tech-invite   World Map     

3GPP     Specs     Glossaries     Architecture     IMS     UICC       IETF     RFCs     Groups     SIP     ABNFs       Search

RFC 4131

 
 
 

Management Information Base for Data Over Cable Service Interface Specification (DOCSIS) Cable Modems and Cable Modem Termination Systems for Baseline Privacy Plus

Part 4 of 4, p. 62 to 85
Prev RFC Part

 


prevText      Top      Up      ToC       Page 62 
      docsBpi2CmtsCACertIndex OBJECT-TYPE
           SYNTAX         Unsigned32 (1.. 4294967295)
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The index for this row."
           ::= { docsBpi2CmtsCACertEntry 1 }

      docsBpi2CmtsCACertSubject OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The subject name exactly as it is encoded in the
           X509 certificate.
           The organizationName portion of the certificate's subject
           name must be present.  All other fields are optional.  Any
           optional field present must be prepended with <CR>
           (carriage return, U+000D) <LF> (line feed, U+000A).
           Ordering of fields present must conform to the following:

           organizationName <CR> <LF>
           countryName <CR> <LF>
           stateOrProvinceName <CR> <LF>
           localityName <CR> <LF>
           organizationalUnitName <CR> <LF>
           organizationalUnitName=<Manufacturing Location> <CR> <LF>
           commonName"
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2.4"
           ::= { docsBpi2CmtsCACertEntry 2 }

      docsBpi2CmtsCACertIssuer OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The issuer name exactly as it is encoded in the
           X509 certificate.
           The commonName portion of the certificate's issuer
           name must be present.  All other fields are optional.  Any
           optional field present must be prepended with <CR>
           (carriage return, U+000D) <LF> (line feed, U+000A).
           Ordering of fields present must conform to the following:

           CommonName <CR><LF>
           countryName <CR><LF>

Top      Up      ToC       Page 63 
           stateOrProvinceName <CR><LF>
           localityName <CR><LF>
           organizationName <CR><LF>
           organizationalUnitName <CR><LF>
           organizationalUnitName=<Manufacturing Location>"
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2.4"
           ::= { docsBpi2CmtsCACertEntry 3 }

      docsBpi2CmtsCACertSerialNumber OBJECT-TYPE
           SYNTAX         OCTET STRING (SIZE (1..32))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "This CA certificate's serial number, represented as
           an octet string."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2.2"
           ::= { docsBpi2CmtsCACertEntry 4 }

      docsBpi2CmtsCACertTrust OBJECT-TYPE
           SYNTAX    INTEGER {
                             trusted (1),
                             untrusted (2),
                             chained (3),
                             root (4)
                             }
           MAX-ACCESS     read-create
           STATUS    current
           DESCRIPTION
                "This object controls the trust status of this
           certificate.  Root certificates must be given root(4)
           trust; manufacturer certificates must not be given root(4)
           trust.  Trust on root certificates must not change.
           Note: Setting this object need only affect the validity of
           CM certificates sent in future authorization requests;
           instantaneous effect need not occur."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.1"
           DEFVAL { chained }
           ::= { docsBpi2CmtsCACertEntry 5 }

      docsBpi2CmtsCACertSource OBJECT-TYPE
           SYNTAX    INTEGER {
                     snmp (1),

Top      Up      ToC       Page 64 
                     configurationFile (2),
                     externalDatabase (3),
                     other (4),
                     authentInfo (5),
                     compiledIntoCode (6)
                     }
           MAX-ACCESS     read-only
           STATUS    current
           DESCRIPTION
                "This object indicates how the certificate reached
           the CMTS.  Other(4) means that it originated from a source
           not identified above."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.1"
           ::= { docsBpi2CmtsCACertEntry 6 }

      docsBpi2CmtsCACertStatus OBJECT-TYPE
           SYNTAX         RowStatus
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "The status of this conceptual row.  An attempt
           to set writable columnar values while this row is active
           behaves as follows:
           - Sets to the object docsBpi2CmtsCACertTrust are allowed.
           - Sets to the object docsBpi2CmtsCACert will return an
             error of 'inconsistentValue'.
           A newly created entry cannot be set to active until the
           value of docsBpi2CmtsCACert is being set."
           ::= { docsBpi2CmtsCACertEntry 7 }

      docsBpi2CmtsCACert  OBJECT-TYPE
           SYNTAX         DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "An X509 DER-encoded Certificate Authority
           certificate.
           To help identify certificates, either this object or
           docsBpi2CmtsCACertThumbprint must be returned by a CMTS for
           self-signed CA certificates.

