PKTC-MTA-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32, IpAddress, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    TruthValue, DisplayString, RowStatus, TEXTUAL-CONVENTION
        FROM SNMPv2-TC
    OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    clabProjPacketCable
        FROM CLAB-DEF-MIB
    ifIndex
        FROM IF-MIB
    docsDevSwCurrentVers
        FROM DOCS-CABLE-DEVICE-MIB;

-- version 8

pktcMtaMib MODULE-IDENTITY
    LAST-UPDATED "0103230000Z" -- March 23, 2001
    ORGANIZATION "Packet Cable OSS Group"
    CONTACT-INFO
        "Matt Osman
         Postal: Cable Television Laboratories, Inc.
                 400 Centennial Parkway
                 Louisville, Colorado 80027-1266
                 U.S.A.
         Phone:  +1 303-661-9100
         Fax:    +1 303-661-9199
         E-mail: m.osman@cablelabs.com"
    DESCRIPTION
        "This MIB module supplies the basic management objects for the
         MTA Device

         Acknowledgements:
         Angela Lyda      - Arris Interactive
         Chris Melle      - AT&T Broadband Labs
         Sasha Medvinsky  - Motorola
         Roy Spitzer      - Telogy Networks, Inc.
         Rick Vetter      - Motorola"
    ::= { clabProjPacketCable 1 }

-- Textual conventions

X509Certificate ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION
        "An X509 digital certificate encoded as an ASN.1 DER object."
    SYNTAX      OCTET STRING (SIZE (0..4096))

--
-- PacketCable 1.0 supports embedded MTA only
-- PacketCable 1.0 assumes SNMPv3
-- PacketCable 1.0 SW load management is per DOCSIS 1.1 only
--

pktcMtaMibObjects   OBJECT IDENTIFIER ::= { pktcMtaMib 1 }
pktcMtaDevBase      OBJECT IDENTIFIER ::= { pktcMtaMibObjects 1 }
pktcMtaDevServer    OBJECT IDENTIFIER ::= { pktcMtaMibObjects 2 }
pktcMtaDevSecurity  OBJECT IDENTIFIER ::= { pktcMtaMibObjects 3 }

--
-- The following group describes the base objects in the MTA
--

pktcMtaDevResetNow OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Setting this object to true(1) causes the device to reset.
         Reading this object always returns false(2).
         When pktcMtaDevResetNow is set to true, the following actions
         occur:
         1. All connections (if present) are flushed locally
         2.
            All current actions such as ringing immediately terminate
         3. Requests for notifications such as notification based on
            digit map recognition are flushed.
         4. All endpoints are disabled.
         5. The provisioning flow is started at step MTA - 1."
    ::= { pktcMtaDevBase 1 }

pktcMtaDevSerialNumber OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..128))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The manufacturer's serial number for this MTA."
    ::= { pktcMtaDevBase 2 }

pktcMtaDevHardwareVersion OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..48))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The manufacturer's hardware version for this MTA."
    ::= { pktcMtaDevBase 3 }

pktcMtaDevMacAddress OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The telephony MAC address for this device."
    ::= { pktcMtaDevBase 4 }

pktcMtaDevFQDN OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The Fully Qualified Domain Name for this MTA."
    ::= { pktcMtaDevBase 5 }

pktcMtaDevEndPntCount OBJECT-TYPE
    SYNTAX      INTEGER (1..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The physical end points for this MTA."
    ::= { pktcMtaDevBase 6 }

pktcMtaDevEnabled OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The MTA Admin Status of this device, where True(1) means the
         voice feature is enabled and false(2) indicates that it is
         disabled."
    ::= { pktcMtaDevBase 7 }

pktcMtaDevTypeIdentifier OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is a copy of the device type identifier used in the DHCP
         option 60 exchanged between the MTA and the DHCP server."
    ::= { pktcMtaDevBase 8 }

