IPCDN Working Group                                    Eugene Nechamkin
Internet-Draft                                           Broadcom Corp.
Expires: June 21, 2006                                   Jean-Francois
                                                                  Mule
                                                             CableLabs
                                                     December 21, 2005

       Multimedia Terminal Adapter (MTA) Management Information Base
            for PacketCable and IPCablecom compliant devices
                    draft-ietf-ipcdn-pktc-mtamib-09.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2005).

IPCDN MTA MIB                                             December 2005

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a basic set of managed objects for
   SNMP-based management of PacketCable and IPCablecom compliant
   Multimedia Terminal Adapter devices.

Table of Contents

   1.   The Internet-Standard Management Framework
   2.   Terminology
   3.   Introduction
   3.1  Structure of the MTA MIB
   3.2  pktcMtaDevBase
   3.3  pktcMtaDevServer
   3.4  pktcMtaDevSecurity
   3.5  Relationship between MIB Objects in the MTA MIB
   3.6  Secure Software Download
   3.7  X.509 Certificates Dependencies
   4.   Definitions
   5.   Acknowledgments
   6.   Normative References
   7.   Informative References
   8.   Security Considerations
   9.   IANA Considerations
   10.  Authors' Addresses

1. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a
   MIB module that is compliant to the SMIv2, which is described in STD
   58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC
   2580 [RFC2580].

2. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL", when used in the guidelines in this memo, are to be
   interpreted as described in RFC 2119 [RFC2119].

   The terms "MIB module" and "information module" are used
   interchangeably in this memo.  As used here, both terms refer to any
   of the three types of information modules defined in section 3 of
   RFC 2578 [RFC2578].

   Some of the terms used in this memo are defined below.  Some
   additional terms are also defined in the PacketCable MTA Device
   Provisioning Specification [PKT-SP-PROV] and the PacketCable
   Security Specification [PKT-SP-SEC].

   DOCSIS
      The CableLabs(R) Certified(TM) Cable Modem project, also known as
      DOCSIS(R) (Data Over Cable Service Interface Specification),
      defines interface requirements for cable modems involved in
      high-speed data distribution over cable television system
      networks.  DOCSIS also refers to the ITU-T J.112 recommendation,
      Annex B for cable modem systems [ITU-T-J112].

   Cable Modem
      A Cable Modem (CM) acts as a data transport agent used to
      transfer call management and voice data packets over a DOCSIS
      compliant cable system.

   Multimedia Terminal Adapter
      A Multimedia Terminal Adapter (MTA) is a PacketCable or
      IPCablecom compliant device providing telephony services over a
      cable or hybrid system used to deliver video signals to a
      community.  It contains an interface to endpoints, a network
      interface, CODECs, and all signaling and encapsulation functions
      required for Voice over IP transport, call signaling, and Quality
      of Service signaling.
      An MTA can be an embedded or a standalone device.  An Embedded
      MTA (E-MTA) is an MTA device containing an embedded DOCSIS Cable
      Modem.  A Standalone MTA (S-MTA) is an MTA device separated from
      the DOCSIS cable modem by a non-DOCSIS MAC interface (e.g.
      Ethernet, USB).

   Endpoint
      An endpoint or MTA endpoint is a standard RJ-11 telephony
      physical port located on the MTA and used for attaching the
      telephone device to the MTA.

   X.509 Certificate
      An X.509 certificate is an Internet X.509 Public Key
      Infrastructure certificate developed as part of the ITU-T X.500
      Directory recommendations.  It is defined in RFC 3280 [RFC3280].

   Voice Over IP
      Voice over IP (VoIP) is a technology for transferring digitized
      voice information in packets over IP networks.

   Public Key Certificate
      A Public Key Certificate (also known as a Digital Certificate) is
      a binding between an entity's public key and one or more
      attributes relating to its identity.

   DHCP
      The Dynamic Host Configuration Protocol (DHCP) is defined by
      RFC 2131 [RFC2131].  In addition, commonly used DHCP options are
      defined in RFC 2132 [RFC2132].  Additional DHCP options used by
      PacketCable and IPCablecom MTAs can be found in the CableLabs
      Client Configuration DHCP specifications, RFC 3495 [RFC3495] and
      RFC 3594 [RFC3594].

   TFTP
      The Trivial File Transfer Protocol (TFTP) is defined in RFC 1350
      [RFC1350].

   HTTP
      The Hypertext Transfer Protocol (HTTP/1.1) is defined in RFC 2616
      [RFC2616].

   Call Management Server
      A Call Management Server (CMS) is an element of the PacketCable
      network infrastructure which controls audio connections between
      MTAs.

   CODEC, COder-DECoder
      A COder-DECoder is a hardware or software component used in
      audio/video systems to convert an analog signal to digital, and
      then (possibly) to compress it so that lower bandwidth
      telecommunications channels can be used.  The signal is
      decompressed and converted (decoded) back to analog output by a
      compatible CODEC at the receiving end.

   Operations Systems Support
      An Operations Systems Support system (OSS) is a system of back
      office software components used for fault, configuration,
      accounting, performance, and security management working in
      interaction with each other and providing the operations support
      in deployed PacketCable systems.

   Key Distribution Center
      A Key Distribution Center (KDC) is an element of the OSS systems
      functioning as a Kerberos Security Server providing mutual
      authentication of the various components of the PacketCable
      system (e.g. mutual authentication between an MTA and a CMS, or
      between an MTA and the Provisioning Server).

   Security Association
      A Security Association (SA) is a one-way relationship between
      sender and receiver offering security services on the
      communication flow.

3. Introduction

   This MIB module provides a set of objects required for the
   management of PacketCable, ETSI and ITU-T IPCablecom compliant MTA
   devices.  The MTA MIB module is intended to supersede various MTA
   MIB modules from which it is partly derived:

   - the PacketCable 1.0 MTA MIB Specification [PKT-SP-MIB-MTA],

   - the ITU-T IPCablecom MTA MIB requirements [ITU-T-J168],

   - the ETSI MTA MIB [ETSITS101909-8].  The ETSI MTA MIB requirements
     also refer to various signal characteristics defined in
     [EN300001], chapter 3 titled 'Ringing signal characteristics' and
     [EN300659-1].

   Several normative and informative references are used to help define
   MTA MIB objects.  As a convention, wherever PacketCable and
   IPCablecom requirements are equivalent, the PacketCable reference is
   used in the object REFERENCE clause.  IPCablecom compliant MTA
   devices MUST use the equivalent IPCablecom references.

3.1 Structure of the MTA MIB

   The MTA MIB module is identified by pktcIetfMtaMib and is structured
   in three object groups:

   - pktcMtaDevBase defines the management information pertinent to the
     MTA device itself,

   - pktcMtaDevServer defines the management information pertinent to
     the provisioning back office servers,

   - pktcMtaDevSecurity defines the management information pertinent to
     the PacketCable and IPCablecom security mechanisms.

   The first two object groups, pktcMtaDevBase and pktcMtaDevServer,
   contain only scalar information objects describing the corresponding
   characteristics of the MTA device and back office servers.

   The third group, pktcMtaDevSecurity, contains two tables controlling
   the logical associations between KDC realms and Application Servers
   (CMS and Provisioning Server).  The rows in the various tables of
   the MTA MIB module can be created automatically (e.g. by the device
   according to the current state information) or they can be created
   by the management station depending on the operational situation.
   The tables defined in the MTA MIB module may have a mixture of both
   types of rows.

3.2 pktcMtaDevBase

   This object group contains the management information related to the
   MTA device itself.  It also contains some objects used to control
   the MTA state.  Some highlights are as follows:

   - pktcMtaDevSerialNumber, this object contains the MTA Serial
     Number,

   - pktcMtaDevEndPntCount, this object contains the number of
     endpoints present in the managed MTA,

   - pktcMtaDevProvisioningState, this object contains the information
     describing the completion state of the MTA initialization process,

   - pktcMtaDevEnabled, this object controls the administrative state
     of the MTA endpoints and allows operators to enable or disable
     telephony services on the device,

   - pktcMtaDevResetNow, this object is used to instruct the MTA to
     reset.

3.3 pktcMtaDevServer

   This object group contains the management information describing the
   back office servers and the parameters related to the communication
   timers.  It also includes some objects controlling the initial MTA
   interaction with the Provisioning Server.

   Some highlights are as follows:

   - pktcMtaDevServerDhcp1, this object contains the IP address of the
     primary DHCP server designated for the MTA provisioning,

   - pktcMtaDevServerDhcp2, this object contains the IP address of the
     secondary DHCP server designated for the MTA provisioning,

   - pktcMtaDevServerDns1, this object contains the IP address of the
     primary DNS server used by the managed MTA to resolve Fully
     Qualified Domain Names (FQDNs) and IP addresses,

   - pktcMtaDevServerDns2, this object contains the IP address of the
     secondary DNS server used by the managed MTA to resolve FQDNs and
     IP addresses,

   - pktcMtaDevConfigFile, this object contains the name of the
     provisioning configuration file the managed MTA must download from
     the Provisioning Server,

   - pktcMtaDevProvConfigHash, this object contains the hash value of
     the MTA configuration file calculated over its content.  When the
     managed MTA downloads the file, it authenticates the configuration
     file using the hash value provided in this object.

3.4 pktcMtaDevSecurity

   This object group contains the management information describing the
   security related characteristics of the managed MTA.  It contains
   two tables describing logical dependencies and parameters necessary
   to establish Security Associations between the MTA and other
   Application Servers (back office components and CMSes).

   The CMS table (pktcMtaDevCmsTable) and the realm table
   (pktcMtaDevRealmTable) are used for managing the MTA signaling
   security.  The realm table defines the CMS domains.  The CMS table
   defines the CMSes within the domains.  Each MTA endpoint is
   associated with one CMS at any given time.

   The two tables in this object group are:

   - pktcMtaDevRealmTable, this table is used in conjunction with any
     Application Server that communicates securely with the managed MTA
     (CMS or Provisioning Server),

   - pktcMtaDevCmsTable, this table contains the parameters describing
     the SA establishment between the MTA and CMSes.

3.5 Relationship between MIB Objects in the MTA MIB

   This section clarifies the relationship between various MTA MIB
   objects with respect to the role they play in the process of
   establishing Security Associations.

   The process of Security Association establishment between an MTA and
   Application Servers is described in the PacketCable Security
   Specification [PKT-SP-SEC].  In particular, an MTA communicates with
   two types of back office Application Servers: Call Management
   Servers and Provisioning Servers.

   The SA establishment process consists of two steps:

   a. Authentication Server exchange (AS-exchange):
      This step provides mutual authentication between the parties,
      i.e. between an MTA and an Authentication Server.
      The process of AS-exchange is defined by a number of parameters
      grouped per realm.  These parameters are gathered in the Realm
      Table (pktcMtaDevRealmTable).  The Realm Table is indexed by the
      Index Counter and contains a conceptual column with the Kerberos
      realm name.

   b. Application server exchange (AP-exchange):
      This step allows for the establishment of Security Associations
      between authenticated parties.
      The CMS table (pktcMtaDevCmsTable) contains the parameters for
      the AP-exchange process between an MTA and a CMS.  The CMS table
      is indexed by the Index Counter and contains the CMS FQDN (the
      conceptual column pktcMtaDevCmsFqdn).  Each row contains the
      Kerberos realm name associated with each CMS FQDN.  This allows
      each CMS to exist in a different Kerberos realm.

   The MTA MIB module also contains a group of scalar MIB objects in
   the server group (pktcMtaDevServer).  These objects define various
   parameters for the AP-exchange process between an MTA and the
   Provisioning Server.  These objects are:

   - pktcMtaDevProvUnsolicitedKeyMaxTimeout,
   - pktcMtaDevProvUnsolicitedKeyNomTimeout,
   - pktcMtaDevProvUnsolicitedKeyMaxRetries,
   - pktcMtaDevProvSolicitedKeyTimeout.

3.6 Secure Software Download

   E-MTAs are embedded with DOCSIS 1.1 cable modems and have their
   software upgraded by the Cable Modem according to the DOCSIS
   requirements.  S-MTAs, in contrast, implement a specific mechanism
   for Secure Software Download.

   The Secure Software Download mechanism provides means to verify the
   code upgrade using Code Verification Certificates and is modeled
   after the DOCSIS mechanism implemented in Cable Modems.  This is the
   reason why the MTA MIB and the S-MTA compliance modules also rely on
   two MIB object groups:

   - docsBpi2CodeDownloadGroup defined in the IETF BPI Plus MIB
     module (DOCS-IETF-BPI2-MIB [RFC4131]), and,

   - docsDevSoftwareGroupV2 defined in the IETF Cable Device v2 MIB
     module (DOCS-CABLE-DEVICE-MIB [RFCxxxx]).

   ************************************************************
   * NOTES TO RFC Editor (to be removed prior to publication) *
   *                                                          *
   * An updated version of the I-D                            *
   * <draft-ietf-ipcdn-device-mibv2-10.txt>                   *
   * is expected to become RFC before this draft.             *
   * Please replace RFCxxxx with the RFC number and           *
   * update the reference statement with the correct date:    *
   * Monthxxxx, 2005                                          *
   *                                                          *
   ************************************************************

3.7 X.509 Certificates Dependencies

   As specified in the PacketCable Security Specification [PKT-SP-SEC],
   E-MTAs must use the authentication mechanism based on the X.509
   Public Key Infrastructure Certificates as defined in RFC 3280
   [RFC3280].

   The value of the pktcMtaDevRealmOrgName MIB object should contain
   the X.509 organization name attribute of the Telephony Service
   Provider certificate (OrganizationName).  X.509 attributes are
   defined using UTF8String encoding [RFC2279, RFC 3280].

   Note that UTF-8 encoded characters can be encoded as sequences of 1
   to 6 octets, based on the assumption that code points as high as
   0x7fffffff might be used ([RFC2279]).  Subsequent versions of
   Unicode and ISO 10646 have limited the upper bound to 0x10ffff
   ([RFC3629]).  Consequently, the current version of UTF-8, defined in
   RFC 3629, does not require more than four octets to encode a valid
   code point.

4. Definitions

   The MIB module below makes references and citations to [RFC868],
   [RFC3280] and [RFC3617].
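Before the module itself, a check for the UTF-8 point made in Section 3.7 above, as an added example that is not part of the draft: `utf8_rfc3629_check` (a name chosen for this example) walks an OrganizationName value octet by octet under the RFC 3629 rules, so the five- and six-octet sequences RFC 2279 allowed, as well as overlong forms, surrogates and code points above 0x10ffff, are reported with an offset; the sample values are constructed.

```python
# Added example (not from the draft): check a pktcMtaDevRealmOrgName value
# against the current UTF-8 definition (RFC 3629) rather than RFC 2279.
# RFC 3629 allows 1..4 octets per code point, requires the shortest form,
# and excludes UTF-16 surrogates and anything above U+10FFFF; the 5- and
# 6-octet forms of RFC 2279 (lead octets 0xF8..0xFD) are rejected.
# The sample values at the bottom are constructed.


def utf8_rfc3629_check(data):
    """Return (ok, reason, code_points) for a byte string.

    ok is True only if every sequence in data is a valid RFC 3629
    sequence; otherwise reason says what was found and at which offset.
    """
    cps = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # 1 octet: U+0000..U+007F
            need, cp, lowest = 0, b0, 0
        elif 0xC2 <= b0 <= 0xDF:           # 2 octets: U+0080..U+07FF
            need, cp, lowest = 1, b0 & 0x1F, 0x80
        elif 0xE0 <= b0 <= 0xEF:           # 3 octets: U+0800..U+FFFF
            need, cp, lowest = 2, b0 & 0x0F, 0x800
        elif 0xF0 <= b0 <= 0xF4:           # 4 octets: U+10000..U+10FFFF
            need, cp, lowest = 3, b0 & 0x07, 0x10000
        elif 0xF8 <= b0 <= 0xFD:
            # 5- or 6-octet lead: valid under RFC 2279 (up to 0x7FFFFFFF),
            # never valid under RFC 3629.
            return False, "RFC 2279 5/6-octet sequence at offset %d" % i, cps
        else:
            # 0x80..0xBF stray continuation, 0xC0/0xC1 overlong 2-octet
            # lead, 0xF5..0xF7 beyond U+10FFFF, 0xFE/0xFF never used.
            return False, "invalid lead octet 0x%02X at offset %d" % (b0, i), cps
        if i + need >= n:
            return False, "truncated sequence at offset %d" % i, cps
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                return False, "bad continuation octet 0x%02X at offset %d" % (b, i + k), cps
            cp = (cp << 6) | (b & 0x3F)
        if cp < lowest:
            return False, "overlong encoding at offset %d" % i, cps
        if 0xD800 <= cp <= 0xDFFF:
            return False, "UTF-16 surrogate U+%04X at offset %d" % (cp, i), cps
        if cp > 0x10FFFF:
            return False, "code point above U+10FFFF at offset %d" % i, cps
        cps.append(cp)
        i += need + 1
    return True, "", cps


def org_name_accepted(value):
    """Accept an OrganizationName only if it is RFC 3629 UTF-8 and the
    decoded code points agree with Python's strict decoder (cross-check)."""
    ok, _, cps = utf8_rfc3629_check(value)
    if not ok:
        return False
    return cps == [ord(c) for c in value.decode("utf-8")]


# Constructed sample values: one ASCII name, one with 2-octet characters,
# and one starting with an RFC 2279 5-octet sequence for U+200000.
SAMPLES = {
    "ascii": b"Example Telephony Services",
    "latin": "T\u00e9l\u00e9com Exemple".encode("utf-8"),
    "rfc2279_5_octet": b"\xf8\x88\x80\x80\x80Example",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, utf8_rfc3629_check(value)[:2])
```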
426 PKTC-IETF-MTA-MIB DEFINITIONS ::= BEGIN 428 IMPORTS 429 MODULE-IDENTITY, 430 OBJECT-TYPE, 431 OBJECT-IDENTITY, 432 Unsigned32, 433 Counter32, 434 NOTIFICATION-TYPE, 435 mib-2 436 FROM SNMPv2-SMI -- [RFC2578] 437 TEXTUAL-CONVENTION, 438 RowStatus, 439 TruthValue 440 FROM SNMPv2-TC -- [RFC2579] 441 OBJECT-GROUP, 442 MODULE-COMPLIANCE, 443 NOTIFICATION-GROUP 444 FROM SNMPv2-CONF -- [RFC2580] 445 InetAddressType, 446 InetAddress 447 FROM INET-ADDRESS-MIB -- [RFC4001] 448 sysDescr 449 FROM SNMPv2-MIB -- [RFC3418] 450 SnmpAdminString 451 FROM SNMP-FRAMEWORK-MIB -- [RFC3411] 452 docsDevSoftwareGroupV2 453 FROM DOCS-CABLE-DEVICE-MIB -- [RFCxxxx] 454 -- ************************************************************ 455 -- * NOTES TO RFC Editor (to be removed prior to publication) * 456 -- * * 457 -- * The I-D * 458 -- * is expected to become RFC before this draft. * 459 -- * Please replace RFCxxxx with the RFC number of the IPCDN * 460 -- * Cable Device MIBv2 and remove this note * 461 -- * * 462 -- ************************************************************ 464 DocsX509ASN1DEREncodedCertificate, 465 docsBpi2CodeDownloadGroup 466 FROM DOCS-IETF-BPI2-MIB -- [RFC4131] 467 LongUtf8String 468 FROM SYSAPPL-MIB -- [RFC2287] 469 ifPhysAddress 471 IPCDN MTA MIB December 2005 473 FROM IF-MIB; -- [RFC2863] 475 pktcIetfMtaMib MODULE-IDENTITY 476 LAST-UPDATED "200512211700Z" -- December 21, 2005 477 ORGANIZATION "IETF IP over Cable Data Network Working Group" 478 CONTACT-INFO 479 "Eugene Nechamkin 480 Broadcom Corporation, 481 200-13711 International Place, 482 Richmond, BC, V6V 2Z8 483 CANADA 484 Phone: +1 604 233 8500 485 Email: enechamkin@broadcom.com 487 Jean-Francois Mule 488 Cable Television Laboratories, Inc. 489 858 Coal Creek Circle 490 Louisville, CO 80027-9750 491 U.S.A. 
492 Phone: +1 303 661 9100 493 Email: jf.mule@cablelabs.com 495 IETF IPCDN Working Group 496 General Discussion: ipcdn@ietf.org 497 Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn 498 Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn 499 Co-Chair: Jean-Francois Mule, jf.mule@cablelabs.com 500 Co-Chair: Richard Woundy, Richard_Woundy@cable.comcast.com" 502 DESCRIPTION 503 "This MIB module defines the basic management object 504 for the Multimedia Terminal Adapter devices compliant 505 with PacketCable and IPCablecom requirements. 507 Copyright (C) The Internet Society (2005). This version of 508 this MIB module is part of RFC nnnn; see the RFC itself for 509 full legal notices." 510 -- RFC Ed: replace nnnn with actual RFC number and remove this note 512 REVISION "200512211700Z" -- December 21, 2005 514 DESCRIPTION 515 "Initial version, published as RFC nnnn." 516 -- RFC Ed: replace nnnn with actual RFC number and remove this note 518 ::= { mib-2 XXX } 519 -- RFC Ed: replace XXX with IANA-assigned number and remove this 520 -- note 522 IPCDN MTA MIB December 2005 524 -- Textual Conventions 526 PktcMtaDevProvEncryptAlg ::= TEXTUAL-CONVENTION 527 STATUS current 528 DESCRIPTION 529 " This textual convention defines various types of the 530 encryption algorithms used for the encryption of the MTA 531 configuration file. The description of the encryption 532 algorithm for each enumerated value is as follows: 534 'none(0)' no encryption is used, 535 'des64CbcMode(1)' DES 64-bit key in CBC mode, 536 't3Des192CbcMode(2)' 3DES 192-bit key in CBC mode, 537 'aes128CbcMode(3)' AES 128-bit key in CBC mode, 538 'aes256CbcMode(4)' AES 256-bit key in CBC mode." 539 SYNTAX INTEGER { 540 none (0), 541 des64CbcMode (1), 542 t3Des192CbcMode (2), 543 aes128CbcMode (3), 544 aes256CbcMode (4) 545 } 547 --================================================================= 548 -- The MTA MIB module only supports a single Provisioning Server. 
549 --================================================================= 551 pktcMtaNotification OBJECT IDENTIFIER ::= { pktcIetfMtaMib 0 } 552 pktcMtaMibObjects OBJECT IDENTIFIER ::= { pktcIetfMtaMib 1 } 553 pktcMtaDevBase OBJECT IDENTIFIER ::= { pktcMtaMibObjects 1 } 554 pktcMtaDevServer OBJECT IDENTIFIER ::= { pktcMtaMibObjects 2 } 555 pktcMtaDevSecurity OBJECT IDENTIFIER ::= { pktcMtaMibObjects 3 } 556 pktcMtaDevErrors OBJECT IDENTIFIER ::= { pktcMtaMibObjects 4 } 557 pktcMtaConformance OBJECT IDENTIFIER ::= { pktcIetfMtaMib 2 } 559 -- 560 -- The following pktcMtaDevBase group describes the base MTA objects 561 -- 563 pktcMtaDevResetNow OBJECT-TYPE 564 SYNTAX TruthValue 565 MAX-ACCESS read-write 566 STATUS current 567 DESCRIPTION 569 IPCDN MTA MIB December 2005 571 " This object controls the MTA software reset. 572 Reading this object always returns 'false'. Setting this 573 object to 'true' causes the device to reset immediately 574 and the following actions occur: 575 1. All connections (if present) are flushed locally. 576 2. All current actions such as ringing immediately 577 terminate. 578 3. Requests for signaling notifications such as 579 notification based on digit map recognition are 580 flushed. 581 4. All endpoints are disabled. 582 5. The provisioning flow is started at step MTA-1. 583 If a value is written into an instance of 584 pktcMtaDevResetNow, the agent MUST NOT retain the supplied 585 value across MTA re-initializations or reboots." 586 REFERENCE 587 " PacketCable MTA Device Provisioning Specification." 588 ::= { pktcMtaDevBase 1 } 590 pktcMtaDevSerialNumber OBJECT-TYPE 591 SYNTAX SnmpAdminString 592 MAX-ACCESS read-only 593 STATUS current 594 DESCRIPTION 595 " This object specifies the manufacturer's serial 596 number of this MTA. The value of this object MUST be 597 identical to the value specified in DHCP option 43 598 sub-option 4. 
The list of sub-options for DHCP option 599 43 are defined in the PacketCable MTA Device 600 Provisioning Specification." 601 REFERENCE 602 " PacketCable MTA Device Provisioning Specification." 603 ::= { pktcMtaDevBase 2 } 605 pktcMtaDevSwCurrentVers OBJECT-TYPE 606 SYNTAX SnmpAdminString 607 MAX-ACCESS read-only 608 STATUS current 609 DESCRIPTION 610 " This object identifies the software version currently 611 operating in the MTA. 612 The MTA MUST return a string descriptive of the current 613 software load. This object should use the syntax 614 defined by the individual vendor to identify the software 615 version. The data presented in this object MUST be 616 identical to the software version information contained 617 in the 'sysDescr' MIB object of the MTA. The value of 618 this object MUST be identical to the value specified in 619 DHCP option 43 sub-option 6. The list of sub-options for 621 IPCDN MTA MIB December 2005 623 DHCP option 43 are defined in the PacketCable MTA Device 624 Provisioning Specification." 625 REFERENCE 626 " PacketCable MTA Device Provisioning Specification." 628 ::= { pktcMtaDevBase 3 } 630 pktcMtaDevFQDN OBJECT-TYPE 631 SYNTAX SnmpAdminString 632 MAX-ACCESS read-only 633 STATUS current 634 DESCRIPTION 635 " This object contains the Fully Qualified Domain Name for 636 this MTA. The MTA FQDN is used to uniquely identify the 637 device to the PacketCable back office elements." 638 ::= { pktcMtaDevBase 4 } 640 pktcMtaDevEndPntCount OBJECT-TYPE 641 SYNTAX Unsigned32 (1..255) 642 MAX-ACCESS read-only 643 STATUS current 644 DESCRIPTION 645 " This object contains the number of physical endpoints for 646 this MTA." 647 ::= { pktcMtaDevBase 5 } 649 pktcMtaDevEnabled OBJECT-TYPE 650 SYNTAX TruthValue 651 MAX-ACCESS read-write 652 STATUS current 653 DESCRIPTION 654 " This object contains the MTA Admin Status of this device. 
          If this object is set to 'true', the MTA is
          administratively enabled and the MTA MUST be able to
          interact with the PacketCable entities such as CMS,
          Provisioning Server, KDC, and other MTAs and MGs on all
          PacketCable interfaces.
          If this object is set to 'false', the MTA is
          administratively disabled and the MTA MUST perform the
          following actions for all endpoints:
          - shutdown all media sessions if present,
          - shutdown NCS signaling by following the Restart in
            Progress procedures in the PacketCable NCS
            specification.
          The MTA must execute all actions required to
          enable or disable the telephony services for all
          endpoints immediately upon receipt of an SNMP SET
          operation.
          Additionally, the MTA MUST maintain the SNMP Interface
          for management and also the SNMP Key management interface.
          Also, the MTA MUST NOT continue Kerberized key management
          with CMSes until this object is set to 'true'.
          Note: MTAs MUST renew the CMS Kerberos tickets according
          to the PacketCable Security or IPCablecom Specification.
          If a value is written into an instance of
          pktcMtaDevEnabled, the agent MUST NOT retain the supplied
          value across MTA re-initializations or reboots."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          PacketCable Security Specification;
          PacketCable Network-Based Call Signaling Protocol
          Specification."
    ::= { pktcMtaDevBase 6 }

pktcMtaDevTypeIdentifier OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object provides the MTA device type identifier. The
          value of this object must be a copy of the DHCP option 60
          value exchanged between the MTA and the DHCP server. The
          DHCP option 60 value contains an ASCII encoded string
          identifying the capabilities of the MTA as defined in the
          PacketCable MTA Device Provisioning Specification."
    REFERENCE
        " RFC 2132, DHCP Options and BOOTP Vendor Extensions;
          PacketCable MTA Device Provisioning Specification."
    ::= { pktcMtaDevBase 7 }

pktcMtaDevProvisioningState OBJECT-TYPE
    SYNTAX      INTEGER {
                    pass (1),
                    inProgress (2),
                    failConfigFileError (3),
                    passWithWarnings (4),
                    passWithIncompleteParsing (5),
                    failureInternalError (6),
                    failureOtherReason (7)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object indicates the completion state of the MTA
          device provisioning process.

          pass:
          If the configuration file could be parsed successfully
          and the MTA is able to reflect the same in its
          MIB, the MTA MUST return the value 'pass'.

          inProgress:
          If the MTA is in the process of being provisioned,
          the MTA MUST return the value 'inProgress'.

          failConfigFileError:
          If the configuration file was in error due to incorrect
          values in the mandatory parameters, the MTA MUST reject
          the configuration file and the MTA MUST return the value
          'failConfigFileError'.

          passWithWarnings:
          If the configuration file had proper values for all the
          mandatory parameters but has errors in any of the optional
          parameters (this includes any vendor specific OIDs which
          are incorrect or not known to the MTA), the MTA MUST
          return the value 'passWithWarnings'.

          passWithIncompleteParsing:
          If the configuration file is valid, but the MTA cannot
          reflect the same in its configuration (for example, too
          many entries caused memory exhaustion), it must accept
          the related CMS configuration entries and the MTA MUST
          return the value 'passWithIncompleteParsing'.

          failureInternalError:
          If the configuration file cannot be parsed due to an
          internal error, the MTA MUST return the value
          'failureInternalError'.

          failureOtherReason:
          If the MTA cannot accept the configuration file for any
          other reason than the ones stated above, the MTA MUST
          return the value 'failureOtherReason'.

          When a final SNMP INFORM is sent as part of Step 25 of the
          MTA Provisioning process, this parameter is also included
          in the final INFORM message."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification."
    ::= { pktcMtaDevBase 8 }

pktcMtaDevHttpAccess OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object indicates whether the HTTP protocol is
          supported for the MTA configuration file transfer."
    ::= { pktcMtaDevBase 9 }

pktcMtaDevProvisioningTimer OBJECT-TYPE
    SYNTAX      Unsigned32 (0..30)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object defines the time interval for the provisioning
          flow to complete. The MTA MUST finish all provisioning
          operations starting from the moment when an MTA receives
          its DHCP ACK and ending at the moment when the MTA
          downloads its configuration file (e.g., MTA5 to MTA23)
          within the period of time set by this object.
          Failure to comply with this condition constitutes
          a provisioning flow failure. If the object is set to 0,
          the MTA MUST ignore the provisioning timer condition.
          If a value is written into an instance of
          pktcMtaDevProvisioningTimer, the agent MUST NOT retain the
          supplied value across MTA re-initializations or reboots."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification."
    DEFVAL { 10 }
    ::= { pktcMtaDevBase 10 }

pktcMtaDevProvisioningCounter OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object counts the number of times the
          provisioning cycle has looped through step MTA-1."
    ::= { pktcMtaDevBase 11 }

pktcMtaDevErrorOidsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevErrorOidsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This table contains the list of configuration errors or
          warnings the MTA encountered when parsing the
          configuration file it received from the Provisioning
          Server.
          For each error, an entry is created in this table
          containing the configuration parameters the MTA rejected
          and the associated reason (e.g. wrong or unknown OID,
          inappropriate object values, etc.). If the MTA
          did not report a provisioning state of 'pass(1)' in
          the pktcMtaDevProvisioningState object, this table MUST be
          populated for each error or warning instance. Even if
          different parameters share the same error type (e.g., all
          realm name configuration parameters are invalid), all
          observed errors or warnings must be reported as
          different instances. Errors are placed into the table in
          no particular order. The table MUST be cleared each time
          the MTA reboots."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification."
    ::= { pktcMtaDevBase 12 }

pktcMtaDevErrorOidsEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevErrorOidsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This entry contains the necessary information the MTA MUST
          attempt to provide in case of configuration file errors or
          warnings."
    INDEX { pktcMtaDevErrorOidIndex }
    ::= { pktcMtaDevErrorOidsTable 1 }

PktcMtaDevErrorOidsEntry ::= SEQUENCE {
    pktcMtaDevErrorOidIndex   Unsigned32,
    pktcMtaDevErrorOid        SnmpAdminString,
    pktcMtaDevErrorValue      SnmpAdminString,
    pktcMtaDevErrorReason     SnmpAdminString
}

pktcMtaDevErrorOidIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..1024)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This object is the index of the MTA configuration error
          table. It is an integer value which starts at value '1'
          and is incremented for each encountered configuration
          file error or warning.

          The maximum number of errors or warnings that can be
          recorded in the pktcMtaDevErrorOidsTable is set to 1024 as
          a configuration file is usually validated by operators
          before deployment. Given the possible number of
          configuration parameter assignments in the MTA
          configuration file, 1024 is perceived as a sufficient
          limit even with future extensions.

          If the number of the errors in the configuration file
          exceeds 1024, all errors beyond the 1024th one MUST
          be ignored and not be reflected in the
          pktcMtaDevErrorOidsTable."
    ::= { pktcMtaDevErrorOidsEntry 1 }

pktcMtaDevErrorOid OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains a human readable representation
          (character string) of the OID corresponding to the
          configuration file parameter that caused the particular
          error.
          For example, if the value of the pktcMtaDevEnabled object
          in the configuration file caused an error, then this
          object instance will contain the human readable string of
          '1.3.6.1.2.1.XXX.1.1.6.0'.

          -- ************************************************************
          -- * NOTES TO RFC Editor (to be removed prior to publication) *
          -- *                                                          *
          -- * Please replace XXX with the IANA-assigned number under   *
          -- * mib-2.                                                   *
          -- ************************************************************

          If the MTA generated an error because it was not able
          to recognize a particular OID, then this object
          instance would contain an empty value (zero-length
          string).
          For example, if the value of an OID in the configuration
          file was interpreted by the MTA as being 1.2.3.4.5, and
          the MTA was not able to recognize this OID as a valid one,
          this object instance will contain a zero-length string.

          If the number of errors in the configuration file exceeds
          1024, then for all subsequent errors, the
          pktcMtaDevErrorOid of the table's 1024th entry MUST
          contain a human readable representation of the
          pktcMtaDevErrorsTooManyErrors object, i.e. the string
          '1.3.6.1.2.1.XXX.1.1.4.1.0'.

          -- ************************************************************
          -- * NOTES TO RFC Editor (to be removed prior to publication) *
          -- *                                                          *
          -- * Please replace XXX with the IANA-assigned number under   *
          -- * mib-2.                                                   *
          -- ************************************************************
          Note that the syntax of this object is SnmpAdminString
          rather than OBJECT IDENTIFIER because the object value may
          not be a valid OID due to human or configuration tool
          encoding errors."
    ::= { pktcMtaDevErrorOidsEntry 2 }

pktcMtaDevErrorValue OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the value of the OID corresponding to
          the configuration file parameter that caused the error.
          If the MTA cannot recognize the OID of the
          configuration parameter causing the error, then this
          object instance contains the OID itself as interpreted
          by the MTA in human readable representation.
          If the MTA can recognize the OID but generates an error due
          to a wrong value of the parameter, then the object
          instance contains the erroneous value of the parameter as
          read from the configuration file.
          In both cases, the value of this object must be
          represented in human readable form as a character string.
          For example, if the value of the pktcMtaDevEnabled object
          in the configuration file was 3 (invalid value), then the
          pktcMtaDevErrorValue object instance will contain the
          human readable (string) representation of value '3'.
          Similarly, if the OID in the configuration file has been
          interpreted by the MTA as being 1.2.3.4.5, and the MTA
          cannot recognize this OID as a valid one, then this
          pktcMtaDevErrorValue object instance will contain the human
          readable (string) representation of value '1.2.3.4.5'.

          If the number of errors in the configuration file exceeds
          1024, then for all subsequent errors, the
          pktcMtaDevErrorValue of the table's 1024th entry MUST
          contain a human readable representation of the
          pktcMtaDevErrorsTooManyErrors object, i.e. the string
          '1.3.6.1.2.1.XXX.1.1.4.1.0'."
    -- ************************************************************
    -- * NOTES TO RFC Editor (to be removed prior to publication) *
    -- *                                                          *
    -- * Please replace XXX with the IANA-assigned number under   *
    -- * mib-2.                                                   *
    -- ************************************************************
    ::= { pktcMtaDevErrorOidsEntry 3 }

pktcMtaDevErrorReason OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object indicates the reason for the error or warning,
          as per the MTA's interpretation, in human readable form,
          for example:
          'VALUE NOT IN RANGE', 'VALUE DOES NOT MATCH TYPE',
          'UNSUPPORTED VALUE', 'LAST 4 BITS MUST BE SET TO ZERO',
          'OUT OF MEMORY - CANNOT STORE', etc.
          This object may also contain vendor specific errors for
          private vendor OIDs and any proprietary error codes or
          messages which can help diagnose configuration errors.
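          The following is an added example, not code from this draft
          or from any PacketCable implementation: a simulation of how
          an MTA could fill pktcMtaDevErrorOidsTable and derive
          pktcMtaDevProvisioningState from the rules above (unknown
          OID versus bad value, mandatory versus optional parameter,
          and the 1024-entry cap with the TooManyErrors marker). The
          configuration file is modelled as a constructed list of
          (OID, value) pairs rather than the real TLV encoding, the
          schema is a hypothetical subset, and PKTC_ARC stands in for
          the arc the draft writes as 1.3.6.1.2.1.XXX.

```python
"""Simulated MTA configuration-file validation feeding
pktcMtaDevErrorOidsTable.  Added example, not from the draft."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_ERRORS = 1024  # pktcMtaDevErrorOidIndex is Unsigned32 (1..1024)
PKTC_ARC = "1.3.6.1.2.1.XXX"  # placeholder: XXX is the IANA-assigned number
TOO_MANY_ERRORS_OID = PKTC_ARC + ".1.1.4.1.0"  # pktcMtaDevErrorsTooManyErrors
TOO_MANY_ERRORS_REASON = "Too many errors in the configuration file."


@dataclass(frozen=True)
class ObjectSpec:
    name: str
    mandatory: bool
    # Returns a pktcMtaDevErrorReason string, or None when the value is fine.
    check: Callable[[str], Optional[str]]


def truth_value(v: str) -> Optional[str]:
    return None if v in ("1", "2") else "VALUE NOT IN RANGE"


def unsigned_range(lo: int, hi: int) -> Callable[[str], Optional[str]]:
    def check(v: str) -> Optional[str]:
        if not v.isdigit():
            return "VALUE DOES NOT MATCH TYPE"
        return None if lo <= int(v) <= hi else "VALUE NOT IN RANGE"
    return check


# Hypothetical schema of OIDs the MTA recognises.  Treating
# pktcMtaDevEnabled as mandatory is an assumption for illustration.
SCHEMA: Dict[str, ObjectSpec] = {
    PKTC_ARC + ".1.1.6.0": ObjectSpec("pktcMtaDevEnabled", True, truth_value),
    PKTC_ARC + ".1.1.10.0": ObjectSpec("pktcMtaDevProvisioningTimer", False,
                                       unsigned_range(0, 30)),
}


@dataclass(frozen=True)
class ErrorRow:
    index: int    # pktcMtaDevErrorOidIndex
    oid: str      # pktcMtaDevErrorOid (empty when the OID is unknown)
    value: str    # pktcMtaDevErrorValue
    reason: str   # pktcMtaDevErrorReason


def validate_config(entries: List[Tuple[str, str]]) -> Tuple[str, List[ErrorRow]]:
    """Return (pktcMtaDevProvisioningState label, error table rows)."""
    rows: List[ErrorRow] = []
    mandatory_failed = False
    for oid, value in entries:
        spec = SCHEMA.get(oid)
        if spec is None:
            # Unknown OID: ErrorOid is a zero-length string and ErrorValue
            # carries the OID as the MTA interpreted it.
            oid_str, value_str, reason = "", oid, "UNKNOWN OID"
        else:
            reason = spec.check(value)
            if reason is None:
                continue
            mandatory_failed |= spec.mandatory
            oid_str, value_str = oid, value
        if len(rows) < MAX_ERRORS:
            rows.append(ErrorRow(len(rows) + 1, oid_str, value_str, reason))
        else:
            # Past the cap, the 1024th entry becomes the TooManyErrors
            # marker and the excess error itself is not recorded.
            rows[-1] = ErrorRow(MAX_ERRORS, TOO_MANY_ERRORS_OID,
                                TOO_MANY_ERRORS_OID, TOO_MANY_ERRORS_REASON)
    if mandatory_failed:
        return "failConfigFileError", rows
    if rows:
        return "passWithWarnings", rows
    return "pass", rows
```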
          If the number of errors in the configuration file exceeds
          1024, then for all subsequent errors, the
          pktcMtaDevErrorReason of the table's 1024th entry MUST
          contain a human readable string indicating the reason
          for an error, for example,
          'Too many errors in the configuration file.'."
    ::= { pktcMtaDevErrorOidsEntry 4 }

--
-- The following group describes server access and parameters used
-- for the initial MTA provisioning and bootstrapping phases.
--

pktcMtaDevDhcpServerAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the Internet address type for the
          PacketCable DHCP servers specified in the MTA MIB."
    DEFVAL { ipv4 }
    ::= { pktcMtaDevServer 1 }

pktcMtaDevServerDhcp1 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the Internet Address of the primary
          DHCP server the MTA uses during provisioning.
          The type of this address is determined by the value of
          the pktcMtaDevDhcpServerAddressType object.
          When the latter has the value 'ipv4(1)', this object
          contains the IP address of the primary DHCP
          server. It is provided by the CM to the MTA via the DHCP
          option code 122 sub-option 1 as defined in RFC 3495.

          The behavior of this object when the value of
          pktcMtaDevDhcpServerAddressType is other than 'ipv4(1)'
          is not presently specified, but may be specified
          in future versions of this MIB module.
          If this object is of value
          0.0.0.0, the MTA MUST stop all provisioning
          attempts as well as all other activities.
          If this object is of value 255.255.255.255, it means there
          was no preference given for the primary DHCP server,
          and the MTA must follow the logic of RFC 2131, and the
          value of DHCP option 122 sub-option 2 must be ignored."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          RFC 2131, Dynamic Host Configuration Protocol;
          RFC 3495, DHCP Option for CableLabs Client Configuration."
    ::= { pktcMtaDevServer 2 }

pktcMtaDevServerDhcp2 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the Internet Address of the secondary
          DHCP server the MTA uses during provisioning.
          The type of this address is determined by the value of
          the pktcMtaDevDhcpServerAddressType object.
          When the latter has the value 'ipv4(1)', this object
          contains the IP address of the secondary DHCP
          server. It is provided by the CM to the MTA via the DHCP
          option code 122 sub-option 2 as defined in RFC 3495.

          The behavior of this object when the value of
          pktcMtaDevDhcpServerAddressType is other than 'ipv4(1)'
          is not presently specified, but may be specified
          in future versions of this MIB module.
          If there was no secondary DHCP server provided in DHCP
          Option 122 sub-option 2, this object must return the value
          0.0.0.0."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          RFC 3495, DHCP Option for CableLabs Client Configuration."
    ::= { pktcMtaDevServer 3 }

pktcMtaDevDnsServerAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the Internet address type for the
          PacketCable DNS servers specified in the MTA MIB."
    DEFVAL { ipv4 }
    ::= { pktcMtaDevServer 4 }

pktcMtaDevServerDns1 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object contains the IP Address of the primary
          DNS server to be used by the MTA. The type of this address
          is determined by the value of the
          pktcMtaDevDnsServerAddressType object.
          When the latter has the value 'ipv4(1)', this object
          contains the IP address of the primary DNS server.
          As defined in RFC 2132, PacketCable compliant MTAs receive
          the IP addresses of the DNS Servers in the DHCP option 6.
          The behavior of this object when the value of
          pktcMtaDevDnsServerAddressType is other than 'ipv4(1)'
          is not presently specified, but may be specified
          in future versions of this MIB module.
          If a value is written into an instance of
          pktcMtaDevServerDns1, the agent MUST NOT retain the
          supplied value across MTA re-initializations or reboots."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          RFC 2132, DHCP Options and BOOTP Vendor Extensions."
    ::= { pktcMtaDevServer 5 }

pktcMtaDevServerDns2 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object contains the IP Address of the secondary
          DNS server to be used by the MTA. The type of this address
          is determined by the value of the
          pktcMtaDevDnsServerAddressType object.
          When the latter has the value 'ipv4(1)', this object
          contains the IP address of the secondary DNS
          server. As defined in RFC 2132, PacketCable compliant MTAs
          receive the IP addresses of the DNS Servers in the DHCP
          option 6.
          The behavior of this object when the value of
          pktcMtaDevDnsServerAddressType is other than 'ipv4(1)'
          is not presently specified, but may be specified
          in future versions of this MIB module.
          If a value is written into an instance of
          pktcMtaDevServerDns2, the agent MUST NOT retain the
          supplied value across MTA re-initializations or reboots."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          RFC 2132, DHCP Options and BOOTP Vendor Extensions."
    ::= { pktcMtaDevServer 6 }

pktcMtaDevTimeServerAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the Internet address type for the
          PacketCable Time servers specified in the MTA MIB."
    DEFVAL { ipv4 }
    ::= { pktcMtaDevServer 7 }

pktcMtaDevTimeServer OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object contains the Internet Address of the Time
          Server used by an S-MTA for Time Synchronization. The type
          of this address is determined by the value of the
          pktcMtaDevTimeServerAddressType object.
          When the latter has the value 'ipv4(1)', this object
          contains the IP address of the Time Server used for Time
          Synchronization.
          In the case of an S-MTA, this object must be
          populated with a value other than 0.0.0.0 as obtained
          from DHCP Option 4. The protocol by which the time of day
          MUST be retrieved is defined in RFC 868.
          In the case of an E-MTA, this object must contain a
          value of 0.0.0.0 if the address type is 'ipv4(1)' since
          an E-MTA does not use the Time Protocol for time
          synchronization (an E-MTA uses the time retrieved by the
          DOCSIS cable modem).
          The behavior of this object when the value of
          pktcMtaDevTimeServerAddressType is other than 'ipv4(1)'
          is not presently specified, but may be specified in future
          versions of this MIB module.
          If a value is written into an instance of
          pktcMtaDevTimeServer, the agent MUST NOT retain the
          supplied value across MTA re-initializations or reboots."
    REFERENCE
        " RFC 868, Time Protocol;
          RFC 2131, Dynamic Host Configuration Protocol;
          RFC 2132, DHCP Options and BOOTP Vendor Extensions."
    ::= { pktcMtaDevServer 8 }

pktcMtaDevConfigFile OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object specifies the MTA device configuration file
          information, including the access method, the server name
          and the configuration file name. The value of this object
          is the Uniform Resource Locator (URL) of the configuration
          file for TFTP or HTTP download.
          If this object value is a TFTP URL, it must be formatted
          as defined in RFC 3617.
          If this object value is an HTTP URL, it must be formatted
          as defined in RFC 2616.
          If the MTA SNMP Enrollment mechanism is used, then the MTA
          must download the file provided by the Provisioning Server
          during provisioning via an SNMP SET on this object.
          If the MTA SNMP Enrollment mechanism is not used, this
          object MUST contain the URL value corresponding to the
          'siaddr' and 'file' fields received in the DHCP ACK to
          locate the configuration file: the 'siaddr' and 'file'
          fields represent the host and file of the TFTP URL.
          In this case, the MTA MUST return an
          'inconsistentValue' error in response to SNMP SET
          operations.
          The MTA MUST return a zero-length string if the server
          address (host part of the URL) is unknown.
          If a value is written into an instance of
          pktcMtaDevConfigFile, the agent MUST NOT retain the
          supplied value across MTA re-initializations or reboots."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          RFC 3617, URI Scheme for TFTP; RFC 2616, HTTP 1.1"
    ::= { pktcMtaDevServer 9 }

pktcMtaDevSnmpEntity OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the FQDN of the SNMP entity of the
          Provisioning Server. When the MTA SNMP Enrollment
          Mechanism is used, this object represents the server the
          MTA communicates with to receive the configuration file
          URL from and to send the enrollment notification to.
          The SNMP entity is also the destination entity for all
          the provisioning notifications. It may be used for
          post-provisioning SNMP operations.
          During the provisioning phase, this SNMP
          entity FQDN is supplied to the MTA via the DHCP option 122
          sub-option 3 as defined in RFC 3495. The MTA must resolve
          the FQDN value before its very first network interaction
          with the SNMP entity during the provisioning phase."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          RFC 3495, DHCP Option for CableLabs Client Configuration."
    ::= { pktcMtaDevServer 10 }

pktcMtaDevProvConfigHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(20))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object contains the hash value of the contents of the
          configuration file.
          The authentication algorithm is SHA-1, and the length
          is 160 bits. The hash calculation MUST follow the
          requirements defined in the PacketCable Security
          Specification.
          When the MTA SNMP Enrollment mechanism is used, this
          hash value is calculated and sent to the MTA prior
          to sending the config file.
          This object value is then
          provided by the Provisioning Server via an SNMP
          SET operation.
          When the MTA SNMP Enrollment mechanism is not in use, the
          hash value is provided in the configuration file itself
          and it is also calculated by the MTA. This object value
          MUST represent the hash value calculated by the MTA.
          When the MTA SNMP Enrollment mechanism is not in use, the
          MTA must reject all SNMP SET operations on this object and
          return an 'inconsistentValue' error.
          If a value is written into an instance of
          pktcMtaDevProvConfigHash, the agent MUST NOT retain the
          supplied value across MTA re-initializations or reboots."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          PacketCable Security Specification."
    ::= { pktcMtaDevServer 11 }

pktcMtaDevProvConfigKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(32))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object contains the key used to encrypt/decrypt
          the configuration file when secure SNMPv3 provisioning
          is used.
          The value of this object is provided along with the
          configuration file information (pktcMtaDevConfigFile)
          and hash (pktcMtaDevProvConfigHash) by the Provisioning
          Server via SNMP SET once the configuration file has been
          created as defined by the PacketCable Security
          specification.

          The privacy algorithm is defined by the
          pktcMtaDevProvConfigEncryptAlg MIB object. The
          MTA requirements related to the privacy algorithm are
          defined in the PacketCable Security Specification.

          If this object is set at any other provisioning steps than
          the one(s) allowed by the PacketCable MTA Device
          Provisioning Specification, the MTA SHOULD return
          an 'inconsistentValue' error.
          This object must not be used in non secure provisioning
          mode. In non secure provisioning modes, the MTA SHOULD
          return an 'inconsistentValue' in response to SNMP SET
          operations, and the MTA SHOULD return a zero-length
          string in response to SNMP GET operations.
          If a value is written into an instance of
          pktcMtaDevProvConfigKey, the agent MUST NOT retain the
          supplied value across MTA re-initializations or reboots."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          PacketCable Security Specification."
    ::= { pktcMtaDevServer 12 }

pktcMtaDevProvConfigEncryptAlg OBJECT-TYPE
    SYNTAX      PktcMtaDevProvEncryptAlg
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object defines the encryption algorithm used for
          privacy protection of the MTA Configuration File content."
    DEFVAL { des64CbcMode }
    ::= { pktcMtaDevServer 13 }

pktcMtaDevProvSolicitedKeyTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (0..180)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object defines a Kerberos Key Management timer on the
          MTA. It is the time period during which the MTA saves the
          nonce and Server Kerberos Principal Identifier to match an
          AP Request and its associated AP Reply response from the
          Provisioning Server.
          After the timeout has been exceeded, the client discards
          this (nonce, Server Kerberos Principal Identifier) pair,
          after which it will no longer accept a matching AP Reply.
          This timer only applies when the Provisioning Server
          initiated key management for SNMPv3 (with a
          Wake Up message).
          If this object is set to a zero value, the MTA MUST return
          an 'inconsistentValue' in response to SNMP SET operations.
          This object should not be used in non secure provisioning
          modes. In non secure provisioning modes, the MTA MUST
          return an 'inconsistentValue' in response to SNMP SET
          operations, and the MTA MUST return a zero value in
          response to SNMP GET operations.
          If a value is written into an instance of
          pktcMtaDevProvSolicitedKeyTimeout, the agent MUST NOT
          retain the supplied value across MTA re-initializations
          or reboots."
    DEFVAL { 3 }
    ::= { pktcMtaDevServer 14 }

--=================================================================
--
-- Unsolicited key updates are retransmitted based on an
-- exponential back-off mechanism using two timers and a maximum
-- retry counter for AS replies.
-- The initial retransmission timer value is the nominal timer
-- value (pktcMtaDevProvUnsolicitedKeyNomTimeout). The
-- retransmissions occur with an exponentially increasing interval
-- that caps at the maximum timeout value
-- (pktcMtaDevProvUnsolicitedKeyMaxTimeout).
-- Retransmissions stop when the maximum retry counter is reached
-- (pktcMtaDevProvUnsolicitedKeyMaxRetries).
-- For example, with values of 3 seconds for the nominal
-- timer, 100 seconds for the maximum timeout, 8 retries max and
-- an exponential value of 2, this results in retransmission
-- intervals of 3 s, 6 s, 12 s, 24 s, 48 s, 96 s, 100 s, 100 s, and
-- then retransmissions stop because the maximum number of
-- retries (8) has been reached.
--
--=================================================================
--
-- Timeouts for unsolicited key management updates are only
-- pertinent before the first SNMPv3 message is sent between the
-- MTA and the Provisioning Server and before the configuration
-- file is loaded.
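-- The following is an added example, not code from this draft or
-- from any MTA implementation. It works through the back-off
-- schedule described above with the draft's own figures (3 s
-- nominal, 100 s maximum, 8 retries, exponent 2), applies the SET
-- rules the draft states for these timer objects (zero is rejected
-- with inconsistentValue; out-of-range values get wrongValue per
-- RFC 3416), and models the (nonce, principal) expiry rule of
-- pktcMtaDevProvSolicitedKeyTimeout. All function and class names
-- are this example's own, and the nonce and principal values in the
-- test are constructed.

```python
"""Kerberos key-management timers of the MTA MIB.  Added example,
not from the draft."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Value ranges from the SYNTAX clauses of the corresponding objects.
UNSOLICITED_TIMEOUT_RANGE = (0, 600)  # ...UnsolicitedKeyNomTimeout / MaxTimeout
UNSOLICITED_RETRIES_RANGE = (0, 32)   # pktcMtaDevProvUnsolicitedKeyMaxRetries
SOLICITED_TIMEOUT_RANGE = (0, 180)    # pktcMtaDevProvSolicitedKeyTimeout


class SnmpSetError(ValueError):
    """Error-status an agent would return for a rejected SNMP SET."""


def check_set(value: int, rng: Tuple[int, int]) -> int:
    """Out-of-range values are wrongValue (RFC 3416); a zero timer or
    retry count is rejected with inconsistentValue as the draft says."""
    lo, hi = rng
    if not lo <= value <= hi:
        raise SnmpSetError("wrongValue")
    if value == 0:
        raise SnmpSetError("inconsistentValue")
    return value


def set_status(value: int, rng: Tuple[int, int]) -> str:
    """Error-status name for SETting `value` into an object of range `rng`."""
    try:
        check_set(value, rng)
    except SnmpSetError as exc:
        return str(exc)
    return "noError"


def unsolicited_key_schedule(nominal: int, maximum: int, max_retries: int,
                             exponent: int = 2) -> List[int]:
    """Seconds between successive AP-REQ retransmissions.

    The first interval is the nominal timeout; each later one is the
    previous interval times `exponent`, capped at `maximum`.  One entry
    per retry, so the MTA gives up once the list is exhausted.
    """
    nominal = check_set(nominal, UNSOLICITED_TIMEOUT_RANGE)
    maximum = check_set(maximum, UNSOLICITED_TIMEOUT_RANGE)
    max_retries = check_set(max_retries, UNSOLICITED_RETRIES_RANGE)
    intervals: List[int] = []
    interval = nominal
    for _ in range(max_retries):
        intervals.append(min(interval, maximum))
        interval *= exponent
    return intervals


def give_up_after(nominal: int, maximum: int, max_retries: int) -> int:
    """Seconds after the first AP-REQ at which the MTA stops retrying."""
    return sum(unsolicited_key_schedule(nominal, maximum, max_retries))


@dataclass
class SolicitedKeyState:
    """Pending (nonce, server principal) pairs for server-initiated
    (Wake Up) key management; each pair lives `timeout` seconds."""
    timeout: int = 3  # DEFVAL of pktcMtaDevProvSolicitedKeyTimeout
    pending: Dict[Tuple[bytes, str], float] = field(default_factory=dict)

    def set_timeout(self, value: int) -> None:
        self.timeout = check_set(value, SOLICITED_TIMEOUT_RANGE)

    def on_ap_request(self, nonce: bytes, principal: str, now: float) -> None:
        # Remember the pair so the matching AP Reply can be recognised.
        self.pending[(nonce, principal)] = now + self.timeout

    def accept_ap_reply(self, nonce: bytes, principal: str, now: float) -> bool:
        # Expired pairs are discarded first, so a late AP Reply is
        # rejected even when its nonce and principal would match.
        self.pending = {k: t for k, t in self.pending.items() if t > now}
        return self.pending.pop((nonce, principal), None) is not None
```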
--
--=================================================================

pktcMtaDevProvUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (0..600)
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object defines the timeout value that applies to
          an MTA-initiated AP-REQ/REP key management exchange with
          the Provisioning Server in SNMPv3 provisioning.
          It is the maximum timeout value and it may not be exceeded
          in the exponential back-off algorithm. If the DHCP option
          code 122 sub-option 5 is provided to the MTA, it
          overwrites this value.
          In non secure provisioning modes, the MTA MUST
          return a zero value in response to SNMP GET
          operations."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 600 }
    ::= { pktcMtaDevServer 15 }

pktcMtaDevProvUnsolicitedKeyNomTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (0..600)
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object defines the starting value of the timeout
          for the AP-REQ/REP Backoff and Retry mechanism
          with exponential timeout in SNMPv3 provisioning.
          If the DHCP option code 122 sub-option 5 is provided to
          the MTA, it overwrites this value.
          In non secure provisioning modes, the MTA MUST
          return a zero value in response to SNMP GET
          operations."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 3 }
    ::= { pktcMtaDevServer 16 }

pktcMtaDevProvUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Unsigned32 (0..32)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains a retry counter that applies to
          an MTA-initiated AP-REQ/REP key management exchange with
          the Provisioning Server in secure SNMPv3 provisioning.
          It is the maximum number of retries before the MTA stops
          attempting to establish a Security Association with the
          Provisioning Server.
          If the DHCP option code 122 sub-option 5 is provided to
          the MTA, it overwrites this value.
          If this object is set to a zero value, the MTA MUST return
          an 'inconsistentValue' in response to SNMP SET operations.
          In non secure provisioning modes, the MTA MUST
          return a zero value in response to SNMP GET
          operations."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 8 }
    ::= { pktcMtaDevServer 17 }

pktcMtaDevProvKerbRealmName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the name of the associated
          provisioning Kerberos realm acquired during the MTA4
          provisioning step (DHCP Ack) for SNMPv3 provisioning.
          The upper case ASCII representation of the associated
          Kerberos realm name MUST be used by both the Manager (SNMP
          entity) and the MTA.
          The Kerberos realm name for the Provisioning Server is
          supplied to the MTA via DHCP option code 122 sub-option 6
          as defined in RFC 3495. In secure SNMP provisioning mode
          the value of the Kerberos realm name for the Provisioning
          Server supplied in the MTA configuration file must match
          the value supplied in the DHCP option code 122
          sub-option 6. Otherwise the value of this object must
          contain the value supplied in DHCP Option 122
          sub-option 6."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
          RFC 3495, DHCP Option for CableLabs Client Configuration."
1498 ::= { pktcMtaDevServer 18 } 1500 pktcMtaDevProvState OBJECT-TYPE 1501 SYNTAX INTEGER { 1502 operational (1), 1503 waitingForSnmpSetInfo (2), 1504 waitingForTftpAddrResponse (3), 1505 waitingForConfigFile (4) 1506 } 1507 MAX-ACCESS read-only 1508 STATUS current 1509 DESCRIPTION 1510 " This object defines the MTA provisioning state. 1511 If the state is: 1512 'operational(1)', the device has completed the loading 1513 and processing of the initialization parameters. 1515 'waitingForSnmpSetInfo(2)', the device is waiting on 1516 its configuration file download access information. 1517 Note that this state is only reported when the MTA 1518 SNMP enrollment mechanism is used. 1520 'waitingForTftpAddrResponse(3)', the device has sent a 1521 DNS request to resolve the server providing the 1522 configuration file and it is awaiting for a response. 1523 Note that this state is only reported when the MTA 1524 SNMP enrollment mechanism is used. 1526 'waitingForConfigFile(4)', the device has sent a 1527 request via TFTP or HTTP for the download of its 1528 configuration file and it is awaiting for a response or 1529 the file download is in progress." 1530 REFERENCE 1531 " PacketCable MTA Device Provisioning Specification, 1532 PacketCable Security Specification." 1533 ::= { pktcMtaDevServer 19 } 1535 -- 1536 -- The following object group describes the security objects. 1537 -- 1539 pktcMtaDevManufacturerCertificate OBJECT-TYPE 1540 SYNTAX DocsX509ASN1DEREncodedCertificate 1541 MAX-ACCESS read-only 1542 STATUS current 1544 IPCDN MTA MIB December 2005 1546 DESCRIPTION 1547 " This object contains the MTA Manufacturer Certificate. 1548 The object value must be the ASN.1 DER encoding of the MTA 1549 manufacturer's X.509 public key certificate. The MTA 1550 Manufacturer Certificate is issued to each MTA 1551 manufacturer and is installed into each MTA at the time of 1552 manufacture or with a secure code download. 
The specific 1553 requirements related to this certificate are defined in 1554 the PacketCable or IPCablecom Security specifications." 1555 REFERENCE 1556 " PacketCable Security Specification." 1558 ::= {pktcMtaDevSecurity 1} 1560 pktcMtaDevCertificate OBJECT-TYPE 1561 SYNTAX DocsX509ASN1DEREncodedCertificate 1562 MAX-ACCESS read-only 1563 STATUS current 1564 DESCRIPTION 1565 " This object contains the MTA Device Certificate. 1566 The object value must be the ASN.1 DER encoding of the 1567 MTA's X.509 public-key certificate issued by the 1568 manufacturer and installed into the MTA at the time of 1569 manufacture or with a secure code download. 1570 This certificate contains the MTA MAC address. The 1571 specific requirements related to this certificate are 1572 defined in the PacketCable or IPCablecom Security 1573 specifications." 1574 REFERENCE 1575 " PacketCable Security Specification." 1576 ::= { pktcMtaDevSecurity 2 } 1578 pktcMtaDevCorrelationId OBJECT-TYPE 1579 SYNTAX Unsigned32 1580 MAX-ACCESS read-only 1581 STATUS current 1582 DESCRIPTION 1583 " This object contains a correlation ID, an arbitrary value 1584 generated by the MTA that will be exchanged as part of the 1585 device capability data to the Provisioning Application. 1586 This random value is used as an identifier to correlate 1587 related events in the MTA provisioning sequence. 1588 This value is intended for use only during the MTA 1589 initialization and configuration file download." 1590 REFERENCE 1591 " PacketCable MTA Device Provisioning Specification." 1592 ::= { pktcMtaDevSecurity 3 } 1594 pktcMtaDevTelephonyRootCertificate OBJECT-TYPE 1596 IPCDN MTA MIB December 2005 1598 SYNTAX DocsX509ASN1DEREncodedCertificate 1599 MAX-ACCESS read-only 1600 STATUS current 1601 DESCRIPTION 1602 " This object contains the telephony Service Provider Root 1603 certificate. The object value is the ASN.1 DER encoding of 1604 the IP Telephony Service Provider Root X.509 public key 1605 certificate. 
        This certificate is stored in the MTA
        non-volatile memory and can be updated with a secure code
        download. This certificate is used to validate the initial
        AS Reply received by the MTA from the KDC during the MTA
        initialization. The specific requirements related to this
        certificate are defined in the PacketCable or IPCablecom
        Security specifications."
    REFERENCE
        " PacketCable Security Specification."
    ::= { pktcMtaDevSecurity 4 }

--=================================================================
--
-- Informative procedures for setting up Security Associations:
--
-- A Security Association may be set up either via configuration or
-- via NCS signaling.
--
-- I. Security association setup via configuration.
--
-- The realm must be configured first. Associated with the realm
-- is a KDC. The realm table (pktcMtaDevRealmTable) indicates
-- information about the realm (e.g., name, organization name) and
-- parameters associated with KDC communications (e.g., grace
-- periods, AS Request/AS Reply adaptive back-off parameters).
--
-- Once the realm is established, one or more CMS(es) may be
-- defined in the realm. Associated with each CMS
-- entry in the pktcMtaDevCmsTable is an explicit reference
-- to a Realm via the realm name (pktcMtaDevCmsKerbRealmName),
-- the FQDN of the CMS, and parameters associated with IPsec
-- key management with the CMS (e.g., clock skew, AP Request/
-- AP Reply adaptive back-off parameters).
--
-- II. Security association setup via NCS signaling.
--
-- The procedure of establishing the Security Associations
-- for NCS signaling is described in the PacketCable Security
-- specification.
-- It involves the analysis of the pktcNcsEndPntConfigTable row
-- for the corresponding endpoint number and correlating
-- the CMS FQDN from this row with the CMS Table and
-- consequently with the Realm Table. Both of these tables
-- are defined below. The pktcNcsEndPntConfigTable is defined in
-- the IPCDN NCS Signaling MIB [RFCzzz].
-- ************************************************************
-- * NOTES TO RFC Editor (to be removed prior to publication) *
-- *                                                          *
-- * Please replace RFCzzz with the appropriate RFC number    *
-- * (see the informative reference section for details) and *
-- * remove this note.                                        *
-- ************************************************************

--
-- III. When the MTA receives wake-up or re-key messages from a
-- CMS, it performs key management based on the corresponding
-- entry in the CMS table. If the matching CMS entry does not
-- exist, it must ignore the wake-up or re-key messages.
--
--=================================================================
--=================================================================
--
-- pktcMtaDevRealmTable
--
-- The pktcMtaDevRealmTable shows the KDC realms. The table is
-- indexed with pktcMtaDevRealmIndex. The Realm Table contains the
-- pktcMtaDevRealmName in conjunction with any server which needs
-- a Security Association with the MTA. Upper case must be used
-- to compare the pktcMtaDevRealmName content.
--
--=================================================================

pktcMtaDevRealmAvailSlot OBJECT-TYPE
    SYNTAX      Unsigned32 (0..64)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the index number of the first
        available entry in the realm table (pktcMtaDevRealmTable).
        If all the entries in the realm table have been assigned,
        this object contains the value of zero.
        A management station should create new entries in the
        realm table using the following procedure:
        first, issue a management protocol retrieval operation
        to determine the value of the first available index in the
        realm table (pktcMtaDevRealmAvailSlot);
        second, issue a management protocol SET operation
        to create an instance of the pktcMtaDevRealmStatus
        object by setting its value to 'createAndWait(5)';
        third, if the SET operation succeeded, continue
        modifying the object instances corresponding to the newly
        created conceptual row, without fear of collision with
        other management stations. When all necessary conceptual
        columns of the row are properly populated (via SET
        operations or default values), the management station may
        SET the pktcMtaDevRealmStatus object to 'active(1)'."
    ::= { pktcMtaDevSecurity 5 }

pktcMtaDevRealmTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevRealmEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This object contains the realm table.
        The CMS table (pktcMtaDevCmsTable) and the realm table
        (pktcMtaDevRealmTable) are used for managing the MTA-CMS
        Security Associations. The realm table defines the
        Kerberos realms for the Application Servers (CMSes & the
        Provisioning Server)."
    ::= { pktcMtaDevSecurity 6 }

pktcMtaDevRealmEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevRealmEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This table entry object lists the MTA security parameters
        for a single Kerberos realm. The conceptual rows MUST NOT
        persist across MTA reboots."
    INDEX { pktcMtaDevRealmIndex }
    ::= { pktcMtaDevRealmTable 1 }

PktcMtaDevRealmEntry ::= SEQUENCE {
    pktcMtaDevRealmIndex                     Unsigned32,
    pktcMtaDevRealmName                      SnmpAdminString,
    pktcMtaDevRealmPkinitGracePeriod         Unsigned32,
    pktcMtaDevRealmTgsGracePeriod            Unsigned32,
    pktcMtaDevRealmOrgName                   LongUtf8String,
    pktcMtaDevRealmUnsolicitedKeyMaxTimeout  Unsigned32,
    pktcMtaDevRealmUnsolicitedKeyNomTimeout  Unsigned32,
    pktcMtaDevRealmUnsolicitedKeyMaxRetries  Unsigned32,
    pktcMtaDevRealmStatus                    RowStatus
    }

pktcMtaDevRealmIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..64)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This object defines the realm table index."
    ::= { pktcMtaDevRealmEntry 1 }

pktcMtaDevRealmName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object identifies the Kerberos realm name in all
        capitals. The MTA MUST prohibit the instantiation of any
        two rows with identical Kerberos realm names. The MTA MUST
        also verify that any search operation involving Kerberos
        realm names is done using the upper case ASCII
        representation of the characters."
    ::= { pktcMtaDevRealmEntry 2 }

pktcMtaDevRealmPkinitGracePeriod OBJECT-TYPE
    SYNTAX      Unsigned32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object contains the PKINIT Grace Period. For the
        purpose of key management with Application Servers (CMSes
        or the Provisioning Server), the MTA must utilize the
        PKINIT exchange to obtain Application Server tickets. The
        MTA may utilize the PKINIT exchange to obtain Ticket
        Granting Tickets (TGTs), which are then used to obtain
        Application Server tickets in a TGS exchange.
        The PKINIT exchange occurs based on the current Ticket
        Expiration Time (TicketEXP) and on the PKINIT Grace Period
        (PKINITGP). The MTA MUST initiate the PKINIT exchange at
        the time: TicketEXP - PKINITGP."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 15 }
    ::= { pktcMtaDevRealmEntry 3 }

pktcMtaDevRealmTgsGracePeriod OBJECT-TYPE
    SYNTAX      Unsigned32 (1..600)
    UNITS       "minutes"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object contains the Ticket Granting Server Grace
        Period (TGSGP). The Ticket Granting Server (TGS)
        Request / Reply exchange may be performed by the MTA
        on demand whenever an Application Server ticket is
        needed to establish security parameters. If the MTA
        possesses a ticket that corresponds to the Provisioning
        Server or a CMS that currently exists in the CMS table,
        the MTA MUST initiate the TGS Request / Reply exchange
        at the time: TicketEXP - TGSGP."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 10 }
    ::= { pktcMtaDevRealmEntry 4 }

pktcMtaDevRealmOrgName OBJECT-TYPE
    SYNTAX      LongUtf8String
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object contains the X.500 organization name attribute
        as defined in the subject name of the service provider
        certificate."
    REFERENCE
        " PacketCable Security Specification;
        RFC 3280, Internet X.509 Public Key Infrastructure
        Certificate and Certificate Revocation List (CRL) Profile"
    ::= { pktcMtaDevRealmEntry 5 }

pktcMtaDevRealmUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (1..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object specifies the maximum time the MTA will
        attempt to perform the exponential back-off algorithm.
        This timer only applies when the MTA initiated key
        management. If the DHCP option code 122 sub-option 4 is
        provided to the MTA, it overwrites this value.

        Unsolicited key updates are retransmitted based on an
        exponential back-off mechanism using two timers and a
        maximum retry counter for AS replies.
        The initial retransmission timer value is the nominal
        timer value (pktcMtaDevRealmUnsolicitedKeyNomTimeout). The
        retransmissions occur with an exponentially increasing
        interval that caps at the maximum timeout value
        (pktcMtaDevRealmUnsolicitedKeyMaxTimeout).
        Retransmissions stop when the maximum retry counter is
        reached (pktcMtaDevRealmUnsolicitedKeyMaxRetries).

        For example, with values of 3 seconds for the nominal
        timer, 20 seconds for the maximum timeout and 5 retries
        max, this results in retransmission intervals of 3 s, 6 s,
        12 s, 20 s, 20 s, and then retransmissions stop because
        the maximum number of retries has been reached."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 100 }
    ::= { pktcMtaDevRealmEntry 6 }

pktcMtaDevRealmUnsolicitedKeyNomTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (100..600000)
    UNITS       "milliseconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object specifies the initial timeout value
        for the AS-REQ/AS-REP exponential back-off and retry
        mechanism. If the DHCP option code 122 sub-option 4 is
        provided to the MTA, it overwrites this value.
        This value should account for the average roundtrip
        time between the MTA and the KDC as well as the
        processing delay on the KDC.

        Unsolicited key updates are retransmitted based on an
        exponential back-off mechanism using two timers and a
        maximum retry counter for AS replies.
        The initial retransmission timer value is the nominal
        timer value (pktcMtaDevRealmUnsolicitedKeyNomTimeout). The
        retransmissions occur with an exponentially increasing
        interval that caps at the maximum timeout value
        (pktcMtaDevRealmUnsolicitedKeyMaxTimeout).
        Retransmissions stop when the maximum retry counter is
        reached (pktcMtaDevRealmUnsolicitedKeyMaxRetries).

        For example, with values of 3 seconds for the nominal
        timer, 20 seconds for the maximum timeout and 5 retries
        max, this results in retransmission intervals of 3 s, 6 s,
        12 s, 20 s, 20 s, and then retransmissions stop because
        the maximum number of retries has been reached."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 3000 }
    ::= { pktcMtaDevRealmEntry 7 }

pktcMtaDevRealmUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Unsigned32 (0..1024)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object specifies the maximum number of retries the
        MTA attempts to obtain a ticket from the KDC.

        Unsolicited key updates are retransmitted based on an
        exponential back-off mechanism using two timers and a
        maximum retry counter for AS replies.
        The initial retransmission timer value is the nominal
        timer value (pktcMtaDevRealmUnsolicitedKeyNomTimeout). The
        retransmissions occur with an exponentially increasing
        interval that caps at the maximum timeout value
        (pktcMtaDevRealmUnsolicitedKeyMaxTimeout).
        Retransmissions stop when the maximum retry counter is
        reached (pktcMtaDevRealmUnsolicitedKeyMaxRetries).

        For example, with values of 3 seconds for the nominal
        timer, 20 seconds for the maximum timeout and 5 retries
        max, this results in retransmission intervals of 3 s, 6 s,
        12 s, 20 s, 20 s, and then retransmissions stop because
        the maximum number of retries has been reached."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 5 }
    ::= { pktcMtaDevRealmEntry 8 }

pktcMtaDevRealmStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object defines the row status of this realm in the
        realm table (pktcMtaDevRealmTable).

        An entry in this table is not qualified for activation
        until the object instances of all corresponding columns
        have been initialized, either by default values, or via
        explicit SET operations. Until all object instances in
        this row are initialized, the status value for this realm
        must be 'notReady(3)'.
        In particular, two columnar objects must be explicitly
        SET: the realm name (pktcMtaDevRealmName) and the
        organization name (pktcMtaDevRealmOrgName). Once these 2
        objects have been set and the row status is SET to
        'active(1)', the MTA MUST NOT allow any modification of
        these 2 object values.
        The value of this object has no effect on whether other
        columnar objects in this row can be modified."
    ::= { pktcMtaDevRealmEntry 9 }

--=================================================================
--
-- The CMS table, pktcMtaDevCmsTable
--
-- The CMS table and the realm table (pktcMtaDevRealmTable) are used
-- for managing the MTA signaling security. The CMS table defines
-- the CMSes the MTA is allowed to communicate with and contains
-- the parameters describing the SA establishment between the MTA
-- and a CMS.
-- The CMS table is indexed by pktcMtaDevCmsIndex. The table
-- contains the CMS FQDN (pktcMtaDevCmsFqdn) and the associated
-- Kerberos realm name (pktcMtaDevCmsKerbRealmName) so that the MTA
-- can find the corresponding Kerberos realm name in the
-- pktcMtaDevRealmTable.
--
--=================================================================

pktcMtaDevCmsAvailSlot OBJECT-TYPE
    SYNTAX      Unsigned32 (0..128)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object contains the index number of the first
        available entry in the CMS table (pktcMtaDevCmsTable).
        If all the entries in the CMS table have been assigned,
        this object contains the value of zero.
        A management station should create new entries in the
        CMS table using the following procedure:
        first, issue a management protocol retrieval operation
        to determine the value of the first available index in the
        CMS table (pktcMtaDevCmsAvailSlot);
        second, issue a management protocol SET operation
        to create an instance of the pktcMtaDevCmsStatus
        object by setting its value to 'createAndWait(5)';
        third, if the SET operation succeeded, continue
        modifying the object instances corresponding to the newly
        created conceptual row, without fear of collision with
        other management stations. When all necessary conceptual
        columns of the row are properly populated (via SET
        operations or default values), the management station may
        SET the pktcMtaDevCmsStatus object to 'active(1)'."
    ::= { pktcMtaDevSecurity 7 }

pktcMtaDevCmsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevCmsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This object defines the CMS table.
        The CMS table (pktcMtaDevCmsTable) and the realm table
        (pktcMtaDevRealmTable) are used for managing security
        between the MTA and CMSes. Each CMS table entry defines
        a CMS the managed MTA is allowed to communicate with
        and contains security parameters for key management with
        that CMS."
    ::= { pktcMtaDevSecurity 8 }

pktcMtaDevCmsEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevCmsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This table entry object lists the MTA key management
        parameters used when establishing Security Associations
        with a CMS. The conceptual rows MUST NOT persist across
        MTA reboots."
    INDEX { pktcMtaDevCmsIndex }
    ::= { pktcMtaDevCmsTable 1 }

PktcMtaDevCmsEntry ::= SEQUENCE {
    pktcMtaDevCmsIndex                       Unsigned32,
    pktcMtaDevCmsFqdn                        SnmpAdminString,
    pktcMtaDevCmsKerbRealmName               SnmpAdminString,
    pktcMtaDevCmsMaxClockSkew                Unsigned32,
    pktcMtaDevCmsSolicitedKeyTimeout         Unsigned32,
    pktcMtaDevCmsUnsolicitedKeyMaxTimeout    Unsigned32,
    pktcMtaDevCmsUnsolicitedKeyNomTimeout    Unsigned32,
    pktcMtaDevCmsUnsolicitedKeyMaxRetries    Unsigned32,
    pktcMtaDevCmsIpsecCtrl                   TruthValue,
    pktcMtaDevCmsStatus                      RowStatus
    }

pktcMtaDevCmsIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..128)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        " This object defines the CMS table index."
    ::= { pktcMtaDevCmsEntry 1 }

pktcMtaDevCmsFqdn OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object specifies the CMS FQDN. The MTA must
        prohibit the instantiation of any two rows with identical
        FQDNs. The MTA must also verify that any search and/or
        comparison operation involving a CMS FQDN is case
        insensitive. The MTA must resolve the CMS FQDN as required
        by the corresponding PacketCable Specifications."
    REFERENCE
        " PacketCable MTA Device Provisioning Specification;
        PacketCable Security Specification;
        PacketCable Network-Based Call Signaling Protocol
        Specification."
    ::= { pktcMtaDevCmsEntry 2 }

pktcMtaDevCmsKerbRealmName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object identifies the Kerberos realm name in upper
        case characters associated with the CMS defined in this
        conceptual row. The object value is a reference
        point to the corresponding Kerberos realm name in the
        realm table (pktcMtaDevRealmTable)."
    ::= { pktcMtaDevCmsEntry 3 }

pktcMtaDevCmsMaxClockSkew OBJECT-TYPE
    SYNTAX      Unsigned32 (1..1800)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object specifies the maximum allowable clock skew
        between the MTA and the CMS defined in this row."
    DEFVAL { 300 }
    ::= { pktcMtaDevCmsEntry 4 }

pktcMtaDevCmsSolicitedKeyTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (100..30000)
    UNITS       "milliseconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object defines a Kerberos Key Management timer on the
        MTA. It is the time period during which the MTA saves the
        nonce and Server Kerberos Principal Identifier to match an
        AP Request and its associated AP Reply response from the
        CMS. This timer only applies when the CMS initiated key
        management (with a Wake Up message or a Rekey message)."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 1000 }
    ::= { pktcMtaDevCmsEntry 5 }

--=================================================================
--
-- Unsolicited key updates are retransmitted based on an
-- exponential back-off mechanism using two timers and a maximum
-- retry counter for AS replies.
-- The initial retransmission timer value is the nominal timer
-- value (pktcMtaDevCmsUnsolicitedKeyNomTimeout).
The 2120 -- retransmissions occur with an exponentially increasing interval 2121 -- that caps at the maximum timeout value 2122 -- (pktcMtaDevCmsUnsolicitedKeyMaxTimeout). 2123 -- Retransmissions stop when the maximum retry counter is reached 2124 -- (pktcMatDevCmsUnsolicitedMaxRetries). 2125 -- For example, with values of 3 seconds for the nominal 2126 -- timer, 20 seconds for the maximum timeout and 5 retries max, 2127 -- this results in retransmission intervals of 3 s, 6 s, 12 s, 2128 -- 20 s, 20 s, and then retransmissions stop due to the 2129 -- maximum number of retries reached. 2130 -- 2131 --================================================================= 2133 pktcMtaDevCmsUnsolicitedKeyMaxTimeout OBJECT-TYPE 2134 SYNTAX Unsigned32 (1..600) 2135 UNITS "seconds" 2136 MAX-ACCESS read-create 2137 STATUS current 2138 DESCRIPTION 2139 " This object defines the timeout value that only applies 2140 to an MTA-initiated key management exchange. It is the 2141 maximum timeout and it may not be exceeded in the 2142 exponential back-off algorithm." 2143 REFERENCE 2144 " PacketCable Security Specification." 2145 DEFVAL { 600 } 2146 ::= { pktcMtaDevCmsEntry 6 } 2148 pktcMtaDevCmsUnsolicitedKeyNomTimeout OBJECT-TYPE 2149 SYNTAX Unsigned32 (100..30000) 2150 UNITS "milliseconds" 2151 MAX-ACCESS read-create 2152 STATUS current 2153 DESCRIPTION 2154 " This object defines the starting value of the timeout 2155 for an MTA-initiated key management. It should account for 2156 the average roundtrip time between the MTA and the CMS and 2157 the processing time on the CMS." 2158 REFERENCE 2159 " PacketCable Security Specification." 
    DEFVAL { 500 }
    ::= { pktcMtaDevCmsEntry 7 }

pktcMtaDevCmsUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Unsigned32 (0..1024)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object contains the maximum number of retries before
        the MTA stops attempting to establish a Security
        Association with the CMS."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { 5 }
    ::= { pktcMtaDevCmsEntry 8 }

pktcMtaDevCmsIpsecCtrl OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        " This object specifies the MTA IPsec control flag.
        If the object value is 'true', the MTA must use Kerberos
        Key Management and IPsec to communicate with this CMS. If
        it is 'false', IPsec Signaling Security and Kerberos key
        management are disabled for this specific CMS."
    DEFVAL { true }
    ::= { pktcMtaDevCmsEntry 9 }

pktcMtaDevCmsStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        " This object defines the row status associated with this
        particular CMS in the CMS table (pktcMtaDevCmsTable).

        An entry in this table is not qualified for activation
        until the object instances of all corresponding columns
        have been initialized, either by default values, or via
        explicit SET operations. Until all object instances in
        this row are initialized, the status value for this CMS
        must be 'notReady(3)'.
        In particular, two columnar objects must be SET: the
        CMS FQDN (pktcMtaDevCmsFqdn) and the Kerberos realm name
        (pktcMtaDevCmsKerbRealmName). Once these 2 objects have
        been set and the row status is SET to 'active(1)', the MTA
        MUST NOT allow any modification of these 2 object values.
        The value of this object has no effect on
        whether other columnar objects in this row can be
        modified."
    ::= { pktcMtaDevCmsEntry 10 }

pktcMtaDevResetKrbTickets OBJECT-TYPE
    SYNTAX      BITS {
                invalidateProvOnReboot (0),
                invalidateAllCmsOnReboot (1)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        " This object defines a Kerberos Ticket Control Mask that
        instructs the MTA to invalidate the specific Application
        Server Kerberos ticket(s) that are stored locally in the
        MTA NVRAM (non-volatile or persistent memory).
        If the MTA does not store Kerberos tickets in NVRAM, it
        MUST ignore setting of this object, and MUST report a BITS
        value of zero when the object is read.
        If the MTA supports Kerberos ticket storage in NVRAM, the
        object value is encoded as follows:
        - setting the invalidateProvOnReboot bit (bit 0) to 1
          means that the MTA MUST invalidate the Kerberos
          Application Ticket(s) for the Provisioning Application
          at the next MTA reboot if secure SNMP provisioning mode
          is used. In non-secure provisioning modes, the MTA MUST
          return an 'inconsistentValue' in response to SNMP SET
          operations with bit 0 set to 1.
        - setting the invalidateAllCmsOnReboot bit (bit 1) to 1
          means that the MTA MUST invalidate the Kerberos
          Application Ticket(s) for all CMSes currently assigned
          to the MTA endpoints.
        If a value is written into an instance of
        pktcMtaDevResetKrbTickets, the agent MUST retain the
        supplied value across an MTA re-initialization or
        reboot."
    REFERENCE
        " PacketCable Security Specification."
    DEFVAL { { } }
    ::= { pktcMtaDevSecurity 9 }

--
-- The following group, pktcMtaDevErrors, defines an OID
-- corresponding to error conditions encountered during the MTA
-- provisioning.
--

pktcMtaDevErrorsTooManyErrors OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        " This object defines the OID corresponding to the error
        condition when too many errors are encountered in the
        MTA configuration file during provisioning."
    ::= { pktcMtaDevErrors 1 }

pktcMtaDevProvisioningEnrollment NOTIFICATION-TYPE
    OBJECTS {
        sysDescr,
        pktcMtaDevSwCurrentVers,
        pktcMtaDevTypeIdentifier,
        ifPhysAddress,
        pktcMtaDevCorrelationId
        }
    STATUS      current
    DESCRIPTION
        " This INFORM notification is issued by the MTA to initiate
        the PacketCable provisioning process when the MTA SNMP
        enrollment mechanism is used.
        It contains the system description, the current software
        version, the MTA device type identifier, the MTA MAC
        address (obtained from the MTA ifTable, from the
        ifPhysAddress object that corresponds to ifIndex 1) and a
        correlation ID."
    ::= { pktcMtaNotification 1 }

pktcMtaDevProvisioningStatus NOTIFICATION-TYPE
    OBJECTS {
        ifPhysAddress,
        pktcMtaDevCorrelationId,
        pktcMtaDevProvisioningState
        }
    STATUS      current
    DESCRIPTION
        " This INFORM notification may be issued by the MTA to
        confirm the completion of the PacketCable provisioning
        process, and to report its provisioning completion
        status.
        It contains the MTA MAC address (obtained from the MTA
        ifTable, from the ifPhysAddress object that corresponds
        to ifIndex 1), a correlation ID and the MTA
        provisioning state as defined in
        pktcMtaDevProvisioningState."
    ::= { pktcMtaNotification 2 }

--
-- Compliance Statements
--

pktcMtaCompliances OBJECT IDENTIFIER ::= { pktcMtaConformance 1 }
pktcMtaGroups      OBJECT IDENTIFIER ::= { pktcMtaConformance 2 }

pktcMtaBasicCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        " The compliance statement for MTA devices that implement
        PacketCable or IPCablecom requirements.

        This compliance statement applies to MTA implementations
        that support PacketCable 1.0 or IPCablecom requirements,
        which are not IPv6-capable at the time of this
        RFC publication."

    MODULE -- Unconditionally mandatory groups for MTAs

    MANDATORY-GROUPS {
        pktcMtaGroup,
        pktcMtaNotificationGroup
        }

    OBJECT pktcMtaDevDhcpServerAddressType
    SYNTAX InetAddressType { ipv4(1) }
    DESCRIPTION
        " Support for address types other than 'ipv4(1)'
        is not presently specified and therefore is not
        required. It may be defined in future versions of
        this MIB module."

    OBJECT pktcMtaDevDnsServerAddressType
    SYNTAX InetAddressType { ipv4(1) }
    DESCRIPTION
        " Support for address types other than 'ipv4(1)'
        is not presently specified and therefore is not
        required. It may be defined in future versions of
        this MIB module."

    OBJECT pktcMtaDevTimeServerAddressType
    SYNTAX InetAddressType { ipv4(1) }
    DESCRIPTION
        " Support for address types other than 'ipv4(1)'
        is not presently specified and therefore is not
        required. It may be defined in future versions of
        this MIB module."

    OBJECT pktcMtaDevServerDhcp1
    SYNTAX InetAddress (SIZE(4))
    DESCRIPTION
        " An implementation is only required to support IPv4
        addresses. Support for other address types may be defined
        in future versions of this MIB module."
    OBJECT pktcMtaDevServerDhcp2
    SYNTAX InetAddress (SIZE(4))
    DESCRIPTION
        " An implementation is only required to support IPv4
        addresses. Support for other address types may be defined
        in future versions of this MIB module."

    OBJECT pktcMtaDevServerDns1
    SYNTAX InetAddress (SIZE(4))
    DESCRIPTION
        " An implementation is only required to support IPv4
        addresses. Support for other address types may be defined
        in future versions of this MIB module."

    OBJECT pktcMtaDevServerDns2
    SYNTAX InetAddress (SIZE(4))
    DESCRIPTION
        " An implementation is only required to support IPv4
        addresses. Support for other address types may be defined
        in future versions of this MIB module."

    OBJECT pktcMtaDevTimeServer
    SYNTAX InetAddress (SIZE(4))
    DESCRIPTION
        " An implementation is only required to support IPv4
        addresses. Support for other address types may be defined
        in future versions of this MIB module."

    OBJECT pktcMtaDevProvConfigEncryptAlg
    SYNTAX PktcMtaDevProvEncryptAlg
    DESCRIPTION
        " An implementation is only required to support the
        values none(0) and des64Cbcmode(1).
        An IV of zero is used to encrypt in des64Cbcmode, and
        the length of pktcMtaDevProvConfigKey is 64 bits as
        defined in the PacketCable Security specification.
        Other encryption types may be defined in future
        versions of this MIB module."

    OBJECT pktcMtaDevRealmOrgName
    SYNTAX LongUtf8String (SIZE (1..384))
    DESCRIPTION
        " The Organization Name field in X.509 certificates
        can contain up to 64 UTF-8 encoded
        characters as defined in RFC3280. Therefore, compliant
        devices are only required to support Organization
        Name values of up to 64 UTF-8 encoded characters.
        Given that RFC3280 defines the UTF-8 encoding,
        compliant devices must support a maximum size of 384
        octets for pktcMtaDevRealmOrgName.
        The calculation of
        384 octets comes from the RFC2279 UTF-8 encoding
        definition whereby the UTF-8 encoded characters
        are encoded as sequences of 1 to 6 octets, based on the
        assumption that code points as high as 0x7ffffffff
        might be used. Subsequent versions of Unicode and ISO
        10646 have limited the upper bound to 0x10ffff.
        Consequently, the current version of UTF-8, defined in
        RFC 3629, does not require more than four octets to
        encode a valid code point."

    ::= { pktcMtaCompliances 1 }

pktcMtaGroup OBJECT-GROUP
    OBJECTS {
        pktcMtaDevResetNow,
        pktcMtaDevSerialNumber,
        pktcMtaDevSwCurrentVers,
        pktcMtaDevFQDN,
        pktcMtaDevEndPntCount,
        pktcMtaDevEnabled,
        pktcMtaDevProvisioningCounter,
        pktcMtaDevErrorOid,
        pktcMtaDevErrorValue,
        pktcMtaDevErrorReason,
        pktcMtaDevTypeIdentifier,
        pktcMtaDevProvisioningState,
        pktcMtaDevHttpAccess,
        pktcMtaDevCertificate,
        pktcMtaDevCorrelationId,
        pktcMtaDevManufacturerCertificate,
        pktcMtaDevDhcpServerAddressType,
        pktcMtaDevDnsServerAddressType,
        pktcMtaDevTimeServerAddressType,
        pktcMtaDevProvConfigEncryptAlg,
        pktcMtaDevServerDhcp1,
        pktcMtaDevServerDhcp2,
        pktcMtaDevServerDns1,
        pktcMtaDevServerDns2,
        pktcMtaDevTimeServer,
        pktcMtaDevConfigFile,
        pktcMtaDevSnmpEntity,
        pktcMtaDevRealmPkinitGracePeriod,
        pktcMtaDevRealmTgsGracePeriod,
        pktcMtaDevRealmAvailSlot,
        pktcMtaDevRealmName,
        pktcMtaDevRealmOrgName,
        pktcMtaDevRealmUnsolicitedKeyMaxTimeout,
        pktcMtaDevRealmUnsolicitedKeyNomTimeout,
        pktcMtaDevRealmUnsolicitedKeyMaxRetries,
        pktcMtaDevRealmStatus,
        pktcMtaDevCmsAvailSlot,
        pktcMtaDevCmsFqdn,
        pktcMtaDevCmsKerbRealmName,
        pktcMtaDevCmsUnsolicitedKeyMaxTimeout,
        pktcMtaDevCmsUnsolicitedKeyNomTimeout,
        pktcMtaDevCmsUnsolicitedKeyMaxRetries,
pktcMtaDevCmsSolicitedKeyTimeout, 2486 pktcMtaDevCmsMaxClockSkew, 2487 pktcMtaDevCmsIpsecCtrl, 2488 pktcMtaDevCmsStatus, 2489 pktcMtaDevResetKrbTickets, 2490 pktcMtaDevProvUnsolicitedKeyMaxTimeout, 2491 pktcMtaDevProvUnsolicitedKeyNomTimeout, 2492 pktcMtaDevProvUnsolicitedKeyMaxRetries, 2493 pktcMtaDevProvKerbRealmName, 2494 pktcMtaDevProvSolicitedKeyTimeout, 2495 pktcMtaDevProvConfigHash, 2496 pktcMtaDevProvConfigKey, 2497 pktcMtaDevProvState, 2498 pktcMtaDevProvisioningTimer, 2499 pktcMtaDevTelephonyRootCertificate 2500 } 2501 STATUS current 2502 DESCRIPTION 2503 " A collection of objects for managing PacketCable or 2504 IPCablecom MTA implementations." 2505 ::= { pktcMtaGroups 1 } 2507 pktcMtaNotificationGroup NOTIFICATION-GROUP 2508 NOTIFICATIONS { 2509 pktcMtaDevProvisioningStatus, 2510 pktcMtaDevProvisioningEnrollment 2511 } 2512 STATUS current 2513 DESCRIPTION 2514 " A collection of notifications dealing with the change of 2515 MTA provisioning status." 2516 ::= { pktcMtaGroups 2 } 2518 IPCDN MTA MIB December 2005 2520 pktcMtaBasicSmtaCompliance MODULE-COMPLIANCE 2521 STATUS current 2522 DESCRIPTION 2523 " The compliance statement for S-MTA devices 2524 that implement PacketCable or IPCablecom requirements. 2526 This compliance statement applies to S-MTA implementations 2527 that support PacketCable or IPCablecom requirements, 2528 which are not IPv6-capable at the time of this 2529 RFC publication." 2531 MODULE -- Unconditionally Mandatory Groups for S-MTA devices 2532 MANDATORY-GROUPS { 2533 pktcMtaGroup, 2534 pktcMtaNotificationGroup 2535 } 2537 OBJECT pktcMtaDevDhcpServerAddressType 2538 SYNTAX InetAddressType { ipv4(1) } 2539 DESCRIPTION 2540 " Support for address types other than 'ipv4(1)' 2541 is not presently specified and therefore, is not 2542 required. It may be defined in future versions of 2543 this MIB module." 
2545 OBJECT pktcMtaDevDnsServerAddressType 2546 SYNTAX InetAddressType { ipv4(1) } 2547 DESCRIPTION 2548 " Support for address types other than 'ipv4(1)' 2549 is not presently specified and therefore, is not 2550 required. It may be defined in future versions of 2551 this MIB module." 2553 OBJECT pktcMtaDevTimeServerAddressType 2554 SYNTAX InetAddressType { ipv4(1) } 2555 DESCRIPTION 2556 " Support for address types other than 'ipv4(1)' 2557 is not presently specified and therefore, is not 2558 required. It may be defined in future versions of 2559 this MIB module." 2561 OBJECT pktcMtaDevServerDhcp1 2562 SYNTAX InetAddress (SIZE(4)) 2563 DESCRIPTION 2564 "An implementation is only required to support IPv4 2565 addresses. Other address types support may be defined in 2566 future versions of this MIB module." 2568 IPCDN MTA MIB December 2005 2570 OBJECT pktcMtaDevServerDhcp2 2571 SYNTAX InetAddress (SIZE(4)) 2572 DESCRIPTION 2573 "An implementation is only required to support IPv4 2574 addresses. Other address types support may be defined in 2575 future versions of this MIB module." 2577 OBJECT pktcMtaDevServerDns1 2578 SYNTAX InetAddress (SIZE(4)) 2579 DESCRIPTION 2580 "An implementation is only required to support IPv4 2581 addresses. Other address types support may be defined in 2582 future versions of this MIB module." 2584 OBJECT pktcMtaDevServerDns2 2585 SYNTAX InetAddress (SIZE(4)) 2586 DESCRIPTION 2587 "An implementation is only required to support IPv4 2588 addresses. Other address types support may be defined in 2589 future versions of this MIB module." 2591 OBJECT pktcMtaDevTimeServer 2592 SYNTAX InetAddress (SIZE(4)) 2593 DESCRIPTION 2594 "An implementation is only required to support IPv4 2595 addresses. Other address types support may be defined in 2596 future versions of this MIB module." 
2598 OBJECT pktcMtaDevProvConfigEncryptAlg 2599 SYNTAX PktcMtaDevProvEncryptAlg 2600 DESCRIPTION 2601 "An implementation is only required to support 2602 values of none(0) and des64Cbcmode(1). 2603 An IV of zero is used to encrypt in des64Cbcmode, and 2604 the length of pktcMtaDevProvConfigKey is 64 bits as 2605 defined in the PacketCable Security specification. 2606 Other encryption types may be defined the in future 2607 versions of this MIB module." 2609 OBJECT pktcMtaDevRealmOrgName 2610 SYNTAX LongUtf8String (SIZE (1..384)) 2611 DESCRIPTION 2612 "The Organization Name field in X.509 certificates 2613 can contain up to 64 UTF-8 encoded 2614 characters as defined in RFC3280. Therefore, compliant 2615 devices are only required to support Organization 2616 Name values of up to 64 UTF-8 encoded characters. 2617 Given that RFC3280 defines the UTF-8 encoding, 2618 compliant devices must support a maximum size of 384 2620 IPCDN MTA MIB December 2005 2622 octets for pktcMtaDevRealmOrgName. The calculation of 2623 384 octets comes from the RFC2279 UTF-8 encoding 2624 definition whereby the UTF-8 encoded characters 2625 are encoded as sequences of 1 to 6 octets, based on the 2626 the assumption that code points as high as 0x7ffffffff 2627 might be used. Subsequent versions of Unicode and ISO 2628 10646 have limited the upper bound to 0x10ffff. 2629 Consequently, the current version of UTF-8, defined in 2630 RFC 3629 does not require more than four octets to 2631 encode a valid code point." 2632 MODULE DOCS-CABLE-DEVICE-MIB 2633 MANDATORY-GROUPS { 2634 docsDevSoftwareGroupV2 2635 } 2637 MODULE DOCS-IETF-BPI2-MIB 2638 MANDATORY-GROUPS { 2639 docsBpi2CodeDownloadGroup 2640 } 2642 ::= { pktcMtaCompliances 2 } 2644 END 2646 5. Acknowledgments 2648 The current editors would like to thank the members of the IETF 2649 IPCDN working group and the CableLabs PacketCable Provisioning and 2650 OSS focus team for their comments and suggestions. 
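   The pktcMtaDevRealmOrgName compliance clauses above bound the object
   two ways, 64 UTF-8 characters and 384 octets, and explain that 384
   is the RFC 2279 worst case of six octets per character while RFC
   3629 needs at most four. The following Python is an added example,
   not code from the draft or from the PacketCable specifications: it
   validates a candidate value against both bounds using the RFC 3629
   rules, so the 5- and 6-octet sequences and the code points above
   0x10FFFF that RFC 2279 permitted are rejected, along with overlong
   and surrogate encodings that a lax decoder would accept. The sample
   values and the helper names (decode_utf8_strict, utf8_error,
   check_org_name) are constructed for this example.

```python
"""Strict length check for pktcMtaDevRealmOrgName (added example).

The value is bounded at 64 UTF-8 characters and SIZE(1..384) octets.
decode_utf8_strict() applies the RFC 3629 rules, so the RFC 2279
5/6-octet forms, code points above 0x10FFFF, overlong encodings and
UTF-16 surrogates are all rejected.
"""
from typing import List, Optional, Tuple

MAX_CHARS = 64     # Organization Name limit cited in the clause
MIN_OCTETS = 1     # SIZE(1..384) lower bound
MAX_OCTETS = 384   # SIZE(1..384) upper bound (64 x 6, RFC 2279 worst case)


def decode_utf8_strict(data: bytes) -> List[int]:
    """Decode per RFC 3629; return code points or raise ValueError."""
    cps: List[int] = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # 1-octet ASCII
            cps.append(b0)
            i += 1
            continue
        if 0xC2 <= b0 <= 0xDF:             # 2-octet, U+0080..U+07FF
            need, cp, floor = 1, b0 & 0x1F, 0x80
        elif 0xE0 <= b0 <= 0xEF:           # 3-octet, U+0800..U+FFFF
            need, cp, floor = 2, b0 & 0x0F, 0x800
        elif 0xF0 <= b0 <= 0xF4:           # 4-octet, U+10000..U+10FFFF
            need, cp, floor = 3, b0 & 0x07, 0x10000
        elif 0xF8 <= b0 <= 0xFD:           # RFC 2279 5/6-octet lead byte
            raise ValueError(f"5/6-octet lead byte 0x{b0:02X} at {i} "
                             "(RFC 2279 form, not RFC 3629)")
        else:                              # 0x80..0xC1, 0xF5..0xF7, 0xFE, 0xFF
            raise ValueError(f"invalid lead byte 0x{b0:02X} at {i}")
        if i + need >= n:
            raise ValueError(f"truncated sequence at {i}")
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{b:02X} at {i + k}")
            cp = (cp << 6) | (b & 0x3F)
        if cp < floor:
            raise ValueError(f"overlong encoding of U+{cp:04X} at {i}")
        if 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"UTF-16 surrogate U+{cp:04X} at {i}")
        if cp > 0x10FFFF:
            raise ValueError(f"U+{cp:X} at {i} exceeds 0x10FFFF")
        cps.append(cp)
        i += need + 1
    return cps


def utf8_error(data: bytes) -> Optional[str]:
    """Return the decoder's complaint for data, or None if it is valid."""
    try:
        decode_utf8_strict(data)
        return None
    except ValueError as exc:
        return str(exc)


def check_org_name(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate pktcMtaDevRealmOrgName value."""
    if not MIN_OCTETS <= len(data) <= MAX_OCTETS:
        return False, f"{len(data)} octets outside SIZE({MIN_OCTETS}..{MAX_OCTETS})"
    try:
        count = len(decode_utf8_strict(data))
    except ValueError as exc:
        return False, f"invalid UTF-8: {exc}"
    if count > MAX_CHARS:
        return False, f"{count} characters exceeds the {MAX_CHARS}-character limit"
    return True, f"{count} characters in {len(data)} octets"


# Constructed sample values (not taken from the draft).
SAMPLES = {
    "ascii": b"Example Telephony Operator",
    "multibyte": "Opérateur Téléphonie ☎".encode("utf-8"),
    "too_many_chars": b"O" * 65,
    "rfc2279_6_octet": b"Org " + b"\xFC\x84\x80\x80\x80\x80",  # 6-octet U+100000
    "overlong_slash": b"Org" + b"\xC0\xAF",                    # overlong '/'
    "too_many_octets": "\u260e".encode("utf-8") * 129,         # 387 octets
    "empty": b"",
}


def check_samples() -> dict:
    """Run every constructed sample through check_org_name()."""
    return {name: check_org_name(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name:16s} {'OK ' if ok else 'BAD'} {reason}")
```

   One consequence worth keeping in mind when writing the agent-side
   check: under RFC 3629 a 64-character value occupies at most 256
   octets, so any value that passes the character limit is already
   within SIZE(1..384), and the octet bound only rejects inputs that
   also fail the character limit or are not valid UTF-8. Lead bytes
   0xC0 and 0xC1 can only start overlong 2-octet forms, so the decoder
   rejects them at the lead byte; that is why the 'overlong_slash'
   sample reports an invalid lead byte rather than an overlong sequence.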
   In particular, we wish to express our gratitude for the
   contributions made by the following individuals (in no particular
   order): Angela Lyda, Sumanth Channabasappa, Matt A. Osman, Klaus
   Hermanns, Paul Duffy, Rick Vetter, Sasha Medvinsky, Roy Spitzer,
   Itay Sherman, Satish Kumar and Eric Rosenfeld.
   Finally, special thanks to our area director Bert Wijnen, Rich
   Woundy, Randy Presuhn, Mike Heard and Dave Thaler.

6. Normative References

   [RFC868]     Postel, J., "Time Protocol", STD 26, RFC 868, May 1983.

   [RFC1350]    Sollins, K., "THE TFTP PROTOCOL (REVISION 2)", STD 33,
                RFC 1350, July 1992.

   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2131]    Droms, R., "Dynamic Host Configuration Protocol",
                RFC 2131, March 1997.

   [RFC2132]    Alexander, S. and R. Droms, "DHCP Options and BOOTP
                Vendor Extensions", RFC 2132, March 1997.

   [RFC2287]    Krupczak, C. and J. Saperia, "Definitions of
                System-Level Managed Objects for Applications",
                RFC 2287, February 1998.

   [RFC2578]    McCloghrie, K., Perkins, D., Schoenwaelder, J., Case,
                J., Rose, M. and S. Waldbusser, "Structure of
                Management Information Version 2 (SMIv2)", STD 58,
                RFC 2578, April 1999.

   [RFC2579]    McCloghrie, K., Perkins, D., Schoenwaelder, J., Case,
                J., Rose, M. and S. Waldbusser, "Textual Conventions
                for SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]    McCloghrie, K., Perkins, D., Schoenwaelder, J., Case,
                J., Rose, M. and S. Waldbusser, "Conformance Statements
                for SMIv2", STD 58, RFC 2580, April 1999.

   [RFC2616]    Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
                Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext
                Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2863]    McCloghrie, K. and F. Kastenholz, "The Interfaces
                Group MIB", RFC 2863, June 2000.

   [RFC3280]    Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
                X.509 Public Key Infrastructure Certificate and
                Certificate Revocation List (CRL) Profile", RFC 3280,
                April 2002.

   [RFC3411]    Harrington, D., Presuhn, R. and B. Wijnen, "An
                Architecture for Describing Simple Network Management
                Protocol (SNMP) Management Frameworks", STD 62,
                RFC 3411, December 2002.

   [RFC3418]    Presuhn, R., Case, J., McCloghrie, K., Rose, M. and
                S. Waldbusser, "Management Information Base (MIB) for
                the Simple Network Management Protocol (SNMP)",
                STD 62, RFC 3418, December 2002.

   [RFC3495]    Beser, B. and P. Duffy, Ed., "Dynamic Host
                Configuration Protocol (DHCP) Option for CableLabs
                Client Configuration", RFC 3495, March 2003.

   [RFC3594]    Duffy, P., "PacketCable Security Ticket Control
                Sub-Option", RFC 3594, September 2003.

   [RFC3617]    Lear, E., "Uniform Resource Identifier (URI) Scheme
                and Applicability Statement for the Trivial File
                Transfer Protocol (TFTP)", RFC 3617, October 2003.

   [RFC4001]    Daniele, M., Haberman, B., Routhier, S. and
                J. Schoenwaelder, "Textual Conventions for Internet
                Network Addresses", RFC 4001, February 2005.

   [RFC4131]    Green, S., Ozawa, K., Katsnelson, A. and E. Cardona,
                "Management Information Base for DOCSIS Cable Modems
                and Cable Modem Termination Systems for Baseline
                Privacy Plus", RFC 4131, September 2005.

   [RFCxxxx]    Woundy, R., "Cable Device Management Information Base
                for DOCSIS compliant Cable Modems and Cable Modem
                Termination Systems", RFCxxxx, Monthxxxx, 2005.

   ************************************************************
   * NOTES TO RFC Editor (to be removed prior to publication) *
   *                                                          *
   * An updated version of the I-D                            *
   * < draft-ietf-ipcdn-device-mibv2-10.txt>                  *
   * is expected to become RFC before this draft.             *
   * Please replace RFCxxxx with the RFC number and           *
   * update the reference statement with the correct date:    *
   * Monthxxxx, 2005                                          *
   *                                                          *
   ************************************************************

   [PKT-SP-PROV]  PacketCable MTA Device Provisioning Specification,
                  Issued, PKT-SP-PROV-I11-050812, August 2005.
                  http://www.packetcable.com/specifications/
                  http://www.cablelabs.com/specifications/archives/

   [PKT-SP-SEC]   PacketCable Security Specification,
                  Issued, PKT-SP-SEC-I12-050812, August 2005.
                  http://www.packetcable.com/specifications/
                  http://www.cablelabs.com/specifications/archives/

   [ITU-T-J112]   Transmission Systems for Interactive Cable Television
                  Services, Annex B, J.112, ITU-T, March 1998.

   [ITU-T-J168]   IPCablecom Multimedia Terminal Adapter (MTA) MIB
                  requirements, J.168, ITU-T, March 2001.

7. Informative References

   [RFC2279]    Yergeau, F., "UTF-8, a transformation format of ISO
                10646", RFC 2279, January 1998.

   [RFC3410]    Case, J., Mundy, R., Partain, D. and B. Stewart,
                "Introduction and Applicability Statements for
                Internet-Standard Management Framework", RFC 3410,
                December 2002.

   [RFC3629]    Yergeau, F., "UTF-8, a transformation format of ISO
                10646", RFC 3629, November 2003.

   [PKT-SP-MIB-MTA]  PacketCable MTA MIB Specification,
                  Issued, PKT-SP-MIB-MTA-I10-050812, August 2005.
                  http://www.packetcable.com/specifications/
                  http://www.cablelabs.com/specifications/archives/

   [ETSITS101909-8]  ETSI TS 101 909-8: "Access and Terminals (AT);
                  Digital Broadband Cable Access to the Public
                  Telecommunications Network; IP Multimedia Time
                  Critical Services; Part 8: Media Terminal Adaptor
                  (MTA) Management Information Base (MIB)".
   [EN300001]   EN 300 001 V1.5.1 (1998-10): "European Standard
                (Telecommunications series) Attachments to Public
                Switched Telephone Network (PSTN); General technical
                requirements for equipment connected to an analogue
                subscriber interface in the PSTN".

   [EN300659-1] EN 300 659-1: "Public Switched Telephone Network
                (PSTN); Subscriber line protocol over the local loop
                for display (and related) services; Part 1: On hook
                data transmission".

   [RFCzzz]     Beacham, G., Kumar, S. and S. Channabasappa, "Network
                Control Signaling (NCS) Signaling MIB for PacketCable
                and IPCablecom Multimedia Terminal Adapters (MTAs)",
                RFCzzz, Monthzzz, 2005.

   ************************************************************
   * NOTES TO RFC Editor (to be removed prior to publication) *
   *                                                          *
   * The I-D < draft-ietf-ipcdn-pktc-signaling-10.txt>        *
   * is expected to become RFC with this draft.               *
   * Please replace RFCzzz with the RFC number of pktc-sig and*
   * update the reference statement with the correct date:    *
   * Monthzzz, 2005                                           *
   *                                                          *
   ************************************************************

8. Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  Improper manipulation of the objects defined in
   this MIB may result in random behavior of MTA devices and may result
   in service disruption.  These are the tables and objects and their
   sensitivity/vulnerability:

   - The following objects, if SET maliciously, would cause the MTA
     device to reset and/or stop its service:
        pktcMtaDevResetNow,
        pktcMtaDevEnabled.

   - All writable objects in the pktcMtaDevServer group and some in the
     pktcMtaDevRealmTable share the potential, if SET maliciously, to
     prevent the MTA from provisioning properly.  Hence they are
     considered very sensitive for service delivery.  The objects in
     question are:
        pktcMtaDevProvisioningTimer,
        pktcMtaDevDhcpServerAddressType,
        pktcMtaDevDnsServerAddressType,
        pktcMtaDevTimeServerAddressType,
        pktcMtaDevProvConfigEncryptAlg,
        pktcMtaDevServerDns1,
        pktcMtaDevServerDns2,
        pktcMtaDevTimeServer,
        pktcMtaDevConfigFile,
        pktcMtaDevProvConfigHash,
        pktcMtaDevProvConfigKey,
        pktcMtaDevProvSolicitedKeyTimeout,
        pktcMtaDevRealmName,
        pktcMtaDevRealmOrgName,
        pktcMtaDevRealmUnsolicitedKeyMaxTimeout,
        pktcMtaDevRealmUnsolicitedKeyNomTimeout,
        pktcMtaDevRealmUnsolicitedKeyMaxRetries,
        pktcMtaDevRealmStatus.
     Certain of the above objects have additional specific
     vulnerabilities:
        o pktcMtaDevServerDns1 and pktcMtaDevServerDns2, if SET
          maliciously, could prevent the MTA from being authenticated
          and consequently from getting telephony services.
        o pktcMtaDevRealmStatus, if SET maliciously, could cause the
          whole row of the table to be deleted, which may prevent the
          MTA from getting telephony services.

   - All writable objects in the pktcMtaDevCmsTable share the
     potential, if SET maliciously, to disrupt the telephony service by
     altering which Call Management Server the MTA must send signaling
     registration to, in particular:
        pktcMtaDevCmsFqdn,
        pktcMtaDevCmsKerbRealmName,
        pktcMtaDevCmsMaxClockSkew,
        pktcMtaDevCmsSolicitedKeyTimeout,
        pktcMtaDevCmsUnsolicitedKeyMaxTimeout,
        pktcMtaDevCmsUnsolicitedKeyNomTimeout,
        pktcMtaDevCmsUnsolicitedKeyMaxRetries (this object, if set to
          the value zero '0', may prevent the MTA from retrying its
          attempt to establish a Security Association with the CMS),
        pktcMtaDevCmsStatus.

   - Some writable objects in the pktcMtaDevRealmTable will not have an
     immediate effect on service if SET maliciously.  However, they may
     impact service performance and cause avalanche attacks on
     provisioning and Kerberos KDC servers, especially after massive
     device reboots occur.  The objects in question are:
        pktcMtaDevResetKrbTickets: this object, if set to 'true', will
          cause the MTA to request a new Kerberos ticket at reboot;
        pktcMtaDevRealmPkinitGracePeriod, pktcMtaDevRealmTgsGracePeriod:
          these two objects, if set to short time periods, will cause
          the MTA to renew its tickets more frequently.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  Some of these objects may
   contain information that may be sensitive from a business or
   customer perspective.  It is thus important to control even GET
   and/or NOTIFY access to these objects and possibly to even encrypt
   the values of these objects when sending them over the network via
   SNMP.
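   The advice in this section is to limit SET, and even GET, access to
   the objects it lists, and to do so with SNMPv3 authentication and
   privacy rather than with SNMPv1/v2c community strings. The Python
   below is an added example, not part of the draft, showing how an
   operator can audit an agent configuration for exactly those
   weaknesses before deploying it in front of an MTA population. It
   assumes net-snmp's snmpd.conf directive syntax (rocommunity and
   rwcommunity, com2sec, rouser and rwuser, createUser and the VACM
   access line) and net-snmp's default of 'auth' when rouser/rwuser
   omit a security level; the two configuration texts are constructed
   samples, the group and user names are invented, and the passphrases
   are placeholders.

```python
"""Audit an snmpd.conf for the access-control weaknesses named above.

Added example (not part of the draft).  Assumes net-snmp directive
syntax: rocommunity/rwcommunity and com2sec (SNMPv1/v2c communities),
rouser/rwuser NAME [noauth|auth|priv] [OID] (default level 'auth'),
createUser [-e ENGINEID] NAME AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]],
and the VACM line
access GROUP CONTEXT MODEL LEVEL PREFIX READVIEW WRITEVIEW NOTIFYVIEW.
"""
import shlex
from typing import List, Tuple

Finding = Tuple[int, str, str]   # (line number, severity, message)

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
PRE_V3_MODELS = {"v1", "v2c", "any"}
LEVELS = {"noauth", "auth", "priv"}


def audit_snmpd_conf(text: str) -> List[Finding]:
    """Return one finding per weak directive; an empty list means clean."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # comment strip; assumes no '#' inside quotes
        if not line:
            continue
        tok = shlex.split(line)
        directive = tok[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            severity = "high" if directive.startswith("rw") else "medium"
            findings.append((lineno, severity,
                             f"{directive}: SNMPv1/v2c community access; "
                             "the community string travels in the clear"))
        elif directive in ("rouser", "rwuser") and len(tok) >= 2:
            # A missing level, or an OID in its place, means the default 'auth'.
            level = tok[2].lower() if len(tok) > 2 and tok[2].lower() in LEVELS else "auth"
            if level != "priv":
                severity = "high" if directive == "rwuser" else "medium"
                findings.append((lineno, severity,
                                 f"{directive} {tok[1]}: security level '{level}' "
                                 "provides no privacy (encryption)"))
        elif directive == "createuser":
            args = tok[1:]
            if args[:1] == ["-e"]:
                args = args[2:]               # skip the engine ID
            if len(args) < 4:                 # NAME AUTHPROTO AUTHPASS only
                name = args[0] if args else "?"
                findings.append((lineno, "medium",
                                 f"createUser {name}: no privacy protocol, so "
                                 "'priv' access can never be granted to this user"))
        elif directive == "access" and len(tok) >= 9:
            group, model, level, write_view = tok[1], tok[3].lower(), tok[4].lower(), tok[7]
            if model in PRE_V3_MODELS:
                findings.append((lineno, "high",
                                 f"access {group}: model '{model}' admits pre-SNMPv3 requests"))
            if write_view != "none" and level != "priv":
                findings.append((lineno, "high",
                                 f"access {group}: write view '{write_view}' "
                                 f"is reachable at level '{level}'"))
    return findings


# Constructed sample configurations (names and passphrases are placeholders).
WEAK_CONF = """\
# constructed sample: pre-SNMPv3 and auth-only access (do not deploy)
rocommunity public
rwcommunity private 192.0.2.0/24
rwuser mtaadmin auth
createUser mtaadmin SHA "auth-passphrase-placeholder"
access RWGroup "" any noauth exact all all none
"""

HARDENED_CONF = """\
# constructed sample: SNMPv3 only, authentication and privacy required
createUser mtaadmin SHA "auth-passphrase-placeholder" AES "priv-passphrase-placeholder"
createUser mtamonitor SHA "auth-passphrase-placeholder" AES "priv-passphrase-placeholder"
rwuser mtaadmin priv
rouser mtamonitor priv
"""


def audit_samples() -> dict:
    """Audit both constructed configurations."""
    return {"weak": audit_snmpd_conf(WEAK_CONF),
            "hardened": audit_snmpd_conf(HARDENED_CONF)}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {len(findings)} finding(s)")
        for lineno, severity, message in findings:
            print(f"  line {lineno} [{severity}] {message}")
```

   The audit treats any community directive as a finding, not only the
   read-write ones, because the section also asks that GET access to
   the readable objects it lists be controlled; a read-only community
   exposes those values to anyone who can sniff or guess the string.
   The VACM check is the one that matters for the objects named in this
   section: a write view reachable at a level below 'priv' is what lets
   an unauthenticated or unencrypted SET reach pktcMtaDevResetNow and
   the server-address objects.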
   These are the tables and objects and their sensitivity and
   vulnerability:

   - Some readable objects in the pktcMtaDevBase, pktcMtaDevServer and
     pktcMtaDevSecurity groups share the potential, if read maliciously,
     to facilitate Denial-of-Service (DoS) attacks against provisioning
     or Kerberos servers.  The objects in question are:
        pktcMtaDevServerDhcp1, pktcMtaDevServerDhcp2 and
          pktcMtaDevSnmpEntity: the values of these objects may be used
          to launch DoS attacks on the Telephony Service Provider DHCP
          or Provisioning servers;
        pktcMtaDevProvKerbRealmName, pktcMtaDevManufacturerCertificate,
          pktcMtaDevCertificate and pktcMtaDevTelephonyRootCertificate:
          the values of these objects may be used by attackers to
          launch DoS attacks against Kerberos servers.

   - One additional readable object may expose some security threats:
     pktcMtaDevFQDN.  This object may include sensitive information
     about the domain name and, potentially, the domain topology.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features
   as provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

9. IANA Considerations

   The MIB module defined in this document uses the following
   IANA-assigned OBJECT IDENTIFIER values recorded in the SMI Numbers
   registry:

        Descriptor        OBJECT IDENTIFIER value
        ----------        -----------------------
        pktcIetfMtaMib    { mib-2 XXX }

   -- Editor's Note (to be removed prior to publication): the IANA is
   requested to assign a value for "XXX" under the 'mib-2' sub-tree and
   to record the assignment in the SMI Numbers registry.
   When the assignment has been made, the RFC Editor is asked to
   replace "XXX" (here and in the MIB module) with the assigned value
   and to remove this note.

10. Authors' Addresses

   Eugene Nechamkin
   Broadcom Corporation,
   200 - 13711 International Place
   Richmond, BC, V6V 2Z8
   CANADA
   Phone: +1 604 233 8500
   E-mail: enechamkin@broadcom.com

   Jean-Francois Mule
   Cable Television Laboratories, Inc.
   858 Coal Creek Circle
   Louisville, Colorado 80027-9750
   U.S.A.
   Phone: +1 303 661 9100
   E-mail: jf.mule@cablelabs.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; nor does it represent that
   it has made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC
   documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.