           Note: The zero-length OCTET STRING must be returned, on
           reads, if the entire certificate is not retained in the
           CMTS."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,

Top      Up      ToC       Page 65 
           Section 9.2."
           ::= { docsBpi2CmtsCACertEntry 8 }

      docsBpi2CmtsCACertThumbprint OBJECT-TYPE
           SYNTAX         OCTET STRING (SIZE (20))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The SHA-1 hash of a CA certificate.
           To help identify certificates, either this object or
           docsBpi2CmtsCACert must be returned by a CMTS for
           self-signed CA certificates.

           Note: The zero-length OCTET STRING must be returned, on
           reads, if the CA certificate thumb print is not retained
           in the CMTS."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.3"
           ::= { docsBpi2CmtsCACertEntry 9 }

      --
      -- Authenticated Software Download Objects
      --

      --
      -- Note: the authenticated software download objects are a
      -- CM requirement only.
      --

      docsBpi2CodeDownloadControl OBJECT IDENTIFIER
           ::= { docsBpi2MIBObjects 4 }

      docsBpi2CodeDownloadStatusCode     OBJECT-TYPE
           SYNTAX    INTEGER {
                             configFileCvcVerified (1),
                             configFileCvcRejected (2),
                             snmpCvcVerified (3),
                             snmpCvcRejected (4),
                             codeFileVerified (5),
                             codeFileRejected (6),
                             other (7)
                             }
           MAX-ACCESS     read-only
           STATUS    current
           DESCRIPTION
               "The value indicates the result of the latest config
           file CVC verification, SNMP CVC verification, or code file

Top      Up      ToC       Page 66 
           verification."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections D.3.3.2 and D.3.5.1."
           ::= { docsBpi2CodeDownloadControl 1 }

      docsBpi2CodeDownloadStatusString   OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object indicates the additional
           information to the status code.  The value will include
           the error code and error description, which will be defined
           separately."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.7"
           ::= { docsBpi2CodeDownloadControl 2 }

      docsBpi2CodeMfgOrgName   OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the device manufacturer's
           organizationName."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 3 }

      docsBpi2CodeMfgCodeAccessStart     OBJECT-TYPE
           SYNTAX         DateAndTime  (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the device manufacturer's
           current codeAccessStart value.  This value will always
           refer to Greenwich Mean Time (GMT), and the value
           format must contain TimeZone information (fields 8-10)."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 4 }

      docsBpi2CodeMfgCvcAccessStart OBJECT-TYPE
           SYNTAX         DateAndTime (SIZE(11))

Top      Up      ToC       Page 67 
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the device manufacturer's
           current cvcAccessStart value.  This value will always
           refer to Greenwich Mean Time (GMT), and the value
           format must contain TimeZone information (fields 8-10)."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 5 }

      docsBpi2CodeCoSignerOrgName   OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the co-signer's
           organizationName.  The value is a zero length string if
           the co-signer is not specified."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 6 }

      docsBpi2CodeCoSignerCodeAccessStart     OBJECT-TYPE
           SYNTAX         DateAndTime (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the co-signer's current
           codeAccessStart value.  This value will always refer to
           Greenwich Mean Time (GMT), and the value format must contain
           TimeZone information (fields 8-10).
           If docsBpi2CodeCoSignerOrgName is a zero
           length string, the value of this object is meaningless."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 7 }

      docsBpi2CodeCoSignerCvcAccessStart OBJECT-TYPE
           SYNTAX         DateAndTime (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the co-signer's current
           cvcAccessStart value.  This value will always refer to

Top      Up      ToC       Page 68 
           Greenwich Mean Time (GMT), and the value format must contain
           TimeZone information (fields 8-10).
           If docsBpi2CodeCoSignerOrgName is a zero
           length string, the value of this object is meaningless."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 8 }

      docsBpi2CodeCvcUpdate    OBJECT-TYPE
           SYNTAX         DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
               "Setting a CVC to this object triggers the device
           to verify the CVC and update the cvcAccessStart values.
           The content of this object is then discarded.
           If the device is not enabled to upgrade codefiles, or if
           the CVC verification fails, the CVC will be rejected.
           Reading this object always returns the zero-length OCTET
           STRING."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.3.2.2."
           ::= { docsBpi2CodeDownloadControl 9 }