pktcMtaDevProvisioningState OBJECT-TYPE
    SYNTAX      INTEGER {
                    pass(1),
                    inProgress(2),
                    fail(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object indicates the completion state of the
         initialization process. Pass or Fail states occur after
         completion of the initialization flow.
         InProgress occurs from MTA initialization start to MTA
         initialization end; detail of inProgress status is observed
         from pktcMtaDevProvState. Fail state requires manual
         intervention."
    ::= { pktcMtaDevBase 9 }

pktcMtaDevHttpAccess OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This indicates whether HTTP file access is supported for MTA
         configuration file transfer."
    ::= { pktcMtaDevBase 10 }

pktcMtaDevProvisioningTimer OBJECT-TYPE
    SYNTAX      INTEGER (0..16383)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object sets the duration of the provisioning timeout
         timer. The value is in minutes. Setting the timer to 0
         disables it. The default value for the timer is 30."
    DEFVAL { 30 }
    ::= { pktcMtaDevBase 11 }

--
-- The following group describes the security objects in the MTA
--

pktcMtaDevManufacturerCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "ASN.1 DER encoding of the MTA Manufacturer's X.509 public-key
         certificate, called MTA Manufacturer Certificate. It is issued
         to each MTA manufacturer and is installed into each MTA either
         in the factory or with a code download. The provisioning
         server cannot update this certificate."
    ::= { pktcMtaDevSecurity 1 }

pktcMtaDevCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "ASN.1 DER encoding of the MTA's X.509 public-key certificate
         issued by the manufacturer and installed into the embedded-MTA
         in the factory. This certificate, called MTA Device
         Certificate, contains the MTA's MAC address. It cannot be
         updated by the provisioning server."
    ::= { pktcMtaDevSecurity 2 }

--*************************************************************************
--************************** THIS OBJECT IS OBSOLETE **********************
--*************************************************************************

pktcMtaDevSignature OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..256))
    MAX-ACCESS  read-only
    STATUS      obsolete
    DESCRIPTION
        "A unique signature created by the MTA for each SNMP Inform or
         SNMP Trap or SNMP GetResponse message exchanged prior to
         enabling SNMPv3 security. ASN.1 encoded Digital signature in
         the Cryptographic message syntax (includes nonce)."
    ::= { pktcMtaDevSecurity 3 }

pktcMtaDevCorrelationId OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Random value generated by the MTA for use in registration
         authorization. It is for use only in the MTA initialization
         messages and for MTA configuration file download."
    ::= { pktcMtaDevSecurity 4 }

--========================================================================
--
-- pktcMtaDevSecurityTable
--
-- The pktcMtaDevSecurityTable shows security association information relating
-- to a particular MTA endpoint. The MTA endpoint is indexed with ifIndex.
--
--=========================================================================

--*************************************************************************
--************************** THIS TABLE IS OBSOLETE ***********************
--*************************************************************************

pktcMtaDevSecurityTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevSecurityEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete
    DESCRIPTION
        "Contains per endpoint security information."
    ::= { pktcMtaDevSecurity 5 }

pktcMtaDevSecurityEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevSecurityEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete
    DESCRIPTION
        "List of security attributes for a single packet cable endpoint
         interface."
    INDEX { ifIndex }
    ::= { pktcMtaDevSecurityTable 1 }

PktcMtaDevSecurityEntry ::= SEQUENCE {
    pktcMtaDevServProviderCertificate   X509Certificate,
    pktcMtaDevTelephonyCertificate      X509Certificate,
    pktcMtaDevKerberosRealm             OCTET STRING,
    pktcMtaDevKerbPrincipalName         DisplayString,
    pktcMtaDevServGracePeriod           Integer32,
    pktcMtaDevLocalSystemCertificate    X509Certificate,
    pktcMtaDevKeyMgmtTimeout1           Integer32,
    pktcMtaDevKeyMgmtTimeout2           Integer32
}

pktcMtaDevServProviderCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-write
    STATUS      obsolete -- Secure Provisioning ECR
    DESCRIPTION
        "ASN.1 DER encoding of the Telephony Service Provider's X.509
         public-key certificate, called Telephony Service Provider
         Certificate. It serves as the root of the intra-domain trust
         hierarchy. Each MTA is configured with this certificate so that
         it can authenticate TGSs owned by the same service provider.
         The provisioning server needs the ability to update this
         certificate in the MTAs via both SNMP and configuration files"
    ::= { pktcMtaDevSecurityEntry 1 }

pktcMtaDevTelephonyCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-write
    STATUS      obsolete -- Secure Provisioning ECR
    DESCRIPTION
        "ASN.1 DER encoding of the MTA's X.509 public-key certificate
         issued by the Service Provider with either the Service Provider
         CA or a Local System CA. This certificate, called MTA Telephony
         Certificate, contains the same public key as the MTA Device
         Certificate issued by the manufacturer. It is used to
         authenticate the identity of the MTA to the TGS (during PKINIT
         exchanges). The provisioning server needs the ability to update
         this certificate in the MTAs via both SNMP and configuration
         files"
    ::= { pktcMtaDevSecurityEntry 2 }

pktcMtaDevKerberosRealm OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..1280))
    MAX-ACCESS  read-write
    STATUS      obsolete -- moved to realm table
    DESCRIPTION
        "Specifies a Kerberos realm (i.e. administrative domain),
         required for Packet Cable key management."
    ::= { pktcMtaDevSecurityEntry 3 }

pktcMtaDevKerbPrincipalName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..40))
    MAX-ACCESS  read-write
    STATUS      obsolete -- eco sec-o-00079
    DESCRIPTION
        "Kerberos principal name for the Call Agent. This information is
         required in order for the MTA to obtain Call Agent Kerberos
         tickets. This principal name does not include the realm, which
         is specified as a separate field in this configuration file. A
         Single Kerberos principal name MAY be shared among several Call
         Agents."
    ::= { pktcMtaDevSecurityEntry 4 }

pktcMtaDevServGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      obsolete -- moved to realm table
    DESCRIPTION
        "The MTA MUST obtain a new Kerberos ticket (with a PKINIT
         exchange) this many minutes before the old ticket expires. The
         minimum allowable value is 15 mins. The default is 30 mins."
    DEFVAL { 30 }
    ::= { pktcMtaDevSecurityEntry 5 }

pktcMtaDevLocalSystemCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-write
    STATUS      obsolete -- eco sec-o-00079
    DESCRIPTION
        "Telephony Service Provider CA may delegate the issuance of
         certificates to a regional Certification Authority called Local
         System CA (with the corresponding Local System Certificate).
         This parameter is the ASN.1 DER encoding of the Local System
         Certificate. It MUST have a non-empty value when the MTA
         Telephony certificate is signed by a Local System CA.
         Otherwise, the value MUST be of length 0."
    ::= { pktcMtaDevSecurityEntry 6 }

pktcMtaDevKeyMgmtTimeout1 OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      obsolete -- moved to cms table
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. It is the period during which the MTA will save a
         nonce (inside the sequence number field) from the sent out AP
         Request and wait for the matching AP Reply from the CMS."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    ::= { pktcMtaDevSecurityEntry 7 }

pktcMtaDevKeyMgmtTimeout2 OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      obsolete -- changed to adaptive backoff and moved
                         -- to cms table
    DESCRIPTION
        "This timeout applies only when the CMS initiated key management
         (with a Wake Up or Rekey message). It is the period during
         which the MTA will save a nonce (inside the sequence number
         field) from the sent out AP Request and wait for the matching
         AP Reply from the CMS."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    ::= { pktcMtaDevSecurityEntry 8 }

--
-- Ticket Granting Server information
--

--*************************************************************************
--************************** THIS TABLE IS OBSOLETE ***********************
--*************************************************************************

pktcMtaDevTgsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevTgsEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete -- Secure Provisioning ECR
    DESCRIPTION
        "Contains per endpoint Ticket Granting Server information."
    ::= { pktcMtaDevSecurity 8 }

pktcMtaDevTgsEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevTgsEntry
    MAX-ACCESS  not-accessible
    STATUS      obsolete -- Secure Provisioning ECR
    DESCRIPTION
        "List of Tgs attributes for a single packet cable endpoint
         interface."
    INDEX { ifIndex, pktcMtaDevTgsIndex }
    ::= { pktcMtaDevTgsTable 1 }

