Internet-Draft                                            E. Cardona
   draft-ietf-ipcdn-cable-gateway-security-mib-00.txt         K. Luehrs
   Expires: December 2003                                     CableLabs

                                                             S. Higgins
                                                         Ashley-Laurent

                                                               D. Jones
                                                                YAS BBV
                                                              June 2003


            Cable Gateway Security Management Information Base
               for CableHome compliant Residential Gateways


Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
        http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
        http://www.ietf.org/shadow.html

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.


Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a basic set of managed objects for SNMP-
   based security management of CableHome 1.0 compliant residential
   gateway devices.



Cardona, et. al.       Expires - December 2003               [Page 1]


Internet-Draft      CableHome Gateway Security MIB           June 2003

   This memo specifies a MIB module in a manner that is compliant to the
   SNMP SMIv2 [5][6][7].  The set of objects is consistent with the SNMP
   framework and existing SNMP standards.


Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [2].

Table of Contents

   1. The Internet-Standard Management Framework.....................2
   2. Glossary.......................................................3
      2.1 CableHome Residential Gateway..............................3
      2.2 Portal Services............................................3
      2.3 LAN IP Device..............................................3
      2.4 WAN Management (WAN-Man) Address...........................3
      2.5 WAN Data (WAN-Data) Address................................3
      2.6 LAN Translated (LAN-Trans) Address.........................4
      2.7 LAN Passthrough (LAN-Pass) Address.........................4
      2.8 Cable Gateway DHCP Portal (CDP)............................4
      2.9 Denial of Service..........................................4
      2.10 Firewall..................................................4
      2.11 Hash......................................................4
      2.12 Rule Set..................................................4
      2.13 Security Policy...........................................5
   3. Overview.......................................................5
      3.1 Structure of the MIB.......................................5
      3.2 Management Requirements....................................5
   4. MIB Definitions................................................7
   5. Acknowledgements..............................................29
   6. Formal Syntax.................................................29
   7. Security Considerations.......................................29
   8. Normative References..........................................30
   9. Informative References........................................31
   10. Intellectual Property........................................32
   11. Author's Addresses...........................................32
   12. Full Copyright Statement.....................................33


1. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [12].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally


Cardona, et. al.       Expires - December 2003               [Page 2]


Internet-Draft      CableHome Gateway Security MIB           June 2003

   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [7], STD 58, RFC 2579 [8] and STD 58, RFC 2580 [9].


2. Glossary

   The terms in this document are derived either from normal cable
   system usage, from normal residential gateway operation, or from the
   documents associated with the CableHome Specifications [21].

2.1 CableHome Residential Gateway

   A CableHome Residential gateway passes data traffic between the cable
   operator's broadband data network (the Wide Area Network, WAN) and
   the Local Area Network (LAN) in the cable data service subscriber's
   residence or business. In addition to passing traffic between the WAN
   and LAN, the CableHome Residential Gateway provides several services
   including a DHCP client and a DHCP server (RFC2131) [22], a TFTP
   server (RFC1350) [23], management services as enabled by
   SNMPv1/v2c/v3 agent compliant with the RFCs listed in Section 1, and
   security services including stateful packet inspection firewall
   functionality and software code image verification using techniques.

2.2 Portal Services

   A logical element aggregating the set of CableHome-specified
   functionality in a CableHome compliant cable gateway device.


2.3 LAN IP Device

   A LAN IP Device is representative of a typical IP device expected to
   reside on home networks, and is assumed to contain a TCP/IP stack as
   well as a DHCP client.

2.4 WAN Management (WAN-Man) Address

   WAN Management Addresses are intended for network management traffic
   on the cable network between the network management system and the PS
   element. Typically, these addresses will reside in private IP address
   space.

2.5 WAN Data (WAN-Data) Address

   WAN Data Addresses are intended for subscriber application traffic on
   the cable network and beyond, such as traffic between LAN IP Devices



Cardona, et. al.       Expires - December 2003               [Page 3]


Internet-Draft      CableHome Gateway Security MIB           June 2003

   and Internet hosts. Typically, these addresses will reside in public
   IP address space.

2.6 LAN Translated (LAN-Trans) Address

   LAN Translated Addresses are intended for subscriber application and
   management traffic on the home network between LAN IP Devices and the
   PS element. Typically, these addresses will reside in private IP
   address space, and can typically be reused across subscribers.

2.7 LAN Passthrough (LAN-Pass) Address

   LAN Passthrough Addresses are intended for subscriber application
   traffic, such as traffic between LAN IP Devices and Internet hosts,
   on the home network, the cable network, and beyond. Typically, these
   addresses will reside in public IP address space.

2.8 Cable Gateway DHCP Portal (CDP)

   A logical element residing within the PS that encapsulates DHCP
   functionality within a Cable Gateway Device. This includes both DHCP
   client as well as DHCP server capabilities.

2.9 Denial of Service

   A type of attack on a network that is designed to bring the network
   to its knees by flooding it with useless traffic.

2.10 Firewall

   A system designed to prevent unauthorized access to or from a private
   network.  Firewalls are frequently used to prevent unauthorized
   Internet users from accessing private networks connected to the
   Internet.

2.11 Hash

   A hash value (or simply hash) is a number generated from a string of
   text. The hash is substantially smaller than the text itself, and is
   generated by a formula in such a way that it is extremely unlikely
   that some other text will produce the same hash value. Hashes play a
   role in security systems where they're used to ensure that
   transmitted messages have not been tampered with.

2.12 Rule Set

   The rule set is derived from the security policy and defines the
   collection of access control rules (filter and proxy action rules)
   which then determines which packets the firewall forwards and which
   it rejects.


Cardona, et. al.       Expires - December 2003               [Page 4]


Internet-Draft      CableHome Gateway Security MIB           June 2003


2.13 Security Policy

   The security policy defines the desired level of
   security/functionality for a subscriber's firewall.


3. Overview

   This MIB provides a set of security objects required for the
   management of CableHome compliant residential gateway devices.  The
   specification is derived from the CableHome 1.0 specification [21].

3.1 Structure of the MIB

   This MIB is structured into two groups:

  û cabhSecFwObjects is used to manage the firewall functionality.

  û cabhSecCertObjects is used to hold the gateway device certificate,
     which is used to authenticate the gateway.


3.2 Management Requirements

3.1.1.  Firewall Enable

The cabhSecFwPolicyFileEnable object enables or disables firewall rule
set filtering functions.