      --
      -- The BPI+ MIB Conformance Statements (with a placeholder for
      -- notifications)
      --

      docsBpi2Notification     OBJECT IDENTIFIER
           ::= { docsBpi2MIB 0 }
      docsBpi2Conformance OBJECT IDENTIFIER
           ::= { docsBpi2MIB 2 }
      docsBpi2Compliances OBJECT IDENTIFIER
           ::= { docsBpi2Conformance 1 }
      docsBpi2Groups      OBJECT IDENTIFIER
           ::= { docsBpi2Conformance 2 }


      docsBpi2CmCompliance MODULE-COMPLIANCE
           STATUS         current
           DESCRIPTION
                "This is the compliance statement for CMs that
           implement the DOCSIS Baseline Privacy Interface Plus."

           MODULE  -- docsBpi2MIB

Top      Up      ToC       Page 69 
           -- unconditionally mandatory group
           MANDATORY-GROUPS {
                  docsBpi2CmGroup,
                  docsBpi2CodeDownloadGroup
           }

      -- constrain on Encryption algorithms
      OBJECT docsBpi2CmTEKDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           DESCRIPTION
                "It is compliant to support des56CbcMode(1) and
           des40CbcMode(2) for data encryption algorithms."

      -- constrain on Integrity algorithms
      OBJECT docsBpi2CmTEKDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           DESCRIPTION
                "It is compliant to not support data message
           authentication algorithms."

      -- constrain on IP addressing
      OBJECT    docsBpi2CmIpMulticastAddressType
           SYNTAX InetAddressType { ipv4(1) }
           DESCRIPTION
                "An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      -- constrain on IP addressing
      OBJECT    docsBpi2CmIpMulticastAddress
           SYNTAX  InetAddress (SIZE(4))
           DESCRIPTION
                "An implementation is only required to support IPv4
           addresses Other address types support may be defined in
           future versions of this MIB module."

      -- constrain on Encryption algorithms
      OBJECT docsBpi2CmCryptoSuiteDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)

Top      Up      ToC       Page 70 
                     }
           DESCRIPTION
                "It is compliant to only support des56CbcMode(1)
           and des40CbcMode(2) for data encryption algorithms."

      -- constrain on Integrity algorithms
      OBJECT docsBpi2CmCryptoSuiteDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           DESCRIPTION
                "It is compliant to not support data message
           authentication algorithms."

      ::= { docsBpi2Compliances 1 }


      docsBpi2CmtsCompliance MODULE-COMPLIANCE
           STATUS         current
           DESCRIPTION
                "This is the compliance statement for CMTSs that
           implement the DOCSIS Baseline Privacy Interface Plus."

           MODULE  -- docsBpi2MIB
           -- unconditionally mandatory group
           MANDATORY-GROUPS {
                  docsBpi2CmtsGroup
           }

      -- unconditionally optional group
      GROUP     docsBpi2CodeDownloadGroup
           DESCRIPTION
                "This group is optional for CMTSes.  The implementation
           decision of this group is left to the vendor"

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsDefaultAuthLifetime
           SYNTAX    Integer32 (86400..6048000)
           DESCRIPTION
                "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsDefaultTEKLifetime
           SYNTAX    Integer32 (1800..604800)
           DESCRIPTION

Top      Up      ToC       Page 71 
               "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsAuthCmLifetime
           SYNTAX    Integer32 (86400..6048000)
           DESCRIPTION
               "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on Encryption algorithms

   OBJECT   docsBpi2CmtsTEKDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           DESCRIPTION
                "It is compliant to only support des56CbcMode(1)
           and des40CbcMode(2) for data encryption."

