From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc2669.txt | 3083 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 3083 insertions(+) create mode 100644 doc/rfc/rfc2669.txt (limited to 'doc/rfc/rfc2669.txt') diff --git a/doc/rfc/rfc2669.txt b/doc/rfc/rfc2669.txt new file mode 100644 index 0000000..78817fc --- /dev/null +++ b/doc/rfc/rfc2669.txt @@ -0,0 +1,3083 @@ + + + + + + +Network Working Group M. St. Johns, Ed. +Request for Comments: 2669 @Home Network +Category: Proposed Standard August 1999 + + + DOCSIS Cable Device MIB + Cable Device Management Information Base + for DOCSIS compliant Cable Modems and + Cable Modem Termination Systems + + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (1999). All Rights Reserved. + +Abstract + + This memo defines a portion of the Management Information Base (MIB) + for use with network management protocols in the Internet community. + In particular, it defines a basic set of managed objects for SNMP- + based management of DOCSIS 1.0 compliant Cable Modems and Cable Modem + Termination Systems. + + This memo specifies a MIB module in a manner that is compliant to the + SNMP SMIv2 [5][6][7]. The set of objects is consistent with the SNMP + framework and existing SNMP standards. + + This memo is a product of the IPCDN working group within the Internet + Engineering Task Force. Comments are solicited and should be + addressed to the working group's mailing list at ipcdn@terayon.com + and/or the author. + +Table of Contents + + 1 The SNMP Management Framework ................................... 2 + 2 Glossary ........................................................ 3 + 2.1 CATV .......................................................... 3 + 2.2 CM ............................................................ 3 + 2.3 CMTS .......................................................... 4 + 2.4 DOCSIS ........................................................ 4 + + + +St. Johns Standards [Page 1] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + 2.5 Downstream .................................................... 4 + 2.6 Head-end ...................................................... 4 + 2.7 MAC Packet .................................................... 4 + 2.8 MCNS .......................................................... 4 + 2.9 RF ............................................................ 4 + 2.10 Upstream ..................................................... 4 + 3 Overview ........................................................ 4 + 3.1 Structure of the MIB .......................................... 5 + 3.2 Management requirements ....................................... 6 + 3.2.1 Handling of Software upgrades ............................... 6 + 3.2.2 Events and Traps ............................................ 6 + 3.2.3 Trap Throttling ............................................. 8 + 3.2.3.1 Trap rate throttling ...................................... 8 + 3.2.3.2 Limiting the trap rate .................................... 8 + 3.3 Protocol Filters .............................................. 9 + 3.3.1 Inbound LLC Filters - docsDevFilterLLCTable ................ 10 + 3.3.2 Special Filters ............................................ 10 + 3.3.2.1 IP Spoofing Filters - docsDevCpeTable .................... 10 + 3.3.2.2 SNMP Access Filters - docsDevNmAccessTable ............... 10 + 3.3.3 IP Filtering - docsDevIpFilterTable ........................ 11 + 3.3.4 Outbound LLC Filters ....................................... 13 + 4 Definitions .................................................... 13 + 5 Acknowledgments ................................................ 51 + 6 References ..................................................... 51 + 7 Security Considerations ........................................ 52 + 8 Intellectual Property .......................................... 54 + 9 Author's Address ............................................... 54 + 10 Full Copyright Statement ...................................... 55 + +1. The SNMP Management Framework + + The SNMP Management Framework presently consists of five major + components: + + o An overall architecture, described in RFC 2571 [1]. + + o Mechanisms for describing and naming objects and events for the + purpose of management. The first version of this Structure of + Management Information (SMI) is called SMIv1 and described in STD + 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The + second version, called SMIv2, is described in STD 58, RFC 2578 + [5], STD 58, RFC 2579 [6] and STD 58, RFC 2580 [7]. + + o Message protocols for transferring management information. The + first version of the SNMP message protocol is called SNMPv1 and + described in STD 15, RFC 1157 [8]. A second version of the SNMP + message protocol, which is not an Internet standards track + protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC + + + +St. Johns Standards [Page 2] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + 1906 [10]. The third version of the message protocol is called + SNMPv3 and described in RFC 1906 [10], RFC 2572 [11] and RFC 2574 + [12]. + + o Protocol operations for accessing management information. The + first set of protocol operations and associated PDU formats is + described in STD 15, RFC 1157 [8]. A second set of protocol + operations and associated PDU formats is described in RFC 1905 + [13]. + + o A set of fundamental applications described in RFC 2573 [14] and + the view-based access control mechanism described in RFC 2575 + [15]. + + Managed objects are accessed via a virtual information store, termed + the Management Information Base or MIB. Objects in the MIB are + defined using the mechanisms defined in the SMI. + + This memo specifies a MIB module that is compliant to the SMIv2. A + MIB conforming to the SMIv1 can be produced through the appropriate + translations. The resulting translated MIB must be semantically + equivalent, except where objects or events are omitted because no + translation is possible (use of Counter64). Some machine readable + information in SMIv2 will be converted into textual descriptions in + SMIv1 during the translation process. However, this loss of machine + readable information is not considered to change the semantics of the + MIB. + +2. Glossary + + The terms in this document are derived either from normal cable + system usage, or from the documents associated with the Data Over + Cable Service Interface Specification process. + +2.1. CATV + + Originally "Community Antenna Television", now used to refer to any + cable or hybrid fiber and cable system used to deliver video signals + to a community. + +2.2. CM Cable Modem. + + A CM acts as a "slave" station in a DOCSIS compliant cable data + system. + + + + + + + +St. Johns Standards [Page 3] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +2.3. CMTS Cable Modem Termination System. + + A generic term covering a cable bridge or cable router in a head-end. + A CMTS acts as the master station in a DOCSIS compliant cable data + system. It is the only station that transmits downstream, and it + controls the scheduling of upstream transmissions by its associated + CMs. + +2.4. DOCSIS + + "Data Over Cable Interface Specification". A term referring to the + ITU-T J.112 Annex B standard for cable modem systems [20]. + +2.5. Downstream + + The direction from the head-end towards the subscriber. + +2.6. Head-end + + The origination point in most cable systems of the subscriber video + signals. Generally also the location of the CMTS equipment. + +2.7. MAC Packet + + A DOCSIS PDU. + +2.8. MCNS + + "Multimedia Cable Network System". Generally replaced in usage by + DOCSIS. + +2.9. RF + + Radio Frequency. + +2.10. Upstream + + The direction from the subscriber towards the head-end. + +3. Overview + + This MIB provides a set of objects required for the management of + DOCSIS compliant Cable Modems (CM) and Cable Modem Termination + Systems (CMTS). The specification is derived from the DOCSIS Radio + Frequency Interface specification [16]. Please note that the DOCSIS + 1.0 standard only requires Cable Modems to implement SNMPv1 and to + + + + + +St. Johns Standards [Page 4] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + process IPv4 customer traffic. Design choices in this MIB reflect + those requirements. Future versions of the DOCSIS standard are + expected to require support for SNMPv3 and IPv6 as well. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [19]. + +3.1. Structure of the MIB + + This MIB is structured into seven groups: + + o The docsDevBase group extends the MIB-II 'system' group with + objects needed for cable device system management. + + o The docsDevNmAccessGroup provides a minimum level of SNMP + access security (see Section 3 of [18]). + + o The docsDevSoftware group provides information for network- + downloadable software upgrades. See "Handling of Software + Upgrades" below.. + + o The docsDevServer group provides information about the + progress of the interaction between the CM or CMTS and + various provisioning servers. + + o The docsDevEvent group provides control and logging for event + reporting. + + o The docsDevFilter group configures filters at link layer and + IP layer for bridged data traffic. This group consists of a + link-layer filter table, docsDevFilterLLCTable, which is used + to manage the processing and forwarding of non-IP traffic; an + IP packet classifier table, docsDevFilterIpTable, which is + used to map classes of packets to specific policy actions; a + policy table, docsDevFilterPolicyTable, which maps zero or + more policy actions onto a specific packet classification, + and one or more policy action tables. + + At this time, this MIB specifies only one policy action + table, docsDevFilterTosTable, which allows the manipulation + of the type of services bits in an IP packet based on + matching some criteria. The working group may add additional + policy types and action tables in the future, for example to + allow QOS to modem service identifier assignment based on + destination. + + + + + +St. Johns Standards [Page 5] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + o The docsDevCpe group provides control over which IP addresses + may be used by customer premises equipment (e.g. PCs) + serviced by a given cable modem. This provides anti-spoofing + control at the point of origin for a large cable modem + system. This group is separate from docsDevFilter primarily + as this group is only implemented on the Cable Modem (CM) and + MUST NOT be implemented on the Cable Modem Termination System + (CMTS). + +3.2. Management requirements + +3.2.1. Handling of Software upgrades + + The Cable Modem software upgrade process is documented in [16]. From + a network management station, the operator: + + o sets docsDevSwServer to the address of the TFTP server for + software upgrades + + o sets docsDevSwFilename to the file pathname of the software + upgrade image + + o sets docsDevSwAdminStatus to upgrade-from-mgt + + One reason for the SNMP-initiated upgrade is to allow loading of a + temporary software image (e.g., special