PktcMtaDevTgsEntry ::= SEQUENCE {
    pktcMtaDevTgsIndex      Integer32,
    pktcMtaDevTgsLocation   DisplayString,
    pktcMtaDevTgsStatus     RowStatus
}

pktcMtaDevTgsIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      obsolete -- Secure Provisioning ECR
    DESCRIPTION
        "Index into the TGS table for TGS locations. IfType specifies
         the endpoint, TgsIndex specifies a TGS."
    ::= { pktcMtaDevTgsEntry 1 }

pktcMtaDevTgsLocation OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-create
    STATUS      obsolete -- Secure Provisioning ECR
    DESCRIPTION
        "Name of the TGS Ticket Granting Server, which is the Kerberos
         Server. This parameter is a FQDN or Ipv4 address. There may be
         multiple entries of this type. The order in which these entries
         are listed is the priority order in which the MTA will attempt
         to contact them for this endpoint."
    ::= { pktcMtaDevTgsEntry 2 }

pktcMtaDevTgsStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      obsolete -- Secure Provisioning ECR
    DESCRIPTION
        "This object contains the Row Status associated with the
         pktcMtaDevTgsTable."
    ::= { pktcMtaDevTgsEntry 3 }

pktcMtaDevTelephonyRootCertificate OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "ASN.1 DER encoding of the IP Telephony Root X.509 public-key
         certificate stored in the MTA non-volatile memory and
         updateable with a code download. This certificate is used to
         validate the initial AS Reply from the KDC received during the
         MTA initialization."
    ::= { pktcMtaDevSecurity 9 }

--========================================================================
--
-- Procedures for setting up security associations:
--
-- A security association may be setup either via configuration or via
-- NCS signaling.
--
-- I. Security association setup via configuration.
--
-- The realm must be configured first. Associated with the realm
-- is a KDC. The realm table (pktcMtaDevRealmTable) indicates
-- information about realm (e.g., name, organization name) and
-- parameters associated with KDC communications (e.g., grace
-- periods, AS request/AS reply adaptive backoff parameters).
--
-- Once the realm is established, one or more servers may be
-- defined in the realm. For PacketCable 1.0, these are Call
-- Management Servers (CMSs).
-- Associated with each CMS
-- entry in the pktcMtaDevCmsTable is an explicit reference
-- to a Realm via the realm index (pktcMtaDevCmsKerbRealmIndex),
-- the FQDN of the CMS, and parameters associated with IPSec
-- key management with the CMS (e.g., clock skew, AP request/
-- AP reply adaptive backoff parameters).
--
-- If the associated CMS security association establishment
-- failed, an entry in the CMS MAP table (pktcMtaCmsMapTable)
-- is marked inactive. The CMS Map table associates an MTA
-- endpoint (ifIndex) with zero or more CMSs
-- (pktcMtaCmsMapCmsIndex).
--
-- II. Security association setup via NCS signaling
--
-- Note: The following process is done automatically by the
-- MTA. The NCS is not involved in creating signaled entries.
-- The current CMS signaling association being used by an
-- endpoint is marked as active in CMS MAP table. If NCS
-- signaling requests a change of signaling association to
-- a different FQDN, the MTA checks the current CMS MAP
-- table entries for the affected endpoint. If the entry
-- exists in the CMS MAP table, the current CMS MAP table
-- entry is marked inactive and the newly chosen CMS MAP
-- table entry is marked active.
--
-- If the entry does not exist in the CMS MAP table, the
-- CMS table is checked to determine whether or not it
-- contains the CMS specified by CMS signaling (possibly
-- a redirection). If the desired CMS entry is defined,
-- then a corresponding entry is created and an entry in
-- the CMS MAP table is created. If the MTA does not
-- have current associations with that CMS, it will now
-- perform key management to establish required security
-- associations. Once the desired CMS entry is established,
-- the current CMS MAP table entry is marked inactive and
-- the newly created CMS MAP table entry is marked active.
-- Otherwise the current CMS MAP table entry remains
-- active and the newly created CMS MAP table entry is marked
-- inactive.
--
-- If the entry does not exist in the CMS MAP table and the
-- CMS entry does not exist in the CMS table, a new CMS table
-- entry should be created. This CMS entry should use the
-- same realm as used by this endpoint. The default values
-- for the clock skew and AP request/AP reply adaptive
-- backoff parameters should be used. The MTA will now
-- perform key management to establish required security
-- associations. Once the desired CMS entry is established,
-- the current CMS MAP table entry is marked inactive and
-- the newly created CMS MAP table entry is marked active.
-- Otherwise the current CMS MAP table entry remains
-- active and the newly created CMS MAP table entry is marked
-- inactive.
--
-- III. When the MTA receives wake-up or rekey messages from a CMS,
-- it performs key management based on the corresponding entry
-- in the CMS table. If the matching CMS entry does not exist,
-- it must ignore the wake-up or rekey messages.
--
--==========================================================================