      -- constrain on Integrity algorithms

   OBJECT docsBpi2CmtsTEKDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           DESCRIPTION
                "It is compliant to not support data message
           authentication algorithms."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsTEKLifetime
           SYNTAX    Integer32 (1800..604800)
           DESCRIPTION
               "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on access
      -- constrain on IP Addressing

      OBJECT    docsBpi2CmtsIpMulticastAddressType
           SYNTAX      InetAddressType { ipv4(1) }
           MIN-ACCESS  read-only
           DESCRIPTION

Top      Up      ToC       Page 72 
               "Write access is not required.
           An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      OBJECT    docsBpi2CmtsIpMulticastAddress
           SYNTAX  InetAddress (SIZE(4))
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      OBJECT    docsBpi2CmtsIpMulticastMask
           SYNTAX  InetAddress (SIZE(4))
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      -- constrain on access

      OBJECT    docsBpi2CmtsIpMulticastSAId
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required."

      OBJECT    docsBpi2CmtsIpMulticastSAType
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required."

      -- constrain on access
      -- constrain on Encryption algorithms

      OBJECT    docsBpi2CmtsIpMulticastDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           It is compliant to only support des56CbcMode(1)

Top      Up      ToC       Page 73 
           and des40CbcMode(2) for data encryption"

      -- constrain on access
      -- constrain on Integrity algorithms

      OBJECT    docsBpi2CmtsIpMulticastDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           It is compliant to not support data message
           authentication algorithms."

      -- constrain on access

      OBJECT    docsBpi2CmtsMulticastAuthControl
           MIN-ACCESS  read-only
           DESCRIPTION
          "Write access is not required."

           ::= { docsBpi2Compliances 2 }

      docsBpi2CmGroup     OBJECT-GROUP
           OBJECTS   {
                docsBpi2CmPrivacyEnable,
                docsBpi2CmPublicKey,
                docsBpi2CmAuthState,
                docsBpi2CmAuthKeySequenceNumber,
                docsBpi2CmAuthExpiresOld,
                docsBpi2CmAuthExpiresNew,
                docsBpi2CmAuthReset,
                docsBpi2CmAuthGraceTime,
                docsBpi2CmTEKGraceTime,
                docsBpi2CmAuthWaitTimeout,
                docsBpi2CmReauthWaitTimeout,
                docsBpi2CmOpWaitTimeout,
                docsBpi2CmRekeyWaitTimeout,
                docsBpi2CmAuthRejectWaitTimeout,
                docsBpi2CmSAMapWaitTimeout,
                docsBpi2CmSAMapMaxRetries,
                docsBpi2CmAuthentInfos,
                docsBpi2CmAuthRequests,
                docsBpi2CmAuthReplies,
                docsBpi2CmAuthRejects,
                docsBpi2CmAuthInvalids,
                docsBpi2CmAuthRejectErrorCode,

Top      Up      ToC       Page 74 
                docsBpi2CmAuthRejectErrorString,
                docsBpi2CmAuthInvalidErrorCode,
                docsBpi2CmAuthInvalidErrorString,
                docsBpi2CmTEKSAType,
                docsBpi2CmTEKDataEncryptAlg,
                docsBpi2CmTEKDataAuthentAlg,
                docsBpi2CmTEKState,
                docsBpi2CmTEKKeySequenceNumber,
                docsBpi2CmTEKExpiresOld,
                docsBpi2CmTEKExpiresNew,
                docsBpi2CmTEKKeyRequests,
                docsBpi2CmTEKKeyReplies,
                docsBpi2CmTEKKeyRejects,
                docsBpi2CmTEKInvalids,
                docsBpi2CmTEKAuthPends,
                docsBpi2CmTEKKeyRejectErrorCode,
                docsBpi2CmTEKKeyRejectErrorString,
                docsBpi2CmTEKInvalidErrorCode,
                docsBpi2CmTEKInvalidErrorString,
                docsBpi2CmIpMulticastAddressType,
                docsBpi2CmIpMulticastAddress,
                docsBpi2CmIpMulticastSAId,
                docsBpi2CmIpMulticastSAMapState,
                docsBpi2CmIpMulticastSAMapRequests,
                docsBpi2CmIpMulticastSAMapReplies,
                docsBpi2CmIpMulticastSAMapRejects,
                docsBpi2CmIpMulticastSAMapRejectErrorCode,
                docsBpi2CmIpMulticastSAMapRejectErrorString,
                docsBpi2CmDeviceCmCert,
                docsBpi2CmDeviceManufCert,
                docsBpi2CmCryptoSuiteDataEncryptAlg,
                docsBpi2CmCryptoSuiteDataAuthentAlg
                }
           STATUS         current
           DESCRIPTION
                "This collection of objects provides CM BPI+ status
           and control."
      ::= { docsBpi2Groups 1 }