diagnostic software) that + differs from the software normally used on that device without + changing the provisioning database. + + Note that software upgrades should not be accepted blindly by the + cable device. The cable device may refuse an upgrade if: + + o The download is incomplete. + + o The file contents are incomplete or damaged. + + o The software is not intended for that hardware device (may + include the case of a feature set that has not been purchased + for this device). + +3.2.2. Events and Traps + + This MIB provides control facilities for reporting events through + syslog, traps, and non-volatile logging. If events are reported + through traps, the specified conventions must be followed. Other + means of event reporting are outside the scope of this document. + + + + + +St. Johns Standards [Page 6] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + The definition and coding of events is vendor-specific. In deference + to the network operator who must troubleshoot multi-vendor networks, + the circumstances and meaning of each event should be reported as + human-readable text. Vendors SHOULD provide time-of-day clocks in + CMs to provide useful timestamping of events. + + For each vendor-specific event that is reportable via TRAP, the + vendor must create an enterprise-specific trap definition. Trap + definitions MUST include the event reason encoded as DisplayString + and should be defined as: + + trapName NOTIFICATION-TYPE + OBJECTS { + ifIndex, + eventReason, + other useful objects + } + STATUS current + DESCRIPTION + "trap description" + ::= Object Id + + Note that ifIndex is only included if the event or trap is interface + related. + + An example (fake) vendor defined trap might be: + + xyzVendorModemDropout NOTIFICATION-TYPE + OBJECTS { + eventReason, + xyzModemHighWatermarkCount + } + STATUS current + DESCRIPTION + "Sent by a CMTS when a configurable number of modems + (xyzModemHysteresis) de-register or become unreachable during + the sampling period (5 minutes). Used to warn a management + station about a catastrophic cable plant outage." + ::= { xyzTraps 23 } + + In this example eventReason is a DisplayString providing a human + readable error message, and xyzModemHighWatermarkCount is a Gauge32 + which indicates the maximum number of modems during the epoch. + + + + + + + + +St. Johns Standards [Page 7] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + The last digit of the trap OID for enterprise-specific traps must + match docsDevEvId. For SNMPv1-capable Network Management systems, + this is necessary to correlate the event type to the trap type. Many + Network Management systems are only capable of trap filtering on an + enterprise and single-last-digit basis. + +3.2.3. Trap Throttling + + The CM and CMTS MUST provide support for trap message throttling as + described below. The network operator can employ message rate + throttling or trap limiting by manipulating the appropriate MIB + variables. + +3.2.3.1. Trap rate throttling + + Network operators may employ either of two rate control methods. In + the first method, the device ceases to send traps when the rate + exceeds the specified maximum message rate. It resumes sending traps + only if reactivated by a network management station request. + + In the second method, the device resumes sending traps when the rate + falls below the specified maximum message rate. + + The network operator configures the specified maximum message rate by + setting the measurement interval (in seconds), and the maximum number + of traps to be transmitted within the measurement interval. The + operator can query the operational throttling state (to determine + whether traps are enabled or blocked by throttling) of the device, as + well as query and set the administrative throttling state (to manage + the rate control method) of the device. + +3.2.3.2. Limiting the trap rate + + Network operators may wish to limit the number of traps sent by a + device over a specified time period. The device ceases to send traps + when the number of traps exceeds the specified threshold. It resumes + sending traps only when the measurement interval has passed. + + The network operator defines the maximum number of traps he is + willing to handle and sets the measurement interval to a large number + (in hundredths of a second). For this case, the administrative + throttling state is set to stop at threshold which is the maximum + number of traps. + + See "Techniques for Managing Asynchronously Generated Alerts" [17] + for further information. + + + + + +St. Johns Standards [Page 8] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +3.3. Protocol Filters + + The Cable Device MIB provides objects for both LLC and IP protocol + filters. The LLC protocol filter entries can be used to limit CM + forwarding to a restricted set of network-layer protocols (such as + IP, IPX, NetBIOS, and Appletalk). + + The IP protocol filter entries can be used to restrict upstream or + downstream traffic based on source and destination IP addresses, + transport-layer protocols (such as TCP, UDP, and ICMP), and source + and destination TCP/UDP port numbers. + + In general, a cable modem applies filters (or more properly, + classifiers) in an order appropriate to the layering model. + Specifically, the inbound MAC (or LLC) layer filters are applied + first, then the "special" filters, then the IP layer inbound filters, + then the IP layer outbound filters, then any final LLC outbound + filters. Since the cable modem does not generally do any IP + processing (other than that specified by the filters) the processing + of the IP in filters and IP out filters can usually be combined into + a single step. + + *************** + * LLC Filters * + *************** + | | | + v | v + ************ | *************** + * IP Spoof * | * SNMP Access * + ************ | *************** + | | | + v v v + **************** + * IP Filter In * + **************** + | + v + ***************** + * IP Filter Out * + ***************** + | + v + *********** + * LLC Out * + *********** + + + + + + +St. Johns Standards [Page 9] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +3.3.1. Inbound LLC Filters - docsDevFilterLLCTable + + The inbound LLC (or MAC or level-2) filters are contained in the + docsDevFilterLLCTable and are applied to level-2 frames entering the + cable modem from either the RF MAC interface or from one of the CPE + (ethernet or other) interfaces. These filters are used to prohibit + the processing and forwarding of certain types of level-2 traffic + that may be disruptive to the network. The filters, as currently + specified, can be set to cause the modem to either drop frames which + match at least one filter, or to process a frame which matches at + least filter. Some examples of possible configurations would be to + only permit IP (and ARP) traffic, or to drop NETBUEI traffic. + +3.3.2. Special Filters + + Special filters are applied after the packet is accepted from the MAC + layer by the IP module, but before any other processing is done. + They are filters that apply only to a very specific class of traffic. + +3.3.2.1. IP Spoofing Filters - docsDevCpeTable + + IP spoofing filters are applied to packets entering the modem from + one of the CPE interfaces and are intended to prevent a subscriber + from stealing or mis-using IP addresses that were not assigned to the + subscriber. If the filters are active (enabled), the source address + of the IP packet must match at least one IP address in this table or + it is discarded without further processing. + + The table can be automatically populated where the first N different + IP addresses seen from the CPE side of the cable modem are used to + automatically populate the table. The spoofing filters are specified + in the docsDevCpeTable and the policy for automatically creating + filters in that table is controlled by docsDevCpeEnroll and + docsDevCpeMax as well as the network management agent. + +3.3.2.2. SNMP Access Filters - docsDevNmAccessTable + + The SNMP access filters are applied to SNMP packets entering from any + interface and destined for the cable modem. If the packets enter + from a CPE interface, the SNMP filters are applied after the IP + spoofing filters. The filters only apply to SNMPv1 or SNMPv2c + traffic, and are not consulted for SNMPv3 traffic (and need not be + implemented by a v3 only agent). SNMPv3 access control is specified + in the User Security Model MIB in [12]. + + + + + + + +St. Johns Standards [Page 10] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +3.3.3. IP Filtering - docsDevIpFilterTable + + The IP Filtering table acts as a classifier table. Each row in the + table describes a template against which IP packets are compared. + The template includes source and destination addresses (and their + associated masks), upper level protocol (e.g. TCP, UDP), source and + destination port ranges, TOS and TOS mask. A row also contains + interface and traffic direction match values which have to be + considered in combination. All columns of a particular row must + match the appropriate fields in the packet, and must match the + interface and direction items for the packet to result in a match to + the packet. + + When classifying a packet, the table is scanned beginning with the + lowest number filter. If the agent finds a match, it applies the + group of policies specified. If the matched filter has the continue + bit set, the agent continues the scan possibly matching additional + filters and applying additional policies. This allows the agent to + take one set of actions for the 24.0.16/255.255.255.0 group and one + set of actions for telnet packets to/from 24.0.16.30 and these sets + of actions may not be mutually exclusive. + + Once a packet is matched, one of three actions happen based on the + setting of docsDevFilterIpControl in the row. The packet may be + dropped, in which case no further processing is required. The packet + may be accepted and processing of the packet continues. Lastly, the + packet may have a set of policy actions applied to it. If + docsDevFilterIpContinue is set to true, scanning of the table + continues and additional matches may result. + + When a packet matches, and docsDevFilterIpControl in the filter + matched is set to 'policy', the value of docsDevFilterIpPolicyId is + used as a selector into the docsDevFilterPolicyTable. The first + level of indirection may result in zero or more actions being taken + based on the match. The docsDevFilterPolicyTable is scanned in row + order and all rows where docsDevFilterPolicyId equals + docsDevFilterIpPolicyId have the action specified by + docsDevFilterPolicyValue 'executed'. For example, a value pointing + to an entry in the docsDevFilterTosTable may result in the re-writing + of the TOS bits in the IP packet which was matched. Another + possibility may be to assign an output packet to a specific output + upstream queue. An even more complex action might be to re-write the + TOS value, assign the packet to an upstream service ID, and drop it + into a particular IPSEC tunnel. + + + + + + + +St. Johns