Network Working Group S. Green Request for Comments: 4131 Consultant Category: Standards Track K. Ozawa Toshiba E. Cardona, Ed. CableLabs A. Katsnelson September 2005 Management Information Base for Data Over Cable Service Interface Specification (DOCSIS) Cable Modems and Cable Modem Termination Systems for Baseline Privacy Plus Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2005).Abstract
This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines a set of managed objects for Simple Network Management Protocol (SNMP) based management of the Baseline Privacy Plus features of DOCSIS 1.1 and DOCSIS 2.0 (Data-over-Cable Service Interface Specification) compliant Cable Modems and Cable Modem Termination Systems.Table of Contents
1. The Internet-Standard Management Framework..................... 2 2. Overview....................................................... 2 2.1. Structure of the MIB...................................... 3 2.2. Relationship of BPI+ and BPI MIB Modules.................. 4 2.3. BPI+ MIB Module Relationship with The Interfaces Group MIB 5 3. Definitions.................................................... 5 4. Acknowledgements............................................... 77 5. Normative References........................................... 77 6. Informative References......................................... 78 7. Security Considerations........................................ 79 8. IANA Considerations............................................ 83
1. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].2. Overview
This MIB module (BPI+ MIB) provides a set of objects required for the management of the Baseline Privacy Interface Plus features of DOCSIS 1.1 and DOCSIS 2.0 Cable Modem (CM) and Cable Modem Termination System (CMTS). The specification is derived from the operational model described in the DOCSIS Baseline Privacy Interface Plus Specification [DOCSIS]. DOCSIS Baseline Privacy Plus is composed of four distinct functional and manageable areas: o Key exchange and data encryption o Cable modem authentication o Multicast encryption o Authentication of downloaded software images This MIB module is an extension of the DOCSIS 1.0 Baseline Privacy MIB module [RFC3083] (BPI MIB), which is derived from the Operational model described in the DOCSIS Baseline Privacy Interface Specification [DOCSIS-1.0]. The original Baseline Privacy MIB structure has mostly been preserved in the Baseline Privacy Plus MIB. Please note that the referenced DOCSIS specifications only require that Cable Modems process IPv4 customer traffic. Design choices in this MIB module reflect those requirements. Future versions of the DOCSIS specifications are expected to require support for IPv6 as well.
Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [RFC2119].2.1. Structure of the MIB
This MIB module is structured into several tables and objects.2.1.1. Cable Modem
o The docsBpi2CmBaseTable contains authorization key exchange information for one CM MAC interface. o The docsBpi2CmTEKTable contains traffic key exchange and data encryption information for a particular security association ID of the cable modem. o Multicast Encryption information is maintained under Docsbpi2CmMulticastObjects. There is currently one multicast table object that manages IP multicast encryption, docsBpi2CmIpMulticastMapTable. o Digital certificates used for cable modem authentication are accessible via docsBpi2CmDeviceCertTable. o Cryptographic suite capabilities for a CM MAC are maintained in the docsBpi2CmCryptoSuiteTable.2.1.2. Cable Modem Termination System
o The docsBpi2CmtsBaseTable contains default settings and summary counters for the cable modem termination system. o The DocsBpi2CmtsAuthTable contains Authorization Key Exchange information for each CM MAC interface, as well as data from CM certificates used in cable modem authentication. o The docsBpi2CmtsTEKTable contains traffic key exchange and data encryption information for a particular security association ID. o Multicast Encryption information is maintained under Docsbpi2CmtsMulticastObjects. There are currently two multicast table objects. The Table docsBpi2CmtsIpMulticastMapTable is
specifically designed for IP multicast encryption, whereas docsBpi2CmtsMulticastAuthTable is meant to manage all multicast security associations. In particular, the table docsBpi2CmtsIpMulticastMapTable defines the object docsBpi2CmtsIpMulticastMask, which could be a non-contiguous netmask; this is why the object syntax is based on the INET-ADDRESS-MIB MIB Module [RFC4001] Textual Convention InetAddress instead of InetAddressPrefixLength. This is to facilitate the assignment of same DOCSIS Security Association ID (SAID) to one or more IPv6 multicast group IDs matching one or more IPv6 multicast scope types within an entry in this table. For example, multicast scopes labeled "unassigned" [RFC3513] may be allocated by administrators to a particular SAID, regardless of their multicast scope; such mapping transient multicast group 'Y' to SAID 'z' for ANY multicast scope. The non-contiguous netmask will be FF10:Y. See [RFC3513] for details on IPv6 multicast addressing. o DocsBpi2CmtsCertObjects contains 2 manageable tables: one for provisioned cable modem certificates and one for certification authority certificates.2.1.3. Common
o The docsBpi2CodeDownloadControl objects manage the authenticated software download process for a given device.2.2. Relationship of BPI+ and BPI MIB Modules
This section describes the relationship between the BPI+ MIB module defined in this document and the BPI MIB module defined in RFC 3083 [RFC3083]. The BPI+ protocol interface is an enhancement to the BPI protocol, and it is a distinct protocol from BPI. The associated BPI+ managed objects should be considered separate from the BPI MIB objects defined in RFC 3083. DOCSIS 1.1 and 2.0 systems implement both the BPI+ and BPI protocols to be backward compatible with 1.0 systems. For more information regarding the interoperability between BPI and BPI+ compliant systems, refer to appendix C of the DOCSIS BPI+ specification [DOCSIS]. For MIB modules requirements, refer to section 4.6.1, Figure 9, of the DOCSIS 1.1 OSSI specification [DOCSIS-1.1] and to section 7.6.1, Tables 7-9, of the DOCSIS 2.0 OSSI specification [DOCSIS-2.0].
2.3. BPI+ MIB Module Relationship with the Interfaces Group MIB
The BPI+ MIB module is the management framework of Baseline Privacy Plus Interface Specification [DOCSIS], which provides the MAC layer (Media Access Control) security services of DOCSIS through the Baseline Privacy Key Management (BPKM) protocol. The BPI+ MIB module objects are organized as extensions of the Radio Frequency (RF) Interface Management [RFC2670]. The MIB table structures of this MIB Module are extensions of the DOCSIS CATV (Community Antenna Television) MAC layer interface (DocsCableMaclayer by [IANA]). In particular, the provisions of the Interface Group MIB [RFC2863] for counter discontinuities and system re-initialization apply to CM and CMTS to validate the difference between two consecutive counter polls. All BPI+ MIB module counters are 32 bits and are based on the minimum time to wrap up considerations of [RFC2863] and their possible frequency occurrence as BPI+ FSM (Finite State Machine) event counters. See [DOCSIS] for BPI+ FSM parameter guidelines.