      docsBpi2CmtsGroup   OBJECT-GROUP
           OBJECTS {
                docsBpi2CmtsDefaultAuthLifetime,
                docsBpi2CmtsDefaultTEKLifetime,
                docsBpi2CmtsDefaultSelfSignedManufCertTrust,
                docsBpi2CmtsCheckCertValidityPeriods,
                docsBpi2CmtsAuthentInfos,
                docsBpi2CmtsAuthRequests,
                docsBpi2CmtsAuthReplies,

Top      Up      ToC       Page 75 
                docsBpi2CmtsAuthRejects,
                docsBpi2CmtsAuthInvalids,
                docsBpi2CmtsSAMapRequests,
                docsBpi2CmtsSAMapReplies,
                docsBpi2CmtsSAMapRejects,
                docsBpi2CmtsAuthCmBpiVersion,
                docsBpi2CmtsAuthCmPublicKey,
                docsBpi2CmtsAuthCmKeySequenceNumber,
                docsBpi2CmtsAuthCmExpiresOld,
                docsBpi2CmtsAuthCmExpiresNew,
                docsBpi2CmtsAuthCmLifetime,
                docsBpi2CmtsAuthCmReset,
                docsBpi2CmtsAuthCmInfos,
                docsBpi2CmtsAuthCmRequests,
                docsBpi2CmtsAuthCmReplies,
                docsBpi2CmtsAuthCmRejects,
                docsBpi2CmtsAuthCmInvalids,
                docsBpi2CmtsAuthRejectErrorCode,
                docsBpi2CmtsAuthRejectErrorString,
                docsBpi2CmtsAuthInvalidErrorCode,
                docsBpi2CmtsAuthInvalidErrorString,
                docsBpi2CmtsAuthPrimarySAId,
                docsBpi2CmtsAuthBpkmCmCertValid,
                docsBpi2CmtsAuthBpkmCmCert,
                docsBpi2CmtsAuthCACertIndexPtr,
                docsBpi2CmtsTEKSAType,
                docsBpi2CmtsTEKDataEncryptAlg,
                docsBpi2CmtsTEKDataAuthentAlg,
                docsBpi2CmtsTEKLifetime,
                docsBpi2CmtsTEKKeySequenceNumber,
                docsBpi2CmtsTEKExpiresOld,
                docsBpi2CmtsTEKExpiresNew,
                docsBpi2CmtsTEKReset,
                docsBpi2CmtsKeyRequests,
                docsBpi2CmtsKeyReplies,
                docsBpi2CmtsKeyRejects,
                docsBpi2CmtsTEKInvalids,
                docsBpi2CmtsKeyRejectErrorCode,
                docsBpi2CmtsKeyRejectErrorString,
                docsBpi2CmtsTEKInvalidErrorCode,
                docsBpi2CmtsTEKInvalidErrorString,
                docsBpi2CmtsIpMulticastAddressType,
                docsBpi2CmtsIpMulticastAddress,
                docsBpi2CmtsIpMulticastMask,
                docsBpi2CmtsIpMulticastSAId,
                docsBpi2CmtsIpMulticastSAType,
                docsBpi2CmtsIpMulticastDataEncryptAlg,
                docsBpi2CmtsIpMulticastDataAuthentAlg,

Top      Up      ToC       Page 76 
                docsBpi2CmtsIpMulticastSAMapRequests,
                docsBpi2CmtsIpMulticastSAMapReplies,
                docsBpi2CmtsIpMulticastSAMapRejects,
                docsBpi2CmtsIpMulticastSAMapRejectErrorCode,
                docsBpi2CmtsIpMulticastSAMapRejectErrorString,
                docsBpi2CmtsIpMulticastMapControl,
                docsBpi2CmtsIpMulticastMapStorageType,
                docsBpi2CmtsMulticastAuthControl,
                docsBpi2CmtsProvisionedCmCertTrust,
                docsBpi2CmtsProvisionedCmCertSource,
                docsBpi2CmtsProvisionedCmCertStatus,
                docsBpi2CmtsProvisionedCmCert,
                docsBpi2CmtsCACertSubject,
                docsBpi2CmtsCACertIssuer,
                docsBpi2CmtsCACertSerialNumber,
                docsBpi2CmtsCACertTrust,
                docsBpi2CmtsCACertSource,
                docsBpi2CmtsCACertStatus,
                docsBpi2CmtsCACert,
                docsBpi2CmtsCACertThumbprint
                }
           STATUS         current
           DESCRIPTION
                "This collection of objects provides CMTS BPI+ status
           and control."
      ::= { docsBpi2Groups 2 }