3.1.2.  Firewall Configuration File Download

   The firewall configuration file download process is documented in
   [21].  From a network management station, the operator:

  û sets cabhSecFwPolicyFileHash to the hash value calculated using the
     firewall configuration file.

  û sets cabhSecFwPolicyFileURL to the name and IP address of the
     firewall configuratrion file using TFTP URL format.  When this
     value changes, it triggers the file download.

   Download status and the version of the firewall configuration file
   can be obtained from the cabhSecFwPolicyFileOperStatus and
   cabhSecFwPolicyCurrentVersion MIB objects.

3.1.3  Firewall Event Management





Cardona, et. al.       Expires - December 2003               [Page 5]


Internet-Draft      CableHome Gateway Security MIB           June 2003

   There are three types of firewall events that can be logged.  The
   following objects allow the operator to enable or disable the logging
   of these events:

  û cabhSecFwEventType1Enable controls the logging of Type 1 event
     messages which indicate attempts from both private and public
     clients to traverse the firewall that violate the security policy.

  û cabhSecFwEventType2Enable controls the logging of Type 2 event
     messages which indicate the detection of Denial-of-Service attacks.

  û cabhSecFwEventType3Enable controls the logging of Type 3 event
     messages which indicate changes in firewall management parameters.

   Event messaging details are documented in [21].

3.1.4  Firewall Attack Alert

   The Firewall Attack Alert MIB objects enable an MSO to be notified
   when a firewall as been attacked a certain number of times within a
   given period.

   The cabhSecFwEventAttackAlertThreshold object is set with the number
   of Type 1 or Type 2 hacker attacks that are allowed within the time
   period attacks exceed this number an event message MUST be logged.

   The cabhSecFwEventAttackAlertPeriod object indicates the period to be
   used (in hours) for the  cabhSecFwEventAttackAlertThreshold. This MIB
   object should always keep track of the last  x hours of event meaning
   that if the variable is set to track events for 10 hours then when
   the 11th hour is reached, the 1st hour of events is deleted from the
   tracking log. A default value is set to zero, meaning zero time, so
   that this MIB variable will not track any events unless configured.

3.1.5  PS Certificate

   The cabhSecCertPsCert provides the ability to read the certificate
   information in a compliant CableHome residential gateway device. The
   PS certicate is used to in the process to authenticate the device.













Cardona, et. al.       Expires - December 2003               [Page 6]


Internet-Draft      CableHome Gateway Security MIB           June 2003



4. MIB Definitions


   CABH-IETF-SEC-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       Unsigned32,
       zeroDotZero,
       OBJECT-TYPE,
       mib-2                      FROM SNMPv2-SMI  -- RFC2578

       DateAndTime,
       TruthValue,
       TimeStamp,
       VariablePointer            FROM SNMPv2-TC  -- RFC2579

       OBJECT-GROUP,
       MODULE-COMPLIANCE          FROM SNMPv2-CONF -- RFC2580
       InetPortNumber,
       InetAddressType,
       InetAddress                FROM INET-ADDRESS-MIB --RFC3291

       SnmpAdminString            FROM SNMP-FRAMEWORK-MIB --RFC2571

       DocsX509ASN1DEREncodedCertificate FROM DOCS-BPI2-MIB
       --TC available in draft-ietf-ipcdn-bpiplus-mib-09.txt or after

       ZeroBasedCounter32         FROM RMON2-MIB

       docsDevFilterIpEntry       FROM DOCS-CABLE-DEVICE-MIB;

   cabhSecMib MODULE-IDENTITY
       LAST-UPDATED    "200306210000Z" -- Jun 21, 2003
       ORGANIZATION    "IETF IPCDN Working Group"
       CONTACT-INFO
               "Kevin Luehrs
               Postal: Cable Television Laboratories, Inc.
               400 Centennial Parkway
               Louisville, Colorado 80027-1266
               U.S.A.
               Phone:  +1 303-661-9100
               Fax:    +1 303-661-9199
               E-mail: k.luehrs@cablelabs.com; mibs@cablelabs.com

               IETF IPCDN Working Group
               General Discussion: ipcdn@ietf.org
               Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn


Cardona, et. al.       Expires - December 2003               [Page 7]


Internet-Draft      CableHome Gateway Security MIB           June 2003

               Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn
               Co-chairs: Richard Woundy,
                          Richard_Woundy@cable.comcast.com
                          Jean-Francois Mule, jf.mule@cablelabs.com"
       DESCRIPTION
               "This MIB module supplies the basic management
               objects for the Security Portal Services.

               Copyright (C) The Internet Society (2003). This version
               of this MIB module is part of RFC xxxx; see the RFC
   itself
               for full legal notices."
       REVISION         "200306210000Z" -- Jun 21, 2003
       DESCRIPTION
               "Initial version, published as RFC xxxx."
               -- RFC editor to assign xxxx
       ::= { mib-2 xx }
       -- xx to be assigned by IANA

   -- Textual Conventions

      cabhSecMibObjects  OBJECT IDENTIFIER ::= { cabhSecMib 1 }
      cabhSecFwObjects   OBJECT IDENTIFIER ::= { cabhSecMibObjects 1 }
      cabhSecFwBase      OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
      cabhSecFwLogCtl    OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }

      cabhSecCertObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 2 }
      cabhSecKerbObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 3 }
      cabhSecKerbBase    OBJECT IDENTIFIER ::= { cabhSecKerbObjects 1 }

      cabhSec2FwObjects  OBJECT IDENTIFIER ::= { cabhSecMibObjects 4 }
      cabhSec2FwBase     OBJECT IDENTIFIER ::= { cabhSec2FwObjects 1 }
      cabhSec2FwEvent    OBJECT IDENTIFIER ::= { cabhSec2FwObjects 2 }
      cabhSec2FwLog      OBJECT IDENTIFIER ::= { cabhSec2FwObjects 3 }
      cabhSec2FwFilter   OBJECT IDENTIFIER ::= { cabhSec2FwObjects 4 }


   --
   --    CableHome 1.0 Base Firewall Functions
   --

   cabhSecFwPolicyFileEnable OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "This parameter indicates whether or not to enable the


Cardona, et. al.       Expires - December 2003               [Page 8]