Standards [Page 11] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + Example: + + docsDevFilterIpTable + + # Index, SrcIP/Mask, DstIP/Mask,ULP, SrcPts,DstPts,Tos/Mask, + # Int/Dir, Pgroup, [continue] + # drop any netbios traffic + 10, 0/0, 0/0, TCP, any, 137-139, 0/0, any/any, drop + + # traffic to the proxy gets better service - other matches possible + 20, 0/0, proxy/32, TCP, any,any, 0/0, cpe/in, 10, continue + + # Traffic from CPE 1 gets 'Gold' service, other matches possible + 30, cpe1/32, 0/0, any, any,any, 0/0, cpe/in, 20, continue + + # Traffic from CPE2 to work goes, other traffic dropped + 40, cpe2/32, workIPs/24, any, 0/0, cpe/in, accept + 45, cpe2/32, 0/0, any, any,ayn, 0/0, cpe/in, drop + + # Traffic with TOS=4 gets queued on the "silver" queue. + 50, 0/0, 0/0, any, any,any, 4/255, cpe/in, 30 + + # Inbound "server" traffic to low numbered ports gets dropped. + 60, 0/0, 0/0, TCP, any,1-1023, 0/0, cpe/out, drop + 65, 0/0, 0/0, UDP, any,1-1023, 0/0, cpe/out, drop + + docsDevFilterIpPolicyTable + + # + # index, policy group, policy + 10, 10, queueEntry.20 -- special queue for traffic to proxy + + 15, 20, queueEntry.15 -- Gold Service queue + 20, 20, docsDevFilterTosStatus.10 -- Mark this packet with TOS 5 + + 25, 30, queueEntry.10 -- Silver service queue + + This table describes some special processing for packets originating + from either the first or second CPE device which results in their + queuing on to special upstream traffic queues and for the "gold" + service results in having the packets marked with a TOS of 5. The + 10, 20, 60 and 65 entries are generic entries that would generally be + applied to all traffic to this CM. The 30, 40 and 45 entries are + specific to a particular CPE's service assignments. The ordering + here is a bit contrived, but is close to what may actually be + required by the operator to control various classes of customers. + + + + + +St. Johns Standards [Page 12] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +3.3.4. Outbound LLC Filters + + Lastly, any outbound LLC filters are applied to the packet just prior + to it being emitted on the appropriate interface. This MIB does not + specify any outbound LLC filters, but it is anticipated that the QOS + additions to the DOCSIS standard may include some outbound LLC + filtering requirements. If so, those filters would be applied as + described here. + +4. Definitions + +DOCS-CABLE-DEVICE-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, + OBJECT-TYPE, +-- do not import BITS, + IpAddress, + Unsigned32, + Counter32, + Integer32, + zeroDotZero, + mib-2 + FROM SNMPv2-SMI + RowStatus, + RowPointer, + DateAndTime, + TruthValue + FROM SNMPv2-TC + OBJECT-GROUP, + MODULE-COMPLIANCE + FROM SNMPv2-CONF + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB + InterfaceIndexOrZero + FROM IF-MIB; -- RFC2233 + +docsDev MODULE-IDENTITY + LAST-UPDATED "9908190000Z" -- August 19, 1999 + ORGANIZATION "IETF IPCDN Working Group" + CONTACT-INFO + " Michael StJohns + Postal: @Home Network + 425 Broadway + Redwood City, CA 94063 + U.S.A. + Phone: +1 650 569 5368 + E-mail: stjohns@corp.home.net" + + + +St. Johns Standards [Page 13] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + DESCRIPTION + "This is the MIB Module for MCNS-compliant cable modems and + cable-modem termination systems." + REVISION "9908190000Z" + DESCRIPTION + "Initial Version, published as RFC 2669. + Modified by Mike StJohns to add/revise filtering, TOS + support, software version information objects." + ::= { mib-2 69 } + +docsDevMIBObjects OBJECT IDENTIFIER ::= { docsDev 1 } +docsDevBase OBJECT IDENTIFIER ::= { docsDevMIBObjects 1 } + +-- +-- For the following object, there is no concept in the +-- RFI specification corresponding to a backup CMTS. The +-- enumeration is provided here in case someone is able +-- to define such a role or device. +-- + +docsDevRole OBJECT-TYPE + SYNTAX INTEGER { + cm(1), + cmtsActive(2), + cmtsBackup(3) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Defines the current role of this device. cm (1) is + a Cable Modem, cmtsActive(2) is a Cable Modem Termination + System which is controlling the system of cable modems, + and cmtsBackup(3) is a CMTS which is currently connected, + but not controlling the system (not currently used). + + In general, if this device is a 'cm', its role will not + change during operation or between reboots. If the + device is a 'cmts' it may change between cmtsActive and + cmtsBackup and back again during normal operation. NB: + At this time, the DOCSIS standards do not support the + concept of a backup CMTS, cmtsBackup is included for + completeness." + ::= { docsDevBase 1 } + +docsDevDateTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-write + STATUS current + + + +St. Johns Standards [Page 14] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + DESCRIPTION + "The date and time, with optional timezone + information." + ::= { docsDevBase 2 } + +docsDevResetNow OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Setting this object to true(1) causes the device to reset. + Reading this object always returns false(2)." + ::= { docsDevBase 3 } + +docsDevSerialNumber OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The manufacturer's serial number for this device." + ::= { docsDevBase 4 } + +docsDevSTPControl OBJECT-TYPE + SYNTAX INTEGER { + stEnabled(1), + noStFilterBpdu(2), + noStPassBpdu(3) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "This object controls operation of the spanning tree + protocol (as distinguished from transparent bridging). + If set to stEnabled(1) then the spanning tree protocol + is enabled, subject to bridging constraints. If + noStFilterBpdu(2), then spanning tree is not active, + and Bridge PDUs received are discarded. + If noStPassBpdu(3) then spanning tree is not active + and Bridge PDUs are transparently forwarded. Note that + a device need not implement all of these options, + but that noStFilterBpdu(2) is required." + ::= { docsDevBase 5 } + +-- +-- The following table provides one level of security for access +-- to the device by network management stations. +-- Note that access is also constrained by the +-- community strings and any vendor-specific security. + + + +St. Johns Standards [Page 15] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +-- + +docsDevNmAccessTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsDevNmAccessEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table controls access to SNMP objects by network + management stations. If the table is empty, access + to SNMP objects is unrestricted. This table exists only + on SNMPv1 or v2c agents and does not exist on SNMPv3 + agents. See the conformance section for details. + Specifically, for v3 agents, the appropriate MIBs and + security models apply in lieu of this table." + ::= { docsDevMIBObjects 2 } + +docsDevNmAccessEntry OBJECT-TYPE + SYNTAX DocsDevNmAccessEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry describing access to SNMP objects by a + particular network management station. An entry in + this table is not readable unless the management station + has read-write permission (either implicit if the table + is empty, or explicit through an entry in this table. + Entries are ordered by docsDevNmAccessIndex. The first + matching entry (e.g. matching IP address and community + string) is used to derive access." + INDEX { docsDevNmAccessIndex } + ::= { docsDevNmAccessTable 1 } + +DocsDevNmAccessEntry ::= SEQUENCE { + docsDevNmAccessIndex Integer32, + docsDevNmAccessIp IpAddress, + docsDevNmAccessIpMask IpAddress, + docsDevNmAccessCommunity OCTET STRING, + docsDevNmAccessControl INTEGER, + docsDevNmAccessInterfaces OCTET STRING, + docsDevNmAccessStatus RowStatus + } + +docsDevNmAccessIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Index used to order the application of access + + + +St. Johns Standards [Page 16] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + entries." + ::= { docsDevNmAccessEntry 1 } + +docsDevNmAccessIp OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The IP address (or subnet) of the network management + station. The address 255.255.255.255 is defined to mean + any NMS. If traps are enabled for this entry, then the + value must be the address of a specific device." + DEFVAL { 'ffffffff'h } + ::= { docsDevNmAccessEntry 2 } + +docsDevNmAccessIpMask OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The IP subnet mask of the network management stations. + If traps are enabled for this entry, then the value must + be 255.255.255.255." + DEFVAL { 'ffffffff'h } + ::= { docsDevNmAccessEntry 3 } + +docsDevNmAccessCommunity OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The community string to be matched for access by this + entry. If set to a zero length string then any community + string will match. When read, this object SHOULD return + a zero length string." + DEFVAL { "public" } + ::= { docsDevNmAccessEntry 4 } + +docsDevNmAccessControl OBJECT-TYPE + SYNTAX INTEGER { + none(1), + read(2), + readWrite(3), + roWithTraps(4), + rwWithTraps(5), + trapsOnly(6) + } + MAX-ACCESS read-create + + + +St. Johns Standards [Page 17] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + STATUS current + DESCRIPTION + "Specifies the type of access allowed to this NMS. Setting + this object to none(1) causes the table entry to be + destroyed. Read(2) allows access by 'get' and 'get-next' + PDUs. ReadWrite(3) allows access by 'set' as well. + RoWithtraps(4), rwWithTraps(5), and trapsOnly(6) + control distribution of Trap PDUs transmitted by this + device." + DEFVAL { read } + ::= { docsDevNmAccessEntry 5 } + +-- The syntax of the following object was copied from RFC1493, +-- dot1dStaticAllowedToGoTo. + +docsDevNmAccessInterfaces OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the set of interfaces from which requests from + this NMS will be accepted. + Each octet within the value of this object specifies a set + of eight interfaces, with the first octet specifying ports + 1 through 8, the second octet specifying interfaces 9 + through 16, etc. Within each octet, the most significant + bit represents the lowest numbered interface, and the least + significant bit represents the highest numbered interface. + Thus, each interface is represented by a single bit within + the value of this object. If that bit has a value of '1' + then that interface is included in the set. + + Note that entries in this table apply only to link-layer + interfaces (e.g., Ethernet and CATV MAC). Upstream and + downstream channel interfaces must not be specified." +-- DEFVAL is the bitmask corresponding to all interfaces + ::= { docsDevNmAccessEntry 6 } + +docsDevNmAccessStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Controls and reflects the status of rows in this + table. Rows in this table may be created by either the + create-and-go or create-and-wait paradigms. There is no + restriction on changing values in a row of this table while + the row is active." + + + +St. Johns Standards [Page 18] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + ::= { docsDevNmAccessEntry 7 } + +-- +-- Procedures for