      docsBpi2CodeDownloadGroup OBJECT-GROUP
              OBJECTS {
                docsBpi2CodeDownloadStatusCode,
                docsBpi2CodeDownloadStatusString,
                docsBpi2CodeMfgOrgName,
                docsBpi2CodeMfgCodeAccessStart,
                docsBpi2CodeMfgCvcAccessStart,
                docsBpi2CodeCoSignerOrgName,
                docsBpi2CodeCoSignerCodeAccessStart,
                docsBpi2CodeCoSignerCvcAccessStart,
                docsBpi2CodeCvcUpdate
                }
           STATUS         current
           DESCRIPTION
                "This collection of objects provides authenticated
           software download support."
      ::= { docsBpi2Groups 3 }

      END

Top      Up      ToC       Page 77 
4.  Acknowledgements

   Kaz Ozawa: Authenticated Software Download objects and general
              suggestions.

   Rich Woundy: BPI MIB and general MIB expertise.

   Mike St. Johns: BPI MIB and first version of BPI+ MIB.

   Bert Wijnen: Extensive comments in MIB syntax and accuracy.

   Thanks to Mike Sabin and Manson Wong for reviewing early BPI+ MIB
   drafts and to Jean-Francois Mule for contributing to the last
   versions.

5.  Normative References

   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]    McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                "Structure of Management Information Version 2 (SMIv2)",
                STD 58, RFC 2578, April 1999.

   [RFC2579]    McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                "Textual Conventions for SMIv2", STD 58, RFC 2579, April
                1999.

   [RFC2580]    McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                "Conformance Statements for SMIv2", STD 58, RFC 2580,
                April 1999.

   [RFC3411]    Harrington, D., Presuhn, R., and B. Wijnen, "An
                Architecture for Describing Simple Network Management
                Protocol (SNMP) Management Frameworks", STD 62, RFC
                3411, December 2002.

   [RFC4001]    Daniele, M., Haberman, B., Routhier, S., and J.
                Schoenwaelder, "Textual Conventions for Internet Network
                Addresses", RFC 4001, February 2005.

   [RFC2863]    McCloghrie, K. and F. Kastenholz, "The Interfaces Group
                MIB", RFC 2863, June 2000.

Top      Up      ToC       Page 78 
   [RFC2670]    St. Johns, M., "Radio Frequency (RF) Interface
                Management Information Base for MCNS/DOCSIS compliant RF
                interfaces", RFC 2670, August 1999.

   [DOCSIS]     "Data-Over-Cable Service Interface Specifications:
                Baseline Privacy Plus Interface Specification SP-BPI+-
                I11-040407", DOCSIS, April 2004, available at
                http://www.cablemodem.com.
                http://www.cablelabs.com/specifications/archives.

6.  Informative References

   [RFC3083]    Woundy, R., "Baseline Privacy Interface Management
                Information Base for DOCSIS Compliant Cable Modems and
                Cable Modem Termination Systems", RFC 3083, March 2001.

   [RFC3410]    Case, J., Mundy, R., Partain, D., and B. Stewart,
                "Introduction and Applicability Statements for
                Internet-Standard Management Framework", RFC 3410,
                December 2002.

   [RFC3513]    Hinden, R. and S. Deering, "Internet Protocol Version 6
                (IPv6) Addressing Architecture", RFC 3513, April 2003.

   [DOCSIS-1.0] "Data-Over-Cable Service Interface Specifications:
                DOCSIS 1.0 Baseline Privacy Interface (BPI) ANSI/SCTE
                22-2 2202, Available at http://www.scte.org.

   [DOCSIS-1.1] "Data-Over-Cable Service Interface Specifications:
                Operations Support System Interface Specification SP-
                OSSIv1.1-I07-030730", DOCSIS 1.1 July 2003, available at
                http://www.cablemodem.com.
                http://www.cablelabs.com/specifications/archives.

