IPCDN Working Group                                     Doug Jones, Ed.
Internet Draft                                            YAS Broadband
draft-jones-cable-gateway-security-mib-00                 October, 2002
Expires April 2003

           CableHome Residential Gateway Device Security MIB

     Security Management Information Base for CableHome compliant
                       Residential Gateway Devices

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a basic set of managed objects for
   SNMP-based security management of CableHome 1.0 compliant residential
   gateway devices.

   This memo specifies a MIB module in a manner that is compliant to the
   SNMP SMIv2 [5][6][7]. The set of objects is consistent with the SNMP
   framework and existing SNMP standards.

   This memo is a product of the IPCDN working group within the Internet
   Engineering Task Force. Comments are solicited and should be
   addressed to the working group's mailing list at ipcdn@terayon.com
   and/or the author.
Jones                    Expires April 2003                     [Page 1]

Internet Draft          Cable Gateway Security MIB          October 2002

Table of Contents

   1 The SNMP Management Framework ................................... 3
   2 Glossary ........................................................ 4
   2.1 Cable Gateway Device .......................................... 4
   2.2 Portal Services ............................................... 4
   2.3 Denial of Service ............................................. 4
   2.4 Firewall ...................................................... 4
   2.5 Hash .......................................................... 4
   2.6 Rule Set ...................................................... 4
   2.7 Security Policy ............................................... 5
   3 Overview ........................................................ 5
   3.1 Management requirements ....................................... 5
   3.1.1 Firewall Enable ............................................. 5
   3.1.2 Firewall Configuration File Download ........................ 5
   3.1.3 Firewall Event Management ................................... 5
   3.1.4 Firewall Attack Alert ....................................... 6
   3.1.5 PS Certificate .............................................. 6
   4 Definitions ..................................................... 6
   5 Acknowledgments ................................................ 11
   6 References ..................................................... 11
   8 Intellectual Property .......................................... 13
   9 Author's Address ............................................... 13
   10 Full Copyright Statement ...................................... 13

1. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [1].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The
      second version, called SMIv2, is described in STD 58, RFC 2578
      [5], STD 58, RFC 2579 [6] and STD 58, RFC 2580 [7].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [8]. A second version of the SNMP
      message protocol, which is not an Internet standards track
      protocol, is called SNMPv2c and described in RFC 1901 [9] and
      RFC 1906 [10]. The third version of the message protocol is
      called SNMPv3 and described in RFC 1906 [10], RFC 2572 [11] and
      RFC 2574 [12].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [8]. A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [13].

   o  A set of fundamental applications described in RFC 2573 [14] and
      the view-based access control mechanism described in RFC 2575
      [15].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine
   readable information is not considered to change the semantics of
   the MIB.

2. Glossary

   The terms in this document are derived either from normal cable
   system usage, or from the documents associated with the CableHome
   Specification process.

2.1. Cable Gateway Device

   A cable gateway device passes data traffic between the cable
   operator's broadband data network (the Wide Area Network, WAN) and
   the Local Area Network (LAN) in the cable data service subscriber's
   residence or business. In addition to passing traffic between the
   WAN and LAN, the cable gateway device provides several services
   including a DHCP client and a DHCP server [RFC2131], a TFTP server
   [RFC1350], management services provided by an SNMPv1/v2c/v3 agent
   compliant with the RFCs listed in Section 1, and security services
   including stateful packet inspection firewall functionality and
   software code image verification using techniques described in
   [RFC3280].

2.2. Portal Services (PS)

   A logical element aggregating the set of CableHome-specified
   functionality in a CableHome compliant cable gateway device. The
   Portal Services set of functions is described in [16].

2.3. Denial of Service

   A type of attack on a network that is designed to bring the network
   to its knees by flooding it with useless traffic.

2.4. Firewall

   A system designed to prevent unauthorized access to or from a
   private network. Firewalls are frequently used to prevent
   unauthorized Internet users from accessing private networks
   connected to the Internet.

2.5. Hash

   A hash value (or simply hash) is a number generated from a string of
   text. The hash is substantially smaller than the text itself, and is
   generated by a formula in such a way that it is extremely unlikely
   that some other text will produce the same hash value. Hashes play a
   role in security systems where they are used to ensure that
   transmitted messages have not been tampered with.

2.6. Rule Set

   The rule set is derived from the security policy and defines the
   collection of access control rules (filter and proxy action rules)
   which then determines which packets the firewall forwards and which
   it rejects.

2.7. Security Policy

   The security policy defines the desired level of
   security/functionality for a subscriber's firewall.

3. Overview

   This MIB provides a set of security objects required for the
   management of CableHome compliant residential gateway devices. The
   specification is derived from the CableHome 1.0 specification [16].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [17].

3.1. Management requirements

3.1.1. Firewall Enable

   The cabhSecFwPolicyFileEnable object enables or disables firewall
   rule set filtering functions.

3.1.2. Firewall Configuration File Download

   The firewall configuration file download process is documented in
   [16]. From a network management station, the operator:

   - sets cabhSecFwPolicyFileHash to the hash value calculated over the
     firewall configuration file.

   - sets cabhSecFwPolicyFileURL to the name and IP address of the
     firewall configuration file using TFTP URL format. When this value
     changes, it triggers the file download.

   Download status and the version of the firewall configuration file
   can be obtained from the cabhSecFwPolicyFileOperStatus and
   cabhSecFwPolicyFileCurrentVersion MIB objects.

3.1.3. Firewall Event Management

   There are three types of firewall events that can be logged. The
   following objects allow the operator to enable or disable the
   logging of these events:

   - cabhSecFwEventType1Enable controls the logging of Type 1 event
     messages, which indicate attempts from both private and public
     clients to traverse the firewall that violate the security policy.

   - cabhSecFwEventType2Enable controls the logging of Type 2 event
     messages, which indicate the detection of Denial-of-Service
     attacks.

   - cabhSecFwEventType3Enable controls the logging of Type 3 event
     messages, which indicate changes in firewall management
     parameters.

   Event messaging details are documented in [16].

3.1.4. Firewall Attack Alert

   The Firewall Attack Alert MIB objects enable an MSO to be notified
   when a firewall has been attacked a certain number of times within a
   given period. The cabhSecFwEventAttackAlertThreshold object is set
   with the number of Type 1 or Type 2 hacker attacks that are allowed
   within the time period defined by cabhSecFwEventAttackAlertPeriod.
   If the total number of attacks exceeds this number, an event message
   MUST be logged.

   The cabhSecFwEventAttackAlertPeriod object indicates the period to
   be used (in hours) for the cabhSecFwEventAttackAlertThreshold. This
   MIB variable should always keep track of the last x hours of events,
   meaning that if the variable is set to track events for 10 hours,
   then when the 11th hour is reached the 1st hour of events is deleted
   from the tracking log. The default value is zero, meaning zero time,
   so that this MIB variable will not track any events unless
   configured.

3.1.5. PS Certificate

   The cabhSecCertPsCert object provides the ability to read the
   certificate information in a compliant CableHome residential gateway
   device. The PS certificate is used in the process to authenticate
   the device.
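   The download procedure of Section 3.1.2, seen from the Portal
   Services side, is easy to get wrong in one detail: the rule set must
   not be installed until the file's SHA-1 digest matches the value the
   operator wrote to cabhSecFwPolicyFileHash, and a mismatch must leave
   cabhSecFwPolicyFileOperStatus at failed(4) with the previous rule
   set still in force. The following Python model is an added example
   and not code from the draft or from CableLabs. The in-memory TFTP
   store, the rule-set file contents, the "version:" first-line layout
   and the Type 3 log message text are all constructed for the example.

```python
"""Model of the PS agent's side of the CableHome firewall policy file
download (Section 3.1.2 and the cabhSecFwPolicyFile* objects).

Added example, not part of the draft. The in-memory 'tftp' store and the
rule-set file contents are constructed; a real PS fetches the file over
TFTP from the URL written to cabhSecFwPolicyFileURL.
"""
import hashlib
from typing import Callable, Dict, List

# cabhSecFwPolicyFileOperStatus enumeration values from the MIB
IN_PROGRESS = 1
COMPLETE_FROM_PROVISIONING = 2
COMPLETE_FROM_MGT = 3
FAILED = 4

# cabhSecFwEventType3Enable values
ENABLE, DISABLE = 1, 2


class PortalServicesAgent:
    """Holds the relevant MIB objects and runs the download on a URL change."""

    def __init__(self, fetch: Callable[[str], bytes], event_type3_enable: int = DISABLE):
        self.fetch = fetch                             # stand-in for the TFTP client
        self.policy_file_hash = b""                    # cabhSecFwPolicyFileHash (20-byte SHA-1)
        self.policy_file_url = ""                      # cabhSecFwPolicyFileURL
        self.oper_status = COMPLETE_FROM_PROVISIONING  # cabhSecFwPolicyFileOperStatus
        self.current_version = ""                      # cabhSecFwPolicyFileCurrentVersion
        self.event_type3_enable = event_type3_enable   # cabhSecFwEventType3Enable
        self.active_rule_set = b""                     # rule set actually in force
        self.event_log: List[str] = []                 # firewall event log (constructed)

    def set_policy_file_hash(self, digest: bytes) -> None:
        # The object is OCTET STRING (SIZE(20)); anything else is a bad SET
        if len(digest) != 20:
            raise ValueError("cabhSecFwPolicyFileHash must be a 20-byte SHA-1 digest")
        self.policy_file_hash = digest

    def set_policy_file_url(self, url: str) -> int:
        """SET on cabhSecFwPolicyFileURL; only a changed value triggers a download."""
        if url == self.policy_file_url:
            return self.oper_status
        self.policy_file_url = url
        self._log_type3("cabhSecFwPolicyFileURL changed to %s" % url)
        return self._download()

    def _download(self) -> int:
        self.oper_status = IN_PROGRESS
        try:
            data = self.fetch(self.policy_file_url)
        except KeyError:                      # TFTP failure (timeout, missing file)
            self.oper_status = FAILED
            return self.oper_status
        # The digest arrived over SNMP before the file: verify before installing
        if hashlib.sha1(data).digest() != self.policy_file_hash:
            self.oper_status = FAILED         # rule set is NOT installed
            return self.oper_status
        self.active_rule_set = data
        self.current_version = self._version_of(data)
        self.oper_status = COMPLETE_FROM_MGT
        self._log_type3("cabhSecFwPolicyFileCurrentVersion now %s" % self.current_version)
        return self.oper_status

    @staticmethod
    def _version_of(data: bytes) -> str:
        # Assumed file layout: first line "version: <string>" (vendor-specific in practice)
        first = data.split(b"\n", 1)[0].decode("ascii", "replace")
        return first.partition(":")[2].strip() if first.startswith("version:") else "unknown"

    def _log_type3(self, msg: str) -> None:
        if self.event_type3_enable == ENABLE:
            self.event_log.append("type3: " + msg)


# Constructed rule-set file standing in for a TFTP server's contents
RULE_SET_V2 = b"version: 2.0\nallow tcp lan->wan any 80\ndeny any wan->lan\n"
TFTP_FILES: Dict[str, bytes] = {"tftp://10.0.0.5/fw-policy-v2.bin": RULE_SET_V2}


def run_scenario(tamper: bool = False) -> tuple:
    """Operator workflow: SET the hash, then SET the URL.
    Returns (oper_status, current_version, event_log)."""
    files = dict(TFTP_FILES)
    if tamper:  # file altered after the operator computed the digest
        files["tftp://10.0.0.5/fw-policy-v2.bin"] = RULE_SET_V2.replace(b"deny", b"allow")
    agent = PortalServicesAgent(fetch=lambda url: files[url], event_type3_enable=ENABLE)
    agent.set_policy_file_hash(hashlib.sha1(RULE_SET_V2).digest())
    status = agent.set_policy_file_url("tftp://10.0.0.5/fw-policy-v2.bin")
    return status, agent.current_version, agent.event_log


if __name__ == "__main__":
    print(run_scenario())              # (3, '2.0', [...two type 3 messages...])
    print(run_scenario(tamper=True))   # (4, '', [...one type 3 message...])
```

   The tampered run shows why the hash is written first: the PS never
   sees a version string or a new rule set for a file whose digest does
   not match. Note that the digest itself is only as trustworthy as the
   SNMP access control on the read-write cabhSecFwPolicyFileHash object,
   which is one reason the draft lists changes to the policy file
   objects as Type 3 events worth logging.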
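   The attack alert of Section 3.1.4 is a sliding window over Type 1
   and Type 2 events: events older than cabhSecFwEventAttackAlertPeriod
   hours drop out, a period of zero disables tracking altogether, and
   a count above cabhSecFwEventAttackAlertThreshold produces the
   priority 4 event. The Python below is an added example, not code
   from the draft. Event timestamps in hours and the sample stream are
   constructed, the alert message text is assumed, and clearing the
   window after an alert (so a burst yields one alert rather than one
   per packet) is a design choice of this example that the draft does
   not specify.

```python
"""Sliding-window attack alert from Section 3.1.4, driven by the
cabhSecFwEventAttackAlertThreshold / cabhSecFwEventAttackAlertPeriod pair.

Added example, not part of the draft. Timestamps (hours) and the sample
stream are constructed; clearing the window after an alert is a design
choice of this example, not something the draft specifies.
"""
from collections import deque
from typing import Deque, List, Tuple

# Firewall event types from Section 3.1.3
TYPE1_POLICY_VIOLATION = 1
TYPE2_DOS_ATTEMPT = 2
TYPE3_MGMT_CHANGE = 3


class AttackAlertTracker:
    """Keeps the Type 1/2 events of the last `period_hours` hours."""

    def __init__(self, threshold: int = 65535, period_hours: int = 0):
        # DEFVALs from the MIB: threshold 65535, period 0 (no tracking)
        for value in (threshold, period_hours):
            if not 0 <= value <= 65535:
                raise ValueError("value outside INTEGER (0..65535)")
        self.threshold = threshold
        self.period_hours = period_hours
        self.window: Deque[float] = deque()   # timestamps of counted attacks
        self.alerts: List[str] = []           # priority 4 event messages

    def record(self, event_type: int, t_hours: float) -> bool:
        """Feed one firewall event. Returns True if an alert was logged."""
        if self.period_hours == 0:            # period 0: nothing is tracked
            return False
        if event_type not in (TYPE1_POLICY_VIOLATION, TYPE2_DOS_ATTEMPT):
            return False                      # Type 3 changes are not attacks
        self.window.append(t_hours)
        # Forget events that have fallen out of the last `period_hours` hours
        while self.window and t_hours - self.window[0] >= self.period_hours:
            self.window.popleft()
        if len(self.window) > self.threshold:
            self.alerts.append(
                f"priority 4: {len(self.window)} attacks within "
                f"{self.period_hours}h (threshold {self.threshold}) at t={t_hours}h"
            )
            self.window.clear()               # assumed: one alert per burst
            return True
        return False


def replay(events: List[Tuple[int, float]], threshold: int, period_hours: int) -> List[str]:
    """Run a whole event stream through a fresh tracker; returns the alerts."""
    tracker = AttackAlertTracker(threshold, period_hours)
    for event_type, t_hours in events:
        tracker.record(event_type, t_hours)
    return tracker.alerts


# Constructed sample stream: (event type, time in hours since boot)
SAMPLE_EVENTS: List[Tuple[int, float]] = [
    (TYPE1_POLICY_VIOLATION, 0.5),
    (TYPE2_DOS_ATTEMPT, 1.0),
    (TYPE3_MGMT_CHANGE, 1.2),                 # ignored by the tracker
    (TYPE1_POLICY_VIOLATION, 1.5),
    (TYPE1_POLICY_VIOLATION, 2.5),
    (TYPE2_DOS_ATTEMPT, 9.9),                 # 5th attack inside 10 hours
    (TYPE1_POLICY_VIOLATION, 10.6),           # the 0.5h event has now aged out
]

if __name__ == "__main__":
    for line in replay(SAMPLE_EVENTS, threshold=4, period_hours=10):
        print(line)
```

   With threshold 4 and a 10-hour period the stream above produces one
   alert at t=9.9h; with the MIB defaults (65535, 0) it produces none,
   which is the "will not track any events unless configured" behaviour
   the draft describes.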
4. Definitions

CABH-SEC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE
        FROM SNMPv2-SMI
    OBJECT-GROUP,
    MODULE-COMPLIANCE
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    X509Certificate
        FROM DOCS-BPI2-MIB
    clabProjCableHome
        FROM CLAB-DEF-MIB;

--==========================================================================
--
-- History:
--
--  Date      Modified by   Reason
--  04/05/02                Issued I01
--  09/20/02                Issued I02
--  10/25/02                IETF I-D revisions
--
--==========================================================================

cabhSecMib MODULE-IDENTITY
    LAST-UPDATED    "200210250000Z" -- October 25, 2002
    ORGANIZATION    "CableLabs Broadband Access Department"
    CONTACT-INFO
        "Kevin Luehrs
         Postal: Cable Television Laboratories, Inc.
                 400 Centennial Parkway
                 Louisville, Colorado 80027-1266
                 U.S.A.
         Phone:  +1 303-661-9100
         Fax:    +1 303-661-9199
         E-mail: k.luehrs@cablelabs.com"
    DESCRIPTION
        "This MIB module supplies the basic management objects for the
         security functionality of the CableHome Portal Services.

         Acknowledgements:
         Roy Spitzer  - Consultant to CableLabs
         Chris Zacker - Broadcom Visiting Engineer"
    ::= { clabProjCableHome 2 }

-- Textual conventions

cabhSecFwObjects   OBJECT IDENTIFIER ::= { cabhSecMib 1 }
cabhSecFwBase      OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
cabhSecFwLogCtl    OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }
cabhSecCertObjects OBJECT IDENTIFIER ::= { cabhSecMib 2 }

--
-- The following group describes the base objects in the Cable Home
-- Firewall.
--

cabhSecFwPolicyFileEnable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable (1),
                    disable (2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This parameter indicates whether or not to enable the firewall
         functionality."
    DEFVAL { enable }
    ::= { cabhSecFwBase 1 }

cabhSecFwPolicyFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object contains the name and IP address of the policy
         rule set file in a TFTP URL format. Once this object has been
         updated, it will trigger the file download."
    ::= { cabhSecFwBase 2 }

cabhSecFwPolicyFileHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(20))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Hash of the contents of the rule set file, calculated and sent
         to the PS prior to sending the rule set file. For the SHA-1
         authentication algorithm the length of the hash is 160 bits.
         This hash value is encoded in binary format."
    ::= { cabhSecFwBase 3 }

cabhSecFwPolicyFileOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    completeFromProvisioning(2),
                    completeFromMgt(3),
                    failed(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "InProgress(1) indicates that a TFTP download is underway,
         either as a result of a version mismatch at provisioning or as
         a result of an upgradeFromMgt request.
         CompleteFromProvisioning(2) indicates that the last software
         upgrade was a result of version mismatch at provisioning.
         CompleteFromMgt(3) indicates that the last software upgrade
         was a result of setting docsDevSwAdminStatus to upgradeFromMgt.
         Failed(4) indicates that the last attempted download failed,
         ordinarily due to TFTP timeout."
    ::= { cabhSecFwBase 4 }

cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The rule set version currently operating in the PS device.
         This object should be in the syntax used by the individual
         vendor to identify software versions. Any PS element MUST
         return a string descriptive of the current rule set file load.
         If this is not applicable, this object MUST contain an empty
         string."
    ::= { cabhSecFwBase 5 }

--
-- Firewall log parameters
--

cabhSecFwEventType1Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable (1),   -- log event
                    disable (2)   -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object enables or disables logging of type 1 firewall
         event messages. Type 1 event messages report attempts from
         both private and public clients to traverse the firewall that
         violate the Security Policy."
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 1 }

cabhSecFwEventType2Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable (1),   -- log event
                    disable (2)   -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object enables or disables logging of type 2 firewall
         event messages. Type 2 event messages report identified Denial
         of Service attack attempts."
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 2 }

cabhSecFwEventType3Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable (1),   -- log event
                    disable (2)   -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables or disables logging of type 3 firewall event messages.
         Type 3 event messages report changes made to the following
         firewall management parameters: cabhSecFwPolicyFileURL,
         cabhSecFwPolicyFileCurrentVersion, cabhSecFwPolicyFileEnable."
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 3 }

cabhSecFwEventAttackAlertThreshold OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "If the number of type 1 or 2 hacker attacks exceeds this
         threshold in the period defined by
         cabhSecFwEventAttackAlertPeriod, a firewall message event MUST
         be logged with priority level 4."
    DEFVAL { 65535 }
    ::= { cabhSecFwLogCtl 4 }

cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates the period to be used (in hours) for the
         cabhSecFwEventAttackAlertThreshold. This MIB variable should
         always keep track of the last x hours of events, meaning that
         if the variable is set to track events for 10 hours, then when
         the 11th hour is reached the 1st hour of events is deleted
         from the tracking log. The default value is zero, meaning zero
         time, so that this MIB variable will not track any events
         unless configured."
    DEFVAL { 0 }
    ::= { cabhSecFwLogCtl 5 }

cabhSecCertPsCert OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The X509 DER-encoded PS certificate."
    REFERENCE
        "CableLabs 1.0 Specification version I01 (CH-SP-I01-020405)
         Section 11.3 Requirements (security requirements)"
    ::= { cabhSecCertObjects 1 }

--
-- notification group is for future extension.
--

cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 3 0 }

cabhSecConformance  OBJECT IDENTIFIER ::= { cabhSecMib 4 }
cabhSecCompliances  OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
cabhSecGroups       OBJECT IDENTIFIER ::= { cabhSecConformance 2 }

--
-- Notification Group
--

-- compliance statements

cabhSecBasicCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for the CableHome Firewall feature."
    MODULE -- cabhSecMib

    -- unconditionally mandatory groups
    MANDATORY-GROUPS { cabhSecGroup }
    ::= { cabhSecCompliances 3 }

cabhSecGroup OBJECT-GROUP
    OBJECTS {
        cabhSecFwPolicyFileEnable,
        cabhSecFwPolicyFileURL,
        cabhSecFwPolicyFileHash,
        cabhSecFwPolicyFileOperStatus,
        cabhSecFwPolicyFileCurrentVersion,
        cabhSecFwEventType1Enable,
        cabhSecFwEventType2Enable,
        cabhSecFwEventType3Enable,
        cabhSecFwEventAttackAlertThreshold,
        cabhSecFwEventAttackAlertPeriod,
        cabhSecCertPsCert
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in the CableHome Firewall MIB."
    ::= { cabhSecGroups 1 }

END

5. Acknowledgments

   This document was produced by the IPCDN Working Group. It is based
   on a document written by Stuart Hoggan from CableLabs, Nancy Davoust
   from YAS Broadband Ventures, consultant to CableLabs Roy Spitzer,
   and Chris Zacker from Broadcom.

6. References

   [1]  Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for
        Describing SNMP Management Frameworks", RFC 2571, April 1999.

   [2]  Rose, M. and K. McCloghrie, "Structure and Identification of
        Management Information for TCP/IP-based Internets", STD 16,
        RFC 1155, May 1990.

   [3]  Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
        RFC 1212, March 1991.

   [4]  Rose, M., "A Convention for Defining Traps for use with the
        SNMP", RFC 1215, March 1991.

   [5]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Structure of
        Management Information for Version 2 (SMIv2)", STD 58, RFC
        2578, April 1999.

   [6]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Textual
        Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   [7]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance
        Statements for SMIv2", STD 58, RFC 2580, April 1999.

   [8]  Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
        Network Management Protocol", STD 15, RFC 1157, May 1990.

   [9]  Case, J., McCloghrie, K., Rose, M. and S.
        Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901,
        January 1996.

   [10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport
        Mappings for Version 2 of the Simple Network Management Protocol
        (SNMPv2)", RFC 1906, January 1996.

   [11] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message
        Processing and Dispatching for the Simple Network Management
        Protocol (SNMP)", RFC 2572, April 1999.

   [12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM)
        for version 3 of the Simple Network Management Protocol
        (SNMPv3)", RFC 2574, April 1999.

   [13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol
        Operations for Version 2 of the Simple Network Management
        Protocol (SNMPv2)", RFC 1905, January 1996.

   [14] Levi, D., Meyer, P. and B. Stewart, "SNMP Applications", RFC
        2573, April 1999.

   [15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
        Control Model (VACM) for the Simple Network Management Protocol
        (SNMP)", RFC 2575, April 1999.

   [16] "CableHome 1.0 Specification CH-SP-I02-020920", CableHome,
        September 2002, http://www.cablelabs.com/projects/cablehome/
        downloads/specs/CH-SP-I02-020920.pdf

   [17] Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [18] Secure Hash Algorithm, Department of Commerce, NIST, FIPS
        180-1, April 1995.

   [19] ITU-T Recommendation X.509 (1997 E): Information Technology -
        Open Systems Interconnection - The Directory: Authentication
        Framework, June 1997.

8. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification
   can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

9. Author's Address

   Doug Jones
   YAS Broadband Ventures, LLC
   300 Brickstone Square
   Andover, MA 01810
   U.S.A

   Phone: +1 303 661 3823
   email: doug@yas.com

10. Full Copyright Statement

   Copyright (C) The Internet Society (1999). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.