using the following group are described in section +-- 3.2.1 of the DOCSIS Radio Frequence Interface Specification +-- + +docsDevSoftware OBJECT IDENTIFIER ::= { docsDevMIBObjects 3 } + +docsDevSwServer OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The address of the TFTP server used for software upgrades. + If the TFTP server is unknown, return 0.0.0.0." + ::= { docsDevSoftware 1 } + +docsDevSwFilename OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..64)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The file name of the software image to be loaded into this + device. Unless set via SNMP, this is the file name + specified by the provisioning server that corresponds to + the software version that is desired for this device. + If unknown, the string '(unknown)' is returned." + ::= { docsDevSoftware 2 } + +docsDevSwAdminStatus OBJECT-TYPE + SYNTAX INTEGER { + upgradeFromMgt(1), + allowProvisioningUpgrade(2), + ignoreProvisioningUpgrade(3) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "If set to upgradeFromMgt(1), the device will initiate a + TFTP software image download using docsDevSwFilename. + After successfully receiving an image, the device will + set its state to ignoreProvisioningUpgrade(3) and reboot. + If the download process is interrupted by a reset or + power failure, the device will load the previous image + and, after re-initialization, continue to attempt loading + the image specified in docsDevSwFilename. + + + + +St. Johns Standards [Page 19] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + If set to allowProvisioningUpgrade(2), the device will + use the software version information supplied by the + provisioning server when next rebooting (this does not + cause a reboot). + + When set to ignoreProvisioningUpgrade(3), the device + will disregard software image upgrade information from the + provisioning server. + + Note that reading this object can return upgradeFromMgt(1). + This indicates that a software download is currently in + progress, and that the device will reboot after + successfully receiving an image. + + At initial startup, this object has the default value of + allowProvisioningUpgrade(2)." + ::= { docsDevSoftware 3 } + +docsDevSwOperStatus OBJECT-TYPE + SYNTAX INTEGER { + inProgress(1), + completeFromProvisioning(2), + completeFromMgt(3), + failed(4), + other(5) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "InProgress(1) indicates that a TFTP download is underway, + either as a result of a version mismatch at provisioning + or as a result of a upgradeFromMgt request. + CompleteFromProvisioning(2) indicates that the last + software upgrade was a result of version mismatch at + provisioning. CompleteFromMgt(3) indicates that the last + software upgrade was a result of setting + docsDevSwAdminStatus to upgradeFromMgt. + Failed(4) indicates that the last attempted download + failed, ordinarily due to TFTP timeout." + REFERENCE + "DOCSIS Radio Frequency Interface Specification, Section + 8.2, Downloading Cable Modem Operating Software." + ::= { docsDevSoftware 4 } + +docsDevSwCurrentVers OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + + + +St. Johns Standards [Page 20] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + DESCRIPTION + "The software version currently operating in this device. + This object should be in the syntax used by the individual + vendor to identify software versions. Any CM MUST return a + string descriptive of the current software load. For a + CMTS, this object SHOULD contain either a human readable + representation of the vendor specific designation of the + software for the chassis, or of the software for the + control processor. If neither of these is applicable, + this MUST contain an empty string." + ::= { docsDevSoftware 5 } + + +-- +-- The following group describes server access and parameters used for +-- initial provisioning and bootstrapping. +-- + +docsDevServer OBJECT IDENTIFIER ::= { docsDevMIBObjects 4 } + +docsDevServerBootState OBJECT-TYPE + SYNTAX INTEGER { + operational(1), + disabled(2), + waitingForDhcpOffer(3), + waitingForDhcpResponse(4), + waitingForTimeServer(5), + waitingForTftp(6), + refusedByCmts(7), + forwardingDenied(8), + other(9), + unknown(10) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "If operational(1), the device has completed loading and + processing of configuration parameters and the CMTS has + completed the Registration exchange. + If disabled(2) then the device was administratively + disabled, possibly by being refused network access in the + configuration file. + If waitingForDhcpOffer(3) then a DHCP Discover has been + transmitted and no offer has yet been received. + If waitingForDhcpResponse(4) then a DHCP Request has been + transmitted and no response has yet been received. + If waitingForTimeServer(5) then a Time Request has been + transmitted and no response has yet been received. + + + +St. Johns Standards [Page 21] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + If waitingForTftp(6) then a request to the TFTP parameter + server has been made and no response received. + If refusedByCmts(7) then the Registration Request/Response + exchange with the CMTS failed. + If forwardingDenied(8) then the registration process + completed, but the network access option in the received + configuration file prohibits forwarding. " + REFERENCE + "DOCSIS Radio Frequency Interface Specification, Figure + 7-1, CM Initialization Overview." + ::= { docsDevServer 1 } + +docsDevServerDhcp OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The IP address of the DHCP server that assigned an IP + address to this device. Returns 0.0.0.0 if DHCP was not + used for IP address assignment." + ::= { docsDevServer 2 } + +docsDevServerTime OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The IP address of the Time server (RFC-868). Returns + 0.0.0.0 if the time server IP address is unknown." + ::= { docsDevServer 3 } + +docsDevServerTftp OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The IP address of the TFTP server responsible for + downloading provisioning and configuration parameters + to this device. Returns 0.0.0.0 if the TFTP server + address is unknown." + ::= { docsDevServer 4 } + +docsDevServerConfigFile OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The name of the device configuration file read from the + + + +St. Johns Standards [Page 22] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + TFTP server. Returns an empty string if the configuration + file name is unknown." + ::= { docsDevServer 5 } + +-- +-- Event Reporting +-- + +docsDevEvent OBJECT IDENTIFIER ::= { docsDevMIBObjects 5 } + +docsDevEvControl OBJECT-TYPE + SYNTAX INTEGER { + resetLog(1), + useDefaultReporting(2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Setting this object to resetLog(1) empties the event log. + All data is deleted. Setting it to useDefaultReporting(2) + returns all event priorities to their factory-default + reporting. Reading this object always returns + useDefaultReporting(2)." + ::= { docsDevEvent 1 } + +docsDevEvSyslog OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The IP address of the Syslog server. If 0.0.0.0, syslog + transmission is inhibited." + ::= { docsDevEvent 2 } + +docsDevEvThrottleAdminStatus OBJECT-TYPE + SYNTAX INTEGER { + unconstrained(1), + maintainBelowThreshold(2), + stopAtThreshold(3), + inhibited(4) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Controls the transmission of traps and syslog messages + with respect to the trap pacing threshold. + unconstrained(1) causes traps and syslog messages to be + transmitted without regard to the threshold settings. + + + +St. Johns Standards [Page 23] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + maintainBelowThreshold(2) causes trap transmission and + syslog messages to be suppressed if the number of traps + would otherwise exceed the threshold. + stopAtThreshold(3) causes trap transmission to cease + at the threshold, and not resume until directed to do so. + inhibited(4) causes all trap transmission and syslog + messages to be suppressed. + + A single event is always treated as a single event for + threshold counting. That is, an event causing both a trap + and a syslog message is still treated as a single event. + + Writing to this object resets the thresholding state. + + At initial startup, this object has a default value of + unconstrained(1)." + ::= { docsDevEvent 3 } + +docsDevEvThrottleInhibited OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "If true(1), trap and syslog transmission is currently + inhibited due to thresholds and/or the current setting of + docsDevEvThrottleAdminStatus. In addition, this is set to + true(1) if transmission is inhibited due to no + syslog (docsDevEvSyslog) or trap (docsDevNmAccessEntry) + destinations having been set." + ::= { docsDevEvent 4 } + +docsDevEvThrottleThreshold OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Number of trap/syslog events per docsDevEvThrottleInterval + to be transmitted before throttling. + + A single event is always treated as a single event for + threshold counting. That is, an event causing both a trap + and a syslog message is still treated as a single event. + + At initial startup, this object returns 0." + ::= { docsDevEvent 5 } + +docsDevEvThrottleInterval OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + + + +St. Johns Standards [Page 24] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + UNITS "seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The interval over which the trap threshold applies. + At initial startup, this object has a value of 1." + + ::= { docsDevEvent 6 } + +-- +-- The following table controls the reporting of the various classes of +-- events. +-- + +docsDevEvControlTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsDevEvControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table allows control of the reporting of event classes. + For each event priority, a combination of logging and + reporting mechanisms may be chosen. The mapping of event types + to priorities is vendor-dependent. Vendors may also choose to + allow the user to control that mapping through proprietary + means." + ::= { docsDevEvent 7 } + + +docsDevEvControlEntry OBJECT-TYPE + SYNTAX DocsDevEvControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Allows configuration of the reporting mechanisms for a + particular event priority." + INDEX { docsDevEvPriority } + ::= { docsDevEvControlTable 1 } + +DocsDevEvControlEntry ::= SEQUENCE { + docsDevEvPriority INTEGER, + docsDevEvReporting BITS + } + +docsDevEvPriority OBJECT-TYPE + SYNTAX INTEGER { + emergency(1), + alert(2), + critical(3), + + + +St. Johns Standards [Page 25] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + error(4), + warning(5), + notice(6), + information(7), + debug(8) + } + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The priority level that is controlled by this + entry. These are ordered from most (emergency) to least + (debug) critical. Each event with a CM or CMTS has a + particular priority level associated with it (as defined + by the vendor). During