   [DOCSIS-2.0] "Data-Over-Cable Service Interface Specifications:
                Operations Support System Interface Specification SP-
                OSSIv2.0-I05-040407", DOCSIS 2.0 April 2004,
                http://www.cablemodem.com.
                http://www.cablelabs.com/specifications/archives.

   [IANA]       "Protocol Numbers and Assignment Services", IANA,
                http://www.iana.org/assignments/ianaiftype-mib.

Top      Up      ToC       Page 79 
7.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

   - The following objects, if SNMP SET maliciously, could constitute
     denial of service or theft of service attacks or compromise the
     intended data privacy of users:

   Objects related to the Baseline Privacy Key Management (BPKM)

      docsBpi2CmAuthReset,
      docsBpi2CmtsAuthCmReset,
      docsBpi2CmtsTEKReset:
          These objects are used for initiating a re-key process.  A
          malicious massive SET attack may cause CMTS processing
          overload and may compromise the service.

      docsBpi2CmtsDefaultAuthLifetime,
      docsBpi2CmtsDefaultTEKLifetime,
      docsBpi2CmtsAuthCmLifetime,
      docsBpi2CmtsTEKLifetime:
          To minimize the risk of malicious or unintended short periods
          of time when key updates may lead to degradation or denial of
          service, implementers are encouraged to follow these objects'
          range constraints, as defined in the docsBpi2CmtsCompliance
          MODULE-COMPLIANCE clause for operational deployments.

      docsBpi2CmtsDefaultSelfSignedManufCertTrust:
          A malicious SET in a self-signed certificate as reject
          message, which may constitute denial of service.  This object
          is designed for testing purposes; therefore, it is not
          RECOMMENDED for use in commercial deployments [DOCSIS].
          Administrators can make use of View-based Access Control
          (VACM) introduced in section 7.9 of [RFC3410] to restrict
          write access to this object.

      docsBpi2CmtsCheckCertValidityPeriods:
          A malicious SET in this object that enables the period
          validity and a wrong clock time in the CMTS could cause denial
          of service, as CM authorization requests will be rejected.

Top      Up      ToC       Page 80 
      For more details in the validation of CM certificates, refer to
      section 9 of [DOCSIS] .

   Objects related to the CM only:

      Objects in docsBpi2CmDeviceCertTable

      docsBpi2CmDeviceCmCert:
          This object is not harmful, considering that a CM received a
          Certificate during the manufacturing process.  Therefore, the
          object access becomes read-only.  See the object DESCRIPTION
          clause in section 3 for details.

      Objects for Secure Software Download in table
      docsBpi2CodeDownloadControl:

      docsBpi2CodeCvcUpdate:
          A malicious SET on this object may not constitute a risk,
          since the CM holds the DOCSIS root key to verify the CVC
          authenticity.  The operator, if configured, could receive a
          notification for event occurrences, which may lead to
          detecting the source of the attack.  Moreover, [DOCSIS]
          recommends that CMs CVC be regularly updated to minimize the
          risk of potential code-signing keys being compromised (e.g.,
          by configuration file).

      Objects related to the CMTS only:

      Objects in docsBpi2CmtsProvisionedCmCertTable and
      docsBpi2CmtsCACertTable containing CM Certificates and Certificate
      Authority information, respectively:

      docsBpi2CmtsProvisionedCmCertTrust,
      docsBpi2CmtsProvisionedCmCertStatus,
      docsBpi2CmtsProvisionedCmCert,
      docsBpi2CmtsCACertStatus,
      docsBpi2CmtsCACert:
          A malicious SET on these objects may constitute a denial of
          service attack that will be experienced after the CMs perform
          authorization requests.  It does not affect CMs in the
          authorized state.

