Internet Draft R. Woundy
IPCDN Working Group American Internet
draft-ietf-ipcdn-mcns-bpi-mib-00.txt Expires: 17 January 1999
Baseline Privacy Interface Management Information Base
for MCNS Compliant Cable Modems and Cable Modem Termination Systems
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as a "work in progress".
To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Abstract
This memo defines an experimental portion of the Management
Information Base (MIB) for use with network management protocols in
the Internet community. In particular, it defines a basic set of
managed objects for SNMP-based management of the Baseline Privacy
Interface for MCNS compliant cable modems and cable modem termination
systems. This MIB is defined as an extension to the MCNS Radio
Frequency Interface MIB [5].
This memo specifies a MIB module in a manner that is compliant to the
SNMPv2 SMI. The set of objects is consistent with the SNMP framework
and existing SNMP standards.
This memo does not specify a standard for the Internet community.
This memo is a product of the IPCDN working group within the Internet
Engineering Task Force. Comments are solicited and should be
addressed to the working group's mailing list at ipcdn@terayon.com
and/or the author.
1. The SNMPv2 Network Management Framework
Expires January 1999 [Page 1]
INTERNET-DRAFT MCNS Baseline Privacy MIB July 1998
The SNMPv2 Network Management Framework presently consists of three
major components. They are:
o the SMI, described in RFC 1902 [1] - the mechanisms used for
describing and naming objects for the purpose of management.
o the MIB-II, STD 17, RFC 1213 [2] - the core set of managed
objects for the Internet suite of protocols.
o the protocol, RFC 1157 [3] and/or RFC 1905 [4] - the protocol
for accessing managed objects.
The Framework permits new objects to be defined for the purpose of
experimentation and evaluation.
2. Object Definitions
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the subset of Abstract Syntax Notation One (ASN.1)
defined in the SMI. In particular, each object type is named by an
OBJECT IDENTIFIER, an administratively assigned name. The object
type together with an object instance serves to uniquely identify a
specific instantiation of the object. For human convenience, we
often use a textual string, termed the descriptor, to refer to the
object type.
3. Overview
This MIB provides a set of objects required for the management of the
Baseline Privacy Interface for MCNS compliant Cable Modems (CMs) and
Cable Modem Termination Systems (CMTSs). This MIB specification is
derived from the MCNS Baseline Privacy Interface specification [7],
which is an extension to the MCNS Radio Frequency Interface
specification [8].
3.1. Structure of the MIB
This MIB consists of one group of CM-only objects (docsBpiCmGroup),
and one group of CMTS-only objects (docsBpiCmtsGroup).
The CM-only objects are organized into two tables:
o The docsBpiCmBaseTable contains objects for managing basic
Baseline Privacy parameters and counters, and for managing the
Authorization finite state machine.
o The docsBpiCmTEKTable contains objects for managing the Traffic
Encryption Key (TEK) finite state machine per SID.
The CMTS-only objects are organized into four groupings:
o The docsBpiCmtsBaseTable contains objects for managing basic
Baseline Privacy parameters and counters.
o The docsBpiCmtsAuthTable contains objects for managing the
Authorization association information per cable modem.
o The docsBpiCmtsTEKTable contains objects for managing the TEK
association information per SID.
o The docsBpiMulticastControl consists of two tables. The
docsBpiIpMulticastMapTable controls the mapping of downstream
IP multicast data traffic to downstream multicast SID values.
The docsBpiMulticastAuthTable controls which CMs are authorized
to receive downstream traffic transmitted over particular
multicast SIDs; a CM will receive TEKs corresponding to the
multicast SIDs for which it is authorized. The combination of
these two tables will limit the distribution of downstream IP
multicast data traffic to authorized CMs.
3.2. Management requirements
The Baseline Privacy Interface specification is documented in [7],
and is an extension to the Radio Frequency Interface specification
documented in [8]. In addition to the explicit requirements in this
specification, the CM and CMTS enabled for Baseline Privacy MUST
support all applicable MCNS and IETF requirements and MIB objects.
Specifications that identify relevant requirements and MIB objects
include the IETF Radio Frequency MIB [5], the IETF Cable Device MIB
[6], and the MCNS OSSI Specification [9].
The explicit management requirements of the Baseline Privacy
Interface, which motivate the development of the MIB in this
document, are detailed below:
o The CM and CMTS MUST support viewing relevant RSA public keys,
for future subscriber authentication applications.
o The Baseline Privacy management interface needs to support
operator configuration of Authorization and TEK Finite State
Machine (FSM) parameters, for performance tuning and security
incident handling. The CMTS MUST support configuring and
viewing all FSM-related parameters, including baseline privacy
status (enabled or disabled), key lifetimes, key grace times,
and state timeout values. The CM MUST support viewing these
parameters where possible.
o The management interface needs to support operator analysis and
override of FSM behavior, for fault management, subscriber
service de-provisioning, and security incident handling. The CM
MUST support viewing the current FSM states. The CM and CMTS
MUST support viewing message error codes and message error
strings, and counters for invalid KEK and TEK events, for key
expirations and renewals, and for duplicate messages. The CM
and CMTS MUST support viewing current authorization key sequence
numbers and key expiration times for failure diagnosis.
o The management interface needs to support dynamic control of the
distribution of IP multicast data traffic. This control
includes forwarding IP multicast traffic to the correct
multicast group (SID), and managing the membership lists of each
multicast group (SID). The CMTS MUST support configuring and
viewing all IP multicast forwarding state, and all multicast
group memberships, within the MAC domains of the CMTS.
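The first requirement above calls for viewing the CM's RSA public key, which the MIB carries in docsBpiCmPublicKey and docsBpiCmtsAuthCmPublicKey as a DER SubjectPublicKeyInfo of at most 97 octets. The following decoder is an added example and is not part of this draft: it checks a retrieved value against that size bound, confirms the rsaEncryption algorithm OID, and reports the modulus size so an operator can spot a key that is shorter than expected. The sample key is constructed from a dummy 512-bit modulus (the largest size that fits in 97 octets) and is not a real CM key; the helper and function names are the example's own.

```python
"""Decode a docsBpiCmPublicKey / docsBpiCmtsAuthCmPublicKey value.

Added example, not part of the draft. The sample modulus is CONSTRUCTED.
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MAX_PUBLIC_KEY_OCTETS = 97                                 # SIZE (0..97) in the MIB
SAMPLE_MODULUS = (1 << 511) + 12345                        # constructed 512-bit value


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _encode_tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_integer(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                    # keep the INTEGER positive
    return _encode_tlv(0x02, b)


def build_sample_spki(modulus, exponent=65537):
    """CONSTRUCTED sample: an rsaEncryption SubjectPublicKeyInfo."""
    rsa_pub = _encode_tlv(0x30, _der_integer(modulus) + _der_integer(exponent))
    alg_id = _encode_tlv(0x30, _encode_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    return _encode_tlv(0x30, alg_id + _encode_tlv(0x03, b"\x00" + rsa_pub))


def decode_cm_public_key(octets):
    """Return (modulus_bits, exponent) for a docsBpiCmPublicKey value.

    Raises ValueError for values the MIB does not permit or that are not an
    rsaEncryption SubjectPublicKeyInfo. A zero-length value is what the CMTS
    returns when it did not retain the key; that is reported as (0, 0).
    """
    if len(octets) > MAX_PUBLIC_KEY_OCTETS:
        raise ValueError("exceeds the SIZE (0..97) bound of the MIB object")
    if not octets:
        return 0, 0
    tag, spki, end = _read_tlv(octets, 0)
    if tag != 0x30 or end != len(octets):
        raise ValueError("value is not a single DER SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)   # skip the unused-bits octet
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


def key_report(octets):
    """One-line verdict for a polled value, suitable for an inventory script."""
    try:
        bits, e = decode_cm_public_key(octets)
    except ValueError as exc:
        return f"invalid: {exc}"
    if bits == 0:
        return "not retained"
    return f"rsa {bits}-bit, e={e}"


if __name__ == "__main__":
    sample = build_sample_spki(SAMPLE_MODULUS)
    print(len(sample), "octets:", key_report(sample))
```

Because the object's SIZE bound is 97 octets, a 1024-bit RSA SubjectPublicKeyInfo (about 162 octets) cannot be represented at all, which is why the decoder treats an over-long value as a MIB violation rather than trying to parse it.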
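The second and third requirements above concern key lifetimes, grace times and expiration times. The MIB expresses expiration times (docsBpiCmAuthExpires, docsBpiCmtsAuthCmExpires, the TEK expiry objects) as the SNMPv2-TC DateAndTime textual convention, and constrains the CMTS lifetime and grace-time objects with INTEGER ranges. The following checker is an added example, not part of this draft or of any DOCSIS implementation: it decodes DateAndTime, validates a CMTS default configuration against the ranges declared in the MIB, flags a CM whose provisioned grace times disagree with the CMTS defaults (the draft says the two are expected to agree), and computes when the CM is expected to begin renewing a key (grace-time seconds before expiry). The requirement that a grace time be shorter than its lifetime is this example's own sanity check, not a rule stated in the draft; treating an 8-octet DateAndTime as UTC is likewise an assumption, and all sample values are constructed.

```python
"""BPI lifetime / grace-time checks over MIB values.

Added example, not part of the draft. Sample values are CONSTRUCTED.
"""
from datetime import datetime, timedelta, timezone

# SYNTAX ranges copied from the CMTS base-table objects in the MIB
RANGES = {
    "docsBpiCmtsDefaultAuthLifetime": (1, 6048000),
    "docsBpiCmtsDefaultTEKLifetime": (1, 604800),
    "docsBpiCmtsDefaultAuthGraceTime": (1, 1800),
    "docsBpiCmtsDefaultTEKGraceTime": (1, 1800),
}

# constructed sample: 1998-07-17 19:30:00.0 +00:00 as an 11-octet DateAndTime
SAMPLE_AUTH_EXPIRES = bytes([0x07, 0xCE, 7, 17, 19, 30, 0, 0]) + b"+" + bytes([0, 0])

SAMPLE_CMTS_DEFAULTS = {                  # constructed CMTS configuration
    "docsBpiCmtsDefaultAuthLifetime": 604800,   # 7 days
    "docsBpiCmtsDefaultTEKLifetime": 43200,     # 12 hours
    "docsBpiCmtsDefaultAuthGraceTime": 600,
    "docsBpiCmtsDefaultTEKGraceTime": 600,
}


def decode_date_and_time(octets):
    """Decode an SNMPv2-TC DateAndTime (8 or 11 octets) into a datetime.

    Octets: year(2) month day hour minute second deciseconds, then optionally
    direction ('+'/'-'), hours-from-UTC, minutes-from-UTC. An 8-octet value
    carries no offset; this example ASSUMES it is UTC.
    """
    if len(octets) not in (8, 11):
        raise ValueError("DateAndTime must be 8 or 11 octets")
    year = int.from_bytes(octets[0:2], "big")
    month, day, hour, minute, second, deci = octets[2:8]
    if len(octets) == 11:
        sign = 1 if octets[8] == ord("+") else -1
        tz = timezone(sign * timedelta(hours=octets[9], minutes=octets[10]))
    else:
        tz = timezone.utc
    return datetime(year, month, day, hour, minute, second, deci * 100000, tzinfo=tz)


def validate_cmts_defaults(cfg):
    """Return a list of problems (empty means OK) for a CMTS BPI configuration."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        v = cfg.get(name)
        if v is None or not lo <= v <= hi:
            problems.append(f"{name}={v} outside SYNTAX range ({lo}..{hi})")
    # example's own sanity rule: renewal must start before the key expires
    if cfg.get("docsBpiCmtsDefaultAuthGraceTime", 0) >= cfg.get("docsBpiCmtsDefaultAuthLifetime", 0):
        problems.append("auth grace time must be shorter than the auth key lifetime")
    if cfg.get("docsBpiCmtsDefaultTEKGraceTime", 0) >= cfg.get("docsBpiCmtsDefaultTEKLifetime", 0):
        problems.append("TEK grace time must be shorter than the TEK lifetime")
    return problems


def grace_times_agree(cmts_defaults, cm_entry):
    """True when the CM's provisioned grace times match the CMTS defaults.

    cm_entry holds the CM's docsBpiCmAuthGraceTime and docsBpiCmTEKGraceTime.
    """
    return (cm_entry["docsBpiCmAuthGraceTime"] == cmts_defaults["docsBpiCmtsDefaultAuthGraceTime"]
            and cm_entry["docsBpiCmTEKGraceTime"] == cmts_defaults["docsBpiCmtsDefaultTEKGraceTime"])


def rekey_window(expires_octets, grace_seconds):
    """Return (renewal_start, expiry) for a key with the given expiry and grace time."""
    expiry = decode_date_and_time(expires_octets)
    return expiry - timedelta(seconds=grace_seconds), expiry


if __name__ == "__main__":
    print("config problems:", validate_cmts_defaults(SAMPLE_CMTS_DEFAULTS))
    start, end = rekey_window(SAMPLE_AUTH_EXPIRES, SAMPLE_CMTS_DEFAULTS["docsBpiCmtsDefaultAuthGraceTime"])
    print("CM should start re-authorizing at", start.isoformat(), "key expires", end.isoformat())
```

In a polling script the renewal window is what makes the counters in the MIB meaningful: a CM whose docsBpiCmAuthRequests keeps rising after the computed renewal start while docsBpiCmAuthReplies does not is failing to renew, and docsBpiCmAuthRejectErrorCode / docsBpiCmAuthRejectErrorString say why.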
4. Definitions
DOCS-BPI-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE,
Counter32, IpAddress
FROM SNMPv2-SMI
DisplayString, MacAddress, RowStatus, TruthValue, DateAndTime
FROM SNMPv2-TC
OBJECT-GROUP, MODULE-COMPLIANCE
FROM SNMPv2-CONF
ifIndex
FROM IF-MIB
docsIfMib, docsIfCmServiceId, docsIfCmtsServiceId
FROM DOCS-IF-MIB
;
docsBpiMIB MODULE-IDENTITY
LAST-UPDATED "9807171930Z"
ORGANIZATION "IETF IPCDN Working Group"
CONTACT-INFO "Rich Woundy
Postal: American Internet
4 Preston Court
Bedford, MA 01730
Tel: +1 781 276 4509
Fax: +1 781 275 4930
E-mail: rwoundy@american.com"
DESCRIPTION
"This is the MIB Module for the DOCSIS Baseline Privacy Interface
(BPI) at cable modems (CMs) and cable modem termination systems
(CMTSs)."
::= { docsIfMib 5 }
docsBpiMIBObjects OBJECT IDENTIFIER ::= { docsBpiMIB 1 }
-- Cable Modem Group
docsBpiCmObjects OBJECT IDENTIFIER ::= { docsBpiMIBObjects 1 }
--
-- The BPI base and authorization table for CMs, indexed by ifIndex
--
docsBpiCmBaseTable OBJECT-TYPE
SYNTAX SEQUENCE OF DocsBpiCmBaseEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Describes the basic and authorization-related Baseline Privacy
attributes of each CM MAC interface."
::= { docsBpiCmObjects 1 }
docsBpiCmBaseEntry OBJECT-TYPE
SYNTAX DocsBpiCmBaseEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing objects describing attributes of one CM MAC
interface. An entry in this table exists for each ifEntry with an
ifType of docsCableMaclayer(127)."
INDEX { ifIndex }
::= { docsBpiCmBaseTable 1 }
DocsBpiCmBaseEntry ::= SEQUENCE {
docsBpiCmPrivacyEnable TruthValue,
docsBpiCmPublicKey OCTET STRING,
docsBpiCmAuthState INTEGER,
docsBpiCmAuthKeySequenceNumber INTEGER,
docsBpiCmAuthExpires DateAndTime,
docsBpiCmAuthReset TruthValue,
docsBpiCmAuthGraceTime INTEGER,
docsBpiCmTEKGraceTime INTEGER,
docsBpiCmAuthWaitTimeout INTEGER,
docsBpiCmReauthWaitTimeout INTEGER,
docsBpiCmOpWaitTimeout INTEGER,
docsBpiCmRekeyWaitTimeout INTEGER,
docsBpiCmAuthRejectWaitTimeout INTEGER,
docsBpiCmAuthRequests Counter32,
docsBpiCmAuthReplies Counter32,
docsBpiCmAuthRejects Counter32,
docsBpiCmAuthInvalids Counter32,
docsBpiCmAuthRejectErrorCode INTEGER,
docsBpiCmAuthRejectErrorString DisplayString,
docsBpiCmAuthInvalidErrorCode INTEGER,
docsBpiCmAuthInvalidErrorString DisplayString
}
docsBpiCmPrivacyEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This identifies whether this CM is provisioned to run Baseline
Privacy. This is analogous to the presence (or absence) of the
Baseline Privacy Configuration Setting option as described in BPI
Appendix A.1.1. The status of each individual SID with respect to
Baseline Privacy is captured in the docsBpiCmTEKPrivacyEnable object.
Note: this object will be read-write accessible only after the
ability to start and stop the authorization state machine is
understood."
::= { docsBpiCmBaseEntry 1 }
docsBpiCmPublicKey OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..97))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Public key of the CM encoded as an ASN.1 SubjectPublicKeyInfo object
as defined in the RSA Encryption Standard (PKCS #1) [12]."
::= { docsBpiCmBaseEntry 2 }
docsBpiCmAuthState OBJECT-TYPE
SYNTAX INTEGER {
start(1),
authWait(2),
authorized(3),
reauthWait(4),
authRejectWait(5)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The state of the CM authorization FSM. The start state indicates
that FSM is in its initial state."
::= { docsBpiCmBaseEntry 3 }
docsBpiCmAuthKeySequenceNumber OBJECT-TYPE
SYNTAX INTEGER (0..15)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The authorization key sequence number for this FSM."
::= { docsBpiCmBaseEntry 4 }
docsBpiCmAuthExpires OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Actual clock time when the current authorization for this FSM
expires. If the CM does not have an active authorization, then the
value is of the expiration date and time of the last active
authorization."
::= { docsBpiCmBaseEntry 5 }
docsBpiCmAuthReset OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to TRUE generates a Reauthorize event in the
authorization FSM, as described in section 4.1.2.3.4 of the Baseline
Privacy Interface Specification. Reading this object always returns
FALSE."
::= { docsBpiCmBaseEntry 6 }
docsBpiCmAuthGraceTime OBJECT-TYPE
SYNTAX INTEGER (1..1800)
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Grace time for an authorization key. A CM is expected to start
trying to get a new authorization key beginning AuthGraceTime seconds
before the authorization key actually expires. The value of this
object cannot be changed while the authorization state machine is
running. Note: this object will be read-write accessible only after
the ability to start and stop the authorization state machine is
understood."
::= { docsBpiCmBaseEntry 7 }
docsBpiCmTEKGraceTime OBJECT-TYPE
SYNTAX INTEGER (1..1800)
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Grace time for a TEK. A CM is expected to start trying to get a new
TEK beginning TEKGraceTime seconds before the TEK actually expires.
The value of this object cannot be changed while the authorization
state machine is running. Note: this object will be read-write
accessible only after the ability to start and stop the authorization
state machine is understood."
::= { docsBpiCmBaseEntry 8 }
docsBpiCmAuthWaitTimeout OBJECT-TYPE
SYNTAX INTEGER (2..30)
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Authorize Wait Timeout. The value of this object cannot be changed
while the authorization state machine is running. Note: this object
will be read-write accessible only after the ability to start and
stop the authorization state machine is understood."
::= { docsBpiCmBaseEntry 9 }
docsBpiCmReauthWaitTimeout OBJECT-TYPE
SYNTAX INTEGER (2..30)
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Reauthorize Wait Timeout in seconds. The value of this object cannot
be changed while the authorization state machine is running. Note:
this object will be read-write accessible only after the ability to
start and stop the authorization state machine is understood."
::= { docsBpiCmBaseEntry 10 }
docsBpiCmOpWaitTimeout OBJECT-TYPE
SYNTAX INTEGER (1..10)
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Operational Wait Timeout in seconds. The value of this object cannot
be changed while the authorization state machine is running. Note:
this object will be read-write accessible only after the ability to
start and stop the authorization state machine is understood."
::= { docsBpiCmBaseEntry 11 }
docsBpiCmRekeyWaitTimeout OBJECT-TYPE
SYNTAX INTEGER (1..10)
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Rekey Wait Timeout in seconds. The value of this object cannot be
changed while the authorization state machine is running. Note: this
object will be read-write accessible only after the ability to start
and stop the authorization state machine is understood."
::= { docsBpiCmBaseEntry 12 }
docsBpiCmAuthRejectWaitTimeout OBJECT-TYPE
SYNTAX INTEGER (60..1800)
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Authorization Reject Wait Timeout in seconds. The value of this
object cannot be changed while the authorization state machine is
running. Note: this object will be read-write accessible only after
the ability to start and stop the authorization state machine is
understood."
::= { docsBpiCmBaseEntry 13 }
docsBpiCmAuthRequests OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CM has transmitted an Authorization Request
message."
::= { docsBpiCmBaseEntry 14 }
docsBpiCmAuthReplies OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CM has received an Authorization Reply message."
::= { docsBpiCmBaseEntry 15 }
docsBpiCmAuthRejects OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CM has received an Authorization Reject message."
::= { docsBpiCmBaseEntry 16 }
docsBpiCmAuthInvalids OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CM has received an Authorization Invalid message."
::= { docsBpiCmBaseEntry 17 }
docsBpiCmAuthRejectErrorCode OBJECT-TYPE
SYNTAX INTEGER {
none(1),
unknown(2),
unauthorizedCm(3),
unauthorizedSid(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Error-Code in most recent Authorization Reject message received by
the CM. This has value unknown(2) if the last Error-Code value was
0, and none(1) if no Authorization Reject message has been received
since reboot."
::= { docsBpiCmBaseEntry 18 }
docsBpiCmAuthRejectErrorString OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Display-String in most recent Authorization Reject message received
by the CM. This is a zero length string if no Authorization Reject
message has been received since reboot."
::= { docsBpiCmBaseEntry 19 }
docsBpiCmAuthInvalidErrorCode OBJECT-TYPE
SYNTAX INTEGER {
none(1),
unknown(2),
unauthorizedCm(3),
unsolicited(5),
invalidKeySequence(6),
keyRequestAuthenticationFailure(7)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Error-Code in most recent Authorization Invalid message received by
the CM. This has value unknown(2) if the last Error-Code value was
0, and none(1) if no Authorization Invalid message has been received
since reboot."
::= { docsBpiCmBaseEntry 20 }
docsBpiCmAuthInvalidErrorString OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Display-String in most recent Authorization Invalid message received
by the CM. This is a zero length string if no Authorization Invalid
message has been received since reboot."
::= { docsBpiCmBaseEntry 21 }
--
-- The CM TEK Table, indexed by ifIndex and SID
--
docsBpiCmTEKTable OBJECT-TYPE
SYNTAX SEQUENCE OF DocsBpiCmTEKEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Describes the attributes of each CM Traffic Encryption Key (TEK)
association. The CM maintains (no more than) one TEK association per
SID per CM MAC interface."
::= { docsBpiCmObjects 2 }
docsBpiCmTEKEntry OBJECT-TYPE
SYNTAX DocsBpiCmTEKEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing objects describing the TEK association attributes
of one SID. The CM MUST create one entry per unicast or multicast SID,
regardless of whether the SID was obtained from a Registration
Response message, from an Authorization Reply message, or from any
future dynamic SID establishment mechanisms."
INDEX { ifIndex, docsIfCmServiceId }
::= { docsBpiCmTEKTable 1 }
DocsBpiCmTEKEntry ::= SEQUENCE {
docsBpiCmTEKPrivacyEnable TruthValue,
docsBpiCmTEKState INTEGER,
docsBpiCmTEKExpiresOld DateAndTime,
docsBpiCmTEKExpiresNew DateAndTime,
docsBpiCmTEKKeyRequests Counter32,
docsBpiCmTEKKeyReplies Counter32,
docsBpiCmTEKKeyRejects Counter32,
docsBpiCmTEKInvalids Counter32,
docsBpiCmTEKAuthPends Counter32,
docsBpiCmTEKKeyRejectErrorCode INTEGER,
docsBpiCmTEKKeyRejectErrorString DisplayString,
docsBpiCmTEKInvalidErrorCode INTEGER,
docsBpiCmTEKInvalidErrorString DisplayString
}
docsBpiCmTEKPrivacyEnable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This identifies whether this SID is provisioned to run Baseline
Privacy. This is analogous to enabling Baseline Privacy on a
provisioned SID using the Class-of-Service Privacy Enable option as
described in BPI Appendix A.1.2. This object may be set to TRUE or
FALSE at any time (causing the CM to send a Reauth event to the
authorization machine), regardless of whether Baseline Privacy is
enabled for the CM. However, Baseline Privacy is not effectively
enabled for any SID unless Baseline Privacy is enabled for the CM,
which is managed via the docsBpiCmPrivacyEnable object."
::= { docsBpiCmTEKEntry 1 }
docsBpiCmTEKState OBJECT-TYPE
SYNTAX INTEGER {
start (1),
opWait (2),
opReauthWait (3),
operational (4),
rekeyWait (5),
rekeyReauthWait (6)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The state of the indicated TEK FSM. The start(1) state indicates that
FSM is in its initial state."
::= { docsBpiCmTEKEntry 2 }
docsBpiCmTEKExpiresOld OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Actual clock time for expiration of the oldest active key for this
FSM. If this FSM has no active keys, then the value is of the
expiration date and time of the last active key."
::= { docsBpiCmTEKEntry 3 }
docsBpiCmTEKExpiresNew OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Actual clock time for expiration of the newest active key for this
FSM. If this FSM has no active keys, then the value is of the
expiration date and time of the last active key."
::= { docsBpiCmTEKEntry 4 }
docsBpiCmTEKKeyRequests OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CM has transmitted a Key Request message."
::= { docsBpiCmTEKEntry 5 }
docsBpiCmTEKKeyReplies OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CM has received a Key Reply message."
::= { docsBpiCmTEKEntry 6 }
docsBpiCmTEKKeyRejects OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CM has received a Key Reject message."
::= { docsBpiCmTEKEntry 7 }
docsBpiCmTEKInvalids OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CM has received a TEK Invalid message."
::= { docsBpiCmTEKEntry 8 }
docsBpiCmTEKAuthPends OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times an Authorization Pending (Auth Pend) event occurred in
this FSM."
::= { docsBpiCmTEKEntry 9 }
docsBpiCmTEKKeyRejectErrorCode OBJECT-TYPE
SYNTAX INTEGER {
none(1),
unknown(2),
unauthorizedSid(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Error-Code in most recent Key Reject message received by the CM. This
has value unknown(2) if the last Error-Code value was 0, and none(1)
if no Key Reject message has been received since reboot."
::= { docsBpiCmTEKEntry 10 }
docsBpiCmTEKKeyRejectErrorString OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Display-String in most recent Key Reject message received by the CM.
This is a zero length string if no Key Reject message has been
received since reboot."
::= { docsBpiCmTEKEntry 11 }
docsBpiCmTEKInvalidErrorCode OBJECT-TYPE
SYNTAX INTEGER {
none(1),
unknown(2),
invalidKeySequence(6)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Error-Code in most recent TEK Invalid message received by the CM.
This has value unknown(2) if the last Error-Code value was 0, and
none(1) if no TEK Invalid message has been received since reboot."
::= { docsBpiCmTEKEntry 12 }
docsBpiCmTEKInvalidErrorString OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Display-String in most recent TEK Invalid message received by the CM.
This is a zero length string if no TEK Invalid message has been
received since reboot."
::= { docsBpiCmTEKEntry 13 }
-- Cable Modem Termination System Group
docsBpiCmtsObjects OBJECT IDENTIFIER ::= { docsBpiMIBObjects 2 }
--
-- The BPI base table for CMTSs, indexed by ifIndex
--
docsBpiCmtsBaseTable OBJECT-TYPE
SYNTAX SEQUENCE OF DocsBpiCmtsBaseEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Describes the basic Baseline Privacy attributes of each CMTS MAC
interface."
::= { docsBpiCmtsObjects 1 }
docsBpiCmtsBaseEntry OBJECT-TYPE
SYNTAX DocsBpiCmtsBaseEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing objects describing attributes of one CMTS MAC
interface. An entry in this table exists for each ifEntry with an
ifType of docsCableMaclayer(127)."
INDEX { ifIndex }
::= { docsBpiCmtsBaseTable 1 }
DocsBpiCmtsBaseEntry ::= SEQUENCE {
docsBpiCmtsDefaultAuthLifetime INTEGER,
docsBpiCmtsDefaultTEKLifetime INTEGER,
docsBpiCmtsDefaultAuthGraceTime INTEGER,
docsBpiCmtsDefaultTEKGraceTime INTEGER,
docsBpiCmtsAuthRequests Counter32,
docsBpiCmtsAuthReplies Counter32,
docsBpiCmtsAuthRejects Counter32,
docsBpiCmtsAuthInvalids Counter32
}
docsBpiCmtsDefaultAuthLifetime OBJECT-TYPE
SYNTAX INTEGER (1..6048000)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Default lifetime, in seconds, the CMTS assigns to a new authorization
key."
::= { docsBpiCmtsBaseEntry 1 }
docsBpiCmtsDefaultTEKLifetime OBJECT-TYPE
SYNTAX INTEGER (1..604800)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Default lifetime, in seconds, the CMTS assigns to a new Traffic
Encryption Key (TEK)."
::= { docsBpiCmtsBaseEntry 2 }
docsBpiCmtsDefaultAuthGraceTime OBJECT-TYPE
SYNTAX INTEGER (1..1800)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Default grace time, in seconds, the CMTS uses for an authorization
key. This controls how far in advance of authorization key expiration
that the CMTS is expected to produce the next generation of keying
material. This value is expected to agree with the Authorization Grace
Time that the provisioning system provides to CMs."
::= { docsBpiCmtsBaseEntry 3 }
docsBpiCmtsDefaultTEKGraceTime OBJECT-TYPE
SYNTAX INTEGER (1..1800)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Default grace time, in seconds, the CMTS uses for a Traffic
Encryption Key (TEK). This controls how far in advance of TEK
expiration that the CMTS is expected to produce the next generation
of keying material. This value is expected to agree with the TEK Grace
Time that the provisioning system provides to CMs. Note that this
object is particularly relevant for multicast SIDs, where multiple
grace time values cannot be honored."
::= { docsBpiCmtsBaseEntry 4 }
docsBpiCmtsAuthRequests OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has received an Authorization Request message
from any CM."
::= { docsBpiCmtsBaseEntry 5 }
docsBpiCmtsAuthReplies OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has transmitted an Authorization Reply
message to any CM."
::= { docsBpiCmtsBaseEntry 6 }
docsBpiCmtsAuthRejects OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has transmitted an Authorization Reject
message to any CM."
::= { docsBpiCmtsBaseEntry 7 }
docsBpiCmtsAuthInvalids OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has transmitted an Authorization Invalid
message to any CM."
::= { docsBpiCmtsBaseEntry 8 }
--
-- The CMTS Authorization Table, indexed by ifIndex and CM MAC address
--
docsBpiCmtsAuthTable OBJECT-TYPE
SYNTAX SEQUENCE OF DocsBpiCmtsAuthEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Describes the attributes of each CM authorization association. The
CMTS maintains one authorization association with each Baseline
Privacy-enabled CM on each CMTS MAC interface."
::= { docsBpiCmtsObjects 2 }
docsBpiCmtsAuthEntry OBJECT-TYPE
SYNTAX DocsBpiCmtsAuthEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing objects describing attributes of one
authorization association. The CMTS MUST create one entry per CM per
MAC interface, based on the receipt of an Authorization Request
message, and MUST NOT delete the entry before the CM authorization
permanently expires."
INDEX { ifIndex, docsBpiCmtsAuthCmMacAddress }
::= { docsBpiCmtsAuthTable 1 }
DocsBpiCmtsAuthEntry ::= SEQUENCE {
docsBpiCmtsAuthCmMacAddress MacAddress,
docsBpiCmtsAuthCmPublicKey OCTET STRING,
docsBpiCmtsAuthCmKeySequenceNumber INTEGER,
docsBpiCmtsAuthCmExpires DateAndTime,
docsBpiCmtsAuthCmLifetime INTEGER,
docsBpiCmtsAuthCmGraceTime INTEGER,
docsBpiCmtsAuthCmReset INTEGER,
docsBpiCmtsAuthCmRequests Counter32,
docsBpiCmtsAuthCmReplies Counter32,
docsBpiCmtsAuthCmRejects Counter32,
docsBpiCmtsAuthCmInvalids Counter32,
docsBpiCmtsAuthRejectErrorCode INTEGER,
docsBpiCmtsAuthRejectErrorString DisplayString,
docsBpiCmtsAuthInvalidErrorCode INTEGER,
docsBpiCmtsAuthInvalidErrorString DisplayString
}
docsBpiCmtsAuthCmMacAddress OBJECT-TYPE
SYNTAX MacAddress
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The physical address of the CM to which the authorization association
applies."
::= { docsBpiCmtsAuthEntry 1 }
docsBpiCmtsAuthCmPublicKey OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..97))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Public key of the CM encoded as an ASN.1 SubjectPublicKeyInfo object
as defined in the RSA Encryption Standard (PKCS #1) [12]. This is a
zero-length string if the CMTS does not retain the public key."
::= { docsBpiCmtsAuthEntry 2 }
docsBpiCmtsAuthCmKeySequenceNumber OBJECT-TYPE
SYNTAX INTEGER (0..15)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The authorization key sequence number for this CM."
::= { docsBpiCmtsAuthEntry 3 }
docsBpiCmtsAuthCmExpires OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Actual clock time when the current authorization for this CM expires.
If this CM does not have an active authorization, then the value is of
the expiration date and time of the last active authorization."
::= { docsBpiCmtsAuthEntry 4 }
docsBpiCmtsAuthCmLifetime OBJECT-TYPE
SYNTAX INTEGER (1..6048000)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Lifetime, in seconds, the CMTS assigns to an authorization key for
this CM."
::= { docsBpiCmtsAuthEntry 5 }
docsBpiCmtsAuthCmGraceTime OBJECT-TYPE
SYNTAX INTEGER (1..1800)
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Grace time for the authorization key in seconds. The CM is expected
to start trying to get a new authorization key beginning AuthGraceTime
seconds before the authorization key actually expires."
::= { docsBpiCmtsAuthEntry 6 }
docsBpiCmtsAuthCmReset OBJECT-TYPE
SYNTAX INTEGER {
noResetRequested(1),
invalidateAuth(2),
sendAuthInvalid(3),
invalidateTeks(4)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to invalidateAuth(2) causes the CMTS to
invalidate the current CM authorization key, but not to transmit an
Authorization Invalid message nor to invalidate unicast TEKs. Setting
this object to sendAuthInvalid(3) causes the CMTS to invalidate the
current CM authorization key, and to transmit an Authorization Invalid
message to the CM, but not to invalidate unicast TEKs. Setting this
object to invalidateTeks(4) causes the CMTS to invalidate the current
CM authorization key, to transmit an Authorization Invalid message to
the CM, and to invalidate all unicast TEKs associated with this CM
authorization. Reading this object returns the most-recently-set value
of this object, or returns noResetRequested(1) if the object has not
been set since the last CMTS reboot."
::= { docsBpiCmtsAuthEntry 7 }
docsBpiCmtsAuthCmRequests OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has received an Authorization Request message
from this CM."
::= { docsBpiCmtsAuthEntry 8 }
docsBpiCmtsAuthCmReplies OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has transmitted an Authorization Reply
message to this CM."
::= { docsBpiCmtsAuthEntry 9 }
docsBpiCmtsAuthCmRejects OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has transmitted an Authorization Reject
message to this CM."
::= { docsBpiCmtsAuthEntry 10 }
docsBpiCmtsAuthCmInvalids OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has transmitted an Authorization Invalid
message to this CM."
::= { docsBpiCmtsAuthEntry 11 }
docsBpiCmtsAuthRejectErrorCode OBJECT-TYPE
SYNTAX INTEGER {
none(1),
unknown(2),
unauthorizedCm(3),
unauthorizedSid(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Error-Code in most recent Authorization Reject message transmitted to
the CM. This has value unknown(2) if the last Error-Code value was
0, and none(1) if no Authorization Reject message has been transmitted
to the CM."
::= { docsBpiCmtsAuthEntry 12 }
docsBpiCmtsAuthRejectErrorString OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Display-String in most recent Authorization Reject message
transmitted to the CM. This is a zero length string if no
Authorization Reject message has been transmitted to the CM."
::= { docsBpiCmtsAuthEntry 13 }
docsBpiCmtsAuthInvalidErrorCode OBJECT-TYPE
SYNTAX INTEGER {
none(1),
unknown(2),
unauthorizedCm(3),
unsolicited(5),
invalidKeySequence(6),
keyRequestAuthenticationFailure(7)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Error-Code in most recent Authorization Invalid message transmitted
to the CM. This has value unknown(2) if the last Error-Code value was
0, and none(1) if no Authorization Invalid message has been
transmitted to the CM."
::= { docsBpiCmtsAuthEntry 14 }
docsBpiCmtsAuthInvalidErrorString OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Display-String in most recent Authorization Invalid message
transmitted to the CM. This is a zero length string if no
Authorization Invalid message has been transmitted to the CM."
::= { docsBpiCmtsAuthEntry 15 }
--
-- The CMTS TEK Table, indexed by ifIndex and SID
--
docsBpiCmtsTEKTable OBJECT-TYPE
SYNTAX SEQUENCE OF DocsBpiCmtsTEKEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Describes the attributes of each CM Traffic Encryption Key (TEK)
association. The CMTS maintains one TEK association per SID on each
CMTS MAC interface."
::= { docsBpiCmtsObjects 3 }
docsBpiCmtsTEKEntry OBJECT-TYPE
SYNTAX DocsBpiCmtsTEKEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing objects describing attributes of one TEK
association on a particular CMTS MAC interface. The CMTS MUST create
one entry per SID per MAC interface, based on the receipt of a Key
Request message, and MUST NOT delete the entry before the CM
authorization for the SID permanently expires."
INDEX { ifIndex, docsIfCmtsServiceId }
::= { docsBpiCmtsTEKTable 1 }
DocsBpiCmtsTEKEntry ::= SEQUENCE {
docsBpiCmtsTEKLifetime INTEGER,
docsBpiCmtsTEKGraceTime INTEGER,
docsBpiCmtsTEKExpiresOld DateAndTime,
docsBpiCmtsTEKExpiresNew DateAndTime,
docsBpiCmtsTEKReset TruthValue,
docsBpiCmtsKeyRequests Counter32,
docsBpiCmtsKeyReplies Counter32,
docsBpiCmtsKeyRejects Counter32,
docsBpiCmtsTEKInvalids Counter32,
docsBpiCmtsKeyRejectErrorCode INTEGER,
docsBpiCmtsKeyRejectErrorString DisplayString,
docsBpiCmtsTEKInvalidErrorCode INTEGER,
docsBpiCmtsTEKInvalidErrorString DisplayString
}
docsBpiCmtsTEKLifetime OBJECT-TYPE
SYNTAX INTEGER (1..604800)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Lifetime, in seconds, the CMTS assigns to keys for this TEK
association."
::= { docsBpiCmtsTEKEntry 1 }
docsBpiCmtsTEKGraceTime OBJECT-TYPE
SYNTAX INTEGER (1..1800)
UNITS "seconds"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Grace time for the TEK in seconds. The CM is expected to start
trying to get a new TEK beginning TEKGraceTime seconds before the TEK
actually expires."
::= { docsBpiCmtsTEKEntry 2 }
docsBpiCmtsTEKExpiresOld OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Actual clock time for expiration of the oldest active key for this
TEK association. If this TEK association has no active keys, then the
value is the expiration date and time of the last active key."
::= { docsBpiCmtsTEKEntry 3 }
docsBpiCmtsTEKExpiresNew OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Actual clock time for expiration of the newest active key for this
TEK association. If this TEK association has no active keys, then the
value is the expiration date and time of the last active key."
::= { docsBpiCmtsTEKEntry 4 }
docsBpiCmtsTEKReset OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to TRUE causes the CMTS to invalidate the current
active TEK(s) (plural due to key transition periods), and to generate
a new TEK for the associated SID. Reading this object always returns
FALSE."
::= { docsBpiCmtsTEKEntry 5 }
docsBpiCmtsKeyRequests OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has received a Key Request message for this
SID."
::= { docsBpiCmtsTEKEntry 6 }
docsBpiCmtsKeyReplies OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has transmitted a Key Reply message for this
SID."
::= { docsBpiCmtsTEKEntry 7 }
docsBpiCmtsKeyRejects OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has transmitted a Key Reject message for this
SID."
::= { docsBpiCmtsTEKEntry 8 }
docsBpiCmtsTEKInvalids OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Count of times the CMTS has transmitted a TEK Invalid message for
this SID."
::= { docsBpiCmtsTEKEntry 9 }
docsBpiCmtsKeyRejectErrorCode OBJECT-TYPE
SYNTAX INTEGER {
none(1),
unknown(2),
unauthorizedSid(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Error-Code in the most recent Key Reject message sent in response to
a Key Request for this BPI SID. This has value unknown(2) if the last
Error-Code value was 0, and none(1) if no Key Reject message has been
transmitted for this SID since reboot."
::= { docsBpiCmtsTEKEntry 10 }
docsBpiCmtsKeyRejectErrorString OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Display-String in the most recent Key Reject message sent in response
to a Key Request for this BPI SID. This is a zero length string if no
Key Reject message has been transmitted for this SID since reboot."
::= { docsBpiCmtsTEKEntry 11 }
docsBpiCmtsTEKInvalidErrorCode OBJECT-TYPE
SYNTAX INTEGER {
none(1),
unknown(2),
invalidKeySequence(6)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Error-Code in the most recent TEK Invalid message sent in association
with this BPI SID. This has value unknown(2) if the last Error-Code
value was 0, and none(1) if no TEK Invalid message has been
transmitted for this SID since reboot."
::= { docsBpiCmtsTEKEntry 12 }
docsBpiCmtsTEKInvalidErrorString OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Display-String in the most recent TEK Invalid message sent in
association with this BPI SID. This is a zero length string if no TEK
Invalid message has been transmitted for this SID since reboot."
::= { docsBpiCmtsTEKEntry 13 }
--
-- The CMTS Multicast Control Group
--
docsBpiMulticastControl OBJECT IDENTIFIER ::= { docsBpiCmtsObjects 4 }
--
-- The CMTS IP Multicast Mapping Table, indexed by ifIndex and by IP
-- multicast address and prefix length
--
docsBpiIpMulticastMapTable OBJECT-TYPE
SYNTAX SEQUENCE OF DocsBpiIpMulticastMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Describes the mapping of IP multicast address prefixes to multicast
SIDs on each CMTS MAC interface."
::= { docsBpiMulticastControl 1 }
docsBpiIpMulticastMapEntry OBJECT-TYPE
SYNTAX DocsBpiIpMulticastMapEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing objects describing the mapping of one IP
multicast address prefix to one multicast SID on one CMTS MAC
interface. The CMTS uses the mapping when forwarding downstream IP
multicast traffic."
INDEX { ifIndex, docsBpiIpMulticastAddress,
docsBpiIpMulticastPrefixLength }
::= { docsBpiIpMulticastMapTable 1 }
DocsBpiIpMulticastMapEntry ::= SEQUENCE {
docsBpiIpMulticastAddress IpAddress,
docsBpiIpMulticastPrefixLength INTEGER,
docsBpiIpMulticastServiceId INTEGER,
docsBpiIpMulticastMapControl RowStatus
}
docsBpiIpMulticastAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The IP multicast address (prefix) to be mapped."
::= { docsBpiIpMulticastMapEntry 1 }
docsBpiIpMulticastPrefixLength OBJECT-TYPE
SYNTAX INTEGER (0..32)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The IP multicast address prefix length to be mapped."
::= { docsBpiIpMulticastMapEntry 2 }
docsBpiIpMulticastServiceId OBJECT-TYPE
SYNTAX INTEGER (8192..16368)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The multicast SID to be used in this IP multicast address prefix
mapping entry."
-- No DEFVAL clause: if this object is not set when the row is
-- created, the CMTS chooses an unused multicast SID value.
::= { docsBpiIpMulticastMapEntry 3 }
docsBpiIpMulticastMapControl OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Controls and reflects the IP multicast address prefix mapping entry."
::= { docsBpiIpMulticastMapEntry 4 }
--
-- The CMTS Multicast SID Authorization Table, indexed by ifIndex,
-- multicast SID, and CM MAC address
--
docsBpiMulticastAuthTable OBJECT-TYPE
SYNTAX SEQUENCE OF DocsBpiMulticastAuthEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Describes the multicast SID authorization for each CM on each CMTS
MAC interface."
::= { docsBpiMulticastControl 2 }
docsBpiMulticastAuthEntry OBJECT-TYPE
SYNTAX DocsBpiMulticastAuthEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry containing objects describing the key authorization of one
cable modem for one multicast SID for one CMTS MAC interface."
INDEX { ifIndex, docsBpiMulticastServiceId,
docsBpiMulticastCmMacAddress }
::= { docsBpiMulticastAuthTable 1 }
DocsBpiMulticastAuthEntry ::= SEQUENCE {
docsBpiMulticastServiceId INTEGER,
docsBpiMulticastCmMacAddress MacAddress,
docsBpiMulticastAuthControl RowStatus
}
docsBpiMulticastServiceId OBJECT-TYPE
SYNTAX INTEGER (8192..16368)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The multicast SID for authorization."
::= { docsBpiMulticastAuthEntry 1 }
docsBpiMulticastCmMacAddress OBJECT-TYPE
SYNTAX MacAddress
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The MAC address of the CM to which the multicast SID authorization
applies."
::= { docsBpiMulticastAuthEntry 2 }
docsBpiMulticastAuthControl OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Controls and reflects the CM authorization for each multicast SID."
::= { docsBpiMulticastAuthEntry 3 }
--
-- The BPI MIB Conformance Statements (with a placeholder for
-- notifications)
--
docsBpiNotification OBJECT IDENTIFIER ::= { docsBpiMIB 2 }
docsBpiConformance OBJECT IDENTIFIER ::= { docsBpiMIB 3 }
docsBpiCompliances OBJECT IDENTIFIER ::= { docsBpiConformance 1 }
docsBpiGroups OBJECT IDENTIFIER ::= { docsBpiConformance 2 }
docsBpiBasicCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for devices which implement the DOCS
Baseline Privacy Interface."
MODULE -- docsBpiMIB
-- conditionally mandatory group
GROUP docsBpiCmGroup
DESCRIPTION
"This group is implemented only in CMs, not in CMTSs."
-- conditionally mandatory group
GROUP docsBpiCmtsGroup
DESCRIPTION
"This group is implemented only in CMTSs, not in CMs."
-- relaxation on mandatory range
OBJECT docsBpiCmAuthGraceTime
SYNTAX INTEGER (300..1800)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
-- relaxation on mandatory range
OBJECT docsBpiCmTEKGraceTime
SYNTAX INTEGER (300..1800)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
-- relaxation on mandatory range
OBJECT docsBpiCmtsDefaultAuthLifetime
SYNTAX INTEGER (86400..6048000)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
-- relaxation on mandatory range
OBJECT docsBpiCmtsDefaultTEKLifetime
SYNTAX INTEGER (1800..604800)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
-- relaxation on mandatory range
OBJECT docsBpiCmtsDefaultAuthGraceTime
SYNTAX INTEGER (300..1800)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
-- relaxation on mandatory range
OBJECT docsBpiCmtsDefaultTEKGraceTime
SYNTAX INTEGER (300..1800)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
-- relaxation on mandatory range
OBJECT docsBpiCmtsAuthCmLifetime
SYNTAX INTEGER (86400..6048000)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
-- relaxation on mandatory range
OBJECT docsBpiCmtsAuthCmGraceTime
SYNTAX INTEGER (300..1800)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
-- relaxation on mandatory range
OBJECT docsBpiCmtsTEKLifetime
SYNTAX INTEGER (1800..604800)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
-- relaxation on mandatory range
OBJECT docsBpiCmtsTEKGraceTime
SYNTAX INTEGER (300..1800)
DESCRIPTION
"The refined range corresponds to the minimum and maximum values in
operational networks, according to Appendix A.2 in [7]."
::= { docsBpiCompliances 1 }
docsBpiCmGroup OBJECT-GROUP
OBJECTS {
docsBpiCmPrivacyEnable,
docsBpiCmPublicKey,
docsBpiCmAuthState,
docsBpiCmAuthKeySequenceNumber,
docsBpiCmAuthExpires,
docsBpiCmAuthReset,
docsBpiCmAuthGraceTime,
docsBpiCmTEKGraceTime,
docsBpiCmAuthWaitTimeout,
docsBpiCmReauthWaitTimeout,
docsBpiCmOpWaitTimeout,
docsBpiCmRekeyWaitTimeout,
docsBpiCmAuthRejectWaitTimeout,
docsBpiCmAuthRequests,
docsBpiCmAuthReplies,
docsBpiCmAuthRejects,
docsBpiCmAuthInvalids,
docsBpiCmAuthRejectErrorCode,
docsBpiCmAuthRejectErrorString,
docsBpiCmAuthInvalidErrorCode,
docsBpiCmAuthInvalidErrorString,
docsBpiCmTEKPrivacyEnable,
docsBpiCmTEKState,
docsBpiCmTEKExpiresOld,
docsBpiCmTEKExpiresNew,
docsBpiCmTEKKeyRequests,
docsBpiCmTEKKeyReplies,
docsBpiCmTEKKeyRejects,
docsBpiCmTEKInvalids,
docsBpiCmTEKAuthPends,
docsBpiCmTEKKeyRejectErrorCode,
docsBpiCmTEKKeyRejectErrorString,
docsBpiCmTEKInvalidErrorCode,
docsBpiCmTEKInvalidErrorString
}
STATUS current
DESCRIPTION
"A collection of objects providing CM BPI status and control."
::= { docsBpiGroups 1 }
docsBpiCmtsGroup OBJECT-GROUP
OBJECTS {
docsBpiCmtsDefaultAuthLifetime,
docsBpiCmtsDefaultTEKLifetime,
docsBpiCmtsDefaultAuthGraceTime,
docsBpiCmtsDefaultTEKGraceTime,
docsBpiCmtsAuthRequests,
docsBpiCmtsAuthReplies,
docsBpiCmtsAuthRejects,
docsBpiCmtsAuthInvalids,
docsBpiCmtsAuthCmPublicKey,
docsBpiCmtsAuthCmKeySequenceNumber,
docsBpiCmtsAuthCmExpires,
docsBpiCmtsAuthCmLifetime,
docsBpiCmtsAuthCmGraceTime,
docsBpiCmtsAuthCmReset,
docsBpiCmtsAuthCmRequests,
docsBpiCmtsAuthCmReplies,
docsBpiCmtsAuthCmRejects,
docsBpiCmtsAuthCmInvalids,
docsBpiCmtsAuthRejectErrorCode,
docsBpiCmtsAuthRejectErrorString,
docsBpiCmtsAuthInvalidErrorCode,
docsBpiCmtsAuthInvalidErrorString,
docsBpiCmtsTEKLifetime,
docsBpiCmtsTEKGraceTime,
docsBpiCmtsTEKExpiresOld,
docsBpiCmtsTEKExpiresNew,
docsBpiCmtsTEKReset,
docsBpiCmtsKeyRequests,
docsBpiCmtsKeyReplies,
docsBpiCmtsKeyRejects,
docsBpiCmtsTEKInvalids,
docsBpiCmtsKeyRejectErrorCode,
docsBpiCmtsKeyRejectErrorString,
docsBpiCmtsTEKInvalidErrorCode,
docsBpiCmtsTEKInvalidErrorString,
docsBpiIpMulticastServiceId,
docsBpiIpMulticastMapControl,
docsBpiMulticastAuthControl
}
STATUS current
DESCRIPTION
"A collection of objects providing CMTS BPI status and control."
::= { docsBpiGroups 2 }
END
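The TEK table above exposes key expiry as SNMPv2-TC DateAndTime octet
strings (docsBpiCmtsTEKExpiresOld, docsBpiCmtsTEKExpiresNew) and states
that the CM must start rekeying docsBpiCmtsTEKGraceTime seconds before
the oldest key expires. The following Python is an added example, not
code from this draft or from any MCNS implementation: it decodes and
re-encodes the DateAndTime format, checks a row's lifetime and grace
time against the refined ranges in docsBpiBasicCompliance, and derives
the CM's rekey deadline and the key-transition state from one table
row. The sample row values are constructed, and treating an 8-octet
DateAndTime (no UTC offset) as UTC is this example's assumption.

```python
"""Added example, not part of the draft: decode the SNMPv2-TC DateAndTime
values carried by docsBpiCmtsTEKExpiresOld/ExpiresNew and derive the TEK
rekey window from them together with docsBpiCmtsTEKGraceTime."""
import struct
from datetime import datetime, timedelta, timezone

# Refined ranges from docsBpiBasicCompliance, in seconds.
TEK_LIFETIME_RANGE = (1800, 604800)
TEK_GRACE_RANGE = (300, 1800)


def parse_date_and_time(octets: bytes) -> datetime:
    """Decode an SNMPv2-TC DateAndTime OCTET STRING (8 or 11 octets).

    Layout: year (2 octets, network order), month, day, hour, minutes,
    seconds, deci-seconds, then optionally direction ('+'/'-'), hours
    and minutes of offset from UTC.  An 8-octet value carries no offset
    and is taken as UTC here (an assumption; the TC calls it local time).
    """
    if len(octets) not in (8, 11):
        raise ValueError("DateAndTime must be 8 or 11 octets, got %d" % len(octets))
    year, month, day, hour, minute, second, deci = struct.unpack("!HBBBBBB", octets[:8])
    if deci > 9:
        raise ValueError("deci-seconds field out of range")
    tz = timezone.utc
    if len(octets) == 11:
        direction, off_h, off_m = octets[8:9], octets[9], octets[10]
        if direction not in (b"+", b"-") or off_h > 13 or off_m > 59:
            raise ValueError("malformed UTC offset")
        sign = 1 if direction == b"+" else -1
        tz = timezone(sign * timedelta(hours=off_h, minutes=off_m))
    return datetime(year, month, day, hour, minute, second, deci * 100000, tzinfo=tz)


def encode_date_and_time(dt: datetime) -> bytes:
    """Encode a timezone-aware datetime as an 11-octet DateAndTime."""
    if dt.tzinfo is None:
        raise ValueError("need an aware datetime")
    total = int(dt.utcoffset().total_seconds())
    direction = b"+" if total >= 0 else b"-"
    total = abs(total)
    head = struct.pack("!HBBBBBB", dt.year, dt.month, dt.day, dt.hour,
                       dt.minute, dt.second, dt.microsecond // 100000)
    return head + direction + bytes([total // 3600, (total % 3600) // 60])


def tek_rekey_window(expires_old: bytes, expires_new: bytes,
                     grace_time: int, lifetime: int) -> dict:
    """Interpret one docsBpiCmtsTEKEntry row.

    The CM is expected to start requesting a new TEK grace_time seconds
    before the oldest active key expires, so that is the CM's deadline.
    If ExpiresOld != ExpiresNew the CMTS holds two active TEKs, i.e. the
    SID is in a key transition period.
    """
    if not TEK_LIFETIME_RANGE[0] <= lifetime <= TEK_LIFETIME_RANGE[1]:
        raise ValueError("TEK lifetime outside the compliance range")
    if not TEK_GRACE_RANGE[0] <= grace_time <= TEK_GRACE_RANGE[1]:
        raise ValueError("TEK grace time outside the compliance range")
    if grace_time >= lifetime:
        raise ValueError("grace time must be shorter than the key lifetime")
    old = parse_date_and_time(expires_old)
    new = parse_date_and_time(expires_new)
    if new < old:
        raise ValueError("ExpiresNew precedes ExpiresOld; table is inconsistent")
    return {
        "oldest_expires": old.isoformat(),
        "newest_expires": new.isoformat(),
        "cm_rekey_deadline": (old - timedelta(seconds=grace_time)).isoformat(),
        "in_transition": new != old,
        "overlap_seconds": int((new - old).total_seconds()),
    }


# Constructed sample row: two active keys, oldest expires 1998-07-15 12:00Z,
# newest 18:00Z, grace 600 s, lifetime 43200 s (values are made up).
SAMPLE_OLD = bytes.fromhex("07ce070f0c000000") + b"+\x00\x00"
SAMPLE_NEW = bytes.fromhex("07ce070f12000000") + b"+\x00\x00"

if __name__ == "__main__":
    for key, value in tek_rekey_window(SAMPLE_OLD, SAMPLE_NEW, 600, 43200).items():
        print(key, value)
```

A management station polling this table would alert when the current
time passes cm_rekey_deadline with in_transition still false, since that
means the CM has not obtained its replacement TEK inside the grace
window and will lose traffic when the old key expires.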
5. Acknowledgments
This document was produced by the IPCDN Working Group. Much of the
content of this MIB was conceived by Chet Birger from Yas Corporation,
and Mike StJohns from @Home Network.
6. References
[1] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
S. Waldbusser, "Structure of Management Information for Version 2
of the Simple Network Management Protocol (SNMPv2)", RFC 1902,
January 1996.
[2] McCloghrie, K., and M. Rose, Editors, "Management Information
Base for Network Management of TCP/IP-based internets: MIB-II",
STD 17, RFC 1213, March 1991.
[3] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "A Simple
Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.
[4] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and
S. Waldbusser, "Protocol Operations for Version 2 of the Simple
Network Management Protocol (SNMPv2)", RFC 1905, January 1996.
[5] Roeck, G., editor, "Radio Frequency (RF) Interface Management
Information Base for MCNS compliant RF Interfaces", Internet
draft draft-ietf-ipcdn-rf-interface-mib-04.txt, May 1998.
[6] Roeck, G., editor, "Cable Device Management Information
Base for MCNS compliant Cable Modems and Cable Modem
Termination Systems", Internet draft
draft-ietf-ipcdn-cable-device-mib-04.txt, May 1998.
[7] "MCNS Data Over Cable Services, Baseline Privacy Interface
Specification, SP-BPI-I01-970922", CableLabs, September 1997.
[8] "MCNS Data Over Cable Services, Radio Frequency Interface
Specification, SP-RFI-I02-971008", CableLabs, October 1997.
[9] "MCNS Data Over Cable Services, OSSI Specification, RF Interface,
SP-OSSI-RFI-I02-980410", CableLabs, April 1998.
[10] RSA Laboratories, "The Public-Key Cryptography Standards",
RSA Data Security Inc., Redwood City, CA.
[11] Harrington, D., Presuhn, R., and Wijnen, B., "An Architecture
for Describing SNMP Management Frameworks", RFC 2271, January
1998.
7. Security Considerations
The Baseline Privacy Interface provides data encryption for MCNS
data-over-cable services. Baseline Privacy-capable cable modems have
RSA private/public key pairs installed by manufacturers. The public
key is used to encrypt an Authorization key, and the Authorization
key is used to encrypt one or more Traffic Encryption Keys (TEKs).
The TEKs are used to encrypt both upstream and downstream data
traffic. Please refer to [7] to obtain further information on the
Baseline Privacy specification.
Note that the Baseline Privacy Interface does not provide an
authentication service. CMTS implementors are encouraged not to rely
on the MAC address of the CM for service authorization (in
particular, for the docsBpiMulticastAuthTable in this MIB) without
verifying the association between the MAC address and the RSA public
key. The mechanism to verify the MAC address to RSA public key
association is beyond the scope of this specification.
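To make that caveat concrete, here is an added Python example (not
code from this draft or from any CMTS): it models the two multicast
tables of this MIB as in-memory rows, resolves a downstream destination
to a multicast SID by longest-prefix match (the draft does not say how
overlapping prefixes are resolved, so that rule is this example's
assumption), and treats a docsBpiMulticastAuthTable row as authorizing
a CM only when the public key the CMTS learned from that CM's
Authorization Request (docsBpiCmtsAuthCmPublicKey) matches an
operator-provisioned record for that MAC address. The provisioned-key
record, the sample rows, the MAC addresses and the key byte strings are
all constructed.

```python
"""Added example, not part of the draft: in-memory model of the CMTS
multicast mapping and authorization tables, with the MAC-to-RSA-key
check that the security considerations ask for."""
import ipaddress
from dataclasses import dataclass, field

# SYNTAX of docsBpiIpMulticastServiceId / docsBpiMulticastServiceId.
MULTICAST_SID_RANGE = (8192, 16368)


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form of a 48-bit MAC address."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class CmtsBpiTables:
    # docsBpiIpMulticastMapTable rows: (ifIndex, prefix) -> multicast SID
    ip_multicast_map: dict = field(default_factory=dict)
    # active docsBpiMulticastAuthTable rows: (ifIndex, SID, CM MAC)
    multicast_auth: set = field(default_factory=set)
    # docsBpiCmtsAuthCmPublicKey per (ifIndex, CM MAC), as received in the
    # CM's Authorization Request (stand-in bytes here, not real DER keys)
    auth_cm_public_key: dict = field(default_factory=dict)

    def add_map_row(self, if_index: int, prefix: str, sid: int) -> None:
        net = ipaddress.ip_network(prefix, strict=True)
        if net.version != 4 or not net.is_multicast:
            raise ValueError("only IPv4 multicast prefixes can be mapped")
        if not MULTICAST_SID_RANGE[0] <= sid <= MULTICAST_SID_RANGE[1]:
            raise ValueError("SID %d outside the multicast SID range" % sid)
        self.ip_multicast_map[(if_index, net)] = sid

    def add_auth_row(self, if_index: int, sid: int, cm_mac: str) -> None:
        self.multicast_auth.add((if_index, sid, norm_mac(cm_mac)))

    def lookup_sid(self, if_index: int, dst: str):
        """SID for a downstream IP multicast destination on one MAC interface.
        Longest-prefix match is this example's choice; the draft does not say
        how overlapping prefixes are resolved."""
        addr = ipaddress.ip_address(dst)
        best_net, best_sid = None, None
        for (ifi, net), sid in self.ip_multicast_map.items():
            if ifi != if_index or addr not in net:
                continue
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_sid = net, sid
        return best_sid

    def cm_authorized(self, if_index: int, sid: int, cm_mac: str,
                      provisioned_keys: dict) -> bool:
        """True only if (a) an auth row exists for this MAC and SID and (b) the
        public key this MAC presented in its Authorization Request equals the
        key the operator provisioned for it.  BPI does not authenticate the
        MAC address, so (a) alone can be satisfied by a cloned MAC."""
        mac = norm_mac(cm_mac)
        if (if_index, sid, mac) not in self.multicast_auth:
            return False
        presented = self.auth_cm_public_key.get((if_index, mac))
        return presented is not None and presented == provisioned_keys.get(mac)


def build_sample():
    """Constructed rows for one CMTS MAC interface (ifIndex 3)."""
    t = CmtsBpiTables()
    t.add_map_row(3, "224.0.0.0/4", 8192)     # catch-all multicast SID
    t.add_map_row(3, "239.1.0.0/16", 8193)    # site-local range
    t.add_map_row(3, "239.1.2.0/24", 8194)    # a premium channel group
    legit = "00:10:95:aa:bb:cc"
    t.add_auth_row(3, 8194, legit)
    # Key learned from the genuine CM's Authorization Request (constructed).
    t.auth_cm_public_key[(3, norm_mac(legit))] = b"DER-of-legit-CM-key"
    provisioned = {norm_mac(legit): b"DER-of-legit-CM-key"}
    return t, provisioned


def mac_clone_is_rejected() -> bool:
    """A CM cloning the legitimate MAC presents its own RSA key, so the
    key-binding check fails even though the auth row matches."""
    t, provisioned = build_sample()
    t.auth_cm_public_key[(3, norm_mac("00:10:95:aa:bb:cc"))] = b"DER-of-attacker-key"
    return not t.cm_authorized(3, 8194, "00:10:95:AA:BB:CC", provisioned)


if __name__ == "__main__":
    tables, prov = build_sample()
    print(tables.lookup_sid(3, "239.1.2.5"),
          tables.cm_authorized(3, 8194, "00:10:95:aa:bb:cc", prov))
    print("clone rejected:", mac_clone_is_rejected())
```

The provisioned_keys dictionary stands in for whatever out-of-band
record the operator keeps (the draft leaves that mechanism out of
scope); without it, cm_authorized would collapse to the MAC-only check
that the text warns against.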
This MIB specification contains a number of read-write objects that
should be protected from unauthorized modification, to prevent denial
of service and theft of service attacks: in particular, objects that
enable or disable privacy (e.g. docsBpiCmTEKPrivacyEnable), reset
state machines (e.g. docsBpiCmAuthReset), set key lifetimes (e.g.
docsBpiCmtsDefaultAuthLifetime) and rekeying grace times (e.g.
docsBpiCmtsDefaultAuthGraceTime), and control multicast traffic (i.e.
any object in the docsBpiMulticastControl group).
The preferred means to protect these objects from unwarranted access is
to implement the SNMPv3 Management Frameworks [11] on CMs and CMTSs,
with implementations of a Security Model and an Access Control Model
that satisfy the security and access control needs of the cable
service provider. SNMPv3 agent implementations are currently not
required for the MCNS data over cable service.
Other means to protect CMs from unauthorized access include using the
docsDevNmAccessTable from the Cable Device MIB [6] to disallow
configuration changes from unauthorized network management stations,
and using the SNMP MIB Object and SNMP Write-Access Control
configuration file options from the Radio Frequency Interface [8] to
set MIB object values and disable SNMP SET operations at cable modem
boot time. Note that these mechanisms may be vulnerable to an
unauthorized network management station "spoofing" the source address
of a legitimate network management station.
8. Author's Address
Richard Woundy
American Internet Corporation
4 Preston Court
Bedford, MA 01730
U.S.A.
Phone: +1 781 276 4509
Email: rwoundy@american.com
9. Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.