Internet-Draft      CableHome Gateway Security MIB           June 2003

               firewall functionality."
       DEFVAL {enable}
       ::= { cabhSecFwBase 1 }

   cabhSecFwPolicyFileURL OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "Contains the location of the last successfull downloaded
               policy rule set file in the format pointed in the
               reference. A policy rule set file download is triggered
               when the value used to SET this MIB is different than the
               value in the cabhSecFwPolicySuccessfulFileURL object."
       REFERENCE
               "CableHome 1.0 Specification, CH-SP-I04-030411,
               11.3.5.2 Firewall Rule Set Management Parameters"
       ::= { cabhSecFwBase 2 }

   cabhSecFwPolicyFileHash OBJECT-TYPE
       SYNTAX OCTET STRING (SIZE(0|20))
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
               "Hash of the contents of the rules set file, calculated
               and sent to the PS prior to sending the rules set file.
               For the SHA-1 authentication algorithm the length of the
               hash is 160 bits. This hash value is encoded in binary
               format."
       DEFVAL {''h}
       ::= { cabhSecFwBase 3 }

   cabhSecFwPolicyFileOperStatus OBJECT-TYPE
       SYNTAX     INTEGER    {
                       inProgress(1),
                       complete(2),
                     -- completeFromMgt(3), deprecated
                       failed(4)
                  }
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
               "inProgress(1) indicates a firewall configuration file
               download is underway.
               complete (2) indicates the firewall configuration file
               downloaded and configured successfully.
               completeFromMgt(3) This state is deprecated.
               failed(4) indicates the last attempted firewall
               configuration file download or processing failed
               ordinarily due to TFTP timeout."


Cardona, et. al.       Expires - December 2003               [Page 9]


Internet-Draft      CableHome Gateway Security MIB           June 2003

       ::= { cabhSecFwBase 4 }


   cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The rule set version currently operating in the PS
               device. This object should be in the syntax used by the
               individual vendor to identify software versions.  Any PS
               element MUST return a string descriptive of the current
               rule set file load. If this is not applicable, this
               object MUST contain an empty string."
       ::= { cabhSecFwBase 5 }

   cabhSecFwPolicySuccessfulFileURL OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "Contains the location of the last successfull downloaded
               policy rule set file in the format pointed in the
               reference. If a successful download has not yet occurred,
               this MIB object should report empty string."
       REFERENCE
               "CableHome 1.0 Specification, CH-SP-I04-030411,
               11.3.5.2 Firewall Rule Set Management Parameters"
       ::= { cabhSecFwBase 6 }

   --
   --    CableHome 1.0 Firewall Event MIBs
   --


   cabhSecFwEventType1Enable OBJECT-TYPE
       SYNTAX    INTEGER {
                     enable (1), -- log event
                     disable (2) -- do not log event
                 }
       MAX-ACCESS read-write
       STATUS    current
       DESCRIPTION
               "This object enables or disables logging of type 1
               firewall event messages. Type 1 event messages report
               attempts from both private and public clients to traverse
               the firewall that violate the Security Policy."
       DEFVAL { disable }
       ::= { cabhSecFwLogCtl 1 }



Cardona, et. al.       Expires - December 2003              [Page 10]


Internet-Draft      CableHome Gateway Security MIB           June 2003

   cabhSecFwEventType2Enable OBJECT-TYPE
       SYNTAX    INTEGER {
                    enable (1), -- log event
                    disable (2) -- do not log event
                 }
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
               "This object enables or disables logging of type 2
               firewall event messages. Type 2 event messages report
               identified Denial of Service attack attempts."
       DEFVAL { disable }
       ::= { cabhSecFwLogCtl 2 }

   cabhSecFwEventType3Enable OBJECT-TYPE
       SYNTAX INTEGER {
                 enable (1), -- log event
                 disable (2) -- do not log event
              }
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
               "Enables or disables logging of type 3 firewall event
               messages.
               Type 3 event messages report changes made to the
               following firewall management parameters:
               cabhSecFwPolicyFileURL,
               cabhSecFwPolicyFileCurrentVersion,
               cabhSecFwPolicyFileEnable"
       DEFVAL { disable }
       ::= { cabhSecFwLogCtl 3 }

   cabhSecFwEventAttackAlertThreshold  OBJECT-TYPE
       SYNTAX     INTEGER    (0..65535)
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
               "If the number of type 1 or 2 hacker attacks exceeds
               this threshold in the period define by
               cabhSecFwEventAttackAlertPeriod, a firewall message
               event MUST be logged with priority level 4."
       DEFVAL { 65535 }
       ::= { cabhSecFwLogCtl 4 }


   cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
       SYNTAX    INTEGER (0..65535)
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION


Cardona, et. al.       Expires - December 2003              [Page 11]


Internet-Draft      CableHome Gateway Security MIB           June 2003

               "Indicates the period to be used (in hours) for the
               cabhSecFwEventAttackAlertThreshold. This MIB variable
               should always keep track of the last x hours of events
               meaning that if the variable is set to track events for
               10 hours then when the 11th hour is reached, the 1st hour
               of events is deleted from the tracking log. A default
               value is set to zero, meaning zero time, so that this MIB
               variable will not track any events unless configured."
       DEFVAL { 0 }
       ::= { cabhSecFwLogCtl 5 }


   --
   -- CableHome PS device certificate
   --

       cabhSecCertPsCert OBJECT-TYPE
       SYNTAX         DocsX509ASN1DEREncodedCertificate
       MAX-ACCESS    read-only
       STATUS         current
       DESCRIPTION
               "The X509 DER-encoded PS certificate."
       ::= { cabhSecCertObjects 1 }



   --
   --  CableHome 1.1 Firewall Management MIBs
   --

   cabhSec2FwEnable OBJECT-TYPE
       SYNTAX      INTEGER    {
                      enabled(1),
                      disabled(2)
                    }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "This parameter indicates whether to enable or disable
               the firewall."
       DEFVAL {enabled }
       ::= { cabhSec2FwBase 1 }


   cabhSec2FwPolicyFileURL OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "Contains the location of the last successfull downloaded


Cardona, et. al.       Expires - December 2003              [Page 12]