normal operation no event more + critical than notice(6) should be generated. Events between + warning and emergency should be generated at appropriate + levels of problems (e.g. emergency when the box is about to + crash)." + ::= { docsDevEvControlEntry 1 } + +docsDevEvReporting OBJECT-TYPE + SYNTAX BITS { + local(0), + traps(1), + syslog(2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Defines the action to be taken on occurrence of this + event class. Implementations may not necessarily support + all options for all event classes, but at minimum must + allow traps and syslogging to be disabled. If the + local(0) bit is set, then log to the internal log, if the + traps(1) bit is set, then generate a trap, if the + syslog(2) bit is set, then send a syslog message + (assuming the syslog address is set)." + ::= { docsDevEvControlEntry 2 } + +docsDevEventTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsDevEventEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Contains a log of network and device events that may be + of interest in fault isolation and troubleshooting." + ::= { docsDevEvent 8 } + + + + +St. Johns Standards [Page 26] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +docsDevEventEntry OBJECT-TYPE + SYNTAX DocsDevEventEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Describes a network or device event that may be of + interest in fault isolation and troubleshooting. Multiple + sequential identical events are represented by + incrementing docsDevEvCounts and setting + docsDevEvLastTime to the current time rather than creating + multiple rows. + + Entries are created with the first occurrance of an event. + docsDevEvControl can be used to clear the table. + Individual events can not be deleted." + INDEX { docsDevEvIndex } + + ::= { docsDevEventTable 1 } + +DocsDevEventEntry ::= SEQUENCE { + docsDevEvIndex Integer32, + docsDevEvFirstTime DateAndTime, + docsDevEvLastTime DateAndTime, + docsDevEvCounts Counter32, + docsDevEvLevel INTEGER, + docsDevEvId Unsigned32, + docsDevEvText SnmpAdminString + } + +docsDevEvIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Provides relative ordering of the objects in the event + log. This object will always increase except when + (a) the log is reset via docsDevEvControl, + (b) the device reboots and does not implement non-volatile + storage for this log, or (c) it reaches the value 2^31. + The next entry for all the above cases is 1." + ::= { docsDevEventEntry 1 } + +docsDevEvFirstTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The time that this entry was created." + + + +St. Johns Standards [Page 27] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + ::= { docsDevEventEntry 2 } + +docsDevEvLastTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "If multiple events are reported via the same entry, the + time that the last event for this entry occurred, + otherwise this should have the same value as + docsDevEvFirstTime. " + ::= { docsDevEventEntry 3 } + +-- This object was renamed from docsDevEvCount to meet naming +-- requirements for Counter32 +docsDevEvCounts OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of consecutive event instances reported by + this entry. This starts at 1 with the creation of this + row and increments by 1 for each subsequent duplicate + event." + ::= { docsDevEventEntry 4 } + +docsDevEvLevel OBJECT-TYPE + SYNTAX INTEGER { + emergency(1), + alert(2), + critical(3), + error(4), + warning(5), + notice(6), + information(7), + debug(8) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The priority level of this event as defined by the + vendor. These are ordered from most serious (emergency) + to least serious (debug)." + ::= { docsDevEventEntry 5 } + +-- +-- Vendors will provide their own enumerations for the following. +-- The interpretation of the enumeration is unambiguous for a + + + +St. Johns Standards [Page 28] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +-- particular value of the vendor's enterprise number in sysObjectID. +-- + +docsDevEvId OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "For this product, uniquely identifies the type of event + that is reported by this entry." + ::= { docsDevEventEntry 6 } + +docsDevEvText OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Provides a human-readable description of the event, + including all relevant context (interface numbers, + etc.)." + ::= { docsDevEventEntry 7 } + +docsDevFilter OBJECT IDENTIFIER ::= { docsDevMIBObjects 6 } + + +-- +-- Link Level Control Filtering +-- + +-- docsDevFilterLLCDefault renamed to docsDevFilterLLCUnmatchedAction + +docsDevFilterLLCUnmatchedAction OBJECT-TYPE + SYNTAX INTEGER { + discard(1), + accept(2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "LLC (Link Level Control) filters can be defined on an + inclusive or exclusive basis: CMs can be configured to + forward only packets matching a set of layer three + protocols, or to drop packets matching a set of layer + three protocols. Typical use of these filters is to + filter out possibly harmful (given the context of a large + metropolitan LAN) protocols. + + If set to discard(1), any L2 packet which does not match at + + + +St. Johns Standards [Page 29] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + least one filter in the docsDevFilterLLCTable will be + discarded. If set to accept(2), any L2 packet which does not + match at least one filter in the docsDevFilterLLCTable + will be accepted for further processing (e.g., bridging). + At initial system startup, this object returns accept(2)." + ::= { docsDevFilter 1 } + +docsDevFilterLLCTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsDevFilterLLCEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of filters to apply to (bridged) LLC + traffic. The filters in this table are applied to + incoming traffic on the appropriate interface(s) prior + to any further processing (e.g. before handing the packet + off for level 3 processing, or for bridging). The + specific action taken when no filter is matched is + controlled by docsDevFilterLLCUnmatchedAction." + ::= { docsDevFilter 2 } + +docsDevFilterLLCEntry OBJECT-TYPE + SYNTAX DocsDevFilterLLCEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Describes a single filter to apply to (bridged) LLC traffic + received on a specified interface. " + INDEX { docsDevFilterLLCIndex } + ::= { docsDevFilterLLCTable 1 } + +DocsDevFilterLLCEntry ::= SEQUENCE { + docsDevFilterLLCIndex Integer32, + docsDevFilterLLCStatus RowStatus, + docsDevFilterLLCIfIndex InterfaceIndexOrZero, + docsDevFilterLLCProtocolType INTEGER, + docsDevFilterLLCProtocol Integer32, + docsDevFilterLLCMatches Counter32 + } + +docsDevFilterLLCIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Index used for the identification of filters (note that LLC + filter order is irrelevant)." + ::= { docsDevFilterLLCEntry 1 } + + + +St. Johns Standards [Page 30] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +docsDevFilterLLCStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Controls and reflects the status of rows in this + table. There is no restriction on changing any of the + associated columns for this row while this object is set + to active." + + ::= { docsDevFilterLLCEntry 2} + +docsDevFilterLLCIfIndex OBJECT-TYPE + SYNTAX InterfaceIndexOrZero + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The entry interface to which this filter applies. + The value corresponds to ifIndex for either a CATV MAC + or another network interface. If the value is zero, the + filter applies to all interfaces. In Cable Modems, the + default value is the customer side interface. In Cable + Modem Termination Systems, this object has to be + specified to create a row in this table." + ::= { docsDevFilterLLCEntry 3 } + +docsDevFilterLLCProtocolType OBJECT-TYPE + SYNTAX INTEGER { + ethertype(1), + dsap(2) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The format of the value in docsDevFilterLLCProtocol: + either a two-byte Ethernet Ethertype, or a one-byte + 802.2 SAP value. EtherType(1) also applies to SNAP- + encapsulated frames." + DEFVAL { ethertype } + ::= { docsDevFilterLLCEntry 4 } + +docsDevFilterLLCProtocol OBJECT-TYPE + SYNTAX Integer32 (0..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The layer three protocol for which this filter applies. + The protocol value format depends on + + + +St. Johns Standards [Page 31] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + docsDevFilterLLCProtocolType. Note that for SNAP frames, + etherType filtering is performed rather than DSAP=0xAA." + DEFVAL { 0 } + ::= { docsDevFilterLLCEntry 5 } + +docsDevFilterLLCMatches OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Counts the number of times this filter was matched." + ::= { docsDevFilterLLCEntry 6 } + +-- The default behavior for (bridged) packets that do not match IP +-- filters is defined by +-- docsDevFilterIpDefault. + +docsDevFilterIpDefault OBJECT-TYPE + SYNTAX INTEGER { + discard(1), + accept(2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "If set to discard(1), all packets not matching an IP filter + will be discarded. If set to accept(2), all packets not + matching an IP filter will be accepted for further + processing (e.g., bridging). + At initial system startup, this object returns accept(2)." + ::= { docsDevFilter 3 } + +docsDevFilterIpTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsDevFilterIpEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An ordered list of filters or classifiers to apply to + IP traffic. Filter application is ordered by the filter + index, rather than by a best match algorithm (Note that + this implies that the filter table may have gaps in the + index values). Packets which match no filters will have + policy 0 in the docsDevFilterPolicyTable applied to them if + it exists. Otherwise, Packets which match no filters + are discarded or forwarded according to the setting of + docsDevFilterIpDefault. + + Any IP packet can theoretically match multiple rows of + + + +St. Johns Standards [Page 32] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + this table. When considering a packet, the table is + scanned in row index order (e.g. filter 10 is checked + before filter 20). If the packet matches that filter + (which means that it matches ALL criteria for that row), + actions appropriate to docsDevFilterIpControl and + docsDevFilterPolicyId are taken. If the packet was + discarded processing is complete. If + docsDevFilterIpContinue is set to true, the filter + comparison continues with the next row in the table + looking for additional matches. + + If the packet matches no filter in the table, the packet + is accepted or dropped for further processing based on + the setting of docsDevFilterIpDefault. If the packet is + accepted, the actions specified by policy group 0 + (e.g. the rows in docsDevFilterPolicyTable which have a + value of 0 for docsDevFilterPolicyId) are taken if that + policy group exists. + + Logically, this table is consulted twice during the + processing of any IP packet - once upon its acceptance + from the L2 entity, and once upon its transmission to the + L2 