Internet Draft                                Matt Osman/Eugene Nechamkin
draft-ietf-ipcdn-pktc-mtamib-00.txt                Cablelabs/Broadcom Corp
Expires: April 25, 2002                                  October 25, 2002


      Multimedia Terminal Adapter (MTA) Management Information Base
                  for PacketCable 1.0 compliant devices

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2002). All Rights Reserved.

1. Abstract

   This memo is the initial draft version of this document; it has no
   predecessors.

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a basic set of managed objects for SNMP-
   based management of PacketCable 1.0 compliant Media Terminal Adapter
   (MTA) devices.

   This memo specifies a MIB module in a manner that is compliant to
   the SNMP SMIv2 [5][6][7]. The set of objects is consistent with the
   SNMP framework and existing SNMP standards.

Osman/Nechamkin                                                 [Page 1]

Internet Draft             PacketCable MTA MIB          October 25, 2002

Table of Contents

   1. Abstract.....................................................1
   2. The SNMP Management Framework................................2
   3. Glossary.....................................................3
   3.1. DOCSIS.....................................................3
   3.2. CM (Cable Modem)...........................................3
   3.3. MTA (Media Terminal Adapter)...............................3
   3.4. Endpoint...................................................3
   3.5. X.509 Certificate..........................................3
   3.6. VoIP (Voice over IP).......................................3
   3.7. Public Key Certificate (also Digital certificate)..........3
   3.8. DHCP.......................................................3
   3.9. CMS Call Management Server.................................4
   3.10. CODEC COder-DECoder.......................................4
   3.11. OSS Operations Systems Support............................4
   3.12. KDC Key Distribution Center...............................4
   3.13. FQDN Fully Qualified Domain Name..........................4
   3.14. SA Security Association...................................4
   4. Overview.....................................................4
   4.1. Structure of the MIB.......................................4
      pktcMtaDevBase..............................................4
      pktcMtaDevServer............................................5
      pktcMtaDevSecurity..........................................5
   4.2. Relationship between MIB Objects in MTA MIB................5
      Security Association Establishment Process..................5
      Realm Table to CMS Table Relationship.......................6
      SA Related Scalar MIB Objects in MTA MIB....................6
   5. Definitions..................................................7
   6. Acknowledgments.............................................28
   7. Revision History............................................28
   8. References..................................................28
   9. Security Considerations.....................................29
   10. Intellectual Property......................................29
   11. Authors' Addresses.........................................30
   12. Full Copyright Statement...................................30

2. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   -  An overall architecture, described in RFC 2571 [1].

   -  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The
      second version, called SMIv2, is described in STD 58, RFC 2578
      [5], STD 58, RFC 2579 [6] and STD 58, RFC 2580 [7].

   -  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in RFC 1157 [8]. A second version of the SNMP message
      protocol, which is not an Internet standards track protocol, is
      called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
      The third version of the message protocol is called SNMPv3 and
      described in RFC 1906 [10], RFC 2572 [11] and RFC 2574 [12].

   -  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [8]. A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [13].

   -  A set of fundamental applications described in RFC 2573 [14] and
      the view-based access control mechanism described in RFC 2575
      [15].

   A more detailed introduction to the current SNMP Management
   Framework can be found in RFC 2570 [16].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the mechanisms defined in the SMI.
   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB MUST be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine
   readable information is not considered to change the semantics of
   the MIB.

3. Glossary

   The terms in this document are derived either from normal
   PacketCable 1.0 system usage, or from the documents associated with
   the PacketCable 1.0 Provisioning Specification [17] and Security
   Specification [18].

3.1. DOCSIS

   "Data Over Cable Service Interface Specification". A term referring
   to the ITU-T J.112 Annex B standard for cable modem systems [19].

3.2. CM (Cable Modem)

   A CM acts as a data transport agent used to transfer call management
   and voice data packets over DOCSIS compliant cable systems.

3.3. MTA (Media Terminal Adapter)

   MTA Device is used to refer to any PacketCable 1.0 compliant device
   providing telephony services over the cable or hybrid system used to
   deliver video signals to a community. An MTA can be Embedded (E-MTA)
   or Standalone (S-MTA). An E-MTA contains both an MTA and a CM. An
   S-MTA does not contain the CM part, relying on the presence of some
   external DOCSIS agent to provide the data transport over the cable.

3.4. Endpoint

   A standard RJ-11 telephony physical port located on the MTA and used
   for attaching the telephone device to the MTA.

3.5. X.509 Certificate

   A public key certificate specification developed as part of the
   ITU-T X.500 standards directory.

3.6. VoIP (Voice over IP)

   Technology providing the means to transfer digitized packets
   carrying voice information over IP networks.

3.7. Public Key Certificate (also Digital certificate)

   A binding between an entity's public key and one or more attributes
   relating to its identity.

3.8. DHCP

   Dynamic Host Configuration Protocol.

3.9. CMS Call Management Server

   Call Management Server. Controls the audio connections between
   different MTAs.

3.10. CODEC COder-DECoder

   Algorithm used to transform the audio information into the packets
   of digitized data being transferred over IP networks.

3.11. OSS Operations Systems Support

   The back office software used for configuration, performance, fault,
   accounting and security management.

3.12. KDC Key Distribution Center

   The security server which belongs to the OSS and provides the mutual
   authentication of the various components of the PacketCable domain
   (e.g. MTA and CMS, or MTA and the Provisioning Server).

3.13. FQDN Fully Qualified Domain Name

   Refer to IETF RFC 821 and 1034 for details.

3.14. SA Security Association

   A one-way relationship between sender and receiver offering security
   services on the communication flow.

4. Overview

   This MIB provides a set of objects required for the management of
   PacketCable compliant Media Terminal Adapters (MTA). The
   specification is derived in part from the parameters described in
   the PacketCable 1.0 Provisioning Specification [17].

4.1. Structure of the MIB

   This MIB is structured as three groups:

   -  Management information pertinent to the MTA Device itself
      (pktcMtaDevBase).

   -  Management information pertinent to the Provisioning back office
      Servers (pktcMtaDevServer).

   -  Management information pertinent to the elements and logic
      providing the PacketCable Security mechanisms
      (pktcMtaDevSecurity).

   The first two groups contain only scalar information describing the
   corresponding characteristics of the MTA device and back office
   servers.
   The third group contains two tables controlling the necessary
   logical associations between KDC realms and back office servers (CMS
   and provisioning). Rows in the tables can be created automatically
   (e.g. by the device according to the current state information) or
   can be created by the management station, depending on the
   operational situation. Tables may, and generally will, have a
   mixture of both types of rows.

pktcMtaDevBase

   Contains management information describing the parameters of the MTA
   device itself. Also, this group contains some objects controlling
   the MTA state. Some of the MIB objects are as follows:

   pktcMtaDevSerialNumber - Contains the MTA Serial Number.

   pktcMtaDevMacAddress - Contains the MTA MAC address.

   pktcMtaDevEndPntCount - Contains the number of End Points present in
   the MTA.

   pktcMtaDevProvisioningState - This object contains the information
   describing the completion state of the initialization process.

   pktcMtaDevEnabled - Controls the state of the MTA, enabling or
   disabling telephony services on the device.

   pktcMtaDevResetNow - This object is used to instruct the MTA to
   reset itself.

pktcMtaDevServer

   Contains management information describing the back office servers
   and the parameters assigned to the communication timeouts. Also,
   this group contains some objects controlling the initial MTA
   interaction with the Provisioning Server. Some of the MIB objects
   are as follows:

   pktcMtaDevServerDhcp1 - This object contains the IP Address of the
   Primary DHCP server designated for MTA provisioning.

   pktcMtaDevServerDhcp2 - This object contains the IP Address of the
   Secondary DHCP server designated for MTA provisioning.

   pktcMtaDevServerDns1 - This object contains the IP Address of the
   Primary DNS server used by the MTA to resolve FQDNs and IP
   Addresses.

   pktcMtaDevServerDns2 - This object contains the IP Address of the
   Secondary DNS server used by the MTA to resolve FQDNs and IP
   Addresses.

   pktcMtaDevConfigFile - This object contains the name of the
   provisioning configuration file to be downloaded from the
   Provisioning Server by the MTA.

   pktcMtaDevProvConfigHash - This object is used to supply the hash
   value of the MTA Configuration File, calculated over its content.

pktcMtaDevSecurity

   Contains management information describing the security related
   characteristics of the MTA. Also, this group contains two tables
   holding the logical dependencies and parameters necessary to
   establish a security association between the MTA and other
   components of the back office.

   pktcMtaDevRealmTable - This table is used in conjunction with any
   server which needs a Security Association with an MTA (CMS or
   Provisioning Server).

   pktcMtaDevCmsTable - This table contains the parameters describing
   the SA establishment between an MTA and a CMS.

4.2. Relationship between MIB Objects in MTA MIB

   This section clarifies the relationship between the various MIB
   Objects in the MTA MIB with respect to the role these objects play
   in the process of Security Association establishment.

Security Association Establishment Process

   Relationships between the MTA MIB Objects are determined by the way
   the Security Association establishment process is defined by the
   PacketCable Security Specification [18].

   The SA establishment process between the MTA and other back office
   Servers (CMS or Provisioning Server) consists of two steps:

   -  AS-exchange, providing mutual authentication of the parties (MTA
      and the Server),

   -  AP-exchange, providing the Key Distribution between the parties
      (MTA and the Server).

   Each Server-MTA Security Association has a one-to-one correspondence
   to a single Realm.
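   The following Python model is an added illustration of the two
   pktcMtaDevSecurity tables and the two-step SA establishment
   described above; it is example code written for this page, not code
   from the draft or from any PacketCable implementation. Only the two
   table indexes (realm name, CMS FQDN) and the realm-name column of
   the CMS table come from the draft; the kdc_fqdn column and all class
   and function names are this example's own assumptions. The upper-
   case ASCII normalisation of the realm index follows the rule the
   draft states for pktcMtaDevProvKerbRealmName in section 5.

```python
"""Model of the SA-related tables described in section 4.2.

Added example (not code from the draft).  pktcMtaDevRealmTable is indexed
by the Kerberos realm name and holds the AS-exchange parameters;
pktcMtaDevCmsTable is indexed by the CMS FQDN and names the realm each CMS
belongs to, so several CMS rows may share one realm row.  Only the two
indexes and the realm-name column of the CMS table come from the draft;
the kdc_fqdn column and the class/function names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RealmRow:
    realm_name: str   # index; compared in its upper-case ASCII form
    kdc_fqdn: str     # assumed column: KDC contacted in the AS-exchange


@dataclass(frozen=True)
class CmsRow:
    cms_fqdn: str     # index
    realm_name: str   # realm whose KDC authenticates the MTA to this CMS


def realm_index(name: str) -> str:
    """Canonical realm index.  The draft requires the upper-case ASCII form
    of the realm name so that manager and MTA address the same row."""
    if not name.isascii():
        raise ValueError("Kerberos realm index must be ASCII: %r" % name)
    return name.upper()


def fqdn_index(fqdn: str) -> str:
    """Canonical FQDN index; DNS names compare case-insensitively and a
    trailing dot is dropped (normalisation rule assumed for this example)."""
    return fqdn.rstrip(".").lower()


class SaTables:
    """In-memory view of the two tables with the draft's index semantics."""

    def __init__(self) -> None:
        self.realms: Dict[str, RealmRow] = {}
        self.cms: Dict[str, CmsRow] = {}

    def add_realm(self, row: RealmRow) -> None:
        self.realms[realm_index(row.realm_name)] = row

    def validate_cms(self, row: CmsRow) -> Optional[str]:
        """Return why a CMS row cannot be accepted, or None if it can.
        A CMS row pointing at a realm with no realm row would leave the MTA
        without AS-exchange parameters, so the AP-exchange could never run."""
        if realm_index(row.realm_name) not in self.realms:
            return f"CMS {row.cms_fqdn} refers to unknown realm {row.realm_name}"
        return None

    def add_cms(self, row: CmsRow) -> None:
        problem = self.validate_cms(row)
        if problem:
            raise LookupError(problem)
        self.cms[fqdn_index(row.cms_fqdn)] = row

    def sa_steps(self, cms_fqdn: str) -> List[Tuple[str, str]]:
        """The two-step SA establishment for one CMS: AS-exchange with the
        realm's KDC, then AP-exchange with the CMS itself."""
        cms = self.cms[fqdn_index(cms_fqdn)]
        realm = self.realms[realm_index(cms.realm_name)]
        return [("AS-exchange", realm.kdc_fqdn), ("AP-exchange", cms.cms_fqdn)]

    def cms_by_realm(self) -> Dict[str, List[str]]:
        """Group CMS FQDNs by realm: each realm yields its own SA."""
        groups: Dict[str, List[str]] = {}
        for row in self.cms.values():
            groups.setdefault(realm_index(row.realm_name), []).append(row.cms_fqdn)
        return groups


def build_sample_tables() -> SaTables:
    """Constructed sample data: two realms, three CMSs (not from the draft)."""
    t = SaTables()
    t.add_realm(RealmRow("east.example.net", "kdc-east.example.net"))
    t.add_realm(RealmRow("WEST.EXAMPLE.NET", "kdc-west.example.net"))
    t.add_cms(CmsRow("cms1.east.example.net", "EAST.EXAMPLE.NET"))
    t.add_cms(CmsRow("cms2.east.example.net", "east.example.net"))
    t.add_cms(CmsRow("CMS1.West.Example.Net.", "WEST.EXAMPLE.NET"))
    return t


if __name__ == "__main__":
    tables = build_sample_tables()
    for realm, servers in sorted(tables.cms_by_realm().items()):
        print(realm, "->", ", ".join(servers))
    print(tables.sa_steps("cms1.west.example.net"))
```

   The referential check in validate_cms is the practical point: a
   management station that creates a CMS row before the matching realm
   row leaves the MTA with a CMS it can never authenticate to, and
   catching that at row creation is cheaper than diagnosing a stalled
   AS-exchange later.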
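   The pktcMtaDevProvConfigHash object listed in the pktcMtaDevServer
   summary above is defined in section 5 as an OCTET STRING of 16 or 20
   octets: an MD5 or SHA-1 digest over the configuration file, sent to
   the MTA before the file itself. The check below is an added example
   written for this page, not code from the draft; it shows how an MTA
   can let the object's length select the algorithm and decide between
   the pass(1) and failConfigFileError(3) values of
   pktcMtaDevProvisioningState. The function names and the three-byte
   sample "configuration file" are constructed for the example.

```python
"""Config-file integrity check driven by pktcMtaDevProvConfigHash.

Added example (not code from the draft).  The draft fixes the object's
SYNTAX to OCTET STRING (SIZE(16|20)): a 16-octet value is an MD5 digest and
a 20-octet value a SHA-1 digest, computed over the configuration file
content and delivered to the MTA before the file itself.  Function and
constant names below are this example's own.
"""
import hashlib
import hmac

# pktcMtaDevProvisioningState values named in the draft
PASS = 1
FAIL_CONFIG_FILE_ERROR = 3

# Digest length (octets) -> algorithm: exactly the two lengths the SYNTAX admits
_ALGORITHM_BY_LENGTH = {16: "md5", 20: "sha1"}


def hash_algorithm(mib_hash: bytes):
    """Algorithm implied by the length of pktcMtaDevProvConfigHash, or None."""
    return _ALGORITHM_BY_LENGTH.get(len(mib_hash))


def check_config_file(config_file: bytes, mib_hash: bytes):
    """Decide which pktcMtaDevProvisioningState to report after download.

    Returns (state, reason).  A hash of unexpected length is treated as a
    configuration-file error rather than skipped, so a malformed value set
    by the manager cannot silently disable the integrity check.
    """
    algo = hash_algorithm(mib_hash)
    if algo is None:
        return FAIL_CONFIG_FILE_ERROR, (
            f"hash length {len(mib_hash)} is neither 16 (MD5) nor 20 (SHA-1)")
    digest = hashlib.new(algo, config_file).digest()
    # Constant-time comparison: the MTA should not reveal how many leading
    # octets of a supplied digest happened to be right.
    if not hmac.compare_digest(digest, mib_hash):
        return FAIL_CONFIG_FILE_ERROR, (
            f"{algo} digest does not match pktcMtaDevProvConfigHash")
    return PASS, f"{algo} digest matches pktcMtaDevProvConfigHash"


# Constructed sample input: a three-byte "configuration file" and its digests
SAMPLE_CONFIG = b"abc"
SAMPLE_MD5 = bytes.fromhex("900150983cd24fb0d6963f7d28e17f72")
SAMPLE_SHA1 = bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d")

if __name__ == "__main__":
    for label, h in (("md5", SAMPLE_MD5), ("sha1", SAMPLE_SHA1),
                     ("bad-length", b"\x00" * 17)):
        print(label, check_config_file(SAMPLE_CONFIG, h))
    print("tampered", check_config_file(SAMPLE_CONFIG + b"\n", SAMPLE_SHA1))
```

   Two points a deployer should keep in mind: the hash reaches the MTA
   over the SNMPv3 session, so its protection is only as strong as that
   security association, and of the two digests the object admits only
   SHA-1 (160 bits) still offers collision resistance, since MD5 does
   not.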
Realm Table to CMS Table Relationship

   The Realm Table contains the parameters defining the process of the
   AS-exchange between the MTA and the KDC when the MTA is going to be
   authenticated to either of the Servers - CMS or Provisioning. The
   Realm Table is indexed by the Realm Name.

   The CMS Table contains the parameters defining the process of the
   AP-exchange between the MTA and the CMS when the MTA is exchanging
   the keys for the SA with the CMS. The CMS Table is indexed by the
   CMS FQDN. The CMS Table also contains the Realm Name corresponding
   to each CMS FQDN (each row). This allows for multiple realms, each
   with its own Security Association.

SA Related Scalar MIB Objects in MTA MIB

   The MTA MIB also contains a group of scalar MIB Objects which define
   the parameters for the AP-exchange process between the MTA and the
   Provisioning Server. These objects are:

   -  pktcMtaDevProvUnsolicitedKeyMaxTimeout
   -  pktcMtaDevProvUnsolicitedKeyNomTimeout
   -  pktcMtaDevProvUnsolicitedKeyMaxRetries
   -  pktcMtaDevProvSolicitedKeyTimeout

5. Definitions

   PKTC-MTA-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       OBJECT-TYPE,
       Integer32,
       Counter32,
       NOTIFICATION-TYPE,
       mib-2
           FROM SNMPv2-SMI
       TruthValue,
       RowStatus,
       TEXTUAL-CONVENTION
           FROM SNMPv2-TC
       OBJECT-GROUP,
       MODULE-COMPLIANCE,
       NOTIFICATION-GROUP
           FROM SNMPv2-CONF
       InetAddressType,
       InetAddress
           FROM INET-ADDRESS-MIB
       sysDescr
           FROM SNMPv2-MIB
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB
       docsDevSwCurrentVers
           FROM DOCS-CABLE-DEVICE-MIB;

   -- version 8

   pktcMtaMib MODULE-IDENTITY
       LAST-UPDATED "200210250000Z" -- October 25, 2002
       ORGANIZATION "PacketCable OSS Group"
       CONTACT-INFO
           "Matt Osman
            Postal: Cable Television Laboratories, Inc.
                    400 Centennial Parkway
                    Louisville, Colorado 80027-1266
                    U.S.A.
            Phone:  +1 303-661-9100
            Fax:    +1 303-661-9199
            E-mail: m.osman@cablelabs.com

            Eugene Nechamkin
            Postal: Broadcom Corporation,
                    200-13711 International Place,
                    Richmond, BC, V6V 2Z8
                    Canada
            Phone:  +1 604 233 8500
            Fax:    +1 604 233 8501
            E-mail: enechamkin@broadcom.com

            IETF IPCDN Working Group
            General Discussion: ipcdn@ietf.org
            Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn
            Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn
            Co-chairs: Richard Woundy, rwoundy@cisco.com
                       Jean-Francois Mule, jf.mule@cablelabs.com"
       DESCRIPTION
           "This is the MIB module for PacketCable 1.x compliant
            Multimedia Terminal Adapter Devices in Telephony-Over-Cable
            Systems"
       REVISION "200210250000Z"
       DESCRIPTION
           "Initial Introduction of the draft of the document."
       ::= { mib-2 99991 } -- to be assigned by IANA

   -- Textual Conventions

   X509Certificate ::= TEXTUAL-CONVENTION
       STATUS      current
       DESCRIPTION
           "An X509 digital certificate encoded as an ASN.1 DER object."
       SYNTAX      OCTET STRING (SIZE (0..4096))

   -- ================================================================
   --
   -- The MTA MIB only supports a single provisioning server.
   --
   -- ================================================================

   pktcMtaMibObjects   OBJECT IDENTIFIER ::= { pktcMtaMib 1 }

   pktcMtaDevBase      OBJECT IDENTIFIER ::= { pktcMtaMibObjects 1 }
   pktcMtaDevServer    OBJECT IDENTIFIER ::= { pktcMtaMibObjects 2 }
   pktcMtaDevSecurity  OBJECT IDENTIFIER ::= { pktcMtaMibObjects 3 }

   --
   -- The following group describes the base objects in the MTA
   --

   pktcMtaDevResetNow OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Setting this object to true(1) causes the device to reset.
            Reading this object always returns false(2).
            When pktcMtaDevResetNow is set to true, the following
            actions occur:
              1. All connections (if present) are flushed locally.
              2. All current actions such as ringing immediately
                 terminate.
              3. Requests for notifications such as notification based
                 on digit map recognition are flushed.
              4. All endpoints are disabled.
              5. The provisioning flow is started at step MTA-1."
       ::= { pktcMtaDevBase 1 }

   pktcMtaDevSerialNumber OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE (1..128))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The manufacturer's serial number for this MTA."
       ::= { pktcMtaDevBase 2 }

   pktcMtaDevMacAddress OBJECT-TYPE
       SYNTAX      OCTET STRING
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The telephony MAC address for this device."
       ::= { pktcMtaDevBase 3 }

   pktcMtaDevFQDN OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The Fully Qualified Domain Name for this MTA."
       ::= { pktcMtaDevBase 4 }

   pktcMtaDevEndPntCount OBJECT-TYPE
       SYNTAX      Integer32 (1..255)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of physical end points for this MTA."
       ::= { pktcMtaDevBase 5 }

   pktcMtaDevEnabled OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The MTA Admin Status of this device, where true(1) means
            the voice feature is enabled and false(2) indicates that it
            is disabled."
       ::= { pktcMtaDevBase 6 }

   pktcMtaDevTypeIdentifier OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This is a copy of the device type identifier used in the
            DHCP option 60 exchanged between the MTA and the DHCP
            server."
       ::= { pktcMtaDevBase 7 }

   pktcMtaDevProvisioningState OBJECT-TYPE
       SYNTAX      INTEGER {
                       pass(1),
                       inProgress(2),
                       failConfigFileError(3),
                       passWithWarning(4),
                       passWithIncompleteParsing(5),
                       failureInternalError(6),
                       failOtherReason(7)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This parameter indicates the completion state of the MTA
            Device provisioning process.
            This parameter is sent as part of the final INFORM (step 25
            of the MTA provisioning process); refer to the MTA Device
            provisioning spec for an explanation of how an MTA chooses a
            particular state to report."
       ::= { pktcMtaDevBase 8 }

   pktcMtaDevHttpAccess OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This indicates whether HTTP file access is supported for
            MTA configuration file transfer."
       ::= { pktcMtaDevBase 9 }

   pktcMtaDevProvisioningTimer OBJECT-TYPE
       SYNTAX      Integer32 (0..30)
       UNITS       "minutes"
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object enables setting the duration of the
            provisioning timeout timer. The timer covers the
            provisioning sequence from step MTA-1 to step MTA-23. The
            value is in minutes and setting the timer to 0 disables
            this timer."
       DEFVAL { 10 }
       ::= { pktcMtaDevBase 10 }

   pktcMtaDevProvisioningCounter OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This object is the count of the number of times the
            provisioning cycle has looped through step MTA-1 since the
            last reboot."
       ::= { pktcMtaDevBase 11 }

   pktcMtaDevErrorOidsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF PktcMtaDevErrorOidsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "If pktcMtaDevProvisioningState reported anything other
            than pass(1), then this table is populated with the
            necessary information, each entry pertaining to an
            observation on the configuration file. Even if different
            parameters share the same error (e.g., all Realm Names are
            invalid), all recognized errors must be reported as
            different instances."
       ::= { pktcMtaDevBase 12 }

   pktcMtaDevErrorOidsEntry OBJECT-TYPE
       SYNTAX      PktcMtaDevErrorOidsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This contains the necessary information an MTA must attempt
            to provide in case the configuration file is not parsed
            and/or accepted in its entirety."
       INDEX { pktcMtaDevErrorOidIndex }
       ::= { pktcMtaDevErrorOidsTable 1 }

   PktcMtaDevErrorOidsEntry ::= SEQUENCE {
       pktcMtaDevErrorOidIndex     Integer32,
       pktcMtaDevErrorOid          SnmpAdminString,
       pktcMtaDevErrorValueGiven   SnmpAdminString,
       pktcMtaDevErrorReason       SnmpAdminString
   }

   pktcMtaDevErrorOidIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..1024)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This is the index to pktcMtaDevErrorOidsEntry. This is an
            integer value which starts from the value of 1 and is
            incremented for each error encountered in the configuration
            file. These indices need not necessarily reflect the order
            of error occurrences in the configuration file."
       ::= { pktcMtaDevErrorOidsEntry 1 }

   pktcMtaDevErrorOid OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This is the OID associated with the particular error. If
            the error was not due to an identifiable OID, then this can
            be populated with impartial identifiers, in hexadecimal or
            numeric format."
       ::= { pktcMtaDevErrorOidsEntry 2 }

   pktcMtaDevErrorValueGiven OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If the error was due to the value associated with the
            corresponding pktcMtaDevErrorOid, then this contains the
            value of the OID as interpreted by the MTA in the
            configuration file provided. If the error was not due to
            the value of an OID this must be set to an empty string.
            This is provided to eliminate errors due to
            misrepresentation/misinterpretation of data."
       ::= { pktcMtaDevErrorOidsEntry 3 }

   pktcMtaDevErrorReason OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This indicates the reason for the error, as per the MTA's
            interpretation, in human readable form. E.g.: 'VALUE NOT IN
            RANGE', 'VALUE DOES NOT MATCH TYPE', 'UNSUPPORTED VALUE',
            'LAST 4 BITS MUST BE SET TO ZERO', 'OUT OF MEMORY - CANNOT
            STORE', etc.
            This may also contain vendor specific errors for vendor
            specific OIDs and any proprietary error codes/messages which
            can help diagnose errors better, in a manner the vendor
            deems fit."
       ::= { pktcMtaDevErrorOidsEntry 4 }

   --
   -- The following group describes server access and parameters
   -- used for initial provisioning and bootstrapping.
   --

   pktcMtaDevServerDns1 OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The IP address of the primary DNS server to be used by the
            MTA to resolve the FQDNs and IP addresses."
       ::= { pktcMtaDevServer 1 }

   pktcMtaDevServerDns2 OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The IP address of the Secondary DNS server to be used by
            the MTA to resolve the FQDNs and IP addresses. Contains
            0.0.0.0 if there is no Secondary DNS server specified for
            the MTA under consideration."
       ::= { pktcMtaDevServer 2 }

   pktcMtaDevConfigFile OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The URL of the TFTP/HTTP file for downloading provisioning
            and configuration parameters to this device. Returns NULL
            if the server address is unknown. Supports both TFTP and
            HTTP."
       ::= { pktcMtaDevServer 3 }

   pktcMtaDevSnmpEntity OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The FQDN of the SNMPv3 entity of the Provisioning Server
            with which the MTA has to communicate in order to receive
            the access method, location and the name of the
            Configuration file during MTA provisioning. This is also
            the entity which caters to the End-point provisioning needs
            of the MTA and is the destination for all provisioning
            informs. It may also be used for post-provisioning SNMP
            operations."
       ::= { pktcMtaDevServer 4 }

   pktcMtaDevProvConfigHash OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(16|20))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Hash of the contents of the config file, calculated and
            sent to the MTA prior to sending the config file. If the
            authentication algorithm is MD5, the length is 128 bits. If
            the authentication algorithm is SHA-1, the length is 160
            bits."
       ::= { pktcMtaDevServer 5 }

   pktcMtaDevProvConfigKey OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0|8))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Key used to encrypt/decrypt the config file, sent to the
            MTA prior to sending the config file. If the privacy
            algorithm is null, the length is 0. If the privacy
            algorithm is DES, the length is 64 bits."
       ::= { pktcMtaDevServer 6 }

   pktcMtaDevProvSolicitedKeyTimeout OBJECT-TYPE
       SYNTAX      Integer32 (15..600)
       UNITS       "seconds"
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This timeout applies only when the Provisioning Server
            initiated key management (with a Wake Up message) for
            SNMPv3. It is the period during which the MTA will save a
            nonce (inside the sequence number field) from the sent out
            AP Request and wait for the matching AP Reply from the
            Provisioning Server."
       DEFVAL { 120 }
       ::= { pktcMtaDevServer 7 }

   -- =================================================================
   --
   -- Unsolicited Key Updates are based on an exponential backoff
   -- mechanism with two timers for AS replies. The fast timer has
   -- a maximum timer
   -- (pktcMtaDevProvUnsolicitedKeyMaxTimeout seconds) and a
   -- nominal timer (pktcMtaDevProvUnsolicitedKeyNomTimeout
   -- seconds) from which the backoff timer determinations
   -- are made.
   --
   -- =================================================================

   -- =================================================================
   --
   -- Timeouts for unsolicited key management updates are only
   -- pertinent before the first SNMP message is sent between the
   -- MTA and the CMS and before the configuration file is
   -- loaded. No SNMP communications can exist under PacketCable
   -- without the security association existing. The following
   -- objects are provided only for diagnostic purposes and are
   -- only useful if the MTA can be brought up without any
   -- security.
   --
   -- =================================================================

   pktcMtaDevProvUnsolicitedKeyMaxTimeout OBJECT-TYPE
       SYNTAX      Integer32 (15..600)
       UNITS       "seconds"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This timeout applies to the MTA initiated AP-REQ/REP key
            management exchange with the Provisioning Server. The
            maximum timeout is the value which may not be exceeded in
            the exponential backoff algorithm."
       REFERENCE
           "PacketCable Security Specification [18]"
       DEFVAL { 600 }
       ::= { pktcMtaDevServer 8 }

   pktcMtaDevProvUnsolicitedKeyNomTimeout OBJECT-TYPE
       SYNTAX      Integer32 (15..600)
       UNITS       "seconds"
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This timeout applies only when the MTA initiated the
            AP-REQ/REP key management. Typically this is the average
            roundtrip time between the MTA and the Provisioning
            Server."
       REFERENCE
           "PacketCable Security Specification [18]"
       DEFVAL { 30 }
       ::= { pktcMtaDevServer 9 }

   pktcMtaDevProvUnsolicitedKeyMaxRetries OBJECT-TYPE
       SYNTAX      Integer32 (1..32)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "This retry count applies to the MTA initiated AP-REQ/REP
            key management exchange with the Provisioning Server. This
            is the maximum number of retries before the MTA gives up
            attempting to establish an SNMPv3 security association
            with the Provisioning Server."
       REFERENCE
           "PacketCable Security Specification [18]"
       DEFVAL { 8 }
       ::= { pktcMtaDevServer 10 }

   pktcMtaDevProvKerbRealmName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..255))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The name of the associated Provisioning Kerberos Realm
            acquired during MTA4 (DHCP Ack). This is used as an index
            into the pktcMtaDevRealmTable. When used as an index, the
            upper case ASCII representation of the associated Kerberos
            Realm name MUST be used by both the Manager (SNMPv3 Entity)
            and the MTA."
       ::= { pktcMtaDevServer 11 }

   pktcMtaDevProvState OBJECT-TYPE
       SYNTAX      INTEGER {
                       operational (1),
                       disabled (2),
                       other (3),
                       unknown (4),
                       waitingToStart (10),
                       waitingForDhcpOffer (12),
                       waitingForDhcpAckResponse (14),
                       waitingForProvRealmKdcNameResponse (16),
                       waitingForProvRealmKdcAddrResponse (18),
                       waitingForAsReply (20),
                       waitingForTgsReply (22),
                       waitingForApReply (24),
                       waitingForSnmpGetRequest (26),
                       waitingForSnmpSetInfo (28),
                       waitingForTftpAddrResponse (30),
                       waitingForConfigFile (32),
                       waitingForTelRealmKdcNameResponse (34),
                       waitingForTelRealmKdcAddrResponse (36),
                       waitingForPkinitAsReply (38),
                       waitingForCmsKerbTickTgsReply (40),
                       waitingForCmsKerbTickApReply (42)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If operational(1), the device has completed loading and
            processing of initialization parameters.
            If disabled(2), then the device was administratively
            disabled, possibly by being refused network access in the
            configuration file.
            If waitingToStart(10), then the MTA has not received a
            signal to start initialization.
            If waitingForDhcpOffer(12), then a DHCP Discover has been
            transmitted and no offer has yet been received.
            If waitingForDhcpAckResponse(14), then a DHCP Request has
            been transmitted and no response has yet been received.
            If waitingForProvRealmKdcNameResponse(16), then a DNS SRV
            request has been transmitted and no reply has yet been
            received.
If waitingForProvRealmKdcAddrResponse(18) then a DNS request has been transmitted and no reply has yet been received. If waitingForAsReply(20) then an AS request has been and no MSO KDC AS Kerberos ticket reply has yet been received. If waitingForTgsReply(22) then a TGS request has been transmitted and no TGS ticket reply has yet been received. If waitingForApReply(24) then an AP request has been transmitted and no SNMPv3 key info reply has yet been received. If waitingForSnmpGetRequest(26) then an INFORM message has been transmitted and the device is waiting on optional/iterative GET requests. If waitingForSnmpSetInfo(28) then the device is waiting on config file download access information. If waitingForTftpAddrResponse(30) then a DNS request has been transmitted and no reply has yet been received. If waitingForConfigFile(32) then a TFTP request has been transmitted and no reply has yet been received or a download is in progress. If waitingForTelRealmKdcNameResponse(34) then a DNS Srv request has been transmitted and no name reply has yet been received. If waitingForTelRealmKdcAddrResponse(36) then a DNS request has been transmitted and no address reply has yet been received. If waitingForPkinitAsReply(38) then an AS request has been transmitted and no ticket reply has yet been received. Osman/Nechamkin Expires April 25 2002 [Page 15] Internet Draft PacketCable MTA MIB October 25, 2002 If waitingForCmsKerbTickTgsReply(40) then a TGS request has been transmitted and no ticket reply has yet been received. If waitingForCmsKerbTickApReply(42) then a AP request has been transmitted and no Ipsec parameters reply has yet been received." REFERENCE "PacketCable Provisioning Specification PacketCable Security Specification [18]" ::= { pktcMtaDevServer 12 } pktcMtaDevServerDhcp1 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the primary DHCP server which would cater to the MTA during its provisioning. 
         Contains 255.255.255.255 if there was no preference given with
         respect to the DHCP servers for MTA provisioning."
    ::= { pktcMtaDevServer 13 }

pktcMtaDevServerDhcp2 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the secondary DHCP server which could cater to
         the MTA during its provisioning. Contains 0.0.0.0 if there is no
         specific secondary DHCP server to be considered during MTA
         provisioning."
    ::= { pktcMtaDevServer 14 }

pktcMtaDevTimeServer OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This holds the IP address of the Time Server used for time
         synchronization and must be populated in the case of an SMTA.
         Contains 0.0.0.0 if the Time Protocol is not used for time
         synchronization."
    ::= { pktcMtaDevServer 15 }

pktcMtaDevServerDns1AddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the primary DNS server to be
         used by the MTA to resolve FQDNs and IP addresses. An Internet
         address of DNS type must not be used."
    ::= { pktcMtaDevServer 16 }

pktcMtaDevServerDns2AddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the secondary DNS server to be
         used by the MTA to resolve FQDNs and IP addresses. An Internet
         address of DNS type must not be used."
    ::= { pktcMtaDevServer 17 }

pktcMtaDevServerDhcp1AddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the primary DHCP server which
         would cater to the MTA during its provisioning."
    ::= { pktcMtaDevServer 18 }

pktcMtaDevServerDhcp2AddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the secondary DHCP server which
         would cater to the MTA during its provisioning."
    ::= { pktcMtaDevServer 19 }

pktcMtaDevTimeServerAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the Time Server used to obtain
         the time."
    ::= { pktcMtaDevServer 20 }

--
-- The following group describes the security objects in the MTA.
--

pktcMtaDevManufacturerCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "ASN.1 DER encoding of the MTA Manufacturer's X.509 public-key
         certificate, called the MTA Manufacturer Certificate. It is
         issued to each MTA manufacturer and is installed into each MTA
         either in the factory or with a code download. The provisioning
         server cannot update this certificate."
    ::= { pktcMtaDevSecurity 1 }

pktcMtaDevCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "ASN.1 DER encoding of the MTA's X.509 public-key certificate
         issued by the manufacturer and installed into the embedded MTA
         in the factory. This certificate, called the MTA Device
         Certificate, contains the MTA's MAC address. It cannot be
         updated by the provisioning server."
    ::= { pktcMtaDevSecurity 2 }

pktcMtaDevCorrelationId OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Random value generated by the MTA for use in registration
         authorization. It is for use only in the MTA initialization
         messages and for MTA configuration file download."
    ::= { pktcMtaDevSecurity 3 }

pktcMtaDevTelephonyRootCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "ASN.1 DER encoding of the IP Telephony Root X.509 public-key
         certificate stored in the MTA non-volatile memory and updatable
         with a code download. This certificate is used to validate the
         initial AS Reply from the KDC received during the MTA
         initialization."
    ::= { pktcMtaDevSecurity 4 }

-- ===================================================================
--
-- Procedures for setting up security associations:
--
-- A security association may be set up either via
-- configuration or via NCS signaling.
--
-- I. Security association setup via configuration.
--
-- The realm must be configured first. Associated with
-- the realm is a KDC. The realm table
-- (pktcMtaDevRealmTable) indicates information about the
-- realm (e.g., name, organization name) and
-- parameters associated with KDC communications (e.g.,
-- grace periods, AS request/AS reply adaptive backoff
-- parameters).
--
-- Once the realm is established, one or more servers may
-- be defined in the realm. For PacketCable 1.0, these are
-- Call Management Servers (CMSs). Associated with each CMS
-- entry in the pktcMtaDevCmsTable is an explicit reference
-- to a Realm via the realm index
-- (pktcMtaDevCmsKerbRealmName), the FQDN of the CMS, and
-- parameters associated with IPsec key management with the
-- CMS (e.g., clock skew, AP request/AP reply adaptive
-- backoff parameters).
--
-- II. Security association setup via NCS signaling.
--
-- Note: The following process is done automatically by
-- the MTA. The NCS is not involved in creating signaled
-- entries.
--
-- The current CMS signaling association being used by an
-- endpoint is marked as active in the CMS MAP table.
-- If NCS signaling requests a change of signaling association to
-- a different FQDN, the MTA checks the current CMS MAP
-- table entries for the affected endpoint. If the entry
-- exists in the CMS MAP table, the current CMS MAP table
-- entry is marked inactive and the newly chosen CMS MAP
-- table entry is marked active.
--
-- If the entry does not exist in the CMS MAP table, the
-- CMS table is checked to determine whether or not it
-- contains the CMS specified by CMS signaling (possibly
-- a redirection). If the desired CMS entry is defined,
-- then a corresponding entry is created in the CMS MAP
-- table. If the MTA does not have current associations
-- with that CMS, it will now perform key management to
-- establish the required security associations. Once the
-- desired CMS entry is established, the current CMS MAP
-- table entry is marked inactive and the newly created
-- CMS MAP table entry is marked active. Otherwise the
-- current CMS MAP table entry remains active and the
-- newly created CMS MAP table entry is marked inactive.
--
-- If the entry does not exist in the CMS MAP table and
-- the CMS entry does not exist in the CMS table, a new
-- CMS table entry should be created. This CMS entry
-- should use the same realm as used by this endpoint. The
-- default values for the clock skew and AP request/AP
-- reply adaptive backoff parameters should be used. The
-- MTA will now perform key management to establish the
-- required security associations. Once the desired CMS
-- entry is established, the current CMS MAP table entry
-- is marked inactive and the newly created CMS MAP table
-- entry is marked active. Otherwise the current CMS MAP
-- table entry remains active and the newly created CMS
-- MAP table entry is marked inactive.
--
-- III.
-- When the MTA receives wake-up or re-key messages from a
-- CMS, it performs key management based on the
-- corresponding entry in the CMS table. If the matching
-- CMS entry does not exist, it must ignore the wake-up or
-- re-key messages.
--
-- ==================================================================

-- ==================================================================
--
-- pktcMtaDevRealmTable
--
-- The pktcMtaDevRealmTable shows the KDC realms. The table is
-- indexed with pktcMtaDevRealmName. The Realm Table is used in
-- conjunction with any server which needs a security
-- association with an MTA. The server table (today the CMS)
-- has a security association. Each server-MTA security
-- association is associated with a single Realm. This allows
-- for multiple realms, each with its own security
-- association.
--
-- ==================================================================

pktcMtaDevRealmTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevRealmEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains per Kerberos realm security parameters."
    ::= { pktcMtaDevSecurity 5 }

pktcMtaDevRealmEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevRealmEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "List of security parameters for a single Kerberos realm."
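Sections I to III of the procedure comment block above describe a small state machine that the MTA runs on its own tables: a CMS MAP row per endpoint, a CMS table row per FQDN, key management only when no association exists, and Wake-Up/Rekey honoured only for a CMS already in the table. The following is an added example and not code from the draft or from PacketCable; it models those rules in Python. The CMS MAP row layout, the MtaSecurityState container and the key_mgmt callable are assumptions made for the illustration (the MIB does not define them), and the default parameters for a newly created CMS row are the DEFVALs from pktcMtaDevCmsTable.

```python
"""Added example, not text from the draft: the MTA-side bookkeeping for
sections I-III of the 'Procedures for setting up security associations'
comment block, modelled in plain Python.

Assumptions (illustrative, not defined by the MIB): the 'CMS MAP table' is
a list of (endpoint, cms_fqdn, active) rows; key management is a
caller-supplied callable returning True when the AP Request/AP Reply
exchange established the IPsec security associations. Table keys are
upper-cased because pktcMtaDevCmsFqdn and pktcMtaDevRealmName MUST be
upper-case ASCII when used as indices.
"""
from dataclasses import dataclass, field

# DEFVALs copied from pktcMtaDevCmsTable in the draft.
CMS_DEFVALS = dict(max_clock_skew=300, solicited_key_timeout_ms=1000,
                   unsolicited_key_max_timeout_s=8,
                   unsolicited_key_nom_timeout_ms=500,
                   unsolicited_key_max_retries=5, ipsec_ctrl=True)


@dataclass
class CmsEntry:                     # one pktcMtaDevCmsEntry row
    realm: str                      # pktcMtaDevCmsKerbRealmName
    params: dict = field(default_factory=lambda: dict(CMS_DEFVALS))
    sa_established: bool = False    # IPsec SAs with this CMS exist


@dataclass
class MapRow:                       # one CMS MAP table row (assumed layout)
    endpoint: int
    cms: str
    active: bool


@dataclass
class MtaSecurityState:
    realms: dict      # pktcMtaDevRealmTable, keyed by upper-case realm
    cms: dict         # pktcMtaDevCmsTable, keyed by upper-case FQDN
    cms_map: list     # CMS MAP table

    def active_row(self, endpoint):
        return next((r for r in self.cms_map
                     if r.endpoint == endpoint and r.active), None)

    def find_row(self, endpoint, fqdn):
        return next((r for r in self.cms_map
                     if r.endpoint == endpoint and r.cms == fqdn), None)


def signal_cms_change(state, endpoint, new_fqdn, key_mgmt):
    """Section II: NCS signaling moves `endpoint` to `new_fqdn`.

    Returns the FQDN that is active for the endpoint afterwards.
    """
    new_fqdn = new_fqdn.upper()
    current = state.active_row(endpoint)
    existing = state.find_row(endpoint, new_fqdn)

    # Case 1: a CMS MAP row already exists, so only the active marker moves.
    if existing is not None:
        if current is not None:
            current.active = False
        existing.active = True
        return existing.cms

    # Cases 2 and 3: no CMS MAP row. A CMS table row is created if missing,
    # using the endpoint's current realm and the default parameters.
    if new_fqdn not in state.cms:
        if current is None:
            raise ValueError("endpoint has no active CMS, realm unknown")
        state.cms[new_fqdn] = CmsEntry(realm=state.cms[current.cms].realm)

    new_row = MapRow(endpoint, new_fqdn, active=False)
    state.cms_map.append(new_row)

    entry = state.cms[new_fqdn]
    if not entry.sa_established:            # run key management if needed
        entry.sa_established = bool(key_mgmt(new_fqdn))

    if entry.sa_established:
        if current is not None:
            current.active = False
        new_row.active = True
        return new_fqdn
    # Key management failed: the old association stays active.
    return current.cms if current is not None else None


def handle_rekey(state, fqdn, key_mgmt):
    """Section III: Wake-Up / Rekey is honoured only for a CMS that already
    has a pktcMtaDevCmsTable row; anything else is ignored (returns False)."""
    entry = state.cms.get(fqdn.upper())
    if entry is None:
        return False
    entry.sa_established = bool(key_mgmt(fqdn.upper()))
    return True


def demo():
    """Constructed scenario: one configured realm and CMS, then a signaled
    redirection to a CMS the MTA has never seen, then a Wake-Up from an
    unknown host."""
    state = MtaSecurityState(
        realms={"EXAMPLE.NET": {}},
        cms={"CMS1.EXAMPLE.NET": CmsEntry("EXAMPLE.NET", sa_established=True)},
        cms_map=[MapRow(1, "CMS1.EXAMPLE.NET", True)])
    active = signal_cms_change(state, 1, "cms2.example.net", lambda f: True)
    ignored = handle_rekey(state, "unknown.example.net", lambda f: True)
    return state, active, ignored
```

The security-relevant branch is the last one in signal_cms_change: when key management with the signaled CMS fails, the endpoint keeps its existing association rather than being left without one, and a Wake-Up or Rekey from a host that has no CMS table row never triggers key management at all.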
    INDEX { IMPLIED pktcMtaDevRealmName }
    ::= { pktcMtaDevRealmTable 1 }

PktcMtaDevRealmEntry ::= SEQUENCE {
    pktcMtaDevRealmName                     SnmpAdminString,
    pktcMtaDevRealmPkinitGracePeriod        Integer32,
    pktcMtaDevRealmTgsGracePeriod           Integer32,
    pktcMtaDevRealmOrgName                  OCTET STRING,
    pktcMtaDevRealmUnsolicitedKeyMaxTimeout Integer32,
    pktcMtaDevRealmUnsolicitedKeyNomTimeout Integer32,
    pktcMtaDevRealmUnsolicitedKeyMaxRetries Integer32,
    pktcMtaDevRealmStatus                   RowStatus
}

pktcMtaDevRealmName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The corresponding Kerberos Realm name. This is used as an index
         into pktcMtaDevRealmTable. When used as an index, the upper case
         ASCII representation of the Realm Name MUST be used by both the
         Manager (SNMPv3 Entity) and the MTA."
    ::= { pktcMtaDevRealmEntry 1 }

pktcMtaDevRealmPkinitGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "For the purposes of key management with an Application Server
         (CMS or Provisioning Server), the MTA MUST obtain a new Kerberos
         ticket (with a PKINIT exchange) this many minutes before the old
         ticket expires. The minimum allowable value is 15 minutes. The
         default is 30 minutes. This parameter MAY also be used with
         other Kerberized applications."
    DEFVAL { 30 }
    ::= { pktcMtaDevRealmEntry 2 }

pktcMtaDevRealmTgsGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (1..600)
    UNITS       "minutes"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "When the MTA implementation uses TGS Request/TGS Reply Kerberos
         messages for the purpose of key management with an Application
         Server (CMS or Provisioning Server), the MTA MUST obtain a new
         service ticket for the Application Server (with a TGS Request)
         this many minutes before the old ticket expires. The minimum
         allowable value is 1 minute. The default is 10 minutes.
         This parameter MAY also be used with other Kerberized
         applications."
    DEFVAL { 10 }
    ::= { pktcMtaDevRealmEntry 3 }

pktcMtaDevRealmOrgName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (1..64))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value of the X.500 organization name attribute in the
         subject name of the Service Provider certificate."
    ::= { pktcMtaDevRealmEntry 4 }

-- ==================================================================
--
-- Unsolicited Key Updates are based on an exponential backoff
-- mechanism with two timers for AS replies. The backoff
-- timer has a maximum value of
-- pktcMtaDevRealmUnsolicitedKeyMaxTimeout seconds, and the
-- nominal timer has a value of
-- pktcMtaDevRealmUnsolicitedKeyNomTimeout milliseconds from which
-- the backoff timer determinations are made. After
-- pktcMtaDevRealmUnsolicitedKeyMaxRetries retries have occurred
-- no more attempts are made.
--
-- ===================================================================

pktcMtaDevRealmUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Integer32 (1..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiates key
         management. The maximum timeout is the value which may not be
         exceeded in the exponential backoff algorithm."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 30 }
    ::= { pktcMtaDevRealmEntry 5 }

pktcMtaDevRealmUnsolicitedKeyNomTimeout OBJECT-TYPE
    SYNTAX      Integer32 (100..600000)
    UNITS       "milliseconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiates key
         management. This value should account for the average round-trip
         time between the MTA and the KDC as well as for the processing
         delay on the KDC."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 10000 }
    ::= { pktcMtaDevRealmEntry 6 }

pktcMtaDevRealmUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Integer32 (0..1024)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the maximum number of retries before the MTA gives up
         attempting to establish a security association."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 5 }
    ::= { pktcMtaDevRealmEntry 7 }

pktcMtaDevRealmStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains the Row Status associated with the
         pktcMtaDevRealmTable."
    ::= { pktcMtaDevRealmEntry 8 }

-- ==================================================================
--
-- pktcMtaDevCmsTable
--
-- The pktcMtaDevCmsTable shows the IPsec key management policy
-- relating to a particular CMS. The table is indexed with
-- pktcMtaDevCmsFqdn.
--
-- ===================================================================

pktcMtaDevCmsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevCmsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains per CMS key management policy."
    ::= { pktcMtaDevSecurity 6 }

pktcMtaDevCmsEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevCmsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "List of key management parameters for a single MTA-CMS
         interface."
    INDEX { IMPLIED pktcMtaDevCmsFqdn }
    ::= { pktcMtaDevCmsTable 1 }

PktcMtaDevCmsEntry ::= SEQUENCE {
    pktcMtaDevCmsFqdn                     SnmpAdminString,
    pktcMtaDevCmsKerbRealmName            SnmpAdminString,
    pktcMtaDevCmsSolicitedKeyTimeout      Integer32,
    pktcMtaDevCmsMaxClockSkew             Integer32,
    pktcMtaDevCmsUnsolicitedKeyMaxTimeout Integer32,
    pktcMtaDevCmsUnsolicitedKeyNomTimeout Integer32,
    pktcMtaDevCmsUnsolicitedKeyMaxRetries Integer32,
    pktcMtaDevCmsStatus                   RowStatus,
    pktcMtaDevCmsIpsecCtrl                TruthValue
}

pktcMtaDevCmsFqdn OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The fully qualified domain name of the CMS. This is the index
         into the pktcMtaDevCmsTable. When used as an index, the upper
         case ASCII representation of the associated CMS FQDN MUST be
         used by both the Manager (SNMPv3 Entity) and the MTA."
    ::= { pktcMtaDevCmsEntry 1 }

pktcMtaDevCmsKerbRealmName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The Kerberos Realm Name of the associated CMS. This is the index
         into the pktcMtaDevRealmTable. When used as an index, the upper
         case ASCII representation of the associated Kerberos Realm Name
         MUST be used by both the Manager (SNMPv3 Entity) and the MTA."
    ::= { pktcMtaDevCmsEntry 2 }

pktcMtaDevCmsMaxClockSkew OBJECT-TYPE
    SYNTAX      Integer32 (1..1800)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the maximum allowable clock skew between the MTA and
         the CMS."
    DEFVAL { 300 }
    ::= { pktcMtaDevCmsEntry 3 }

pktcMtaDevCmsSolicitedKeyTimeout OBJECT-TYPE
    SYNTAX      Integer32 (100..30000)
    UNITS       "milliseconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the CMS initiates key management
         (with a Wake Up or Rekey message).
         It is the period during which the MTA will save a nonce (inside
         the sequence number field) from the sent AP Request and wait for
         the matching AP Reply from the CMS."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 1000 }
    ::= { pktcMtaDevCmsEntry 4 }

-- ===================================================================
--
-- Unsolicited Key Updates are based on an exponential backoff
-- mechanism with two timers for AP replies. The backoff timer
-- has a maximum value of pktcMtaDevCmsUnsolicitedKeyMaxTimeout
-- seconds, and the nominal timer has a value of
-- pktcMtaDevCmsUnsolicitedKeyNomTimeout milliseconds from which the
-- backoff timer determinations are made. After
-- pktcMtaDevCmsUnsolicitedKeyMaxRetries retries have occurred no more
-- attempts are made.
--
-- ==================================================================

pktcMtaDevCmsUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Integer32 (1..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiates key
         management. The maximum timeout is the value which may not be
         exceeded in the exponential backoff algorithm."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 8 }
    ::= { pktcMtaDevCmsEntry 5 }

pktcMtaDevCmsUnsolicitedKeyNomTimeout OBJECT-TYPE
    SYNTAX      Integer32 (100..30000)
    UNITS       "milliseconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiates key
         management. Typically this is the average round-trip time
         between the MTA and the CMS."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 500 }
    ::= { pktcMtaDevCmsEntry 6 }

pktcMtaDevCmsUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Integer32 (0..1024)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the maximum number of retries before the MTA gives up
         attempting to establish a security association."
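The two backoff comment blocks, the one for AS replies in the realm table and the one for AP replies in the CMS table, describe the same mechanism with different SYNTAX ranges and DEFVALs. The following is an added example, not code from the draft or from PacketCable, that turns those three parameters into a concrete retry schedule and range-checks SET values the way an agent would. The doubling rule it uses is an assumption: the draft names only the nominal timer, the maximum timer and the retry limit, and does not spell out how the backoff grows between them.

```python
"""Added example, not text from the draft: the retry schedule that
pktcMtaDevRealmUnsolicitedKey* (AS Request/AS Reply towards the KDC) and
pktcMtaDevCmsUnsolicitedKey* (AP Request/AP Reply towards a CMS) bound.

The draft states only that the backoff is exponential, capped by the
maximum timeout and abandoned after MaxRetries. The concrete rule used
here (wait the nominal timeout, double on every retry, never exceed the
maximum) is an assumption for illustration, not text from the MIB or
from the Security Specification it references.
"""

# SYNTAX ranges and DEFVALs as written in the two tables of the draft.
REALM_RANGES = {"max_timeout_s": (1, 600), "nom_timeout_ms": (100, 600000),
                "max_retries": (0, 1024)}
CMS_RANGES = {"max_timeout_s": (1, 600), "nom_timeout_ms": (100, 30000),
              "max_retries": (0, 1024)}
REALM_DEFVALS = {"max_timeout_s": 30, "nom_timeout_ms": 10000, "max_retries": 5}
CMS_DEFVALS = {"max_timeout_s": 8, "nom_timeout_ms": 500, "max_retries": 5}


def validate(params, ranges):
    """Reject values an agent would refuse (outside the SYNTAX range)."""
    for name, (lo, hi) in ranges.items():
        if not lo <= params[name] <= hi:
            raise ValueError(f"{name}={params[name]} outside {lo}..{hi}")
    return params


def backoff_schedule_ms(params):
    """Milliseconds the MTA waits before each retry, one entry per retry.

    The initial request is not a retry, so max_retries == 0 means one
    attempt and then give up. A nominal timeout larger than the maximum
    is clamped, so every retry then waits the full maximum.
    """
    cap_ms = params["max_timeout_s"] * 1000
    wait = min(params["nom_timeout_ms"], cap_ms)
    schedule = []
    for _ in range(params["max_retries"]):
        schedule.append(wait)
        wait = min(wait * 2, cap_ms)       # assumed doubling rule
    return schedule


def worst_case_seconds(params):
    """Upper bound on the time an MTA spends on an unresponsive KDC or CMS
    before it stops trying to establish the security association."""
    return sum(backoff_schedule_ms(params)) / 1000.0
```

With the DEFVALs, a realm (KDC) attempt gives up after 10 + 20 + 30 + 30 + 30 seconds of waiting and a CMS attempt after 0.5 + 1 + 2 + 4 + 8 seconds; note that the realm nominal timeout may legally be set to 600000 ms, ten times the default maximum of 30 seconds, in which case every retry simply waits the maximum.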
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 5 }
    ::= { pktcMtaDevCmsEntry 7 }

pktcMtaDevCmsStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains the Row Status associated with the
         pktcMtaDevCmsTable."
    ::= { pktcMtaDevCmsEntry 8 }

pktcMtaDevCmsIpsecCtrl OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value 'true(1)' indicates that IPsec and IPsec key
         management MUST be used to communicate with the CMS. The value
         'false(2)' indicates that IPsec Signaling Security is disabled
         for both IPsec key management and the IPsec protocol (for the
         specific CMS)."
    DEFVAL { true }
    ::= { pktcMtaDevCmsEntry 9 }

--
-- The notification group is for future extension.
--
pktcMtaNotification       OBJECT IDENTIFIER ::= { pktcMtaMib 2 }
pktcMtaNotificationPrefix OBJECT IDENTIFIER ::= { pktcMtaNotification 0 }

pktcMtaConformance        OBJECT IDENTIFIER ::= { pktcMtaMib 3 }
pktcMtaCompliances        OBJECT IDENTIFIER ::= { pktcMtaConformance 1 }
pktcMtaGroups             OBJECT IDENTIFIER ::= { pktcMtaConformance 2 }

--
-- Notification Group
--
pktcMtaDevProvisioningEnrollment NOTIFICATION-TYPE
    OBJECTS { sysDescr,
              docsDevSwCurrentVers,
              pktcMtaDevTypeIdentifier,
              pktcMtaDevMacAddress,
              pktcMtaDevCorrelationId }
    STATUS  current
    DESCRIPTION
        "This inform is issued to initiate the PacketCable provisioning
         process."
    REFERENCE
        "Inform as defined in [20]"
    ::= { pktcMtaNotificationPrefix 1 }

pktcMtaDevProvisioningStatus NOTIFICATION-TYPE
    OBJECTS { pktcMtaDevMacAddress,
              pktcMtaDevCorrelationId,
              pktcMtaDevProvisioningState }
    STATUS  current
    DESCRIPTION
        "This inform is issued to confirm completion of the PacketCable
         provisioning process, and to indicate the completion state."
    REFERENCE
        "Inform as defined in [20]"
    ::= { pktcMtaNotificationPrefix 2 }

-- compliance statements

pktcMtaBasicCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
        "The compliance statement for devices that implement the MTA
         feature."
    MODULE  -- pktcMtaMib

    -- unconditionally mandatory groups
    MANDATORY-GROUPS { pktcMtaGroup }
    ::= { pktcMtaCompliances 1 }

pktcMtaGroup OBJECT-GROUP
    OBJECTS {
        pktcMtaDevResetNow,
        pktcMtaDevSerialNumber,
        pktcMtaDevMacAddress,
        pktcMtaDevFQDN,
        pktcMtaDevEndPntCount,
        pktcMtaDevEnabled,
        pktcMtaDevErrorOid,
        pktcMtaDevErrorValueGiven,
        pktcMtaDevErrorReason,
        pktcMtaDevTypeIdentifier,
        pktcMtaDevProvisioningState,
        pktcMtaDevHttpAccess,
        pktcMtaDevCertificate,
        pktcMtaDevCorrelationId,
        pktcMtaDevManufacturerCertificate,
        pktcMtaDevServerDhcp1,
        pktcMtaDevServerDhcp2,
        pktcMtaDevServerDhcp1AddressType,
        pktcMtaDevServerDhcp2AddressType,
        pktcMtaDevServerDns1,
        pktcMtaDevServerDns2,
        pktcMtaDevServerDns1AddressType,
        pktcMtaDevServerDns2AddressType,
        pktcMtaDevTimeServer,
        pktcMtaDevTimeServerAddressType,
        pktcMtaDevConfigFile,
        pktcMtaDevSnmpEntity,
        pktcMtaDevRealmPkinitGracePeriod,
        pktcMtaDevRealmTgsGracePeriod,
        pktcMtaDevRealmOrgName,
        pktcMtaDevRealmUnsolicitedKeyMaxTimeout,
        pktcMtaDevRealmUnsolicitedKeyNomTimeout,
        pktcMtaDevRealmUnsolicitedKeyMaxRetries,
        pktcMtaDevRealmStatus,
        pktcMtaDevCmsKerbRealmName,
        pktcMtaDevCmsUnsolicitedKeyMaxTimeout,
        pktcMtaDevCmsUnsolicitedKeyNomTimeout,
        pktcMtaDevCmsUnsolicitedKeyMaxRetries,
        pktcMtaDevCmsSolicitedKeyTimeout,
        pktcMtaDevCmsMaxClockSkew,
        pktcMtaDevCmsStatus,
        pktcMtaDevCmsIpsecCtrl,
        pktcMtaDevProvUnsolicitedKeyMaxTimeout,
        pktcMtaDevProvUnsolicitedKeyNomTimeout,
        pktcMtaDevProvUnsolicitedKeyMaxRetries,
        pktcMtaDevProvKerbRealmName,
        pktcMtaDevProvSolicitedKeyTimeout,
        pktcMtaDevProvConfigHash,
        pktcMtaDevProvConfigKey,
        pktcMtaDevProvState,
        pktcMtaDevProvisioningTimer,
        pktcMtaDevProvisioningCounter,
        pktcMtaDevTelephonyRootCertificate
    }
    STATUS  current
    DESCRIPTION
        "Group of objects for the PacketCable MTA MIB."
    ::= { pktcMtaGroups 1 }

pktcMtaNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS { pktcMtaDevProvisioningStatus,
                    pktcMtaDevProvisioningEnrollment }
    STATUS  current
    DESCRIPTION
        "These notifications deal with changes in the status of the MTA
         device."
    ::= { pktcMtaGroups 2 }

END

6. Acknowledgments

This document is a product of the PacketCable 1.0 Provisioning Specification Focus Team. The current editors wish to express gratitude to Angela Lyda, Chris Melle, Sasha Medvinsky, Roy Spitzer, Rick Vetter, Satish Kumar, Sumanth Channabasappa and Jean-Francois Mule.

7. Revision History

The MTA MIB in this document has been developed to accommodate PacketCable 1.0 MTA devices and their system capabilities. This is the initial version of the document.

8. References

[1] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2571, April 1999.

[2] Rose, M. and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990.

[3] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC 1212, March 1991.

[4] Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991.

[5] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Structure of Management Information for Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[6] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[7] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[8] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "A Simple Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.
[9] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996.

[10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996.

[11] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2572, April 1999.

[12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2574, April 1999.

[13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996.

[14] Levi, D., Meyer, P. and B. Stewart, "SNMP Applications", RFC 2573, April 1999.

[15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2575, April 1999.

[16] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction to Version 3 of the Internet-standard Network Management Framework", RFC 2570, April 1999.

[17] PacketCable MTA Device Provisioning Specification, PKT-SP-PROV-I04-021018, issued.

[18] PacketCable Security Specification, PKT-SP-SEC-I06-021018, issued.

[19] "Transmission Systems for Interactive Cable Television Services, Annex B", ITU-T Recommendation J.112, International Telecommunication Union, March 1998.

[20] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, January 1996.

9. Security Considerations

This MIB relates to a system which will provide metropolitan public Internet access. As such, improper manipulation of the objects represented by this MIB may result in denial of service to a large number of end-users.
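Before a manager can check any of the sensitive objects in the realm and CMS tables of section 5, it has to address their rows, and both tables use an IMPLIED SnmpAdminString index (pktcMtaDevRealmName, pktcMtaDevCmsFqdn): the instance identifier is the upper-case ASCII bytes of the name appended to the column OID with no length sub-identifier. The following is an added example, not code from the draft or from PacketCable. It builds and decodes those instance OIDs and runs a small audit over a constructed GETNEXT walk, flagging a CMS row whose pktcMtaDevCmsKerbRealmName names a realm with no pktcMtaDevRealmTable row and a CMS row whose pktcMtaDevCmsIpsecCtrl is false(2). The OID arc PKTC_MTA_DEV_SECURITY is a placeholder because the numeric value of pktcMtaMib is not shown in this part of the draft; the column numbers come from the MIB text.

```python
"""Added example, not text from the draft: instance OIDs for the IMPLIED
SnmpAdminString-indexed realm and CMS tables, and an audit over a walk.

PKTC_MTA_DEV_SECURITY is a hypothetical placeholder; the real arc of
pktcMtaMib is not shown in this part of the draft. The column numbers and
the index rule (upper-case ASCII, IMPLIED so no length sub-identifier)
are taken from the MIB text.
"""

PKTC_MTA_DEV_SECURITY = "1.3.6.1.4.1.99999.1"   # placeholder arc
REALM_ENTRY = PKTC_MTA_DEV_SECURITY + ".5.1"    # pktcMtaDevRealmEntry
CMS_ENTRY = PKTC_MTA_DEV_SECURITY + ".6.1"      # pktcMtaDevCmsEntry
REALM_STATUS_COL = 8          # pktcMtaDevRealmStatus
CMS_REALM_COL = 2             # pktcMtaDevCmsKerbRealmName
CMS_IPSEC_COL = 9             # pktcMtaDevCmsIpsecCtrl


def implied_index(name):
    """Sub-identifiers for an IMPLIED SnmpAdminString index: the upper-case
    ASCII bytes of the name, with no leading length sub-identifier."""
    name = name.upper()
    if not name.isascii() or not 1 <= len(name) <= 255:
        raise ValueError("index must be 1..255 ASCII characters")
    return ".".join(str(b) for b in name.encode("ascii"))


def instance_oid(entry, column, name):
    return f"{entry}.{column}.{implied_index(name)}"


def decode_implied_index(oid, entry, column):
    """Inverse of instance_oid for one column; raises if the OID is not an
    instance of that column."""
    prefix = f"{entry}.{column}."
    if not oid.startswith(prefix):
        raise ValueError("OID is not an instance of the expected column")
    return bytes(int(s) for s in oid[len(prefix):].split(".")).decode("ascii")


def column_instances(walk, entry, column):
    """Yield (index_name, value) for every instance of one column."""
    prefix = f"{entry}.{column}."
    for oid, value in walk.items():
        if oid.startswith(prefix):
            yield decode_implied_index(oid, entry, column), value


def audit_cms_table(walk):
    """walk: {oid: value} from a GETNEXT walk of the security group.

    Returns sorted (finding, cms_fqdn) pairs for CMS rows that reference a
    realm with no pktcMtaDevRealmTable row (key management cannot succeed)
    and for CMS rows with pktcMtaDevCmsIpsecCtrl = false(2), where the
    draft says IPsec signaling security is disabled for that CMS.
    """
    realms = {name for name, _ in
              column_instances(walk, REALM_ENTRY, REALM_STATUS_COL)}
    findings = []
    for fqdn, realm in column_instances(walk, CMS_ENTRY, CMS_REALM_COL):
        if realm.upper() not in realms:
            findings.append(("realm-not-in-realm-table", fqdn))
    for fqdn, flag in column_instances(walk, CMS_ENTRY, CMS_IPSEC_COL):
        if flag == 2:
            findings.append(("ipsec-disabled", fqdn))
    return sorted(findings)


def sample_walk():
    """Constructed walk, not captured from a device: one realm row and two
    CMS rows; cms2 names an unconfigured realm and has IPsec turned off."""
    return {
        instance_oid(REALM_ENTRY, REALM_STATUS_COL, "example.net"): 1,   # active(1)
        instance_oid(CMS_ENTRY, CMS_REALM_COL, "cms1.example.net"): "EXAMPLE.NET",
        instance_oid(CMS_ENTRY, CMS_IPSEC_COL, "cms1.example.net"): 1,   # true(1)
        instance_oid(CMS_ENTRY, CMS_REALM_COL, "cms2.example.net"): "OTHER.NET",
        instance_oid(CMS_ENTRY, CMS_IPSEC_COL, "cms2.example.net"): 2,   # false(2)
    }
```

The upper-casing in implied_index matters for more than lookups: a manager that SETs a row under a mixed-case index would, on an agent that does not normalize, create a second row the MTA never consults, so the audit compares realm names case-insensitively as well.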
In addition, manipulation of the Realm Table, the CMS Table, and several other vital MIB objects such as (but not limited to) pktcMtaDevConfigFile, pktcMtaDevProvConfigHash and pktcMtaDevProvConfigKey may lead to theft of service or significant disruption of the functionality of the MTA.

There are a number of management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. Support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations.

SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPsec), there is still no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB.

PacketCable 1.0 compliant MTA devices are required to implement secure SNMPv3 access to the MTA MIB. It is highly recommended that other potential implementers consider the security features provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model RFC 2574 [12] and the View-based Access Control Model RFC 2575 [15] is recommended. It is then a customer/user responsibility to ensure that the SNMP entity giving access to an instance of this MIB is properly configured to give access to the objects only to those principals (users) that have legitimate rights to GET or SET (change/create/delete) them.

10. Intellectual Property

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights.
Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

11. Authors' Addresses

Matt Osman
Cable Television Laboratories, Inc.
400 Centennial Parkway
Louisville, Colorado 80027-1266
U.S.A.
Phone: +1 303-661-9100
E-mail: m.osman@cablelabs.com

Eugene Nechamkin
Broadcom Corporation
200 - 13711 International Place
Richmond, BC, V6V 2Z8
CANADA
Phone: +1 604 233 8500
E-mail: enechamkin@broadcom.com

12. Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.