Internet-Draft      CableHome Gateway Security MIB           June 2003

               policy rule set file in the format pointed in the
               reference. A policy rule set file download is triggered
               when the value used to SET this MIB is different than the
               value in the cabhSec2FwPolicySuccessfulFileURL object."
        REFERENCE
                "CableHome 1.1 Specification, CH-1.1-SP-I01-030418,
                11.6.4.7.1 Firewall Rule Set Management MIB Objects"
       ::= { cabhSec2FwBase 2 }


   cabhSec2FwPolicyFileHash OBJECT-TYPE
       SYNTAX OCTET STRING (SIZE(0|20))
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
               "Hash of the contents of the firewall configuration file.
               For the SHA-1 authentication algorithm the length of the
               hash is 160 bits. This hash value is encoded in binary
               format."
       DEFVAL { ''h}
       ::= { cabhSec2FwBase 3 }


   cabhSec2FwPolicyFileOperStatus OBJECT-TYPE
       SYNTAX      INTEGER {
                       inProgress(1),
                       complete(2),
                       failed(3)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "InProgress(1) indicates a firewall configuration file
               download is underway. Complete(2) indicates the firewall
               configuration file was downloaded and processed
               successfully. Failed(3) indicates that the last attempted
               firewall configuration file download or processing
               failed."
       ::= { cabhSec2FwBase 4 }


   cabhSec2FwPolicyFileCurrentVersion OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "A label set by the cable operator that can be used to
               track various versions of configured rulesets. Once the
               label is set it and configured rules are changed, it may
               not accurately reflect the version of configured rules


Cardona, et. al.       Expires - December 2003              [Page 13]


Internet-Draft      CableHome Gateway Security MIB           June 2003

               running  on the box.
               This object MUST contain the string 'null' if has never
               been configured."
       DEFVAL { "null" }
       ::= { cabhSec2FwBase 5 }


   cabhSec2FwClearPreviousRuleset OBJECT-TYPE
       SYNTAX      INTEGER    {
                      increment(1),
                      complete(2),
                      incrementDefault(3)
                    }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "Allows PS or firewall configuration files to contain
               either a complete firewall configured ruleset or an
               incremental to the already established configured ruleset
               depending up on its existence in the configuration file.
               If the PS receives a configuration file with firewall
               settings which includes a cabhSec2FwClearPreviousRuleset
               object setting marked as increment(1) or if this object
               setting is not included in a configuration file which
               contains filter settings for the firewall, then the PS
               MUST treat the firewall filter settings in the
               configuration file as an increment to the configured
               ruleset. If the PS receives a configuration file with
               firewall settings which includes a
               cabhSec2FwClearPreviousRuleset object setting marked as
               incrementDefault(3) then the PS MUST remove all
               previously configured rules from the configured ruleset,
               including any rules in the filter schedule table and
               increment the newly downloaded rules on top of (i.e.
               subsequent to) the factory default policy.  If the PS
               receives a configuration file with firewall settings
               which includes a cabhSec2FwClearPreviousRuleset object
               setting marked as complete(2), then the PS MUST remove
               all previously configured rules from the configured
               ruleset, including any rules in
               cabhSec2FwFilterScheduleTable table before applying
               the firewall filter settings contained in the
               configuration file.

               If cabhSec2FwClearPreviousRuleset is set to increment(1)
               using SNMP, the PS MUST treat all of the following
               firewall filter settings using SNMP as an increment to
               the configured ruleset.

               If cabhSec2FwClearPreviousRuleset is set to


Cardona, et. al.       Expires - December 2003              [Page 14]


Internet-Draft      CableHome Gateway Security MIB           June 2003

               incrementDefault(3) using SNMP, the PS MUST remove all
               previously configured rules from the configured ruleset,
               including any rules in the filter schedule table and
               treat all of the following firewall filter settings using
               SNMP as an increment on top of the factory default
               policy. If cabhSec2FwClearPreviousRuleset is set to
               complete(2), then the PS MUST remove all rules from the
               configured ruleset, including any rules in the filter
               schedule table. In this scenario the PS will operate
               without any configured rules, (e.g. there will be no
               defined filtering rules, but the firewall will still
               provide the minimum set of capabilities and
               architecture)."
       REFERENCE
               "CableHome 1.1 Specification, CH-1.1-SP-I01-030418,
               11.6.4.4 Firewall Filtering"
       DEFVAL { increment }
       ::= { cabhSec2FwBase 6 }

   cabhSec2FwPolicySelection  OBJECT-TYPE
       SYNTAX      INTEGER {
                      factoryDefault(1),
                      configuredRuleset(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "This parameter indicates which policy should currently
               be running in the firewall, either the factoryDefault
               policy or the configuredRuleset."
       DEFVAL { factoryDefault }
       ::= { cabhSec2FwBase 7 }

   cabhSec2FwEventSetToFactory  OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "If set to 'true', entries in cabhSec2FwEventControlEntry
               are set to their default values. Reading this value
               always returns false."
       DEFVAL { false }
       ::= { cabhSec2FwBase 8 }


   cabhSec2FwEventLastSetToFactory OBJECT-TYPE
       SYNTAX       TimeStamp
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION


Cardona, et. al.       Expires - December 2003              [Page 15]


Internet-Draft      CableHome Gateway Security MIB           June 2003

               "The value of sysUpTime when cabhSec2FwEventSetToFactory
               was last set to true. Zero if never reset."
       ::= { cabhSec2FwBase 9 }


   cabhSec2FwPolicySuccessfulFileURL OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "Contains the location of the last successfull downloaded
               policy rule set file in the format pointed in the
               reference. If a successful download has not yet occurred,
               this MIB object should report empty string."
       REFERENCE
               "CableHome 1.1 Specification, CH-1.1-SP-I01-030418,
               11.6.4.7.1 Firewall Rule Set Management MIB Objects"
       ::= { cabhSec2FwBase 10 }

   --
   -- CableHome 1.1 Firewall Event MIBS
   --


   cabhSec2FwEventControlTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF CabhSec2FwEventControlEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "This table controls the reporting of the Firewall
               Attacks events"
       ::= { cabhSec2FwEvent 1 }


   cabhSec2FwEventControlEntry OBJECT-TYPE
       SYNTAX      CabhSec2FwEventControlEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "Allows configuration of the reporting mechanisms for a
               particular type of attack."
       INDEX { cabhSec2FwEventType }
       ::= { cabhSec2FwEventControlTable 1 }

   CabhSec2FwEventControlEntry ::= SEQUENCE {
       cabhSec2FwEventType        INTEGER,
       cabhSec2FwEventEnable      INTEGER,
       cabhSec2FwEventThreshold   Unsigned32,
       cabhSec2FwEventInterval    Unsigned32,
       cabhSec2FwEventCount       ZeroBasedCounter32,


Cardona, et. al.       Expires - December 2003              [Page 16]


Internet-Draft      CableHome Gateway Security MIB           June 2003

       cabhSec2FwEventLogReset    TruthValue,
       cabhSec2FwEventLogLastReset TimeStamp