entity. In actuality, for cable modems, IP filtering + is generally the only IP processing done for transit + traffic. This means that inbound and outbound filtering + can generally be done at the same time with one pass + through the filter table." + ::= { docsDevFilter 4 } + +docsDevFilterIpEntry OBJECT-TYPE + SYNTAX DocsDevFilterIpEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Describes a filter to apply to IP traffic received on a + specified interface. All identity objects in this table + (e.g. source and destination address/mask, protocol, + source/dest port, TOS/mask, interface and direction) must + match their respective fields in the packet for any given + filter to match. + + To create an entry in this table, docsDevFilterIpIfIndex + must be specified." + INDEX { docsDevFilterIpIndex } + ::= { docsDevFilterIpTable 1 } + +DocsDevFilterIpEntry ::= SEQUENCE { + docsDevFilterIpIndex Integer32, + + + +St. Johns Standards [Page 33] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + docsDevFilterIpStatus RowStatus, + docsDevFilterIpControl INTEGER, + docsDevFilterIpIfIndex InterfaceIndexOrZero, + docsDevFilterIpDirection INTEGER, + docsDevFilterIpBroadcast TruthValue, + docsDevFilterIpSaddr IpAddress, + docsDevFilterIpSmask IpAddress, + docsDevFilterIpDaddr IpAddress, + docsDevFilterIpDmask IpAddress, + docsDevFilterIpProtocol Integer32, + docsDevFilterIpSourcePortLow Integer32, + docsDevFilterIpSourcePortHigh Integer32, + docsDevFilterIpDestPortLow Integer32, + docsDevFilterIpDestPortHigh Integer32, + docsDevFilterIpMatches Counter32, + docsDevFilterIpTos OCTET STRING, + docsDevFilterIpTosMask OCTET STRING, + docsDevFilterIpContinue TruthValue, + docsDevFilterIpPolicyId Integer32 + } + +docsDevFilterIpIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Index used to order the application of filters. + The filter with the lowest index is always applied + first." + ::= { docsDevFilterIpEntry 1 } + +docsDevFilterIpStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Controls and reflects the status of rows in this + table. Specifying only this object (with the appropriate + index) on a CM is sufficient to create a filter row which + matches all inbound packets on the ethernet interface, + and results in the packets being + discarded. docsDevFilterIpIfIndex (at least) must be + specified on a CMTS to create a row. Creation of the + rows may be done via either create-and-wait or + create-and-go, but the filter is not applied until this + object is set to (or changes to) active. There is no + restriction in changing any object in a row while this + object is set to active." + + + +St. Johns Standards [Page 34] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + ::= { docsDevFilterIpEntry 2 } + +docsDevFilterIpControl OBJECT-TYPE + SYNTAX INTEGER { + discard(1), + accept(2), + policy(3) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "If set to discard(1), all packets matching this filter + will be discarded and scanning of the remainder of the + filter list will be aborted. If set to accept(2), all + packets matching this filter will be accepted for further + processing (e.g., bridging). If docsDevFilterIpContinue + is set to true, see if there are other matches, otherwise + done. If set to policy (3), execute the policy entries + matched by docsDevIpFilterPolicyId in + docsDevIpFilterPolicyTable. + + If is docsDevFilterIpContinue is set to true, continue + scanning the table for other matches, otherwise done." + DEFVAL { discard } + ::= { docsDevFilterIpEntry 3 } + +docsDevFilterIpIfIndex OBJECT-TYPE + SYNTAX InterfaceIndexOrZero + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The entry interface to which this filter applies. The + value corresponds to ifIndex for either a CATV MAC or + another network interface. If the value is zero, the + filter applies to all interfaces. Default value in Cable + Modems is the index of the customer-side (e.g. ethernet) + interface. In Cable Modem Termination Systems, this + object MUST be specified to create a row in this table." + ::= { docsDevFilterIpEntry 4 } + +docsDevFilterIpDirection OBJECT-TYPE + SYNTAX INTEGER { + inbound(1), + outbound(2), + both(3) + } + MAX-ACCESS read-create + STATUS current + + + +St. Johns Standards [Page 35] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + DESCRIPTION + "Determines whether the filter is applied to inbound(1) + traffic, outbound(2) traffic, or traffic in both(3) + directions." + DEFVAL { inbound } + ::= { docsDevFilterIpEntry 5 } + +docsDevFilterIpBroadcast OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "If set to true(1), the filter only applies to multicast + and broadcast traffic. If set to false(2), the filter + applies to all traffic." + DEFVAL { false } + ::= { docsDevFilterIpEntry 6 } + +docsDevFilterIpSaddr OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The source IP address, or portion thereof, that is to be + matched for this filter. The source address is first + masked (and'ed) against docsDevFilterIpSmask before being + compared to this value. A value of 0 for this object + and 0 for the mask matches all IP addresses." + DEFVAL { '00000000'h } + ::= { docsDevFilterIpEntry 7 } + +docsDevFilterIpSmask OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "A bit mask that is to be applied to the source address + prior to matching. This mask is not necessarily the same + as a subnet mask, but 1's bits must be leftmost and + contiguous." + DEFVAL { '00000000'h } + ::= { docsDevFilterIpEntry 8 } + +docsDevFilterIpDaddr OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + + + +St. Johns Standards [Page 36] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + "The destination IP address, or portion thereof, that is + to be matched for this filter. The destination address is + first masked (and'ed) against docsDevFilterIpDmask before + being compared to this value. A value of 0 for this + object and 0 for the mask matches all IP addresses." + DEFVAL { '00000000'h } + ::= { docsDevFilterIpEntry 9 } + +docsDevFilterIpDmask OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "A bit mask that is to be applied to the destination + address prior to matching. This mask is not necessarily + the same as a subnet mask, but 1's bits must be leftmost + and contiguous." + DEFVAL { '00000000'h } + ::= { docsDevFilterIpEntry 10 } + +docsDevFilterIpProtocol OBJECT-TYPE + SYNTAX Integer32 (0..256) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The IP protocol value that is to be matched. For example: + icmp is 1, tcp is 6, udp is 17. A value of 256 matches + ANY protocol." + DEFVAL { 256 } + ::= { docsDevFilterIpEntry 11 } + +docsDevFilterIpSourcePortLow OBJECT-TYPE + SYNTAX Integer32 (0..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "If docsDevFilterIpProtocol is udp or tcp, this is the + inclusive lower bound of the transport-layer source port + range that is to be matched, otherwise it is ignored + during matching." + DEFVAL { 0 } + ::= { docsDevFilterIpEntry 12 } + +docsDevFilterIpSourcePortHigh OBJECT-TYPE + SYNTAX Integer32 (0..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + + + +St. Johns Standards [Page 37] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + "If docsDevFilterIpProtocol is udp or tcp, this is the + inclusive upper bound of the transport-layer source port + range that is to be matched, otherwise it is ignored + during matching." + DEFVAL { 65535 } + ::= { docsDevFilterIpEntry 13 } + +docsDevFilterIpDestPortLow OBJECT-TYPE + SYNTAX Integer32 (0..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "If docsDevFilterIpProtocol is udp or tcp, this is the + inclusive lower bound of the transport-layer destination + port range that is to be matched, otherwise it is ignored + during matching." + DEFVAL { 0 } + ::= { docsDevFilterIpEntry 14 } + +docsDevFilterIpDestPortHigh OBJECT-TYPE + SYNTAX Integer32 (0..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "If docsDevFilterIpProtocol is udp or tcp, this is the + inclusive upper bound of the transport-layer destination + port range that is to be matched, otherwise it is ignored + during matching." + DEFVAL { 65535 } + ::= { docsDevFilterIpEntry 15 } + +docsDevFilterIpMatches OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Counts the number of times this filter was matched. + This object is initialized to 0 at boot, or at row + creation, and is reset only upon reboot." + ::= { docsDevFilterIpEntry 16 } + +docsDevFilterIpTos OBJECT-TYPE + SYNTAX OCTET STRING ( SIZE (1)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This is the value to be matched to the packet's + TOS (Type of Service) value (after the TOS value + + + +St. Johns Standards [Page 38] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + is AND'd with docsDevFilterIpTosMask). A value for this + object of 0 and a mask of 0 matches all TOS values." + DEFVAL { '00'h } + ::= { docsDevFilterIpEntry 17 } + +docsDevFilterIpTosMask OBJECT-TYPE + SYNTAX OCTET STRING ( SIZE (1) ) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The mask to be applied to the packet's TOS value before + matching." + DEFVAL { '00'h } + ::= { docsDevFilterIpEntry 18 } + +docsDevFilterIpContinue OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "If this value is set to true, and docsDevFilterIpControl + is anything but discard (1), continue scanning and + applying policies." + DEFVAL { false } + ::= { docsDevFilterIpEntry 19 } + +docsDevFilterIpPolicyId OBJECT-TYPE + SYNTAX Integer32 (0..2147483647) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object points to an entry in docsDevFilterPolicyTable. + If docsDevFilterIpControl is set to policy (3), execute + all matching policies in docsDevFilterPolicyTable. + If no matching policy exists, treat as if + docsDevFilterIpControl were set to accept (1). + If this object is set to the value of 0, there is no + matching policy, and docsDevFilterPolicyTable MUST NOT be + consulted." + DEFVAL { 0 } + ::= { docsDevFilterIpEntry 20 } + +-- +-- + +docsDevFilterPolicyTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsDevFilterPolicyEntry + MAX-ACCESS not-accessible + + + +St. Johns Standards [Page 39] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + STATUS current + DESCRIPTION + "A Table which maps between a policy group ID and a set of + policies to be applied. All rows with the same + docsDevFilterPolicyId are part of the same policy group + and are applied in the order in which they are in this + table. + + docsDevFilterPolicyTable exists to allow multiple policy + actions to be applied to any given classified packet. The + policy actions are applied in index order For example: + + Index ID Type Action + 1 1 TOS 1 + 9 5 TOS 1 + 12 1 IPSEC 3 + + This says that a packet which matches a filter with + policy id 1, first has TOS policy 1 applied (which might + set the TOS bits to enable a higher priority), and next + has the IPSEC policy 3 applied (which may result in the + packet being dumped into a secure VPN to a remote + encryptor). + + Policy ID 0 is reserved for default actions and is + applied only to packets which match no filters in + docsDevIpFilterTable." + ::= { docsDevFilter 