Internet-Draft                                               E. Cardona
draft-ietf-ipcdn-cable-gateway-security-mib-00.txt             K. Luehrs
Expires: December 2003                                         CableLabs
                                                              S. Higgins
                                                          Ashley-Laurent
                                                                D. Jones
                                                                 YAS BBV
                                                               June 2003

          Cable Gateway Security Management Information Base
            for CableHome compliant Residential Gateways

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a basic set of managed objects for
   SNMP-based security management of CableHome 1.0 compliant residential
   gateway devices.

   This memo specifies a MIB module in a manner that is compliant to the
   SNMP SMIv2 [5][6][7].  The set of objects is consistent with the SNMP
   framework and existing SNMP standards.
Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [2].

Table of Contents

   1.   The Internet-Standard Management Framework
   2.   Glossary
        2.1  CableHome Residential Gateway
        2.2  Portal Services
        2.3  LAN IP Device
        2.4  WAN Management (WAN-Man) Address
        2.5  WAN Data (WAN-Data) Address
        2.6  LAN Translated (LAN-Trans) Address
        2.7  LAN Passthrough (LAN-Pass) Address
        2.8  Cable Gateway DHCP Portal (CDP)
        2.9  Denial of Service
        2.10 Firewall
        2.11 Hash
        2.12 Rule Set
        2.13 Security Policy
   3.   Overview
        3.1  Structure of the MIB
        3.2  Management Requirements
   4.   MIB Definitions
   5.   Acknowledgements
   6.   Formal Syntax
   7.   Security Considerations
   8.   Normative References
   9.   Informative References
   10.  Intellectual Property
   11.  Author's Addresses
   12.  Full Copyright Statement

1. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [12].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [7], STD 58, RFC 2579 [8] and STD 58, RFC 2580 [9].

2. Glossary

   The terms in this document are derived either from normal cable
   system usage, from normal residential gateway operation, or from the
   documents associated with the CableHome Specifications [21].

2.1 CableHome Residential Gateway

   A CableHome Residential Gateway passes data traffic between the cable
   operator's broadband data network (the Wide Area Network, WAN) and
   the Local Area Network (LAN) in the cable data service subscriber's
   residence or business.  In addition to passing traffic between the WAN
   and LAN, the CableHome Residential Gateway provides several services
   including a DHCP client and a DHCP server (RFC2131) [22], a TFTP
   server (RFC1350) [23], management services as enabled by an
   SNMPv1/v2c/v3 agent compliant with the RFCs listed in Section 1, and
   security services including stateful packet inspection firewall
   functionality and software code image verification using techniques.
2.2 Portal Services

   A logical element aggregating the set of CableHome-specified
   functionality in a CableHome compliant cable gateway device.

2.3 LAN IP Device

   A LAN IP Device is representative of a typical IP device expected to
   reside on home networks, and is assumed to contain a TCP/IP stack as
   well as a DHCP client.

2.4 WAN Management (WAN-Man) Address

   WAN Management Addresses are intended for network management traffic
   on the cable network between the network management system and the PS
   element.  Typically, these addresses will reside in private IP address
   space.

2.5 WAN Data (WAN-Data) Address

   WAN Data Addresses are intended for subscriber application traffic on
   the cable network and beyond, such as traffic between LAN IP Devices
   and Internet hosts.  Typically, these addresses will reside in public
   IP address space.

2.6 LAN Translated (LAN-Trans) Address

   LAN Translated Addresses are intended for subscriber application and
   management traffic on the home network between LAN IP Devices and the
   PS element.  Typically, these addresses will reside in private IP
   address space, and can typically be reused across subscribers.

2.7 LAN Passthrough (LAN-Pass) Address

   LAN Passthrough Addresses are intended for subscriber application
   traffic, such as traffic between LAN IP Devices and Internet hosts,
   on the home network, the cable network, and beyond.  Typically, these
   addresses will reside in public IP address space.

2.8 Cable Gateway DHCP Portal (CDP)

   A logical element residing within the PS that encapsulates DHCP
   functionality within a Cable Gateway Device.  This includes both DHCP
   client as well as DHCP server capabilities.

2.9 Denial of Service

   A type of attack on a network that is designed to bring the network
   to its knees by flooding it with useless traffic.
2.10 Firewall

   A system designed to prevent unauthorized access to or from a private
   network.  Firewalls are frequently used to prevent unauthorized
   Internet users from accessing private networks connected to the
   Internet.

2.11 Hash

   A hash value (or simply hash) is a number generated from a string of
   text.  The hash is substantially smaller than the text itself, and is
   generated by a formula in such a way that it is extremely unlikely
   that some other text will produce the same hash value.  Hashes play a
   role in security systems where they're used to ensure that
   transmitted messages have not been tampered with.

2.12 Rule Set

   The rule set is derived from the security policy and defines the
   collection of access control rules (filter and proxy action rules)
   which then determines which packets the firewall forwards and which
   it rejects.

2.13 Security Policy

   The security policy defines the desired level of
   security/functionality for a subscriber's firewall.

3. Overview

   This MIB provides a set of security objects required for the
   management of CableHome compliant residential gateway devices.  The
   specification is derived from the CableHome 1.0 specification [21].

3.1 Structure of the MIB

   This MIB is structured into two groups:

   - cabhSecFwObjects is used to manage the firewall functionality.

   - cabhSecCertObjects is used to hold the gateway device certificate,
     which is used to authenticate the gateway.

3.2 Management Requirements

3.1.1. Firewall Enable

   The cabhSecFwPolicyFileEnable object enables or disables firewall rule
   set filtering functions.

3.1.2. Firewall Configuration File Download

   The firewall configuration file download process is documented in
   [21].  From a network management station, the operator:

   - sets cabhSecFwPolicyFileHash to the hash value calculated using the
     firewall configuration file.
   - sets cabhSecFwPolicyFileURL to the name and IP address of the
     firewall configuration file using TFTP URL format.  When this
     value changes, it triggers the file download.

   Download status and the version of the firewall configuration file
   can be obtained from the cabhSecFwPolicyFileOperStatus and
   cabhSecFwPolicyCurrentVersion MIB objects.

3.1.3 Firewall Event Management

   There are three types of firewall events that can be logged.  The
   following objects allow the operator to enable or disable the logging
   of these events:

   - cabhSecFwEventType1Enable controls the logging of Type 1 event
     messages, which indicate attempts from both private and public
     clients to traverse the firewall that violate the security policy.

   - cabhSecFwEventType2Enable controls the logging of Type 2 event
     messages, which indicate the detection of Denial-of-Service attacks.

   - cabhSecFwEventType3Enable controls the logging of Type 3 event
     messages, which indicate changes in firewall management parameters.

   Event messaging details are documented in [21].

3.1.4 Firewall Attack Alert

   The Firewall Attack Alert MIB objects enable an MSO to be notified
   when a firewall has been attacked a certain number of times within a
   given period.

   The cabhSecFwEventAttackAlertThreshold object is set with the number
   of Type 1 or Type 2 hacker attacks that are allowed within the time
   period; if attacks exceed this number, an event message MUST be
   logged.

   The cabhSecFwEventAttackAlertPeriod object indicates the period to be
   used (in hours) for the cabhSecFwEventAttackAlertThreshold.  This MIB
   object should always keep track of the last x hours of events, meaning
   that if the variable is set to track events for 10 hours then when
   the 11th hour is reached, the 1st hour of events is deleted from the
   tracking log.
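   The download procedure of 3.1.2 and the attack alert window of 3.1.4,
   as an added Python model that is not part of this draft or of the
   CableHome specification.  The operator publishes the SHA-1 of the rule
   set file before changing the URL; the PS side (PolicyFileManager, an
   assumed name, with an in-memory dictionary standing in for the TFTP
   server and a constructed file) downloads the file, verifies it against
   the published hash before applying it, and reports
   cabhSecFwPolicyFileOperStatus and cabhSecFwPolicySuccessfulFileURL
   accordingly.  AttackAlertWindow (also an assumed name) keeps the Type 1
   and Type 2 events of the last x hours and reports when their number
   exceeds the threshold.  Only the MIB object names and enumeration
   values come from the draft.

```python
"""Added model of sections 3.1.2 and 3.1.4 of the draft; not code from the
draft or from CableLabs.  Class, function and URL names are assumptions."""
import hashlib
import hmac
from collections import deque

# Constructed stand-in for the operator's TFTP server: URL -> file contents.
TFTP_FILES = {
    "tftp://192.0.2.10/fw-policy-v2.bin": b"constructed rule set file, version 2",
}


class PolicyFileManager:
    """PS-side model of cabhSecFwPolicyFileHash, cabhSecFwPolicyFileURL,
    cabhSecFwPolicyFileOperStatus and cabhSecFwPolicySuccessfulFileURL."""

    # cabhSecFwPolicyFileOperStatus values (completeFromMgt(3) is deprecated)
    IN_PROGRESS, COMPLETE, FAILED = 1, 2, 4

    def __init__(self, fetch=TFTP_FILES.get):
        self.fetch = fetch                 # assumption: stands in for the TFTP client
        self.policy_file_hash = b""        # DEFVAL ''h
        self.successful_file_url = ""      # empty until a download succeeds
        self.oper_status = None
        self.rule_set = None               # contents of the applied rule set file

    def set_policy_file_hash(self, digest: bytes) -> None:
        """SET cabhSecFwPolicyFileHash: SYNTAX OCTET STRING (SIZE(0|20))."""
        if len(digest) not in (0, 20):
            raise ValueError("wrongLength: hash must be empty or 20 bytes")
        self.policy_file_hash = digest

    def set_policy_file_url(self, url: str) -> int:
        """SET cabhSecFwPolicyFileURL; returns the resulting OperStatus."""
        # A download is only triggered when the new value differs from the
        # last successfully downloaded URL.
        if url == self.successful_file_url:
            return self.oper_status
        self.oper_status = self.IN_PROGRESS
        data = self.fetch(url)
        if data is None:                   # TFTP timeout or missing file
            self.oper_status = self.FAILED
            return self.oper_status
        # The file is applied only if its SHA-1 matches the hash the operator
        # published beforehand; a mismatch is reported like a failed download.
        if not hmac.compare_digest(hashlib.sha1(data).digest(), self.policy_file_hash):
            self.oper_status = self.FAILED
            return self.oper_status
        self.rule_set = data
        self.successful_file_url = url
        self.oper_status = self.COMPLETE
        return self.oper_status


def operator_download(ps: PolicyFileManager, url: str, file_bytes: bytes) -> int:
    """Operator side of 3.1.2: publish the hash first, then set the URL."""
    ps.set_policy_file_hash(hashlib.sha1(file_bytes).digest())
    return ps.set_policy_file_url(url)


class AttackAlertWindow:
    """Model of cabhSecFwEventAttackAlertThreshold/Period: tracks Type 1 and
    Type 2 events over the last `period_hours` hours and reports when their
    number exceeds the threshold.  A period of 0 (the DEFVAL) tracks nothing."""

    def __init__(self, threshold: int = 65535, period_hours: int = 0):
        self.threshold = threshold
        self.period_hours = period_hours
        self.events = deque()              # timestamps (hours) of tracked events

    def record(self, event_type: int, now_hours: float) -> bool:
        """Record an event; return True when an alert message MUST be logged."""
        if event_type not in (1, 2) or self.period_hours == 0:
            return False
        self.events.append(now_hours)
        # Drop events that fall outside the sliding window: with a 10-hour
        # period, events from hour 0 are discarded once hour 10 is reached.
        cutoff = now_hours - self.period_hours
        while self.events and self.events[0] <= cutoff:
            self.events.popleft()
        return len(self.events) > self.threshold


if __name__ == "__main__":
    ps = PolicyFileManager()
    url = "tftp://192.0.2.10/fw-policy-v2.bin"
    print("download status:", operator_download(ps, url, TFTP_FILES[url]))
    window = AttackAlertWindow(threshold=3, period_hours=10)
    print([window.record(1, t) for t in (0, 1, 2, 3, 11)])
```

   Run stand-alone, the script reports status 2 (complete) for the
   constructed file and [False, False, False, True, False] for a window
   with threshold 3 and period 10 hours: the fourth event at hour 3
   exceeds the threshold, and by hour 11 the events from hours 0 and 1
   have left the window.  The ordering of the two SETs is what makes the
   verification meaningful: because the hash is in place before the URL
   changes, a file that differs from what the operator hashed (corrupted
   in transit or substituted on the TFTP server) is never applied, the
   status reports failed(4), and cabhSecFwPolicySuccessfulFileURL keeps
   pointing at the last good file.  A period of zero makes the window
   track nothing, matching the object's default.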
   A default value is set to zero, meaning zero time, so that this MIB
   variable will not track any events unless configured.

3.1.5 PS Certificate

   The cabhSecCertPsCert object provides the ability to read the
   certificate information in a compliant CableHome residential gateway
   device.  The PS certificate is used in the process of authenticating
   the device.

4. MIB Definitions

   CABH-IETF-SEC-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       Unsigned32,
       zeroDotZero,
       OBJECT-TYPE,
       mib-2                   FROM SNMPv2-SMI          -- RFC2578

       DateAndTime,
       TruthValue,
       TimeStamp,
       VariablePointer         FROM SNMPv2-TC           -- RFC2579

       OBJECT-GROUP,
       MODULE-COMPLIANCE       FROM SNMPv2-CONF         -- RFC2580

       InetPortNumber,
       InetAddressType,
       InetAddress             FROM INET-ADDRESS-MIB    -- RFC3291

       SnmpAdminString         FROM SNMP-FRAMEWORK-MIB  -- RFC2571

       DocsX509ASN1DEREncodedCertificate FROM DOCS-BPI2-MIB
           -- TC available in draft-ietf-ipcdn-bpiplus-mib-09.txt or after

       ZeroBasedCounter32      FROM RMON2-MIB

       docsDevFilterIpEntry    FROM DOCS-CABLE-DEVICE-MIB;

   cabhSecMib MODULE-IDENTITY
       LAST-UPDATED "200306210000Z" -- Jun 21, 2003
       ORGANIZATION "IETF IPCDN Working Group"
       CONTACT-INFO
           "Kevin Luehrs
            Postal: Cable Television Laboratories, Inc.
                    400 Centennial Parkway
                    Louisville, Colorado 80027-1266
                    U.S.A.
            Phone:  +1 303-661-9100
            Fax:    +1 303-661-9199
            E-mail: k.luehrs@cablelabs.com; mibs@cablelabs.com

            IETF IPCDN Working Group
            General Discussion: ipcdn@ietf.org
            Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn
            Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn
            Co-chairs: Richard Woundy,
                       Richard_Woundy@cable.comcast.com
                       Jean-Francois Mule, jf.mule@cablelabs.com"
       DESCRIPTION
           "This MIB module supplies the basic management
            objects for the Security Portal Services.

            Copyright (C) The Internet Society (2003).
            This version of this MIB module is part of RFC xxxx; see the
            RFC itself for full legal notices."
       REVISION "200306210000Z" -- Jun 21, 2003
       DESCRIPTION
           "Initial version, published as RFC xxxx."
           -- RFC editor to assign xxxx
       ::= { mib-2 xx }
           -- xx to be assigned by IANA

   -- Textual Conventions

   cabhSecMibObjects    OBJECT IDENTIFIER ::= { cabhSecMib 1 }
   cabhSecFwObjects     OBJECT IDENTIFIER ::= { cabhSecMibObjects 1 }
   cabhSecFwBase        OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
   cabhSecFwLogCtl      OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }

   cabhSecCertObjects   OBJECT IDENTIFIER ::= { cabhSecMibObjects 2 }
   cabhSecKerbObjects   OBJECT IDENTIFIER ::= { cabhSecMibObjects 3 }
   cabhSecKerbBase      OBJECT IDENTIFIER ::= { cabhSecKerbObjects 1 }

   cabhSec2FwObjects    OBJECT IDENTIFIER ::= { cabhSecMibObjects 4 }
   cabhSec2FwBase       OBJECT IDENTIFIER ::= { cabhSec2FwObjects 1 }
   cabhSec2FwEvent      OBJECT IDENTIFIER ::= { cabhSec2FwObjects 2 }
   cabhSec2FwLog        OBJECT IDENTIFIER ::= { cabhSec2FwObjects 3 }
   cabhSec2FwFilter     OBJECT IDENTIFIER ::= { cabhSec2FwObjects 4 }

   --
   -- CableHome 1.0 Base Firewall Functions
   --

   cabhSecFwPolicyFileEnable OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),
                       disable(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This parameter indicates whether or not to enable the
            firewall functionality."
       DEFVAL { enable }
       ::= { cabhSecFwBase 1 }

   cabhSecFwPolicyFileURL OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Contains the location of the last successfully downloaded
            policy rule set file in the format pointed to in the
            reference.  A policy rule set file download is triggered
            when the value used to SET this MIB object is different from
            the value in the cabhSecFwPolicySuccessfulFileURL object."
       REFERENCE
           "CableHome 1.0 Specification, CH-SP-I04-030411,
            11.3.5.2 Firewall Rule Set Management Parameters"
       ::= { cabhSecFwBase 2 }

   cabhSecFwPolicyFileHash OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0|20))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Hash of the contents of the rule set file, calculated
            and sent to the PS prior to sending the rule set file.
            For the SHA-1 authentication algorithm the length of the
            hash is 160 bits.  This hash value is encoded in binary
            format."
       DEFVAL { ''h }
       ::= { cabhSecFwBase 3 }

   cabhSecFwPolicyFileOperStatus OBJECT-TYPE
       SYNTAX      INTEGER {
                       inProgress(1),
                       complete(2),
                       -- completeFromMgt(3), deprecated
                       failed(4)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "inProgress(1) indicates a firewall configuration file
            download is underway.
            complete(2) indicates the firewall configuration file
            downloaded and configured successfully.
            completeFromMgt(3) This state is deprecated.
            failed(4) indicates the last attempted firewall
            configuration file download or processing failed,
            ordinarily due to TFTP timeout."
       ::= { cabhSecFwBase 4 }

   cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The rule set version currently operating in the PS
            device.  This object should be in the syntax used by the
            individual vendor to identify software versions.  Any PS
            element MUST return a string descriptive of the current
            rule set file load.  If this is not applicable, this
            object MUST contain an empty string."
       ::= { cabhSecFwBase 5 }

   cabhSecFwPolicySuccessfulFileURL OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Contains the location of the last successfully downloaded
            policy rule set file in the format pointed to in the
            reference.
            If a successful download has not yet occurred,
            this MIB object should report an empty string."
       REFERENCE
           "CableHome 1.0 Specification, CH-SP-I04-030411,
            11.3.5.2 Firewall Rule Set Management Parameters"
       ::= { cabhSecFwBase 6 }

   --
   -- CableHome 1.0 Firewall Event MIBs
   --

   cabhSecFwEventType1Enable OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),    -- log event
                       disable(2)    -- do not log event
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object enables or disables logging of type 1
            firewall event messages.  Type 1 event messages report
            attempts from both private and public clients to traverse
            the firewall that violate the Security Policy."
       DEFVAL { disable }
       ::= { cabhSecFwLogCtl 1 }

   cabhSecFwEventType2Enable OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),    -- log event
                       disable(2)    -- do not log event
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object enables or disables logging of type 2
            firewall event messages.  Type 2 event messages report
            identified Denial of Service attack attempts."
       DEFVAL { disable }
       ::= { cabhSecFwLogCtl 2 }

   cabhSecFwEventType3Enable OBJECT-TYPE
       SYNTAX      INTEGER {
                       enable(1),    -- log event
                       disable(2)    -- do not log event
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Enables or disables logging of type 3 firewall event
            messages.
            Type 3 event messages report changes made to the
            following firewall management parameters:
            cabhSecFwPolicyFileURL,
            cabhSecFwPolicyFileCurrentVersion,
            cabhSecFwPolicyFileEnable"
       DEFVAL { disable }
       ::= { cabhSecFwLogCtl 3 }

   cabhSecFwEventAttackAlertThreshold OBJECT-TYPE
       SYNTAX      INTEGER (0..65535)
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If the number of type 1 or 2 hacker attacks exceeds
            this threshold in the period defined by
            cabhSecFwEventAttackAlertPeriod, a firewall message
            event MUST be logged with priority level 4."
       DEFVAL { 65535 }
       ::= { cabhSecFwLogCtl 4 }

   cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
       SYNTAX      INTEGER (0..65535)
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Indicates the period to be used (in hours) for the
            cabhSecFwEventAttackAlertThreshold.  This MIB variable
            should always keep track of the last x hours of events,
            meaning that if the variable is set to track events for
            10 hours then when the 11th hour is reached, the 1st hour
            of events is deleted from the tracking log.  A default
            value is set to zero, meaning zero time, so that this MIB
            variable will not track any events unless configured."
       DEFVAL { 0 }
       ::= { cabhSecFwLogCtl 5 }

   --
   -- CableHome PS device certificate
   --

   cabhSecCertPsCert OBJECT-TYPE
       SYNTAX      DocsX509ASN1DEREncodedCertificate
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The X509 DER-encoded PS certificate."
       ::= { cabhSecCertObjects 1 }

   --
   -- CableHome 1.1 Firewall Management MIBs
   --

   cabhSec2FwEnable OBJECT-TYPE
       SYNTAX      INTEGER {
                       enabled(1),
                       disabled(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This parameter indicates whether to enable or disable
            the firewall."
       DEFVAL { enabled }
       ::= { cabhSec2FwBase 1 }

   cabhSec2FwPolicyFileURL OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Contains the location of the last successfully downloaded
            policy rule set file in the format pointed to in the
            reference.  A policy rule set file download is triggered
            when the value used to SET this MIB object is different from
            the value in the cabhSec2FwPolicySuccessfulFileURL object."
       REFERENCE
           "CableHome 1.1 Specification, CH-1.1-SP-I01-030418,
            11.6.4.7.1 Firewall Rule Set Management MIB Objects"
       ::= { cabhSec2FwBase 2 }

   cabhSec2FwPolicyFileHash OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0|20))
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Hash of the contents of the firewall configuration file.
            For the SHA-1 authentication algorithm the length of the
            hash is 160 bits.  This hash value is encoded in binary
            format."
       DEFVAL { ''h }
       ::= { cabhSec2FwBase 3 }

   cabhSec2FwPolicyFileOperStatus OBJECT-TYPE
       SYNTAX      INTEGER {
                       inProgress(1),
                       complete(2),
                       failed(3)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "inProgress(1) indicates a firewall configuration file
            download is underway.  complete(2) indicates the firewall
            configuration file was downloaded and processed
            successfully.  failed(3) indicates that the last attempted
            firewall configuration file download or processing
            failed."
       ::= { cabhSec2FwBase 4 }

   cabhSec2FwPolicyFileCurrentVersion OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "A label set by the cable operator that can be used to
            track various versions of configured rulesets.  Once the
            label is set and the configured rules are changed, it may
            not accurately reflect the version of configured rules
            running on the box.
            This object MUST contain the string 'null' if it has never
            been configured."
       DEFVAL { "null" }
       ::= { cabhSec2FwBase 5 }

   cabhSec2FwClearPreviousRuleset OBJECT-TYPE
       SYNTAX      INTEGER {
                       increment(1),
                       complete(2),
                       incrementDefault(3)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Allows PS or firewall configuration files to contain
            either a complete firewall configured ruleset or an
            increment to the already established configured ruleset,
            depending upon its existence in the configuration file.
            If the PS receives a configuration file with firewall
            settings which includes a cabhSec2FwClearPreviousRuleset
            object setting marked as increment(1), or if this object
            setting is not included in a configuration file which
            contains filter settings for the firewall, then the PS
            MUST treat the firewall filter settings in the
            configuration file as an increment to the configured
            ruleset.  If the PS receives a configuration file with
            firewall settings which includes a
            cabhSec2FwClearPreviousRuleset object setting marked as
            incrementDefault(3), then the PS MUST remove all
            previously configured rules from the configured ruleset,
            including any rules in the filter schedule table, and
            increment the newly downloaded rules on top of (i.e.
            subsequent to) the factory default policy.  If the PS
            receives a configuration file with firewall settings
            which includes a cabhSec2FwClearPreviousRuleset object
            setting marked as complete(2), then the PS MUST remove
            all previously configured rules from the configured
            ruleset, including any rules in the
            cabhSec2FwFilterScheduleTable table, before applying
            the firewall filter settings contained in the
            configuration file.
            If cabhSec2FwClearPreviousRuleset is set to increment(1)
            using SNMP, the PS MUST treat all of the following
            firewall filter settings using SNMP as an increment to
            the configured ruleset.

            If cabhSec2FwClearPreviousRuleset is set to
            incrementDefault(3) using SNMP, the PS MUST remove all
            previously configured rules from the configured ruleset,
            including any rules in the filter schedule table, and
            treat all of the following firewall filter settings using
            SNMP as an increment on top of the factory default
            policy.  If cabhSec2FwClearPreviousRuleset is set to
            complete(2), then the PS MUST remove all rules from the
            configured ruleset, including any rules in the filter
            schedule table.  In this scenario the PS will operate
            without any configured rules (e.g. there will be no
            defined filtering rules, but the firewall will still
            provide the minimum set of capabilities and
            architecture)."
       REFERENCE
           "CableHome 1.1 Specification, CH-1.1-SP-I01-030418,
            11.6.4.4 Firewall Filtering"
       DEFVAL { increment }
       ::= { cabhSec2FwBase 6 }

   cabhSec2FwPolicySelection OBJECT-TYPE
       SYNTAX      INTEGER {
                       factoryDefault(1),
                       configuredRuleset(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This parameter indicates which policy should currently
            be running in the firewall, either the factoryDefault
            policy or the configuredRuleset."
       DEFVAL { factoryDefault }
       ::= { cabhSec2FwBase 7 }

   cabhSec2FwEventSetToFactory OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If set to 'true', entries in cabhSec2FwEventControlEntry
            are set to their default values.  Reading this value
            always returns false."
       DEFVAL { false }
       ::= { cabhSec2FwBase 8 }

   cabhSec2FwEventLastSetToFactory OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of sysUpTime when cabhSec2FwEventSetToFactory
            was last set to true.  Zero if never reset."
       ::= { cabhSec2FwBase 9 }

   cabhSec2FwPolicySuccessfulFileURL OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Contains the location of the last successfully downloaded
            policy rule set file in the format pointed to in the
            reference.  If a successful download has not yet occurred,
            this MIB object should report an empty string."
       REFERENCE
           "CableHome 1.1 Specification, CH-1.1-SP-I01-030418,
            11.6.4.7.1 Firewall Rule Set Management MIB Objects"
       ::= { cabhSec2FwBase 10 }

   --
   -- CableHome 1.1 Firewall Event MIBs
   --

   cabhSec2FwEventControlTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF CabhSec2FwEventControlEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table controls the reporting of the Firewall
            Attacks events."
       ::= { cabhSec2FwEvent 1 }

   cabhSec2FwEventControlEntry OBJECT-TYPE
       SYNTAX      CabhSec2FwEventControlEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Allows configuration of the reporting mechanisms for a
            particular type of attack."
       INDEX { cabhSec2FwEventType }
       ::= { cabhSec2FwEventControlTable 1 }

   CabhSec2FwEventControlEntry ::= SEQUENCE {
       cabhSec2FwEventType          INTEGER,
       cabhSec2FwEventEnable        INTEGER,
       cabhSec2FwEventThreshold     Unsigned32,
       cabhSec2FwEventInterval      Unsigned32,
       cabhSec2FwEventCount         ZeroBasedCounter32,
       cabhSec2FwEventLogReset      TruthValue,
       cabhSec2FwEventLogLastReset  TimeStamp
   }

   cabhSec2FwEventType OBJECT-TYPE
       SYNTAX      INTEGER {
                       type1(1),
                       type2(2),
                       type3(3),
                       type4(4),
                       type5(5),
                       type6(6)
                   }
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Classification of the different types of attacks.
            Type 1 logs all attempts from both LAN and WAN clients to
            traverse the Firewall that violate the Security Policy.
            Type 2 logs identified Denial of Service attack attempts.
            Type 3 logs all changes made to the cabhSec2FwPolicyFileURL,
            cabhSec2FwPolicyFileCurrentVersion or
            cabhSec2FwPolicyFileEnable objects.
            Type 4 logs all failed attempts to modify
            cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable
            objects.  Type 5 logs allowed inbound packets from the WAN.
            Type 6 logs allowed outbound packets from the LAN."
       ::= { cabhSec2FwEventControlEntry 1 }

   cabhSec2FwEventEnable OBJECT-TYPE
       SYNTAX      INTEGER {
                       enabled(1),
                       disabled(2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Enables or disables counting and logging of firewall
            events by type as assigned by cabhSec2FwEventType."
       DEFVAL { disabled }
       ::= { cabhSec2FwEventControlEntry 2 }

   cabhSec2FwEventThreshold OBJECT-TYPE
       SYNTAX      Unsigned32 (0..65535)
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Number of attacks to count before sending the
            appropriate event by type as assigned by
            cabhSec2FwEventType."
    DEFVAL { 0 }
    ::= { cabhSec2FwEventControlEntry 3 }

cabhSec2FwEventInterval OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    UNITS       "hours"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates the time interval in hours over which to count
        and log occurrences of a firewall event type as assigned
        in cabhSec2FwEventType. If this object has a value of
        zero, no interval is assigned and the PS will not count
        or log events of that type."
    DEFVAL { 0 }
    ::= { cabhSec2FwEventControlEntry 4 }

cabhSec2FwEventCount OBJECT-TYPE
    SYNTAX      ZeroBasedCounter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates the current count, up to the
        cabhSec2FwEventThreshold value, by type as assigned by
        cabhSec2FwEventType."
    ::= { cabhSec2FwEventControlEntry 5 }

cabhSec2FwEventLogReset OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Setting this object to true clears the log table for the
        specified event type. Reading this object always returns
        false."
    DEFVAL { false }
    ::= { cabhSec2FwEventControlEntry 6 }

cabhSec2FwEventLogLastReset OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when cabhSec2FwEventLogReset was
        last set to true. Zero if never reset."
    ::= { cabhSec2FwEventControlEntry 7 }

--
-- CableHome 1.1 Firewall Log Tables
--
cabhSec2FwLogTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwLogEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains a log of packet information as related to
        events enabled by the cable operator. The types are
        defined in the CableHome 1.1 specification and require
        various objects to be included in the log.
        The following describes what is expected in the log for
        each type. Type 1, Type 2, Type 5 and Type 6 entries MUST
        include cabhSec2FwLogEventType, cabhSec2FwLogEventPriority,
        cabhSec2FwLogEventId, cabhSec2FwLogTime,
        cabhSec2FwLogIpProtocol, cabhSec2FwLogIpSourceAddr,
        cabhSec2FwLogIpDestAddr, cabhSec2FwLogIpSourcePort,
        cabhSec2FwLogIpDestPort, cabhSec2Fw,
        cabhSec2FwLogReplayCount. The other objects not used by
        types 1, 2, 5 and 6 hold their default values. Type 3 and
        Type 4 entries MUST include cabhSec2FwLogEventType,
        cabhSec2FwLogEventPriority, cabhSec2FwLogEventId,
        cabhSec2FwLogTime, cabhSec2FwLogIpSourceAddr and
        cabhSec2FwLogMIBPointer. The other objects not used by
        types 3 and 4 hold their default values."
    ::= { cabhSec2FwLog 1 }

cabhSec2FwLogEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwLogEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the log of one firewall event."
    INDEX { cabhSec2FwLogIndex }
    ::= { cabhSec2FwLogTable 1 }

CabhSec2FwLogEntry ::= SEQUENCE {
    cabhSec2FwLogIndex              Unsigned32,
    cabhSec2FwLogEventType          INTEGER,
    cabhSec2FwLogEventPriority      INTEGER,
    cabhSec2FwLogEventId            Unsigned32,
    cabhSec2FwLogTime               DateAndTime,
    cabhSec2FwLogIpProtocol         Unsigned32,
    cabhSec2FwLogIpAddrType         InetAddressType,
    cabhSec2FwLogIpSourceAddr       InetAddress,
    cabhSec2FwLogIpDestAddr         InetAddress,
    cabhSec2FwLogIpSourcePort       InetPortNumber,
    cabhSec2FwLogIpDestPort         InetPortNumber,
    cabhSec2FwLogMessageType        Unsigned32,
    cabhSec2FwLogReplayCount        Unsigned32,
    cabhSec2FwLogMIBPointer         VariablePointer
}

cabhSec2FwLogIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A sequence number for the specific events under a
        cabhSec2FwEventType."
    ::= { cabhSec2FwLogEntry 1 }

cabhSec2FwLogEventType OBJECT-TYPE
    SYNTAX      INTEGER {
                    type1(1),
                    type2(2),
                    type3(3),
                    type4(4),
                    type5(5),
                    type6(6)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Classification of the different types of attacks.
        Type 1 logs all attempts from both LAN and WAN clients to
        traverse the firewall that violate the security policy.
        Type 2 logs identified Denial of Service attack attempts.
        Type 3 logs all changes made to the
        cabhSec2FwPolicyFileURL,
        cabhSec2FwPolicyFileCurrentVersion or
        cabhSec2FwPolicyFileEnable objects.
        Type 4 logs all failed attempts to modify the
        cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable
        objects.
        Type 5 logs allowed inbound packets from the WAN.
        Type 6 logs allowed outbound packets from the LAN."
    ::= { cabhSec2FwLogEntry 2 }

cabhSec2FwLogEventPriority OBJECT-TYPE
    SYNTAX      INTEGER {
                    emergency(1),
                    alert(2),
                    critical(3),
                    error(4),
                    warning(5),
                    notice(6),
                    information(7),
                    debug(8)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The priority level of this event as defined by the
        CableHome specification. If a priority is not assigned in
        the CableHome specification for a particular event, the
        vendor or cable operator may assign priorities. These are
        ordered from most serious (emergency) to least serious
        (debug)."
    ::= { cabhSec2FwLogEntry 3 }

cabhSec2FwLogEventId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The assigned event ID."
    ::= { cabhSec2FwLogEntry 4 }

cabhSec2FwLogTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The time that this entry was created by the PS."
    ::= { cabhSec2FwLogEntry 5 }

cabhSec2FwLogIpProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP protocol number of the packet logged."
    ::= { cabhSec2FwLogEntry 6 }

cabhSec2FwLogIpAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of the IP addresses in the packet logged."
    ::= { cabhSec2FwLogEntry 7 }

cabhSec2FwLogIpSourceAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source IP address of the packet logged.
        The address type of this object is specified by
        cabhSec2FwLogIpAddrType."
    ::= { cabhSec2FwLogEntry 8 }

cabhSec2FwLogIpDestAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The destination IP address of the packet logged.
        The address type of this object is specified by
        cabhSec2FwLogIpAddrType."
    ::= { cabhSec2FwLogEntry 9 }

cabhSec2FwLogIpSourcePort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The source port of the packet logged."
    ::= { cabhSec2FwLogEntry 10 }

cabhSec2FwLogIpDestPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The destination port of the packet logged."
    ::= { cabhSec2FwLogEntry 11 }

cabhSec2FwLogMessageType OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ICMP message type, for a logged packet carrying
        ICMP."
    ::= { cabhSec2FwLogEntry 12 }

cabhSec2FwLogReplayCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of identical attack packets that were seen by
        the firewall, identity being based on
        cabhSec2FwLogIpProtocol, cabhSec2FwLogIpSourceAddr,
        cabhSec2FwLogIpDestAddr, cabhSec2FwLogIpSourcePort,
        cabhSec2FwLogIpDestPort and cabhSec2FwLogMessageType."
    DEFVAL { 0 }
    ::= { cabhSec2FwLogEntry 13 }

cabhSec2FwLogMIBPointer OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Identifies whether the cabhSec2FwPolicyFileURL or the
        cabhSec2FwEnable MIB object was changed, or an attempt
        was made to change it."
    DEFVAL { zeroDotZero }
    ::= { cabhSec2FwLogEntry 14 }

-- ============================================================
--
-- CableHome 1.1 PS IP Filter Scheduling Table
--
-- The cabhSec2FwFilterScheduleTable contains the firewall
-- policy identification and links that policy as defined
-- in RFC 2669 to specific time of day restrictions.
--
-- ============================================================

cabhSec2FwFilterScheduleTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwFilterScheduleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Extends the filter matching parameters of
        docsDevFilterIpTable defined in RFC 2669 for CableHome
        Residential Gateways to include time of day intervals and
        days of the week."
    ::= { cabhSec2FwFilter 1 }

cabhSec2FwFilterScheduleEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwFilterScheduleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Extended values for entries of docsDevFilterIpTable.
        If the PS has not acquired Time of Day (ToD), the entire
        docsDevFilterIpEntry rule this row augments is ignored,
        not only its schedule; a rule intended to block traffic
        is therefore not enforced until ToD has been acquired."
    AUGMENTS { docsDevFilterIpEntry }
    ::= { cabhSec2FwFilterScheduleTable 1 }

CabhSec2FwFilterScheduleEntry ::= SEQUENCE {
    cabhSec2FwFilterScheduleStartTime   DateAndTime,
    cabhSec2FwFilterScheduleEndTime     DateAndTime,
    cabhSec2FwFilterScheduleDOW         BITS
}

cabhSec2FwFilterScheduleStartTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The start time, with optional time zone, for a firewall
        filter ruleset. Only the time portion of the DateAndTime
        TEXTUAL-CONVENTION has meaning."
    ::= { cabhSec2FwFilterScheduleEntry 1 }

cabhSec2FwFilterScheduleEndTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The end time, with optional time zone, for a firewall
        filter ruleset. Only the time portion of the DateAndTime
        TEXTUAL-CONVENTION has meaning."
    ::= { cabhSec2FwFilterScheduleEntry 2 }

cabhSec2FwFilterScheduleDOW OBJECT-TYPE
    SYNTAX      BITS {
                    sunday(0),
                    monday(1),
                    tuesday(2),
                    wednesday(3),
                    thursday(4),
                    friday(5),
                    saturday(6)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "If the bit for the PS's current day of the week is set
        to '1', this match criterion is satisfied."
    ::= { cabhSec2FwFilterScheduleEntry 3 }

--
-- Kerberos MIBs
--

cabhSecKerbPKINITGracePeriod OBJECT-TYPE
    SYNTAX      Unsigned32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The PKINIT Grace Period is needed by the PS to know when
        it should start retrying to get a new ticket. The PS MUST
        obtain a new Kerberos ticket (with a PKINIT exchange);
        this may be many minutes before the old ticket expires."
    DEFVAL { 30 }
    ::= { cabhSecKerbBase 1 }

cabhSecKerbTGSGracePeriod OBJECT-TYPE
    SYNTAX      Unsigned32 (1..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The TGS Grace Period is needed by the PS to know when it
        should start retrying to get a new ticket. The PS MUST
        obtain a new Kerberos ticket (with a TGS Request); this
        may be many minutes before the old ticket expires."
    DEFVAL { 10 }
    ::= { cabhSecKerbBase 2 }

cabhSecKerbUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This timeout applies to the PS-initiated AP-REQ/REP key
        management exchange with the NMS. The maximum timeout is
        the value which may not be exceeded in the exponential
        backoff algorithm."
    DEFVAL { 600 }
    ::= { cabhSecKerbBase 3 }

cabhSecKerbUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Unsigned32 (1..32)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The number of retries the PS is allowed for AP-REQ/REP
        key management exchange initiation with the NMS. This is
        the maximum number of retries before the PS gives up
        attempting to establish an SNMPv3 security association
        with the NMS."
    DEFVAL { 8 }
    ::= { cabhSecKerbBase 4 }

cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 2 }
cabhSecConformance  OBJECT IDENTIFIER ::= { cabhSecMib 3 }
cabhSecCompliances  OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
cabhSecGroups       OBJECT IDENTIFIER ::= { cabhSecConformance 2 }

--
-- Notification Group for future extension
--

-- compliance statements

cabhSecCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for CableHome Security."
    MODULE  -- cabhSecMib

    -- unconditionally mandatory groups

    MANDATORY-GROUPS {
        cabhSecCertGroup,
        cabhSecKerbGroup
    }

    -- conditionally mandatory groups

    GROUP cabhSecGroup
    DESCRIPTION
        "This group is implemented only for CH 1.0 gateways."

    GROUP cabhSec2Group
    DESCRIPTION
        "This group is implemented only for CH 1.1 gateways."

    OBJECT cabhSec2FwLogIpAddrType
    SYNTAX InetAddressType { ipv4(1) }
    DESCRIPTION
        "An implementation is only required to support IPv4
        addresses."

    OBJECT cabhSec2FwLogIpSourceAddr
    SYNTAX InetAddress (SIZE(4))
    DESCRIPTION
        "An implementation is only required to support IPv4
        addresses."

    OBJECT cabhSec2FwLogIpDestAddr
    SYNTAX InetAddress (SIZE(4))
    DESCRIPTION
        "An implementation is only required to support IPv4
        addresses."

    ::= { cabhSecCompliances 1 }

cabhSecGroup OBJECT-GROUP
    OBJECTS {
        cabhSecFwPolicyFileEnable,
        cabhSecFwPolicyFileURL,
        cabhSecFwPolicyFileHash,
        cabhSecFwPolicyFileOperStatus,
        cabhSecFwPolicyFileCurrentVersion,
        cabhSecFwPolicySuccessfulFileURL,

        cabhSecFwEventType1Enable,
        cabhSecFwEventType2Enable,
        cabhSecFwEventType3Enable,
        cabhSecFwEventAttackAlertThreshold,
        cabhSecFwEventAttackAlertPeriod
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in the CableHome 1.0 Firewall MIB."
    ::= { cabhSecGroups 1 }

cabhSecCertGroup OBJECT-GROUP
    OBJECTS {
        cabhSecCertPsCert
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in the CableHome gateway for the PS
        Certificate."
    ::= { cabhSecGroups 2 }

cabhSecKerbGroup OBJECT-GROUP
    OBJECTS {
        cabhSecKerbPKINITGracePeriod,
        cabhSecKerbTGSGracePeriod,
        cabhSecKerbUnsolicitedKeyMaxTimeout,
        cabhSecKerbUnsolicitedKeyMaxRetries
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in the CableHome gateway for Kerberos."
    ::= { cabhSecGroups 3 }

cabhSec2Group OBJECT-GROUP
    OBJECTS {
        cabhSec2FwEnable,
        cabhSec2FwPolicyFileURL,
        cabhSec2FwPolicyFileHash,
        cabhSec2FwPolicyFileOperStatus,
        cabhSec2FwPolicyFileCurrentVersion,
        cabhSec2FwClearPreviousRuleset,
        cabhSec2FwPolicySelection,
        cabhSec2FwEventSetToFactory,
        cabhSec2FwEventLastSetToFactory,
        cabhSec2FwPolicySuccessfulFileURL,
        cabhSec2FwEventEnable,
        cabhSec2FwEventThreshold,
        cabhSec2FwEventInterval,
        cabhSec2FwEventCount,
        cabhSec2FwEventLogReset,
        cabhSec2FwEventLogLastReset,
        cabhSec2FwLogEventType,
        cabhSec2FwLogEventPriority,
        cabhSec2FwLogEventId,
        cabhSec2FwLogTime,
        cabhSec2FwLogIpProtocol,
        cabhSec2FwLogIpAddrType,
        cabhSec2FwLogIpSourceAddr,
        cabhSec2FwLogIpDestAddr,
        cabhSec2FwLogIpSourcePort,
        cabhSec2FwLogIpDestPort,
        cabhSec2FwLogMessageType,
        cabhSec2FwLogReplayCount,
        cabhSec2FwLogMIBPointer,
        cabhSec2FwFilterScheduleStartTime,
        cabhSec2FwFilterScheduleEndTime,
        cabhSec2FwFilterScheduleDOW
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in the CableHome 1.1 Firewall MIB."
    ::= { cabhSecGroups 4 }

END

5. Acknowledgements

   Nancy Davoust - YAS Broadband Ventures
   Jim Hinsey - Broadcom
   John Bevilacqua - YAS Broadband Ventures

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

6. Formal Syntax

   The following syntax specification uses the augmented Backus-Naur
   Form (BNF) as described in RFC 2234 [3].

7. Security Considerations

   There are a number of management objects defined in this MIB that
   have a MAX-ACCESS clause of read-write and/or read-create. Such
   objects may be considered sensitive or vulnerable in some network
   environments.
   The support for SET operations in a non-secure environment without
   proper protection can have a negative effect on network operations.

   It is thus important to control even GET access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP. Not all versions of SNMP provide
   features for such a secure environment.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security. It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

8. Normative References

   [1]  Bradner, S., "The Internet Standards Process -- Revision 3",
        BCP 9, RFC 2026, October 1996.

   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [3]  Crocker, D. and P. Overell (Editors), "Augmented BNF for Syntax
        Specifications: ABNF", RFC 2234, Internet Mail Consortium and
        Demon Internet Ltd., November 1997.

   [4]  Rose, M. and K.
McCloghrie, "Structure and Identification of
        Management Information for TCP/IP-based Internets", STD 16,
        RFC 1155, May 1990.

   [5]  Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
        RFC 1212, March 1991.

   [6]  Rose, M., "A Convention for Defining Traps for use with the
        SNMP", RFC 1215, March 1991.

   [7]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Structure of
        Management Information for Version 2 (SMIv2)", STD 58, RFC 2578,
        April 1999.

   [8]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Textual
        Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   [9]  McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance
        Statements for SMIv2", STD 58, RFC 2580, April 1999.

   [10] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
        Network Management Protocol", STD 15, RFC 1157, May 1990.

   [11] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
        "Introduction to Community-based SNMPv2", RFC 1901, January
        1996.

   [12] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction
        and Applicability Statements for Internet Standard Management
        Framework", RFC 3410, December 2002.

   [13] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for
        Describing Simple Network Management Protocol (SNMP) Management
        Frameworks", RFC 3411, December 2002.

   [14] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message
        Processing and Dispatching for the Simple Network Management
        Protocol (SNMP)", RFC 3412, December 2002.

   [15] Levi, D., Meyer, P. and B. Stewart, "Simple Network Management
        Protocol (SNMP) Applications", RFC 3413, December 2002.

   [16] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM)
        for version 3 of the Simple Network Management Protocol
        (SNMPv3)", RFC 3414, December 2002.

   [17] Wijnen, B., Presuhn, R. and K.
McCloghrie, "View-based Access
        Control Model (VACM) for the Simple Network Management Protocol
        (SNMP)", RFC 3415, December 2002.

   [18] Presuhn, R., Case, J., McCloghrie, K., Rose, M. and S.
        Waldbusser, "Version 2 of the Protocol Operations for the Simple
        Network Management Protocol (SNMPv2)", RFC 3416, December 2002.

   [19] Presuhn, R., Case, J., McCloghrie, K., Rose, M. and S.
        Waldbusser, "Transport Mappings for the Simple Network
        Management Protocol (SNMPv2)", RFC 3417, December 2002.

   [20] Presuhn, R., Case, J., McCloghrie, K., Rose, M. and S.
        Waldbusser, "Management Information Base (MIB) for the Simple
        Network Management Protocol (SNMP)", RFC 3418, December 2002.

   [21] Cable Television Laboratories, "CableHome 1.0 Specification",
        CH-SP-I02-020920, September 2002,
        http://www.cablelabs.com/projects/cablehome/specifications.

9. Informative References

   [22] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
        March 1997.

   [23] Sollins, K., "The TFTP Protocol (Revision 2)", RFC 1350, July
        1992.

   [24] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for
        Describing SNMP Management Frameworks", RFC 2571, April 1999.

   [25] Daniele, M., Haberman, B., Routhier, S. and J. Schoenwaelder,
        "Textual Conventions for Internet Network Addresses", RFC 3291,
        May 2002.

10. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.
   Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

11. Authors' Addresses

   Eduardo Cardona
   Cable Television Laboratories
   400 Centennial Parkway
   Louisville, CO 80027
   Phone: +1 303.661.9100
   Email: e.cardona@cablelabs.com

   Kevin Luehrs
   Cable Television Laboratories
   400 Centennial Parkway
   Louisville, CO 80027
   Phone: +1 303.661.9100
   Email: k.luehrs@cablelabs.com

   Scott Higgins
   Ashley-Laurent
   Austin, TX
   Phone: +1 512.322.0676 x112
   Email: shiggins@ashleylaurent.com

   Doug Jones
   YAS Broadband Ventures
   300 Brickstone Square
   Andover, MA 01810
   Phone: +1 303.661.3823
   Email: doug@yas.com

12. Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.
   However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.