       }

   cabhSec2FwEventType OBJECT-TYPE
       SYNTAX INTEGER     {
                 type1(1),
                 type2(2),
                 type3(3),
                 type4(4),
                 type5(5),
                 type6(6)
              }
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Classification of the different types of attacks.
           Type 1 logs all attempts from both LAN and WAN clients to
           traverse the Firewall that violate the Security Policy.
           Type 2 logs identified Denial of Service attack attempts.
           Type 3 logs all changes made to the cabhSec2FwPolicyFileURL,
           cabhSec2FwPolicyFileCurrentVersion or
           cabhSec2FwPolicyFileEnable objects.
           Type 4 logs all failed attempts to modify
           cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable
           objects. Type 5 logs allowed inbound packets from the WAN.
           Type 6 logs allowed outbound packets from the LAN."
       ::= { cabhSec2FwEventControlEntry 1 }

   cabhSec2FwEventEnable OBJECT-TYPE
       SYNTAX      INTEGER    {
                      enabled(1),
                      disabled(2)
                    }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
               "Enables or disables counting and logging of firewall
               events by type as assigned by cabhSec2FwEventType."
       DEFVAL { disabled }
       ::= { cabhSec2FwEventControlEntry 2 }


   cabhSec2FwEventThreshold OBJECT-TYPE
       SYNTAX       Unsigned32 (0..65535)
       MAX-ACCESS   read-write
       STATUS       current
       DESCRIPTION
               "Number of attacks to count before sending the


Cardona, et. al.       Expires - December 2003              [Page 17]


Internet-Draft      CableHome Gateway Security MIB           June 2003

               appropriate event by type as assigned by
               cabhSec2FwEventType."
       DEFVAL { 0 }
       ::= { cabhSec2FwEventControlEntry 3 }


   cabhSec2FwEventInterval OBJECT-TYPE
       SYNTAX       Unsigned32 (0..65535)
       UNITS        "hours"
       MAX-ACCESS   read-write
       STATUS      current
       DESCRIPTION
               "Indicates the time interval in hours to count and log
               occurrences of a firewall event type as assigned in
               cabhSec2FwEventType. If this MIB has a value of zero then
               there is no interval assigned and the PS will not count
               or  log events."
       DEFVAL { 0 }
       ::= { cabhSec2FwEventControlEntry 4 }

   cabhSec2FwEventCount OBJECT-TYPE
       SYNTAX       ZeroBasedCounter32
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
               "Indicates the current count up to the
               cabhSec2FwEventThreshold value by type as assigned by
               cabhSec2FwEventType."
       ::= { cabhSec2FwEventControlEntry 5 }


   cabhSec2FwEventLogReset OBJECT-TYPE
       SYNTAX       TruthValue
       MAX-ACCESS   read-write
       STATUS       current
       DESCRIPTION
               "Setting this object to true clears the log table for the
               specified event type. Reading this object always returns
               false."
       DEFVAL { false }
       ::= { cabhSec2FwEventControlEntry 6 }


   cabhSec2FwEventLogLastReset     OBJECT-TYPE
       SYNTAX       TimeStamp
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
               "The value of sysUpTime when cabhSec2FwEventLogReset was
               last set to true. Zero if never reset."


Cardona, et. al.       Expires - December 2003              [Page 18]


Internet-Draft      CableHome Gateway Security MIB           June 2003

       ::= { cabhSec2FwEventControlEntry 7 }



   --
   -- CableHome 1.1 Firewall Log Tables
   --
   cabhSec2FwLogTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF CabhSec2FwLogEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "Contains a log of packet information as related to
               events enabled by the cable operator. The types are
               defined in the CableHome 1.1 specification and require
               various objects to be included in the log.
               The following is a description for what is expected in
               the log for each type Type 1, Type 2, Type 5 and Type 6
               table MUST include cabhSec2FwEventType,
               cabhSec2FwEventPriority, cabhSec2FwEventId,
               cabhSec2FwLogTime, cabhSec2FwIpProtocol,
               cabhSec2FwIpSourceAddr, cabhSec2FwIpDestAddr,
               cabhSec2FwIpSourcePort, cabhSec2FwIpDestPort,
               cabhSec2Fw, cabhSec2FwReplayCount. The other values not
               used by types 1, 2, 5 and 6 are default values. Type 3
               and Type 4 MUST include cabhSec2FwEventType,
               cabhSec2FwEventPriority,
               cabhSec2FwEventId, cabhSec2FwLogTime,
               cabhSec2FwIpSourceAddr, cabhSec2FwLogMIBPointer.
               The other values not used by type 3 and 4 are default
               values."
       ::= { cabhSec2FwLog 1 }

   cabhSec2FwLogEntry OBJECT-TYPE
       SYNTAX      CabhSec2FwLogEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Each entry contains the log of firewall events"
       INDEX {cabhSec2FwLogIndex}
       ::= { cabhSec2FwLogTable 1 }

   CabhSec2FwLogEntry ::= SEQUENCE {
       cabhSec2FwLogIndex             Unsigned32,
       cabhSec2FwLogEventType         INTEGER,
       cabhSec2FwLogEventPriority     INTEGER,
       cabhSec2FwLogEventId           Unsigned32,
       cabhSec2FwLogTime              DateAndTime,
       cabhSec2FwLogIpProtocol        Unsigned32,
       cabhSec2FwLogIpAddrType        InetAddressType,


Cardona, et. al.       Expires - December 2003              [Page 19]


Internet-Draft      CableHome Gateway Security MIB           June 2003

       cabhSec2FwLogIpSourceAddr      InetAddress,
       cabhSec2FwLogIpDestAddr        InetAddress,
       cabhSec2FwLogIpSourcePort      InetPortNumber,
       cabhSec2FwLogIpDestPort        InetPortNumber,
       cabhSec2FwLogMessageType       Unsigned32,
       cabhSec2FwLogReplayCount       Unsigned32,
       cabhSec2FwLogMIBPointer        VariablePointer
   }

   cabhSec2FwLogIndex OBJECT-TYPE
       SYNTAX      Unsigned32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
               "A sequence number for the specific events under a
               cabhSec2FwEventType."
       ::= { cabhSec2FwLogEntry 1 }

   cabhSec2FwLogEventType OBJECT-TYPE
       SYNTAX INTEGER     {
                 type1(1),
                 type2(2),
                 type3(3),
                 type4(4),
                 type5(5),
                 type6(6)
               }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "Classification of the different types of attacks.
               Type 1 logs all attempts from both LAN and WAN clients to
               traverse the Firewall that violate the Security Policy.
               Type 2 logs identified Denial of Service attack attempts.
               Type 3 logs all changes made to the
               cabhSec2FwPolicyFileURL,
               cabhSec2FwPolicyFileCurrentVersion or
               cabhSec2FwPolicyFileEnable objects.
               Type 4 logs all failed attempts to modify
               cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable
               objects.
               Type 5 logs allowed inbound packets from the WAN.
               Type 6 logs allowed outbound packets from the LAN."
       ::= { cabhSec2FwLogEntry 2 }

   cabhSec2FwLogEventPriority OBJECT-TYPE
       SYNTAX     INTEGER     {
                     emergency(1),
                     alert(2),
                     critical(3),


