule Standards Track [Page 24] + +RFC 4682 IPCDN MTA MIB December 2006 + + + DESCRIPTION + " This object contains the hash value of the contents of the + configuration file. + The authentication algorithm is Secure Hashing Algorithm + 1 (SHA-1), and the length is 160 bits. 
The hash + calculation MUST follow the requirements defined in the + PacketCable Security Specification. When the MTA SNMP + Enrollment mechanism is used, this hash value is + calculated and sent to the MTA prior to sending the + config file. This object value is then provided by the + Provisioning server via an SNMP SET operation. + When the MTA SNMP Enrollment mechanism is not in use, the + hash value is provided in the configuration file itself, + and it is also calculated by the MTA. This object value + MUST represent the hash value calculated by the MTA. + When the MTA SNMP Enrollment mechanism is not in use, the + MTA must reject all SNMP SET operations on this object and + return an 'inconsistentValue' error. + If a value is written into an instance of + pktcMtaDevProvConfigHash, the agent MUST NOT retain the + supplied value across MTA re-initializations or reboots." + REFERENCE + " PacketCable MTA Device Provisioning Specification; + PacketCable Security Specification." + ::= { pktcMtaDevServer 11 } + + pktcMtaDevProvConfigKey OBJECT-TYPE + SYNTAX OCTET STRING (SIZE(32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object contains the key used to encrypt/decrypt + the configuration file when secure SNMPv3 provisioning + is used. + The value of this object is provided along with the + configuration file information (pktcMtaDevConfigFile) + and hash (pktcMtaDevProvConfigHash) by the Provisioning + Server via SNMP SET once the configuration file has been + created, as defined by the PacketCable Security + specification. + + The privacy algorithm is defined by the + pktcMtaDevProvConfigEncryptAlg MIB object. The + MTA requirements related to the privacy algorithm are + defined in the PacketCable Security Specification. 
+ + If this object is set at any other provisioning step than + that allowed by the PacketCable MTA Device + + + +Nechamkin & Mule Standards Track [Page 25] + +RFC 4682 IPCDN MTA MIB December 2006 + + + Provisioning Specification, the MTA SHOULD return + an 'inconsistentValue' error. + This object must not be used in non secure provisioning + mode. In non-secure provisioning modes, the MTA SHOULD + return an 'inconsistentValue' in response to SNMP SET + operations, and the MTA SHOULD return a zero-length + string in response to SNMP GET operations. + If a value is written into an instance of + pktcMtaDevProvConfigKey, the agent MUST NOT retain the + supplied value across MTA re-initializations or reboots." + REFERENCE + " PacketCable MTA Device Provisioning Specification; + PacketCable Security Specification." + ::= { pktcMtaDevServer 12 } + + pktcMtaDevProvConfigEncryptAlg OBJECT-TYPE + SYNTAX PktcMtaDevProvEncryptAlg + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object defines the encryption algorithm used for + privacy protection of the MTA Configuration File content." + DEFVAL { des64CbcMode } + ::= { pktcMtaDevServer 13 } + + pktcMtaDevProvSolicitedKeyTimeout OBJECT-TYPE + SYNTAX Unsigned32 (0..180) + UNITS "seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object defines a Kerberos Key Management timer on the + MTA. It is the time period during which the MTA saves the + nonce and Server Kerberos Principal Identifier to match an + AP Request and its associated AP Reply response from the + Provisioning Server. + After the timeout has been exceeded, the client discards + this (nonce, Server Kerberos Principal Identifier) pair, + after which it will no longer accept a matching AP Reply. + This timer only applies when the Provisioning Server + initiated key management for SNMPv3 (with a + Wake Up message). 
+ If this object is set to a zero value, the MTA MUST return + an 'inconsistentValue' in response to SNMP SET operations. + This object should not be used in non-secure provisioning + modes. In non-secure provisioning modes, the MTA MUST + return an 'inconsistentValue' in response to SNMP SET + operations, and the MTA MUST return a zero value in + + + +Nechamkin & Mule Standards Track [Page 26] + +RFC 4682 IPCDN MTA MIB December 2006 + + + response to SNMP GET operations. + If a value is written into an instance of + pktcMtaDevProvSolicitedKeyTimeout, the agent MUST NOT + retain the supplied value across MTA re-initializations + or reboots." + DEFVAL { 3 } + ::= { pktcMtaDevServer 14 } + + --================================================================= + -- + -- Unsolicited key updates are retransmitted according to an + -- exponential back-off mechanism using two timers and a maximum + -- retry counter for AS replies. + -- The initial retransmission timer value is the nominal timer + -- value (pktcMtaDevProvUnsolicitedKeyNomTimeout). The + -- retransmissions occur with an exponentially increasing interval + -- that caps at the maximum timeout value + -- (pktcMtaDevProvUnsolicitedKeyMaxTimeout). + -- Retransmissions stop when the maximum retry counter is reached + -- (pktcMtaDevProvUnsolicitedKeyMaxRetries). + -- For example, with values of 3 seconds for the nominal + -- timer, 100 seconds for the maximum timeout, and 8 retries max, + -- and with an exponential value of 2, this results in + -- retransmission intervals will be 3 s, 6 s, 12 s, 24 s, 48 s, + -- 96 s, 100 s, and 100 s; + -- retransmissions then stop because the maximum number of + -- retries (8) has been reached. 
+ -- + --================================================================= + -- + -- Timeouts for unsolicited key management updates are only + -- pertinent before the first SNMPv3 message is sent between the + -- MTA and the Provisioning Server and before the configuration + -- file is loaded. + -- + --================================================================= + + pktcMtaDevProvUnsolicitedKeyMaxTimeout OBJECT-TYPE + SYNTAX Unsigned32 (0..600) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object defines the timeout value that applies to + an MTA-initiated AP-REQ/REP key management exchange with + the Provisioning Server in SNMPv3 provisioning. + It is the maximum timeout value, and it may not be exceeded + in the exponential back-off algorithm. If the DHCP option + + + +Nechamkin & Mule Standards Track [Page 27] + +RFC 4682 IPCDN MTA MIB December 2006 + + + code 122, sub-option 5, is provided to the MTA, it + overwrites this value. + In non-secure provisioning modes, the MTA MUST + return a zero value in response to SNMP GET + operations." + REFERENCE + " PacketCable Security Specification." + DEFVAL {600} + ::= { pktcMtaDevServer 15 } + + pktcMtaDevProvUnsolicitedKeyNomTimeout OBJECT-TYPE + SYNTAX Unsigned32 (0..600) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object defines the starting value of the timeout + for the AP-REQ/REP Backoff and Retry mechanism + with exponential timeout in SNMPv3 provisioning. + If the DHCP option code 122, sub-option 5, is provided + the MTA, it overwrites this value. + In non-secure provisioning modes, the MTA MUST + return a zero value in response to SNMP GET + operations." + REFERENCE + " PacketCable Security Specification." 
+ DEFVAL {3} + ::= { pktcMtaDevServer 16} + + pktcMtaDevProvUnsolicitedKeyMaxRetries OBJECT-TYPE + SYNTAX Unsigned32 (0..32) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains a retry counter that applies to + an MTA-initiated AP-REQ/REP key management exchange with + the Provisioning Server in secure SNMPv3 provisioning. + It is the maximum number of retries before the MTA stops + attempting to establish a Security Association with + Provisioning Server. + If the DHCP option code 122, sub-option 5, is provided to + the MTA, it overwrites this value. + If this object is set to a zero value, the MTA MUST return + an 'inconsistentValue' in response to SNMP SET operations. + In non-secure provisioning modes, the MTA MUST + return a zero value in response to SNMP GET + operations." + REFERENCE + + + +Nechamkin & Mule Standards Track [Page 28] + +RFC 4682 IPCDN MTA MIB December 2006 + + + " PacketCable Security Specification." + DEFVAL {8} + ::= { pktcMtaDevServer 17 } + + pktcMtaDevProvKerbRealmName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..255)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the name of the associated + provisioning Kerberos realm acquired during the MTA4 + provisioning step (DHCP Ack) for SNMPv3 provisioning. + The uppercase ASCII representation of the associated + Kerberos realm name MUST be used by both the Manager (SNMP + entity) and the MTA. + The Kerberos realm name for the Provisioning Server is + supplied to the MTA via DHCP option code 122, sub-option 6, + as defined in RFC 3495. In secure SNMP provisioning mode, + the value of the Kerberos realm name for the Provisioning + Server supplied in the MTA configuration file must match + the value supplied in the DHCP option code 122, + sub-option 6. Otherwise, the value of this object must + contain the value supplied in DHCP Option 122, + sub-option 6." 
+ REFERENCE + " PacketCable MTA Device Provisioning Specification; + RFC 3495, DHCP Option for CableLabs Client Configuration." + ::= { pktcMtaDevServer 18 } + + pktcMtaDevProvState OBJECT-TYPE + SYNTAX INTEGER { + operational (1), + waitingForSnmpSetInfo (2), + waitingForTftpAddrResponse (3), + waitingForConfigFile (4) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object defines the MTA provisioning state. + If the state is: + + 'operational(1)', the device has completed the loading + and processing of the initialization parameters. + + 'waitingForSnmpSetInfo(2)', the device is waiting on + its configuration file download access information. + Note that this state is only reported when the MTA + + + +Nechamkin & Mule Standards Track [Page 29] + +RFC 4682 IPCDN MTA MIB December 2006 + + + SNMP enrollment mechanism is used. + + 'waitingForTftpAddrResponse(3)', the device has sent a + DNS request to resolve the server providing the + configuration file, and it is awaiting for a response. + Note that this state is only reported when the MTA + SNMP enrollment mechanism is used. + + 'waitingForConfigFile(4)', the device has sent a + request via TFTP or HTTP for the download of its + configuration file, and it is awaiting for a response or + the file download is in progress." + REFERENCE + " PacketCable MTA Device Provisioning Specification, + PacketCable Security Specification." + ::= { pktcMtaDevServer 19 } + + -- + -- The following object group describes the security objects. + -- + + pktcMtaDevManufacturerCertificate OBJECT-TYPE + SYNTAX DocsX509ASN1DEREncodedCertificate + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the MTA Manufacturer Certificate. + The object value must be the ASN.1 DER encoding of the MTA + manufacturer's X.509 public key certificate. 
The MTA + Manufacturer Certificate is issued to each MTA + manufacturer and is installed into each MTA at the time of + manufacture or with a secure code download. The specific + requirements related to this certificate are defined in + the PacketCable or IPCablecom Security specifications." + REFERENCE + " PacketCable Security Specification." + + ::= {pktcMtaDevSecurity 1} + + pktcMtaDevCertificate OBJECT-TYPE + SYNTAX DocsX509ASN1DEREncodedCertificate + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the MTA Device Certificate. + The object value must be the ASN.1 DER encoding of the + MTA's X.509 public-key certificate issued by the + manufacturer and installed into the MTA at the time of + + + +Nechamkin & Mule Standards Track [Page 30] + +RFC 4682 IPCDN MTA MIB December 2006 + + + manufacture or with a secure code download. + This certificate contains the MTA MAC address. The + specific requirements related to this certificate are + defined in the PacketCable or IPCablecom Security + specifications." + REFERENCE + " PacketCable Security Specification." + ::= { pktcMtaDevSecurity 2 } + + pktcMtaDevCorrelationId OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains a correlation ID, an arbitrary value + generated by the MTA that will be exchanged as part of the + device capability data to the Provisioning Application. + This random value is used as an identifier to correlate + related events in the MTA provisioning sequence. + This value is intended for use only during the MTA + initialization and configuration file download." + REFERENCE + " PacketCable MTA Device Provisioning Specification." + ::= { pktcMtaDevSecurity 3 } + + pktcMtaDevTelephonyRootCertificate OBJECT-TYPE + SYNTAX DocsX509ASN1DEREncodedCertificate + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the telephony Service Provider Root + certificate. 
The object value is the ASN.1 DER encoding of + the IP Telephony Service Provider Root X.509 public key + certificate. This certification is stored in the MTA + non-volatile memory and can be updated with a secure code + download. This certificate is used to validate the initial + AS Reply received by the MTA from the Key Distribution + Center (KDC) during the MTA initialization. The specific + requirements related to this certificate are defined in + the PacketCable or IPCablecom Security specifications." + REFERENCE + " PacketCable Security Specification." + ::= { pktcMtaDevSecurity 4 } + + --================================================================= + -- + -- Informative Procedures for Setting up Security Associations + -- + + + +Nechamkin & Mule Standards Track [Page 31] + +RFC 4682 IPCDN MTA MIB December 2006 + + + -- A Security Association may be set up either via configuration or + -- via NCS signaling. + -- + -- I. Security association setup via configuration. + -- + -- The realm must be configured first. Associated with the realm + -- is a KDC. The realm table (pktcMtaDevRealmTable) indicates + -- information about the realm (e.g., name, organization name) and + -- parameters associated with KDC communications (e.g., grace + -- periods, AS Request/AS Reply adaptive back-off parameters). + -- + -- Once the realm is established, one or more CMS(es) may be + -- defined in the realm. Associated with each CMS + -- entry in the pktcMtaDevCmsTable is an explicit reference + -- to a Realm via the realm name (pktcMtaDevCmsKerbRealmName), + -- the FQDN of the CMS, and parameters associated with IPSec + -- key management with the CMS (e.g., clock skew, AP Request/ + -- AP Reply adaptive back-off parameters). + -- + -- II. Security association setup via NCS signaling. + -- + -- The procedure of establishing the Security Associations + -- for NCS signaling is described in the PacketCable Security + -- specification. 
+ -- It involves the analysis of the pktcNcsEndPntConfigTable row + -- for the corresponding endpoint number and the correlation of + -- the CMS FQDN from this row with the CMS Table and + -- consequently, with the Realm Table. Both of these tables + -- are defined below. The pktcNcsEndPntConfigTable is defined in + -- the IP over Cable Data Network (IPCDN) + -- NCS Signaling MIB [NCSSIGMIB]. + -- + -- III. When the MTA receives wake-up or re-key messages from a + -- CMS, it performs key management based on the corresponding + -- entry in the CMS table. If the matching CMS entry does not + -- exist, it must ignore the wake-up or re-key messages. + -- + --================================================================= + --================================================================= + -- + -- pktcMtaDevRealmTable + -- + -- The pktcMtaDevRealmTable shows the KDC realms. The table is + -- indexed with pktcMtaDevRealmIndex. The Realm Table contains the + -- pktcMtaDevRealmName in conjunction with any server that needs + -- a Security Association with the MTA. Uppercase must be used + -- to compare the pktcMtaDevRealmName content. + -- + + + +Nechamkin & Mule Standards Track [Page 32] + +RFC 4682 IPCDN MTA MIB December 2006 + + + --================================================================= + + pktcMtaDevRealmAvailSlot OBJECT-TYPE + SYNTAX Unsigned32 (0..64) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object contains the index number of the first + available entry in the realm table (pktcMtaDevRealmTable). + If all the entries in the realm table have been assigned, + this object contains the value of zero. + A management station should create new entries in the + realm table, using the following procedure: + + First, issue a management protocol retrieval operation + to determine the value of the first available index in the + realm table (pktcMtaDevRealmAvailSlot). 
+ + Second, issue a management protocol SET operation + to create an instance of the pktcMtaDevRealmStatus + object by setting its value to 'createAndWait(5)'. + + Third, if the SET operation succeeded, continue + modifying the object instances corresponding to the newly + created conceptual row, without fear of collision with + other management stations. When all necessary conceptual + columns of the row are properly populated (via SET + operations or default values), the management station may + SET the pktcMtaDevRealmStatus object to 'active(1)'." + ::= { pktcMtaDevSecurity 5 } + + pktcMtaDevRealmTable OBJECT-TYPE + SYNTAX SEQUENCE OF PktcMtaDevRealmEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " This object contains the realm table. + The CMS table (pktcMtaDevCmsTable) and the realm table + (pktcMtaDevRealmTable) are used for managing the MTA-CMS + Security Associations. The realm table defines the + Kerberos realms for the Application Servers (CMSes and the + Provisioning Server)." + ::= { pktcMtaDevSecurity 6 } + + pktcMtaDevRealmEntry OBJECT-TYPE + SYNTAX PktcMtaDevRealmEntry + MAX-ACCESS not-accessible + STATUS current + + + +Nechamkin & Mule Standards Track [Page 33] + +RFC 4682 IPCDN MTA MIB December 2006 + + + DESCRIPTION + " This table entry object lists the MTA security parameters + for a single Kerberos realm. The conceptual rows MUST NOT + persist across MTA reboots." 
+ INDEX { pktcMtaDevRealmIndex } + ::= { pktcMtaDevRealmTable 1 } + + PktcMtaDevRealmEntry ::= SEQUENCE { + pktcMtaDevRealmIndex Unsigned32, + pktcMtaDevRealmName SnmpAdminString, + pktcMtaDevRealmPkinitGracePeriod Unsigned32, + pktcMtaDevRealmTgsGracePeriod Unsigned32, + pktcMtaDevRealmOrgName LongUtf8String, + pktcMtaDevRealmUnsolicitedKeyMaxTimeout Unsigned32, + pktcMtaDevRealmUnsolicitedKeyNomTimeout Unsigned32, + pktcMtaDevRealmUnsolicitedKeyMaxRetries Unsigned32, + pktcMtaDevRealmStatus RowStatus + } + + pktcMtaDevRealmIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..64) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " This object defines the realm table index." + ::= { pktcMtaDevRealmEntry 1} + + pktcMtaDevRealmName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..255)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object identifies the Kerberos realm name in all + capitals. The MTA MUST prohibit the instantiation of any + two rows with identical Kerberos realm names. The MTA MUST + also verify that any search operation involving Kerberos + realm names is done using the uppercase ASCII + representation of the characters." + ::= { pktcMtaDevRealmEntry 2 } + + pktcMtaDevRealmPkinitGracePeriod OBJECT-TYPE + SYNTAX Unsigned32 (15..600) + UNITS "minutes" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object contains the PKINIT Grace Period. For the + purpose of key management with Application Servers (CMSes + + + +Nechamkin & Mule Standards Track [Page 34] + +RFC 4682 IPCDN MTA MIB December 2006 + + + or the Provisioning Server), the MTA must utilize the + PKINIT exchange to obtain Application Server tickets. The + MTA may utilize the PKINIT exchange to obtain Ticket + Granting Tickets (TGTs), which are then used to obtain + Application Server tickets in a TGS exchange. + The PKINIT exchange occurs according to the current Ticket + Expiration Time (TicketEXP) and on the PKINIT Grace Period + (PKINITGP). 
The MTA MUST initiate the PKINIT exchange at + the time: TicketEXP - PKINITGP." + REFERENCE + " PacketCable Security Specification." + DEFVAL { 15 } + ::= { pktcMtaDevRealmEntry 3 } + + pktcMtaDevRealmTgsGracePeriod OBJECT-TYPE + SYNTAX Unsigned32 (1..600) + UNITS "minutes" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object contains the Ticket Granting Server Grace + Period (TGSGP). The Ticket Granting Server (TGS) + Request/Reply exchange may be performed by the MTA + on demand whenever an Application Server ticket is + needed to establish security parameters. If the MTA + possesses a ticket that corresponds to the Provisioning + Server or a CMS that currently exists in the CMS table, + the MTA MUST initiate the TGS Request/Reply exchange + at the time: TicketEXP - TGSGP." + REFERENCE + " PacketCable Security Specification." + DEFVAL { 10 } + ::= { pktcMtaDevRealmEntry 4 } + + pktcMtaDevRealmOrgName OBJECT-TYPE + SYNTAX LongUtf8String + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object contains the X.500 organization name attribute + as defined in the subject name of the service provider + certificate." + REFERENCE + " PacketCable Security Specification; + RFCs 3280 and 4630, Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation List + (CRL) Profile" + ::= { pktcMtaDevRealmEntry 5 } + + + +Nechamkin & Mule Standards Track [Page 35] + +RFC 4682 IPCDN MTA MIB December 2006 + + + + pktcMtaDevRealmUnsolicitedKeyMaxTimeout OBJECT-TYPE + SYNTAX Unsigned32 (1..600) + UNITS "seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object specifies the maximum time the MTA will + attempt to perform the exponential back-off algorithm. + This timer only applies when the MTA initiated key + management. If the DHCP option code 122, sub-option 4, is + provided to the MTA, it overwrites this value. 
+ + Unsolicited key updates are retransmitted according to an + exponential back-off mechanism using two timers and a + maximum retry counter for AS replies. + The initial retransmission timer value is the nominal + timer value (pktcMtaDevRealmUnsolicitedKeyNomTimeout). The + retransmissions occur with an exponentially increasing + interval that caps at the maximum timeout value + (pktcMtaDevRealmUnsolicitedKeyMaxTimeout). + Retransmissions stop when the maximum retry counter is + reached (pktcMatDevRealmUnsolicitedMaxRetries). + + For example, with values of 3 seconds for the nominal + timer, 20 seconds for the maximum timeout, and 5 retries + max, retransmission intervals will be 3 s, 6 s, + 12 s, 20 s, and 20 s, and retransmissions then stop because + the maximum number of retries has been reached." + REFERENCE + " PacketCable Security Specification." + DEFVAL { 100 } + ::= { pktcMtaDevRealmEntry 6 } + + pktcMtaDevRealmUnsolicitedKeyNomTimeout OBJECT-TYPE + SYNTAX Unsigned32 (100..600000) + UNITS "milliseconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object specifies the initial timeout value + for the AS-REQ/AS-REP exponential back-off and retry + mechanism. If the DHCP option code 122, sub-option 4, is + provided to the MTA, it overwrites this value. + This value should account for the average roundtrip + time between the MTA and the KDC, as well as the + processing delay on the KDC. + + + + +Nechamkin & Mule Standards Track [Page 36] + +RFC 4682 IPCDN MTA MIB December 2006 + + + Unsolicited key updates are retransmitted according to an + exponential back-off mechanism using two timers and a + maximum retry counter for AS replies. + The initial retransmission timer value is the nominal + timer value (pktcMtaDevRealmUnsolicitedKeyNomTimeout). The + retransmissions occur with an exponentially increasing + interval that caps at the maximum timeout value + (pktcMtaDevRealmUnsolicitedKeyMaxTimeout). 
+ Retransmissions stop when the maximum retry counter is + reached (pktcMatDevRealmUnsolicitedMaxRetries). + + For example, with values of 3 seconds for the nominal + timer, 20 seconds for the maximum timeout, and 5 retries + max, in retransmission intervals will be 3 s, 6 s, + 12 s, 20 s, and 20 s; retransmissions then stop because + the maximum number of retries has been reached." + REFERENCE + " PacketCable Security Specification." + DEFVAL { 3000 } + ::= { pktcMtaDevRealmEntry 7 } + + pktcMtaDevRealmUnsolicitedKeyMaxRetries OBJECT-TYPE + SYNTAX Unsigned32 (0..1024) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object specifies the maximum number of retries the + MTA attempts to obtain a ticket from the KDC. + + Unsolicited key updates are retransmitted according to an + exponential back-off mechanism using two timers and a + maximum retry counter for AS replies. + The initial retransmission timer value is the nominal + timer value (pktcMtaDevRealmUnsolicitedKeyNomTimeout). The + retransmissions occur with an exponentially increasing + interval that caps at the maximum timeout value + (pktcMtaDevRealmUnsolicitedKeyMaxTimeout). + Retransmissions stop when the maximum retry counter is + reached (pktcMatDevRealmUnsolicitedMaxRetries). + + For example, with values of 3 seconds for the nominal + timer, 20 seconds for the maximum timeout, and 5 retries + max, retransmission intervals will be 3 s, 6 s, + 12 s, 20 s, and 20 s; retransmissions then stop because + the maximum number of retries has been reached." + REFERENCE + " PacketCable Security Specification." + DEFVAL { 5 } + + + +Nechamkin & Mule Standards Track [Page 37] + +RFC 4682 IPCDN MTA MIB December 2006 + + + ::= { pktcMtaDevRealmEntry 8 } + + pktcMtaDevRealmStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object defines the row status of this realm in the + realm table (pktcMtaDevRealmTable). 
+ + An entry in this table is not qualified for activation + until the object instances of all corresponding columns + have been initialized, either by default values, or via + explicit SET operations. Until all object instances in + this row are initialized, the status value for this realm + must be 'notReady(3)'. + In particular, two columnar objects must be explicitly + SET: the realm name (pktcMtaDevRealmName) and the + organization name (pktcMtaDevRealmOrgName). Once these 2 + objects have been set and the row status is SET to + 'active(1)', the MTA MUST NOT allow any modification of + these 2 object values. + The value of this object has no effect on whether other + columnar objects in this row can be modified." + ::= { pktcMtaDevRealmEntry 9 } + + --================================================================= + -- + -- The CMS table, pktcMtaDevCmsTable + -- + -- The CMS table and the realm table (pktcMtaDevRealmTable) are used + -- for managing the MTA signaling security. The CMS table defines + -- the CMSes the MTA is allowed to communicate with and contains + -- the parameters describing the SA establishment between the MTA + -- and a CMS. + -- The CMS table is indexed by pktcMtaDevCmsIndex. The table + -- contains the CMS FQDN (pktcMtaDevCmsFQDN) and the associated + -- Kerberos realm name (pktcMtaDevCmsKerbRealmName) so that the MTA + -- can find the corresponding Kerberos realm name in the + -- pktcMtaDevRealmTable. + -- + --================================================================= + + pktcMtaDevCmsAvailSlot OBJECT-TYPE + SYNTAX Unsigned32 (0..128) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + + + +Nechamkin & Mule Standards Track [Page 38] + +RFC 4682 IPCDN MTA MIB December 2006 + + + " This object contains the index number of the first + available entry in the CMS table (pktcMtaDevCmsTable). + If all the entries in the CMS table have been assigned, + this object contains the value of zero. 
+ A management station should create new entries in the + CMS table, using the following procedure: + + First, issue a management protocol retrieval operation + to determine the value of the first available index in the + CMS table (pktcMtaDevCmsAvailSlot). + + Second, issue a management protocol SET operation + to create an instance of the pktcMtaDevCmsStatus + object by setting its value to 'createAndWait(5)'. + + Third, if the SET operation succeeded, continue + modifying the object instances corresponding to the newly + created conceptual row, without fear of collision with + other management stations. When all necessary conceptual + columns of the row are properly populated (via SET + operations or default values), the management station may + SET the pktcMtaDevCmsStatus object to 'active(1)'." + ::= { pktcMtaDevSecurity 7 } + + pktcMtaDevCmsTable OBJECT-TYPE + SYNTAX SEQUENCE OF PktcMtaDevCmsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " This object defines the CMS table. + The CMS table (pktcMtaDevCmsTable) and the realm table + (pktcMtaDevRealmTable) are used for managing security + between the MTA and CMSes. Each CMS table entry defines + a CMS the managed MTA is allowed to communicate with + and contains security parameters for key management with + that CMS." + ::= { pktcMtaDevSecurity 8 } + + pktcMtaDevCmsEntry OBJECT-TYPE + SYNTAX PktcMtaDevCmsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " This table entry object lists the MTA key management + parameters used when establishing Security Associations + with a CMS. The conceptual rows MUST NOT persist across + MTA reboots." 
+ INDEX { pktcMtaDevCmsIndex } + + + +Nechamkin & Mule Standards Track [Page 39] + +RFC 4682 IPCDN MTA MIB December 2006 + + + ::= { pktcMtaDevCmsTable 1 } + + PktcMtaDevCmsEntry ::= SEQUENCE { + pktcMtaDevCmsIndex Unsigned32, + pktcMtaDevCmsFqdn SnmpAdminString, + pktcMtaDevCmsKerbRealmName SnmpAdminString, + pktcMtaDevCmsMaxClockSkew Unsigned32, + pktcMtaDevCmsSolicitedKeyTimeout Unsigned32, + pktcMtaDevCmsUnsolicitedKeyMaxTimeout Unsigned32, + pktcMtaDevCmsUnsolicitedKeyNomTimeout Unsigned32, + pktcMtaDevCmsUnsolicitedKeyMaxRetries Unsigned32, + pktcMtaDevCmsIpsecCtrl TruthValue, + pktcMtaDevCmsStatus RowStatus + } + + pktcMtaDevCmsIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..128) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + " This object defines the CMS table index." + ::= { pktcMtaDevCmsEntry 1 } + + pktcMtaDevCmsFqdn OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..255)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object specifies the CMS FQDN. The MTA must + prohibit the instantiation of any two rows with identical + FQDNs. The MTA must also verify that any search and/or + comparison operation involving a CMS FQDN is case + insensitive. The MTA must resolve the CMS FQDN as required + by the corresponding PacketCable Specifications." + REFERENCE + " PacketCable MTA Device Provisioning Specification; + PacketCable Security Specification; + PacketCable Network-Based Call Signaling Protocol + Specification." + ::= { pktcMtaDevCmsEntry 2 } + + pktcMtaDevCmsKerbRealmName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..255)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object identifies the Kerberos realm name in uppercase + characters associated with the CMS defined in this + + + +Nechamkin & Mule Standards Track [Page 40] + +RFC 4682 IPCDN MTA MIB December 2006 + + + conceptual row. The object value is a reference + point to the corresponding Kerberos realm name in the + realm table (pktcMtaDevRealmTable)." 
+ ::= { pktcMtaDevCmsEntry 3 } + + pktcMtaDevCmsMaxClockSkew OBJECT-TYPE + SYNTAX Unsigned32 (1..1800) + UNITS "seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object specifies the maximum allowable clock skew + between the MTA and the CMS defined in this row." + DEFVAL { 300 } + ::= { pktcMtaDevCmsEntry 4 } + + pktcMtaDevCmsSolicitedKeyTimeout OBJECT-TYPE + SYNTAX Unsigned32 (100..30000) + UNITS "milliseconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object defines a Kerberos Key Management timer on the + MTA. It is the time period during which the MTA saves the + nonce and Server Kerberos Principal Identifier to match an + AP Request and its associated AP Reply response from the + CMS. This timer only applies when the CMS initiated key + management (with a Wake Up message or a Rekey message)." + REFERENCE + " PacketCable Security Specification." + DEFVAL { 1000 } + ::= { pktcMtaDevCmsEntry 5 } + + --================================================================= + -- + -- Unsolicited key updates are retransmitted according to an + -- exponential back-off mechanism using two timers and a maximum + -- retry counter for AS replies. + -- The initial retransmission timer value is the nominal timer + -- value (pktcMtaDevCmsUnsolicitedKeyNomTimeout). The + -- retransmissions occur with an exponentially increasing interval + -- that caps at the maximum timeout value + -- (pktcMtaDevCmsUnsolicitedKeyMaxTimeout). + -- Retransmissions stop when the maximum retry counter is reached + -- (pktcMatDevCmsUnsolicitedMaxRetries). + -- For example, with values of 3 seconds for the nominal + -- timer, 20 seconds for the maximum timeout, and 5 retries max, + -- retransmission intervals will be 3 s, 6 s, 12 s, + + + +Nechamkin & Mule Standards Track [Page 41] + +RFC 4682 IPCDN MTA MIB December 2006 + + + -- 20 s, and 20 s; retransmissions then stop due to the + -- maximum number of retries reached. 
+ -- + --================================================================= + + pktcMtaDevCmsUnsolicitedKeyMaxTimeout OBJECT-TYPE + SYNTAX Unsigned32 (1..600) + UNITS "seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object defines the timeout value that only applies + to an MTA-initiated key management exchange. It is the + maximum timeout, and it may not be exceeded in the + exponential back-off algorithm." + REFERENCE + " PacketCable Security Specification." + DEFVAL { 600 } + ::= { pktcMtaDevCmsEntry 6 } + + pktcMtaDevCmsUnsolicitedKeyNomTimeout OBJECT-TYPE + SYNTAX Unsigned32 (100..30000) + UNITS "milliseconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object defines the starting value of the timeout + for an MTA-initiated key management. It should account for + the average roundtrip time between the MTA and the CMS and + the processing time on the CMS." + REFERENCE + " PacketCable Security Specification." + DEFVAL { 500 } + ::= { pktcMtaDevCmsEntry 7 } + + pktcMtaDevCmsUnsolicitedKeyMaxRetries OBJECT-TYPE + SYNTAX Unsigned32 (0..1024) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object contains the maximum number of retries before + the MTA stops attempting to establish a Security + Association with the CMS." + REFERENCE + " PacketCable Security Specification." + DEFVAL { 5 } + ::= { pktcMtaDevCmsEntry 8 } + + + + +Nechamkin & Mule Standards Track [Page 42] + +RFC 4682 IPCDN MTA MIB December 2006 + + + pktcMtaDevCmsIpsecCtrl OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION + " This object specifies the MTA IPSec control flag. + If the object value is 'true', the MTA must use Kerberos + Key Management and IPsec to communicate with this CMS. If + it is 'false', IPSec Signaling Security and Kerberos key + management are disabled for this specific CMS." 
+ DEFVAL { true } + ::= { pktcMtaDevCmsEntry 9 } + + pktcMtaDevCmsStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + " This object defines the row status associated with this + particular CMS in the CMS table (pktcMtaDevCmsTable). + + An entry in this table is not qualified for activation + until the object instances of all corresponding columns + have been initialized, either by default values or via + explicit SET operations. Until all object instances in + this row are initialized, the status value for this realm + must be 'notReady(3)'. + In particular, two columnar objects must be SET: the + CMS FQDN (pktcMtaDevCmsFqdn) and the Kerberos realm name + (pktcMtaDevCmsKerbRealmName). Once these 2 objects have + been set and the row status is SET to 'active(1)', the MTA + MUST NOT allow any modification of these 2 object values. + + The value of this object has no effect on + whether other columnar objects in this row can be + modified." + ::= { pktcMtaDevCmsEntry 10 } + + pktcMtaDevResetKrbTickets OBJECT-TYPE + SYNTAX BITS { + invalidateProvOnReboot (0), + invalidateAllCmsOnReboot (1) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + " This object defines a Kerberos Ticket Control Mask that + instructs the MTA to invalidate the specific Application + + + +Nechamkin & Mule Standards Track [Page 43] + +RFC 4682 IPCDN MTA MIB December 2006 + + + Server Kerberos ticket(s) that are stored locally in the + MTA NVRAM (non-volatile or persistent memory). + If the MTA does not store Kerberos tickets in NVRAM, it + MUST ignore setting of this object and MUST report a BITS + value of zero when the object is read. 
+ If the MTA supports Kerberos tickets storage in NVRAM, the + object value is encoded as follows: + - Setting the invalidateProvOnReboot bit (bit 0) to 1 + means that the MTA MUST invalidate the Kerberos + Application Ticket(s) for the Provisioning Application + at the next MTA reboot if secure SNMP provisioning mode + is used. In non-secure provisioning modes, the MTA MUST + return an 'inconsistentValue' in response to SNMP SET + operations with a bit 0 set to 1. + - Setting the invalidateAllCmsOnReboot bit (bit 1) to 1 + means that the MTA MUST invalidate the Kerberos + Application Ticket(s) for all CMSes currently assigned + to the MTA endpoints. + If a value is written into an instance of + pktcMtaDevResetKrbTickets, the agent MUST retain the + supplied value across an MTA re-initialization or + reboot." + REFERENCE + "PacketCable Security Specification." + DEFVAL { { } } + ::= { pktcMtaDevSecurity 9 } + + -- + -- The following group, pktcMtaDevErrors, defines an OID + -- corresponding to error conditions encountered during the MTA + -- provisioning. + -- + + pktcMtaDevErrorsTooManyErrors OBJECT-IDENTITY + STATUS current + DESCRIPTION + "This object defines the OID corresponding to the error + condition when too many errors are encountered in the + MTA configuration file during provisioning." + ::= { pktcMtaDevErrors 1 } + + pktcMtaDevProvisioningEnrollment NOTIFICATION-TYPE + OBJECTS { + sysDescr, + pktcMtaDevSwCurrentVers, + pktcMtaDevTypeIdentifier, + ifPhysAddress, + pktcMtaDevCorrelationId + + + +Nechamkin & Mule Standards Track [Page 44] + +RFC 4682 IPCDN MTA MIB December 2006 + + + } + STATUS current + DESCRIPTION + " This INFORM notification is issued by the MTA to initiate + the PacketCable provisioning process when the MTA SNMP + enrollment mechanism is used. 
+ It contains the system description, the current software + version, the MTA device type identifier, the MTA MAC + address (obtained in the MTA ifTable in the ifPhysAddress + object that corresponds to the ifIndex 1), and a + correlation ID." + ::= { pktcMtaNotification 1 } + + pktcMtaDevProvisioningStatus NOTIFICATION-TYPE + OBJECTS { + ifPhysAddress, + pktcMtaDevCorrelationId, + pktcMtaDevProvisioningState + } + STATUS current + DESCRIPTION + " This INFORM notification may be issued by the MTA to + confirm the completion of the PacketCable provisioning + process, and to report its provisioning completion + status. + It contains the MTA MAC address (obtained in the MTA + ifTable in the ifPhysAddress object that corresponds + to the ifIndex 1), a correlation ID and the MTA + provisioning state as defined in + pktcMtaDevProvisioningState." + ::= { pktcMtaNotification 2 } + + -- + -- Compliance Statements + -- + + pktcMtaCompliances OBJECT IDENTIFIER ::= { pktcMtaConformance 1 } + pktcMtaGroups OBJECT IDENTIFIER ::= { pktcMtaConformance 2 } + + pktcMtaBasicCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + " The compliance statement for MTA devices that implement + PacketCable or IPCablecom requirements. + + This compliance statement applies to MTA implementations + that support PacketCable 1.0 or IPCablecom requirements, + which are not IPv6-capable at the time of this + + + +Nechamkin & Mule Standards Track [Page 45] + +RFC 4682 IPCDN MTA MIB December 2006 + + + RFC publication." + + MODULE -- Unconditionally mandatory groups for MTAs + + MANDATORY-GROUPS { + pktcMtaGroup, + pktcMtaNotificationGroup + } + + OBJECT pktcMtaDevDhcpServerAddressType + SYNTAX InetAddressType { ipv4(1) } + DESCRIPTION + " Support for address types other than 'ipv4(1)' + is not presently specified and therefore is not + required. It may be defined in future versions of + this MIB module." 
+ + OBJECT pktcMtaDevDnsServerAddressType + SYNTAX InetAddressType { ipv4(1) } + DESCRIPTION + " Support for address types other than 'ipv4(1)' + is not presently specified and therefore is not + required. It may be defined in future versions of + this MIB module." + + OBJECT pktcMtaDevTimeServerAddressType + SYNTAX InetAddressType { ipv4(1) } + DESCRIPTION + " Support for address types other than 'ipv4(1)' + is not presently specified and therefore is not + required. It may be defined in future versions of + this MIB module." + + OBJECT pktcMtaDevServerDhcp1 + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." + + OBJECT pktcMtaDevServerDhcp2 + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." + + OBJECT pktcMtaDevServerDns1 + + + +Nechamkin & Mule Standards Track [Page 46] + +RFC 4682 IPCDN MTA MIB December 2006 + + + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." + + OBJECT pktcMtaDevServerDns2 + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." + + OBJECT pktcMtaDevTimeServer + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." + + OBJECT pktcMtaDevProvConfigEncryptAlg + SYNTAX PktcMtaDevProvEncryptAlg + DESCRIPTION + "An implementation is only required to support + values of none(0) and des64Cbcmode(1). 
+ An IV of zero is used to encrypt in des64Cbcmode, and + the length of pktcMtaDevProvConfigKey is 64 bits, as + defined in the PacketCable Security specification. + Other encryption types may be defined in future + versions of this MIB module." + + OBJECT pktcMtaDevRealmOrgName + SYNTAX LongUtf8String (SIZE (1..384)) + DESCRIPTION + "The Organization Name field in X.509 certificates + can contain up to 64 UTF-8 encoded characters, + as defined in RFCs 3280 and 4630. Therefore, compliant + devices are only required to support Organization + Name values of up to 64 UTF-8 encoded characters. + Given that RFCs 3280 and 4630 define the UTF-8 encoding, + compliant devices must support a maximum size of 384 + octets for pktcMtaDevRealmOrgName. The calculation of + 384 octets comes from the RFC 3629 UTF-8 encoding + definition whereby the UTF-8 encoded characters + are encoded as sequences of 1 to 6 octets, + assuming that code points as high as 0x7ffffffff + might be used. Subsequent versions of Unicode and ISO + 10646 have limited the upper bound to 0x10ffff. + + + +Nechamkin & Mule Standards Track [Page 47] + +RFC 4682 IPCDN MTA MIB December 2006 + + + Consequently, the current version of UTF-8, defined in + RFC 3629, does not require more than four octets to + encode a valid code point." 
+ + ::= { pktcMtaCompliances 1 } + + pktcMtaGroup OBJECT-GROUP + OBJECTS { + pktcMtaDevResetNow, + pktcMtaDevSerialNumber, + pktcMtaDevSwCurrentVers, + pktcMtaDevFQDN, + pktcMtaDevEndPntCount, + pktcMtaDevEnabled, + pktcMtaDevProvisioningCounter, + pktcMtaDevErrorOid, + pktcMtaDevErrorValue, + pktcMtaDevErrorReason, + pktcMtaDevTypeIdentifier, + pktcMtaDevProvisioningState, + pktcMtaDevHttpAccess, + pktcMtaDevCertificate, + pktcMtaDevCorrelationId, + pktcMtaDevManufacturerCertificate, + pktcMtaDevDhcpServerAddressType, + pktcMtaDevDnsServerAddressType, + pktcMtaDevTimeServerAddressType, + pktcMtaDevProvConfigEncryptAlg, + pktcMtaDevServerDhcp1, + pktcMtaDevServerDhcp2, + pktcMtaDevServerDns1, + pktcMtaDevServerDns2, + pktcMtaDevTimeServer, + pktcMtaDevConfigFile, + pktcMtaDevSnmpEntity, + pktcMtaDevRealmPkinitGracePeriod, + pktcMtaDevRealmTgsGracePeriod, + pktcMtaDevRealmAvailSlot, + pktcMtaDevRealmName, + pktcMtaDevRealmOrgName, + pktcMtaDevRealmUnsolicitedKeyMaxTimeout, + pktcMtaDevRealmUnsolicitedKeyNomTimeout, + pktcMtaDevRealmUnsolicitedKeyMaxRetries, + pktcMtaDevRealmStatus, + pktcMtaDevCmsAvailSlot, + pktcMtaDevCmsFqdn, + pktcMtaDevCmsKerbRealmName, + pktcMtaDevCmsUnsolicitedKeyMaxTimeout, + + + +Nechamkin & Mule Standards Track [Page 48] + +RFC 4682 IPCDN MTA MIB December 2006 + + + pktcMtaDevCmsUnsolicitedKeyNomTimeout, + pktcMtaDevCmsUnsolicitedKeyMaxRetries, + pktcMtaDevCmsSolicitedKeyTimeout, + pktcMtaDevCmsMaxClockSkew, + pktcMtaDevCmsIpsecCtrl, + pktcMtaDevCmsStatus, + pktcMtaDevResetKrbTickets, + pktcMtaDevProvUnsolicitedKeyMaxTimeout, + pktcMtaDevProvUnsolicitedKeyNomTimeout, + pktcMtaDevProvUnsolicitedKeyMaxRetries, + pktcMtaDevProvKerbRealmName, + pktcMtaDevProvSolicitedKeyTimeout, + pktcMtaDevProvConfigHash, + pktcMtaDevProvConfigKey, + pktcMtaDevProvState, + pktcMtaDevProvisioningTimer, + pktcMtaDevTelephonyRootCertificate + } + STATUS current + DESCRIPTION + " A collection of objects for managing PacketCable or + IPCablecom MTA 
implementations." + ::= { pktcMtaGroups 1 } + + pktcMtaNotificationGroup NOTIFICATION-GROUP + NOTIFICATIONS { + pktcMtaDevProvisioningStatus, + pktcMtaDevProvisioningEnrollment + } + STATUS current + DESCRIPTION + " A collection of notifications dealing with the change of + MTA provisioning status." + ::= { pktcMtaGroups 2 } + + pktcMtaBasicSmtaCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + " The compliance statement for S-MTA devices + that implement PacketCable or IPCablecom requirements. + + This compliance statement applies to S-MTA implementations + that support PacketCable or IPCablecom requirements, + which are not IPv6-capable at the time of this + RFC publication." + + MODULE -- Unconditionally Mandatory Groups for S-MTA devices + MANDATORY-GROUPS { + + + +Nechamkin & Mule Standards Track [Page 49] + +RFC 4682 IPCDN MTA MIB December 2006 + + + pktcMtaGroup, + pktcMtaNotificationGroup + } + + OBJECT pktcMtaDevDhcpServerAddressType + SYNTAX InetAddressType { ipv4(1) } + DESCRIPTION + " Support for address types other than 'ipv4(1)' + is not presently specified and therefore is not + required. It may be defined in future versions of + this MIB module." + + OBJECT pktcMtaDevDnsServerAddressType + SYNTAX InetAddressType { ipv4(1) } + DESCRIPTION + " Support for address types other than 'ipv4(1)' + is not presently specified and therefore is not + required. It may be defined in future versions of + this MIB module." + + OBJECT pktcMtaDevTimeServerAddressType + SYNTAX InetAddressType { ipv4(1) } + DESCRIPTION + " Support for address types other than 'ipv4(1)' + is not presently specified and therefore is not + required. It may be defined in future versions of + this MIB module." + + OBJECT pktcMtaDevServerDhcp1 + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." 
+ + OBJECT pktcMtaDevServerDhcp2 + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." + + OBJECT pktcMtaDevServerDns1 + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." + + + +Nechamkin & Mule Standards Track [Page 50] + +RFC 4682 IPCDN MTA MIB December 2006 + + + + OBJECT pktcMtaDevServerDns2 + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." + + OBJECT pktcMtaDevTimeServer + SYNTAX InetAddress (SIZE(4)) + DESCRIPTION + "An implementation is only required to support IPv4 + addresses. Other address types support may be defined in + future versions of this MIB module." + + OBJECT pktcMtaDevProvConfigEncryptAlg + SYNTAX PktcMtaDevProvEncryptAlg + DESCRIPTION + "An implementation is only required to support + values of none(0) and des64Cbcmode(1). + An IV of zero is used to encrypt in des64Cbcmode, and + the length of pktcMtaDevProvConfigKey is 64 bits, as + defined in the PacketCable Security specification. + Other encryption types may be defined in future + versions of this MIB module." + + OBJECT pktcMtaDevRealmOrgName + SYNTAX LongUtf8String (SIZE (1..384)) + DESCRIPTION + "The Organization Name field in X.509 certificates + can contain up to 64 UTF-8 encoded characters, as + defined in RFCs 3280 and 4630. Therefore, compliant + devices are only required to support Organization + Name values of up to 64 UTF-8 encoded characters. + Given that RFCs 3280 and 4630 define the UTF-8 encoding, + compliant devices must support a maximum size of 384 + octets for pktcMtaDevRealmOrgName. 
The calculation of + 384 octets comes from the RFC 3629 UTF-8 encoding + definition whereby the UTF-8 encoded characters + are encoded as sequences of 1 to 6 octets, + assuming that code points as high as 0x7ffffffff + might be used. Subsequent versions of Unicode and ISO + 10646 have limited the upper bound to 0x10ffff. + Consequently, the current version of UTF-8, defined in + RFC 3629 does not require more than four octets to + encode a valid code point." + MODULE DOCS-CABLE-DEVICE-MIB + MANDATORY-GROUPS { + + + +Nechamkin & Mule Standards Track [Page 51] + +RFC 4682 IPCDN MTA MIB December 2006 + + + docsDevSoftwareGroupV2 + } + + MODULE DOCS-IETF-BPI2-MIB + MANDATORY-GROUPS { + docsBpi2CodeDownloadGroup + } + + ::= { pktcMtaCompliances 2 } + + END + +5. Acknowledgements + + The current editors would like to thank the members of the IETF IPCDN + working group and the CableLabs PacketCable Provisioning and OSS + focus team for their comments and suggestions. In particular, we + wish to express our gratitude for the contributions made by the + following individuals (in no particular order): Angela Lyda,Sumanth + Channabasappa, Matt A. Osman, Klaus Hermanns, Paul Duffy, Rick + Vetter, Sasha Medvinsky, Roy Spitzer, Itay Sherman, Satish Kumar and + Eric Rosenfeld. Finally, special thanks to our area director Bert + Wijnen, Rich Woundy, Randy Presuhn, Mike Heard, and Dave Thaler. + +6. Security Considerations + + There are a number of management objects defined in this MIB module + with a MAX-ACCESS clause of read-write and/or read-create. Such + objects may be considered sensitive or vulnerable in some network + environments. The support for SET operations in a non-secure + environment without proper protection can have a negative effect on + network operations. Improper manipulation of the objects defined in + this MIB may result in random behavior of MTA devices and may result + in service disruption. 
These are the tables and objects and their + sensitivity/vulnerability: + + - The following objects, if SET maliciously, would cause the MTA + device to reset and/or stop its service: + + pktcMtaDevResetNow. + pktcMtaDevEnabled. + + - All writable objects in the pktcMtaDevServer group and some in the + pktcMtaDevRealmTable share the potential, if SET maliciously, to + prevent the MTA from provisioning properly. Thus, they are + considered very sensitive for service delivery. The objects in + question are: + + + + +Nechamkin & Mule Standards Track [Page 52] + +RFC 4682 IPCDN MTA MIB December 2006 + + + pktcMtaDevProvisioningTimer, + pktcMtaDevDhcpServerAddressType, + pktcMtaDevDnsServerAddressType, + pktcMtaDevTimeServerAddressType, + pktcMtaDevProvConfigEncryptAlg, + pktcMtaDevServerDns1, + pktcMtaDevServerDns2, + pktcMtaDevTimeServer, + pktcMtaDevConfigFile, + pktcMtaDevProvConfigHash, + pktcMtaDevProvConfigKey, + pktcMtaDevProvSolicitedKeyTimeout, + pktcMtaDevRealmName, + pktcMtaDevRealmOrgName, + pktcMtaDevRealmUnsolicitedKeyMaxTimeout, + pktcMtaDevRealmUnsolicitedKeyNomTimeout, + pktcMtaDevRealmUnsolicitedKeyMaxRetries, and + pktcMtaDevRealmStatus. + + Certain of the above objects have additional specific + vulnerabilities: + + o pktcMtaDevServerDns1 and pktcMtaDevServerDns2, if SET + maliciously, could prevent the MTA from being authenticated and + consequently from getting telephony services. + + o pktcMtaDevRealmStatus, if SET maliciously, could cause the + whole row of the table to be deleted, which may prevent MTA + from getting telephony services. 
+ + - All writable objects in the pktcMtaDevCmsTable table share the + potential, if SET maliciously, to disrupt the telephony service by + altering which Call Management Server the MTA must send signaling + registration to; in particular: + + pktcMtaDevCmsFqdn, + pktcMtaDevCmsKerbRealmName, + pktcMtaDevCmsMaxClockSkew, + pktcMtaDevCmsSolicitedKeyTimeout, + pktcMtaDevCmsUnsolicitedKeyMaxTimeout, + pktcMtaDevCmsUnsolicitedKeyNomTimeout, + pktcMtaDevCmsUnsolicitedKeyMaxRetries (this object, if set to a + zero value '0', may prevent the MTA from retrying its attempt + to establish a Security Association with the CMS), and + pktcMtaDevCmsStatus. + + + + + + +Nechamkin & Mule Standards Track [Page 53] + +RFC 4682 IPCDN MTA MIB December 2006 + + + - Some writable objects in the pktcMtaDevRealmTable table will not + have an immediate effect on service, if SET maliciously. However, + they may impact the service performance and cause avalanche + attacks on provisioning and Kerberos KDC servers, especially after + massive device reboots occur. The objects in question are as + follows: + + pktcMtaDevResetKrbTickets: This object, if set to 'true', will + cause the MTA to request a new Kerberos ticket at reboot. + + pktcMtaDevRealmPkinitGracePeriod, pktcMtaDevRealmTgsGracePeriod: + These 2 objects, if set to short time periods, will cause the MTA + to renew its tickets more frequently. + + Some of the readable objects in this MIB module (i.e., objects with a + MAX-ACCESS other than not-accessible) may be considered sensitive or + vulnerable in some network environments. Some of these objects may + contain information that may be sensitive from a business or customer + perspective. It is thus important to control even GET and/or NOTIFY + access to these objects and possibly to even encrypt the values of + these objects when sending them over the network via SNMP. 
+ + These are the tables and objects and their sensitivity and + vulnerability: + + - Some readable objects in the pktcMtaDevBase, pktcMtaDevServer, and + pktcMtaDevSecurity groups share the potential, if read + maliciously, to facilitate Denial-of-Service (DoS) attacks against + provisioning or Kerberos servers. The object in question are as + follows: + + pktcMtaDevServerDhcp1, pktcMtaDevServerDhcp2, and + pktcMtaDevSnmpEntity. The values of these objects may be used to + launch DoS attacks on the Telephony Service Provider DHCP or + Provisioning servers. + + pktcMtaDevProvKerbRealmName, pktcMtaDevManufacturerCertificate, + pktcMtaDevCertificate and pktcMtaDevTelephonyRootCertificate. The + values of these objects may be used by attackers to launch DoS + attacks against Kerberos servers. + + - One additional readable object may expose some security threats: + pktcMtaDevFQDN. This object may include sensitive information + about the domain name, and potentially, the domain topology. + + SNMP versions prior to SNMPv3 did not include adequate security. + Even if the network itself is secure (for example by using IPSec), + even then, there is no control as to who on the secure network is + + + +Nechamkin & Mule Standards Track [Page 54] + +RFC 4682 IPCDN MTA MIB December 2006 + + + allowed to access and GET/SET (read/change/create/delete) the objects + in this MIB module. + + It is RECOMMENDED that implementers consider the security features as + provided by the SNMPv3 framework (see Section 8 in [RFC3410]), + including full support for the SNMPv3 cryptographic mechanisms (for + authentication and privacy). + + Further, deployment of SNMP versions prior to SNMPv3 is NOT + RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to + enable cryptographic security. 
It is then a customer/operator + responsibility to ensure that the SNMP entity giving access to an + instance of this MIB module is properly configured to give access to + the objects only to those principals (users) that have legitimate + rights to indeed GET or SET (change/create/delete) them. + +7. IANA Considerations + + The MIB module defined in this document uses the following IANA- + assigned OBJECT IDENTIFIER values, recorded in the SMI Numbers + registry: + + Descriptor OBJECT IDENTIFIER value + ---------- ----------------------- + pktcIetfMtaMib { mib-2 140 } + +8. Normative References + + [RFC868] Postel, J. and K. Harrenstien, "Time Protocol", STD + 26, RFC 868, May 1983. + + [RFC1350] Sollins, K., "The TFTP Protocol (Revision 2)", STD + 33, RFC 1350, July 1992. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", + RFC 2131, March 1997. + + [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP + Vendor Extensions", RFC 2132, March 1997. + + [RFC2287] Krupczak, C. and J. Saperia, "Definitions of + System-Level Managed Objects for Applications", RFC + 2287, February 1998. + + + + + +Nechamkin & Mule Standards Track [Page 55] + +RFC 4682 IPCDN MTA MIB December 2006 + + + [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder J., Case, + J. Rose, M. and S. Waldbusser, "Structure of + Management Information Version 2 (SMIv2)", STD 58, + RFC 2578, April 1999. + + [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J. Case, + J. Rose, M. and S. Waldbusser, "Textual Conventions + for SMIv2", STD 58, RFC 2579, April 1999. + + [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder J., Case, + J., Rose, M. and S. Waldbusser, "Conformance + Statements for SMIv2", STD 58, RFC 2580, April 1999. + + [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., + Masinter, L., Leach, P., and T. 
Berners-Lee, + "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, + June 1999. + + [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces + Group MIB", RFC 2863, June 2000. + + [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, + "Internet X.509 Public Key Infrastructure + Certificate and Certificate Revocation List (CRL) + Profile", RFC 3280, April 2002. + + [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An + Architecture for Describing Simple Network + Management Protocol (SNMP) Management Frameworks", + STD 62, RFC 3411, December 2002. + + [RFC3418] Presuhn, R., "Management Information Base (MIB) for + the Simple Network Management Protocol (SNMP)", STD + 62, RFC 3418, December 2002. + + [RFC3495] Beser, B. and P. Duffy, "Dynamic Host Configuration + Protocol (DHCP) Option for CableLabs Client + Configuration", RFC 3495, March 2003. + + [RFC3594] Duffy, P., "PacketCable Security Ticket Control + Sub-Option for the DHCP CableLabs Client + Configuration (CCC) Option", RFC 3594, September + 2003. + + [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. + Schoenwaelder, "Textual Conventions for Internet + Network Addresses", RFC 4001, February 2005. + + + + +Nechamkin & Mule Standards Track [Page 56] + +RFC 4682 IPCDN MTA MIB December 2006 + + + [RFC4131] Green, S., Ozawa, K., Cardona, E., and A. + Katsnelson, "Management Information Base for Data + Over Cable Service Interface Specification (DOCSIS) + Cable Modems and Cable Modem Termination Systems for + Baseline Privacy Plus", RFC 4131, September 2005. + + [RFC4630] Housley, R. and S. Santesson, "Update to + DirectoryString Processing in the Internet X.509 + Public Key Infrastructure Certificate and + Certificate Revocation List (CRL) Profile", RFC + 4630, August 2006. + + [RFC4639] Woundy, R. and K. 
Marez, "Cable Device Management + Information Base for Data-Over-Cable Service + Interface Specification (DOCSIS) Compliant Cable + Modems and Cable Modem Termination Systems", RFC + 4639, December 2006. + + [PKT-SP-PROV] Packetcable MTA Device Provisioning Specification, + Issued, PKT-SP-PROV-I11-050812, August 2005. + http://www.packetcable.com/specifications/ + http://www.cablelabs.com/specifications/archives/ + + [PKT-SP-SEC] PacketCable Security Specification, Issued, PKT-SP- + SEC-I12-050812, August 2005. + http://www.packetcable.com/specifications/ + http://www.cablelabs.com/specifications/archives/ + + [ITU-T-J112] Transmission Systems for Interactive Cable + Television Services, Annex B, J.112, ITU-T, March, + 1998. + + [ITU-T-J168] IPCablecom Multimedia Terminal Adapter (MTA) MIB + requirements, J.168, ITU-T, March, 2001. + +9. Informative References + + [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, + "Introduction and Applicability Statements for + Internet-Standard Management Framework", RFC 3410, + December 2002. + + [RFC3617] Lear, E., "Uniform Resource Identifier (URI) Scheme + and Applicability Statement for the Trivial File + Transfer Protocol (TFTP)", RFC 3617, October 2003. + + + + + + +Nechamkin & Mule Standards Track [Page 57] + +RFC 4682 IPCDN MTA MIB December 2006 + + + [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO + 10646", STD 63, RFC 3629, November 2003. + + [PKT-SP-MIB-MTA] Packetcable MTA MIB Specification, Issued, PKT-SP- + MIB-MTA-I10-050812, August 2005. + http://www.packetcable.com/specifications/ + http://www.cablelabs.com/specifications/archives/ + + [ETSITS101909-8] ETSI TS 101 909-8: "Access and Terminals (AT); + Digital Broadband Cable Access to the Public + Telecommunications Network; IP Multimedia Time + Critical Services; Part 8: Media Terminal Adaptor + (MTA) Management Information Base (MIB)". 
+ + [EN300001] EN 300 001 V1.5.1 (1998-10):"European Standard + (Telecommunications series) Attachments to Public + Switched Telephone Network (PSTN); General technical + requirements for equipment connected to an analogue + subscriber interface in the PSTN". + + [EN300659-1] EN 300 659-1: "Public Switched Telephone Network + (PSTN); Subscriber line protocol over the local loop + for display (and related) services; Part 1: On hook + data transmission". + + [NCSSIGMIB] Beacham G., Kumar S., Channabasappa S., "Network + Control Signaling (NCS) Signaling MIB for + PacketCable and IPCablecom Multimedia Terminal + Adapters (MTAs)", Work in Progress, June 2006. + + + + + + + + + + + + + + + + + + + + + + +Nechamkin & Mule Standards Track [Page 58] + +RFC 4682 IPCDN MTA MIB December 2006 + + +Authors' Addresses + + Eugene Nechamkin + Broadcom Corporation, + 200 - 13711 International Place + Richmond, BC, V6V 2Z8 + CANADA + + Phone: +1 604 233 8500 + EMail: enechamkin@broadcom.com + + + Jean-Francois Mule + Cable Television Laboratories, Inc. + 858 Coal Creek Circle + Louisville, Colorado 80027-9750 + U.S.A. + + Phone: +1 303 661 9100 + EMail: jf.mule@cablelabs.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Nechamkin & Mule Standards Track [Page 59] + +RFC 4682 IPCDN MTA MIB December 2006 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. 
+ + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST, + AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT + THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY + IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR + PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + +Nechamkin & Mule Standards Track [Page 60] + |
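Review bot: the DESCRIPTION clause for pktcMtaDevRealmOrgName in this hunk gives the historical UTF-8 upper bound as "0x7ffffffff" (nine hex digits), which does not match the 31-bit limit (0x7FFFFFFF) the surrounding sentence is reasoning from, so please confirm the imported file is a byte-for-byte copy of the published RFC 4682 text rather than a retyped version; if the published RFC carries the same value, keep it as-is so the repository copy stays canonical, otherwise the transcription should be corrected before merge. The same check applies to the Acknowledgements paragraph ("Angela Lyda,Sumanth" with a missing space) and the trailing "|" at the very end of the added file, which looks like extraction residue rather than part of the RFC.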