Internet-Draft                                            E. Cardona
draft-ietf-ipcdn-cable-gateway-security-mib-00.txt          K. Luehrs
Expires: December 2003                                      CableLabs
                                                           S. Higgins
                                                       Ashley-Laurent
                                                             D. Jones
                                                              YAS BBV
                                                            June 2003

        Cable Gateway Security Management Information Base for
              CableHome compliant Residential Gateways

Status of this Memo

This document is an Internet-Draft and is subject to all provisions of
Section 10 of RFC2026 [1].

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it defines a basic set of managed objects for SNMP-based
security management of CableHome 1.0 compliant residential gateway
devices.

Cardona, et. al.          Expires - December 2003               [Page 1]

Internet-Draft       CableHome Gateway Security MIB            June 2003

This memo specifies a MIB module in a manner that is compliant to the
SNMP SMIv2 [5][6][7]. The set of objects is consistent with the SNMP
framework and existing SNMP standards.

Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [2].

Table of Contents

1. The Internet-Standard Management Framework.....................2
2. Glossary.......................................................3
2.1 CableHome Residential Gateway..............................3
2.2 Portal Services............................................3
2.3 LAN IP Device..............................................3
2.4 WAN Management (WAN-Man) Address...........................3
2.5 WAN Data (WAN-Data) Address................................3
2.6 LAN Translated (LAN-Trans) Address.........................4
2.7 LAN Passthrough (LAN-Pass) Address.........................4
2.8 Cable Gateway DHCP Portal (CDP)............................4
2.9 Denial of Service..........................................4
2.10 Firewall..................................................4
2.11 Hash......................................................4
2.12 Rule Set..................................................4
2.13 Security Policy...........................................5
3. Overview.......................................................5
3.1 Structure of the MIB.......................................5
3.2 Management Requirements....................................5
4. MIB Definitions................................................7
5. Acknowledgements..............................................29
6. Formal Syntax.................................................29
7. Security Considerations.......................................29
8. Normative References..........................................30
9. Informative References........................................31
10. Intellectual Property........................................32
11. Author's Addresses...........................................32
12. Full Copyright Statement.....................................33

1. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [12].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [7], STD 58, RFC 2579 [8] and STD 58, RFC 2580 [9].

2. Glossary

The terms in this document are derived either from normal cable system
usage, from normal residential gateway operation, or from the documents
associated with the CableHome Specifications [21].

2.1 CableHome Residential Gateway

A CableHome Residential Gateway passes data traffic between the cable
operator's broadband data network (the Wide Area Network, WAN) and the
Local Area Network (LAN) in the cable data service subscriber's
residence or business. In addition to passing traffic between the WAN
and LAN, the CableHome Residential Gateway provides several services,
including a DHCP client and a DHCP server (RFC2131) [22], a TFTP server
(RFC1350) [23], management services provided by an SNMPv1/v2c/v3 agent
compliant with the RFCs listed in Section 1, and security services
including stateful packet inspection firewall functionality and
software code image verification.

2.2 Portal Services

A logical element aggregating the set of CableHome-specified
functionality in a CableHome compliant cable gateway device.

2.3 LAN IP Device

A LAN IP Device is representative of a typical IP device expected to
reside on home networks, and is assumed to contain a TCP/IP stack as
well as a DHCP client.

2.4 WAN Management (WAN-Man) Address

WAN Management Addresses are intended for network management traffic
on the cable network between the network management system and the PS
element.
Typically, these addresses will reside in private IP address space.

2.5 WAN Data (WAN-Data) Address

WAN Data Addresses are intended for subscriber application traffic on
the cable network and beyond, such as traffic between LAN IP Devices
and Internet hosts. Typically, these addresses will reside in public IP
address space.

2.6 LAN Translated (LAN-Trans) Address

LAN Translated Addresses are intended for subscriber application and
management traffic on the home network between LAN IP Devices and the
PS element. Typically, these addresses will reside in private IP
address space, and can typically be reused across subscribers.

2.7 LAN Passthrough (LAN-Pass) Address

LAN Passthrough Addresses are intended for subscriber application
traffic, such as traffic between LAN IP Devices and Internet hosts, on
the home network, the cable network, and beyond. Typically, these
addresses will reside in public IP address space.

2.8 Cable Gateway DHCP Portal (CDP)

A logical element residing within the PS that encapsulates DHCP
functionality within a Cable Gateway Device. This includes both DHCP
client and DHCP server capabilities.

2.9 Denial of Service

A type of attack on a network that is designed to make the network
unusable by flooding it with useless traffic.

2.10 Firewall

A system designed to prevent unauthorized access to or from a private
network. Firewalls are frequently used to prevent unauthorized Internet
users from accessing private networks connected to the Internet.

2.11 Hash

A hash value (or simply hash) is a number generated from a string of
text. The hash is substantially smaller than the text itself, and is
generated by a formula in such a way that it is extremely unlikely that
some other text will produce the same hash value. Hashes play a role in
security systems where they are used to ensure that transmitted
messages have not been tampered with.
2.12 Rule Set

The rule set is derived from the security policy and defines the
collection of access control rules (filter and proxy action rules),
which in turn determines which packets the firewall forwards and which
it rejects.

2.13 Security Policy

The security policy defines the desired level of security and
functionality for a subscriber's firewall.

3. Overview

This MIB provides a set of security objects required for the management
of CableHome compliant residential gateway devices. The specification
is derived from the CableHome 1.0 specification [21].

3.1 Structure of the MIB

This MIB is structured into two groups:

- cabhSecFwObjects is used to manage the firewall functionality.
- cabhSecCertObjects is used to hold the gateway device certificate,
  which is used to authenticate the gateway.

3.2 Management Requirements

3.1.1. Firewall Enable

The cabhSecFwPolicyFileEnable object enables or disables firewall rule
set filtering functions.

3.1.2. Firewall Configuration File Download

The firewall configuration file download process is documented in
[21]. From a network management station, the operator:

- sets cabhSecFwPolicyFileHash to the hash value calculated over the
  firewall configuration file.
- sets cabhSecFwPolicyFileURL to the name and IP address of the
  firewall configuration file in TFTP URL format. When this value
  changes, it triggers the file download.

Download status and the version of the firewall configuration file can
be obtained from the cabhSecFwPolicyFileOperStatus and
cabhSecFwPolicyCurrentVersion MIB objects.

3.1.3 Firewall Event Management

There are three types of firewall events that can be logged.
The following objects allow the operator to enable or disable the
logging of these events:

- cabhSecFwEventType1Enable controls the logging of Type 1 event
  messages, which indicate attempts from both private and public
  clients to traverse the firewall that violate the security policy.
- cabhSecFwEventType2Enable controls the logging of Type 2 event
  messages, which indicate the detection of Denial-of-Service attacks.
- cabhSecFwEventType3Enable controls the logging of Type 3 event
  messages, which indicate changes in firewall management parameters.

Event messaging details are documented in [21].

3.1.4 Firewall Attack Alert

The Firewall Attack Alert MIB objects enable an MSO to be notified when
a firewall has been attacked a certain number of times within a given
period. The cabhSecFwEventAttackAlertThreshold object is set with the
number of Type 1 or Type 2 hacker attacks that are allowed within the
time period; if attacks exceed this number, an event message MUST be
logged.

The cabhSecFwEventAttackAlertPeriod object indicates the period to be
used (in hours) for the cabhSecFwEventAttackAlertThreshold. This MIB
object should always keep track of the last x hours of events, meaning
that if the variable is set to track events for 10 hours, then when the
11th hour is reached, the 1st hour of events is deleted from the
tracking log. The default value is zero, meaning zero time, so that
this MIB variable will not track any events unless configured.

3.1.5 PS Certificate

The cabhSecCertPsCert object provides the ability to read the
certificate information in a compliant CableHome residential gateway
device. The PS certificate is used in the process of authenticating
the device.
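The download procedure of 3.1.2 and the attack alert window of 3.1.4 (the CableHome 1.1 cabhSec2FwEventThreshold and cabhSec2FwEventInterval objects carry the same count-per-interval semantics) are modelled below as a Python sketch of the PS side. This is an added example, not code from this draft or from CableLabs: the TFTP client is replaced by an injected fetch() callable, the rule set bytes and tftp:// URLs are constructed, and the decision to reject a file when no hash has been configured is the example's own choice rather than a requirement stated by the draft.

```python
"""Added example (not code from the draft or CableLabs): a model of the
PS-side behaviour behind the objects in Sections 3.1.2 and 3.1.4."""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# cabhSecFwPolicyFileOperStatus values (completeFromMgt(3) is deprecated)
IN_PROGRESS, COMPLETE, FAILED = 1, 2, 4


class PolicyFileManager:
    """Models cabhSecFwPolicyFileHash, cabhSecFwPolicyFileURL,
    cabhSecFwPolicyFileOperStatus and cabhSecFwPolicySuccessfulFileURL.
    `fetch` stands in for the TFTP client (assumption of this example)."""

    def __init__(self, fetch: Callable[[str], Optional[bytes]]) -> None:
        self._fetch = fetch
        self.policy_file_hash = b""      # DEFVAL ''H: no hash configured
        self.policy_file_url = ""
        self.successful_file_url = ""
        self.oper_status = FAILED
        self.rule_set: Optional[bytes] = None   # rules currently installed

    def set_policy_file_hash(self, value: bytes) -> None:
        # SYNTAX OCTET STRING (SIZE(0|20)): SNMP would answer wrongLength
        if len(value) not in (0, 20):
            raise ValueError("wrongLength: hash must be 0 or 20 octets")
        self.policy_file_hash = value

    def set_policy_file_url(self, url: str) -> int:
        """A SET triggers a download only if the URL differs from the last
        successfully downloaded one. Returns the resulting OperStatus."""
        self.policy_file_url = url
        if url == self.successful_file_url:
            return self.oper_status
        return self._download(url)

    def _download(self, url: str) -> int:
        self.oper_status = IN_PROGRESS
        data = self._fetch(url)          # None models a TFTP timeout
        if data is None:
            self.oper_status = FAILED
            return FAILED
        # The operator sets the SHA-1 digest before the URL; the file is
        # installed only if its digest matches. Rejecting a file when no
        # hash is configured is this example's choice, so that a rule set
        # fetched over plain TFTP never reaches the firewall unverified.
        digest = hashlib.sha1(data).digest()
        if not self.policy_file_hash or digest != self.policy_file_hash:
            self.oper_status = FAILED    # previous rule set stays in force
            return FAILED
        self.rule_set = data
        self.successful_file_url = url
        self.oper_status = COMPLETE
        return COMPLETE


class AttackAlertTracker:
    """Models cabhSecFwEventAttackAlertThreshold/-Period: Type 1 and Type 2
    events are counted per hour, only the last `period_hours` buckets are
    kept, and an alert is logged when the windowed total exceeds the
    threshold. period 0 (the DEFVAL) disables tracking."""

    def __init__(self, threshold: int = 65535, period_hours: int = 0) -> None:
        self.threshold = threshold
        self.period_hours = period_hours
        self._buckets: Dict[int, int] = {}        # hour index -> count
        self.alerts: List[Tuple[int, int]] = []   # (hour index, count)

    def record_event(self, event_type: int, now_secs: int) -> bool:
        """Returns True when this event pushes the window over the threshold."""
        if event_type not in (1, 2) or self.period_hours == 0:
            return False
        hour = now_secs // 3600
        self._buckets[hour] = self._buckets.get(hour, 0) + 1
        # once the (period+1)th hour is reached, the oldest hour is dropped
        for old in [h for h in self._buckets if h <= hour - self.period_hours]:
            del self._buckets[old]
        total = sum(self._buckets.values())
        if total > self.threshold:
            self.alerts.append((hour, total))     # priority-4 event per the MIB
            return True
        return False


# Constructed demo data: not a real rule set, URL or deployment.
RULE_SET = b"# constructed rule set v1\nallow out tcp any any 80\ndeny in any\n"
RULE_SET_HASH = hashlib.sha1(RULE_SET).digest()
TAMPERED = RULE_SET.replace(b"deny in any", b"allow in any")
FAKE_TFTP = {"tftp://192.0.2.10/fw-v1.cfg": RULE_SET,
             "tftp://192.0.2.10/fw-v1-altered.cfg": TAMPERED}


def demo() -> Tuple[int, int, int, int]:
    ps = PolicyFileManager(FAKE_TFTP.get)
    ps.set_policy_file_hash(RULE_SET_HASH)
    ok = ps.set_policy_file_url("tftp://192.0.2.10/fw-v1.cfg")            # COMPLETE
    same = ps.set_policy_file_url("tftp://192.0.2.10/fw-v1.cfg")          # no re-download
    bad = ps.set_policy_file_url("tftp://192.0.2.10/fw-v1-altered.cfg")   # FAILED
    gone = ps.set_policy_file_url("tftp://192.0.2.10/missing.cfg")        # FAILED
    return ok, same, bad, gone


if __name__ == "__main__":
    print(demo())
```

Two properties of the model are worth checking against a real PS: a failed download (hash mismatch or TFTP timeout) leaves the previously installed rule set and cabhSecFwPolicySuccessfulFileURL untouched, and writing the same URL a second time does not trigger another transfer, which is exactly why the hash must be updated before the URL whenever the file contents change.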
4. MIB Definitions

CABH-IETF-SEC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    Unsigned32,
    zeroDotZero,
    OBJECT-TYPE,
    mib-2
        FROM SNMPv2-SMI             -- RFC2578
    DateAndTime,
    TruthValue,
    TimeStamp,
    VariablePointer
        FROM SNMPv2-TC              -- RFC2579
    OBJECT-GROUP,
    MODULE-COMPLIANCE
        FROM SNMPv2-CONF            -- RFC2580
    InetPortNumber,
    InetAddressType,
    InetAddress
        FROM INET-ADDRESS-MIB       -- RFC3291
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB     -- RFC2571
    DocsX509ASN1DEREncodedCertificate
        FROM DOCS-BPI2-MIB          -- TC available in
                                    -- draft-ietf-ipcdn-bpiplus-mib-09.txt
                                    -- or after
    ZeroBasedCounter32
        FROM RMON2-MIB
    docsDevFilterIpEntry
        FROM DOCS-CABLE-DEVICE-MIB;

cabhSecMib MODULE-IDENTITY
    LAST-UPDATED    "200306210000Z" -- Jun 21, 2003
    ORGANIZATION    "IETF IPCDN Working Group"
    CONTACT-INFO
        "Kevin Luehrs
         Postal: Cable Television Laboratories, Inc.
                 400 Centennial Parkway
                 Louisville, Colorado 80027-1266
                 U.S.A.
         Phone:  +1 303-661-9100
         Fax:    +1 303-661-9199
         E-mail: k.luehrs@cablelabs.com; mibs@cablelabs.com

         IETF IPCDN Working Group
         General Discussion: ipcdn@ietf.org
         Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn
         Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn
         Co-chairs: Richard Woundy, Richard_Woundy@cable.comcast.com
                    Jean-Francois Mule, jf.mule@cablelabs.com"
    DESCRIPTION
        "This MIB module supplies the basic management objects for
         the Security Portal Services.

         Copyright (C) The Internet Society (2003). This version of
         this MIB module is part of RFC xxxx; see the RFC itself for
         full legal notices."
    REVISION "200306210000Z" -- Jun 21, 2003
    DESCRIPTION
        "Initial version, published as RFC xxxx."
    -- RFC editor to assign xxxx
    ::= { mib-2 xx }  -- xx to be assigned by IANA

-- Textual Conventions

cabhSecMibObjects   OBJECT IDENTIFIER ::= { cabhSecMib 1 }
cabhSecFwObjects    OBJECT IDENTIFIER ::= { cabhSecMibObjects 1 }
cabhSecFwBase       OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
cabhSecFwLogCtl     OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }
cabhSecCertObjects  OBJECT IDENTIFIER ::= { cabhSecMibObjects 2 }
cabhSecKerbObjects  OBJECT IDENTIFIER ::= { cabhSecMibObjects 3 }
cabhSecKerbBase     OBJECT IDENTIFIER ::= { cabhSecKerbObjects 1 }
cabhSec2FwObjects   OBJECT IDENTIFIER ::= { cabhSecMibObjects 4 }
cabhSec2FwBase      OBJECT IDENTIFIER ::= { cabhSec2FwObjects 1 }
cabhSec2FwEvent     OBJECT IDENTIFIER ::= { cabhSec2FwObjects 2 }
cabhSec2FwLog       OBJECT IDENTIFIER ::= { cabhSec2FwObjects 3 }
cabhSec2FwFilter    OBJECT IDENTIFIER ::= { cabhSec2FwObjects 4 }

--
-- CableHome 1.0 Base Firewall Functions
--

cabhSecFwPolicyFileEnable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1),
                    disable(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This parameter indicates whether or not to enable the
         firewall functionality."
    DEFVAL { enable }
    ::= { cabhSecFwBase 1 }

cabhSecFwPolicyFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Contains the location of the last successfully downloaded
         policy rule set file in the format given in the reference.
         A policy rule set file download is triggered when the value
         used to SET this MIB object is different from the value in
         the cabhSecFwPolicySuccessfulFileURL object."
    REFERENCE
        "CableHome 1.0 Specification, CH-SP-I04-030411, 11.3.5.2
         Firewall Rule Set Management Parameters"
    ::= { cabhSecFwBase 2 }

cabhSecFwPolicyFileHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0|20))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Hash of the contents of the rule set file, calculated and
         sent to the PS prior to sending the rule set file.
         For the SHA-1 authentication algorithm the length of the
         hash is 160 bits. This hash value is encoded in binary
         format."
    DEFVAL { ''H }
    ::= { cabhSecFwBase 3 }

cabhSecFwPolicyFileOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    complete(2),
                    -- completeFromMgt(3), deprecated
                    failed(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "inProgress(1) indicates a firewall configuration file
         download is underway.
         complete(2) indicates the firewall configuration file was
         downloaded and configured successfully.
         completeFromMgt(3) This state is deprecated.
         failed(4) indicates the last attempted firewall
         configuration file download or processing failed,
         ordinarily due to a TFTP timeout."
    ::= { cabhSecFwBase 4 }

cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The rule set version currently operating in the PS device.
         This object should be in the syntax used by the individual
         vendor to identify software versions. Any PS element MUST
         return a string descriptive of the current rule set file
         load. If this is not applicable, this object MUST contain
         an empty string."
    ::= { cabhSecFwBase 5 }

cabhSecFwPolicySuccessfulFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Contains the location of the last successfully downloaded
         policy rule set file in the format given in the reference.
         If a successful download has not yet occurred, this MIB
         object should report an empty string."
    REFERENCE
        "CableHome 1.0 Specification, CH-SP-I04-030411, 11.3.5.2
         Firewall Rule Set Management Parameters"
    ::= { cabhSecFwBase 6 }

--
-- CableHome 1.0 Firewall Event MIBs
--

cabhSecFwEventType1Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1),    -- log event
                    disable(2)    -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object enables or disables logging of type 1 firewall
         event messages. Type 1 event messages report attempts from
         both private and public clients to traverse the firewall
         that violate the Security Policy."
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 1 }

cabhSecFwEventType2Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1),    -- log event
                    disable(2)    -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object enables or disables logging of type 2 firewall
         event messages. Type 2 event messages report identified
         Denial of Service attack attempts."
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 2 }

cabhSecFwEventType3Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1),    -- log event
                    disable(2)    -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables or disables logging of type 3 firewall event
         messages. Type 3 event messages report changes made to the
         following firewall management parameters:
         cabhSecFwPolicyFileURL, cabhSecFwPolicyFileCurrentVersion,
         cabhSecFwPolicyFileEnable"
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 3 }

cabhSecFwEventAttackAlertThreshold OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "If the number of type 1 or 2 hacker attacks exceeds this
         threshold in the period defined by
         cabhSecFwEventAttackAlertPeriod, a firewall event message
         MUST be logged with priority level 4."
    DEFVAL { 65535 }
    ::= { cabhSecFwLogCtl 4 }

cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates the period to be used (in hours) for the
         cabhSecFwEventAttackAlertThreshold. This MIB variable should
         always keep track of the last x hours of events, meaning
         that if the variable is set to track events for 10 hours,
         then when the 11th hour is reached the 1st hour of events is
         deleted from the tracking log. The default value is zero,
         meaning zero time, so that this MIB variable will not track
         any events unless configured."
    DEFVAL { 0 }
    ::= { cabhSecFwLogCtl 5 }

--
-- CableHome PS device certificate
--

cabhSecCertPsCert OBJECT-TYPE
    SYNTAX      DocsX509ASN1DEREncodedCertificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The X509 DER-encoded PS certificate."
    ::= { cabhSecCertObjects 1 }

--
-- CableHome 1.1 Firewall Management MIBs
--

cabhSec2FwEnable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enabled(1),
                    disabled(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This parameter indicates whether to enable or disable the
         firewall."
    DEFVAL { enabled }
    ::= { cabhSec2FwBase 1 }

cabhSec2FwPolicyFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Contains the location of the last successfully downloaded
         policy rule set file in the format given in the reference.
         A policy rule set file download is triggered when the value
         used to SET this MIB object is different from the value in
         the cabhSec2FwPolicySuccessfulFileURL object."
    REFERENCE
        "CableHome 1.1 Specification, CH-1.1-SP-I01-030418, 11.6.4.7.1
         Firewall Rule Set Management MIB Objects"
    ::= { cabhSec2FwBase 2 }

cabhSec2FwPolicyFileHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0|20))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Hash of the contents of the firewall configuration file.
         For the SHA-1 authentication algorithm the length of the
         hash is 160 bits.
         This hash value is encoded in binary format."
    DEFVAL { ''H }
    ::= { cabhSec2FwBase 3 }

cabhSec2FwPolicyFileOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    complete(2),
                    failed(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "inProgress(1) indicates a firewall configuration file
         download is underway.
         complete(2) indicates the firewall configuration file was
         downloaded and processed successfully.
         failed(3) indicates that the last attempted firewall
         configuration file download or processing failed."
    ::= { cabhSec2FwBase 4 }

cabhSec2FwPolicyFileCurrentVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "A label set by the cable operator that can be used to track
         various versions of configured rulesets. Once the label is
         set, if the configured rules are subsequently changed, it
         may no longer accurately reflect the version of configured
         rules running on the box. This object MUST contain the
         string 'null' if it has never been configured."
    DEFVAL { "null" }
    ::= { cabhSec2FwBase 5 }

cabhSec2FwClearPreviousRuleset OBJECT-TYPE
    SYNTAX      INTEGER {
                    increment(1),
                    complete(2),
                    incrementDefault(3)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Allows PS or firewall configuration files to contain either
         a complete firewall configured ruleset or an increment to
         the already established configured ruleset, depending on
         the presence of this object in the configuration file.

         If the PS receives a configuration file with firewall
         settings which includes a cabhSec2FwClearPreviousRuleset
         object setting marked as increment(1), or if this object
         setting is not included in a configuration file which
         contains filter settings for the firewall, then the PS MUST
         treat the firewall filter settings in the configuration
         file as an increment to the configured ruleset.
         If the PS receives a configuration file with firewall
         settings which includes a cabhSec2FwClearPreviousRuleset
         object setting marked as incrementDefault(3), then the PS
         MUST remove all previously configured rules from the
         configured ruleset, including any rules in the filter
         schedule table, and increment the newly downloaded rules on
         top of (i.e. subsequent to) the factory default policy.

         If the PS receives a configuration file with firewall
         settings which includes a cabhSec2FwClearPreviousRuleset
         object setting marked as complete(2), then the PS MUST
         remove all previously configured rules from the configured
         ruleset, including any rules in the
         cabhSec2FwFilterScheduleTable table, before applying the
         firewall filter settings contained in the configuration
         file.

         If cabhSec2FwClearPreviousRuleset is set to increment(1)
         using SNMP, the PS MUST treat all of the following firewall
         filter settings made using SNMP as an increment to the
         configured ruleset.

         If cabhSec2FwClearPreviousRuleset is set to
         incrementDefault(3) using SNMP, the PS MUST remove all
         previously configured rules from the configured ruleset,
         including any rules in the filter schedule table, and treat
         all of the following firewall filter settings made using
         SNMP as an increment on top of the factory default policy.

         If cabhSec2FwClearPreviousRuleset is set to complete(2),
         then the PS MUST remove all rules from the configured
         ruleset, including any rules in the filter schedule table.
         In this scenario the PS will operate without any configured
         rules (e.g. there will be no defined filtering rules, but
         the firewall will still provide the minimum set of
         capabilities and architecture)."
    REFERENCE
        "CableHome 1.1 Specification, CH-1.1-SP-I01-030418, 11.6.4.4
         Firewall Filtering"
    DEFVAL { increment }
    ::= { cabhSec2FwBase 6 }

cabhSec2FwPolicySelection OBJECT-TYPE
    SYNTAX      INTEGER {
                    factoryDefault(1),
                    configuredRuleset(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This parameter indicates which policy should currently be
         running in the firewall, either the factoryDefault policy
         or the configuredRuleset."
    DEFVAL { factoryDefault }
    ::= { cabhSec2FwBase 7 }

cabhSec2FwEventSetToFactory OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "If set to 'true', entries in cabhSec2FwEventControlEntry
         are set to their default values. Reading this value always
         returns false."
    DEFVAL { false }
    ::= { cabhSec2FwBase 8 }

cabhSec2FwEventLastSetToFactory OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when cabhSec2FwEventSetToFactory was
         last set to true. Zero if never reset."
    ::= { cabhSec2FwBase 9 }

cabhSec2FwPolicySuccessfulFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Contains the location of the last successfully downloaded
         policy rule set file in the format given in the reference.
         If a successful download has not yet occurred, this MIB
         object should report an empty string."
    REFERENCE
        "CableHome 1.1 Specification, CH-1.1-SP-I01-030418, 11.6.4.7.1
         Firewall Rule Set Management MIB Objects"
    ::= { cabhSec2FwBase 10 }

--
-- CableHome 1.1 Firewall Event MIBs
--

cabhSec2FwEventControlTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwEventControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table controls the reporting of the firewall attack
         events."
    ::= { cabhSec2FwEvent 1 }

cabhSec2FwEventControlEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwEventControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Allows configuration of the reporting mechanisms for a
         particular type of attack."
    INDEX { cabhSec2FwEventType }
    ::= { cabhSec2FwEventControlTable 1 }

CabhSec2FwEventControlEntry ::= SEQUENCE {
    cabhSec2FwEventType          INTEGER,
    cabhSec2FwEventEnable        INTEGER,
    cabhSec2FwEventThreshold     Unsigned32,
    cabhSec2FwEventInterval      Unsigned32,
    cabhSec2FwEventCount         ZeroBasedCounter32,
    cabhSec2FwEventLogReset      TruthValue,
    cabhSec2FwEventLogLastReset  TimeStamp
    }

cabhSec2FwEventType OBJECT-TYPE
    SYNTAX      INTEGER {
                    type1(1),
                    type2(2),
                    type3(3),
                    type4(4),
                    type5(5),
                    type6(6)
                }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Classification of the different types of attacks.
         Type 1 logs all attempts from both LAN and WAN clients to
         traverse the Firewall that violate the Security Policy.
         Type 2 logs identified Denial of Service attack attempts.
         Type 3 logs all changes made to the cabhSec2FwPolicyFileURL,
         cabhSec2FwPolicyFileCurrentVersion or
         cabhSec2FwPolicyFileEnable objects.
         Type 4 logs all failed attempts to modify
         cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable
         objects.
         Type 5 logs allowed inbound packets from the WAN.
         Type 6 logs allowed outbound packets from the LAN."
    ::= { cabhSec2FwEventControlEntry 1 }

cabhSec2FwEventEnable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enabled(1),
                    disabled(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables or disables counting and logging of firewall events
         by type as assigned by cabhSec2FwEventType."
    DEFVAL { disabled }
    ::= { cabhSec2FwEventControlEntry 2 }

cabhSec2FwEventThreshold OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Number of attacks to count before sending the appropriate
         event by type as assigned by cabhSec2FwEventType."
    DEFVAL { 0 }
    ::= { cabhSec2FwEventControlEntry 3 }

cabhSec2FwEventInterval OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    UNITS       "hours"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates the time interval in hours to count and log
         occurrences of a firewall event type as assigned in
         cabhSec2FwEventType. If this MIB object has a value of zero
         then there is no interval assigned and the PS will not count
         or log events."
    DEFVAL { 0 }
    ::= { cabhSec2FwEventControlEntry 4 }

cabhSec2FwEventCount OBJECT-TYPE
    SYNTAX      ZeroBasedCounter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates the current count up to the
         cabhSec2FwEventThreshold value by type as assigned by
         cabhSec2FwEventType."
    ::= { cabhSec2FwEventControlEntry 5 }

cabhSec2FwEventLogReset OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Setting this object to true clears the log table for the
         specified event type. Reading this object always returns
         false."
    DEFVAL { false }
    ::= { cabhSec2FwEventControlEntry 6 }

cabhSec2FwEventLogLastReset OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when cabhSec2FwEventLogReset was last
         set to true. Zero if never reset."
    ::= { cabhSec2FwEventControlEntry 7 }

--
-- CableHome 1.1 Firewall Log Tables
--

cabhSec2FwLogTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwLogEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains a log of packet information as related to events
         enabled by the cable operator. The types are defined in the
         CableHome 1.1 specification and require various objects to
         be included in the log. The following is a description of
         what is expected in the log for each type.

         Type 1, Type 2, Type 5 and Type 6 entries MUST include
         cabhSec2FwLogEventType, cabhSec2FwLogEventPriority,
         cabhSec2FwLogEventId, cabhSec2FwLogTime,
         cabhSec2FwLogIpProtocol, cabhSec2FwLogIpSourceAddr,
         cabhSec2FwLogIpDestAddr, cabhSec2FwLogIpSourcePort,
         cabhSec2FwLogIpDestPort, cabhSec2FwLogMessageType and
         cabhSec2FwLogReplayCount. The other objects not used by
         types 1, 2, 5 and 6 carry their default values.

         Type 3 and Type 4 entries MUST include
         cabhSec2FwLogEventType, cabhSec2FwLogEventPriority,
         cabhSec2FwLogEventId, cabhSec2FwLogTime,
         cabhSec2FwLogIpSourceAddr and cabhSec2FwLogMIBPointer. The
         other objects not used by types 3 and 4 carry their default
         values."
    ::= { cabhSec2FwLog 1 }

cabhSec2FwLogEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwLogEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the log of one firewall event."
    INDEX { cabhSec2FwLogIndex }
    ::= { cabhSec2FwLogTable 1 }

CabhSec2FwLogEntry ::= SEQUENCE {
    cabhSec2FwLogIndex          Unsigned32,
    cabhSec2FwLogEventType      INTEGER,
    cabhSec2FwLogEventPriority  INTEGER,
    cabhSec2FwLogEventId        Unsigned32,
    cabhSec2FwLogTime           DateAndTime,
    cabhSec2FwLogIpProtocol     Unsigned32,
    cabhSec2FwLogIpAddrType     InetAddressType,
    cabhSec2FwLogIpSourceAddr   InetAddress,
    cabhSec2FwLogIpDestAddr     InetAddress,
    cabhSec2FwLogIpSourcePort   InetPortNumber,
    cabhSec2FwLogIpDestPort     InetPortNumber,
    cabhSec2FwLogMessageType    Unsigned32,
    cabhSec2FwLogReplayCount    Unsigned32,
    cabhSec2FwLogMIBPointer     VariablePointer
    }

cabhSec2FwLogIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A sequence number for the specific events under a
         cabhSec2FwEventType."
    ::= { cabhSec2FwLogEntry 1 }

cabhSec2FwLogEventType OBJECT-TYPE
    SYNTAX      INTEGER {
                    type1(1),
                    type2(2),
                    type3(3),
                    type4(4),
                    type5(5),
                    type6(6)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Classification of the different types of attacks.
         Type 1 logs all attempts from both LAN and WAN clients to
         traverse the Firewall that violate the Security Policy.
         Type 2 logs identified Denial of Service attack attempts.
         Type 3 logs all changes made to the cabhSec2FwPolicyFileURL,
         cabhSec2FwPolicyFileCurrentVersion or
         cabhSec2FwPolicyFileEnable objects.
         Type 4 logs all failed attempts to modify
         cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable
         objects.
         Type 5 logs allowed inbound packets from the WAN.
         Type 6 logs allowed outbound packets from the LAN."
    ::= { cabhSec2FwLogEntry 2 }

cabhSec2FwLogEventPriority OBJECT-TYPE
    SYNTAX      INTEGER {
                    emergency(1),
                    alert(2),
                    critical(3),
                    error(4),
                    warning(5),
                    notice(6),
                    information(7),
                    debug(8)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The priority level of this event as defined by the CableHome
         Specification. If a priority is not assigned in the
         CableHome specification for a particular event then the
         vendor or cable operator may assign priorities. These are
         ordered from most serious (emergency) to least serious
         (debug)."
    ::= { cabhSec2FwLogEntry 3 }

cabhSec2FwLogEventId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The assigned event ID."
    ::= { cabhSec2FwLogEntry 4 }

cabhSec2FwLogTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The time at which this entry was created by the PS."
    ::= { cabhSec2FwLogEntry 5 }

cabhSec2FwLogIpProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP protocol number of the packet logged."
    ::= { cabhSec2FwLogEntry 6 }

cabhSec2FwLogIpAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP addresses in the packet logged. It governs
        how cabhSec2FwLogIpSourceAddr and cabhSec2FwLogIpDestAddr are
        to be interpreted."
    ::= { cabhSec2FwLogEntry 7 }

cabhSec2FwLogIpSourceAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source IP address of the packet logged. The address type
        of this object is specified by cabhSec2FwLogIpAddrType."
    ::= { cabhSec2FwLogEntry 8 }

cabhSec2FwLogIpDestAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The destination IP address of the packet logged. The address
        type of this object is specified by cabhSec2FwLogIpAddrType."
    ::= { cabhSec2FwLogEntry 9 }

cabhSec2FwLogIpSourcePort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source port of the packet logged."
    ::= { cabhSec2FwLogEntry 10 }

cabhSec2FwLogIpDestPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The destination port of the packet logged."
    ::= { cabhSec2FwLogEntry 11 }

cabhSec2FwLogMessageType OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ICMP message type of the packet logged."
    ::= { cabhSec2FwLogEntry 12 }

cabhSec2FwLogReplayCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of identical attack packets seen by the firewall,
        where identical means the same cabhSec2FwLogIpProtocol,
        cabhSec2FwLogIpSourceAddr, cabhSec2FwLogIpDestAddr,
        cabhSec2FwLogIpSourcePort, cabhSec2FwLogIpDestPort and
        cabhSec2FwLogMessageType."
    DEFVAL { 0 }
    ::= { cabhSec2FwLogEntry 13 }

cabhSec2FwLogMIBPointer OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Identifies which of the cabhSec2FwPolicyFileURL and
        cabhSec2FwEnable objects was changed, or for which a change
        was attempted."
    DEFVAL { zeroDotZero }
    ::= { cabhSec2FwLogEntry 14 }

-- ============================================================
--
-- CableHome 1.1 PS IP Filter Scheduling Table
--
-- The cabhSec2FwFilterScheduleTable contains the firewall
-- policy identification and links that policy, as defined
-- in RFC 2669, to specific time-of-day restrictions.
--
-- ============================================================

cabhSec2FwFilterScheduleTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwFilterScheduleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Extends the filter matching parameters of
        docsDevFilterIpTable, defined in RFC 2669, for CableHome
        Residential Gateways to include time-of-day intervals and
        days of the week."
    ::= { cabhSec2FwFilter 1 }

cabhSec2FwFilterScheduleEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwFilterScheduleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Extended values for entries of docsDevFilterIpTable. If the
        PS has not acquired the time of day (ToD), the entire
        docsDevFilterIpEntry rule set is ignored."
    AUGMENTS { docsDevFilterIpEntry }
    ::= { cabhSec2FwFilterScheduleTable 1 }

CabhSec2FwFilterScheduleEntry ::= SEQUENCE {
    cabhSec2FwFilterScheduleStartTime   DateAndTime,
    cabhSec2FwFilterScheduleEndTime     DateAndTime,
    cabhSec2FwFilterScheduleDOW         BITS
}

cabhSec2FwFilterScheduleStartTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The start time, with optional time zone, for a firewall
        filter rule set. Only the time portion of the DateAndTime
        TEXTUAL-CONVENTION has a meaning."
    ::= { cabhSec2FwFilterScheduleEntry 1 }

cabhSec2FwFilterScheduleEndTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The end time, with optional time zone, for a firewall
        filter rule set. Only the time portion of the DateAndTime
        TEXTUAL-CONVENTION has a meaning."
    ::= { cabhSec2FwFilterScheduleEntry 2 }

cabhSec2FwFilterScheduleDOW OBJECT-TYPE
    SYNTAX      BITS {
                    sunday(0),
                    monday(1),
                    tuesday(2),
                    wednesday(3),
                    thursday(4),
                    friday(5),
                    saturday(6)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "If the bit for the PS's current day of the week is set to
        '1', this criterion matches."
    ::= { cabhSec2FwFilterScheduleEntry 3 }

--
-- Kerberos MIBs
--

cabhSecKerbPKINITGracePeriod OBJECT-TYPE
    SYNTAX      Unsigned32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The PKINIT Grace Period is needed by the PS to know when it
        should start trying to get a new ticket. The PS MUST obtain a
        new Kerberos ticket (with a PKINIT exchange) before the old
        ticket expires; the grace period sets how many minutes ahead
        of expiry it starts."
    DEFVAL { 30 }
    ::= { cabhSecKerbBase 1 }

cabhSecKerbTGSGracePeriod OBJECT-TYPE
    SYNTAX      Unsigned32 (1..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The TGS Grace Period is needed by the PS to know when it
        should start trying to get a new ticket.
        The PS MUST obtain a new Kerberos ticket (with a TGS Request)
        before the old ticket expires; the grace period sets how many
        minutes ahead of expiry it starts."
    DEFVAL { 10 }
    ::= { cabhSecKerbBase 2 }

cabhSecKerbUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This timeout applies to the PS-initiated AP-REQ/AP-REP key
        management exchange with the NMS. It is the maximum timeout,
        the value that the exponential backoff algorithm may not
        exceed."
    DEFVAL { 600 }
    ::= { cabhSecKerbBase 3 }

cabhSecKerbUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Unsigned32 (1..32)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The number of retries the PS is allowed when initiating the
        AP-REQ/AP-REP key management exchange with the NMS. This is
        the maximum number of retries before the PS gives up
        attempting to establish an SNMPv3 security association with
        the NMS."
    DEFVAL { 8 }
    ::= { cabhSecKerbBase 4 }

cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 2 }
cabhSecConformance  OBJECT IDENTIFIER ::= { cabhSecMib 3 }
cabhSecCompliances  OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
cabhSecGroups       OBJECT IDENTIFIER ::= { cabhSecConformance 2 }

--
-- Notification Group for future extension
--

-- compliance statements

cabhSecCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for CableHome Security."
    MODULE -- cabhSecMib

    -- unconditionally mandatory groups
    MANDATORY-GROUPS {
        cabhSecCertGroup,
        cabhSecKerbGroup
    }

    -- conditionally mandatory groups
    GROUP cabhSecGroup
    DESCRIPTION
        "This group is implemented only for CH 1.0 gateways."

    GROUP cabhSec2Group
    DESCRIPTION
        "This group is implemented only for CH 1.1 gateways."
    OBJECT cabhSec2FwLogIpAddrType
    SYNTAX InetAddressType { ipv4(1) }
    DESCRIPTION
        "An implementation is only required to support IPv4
        addresses."

    OBJECT cabhSec2FwLogIpSourceAddr
    SYNTAX InetAddress (SIZE(4))
    DESCRIPTION
        "An implementation is only required to support IPv4
        addresses."

    OBJECT cabhSec2FwLogIpDestAddr
    SYNTAX InetAddress (SIZE(4))
    DESCRIPTION
        "An implementation is only required to support IPv4
        addresses."
    ::= { cabhSecCompliances 1 }

cabhSecGroup OBJECT-GROUP
    OBJECTS {
        cabhSecFwPolicyFileEnable,
        cabhSecFwPolicyFileURL,
        cabhSecFwPolicyFileHash,
        cabhSecFwPolicyFileOperStatus,
        cabhSecFwPolicyFileCurrentVersion,
        cabhSecFwPolicySuccessfulFileURL,
        cabhSecFwEventType1Enable,
        cabhSecFwEventType2Enable,
        cabhSecFwEventType3Enable,
        cabhSecFwEventAttackAlertThreshold,
        cabhSecFwEventAttackAlertPeriod
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in the CableHome 1.0 Firewall MIB."
    ::= { cabhSecGroups 1 }

cabhSecCertGroup OBJECT-GROUP
    OBJECTS {
        cabhSecCertPsCert
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in the CableHome gateway for the PS
        Certificate."
    ::= { cabhSecGroups 2 }

cabhSecKerbGroup OBJECT-GROUP
    OBJECTS {
        cabhSecKerbPKINITGracePeriod,
        cabhSecKerbTGSGracePeriod,
        cabhSecKerbUnsolicitedKeyMaxTimeout,
        cabhSecKerbUnsolicitedKeyMaxRetries
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in the CableHome gateway for Kerberos."
    ::= { cabhSecGroups 3 }

cabhSec2Group OBJECT-GROUP
    OBJECTS {
        cabhSec2FwEnable,
        cabhSec2FwPolicyFileURL,
        cabhSec2FwPolicyFileHash,
        cabhSec2FwPolicyFileOperStatus,
        cabhSec2FwPolicyFileCurrentVersion,
        cabhSec2FwClearPreviousRuleset,
        cabhSec2FwPolicySelection,
        cabhSec2FwEventSetToFactory,
        cabhSec2FwEventLastSetToFactory,
        cabhSec2FwPolicySuccessfulFileURL,
        cabhSec2FwEventEnable,
        cabhSec2FwEventThreshold,
        cabhSec2FwEventInterval,
        cabhSec2FwEventCount,
        cabhSec2FwEventLogReset,
        cabhSec2FwEventLogLastReset,
        cabhSec2FwLogEventType,
        cabhSec2FwLogEventPriority,
        cabhSec2FwLogEventId,
        cabhSec2FwLogTime,
        cabhSec2FwLogIpProtocol,
        cabhSec2FwLogIpAddrType,
        cabhSec2FwLogIpSourceAddr,
        cabhSec2FwLogIpDestAddr,
        cabhSec2FwLogIpSourcePort,
        cabhSec2FwLogIpDestPort,
        cabhSec2FwLogMessageType,
        cabhSec2FwLogReplayCount,
        cabhSec2FwLogMIBPointer,
        cabhSec2FwFilterScheduleStartTime,
        cabhSec2FwFilterScheduleEndTime,
        cabhSec2FwFilterScheduleDOW
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in the CableHome 1.1 Firewall MIB."
    ::= { cabhSecGroups 4 }

END

5. Acknowledgements

   Nancy Davoust, YAS Broadband Ventures
   Jim Hinsey, Broadcom
   John Bevilacqua, YAS Broadband Ventures

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

6. Formal Syntax

   The following syntax specification uses the augmented Backus-Naur
   Form (BNF) as described in RFC 2234 [3].

7. Security Considerations

   There are a number of management objects defined in this MIB that
   have a MAX-ACCESS clause of read-write and/or read-create, among
   them the cabhSecKerb* timers and the columns of
   cabhSec2FwFilterScheduleTable. Such objects may be considered
   sensitive or vulnerable in some network environments. The support
   for SET operations in a non-secure environment without proper
   protection can have a negative effect on network operations.
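   The MIB module above defines cabhSec2FwLogTable and
   cabhSec2FwFilterScheduleTable but shows no consumer for either. The
   following Python is an added example, not code from the draft, from
   CableLabs or from any gateway vendor. It decodes a walk of the log
   table (the DateAndTime and InetAddress octet strings, the latter
   readable only together with cabhSec2FwLogIpAddrType), checks each
   row against the per-type column rules in the table DESCRIPTION, and
   evaluates a schedule row's day-of-week BITS and time window. All
   sample data is constructed: the addresses are documentation ranges,
   the VariablePointer value 1.3.6.1.4.1.1.1.0 is a placeholder, and
   the handling of an end time earlier than the start time (taken to
   cross midnight) is an assumption the draft does not state.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# cabhSec2FwLogEntry column sub-identifiers (column 1, the index, is not-accessible)
LOG_COLS = {2: "event_type", 3: "priority", 4: "event_id", 5: "log_time",
            6: "ip_protocol", 7: "addr_type", 8: "src_addr", 9: "dst_addr",
            10: "src_port", 11: "dst_port", 12: "message_type",
            13: "replay_count", 14: "mib_pointer"}
PACKET_TYPES, CHANGE_TYPES, ZERO_DOT_ZERO = {1, 2, 5, 6}, {3, 4}, "0.0"

def decode_date_and_time(octets: bytes) -> datetime:
    """RFC 2579 DateAndTime: 8 octets, or 11 with a '+'/'-' UTC offset."""
    if len(octets) not in (8, 11):
        raise ValueError("DateAndTime needs 8 or 11 octets, got %d" % len(octets))
    year = (octets[0] << 8) | octets[1]
    month, day, hour, minute, second, decisec = octets[2:8]
    tz = None
    if len(octets) == 11:
        sign = 1 if octets[8] == ord("+") else -1
        tz = timezone(sign * timedelta(hours=octets[9], minutes=octets[10]))
    return datetime(year, month, day, hour, minute, second, decisec * 100000, tzinfo=tz)

def decode_inet_address(addr_type: int, octets: bytes) -> str:
    """An InetAddress is opaque until paired with its InetAddressType column."""
    if addr_type == 1 and len(octets) == 4:                         # ipv4(1)
        return ".".join(str(b) for b in octets)
    raise ValueError("unsupported InetAddressType %d / length %d" % (addr_type, len(octets)))

def parse_log_table(walk: List[Tuple[str, object]]) -> Dict[int, dict]:
    """walk holds (column.index, value) pairs, the shape an SNMP walk of the
    table returns; rows are assembled whatever the column order."""
    rows: Dict[int, dict] = {}
    for oid, value in walk:
        col, idx = (int(x) for x in oid.split("."))
        rows.setdefault(idx, {})[LOG_COLS[col]] = value
    for r in rows.values():
        r["log_time"] = decode_date_and_time(r["log_time"])
        for k in ("src_addr", "dst_addr"):
            r[k] = decode_inet_address(r["addr_type"], r[k])
    return rows

def check_log_row(r: dict) -> List[str]:
    """Violations of the per-type column rules in the cabhSec2FwLogTable DESCRIPTION."""
    problems, t, ptr = [], r["event_type"], r["mib_pointer"]
    if t in CHANGE_TYPES and ptr == ZERO_DOT_ZERO:
        problems.append("type %d row needs a cabhSec2FwLogMIBPointer" % t)
    if t in PACKET_TYPES and ptr != ZERO_DOT_ZERO:
        problems.append("type %d row must leave cabhSec2FwLogMIBPointer at zeroDotZero" % t)
    if not 1 <= r["priority"] <= 8:
        problems.append("priority outside emergency(1)..debug(8)")
    return problems

def dow_bits(*days: int) -> bytes:
    """SMIv2 BITS: sunday(0) is the MOST significant bit of the first octet."""
    value = 0
    for d in days:
        value |= 0x80 >> d
    return bytes([value])

def schedule_active(start: bytes, end: bytes, dow: bytes, now: Optional[datetime]) -> bool:
    """Does the docsDevFilterIpEntry this row augments apply at 'now'?  A PS
    without time of day (now is None) ignores the whole rule set.  Only the
    time part of start/end is used; an end before the start is taken to
    cross midnight (assumption: the draft does not define that case)."""
    if now is None:
        return False
    smi_day = (now.weekday() + 1) % 7                # Python Monday=0 -> MIB sunday(0)
    if not dow[0] & (0x80 >> smi_day):
        return False
    t = now.time()
    s, e = decode_date_and_time(start).time(), decode_date_and_time(end).time()
    return s <= t <= e if s <= e else (t >= s or t <= e)

# Constructed sample data, not captured from a gateway: documentation address
# ranges, a placeholder VariablePointer OID, and one deliberately broken row.
T0 = bytes([0x07, 0xD3, 6, 15, 14, 30, 5, 0, ord("+"), 0, 0])   # 2003-06-15 14:30:05 +00:00
SAMPLE_WALK = [
    ("2.1", 1), ("3.1", 5), ("4.1", 1001), ("5.1", T0), ("6.1", 6), ("7.1", 1),
    ("8.1", bytes([198, 51, 100, 7])), ("9.1", bytes([192, 168, 0, 10])),
    ("10.1", 4242), ("11.1", 445), ("12.1", 0), ("13.1", 3), ("14.1", ZERO_DOT_ZERO),
    ("2.2", 3), ("3.2", 6), ("4.2", 1002), ("5.2", T0), ("6.2", 0), ("7.2", 1),
    ("8.2", bytes([203, 0, 113, 9])), ("9.2", bytes(4)), ("10.2", 0), ("11.2", 0),
    ("12.2", 0), ("13.2", 0), ("14.2", "1.3.6.1.4.1.1.1.0"),
    ("2.3", 4), ("3.3", 6), ("4.3", 1003), ("5.3", T0), ("6.3", 0), ("7.3", 1),
    ("8.3", bytes([203, 0, 113, 9])), ("9.3", bytes(4)), ("10.3", 0), ("11.3", 0),
    ("12.3", 0), ("13.3", 0), ("14.3", ZERO_DOT_ZERO),             # broken: type 4, no pointer
]
NIGHT_START = bytes([0x07, 0xD3, 6, 15, 21, 0, 0, 0])             # 21:00 (date part ignored)
NIGHT_END = bytes([0x07, 0xD3, 6, 15, 6, 0, 0, 0])                # 06:00
SCHOOL_NIGHTS = dow_bits(0, 1, 2, 3, 4)                           # Sunday..Thursday -> 0xF8
```

   Two details matter operationally. First, SMIv2 BITS number bits from
   the most significant bit of the first octet, so sunday(0) is 0x80;
   a management tool that writes bit 0 as 0x01 silently moves a
   schedule from Sunday to Saturday, and the rule then applies on the
   wrong days. Second, because the schedule is ignored entirely while
   the PS has no time of day, a rule intended as a restriction is
   absent during that window; the example returns False in that case
   so the caller can see the distinction.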
   It is thus important to control even GET access to these objects
   and possibly to even encrypt the values of these objects when
   sending them over the network via SNMP. In this module the
   cabhSec2FwLogTable columns in particular reveal the addresses and
   ports of LAN IP Devices and of the WAN hosts that probed them. Not
   all versions of SNMP provide features for such a secure
   environment. SNMP versions prior to SNMPv3 did not include adequate
   security. Even if the network itself is secure (for example by
   using IPsec), there is still no control as to who on the secure
   network is allowed to access and GET/SET (read/change/create/
   delete) the objects in this MIB module.

   It is RECOMMENDED that implementers consider the security features
   as provided by the SNMPv3 framework (see RFC 3410 [12], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security. It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access
   to the objects only to those principals (users) that have
   legitimate rights to indeed GET or SET (change/create/delete) them.

8. Normative References

   [1]  Bradner, S., "The Internet Standards Process -- Revision 3",
        BCP 9, RFC 2026, October 1996.

   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [3]  Crocker, D. and P. Overell (Editors), "Augmented BNF for Syntax
        Specifications: ABNF", RFC 2234, Internet Mail Consortium and
        Demon Internet Ltd., November 1997.

   [4]  Rose, M. and K. McCloghrie, "Structure and Identification of
        Management Information for TCP/IP-based Internets", STD 16,
        RFC 1155, May 1990.

   [5]  Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
        RFC 1212, March 1991.
   [6]  Rose, M., "A Convention for Defining Traps for use with the
        SNMP", RFC 1215, March 1991.

   [7]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Structure of
        Management Information for Version 2 (SMIv2)", STD 58,
        RFC 2578, April 1999.

   [8]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Textual
        Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   [9]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance
        Statements for SMIv2", STD 58, RFC 2580, April 1999.

   [10] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
        Network Management Protocol", STD 15, RFC 1157, May 1990.

   [11] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
        "Introduction to Community-based SNMPv2", RFC 1901,
        January 1996.

   [12] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction
        and Applicability Statements for Internet Standard Management
        Framework", RFC 3410, December 2002.

   [13] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for
        Describing Simple Network Management Protocol (SNMP)
        Management Frameworks", RFC 3411, December 2002.

   [14] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message
        Processing and Dispatching for the Simple Network Management
        Protocol (SNMP)", RFC 3412, December 2002.

   [15] Levi, D., Meyer, P. and B. Stewart, "Simple Network Management
        Protocol (SNMP) Applications", RFC 3413, December 2002.

   [16] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM)
        for version 3 of the Simple Network Management Protocol
        (SNMPv3)", RFC 3414, December 2002.

   [17] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
        Control Model (VACM) for the Simple Network Management Protocol
        (SNMP)", RFC 3415, December 2002.

   [18] Presuhn, R., Case, J., McCloghrie, K., Rose, M. and
        S. Waldbusser, "Version 2 of the Protocol Operations for the
        Simple Network Management Protocol (SNMPv2)", RFC 3416,
        December 2002.

   [19] Presuhn, R., Case, J., McCloghrie, K., Rose, M.
        and S. Waldbusser, "Transport Mappings for the Simple Network
        Management Protocol (SNMPv2)", RFC 3417, December 2002.

   [20] Presuhn, R., Case, J., McCloghrie, K., Rose, M. and
        S. Waldbusser, "Management Information Base (MIB) for the
        Simple Network Management Protocol (SNMP)", RFC 3418,
        December 2002.

   [21] Cable Television Laboratories, "CableHome 1.0 Specification",
        CH-SP-I02-020920, September 2002,
        http://www.cablelabs.com/projects/cablehome/specifications.

9. Informative References

   [22] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
        March 1997.

   [23] Sollins, K., "The TFTP Protocol (Revision 2)", RFC 1350,
        July 1992.

   [24] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for
        Describing SNMP Management Frameworks", RFC 2571, April 1999.

   [25] Daniele, M., Haberman, B., Routhier, S. and J. Schoenwaelder,
        "Textual Conventions for Internet Network Addresses", RFC 3291,
        May 2002.

10. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification
   can be obtained from the IETF Secretariat.
   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

11. Authors' Addresses

   Eduardo Cardona
   Cable Television Laboratories
   400 Centennial Parkway
   Louisville, CO 80027
   Phone: +1 303.661.9100
   Email: e.cardona@cablelabs.com

   Kevin Luehrs
   Cable Television Laboratories
   400 Centennial Parkway
   Louisville, CO 80027
   Phone: +1 303.661.9100
   Email: k.luehrs@cablelabs.com

   Scott Higgins
   Ashley-Laurent
   Austin, TX
   Phone: +1 512.322.0676 x112
   Email: shiggins@ashleylaurent.com

   Doug Jones
   YAS Broadband Ventures
   300 Brickstone Square
   Andover, MA 01810
   Phone: +1 303.661.3823
   Email: doug@yas.com

12. Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.
   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.