Cardona, et. al.       Expires - December 2003              [Page 20]


Internet-Draft      CableHome Gateway Security MIB           June 2003

                     error(4),
                     warning(5),
                     notice(6),
                     information(7),
                     debug(8)
                  }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The priority level of this event as defined by CableHome
               Specification. If a priority is not assigned in the
               CableHome specification for a particular event then the
               vendor or cable operator may assign priorities. These are
               ordered from most serious (emergency) to least serious
               (debug)."
       ::= { cabhSec2FwLogEntry 3 }


   cabhSec2FwLogEventId  OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The assigned event ID."
       ::= { cabhSec2FwLogEntry 4 }


   cabhSec2FwLogTime OBJECT-TYPE
       SYNTAX      DateAndTime
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The time that this entry was created by the PS."
       ::= { cabhSec2FwLogEntry 5 }


   cabhSec2FwLogIpProtocol OBJECT-TYPE
       SYNTAX      Unsigned32 (0..256)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The IP Protocol"
       ::= { cabhSec2FwLogEntry 6 }


   cabhSec2FwLogIpAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION


Cardona, et. al.       Expires - December 2003              [Page 21]


Internet-Draft      CableHome Gateway Security MIB           June 2003

               "The type of IP addresses in the packet"
       ::= { cabhSec2FwLogEntry 7 }


   cabhSec2FwLogIpSourceAddr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The Source IP Address of the packet logged.
               The address type of this object is specified by
               cabhSec2FwLogIpAddrType."
       ::= { cabhSec2FwLogEntry 8 }


   cabhSec2FwLogIpDestAddr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The Destination IP Address of the packet logged.
               The address type of this object is specified by
               cabhSec2FwLogIpAddrType."
       ::= { cabhSec2FwLogEntry 9 }


   cabhSec2FwLogIpSourcePort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The Source IP Port of the packet logged"
       ::= { cabhSec2FwLogEntry 10 }


   cabhSec2FwLogIpDestPort OBJECT-TYPE
       SYNTAX      InetPortNumber
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The Source IP Port of the packet logged"
       ::= { cabhSec2FwLogEntry 11 }


   cabhSec2FwLogMessageType OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The ICMP defined types."


Cardona, et. al.       Expires - December 2003              [Page 22]


Internet-Draft      CableHome Gateway Security MIB           June 2003

       ::= { cabhSec2FwLogEntry 12 }


   cabhSec2FwLogReplayCount OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "The number of identical attack packets that were seen by
               the firewall based on cabhSec2FwLogIpProtocol,
               cabhSec2FwLogIpSourceAddr, cabhSec2FwLogIpDestAddr,
               cabhSec2FwLogIpSourcePort, cabhSec2FwLogIpDestPort and
               cabhSec2FwLogMessageType"
       DEFVAL { 0 }
       ::= { cabhSec2FwLogEntry 13 }

   cabhSec2FwLogMIBPointer OBJECT-TYPE
       SYNTAX      VariablePointer
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
               "Identifies if the cabhSec2FwPolicyFileURL or the
               cabhSec2FwEnable MIB object changed or an attempt was
               made to change it."
       DEFVAL { zeroDotZero }
       ::= { cabhSec2FwLogEntry 14 }


   -- ============================================================
   --
   --  CableHome 1.1 PS IP Filter Scheduling Table
   --
   --  The cabhSec2FwFilterScheduleTable contains the firewall
   --  policy identification and links that policy as defined
   --  in RFC 2669 to specific time of day restrictions.
   --
   -- =============================================================


   cabhSec2FwFilterScheduleTable OBJECT-TYPE
       SYNTAX SEQUENCE OF CabhSec2FwFilterScheduleEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
               "Extends the filtering matching parameters of
               docsDevFilterIpTable defined in RFC 2669 for CableHome
               Residential Gateways to include time day intervals and
               days of the week."
       ::= { cabhSec2FwFilter 1 }



Cardona, et. al.       Expires - December 2003              [Page 23]


Internet-Draft      CableHome Gateway Security MIB           June 2003


   cabhSec2FwFilterScheduleEntry OBJECT-TYPE
       SYNTAX CabhSec2FwFilterScheduleEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
               "Extended values for entries of docsDevFilterIpTable.
               If the PS has not acquired ToD the entire
               docsDevFilterIpEntry rule set is ignored."
       AUGMENTS { docsDevFilterIpEntry }
       ::= { cabhSec2FwFilterScheduleTable 1 }


   CabhSec2FwFilterScheduleEntry ::= SEQUENCE {
       cabhSec2FwFilterScheduleStartTime    DateAndTime,
       cabhSec2FwFilterScheduleEndTime      DateAndTime,
       cabhSec2FwFilterScheduleDOW          BITS
       }


   cabhSec2FwFilterScheduleStartTime OBJECT-TYPE
       SYNTAX         DateAndTime
       MAX-ACCESS     read-create
       STATUS        current
       DESCRIPTION
               "The start time, with optional time zone, for a firewall
               filter ruleset. Only the time portion of the DateAndTime
               TEXTUAL-CONVENTION have a meaning."
       ::= { cabhSec2FwFilterScheduleEntry 1 }

   cabhSec2FwFilterScheduleEndTime OBJECT-TYPE
       SYNTAX            DateAndTime
       MAX-ACCESS        read-create
       STATUS            current
       DESCRIPTION
               "The end time, with optional time zone, for a firewall
               filter ruleset. Only the time portion of the DateAndTime
               TEXTUAL-CONVENTION have a meaning."
       ::= { cabhSec2FwFilterScheduleEntry 2 }


   cabhSec2FwFilterScheduleDOW OBJECT-TYPE
       SYNTAX BITS {
                sunday(0),
                monday(1),
                tuesday(2),
                wednesday(3),
                thursday(4),
                friday(5),
                saturday(6)


