
RFC 4131

Management Information Base for Data Over Cable Service Interface Specification (DOCSIS) Cable Modems and Cable Modem Termination Systems for Baseline Privacy Plus

Pages: 85
Proposed Standard
Updated by:  9141
Part 4 of 4 – Pages 62 to 85

Top   ToC   RFC4131 - Page 62   prevText
      docsBpi2CmtsCACertIndex OBJECT-TYPE
           SYNTAX         Unsigned32 (1..4294967295)
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The index for this row."
           ::= { docsBpi2CmtsCACertEntry 1 }

      docsBpi2CmtsCACertSubject OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The subject name exactly as it is encoded in the
           X509 certificate.
           The organizationName portion of the certificate's subject
           name must be present.  All other fields are optional.  Any
           optional field present must be prepended with <CR>
           (carriage return, U+000D) <LF> (line feed, U+000A).
           Ordering of fields present must conform to the following:

           organizationName <CR> <LF>
           countryName <CR> <LF>
           stateOrProvinceName <CR> <LF>
           localityName <CR> <LF>
           organizationalUnitName <CR> <LF>
           organizationalUnitName=<Manufacturing Location> <CR> <LF>
           commonName"
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2.4"
           ::= { docsBpi2CmtsCACertEntry 2 }

      docsBpi2CmtsCACertIssuer OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The issuer name exactly as it is encoded in the
           X509 certificate.
           The commonName portion of the certificate's issuer
           name must be present.  All other fields are optional.  Any
           optional field present must be prepended with <CR>
           (carriage return, U+000D) <LF> (line feed, U+000A).
           Ordering of fields present must conform to the following:

           CommonName <CR><LF>
           countryName <CR><LF>
           stateOrProvinceName <CR><LF>
           localityName <CR><LF>
           organizationName <CR><LF>
           organizationalUnitName <CR><LF>
           organizationalUnitName=<Manufacturing Location>"
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2.4"
           ::= { docsBpi2CmtsCACertEntry 3 }

      docsBpi2CmtsCACertSerialNumber OBJECT-TYPE
           SYNTAX         OCTET STRING (SIZE (1..32))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "This CA certificate's serial number, represented as
           an octet string."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2.2"
           ::= { docsBpi2CmtsCACertEntry 4 }

      docsBpi2CmtsCACertTrust OBJECT-TYPE
           SYNTAX    INTEGER {
                             trusted (1),
                             untrusted (2),
                             chained (3),
                             root (4)
                             }
           MAX-ACCESS     read-create
           STATUS    current
           DESCRIPTION
                "This object controls the trust status of this
           certificate.  Root certificates must be given root(4)
           trust; manufacturer certificates must not be given root(4)
           trust.  Trust on root certificates must not change.
           Note: Setting this object need only affect the validity of
           CM certificates sent in future authorization requests;
           instantaneous effect need not occur."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.1"
           DEFVAL { chained }
           ::= { docsBpi2CmtsCACertEntry 5 }

      docsBpi2CmtsCACertSource OBJECT-TYPE
           SYNTAX    INTEGER {
                     snmp (1),
                     configurationFile (2),
                     externalDatabase (3),
                     other (4),
                     authentInfo (5),
                     compiledIntoCode (6)
                     }
           MAX-ACCESS     read-only
           STATUS    current
           DESCRIPTION
                "This object indicates how the certificate reached
           the CMTS.  Other(4) means that it originated from a source
           not identified above."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.1"
           ::= { docsBpi2CmtsCACertEntry 6 }

      docsBpi2CmtsCACertStatus OBJECT-TYPE
           SYNTAX         RowStatus
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "The status of this conceptual row.  An attempt
           to set writable columnar values while this row is active
           behaves as follows:
           - Sets to the object docsBpi2CmtsCACertTrust are allowed.
           - Sets to the object docsBpi2CmtsCACert will return an
             error of 'inconsistentValue'.
           A newly created entry cannot be set to active until the
           value of docsBpi2CmtsCACert has been set."
           ::= { docsBpi2CmtsCACertEntry 7 }

      docsBpi2CmtsCACert  OBJECT-TYPE
           SYNTAX         DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "An X509 DER-encoded Certificate Authority
           certificate.
           To help identify certificates, either this object or
           docsBpi2CmtsCACertThumbprint must be returned by a CMTS for
           self-signed CA certificates.

           Note: The zero-length OCTET STRING must be returned, on
           reads, if the entire certificate is not retained in the
           CMTS."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2."
           ::= { docsBpi2CmtsCACertEntry 8 }

      docsBpi2CmtsCACertThumbprint OBJECT-TYPE
           SYNTAX         OCTET STRING (SIZE (20))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The SHA-1 hash of a CA certificate.
           To help identify certificates, either this object or
           docsBpi2CmtsCACert must be returned by a CMTS for
           self-signed CA certificates.

           Note: The zero-length OCTET STRING must be returned, on
           reads, if the CA certificate thumb print is not retained
           in the CMTS."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.3"
           ::= { docsBpi2CmtsCACertEntry 9 }

      --
      -- Authenticated Software Download Objects
      --

      --
      -- Note: the authenticated software download objects are a
      -- CM requirement only.
      --

      docsBpi2CodeDownloadControl OBJECT IDENTIFIER
           ::= { docsBpi2MIBObjects 4 }

      docsBpi2CodeDownloadStatusCode     OBJECT-TYPE
           SYNTAX    INTEGER {
                             configFileCvcVerified (1),
                             configFileCvcRejected (2),
                             snmpCvcVerified (3),
                             snmpCvcRejected (4),
                             codeFileVerified (5),
                             codeFileRejected (6),
                             other (7)
                             }
           MAX-ACCESS     read-only
           STATUS    current
           DESCRIPTION
               "The value indicates the result of the latest config
           file CVC verification, SNMP CVC verification, or code file
           verification."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections D.3.3.2 and D.3.5.1."
           ::= { docsBpi2CodeDownloadControl 1 }

      docsBpi2CodeDownloadStatusString   OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object indicates the additional
           information to the status code.  The value will include
           the error code and error description, which will be defined
           separately."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.7"
           ::= { docsBpi2CodeDownloadControl 2 }

      docsBpi2CodeMfgOrgName   OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the device manufacturer's
           organizationName."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 3 }

      docsBpi2CodeMfgCodeAccessStart     OBJECT-TYPE
           SYNTAX         DateAndTime  (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the device manufacturer's
           current codeAccessStart value.  This value will always
           refer to Greenwich Mean Time (GMT), and the value
           format must contain TimeZone information (fields 8-10)."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 4 }

      docsBpi2CodeMfgCvcAccessStart OBJECT-TYPE
           SYNTAX         DateAndTime (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the device manufacturer's
           current cvcAccessStart value.  This value will always
           refer to Greenwich Mean Time (GMT), and the value
           format must contain TimeZone information (fields 8-10)."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 5 }

      docsBpi2CodeCoSignerOrgName   OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the co-signer's
           organizationName.  The value is a zero length string if
           the co-signer is not specified."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 6 }

      docsBpi2CodeCoSignerCodeAccessStart     OBJECT-TYPE
           SYNTAX         DateAndTime (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the co-signer's current
           codeAccessStart value.  This value will always refer to
           Greenwich Mean Time (GMT), and the value format must contain
           TimeZone information (fields 8-10).
           If docsBpi2CodeCoSignerOrgName is a zero
           length string, the value of this object is meaningless."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 7 }

      docsBpi2CodeCoSignerCvcAccessStart OBJECT-TYPE
           SYNTAX         DateAndTime (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the co-signer's current
           cvcAccessStart value.  This value will always refer to
           Greenwich Mean Time (GMT), and the value format must contain
           TimeZone information (fields 8-10).
           If docsBpi2CodeCoSignerOrgName is a zero
           length string, the value of this object is meaningless."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 8 }

      docsBpi2CodeCvcUpdate    OBJECT-TYPE
           SYNTAX         DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
               "Setting a CVC to this object triggers the device
           to verify the CVC and update the cvcAccessStart values.
           The content of this object is then discarded.
           If the device is not enabled to upgrade codefiles, or if
           the CVC verification fails, the CVC will be rejected.
           Reading this object always returns the zero-length OCTET
           STRING."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.3.2.2."
           ::= { docsBpi2CodeDownloadControl 9 }

      --
      -- The BPI+ MIB Conformance Statements (with a placeholder for
      -- notifications)
      --

      docsBpi2Notification     OBJECT IDENTIFIER
           ::= { docsBpi2MIB 0 }
      docsBpi2Conformance OBJECT IDENTIFIER
           ::= { docsBpi2MIB 2 }
      docsBpi2Compliances OBJECT IDENTIFIER
           ::= { docsBpi2Conformance 1 }
      docsBpi2Groups      OBJECT IDENTIFIER
           ::= { docsBpi2Conformance 2 }


      docsBpi2CmCompliance MODULE-COMPLIANCE
           STATUS         current
           DESCRIPTION
                "This is the compliance statement for CMs that
           implement the DOCSIS Baseline Privacy Interface Plus."

           MODULE  -- docsBpi2MIB
           -- unconditionally mandatory group
           MANDATORY-GROUPS {
                  docsBpi2CmGroup,
                  docsBpi2CodeDownloadGroup
           }

      -- constrain on Encryption algorithms
      OBJECT docsBpi2CmTEKDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           DESCRIPTION
                "It is compliant to support des56CbcMode(1) and
           des40CbcMode(2) for data encryption algorithms."

      -- constrain on Integrity algorithms
      OBJECT docsBpi2CmTEKDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           DESCRIPTION
                "It is compliant to not support data message
           authentication algorithms."

      -- constrain on IP addressing
      OBJECT    docsBpi2CmIpMulticastAddressType
           SYNTAX InetAddressType { ipv4(1) }
           DESCRIPTION
                "An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      -- constrain on IP addressing
      OBJECT    docsBpi2CmIpMulticastAddress
           SYNTAX  InetAddress (SIZE(4))
           DESCRIPTION
                 "An implementation is only required to support IPv4
            addresses.  Support for other address types may be defined
            in future versions of this MIB module."

      -- constrain on Encryption algorithms
      OBJECT docsBpi2CmCryptoSuiteDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           DESCRIPTION
                "It is compliant to only support des56CbcMode(1)
           and des40CbcMode(2) for data encryption algorithms."

      -- constrain on Integrity algorithms
      OBJECT docsBpi2CmCryptoSuiteDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           DESCRIPTION
                "It is compliant to not support data message
           authentication algorithms."

      ::= { docsBpi2Compliances 1 }


      docsBpi2CmtsCompliance MODULE-COMPLIANCE
           STATUS         current
           DESCRIPTION
                "This is the compliance statement for CMTSs that
           implement the DOCSIS Baseline Privacy Interface Plus."

           MODULE  -- docsBpi2MIB
           -- unconditionally mandatory group
           MANDATORY-GROUPS {
                  docsBpi2CmtsGroup
           }

      -- unconditionally optional group
      GROUP     docsBpi2CodeDownloadGroup
           DESCRIPTION
                 "This group is optional for CMTSes.  The implementation
            decision of this group is left to the vendor."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsDefaultAuthLifetime
           SYNTAX    Integer32 (86400..6048000)
           DESCRIPTION
                "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsDefaultTEKLifetime
           SYNTAX    Integer32 (1800..604800)
           DESCRIPTION
               "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsAuthCmLifetime
           SYNTAX    Integer32 (86400..6048000)
           DESCRIPTION
               "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on Encryption algorithms

      OBJECT    docsBpi2CmtsTEKDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           DESCRIPTION
                "It is compliant to only support des56CbcMode(1)
           and des40CbcMode(2) for data encryption."

      -- constrain on Integrity algorithms

      OBJECT    docsBpi2CmtsTEKDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           DESCRIPTION
                "It is compliant to not support data message
           authentication algorithms."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsTEKLifetime
           SYNTAX    Integer32 (1800..604800)
           DESCRIPTION
               "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on access
      -- constrain on IP Addressing

      OBJECT    docsBpi2CmtsIpMulticastAddressType
           SYNTAX      InetAddressType { ipv4(1) }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      OBJECT    docsBpi2CmtsIpMulticastAddress
           SYNTAX  InetAddress (SIZE(4))
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      OBJECT    docsBpi2CmtsIpMulticastMask
           SYNTAX  InetAddress (SIZE(4))
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      -- constrain on access

      OBJECT    docsBpi2CmtsIpMulticastSAId
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required."

      OBJECT    docsBpi2CmtsIpMulticastSAType
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required."

      -- constrain on access
      -- constrain on Encryption algorithms

      OBJECT    docsBpi2CmtsIpMulticastDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           It is compliant to only support des56CbcMode(1)
           and des40CbcMode(2) for data encryption"

      -- constrain on access
      -- constrain on Integrity algorithms

      OBJECT    docsBpi2CmtsIpMulticastDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           It is compliant to not support data message
           authentication algorithms."

      -- constrain on access

      OBJECT    docsBpi2CmtsMulticastAuthControl
           MIN-ACCESS  read-only
           DESCRIPTION
                "Write access is not required."

      ::= { docsBpi2Compliances 2 }

      docsBpi2CmGroup     OBJECT-GROUP
           OBJECTS   {
                docsBpi2CmPrivacyEnable,
                docsBpi2CmPublicKey,
                docsBpi2CmAuthState,
                docsBpi2CmAuthKeySequenceNumber,
                docsBpi2CmAuthExpiresOld,
                docsBpi2CmAuthExpiresNew,
                docsBpi2CmAuthReset,
                docsBpi2CmAuthGraceTime,
                docsBpi2CmTEKGraceTime,
                docsBpi2CmAuthWaitTimeout,
                docsBpi2CmReauthWaitTimeout,
                docsBpi2CmOpWaitTimeout,
                docsBpi2CmRekeyWaitTimeout,
                docsBpi2CmAuthRejectWaitTimeout,
                docsBpi2CmSAMapWaitTimeout,
                docsBpi2CmSAMapMaxRetries,
                docsBpi2CmAuthentInfos,
                docsBpi2CmAuthRequests,
                docsBpi2CmAuthReplies,
                docsBpi2CmAuthRejects,
                docsBpi2CmAuthInvalids,
                docsBpi2CmAuthRejectErrorCode,
                docsBpi2CmAuthRejectErrorString,
                docsBpi2CmAuthInvalidErrorCode,
                docsBpi2CmAuthInvalidErrorString,
                docsBpi2CmTEKSAType,
                docsBpi2CmTEKDataEncryptAlg,
                docsBpi2CmTEKDataAuthentAlg,
                docsBpi2CmTEKState,
                docsBpi2CmTEKKeySequenceNumber,
                docsBpi2CmTEKExpiresOld,
                docsBpi2CmTEKExpiresNew,
                docsBpi2CmTEKKeyRequests,
                docsBpi2CmTEKKeyReplies,
                docsBpi2CmTEKKeyRejects,
                docsBpi2CmTEKInvalids,
                docsBpi2CmTEKAuthPends,
                docsBpi2CmTEKKeyRejectErrorCode,
                docsBpi2CmTEKKeyRejectErrorString,
                docsBpi2CmTEKInvalidErrorCode,
                docsBpi2CmTEKInvalidErrorString,
                docsBpi2CmIpMulticastAddressType,
                docsBpi2CmIpMulticastAddress,
                docsBpi2CmIpMulticastSAId,
                docsBpi2CmIpMulticastSAMapState,
                docsBpi2CmIpMulticastSAMapRequests,
                docsBpi2CmIpMulticastSAMapReplies,
                docsBpi2CmIpMulticastSAMapRejects,
                docsBpi2CmIpMulticastSAMapRejectErrorCode,
                docsBpi2CmIpMulticastSAMapRejectErrorString,
                docsBpi2CmDeviceCmCert,
                docsBpi2CmDeviceManufCert,
                docsBpi2CmCryptoSuiteDataEncryptAlg,
                docsBpi2CmCryptoSuiteDataAuthentAlg
                }
           STATUS         current
           DESCRIPTION
                "This collection of objects provides CM BPI+ status
           and control."
      ::= { docsBpi2Groups 1 }

      docsBpi2CmtsGroup   OBJECT-GROUP
           OBJECTS {
                docsBpi2CmtsDefaultAuthLifetime,
                docsBpi2CmtsDefaultTEKLifetime,
                docsBpi2CmtsDefaultSelfSignedManufCertTrust,
                docsBpi2CmtsCheckCertValidityPeriods,
                docsBpi2CmtsAuthentInfos,
                docsBpi2CmtsAuthRequests,
                docsBpi2CmtsAuthReplies,
                docsBpi2CmtsAuthRejects,
                docsBpi2CmtsAuthInvalids,
                docsBpi2CmtsSAMapRequests,
                docsBpi2CmtsSAMapReplies,
                docsBpi2CmtsSAMapRejects,
                docsBpi2CmtsAuthCmBpiVersion,
                docsBpi2CmtsAuthCmPublicKey,
                docsBpi2CmtsAuthCmKeySequenceNumber,
                docsBpi2CmtsAuthCmExpiresOld,
                docsBpi2CmtsAuthCmExpiresNew,
                docsBpi2CmtsAuthCmLifetime,
                docsBpi2CmtsAuthCmReset,
                docsBpi2CmtsAuthCmInfos,
                docsBpi2CmtsAuthCmRequests,
                docsBpi2CmtsAuthCmReplies,
                docsBpi2CmtsAuthCmRejects,
                docsBpi2CmtsAuthCmInvalids,
                docsBpi2CmtsAuthRejectErrorCode,
                docsBpi2CmtsAuthRejectErrorString,
                docsBpi2CmtsAuthInvalidErrorCode,
                docsBpi2CmtsAuthInvalidErrorString,
                docsBpi2CmtsAuthPrimarySAId,
                docsBpi2CmtsAuthBpkmCmCertValid,
                docsBpi2CmtsAuthBpkmCmCert,
                docsBpi2CmtsAuthCACertIndexPtr,
                docsBpi2CmtsTEKSAType,
                docsBpi2CmtsTEKDataEncryptAlg,
                docsBpi2CmtsTEKDataAuthentAlg,
                docsBpi2CmtsTEKLifetime,
                docsBpi2CmtsTEKKeySequenceNumber,
                docsBpi2CmtsTEKExpiresOld,
                docsBpi2CmtsTEKExpiresNew,
                docsBpi2CmtsTEKReset,
                docsBpi2CmtsKeyRequests,
                docsBpi2CmtsKeyReplies,
                docsBpi2CmtsKeyRejects,
                docsBpi2CmtsTEKInvalids,
                docsBpi2CmtsKeyRejectErrorCode,
                docsBpi2CmtsKeyRejectErrorString,
                docsBpi2CmtsTEKInvalidErrorCode,
                docsBpi2CmtsTEKInvalidErrorString,
                docsBpi2CmtsIpMulticastAddressType,
                docsBpi2CmtsIpMulticastAddress,
                docsBpi2CmtsIpMulticastMask,
                docsBpi2CmtsIpMulticastSAId,
                docsBpi2CmtsIpMulticastSAType,
                docsBpi2CmtsIpMulticastDataEncryptAlg,
                docsBpi2CmtsIpMulticastDataAuthentAlg,
                docsBpi2CmtsIpMulticastSAMapRequests,
                docsBpi2CmtsIpMulticastSAMapReplies,
                docsBpi2CmtsIpMulticastSAMapRejects,
                docsBpi2CmtsIpMulticastSAMapRejectErrorCode,
                docsBpi2CmtsIpMulticastSAMapRejectErrorString,
                docsBpi2CmtsIpMulticastMapControl,
                docsBpi2CmtsIpMulticastMapStorageType,
                docsBpi2CmtsMulticastAuthControl,
                docsBpi2CmtsProvisionedCmCertTrust,
                docsBpi2CmtsProvisionedCmCertSource,
                docsBpi2CmtsProvisionedCmCertStatus,
                docsBpi2CmtsProvisionedCmCert,
                docsBpi2CmtsCACertSubject,
                docsBpi2CmtsCACertIssuer,
                docsBpi2CmtsCACertSerialNumber,
                docsBpi2CmtsCACertTrust,
                docsBpi2CmtsCACertSource,
                docsBpi2CmtsCACertStatus,
                docsBpi2CmtsCACert,
                docsBpi2CmtsCACertThumbprint
                }
           STATUS         current
           DESCRIPTION
                "This collection of objects provides CMTS BPI+ status
           and control."
      ::= { docsBpi2Groups 2 }

      docsBpi2CodeDownloadGroup OBJECT-GROUP
              OBJECTS {
                docsBpi2CodeDownloadStatusCode,
                docsBpi2CodeDownloadStatusString,
                docsBpi2CodeMfgOrgName,
                docsBpi2CodeMfgCodeAccessStart,
                docsBpi2CodeMfgCvcAccessStart,
                docsBpi2CodeCoSignerOrgName,
                docsBpi2CodeCoSignerCodeAccessStart,
                docsBpi2CodeCoSignerCvcAccessStart,
                docsBpi2CodeCvcUpdate
                }
           STATUS         current
           DESCRIPTION
                "This collection of objects provides authenticated
           software download support."
      ::= { docsBpi2Groups 3 }

      END
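The docsBpi2CmtsCACertSubject and docsBpi2CmtsCACertIssuer objects in the module above prescribe a specific line order and a <CR><LF> separator for the X.509 name they carry. The following Python is an added example, not part of RFC 4131 or of any CMTS implementation: it renders a name given as (attributeType, value) pairs into that SnmpAdminString form and splits a value read from the MIB back into fields. It assumes that each line carries the attribute value only (the DESCRIPTION clauses fix the ordering but not whether type names appear) and that a second organizationalUnitName is the "<Manufacturing Location>" OU named there; the sample names are constructed.

```python
# Added example; not part of RFC 4131 or of any CMTS implementation.
# Assumption: each line carries the attribute value only, and a second
# organizationalUnitName is the "<Manufacturing Location>" OU.
from typing import Dict, List, Tuple

CRLF = "\r\n"
MFG_LOCATION = "mfgLocation"   # internal key for the second organizationalUnitName

# Field ordering from the two DESCRIPTION clauses; the first entry is the
# mandatory field, everything after it is optional.
SUBJECT_ORDER = ["organizationName", "countryName", "stateOrProvinceName",
                 "localityName", "organizationalUnitName", MFG_LOCATION, "commonName"]
ISSUER_ORDER = ["commonName", "countryName", "stateOrProvinceName", "localityName",
                "organizationName", "organizationalUnitName", MFG_LOCATION]


def _index_rdns(rdns: List[Tuple[str, str]]) -> Dict[str, str]:
    """Turn (attributeType, value) pairs into a dict.  A second OU becomes the
    manufacturing-location field; any other duplicate is rejected, as is a
    value that already contains CR or LF (it would forge an extra field)."""
    fields: Dict[str, str] = {}
    for attr, value in rdns:
        if attr == "organizationalUnitName" and attr in fields:
            attr = MFG_LOCATION
        if attr in fields:
            raise ValueError(f"duplicate attribute {attr}")
        if "\r" in value or "\n" in value:
            raise ValueError("attribute values may not contain CR or LF")
        fields[attr] = value
    return fields


def _format_name(rdns: List[Tuple[str, str]], order: List[str]) -> str:
    fields = _index_rdns(rdns)
    mandatory = order[0]
    if mandatory not in fields:
        raise ValueError(f"{mandatory} must be present")
    # The mandatory field leads; each optional field present is prepended
    # with <CR><LF>, which is exactly a CRLF join in the prescribed order.
    text = CRLF.join(fields[key] for key in order if key in fields)
    if len(text.encode("utf-8")) > 255:   # SnmpAdminString holds at most 255 octets
        raise ValueError("name does not fit in a SnmpAdminString")
    return text


def format_subject(rdns: List[Tuple[str, str]]) -> str:
    """docsBpi2CmtsCACertSubject: organizationName mandatory, then the rest."""
    return _format_name(rdns, SUBJECT_ORDER)


def format_issuer(rdns: List[Tuple[str, str]]) -> str:
    """docsBpi2CmtsCACertIssuer: commonName mandatory, then the rest."""
    return _format_name(rdns, ISSUER_ORDER)


def split_name(text: str) -> List[str]:
    """Split a value read from the MIB.  A bare CR or LF left over means the
    agent did not use the <CR><LF> separator the DESCRIPTION requires."""
    parts = text.split(CRLF)
    if any("\r" in p or "\n" in p for p in parts):
        raise ValueError("fields must be separated by exactly <CR><LF>")
    return parts


# Constructed sample names (not taken from any real certificate).
SAMPLE_SUBJECT = [("countryName", "US"), ("organizationName", "Example Cable Co"),
                  ("organizationalUnitName", "Cable Modems"),
                  ("organizationalUnitName", "Anytown Plant"),
                  ("commonName", "Example Cable Modem Root CA")]
SAMPLE_ISSUER = [("organizationName", "Example Cable Co"),
                 ("commonName", "Example Root CA"), ("countryName", "US")]

if __name__ == "__main__":
    print(repr(format_subject(SAMPLE_SUBJECT)))
    print(repr(format_issuer(SAMPLE_ISSUER)))
```

Note that the input order of the pairs does not matter: the output is always in the order the MIB prescribes, which is what lets a manager compare values from different CMTS vendors.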
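The docsBpi2CmtsCACertTrust, docsBpi2CmtsCACertStatus, docsBpi2CmtsCACert and docsBpi2CmtsCACertThumbprint objects above spell out several SET rules (root certificates get root(4) trust and keep it, manufacturer certificates never get it, the certificate is not writable once the row is active, the row cannot go active before a certificate was set, and reads must yield the certificate or its SHA-1 thumbprint). The following Python is an added example, not part of RFC 4131 or of any CMTS implementation, that models those rules as an agent would enforce them. It assumes the row is told at provisioning time whether it holds a root or a manufacturer CA; the DER bytes are a constructed placeholder.

```python
# Added example; not part of RFC 4131 or of any CMTS implementation.
# Assumption: the row knows at provisioning time whether it is a root or a
# manufacturer CA certificate.
import hashlib
from dataclasses import dataclass
from typing import Callable, Tuple

# docsBpi2CmtsCACertTrust enumeration
TRUSTED, UNTRUSTED, CHAINED, ROOT = 1, 2, 3, 4
# RowStatus (RFC 2579) values used here
ACTIVE, NOT_READY = 1, 3


class InconsistentValue(Exception):
    """The SET is refused; the MIB names this error 'inconsistentValue'."""


def thumbprint(der_cert: bytes) -> bytes:
    """docsBpi2CmtsCACertThumbprint: SHA-1 over the DER certificate, 20 octets."""
    return hashlib.sha1(der_cert).digest()


@dataclass
class CACertRow:
    kind: str                    # "root" or "manufacturer" (assumption, see above)
    retain_full_cert: bool = True
    cert: bytes = b""            # docsBpi2CmtsCACert; zero-length when not retained
    thumb: bytes = b""           # docsBpi2CmtsCACertThumbprint; zero-length when not retained
    trust: int = CHAINED         # DEFVAL { chained }
    status: int = NOT_READY      # docsBpi2CmtsCACertStatus


def set_cert(row: CACertRow, der_cert: bytes) -> None:
    """SET of docsBpi2CmtsCACert: allowed only while the row is not active."""
    if row.status == ACTIVE:
        raise InconsistentValue("docsBpi2CmtsCACert is not writable once the row is active")
    if not der_cert:   # design choice of this example: an empty cert is not a provisioning
        raise InconsistentValue("an empty certificate cannot be provisioned")
    # Always keep the thumbprint: a CMTS that drops the full certificate must
    # still answer reads with one of the two identifying objects.
    row.thumb = thumbprint(der_cert)
    row.cert = der_cert if row.retain_full_cert else b""


def set_trust(row: CACertRow, new_trust: int) -> None:
    """SET of docsBpi2CmtsCACertTrust: permitted on an active row, but root
    certificates get root(4) and keep it, manufacturer certificates never get it."""
    if new_trust not in (TRUSTED, UNTRUSTED, CHAINED, ROOT):
        raise InconsistentValue("unknown trust value")
    if row.kind == "root" and new_trust != ROOT:
        raise InconsistentValue("root certificates must have root(4) trust, and it must not change")
    if row.kind != "root" and new_trust == ROOT:
        raise InconsistentValue("manufacturer certificates must not be given root(4) trust")
    row.trust = new_trust


def activate(row: CACertRow) -> None:
    """SET of docsBpi2CmtsCACertStatus to active(1): refused until a certificate was set."""
    if not row.thumb:
        raise InconsistentValue("row cannot become active until docsBpi2CmtsCACert has been set")
    row.status = ACTIVE


def read_identity(row: CACertRow) -> Tuple[bytes, bytes]:
    """Reads of the two identifying objects.  Whichever is not retained reads as
    the zero-length OCTET STRING; at least one of them must be non-empty."""
    if not row.cert and not row.thumb:
        raise InconsistentValue("neither the certificate nor its thumbprint is retained")
    return row.cert, row.thumb


def rejects(action: Callable, *args) -> bool:
    """True if the SET modelled by `action` is refused."""
    try:
        action(*args)
    except InconsistentValue:
        return True
    return False


# Constructed placeholder bytes; not a real DER certificate.
SAMPLE_DER = bytes.fromhex("300a02010105000403020107")

if __name__ == "__main__":
    row = CACertRow(kind="manufacturer")
    set_cert(row, SAMPLE_DER)
    activate(row)
    print("trust root(4) on manufacturer cert refused:", rejects(set_trust, row, ROOT))
    print("thumbprint:", read_identity(row)[1].hex())
```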
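The codeAccessStart and cvcAccessStart objects above (docsBpi2CodeMfgCodeAccessStart, docsBpi2CodeMfgCvcAccessStart and their co-signer counterparts) are DateAndTime values of exactly 11 octets, always referring to GMT and always carrying the time-zone fields 8-10. The following Python is an added example, not part of RFC 4131 or of any cable modem firmware: it encodes an aware datetime into that form, decodes it back, refuses the 8-octet variant that omits the zone, and checks that a read value is actually expressed in GMT. The sample timestamp is constructed.

```python
# Added example; not part of RFC 4131.  The field layout follows the RFC 2579
# DateAndTime textual convention; only the 11-octet form with fields 8-10 is accepted.
import struct
from datetime import datetime, timedelta, timezone

FMT = ">HBBBBBBcBB"   # year(2) month day hour min sec deci-sec sign tz-hours tz-minutes


def encode_date_and_time(dt: datetime) -> bytes:
    """Render an aware datetime as 11 octets in GMT ('+', 0, 0 time zone)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: the intended instant is ambiguous")
    u = dt.astimezone(timezone.utc)
    return struct.pack(FMT, u.year, u.month, u.day, u.hour, u.minute, u.second,
                       u.microsecond // 100000, b"+", 0, 0)


def decode_date_and_time(octets: bytes) -> datetime:
    """Parse an 11-octet value.  The 8-octet form without a time zone is refused
    because these objects promise that fields 8-10 are present."""
    if len(octets) != 11:
        raise ValueError(f"expected 11 octets with time-zone fields, got {len(octets)}")
    year, mon, day, hour, minute, sec, deci, sign, tzh, tzm = struct.unpack(FMT, octets)
    if sign not in (b"+", b"-") or deci > 9 or tzh > 13 or tzm > 59:
        raise ValueError("malformed DateAndTime fields")
    offset = timedelta(hours=tzh, minutes=tzm)
    if sign == b"-":
        offset = -offset
    return datetime(year, mon, day, hour, minute, sec, deci * 100000, tzinfo=timezone(offset))


def is_gmt_encoded(octets: bytes) -> bool:
    """True when fields 8-10 say '+00:00', i.e. the value refers to GMT as required."""
    return len(octets) == 11 and octets[8:11] == b"+\x00\x00"


def roundtrip_iso(dt: datetime) -> str:
    """Encode, decode and print in ISO form; the result is always in GMT."""
    return decode_date_and_time(encode_date_and_time(dt)).isoformat()


# Constructed sample: a local time in UTC-5 that the agent must report in GMT.
SAMPLE_LOCAL = datetime(2004, 4, 7, 12, 30, 15, 500000,
                        tzinfo=timezone(timedelta(hours=-5)))

if __name__ == "__main__":
    enc = encode_date_and_time(SAMPLE_LOCAL)
    print(enc.hex(), is_gmt_encoded(enc), roundtrip_iso(SAMPLE_LOCAL))
```

A manager that compares a code file's signing time with these values should decode with the zone fields rather than assume local time; an 8-octet value, or a value whose zone is not +00:00, is a sign that the agent does not follow the DESCRIPTION clause.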

4. Acknowledgements

Kaz Ozawa: Authenticated Software Download objects and general suggestions. Rich Woundy: BPI MIB and general MIB expertise. Mike St. Johns: BPI MIB and first version of BPI+ MIB. Bert Wijnen: Extensive comments in MIB syntax and accuracy. Thanks to Mike Sabin and Manson Wong for reviewing early BPI+ MIB drafts and to Jean-Francois Mule for contributing to the last versions.

5. Normative References

   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]    McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                "Structure of Management Information Version 2 (SMIv2)",
                STD 58, RFC 2578, April 1999.

   [RFC2579]    McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                "Textual Conventions for SMIv2", STD 58, RFC 2579,
                April 1999.

   [RFC2580]    McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                "Conformance Statements for SMIv2", STD 58, RFC 2580,
                April 1999.

   [RFC3411]    Harrington, D., Presuhn, R., and B. Wijnen, "An
                Architecture for Describing Simple Network Management
                Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
                December 2002.

   [RFC4001]    Daniele, M., Haberman, B., Routhier, S., and J.
                Schoenwaelder, "Textual Conventions for Internet Network
                Addresses", RFC 4001, February 2005.

   [RFC2863]    McCloghrie, K. and F. Kastenholz, "The Interfaces Group
                MIB", RFC 2863, June 2000.

   [RFC2670]    St. Johns, M., "Radio Frequency (RF) Interface
                Management Information Base for MCNS/DOCSIS compliant RF
                interfaces", RFC 2670, August 1999.

   [DOCSIS]     "Data-Over-Cable Service Interface Specifications:
                Baseline Privacy Plus Interface Specification SP-BPI+-
                I11-040407", DOCSIS, April 2004, available at
                http://www.cablemodem.com.
                http://www.cablelabs.com/specifications/archives.

6. Informative References

   [RFC3083]    Woundy, R., "Baseline Privacy Interface Management
                Information Base for DOCSIS Compliant Cable Modems and
                Cable Modem Termination Systems", RFC 3083, March 2001.

   [RFC3410]    Case, J., Mundy, R., Partain, D., and B. Stewart,
                "Introduction and Applicability Statements for
                Internet-Standard Management Framework", RFC 3410,
                December 2002.

   [RFC3513]    Hinden, R. and S. Deering, "Internet Protocol Version 6
                (IPv6) Addressing Architecture", RFC 3513, April 2003.

   [DOCSIS-1.0] "Data-Over-Cable Service Interface Specifications: DOCSIS
                1.0 Baseline Privacy Interface (BPI) ANSI/SCTE 22-2 2202,
                Available at http://www.scte.org.

   [DOCSIS-1.1] "Data-Over-Cable Service Interface Specifications:
                Operations Support System Interface Specification SP-
                OSSIv1.1-I07-030730", DOCSIS 1.1 July 2003, available at
                http://www.cablemodem.com.
                http://www.cablelabs.com/specifications/archives.

   [DOCSIS-2.0] "Data-Over-Cable Service Interface Specifications:
                Operations Support System Interface Specification SP-
                OSSIv2.0-I05-040407", DOCSIS 2.0 April 2004,
                http://www.cablemodem.com.
                http://www.cablelabs.com/specifications/archives.

   [IANA]       "Protocol Numbers and Assignment Services", IANA,
                http://www.iana.org/assignments/ianaiftype-mib.
Top   ToC   RFC4131 - Page 79

7. Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

   -  The following objects, if SNMP SET maliciously, could constitute
      denial of service or theft of service attacks or compromise the
      intended data privacy of users:

      Objects related to the Baseline Privacy Key Management (BPKM):

      docsBpi2CmAuthReset, docsBpi2CmtsAuthCmReset,
      docsBpi2CmtsTEKReset:
          These objects are used for initiating a re-key process.  A
          malicious massive SET attack may cause CMTS processing
          overload and may compromise the service.

      docsBpi2CmtsDefaultAuthLifetime, docsBpi2CmtsDefaultTEKLifetime,
      docsBpi2CmtsAuthCmLifetime, docsBpi2CmtsTEKLifetime:
          To minimize the risk of malicious or unintended short periods
          of time when key updates may lead to degradation or denial of
          service, implementers are encouraged to follow these objects'
          range constraints, as defined in the docsBpi2CmtsCompliance
          MODULE-COMPLIANCE clause for operational deployments.

      docsBpi2CmtsDefaultSelfSignedManufCertTrust:
          A malicious SET of this object so that self-signed
          certificates are rejected may constitute denial of service.
          This object is designed for testing purposes; therefore, it is
          not RECOMMENDED for use in commercial deployments [DOCSIS].
          Administrators can make use of View-based Access Control
          (VACM), introduced in section 7.9 of [RFC3410], to restrict
          write access to this object.

      docsBpi2CmtsCheckCertValidityPeriods:
          A malicious SET of this object that enables validity-period
          checking, combined with a wrong clock time in the CMTS, could
          cause denial of service, as CM authorization requests will be
          rejected.  For more details on the validation of CM
          certificates, refer to section 9 of [DOCSIS].

   Objects related to the CM only:

      Objects in docsBpi2CmDeviceCertTable

      docsBpi2CmDeviceCmCert:
          This object is not harmful, considering that a CM received a
          Certificate during the manufacturing process.  Therefore, the
          object access becomes read-only.  See the object DESCRIPTION
          clause in section 3 for details.

      Objects for Secure Software Download in table
      docsBpi2CodeDownloadControl:

      docsBpi2CodeCvcUpdate:
          A malicious SET on this object may not constitute a risk,
          since the CM holds the DOCSIS root key to verify the CVC
          authenticity.  The operator, if configured, could receive a
          notification for event occurrences, which may lead to
          detecting the source of the attack.  Moreover, [DOCSIS]
          recommends that CMs CVC be regularly updated to minimize the
          risk of potential code-signing keys being compromised (e.g.,
          by configuration file).

      Objects related to the CMTS only:

      Objects in docsBpi2CmtsProvisionedCmCertTable and
      docsBpi2CmtsCACertTable containing CM Certificates and Certificate
      Authority information, respectively:

      docsBpi2CmtsProvisionedCmCertTrust,
      docsBpi2CmtsProvisionedCmCertStatus,
      docsBpi2CmtsProvisionedCmCert,
      docsBpi2CmtsCACertStatus,
      docsBpi2CmtsCACert:
          A malicious SET on these objects may constitute a denial of
          service attack that will be experienced after the CMs perform
          authorization requests.  It does not affect CMs in the
          authorized state.

      Objects in multicast tables docsBpi2CmtsIpMulticastMapTable and
      docsBpi2CmtsMulticastAuthTable:

      docsBpi2CmtsIpMulticastAddressType,
      docsBpi2CmtsIpMulticastAddress,
      docsBpi2CmtsIpMulticastMaskType,
      docsBpi2CmtsIpMulticastMask,
      docsBpi2CmtsIpMulticastSAId,
      docsBpi2CmtsIpMulticastSAType:
          Malicious SET on these objects may cause misconfiguration,
          causing interruption of the users' active multicast
          applications.

      docsBpi2CmtsIpMulticastDataEncryptAlg,
      docsBpi2CmtsIpMulticastDataAuthentAlg:
          Malicious SETs on these objects may create service
          misconfiguration, causing service interruption or theft of
          service if encryption algorithms are removed for the multicast
          groups.

      docsBpi2CmtsIpMulticastMapControl,
      docsBpi2CmtsMulticastAuthControl:
          Malicious SETs on these objects may remove and/or disable
          customers and/or multicast groups, causing service disruption.
          This may also constitute theft of service by authorizing non-
          subscribed users to multicast groups or by adding other
          multicast groups in the forward path.
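      The re-key reset objects at the top of this list are the ones the
      text singles out for a "massive SET attack".  The following is an
      added example, not text or code from RFC 4131 or from any DOCSIS
      implementation, showing the detection side of that risk: it parses
      SNMP SET audit records and flags any source address that issues
      more than a threshold of SETs on docsBpi2CmAuthReset,
      docsBpi2CmtsAuthCmReset or docsBpi2CmtsTEKReset inside a sliding
      time window.  The audit record format and the sample records are
      constructed for the example; real agents and collectors log SETs in
      their own formats, so LOG_RE must be adapted.

```python
"""Added example: flag bursts of SNMP SETs on the BPI+ re-key reset objects.

Assumptions (not from RFC 4131): the audit record format below and the
sample records are constructed for this example; adapt LOG_RE to the
format your SNMP agent or collector actually writes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The three objects RFC 4131 names as re-key triggers that a massive SET
# attack could use to overload the CMTS.
REKEY_RESET_OBJECTS = frozenset({
    "docsBpi2CmAuthReset",
    "docsBpi2CmtsAuthCmReset",
    "docsBpi2CmtsTEKReset",
})

# Constructed record format:
#   <ISO-8601 timestamp> SET <source-ip> <snmp-user> <object>[.<index>] = <value>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SET (?P<src>\S+) (?P<user>\S+) "
    r"(?P<obj>[A-Za-z0-9]+)(?:\.[\d.]+)? = (?P<val>\S+)$"
)


def parse_set_record(line):
    """Return a dict for a SET audit record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "user": m["user"],
        "obj": m["obj"],
    }


def detect_reset_bursts(lines, window=timedelta(seconds=60), threshold=10):
    """Sliding-window count of reset SETs per source address.

    Returns {source: peak_count} for every source whose SETs on the reset
    objects exceeded `threshold` within any `window`.  Records must arrive
    in timestamp order (sort them first if the collector does not).
    """
    recent = defaultdict(deque)   # source -> timestamps inside the window
    peaks = {}
    for line in lines:
        ev = parse_set_record(line)
        if ev is None or ev["obj"] not in REKEY_RESET_OBJECTS:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[ev["src"]] = max(peaks.get(ev["src"], 0), len(q))
    return peaks


def constructed_sample_log():
    """Constructed audit records: an operator re-keying two modems over ten
    minutes, one source issuing 15 resets in under 30 seconds, and an
    unrelated SET that must not be counted."""
    base = datetime(2005, 9, 1, 12, 0, 0)

    def rec(offset, src, obj, val="true"):
        return f"{(base + offset).isoformat()} SET {src} noc-admin {obj} = {val}"

    lines = [
        rec(timedelta(0), "10.0.0.5", "docsBpi2CmtsAuthCmReset.3.1001"),
        rec(timedelta(minutes=9), "10.0.0.5", "docsBpi2CmtsTEKReset.3.1002"),
        rec(timedelta(seconds=5), "192.0.2.77",
            "docsBpi2CmtsDefaultAuthLifetime", "604800"),
    ]
    lines += [
        rec(timedelta(seconds=2 * i), "192.0.2.77",
            f"docsBpi2CmtsAuthCmReset.3.{2000 + i}")
        for i in range(15)
    ]
    return sorted(lines)   # ISO-8601 timestamps sort chronologically


if __name__ == "__main__":
    for src, peak in detect_reset_bursts(constructed_sample_log()).items():
        print(f"reset burst from {src}: {peak} SETs within 60s")
```

      The window and threshold are deliberately parameters: a legitimate
      maintenance script re-keying a whole service group will also look
      like a burst, so the threshold should be set above the operator's
      own bulk re-key rate, and the source/user fields used to whitelist
      the management hosts that are expected to do it.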

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

      Objects in docsBpi2CmBaseTable, docsBpi2CmTEKTable,
      docsBpi2CmtsBaseTable, docsBpi2CmtsAuthTable,
      docsBpi2CmtsTEKTable, docsBpi2CmtsProvisionedCmCertTable, and
      docsBpi2CmtsCACertTable:
          If this information is accessible, attackers may use it to
          distinguish users configured to work without data encryption
          (e.g., docsBpi2CmPrivacyEnable) and to know current Baseline
          Privacy parameters in the network.

      Objects in docsBpi2CmIpMulticastMapTable and
      docsBpi2CmtsMulticastAuthTable:
          In addition to the vulnerabilities around BPI plus multicast
          objects described in the previous part, the read-only objects
          of this table may help attackers monitor the status of the
          intrusion.

      Objects in docsBpi2CodeDownloadControl:
          In addition to the vulnerability of the read-write object
          docsBpi2CodeCvcUpdate, attackers may be able to monitor the
          status of a denial of service using Secure Software Download.
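      The tables just listed are exactly the ones a defender should poll
      first, since what helps an attacker "distinguish users configured to
      work without data encryption" also tells the operator which settings
      have drifted.  The following is an added example, not code from
      RFC 4131 or from any DOCSIS product, that audits a snapshot of these
      objects against a recorded baseline: it reports drift on the
      denial-of-service-sensitive CMTS scalars, lifetimes outside the
      compliance ranges, modems with docsBpi2CmPrivacyEnable off, and
      multicast groups whose encryption algorithm has been removed.  The
      snapshot and baseline are constructed dictionaries rather than
      polled values, the "trusted"/"untrusted" and "none" labels are this
      example's rendering of the INTEGER enumerations, and the lifetime
      bounds are placeholders to be replaced with the ranges from the
      docsBpi2CmtsCompliance clause.

```python
"""Added example: audit a snapshot of BPI+ MIB values for the settings whose
malicious or accidental change RFC 4131's security considerations tie to
denial of service, theft of service, or loss of data privacy.

Assumptions (not from RFC 4131): the snapshot and baseline dicts are
constructed for this example rather than polled from a CMTS or CM; the
labels "trusted"/"untrusted" and "none" are this example's rendering of the
INTEGER enumerations; the lifetime bounds are placeholders, to be replaced
with the ranges from the docsBpi2CmtsCompliance MODULE-COMPLIANCE clause.
"""
from dataclasses import dataclass

# Scalars the RFC lists as denial-of-service sensitive; any drift from the
# operator's recorded baseline is reported.
DOS_SENSITIVE_SCALARS = frozenset({
    "docsBpi2CmtsDefaultAuthLifetime",
    "docsBpi2CmtsDefaultTEKLifetime",
    "docsBpi2CmtsDefaultSelfSignedManufCertTrust",
    "docsBpi2CmtsCheckCertValidityPeriods",
})

# PLACEHOLDER bounds (seconds); take the real values from the compliance clause.
PLACEHOLDER_LIFETIME_BOUNDS = {
    "docsBpi2CmtsDefaultAuthLifetime": (86400, 6048000),
    "docsBpi2CmtsDefaultTEKLifetime": (1800, 604800),
    "docsBpi2CmtsAuthCmLifetime": (86400, 6048000),
    "docsBpi2CmtsTEKLifetime": (1800, 604800),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    obj: str     # object name with instance index, e.g. docsBpi2CmtsTEKLifetime.3.1001
    detail: str


def audit_bpi2_snapshot(snapshot, baseline, lifetime_bounds=PLACEHOLDER_LIFETIME_BOUNDS):
    """snapshot and baseline map "objectName[.index]" to the polled value."""
    findings = []
    for key, value in snapshot.items():
        obj = key.split(".", 1)[0]
        # 1. Drift on the DoS-sensitive CMTS scalars (self-signed cert trust
        #    flipped, validity-period checking toggled, default lifetimes changed).
        if obj in DOS_SENSITIVE_SCALARS and key in baseline and baseline[key] != value:
            findings.append(Finding("baseline-drift", key, f"{baseline[key]!r} -> {value!r}"))
        # 2. Lifetimes pushed outside the compliance ranges: very short
        #    lifetimes force constant re-keying, the degradation the RFC warns of.
        if obj in lifetime_bounds:
            lo, hi = lifetime_bounds[obj]
            if not lo <= value <= hi:
                findings.append(Finding("lifetime-out-of-range", key, f"{value} not in [{lo}, {hi}]"))
        # 3. Modems running without encryption; the RFC notes an attacker with
        #    GET access looks for exactly these, so the operator should know first.
        if obj == "docsBpi2CmPrivacyEnable" and value is False:
            findings.append(Finding("privacy-disabled", key, "CM runs without BPI+ encryption"))
        # 4. Multicast SAs whose encryption algorithm has been removed.
        if obj == "docsBpi2CmtsIpMulticastDataEncryptAlg" and value == "none":
            findings.append(Finding("multicast-unencrypted", key, "no encryption on multicast group"))
    return findings


# Constructed data: a recorded-good baseline and a later snapshot with four
# deviations an operator would want to see.
CONSTRUCTED_BASELINE = {
    "docsBpi2CmtsDefaultAuthLifetime": 604800,
    "docsBpi2CmtsDefaultTEKLifetime": 43200,
    "docsBpi2CmtsDefaultSelfSignedManufCertTrust": "untrusted",
    "docsBpi2CmtsCheckCertValidityPeriods": True,
}
CONSTRUCTED_SNAPSHOT = {
    **CONSTRUCTED_BASELINE,
    "docsBpi2CmtsDefaultSelfSignedManufCertTrust": "trusted",   # drifted
    "docsBpi2CmtsTEKLifetime.3.1001": 60,                       # forced re-keying
    "docsBpi2CmtsTEKLifetime.3.1002": 43200,
    "docsBpi2CmPrivacyEnable.1": False,
    "docsBpi2CmPrivacyEnable.2": True,
    "docsBpi2CmtsIpMulticastDataEncryptAlg.3.1": "des56CbcMode",
    "docsBpi2CmtsIpMulticastDataEncryptAlg.3.2": "none",
}

if __name__ == "__main__":
    for f in audit_bpi2_snapshot(CONSTRUCTED_SNAPSHOT, CONSTRUCTED_BASELINE):
        print(f"{f.kind:22} {f.obj}: {f.detail}")
```

      Polling these objects for the audit is itself a GET of sensitive
      values, so it belongs on the same SNMPv3 authPriv channel the text
      recommends below, not on an SNMPv1/v2c community.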

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

   BPI+ Encryption Algorithms:

   The BPI+ Traffic Encryption Keys (TEK) defined in the DOCSIS BPI+
   specification [DOCSIS] use 40-bit or 56-bit DES for encryption (DES
   CBC mode).  Currently, there is no mechanism or algorithm defined for
   data integrity.

   Due to the DES cryptographic weaknesses, future revisions of the
   DOCSIS BPI+ specification should introduce more advanced encryption
   algorithms, as proposed in the DocsBpkmDataEncryptAlg textual
   convention, to overcome the progress in cheaper and faster hardware
   or software decryption tools.  Future revisions of the DOCSIS BPI+
   specification [DOCSIS] should also adopt authentication algorithms,
   as described in the DocsBpkmDataAuthentAlg textual convention.

   It is important to note that frequent key changes do not necessarily
   help in mitigating or reducing the risks of a DES attack.  Indeed,
   the traffic encryption keys, which are configured on a per cable
   modem basis and per BPI+ multicast group, can be utilized to decrypt
   old traffic, even when they are no longer in active use.

   Note that, although not exempt from the same recommendations above,
   the CM BPI+ authorization protocol uses triple DES encryption, which
   offers improved robustness in comparison to DES for CM authorization
   and TEK re-key management.

8. IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER value, recorded in the SMI Numbers registry:

      Descriptor        OBJECT IDENTIFIER Value
      ----------        -----------------------
      docsBpi2MIB       { mib-2 126 }

Authors' Addresses

   Stuart M. Green

   EMail: rubbersoul3@yahoo.com


   Kaz Ozawa
   Automotive Systems Development Center
   TOSHIBA CORPORATION
   1-1, Shibaura 1-Chome
   Minato-ku, Tokyo 105-8001
   Japan

   Phone: +81-3-3457-8569
   Fax:   +81-3-5444-9325
   EMail: Kazuyoshi.Ozawa@toshiba.co.jp


   Alexander Katsnelson

   Phone: +1-303-680-3924
   EMail: katsnelson6@peoplepc.com


   Eduardo Cardona
   Cable Television Laboratories, Inc.
   858 Coal Creek Circle
   Louisville, CO 80027-9750
   U.S.A.

   Phone: +1 303 661 9100
   EMail: e.cardona@cablelabs.com

Full Copyright Statement

   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.