idnits 2.17.1

draft-ietf-ipcdn-cable-device-mib-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing document type: Expected "INTERNET-DRAFT" in the upper left hand
     corner of the first page

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 1) being 59 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References. All references will be assumed normative when checking for
     downward references.

  ** There are 15 instances of too long lines in the document, the longest
     one being 5 characters in excess of 72.

  ** The abstract seems to contain references ([5], [6], [7]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document. If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 211 has weird spacing: '...MTS and vario...'

  == Line 320 has weird spacing: '...ason is a Dis...'

  == Line 713 has weird spacing: '...cribing acces...'

  == Line 940 has weird spacing: '...hese is appli...'

  == Line 1676 has weird spacing: '...ompared to th...'

  == (5 more instances...)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date () is 739377 days in the past. Is this intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 2271 (ref. '1') (Obsoleted by RFC 2571)

  ** Downref: Normative reference to an Informational RFC: RFC 1215 (ref. '4')

  ** Obsolete normative reference: RFC 1902 (ref. '5') (Obsoleted by RFC 2578)

  ** Obsolete normative reference: RFC 1903 (ref. '6') (Obsoleted by RFC 2579)

  ** Obsolete normative reference: RFC 1904 (ref. '7') (Obsoleted by RFC 2580)

  ** Downref: Normative reference to an Historic RFC: RFC 1157 (ref. '8')

  ** Downref: Normative reference to an Historic RFC: RFC 1901 (ref.
     '9')

  ** Obsolete normative reference: RFC 1906 (ref. '10') (Obsoleted by RFC 3417)

  ** Obsolete normative reference: RFC 2272 (ref. '11') (Obsoleted by RFC 2572)

  ** Obsolete normative reference: RFC 2274 (ref. '12') (Obsoleted by RFC 2574)

  ** Obsolete normative reference: RFC 1905 (ref. '13') (Obsoleted by RFC 3416)

  ** Obsolete normative reference: RFC 2273 (ref. '14') (Obsoleted by RFC 2573)

  ** Obsolete normative reference: RFC 2275 (ref. '15') (Obsoleted by RFC 2575)

  -- Possible downref: Non-RFC (?) normative reference: ref. '16'

  ** Downref: Normative reference to an Experimental RFC: RFC 1224 (ref. '17')

  -- Possible downref: Non-RFC (?) normative reference: ref. '18'

  -- Possible downref: Non-RFC (?) normative reference: ref. '20'

  Summary: 23 errors (**), 0 flaws (~~), 9 warnings (==), 6 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

              Cable Device Management Information Base
               for DOCSIS compliant Cable Modems and
                  Cable Modem Termination Systems
              draft-ietf-ipcdn-cable-device-mib-08.txt

                    Tue Mar 30 16:39:44 PST 1999

                      Michael StJohns (editor)
                           @Home Network
                       stjohns@corp.home.net

Status of this Memo

This document is an Internet-Draft and is in full conformance with all
the provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas, and
its Working Groups. Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as a "work in progress".

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright (c) The Internet Society 1998. All Rights Reserved.

Abstract

This memo defines a portion of the Management Information Base (MIB) for
use with network management protocols in the Internet community. In
particular, it defines a basic set of managed objects for SNMP-based
management of DOCSIS 1.0 compliant Cable Modems and Cable Modem
Termination Systems.

This memo specifies a MIB module in a manner that is compliant to the
SNMP SMIv2[5][6][7]. The set of objects is consistent with the SNMP
framework and existing SNMP standards.

This memo is a product of the IPCDN working group within the Internet
Engineering Task Force. Comments are solicited and should be addressed
to the working group's mailing list at ipcdn@terayon.com and/or the
author.

Table of Contents

1 The SNMP Management Framework
2 Glossary
2.1 CATV
2.2 CM
2.3 CMTS
2.4 DOCSIS
2.5 Downstream
2.6 Head-end
2.7 MAC Packet
2.8 MCNS
2.9 RF
2.10 Upstream
3 Overview
3.1 Structure of the MIB
3.2 Management requirements
3.2.1 Handling of Software upgrades
3.2.2 Events and Traps
3.2.3 Trap Throttling
3.2.3.1 Trap rate throttling
3.2.3.2 Limiting the trap rate
3.3 Protocol Filters
3.3.1 Inbound LLC Filters - docsDevFilterLLCTable
3.3.2 Special Filters
3.3.2.1 IP Spoofing Filters - docsDevCpeTable
3.3.2.2 SNMP Access Filters - docsDevNmAccessTable
3.3.3 IP Filtering - docsDevFilterIpTable
3.3.4 Outbound LLC Filters
4 Definitions
5 Acknowledgments
6 References
7 Security Considerations
8 Intellectual Property
9 Copyright Section
10 Author's Address

1. The SNMP Management Framework

The SNMP Management Framework presently consists of five major
components:

o  An overall architecture, described in RFC 2271 [1].

o  Mechanisms for describing and naming objects and events for the
   purpose of management. The first version of this Structure of
   Management Information (SMI) is called SMIv1 and described in
   RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4].
   The second version, called SMIv2, is described in RFC 1902 [5],
   RFC 1903 [6] and RFC 1904 [7].

o  Message protocols for transferring management information. The
   first version of the SNMP message protocol is called SNMPv1 and
   described in RFC 1157 [8]. A second version of the SNMP message
   protocol, which is not an Internet standards track protocol, is
   called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
   The third version of the message protocol is called SNMPv3 and
   described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].

o  Protocol operations for accessing management information. The
   first set of protocol operations and associated PDU formats is
   described in RFC 1157 [8]. A second set of protocol operations
   and associated PDU formats is described in RFC 1905 [13].

o  A set of fundamental applications described in RFC 2273 [14] and
   the view-based access control mechanism described in RFC 2275
   [15].

Managed objects are accessed via a virtual information store, termed the
Management Information Base or MIB. Objects in the MIB are defined
using the mechanisms defined in the SMI.

This memo specifies a MIB module that is compliant to the SMIv2. A MIB
conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.

2. Glossary

The terms in this document are derived either from normal cable system
usage, or from the documents associated with the Data Over Cable Service
Interface Specification process.

2.1. CATV

Originally "Community Antenna Television", now used to refer to any
cable or hybrid fiber and cable system used to deliver video signals to
a community.

2.2. CM

Cable Modem. A CM acts as a "slave" station in a DOCSIS compliant
cable data system.

2.3. CMTS

Cable Modem Termination System. A generic term covering a cable bridge
or cable router in a head-end. A CMTS acts as the master station in a
DOCSIS compliant cable data system. It is the only station that
transmits downstream, and it controls the scheduling of upstream
transmissions by its associated CMs.

2.4. DOCSIS

"Data Over Cable Service Interface Specification". A term referring to
the ITU-T J.112 Annex B standard for cable modem systems. [20]

2.5. Downstream

The direction from the head-end towards the subscriber.

2.6. Head-end

The origination point in most cable systems of the subscriber video
signals. Generally also the location of the CMTS equipment.

2.7. MAC Packet

A DOCSIS PDU.

2.8. MCNS

"Multimedia Cable Network System". Generally replaced in usage by
DOCSIS.

2.9. RF

Radio Frequency.

2.10. Upstream

The direction from the subscriber towards the head-end.

3. Overview

This MIB provides a set of objects required for the management of DOCSIS
compliant Cable Modems (CM) and Cable Modem Termination Systems (CMTS).
The specification is derived from the DOCSIS Radio Frequency Interface
specification [16]. Please note that the DOCSIS 1.0 standard only
requires Cable Modems to implement SNMPv1 and to process IPv4 customer
traffic. Design choices in this MIB reflect those requirements. Future
versions of the DOCSIS standard are expected to require support for
SNMPv3 and IPv6 as well.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [19].

3.1. Structure of the MIB

This MIB is structured into seven groups:

o  The docsDevBase group extends the MIB-II 'system' group with
   objects needed for cable device system management.

o  The docsDevNmAccessGroup provides a minimum level of SNMP access
   security (see Section 3 of [18]).

o  The docsDevSoftware group provides information for
   network-downloadable software upgrades. See "Handling of Software
   Upgrades" below.

o  The docsDevServer group provides information about the progress of
   the interaction between the CM or CMTS and various provisioning
   servers.

o  The docsDevEvent group provides control and logging for event
   reporting.

o  The docsDevFilter group configures filters at link layer and IP
   layer for bridged data traffic. This group consists of a
   link-layer filter table, docsDevFilterLLCTable, which is used to
   manage the processing and forwarding of non-IP traffic; an IP packet
   classifier table, docsDevFilterIpTable, which is used to map
   classes of packets to specific policy actions; a policy table,
   docsDevFilterPolicyTable, which maps zero or more policy actions
   onto a specific packet classification, and one or more policy
   action tables.

   At this time, this MIB specifies only one policy action table,
   docsDevFilterTosTable, which allows the manipulation of the type of
   services bits in an IP packet based on matching some criteria. The
   working group may add additional policy types and action tables in
   the future, for example to allow QOS to modem service identifier
   assignment based on destination.

o  The docsDevCpe group provides control over which IP addresses may
   be used by customer premises equipment (e.g.
   PCs) serviced by a given cable modem. This provides anti-spoofing
   control at the point of origin for a large cable modem system. This
   group is separate from docsDevFilter primarily as this group is only
   implemented on the Cable Modem (CM) and MUST NOT be implemented on
   the Cable Modem Termination System (CMTS).

3.2. Management requirements

3.2.1. Handling of Software upgrades

The Cable Modem software upgrade process is documented in [16]. From a
network management station, the operator:

o  sets docsDevSwServer to the address of the TFTP server for software
   upgrades

o  sets docsDevSwFilename to the file pathname of the software upgrade
   image

o  sets docsDevSwAdminStatus to upgrade-from-mgt

One reason for the SNMP-initiated upgrade is to allow loading of a
temporary software image (e.g., special diagnostic software) that
differs from the software normally used on that device without changing
the provisioning database.

Note that software upgrades should not be accepted blindly by the cable
device. The cable device may refuse an upgrade if:

o  The download is incomplete.

o  The file contents are incomplete or damaged.

o  The software is not intended for that hardware device (may include
   the case of a feature set that has not been purchased for this
   device).

3.2.2. Events and Traps

This MIB provides control facilities for reporting events through
syslog, traps, and non-volatile logging. If events are reported through
traps, the specified conventions must be followed. Other means of event
reporting are outside the scope of this document.

The definition and coding of events is vendor-specific. In deference to
the network operator who must troubleshoot multi-vendor networks, the
circumstances and meaning of each event should be reported as
human-readable text.
Vendors SHOULD provide time-of-day clocks in CMs to provide useful
timestamping of events.

For each vendor-specific event that is reportable via TRAP, the vendor
must create an enterprise-specific trap definition. Trap definitions
MUST include the event reason encoded as DisplayString and should be
defined as:

   trapName NOTIFICATION-TYPE
       OBJECTS {
           ifIndex,
           eventReason,
           other useful objects
       }
       STATUS current
       DESCRIPTION
           "trap description"
       ::= Object Id

Note that ifIndex is only included if the event or trap is interface
related.

An example (fake) vendor defined trap might be:

   xyzVendorModemDropout NOTIFICATION-TYPE
       OBJECTS {
           eventReason,
           xyzModemHighWatermarkCount
       }
       STATUS current
       DESCRIPTION
           "Sent by a CMTS when a configurable number of modems
            (xyzModemHysteresis) de-register or become unreachable during
            the sampling period (5 minutes). Used to warn a management
            station about a catastrophic cable plant outage."
       ::= { xyzTraps 23 }

In this example eventReason is a DisplayString providing a human
readable error message, and xyzModemHighWatermarkCount is a Gauge32
which indicates the maximum number of modems during the epoch.

The last digit of the trap OID for enterprise-specific traps must match
docsDevEvId. For SNMPv1-capable Network Management systems, this is
necessary to correlate the event type to the trap type. Many Network
Management systems are only capable of trap filtering on an enterprise
and single-last-digit basis.

3.2.3. Trap Throttling

The CM and CMTS MUST provide support for trap message throttling as
described below. The network operator can employ message rate
throttling or trap limiting by manipulating the appropriate MIB
variables.

3.2.3.1. Trap rate throttling

Network operators may employ either of two rate control methods.
In the first method, the device ceases to send traps when the rate
exceeds the specified maximum message rate. It resumes sending traps
only if reactivated by a network management station request.

In the second method, the device resumes sending traps when the rate
falls below the specified maximum message rate.

The network operator configures the specified maximum message rate by
setting the measurement interval (in seconds), and the maximum number of
traps to be transmitted within the measurement interval. The operator
can query the operational throttling state (to determine whether traps
are enabled or blocked by throttling) of the device, as well as query
and set the administrative throttling state (to manage the rate control
method) of the device.

3.2.3.2. Limiting the trap rate

Network operators may wish to limit the number of traps sent by a device
over a specified time period. The device ceases to send traps when the
number of traps exceeds the specified threshold. It resumes sending
traps only when the measurement interval has passed.

The network operator defines the maximum number of traps he is willing
to handle and sets the measurement interval to a large number (in
hundredths of a second). For this case, the administrative throttling
state is set to stop at threshold which is the maximum number of traps.

See "Techniques for Managing Asynchronously Generated Alerts" [17] for
further information.

3.3. Protocol Filters

The Cable Device MIB provides objects for both LLC and IP protocol
filters. The LLC protocol filter entries can be used to limit CM
forwarding to a restricted set of network-layer protocols (such as IP,
IPX, NetBIOS, and AppleTalk).
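
The classifier scan that Section 3.3.3 specifies for docsDevFilterIpTable, run over that section's own example rows; this is an added Python example, not part of the draft. The addresses standing in for proxy, cpe1, cpe2 and workIPs are constructed, source ports are not modelled, and the "forward" and "nomatch" result names are this example's convention.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
ALL_PORTS = (0, 65535)
# Constructed stand-ins for the draft's symbolic proxy, cpe1, cpe2, workIPs.
PROXY, CPE1, CPE2 = "192.0.2.10", "198.51.100.11", "198.51.100.12"
WORK_NET = "203.0.113.0/24"


@dataclass(frozen=True)
class IpFilterRow:
    """One docsDevFilterIpTable row, reduced to the columns the example uses."""
    index: int
    src: str             # SrcIP/Mask as CIDR
    dst: str             # DstIP/Mask as CIDR
    proto: str           # "tcp", "udp" or "any"
    dst_ports: tuple     # inclusive (low, high)
    tos: tuple           # (value, mask)
    iface: str           # "cpe" or "any"
    direction: str       # "in", "out" or "any"
    control: str         # "drop", "accept" or "policy"
    policy_id: int = 0   # selector into the policy table
    cont: bool = False   # the continue bit

    def matches(self, pkt):
        """All columns must match, interface and direction included."""
        low, high = self.dst_ports
        value, mask = self.tos
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and low <= pkt["dport"] <= high
                and (pkt["tos"] & mask) == value
                and self.iface in ("any", pkt["iface"])
                and self.direction in ("any", pkt["dir"]))


R = IpFilterRow
FILTERS = [  # the filter rows of the Section 3.3.3 example
    R(10, ANY, ANY, "tcp", (137, 139), (0, 0), "any", "any", "drop"),
    R(20, ANY, PROXY + "/32", "tcp", ALL_PORTS, (0, 0), "cpe", "in", "policy", 10, True),
    R(30, CPE1 + "/32", ANY, "any", ALL_PORTS, (0, 0), "cpe", "in", "policy", 20, True),
    R(40, CPE2 + "/32", WORK_NET, "any", ALL_PORTS, (0, 0), "cpe", "in", "accept"),
    R(45, CPE2 + "/32", ANY, "any", ALL_PORTS, (0, 0), "cpe", "in", "drop"),
    R(50, ANY, ANY, "any", ALL_PORTS, (4, 255), "cpe", "in", "policy", 30),
    R(60, ANY, ANY, "tcp", (1, 1023), (0, 0), "cpe", "out", "drop"),
    R(65, ANY, ANY, "udp", (1, 1023), (0, 0), "cpe", "out", "drop"),
]
POLICIES = [  # (index, policy group, policy) rows of the same example
    (10, 10, "queueEntry.20"),
    (15, 20, "queueEntry.15"),
    (20, 20, "docsDevFilterTosStatus.10"),
    (25, 30, "queueEntry.10"),
]


def packet(src, dst, proto, dport, tos=0, iface="cpe", direction="in"):
    """Build the packet summary that IpFilterRow.matches() inspects."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "tos": tos, "iface": iface, "dir": direction}


def classify(pkt, filters=FILTERS, policies=POLICIES):
    """Return (disposition, policy actions, indexes of the rows that matched)."""
    actions, matched = [], []
    for row in sorted(filters, key=lambda r: r.index):   # lowest index first
        if not row.matches(pkt):
            continue
        matched.append(row.index)
        if row.control == "drop":
            return "drop", [], matched       # no further processing
        if row.control == "policy":
            # Every policy row in the selected group is executed, in row order.
            actions += [act for _, group, act in sorted(policies)
                        if group == row.policy_id]
        if not row.cont:
            break                            # continue bit clear: scan ends
    return ("forward" if matched else "nomatch"), actions, matched


if __name__ == "__main__":
    samples = {
        "cpe1 to proxy, tcp/8080": packet(CPE1, PROXY, "tcp", 8080),
        "cpe2 to proxy, tcp/8080": packet(CPE2, PROXY, "tcp", 8080),
        "cpe2 to work, tcp/22": packet(CPE2, "203.0.113.7", "tcp", 22),
        "cpe1 NetBIOS, tcp/139": packet(CPE1, "203.0.113.7", "tcp", 139),
        "TOS 4 from a third CPE": packet("198.51.100.13", "203.0.113.7", "udp", 5000, tos=4),
    }
    for label, pkt in samples.items():
        print(f"{label:26} -> {classify(pkt)}")
```

The second sample shows why row order matters when the continue bit is set: the packet from cpe2 to the proxy matches row 20 first, but the scan goes on and row 45 drops it.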

The IP protocol filter entries can be used to restrict upstream or
downstream traffic based on source and destination IP addresses,
transport-layer protocols (such as TCP, UDP, and ICMP), and source and
destination TCP/UDP port numbers.

In general, a cable modem applies filters (or more properly,
classifiers) in an order appropriate to the layering model.
Specifically, the inbound MAC (or LLC) layer filters are applied first,
then the "special" filters, then the IP layer inbound filters, then the
IP layer outbound filters, then any final LLC outbound filters. Since
the cable modem does not generally do any IP processing (other than that
specified by the filters) the processing of the IP in filters and IP out
filters can usually be combined into a single step.

                     ***************
                     * LLC Filters *
                     ***************
                      |     |     |
                      v     |     v
           ************     |     ***************
           * IP Spoof *     |     * SNMP Access *
           ************     |     ***************
                      |     |     |
                      v     v     v
                     ****************
                     * IP Filter In *
                     ****************
                            |
                            v
                    *****************
                    * IP Filter Out *
                    *****************
                            |
                            v
                       ***********
                       * LLC Out *
                       ***********

3.3.1. Inbound LLC Filters - docsDevFilterLLCTable

The inbound LLC (or MAC or level-2) filters are contained in the
docsDevFilterLLCTable and are applied to level-2 frames entering the
cable modem from either the RF MAC interface or from one of the CPE
(ethernet or other) interfaces. These filters are used to prohibit the
processing and forwarding of certain types of level-2 traffic that may
be disruptive to the network. The filters, as currently specified, can
be set to cause the modem to either drop frames which match at least one
filter, or to process a frame which matches at least one filter. Some
examples of possible configurations would be to only permit IP (and ARP)
traffic, or to drop NetBEUI traffic.

3.3.2. Special Filters

Special filters are applied after the packet is accepted from the MAC
layer by the IP module, but before any other processing is done. They
are filters that apply only to a very specific class of traffic.

3.3.2.1. IP Spoofing Filters - docsDevCpeTable

IP spoofing filters are applied to packets entering the modem from one
of the CPE interfaces and are intended to prevent a subscriber from
stealing or mis-using IP addresses that were not assigned to the
subscriber. If the filters are active (enabled), the source address of
the IP packet must match at least one IP address in this table or it is
discarded without further processing.

The table can be automatically populated where the first N different IP
addresses seen from the CPE side of the cable modem are used to
automatically populate the table. The spoofing filters are specified in
the docsDevCpeTable and the policy for automatically creating filters in
that table is controlled by docsDevCpeEnroll and docsDevCpeMax as well
as the network management agent.

3.3.2.2. SNMP Access Filters - docsDevNmAccessTable

The SNMP access filters are applied to SNMP packets entering from any
interface and destined for the cable modem. If the packets enter from a
CPE interface, the SNMP filters are applied after the IP spoofing
filters. The filters only apply to SNMPv1 or SNMPv2c traffic, and are
not consulted for SNMPv3 traffic (and need not be implemented by a v3
only agent). SNMPv3 access control is specified in the User Security
Model MIB in [12].

3.3.3. IP Filtering - docsDevFilterIpTable

The IP Filtering table acts as a classifier table. Each row in the
table describes a template against which IP packets are compared. The
template includes source and destination addresses (and their associated
masks), upper level protocol (e.g. TCP, UDP), source and destination
port ranges, TOS and TOS mask.
A row also contains interface and traffic direction match values which
have to be considered in combination. All columns of a particular row
must match the appropriate fields in the packet, and must match the
interface and direction items for the packet to result in a match to the
packet.

When classifying a packet, the table is scanned beginning with the
lowest number filter. If the agent finds a match, it applies the group
of policies specified. If the matched filter has the continue bit set,
the agent continues the scan possibly matching additional filters and
applying additional policies. This allows the agent to take one set of
actions for the 24.0.16/255.255.255.0 group and one set of actions for
telnet packets to/from 24.0.16.30 and these sets of actions may not be
mutually exclusive.

Once a packet is matched, one of three actions happens based on the
setting of docsDevFilterIpControl in the row. The packet may be
dropped, in which case no further processing is required. The packet
may be accepted and processing of the packet continues. Lastly, the
packet may have a set of policy actions applied to it. If
docsDevFilterIpContinue is set to true, scanning of the table continues
and additional matches may result.

When a packet matches, and docsDevFilterIpControl in the filter matched
is set to 'policy', the value of docsDevFilterIpPolicyId is used as a
selector into the docsDevFilterPolicyTable. The first level of
indirection may result in zero or more actions being taken based on the
match. The docsDevFilterPolicyTable is scanned in row order and all
rows where docsDevFilterPolicyId equals docsDevFilterIpPolicyId have the
action specified by docsDevFilterPolicyValue 'executed'. For example, a
value pointing to an entry in the docsDevFilterTosTable may result in
the re-writing of the TOS bits in the IP packet which was matched.
Another possibility may be to assign an output packet to a specific
output upstream queue. An even more complex action might be to re-write
the TOS value, assign the packet to an upstream service ID, and drop it
into a particular IPSEC tunnel.

Example:

docsDevFilterIpTable

   # Index, SrcIP/Mask, DstIP/Mask,ULP, SrcPts,DstPts,Tos/Mask,
   # Int/Dir, Pgroup, [continue]
   # drop any netbios traffic
   10, 0/0, 0/0, TCP, any, 137-139, 0/0, any/any, drop

   # traffic to the proxy gets better service - other matches possible
   20, 0/0, proxy/32, TCP, any,any, 0/0, cpe/in, 10, continue

   # Traffic from CPE 1 gets 'Gold' service, other matches possible
   30, cpe1/32, 0/0, any, any,any, 0/0, cpe/in, 20, continue

   # Traffic from CPE2 to work goes, other traffic dropped
   40, cpe2/32, workIPs/24, any, any,any, 0/0, cpe/in, accept
   45, cpe2/32, 0/0, any, any,any, 0/0, cpe/in, drop

   # Traffic with TOS=4 gets queued on the "silver" queue.
   50, 0/0, 0/0, any, any,any, 4/255, cpe/in, 30

   # Inbound "server" traffic to low numbered ports gets dropped.
   60, 0/0, 0/0, TCP, any,1-1023, 0/0, cpe/out, drop
   65, 0/0, 0/0, UDP, any,1-1023, 0/0, cpe/out, drop

docsDevFilterPolicyTable

   #
   # index, policy group, policy
   10, 10, queueEntry.20 -- special queue for traffic to proxy

   15, 20, queueEntry.15 -- Gold Service queue
   20, 20, docsDevFilterTosStatus.10 -- Mark this packet with TOS 5

   25, 30, queueEntry.10 -- Silver service queue

This table describes some special processing for packets originating
from either the first or second CPE device which results in their
queuing on to special upstream traffic queues and for the "gold" service
results in having the packets marked with a TOS of 5. The 10, 20, 60
and 65 entries are generic entries that would generally be applied to
all traffic to this CM. The 30, 40 and 45 entries are specific to a
particular CPE's service assignments.
The ordering here is a bit contrived, but is close to what may actually
be required by the operator to control various classes of customers.

3.3.4. Outbound LLC Filters

Lastly, any outbound LLC filters are applied to the packet just prior to
it being emitted on the appropriate interface. This MIB does not
specify any outbound LLC filters, but it is anticipated that the QOS
additions to the DOCSIS standard may include some outbound LLC filtering
requirements. If so, those filters would be applied as described here.

4. Definitions

DOCS-CABLE-DEVICE-MIB DEFINITIONS ::= BEGIN

IMPORTS
        MODULE-IDENTITY,
        OBJECT-TYPE,
        -- do not import BITS,
        IpAddress,
        Unsigned32,
        Counter32,
        Integer32,
        experimental,
        zeroDotZero
                FROM SNMPv2-SMI
        RowStatus,
        RowPointer,
        DateAndTime,
        TruthValue
                FROM SNMPv2-TC
        OBJECT-GROUP,
        MODULE-COMPLIANCE
                FROM SNMPv2-CONF
        SnmpAdminString
                FROM SNMP-FRAMEWORK-MIB
        InterfaceIndexOrZero
                FROM IF-MIB; -- RFC2233

docsDev MODULE-IDENTITY
        LAST-UPDATED    "9903301647Z" -- Mar 30, 1999
        ORGANIZATION    "IETF IPCDN Working Group"
        CONTACT-INFO
            "        Michael StJohns
             Postal: @Home Network
                     425 Broadway
                     Redwood City, CA 94063
                     U.S.A.
             Phone:  +1 650 569 5368
             E-mail: stjohns@corp.home.net"
        DESCRIPTION
            "This is the MIB Module for MCNS-compliant cable modems and
             cable-modem termination systems."
        REVISION "9810131935Z"
        DESCRIPTION
            "Modified by Mike StJohns to add/revise filtering, TOS
             support, software version information objects."
        ::= { experimental 83 }
--      ::= { mib-2 xx } -- RFC Editor to assign

docsDevMIBObjects OBJECT IDENTIFIER ::= { docsDev 1 }
docsDevBase OBJECT IDENTIFIER ::= { docsDevMIBObjects 1 }
--
-- For the following object, there is no concept in the
-- RFI specification corresponding to a backup CMTS.
-- The enumeration is provided here in case someone is able
-- to define such a role or device.
--

docsDevRole OBJECT-TYPE
        SYNTAX INTEGER {
            cm(1),
            cmtsActive(2),
            cmtsBackup(3)
        }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Defines the current role of this device. cm (1) is
             a Cable Modem, cmtsActive(2) is a Cable Modem Termination
             System which is controlling the system of cable modems,
             and cmtsBackup(3) is a CMTS which is currently connected,
             but not controlling the system (not currently used).

             In general, if this device is a 'cm', its role will not
             change during operation or between reboots. If the
             device is a 'cmts' it may change between cmtsActive and
             cmtsBackup and back again during normal operation. NB:
             At this time, the DOCSIS standards do not support the
             concept of a backup CMTS, cmtsBackup is included for
             completeness."
        ::= { docsDevBase 1 }

docsDevDateTime OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The date and time, with optional timezone
             information."
        ::= { docsDevBase 2 }

docsDevResetNow OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Setting this object to true(1) causes the device to reset.
             Reading this object always returns false(2)."
        ::= { docsDevBase 3 }

docsDevSerialNumber OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The manufacturer's serial number for this device."
        ::= { docsDevBase 4 }

docsDevSTPControl OBJECT-TYPE
        SYNTAX INTEGER {
            stEnabled(1),
            noStFilterBpdu(2),
            noStPassBpdu(3)
        }
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "This object controls operation of the spanning tree
             protocol (as distinguished from transparent bridging).
677            If set to stEnabled(1) then the spanning tree protocol
678            is enabled, subject to bridging constraints. If
679            noStFilterBpdu(2), then spanning tree is not active,
680            and Bridge PDUs received are discarded.
681            If noStPassBpdu(3) then spanning tree is not active
682            and Bridge PDUs are transparently forwarded. Note that
683            a device need not implement all of these options,
684            but that noStFilterBpdu(2) is required."
685       ::= { docsDevBase 5 }

687   --
688   -- The following table provides one level of security for access
689   -- to the device by network management stations.
690   -- Note that access is also constrained by the
691   -- community strings and any vendor-specific security.
692   --

694   docsDevNmAccessTable OBJECT-TYPE
695       SYNTAX SEQUENCE OF DocsDevNmAccessEntry
696       MAX-ACCESS not-accessible
697       STATUS current
698       DESCRIPTION
699           "This table controls access to SNMP objects by network
700            management stations. If the table is empty, access
701            to SNMP objects is unrestricted. This table exists only
702            on SNMPv1 or v2c agents and does not exist on SNMPv3
703            agents. See the conformance section for details.
704            Specifically, for v3 agents, the appropriate MIBs and
705            security models apply in lieu of this table."
706       ::= { docsDevMIBObjects 2 }

708   docsDevNmAccessEntry OBJECT-TYPE
709       SYNTAX DocsDevNmAccessEntry
710       MAX-ACCESS not-accessible
711       STATUS current
712       DESCRIPTION
713           "An entry describing access to SNMP objects by a
714            particular network management station. An entry in
715            this table is not readable unless the management station
716            has read-write permission (either implicit if the table
717            is empty, or explicit through an entry in this table).
718            Entries are ordered by docsDevNmAccessIndex. The first
719            matching entry (e.g. matching IP address and community
720            string) is used to derive access."
721       INDEX { docsDevNmAccessIndex }
722       ::= { docsDevNmAccessTable 1 }

724   DocsDevNmAccessEntry ::= SEQUENCE {
725       docsDevNmAccessIndex       Integer32,
726       docsDevNmAccessIp          IpAddress,
727       docsDevNmAccessIpMask      IpAddress,
728       docsDevNmAccessCommunity   OCTET STRING,
729       docsDevNmAccessControl     INTEGER,
730       docsDevNmAccessInterfaces  OCTET STRING,
731       docsDevNmAccessStatus      RowStatus
732   }

734   docsDevNmAccessIndex OBJECT-TYPE
735       SYNTAX Integer32 (1..2147483647)
736       MAX-ACCESS not-accessible
737       STATUS current
738       DESCRIPTION
739           "Index used to order the application of access
740            entries."
741       ::= { docsDevNmAccessEntry 1 }

743   docsDevNmAccessIp OBJECT-TYPE
744       SYNTAX IpAddress
745       MAX-ACCESS read-create
746       STATUS current
747       DESCRIPTION
748           "The IP address (or subnet) of the network management
749            station. The address 255.255.255.255 is defined to mean
750            any NMS. If traps are enabled for this entry, then the
751            value must be the address of a specific device."
752       DEFVAL { 'ffffffff'h }
753       ::= { docsDevNmAccessEntry 2 }

755   docsDevNmAccessIpMask OBJECT-TYPE
756       SYNTAX IpAddress
757       MAX-ACCESS read-create
758       STATUS current
759       DESCRIPTION
760           "The IP subnet mask of the network management stations.
761            If traps are enabled for this entry, then the value must
762            be 255.255.255.255."
763       DEFVAL { 'ffffffff'h }
764       ::= { docsDevNmAccessEntry 3 }

766   docsDevNmAccessCommunity OBJECT-TYPE
767       SYNTAX OCTET STRING
768       MAX-ACCESS read-create
769       STATUS current
770       DESCRIPTION
771           "The community string to be matched for access by this
772            entry. If set to a zero length string then any community string
773            will match. When read, this object SHOULD return a zero
774            length string."
775       DEFVAL { "public" }
776       ::= { docsDevNmAccessEntry 4 }

778   docsDevNmAccessControl OBJECT-TYPE
779       SYNTAX INTEGER {
780           none(1),
781           read(2),
782           readWrite(3),
783           roWithTraps(4),
784           rwWithTraps(5),
785           trapsOnly(6)
786       }
787       MAX-ACCESS read-create
788       STATUS current
789       DESCRIPTION
790           "Specifies the type of access allowed to this NMS. Setting
791            this object to none(1) causes the table entry to be
792            destroyed. Read(2) allows access by 'get' and 'get-next'
793            PDUs. ReadWrite(3) allows access by 'set' as well.
794            RoWithTraps(4), rwWithTraps(5), and trapsOnly(6)
795            control distribution of Trap PDUs transmitted by this
796            device."
797       DEFVAL { read }
798       ::= { docsDevNmAccessEntry 5 }

800   -- The syntax of the following object was copied from RFC1493,
801   -- dot1dStaticAllowedToGoTo.

803   docsDevNmAccessInterfaces OBJECT-TYPE
804       SYNTAX OCTET STRING
805       MAX-ACCESS read-create
806       STATUS current
807       DESCRIPTION
808           "Specifies the set of interfaces from which requests from
809            this NMS will be accepted.
810            Each octet within the value of this object specifies a set
811            of eight interfaces, with the first octet specifying ports
812            1 through 8, the second octet specifying interfaces 9
813            through 16, etc. Within each octet, the most significant
814            bit represents the lowest numbered interface, and the least
815            significant bit represents the highest numbered interface.
816            Thus, each interface is represented by a single bit within
817            the value of this object. If that bit has a value of '1'
818            then that interface is included in the set.

820            Note that entries in this table apply only to link-layer
821            interfaces (e.g., Ethernet and CATV MAC). Upstream and
822            downstream channel interfaces must not be specified."
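
The docsDevNmAccess* DESCRIPTION clauses above fix the matching rules (index order, first match wins, 255.255.255.255 and the zero-length community as wildcards, an MSB-first interface bitmap); the Python model below is an added example, not part of the draft, that evaluates a table under those rules and reports rows an earlier row makes unreachable. Assumptions the MIB does not state: a non-empty table denies requests that match no row, the interface set gates the first matching row rather than taking part in the match, and the *WithTraps values carry the request rights their ro/rw prefix suggests; the table rows and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# docsDevNmAccessControl values as enumerated in the MIB.
NONE, READ, READ_WRITE, RO_WITH_TRAPS, RW_WITH_TRAPS, TRAPS_ONLY = range(1, 7)
# Assumption: roWithTraps/rwWithTraps grant read / read-write to requests,
# and trapsOnly grants no request access.
CAN_READ = {READ, READ_WRITE, RO_WITH_TRAPS, RW_WITH_TRAPS}
CAN_WRITE = {READ_WRITE, RW_WITH_TRAPS}


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def interface_allowed(bitmap: bytes, if_index: int) -> bool:
    """docsDevNmAccessInterfaces: octet 1 holds interfaces 1-8, MSB = lowest."""
    if if_index < 1:
        return False
    octet, bit = divmod(if_index - 1, 8)
    return octet < len(bitmap) and bool(bitmap[octet] & (0x80 >> bit))


@dataclass
class AccessEntry:
    index: int
    ip: str = "255.255.255.255"      # DEFVAL: any NMS
    mask: str = "255.255.255.255"    # DEFVAL
    community: bytes = b"public"     # DEFVAL
    control: int = READ              # DEFVAL
    interfaces: bytes = b"\xff"      # constructed value: interfaces 1-8

    def scope(self):
        """(network, mask); the 'any NMS' address is normalised to match-all."""
        if self.ip == "255.255.255.255":
            return 0, 0
        mask = _ip(self.mask)
        return _ip(self.ip) & mask, mask

    def matches(self, src: str, community: bytes) -> bool:
        net, mask = self.scope()
        ip_ok = (_ip(src) & mask) == net
        community_ok = self.community == b"" or self.community == community
        return ip_ok and community_ok

    def covers(self, other: "AccessEntry") -> bool:
        """True if every request matching `other` also matches this row."""
        net, mask = self.scope()
        o_net, o_mask = other.scope()
        ip_cover = (mask & o_mask) == mask and (o_net & mask) == net
        community_cover = (self.community == b""
                           or self.community == other.community)
        return ip_cover and community_cover


def effective_access(table, src, community, if_index, pdu) -> bool:
    """Is `pdu` ('get', 'get-next' or 'set') permitted for this request?"""
    if not table:
        return True                       # empty table: access unrestricted
    for entry in sorted(table, key=lambda e: e.index):
        if not entry.matches(src, community):
            continue
        # First matching row decides; later rows are never consulted.
        if not interface_allowed(entry.interfaces, if_index):
            return False
        if pdu in ("get", "get-next"):
            return entry.control in CAN_READ
        return pdu == "set" and entry.control in CAN_WRITE
    return False                          # assumption: no match means no access


def shadowed_entries(table):
    """Indexes of rows that can never be the first match."""
    ordered = sorted(table, key=lambda e: e.index)
    return [later.index for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


# Constructed sample: a broad read-only row placed ahead of the row meant to
# give one management station write access.
BROAD = AccessEntry(10, ip="192.0.2.0", mask="255.255.255.0",
                    community=b"", control=READ, interfaces=b"\xc0")
NARROW = AccessEntry(20, ip="192.0.2.10", community=b"ops-rw",
                     control=READ_WRITE, interfaces=b"\xc0")
SAMPLE_TABLE = [NARROW, BROAD]

if __name__ == "__main__":
    print("set allowed:", effective_access(SAMPLE_TABLE, "192.0.2.10",
                                           b"ops-rw", 1, "set"))
    print("shadowed rows:", shadowed_entries(SAMPLE_TABLE))
```

Giving the narrow row a lower index than the broad one makes it the first match and clears the shadowing report.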
823   -- DEFVAL is the bitmask corresponding to all interfaces
824       ::= { docsDevNmAccessEntry 6 }

826   docsDevNmAccessStatus OBJECT-TYPE
827       SYNTAX RowStatus
828       MAX-ACCESS read-create
829       STATUS current
830       DESCRIPTION
831           "Controls and reflects the status of rows in this
832            table. Rows in this table may be created by either the
833            create-and-go or create-and-wait paradigms. There is no
834            restriction on changing values in a row of this table while the
835            row is active."
836       ::= { docsDevNmAccessEntry 7 }

838   --
839   -- Procedures for using the following group are described in section
840   -- 3.2.1 of the DOCSIS Radio Frequency Interface Specification
841   --

843   docsDevSoftware OBJECT IDENTIFIER ::= { docsDevMIBObjects 3 }

845   docsDevSwServer OBJECT-TYPE
846       SYNTAX IpAddress
847       MAX-ACCESS read-write
848       STATUS current
849       DESCRIPTION
850           "The address of the TFTP server used for software upgrades.
851            If the TFTP server is unknown, return 0.0.0.0."
852       ::= { docsDevSoftware 1 }

854   docsDevSwFilename OBJECT-TYPE
855       SYNTAX SnmpAdminString (SIZE (0..64))
856       MAX-ACCESS read-write
857       STATUS current
858       DESCRIPTION
859           "The file name of the software image to be loaded into this
860            device. Unless set via SNMP, this is the file name
861            specified by the provisioning server that corresponds to
862            the software version that is desired for this device.
863            If unknown, the string '(unknown)' is returned."
864       ::= { docsDevSoftware 2 }

866   docsDevSwAdminStatus OBJECT-TYPE
867       SYNTAX INTEGER {
868           upgradeFromMgt(1),
869           allowProvisioningUpgrade(2),
870           ignoreProvisioningUpgrade(3)
871       }
872       MAX-ACCESS read-write
873       STATUS current
874       DESCRIPTION
875           "If set to upgradeFromMgt(1), the device will initiate a
876            TFTP software image download using docsDevSwFilename.
877            After successfully receiving an image, the device will
878            set its state to ignoreProvisioningUpgrade(3) and reboot.
879            If the download process is interrupted by a reset or
880            power failure, the device will load the previous image
881            and, after re-initialization, continue to attempt loading
882            the image specified in docsDevSwFilename.

884            If set to allowProvisioningUpgrade(2), the device will
885            use the software version information supplied by the
886            provisioning server when next rebooting (this does not
887            cause a reboot).

889            When set to ignoreProvisioningUpgrade(3), the device
890            will disregard software image upgrade information from the
891            provisioning server.

893            Note that reading this object can return upgradeFromMgt(1).
894            This indicates that a software download is currently in
895            progress, and that the device will reboot after
896            successfully receiving an image.

898            At initial startup, this object has the default value of
899            allowProvisioningUpgrade(2)."
900       ::= { docsDevSoftware 3 }

902   docsDevSwOperStatus OBJECT-TYPE
903       SYNTAX INTEGER {
904           inProgress(1),
905           completeFromProvisioning(2),
906           completeFromMgt(3),
907           failed(4),
908           other(5)
909       }
910       MAX-ACCESS read-only
911       STATUS current
912       DESCRIPTION
913           "InProgress(1) indicates that a TFTP download is underway,
914            either as a result of a version mismatch at provisioning
915            or as a result of an upgradeFromMgt request.
916            CompleteFromProvisioning(2) indicates that the last
917            software upgrade was a result of version mismatch at
918            provisioning. CompleteFromMgt(3) indicates that the last
919            software upgrade was a result of setting
920            docsDevSwAdminStatus to upgradeFromMgt.
921            Failed(4) indicates that the last attempted download
922            failed, ordinarily due to TFTP timeout."
923       REFERENCE
924           "DOCSIS Radio Frequency Interface Specification, Section
925            8.2, Downloading Cable Modem Operating Software."
926       ::= { docsDevSoftware 4 }

928   docsDevSwCurrentVers OBJECT-TYPE
929       SYNTAX SnmpAdminString
930       MAX-ACCESS read-only
931       STATUS current
932       DESCRIPTION
933           "The software version currently operating in this device.
934            This object should be in the syntax used by the individual
935            vendor to identify software versions. Any CM MUST return a
936            string descriptive of the current software load. For a
937            CMTS, this object SHOULD contain either a human readable
938            representation of the vendor specific designation of the
939            software for the chassis, or of the software for the
940            control processor. If neither of these is applicable,
941            this MUST contain an empty string."
942       ::= { docsDevSoftware 5 }

944   --
945   -- The following group describes server access and parameters used for
946   -- initial provisioning and bootstrapping.
947   --

949   docsDevServer OBJECT IDENTIFIER ::= { docsDevMIBObjects 4 }

951   docsDevServerBootState OBJECT-TYPE
952       SYNTAX INTEGER {
953           operational(1),
954           disabled(2),
955           waitingForDhcpOffer(3),
956           waitingForDhcpResponse(4),
957           waitingForTimeServer(5),
958           waitingForTftp(6),
959           refusedByCmts(7),
960           forwardingDenied(8),
961           other(9),
962           unknown(10)
963       }
964       MAX-ACCESS read-only
965       STATUS current
966       DESCRIPTION
967           "If operational(1), the device has completed loading and
968            processing of configuration parameters and the CMTS has
969            completed the Registration exchange.
970            If disabled(2) then the device was administratively
971            disabled, possibly by being refused network access in the
972            configuration file.

974            If waitingForDhcpOffer(3) then a DHCP Discover has been
975            transmitted and no offer has yet been received.
976            If waitingForDhcpResponse(4) then a DHCP Request has been
977            transmitted and no response has yet been received.
978            If waitingForTimeServer(5) then a Time Request has been
979            transmitted and no response has yet been received.
980            If waitingForTftp(6) then a request to the TFTP parameter
981            server has been made and no response received.
982            If refusedByCmts(7) then the Registration Request/Response
983            exchange with the CMTS failed.
984            If forwardingDenied(8) then the registration process
985            completed, but the network access option in the received
986            configuration file prohibits forwarding."
987       REFERENCE
988           "DOCSIS Radio Frequency Interface Specification, Figure
989            7-1, CM Initialization Overview."
990       ::= { docsDevServer 1 }

992   docsDevServerDhcp OBJECT-TYPE
993       SYNTAX IpAddress
994       MAX-ACCESS read-only
995       STATUS current
996       DESCRIPTION
997           "The IP address of the DHCP server that assigned an IP
998            address to this device. Returns 0.0.0.0 if DHCP was not
999            used for IP address assignment."
1000      ::= { docsDevServer 2 }

1002  docsDevServerTime OBJECT-TYPE
1003      SYNTAX IpAddress
1004      MAX-ACCESS read-only
1005      STATUS current
1006      DESCRIPTION
1007          "The IP address of the Time server (RFC-868). Returns
1008           0.0.0.0 if the time server IP address is unknown."
1009      ::= { docsDevServer 3 }

1011  docsDevServerTftp OBJECT-TYPE
1012      SYNTAX IpAddress
1013      MAX-ACCESS read-only
1014      STATUS current
1015      DESCRIPTION
1016          "The IP address of the TFTP server responsible for
1017           downloading provisioning and configuration parameters
1018           to this device. Returns 0.0.0.0 if the TFTP server
1019           address is unknown."
1020      ::= { docsDevServer 4 }

1022  docsDevServerConfigFile OBJECT-TYPE
1023      SYNTAX SnmpAdminString
1024      MAX-ACCESS read-only
1025      STATUS current
1026      DESCRIPTION
1027          "The name of the device configuration file read from the
1028           TFTP server. Returns an empty string if the configuration
1029           file name is unknown."
1030      ::= { docsDevServer 5 }

1032  --
1033  -- Event Reporting
1034  --

1036  docsDevEvent OBJECT IDENTIFIER ::= { docsDevMIBObjects 5 }

1038  docsDevEvControl OBJECT-TYPE
1039      SYNTAX INTEGER {
1040          resetLog(1),
1041          useDefaultReporting(2)
1042      }
1043      MAX-ACCESS read-write
1044      STATUS current
1045      DESCRIPTION
1046          "Setting this object to resetLog(1) empties the event log.
1047           All data is deleted. Setting it to useDefaultReporting(2)
1048           returns all event priorities to their factory-default
1049           reporting. Reading this object always returns
1050           useDefaultReporting(2)."
1051      ::= { docsDevEvent 1 }

1053  docsDevEvSyslog OBJECT-TYPE
1054      SYNTAX IpAddress
1055      MAX-ACCESS read-write
1056      STATUS current
1057      DESCRIPTION
1058          "The IP address of the Syslog server. If 0.0.0.0, syslog
1059           transmission is inhibited."
1060      ::= { docsDevEvent 2 }

1062  docsDevEvThrottleAdminStatus OBJECT-TYPE
1063      SYNTAX INTEGER {
1064          unconstrained(1),
1065          maintainBelowThreshold(2),
1066          stopAtThreshold(3),
1067          inhibited(4)
1068      }
1069      MAX-ACCESS read-write
1070      STATUS current
1071      DESCRIPTION
1072          "Controls the transmission of traps and syslog messages
1073           with respect to the trap pacing threshold.
1074           unconstrained(1) causes traps and syslog messages to be
1075           transmitted without regard to the threshold settings.
1076           maintainBelowThreshold(2) causes trap transmission and
1077           syslog messages to be suppressed if the number of traps
1078           would otherwise exceed the threshold.
1079           stopAtThreshold(3) causes trap transmission to cease
1080           at the threshold, and not resume until directed to do so.
1081           inhibited(4) causes all trap transmission and syslog
1082           messages to be suppressed.

1084           A single event is always treated as a single event for
1085           threshold counting. That is, an event causing both a trap
1086           and a syslog message is still treated as a single event.

1088           Writing to this object resets the thresholding state.

1090           At initial startup, this object has a default value of
1091           unconstrained(1)."
1092      ::= { docsDevEvent 3 }

1094  docsDevEvThrottleInhibited OBJECT-TYPE
1095      SYNTAX TruthValue
1096      MAX-ACCESS read-only
1097      STATUS current
1098      DESCRIPTION
1099          "If true(1), trap and syslog transmission is currently
1100           inhibited due to thresholds and/or the current setting of
1101           docsDevEvThrottleAdminStatus. In addition, this is set to
1102           true(1) if transmission is inhibited due to no
1103           syslog (docsDevEvSyslog) or trap (docsDevNmAccessEntry)
1104           destinations having been set."
1105      ::= { docsDevEvent 4 }

1107  docsDevEvThrottleThreshold OBJECT-TYPE
1108      SYNTAX Unsigned32
1109      MAX-ACCESS read-write
1110      STATUS current
1111      DESCRIPTION
1112          "Number of trap/syslog events per docsDevEvThrottleInterval
1113           to be transmitted before throttling.

1115           A single event is always treated as a single event for
1116           threshold counting. That is, an event causing both a trap
1117           and a syslog message is still treated as a single event.

1119           At initial startup, this object returns 0."
1120      ::= { docsDevEvent 5 }

1122  docsDevEvThrottleInterval OBJECT-TYPE
1123      SYNTAX Integer32 (1..2147483647)
1124      UNITS "seconds"
1125      MAX-ACCESS read-write
1126      STATUS current
1127      DESCRIPTION
1128          "The interval over which the trap threshold applies.
1129           At initial startup, this object has a value of 1."

1131      ::= { docsDevEvent 6 }

1133  --
1134  -- The following table controls the reporting of the various classes of
1135  -- events.
1136  --

1138  docsDevEvControlTable OBJECT-TYPE
1139      SYNTAX SEQUENCE OF DocsDevEvControlEntry
1140      MAX-ACCESS not-accessible
1141      STATUS current
1142      DESCRIPTION
1143          "This table allows control of the reporting of event classes.
1144           For each event priority, a combination of logging and
1145           reporting mechanisms may be chosen. The mapping of event types
1146           to priorities is vendor-dependent. Vendors may also choose to
1147           allow the user to control that mapping through proprietary means."
1148      ::= { docsDevEvent 7 }

1150  docsDevEvControlEntry OBJECT-TYPE
1151      SYNTAX DocsDevEvControlEntry
1152      MAX-ACCESS not-accessible
1153      STATUS current
1154      DESCRIPTION
1155          "Allows configuration of the reporting mechanisms for a
1156           particular event priority."
1157      INDEX { docsDevEvPriority }
1158      ::= { docsDevEvControlTable 1 }

1160  DocsDevEvControlEntry ::= SEQUENCE {
1161      docsDevEvPriority   INTEGER,
1162      docsDevEvReporting  BITS
1163  }

1165  docsDevEvPriority OBJECT-TYPE
1166      SYNTAX INTEGER {
1167          emergency(1),
1168          alert(2),
1169          critical(3),
1170          error(4),
1171          warning(5),
1172          notice(6),
1173          information(7),
1174          debug(8)
1175      }
1176      MAX-ACCESS not-accessible
1177      STATUS current
1178      DESCRIPTION
1179          "The priority level that is controlled by this
1180           entry. These are ordered from most (emergency) to least (debug)
1181           critical. Each event with a CM or CMTS has a particular

1183           priority level associated with it (as defined by the
1184           vendor). During normal operation no event more critical than
1185           notice(6) should be generated. Events between warning and
1186           emergency should be generated at appropriate levels of
1187           problems (e.g. emergency when the box is about to
1188           crash)."
1189      ::= { docsDevEvControlEntry 1 }

1191  docsDevEvReporting OBJECT-TYPE
1192      SYNTAX BITS {
1193          local(0),
1194          traps(1),
1195          syslog(2)
1196      }
1197      MAX-ACCESS read-write
1198      STATUS current
1199      DESCRIPTION
1200          "Defines the action to be taken on occurrence of this
1201           event class. Implementations may not necessarily support
1202           all options for all event classes, but at minimum must
1203           allow traps and syslogging to be disabled. If the
1204           local(0) bit is set, then log to the internal log, if the
1205           traps(1) bit is set, then generate a trap, if the
1206           syslog(2) bit is set, then send a syslog message
1207           (assuming the syslog address is set)."
1208      ::= { docsDevEvControlEntry 2 }

1210  docsDevEventTable OBJECT-TYPE
1211      SYNTAX SEQUENCE OF DocsDevEventEntry
1212      MAX-ACCESS not-accessible
1213      STATUS current
1214      DESCRIPTION
1215          "Contains a log of network and device events that may be
1216           of interest in fault isolation and troubleshooting."
1217      ::= { docsDevEvent 8 }

1219  docsDevEventEntry OBJECT-TYPE
1220      SYNTAX DocsDevEventEntry
1221      MAX-ACCESS not-accessible
1222      STATUS current
1223      DESCRIPTION
1224          "Describes a network or device event that may be of
1225           interest in fault isolation and troubleshooting. Multiple
1226           sequential identical events are represented by
1227           incrementing docsDevEvCounts and setting
1228           docsDevEvLastTime to the current time rather than creating
1229           multiple rows.

1231           Entries are created with the first occurrence of an event.
1232           docsDevEvControl can be used to clear the table.
1233           Individual events can not be deleted."
1234      INDEX { docsDevEvIndex }
1235      ::= { docsDevEventTable 1 }

1237  DocsDevEventEntry ::= SEQUENCE {
1238      docsDevEvIndex      Integer32,
1239      docsDevEvFirstTime  DateAndTime,
1240      docsDevEvLastTime   DateAndTime,
1241      docsDevEvCounts     Counter32,
1242      docsDevEvLevel      INTEGER,
1243      docsDevEvId         Unsigned32,
1244      docsDevEvText       SnmpAdminString
1245  }

1247  docsDevEvIndex OBJECT-TYPE
1248      SYNTAX Integer32 (1..2147483647)
1249      MAX-ACCESS not-accessible
1250      STATUS current
1251      DESCRIPTION
1252          "Provides relative ordering of the objects in the event
1253           log. This object will always increase except when
1254           (a) the log is reset via docsDevEvControl,
1255           (b) the device reboots and does not implement non-volatile
1256           storage for this log, or (c) it reaches the value 2^31.
1257           The next entry for all the above cases is 1."
1258      ::= { docsDevEventEntry 1 }

1260  docsDevEvFirstTime OBJECT-TYPE
1261      SYNTAX DateAndTime
1262      MAX-ACCESS read-only
1263      STATUS current
1264      DESCRIPTION
1265          "The time that this entry was created."
1266      ::= { docsDevEventEntry 2 }

1268  docsDevEvLastTime OBJECT-TYPE
1269      SYNTAX DateAndTime
1270      MAX-ACCESS read-only
1271      STATUS current
1272      DESCRIPTION
1273          "If multiple events are reported via the same entry, the
1274           time that the last event for this entry occurred,
1275           otherwise this should have the same value as
1276           docsDevEvFirstTime."
1277      ::= { docsDevEventEntry 3 }

1279  -- This object was renamed from docsDevEvCount to meet naming
1280  -- requirements for Counter32
1281  docsDevEvCounts OBJECT-TYPE
1282      SYNTAX Counter32
1283      MAX-ACCESS read-only
1284      STATUS current
1285      DESCRIPTION
1286          "The number of consecutive event instances reported by
1287           this entry. This starts at 1 with the creation of this
1288           row and increments by 1 for each subsequent duplicate event."
1289      ::= { docsDevEventEntry 4 }

1291  docsDevEvLevel OBJECT-TYPE
1292      SYNTAX INTEGER {
1293          emergency(1),
1294          alert(2),
1295          critical(3),
1296          error(4),
1297          warning(5),
1298          notice(6),
1299          information(7),
1300          debug(8)
1301      }
1302      MAX-ACCESS read-only
1303      STATUS current
1304      DESCRIPTION
1305          "The priority level of this event as defined by the
1306           vendor. These are ordered from most serious (emergency)
1307           to least serious (debug)."
1308      ::= { docsDevEventEntry 5 }

1310  --
1311  -- Vendors will provide their own enumerations for the following.
1312  -- The interpretation of the enumeration is unambiguous for a
1313  -- particular value of the vendor's enterprise number in sysObjectID.
1314  --

1316  docsDevEvId OBJECT-TYPE
1317      SYNTAX Unsigned32
1318      MAX-ACCESS read-only
1319      STATUS current
1320      DESCRIPTION
1321          "For this product, uniquely identifies the type of event
1322           that is reported by this entry."
1323      ::= { docsDevEventEntry 6 }

1325  docsDevEvText OBJECT-TYPE
1326      SYNTAX SnmpAdminString
1327      MAX-ACCESS read-only
1328      STATUS current
1329      DESCRIPTION
1330          "Provides a human-readable description of the event,
1331           including all relevant context (interface numbers,
1332           etc.)."
1333      ::= { docsDevEventEntry 7 }

1335  docsDevFilter OBJECT IDENTIFIER ::= { docsDevMIBObjects 6 }

1337  --
1338  -- Link Level Control Filtering
1339  --

1341  -- docsDevFilterLLCDefault renamed to docsDevFilterLLCUnmatchedAction

1343  docsDevFilterLLCUnmatchedAction OBJECT-TYPE
1344      SYNTAX INTEGER {
1345          discard(1),
1346          accept(2)
1347      }
1348      MAX-ACCESS read-write
1349      STATUS current
1350      DESCRIPTION
1351          "LLC (Link Level Control) filters can be defined on an
1352           inclusive or exclusive basis: CMs can be configured to
1353           forward only packets matching a set of layer three
1354           protocols, or to drop packets matching a set of layer
1355           three protocols. Typical use of these filters is to
1356           filter out possibly harmful (given the context of a large
1357           metropolitan LAN) protocols.

1359           If set to discard(1), any L2 packet which does not match at
1360           least one filter in the docsDevFilterLLCTable will be
1361           discarded. If set to accept(2), any L2 packet which does not
1362           match at least one filter in the docsDevFilterLLCTable
1363           will be accepted for further processing (e.g., bridging).
1364           At initial system startup, this object returns accept(2)."
1365      ::= { docsDevFilter 1 }

1367  docsDevFilterLLCTable OBJECT-TYPE
1368      SYNTAX SEQUENCE OF DocsDevFilterLLCEntry
1369      MAX-ACCESS not-accessible
1370      STATUS current
1371      DESCRIPTION
1372          "A list of filters to apply to (bridged) LLC
1373           traffic. The filters in this table are applied to
1374           incoming traffic on the appropriate interface(s) prior
1375           to any further processing (e.g. before handing the packet
1376           off for level 3 processing, or for bridging). The
1377           specific action taken when no filter is matched is
1378           controlled by docsDevFilterLLCUnmatchedAction."
1379      ::= { docsDevFilter 2 }

1381  docsDevFilterLLCEntry OBJECT-TYPE
1382      SYNTAX DocsDevFilterLLCEntry
1383      MAX-ACCESS not-accessible
1384      STATUS current
1385      DESCRIPTION
1386          "Describes a single filter to apply to (bridged) LLC traffic
1387           received on a specified interface."
1388      INDEX { docsDevFilterLLCIndex }
1389      ::= { docsDevFilterLLCTable 1 }

1391  DocsDevFilterLLCEntry ::= SEQUENCE {
1392      docsDevFilterLLCIndex         Integer32,
1393      docsDevFilterLLCStatus        RowStatus,
1394      docsDevFilterLLCIfIndex       InterfaceIndexOrZero,
1395      docsDevFilterLLCProtocolType  INTEGER,
1396      docsDevFilterLLCProtocol      Integer32,
1397      docsDevFilterLLCMatches       Counter32
1398  }

1400  docsDevFilterLLCIndex OBJECT-TYPE
1401      SYNTAX Integer32 (1..2147483647)
1402      MAX-ACCESS not-accessible
1403      STATUS current
1404      DESCRIPTION
1405          "Index used for the identification of filters (note that LLC
1406           filter order is irrelevant)."
1407      ::= { docsDevFilterLLCEntry 1 }

1409  docsDevFilterLLCStatus OBJECT-TYPE
1410      SYNTAX RowStatus
1411      MAX-ACCESS read-create
1412      STATUS current
1413      DESCRIPTION
1414          "Controls and reflects the status of rows in this
1415           table. There is no restriction on changing any of the
1416           associated columns for this row while this object is set
1417           to active."

1419      ::= { docsDevFilterLLCEntry 2}

1421  docsDevFilterLLCIfIndex OBJECT-TYPE
1422      SYNTAX InterfaceIndexOrZero
1423      MAX-ACCESS read-create
1424      STATUS current
1425      DESCRIPTION
1426          "The entry interface to which this filter applies.
1427           The value corresponds to ifIndex for either a CATV MAC
1428           or another network interface. If the value is zero, the
1429           filter applies to all interfaces. In Cable Modems, the
1430           default value is the customer side interface. In Cable
1431           Modem Termination Systems, this object has to be
1432           specified to create a row in this table."
1433      ::= { docsDevFilterLLCEntry 3 }

1435  docsDevFilterLLCProtocolType OBJECT-TYPE
1436      SYNTAX INTEGER {
1437          ethertype(1),
1438          dsap(2)
1439      }
1440      MAX-ACCESS read-create
1441      STATUS current
1442      DESCRIPTION
1443          "The format of the value in docsDevFilterLLCProtocol:
1444           either a two-byte Ethernet Ethertype, or a one-byte
1445           802.2 SAP value. EtherType(1) also applies to SNAP-
1446           encapsulated frames."
1447      DEFVAL { ethertype }
1448      ::= { docsDevFilterLLCEntry 4 }

1450  docsDevFilterLLCProtocol OBJECT-TYPE
1451      SYNTAX Integer32 (0..65535)
1452      MAX-ACCESS read-create
1453      STATUS current
1454      DESCRIPTION
1455          "The layer three protocol for which this filter applies.
1456           The protocol value format depends on
1457           docsDevFilterLLCProtocolType. Note that for SNAP frames,
1458           etherType filtering is performed rather than DSAP=0xAA."
1459      DEFVAL { 0 }
1460      ::= { docsDevFilterLLCEntry 5 }

1462  docsDevFilterLLCMatches OBJECT-TYPE
1463      SYNTAX Counter32
1464      MAX-ACCESS read-only
1465      STATUS current
1466      DESCRIPTION
1467          "Counts the number of times this filter was matched."
1468      ::= { docsDevFilterLLCEntry 6 }

1470  -- The default behavior for (bridged) packets that do not match IP
1471  -- filters is defined by
1472  -- docsDevFilterIpDefault.

1474  docsDevFilterIpDefault OBJECT-TYPE
1475      SYNTAX INTEGER {
1476          discard(1),
1477          accept(2)
1478      }
1479      MAX-ACCESS read-write
1480      STATUS current
1481      DESCRIPTION
1482          "If set to discard(1), all packets not matching an IP filter
1483           will be discarded. If set to accept(2), all packets not
1484           matching an IP filter will be accepted for further
1485           processing (e.g., bridging).
1486           At initial system startup, this object returns accept(2)."
1487      ::= { docsDevFilter 3 }

1489  docsDevFilterIpTable OBJECT-TYPE
1490      SYNTAX SEQUENCE OF DocsDevFilterIpEntry
1491      MAX-ACCESS not-accessible
1492      STATUS current
1493      DESCRIPTION
1494          "An ordered list of filters or classifiers to apply to
1495           IP traffic. Filter application is ordered by the filter
1496           index, rather than by a best match algorithm (Note that
1497           this implies that the filter table may have gaps in the
1498           index values). Packets which match no filters will have
1499           policy 0 in the docsDevFilterPolicyTable applied to them if
1500           it exists. Otherwise, packets which match no filters
1501           are discarded or forwarded according to the setting of
1502           docsDevFilterIpDefault.

1504           Any IP packet can theoretically match multiple rows of
1505           this table. When considering a packet, the table is
1506           scanned in row index order (e.g. filter 10 is checked
1507           before filter 20). If the packet matches that filter
1508           (which means that it matches ALL criteria for that row),
1509           actions appropriate to docsDevFilterIpControl and
1510           docsDevFilterPolicyId are taken. If the packet was
1511           discarded, processing is complete. If
1512           docsDevFilterIpContinue is set to true, the filter
1513           comparison continues with the next row in the table
1514           looking for additional matches.

1516           If the packet matches no filter in the table, the packet
1517           is accepted or dropped for further processing based on
1518           the setting of docsDevFilterIpDefault. If the packet is
1519           accepted, the actions specified by policy group 0
1520           (e.g. the rows in docsDevFilterPolicyTable which have a
1521           value of 0 for docsDevFilterPolicyId) are taken if that
1522           policy group exists.

1524           Logically, this table is consulted twice during the
1525           processing of any IP packet - once upon its acceptance
1526           from the L2 entity, and once upon its transmission to the
1527           L2 entity. In actuality, for cable modems, IP filtering
1528           is generally the only IP processing done for transit
1529           traffic. This means that inbound and outbound filtering
1530           can generally be done at the same time with one pass
1531           through the filter table."
1532      ::= { docsDevFilter 4 }

1534  docsDevFilterIpEntry OBJECT-TYPE
1535      SYNTAX DocsDevFilterIpEntry
1536      MAX-ACCESS not-accessible
1537      STATUS current
1538      DESCRIPTION
1539          "Describes a filter to apply to IP traffic received on a
1540           specified interface. All identity objects in this table
1541           (e.g. source and destination address/mask, protocol,
1542           source/dest port, TOS/mask, interface and direction) must
1543           match their respective fields in the packet for any given
1544           filter to match.

1546           To create an entry in this table, docsDevFilterIpIfIndex
1547           must be specified."
1548      INDEX { docsDevFilterIpIndex }
1549      ::= { docsDevFilterIpTable 1 }

1551  DocsDevFilterIpEntry ::= SEQUENCE {
1552      docsDevFilterIpIndex           Integer32,
1553      docsDevFilterIpStatus          RowStatus,
1554      docsDevFilterIpControl         INTEGER,
1555      docsDevFilterIpIfIndex         InterfaceIndexOrZero,
1556      docsDevFilterIpDirection       INTEGER,
1557      docsDevFilterIpBroadcast       TruthValue,
1558      docsDevFilterIpSaddr           IpAddress,
1559      docsDevFilterIpSmask           IpAddress,
1560      docsDevFilterIpDaddr           IpAddress,
1561      docsDevFilterIpDmask           IpAddress,
1562      docsDevFilterIpProtocol        Integer32,
1563      docsDevFilterIpSourcePortLow   Integer32,
1564      docsDevFilterIpSourcePortHigh  Integer32,
1565      docsDevFilterIpDestPortLow     Integer32,
1566      docsDevFilterIpDestPortHigh    Integer32,
1567      docsDevFilterIpMatches         Counter32,
1568      docsDevFilterIpTos             OCTET STRING,
1569      docsDevFilterIpTosMask         OCTET STRING,
1570      docsDevFilterIpContinue        TruthValue,
1571      docsDevFilterIpPolicyId        Integer32
1572  }

1574  docsDevFilterIpIndex OBJECT-TYPE
1575      SYNTAX Integer32 (1..2147483647)
1576      MAX-ACCESS not-accessible
1577      STATUS current
1578      DESCRIPTION
1579          "Index used to order the application of filters.
1580           The filter with the lowest index is always applied
1581           first."
1582      ::= { docsDevFilterIpEntry 1 }

1584  docsDevFilterIpStatus OBJECT-TYPE
1585      SYNTAX RowStatus
1586      MAX-ACCESS read-create
1587      STATUS current
1588      DESCRIPTION
1589          "Controls and reflects the status of rows in this
1590           table. Specifying only this object (with the appropriate
1591           index) on a CM is sufficient to create a filter row which
1592           matches all inbound packets on the ethernet interface,
1593           and results in the packets being
1594           discarded. docsDevFilterIpIfIndex (at least) must be
1595           specified on a CMTS to create a row. Creation of the
1596           rows may be done via either create-and-wait or
1597           create-and-go, but the filter is not applied until this
1598           object is set to (or changes to) active. There is no

1600           restriction in changing any object in a row while this
1601           object is set to active."
1602      ::= { docsDevFilterIpEntry 2 }

1604  docsDevFilterIpControl OBJECT-TYPE
1605      SYNTAX INTEGER {
1606          discard(1),
1607          accept(2),
1608          policy(3)
1609      }
1610      MAX-ACCESS read-create
1611      STATUS current
1612      DESCRIPTION
1613          "If set to discard(1), all packets matching this filter
1614           will be discarded and scanning of the remainder of the
1615           filter list will be aborted. If set to accept(2), all
1616           packets matching this filter will be accepted for further
1617           processing (e.g., bridging). If docsDevFilterIpContinue
1618           is set to true, see if there are other matches, otherwise
1619           done. If set to policy (3), execute the policy entries
1620           matched by docsDevFilterIpPolicyId in
1621           docsDevFilterPolicyTable.

1623           If docsDevFilterIpContinue is set to true, continue
1624           scanning the table for other matches, otherwise done."
1625      DEFVAL { discard }
1626      ::= { docsDevFilterIpEntry 3 }

1628  docsDevFilterIpIfIndex OBJECT-TYPE
1629      SYNTAX InterfaceIndexOrZero
1630      MAX-ACCESS read-create
1631      STATUS current
1632      DESCRIPTION
1633          "The entry interface to which this filter applies. The
1634           value corresponds to ifIndex for either a CATV MAC or
1635           another network interface. If the value is zero, the
1636           filter applies to all interfaces. Default value in Cable
1637           Modems is the index of the customer-side (e.g. ethernet)
1638           interface. In Cable Modem Termination Systems, this
1639           object MUST be specified to create a row in this table."
1640      ::= { docsDevFilterIpEntry 4 }

1642  docsDevFilterIpDirection OBJECT-TYPE
1643      SYNTAX INTEGER {
1644          inbound(1),
1645          outbound(2),
1646          both(3)
1647      }
1648      MAX-ACCESS read-create
1649      STATUS current
1650      DESCRIPTION
1651          "Determines whether the filter is applied to inbound(1)
1652           traffic, outbound(2) traffic, or traffic in both(3)
1653           directions."
1654      DEFVAL { inbound }
1655      ::= { docsDevFilterIpEntry 5 }

1657  docsDevFilterIpBroadcast OBJECT-TYPE
1658      SYNTAX TruthValue
1659      MAX-ACCESS read-create
1660      STATUS current
1661      DESCRIPTION
1662          "If set to true(1), the filter only applies to multicast
1663           and broadcast traffic. If set to false(2), the filter
1664           applies to all traffic."
1665      DEFVAL { false }
1666      ::= { docsDevFilterIpEntry 6 }

1668  docsDevFilterIpSaddr OBJECT-TYPE
1669      SYNTAX IpAddress
1670      MAX-ACCESS read-create
1671      STATUS current
1672      DESCRIPTION
1673          "The source IP address, or portion thereof, that is to be
1674           matched for this filter. The source address is first
1675           masked (and'ed) against docsDevFilterIpSmask before being
1676           compared to this value. A value of 0 for this object
1677           and 0 for the mask matches all IP addresses."
1678      DEFVAL { '00000000'h }
1679      ::= { docsDevFilterIpEntry 7 }

1681  docsDevFilterIpSmask OBJECT-TYPE
1682      SYNTAX IpAddress
1683      MAX-ACCESS read-create
1684      STATUS current
1685      DESCRIPTION
1686          "A bit mask that is to be applied to the source address
1687           prior to matching. This mask is not necessarily the same
1688           as a subnet mask, but 1's bits must be leftmost and
1689           contiguous."
1690 DEFVAL { '00000000'h } 1691 ::= { docsDevFilterIpEntry 8 } 1693 docsDevFilterIpDaddr OBJECT-TYPE 1694 SYNTAX IpAddress 1695 MAX-ACCESS read-create 1696 STATUS current 1697 DESCRIPTION 1698 "The destination IP address, or portion thereof, that is 1699 to be matched for this filter. The destination address is 1700 first masked (and'ed) against docsDevFilterIpDmask before being 1701 compared to this value. A value of 0 for this object 1702 and 0 for the mask matches all IP addresses." 1703 DEFVAL { '00000000'h } 1704 ::= { docsDevFilterIpEntry 9 } 1706 docsDevFilterIpDmask OBJECT-TYPE 1707 SYNTAX IpAddress 1708 MAX-ACCESS read-create 1709 STATUS current 1710 DESCRIPTION 1711 "A bit mask that is to be applied to the destination 1712 address prior to matching. This mask is not necessarily 1713 the same as a subnet mask, but 1's bits must be leftmost 1714 and contiguous." 1715 DEFVAL { '00000000'h } 1716 ::= { docsDevFilterIpEntry 10 } 1718 docsDevFilterIpProtocol OBJECT-TYPE 1719 SYNTAX Integer32 (0..256) 1720 MAX-ACCESS read-create 1721 STATUS current 1722 DESCRIPTION 1723 "The IP protocol value that is to be matched. For example: 1724 icmp is 1, tcp is 6, udp is 17. A value of 256 matches 1725 ANY protocol." 1726 DEFVAL { 256 } 1727 ::= { docsDevFilterIpEntry 11 } 1729 docsDevFilterIpSourcePortLow OBJECT-TYPE 1730 SYNTAX Integer32 (0..65535) 1731 MAX-ACCESS read-create 1732 STATUS current 1733 DESCRIPTION 1734 "If docsDevFilterIpProtocol is udp or tcp, this is the 1735 inclusive lower bound of the transport-layer source port 1736 range that is to be matched, otherwise it is ignored 1737 during matching." 
1738 DEFVAL { 0 } 1739 ::= { docsDevFilterIpEntry 12 } 1741 docsDevFilterIpSourcePortHigh OBJECT-TYPE 1742 SYNTAX Integer32 (0..65535) 1743 MAX-ACCESS read-create 1744 STATUS current 1745 DESCRIPTION 1746 "If docsDevFilterIpProtocol is udp or tcp, this is the 1747 inclusive upper bound of the transport-layer source port 1748 range that is to be matched, otherwise it is ignored 1749 during matching." 1750 DEFVAL { 65535 } 1751 ::= { docsDevFilterIpEntry 13 } 1753 docsDevFilterIpDestPortLow OBJECT-TYPE 1754 SYNTAX Integer32 (0..65535) 1755 MAX-ACCESS read-create 1756 STATUS current 1757 DESCRIPTION 1758 "If docsDevFilterIpProtocol is udp or tcp, this is the 1759 inclusive lower bound of the transport-layer destination 1760 port range that is to be matched, otherwise it is ignored 1761 during matching." 1762 DEFVAL { 0 } 1763 ::= { docsDevFilterIpEntry 14 } 1765 docsDevFilterIpDestPortHigh OBJECT-TYPE 1766 SYNTAX Integer32 (0..65535) 1767 MAX-ACCESS read-create 1768 STATUS current 1769 DESCRIPTION 1770 "If docsDevFilterIpProtocol is udp or tcp, this is the 1771 inclusive upper bound of the transport-layer destination 1772 port range that is to be matched, otherwise it is ignored 1773 during matching." 1774 DEFVAL { 65535 } 1775 ::= { docsDevFilterIpEntry 15 } 1777 docsDevFilterIpMatches OBJECT-TYPE 1778 SYNTAX Counter32 1779 MAX-ACCESS read-only 1780 STATUS current 1781 DESCRIPTION 1782 "Counts the number of times this filter was matched. 1783 This object is initialized to 0 at boot, or at row 1784 creation, and is reset only upon reboot." 1785 ::= { docsDevFilterIpEntry 16 } 1787 docsDevFilterIpTos OBJECT-TYPE 1788 SYNTAX OCTET STRING ( SIZE (1)) 1789 MAX-ACCESS read-create 1790 STATUS current 1791 DESCRIPTION 1792 "This is the value to be matched to the packet's 1793 TOS (Type of Service) value (after the TOS value 1794 is AND'd with docsDevFilterIpTosMask). A value for this 1795 object of 0 and a mask of 0 matches all TOS values." 
1796 DEFVAL { '00'h } 1797 ::= { docsDevFilterIpEntry 17 } 1799 docsDevFilterIpTosMask OBJECT-TYPE 1800 SYNTAX OCTET STRING ( SIZE (1) ) 1801 MAX-ACCESS read-create 1802 STATUS current 1803 DESCRIPTION 1804 "The mask to be applied to the packet's TOS value before 1805 matching." 1806 DEFVAL { '00'h } 1807 ::= { docsDevFilterIpEntry 18 } 1809 docsDevFilterIpContinue OBJECT-TYPE 1810 SYNTAX TruthValue 1811 MAX-ACCESS read-create 1812 STATUS current 1813 DESCRIPTION 1814 "If this value is set to true, and docsDevFilterIpControl 1815 is anything but discard (1), continue scanning and 1816 applying policies." 1817 DEFVAL { false } 1818 ::= { docsDevFilterIpEntry 19 } 1820 docsDevFilterIpPolicyId OBJECT-TYPE 1821 SYNTAX Integer32 (0..2147483647) 1822 MAX-ACCESS read-create 1823 STATUS current 1824 DESCRIPTION 1825 "This object points to an entry in docsDevFilterPolicyTable. 1826 If docsDevFilterIpControl is set to policy (3), execute 1827 all matching policies in docsDevFilterPolicyTable. 1828 If no matching policy exists, treat as if 1829 docsDevFilterIpControl were set to accept (1). 1830 If this object is set to the value of 0, there is no 1831 matching policy, and docsDevFilterPolicyTable MUST NOT be 1832 consulted." 1833 DEFVAL { 0 } 1834 ::= { docsDevFilterIpEntry 20 } 1836 -- 1837 -- 1839 docsDevFilterPolicyTable OBJECT-TYPE 1840 SYNTAX SEQUENCE OF DocsDevFilterPolicyEntry 1841 MAX-ACCESS not-accessible 1842 STATUS current 1843 DESCRIPTION 1844 "A Table which maps between a policy group ID and a set of 1845 policies to be applied. All rows with the same 1846 docsDevFilterPolicyId are part of the same policy group 1847 and are applied in the order in which they are in this 1848 table. 1850 docsDevFilterPolicyTable exists to allow multiple policy actions 1851 to be applied to any given classified packet. 
The policy actions 1852 are applied in index order. For example: 1854 Index ID Type Action 1855 1 1 TOS 1 1856 9 5 TOS 1 1857 12 1 IPSEC 3 1859 This says that a packet which matches a filter with 1860 policy id 1, first has TOS policy 1 applied (which might 1862 set the TOS bits to enable a higher priority), and next 1863 has the IPSEC policy 3 applied (which may result in the 1864 packet being dumped into a secure VPN to a remote 1865 encryptor). 1867 Policy ID 0 is reserved for default actions and is 1868 applied only to packets which match no filters in 1869 docsDevIpFilterTable." 1870 ::= { docsDevFilter 5 } 1872 docsDevFilterPolicyEntry OBJECT-TYPE 1873 SYNTAX DocsDevFilterPolicyEntry 1874 MAX-ACCESS not-accessible 1875 STATUS current 1876 DESCRIPTION 1877 "An entry in the docsDevFilterPolicyTable. Entries are 1878 created by Network Management. To create an entry, 1879 docsDevFilterPolicyId and docsDevFilterPolicyAction 1880 must be specified." 1881 INDEX { docsDevFilterPolicyIndex } 1882 ::= { docsDevFilterPolicyTable 1 } 1884 DocsDevFilterPolicyEntry ::= SEQUENCE { 1885 docsDevFilterPolicyIndex Integer32, 1886 docsDevFilterPolicyId Integer32, 1887 -- docsDevFilterPolicyType INTEGER, 1888 -- docsDevFilterPolicyAction Integer32, 1889 docsDevFilterPolicyStatus RowStatus, 1890 docsDevFilterPolicyPtr RowPointer 1891 } 1893 docsDevFilterPolicyIndex OBJECT-TYPE 1894 SYNTAX Integer32 (1..2147483647) 1895 MAX-ACCESS not-accessible 1896 STATUS current 1897 DESCRIPTION "Index value for the table." 1898 ::= { docsDevFilterPolicyEntry 1 } 1900 docsDevFilterPolicyId OBJECT-TYPE 1901 SYNTAX Integer32 (0..2147483647) 1902 MAX-ACCESS read-create 1903 STATUS current 1904 DESCRIPTION 1905 "Policy ID for this entry. A policy ID can apply to 1906 multiple rows of this table, all relevant policies are 1907 executed. Policy 0 (if populated) is applied to all 1908 packets which do not match any of the filters. N.B.
If 1909 docsDevFilterIpPolicyId is set to 0, it DOES NOT match 1910 policy 0 of this table. " 1911 ::= { docsDevFilterPolicyEntry 2 } 1913 -- docsDevFilterPolicyType ::= { docsDevFilterPolicyEntry 3} Removed 1914 -- docsDevFilterPolicyAction ::= { docsDevFilterPolicyEntry 4 } removed 1916 docsDevFilterPolicyStatus OBJECT-TYPE 1917 SYNTAX RowStatus 1918 MAX-ACCESS read-create 1919 STATUS current 1920 DESCRIPTION 1921 "Object used to create an entry in this table." 1922 ::= { docsDevFilterPolicyEntry 5 } 1924 docsDevFilterPolicyPtr OBJECT-TYPE 1925 SYNTAX RowPointer 1926 MAX-ACCESS read-create 1927 STATUS current 1928 DESCRIPTION 1929 "This object points to a row in an applicable filter policy 1930 table. Currently, the only standard policy table is 1931 docsDevFilterTosTable. Per the textual convention, this 1932 object points to the first accessible object in the row. 1933 E.g. to point to a row in docsDevFilterTosTable with an 1934 index of 21, the value of this object would be the object 1935 identifier docsDevTosStatus.21. 1937 Vendors must adhere to the same convention when adding 1938 vendor specific policy table extensions. 1940 The default upon row creation is a null pointer which 1941 results in no policy action being taken." 1942 DEFVAL { zeroDotZero } 1943 ::= { docsDevFilterPolicyEntry 6 } 1945 -- 1946 -- TOS Policy action table 1947 -- 1949 docsDevFilterTosTable OBJECT-TYPE 1950 SYNTAX SEQUENCE OF DocsDevFilterTosEntry 1951 MAX-ACCESS not-accessible 1952 STATUS current 1953 DESCRIPTION 1954 "Table used to describe Type of Service (TOS) bits 1955 processing. 1957 This table is an adjunct to the docsDevFilterIpTable, and 1958 the docsDevFilterPolicy table. Entries in the latter 1959 table can point to specific rows in this (and other) 1960 tables and cause specific actions to be taken. 
This table 1961 permits the manipulation of the value of the Type of 1962 Service bits in the IP header of the matched packet as 1963 follows: 1965 Set the tosBits of the packet to 1966 (tosBits & docsDevFilterTosAndMask) | docsDevFilterTosOrMask 1968 This construct allows you to do a clear and set of all 1969 the TOS bits in a flexible manner." 1970 ::= { docsDevFilter 6 } 1972 docsDevFilterTosEntry OBJECT-TYPE 1973 SYNTAX DocsDevFilterTosEntry 1974 MAX-ACCESS not-accessible 1975 STATUS current 1976 DESCRIPTION 1977 "A TOS policy entry." 1978 INDEX { docsDevFilterTosIndex } 1979 ::= { docsDevFilterTosTable 1 } 1981 DocsDevFilterTosEntry ::= SEQUENCE { 1982 docsDevFilterTosIndex Integer32, 1983 docsDevFilterTosStatus RowStatus, 1984 docsDevFilterTosAndMask OCTET STRING (SIZE (1)), 1985 docsDevFilterTosOrMask OCTET STRING (SIZE (1)) 1986 } 1988 docsDevFilterTosIndex OBJECT-TYPE 1989 SYNTAX Integer32 (1..2147483647) 1990 MAX-ACCESS not-accessible 1991 STATUS current 1992 DESCRIPTION 1993 "The unique index for this row. There are no ordering 1994 requirements for this table and any valid index may be 1995 specified." 1996 ::= { docsDevFilterTosEntry 1 } 1998 docsDevFilterTosStatus OBJECT-TYPE 1999 SYNTAX RowStatus 2000 MAX-ACCESS read-create 2001 STATUS current 2002 DESCRIPTION 2003 "The object used to create and delete entries in this 2004 table. A row created by specifying just this object 2005 results in a row which specifies no change to the TOS 2006 bits. A row may be created using either the create-and-go 2007 or create-and-wait paradigms. There is no restriction on 2008 the ability to change values in this row while the row is 2009 active." 2010 ::= { docsDevFilterTosEntry 2 } 2012 docsDevFilterTosAndMask OBJECT-TYPE 2013 SYNTAX OCTET STRING (SIZE (1)) 2014 MAX-ACCESS read-create 2015 STATUS current 2016 DESCRIPTION 2017 "This value is bitwise AND'd with the matched packet's 2018 TOS bits." 
2019 DEFVAL { 'ff'h } 2020 ::= { docsDevFilterTosEntry 3 } 2022 docsDevFilterTosOrMask OBJECT-TYPE 2023 SYNTAX OCTET STRING (SIZE (1)) 2024 MAX-ACCESS read-create 2025 STATUS current 2026 DESCRIPTION 2027 "After bitwise AND'ing with the above bits, the packet's 2028 TOS bits are bitwise OR'd with these bits." 2029 DEFVAL { '00'h } 2030 ::= { docsDevFilterTosEntry 4 } 2032 -- 2033 -- CPE IP Management and anti spoofing group. Only implemented on 2034 -- Cable Modems. 2035 -- 2037 docsDevCpe OBJECT IDENTIFIER ::= { docsDevMIBObjects 7} 2039 docsDevCpeEnroll OBJECT-TYPE 2040 SYNTAX INTEGER { 2041 none(1), 2042 any(2) 2043 } 2044 MAX-ACCESS read-write 2045 STATUS current 2046 DESCRIPTION 2047 "This object controls the population of docsDevFilterCpeTable. 2048 If set to none, the filters must be set manually. 2049 If set to any, the CM wiretaps the packets originating 2050 from the ethernet and enrolls up to docsDevCpeIpMax 2051 addresses based on the source IP addresses of those 2052 packets. At initial system startup, default value for this 2053 object is any(2)." 2054 ::= { docsDevCpe 1 } 2056 docsDevCpeIpMax OBJECT-TYPE 2057 SYNTAX Integer32 (-1..2147483647) 2058 MAX-ACCESS read-write 2059 STATUS current 2060 DESCRIPTION 2061 "This object controls the maximum number of CPEs allowed to 2062 connect behind this device. If set to zero, any number of 2063 CPEs may connect up to the maximum permitted for the device. 2064 If set to -1, no filtering is done on CPE source addresses, 2065 and no entries are made in the docsDevFilterCpeTable. If an 2066 attempt is made to set this to a number greater than that 2067 permitted for the device, it is set to that maximum. 2069 At initial system startup, default value for this object 2070 is 1."
2071 ::= { docsDevCpe 2 } 2073 docsDevCpeTable OBJECT-TYPE 2074 SYNTAX SEQUENCE OF DocsDevCpeEntry 2075 MAX-ACCESS not-accessible 2076 STATUS current 2077 DESCRIPTION 2078 "This table lists the IP addresses seen (or permitted) as 2079 source addresses in packets originating from the customer 2080 interface on this device. In addition, this table can be 2081 provisioned with the specific addresses permitted for the 2082 CPEs via the normal row creation mechanisms." 2083 ::= { docsDevCpe 3 } 2085 docsDevCpeEntry OBJECT-TYPE 2086 SYNTAX DocsDevCpeEntry 2087 MAX-ACCESS not-accessible 2088 STATUS current 2089 DESCRIPTION 2090 "An entry in the docsDevFilterCpeTable. There is one entry 2091 for each IP CPE seen or provisioned. If docsDevCpeIpMax 2092 is set to -1, this table is ignored, otherwise: Upon receipt 2093 of an IP packet from the customer interface of the CM, the 2094 source IP address is checked against this table. If the 2095 address is in the table, packet processing continues. 2096 If the address is not in the table, but docsDevCpeEnroll 2097 is set to any and the table size is less than 2098 docsDevCpeIpMax, the address is added to the table and 2099 packet processing continues. Otherwise, the packet is 2100 dropped. 2102 The filtering actions specified by this table occur after 2103 any LLC filtering (docsDevFilterLLCTable), but prior 2104 to any IP filtering (docsDevFilterIpTable, 2105 docsDevNmAccessTable)." 2106 INDEX { docsDevCpeIp } 2107 ::= {docsDevCpeTable 1 } 2109 DocsDevCpeEntry ::= SEQUENCE { 2110 docsDevCpeIp IpAddress, 2111 docsDevCpeSource INTEGER, 2112 docsDevCpeStatus RowStatus 2113 } 2115 docsDevCpeIp OBJECT-TYPE 2116 SYNTAX IpAddress 2117 MAX-ACCESS not-accessible 2118 STATUS current 2119 DESCRIPTION 2120 "The IP address to which this entry applies." 
2122 ::= { docsDevCpeEntry 1 } 2124 docsDevCpeSource OBJECT-TYPE 2125 SYNTAX INTEGER { 2126 other(1), 2127 manual(2), 2128 learned(3) 2129 } 2130 MAX-ACCESS read-only 2131 STATUS current 2132 DESCRIPTION 2133 "This object describes how this entry was created. If the 2134 value is manual(2), this row was created by a network 2135 management action (either configuration, or SNMP set). 2136 If set to learned(3), then it was found via 2137 looking at the source IP address of a received packet." 2138 ::= { docsDevCpeEntry 2 } 2140 docsDevCpeStatus OBJECT-TYPE 2141 SYNTAX RowStatus 2142 MAX-ACCESS read-create 2143 STATUS current 2144 DESCRIPTION 2145 "Standard object to manipulate rows. To create a row in this 2146 table, you only need to specify this object. Management 2147 stations SHOULD use the create-and-go mechanism for 2148 creating rows in this table." 2149 ::= { docsDevCpeEntry 3 } 2151 -- 2152 -- Placeholder for notifications/traps. 2153 -- 2154 docsDevNotification OBJECT IDENTIFIER ::= { docsDev 2 } 2156 -- 2157 -- Conformance definitions 2158 -- 2159 docsDevConformance OBJECT IDENTIFIER ::= { docsDev 3 } 2160 docsDevGroups OBJECT IDENTIFIER ::= { docsDevConformance 1 } 2161 docsDevCompliances OBJECT IDENTIFIER ::= { docsDevConformance 2 } 2163 docsDevBasicCompliance MODULE-COMPLIANCE 2164 STATUS current 2165 DESCRIPTION 2166 "The compliance statement for MCNS Cable Modems and 2167 Cable Modem Termination Systems." 2169 MODULE -- docsDev 2171 -- conditionally mandatory groups 2172 GROUP docsDevBaseGroup 2173 DESCRIPTION 2174 "Mandatory in Cable Modems, optional in Cable Modem 2175 Termination Systems." 2177 GROUP docsDevEventGroup 2178 DESCRIPTION 2179 "Mandatory in Cable Modems, optional in Cable Modem 2180 Termination Systems." 2182 GROUP docsDevFilterGroup 2183 DESCRIPTION 2184 "Mandatory in Cable Modems, optional in Cable Modem 2185 Termination Systems." 
2187 GROUP docsDevNmAccessGroup 2188 DESCRIPTION 2189 "This group is only implemented in devices which do not 2190 implement SNMPv3 User Security Model. It SHOULD NOT be 2191 implemented by SNMPv3 conformant devices. 2193 For devices which do not implement SNMPv3 or later, this 2194 group is Mandatory in Cable Modems and is optional 2195 in Cable Modem Termination Systems." 2197 GROUP docsDevServerGroup 2198 DESCRIPTION 2199 "This group is implemented only in Cable Modems and is 2200 not implemented in Cable Modem Termination Systems." 2202 GROUP docsDevSoftwareGroup 2203 DESCRIPTION 2204 "This group is Mandatory in Cable Modems and optional in 2205 Cable Modem Termination Systems." 2207 GROUP docsDevCpeGroup 2208 DESCRIPTION 2209 "This group is Mandatory in Cable Modems, and is 2210 not implemented in Cable Modem Termination Systems. A 2211 similar capability for CMTS devices may be proposed later 2212 after study." 2214 OBJECT docsDevSTPControl 2215 MIN-ACCESS read-only 2216 DESCRIPTION 2217 "It is compliant to implement this object as read-only. 2218 Devices need only support noStFilterBpdu(2)." 2220 OBJECT docsDevEvReporting 2221 MIN-ACCESS read-only 2222 DESCRIPTION 2223 "It is compliant to implement this object as read-only. 2225 Devices need only support local(0)." 2227 ::= { docsDevCompliances 1 } 2229 docsDevBaseGroup OBJECT-GROUP 2230 OBJECTS { 2231 docsDevRole, 2232 docsDevDateTime, 2233 docsDevResetNow, 2234 docsDevSerialNumber, 2235 docsDevSTPControl 2236 } 2237 STATUS current 2238 DESCRIPTION 2239 "A collection of objects providing device status and 2240 control." 2241 ::= { docsDevGroups 1 } 2243 docsDevNmAccessGroup OBJECT-GROUP 2244 OBJECTS { 2245 docsDevNmAccessIp, 2246 docsDevNmAccessIpMask, 2247 docsDevNmAccessCommunity, 2248 docsDevNmAccessControl, 2249 docsDevNmAccessInterfaces, 2250 docsDevNmAccessStatus 2251 } 2252 STATUS current 2253 DESCRIPTION 2254 "A collection of objects for controlling access to SNMP 2255 objects." 
2256 ::= { docsDevGroups 2 } 2258 docsDevSoftwareGroup OBJECT-GROUP 2259 OBJECTS { 2260 docsDevSwServer, 2261 docsDevSwFilename, 2262 docsDevSwAdminStatus, 2263 docsDevSwOperStatus, 2264 docsDevSwCurrentVers 2265 } 2266 STATUS current 2267 DESCRIPTION 2268 "A collection of objects for controlling software 2269 downloads." 2270 ::= { docsDevGroups 3 } 2272 docsDevServerGroup OBJECT-GROUP 2273 OBJECTS { 2274 docsDevServerBootState, 2275 docsDevServerDhcp, 2276 docsDevServerTime, 2277 docsDevServerTftp, 2278 docsDevServerConfigFile 2279 } 2280 STATUS current 2281 DESCRIPTION 2282 "A collection of objects providing status about server 2283 provisioning." 2284 ::= { docsDevGroups 4 } 2286 docsDevEventGroup OBJECT-GROUP 2287 OBJECTS { 2288 docsDevEvControl, 2289 docsDevEvSyslog, 2290 docsDevEvThrottleAdminStatus, 2291 docsDevEvThrottleInhibited, 2292 docsDevEvThrottleThreshold, 2293 docsDevEvThrottleInterval, 2294 docsDevEvReporting, 2295 docsDevEvFirstTime, 2296 docsDevEvLastTime, 2297 docsDevEvCounts, 2298 docsDevEvLevel, 2299 docsDevEvId, 2300 docsDevEvText 2301 } 2302 STATUS current 2303 DESCRIPTION 2304 "A collection of objects used to control and monitor 2305 events." 
2306 ::= { docsDevGroups 5 } 2308 docsDevFilterGroup OBJECT-GROUP 2309 OBJECTS { 2310 docsDevFilterLLCUnmatchedAction, 2311 docsDevFilterIpDefault, 2312 docsDevFilterLLCStatus, 2313 docsDevFilterLLCIfIndex, 2314 docsDevFilterLLCProtocolType, 2315 docsDevFilterLLCProtocol, 2316 docsDevFilterLLCMatches, 2317 docsDevFilterIpControl, 2318 docsDevFilterIpIfIndex, 2319 docsDevFilterIpStatus, 2320 docsDevFilterIpDirection, 2321 docsDevFilterIpBroadcast, 2322 docsDevFilterIpSaddr, 2323 docsDevFilterIpSmask, 2324 docsDevFilterIpDaddr, 2325 docsDevFilterIpDmask, 2326 docsDevFilterIpProtocol, 2327 docsDevFilterIpSourcePortLow, 2328 docsDevFilterIpSourcePortHigh, 2329 docsDevFilterIpDestPortLow, 2330 docsDevFilterIpDestPortHigh, 2331 docsDevFilterIpMatches, 2332 docsDevFilterIpTos, 2333 docsDevFilterIpTosMask, 2334 docsDevFilterIpContinue, 2335 docsDevFilterIpPolicyId, 2336 docsDevFilterPolicyId, 2337 docsDevFilterPolicyStatus, 2338 docsDevFilterPolicyPtr, 2339 docsDevFilterTosStatus, 2340 docsDevFilterTosAndMask, 2341 docsDevFilterTosOrMask 2342 } 2343 STATUS current 2344 DESCRIPTION 2345 "A collection of objects to specify filters at link layer 2346 and IP layer." 2347 ::= { docsDevGroups 6 } 2349 docsDevCpeGroup OBJECT-GROUP 2350 OBJECTS { 2351 docsDevCpeEnroll, 2352 docsDevCpeIpMax, 2353 docsDevCpeSource, 2354 docsDevCpeStatus 2355 } 2356 STATUS current 2357 DESCRIPTION 2358 "A collection of objects used to control the number 2359 and specific values of IP addresses allowed for 2360 associated Customer Premises Equipment (CPE)." 2361 ::= { docsDevGroups 7 } 2363 END 2364 5. Acknowledgments 2366 This document was produced by the IPCDN Working Group. It is based on a 2367 document written by Pam Anderson from CableLabs, Wilson Sawyer from 2368 BayNetworks, and Rich Woundy from Continental Cablevision. The original 2369 working group editor, Guenter Roeck of cisco Systems, did much of the 2370 grunt work of putting the document into its current form. 
2372 Special thanks is also due to Azlina Palmer, who helped a lot reviewing 2373 the document. 2375 6. References 2377 [1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for 2378 Describing SNMP Management Frameworks", RFC 2271, Cabletron 2379 Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research, 2380 January 1998 2382 [2] Rose, M., and K. McCloghrie, "Structure and Identification of 2383 Management Information for TCP/IP-based Internets", RFC 1155, 2384 Performance Systems International, Hughes LAN Systems, May 1990 2386 [3] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212, 2387 Performance Systems International, Hughes LAN Systems, March 1991 2389 [4] M. Rose, "A Convention for Defining Traps for use with the SNMP", 2390 RFC 1215, Performance Systems International, March 1991 2392 [5] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure 2393 of Management Information for Version 2 of the Simple Network 2394 Management Protocol (SNMPv2)", RFC 1902, SNMP Research,Inc., Cisco 2395 Systems, Inc., Dover Beach Consulting, Inc., International Network 2396 Services, January 1996. 2398 [6] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual 2399 Conventions for Version 2 of the Simple Network Management Protocol 2400 (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc., 2401 Dover Beach Consulting, Inc., International Network Services, 2402 January 1996. 2404 [7] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance 2405 Statements for Version 2 of the Simple Network Management Protocol 2406 (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, Inc., 2407 Dover Beach Consulting, Inc., International Network Services, 2408 January 1996. 2410 [8] Case, J., Fedor, M., Schoffstall, M., and J. 
Davin, "Simple Network 2411 Management Protocol", RFC 1157, SNMP Research, Performance Systems 2412 International, Performance Systems International, MIT Laboratory 2413 for Computer Science, May 1990. 2415 [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, 2416 "Introduction to Community-based SNMPv2", RFC 1901, SNMP Research, 2417 Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., 2418 International Network Services, January 1996. 2420 [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport 2421 Mappings for Version 2 of the Simple Network Management Protocol 2422 (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc., 2423 Dover Beach Consulting, Inc., International Network Services, 2424 January 1996. 2426 [11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message 2427 Processing and Dispatching for the Simple Network Management 2428 Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems, 2429 Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998. 2431 [12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for 2432 version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2433 2274, IBM T. J. Watson Research, January 1998. 2435 [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol 2436 Operations for Version 2 of the Simple Network Management Protocol 2437 (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Inc., 2438 Dover Beach Consulting, Inc., International Network Services, 2439 January 1996. 2441 [14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 2442 2273, SNMP Research, Inc., Secure Computing Corporation, Cisco 2443 Systems, January 1998 2445 [15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access 2446 Control Model (VACM) for the Simple Network Management Protocol 2447 (SNMP)", RFC 2275, IBM T. J. 
Watson Research, BMC Software, Inc., 2448 Cisco Systems, Inc., January 1998 2450 [16] "Data-Over-Cable Service Interface Specifications: Cable Modem 2451 Radio Frequency Interface Specification SP-RFI-I04-980724", DOCSIS, 2452 July 1998, http://www.cablemodem.com/public/pubtechspec/SP-RFI- 2453 I04-980724.pdf. 2455 [17] L. Steinberg, "Techniques for Managing Asynchronously Generated 2456 Alerts", RFC 1224, May 1991. 2458 [18] "Data-Over-Cable Service Interface Specifications: Operations 2459 Support System Interface Specification RF Interface SP-OSSI-RF- 2460 I02-980410", DOCSIS, April 1998, 2461 http://www.cablemodem.com/public/pubtechspec/ossi/sp-ossi.PDF. 2463 [19] Bradner, S., "Key words for use in RFCs to Indicate Requirement 2464 Levels", RFC 2119, Harvard University, March 1997 2466 [20] "Data-Over-Cable Service Interface Specifications: Baseline Privacy 2467 Interface Specification SP-BPI-I01-970922", DOCSIS, September 1977, 2468 http://www.cablemodem.com/public/pubtechspec/ss/SP-BPI-I01- 2469 970922.pdf 2471 7. Security Considerations 2473 This MIB relates to a system which will provide metropolitan public 2474 internet access. As such, improper manipulation of the objects 2475 represented by this MIB may result in denial of service to a large 2476 number of end-users. In addition, manipulation of the 2477 docsDevNmAccessTable, docsDevFilterLLCTable, docsDevFilterIpTable and 2478 the elements of the docsDevCpe group may allow an end-user to increase 2479 their service levels, spoof their IP addresses, change the permitted 2480 management stations, or affect other end-users in either a positive or 2481 negative manner. 2483 There are a number of management objects defined in this MIB that have a 2484 MAX-ACCESS clause of read-write and/or read-create. Such objects may be 2485 considered sensitive or vulnerable in some network environments.
The 2486 support for SET operations in a non-secure environment without proper 2487 protection can have a negative effect on network operations. In 2488 addition to those mentioned above: 2490 o The use of docsDevNmAccessTable to specify management stations is 2491 considered to be only limited protection and does not protect 2492 against attacks which spoof the management station's IP address. 2493 The use of stronger mechanisms such as SNMPv3 security should be 2494 considered where possible. Specifically, SNMPv3 VACM and USM MUST 2495 be used with any v3 agent which implements this MIB. 2496 Administrators may also wish to consider whether even read access 2497 to docsDevNmAccessTable may be undesirable under certain 2498 circumstances. 2500 o The CM may have its software changed by the actions of the 2501 management system. An improper software load may result in 2502 substantial vulnerabilities and the loss of the ability of the 2503 management system to control the cable modem. 2505 o The device may be reset by setting docsDevResetNow = true(1). This 2506 causes the device to reload its configuration files as well as 2507 eliminating all previous non-persistent network management 2508 settings. As such, this may provide a vector for attacking the 2509 system. 2511 o Setting docsDevEvThrottleAdminStatus = unconstrained(1) (which is 2512 also the DEFVAL) may cause flooding of traps, which can disrupt 2513 network service. 2515 This MIB does not affect confidentiality of services on a cable modem 2516 system. [20] specifies the implementation of the DOCSIS Baseline 2517 privacy mechanism. The working group expects to issue a MIB for the 2518 management of this mechanism at a later time. 2520 SNMPv1 by itself is not a secure environment. 
Even if the network 2521 itself is secure (for example by using IPSec), even then, there is no 2522 control as to who on the secure network is allowed to access and GET/SET 2523 (read/change/create/delete) the objects in this MIB. 2525 It is recommended that the implementers consider the security features 2526 as provided by the SNMPv3 framework. Specifically, the use of the 2527 User-based Security Model [12] and the View-based Access Control Model 2528 [15] is recommended. 2530 It is then a customer/user responsibility to ensure that the SNMP entity 2531 giving access to an instance of this MIB, is properly configured to give 2532 access to the objects only to those principals (users) that have 2533 legitimate rights to indeed GET or SET (change/create/delete) them. 2535 8. Intellectual Property 2537 The IETF takes no position regarding the validity or scope of any 2538 intellectual property or other rights that might be claimed to pertain 2539 to the implementation or use of the technology described in this 2540 document or the extent to which any license under such rights might or 2541 might not be available; neither does it represent that it has made any 2542 effort to identify any such rights. Information on the IETF's 2543 procedures with respect to rights in standards-track and standards- 2544 related documentation can be found in BCP-11. Copies of claims of 2545 rights made available for publication and any assurances of licenses to 2546 be made available, or the result of an attempt made to obtain a general 2547 license or permission for the use of such proprietary rights by 2548 implementors or users of this specification can be obtained from the 2549 IETF Secretariat. 2551 The IETF invites any interested party to bring to its attention any 2552 copyrights, patents or patent applications, or other proprietary rights 2553 which may cover technology that may be required to practice this 2554 standard. 
Please address the information to the IETF Executive 2555 Director. 2557 9. Copyright Section 2559 Copyright (C) The Internet Society 1998. All Rights Reserved. 2561 This document and translations of it may be copied and furnished to 2562 others, and derivative works that comment on or otherwise explain it or 2563 assist in its implementation may be prepared, copied, published and 2564 distributed, in whole or in part, without restriction of any kind, 2565 provided that the above copyright notice and this paragraph are included 2566 on all such copies and derivative works. However, this document itself 2567 may not be modified in any way, such as by removing the copyright notice 2568 or references to the Internet Society or other Internet organizations, 2569 except as needed for the purpose of developing Internet standards in 2570 which case the procedures for copyrights defined in the Internet 2571 Standards process must be followed, or as required to translate it into 2572 languages other than English. 2574 The limited permissions granted above are perpetual and will not be 2575 revoked by the Internet Society or its successors or assigns. 2577 This document and the information contained herein is provided on an "AS 2578 IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK 2579 FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT 2580 LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT 2581 INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR 2582 FITNESS FOR A PARTICULAR PURPOSE. 2584 10. Author's Address 2586 Michael StJohns 2587 @Home Network 2588 425 Broadway 2589 Redwood City, CA 94063 2590 U.S.A 2592 Phone: +1 650 569 5368 2593 Email: stjohns@corp.home.net
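Added example (not part of the draft): a Python model of how docsDevFilterIpTable, docsDevFilterPolicyTable and docsDevFilterTosTable combine for one packet, plus an audit that flags rows hidden behind a match-everything row such as the one a CM creates when only docsDevFilterIpStatus is set. Assumptions: the `default` argument stands in for docsDevFilterIpDefault (named in docsDevFilterGroup but defined outside this section), later rows are matched against the original TOS byte, a continued scan that reaches the end of the table accepts, and all table contents and interface numbers are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY_PROTOCOL, TCP, UDP = 256, 6, 17     # docsDevFilterIpProtocol values
DISCARD, ACCEPT, POLICY = 1, 2, 3       # docsDevFilterIpControl
INBOUND, OUTBOUND, BOTH = 1, 2, 3       # docsDevFilterIpDirection

def ip(addr):
    return int(IPv4Address(addr))

def mask_is_valid(mask):
    """Smask/Dmask rule: the 1 bits must be leftmost and contiguous."""
    inverted = ~ip(mask) & 0xFFFFFFFF   # a valid mask inverts to 0..01..1
    return inverted & (inverted + 1) == 0

@dataclass
class IpFilter:                         # defaults below are the MIB's DEFVALs
    index: int                          # lowest docsDevFilterIpIndex is applied first
    if_index: int                       # no DEFVAL in the MIB; 0 means all interfaces
    control: int = DISCARD
    direction: int = INBOUND
    broadcast: bool = False
    saddr: str = "0.0.0.0"
    smask: str = "0.0.0.0"
    daddr: str = "0.0.0.0"
    dmask: str = "0.0.0.0"
    protocol: int = ANY_PROTOCOL
    sport: tuple = (0, 65535)           # (SourcePortLow, SourcePortHigh)
    dport: tuple = (0, 65535)           # (DestPortLow, DestPortHigh)
    tos: int = 0x00
    tos_mask: int = 0x00
    cont: bool = False                  # docsDevFilterIpContinue
    policy_id: int = 0

Packet = namedtuple("Packet", "if_index direction src dst protocol sport dport tos bcast",
                    defaults=(0, 0, 0, False))   # hypothetical packet summary

def row_matches(f, p):
    """Every identity object has to match for the row to match."""
    ports_ok = f.protocol not in (TCP, UDP) or (   # ports count only for tcp/udp rows
        f.sport[0] <= p.sport <= f.sport[1] and f.dport[0] <= p.dport <= f.dport[1])
    return (ports_ok and f.if_index in (0, p.if_index)
            and f.direction in (BOTH, p.direction)
            and (p.bcast or not f.broadcast)
            and (ip(p.src) & ip(f.smask)) == ip(f.saddr)
            and (ip(p.dst) & ip(f.dmask)) == ip(f.daddr)
            and f.protocol in (ANY_PROTOCOL, p.protocol)
            and (p.tos & f.tos_mask) == f.tos)

def apply_policy(policies, policy_id, tos):
    """Run all docsDevFilterPolicyTable rows with this ID, in index order."""
    for _, pid, action in sorted(policies, key=lambda row: row[0]):
        if pid == policy_id and action is not None:   # None models zeroDotZero
            and_mask, or_mask = action                # a docsDevFilterTosTable row
            tos = (tos & and_mask) | or_mask
    return tos

def evaluate(filters, policies, pkt, default=DISCARD):
    """Return (verdict, resulting TOS byte) for one packet."""
    tos, matched = pkt.tos, False
    for f in sorted(filters, key=lambda row: row.index):
        if not row_matches(f, pkt):     # assumption: rows see the original TOS
            continue
        matched = True
        if f.control == DISCARD:        # discard aborts the scan
            return "discard", tos
        if f.control == POLICY and f.policy_id != 0:
            tos = apply_policy(policies, f.policy_id, tos)
        if not f.cont:
            return "accept", tos
    if matched:                         # assumption: a continued scan that ends accepts
        return "accept", tos
    tos = apply_policy(policies, 0, tos)  # policy 0 covers packets matching no filter
    return ("discard" if default == DISCARD else "accept"), tos

def shadowed(filters):
    """Indexes that sit behind a terminal match-everything row and never run."""
    hidden, blockers = [], []
    for f in sorted(filters, key=lambda row: row.index):
        if any(b.if_index in (0, f.if_index) and b.direction in (BOTH, f.direction)
               for b in blockers):
            hidden.append(f.index)
        wildcard = (ip(f.saddr) == ip(f.smask) == ip(f.daddr) == ip(f.dmask) == 0
                    and f.protocol == ANY_PROTOCOL and f.tos == f.tos_mask == 0
                    and not f.broadcast)
        if wildcard and (f.control == DISCARD or not f.cont):
            blockers.append(f)
    return hidden

# Constructed tables; interface 1 stands for the CM's customer-side interface.
FILTERS = [
    IpFilter(10, 1, control=POLICY, saddr="192.0.2.0", smask="255.255.255.0",
             protocol=TCP, dport=(443, 443), policy_id=1),
    IpFilter(20, 1, control=DISCARD, protocol=UDP, dport=(137, 139)),
    IpFilter(30, 1, control=ACCEPT),
]
POLICIES = [(1, 1, (0x1F, 0x20)), (9, 5, (0xFF, 0x00)), (12, 1, (0xFF, 0x04))]
```

Running `shadowed()` over a table before activating a new low-index row shows which existing rows would stop being evaluated.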
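Added example (not part of the draft): the source-address admission check that the docsDevCpeEntry description lays out, including the -1 and 0 settings of docsDevCpeIpMax and the clamp to the device limit. The `device_max` value, the class and function names, and the sample addresses are assumptions made for illustration.

```python
NONE, ANY = 1, 2                      # docsDevCpeEnroll
OTHER, MANUAL, LEARNED = 1, 2, 3      # docsDevCpeSource


class CpeTable:
    """Admission logic of docsDevCpeTable as described in docsDevCpeEntry."""

    def __init__(self, device_max, enroll=ANY, ip_max=1):
        self.device_max = device_max  # hypothetical per-device CPE limit
        self.enroll = enroll          # startup default in the MIB is any(2)
        self.entries = {}             # docsDevCpeIp -> docsDevCpeSource
        self.set_ip_max(ip_max)       # startup default in the MIB is 1

    def set_ip_max(self, value):
        # A value above what the device permits is set to that maximum.
        self.ip_max = min(value, self.device_max)

    def provision(self, addr):
        # Row created by configuration or an SNMP set.
        self.entries[addr] = MANUAL

    def admit(self, src):
        """True if a packet with this source IP goes on to IP filtering."""
        if self.ip_max == -1:         # no CPE source filtering; table is ignored
            return True
        if src in self.entries:
            return True
        # Zero means any number of CPEs up to the device maximum.
        limit = self.device_max if self.ip_max == 0 else self.ip_max
        if self.enroll == ANY and len(self.entries) < limit:
            self.entries[src] = LEARNED
            return True
        return False                  # otherwise the packet is dropped


def replay(table, sources):
    """Feed source addresses in arrival order; return those that were dropped."""
    return [src for src in sources if not table.admit(src)]


def learned(table):
    """Addresses the CM enrolled on its own, for comparison with provisioning."""
    return sorted(a for a, how in table.entries.items() if how == LEARNED)


# Constructed arrival order of source addresses on the customer interface.
SOURCES = ["192.0.2.10", "192.0.2.10", "192.0.2.77", "192.0.2.10"]
```

Comparing `learned()` against the provisioned addresses shows which rows came from enrollment rather than from the operator.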