Cardona, et. al.       Expires - December 2003              [Page 24]


Internet-Draft      CableHome Gateway Security MIB           June 2003

              }
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
               "If the day of week bit associated with the PS given day
               is '1', this object criteria matches."
       ::= { cabhSec2FwFilterScheduleEntry 3 }

   --
   -- Kerberos MIBs
   --


   cabhSecKerbPKINITGracePeriod    OBJECT-TYPE
       SYNTAX                  Unsigned32 (15..600)
       UNITS                   "minutes"
       MAX-ACCESS              read-write
       STATUS                  current
       DESCRIPTION
               "The PKINIT Grace Period is needed by the PS to know when
               it should start retrying to get a new ticket. The PS MUST
               obtain a new Kerberos ticket (with a PKINIT exchange);
               this may be many minutes before the old ticket expires."
       DEFVAL { 30 }
       ::= { cabhSecKerbBase 1}

       cabhSecKerbTGSGracePeriod    OBJECT-TYPE
       SYNTAX            Unsigned32 (1..600)
       UNITS             "minutes"
       MAX-ACCESS        read-write
       STATUS            current
       DESCRIPTION
               "The TGS Grace Period is needed by the PS to know when it
               should start retrying to get a new ticket. The PS MUST
               obtain a new Kerberos ticket (with a TGS Request); this
               may be many minutes before the old ticket expires."
       DEFVAL { 10 }
       ::= { cabhSecKerbBase 2}

   cabhSecKerbUnsolicitedKeyMaxTimeout    OBJECT-TYPE
       SYNTAX            Unsigned32 (15..600)
       UNITS             "seconds"
       MAX-ACCESS        read-write
       STATUS            current
       DESCRIPTION
               "This timeout applies to PS initiated AP-REQ/REP key
               management exchange with NMS. The maximum timeout is the
               value which may not be exceeded in the exponential
               backoff algorithm."
       DEFVAL { 600 }


Cardona, et. al.       Expires - December 2003              [Page 25]


Internet-Draft      CableHome Gateway Security MIB           June 2003

       ::= { cabhSecKerbBase 3}


   cabhSecKerbUnsolicitedKeyMaxRetries    OBJECT-TYPE
       SYNTAX              Unsigned32 (1..32)
       MAX-ACCESS          read-write
       STATUS              current
       DESCRIPTION
               "The number of retries the PS is allowed for AP-REQ/REP
               key management exchange initiation with the NMS. This is
               the maximum number of retries before the PS gives up
               attempting to establish an SNMPv3 security association
               with NMS."
       DEFVAL { 8 }
         ::= { cabhSecKerbBase 4}

   cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 2 }
   cabhSecConformance  OBJECT IDENTIFIER ::= { cabhSecMib 3 }
   cabhSecCompliances  OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
   cabhSecGroups       OBJECT IDENTIFIER ::= { cabhSecConformance 2 }

   --
   --    Notification Group for future extension
   --

   -- compliance statements

       cabhSecCompliance MODULE-COMPLIANCE
       STATUS     current
       DESCRIPTION
               "The compliance statement for CableHome Security."
       MODULE   --cabhSecMib



   -- unconditionally mandatory groups

   MANDATORY-GROUPS {
           cabhSecCertGroup,
           cabhSecKerbGroup
           }


   -- conditional mandatory groups

   GROUP cabhSecGroup
       DESCRIPTION
               "This group is implemented only for CH 1.0 gateways."




Cardona, et. al.       Expires - December 2003              [Page 26]


Internet-Draft      CableHome Gateway Security MIB           June 2003

   GROUP  cabhSec2Group
       DESCRIPTION
               "This group is implemented only for CH 1.1 gateways."

   OBJECT cabhSec2FwLogIpAddrType
          SYNTAX InetAddressType { ipv4(1) }
          DESCRIPTION
              "An implementation is only required to support IPv4
               addresses."

   OBJECT cabhSec2FwLogIpSourceAddr
          SYNTAX  InetAddress (SIZE(4))
          DESCRIPTION
              "An implementation is only required to support IPv4
               addresses."

   OBJECT cabhSec2FwLogIpDestAddr
          SYNTAX  InetAddress (SIZE(4))
          DESCRIPTION
              "An implementation is only required to support IPv4
               addresses."

   ::= { cabhSecCompliances 1}

   cabhSecGroup OBJECT-GROUP
       OBJECTS {
           cabhSecFwPolicyFileEnable,
           cabhSecFwPolicyFileURL,
           cabhSecFwPolicyFileHash,
           cabhSecFwPolicyFileOperStatus,
           cabhSecFwPolicyFileCurrentVersion,
           cabhSecFwPolicySuccessfulFileURL,

           cabhSecFwEventType1Enable,
           cabhSecFwEventType2Enable,
           cabhSecFwEventType3Enable,
           cabhSecFwEventAttackAlertThreshold,
           cabhSecFwEventAttackAlertPeriod
        }
       STATUS    current
       DESCRIPTION
               "Group of objects in CableHome 1.0 Firewall MIB."
       ::= { cabhSecGroups 1 }


   cabhSecCertGroup OBJECT-GROUP
       OBJECTS {
           cabhSecCertPsCert
       }
       STATUS    current


Cardona, et. al.       Expires - December 2003              [Page 27]


Internet-Draft      CableHome Gateway Security MIB           June 2003

       DESCRIPTION
               "Group of objects in CableHome gateway for PS
               Certificate."
       ::= { cabhSecGroups 2 }


   cabhSecKerbGroup OBJECT-GROUP
       OBJECTS {
           cabhSecKerbPKINITGracePeriod,
           cabhSecKerbTGSGracePeriod,
           cabhSecKerbUnsolicitedKeyMaxTimeout,
           cabhSecKerbUnsolicitedKeyMaxRetries
       }
       STATUS    current
       DESCRIPTION
               "Group of objects in CableHome gateway for Kerberos."
       ::= { cabhSecGroups 3 }

   cabhSec2Group OBJECT-GROUP
       OBJECTS {
           cabhSec2FwEnable,
           cabhSec2FwPolicyFileURL,
           cabhSec2FwPolicyFileHash,
           cabhSec2FwPolicyFileOperStatus,
           cabhSec2FwPolicyFileCurrentVersion,
           cabhSec2FwClearPreviousRuleset,
           cabhSec2FwPolicySelection,
           cabhSec2FwEventSetToFactory,
           cabhSec2FwEventLastSetToFactory,
           cabhSec2FwPolicySuccessfulFileURL,
           cabhSec2FwEventEnable,
           cabhSec2FwEventThreshold,
           cabhSec2FwEventInterval,
           cabhSec2FwEventCount,
           cabhSec2FwEventLogReset,
           cabhSec2FwEventLogLastReset,
           cabhSec2FwLogEventType,
           cabhSec2FwLogEventPriority,
           cabhSec2FwLogEventId,
           cabhSec2FwLogTime,
           cabhSec2FwLogIpProtocol,
           cabhSec2FwLogIpAddrType,
           cabhSec2FwLogIpSourceAddr,
           cabhSec2FwLogIpDestAddr,
           cabhSec2FwLogIpSourcePort,
           cabhSec2FwLogIpDestPort,
           cabhSec2FwLogMessageType,
           cabhSec2FwLogReplayCount,
           cabhSec2FwLogMIBPointer,
           cabhSec2FwFilterScheduleStartTime,


