Internet Draft                                  Matt Osman/Eugene Nechamkin
draft-osman-pktc-ipcdn-mtamib-00.txt                 Cablelabs/Broadcom Corp
Expires: December 24, 2002                                     June 24, 2002


        Multimedia Terminal Adapter (MTA) Management Information Base
                   for PacketCable 1.0 compliant devices


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

   This memo is the initial draft of this document; it has no
   predecessors.

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a basic set of managed objects for SNMP-
   based management of PacketCable 1.0 compliant Media Terminal Adapter
   (MTA) devices.

   This memo specifies a MIB module in a manner that is compliant to the
   SNMP SMIv2 [5][6][7]. The set of objects is consistent with the SNMP
   framework and existing SNMP standards.

Osman/Nechamkin                                                  [Page 1]
Internet Draft            PacketCable MTA MIB              June 24, 2002

Table of Contents

   1     The SNMP Management Framework ............................... 2
   2     Glossary .................................................... 3
   2.1   DOCSIS ...................................................... 3
   2.2   CM .......................................................... 3
   2.3   MTA ......................................................... 4
   2.4   Endpoint .................................................... 4
   2.5   X.509 Certificate ........................................... 4
   2.6   VoIP ........................................................ 4
   2.7   RJ-11 ....................................................... 4
   2.8   Public Key Certificate ...................................... 4
   2.9   DHCP ........................................................ 4
   2.10  CMS ......................................................... 4
   2.11  CODEC ....................................................... 4
   2.12  OSS ......................................................... 4
   2.13  KDC ......................................................... 5
   2.14  FQDN ........................................................ 5
   2.15  SA .......................................................... 5
   3     Overview .................................................... 5
   3.1   Structure of the MIB ........................................ 5
   3.1.1 pktcMtaDevBase .............................................. 5
   3.1.2 pktcMtaDevServer ............................................ 6
   3.1.3 pktcMtaDevSecurity .......................................... 6
   3.2   Relationship between MIB Objects in MTA MIB ................. 7
   3.2.1 Security Association Establishment Process .................. 7
   3.2.2 Realm Table to CMS Table Relationship ....................... 7
   3.2.3 SA Related Scalar MIB Objects in MTA MIB .................... 7
   4     Definitions ................................................. 8
   5     Acknowledgments ............................................ 36
   6     Revision History ........................................... 37
   7     References ................................................. 37
   8     Security Considerations .................................... 38
   9     Intellectual Property ...................................... 39
   10    Author's Address ........................................... 40
   11    Full Copyright Statement ................................... 40

1. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [1].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The
      second version, called SMIv2, is described in STD 58, RFC 2578
      [5], STD 58, RFC 2579 [6] and STD 58, RFC 2580 [7].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in RFC 1157 [8]. A second version of the SNMP message
      protocol, which is not an Internet standards track protocol, is
      called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
      The third version of the message protocol is called SNMPv3 and
      described in RFC 1906 [10], RFC 2572 [11] and RFC 2574 [12].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [8]. A second set of protocol
      operations and associated PDU formats is described in RFC 1905
      [13].

   o  A set of fundamental applications described in RFC 2573 [14] and
      the view-based access control mechanism described in RFC 2575
      [15].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [16].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.
   Objects in the MIB are defined using the mechanisms defined in the
   SMI.

   This memo specifies a MIB module that is compliant to the SMIv2. A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB MUST be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine
   readable information is not considered to change the semantics of
   the MIB.

2. Glossary

   The terms in this document are derived either from normal PacketCable
   1.0 system usage, or from the documents associated with the
   PacketCable 1.0 Provisioning Specification [17] and Security
   Specification [18].

2.1. DOCSIS

   "Data Over Cable Service Interface Specification". A term referring
   to the ITU-T J.112 Annex B standard for cable modem systems [19].

2.2. CM

   Cable Modem. A CM acts as a data transport agent used to transfer
   call management and voice data packets over DOCSIS compliant cable
   systems.

2.3. MTA

   Media Terminal Adapter. "MTA Device" refers to any PacketCable 1.0
   compliant device providing telephony services over the cable or
   hybrid system used to deliver video signals to a community. An MTA
   can be Embedded (E-MTA) or Standalone (S-MTA). An E-MTA contains both
   an MTA and a CM. An S-MTA does not contain the CM part; it relies on
   an external DOCSIS agent to provide data transport over the cable.

2.4. Endpoint

   A standard RJ-11 telephony physical port located on the MTA and used
   for attaching the telephone device to the MTA.

2.5. X.509 Certificate

   A public key certificate specification developed as part of the
   ITU-T X.500 standards directory.

2.6. VoIP

   Voice over IP. Technology providing the means to transfer digitized
   packets carrying voice information over IP networks.

2.7. Public Key Certificate (also Digital Certificate)

   A binding between an entity's public key and one or more attributes
   relating to its identity.

2.8. DHCP

   Dynamic Host Configuration Protocol.

2.9. CMS

   Call Management Server. Controls the audio connections between
   different MTAs.

2.10. CODEC

   COder-DECoder. Algorithm used to transform audio information into
   packets of digitized data transferred over IP networks.

2.11. OSS

   Operations Systems Support. The back office software used for
   configuration, performance, fault, accounting and security
   management.

2.12. KDC

   Key Distribution Center. The security server which belongs to the
   OSS and provides mutual authentication of the various components of
   the PacketCable domain (e.g. MTA and CMS, or MTA and the Provisioning
   Server).

2.13. FQDN

   Fully Qualified Domain Name. Refer to IETF RFC 821 and RFC 1034 for
   details.

2.14. SA

   Security Association. A one-way relationship between sender and
   receiver offering security services on the communication flow.

3. Overview

   This MIB provides a set of objects required for the management of
   PacketCable compliant Media Terminal Adapters (MTA). The
   specification is derived in part from the parameters described in
   the PacketCable 1.0 Provisioning Specification [17].

3.1. Structure of the MIB

   This MIB is structured as three groups:

   o  Management information pertinent to the MTA device itself
      (pktcMtaDevBase).

   o  Management information pertinent to the provisioning back office
      servers (pktcMtaDevServer).

   o  Management information pertinent to the elements of, and the logic
      providing, the PacketCable security mechanisms
      (pktcMtaDevSecurity).

   The first two groups contain only scalar information describing the
   corresponding characteristics of the MTA device and the back office
   servers. The third group contains two tables controlling the
   necessary logical associations between KDC realms and back office
   servers (CMS and Provisioning). Rows in the tables can be created
   automatically (e.g. by the device according to its current state
   information) or by the management station, depending on the
   operational situation. Tables may, and generally will, have a mixture
   of both types of rows.

3.1.1. pktcMtaDevBase

   Contains management information describing the parameters of the MTA
   device itself. This group also contains some objects controlling the
   MTA state. Some of the MIB objects are as follows:

   pktcMtaDevSerialNumber - Contains the MTA serial number.

   pktcMtaDevMacAddress - Contains the MTA MAC address.

   pktcMtaDevEndPntCount - Contains the number of endpoints present in
   the MTA.

   pktcMtaDevProvisioningState - Describes the completion state of the
   initialization process.

   pktcMtaDevEnabled - Controls the state of the MTA, enabling or
   disabling telephony services on the device.

   pktcMtaDevResetNow - Instructs the MTA to reset itself.

3.1.2. pktcMtaDevServer

   Contains management information describing the back office servers
   and the parameters assigned to the communication timeouts. This group
   also contains some objects controlling the initial MTA interaction
   with the Provisioning Server. Some of the MIB objects are as follows:

   pktcMtaDevServerDhcp1 - The IP address of the primary DHCP server
   designated for MTA provisioning.

   pktcMtaDevServerDhcp2 - The IP address of the secondary DHCP server
   designated for MTA provisioning.

   pktcMtaDevServerDns1 - The IP address of the primary DNS server used
   by the MTA to resolve FQDNs and IP addresses.

   pktcMtaDevServerDns2 - The IP address of the secondary DNS server
   used by the MTA to resolve FQDNs and IP addresses.

   pktcMtaDevConfigFile - The name of the provisioning configuration
   file the MTA downloads from the Provisioning Server.

   pktcMtaDevProvConfigHash - Supplies the hash value of the MTA
   configuration file, calculated over its content.

3.1.3. pktcMtaDevSecurity

   Contains management information describing the security related
   characteristics of the MTA. This group also contains two tables
   holding the logical dependencies and parameters necessary to
   establish a security association between the MTA and other
   components of the back office.

   pktcMtaDevRealmTable - Used in conjunction with any server which
   needs a Security Association with an MTA (CMS or Provisioning
   Server).

   pktcMtaDevCmsTable - Contains the parameters describing SA
   establishment between an MTA and a CMS.

3.2. Relationship between MIB Objects in MTA MIB

   This section clarifies the relationship between the various MIB
   objects in the MTA MIB with respect to the role these objects play in
   the Security Association establishment process.

3.2.1. Security Association Establishment Process

   Relationships between the MTA MIB objects follow from the way the
   Security Association establishment process is defined by the
   PacketCable Security Specification [18]. The SA establishment process
   between the MTA and other back office servers (CMS or Provisioning
   Server) consists of two steps:

   o  AS-exchange, providing mutual authentication of the parties (MTA
      and the Server);

   o  AP-exchange, providing the key distribution between the parties
      (MTA and the Server).

   Each Server-MTA Security Association has a one-to-one correspondence
   to a single Realm.

3.2.2. Realm Table to CMS Table Relationship

   The Realm Table contains the parameters defining the AS-exchange
   between the MTA and the KDC when the MTA is to be authenticated to
   either of the servers (CMS or Provisioning). The Realm Table is
   indexed by the Realm Name.

   The CMS Table contains the parameters defining the AP-exchange
   between the MTA and the CMS when the MTA is exchanging the keys for
   the SA with the CMS. The CMS Table is indexed by the CMS FQDN.

   The CMS Table also contains the Realm Name corresponding to each CMS
   FQDN (each row). This allows for multiple realms, each with its own
   Security Association.

3.2.3. SA Related Scalar MIB Objects in MTA MIB

   The MTA MIB also contains a group of scalar MIB objects which define
   the parameters for the AP-exchange process between the MTA and the
   Provisioning Server. These objects are:

   o  pktcMtaDevProvUnsolicitedKeyMaxTimeout
   o  pktcMtaDevProvUnsolicitedKeyNomTimeout
   o  pktcMtaDevProvUnsolicitedKeyMaxRetries
   o  pktcMtaDevProvSolicitedKeyTimeout

4. Definitions

PKTC-MTA-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32, IpAddress,
    NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    TruthValue, RowStatus, TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    InetAddressType, InetAddress, InetPortNumber
        FROM INET-ADDRESS-MIB
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    clabProjPacketCable
        FROM CLAB-DEF-MIB
    ifIndex
        FROM IF-MIB
    docsDevSwCurrentVers
        FROM DOCS-CABLE-DEVICE-MIB;

-- version 8

pktcMtaMib MODULE-IDENTITY
    LAST-UPDATED "0206240000Z" -- June 24, 2002
    ORGANIZATION "PacketCable OSS Group"
    CONTACT-INFO
        "Matt Osman
         Postal: Cable Television Laboratories, Inc.
                 400 Centennial Parkway
                 Louisville, Colorado 80027-1266
                 U.S.A.
         Phone:  +1 303-661-9100
         Fax:    +1 303-661-9199
         E-mail: m.osman@cablelabs.com

         Eugene Nechamkin
         Postal: Broadcom Corporation,
                 200-13711 International Place,
                 Richmond, BC, V6V 2Z8
                 Canada
         Phone:  +1 604 233 8500
         Fax:    +1 604 233 8501
         E-mail: enechamkin@broadcom.com

         IETF IPCDN Working Group
         General Discussion: ipcdn@ietf.org
         Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn
         Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn
         Co-chairs: Richard Woundy, rwoundy@cisco.com
                    Andrew Valentine, a.valentine@eu.hns.com"
    DESCRIPTION
        "This is the MIB module for PacketCable 1.x compliant Multimedia
        Terminal Adapter Devices in Telephony-Over-Cable Systems."
    REVISION "0206240000Z"
    DESCRIPTION
        "Initial introduction of the draft of the document."
    ::= { clabProjPacketCable 1 }

-- Textual Conventions

X509Certificate ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An X.509 digital certificate encoded as an ASN.1 DER object."
    SYNTAX      OCTET STRING (SIZE (0..4096))

--========================================================================
--
-- The MTA MIB only supports a single provisioning server.
--
--========================================================================

pktcMtaMibObjects   OBJECT IDENTIFIER ::= { pktcMtaMib 1 }

pktcMtaDevBase      OBJECT IDENTIFIER ::= { pktcMtaMibObjects 1 }
pktcMtaDevServer    OBJECT IDENTIFIER ::= { pktcMtaMibObjects 2 }
pktcMtaDevSecurity  OBJECT IDENTIFIER ::= { pktcMtaMibObjects 3 }

--
-- The following group describes the base objects in the MTA
--

pktcMtaDevResetNow OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Setting this object to true(1) causes the device to reset.
        Reading this object always returns false(2). When
        pktcMtaDevResetNow is set to true, the following actions occur:
          1. All connections (if present) are flushed locally.
          2. All current actions such as ringing immediately terminate.
          3. Requests for notifications, such as notification based on
             digit map recognition, are flushed.
          4. All endpoints are disabled.
          5. The provisioning flow is started at step MTA-1."
    ::= { pktcMtaDevBase 1 }

pktcMtaDevSerialNumber OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE (1..128))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The manufacturer's serial number for this MTA."
    ::= { pktcMtaDevBase 2 }

pktcMtaDevHardwareVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE (1..48))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The manufacturer's hardware version for this MTA."
    ::= { pktcMtaDevBase 3 }

pktcMtaDevMacAddress OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The telephony MAC address for this device."
    ::= { pktcMtaDevBase 4 }

pktcMtaDevFQDN OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Fully Qualified Domain Name for this MTA."
    ::= { pktcMtaDevBase 5 }

pktcMtaDevEndPntCount OBJECT-TYPE
    SYNTAX      INTEGER (1..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of physical endpoints on this MTA."
    ::= { pktcMtaDevBase 6 }

pktcMtaDevEnabled OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The MTA admin status of this device, where true(1) means the
        voice feature is enabled and false(2) indicates that it is
        disabled."
    ::= { pktcMtaDevBase 7 }

pktcMtaDevTypeIdentifier OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is a copy of the device type identifier used in the DHCP
        option 60 exchanged between the MTA and the DHCP server."
    ::= { pktcMtaDevBase 8 }

pktcMtaDevProvisioningState OBJECT-TYPE
    SYNTAX      INTEGER {
                    pass(1),
                    inProgress(2),
                    fail(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates the completion state of the
        initialization process. Pass or Fail states occur after
        completion of the initialization flow. InProgress occurs from
        MTA initialization start to MTA initialization end; the detail
        of the inProgress status is observed from pktcMtaDevProvState.
        The Fail state requires manual intervention."
    ::= { pktcMtaDevBase 9 }

pktcMtaDevHttpAccess OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This indicates whether HTTP file access is supported for MTA
        configuration file transfer."
    ::= { pktcMtaDevBase 10 }

pktcMtaDevProvisioningTimer OBJECT-TYPE
    SYNTAX      INTEGER (0..30)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object sets the duration of the provisioning timeout
        timer. The timer covers the provisioning sequence from step
        MTA-1 to step MTA-23. The value is in minutes; setting the timer
        to 0 disables it."
    DEFVAL { 10 }
    ::= { pktcMtaDevBase 11 }

pktcMtaDevProvisioningCounter OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object is the count of the number of times the
        provisioning cycle has looped through step MTA-1 since the last
        reboot."
    ::= { pktcMtaDevBase 12 }

--
-- The following group describes server access and parameters used for
-- initial provisioning and bootstrapping.
--

pktcMtaDevServerBootState OBJECT-TYPE
    SYNTAX      INTEGER {
                    operational(1),
                    disabled(2),
                    waitingForDhcpOffer(3),
                    waitingForDhcpResponse(4),
                    waitingForConfig(5),
                    refusedByCmts(6),
                    other(7),
                    unknown(8)
                }
    MAX-ACCESS  read-only
    STATUS      obsolete
    DESCRIPTION
        "If operational(1), the device has completed loading and
        processing of configuration parameters and the CMTS has
        completed the Registration exchange.
        If disabled(2) then the device was administratively disabled,
        possibly by being refused network access in the configuration
        file.
        If waitingForDhcpOffer(3) then a DHCP Discover has been
        transmitted and no offer has yet been received.
        If waitingForDhcpResponse(4) then a DHCP Request has been
        transmitted and no response has yet been received.
        If waitingForConfig(5) then a request to the config parameter
        server has been made and no response received.
        If refusedByCmts(6) then the Registration Request/Response
        exchange with the CMTS failed."
    REFERENCE
        "DOCSIS Radio Frequency Interface Specification, Figure 7-1, CM
        Initialization Overview."
    ::= { pktcMtaDevServer 1 }

pktcMtaDevServerDhcp OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      obsolete
    DESCRIPTION
        "The IP address of the DHCP server that assigned an IP address
        to this device. Returns 0.0.0.0 if DHCP was not used for IP
        address assignment."
    ::= { pktcMtaDevServer 2 }

pktcMtaDevServerDns1 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The IP address of the primary DNS server to be used by the MTA
        to resolve FQDNs and IP addresses."
    ::= { pktcMtaDevServer 3 }

pktcMtaDevServerDns1AddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the primary DNS server to be
        used by the MTA to resolve FQDNs and IP addresses. An Internet
        address of DNS type must not be used."
    ::= { pktcMtaDevServer 19 }

pktcMtaDevServerDns2 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The IP address of the secondary DNS server to be used by the
        MTA to resolve FQDNs and IP addresses. Contains 0.0.0.0 if there
        is no secondary DNS server specified for the MTA under
        consideration."
    ::= { pktcMtaDevServer 4 }

pktcMtaDevServerDns2AddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the secondary DNS server to be
        used by the MTA to resolve FQDNs and IP addresses. An Internet
        address of DNS type must not be used."
    ::= { pktcMtaDevServer 20 }

pktcMtaDevConfigFile OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The URL of the TFTP/HTTP file for downloading provisioning and
        configuration parameters to this device. Returns NULL if the
        server address is unknown. Supports both TFTP and HTTP."
    ::= { pktcMtaDevServer 5 }

pktcMtaDevSnmpEntity OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The FQDN of the SNMPv3 entity of the Provisioning Server with
        which the MTA has to communicate in order to receive the access
        method, location and name of the configuration file during MTA
        provisioning. This is also the entity which caters to the
        endpoint provisioning needs of the MTA and is the destination
        for all provisioning informs. It may also be used for
        post-provisioning SNMP operations."
    ::= { pktcMtaDevServer 6 }

pktcMtaDevProvConfigHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (16|20))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Hash of the contents of the config file, calculated and sent to
        the MTA prior to sending the config file. If the authentication
        algorithm is MD5, the length is 128 bits. If the authentication
        algorithm is SHA-1, the length is 160 bits."
    ::= { pktcMtaDevServer 7 }

pktcMtaDevProvConfigKey OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0|8))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Key used to encrypt/decrypt the config file, sent to the MTA
        prior to sending the config file. If the privacy algorithm is
        null, the length is 0. If the privacy algorithm is DES, the
        length is 64 bits."
    ::= { pktcMtaDevServer 8 }

pktcMtaDevProvSolicitedKeyTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the Provisioning Server
        initiated key management (with a Wake Up message) for SNMPv3. It
        is the period during which the MTA will save a nonce (inside the
        sequence number field) from the sent out AP Request and wait for
        the matching AP Reply from the Provisioning Server."
    DEFVAL { 120 }
    ::= { pktcMtaDevServer 9 }

--=========================================================================
--
-- Unsolicited Key Updates are based on an exponential backoff mechanism
-- with two timers for AS replies. The fast timer has a maximum timer
-- (pktcMtaDevProvUnsolicitedKeyMaxTimeout seconds) and a nominal timer
-- (pktcMtaDevProvUnsolicitedKeyNomTimeout seconds) from which the backoff
-- timer determinations are made.
--
--=========================================================================
--
-- Timeouts for unsolicited key management updates are only pertinent
-- before the first SNMP message is sent between the MTA and the CMS and
-- before the configuration file is loaded. No SNMP communications can
-- exist under PacketCable without the security association existing. The
-- following objects are provided only for diagnostic purposes and are
-- only useful if the MTA can be brought up without any security.
--
--=========================================================================
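The following is an added example, not code from this draft or from CableLabs, showing the check an MTA would perform with the two objects defined just above: pktcMtaDevProvConfigHash selects the digest algorithm purely by its octet length (16 octets for MD5, 20 for SHA-1) and pktcMtaDevProvConfigKey selects the privacy algorithm the same way (0 octets for null, 8 for DES). The example assumes the hash is computed over exactly the bytes the MTA received; whether that is the plaintext or the encrypted file is settled by the PacketCable provisioning specification, not by this page. The sample configuration blob and its digests are constructed here for illustration.

```python
"""Check a downloaded MTA configuration file against pktcMtaDevProvConfigHash.

Added example; not part of the PKTC-MTA-MIB draft. Assumes the hash covers
exactly the bytes the MTA received. The length rules come from the object
definitions: SIZE (16|20) for the hash, SIZE (0|8) for the key.
"""
import hashlib
import hmac

# Octet length of pktcMtaDevProvConfigHash -> digest algorithm it implies.
HASH_ALGORITHM_BY_LENGTH = {16: "md5", 20: "sha1"}

# Octet length of pktcMtaDevProvConfigKey -> privacy algorithm it implies.
PRIVACY_BY_KEY_LENGTH = {0: "null", 8: "des"}

# Constructed sample data (not a real PacketCable configuration file).
SAMPLE_CONFIG = b"\x01\x04MTA0\x02\x08endpt=01"
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_CONFIG).digest()   # 20 octets
SAMPLE_MD5 = hashlib.md5(SAMPLE_CONFIG).digest()     # 16 octets
SAMPLE_DES_KEY = bytes(8)                            # placeholder 64-bit key


def hash_algorithm(prov_config_hash: bytes) -> str:
    """Map the SNMP-supplied hash value to the algorithm its length implies."""
    try:
        return HASH_ALGORITHM_BY_LENGTH[len(prov_config_hash)]
    except KeyError:
        raise ValueError(
            f"pktcMtaDevProvConfigHash must be 16 or 20 octets, "
            f"got {len(prov_config_hash)}"
        ) from None


def privacy_algorithm(prov_config_key: bytes) -> str:
    """Map the SNMP-supplied key value to the privacy algorithm its length implies."""
    try:
        return PRIVACY_BY_KEY_LENGTH[len(prov_config_key)]
    except KeyError:
        raise ValueError(
            f"pktcMtaDevProvConfigKey must be 0 or 8 octets, "
            f"got {len(prov_config_key)}"
        ) from None


def config_file_matches(config_bytes: bytes, prov_config_hash: bytes) -> bool:
    """True iff the file's digest equals the hash that was set via SNMP.

    A constant-time comparison is used so that a mismatch does not leak
    through timing where the two digests first diverge.
    """
    algo = hash_algorithm(prov_config_hash)
    digest = hashlib.new(algo, config_bytes).digest()
    return hmac.compare_digest(digest, prov_config_hash)


def accept_config_file(config_bytes: bytes, prov_config_hash: bytes,
                       prov_config_key: bytes) -> dict:
    """Decide whether the MTA may apply the file and report the algorithms.

    Both SNMP values are validated before any digest is computed, so an
    illegal length is rejected rather than silently treated as a mismatch.
    """
    return {
        "hash_algorithm": hash_algorithm(prov_config_hash),
        "privacy_algorithm": privacy_algorithm(prov_config_key),
        "accepted": config_file_matches(config_bytes, prov_config_hash),
    }


if __name__ == "__main__":
    print(accept_config_file(SAMPLE_CONFIG, SAMPLE_SHA1, b""))
    # One appended byte changes the digest, so the file is not accepted.
    print(accept_config_file(SAMPLE_CONFIG + b"\x00", SAMPLE_SHA1, b""))
```

The point a manager implementation should take from this is that the object's SIZE constraint is also its algorithm selector: a value of any other length is not an alternative encoding to be tolerated but a malformed SET that must be refused before the file transfer begins.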
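The comment block above describes the unsolicited key update timers only qualitatively: an exponential backoff driven by a nominal and a maximum timeout, bounded by a retry count (the three objects pktcMtaDevProvUnsolicitedKeyNomTimeout, pktcMtaDevProvUnsolicitedKeyMaxTimeout and pktcMtaDevProvUnsolicitedKeyMaxRetries defined next). The following added example, which is not code from the draft or from the PacketCable specifications, works out what the DEFVALs imply for how long an MTA keeps retrying the AP-REQ/AP-REP exchange. It ASSUMES the usual form of such a backoff, the n-th wait being the nominal timeout doubled n times and clamped to the maximum; the exact rule lives in the PacketCable Security Specification [18], which this page does not reproduce. The comparison against pktcMtaDevProvisioningTimer is added here as an operator's sanity check and is also an assumption about which timed window the exchange falls into.

```python
"""Worked example of the unsolicited key management backoff parameters.

Added example; not from the PKTC-MTA-MIB draft. ASSUMED backoff rule:
wait_n = min(max_timeout, nom_timeout * 2**n). SYNTAX ranges and DEFVALs
are taken from the object definitions.
"""

# SYNTAX ranges from the object definitions.
TIMEOUT_RANGE = (15, 600)   # Integer32 (15..600), seconds
RETRIES_RANGE = (1, 32)     # Integer32 (1..32)

# DEFVALs from the object definitions.
DEFAULT_NOM_TIMEOUT = 30    # pktcMtaDevProvUnsolicitedKeyNomTimeout
DEFAULT_MAX_TIMEOUT = 600   # pktcMtaDevProvUnsolicitedKeyMaxTimeout
DEFAULT_MAX_RETRIES = 8     # pktcMtaDevProvUnsolicitedKeyMaxRetries


def _check_range(name, value, lo, hi):
    """Reject a value an agent could not legally hold in that object."""
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside SYNTAX range {lo}..{hi}")


def backoff_schedule(nom_timeout=DEFAULT_NOM_TIMEOUT,
                     max_timeout=DEFAULT_MAX_TIMEOUT,
                     max_retries=DEFAULT_MAX_RETRIES):
    """Per-attempt waits in seconds for max_retries attempts.

    ASSUMPTION: doubling backoff clamped at max_timeout; the PacketCable
    Security Specification holds the normative rule.
    """
    _check_range("pktcMtaDevProvUnsolicitedKeyNomTimeout", nom_timeout, *TIMEOUT_RANGE)
    _check_range("pktcMtaDevProvUnsolicitedKeyMaxTimeout", max_timeout, *TIMEOUT_RANGE)
    _check_range("pktcMtaDevProvUnsolicitedKeyMaxRetries", max_retries, *RETRIES_RANGE)
    if nom_timeout > max_timeout:
        raise ValueError("nominal timeout must not exceed the maximum timeout")
    return [min(max_timeout, nom_timeout * (2 ** n)) for n in range(max_retries)]


def worst_case_wait(nom_timeout=DEFAULT_NOM_TIMEOUT,
                    max_timeout=DEFAULT_MAX_TIMEOUT,
                    max_retries=DEFAULT_MAX_RETRIES):
    """Seconds an MTA spends before giving up if every attempt times out."""
    return sum(backoff_schedule(nom_timeout, max_timeout, max_retries))


def fits_provisioning_timer(timer_minutes, **backoff_params):
    """Compare the worst case with pktcMtaDevProvisioningTimer (0 = disabled).

    ASSUMPTION: the AP exchange occurs inside the MTA-1..MTA-23 window the
    provisioning timer covers.
    """
    _check_range("pktcMtaDevProvisioningTimer", timer_minutes, 0, 30)
    if timer_minutes == 0:
        return True
    return worst_case_wait(**backoff_params) <= timer_minutes * 60


if __name__ == "__main__":
    print("schedule:", backoff_schedule())
    print("worst case (s):", worst_case_wait())
    print("fits default 10 min timer:", fits_provisioning_timer(10))
```

With the DEFVALs the schedule is 30, 60, 120, 240, 480 and then 600 three times, a worst case of 2730 seconds, which an operator can weigh against the 10-minute default of pktcMtaDevProvisioningTimer when tuning either side.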
-- --========================================================================== pktcMtaDevProvUnsolicitedKeyMaxTimeout OBJECT-TYPE SYNTAX Integer32 (15..600) UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "This timeout applies to MTA initiated AP-REQ/REP key management exchange with Provisoning Server. The maximum timeout is the value which may not be exceeded in the exponential backoff algorithm." REFERENCE "PacketCable Security Specification [18]" DEFVAL {600} ::= { pktcMtaDevServer 10 } pktcMtaDevProvUnsolicitedKeyNomTimeout OBJECT-TYPE SYNTAX Integer32 (15..600) UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "This timeout applies only when the MTA initiated AP-REQ/REP key management. Typically this is the average roundtrip time between the MTA and the Provisioing server." REFERENCE "PacketCable Security Specification [18]" DEFVAL {30} ::= { pktcMtaDevServer 11 } Osman/Nechamkin Expires December 24 2002 [Page 15] Internet Draft PacketCable MTA MIB June 24, 2002 pktcMtaDevProvUnsolicitedKeyMeanDev OBJECT-TYPE SYNTAX Integer32 (15..600) UNITS "seconds" MAX-ACCESS read-only STATUS obsolete DESCRIPTION "This is the mean deviation for the round trip delay timings." REFERENCE "PacketCable Security Specification PKT-SP-SEC-I05-020116" ::= { pktcMtaDevServer 12 } pktcMtaDevProvUnsolicitedKeyMaxRetries OBJECT-TYPE SYNTAX Integer32 (1..32) MAX-ACCESS read-only STATUS current DESCRIPTION "This retries number applies to MTA initiated AP-REQ/REP key management exchange with Provisioning Server. This is the maximum number of retries before the MTA gives up attempting to establish an SNMPv3 security association with Provisioning Server." REFERENCE "PacketCable Security Specification [18]" DEFVAL {8} ::= { pktcMtaDevServer 13 } pktcMtaDevProvKerbRealmName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "The name of the associated Provisioning Kerberos Realm acquired during MTA4 ( DHCP Ack ). 
This is used as an index into the pktcMtaDevRealmTable. When used as an index, the upper case ASCII representation of the associated Kerberos Realm name MUST be used by both the Manager(SNMPv3 Entity) and the MTA." ::= { pktcMtaDevServer 14 } pktcMtaDevProvState OBJECT-TYPE SYNTAX INTEGER { operational (1), disabled (2), other (3), unknown (4), waitingToStart (10), waitingForDhcpOffer (12), waitingForDhcpAckResponse (14), waitingForProvRealmKdcNameResponse (16), waitingForProvRealmKdcAddrResponse (18), waitingForAsReply (20), waitingForTgsReply (22), waitingForApReply (24), Osman/Nechamkin Expires December 24 2002 [Page 16] Internet Draft PacketCable MTA MIB June 24, 2002 waitingForSnmpGetRequest (26), waitingForSnmpSetInfo (28), waitingForTftpAddrResponse (30), waitingForConfigFile (32), waitingForTelRealmKdcNameResponse (34), waitingForTelRealmKdcAddrResponse (36), waitingForPkinitAsReply (38), waitingForCmsKerbTickTgsReply (40), waitingForCmsKerbTickApReply (42) } MAX-ACCESS read-only STATUS current DESCRIPTION "If operational(1), the device has completed loading and processing of initialization parameters. If disabled(2) then the device was administratively disabled, possibly by being refused network access in the configuration file. If waitingToStart(10) then the MTA is has not received a signal to start initialization. If waitingForDhcpOffer(12) then a DHCP Discover has been transmitted and no offer has yet been received. If waitingForDhcpAckResponse(14) then a DHCP Request has been transmitted and no response has yet been received. If waitingProvRealmKdcNameResponse(16) then a DNS Srv request has been transmitted and no reply has yet been received. If waitingForProvRealmKdcAddrResponse(18) then a DNS request has been transmitted and no reply has yet been received. If waitingForAsReply(20) then an AS request has been and no MSO KDC AS Kerberos ticket reply has yet been received. 
If waitingForTgsReply(22) then a TGS request has been transmitted and no TGS ticket reply has yet been received. If waitingForApReply(24) then an AP request has been transmitted and no SNMPv3 key info reply has yet been received. If waitingForSnmpGetRequest(26) then an INFORM message has been transmitted and the device is waiting on optional/iterative GET requests. If waitingForSnmpSetInfo(28) then the device is waiting on config file download access information. If waitingForTftpAddrResponse(30) then a DNS request has been transmitted and no reply has yet been received. If waitingForConfigFile(32) then a TFTP request has been transmitted and no reply has yet been received or a download is in progress. If waitingForTelRealmKdcNameResponse(34) then a DNS Srv request has been transmitted and no name reply Osman/Nechamkin Expires December 24 2002 [Page 17] Internet Draft PacketCable MTA MIB June 24, 2002 has yet been received. If waitingForTelRealmKdcAddrResponse(36) then a DNS request has been transmitted and no address reply has yet been received. If waitingForPkinitAsReply(38) then an AS request has been transmitted and no ticket reply has yet been received. If waitingForCmsKerbTickTgsReply(40) then a TGS request has been transmitted and no ticket reply has yet been received. If waitingForCmsKerbTickApReply(42) then a AP request has been transmitted and no Ipsec parameters reply has yet been received. " REFERENCE "PacketCable Provisioning Specification PacketCable Security Specification" ::= { pktcMtaDevServer 15 } pktcMtaDevServerDhcp1 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the primary DHCP server which would cater to the MTA during its provisioning. Contains 255.255.255.255 if there was no preference given with respect to the DHCP servers for MTA provisioning." 
    ::= { pktcMtaDevServer 16 }

pktcMtaDevServerDhcp1AddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the primary DHCP server
         which would cater to the MTA during its provisioning."
    ::= { pktcMtaDevServer 21 }

pktcMtaDevServerDhcp2 OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the secondary DHCP server which could
         cater to the MTA during its provisioning. Contains 0.0.0.0
         if there is no specific secondary DHCP server to be
         considered during MTA provisioning."
    ::= { pktcMtaDevServer 17 }

pktcMtaDevServerDhcp2AddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the secondary DHCP server
         which would cater to the MTA during its provisioning."
    ::= { pktcMtaDevServer 22 }

pktcMtaDevTimeServer OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This holds the IP address of the Time Server used for Time
         Synchronization and must be populated in the case of SMTA.
         Contains 0.0.0.0 if the Time Protocol is not used for time
         synchronization."
    ::= { pktcMtaDevServer 18 }

pktcMtaDevTimeServerAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The type of Internet address of the Time Server used to
         obtain the time."
    ::= { pktcMtaDevServer 23 }

--
-- The following group describes the security objects in the MTA
--

pktcMtaDevManufacturerCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "ASN.1 DER encoding of the MTA Manufacturer's X.509
         public-key certificate, called MTA Manufacturer
         Certificate. It is issued to each MTA manufacturer and is
         installed into each MTA either in the factory or with a
         code download. The provisioning server cannot update this
         certificate."
    ::= { pktcMtaDevSecurity 1 }

pktcMtaDevCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "ASN.1 DER encoding of the MTA's X.509 public-key
         certificate issued by the manufacturer and installed into
         the embedded-MTA in the factory. This certificate, called
         MTA Device Certificate, contains the MTA's MAC address. It
         cannot be updated by the provisioning server."
    ::= { pktcMtaDevSecurity 2 }

pktcMtaDevSignature OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..256))
    MAX-ACCESS  read-only
    STATUS      obsolete
    DESCRIPTION
        "A unique signature created by the MTA for each SNMP Inform
         or SNMP Trap or SNMP GetResponse message exchanged prior to
         enabling SNMPv3 security. ASN.1 encoded digital signature
         in the Cryptographic Message Syntax (includes nonce)."
    ::= { pktcMtaDevSecurity 3 }

pktcMtaDevCorrelationId OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Random value generated by the MTA for use in registration
         authorization. It is for use only in the MTA
         initialization messages and for MTA configuration file
         download."
    ::= { pktcMtaDevSecurity 4 }

pktcMtaDevSecurityTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevSecurityEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete
    DESCRIPTION
        "Contains per endpoint security information."
    ::= { pktcMtaDevSecurity 5 }

pktcMtaDevSecurityEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevSecurityEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete
    DESCRIPTION
        "List of security attributes for a single packet cable
         endpoint interface."
    INDEX { ifIndex }
    ::= { pktcMtaDevSecurityTable 1 }

PktcMtaDevSecurityEntry ::= SEQUENCE {
    pktcMtaDevServProviderCertificate   X509Certificate,
    pktcMtaDevTelephonyCertificate      X509Certificate,
    pktcMtaDevKerberosRealm             OCTET STRING,
    pktcMtaDevKerbPrincipalName         DisplayString,
    pktcMtaDevServGracePeriod           Integer32,
    pktcMtaDevLocalSystemCertificate    X509Certificate,
    pktcMtaDevKeyMgmtTimeout1           Integer32,
    pktcMtaDevKeyMgmtTimeout2           Integer32
}

pktcMtaDevServProviderCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-write
    STATUS      obsolete
    DESCRIPTION
        "ASN.1 DER encoding of the Telephony Service Provider's
         X.509 public-key certificate, called Telephony Service
         Provider Certificate. It serves as the root of the
         intra-domain trust hierarchy. Each MTA is configured with
         this certificate so that it can authenticate TGSs owned by
         the same service provider. The provisioning server needs
         the ability to update this certificate in the MTAs via
         both SNMP and configuration files."
    ::= { pktcMtaDevSecurityEntry 1 }

pktcMtaDevTelephonyCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-write
    STATUS      obsolete
    DESCRIPTION
        "ASN.1 DER encoding of the MTA's X.509 public-key
         certificate issued by the Service Provider with either the
         Service Provider CA or a Local System CA. This certificate,
         called MTA Telephony Certificate, contains the same public
         key as the MTA Device Certificate issued by the
         manufacturer. It is used to authenticate the identity of
         the MTA to the TGS (during PKINIT exchanges). The
         provisioning server needs the ability to update this
         certificate in the MTAs via both SNMP and configuration
         files."
    ::= { pktcMtaDevSecurityEntry 2 }

pktcMtaDevKerberosRealm OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..1280))
    MAX-ACCESS  read-write
    STATUS      obsolete -- moved to realm table
    DESCRIPTION
        "Specifies a Kerberos realm (i.e. administrative domain),
         required for PacketCable key management."
    ::= { pktcMtaDevSecurityEntry 3 }

pktcMtaDevKerbPrincipalName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..40))
    MAX-ACCESS  read-write
    STATUS      obsolete
    DESCRIPTION
        "Kerberos principal name for the Call Agent. This
         information is required in order for the MTA to obtain
         Call Agent Kerberos tickets. This principal name does not
         include the realm, which is specified as a separate field
         in this configuration file. A single Kerberos principal
         name MAY be shared among several Call Agents."
    ::= { pktcMtaDevSecurityEntry 4 }

pktcMtaDevServGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      obsolete -- moved to realm table
    DESCRIPTION
        "The MTA MUST obtain a new Kerberos ticket (with a PKINIT
         exchange) this many minutes before the old ticket expires.
         The minimum allowable value is 15 mins. The default is 30
         mins."
    DEFVAL { 30 }
    ::= { pktcMtaDevSecurityEntry 5 }

pktcMtaDevLocalSystemCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-write
    STATUS      obsolete
    DESCRIPTION
        "Telephony Service Provider CA may delegate the issuance of
         certificates to a regional Certification Authority called
         Local System CA (with the corresponding Local System
         Certificate). This parameter is the ASN.1 DER encoding of
         the Local System Certificate. It MUST have a non-empty
         value when the MTA Telephony certificate is signed by a
         Local System CA. Otherwise, the value MUST be of length 0."
    ::= { pktcMtaDevSecurityEntry 6 }

pktcMtaDevKeyMgmtTimeout1 OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      obsolete -- moved to cms table
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. It is the period during which the MTA will
         save a nonce (inside the sequence number field) from the
         sent out AP Request and wait for the matching AP Reply
         from the CMS."
    REFERENCE
        "PacketCable Security Specification PKT-SP-SEC-I05-020116"
    ::= { pktcMtaDevSecurityEntry 7 }

pktcMtaDevKeyMgmtTimeout2 OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      obsolete -- changed to adaptive backoff and moved to
                        -- cms table
    DESCRIPTION
        "This timeout applies only when the CMS initiated key
         management (with a Wake Up or Rekey message). It is the
         period during which the MTA will save a nonce (inside the
         sequence number field) from the sent out AP Request and
         wait for the matching AP Reply from the CMS."
    REFERENCE
        "PacketCable Security Specification PKT-SP-SEC-I05-020116"
    ::= { pktcMtaDevSecurityEntry 8 }

--
-- Ticket Granting Server information
--

pktcMtaDevTgsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevTgsEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete -- Secure Provisioning ECR
    DESCRIPTION
        "Contains per endpoint Ticket Granting Server information."
    ::= { pktcMtaDevSecurity 8 }

pktcMtaDevTgsEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevTgsEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete -- Secure Provisioning ECR
    DESCRIPTION
        "List of TGS attributes for a single packet cable endpoint
         interface."
    INDEX { ifIndex, pktcMtaDevTgsIndex }
    ::= { pktcMtaDevTgsTable 1 }

PktcMtaDevTgsEntry ::= SEQUENCE {
    pktcMtaDevTgsIndex      Integer32,
    pktcMtaDevTgsLocation   DisplayString,
    pktcMtaDevTgsStatus     RowStatus
}

pktcMtaDevTgsIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      obsolete
    DESCRIPTION
        "Index into the TGS table for TGS locations. IfType
         specifies the endpoint, TgsIndex specifies a TGS."
    ::= { pktcMtaDevTgsEntry 1 }

pktcMtaDevTgsLocation OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-create
    STATUS      obsolete
    DESCRIPTION
        "Name of the TGS (Ticket Granting Server), which is the
         Kerberos Server. This parameter is a FQDN or IPv4 address.
         There may be multiple entries of this type. The order in
         which these entries are listed is the priority order in
         which the MTA will attempt to contact them for this
         endpoint."
    ::= { pktcMtaDevTgsEntry 2 }

pktcMtaDevTgsStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      obsolete
    DESCRIPTION
        "This object contains the Row Status associated with the
         pktcMtaDevTgsTable."
    ::= { pktcMtaDevTgsEntry 3 }

pktcMtaDevTelephonyRootCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "ASN.1 DER encoding of the IP Telephony Root X.509
         public-key certificate stored in the MTA non-volatile
         memory and updateable with a code download. This
         certificate is used to validate the initial AS Reply from
         the KDC received during the MTA initialization."
    ::= { pktcMtaDevSecurity 9 }

--========================================================================
--
-- Procedures for setting up security associations:
--
-- A security association may be set up either via configuration or via
-- NCS signaling.
--
-- I. Security association setup via configuration.
--
--    The realm must be configured first. Associated with the realm
--    is a KDC. The realm table (pktcMtaDevRealmTable) indicates
--    information about the realm (e.g., name, organization name) and
--    parameters associated with KDC communications (e.g., grace
--    periods, AS request/AS reply adaptive backoff parameters).
--
--    Once the realm is established, one or more servers may be
--    defined in the realm. For PacketCable 1.0, these are Call
--    Management Servers (CMSs). Associated with each CMS
--    entry in the pktcMtaDevCmsTable is an explicit reference
--    to a Realm via the realm index (pktcMtaDevCmsKerbRealmName),
--    the FQDN of the CMS, and parameters associated with IPSec
--    key management with the CMS (e.g., clock skew, AP request/
--    AP reply adaptive backoff parameters).
--
-- II. Security association setup via NCS signaling
--
--    Note: The following process is done automatically by the
--    MTA. The NCS is not involved in creating signaled entries.
--    The current CMS signaling association being used by an
--    endpoint is marked as active in the CMS MAP table. If NCS
--    signaling requests a change of signaling association to
--    a different FQDN, the MTA checks the current CMS MAP
--    table entries for the affected endpoint. If the entry
--    exists in the CMS MAP table, the current CMS MAP table
--    entry is marked inactive and the newly chosen CMS MAP
--    table entry is marked active.
--
--    If the entry does not exist in the CMS MAP table, the
--    CMS table is checked to determine whether or not it
--    contains the CMS specified by CMS signaling (possibly
--    a redirection). If the desired CMS entry is defined,
--    then a corresponding entry is created and an entry in
--    the CMS MAP table is created. If the MTA does not
--    have current associations with that CMS, it will now
--    perform key management to establish the required security
--    associations. Once the desired CMS entry is established,
--    the current CMS MAP table entry is marked inactive and
--    the newly created CMS MAP table entry is marked active.
--    Otherwise the current CMS MAP table entry remains
--    active and the newly created CMS MAP table entry is marked
--    inactive.
--
--    If the entry does not exist in the CMS MAP table and the
--    CMS entry does not exist in the CMS table, a new CMS table
--    entry should be created. This CMS entry should use the
--    same realm as used by this endpoint. The default values
--    for the clock skew and AP request/AP reply adaptive
--    backoff parameters should be used. The MTA will now
--    perform key management to establish the required security
--    associations. Once the desired CMS entry is established,
--    the current CMS MAP table entry is marked inactive and
--    the newly created CMS MAP table entry is marked active.
--    Otherwise the current CMS MAP table entry remains
--    active and the newly created CMS MAP table entry is marked
--    inactive.
--
-- III. When the MTA receives wake-up or rekey messages from a CMS,
--    it performs key management based on the corresponding entry
--    in the CMS table. If the matching CMS entry does not exist,
--    it must ignore the wake-up or rekey messages.
--
--==========================================================================

--========================================================================
--
-- pktcMtaDevRealmTable
--
-- The pktcMtaDevRealmTable shows the KDC realms. The table is indexed
-- with pktcMtaDevRealmName. The Realm Table is used in conjunction with
-- any server which needs a security association with an MTA. The server
-- table (today the CMS) has a security association. Each server-MTA
-- security association is associated with a single Realm. This allows
-- for multiple realms, each with its own security association.
--
--=========================================================================

pktcMtaDevRealmTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevRealmEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains per Kerberos realm security parameters."
    ::= { pktcMtaDevSecurity 16 }

pktcMtaDevRealmEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevRealmEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "List of security parameters for a single Kerberos realm."
    INDEX { IMPLIED pktcMtaDevRealmName }
    ::= { pktcMtaDevRealmTable 1 }

PktcMtaDevRealmEntry ::= SEQUENCE {
    pktcMtaDevRealmName                     SnmpAdminString,
    pktcMtaDevRealmPkinitGracePeriod        Integer32,
    pktcMtaDevRealmTgsGracePeriod           Integer32,
    pktcMtaDevRealmOrgName                  OCTET STRING,
    pktcMtaDevRealmUnsolicitedKeyMaxTimeout Integer32,
    pktcMtaDevRealmUnsolicitedKeyNomTimeout Integer32,
    pktcMtaDevRealmUnsolicitedKeyMeanDev    Integer32,
    pktcMtaDevRealmUnsolicitedKeyMaxRetries Integer32,
    pktcMtaDevRealmStatus                   RowStatus
}

pktcMtaDevRealmName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE (0..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The corresponding Kerberos Realm name. This is used as an
         index into pktcMtaDevRealmTable. When used as an index,
         the upper case ASCII representation of the Realm Name MUST
         be used by both the Manager (SNMPv3 Entity) and the MTA."
    ::= { pktcMtaDevRealmEntry 1 }

pktcMtaDevRealmPkinitGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "For the purposes of the key management with an Application
         Server (CMS or Provisioning Server), the MTA MUST obtain a
         new Kerberos ticket (with a PKINIT exchange) this many
         minutes before the old ticket expires. The minimum
         allowable value is 15 mins. The default is 30 mins. This
         parameter MAY also be used with other Kerberized
         applications."
    DEFVAL { 30 }
    ::= { pktcMtaDevRealmEntry 2 }

pktcMtaDevRealmTgsGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (1..600)
    UNITS       "minutes"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "When the MTA implementation uses TGS Request/TGS Reply
         Kerberos messages for the purpose of the key management
         with an Application Server (CMS or Provisioning Server),
         the MTA MUST obtain a new service ticket for the
         Application Server (with a TGS Request) this many minutes
         before the old ticket expires. The minimum allowable value
         is 1 min. The default is 10 mins. This parameter MAY also
         be used with other Kerberized applications."
    DEFVAL { 10 }
    ::= { pktcMtaDevRealmEntry 3 }

pktcMtaDevRealmOrgName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (1..64))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value of the X.500 organization name attribute in the
         subject name of the Service provider certificate."
    ::= { pktcMtaDevRealmEntry 4 }

--===========================================================================
--
-- Unsolicited Key Updates are based on an exponential backoff mechanism
-- with two timers for AS replies. The backoff timer has a maximum value
-- of pktcMtaDevRealmUnsolicitedKeyMaxTimeout seconds and a nominal timer
-- has a value of pktcMtaDevRealmUnsolicitedKeyNomTimeout seconds from
-- which the backoff timer determinations are made. After
-- pktcMtaDevRealmUnsolicitedKeyMaxRetries retries have occurred no more
-- attempts are made.
--
--=============================================================================

pktcMtaDevRealmUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. The maximum timeout is the value which may not
         be exceeded in the exponential backoff algorithm."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 600 }
    ::= { pktcMtaDevRealmEntry 5 }

pktcMtaDevRealmUnsolicitedKeyNomTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. Typically this is the average roundtrip time
         between the MTA and the KDC."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 30 }
    ::= { pktcMtaDevRealmEntry 6 }

pktcMtaDevRealmUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Integer32 (1..1024)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the maximum number of retries before the MTA gives
         up attempting to establish a security association."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 20 }
    ::= { pktcMtaDevRealmEntry 8 }

pktcMtaDevRealmStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains the Row Status associated with the
         pktcMtaDevRealmTable."
    ::= { pktcMtaDevRealmEntry 9 }

--========================================================================
--
-- pktcMtaDevCmsTable
--
-- The pktcMtaDevCmsTable shows the IPSec key management policy
-- relating to a particular CMS. The table is indexed with
-- pktcMtaDevCmsFqdn.
--
--=========================================================================

pktcMtaDevCmsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevCmsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains per CMS key management policy."
    ::= { pktcMtaDevSecurity 17 }

pktcMtaDevCmsEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevCmsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "List of key management parameters for a single MTA-CMS
         interface."
    INDEX { IMPLIED pktcMtaDevCmsFqdn }
    ::= { pktcMtaDevCmsTable 1 }

PktcMtaDevCmsEntry ::= SEQUENCE {
    pktcMtaDevCmsFqdn                       SnmpAdminString,
    pktcMtaDevCmsKerbRealmName              SnmpAdminString,
    pktcMtaDevCmsSolicitedKeyTimeout        Integer32,
    pktcMtaDevCmsMaxClockSkew               Integer32,
    pktcMtaDevCmsUnsolicitedKeyMaxTimeout   Integer32,
    pktcMtaDevCmsUnsolicitedKeyNomTimeout   Integer32,
    pktcMtaDevCmsUnsolicitedKeyMeanDev      Integer32,
    pktcMtaDevCmsUnsolicitedKeyMaxRetries   Integer32,
    pktcMtaDevCmsStatus                     RowStatus
}

pktcMtaDevCmsFqdn OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE (1..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The fully qualified domain name of the CMS. This is the
         index into the pktcMtaDevCmsTable. When used as an index,
         the upper case ASCII representation of the associated CMS
         FQDN MUST be used by both the Manager (SNMPv3 Entity) and
         the MTA."
    ::= { pktcMtaDevCmsEntry 1 }

pktcMtaDevCmsKerbRealmName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE (1..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The Kerberos Realm Name of the associated CMS. This is the
         index into the pktcMtaDevRealmTable. When used as an
         index, the upper case ASCII representation of the
         associated CMS FQDN MUST be used by both the Manager
         (SNMPv3 Entity) and the MTA."
    ::= { pktcMtaDevCmsEntry 2 }

pktcMtaDevCmsMaxClockSkew OBJECT-TYPE
    SYNTAX      Integer32 (1..1800)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the maximum allowable clock skew between the MTA
         and CMS."
    DEFVAL { 300 }
    ::= { pktcMtaDevCmsEntry 3 }

pktcMtaDevCmsSolicitedKeyTimeout OBJECT-TYPE
    SYNTAX      Integer32 (200..30000)
    UNITS       "milliseconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the CMS initiated key
         management (with a Wake Up or Rekey message). It is the
         period during which the MTA will save a nonce (inside the
         sequence number field) from the sent out AP Request and
         wait for the matching AP Reply from the CMS."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 400 }
    ::= { pktcMtaDevCmsEntry 4 }

--===========================================================================
--
-- Unsolicited Key Updates are based on an exponential backoff mechanism
-- with two timers for AP replies. The backoff timer has a maximum value
-- of pktcMtaDevCmsUnsolicitedKeyMaxTimeout seconds and a nominal timer
-- has a value of pktcMtaDevCmsUnsolicitedKeyNomTimeout seconds from which
-- the backoff timer determinations are made. After
-- pktcMtaDevCmsUnsolicitedKeyMaxRetries retries have occurred no more
-- attempts are made.
--
--=============================================================================

pktcMtaDevCmsUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. The maximum timeout is the value which may not
         be exceeded in the exponential backoff algorithm."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 600 }
    ::= { pktcMtaDevCmsEntry 5 }

pktcMtaDevCmsUnsolicitedKeyNomTimeout OBJECT-TYPE
    SYNTAX      Integer32 (1..32)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. Typically this is the average roundtrip time
         between the MTA and the CMS."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 30 }
    ::= { pktcMtaDevCmsEntry 6 }

pktcMtaDevCmsUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the maximum number of retries before the MTA gives
         up attempting to establish a security association."
    REFERENCE
        "PacketCable Security Specification [18]"
    DEFVAL { 20 }
    ::= { pktcMtaDevCmsEntry 8 }

pktcMtaDevCmsStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains the Row Status associated with the
         pktcMtaDevCmsTable."
    ::= { pktcMtaDevCmsEntry 9 }

pktcMtaCmsMapTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaCmsMapEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete
    DESCRIPTION
        "Contains per endpoint CMS signaling associations."
    ::= { pktcMtaDevSecurity 18 }

pktcMtaCmsMapEntry OBJECT-TYPE
    SYNTAX      PktcMtaCmsMapEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete
    DESCRIPTION
        "List of signaling associations."
    INDEX { ifIndex, pktcMtaCmsMapCmsFqdn }
    ::= { pktcMtaCmsMapTable 1 }

PktcMtaCmsMapEntry ::= SEQUENCE {
    pktcMtaCmsMapCmsFqdn        DisplayString,
    pktcMtaCmsMapOperStatus     INTEGER,
    pktcMtaCmsMapAdminStatus    INTEGER,
    pktcMtaCmsMapRowStatus      RowStatus
}

pktcMtaCmsMapCmsFqdn OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (1..255))
    MAX-ACCESS  not-accessible
    STATUS      obsolete
    DESCRIPTION
        "The index for the associated CMS. Valid indices are equal
         to current pktcMtaDevCmsFqdn values."
    ::= { pktcMtaCmsMapEntry 1 }

pktcMtaCmsMapOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inactive (1),
                    active (2)
                }
    MAX-ACCESS  read-only
    STATUS      obsolete
    DESCRIPTION
        "The operational status of the signaling association. The
         meaning of the status is as follows:
             inactive - signaling is not currently active
             active   - signaling is active."
    ::= { pktcMtaCmsMapEntry 2 }

pktcMtaCmsMapAdminStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inhibit (1),
                    allow (2)
                }
    MAX-ACCESS  read-create
    STATUS      obsolete
    DESCRIPTION
        "The administrative status for signaling over the indicated
         security association. The meaning of the status is as
         follows:
             inhibit - signaling is not currently allowed
             allow   - signaling is allowed."
    ::= { pktcMtaCmsMapEntry 3 }

pktcMtaCmsMapRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      obsolete
    DESCRIPTION
        "This object is used for creating and deleting an entry in
         this table via an element manager."
    ::= { pktcMtaCmsMapEntry 4 }

--
-- notification group is for future extension.
--
pktcMtaNotification OBJECT IDENTIFIER ::= { pktcMtaMib 2 0 }

pktcMtaConformance OBJECT IDENTIFIER ::= { pktcMtaMib 3 }
pktcMtaCompliances OBJECT IDENTIFIER ::= { pktcMtaConformance 1 }
pktcMtaGroups      OBJECT IDENTIFIER ::= { pktcMtaConformance 2 }

--
-- Notification Group
--

pktcMtaDevProvisioningEnrollment NOTIFICATION-TYPE
    OBJECTS {
        pktcMtaDevHardwareVersion,
        docsDevSwCurrentVers,
        pktcMtaDevTypeIdentifier,
        pktcMtaDevMacAddress,
        pktcMtaDevCorrelationId
    }
    STATUS      current
    DESCRIPTION
        "This inform is issued to initiate the PacketCable
         provisioning process."
    REFERENCE
        "Inform as defined in [20]"
    ::= { pktcMtaNotification 3 }

pktcMtaProvisioningStatus NOTIFICATION-TYPE
    OBJECTS {
        pktcMtaDevMacAddress,
        pktcMtaDevCorrelationId,
        pktcMtaDevProvisioningState
    }
    STATUS      current
    DESCRIPTION
        "This inform is issued to confirm completion of the
         PacketCable provisioning process, and indicate the
         completion state."
    REFERENCE
        "Inform as defined in [20]"
    ::= { pktcMtaNotification 4 }

-- compliance statements

pktcMtaBasicCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for devices that implement the
         MTA feature."
    MODULE -- pktcMtaMib

    -- unconditionally mandatory groups
    MANDATORY-GROUPS { pktcMtaGroup }
    ::= { pktcMtaCompliances 3 }

pktcMtaGroup OBJECT-GROUP
    OBJECTS {
        pktcMtaDevResetNow,
        pktcMtaDevSerialNumber,
        pktcMtaDevHardwareVersion,
        pktcMtaDevMacAddress,
        pktcMtaDevFQDN,
        pktcMtaDevEndPntCount,
        pktcMtaDevEnabled,
        pktcMtaDevTypeIdentifier,
        pktcMtaDevProvisioningState,
        pktcMtaDevHttpAccess,
        pktcMtaDevCertificate,
        pktcMtaDevCorrelationId,
        pktcMtaDevManufacturerCertificate,
        pktcMtaDevServerDhcp1,
        pktcMtaDevServerDhcp2,
        pktcMtaDevServerDns1,
        pktcMtaDevServerDns2,
        pktcMtaDevTimeServer,
        pktcMtaDevConfigFile,
        pktcMtaDevSnmpEntity,
        pktcMtaDevRealmPkinitGracePeriod,
        pktcMtaDevRealmTgsGracePeriod,
        pktcMtaDevRealmOrgName,
        pktcMtaDevRealmUnsolicitedKeyMaxTimeout,
        pktcMtaDevRealmUnsolicitedKeyNomTimeout,
        pktcMtaDevRealmUnsolicitedKeyMaxRetries,
        pktcMtaDevRealmStatus,
        pktcMtaDevCmsKerbRealmName,
        pktcMtaDevCmsUnsolicitedKeyMaxTimeout,
        pktcMtaDevCmsUnsolicitedKeyNomTimeout,
        pktcMtaDevCmsUnsolicitedKeyMaxRetries,
        pktcMtaDevCmsSolicitedKeyTimeout,
        pktcMtaDevCmsMaxClockSkew,
        pktcMtaDevCmsStatus,
        pktcMtaDevProvUnsolicitedKeyMaxTimeout,
        pktcMtaDevProvUnsolicitedKeyNomTimeout,
        pktcMtaDevProvUnsolicitedKeyMaxRetries,
        pktcMtaDevProvKerbRealmName,
        pktcMtaDevProvSolicitedKeyTimeout,
        pktcMtaDevProvConfigHash,
        pktcMtaDevProvConfigKey,
        pktcMtaDevProvState,
        pktcMtaDevProvisioningTimer,
        pktcMtaDevTelephonyRootCertificate
    }
    STATUS      current
    DESCRIPTION
        "Group of objects for PacketCable MTA MIB."
    ::= { pktcMtaGroups 1 }

pktcMtaNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        pktcMtaProvisioningStatus,
        pktcMtaProvisioningEnrollment
    }
    STATUS      current
    DESCRIPTION
        "These notifications deal with change in status of the MTA
         Device."
    ::= { pktcMtaGroups 2 }

pktcMtaObsoleteGroup OBJECT-GROUP
    OBJECTS {
        pktcMtaDevSignature,
        pktcMtaDevServProviderCertificate,
        pktcMtaDevTelephonyCertificate,
        pktcMtaDevKerberosRealm,
        pktcMtaDevKerbPrincipalName,
        pktcMtaDevServGracePeriod,
        pktcMtaDevLocalSystemCertificate,
        pktcMtaDevKeyMgmtTimeout1,
        pktcMtaDevKeyMgmtTimeout2,
        pktcMtaDevTgsIndex,
        pktcMtaDevTgsLocation,
        pktcMtaDevTgsStatus,
        pktcMtaDevServerBootState,
        pktcMtaDevServDhcp,
        pktcMtaCmsMapCmsFqdn,
        pktcMtaCmsMapOperStatus,
        pktcMtaCmsMapAdminStatus,
        pktcMtaCmsMapRowStatus,
        pktcMtaDevRealmUnsolicitedKeyMeanDev,
        pktcMtaDevCmsUnsolicitedKeyMeanDev,
        pktcMtaDevProvUnsolicitedKeyMeanDev
    }
    STATUS      obsolete
    DESCRIPTION
        "Group of obsolete objects for PacketCable MTA MIB."
    ::= { pktcMtaGroups 3 }

END

5. Acknowledgments

This document is a production of the PacketCable 1.0 Provisioning Specification Focus Team. The current editors wish to express gratitude to Angela Lyda, Chris Melle, Sasha Medvinsky, Roy Spitzer, Rick Vetter, Satish Kumar, Sumanth Channabasappa, Jean-Francois Mule.

6. Revision History

The MTA MIB in this document has been developed to accommodate PacketCable 1.0 MTA devices and their system capabilities. This is the initial version of the document.

7. References

[1] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2571, April 1999.

[2] Rose, M. and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990.

[3] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC 1212, March 1991.

[4] Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991.

[5] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Structure of Management Information for Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[6] McCloghrie, K., Perkins, D. and J.
Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [7] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [8] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple Management Protocol", STD 15, RFC 1157, May 1990. Osman/Nechamkin Expires December 24 2002 [Page 36] Internet Draft PacketCable MTA MIB June 24, 2002 [9] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996. [10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996. [11] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2572, April 1999. [12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2574, April 1999. [13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996. [14] Levi, D., Meyer, P. and B. Stewart, "SNMP Applications", RFC 2573, April 1999. [15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2575, April 1999. [16] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction to Version 3 of the Internet-standard Network Management Framework", RFC 2570, April 1999. [17] ææPacketCableÖ MTA Device Provisioning Specification ÆÆ , issued, PKT-SP-PROV-I03-011221 [18] ææPacketCableÖ Security Specification ÆÆ, issued, PKT-SP-SEC-I05-020116 [19] "Transmission Systems for Interactive Cable Television Services, Annex B", J.112, International Telecommunications Union, March 1998. [20] ææRFC 1902 ÆÆ 8. 
8. Security Considerations

   This MIB relates to a system which will provide metropolitan public
   Internet access. As such, improper manipulation of the objects
   represented by this MIB may result in denial of service to a large
   number of end-users. In addition, manipulation of the Realm Table,
   the CMS Table, and several other vital MIB objects, such as (but not
   limited to) pktcMtaDevConfigFile, pktcMtaDevProvConfigHash and
   pktcMtaDevProvConfigKey, may lead to theft of service or significant
   disruption of the functionality of the MTA.

   There are a number of management objects defined in this MIB that
   have a MAX-ACCESS clause of read-write and/or read-create. Such
   objects may be considered sensitive or vulnerable in some network
   environments. Support for SET operations in a non-secure environment
   without proper protection can have a negative effect on network
   operations.

   SNMPv1 by itself is not a secure environment. Even if the network
   itself is secure (for example by using IPsec), there is still no
   control as to who on the secure network is allowed to access and
   GET/SET (read/change/create/delete) the objects in this MIB.

   PacketCable 1.0 compliant MTA devices are required to implement
   secure SNMPv3 access to the MTA MIB. It is highly recommended that
   other potential implementers also consider the security features
   provided by the SNMPv3 framework. Specifically, the use of the
   User-based Security Model, RFC 2574 [12], and the View-based Access
   Control Model, RFC 2575 [15], is recommended.

   It is then a customer/user responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.
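   The access-control recommendation above, as an added example that is
   not part of this draft: a small model of the RFC 2575 VACM decision
   (security-to-group, access table, view families with longest-prefix
   matching) applied to requests against the MTA MIB. The draft's OID
   arc is not shown on this page, so PKTC_MTA_MIB and its three group
   sub-arcs are constructed placeholders, and the user, group and view
   names are assumptions chosen for the illustration. The example shows
   the three outcomes an operator should verify on a real agent: a
   monitoring principal can read but never SET, the security group is
   hidden from that principal entirely, and a provisioning principal
   must present authPriv before any write view applies.

```python
"""VACM-style access check for the PacketCable MTA MIB (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

OID = Tuple[int, ...]

# Constructed placeholder arcs: the draft's real OID assignment is not on
# this page. Only the relative structure (three groups under one root) is
# taken from the document's overview.
PKTC_MTA_MIB: OID = (1, 3, 6, 1, 99, 1)
PKTC_MTA_DEV_BASE: OID = PKTC_MTA_MIB + (1,)
PKTC_MTA_DEV_SERVER: OID = PKTC_MTA_MIB + (2,)
PKTC_MTA_DEV_SECURITY: OID = PKTC_MTA_MIB + (3,)

# USM security levels (RFC 2574), ordered by strength.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


@dataclass(frozen=True)
class AccessEntry:
    """One row of vacmAccessTable: minimum level plus read/write view names."""
    min_level: str
    read_view: Optional[str]
    write_view: Optional[str]


# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName.
# Names are assumptions for the example.
SEC_TO_GROUP = {
    ("usm", "monitor"): "ro-group",
    ("usm", "provisioner"): "rw-group",
}

# vacmViewTreeFamilyTable: viewName -> [(subtree, included)].
# "no-security" exposes the MIB but carves out the security group, so
# objects such as provisioning keys are invisible to monitoring users.
VIEWS = {
    "all-mta": [(PKTC_MTA_MIB, True)],
    "no-security": [(PKTC_MTA_MIB, True), (PKTC_MTA_DEV_SECURITY, False)],
}

# vacmAccessTable: groupName -> AccessEntry. The read-only group has no
# write view at all; the read-write group needs authPriv for anything.
ACCESS = {
    "ro-group": AccessEntry("authNoPriv", "no-security", None),
    "rw-group": AccessEntry("authPriv", "all-mta", "all-mta"),
}


def in_view(view_name: str, oid: OID) -> bool:
    """True if oid is included in the view; the longest matching family wins."""
    best_len, included = -1, False
    for subtree, inc in VIEWS[view_name]:
        if oid[: len(subtree)] == subtree and len(subtree) > best_len:
            best_len, included = len(subtree), inc
    return best_len >= 0 and included


def is_access_allowed(sec_model: str, sec_name: str, sec_level: str,
                      op: str, oid: OID) -> str:
    """Return the VACM isAccessAllowed status for op in {"read", "write"}."""
    group = SEC_TO_GROUP.get((sec_model, sec_name))
    if group is None:
        return "noGroupName"          # unknown principal or wrong model
    entry = ACCESS.get(group)
    if entry is None or LEVELS[sec_level] < LEVELS[entry.min_level]:
        return "noAccessEntry"        # no row usable at this security level
    view = entry.read_view if op == "read" else entry.write_view
    if view is None:
        return "noSuchView"           # group simply has no write (or read) view
    if not in_view(view, oid):
        return "notInView"            # object carved out of the view
    return "accessAllowed"


if __name__ == "__main__":
    # Constructed leaf instances under the placeholder arcs.
    base_leaf = PKTC_MTA_DEV_BASE + (1, 0)
    sec_leaf = PKTC_MTA_DEV_SECURITY + (7, 0)
    print(is_access_allowed("usm", "monitor", "authNoPriv", "read", base_leaf))
    print(is_access_allowed("usm", "monitor", "authNoPriv", "read", sec_leaf))
    print(is_access_allowed("usm", "monitor", "authNoPriv", "write", base_leaf))
    print(is_access_allowed("usm", "provisioner", "authNoPriv", "write", sec_leaf))
    print(is_access_allowed("usm", "provisioner", "authPriv", "write", sec_leaf))
    print(is_access_allowed("snmpv1", "public", "noAuthNoPriv", "read", base_leaf))
```

   The design point is that an SNMPv1 community never maps to a group,
   so it fails at the first table; a known USM user below the required
   security level fails before any view is consulted; and a read-only
   group gets "noSuchView" on SET regardless of which object is named.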
9. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification
   can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

10. Authors' Addresses

   Matt Osman
   Cable Television Laboratories, Inc.
   400 Centennial Parkway
   Louisville, Colorado 80027-1266
   U.S.A.
   Phone: +1 303-661-9100
   E-mail: m.osman@cablelabs.com

   Eugene Nechamkin
   Broadcom Corporation
   200 - 13711 International Place
   Richmond, BC, V6V 2Z8
   CANADA
   Phone: +1 604 233 8500
   E-mail: enechamkin@broadcom.com

11. Full Copyright Statement

   Copyright (C) The Internet Society (2002). All Rights Reserved.
   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.