      Objects in multicast tables docsBpi2CmtsIpMulticastMapTable and
      docsBpi2CmtsMulticastAuthTable:

      docsBpi2CmtsIpMulticastAddressType,
      docsBpi2CmtsIpMulticastAddress,
      docsBpi2CmtsIpMulticastMaskType,

Top      Up      ToC       Page 81 
      docsBpi2CmtsIpMulticastMask,
      docsBpi2CmtsIpMulticastSAId,
      docsBpi2CmtsIpMulticastSAType:
          Malicious SET on these objects may cause misconfiguration,
          causing interruption of the users' active multicast
          applications.

      docsBpi2CmtsIpMulticastDataEncryptAlg,
      docsBpi2CmtsIpMulticastDataAuthentAlg:
          Malicious SETs on these objects may create service
          misconfiguration, causing service interruption or theft of
          service if encryption algorithms are removed for the multicast
          groups.

      docsBpi2CmtsIpMulticastMapControl,
      docsBpi2CmtsMulticastAuthControl:
          Malicious SETs on these objects may remove and/or disable
          customers and/or multicast groups, causing service disruption.
          This may also constitute theft of service by authorizing non-
          subscribed users to multicast groups or by adding other
          multicast groups in the forward path.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

      Objects in docsBpi2CmBaseTable, docsBpi2CmTEKTable,
      docsBpi2CmtsBaseTable, docsBpi2CmtsAuthTable,
      docsBpi2CmtsTEKTable, docsBpi2CmtsProvisionedCmCertTable, and
      docsBpi2CmtsCACertTable:
          If this information is accessible, attackers may use it to
          distinguish users configured to work without data encryption
          (e.g., docsBpi2CmPrivacyEnable) and to know current Baseline
          Privacy parameters in the network.

      Objects in docsBpi2CmIpMulticastMapTable and
      docsBpi2CmtsMulticastAuthTable:
          In addition to the vulnerabilities around BPI plus multicast
          objects described in the previous part, the read-only objects
          of this table may help attackers monitor the status of the
          intrusion.

Top      Up      ToC       Page 82 
      Objects in docsBpi2CodeDownloadControl:
          In addition to the vulnerability of the read-write object
          docsBpi2CodeCvcUpdate, attackers may be able to monitor the
          status of a denial of service using Secure Software Download.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

   BPI+ Encryption Algorithms:

   The BPI+ Traffic Encryption Keys (TEK) defined in the DOCSIS BPI+
   specification [DOCSIS] use 40-bit or 56-bit DES for encryption (DES
   CBC mode).  Currently, there is no mechanism or algorithm defined for
   data integrity.

   Due to the DES cryptographic weaknesses, future revisions of the
   DOCSIS BPI+ specification should introduce more advanced encryption
   algorithms, as proposed in the DocsBpkmDataEncryptAlg textual
   convention, to overcome the progress in cheaper and faster hardware
   or software decryption tools.  Future revisions of the DOCSIS BPI+
   specification [DOCSIS] should also adopt authentication algorithms,
   as described in the DocsBpkmDataAuthentAlg textual convention.

   It is important to note that frequent key changes do not necessarily
   help in mitigating or reducing the risks of a DES attack.  Indeed,
   the traffic encryption keys, which are configured on a per cable
   modem basis and per BPI+ multicast group, can be utilized to decrypt
   old traffic, even when they are no longer in active use.

Top      Up      ToC       Page 83 
   Note that, not exempt to the same recommendations above, the CM BPI+
   authorization protocol uses triple DES encryption, which offers
   improved robustness in comparison to DES for CM authorization and TEK
   re-key management.

8.  IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER value, recorded in the SMI Numbers registry:

      Descriptor     OBJECT IDENTIFIER Value
      ----------     -----------------------
      docsBpi2MIB    { mib-2 126 }

Top      Up      ToC       Page 84 
Authors' Addresses

   Stuart M. Green

   EMail: rubbersoul3@yahoo.com


   Kaz Ozawa
   Automotive Systems Development Center
   TOSHIBA CORPORATION
   1-1, Shibaura 1-Chome
   Minato-ku, Tokyo 105-8001
   Japan

   Phone: +81-3-3457-8569
   Fax: +81-3-5444-9325
   EMail: Kazuyoshi.Ozawa@toshiba.co.jp


   Alexander Katsnelson

   Phone: +1-303-680-3924
   EMail: katsnelson6@peoplepc.com


   Eduardo Cardona
   Cable Television Laboratories, Inc.
   858 Coal Creek Circle
   Louisville, CO 80027- 9750
   U.S.A.

   Phone: +1 303 661 9100
   EMail: e.cardona@cablelabs.com

Top      Up      ToC       Page 85 
Full Copyright Statement

   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.