Cardona, et. al.       Expires - December 2003              [Page 28]


Internet-Draft      CableHome Gateway Security MIB           June 2003

           cabhSec2FwFilterScheduleEndTime,
           cabhSec2FwFilterScheduleDOW
           }
       STATUS    current
       DESCRIPTION
               "Group of objects in CableHome 1.1 Firewall MIB."
       ::= { cabhSecGroups 4 }

   END



5. Acknowledgements

   Nancy Davoust û YAS Broadband Ventures
   Jim Hinsey û Broadcom
   John Bevilacqua û YAS Broadband Ventures

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

6. Formal Syntax


   The following syntax specification uses the augmented Backus-Naur
   Form (BNF) as described in RFC-2234 [3].


7. Security Considerations

   There are a number of management objects defined in this MIB that
   have a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.

   It is thus important to control even GET access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP.  Not all versions of SNMP provide
   features for such a secure environment.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),


Cardona, et. al.       Expires - December 2003              [Page 29]


Internet-Draft      CableHome Gateway Security MIB           June 2003

   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module, is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.



8. Normative References

   1  Bradner, S., "The Internet Standards Process -- Revision 3", BCP
      9, RFC 2026, October 1996.

   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement
      Levels", BCP 14, RFC 2119, March 1997

   3  Crocker, D. and Overell, P.(Editors), "Augmented BNF for Syntax
      Specifications: ABNF", RFC 2234, Internet Mail Consortium and
      Demon Internet Ltd., November 1997

   4  Rose, M. and K. McCloghrie, "Structure and Identification of
      Management Information for TCP/IP-based Internets", STD 16, RFC
      1155, May 1990.

   5  Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC
      1212, March 1991.

   6  Rose, M., "A Convention for Defining Traps for use with the SNMP",
      RFC 1215, March 1991.

   7  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Structure of
      Management Information for Version 2 (SMIv2)", STD 58, RFC 2578,
      April 1999.

   8  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Textual
      Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   9 McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance
      Statements for SMIv2", STD 58, RFC 2580, April 1999.

   10 Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple Network
      Management Protocol", STD 15, RFC 1157, May 1990.





Cardona, et. al.       Expires - December 2003              [Page 30]


Internet-Draft      CableHome Gateway Security MIB           June 2003


   11 Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
      "Introduction to Community-based SNMPv2", RFC 1901, January 1996.

   12 Case, J., Mundy, R., Partain, D, and B. Stewart, "Introduction and
      Applicability Statements for Internet Standard Management
      Framework", RFC 3410, December 2002.

   13 Harrington D., Presuhn R. and B. Wijnen, "An Architecture for
      Describing Simple Network Management Protocol (SNMP) Management
      Frameworks", RFC 3411, December 2002.

   14 Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message
      Processing and Dispatching for the Simple Network Management
      Protocol (SNMP)", RFC 3412, December 2002.

   15 Levi, D., Meyer, P., and B. Stewart, ôSimple Network Management
      Protocol (SNMP) Applications", RFC 3413, December 2002.

   16 Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for
      version 3 of the Simple Network Management Protocol (SNMPv3)", RFC
      3414, December 2002.

   17 Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
      Control Model (VACM) for the Simple Network Management Protocol
      (SNMP)", RFC 3415, December 2002.

   18 Presuhn, R., Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
      "Version 2 of the Protocol Operations for the Simple Network
      Management Protocol (SNMPv2)", RFC 3416, Decemeber 2002.

   19 Presuhn, R., Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
      "Transport Mappings for the Simple Network Management Protocol
      (SNMPv2)", RFC 3417, December 2002.

   20 Presuhn, R., Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
      "Management Information Base (MIB) for the Simple Network
      Management Protocol (SNMP)", RFC 3418, December 2002.

   21 Cable Television Laboratories, ôCableHome 1.0 Specificationö, CH-
     SP-I02-020920, September 2002,
     http://www.cablelabs.com/projects/cablehome/specifications.


9. Informative References

   22 Drums, R., ôDynamic Host Configuration Protocolö, RFC 2131, March
      1997.




Cardona, et. al.       Expires - December 2003              [Page 31]


Internet-Draft      CableHome Gateway Security MIB           June 2003

   23 Hollins, K., ôThe TFTP Protocol (Revision 2)ö, RFC 1350, July
     1992.

   24 Harrington, R., Presuhn, R., and B. Wijnen, ôAn Architecture for
     Describing SNMP Management Frameworksö, RFC 2571, April 1999.

   25 Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder,
     ôTextual Contentions for Internet Network Addressesö, May 2002.





10. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.






11. Author's Addresses

   Eduardo Cardona
   Cable Television Laboratories
   400 Centennial Parkway
   Louisville, CO  80027
   Phone: +1 303.661.9100
   Email: e.cardona@cablelabs.com




Cardona, et. al.       Expires - December 2003              [Page 32]


Internet-Draft      CableHome Gateway Security MIB           June 2003

   Kevin Luehrs
   Cable Television Laboratories
   400 Centennial Parkway
   Louisville, CO 80027
   Phone: +1 303.661.9100
   Email: k.luehrs@cablelabs.com

   Scott Higgins
   Ashley-Laurent
   Austin, TX
   Phone: +1 512.322.0676 x112
   Email: shiggins@ashleylaurent.com

   Doug Jones
   YAS Broadband Ventures
   300 Brickstone Square
   Andover, MA  01810
   Phone: +1 303.661.3823
   Email: doug@yas.com


12. Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."




Cardona, et. al.       Expires - December 2003              [Page 33]