idnits 2.17.1

draft-ietf-ipcdn-mcns-bpi-mib-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories.

  ** The document is more than 15 pages and seems to lack a Table of Contents.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References. All references will be assumed normative when checking for
     downward references.

  ** There are 38 instances of too long lines in the document, the longest one
     being 1 character in excess of 72.

  ** The abstract seems to contain references ([5]), which it shouldn't.
     Please replace those with straight textual mentions of the documents in
     question.
  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 125: '...CMTS enabled for Baseline Privacy MUST...'

     RFC 2119 keyword, line 135: '... The CM and CMTS MUST support viewing ...'

     RFC 2119 keyword, line 141: '...dling. The CMTS MUST support configur...'

     RFC 2119 keyword, line 144: '... values. The CM MUST support viewing ...'

     RFC 2119 keyword, line 150: '... MUST support viewing the curre...'

     (8 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     docsBpiCmtsAuthEntry OBJECT-TYPE SYNTAX DocsBpiCmtsAuthEntry MAX-ACCESS
     not-accessible STATUS current DESCRIPTION "An entry containing objects
     describing attributes of one authorization association. The CMTS MUST
     create one entry per CM per MAC interface, based on the receipt of an
     Authorization Request message, and MUST not delete the entry before the
     CM authorization permanently expires." INDEX { ifIndex,
     docsBpiCmtsAuthCmMacAddress } ::= { docsBpiCmtsAuthTable 1 }

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     docsBpiCmtsTEKEntry OBJECT-TYPE SYNTAX DocsBpiCmtsTEKEntry MAX-ACCESS
     not-accessible STATUS current DESCRIPTION "An entry containing objects
     describing attributes of one TEK association on a particular CMTS MAC
     interface. The CMTS MUST create one entry per SID per MAC interface,
     based on the receipt of an Key Request message, and MUST not delete the
     entry before the CM authorization for the SID permanently expires."

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '12' is mentioned on line 863, but not defined

  == Unused Reference: '10' is defined on line 1560, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 1902 (ref. '1') (Obsoleted by RFC 2578)

  ** Downref: Normative reference to an Historic RFC: RFC 1157 (ref. '3')

  ** Obsolete normative reference: RFC 1905 (ref. '4') (Obsoleted by RFC 3416)

  == Outdated reference: A later version (-07) exists of
     draft-ietf-ipcdn-rf-interface-mib-04

  == Outdated reference: A later version (-08) exists of
     draft-ietf-ipcdn-cable-device-mib-04

  -- Possible downref: Non-RFC (?) normative reference: ref. '7'

  -- Possible downref: Non-RFC (?) normative reference: ref. '8'

  -- Possible downref: Non-RFC (?) normative reference: ref. '9'

  -- Possible downref: Non-RFC (?) normative reference: ref. '10'

  ** Obsolete normative reference: RFC 2271 (ref. '11') (Obsoleted by RFC 2571)

  Summary: 16 errors (**), 0 flaws (~~), 8 warnings (==), 6 comments (--).
  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

2    Internet Draft                                                 R. Woundy
3    IPCDN Working Group                                    American Internet
4    draft-ietf-ipcdn-mcns-bpi-mib-00.txt            Expires: 17 January 1999

6           Baseline Privacy Interface Management Information Base
7      for MCNS Compliant Cable Modems and Cable Modem Termination Systems

9    Status of this Memo

11      This document is an Internet-Draft. Internet-Drafts are working
12      documents of the Internet Engineering Task Force (IETF), its Areas,
13      and its Working Groups. Note that other groups may also distribute
14      working documents as Internet-Drafts.

16      Internet-Drafts are draft documents valid for a maximum of six months
17      and may be updated, replaced, or obsoleted by other documents at any
18      time. It is inappropriate to use Internet-Drafts as reference
19      material or to cite them other than as a "work in progress".

21      To view the entire list of current Internet-Drafts, please check the
22      "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
23      Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
24      Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
25      Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

27   Abstract

29      This memo defines an experimental portion of the Management
30      Information Base (MIB) for use with network management protocols in
31      the Internet community. In particular, it defines a basic set of
32      managed objects for SNMP-based management of the Baseline Privacy
33      Interface for MCNS compliant cable modems and cable modem termination
34      systems. This MIB is defined as an extension to the MCNS Radio
35      Frequency Interface MIB [5].

37      This memo specifies a MIB module in a manner that is compliant to the
38      SNMPv2 SMI. The set of objects is consistent with the SNMP framework
39      and existing SNMP standards.
41      This memo does not specify a standard for the Internet community.

43      This memo is a product of the IPCDN working group within the Internet
44      Engineering Task Force. Comments are solicited and should be
45      addressed to the working group's mailing list at ipcdn@terayon.com
46      and/or the author.

48   1. The SNMPv2 Network Management Framework
49      The SNMPv2 Network Management Framework presently consists of three
50      major components. They are:

52      o    the SMI, described in RFC 1902 [1] - the mechanisms used for
53           describing and naming objects for the purpose of management.

55      o    the MIB-II, STD 17, RFC 1213 [2] - the core set of managed
56           objects for the Internet suite of protocols.

58      o    the protocol, RFC 1157 [3] and/or RFC 1905 [4], - the protocol
59           for accessing managed objects.

61      The Framework permits new objects to be defined for the purpose of
62      experimentation and evaluation.

64   2. Object Definitions

66      Managed objects are accessed via a virtual information store, termed
67      the Management Information Base or MIB. Objects in the MIB are
68      defined using the subset of Abstract Syntax Notation One (ASN.1)
69      defined in the SMI. In particular, each object type is named by an
70      OBJECT IDENTIFIER, an administratively assigned name. The object
71      type together with an object instance serves to uniquely identify a
72      specific instantiation of the object. For human convenience, we
73      often use a textual string, termed the descriptor, to refer to the
74      object type.

76   3. Overview

78      This MIB provides a set of objects required for the management of the
79      Baseline Privacy Interface for MCNS compliant Cable Modems (CMs) and
80      Cable Modem Termination Systems (CMTSs). This MIB specification is
81      derived from the MCNS Baseline Privacy Interface specification [7],
82      which is an extension to the MCNS Radio Frequency Interface
83      specification [8].

85   3.1. Structure of the MIB

87      This MIB consists of one group of CM-only objects (docsBpiCmGroup),
88      and one group of CMTS-only objects (docsBpiCmtsGroup).

90      The CM-only objects are organized into two tables:

92      o    The docsBpiCmBaseTable contains objects for managing basic
93           Baseline Privacy parameters and counters, and for managing the
94           Authorization finite state machine.

96      o    The docsBpiCmTEKTable contains objects for managing the Traffic
97           Encryption Key (TEK) finite state machine per SID.

99      The CMTS-only objects are organized into four groupings:

101     o    The docsBpiCmtsBaseTable contains objects for managing basic
102          Baseline Privacy parameters and counters.

104     o    The docsBpiCmtsAuthTable contains objects for managing the
105          Authorization association information per cable modem.

107     o    The docsBpiCmtsTEKTable contains objects for managing the TEK
108          association information per SID.

110     o    The docsBpiMulticastControl consists of two tables. The
111          docsBpiIpMulticastMapTable controls the mapping of downstream
112          IP multicast data traffic to downstream multicast SID values.
113          The docsBpiMulticastAuthTable controls which CMs are authorized
114          to receive downstream traffic transmitted over particular
115          multicast SIDs; a CM will receive TEKs corresponding to the
116          multicast SIDs for which it is authorized. The combination of
117          these two tables will limit the distribution of downstream IP
118          multicast data traffic to authorized CMs.

120  3.2. Management requirements

122     The Baseline Privacy Interface specification is documented in [7],
123     and is an extension to the Radio Frequency Interface specification
124     documented in [8]. In addition to the explicit requirements in this
125     specification, the CM and CMTS enabled for Baseline Privacy MUST
126     support all applicable MCNS and IETF requirements and MIB objects.
127     Specifications that identify relevant requirements and MIB objects
128     include the IETF Radio Frequency MIB [5], the IETF Cable Device MIB
129     [6], and the MCNS OSSI Specification [9].

131     The explicit management requirements of the Baseline Privacy
132     Interface, which motivate the development of the MIB in this
133     document, are detailed below:

135     o    The CM and CMTS MUST support viewing relevant RSA public keys,
136          for future subscriber authentication applications.

138     o    The Baseline Privacy management interface needs to support
139          operator configuration of Authorization and TEK Finite State
140          Machine (FSM) parameters, for performance tuning and security
141          incident handling. The CMTS MUST support configuring and
142          viewing all FSM-related parameters, including baseline privacy
143          status (enabled or disabled), key lifetimes, key grace times,
144          and state timeout values. The CM MUST support viewing these
145          parameters where possible.

147     o    The management interface needs to support operator analysis and
148          override of FSM behavior, for fault management, subscriber
149          service de-provisioning, and security incident handling. The CM
150          MUST support viewing the current FSM states. The CM and CMTS
151          MUST support viewing message error codes and message error
152          strings, and counters for invalid KEK and TEK events, for key
153          expirations and renewals, and for duplicate messages. The CM
154          and CMTS MUST support viewing current authorization key sequence
155          numbers and key expiration times for failure diagnosis.

157     o    The management interface needs to support dynamic control of the
158          distribution of IP multicast data traffic. This control
159          includes forwarding IP multicast traffic to the correct
160          multicast group (SID), and managing the membership lists of each
161          multicast group (SID). The CMTS MUST support configuring and
162          viewing all IP multicast forwarding state, and all multicast
163          group memberships, within the MAC domains of the CMTS.
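
The following Python example is added here and is not part of the draft or of any MCNS or IETF code. It applies the operator analysis that section 3.2 calls for (FSM state, error codes, counters and key expiration times) to one polled docsBpiCmBaseTable row, using the object names and enumerations from the MIB module in section 4. The sample rows, the finding labels, the treatment of an 8-octet DateAndTime as UTC and the grace-window heuristic are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Enumerations copied from the object definitions in the MIB module on this page.
AUTH_STATE = {1: "start", 2: "authWait", 3: "authorized",
              4: "reauthWait", 5: "authRejectWait"}
AUTH_REJECT_CODE = {1: "none", 2: "unknown", 3: "unauthorizedCm",
                    4: "unauthorizedSid"}
AUTH_INVALID_CODE = {1: "none", 2: "unknown", 3: "unauthorizedCm",
                     5: "unsolicited", 6: "invalidKeySequence",
                     7: "keyRequestAuthenticationFailure"}
TRUTH_TRUE = 1  # SNMPv2-TC TruthValue: true(1), false(2)


def decode_date_and_time(octets):
    """Decode an SNMPv2-TC DateAndTime (8 or 11 octets) to an aware UTC datetime."""
    if len(octets) not in (8, 11):
        raise ValueError("DateAndTime must be 8 or 11 octets")
    year = int.from_bytes(octets[0:2], "big")
    month, day, hour, minute, second, deci = octets[2:8]
    # The seconds field may be 60 for a leap second; datetime cannot hold that.
    local = datetime(year, month, day, hour, minute, min(second, 59),
                     deci * 100_000)
    offset = timedelta(0)  # assumption: an 8-octet value is already UTC
    if len(octets) == 11:
        sign = {b"+": 1, b"-": -1}.get(octets[8:9])
        if sign is None:
            raise ValueError("bad direction-from-UTC octet")
        offset = sign * timedelta(hours=octets[9], minutes=octets[10])
    return (local - offset).replace(tzinfo=timezone.utc)


def counter32_delta(prev, curr):
    """Counter32 increase between two polls, allowing one wrap at 2**32.

    Assumes the agent did not restart between the polls.
    """
    return (curr - prev) % 2**32


def assess_cm_row(prev, curr, now):
    """Return findings for one CM MAC interface from two successive polls."""
    if curr["docsBpiCmPrivacyEnable"] != TRUTH_TRUE:
        return ["privacy-not-provisioned"]
    findings = []
    state = AUTH_STATE.get(curr["docsBpiCmAuthState"], "undefined")
    expires = decode_date_and_time(curr["docsBpiCmAuthExpires"])
    remaining = (expires - now).total_seconds()
    if remaining <= 0:
        # docsBpiCmAuthExpires holds the last expiry when nothing is active.
        findings.append("no-active-authorization")
    elif remaining <= curr["docsBpiCmAuthGraceTime"] and state == "authorized":
        # Heuristic: inside the grace window the CM should be reauthorizing.
        findings.append("in-grace-window-without-reauth")
    if state in ("authRejectWait", "undefined"):
        findings.append(f"state: {state}")
    checks = (
        ("docsBpiCmAuthRejects", "docsBpiCmAuthRejectErrorCode",
         AUTH_REJECT_CODE, "auth-reject"),
        ("docsBpiCmAuthInvalids", "docsBpiCmAuthInvalidErrorCode",
         AUTH_INVALID_CODE, "auth-invalid"),
    )
    for counter, code_column, names, label in checks:
        delta = counter32_delta(prev[counter], curr[counter])
        if delta:
            code = names.get(curr[code_column], "undefined")
            findings.append(f"{label} x{delta}: {code}")
    return findings


# Constructed sample polls (not captured from any device).
SAMPLE_NOW = datetime(1998, 7, 17, 19, 30, tzinfo=timezone.utc)
SAMPLE_PREV = {"docsBpiCmAuthRejects": 0, "docsBpiCmAuthInvalids": 4294967295}
SAMPLE_CURR = {
    "docsBpiCmPrivacyEnable": 1,
    "docsBpiCmAuthState": 3,
    # 1998-07-17,19:35:00.0,+0:0
    "docsBpiCmAuthExpires": bytes([0x07, 0xCE, 7, 17, 19, 35, 0, 0]) + b"+\x00\x00",
    "docsBpiCmAuthGraceTime": 600,
    "docsBpiCmAuthRejects": 0,
    "docsBpiCmAuthRejectErrorCode": 1,
    "docsBpiCmAuthInvalids": 1,
    "docsBpiCmAuthInvalidErrorCode": 6,
}

if __name__ == "__main__":
    for finding in assess_cm_row(SAMPLE_PREV, SAMPLE_CURR, SAMPLE_NOW):
        print(finding)
```
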

165  4. Definitions

167  DOCS-BPI-MIB DEFINITIONS ::= BEGIN

169  IMPORTS
170      MODULE-IDENTITY, OBJECT-TYPE,
171      Counter32, IpAddress
172          FROM SNMPv2-SMI
173      DisplayString, MacAddress, RowStatus, TruthValue, DateAndTime
174          FROM SNMPv2-TC
175      OBJECT-GROUP, MODULE-COMPLIANCE
176          FROM SNMPv2-CONF
177      ifIndex
178          FROM IF-MIB
179      docsIfMib, docsIfCmServiceId, docsIfCmtsServiceId
180          FROM DOCS-IF-MIB
181      ;

183  docsBpiMIB MODULE-IDENTITY
184      LAST-UPDATED    "9807171930Z"
185      ORGANIZATION    "IETF IPCDN Working Group"
186      CONTACT-INFO    "Rich Woundy
187          Postal: American Internet
188                  4 Preston Court
189                  Bedford, MA 01730
190          Tel:    +1 781 276 4509
191          Fax:    +1 781 275 4930
192          E-mail: rwoundy@american.com"

194      DESCRIPTION
195          "This is the MIB Module for the DOCSIS Baseline Privacy Interface
196          (BPI) at cable modems (CMs) and cable modem termination systems
197          (CMTSs)."
198      ::= { docsIfMib 5 }

200  docsBpiMIBObjects OBJECT IDENTIFIER ::= { docsBpiMIB 1 }

202  -- Cable Modem Group

204  docsBpiCmObjects OBJECT IDENTIFIER ::= { docsBpiMIBObjects 1 }

206  --
207  -- The BPI base and authorization table for CMs, indexed by ifIndex
208  --

210  docsBpiCmBaseTable OBJECT-TYPE
211      SYNTAX      SEQUENCE OF DocsBpiCmBaseEntry
212      MAX-ACCESS  not-accessible
213      STATUS      current
214      DESCRIPTION
215          "Describes the basic and authorization-related Baseline Privacy
216          attributes of each CM MAC interface."
217      ::= { docsBpiCmObjects 1 }

219  docsBpiCmBaseEntry OBJECT-TYPE
220      SYNTAX      DocsBpiCmBaseEntry
221      MAX-ACCESS  not-accessible
222      STATUS      current
223      DESCRIPTION
224          "An entry containing objects describing attributes of one CM MAC
225          interface. An entry in this table exists for each ifEntry with an
226          ifType of docsCableMaclayer(127)."
227      INDEX       { ifIndex }
228      ::= { docsBpiCmBaseTable 1 }

230  DocsBpiCmBaseEntry ::= SEQUENCE {
231      docsBpiCmPrivacyEnable              TruthValue,
232      docsBpiCmPublicKey                  OCTET STRING,
233      docsBpiCmAuthState                  INTEGER,
234      docsBpiCmAuthKeySequenceNumber      INTEGER,
235      docsBpiCmAuthExpires                DateAndTime,
236      docsBpiCmAuthReset                  TruthValue,
237      docsBpiCmAuthGraceTime              INTEGER,
238      docsBpiCmTEKGraceTime               INTEGER,
239      docsBpiCmAuthWaitTimeout            INTEGER,
240      docsBpiCmReauthWaitTimeout          INTEGER,
241      docsBpiCmOpWaitTimeout              INTEGER,
242      docsBpiCmRekeyWaitTimeout           INTEGER,
243      docsBpiCmAuthRejectWaitTimeout      INTEGER,
244      docsBpiCmAuthRequests               Counter32,
245      docsBpiCmAuthReplies                Counter32,
246      docsBpiCmAuthRejects                Counter32,
247      docsBpiCmAuthInvalids               Counter32,
248      docsBpiCmAuthRejectErrorCode        INTEGER,
249      docsBpiCmAuthRejectErrorString      DisplayString,
250      docsBpiCmAuthInvalidErrorCode       INTEGER,
251      docsBpiCmAuthInvalidErrorString     DisplayString
252      }

254  docsBpiCmPrivacyEnable OBJECT-TYPE
255      SYNTAX      TruthValue
256      MAX-ACCESS  read-only
257      STATUS      current
258      DESCRIPTION
259          "This identifies whether this CM is provisioned to run Baseline
260          Privacy. This is analogous to the presence (or absence) of the
261          Baseline Privacy Configuration Setting option as described in BPI
262          Appendix A.1.1. The status of each individual SID with respect to
263          Baseline Privacy is captured in the docsBpiCmTEKPrivacyEnable object.
264          Note: this object will be read-write accessible only after the
265          ability to start and stop the authorization state machine is
266          understood."
267      ::= { docsBpiCmBaseEntry 1 }

269  docsBpiCmPublicKey OBJECT-TYPE
270      SYNTAX      OCTET STRING (SIZE (0..97))
271      MAX-ACCESS  read-only
272      STATUS      current
273      DESCRIPTION
274          "Public key of the CM encoded as an ASN.1 SubjectPublicKeyInfo object
275          as defined in the RSA Encryption Standard (PKCS #1) [12]."
276      ::= { docsBpiCmBaseEntry 2 }

278  docsBpiCmAuthState OBJECT-TYPE
279      SYNTAX      INTEGER {
280                      start(1),
281                      authWait(2),
282                      authorized(3),
283                      reauthWait(4),
284                      authRejectWait(5)
285                  }
286      MAX-ACCESS  read-only
287      STATUS      current
288      DESCRIPTION
289          "The state of the CM authorization FSM. The start state indicates
290          that FSM is in its initial state."
291      ::= { docsBpiCmBaseEntry 3 }

293  docsBpiCmAuthKeySequenceNumber OBJECT-TYPE
294      SYNTAX      INTEGER (0..15)
295      MAX-ACCESS  read-only
296      STATUS      current
297      DESCRIPTION
298          "The authorization key sequence number for this FSM."
299      ::= { docsBpiCmBaseEntry 4 }

301  docsBpiCmAuthExpires OBJECT-TYPE
302      SYNTAX      DateAndTime
303      MAX-ACCESS  read-only
304      STATUS      current
305      DESCRIPTION
306          "Actual clock time when the current authorization for this FSM
307          expires. If the CM does not have an active authorization, then the
308          value is of the expiration date and time of the last active
309          authorization."
310      ::= { docsBpiCmBaseEntry 5 }

312  docsBpiCmAuthReset OBJECT-TYPE
313      SYNTAX      TruthValue
314      MAX-ACCESS  read-write
315      STATUS      current
316      DESCRIPTION
317          "Setting this object to TRUE generates a Reauthorize event in the
318          authorization FSM, as described in section 4.1.2.3.4 of the Baseline
319          Privacy Interface Specification. Reading this object always returns
320          FALSE."
321      ::= { docsBpiCmBaseEntry 6 }

323  docsBpiCmAuthGraceTime OBJECT-TYPE
324      SYNTAX      INTEGER (1..1800)
325      UNITS       "seconds"
326      MAX-ACCESS  read-only
327      STATUS      current
328      DESCRIPTION
329          "Grace time for an authorization key. A CM is expected to start
330          trying to get a new authorization key beginning AuthGraceTime seconds
331          before the authorization key actually expires. The value of this
332          object cannot be changed while the authorization state machine is
333          running. Note: this object will be read-write accessible only after
334          the ability to start and stop the authorization state machine is
335          understood."
336      ::= { docsBpiCmBaseEntry 7 }
337  docsBpiCmTEKGraceTime OBJECT-TYPE
338      SYNTAX      INTEGER (1..1800)
339      UNITS       "seconds"
340      MAX-ACCESS  read-only
341      STATUS      current
342      DESCRIPTION
343          "Grace time for a TEK. A CM is expected to start trying to get a new
344          TEK beginning TEKGraceTime seconds before the TEK actually expires.
345          The value of this object cannot be changed while the authorization
346          state machine is running. Note: this object will be read-write
347          accessible only after the ability to start and stop the authorization
348          state machine is understood."
349      ::= { docsBpiCmBaseEntry 8 }

351  docsBpiCmAuthWaitTimeout OBJECT-TYPE
352      SYNTAX      INTEGER (2..30)
353      UNITS       "seconds"
354      MAX-ACCESS  read-only
355      STATUS      current
356      DESCRIPTION
357          "Authorize Wait Timeout. The value of this object cannot be changed
358          while the authorization state machine is running. Note: this object
359          will be read-write accessible only after the ability to start and
360          stop the authorization state machine is understood."
361      ::= { docsBpiCmBaseEntry 9 }

363  docsBpiCmReauthWaitTimeout OBJECT-TYPE
364      SYNTAX      INTEGER (2..30)
365      UNITS       "seconds"
366      MAX-ACCESS  read-only
367      STATUS      current
368      DESCRIPTION
369          "Reauthorize Wait Timeout in seconds. The value of this object cannot
370          be changed while the authorization state machine is running. Note:
371          this object will be read-write accessible only after the ability to
372          start and stop the authorization state machine is understood."
373      ::= { docsBpiCmBaseEntry 10 }

375  docsBpiCmOpWaitTimeout OBJECT-TYPE
376      SYNTAX      INTEGER (1..10)
377      UNITS       "seconds"
378      MAX-ACCESS  read-only
379      STATUS      current
380      DESCRIPTION
381          "Operational Wait Timeout in seconds. The value of this object cannot
382          be changed while the authorization state machine is running. Note:
383          this object will be read-write accessible only after the ability to
384          start and stop the authorization state machine is understood."
385      ::= { docsBpiCmBaseEntry 11 }

387  docsBpiCmRekeyWaitTimeout OBJECT-TYPE
388      SYNTAX      INTEGER (1..10)
389      UNITS       "seconds"
390      MAX-ACCESS  read-only
391      STATUS      current
392      DESCRIPTION
393          "Rekey Wait Timeout in seconds. The value of this object cannot be
394          changed while the authorization state machine is running. Note: this
395          object will be read-write accessible only after the ability to start
396          and stop the authorization state machine is understood."
397      ::= { docsBpiCmBaseEntry 12 }

399  docsBpiCmAuthRejectWaitTimeout OBJECT-TYPE
400      SYNTAX      INTEGER (60..1800)
401      UNITS       "seconds"
402      MAX-ACCESS  read-only
403      STATUS      current
404      DESCRIPTION
405          "Authorization Reject Wait Timeout in seconds. The value of this
406          object cannot be changed while the authorization state machine is
407          running. Note: this object will be read-write accessible only after
408          the ability to start and stop the authorization state machine is
409          understood."
410      ::= { docsBpiCmBaseEntry 13 }

412  docsBpiCmAuthRequests OBJECT-TYPE
413      SYNTAX      Counter32
414      MAX-ACCESS  read-only
415      STATUS      current
416      DESCRIPTION
417          "Count of times the CM has transmitted an Authorization Request
418          message."
419      ::= { docsBpiCmBaseEntry 14 }

421  docsBpiCmAuthReplies OBJECT-TYPE
422      SYNTAX      Counter32
423      MAX-ACCESS  read-only
424      STATUS      current
425      DESCRIPTION
426          "Count of times the CM has received an Authorization Reply message."
427      ::= { docsBpiCmBaseEntry 15 }

429  docsBpiCmAuthRejects OBJECT-TYPE
430      SYNTAX      Counter32
431      MAX-ACCESS  read-only
432      STATUS      current
433      DESCRIPTION
434          "Count of times the CM has received an Authorization Reject message."
435      ::= { docsBpiCmBaseEntry 16 }

437  docsBpiCmAuthInvalids OBJECT-TYPE
438      SYNTAX      Counter32
439      MAX-ACCESS  read-only
440      STATUS      current
441      DESCRIPTION
442          "Count of times the CM has received an Authorization Invalid message."
443      ::= { docsBpiCmBaseEntry 17 }

445  docsBpiCmAuthRejectErrorCode OBJECT-TYPE
446      SYNTAX      INTEGER {
447                      none(1),
448                      unknown(2),
449                      unauthorizedCm(3),
450                      unauthorizedSid(4)
451                  }
452      MAX-ACCESS  read-only
453      STATUS      current
454      DESCRIPTION
455          "Error-Code in most recent Authorization Reject message received by
456          the CM. This has value unknown(2) if the last Error-Code value was
457          0, and none(1) if no Authorization Reject message has been received
458          since reboot."
459      ::= { docsBpiCmBaseEntry 18 }

461  docsBpiCmAuthRejectErrorString OBJECT-TYPE
462      SYNTAX      DisplayString (SIZE (0..128))
463      MAX-ACCESS  read-only
464      STATUS      current
465      DESCRIPTION
466          "Display-String in most recent Authorization Reject message received
467          by the CM. This is a zero length string if no Authorization Reject
468          message has been received since reboot."
469      ::= { docsBpiCmBaseEntry 19 }

471  docsBpiCmAuthInvalidErrorCode OBJECT-TYPE
472      SYNTAX      INTEGER {
473                      none(1),
474                      unknown(2),
475                      unauthorizedCm(3),
476                      unsolicited(5),
477                      invalidKeySequence(6),
478                      keyRequestAuthenticationFailure(7)
479                  }
480      MAX-ACCESS  read-only
481      STATUS      current
482      DESCRIPTION
483          "Error-Code in most recent Authorization Invalid message received by
484          the CM. This has value unknown(2) if the last Error-Code value was
485          0, and none(1) if no Authorization Invalid message has been received
486          since reboot."
487      ::= { docsBpiCmBaseEntry 20 }

489  docsBpiCmAuthInvalidErrorString OBJECT-TYPE
490      SYNTAX      DisplayString (SIZE (0..128))
491      MAX-ACCESS  read-only
492      STATUS      current
493      DESCRIPTION
494          "Display-String in most recent Authorization Invalid message received
495          by the CM. This is a zero length string if no Authorization Invalid
496          message has been received since reboot."
497      ::= { docsBpiCmBaseEntry 21 }

499  --
500  -- The CM TEK Table, indexed by ifIndex and SID
501  --

503  docsBpiCmTEKTable OBJECT-TYPE
504      SYNTAX      SEQUENCE OF DocsBpiCmTEKEntry
505      MAX-ACCESS  not-accessible
506      STATUS      current
507      DESCRIPTION
508          "Describes the attributes of each CM Traffic Encryption Key (TEK)
509          association. The CM maintains (no more than) one TEK association per
510          SID per CM MAC interface."
511      ::= { docsBpiCmObjects 2 }

513  docsBpiCmTEKEntry OBJECT-TYPE
514      SYNTAX      DocsBpiCmTEKEntry
515      MAX-ACCESS  not-accessible
516      STATUS      current
517      DESCRIPTION
518          "An entry containing objects describing the TEK association attributes
519          of one SID. The CM MUST create one entry per unicast or multicast SID,
520          regardless of whether the SID was obtained from a Registration
521          Response message, from an Authorization Reply message, or from any
522          future dynamic SID establishment mechanisms. "
523      INDEX       { ifIndex, docsIfCmServiceId }
524      ::= { docsBpiCmTEKTable 1 }

526  DocsBpiCmTEKEntry ::= SEQUENCE {
527      docsBpiCmTEKPrivacyEnable           TruthValue,
528      docsBpiCmTEKState                   INTEGER,
529      docsBpiCmTEKExpiresOld              DateAndTime,
530      docsBpiCmTEKExpiresNew              DateAndTime,
531      docsBpiCmTEKKeyRequests             Counter32,
532      docsBpiCmTEKKeyReplies              Counter32,
533      docsBpiCmTEKKeyRejects              Counter32,
534      docsBpiCmTEKInvalids                Counter32,
535      docsBpiCmTEKAuthPends               Counter32,
536      docsBpiCmTEKKeyRejectErrorCode      INTEGER,
537      docsBpiCmTEKKeyRejectErrorString    DisplayString,
538      docsBpiCmTEKInvalidErrorCode        INTEGER,
539      docsBpiCmTEKInvalidErrorString      DisplayString
540      }

542  docsBpiCmTEKPrivacyEnable OBJECT-TYPE
543      SYNTAX      TruthValue
544      MAX-ACCESS  read-write
545      STATUS      current
546      DESCRIPTION
547          "This identifies whether this SID is provisioned to run Baseline
548          Privacy. This is analogous to enabling Baseline Privacy on a
549          provisioned SID using the Class-of-Service Privacy Enable option as
550          described in BPI Appendix A.1.2. This object may be set to TRUE or
551          FALSE at any time (causing the CM to send a Reauth event to the
552          authorization machine), regardless of whether Baseline Privacy is
553          enabled for the CM. However, Baseline Privacy is not effectively
554          enabled for any SID unless Baseline Privacy is enabled for the CM,
555          which is managed via the docsBpiCmPrivacyEnable object."
556      ::= { docsBpiCmTEKEntry 1 }

558  docsBpiCmTEKState OBJECT-TYPE
559      SYNTAX      INTEGER {
560                      start (1),
561                      opWait (2),
562                      opReauthWait (3),
563                      operational (4),
564                      rekeyWait (5),
565                      rekeyReauthWait (6)
566                  }
567      MAX-ACCESS  read-only
568      STATUS      current
569      DESCRIPTION
570          "The state of the indicated TEK FSM. The start(1) state indicates that
571          FSM is in its initial state."
572      ::= { docsBpiCmTEKEntry 2 }

574  docsBpiCmTEKExpiresOld OBJECT-TYPE
575      SYNTAX      DateAndTime
576      MAX-ACCESS  read-only
577      STATUS      current
578      DESCRIPTION
579          "Actual clock time for expiration of the oldest active key for this
580          FSM. If this FSM has no active keys, then the value is of the
581          expiration date and time of the last active key."
582      ::= { docsBpiCmTEKEntry 3 }

584  docsBpiCmTEKExpiresNew OBJECT-TYPE
585      SYNTAX      DateAndTime
586      MAX-ACCESS  read-only
587      STATUS      current
588      DESCRIPTION
589          "Actual clock time for expiration of the newest active key for this
590          FSM. If this FSM has no active keys, then the value is of the
591          expiration date and time of the last active key."
592      ::= { docsBpiCmTEKEntry 4 }

594  docsBpiCmTEKKeyRequests OBJECT-TYPE
595      SYNTAX      Counter32
596      MAX-ACCESS  read-only
597      STATUS      current
598      DESCRIPTION
599          "Count of times the CM has transmitted a Key Request message."
600      ::= { docsBpiCmTEKEntry 5 }

602  docsBpiCmTEKKeyReplies OBJECT-TYPE
603      SYNTAX      Counter32
604      MAX-ACCESS  read-only
605      STATUS      current
606      DESCRIPTION
607          "Count of times the CM has received a Key Reply message."
608      ::= { docsBpiCmTEKEntry 6 }

610  docsBpiCmTEKKeyRejects OBJECT-TYPE
611      SYNTAX      Counter32
612      MAX-ACCESS  read-only
613      STATUS      current
614      DESCRIPTION
615          "Count of times the CM has received a Key Reject message."
616      ::= { docsBpiCmTEKEntry 7 }

618  docsBpiCmTEKInvalids OBJECT-TYPE
619      SYNTAX      Counter32
620      MAX-ACCESS  read-only
621      STATUS      current
622      DESCRIPTION
623          "Count of times the CM has received a TEK Invalid message."
624      ::= { docsBpiCmTEKEntry 8 }
625  docsBpiCmTEKAuthPends OBJECT-TYPE
626      SYNTAX      Counter32
627      MAX-ACCESS  read-only
628      STATUS      current
629      DESCRIPTION
630          "Count of times an Authorization Pending (Auth Pend) event occurred in
631          this FSM."
632      ::= { docsBpiCmTEKEntry 9 }

634  docsBpiCmTEKKeyRejectErrorCode OBJECT-TYPE
635      SYNTAX      INTEGER {
636                      none(1),
637                      unknown(2),
638                      unauthorizedSid(4)
639                  }
640      MAX-ACCESS  read-only
641      STATUS      current
642      DESCRIPTION
643          "Error-Code in most recent Key Reject message received by the CM. This
644          has value unknown(2) if the last Error-Code value was 0, and none(1)
645          if no Key Reject message has been received since reboot."
646      ::= { docsBpiCmTEKEntry 10 }

648  docsBpiCmTEKKeyRejectErrorString OBJECT-TYPE
649      SYNTAX      DisplayString (SIZE (0..128))
650      MAX-ACCESS  read-only
651      STATUS      current
652      DESCRIPTION
653          "Display-String in most recent Key Reject message received by the CM.
654          This is a zero length string if no Key Reject message has been
655          received since reboot."
656      ::= { docsBpiCmTEKEntry 11 }

658  docsBpiCmTEKInvalidErrorCode OBJECT-TYPE
659      SYNTAX      INTEGER {
660                      none(1),
661                      unknown(2),
662                      invalidKeySequence(6)
663                  }
664      MAX-ACCESS  read-only
665      STATUS      current
666      DESCRIPTION
667          "Error-Code in most recent TEK Invalid message received by the CM.
668          This has value unknown(2) if the last Error-Code value was 0, and
669          none(1) if no TEK Invalid message has been received since reboot."
670      ::= { docsBpiCmTEKEntry 12 }

672  docsBpiCmTEKInvalidErrorString OBJECT-TYPE
673      SYNTAX      DisplayString (SIZE (0..128))
674      MAX-ACCESS  read-only
675      STATUS      current
676      DESCRIPTION
677          "Display-String in most recent TEK Invalid message received by the CM.
678          This is a zero length string if no TEK Invalid message has been
679          received since reboot."
680      ::= { docsBpiCmTEKEntry 13 }

682  -- Cable Modem Termination System Group

684  docsBpiCmtsObjects OBJECT IDENTIFIER ::= { docsBpiMIBObjects 2 }

686  --
687  -- The BPI base table for CMTSs, indexed by ifIndex
688  --

690  docsBpiCmtsBaseTable OBJECT-TYPE
691      SYNTAX      SEQUENCE OF DocsBpiCmtsBaseEntry
692      MAX-ACCESS  not-accessible
693      STATUS      current
694      DESCRIPTION
695          "Describes the basic Baseline Privacy attributes of each CMTS MAC
696          interface."
697      ::= { docsBpiCmtsObjects 1 }

699  docsBpiCmtsBaseEntry OBJECT-TYPE
700      SYNTAX      DocsBpiCmtsBaseEntry
701      MAX-ACCESS  not-accessible
702      STATUS      current
703      DESCRIPTION
704          "An entry containing objects describing attributes of one CMTS MAC
705          interface. An entry in this table exists for each ifEntry with an
706          ifType of docsCableMaclayer(127)."
707      INDEX       { ifIndex }
708      ::= { docsBpiCmtsBaseTable 1 }

710  DocsBpiCmtsBaseEntry ::= SEQUENCE {
711      docsBpiCmtsDefaultAuthLifetime      INTEGER,
712      docsBpiCmtsDefaultTEKLifetime       INTEGER,
713      docsBpiCmtsDefaultAuthGraceTime     INTEGER,
714      docsBpiCmtsDefaultTEKGraceTime      INTEGER,
715      docsBpiCmtsAuthRequests             Counter32,
716      docsBpiCmtsAuthReplies              Counter32,
717      docsBpiCmtsAuthRejects              Counter32,
718      docsBpiCmtsAuthInvalids             Counter32
719      }
720  docsBpiCmtsDefaultAuthLifetime OBJECT-TYPE
721      SYNTAX      INTEGER (1..6048000)
722      UNITS       "seconds"
723      MAX-ACCESS  read-write
724      STATUS      current
725      DESCRIPTION
726          "Default lifetime, in seconds, the CMTS assigns to a new authorization
727          key."
728 ::= { docsBpiCmtsBaseEntry 1 }

730 docsBpiCmtsDefaultTEKLifetime OBJECT-TYPE
731 SYNTAX INTEGER (1..604800)
732 UNITS "seconds"
733 MAX-ACCESS read-write
734 STATUS current
735 DESCRIPTION
736 "Default lifetime, in seconds, the CMTS assigns to a new Traffic
737 Encryption Key (TEK)."
738 ::= { docsBpiCmtsBaseEntry 2 }

740 docsBpiCmtsDefaultAuthGraceTime OBJECT-TYPE
741 SYNTAX INTEGER (1..1800)
742 UNITS "seconds"
743 MAX-ACCESS read-write
744 STATUS current
745 DESCRIPTION
746 "Default grace time, in seconds, the CMTS uses for an authorization
747 key. This controls how far in advance of authorization key expiration
748 that the CMTS is expected to produce the next generation of keying
749 material. This value is expected to agree with the Authorization Grace
750 Time that the provisioning system provides to CMs."
751 ::= { docsBpiCmtsBaseEntry 3 }

753 docsBpiCmtsDefaultTEKGraceTime OBJECT-TYPE
754 SYNTAX INTEGER (1..1800)
755 UNITS "seconds"
756 MAX-ACCESS read-write
757 STATUS current
758 DESCRIPTION
759 "Default grace time, in seconds, the CMTS uses for a Traffic
760 Encryption Key (TEK). This controls how far in advance of TEK
761 expiration that the CMTS is expected to produce the next generation
762 of keying material. This value is expected to agree with the TEK Grace
763 Time that the provisioning system provides to CMs. Note that this
764 object is particularly relevant for multicast SIDs, where multiple
765 grace time values cannot be honored."
766 ::= { docsBpiCmtsBaseEntry 4 }

767 docsBpiCmtsAuthRequests OBJECT-TYPE
768 SYNTAX Counter32
769 MAX-ACCESS read-only
770 STATUS current
771 DESCRIPTION
772 "Count of times the CMTS has received an Authorization Request message
773 from any CM."
774 ::= { docsBpiCmtsBaseEntry 5 }

776 docsBpiCmtsAuthReplies OBJECT-TYPE
777 SYNTAX Counter32
778 MAX-ACCESS read-only
779 STATUS current
780 DESCRIPTION
781 "Count of times the CMTS has transmitted an Authorization Reply
782 message to any CM."
783 ::= { docsBpiCmtsBaseEntry 6 }

785 docsBpiCmtsAuthRejects OBJECT-TYPE
786 SYNTAX Counter32
787 MAX-ACCESS read-only
788 STATUS current
789 DESCRIPTION
790 "Count of times the CMTS has transmitted an Authorization Reject
791 message to any CM."
792 ::= { docsBpiCmtsBaseEntry 7 }

794 docsBpiCmtsAuthInvalids OBJECT-TYPE
795 SYNTAX Counter32
796 MAX-ACCESS read-only
797 STATUS current
798 DESCRIPTION
799 "Count of times the CMTS has transmitted an Authorization Invalid
800 message to any CM."
801 ::= { docsBpiCmtsBaseEntry 8 }

803 --
804 -- The CMTS Authorization Table, indexed by ifIndex and CM MAC address
805 --

807 docsBpiCmtsAuthTable OBJECT-TYPE
808 SYNTAX SEQUENCE OF DocsBpiCmtsAuthEntry
809 MAX-ACCESS not-accessible
810 STATUS current
811 DESCRIPTION
812 "Describes the attributes of each CM authorization association. The
813 CMTS maintains one authorization association with each Baseline
814 Privacy-enabled CM on each CMTS MAC interface."
815 ::= { docsBpiCmtsObjects 2 }

817 docsBpiCmtsAuthEntry OBJECT-TYPE
818 SYNTAX DocsBpiCmtsAuthEntry
819 MAX-ACCESS not-accessible
820 STATUS current
821 DESCRIPTION
822 "An entry containing objects describing attributes of one
823 authorization association. The CMTS MUST create one entry per CM per
824 MAC interface, based on the receipt of an Authorization Request
825 message, and MUST not delete the entry before the CM authorization
826 permanently expires."
827 INDEX { ifIndex, docsBpiCmtsAuthCmMacAddress }
828 ::= { docsBpiCmtsAuthTable 1 }

830 DocsBpiCmtsAuthEntry ::= SEQUENCE {
831 docsBpiCmtsAuthCmMacAddress MacAddress,
832 docsBpiCmtsAuthCmPublicKey OCTET STRING,
833 docsBpiCmtsAuthCmKeySequenceNumber INTEGER,
834 docsBpiCmtsAuthCmExpires DateAndTime,
835 docsBpiCmtsAuthCmLifetime INTEGER,
836 docsBpiCmtsAuthCmGraceTime INTEGER,
837 docsBpiCmtsAuthCmReset INTEGER,
838 docsBpiCmtsAuthCmRequests Counter32,
839 docsBpiCmtsAuthCmReplies Counter32,
840 docsBpiCmtsAuthCmRejects Counter32,
841 docsBpiCmtsAuthCmInvalids Counter32,
842 docsBpiCmtsAuthRejectErrorCode INTEGER,
843 docsBpiCmtsAuthRejectErrorString DisplayString,
844 docsBpiCmtsAuthInvalidErrorCode INTEGER,
845 docsBpiCmtsAuthInvalidErrorString DisplayString
846 }

848 docsBpiCmtsAuthCmMacAddress OBJECT-TYPE
849 SYNTAX MacAddress
850 MAX-ACCESS not-accessible
851 STATUS current
852 DESCRIPTION
853 "The physical address of the CM to which the authorization association
854 applies."
855 ::= { docsBpiCmtsAuthEntry 1 }

857 docsBpiCmtsAuthCmPublicKey OBJECT-TYPE
858 SYNTAX OCTET STRING (SIZE (0..97))
859 MAX-ACCESS read-only
860 STATUS current
861 DESCRIPTION
862 "Public key of the CM encoded as an ASN.1 SubjectPublicKeyInfo object
863 as defined in the RSA Encryption Standard (PKCS #1) [12]. This is a
864 zero-length string if the CMTS does not retain the public key."
865 ::= { docsBpiCmtsAuthEntry 2 }

867 docsBpiCmtsAuthCmKeySequenceNumber OBJECT-TYPE
868 SYNTAX INTEGER (0..15)
869 MAX-ACCESS read-only
870 STATUS current
871 DESCRIPTION
872 "The authorization key sequence number for this CM."
873 ::= { docsBpiCmtsAuthEntry 3 }

875 docsBpiCmtsAuthCmExpires OBJECT-TYPE
876 SYNTAX DateAndTime
877 MAX-ACCESS read-only
878 STATUS current
879 DESCRIPTION
880 "Actual clock time when the current authorization for this CM expires.
881 If this CM does not have an active authorization, then the value is of
882 the expiration date and time of the last active authorization."
883 ::= { docsBpiCmtsAuthEntry 4 }

885 docsBpiCmtsAuthCmLifetime OBJECT-TYPE
886 SYNTAX INTEGER (1..6048000)
887 UNITS "seconds"
888 MAX-ACCESS read-write
889 STATUS current
890 DESCRIPTION
891 "Lifetime, in seconds, the CMTS assigns to an authorization key for
892 this CM."
893 ::= { docsBpiCmtsAuthEntry 5 }

895 docsBpiCmtsAuthCmGraceTime OBJECT-TYPE
896 SYNTAX INTEGER (1..1800)
897 UNITS "seconds"
898 MAX-ACCESS read-only
899 STATUS current
900 DESCRIPTION
901 "Grace time for the authorization key in seconds. The CM is expected
902 to start trying to get a new authorization key beginning AuthGraceTime
903 seconds before the authorization key actually expires."
904 ::= { docsBpiCmtsAuthEntry 6 }

906 docsBpiCmtsAuthCmReset OBJECT-TYPE
907 SYNTAX INTEGER {
908 noResetRequested(1),
909 invalidateAuth(2),
910 sendAuthInvalid(3),
911 invalidateTeks(4)
912 }
913 MAX-ACCESS read-write
914 STATUS current
915 DESCRIPTION
916 "Setting this object to invalidateAuth(2) causes the CMTS to
917 invalidate the current CM authorization key, but not to transmit an
918 Authorization Invalid message nor to invalidate unicast TEKs. Setting
919 this object to sendAuthInvalid(3) causes the CMTS to invalidate the
920 current CM authorization key, and to transmit an Authorization Invalid
921 message to the CM, but not to invalidate unicast TEKs. Setting this
922 object to invalidateTeks(4) causes the CMTS to invalidate the current
923 CM authorization key, to transmit an Authorization Invalid message to
924 the CM, and to invalidate all unicast TEKs associated with this CM
925 authorization. Reading this object returns the most-recently-set value
926 of this object, or returns noResetRequested(1) if the object has not
927 been set since the last CMTS reboot."
928 ::= { docsBpiCmtsAuthEntry 7 }

930 docsBpiCmtsAuthCmRequests OBJECT-TYPE
931 SYNTAX Counter32
932 MAX-ACCESS read-only
933 STATUS current
934 DESCRIPTION
935 "Count of times the CMTS has received an Authorization Request message
936 from this CM."
937 ::= { docsBpiCmtsAuthEntry 8 }

939 docsBpiCmtsAuthCmReplies OBJECT-TYPE
940 SYNTAX Counter32
941 MAX-ACCESS read-only
942 STATUS current
943 DESCRIPTION
944 "Count of times the CMTS has transmitted an Authorization Reply
945 message to this CM."
946 ::= { docsBpiCmtsAuthEntry 9 }

948 docsBpiCmtsAuthCmRejects OBJECT-TYPE
949 SYNTAX Counter32
950 MAX-ACCESS read-only
951 STATUS current
952 DESCRIPTION
953 "Count of times the CMTS has transmitted an Authorization Reject
954 message to this CM."
955 ::= { docsBpiCmtsAuthEntry 10 }

957 docsBpiCmtsAuthCmInvalids OBJECT-TYPE
958 SYNTAX Counter32
959 MAX-ACCESS read-only
960 STATUS current
961 DESCRIPTION
962 "Count of times the CMTS has transmitted an Authorization Invalid
963 message to this CM."
964 ::= { docsBpiCmtsAuthEntry 11 }

966 docsBpiCmtsAuthRejectErrorCode OBJECT-TYPE
967 SYNTAX INTEGER {
968 none(1),
969 unknown(2),
970 unauthorizedCm(3),
971 unauthorizedSid(4)
972 }
973 MAX-ACCESS read-only
974 STATUS current
975 DESCRIPTION
976 "Error-Code in most recent Authorization Reject message transmitted to
977 the CM. This has value unknown(2) if the last Error-Code value was
978 0, and none(1) if no Authorization Reject message has been transmitted
979 to the CM."
980 ::= { docsBpiCmtsAuthEntry 12 }

982 docsBpiCmtsAuthRejectErrorString OBJECT-TYPE
983 SYNTAX DisplayString (SIZE (0..128))
984 MAX-ACCESS read-only
985 STATUS current
986 DESCRIPTION
987 "Display-String in most recent Authorization Reject message
988 transmitted to the CM. This is a zero length string if no
989 Authorization Reject message has been transmitted to the CM."
990 ::= { docsBpiCmtsAuthEntry 13 }

992 docsBpiCmtsAuthInvalidErrorCode OBJECT-TYPE
993 SYNTAX INTEGER {
994 none(1),
995 unknown(2),
996 unauthorizedCm(3),
997 unsolicited(5),
998 invalidKeySequence(6),
999 keyRequestAuthenticationFailure(7)
1000 }
1001 MAX-ACCESS read-only
1002 STATUS current
1003 DESCRIPTION
1004 "Error-Code in most recent Authorization Invalid message transmitted
1005 to the CM. This has value unknown(2) if the last Error-Code value was
1006 0, and none(1) if no Authorization Invalid message has been
1007 transmitted to the CM."
1008 ::= { docsBpiCmtsAuthEntry 14 }

1010 docsBpiCmtsAuthInvalidErrorString OBJECT-TYPE
1011 SYNTAX DisplayString (SIZE (0..128))
1012 MAX-ACCESS read-only
1013 STATUS current
1014 DESCRIPTION
1015 "Display-String in most recent Authorization Invalid message
1016 transmitted to the CM. This is a zero length string if no
1017 Authorization Invalid message has been transmitted to the CM."
1018 ::= { docsBpiCmtsAuthEntry 15 }

1020 --
1021 -- The CMTS TEK Table, indexed by ifIndex and SID
1022 --

1024 docsBpiCmtsTEKTable OBJECT-TYPE
1025 SYNTAX SEQUENCE OF DocsBpiCmtsTEKEntry
1026 MAX-ACCESS not-accessible
1027 STATUS current
1028 DESCRIPTION
1029 "Describes the attributes of each CM Traffic Encryption Key (TEK)
1030 association. The CMTS maintains one TEK association per SID on each
1031 CMTS MAC interface."
1032 ::= { docsBpiCmtsObjects 3 }

1034 docsBpiCmtsTEKEntry OBJECT-TYPE
1035 SYNTAX DocsBpiCmtsTEKEntry
1036 MAX-ACCESS not-accessible
1037 STATUS current
1038 DESCRIPTION
1039 "An entry containing objects describing attributes of one TEK
1040 association on a particular CMTS MAC interface. The CMTS MUST create
1041 one entry per SID per MAC interface, based on the receipt of an Key
1042 Request message, and MUST not delete the entry before the CM
1043 authorization for the SID permanently expires."
1045 INDEX { ifIndex, docsIfCmtsServiceId }
1046 ::= { docsBpiCmtsTEKTable 1 }

1048 DocsBpiCmtsTEKEntry ::= SEQUENCE {
1049 docsBpiCmtsTEKLifetime INTEGER,
1050 docsBpiCmtsTEKGraceTime INTEGER,
1051 docsBpiCmtsTEKExpiresOld DateAndTime,
1052 docsBpiCmtsTEKExpiresNew DateAndTime,
1053 docsBpiCmtsTEKReset TruthValue,
1054 docsBpiCmtsKeyRequests Counter32,
1055 docsBpiCmtsKeyReplies Counter32,
1056 docsBpiCmtsKeyRejects Counter32,
1057 docsBpiCmtsTEKInvalids Counter32,
1058 docsBpiCmtsKeyRejectErrorCode INTEGER,
1059 docsBpiCmtsKeyRejectErrorString DisplayString,
1060 docsBpiCmtsTEKInvalidErrorCode INTEGER,
1061 docsBpiCmtsTEKInvalidErrorString DisplayString
1062 }

1064 docsBpiCmtsTEKLifetime OBJECT-TYPE
1065 SYNTAX INTEGER (1..604800)
1066 UNITS "seconds"
1067 MAX-ACCESS read-write
1068 STATUS current
1069 DESCRIPTION
1070 "Lifetime, in seconds, the CMTS assigns to keys for this TEK
1071 association."
1072 ::= { docsBpiCmtsTEKEntry 1 }

1074 docsBpiCmtsTEKGraceTime OBJECT-TYPE
1075 SYNTAX INTEGER (1..1800)
1076 UNITS "seconds"
1077 MAX-ACCESS read-only
1078 STATUS current
1079 DESCRIPTION
1080 "Grace time for the TEK in seconds. The CM is expected to start
1081 trying to get a new TEK beginning TEKGraceTime seconds before the TEK
1082 actually expires."
1083 ::= { docsBpiCmtsTEKEntry 2 }

1085 docsBpiCmtsTEKExpiresOld OBJECT-TYPE
1086 SYNTAX DateAndTime
1087 MAX-ACCESS read-only
1088 STATUS current
1089 DESCRIPTION
1090 "Actual clock time for expiration of the oldest active key for this
1091 TEK association. If this TEK association has no active keys, then the
1092 value is of the expiration date and time of the last active key."
1093 ::= { docsBpiCmtsTEKEntry 3 }

1095 docsBpiCmtsTEKExpiresNew OBJECT-TYPE
1096 SYNTAX DateAndTime
1097 MAX-ACCESS read-only
1098 STATUS current
1099 DESCRIPTION
1100 "Actual clock time for expiration of the newest active key for this
1101 TEK association.
If this TEK association has no active keys, then the
1102 value is of the expiration date and time of the last active key."
1103 ::= { docsBpiCmtsTEKEntry 4 }

1105 docsBpiCmtsTEKReset OBJECT-TYPE
1106 SYNTAX TruthValue
1107 MAX-ACCESS read-write
1108 STATUS current
1109 DESCRIPTION
1110 "Setting this object to TRUE causes the CMTS to invalidate the current
1111 active TEK(s) (plural due to key transition periods), and to generate
1112 a new TEK for the associated SID. Reading this object always returns
1113 FALSE."
1114 ::= { docsBpiCmtsTEKEntry 5 }

1116 docsBpiCmtsKeyRequests OBJECT-TYPE
1117 SYNTAX Counter32
1118 MAX-ACCESS read-only
1119 STATUS current
1120 DESCRIPTION
1121 "Count of times the CMTS has received a Key Request message."
1122 ::= { docsBpiCmtsTEKEntry 6 }

1124 docsBpiCmtsKeyReplies OBJECT-TYPE
1125 SYNTAX Counter32
1126 MAX-ACCESS read-only
1127 STATUS current
1128 DESCRIPTION
1129 "Count of times the CMTS has transmitted a Key Reply message."
1130 ::= { docsBpiCmtsTEKEntry 7 }

1132 docsBpiCmtsKeyRejects OBJECT-TYPE
1133 SYNTAX Counter32
1134 MAX-ACCESS read-only
1135 STATUS current
1136 DESCRIPTION
1137 "Count of times the CMTS has transmitted a Key Reject message."
1138 ::= { docsBpiCmtsTEKEntry 8 }

1140 docsBpiCmtsTEKInvalids OBJECT-TYPE
1141 SYNTAX Counter32
1142 MAX-ACCESS read-only
1143 STATUS current
1144 DESCRIPTION
1145 "Count of times the CMTS has transmitted a TEK Invalid message."
1146 ::= { docsBpiCmtsTEKEntry 9 }

1148 docsBpiCmtsKeyRejectErrorCode OBJECT-TYPE
1149 SYNTAX INTEGER {
1150 none(1),
1151 unknown(2),
1152 unauthorizedSid(4)
1153 }
1154 MAX-ACCESS read-only
1155 STATUS current
1156 DESCRIPTION
1157 "Error-Code in the most recent Key Reject message sent in response to
1158 a Key Request for this BPI SID. This has value unknown(2) if the last
1159 Error-Code value was 0, and none(1) if no Key Reject message has been
1160 received since reboot."
1161 ::= { docsBpiCmtsTEKEntry 10 }

1163 docsBpiCmtsKeyRejectErrorString OBJECT-TYPE
1164 SYNTAX DisplayString (SIZE (0..128))
1165 MAX-ACCESS read-only
1166 STATUS current
1167 DESCRIPTION
1168 "Display-String in the most recent Key Reject message sent in response
1169 to a Key Request for this BPI SID. This is a zero length string if no
1170 Key Reject message has been received since reboot."
1171 ::= { docsBpiCmtsTEKEntry 11 }

1173 docsBpiCmtsTEKInvalidErrorCode OBJECT-TYPE
1174 SYNTAX INTEGER {
1175 none(1),
1176 unknown(2),
1177 invalidKeySequence(6)
1178 }
1179 MAX-ACCESS read-only
1180 STATUS current
1181 DESCRIPTION
1182 "Error-Code in the most recent TEK Invalid message sent in association
1183 with this BPI SID. This has value unknown(2) if the last Error-Code
1184 value was 0, and none(1) if no TEK Invalid message has been received
1185 since reboot."
1186 ::= { docsBpiCmtsTEKEntry 12 }

1188 docsBpiCmtsTEKInvalidErrorString OBJECT-TYPE
1189 SYNTAX DisplayString (SIZE (0..128))
1190 MAX-ACCESS read-only
1191 STATUS current
1192 DESCRIPTION
1193 "Display-String in the most recent TEK Invalid message sent in
1194 association with this BPI SID. This is a zero length string if no TEK
1195 Invalid message has been received since reboot."
1196 ::= { docsBpiCmtsTEKEntry 13 }

1198 --
1199 -- The CMTS Multicast Control Group
1200 --

1202 docsBpiMulticastControl OBJECT IDENTIFIER ::= { docsBpiCmtsObjects 4 }

1204 --
1205 -- The CMTS IP Multicast Mapping Table, indexed by IP multicast
1206 -- address and prefix, and by ifindex
1207 --

1209 docsBpiIpMulticastMapTable OBJECT-TYPE
1210 SYNTAX SEQUENCE OF DocsBpiIpMulticastMapEntry
1211 MAX-ACCESS not-accessible
1212 STATUS current
1213 DESCRIPTION
1214 "Describes the mapping of IP multicast address prefixes to multicast
1215 SIDs on each CMTS MAC interface."
1216 ::= { docsBpiMulticastControl 1 }

1218 docsBpiIpMulticastMapEntry OBJECT-TYPE
1219 SYNTAX DocsBpiIpMulticastMapEntry
1220 MAX-ACCESS not-accessible
1221 STATUS current
1222 DESCRIPTION
1223 "An entry containing objects describing the mapping of one IP
1224 multicast address prefix to one multicast SID on one CMTS MAC
1225 interface. The CMTS uses the mapping when forwarding downstream IP
1226 multicast traffic."
1227 INDEX { ifIndex, docsBpiIpMulticastAddress,
1228 docsBpiIpMulticastPrefixLength }
1229 ::= { docsBpiIpMulticastMapTable 1 }

1231 DocsBpiIpMulticastMapEntry ::= SEQUENCE {
1232 docsBpiIpMulticastAddress IpAddress,
1233 docsBpiIpMulticastPrefixLength INTEGER,
1234 docsBpiIpMulticastServiceId INTEGER,
1235 docsBpiIpMulticastMapControl RowStatus
1236 }

1238 docsBpiIpMulticastAddress OBJECT-TYPE
1239 SYNTAX IpAddress
1240 MAX-ACCESS not-accessible
1241 STATUS current
1242 DESCRIPTION
1243 "The IP multicast address (prefix) to be mapped."
1244 ::= { docsBpiIpMulticastMapEntry 1 }

1246 docsBpiIpMulticastPrefixLength OBJECT-TYPE
1247 SYNTAX INTEGER (0..32)
1248 MAX-ACCESS not-accessible
1249 STATUS current
1250 DESCRIPTION
1251 "The IP multicast address prefix length to be mapped."
1252 ::= { docsBpiIpMulticastMapEntry 2 }

1254 docsBpiIpMulticastServiceId OBJECT-TYPE
1255 SYNTAX INTEGER (8192..16368)
1256 MAX-ACCESS read-create
1257 STATUS current
1258 DESCRIPTION
1259 "The multicast SID to be used in this IP multicast address prefix
1260 mapping entry."
1261 -- DEFVAL is unused multicast SID value chosen by CMTS.
1262 ::= { docsBpiIpMulticastMapEntry 3 }

1264 docsBpiIpMulticastMapControl OBJECT-TYPE
1265 SYNTAX RowStatus
1266 MAX-ACCESS read-create
1267 STATUS current
1268 DESCRIPTION
1269 "Controls and reflects the IP multicast address prefix mapping entry."
1270 ::= { docsBpiIpMulticastMapEntry 4 }

1272 --
1273 -- The CMTS Multicast SID Authorization Table, indexed by ifIndex by
1274 -- multicast SID by CM MAC address
1275 --

1277 docsBpiMulticastAuthTable OBJECT-TYPE
1278 SYNTAX SEQUENCE OF DocsBpiMulticastAuthEntry
1279 MAX-ACCESS not-accessible
1280 STATUS current
1281 DESCRIPTION
1282 "Describes the multicast SID authorization for each CM on each CMTS
1283 MAC interface."
1284 ::= { docsBpiMulticastControl 2 }

1286 docsBpiMulticastAuthEntry OBJECT-TYPE
1287 SYNTAX DocsBpiMulticastAuthEntry
1288 MAX-ACCESS not-accessible
1289 STATUS current
1290 DESCRIPTION
1291 "An entry containing objects describing the key authorization of one
1292 cable modem for one multicast SID for one CMTS MAC interface."
1293 INDEX { ifIndex, docsBpiMulticastServiceId,
1294 docsBpiMulticastCmMacAddress }

1296 ::= { docsBpiMulticastAuthTable 1 }

1298 DocsBpiMulticastAuthEntry ::= SEQUENCE {
1299 docsBpiMulticastServiceId INTEGER,
1300 docsBpiMulticastCmMacAddress MacAddress,
1301 docsBpiMulticastAuthControl RowStatus
1302 }

1304 docsBpiMulticastServiceId OBJECT-TYPE
1305 SYNTAX INTEGER (8192..16368)
1306 MAX-ACCESS not-accessible
1307 STATUS current
1308 DESCRIPTION
1309 "The multicast SID for authorization."
1310 ::= { docsBpiMulticastAuthEntry 1 }

1312 docsBpiMulticastCmMacAddress OBJECT-TYPE
1313 SYNTAX MacAddress
1314 MAX-ACCESS not-accessible
1315 STATUS current
1316 DESCRIPTION
1317 "The MAC address of the CM to which the multicast SID authorization
1318 applies."
1319 ::= { docsBpiMulticastAuthEntry 2 }

1321 docsBpiMulticastAuthControl OBJECT-TYPE
1322 SYNTAX RowStatus
1323 MAX-ACCESS read-create
1324 STATUS current
1325 DESCRIPTION
1326 "Controls and reflects the CM authorization for each multicast SID."
1327 ::= { docsBpiMulticastAuthEntry 3 }

1329 --
1330 -- The BPI MIB Conformance Statements (with a placeholder for
1331 -- notifications)
1332 --

1334 docsBpiNotification OBJECT IDENTIFIER ::= { docsBpiMIB 2 }
1335 docsBpiConformance OBJECT IDENTIFIER ::= { docsBpiMIB 3 }
1336 docsBpiCompliances OBJECT IDENTIFIER ::= { docsBpiConformance 1 }
1337 docsBpiGroups OBJECT IDENTIFIER ::= { docsBpiConformance 2 }

1339 docsBpiBasicCompliance MODULE-COMPLIANCE
1340 STATUS current
1341 DESCRIPTION
1342 "The compliance statement for devices which implement the DOCS
1343 Baseline Privacy Interface."
1344 MODULE -- docsBpiMIB

1346 -- conditionally mandatory group
1347 GROUP docsBpiCmGroup
1348 DESCRIPTION
1349 "This group is implemented only in CMs, not in CMTSs."

1351 -- conditionally mandatory group
1352 GROUP docsBpiCmtsGroup
1353 DESCRIPTION
1354 "This group is implemented only in CMTSs, not in CMs."

1356 -- relaxation on mandatory range
1357 OBJECT docsBpiCmAuthGraceTime
1358 SYNTAX INTEGER (300..1800)
1359 DESCRIPTION
1360 "The refined range corresponds to the minimum and maximum values in
1361 operational networks, according to Appendix A.2 in [7]."

1363 -- relaxation on mandatory range
1364 OBJECT docsBpiCmTEKGraceTime
1365 SYNTAX INTEGER (300..1800)
1366 DESCRIPTION
1367 "The refined range corresponds to the minimum and maximum values in
1368 operational networks, according to Appendix A.2 in [7]."

1370 -- relaxation on mandatory range
1371 OBJECT docsBpiCmtsDefaultAuthLifetime
1372 SYNTAX INTEGER (86400..6048000)
1373 DESCRIPTION
1374 "The refined range corresponds to the minimum and maximum values in
1375 operational networks, according to Appendix A.2 in [7]."

1377 -- relaxation on mandatory range
1378 OBJECT docsBpiCmtsDefaultTEKLifetime
1379 SYNTAX INTEGER (1800..604800)
1380 DESCRIPTION
1381 "The refined range corresponds to the minimum and maximum values in
1382 operational networks, according to Appendix A.2 in [7]."
1384 -- relaxation on mandatory range
1385 OBJECT docsBpiCmtsDefaultAuthGraceTime
1386 SYNTAX INTEGER (300..1800)
1387 DESCRIPTION
1388 "The refined range corresponds to the minimum and maximum values in
1389 operational networks, according to Appendix A.2 in [7]."

1391 -- relaxation on mandatory range
1392 OBJECT docsBpiCmtsDefaultTEKGraceTime
1393 SYNTAX INTEGER (300..1800)
1394 DESCRIPTION
1395 "The refined range corresponds to the minimum and maximum values in
1396 operational networks, according to Appendix A.2 in [7]."

1398 -- relaxation on mandatory range
1399 OBJECT docsBpiCmtsAuthCmLifetime
1400 SYNTAX INTEGER (86400..6048000)
1401 DESCRIPTION
1402 "The refined range corresponds to the minimum and maximum values in
1403 operational networks, according to Appendix A.2 in [7]."

1405 -- relaxation on mandatory range
1406 OBJECT docsBpiCmtsAuthCmGraceTime
1407 SYNTAX INTEGER (300..1800)
1408 DESCRIPTION
1409 "The refined range corresponds to the minimum and maximum values in
1410 operational networks, according to Appendix A.2 in [7]."

1412 -- relaxation on mandatory range
1413 OBJECT docsBpiCmtsTEKLifetime
1414 SYNTAX INTEGER (1800..604800)
1415 DESCRIPTION
1416 "The refined range corresponds to the minimum and maximum values in
1417 operational networks, according to Appendix A.2 in [7]."

1419 -- relaxation on mandatory range
1420 OBJECT docsBpiCmtsTEKGraceTime
1421 SYNTAX INTEGER (300..1800)
1422 DESCRIPTION
1423 "The refined range corresponds to the minimum and maximum values in
1424 operational networks, according to Appendix A.2 in [7]."
1426 ::= { docsBpiCompliances 1 }

1428 docsBpiCmGroup OBJECT-GROUP
1429 OBJECTS {
1430 docsBpiCmPrivacyEnable,
1431 docsBpiCmPublicKey,
1432 docsBpiCmAuthState,
1433 docsBpiCmAuthKeySequenceNumber,
1434 docsBpiCmAuthExpires,
1435 docsBpiCmAuthReset,
1436 docsBpiCmAuthGraceTime,
1437 docsBpiCmTEKGraceTime,
1438 docsBpiCmAuthWaitTimeout,
1439 docsBpiCmReauthWaitTimeout,
1440 docsBpiCmOpWaitTimeout,
1441 docsBpiCmRekeyWaitTimeout,
1442 docsBpiCmAuthRejectWaitTimeout,
1443 docsBpiCmAuthRequests,
1444 docsBpiCmAuthReplies,
1445 docsBpiCmAuthRejects,
1446 docsBpiCmAuthInvalids,
1447 docsBpiCmAuthRejectErrorCode,
1448 docsBpiCmAuthRejectErrorString,
1449 docsBpiCmAuthInvalidErrorCode,
1450 docsBpiCmAuthInvalidErrorString,
1451 docsBpiCmTEKPrivacyEnable,
1452 docsBpiCmTEKState,
1453 docsBpiCmTEKExpiresOld,
1454 docsBpiCmTEKExpiresNew,
1455 docsBpiCmTEKKeyRequests,
1456 docsBpiCmTEKKeyReplies,
1457 docsBpiCmTEKKeyRejects,
1458 docsBpiCmTEKInvalids,
1459 docsBpiCmTEKAuthPends,
1460 docsBpiCmTEKKeyRejectErrorCode,
1461 docsBpiCmTEKKeyRejectErrorString,
1462 docsBpiCmTEKInvalidErrorCode,
1463 docsBpiCmTEKInvalidErrorString
1464 }
1465 STATUS current
1466 DESCRIPTION
1467 "A collection of objects providing CM BPI status and control."
1468 ::= { docsBpiGroups 1 }

1470 docsBpiCmtsGroup OBJECT-GROUP
1471 OBJECTS {
1472 docsBpiCmtsDefaultAuthLifetime,
1473 docsBpiCmtsDefaultTEKLifetime,
1474 docsBpiCmtsDefaultAuthGraceTime,
1475 docsBpiCmtsDefaultTEKGraceTime,
1476 docsBpiCmtsAuthRequests,
1477 docsBpiCmtsAuthReplies,
1478 docsBpiCmtsAuthRejects,
1479 docsBpiCmtsAuthInvalids,
1480 docsBpiCmtsAuthCmPublicKey,
1481 docsBpiCmtsAuthCmKeySequenceNumber,
1482 docsBpiCmtsAuthCmExpires,
1483 docsBpiCmtsAuthCmLifetime,
1484 docsBpiCmtsAuthCmGraceTime,
1485 docsBpiCmtsAuthCmReset,
1486 docsBpiCmtsAuthCmRequests,
1487 docsBpiCmtsAuthCmReplies,
1488 docsBpiCmtsAuthCmRejects,
1489 docsBpiCmtsAuthCmInvalids,
1490 docsBpiCmtsAuthRejectErrorCode,
1491 docsBpiCmtsAuthRejectErrorString,
1492 docsBpiCmtsAuthInvalidErrorCode,
1493 docsBpiCmtsAuthInvalidErrorString,
1494 docsBpiCmtsTEKLifetime,
1495 docsBpiCmtsTEKGraceTime,
1496 docsBpiCmtsTEKExpiresOld,
1497 docsBpiCmtsTEKExpiresNew,
1498 docsBpiCmtsTEKReset,
1499 docsBpiCmtsKeyRequests,
1500 docsBpiCmtsKeyReplies,
1501 docsBpiCmtsKeyRejects,
1502 docsBpiCmtsTEKInvalids,
1503 docsBpiCmtsKeyRejectErrorCode,
1504 docsBpiCmtsKeyRejectErrorString,
1505 docsBpiCmtsTEKInvalidErrorCode,
1506 docsBpiCmtsTEKInvalidErrorString,
1507 docsBpiIpMulticastServiceId,
1508 docsBpiIpMulticastMapControl,
1509 docsBpiMulticastAuthControl
1510 }
1511 STATUS current
1512 DESCRIPTION
1513 "A collection of objects providing CMTS BPI status and control."
1514 ::= { docsBpiGroups 2 }

1516 END

1518 5. Acknowledgments

1520 This document was produced by the IPCDN Working Group. Much of the
1521 content of this MIB was conceived by Chet Birger from Yas Corporation,
1522 and Mike StJohns from @Home Network.

1524 6. References

1526 [1] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and
1527 S. Waldbusser, "Structure of Management Information for Version 2
1528 of the Simple Network Management Protocol (SNMPv2)", RFC 1902,
1529 January 1996.

1531 [2] McCloghrie, K., and M.
Rose, Editors, "Management Information
1532 Base for Network Management of TCP/IP-based internets: MIB-II",
1533 STD 17, RFC 1213, March 1991.

1535 [3] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "A Simple
1536 Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.

1538 [4] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and
1539 S. Waldbusser, "Protocol Operations for Version 2 of the Simple
1540 Network Management Protocol (SNMPv2)", RFC 1905, January 1996.

1542 [5] Roeck, G., editor, "Radio Frequency (RF) Interface Management
1543 Information Base for MCNS compliant RF Interfaces", Internet
1544 draft draft-ietf-ipcdn-rf-interface-mib-04.txt, May 1998.

1546 [6] Roeck, G., editor, "Cable Device Management Information
1547 Base for MCNS compliant Cable Modems and Cable Modem
1548 Termination Systems", Internet draft
1549 draft-ietf-ipcdn-cable-device-mib-04.txt, May 1998.

1551 [7] "MCNS Data Over Cable Services, Baseline Privacy Interface
1552 Specification, SP-BPI-I01-970922", CableLabs, September 1997.

1554 [8] "MCNS Data Over Cable Services, Radio Frequency Interface
1555 Specification, SP-RFI-I02-971008", CableLabs, October 1997.

1557 [9] "MCNS Data Over Cable Services, OSSI Specification, RF Interface,
1558 SP-OSSI-RFI-I02-980410", CableLabs, April 1998.

1560 [10] RSA Laboratories, "The Public-Key Cryptography Standards",
1561 RSA Data Security Inc., Redwood City, CA.

1563 [11] Harrington, D., Presuhn, R., and Wijnen, B., "An Architecture
1564 for Describing SNMP Management Frameworks", RFC 2271, January
1565 1998.

1567 7. Security Considerations

1569 The Baseline Privacy Interface provides data encryption for MCNS
1570 data-over-cable services. Baseline Privacy-capable cable modems have
1571 RSA private/public key pairs installed by manufacturers. The public
1572 key is used to encrypt an Authorization key, and the Authorization
1573 key is used to encrypt one or more Traffic Encryption Keys (TEKs).
1574 The TEKs are used to encrypt both upstream and downstream data
1575 traffic. Please refer to [7] to obtain further information on the
1576 Baseline Privacy specification.

1578 In particular, the Baseline Privacy Interface does not provide an
1579 authentication service. CMTS implementors are encouraged not to rely
1580 on the MAC address of the CM for service authorization (in
1581 particular, for the docsBpiMulticastAuthTable in this MIB), without
1582 verifying the association between the MAC address and the RSA public
1583 key. The mechanism to verify the MAC address to RSA public key
1584 association is beyond the scope of this specification.

1586 This MIB specification contains a number of read-write objects, that
1587 should be protected from unauthorized modification to prevent denial
1588 of service and theft of service attacks: in particular, objects that
1589 manage enabling/disabling privacy (ex. docsBpiCmTEKPrivacyEnable),
1590 resetting state machines (ex. docsBpiCmAuthReset), key lifetimes (ex.
1591 docsBpiCmtsDefaultAuthLifetime), rekeying grace times (ex.
1592 docsBpiCmtsDefaultAuthGraceTime), and multicast traffic control (i.e.
1593 any object in the docsBpiMulticastControl group).

1595 The desired means to protect these objects from unwarranted access is
1596 to implement the SNMPv3 Management Frameworks [11] on CMs and CMTSs,
1597 with implementations of a Security Model and an Access Control Model
1598 that satisfy the security and access control needs of the cable
1599 service provider. SNMPv3 agent implementations are currently not
1600 required for the MCNS data over cable service.
1602 Other means to protect CMs from unauthorized access include using the
1603 docsDevNmAccessTable from the Cable Device MIB [6] to disallow
1604 configuration changes from unauthorized network management stations,
1605 and using the SNMP MIB Object and SNMP Write-Access Control
1606 configuration file options from the Radio Frequency Interface [8] to
1607 set MIB object values and disable SNMP SET operations at cable modem
1608 boot time. Note that these mechanisms may be vulnerable to an
1609 unauthorized network management station "spoofing" the source address
1610 of a legitimate network management station.

1612 8. Author's Address

1614 Richard Woundy
1615 American Internet Corporation
1616 4 Preston Court
1617 Bedford, MA 01730
1618 U.S.A.

1620 Phone: +1 781 276 4509
1621 Email: rwoundy@american.com

1623 9. Copyright Statement

1625 Copyright (C) The Internet Society (1998). All Rights Reserved.

1627 This document and translations of it may be copied and furnished to
1628 others, and derivative works that comment on or otherwise explain it
1629 or assist in its implementation may be prepared, copied, published
1630 and distributed, in whole or in part, without restriction of any
1631 kind, provided that the above copyright notice and this paragraph are
1632 included on all such copies and derivative works. However, this
1633 document itself may not be modified in any way, such as by removing
1634 the copyright notice or references to the Internet Society or other
1635 Internet organizations, except as needed for the purpose of
1636 developing Internet standards in which case the procedures for
1637 copyrights defined in the Internet Standards process must be
1638 followed, or as required to translate it into languages other than
1639 English.

1641 The limited permissions granted above are perpetual and will not be
1642 revoked by the Internet Society or its successors or assigns.
1644 This document and the information contained herein is provided on an
1645 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1646 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1647 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1648 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1649 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
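An audit in support of the Security Considerations section above, as an added example that is not part of the draft: it lists the objects an SNMP SET can change and checks polled values against both the base SYNTAX ranges and the refined ranges in docsBpiBasicCompliance. MIB_EXCERPT and POLLED are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed excerpt: clauses copied from the MIB listing above, with the
# STATUS and DESCRIPTION clauses dropped to keep the sample short.
MIB_EXCERPT = """
docsBpiCmtsDefaultAuthLifetime OBJECT-TYPE
    SYNTAX INTEGER (1..6048000)
    UNITS "seconds"
    MAX-ACCESS read-write
    ::= { docsBpiCmtsBaseEntry 1 }
docsBpiCmtsDefaultTEKLifetime OBJECT-TYPE
    SYNTAX INTEGER (1..604800)
    UNITS "seconds"
    MAX-ACCESS read-write
    ::= { docsBpiCmtsBaseEntry 2 }
docsBpiCmtsDefaultAuthGraceTime OBJECT-TYPE
    SYNTAX INTEGER (1..1800)
    UNITS "seconds"
    MAX-ACCESS read-write
    ::= { docsBpiCmtsBaseEntry 3 }
docsBpiCmtsAuthRequests OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    ::= { docsBpiCmtsBaseEntry 5 }
docsBpiCmtsAuthCmReset OBJECT-TYPE
    SYNTAX INTEGER {
        noResetRequested(1), invalidateAuth(2),
        sendAuthInvalid(3), invalidateTeks(4)
    }
    MAX-ACCESS read-write
    ::= { docsBpiCmtsAuthEntry 7 }
docsBpiCmtsTEKReset OBJECT-TYPE
    SYNTAX TruthValue
    MAX-ACCESS read-write
    ::= { docsBpiCmtsTEKEntry 5 }
docsBpiMulticastAuthControl OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    ::= { docsBpiMulticastAuthEntry 3 }
docsBpiBasicCompliance MODULE-COMPLIANCE
    OBJECT docsBpiCmtsDefaultAuthLifetime
    SYNTAX INTEGER (86400..6048000)
    OBJECT docsBpiCmtsDefaultTEKLifetime
    SYNTAX INTEGER (1800..604800)
    OBJECT docsBpiCmtsDefaultAuthGraceTime
    SYNTAX INTEGER (300..1800)
    ::= { docsBpiCompliances 1 }
"""

# Constructed poll results (object name -> value in seconds).
POLLED = {
    "docsBpiCmtsDefaultAuthLifetime": 604800,
    "docsBpiCmtsDefaultTEKLifetime": 60,
    "docsBpiCmtsDefaultAuthGraceTime": 2000,
}

OBJECT_TYPE = re.compile(
    r'(\w+)\s+OBJECT-TYPE\s+SYNTAX\s+(.*?)\s+'
    r'(?:UNITS\s+"[^"]*"\s+)?MAX-ACCESS\s+([\w-]+)', re.S)
RANGE = re.compile(r'INTEGER\s*\((\d+)\.\.(\d+)\)')
# "OBJECT <name> SYNTAX ..." only occurs inside MODULE-COMPLIANCE.
REFINE = re.compile(r'\bOBJECT\s+(\w+)\s+SYNTAX\s+INTEGER\s*\((\d+)\.\.(\d+)\)')


def parse_objects(mib_text):
    """Return {name: {"access": str, "range": (lo, hi) or None}}."""
    objs = {}
    for name, syntax, access in OBJECT_TYPE.findall(mib_text):
        m = RANGE.fullmatch(" ".join(syntax.split()))
        rng = (int(m[1]), int(m[2])) if m else None
        objs[name] = {"access": access, "range": rng}
    return objs


def writable(objs):
    """Objects a manager can change with SNMP SET."""
    return sorted(n for n, o in objs.items()
                  if o["access"] in ("read-write", "read-create"))


def parse_refinements(mib_text):
    """Refined operational ranges from the compliance statement."""
    return {n: (int(lo), int(hi)) for n, lo, hi in REFINE.findall(mib_text)}


def audit(polled, objs, refined):
    """Return (name, value, reason) for every out-of-range polled value."""
    findings = []
    for name, value in sorted(polled.items()):
        rng = objs.get(name, {}).get("range")
        if rng is None:
            continue  # not a ranged INTEGER, nothing to compare
        if not rng[0] <= value <= rng[1]:
            findings.append((name, value,
                             "violates SYNTAX range %d..%d" % rng))
        elif name in refined and not refined[name][0] <= value <= refined[name][1]:
            findings.append((name, value,
                             "outside operational range %d..%d" % refined[name]))
    return findings


if __name__ == "__main__":
    objects = parse_objects(MIB_EXCERPT)
    print("SET-capable objects:", ", ".join(writable(objects)))
    for finding in audit(POLLED, objects, parse_refinements(MIB_EXCERPT)):
        print("%s = %d: %s" % finding)
```

A value inside the SYNTAX range but below the refined minimum, such as a 60-second TEK lifetime, is accepted by the agent yet forces constant rekeying, which is the kind of change the draft asks operators to guard against.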