5 } + +docsDevFilterPolicyEntry OBJECT-TYPE + SYNTAX DocsDevFilterPolicyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry in the docsDevFilterPolicyTable. Entries are + created by Network Management. To create an entry, + docsDevFilterPolicyId and docsDevFilterPolicyAction + must be specified." + INDEX { docsDevFilterPolicyIndex } + ::= { docsDevFilterPolicyTable 1 } + +DocsDevFilterPolicyEntry ::= SEQUENCE { + docsDevFilterPolicyIndex Integer32, + docsDevFilterPolicyId Integer32, +-- docsDevFilterPolicyType INTEGER, +-- docsDevFilterPolicyAction Integer32, + docsDevFilterPolicyStatus RowStatus, + docsDevFilterPolicyPtr RowPointer + + + +St. Johns Standards [Page 40] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + } + +docsDevFilterPolicyIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Index value for the table." + ::= { docsDevFilterPolicyEntry 1 } + +docsDevFilterPolicyId OBJECT-TYPE + SYNTAX Integer32 (0..2147483647) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Policy ID for this entry. A policy ID can apply to + multiple rows of this table, all relevant policies are + executed. Policy 0 (if populated) is applied to all + packets which do not match any of the filters. N.B. If + docsDevFilterIpPolicyId is set to 0, it DOES NOT match + policy 0 of this table. " + ::= { docsDevFilterPolicyEntry 2 } + +-- docsDevFilterPolicyType ::= { docsDevFilterPolicyEntry 3} Removed +-- docsDevFilterPolicyAction ::= { docsDevFilterPolicyEntry 4 } removed + +docsDevFilterPolicyStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Object used to create an entry in this table." + ::= { docsDevFilterPolicyEntry 5 } + + +docsDevFilterPolicyPtr OBJECT-TYPE + SYNTAX RowPointer + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object points to a row in an applicable filter policy + table. Currently, the only standard policy table is + docsDevFilterTosTable. Per the textual convention, this + object points to the first accessible object in the row. + E.g. to point to a row in docsDevFilterTosTable with an + index of 21, the value of this object would be the object + identifier docsDevTosStatus.21. + + Vendors must adhere to the same convention when adding + + + +St. Johns Standards [Page 41] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + vendor specific policy table extensions. + + The default upon row creation is a null pointer which + results in no policy action being taken." + DEFVAL { zeroDotZero } + ::= { docsDevFilterPolicyEntry 6 } + +-- +-- TOS Policy action table +-- + +docsDevFilterTosTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsDevFilterTosEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Table used to describe Type of Service (TOS) bits + processing. + + This table is an adjunct to the docsDevFilterIpTable, and + the docsDevFilterPolicy table. Entries in the latter + table can point to specific rows in this (and other) + tables and cause specific actions to be taken. This table + permits the manipulation of the value of the Type of + Service bits in the IP header of the matched packet as + follows: + Set the tosBits of the packet to + (tosBits & docsDevFilterTosAndMask) | + docsDevFilterTosOrMask + + This construct allows you to do a clear and set of all + the TOS bits in a flexible manner." + ::= { docsDevFilter 6 } + +docsDevFilterTosEntry OBJECT-TYPE + SYNTAX DocsDevFilterTosEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A TOS policy entry." + INDEX { docsDevFilterTosIndex } + ::= { docsDevFilterTosTable 1 } + +DocsDevFilterTosEntry ::= SEQUENCE { + docsDevFilterTosIndex Integer32, + docsDevFilterTosStatus RowStatus, + docsDevFilterTosAndMask OCTET STRING (SIZE (1)), + docsDevFilterTosOrMask OCTET STRING (SIZE (1)) + + + +St. Johns Standards [Page 42] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + } + +docsDevFilterTosIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The unique index for this row. There are no ordering + requirements for this table and any valid index may be + specified." + ::= { docsDevFilterTosEntry 1 } + +docsDevFilterTosStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object used to create and delete entries in this + table. A row created by specifying just this object + results in a row which specifies no change to the TOS + bits. A row may be created using either the create-and-go + or create-and-wait paradigms. There is no restriction on + the ability to change values in this row while the row is + active." + ::= { docsDevFilterTosEntry 2 } + +docsDevFilterTosAndMask OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (1)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + + "This value is bitwise AND'd with the matched packet's + TOS bits." + DEFVAL { 'ff'h } + ::= { docsDevFilterTosEntry 3 } + +docsDevFilterTosOrMask OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (1)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "After bitwise AND'ing with the above bits, the packet's + TOS bits are bitwise OR'd with these bits." + DEFVAL { '00'h } + ::= { docsDevFilterTosEntry 4 } + + + + + +St. Johns Standards [Page 43] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +-- +-- CPE IP Management and anti spoofing group. Only implemented on +-- Cable Modems. +-- + +docsDevCpe OBJECT IDENTIFIER ::= { docsDevMIBObjects 7} + +docsDevCpeEnroll OBJECT-TYPE + SYNTAX INTEGER { + none(1), + any(2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "This object controls the population of docsDevFilterCpeTable. + If set to none, the filters must be set manually. + If set to any, the CM wiretaps the packets originating + from the ethernet and enrolls up to docsDevCpeIpMax + addresses based on the source IP addresses of those + packets. At initial system startup, default value for this + object is any(2)." + ::= { docsDevCpe 1 } + +docsDevCpeIpMax OBJECT-TYPE + SYNTAX Integer32 (-1..2147483647) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "This object controls the maximum number of CPEs allowed to + connect behind this device. If set to zero, any number of + CPEs may connect up to the maximum permitted for the device. + If set to -1, no filtering is done on CPE source addresses, + and no entries are made in the docsDevFilterCpeTable. If an + attempt is made to set this to a number greater than that + permitted for the device, it is set to that maximum. + At iniitial system startup, default value for this object + is 1." + ::= { docsDevCpe 2 } + +docsDevCpeTable OBJECT-TYPE + SYNTAX SEQUENCE OF DocsDevCpeEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table lists the IP addresses seen (or permitted) as + source addresses in packets originating from the customer + interface on this device. In addition, this table can be + + + +St. Johns Standards [Page 44] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + provisioned with the specific addresses permitted for the + CPEs via the normal row creation mechanisms." + ::= { docsDevCpe 3 } + +docsDevCpeEntry OBJECT-TYPE + SYNTAX DocsDevCpeEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry in the docsDevFilterCpeTable. There is one entry + for each IP CPE seen or provisioned. If docsDevCpeIpMax + is set to -1, this table is ignored, otherwise: Upon receipt + of an IP packet from the customer interface of the CM, the + source IP address is checked against this table. If the + address is in the table, packet processing continues. + If the address is not in the table, but docsDevCpeEnroll + is set to any and the table size is less than + docsDevCpeIpMax, the address is added to the table and + packet processing continues. Otherwise, the packet is + dropped. + + The filtering actions specified by this table occur after + any LLC filtering (docsDevFilterLLCTable), but prior + to any IP filtering (docsDevFilterIpTable, + docsDevNmAccessTable)." + INDEX { docsDevCpeIp } + ::= {docsDevCpeTable 1 } + +DocsDevCpeEntry ::= SEQUENCE { + docsDevCpeIp IpAddress, + docsDevCpeSource INTEGER, + docsDevCpeStatus RowStatus + } + +docsDevCpeIp OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The IP address to which this entry applies." + ::= { docsDevCpeEntry 1 } + +docsDevCpeSource OBJECT-TYPE + SYNTAX INTEGER { + other(1), + manual(2), + learned(3) + } + + + +St. Johns Standards [Page 45] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object describes how this entry was created. If the + value is manual(2), this row was created by a network + management action (either configuration, or SNMP set). + If set to learned(3), then it was found via + looking at the source IP address of a received packet." + ::= { docsDevCpeEntry 2 } + +docsDevCpeStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Standard object to manipulate rows. To create a row in this + table, you only need to specify this object. Management + stations SHOULD use the create-and-go mechanism for + creating rows in this table." + ::= { docsDevCpeEntry 3 } + +-- +-- Placeholder for notifications/traps. +-- +docsDevNotification OBJECT IDENTIFIER ::= { docsDev 2 } + + +-- +-- Conformance definitions +-- +docsDevConformance OBJECT IDENTIFIER ::= { docsDev 3 } +docsDevGroups OBJECT IDENTIFIER ::= { docsDevConformance 1 } +docsDevCompliances OBJECT IDENTIFIER ::= { docsDevConformance 2 } + +docsDevBasicCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for MCNS Cable Modems and + Cable Modem Termination Systems." + +MODULE -- docsDev + +-- conditionally mandatory groups + +GROUP docsDevBaseGroup + DESCRIPTION + "Mandatory in Cable Modems, optional in Cable Modem + Termination Systems." + + + +St. Johns Standards [Page 46] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +GROUP docsDevEventGroup + DESCRIPTION + "Mandatory in Cable Modems, optional in Cable Modem + Termination Systems." + +GROUP docsDevFilterGroup + DESCRIPTION + "Mandatory in Cable Modems, optional in Cable Modem + Termination Systems." + +GROUP docsDevNmAccessGroup + DESCRIPTION + "This group is only implemented in devices which do not + implement SNMPv3 User Security Model. It SHOULD NOT be + implemented by SNMPv3 conformant devices. + + For devices which do not implement SNMPv3 or later, this + group is Mandatory in Cable Modems and is optional + in Cable Modem Termination Systems." + +GROUP docsDevServerGroup + DESCRIPTION + "This group is implemented only in Cable Modems and is + not implemented in Cable Modem Termination Systems." + +GROUP docsDevSoftwareGroup + DESCRIPTION + "This group is Mandatory in Cable Modems and optional in + Cable Modem Termination Systems." + +GROUP docsDevCpeGroup + DESCRIPTION + "This group is Mandatory in Cable Modems, and is + not implemented in Cable Modem Termination Systems. A + similar capability for CMTS devices may be proposed later + after study." + +OBJECT docsDevSTPControl + MIN-ACCESS read-only + DESCRIPTION + "It is compliant to implement this object as read-only. + Devices need only support noStFilterBpdu(2)." + +OBJECT docsDevEvReporting + MIN-ACCESS read-only + DESCRIPTION + "It is compliant to implement this object as read-only. + Devices need only support local(0)." + + + +St. Johns Standards [Page 47] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + ::= { docsDevCompliances 1 } + +docsDevBaseGroup OBJECT-GROUP + OBJECTS { + docsDevRole, + docsDevDateTime, + docsDevResetNow, + docsDevSerialNumber, + docsDevSTPControl + } + STATUS current + DESCRIPTION + "A collection of objects providing device status and + control." + ::= { docsDevGroups 1 } + +docsDevNmAccessGroup OBJECT-GROUP + OBJECTS { + docsDevNmAccessIp, + docsDevNmAccessIpMask, + docsDevNmAccessCommunity, + docsDevNmAccessControl, + docsDevNmAccessInterfaces, + docsDevNmAccessStatus + } + STATUS current + DESCRIPTION + "A collection of objects for controlling access to SNMP + objects." + ::= { docsDevGroups 2 } + +docsDevSoftwareGroup OBJECT-GROUP + OBJECTS { + docsDevSwServer, + docsDevSwFilename, + docsDevSwAdminStatus, + docsDevSwOperStatus, + docsDevSwCurrentVers + } + STATUS current + DESCRIPTION + "A collection of objects for controlling software + downloads." + ::= { docsDevGroups 3 } + +docsDevServerGroup OBJECT-GROUP + OBJECTS { + docsDevServerBootState, + + + +St. Johns Standards [Page 48] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + docsDevServerDhcp, + docsDevServerTime, + docsDevServerTftp, + docsDevServerConfigFile + } + STATUS current + DESCRIPTION + "A collection of objects providing status about server + provisioning." + ::= { docsDevGroups 4 } + +docsDevEventGroup OBJECT-GROUP + OBJECTS { + docsDevEvControl, + docsDevEvSyslog, + docsDevEvThrottleAdminStatus, + docsDevEvThrottleInhibited, + docsDevEvThrottleThreshold, + docsDevEvThrottleInterval, + docsDevEvReporting, + docsDevEvFirstTime, + docsDevEvLastTime, + docsDevEvCounts, + docsDevEvLevel, + docsDevEvId, + docsDevEvText + } + STATUS current + DESCRIPTION + "A collection of objects used to control and monitor + events." + ::= { docsDevGroups 5 } + +docsDevFilterGroup OBJECT-GROUP + OBJECTS { + docsDevFilterLLCUnmatchedAction, + docsDevFilterIpDefault, + docsDevFilterLLCStatus, + docsDevFilterLLCIfIndex, + docsDevFilterLLCProtocolType, + docsDevFilterLLCProtocol, + docsDevFilterLLCMatches, + docsDevFilterIpControl, + docsDevFilterIpIfIndex, + docsDevFilterIpStatus, + docsDevFilterIpDirection, + docsDevFilterIpBroadcast, + docsDevFilterIpSaddr, + + + +St. Johns Standards [Page 49] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + docsDevFilterIpSmask, + docsDevFilterIpDaddr, + docsDevFilterIpDmask, + docsDevFilterIpProtocol, + docsDevFilterIpSourcePortLow, + docsDevFilterIpSourcePortHigh, + docsDevFilterIpDestPortLow, + docsDevFilterIpDestPortHigh, + docsDevFilterIpMatches, + docsDevFilterIpTos, + docsDevFilterIpTosMask, + docsDevFilterIpContinue, + docsDevFilterIpPolicyId, + docsDevFilterPolicyId, + docsDevFilterPolicyStatus, + docsDevFilterPolicyPtr, + docsDevFilterTosStatus, + docsDevFilterTosAndMask, + docsDevFilterTosOrMask + } + STATUS current + DESCRIPTION + "A collection of objects to specify filters at link layer + and IP layer." + ::= { docsDevGroups 6 } + +docsDevCpeGroup OBJECT-GROUP + OBJECTS { + docsDevCpeEnroll, + docsDevCpeIpMax, + docsDevCpeSource, + docsDevCpeStatus + } + STATUS current + DESCRIPTION + "A collection of objects used to control the number + and specific values of IP addresses allowed for + associated Customer Premises Equipment (CPE)." + ::= { docsDevGroups 7 } + +END + + + + + + + + + + +St. Johns Standards [Page 50] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +5. Acknowledgments + + This document was produced by the IPCDN Working Group. It is based + on a document written by Pam Anderson from CableLabs, Wilson Sawyer + from BayNetworks, and Rich Woundy from Continental Cablevision. The + original working group editor, Guenter Roeck of cisco Systems, did + much of the grunt work of putting the document into its current form. + + Special thanks is also due to Azlina Palmer, who helped a lot + reviewing the document. + +6. References + + [1] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for + Describing SNMP Management Frameworks", RFC 2571, April 1999. + + [2] Rose, M. and K. McCloghrie, "Structure and Identification of + Management Information for TCP/IP-based Internets", STD 16, RFC + 1155, May 1990. + + [3] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16, + RFC 1212, March 1991. + + [4] Rose, M., "A Convention for Defining Traps for use with the + SNMP", RFC 1215, March 1991. + + [5] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Structure of + Management Information for Version 2 (SMIv2)", STD 58, RFC 2578, + April 1999. + + [6] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Textual + Conventions for SMIv2", STD 58, RFC 2579, April 1999. + + [7] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance + Statements for SMIv2", STD 58, RFC 2580, April 1999. + + [8] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple + Network Management Protocol", STD 15, RFC 1157, May 1990. + + [9] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, + "Introduction to Community-based SNMPv2", RFC 1901, January + 1996. + + [10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport + Mappings for Version 2 of the Simple Network Management Protocol + (SNMPv2)", RFC 1906, January 1996. + + + + + +St. Johns Standards [Page 51] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + [11] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message + Processing and Dispatching for the Simple Network Management + Protocol (SNMP)", RFC 2572, April 1999. + + [12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) + for version 3 of the Simple Network Management Protocol + (SNMPv3)", RFC 2574, April 1999. + + [13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol + Operations for Version 2 of the Simple Network Management + Protocol (SNMPv2)", RFC 1905, January 1996. + + [14] Levi, D., Meyer, P. and B. Stewart, "SNMP Applications", RFC + 2573, April 1999. + + [15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access + Control Model (VACM) for the Simple Network Management Protocol + (SNMP)", RFC 2575, April 1999. + + [16] "Data-Over-Cable Service Interface Specifications: Cable Modem + Radio Frequency Interface Specification SP-RFI-I04-980724", + DOCSIS, July 1998, + http://www.cablemodem.com/public/pubtechspec/SP-RFI-I04- + 980724.pdf. + + [17] Steinberg, L., "Techniques for Managing Asynchronously Generated + Alerts", RFC 1224, May 1991. + + [18] "Data-Over-Cable Service Interface Specifications: Operations + Support System Interface Specification RF Interface SP-OSSI-RF- + I02-980410", DOCSIS, April 1998, + http://www.cablemodem.com/public/pubtechspec/ossi/sp-ossi.PDF. + + [19] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [20] "Data-Over-Cable Service Interface Specifications: Baseline + Privacy Interface Specification SP-BPI-I01-970922", DOCSIS, + September 1977, + http://www.cablemodem.com/public/pubtechspec/ss/SP-BPI-I01- + 970922.pdf + +7. Security Considerations + + This MIB relates to a system which will provide metropolitan public + internet access. As such, improper manipulation of the objects + represented by this MIB may result in denial of service to a large + number of end-users. In addition, manipulation of the + + + +St. Johns Standards [Page 52] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + docsDevNmAccessTable, docsDevFilterLLCTable, docsDevFilterIpTable and + the elements of the docsDevCpe group may allow an end-user to + increase their service levels, spoof their IP addresses, change the + permitted management stations, or affect other end-users in either a + positive or negative manner. + + There are a number of management objects defined in this MIB that + have a MAX-ACCESS clause of read-write and/or read-create. Such + objects may be considered sensitive or vulnerable in some network + environments. The support for SET operations in a non-secure + environment without proper protection can have a negative effect on + network operations. In addition to those mentioned above: + + o The use of docsDevNmAccessTable to specify management stations + is considered to be only limited protection and does not protect + against attacks which spoof the management station's IP address. + The use of stronger mechanisms such as SNMPv3 security should be + considered where possible. Specifically, SNMPv3 VACM and USM + MUST be used with any v3 agent which implements this MIB. + Administrators may also wish to consider whether even read + access to docsDevNmAccessTable may be undesirable under certain + circumstances. + + o The CM may have its software changed by the actions of the + management system. An improper software load may result in + substantial vulnerabilities and the loss of the ability of the + management system to control the cable modem. + + o The device may be reset by setting docsDevResetNow = true(1). + This causes the device to reload its configuration files as well + as eliminating all previous non-persistent network management + settings. As such, this may provide a vector for attacking the + system. + + o Setting docsDevEvThrottleAdminStatus = unconstrained(1) (which + is also the DEFVAL) may cause flooding of traps, which can + disrupt network service. + + This MIB does not affect confidentiality of services on a cable modem + system. [20] specifies the implementation of the DOCSIS Baseline + privacy mechanism. The working group expects to issue a MIB for the + management of this mechanism at a later time. + + SNMPv1 by itself is not a secure environment. Even if the network + itself is secure (for example by using IPSec), even then, there is no + control as to who on the secure network is allowed to access and + GET/SET (read/change/create/delete) the objects in this MIB. + + + + +St. Johns Standards [Page 53] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + + It is recommended that the implementers consider the security + features as provided by the SNMPv3 framework. Specifically, the use + of the User-based Security Model [12] and the View-based Access + Control Model [15] is recommended. + + It is then a customer/user responsibility to ensure that the SNMP + entity giving access to an instance of this MIB, is properly + configured to give access to the objects only to those principals + (users) that have legitimate rights to indeed GET or SET + (change/create/delete) them. + +8. Intellectual Property + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. Information on the + IETF's procedures with respect to rights in standards-track and + standards-related documentation can be found in BCP-11. Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementors or users of this specification can + be obtained from the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. Please address the information to the IETF Executive + Director. + +9. Author's Address + + Michael StJohns + @Home Network + 425 Broadway + Redwood City, CA 94063 + U.S.A + + Phone: +1 650 569 5368 + EMail: stjohns@corp.home.net + + + + + + + + +St. Johns Standards [Page 54] + +RFC 2669 DOCSIS Cable Device MIB August 1999 + + +10. Full Copyright Statement + + Copyright (C) The Internet Society (1999). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +St. Johns Standards [Page 55] + -- cgit v1.2.3