--========================================================================
--
-- pktcMtaDevRealmTable
--
-- The pktcMtaDevRealmTable shows the KDC realms. The table is indexed
-- with pktcMtaDevRealmIndex. The Realm Table is used in conjunction with
-- any server which needs a security association with an MTA. The server
-- table (today the CMS) has a security association. Each server-MTA security
-- association is associated with a single Realm. This allows for multiple
-- realms, each with its own security association.
--
--=========================================================================

pktcMtaDevRealmTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevRealmEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains per Kerberos realm security parameters."
    ::= { pktcMtaDevSecurity 16 }

pktcMtaDevRealmEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevRealmEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "List of security parameters for a single Kerberos realm."
    INDEX { pktcMtaDevRealmName }
    ::= { pktcMtaDevRealmTable 1 }

PktcMtaDevRealmEntry ::= SEQUENCE {
    pktcMtaDevRealmName                     DisplayString,
    pktcMtaDevRealmPkinitGracePeriod        Integer32,
    pktcMtaDevRealmTgsGracePeriod           Integer32,
    pktcMtaDevRealmOrgName                  DisplayString,
    pktcMtaDevRealmUnsolicitedKeyMaxTimeout Integer32,
    pktcMtaDevRealmUnsolicitedKeyNomTimeout Integer32,
    pktcMtaDevRealmUnsolicitedKeyMeanDev    Integer32,
    pktcMtaDevRealmUnsolicitedKeyMaxRetries Integer32,
    pktcMtaDevRealmStatus                   RowStatus
}

pktcMtaDevRealmName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Kerberos realm name. This is the index into
         pktcMtaDevRealmTable."
    ::= { pktcMtaDevRealmEntry 1 }

pktcMtaDevRealmPkinitGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "For the purpose of IPSec key management with a CMS, the MTA
         MUST obtain a new Kerberos ticket (with a PKINIT exchange) this
         many minutes before the old ticket expires. The minimum
         allowable value is 15 mins. The default is 30 mins. This
         parameter MAY also be used with other Kerberized applications."
    DEFVAL { 30 }
    ::= { pktcMtaDevRealmEntry 2 }

pktcMtaDevRealmTgsGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (1..600)
    UNITS       "minutes"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "When the MTA implementation uses TGS Request/TGS Reply Kerberos
         messages for the purpose of IPSec key management with the CMS,
         the MTA MUST obtain a new service ticket for the CMS (with a
         TGS Request) this many minutes before the old ticket expires.
         The minimum allowable value is 1 min. The default is 10 mins.
         This parameter MAY also be used with other Kerberized
         applications."
    DEFVAL { 10 }
    ::= { pktcMtaDevRealmEntry 3 }

pktcMtaDevRealmOrgName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value of the X.500 organization name attribute in the
         subject name of the Service provider certificate"
    ::= { pktcMtaDevRealmEntry 4 }

--===========================================================================
--
-- Unsolicited Key Updates are based on an exponential backoff mechanism with
-- two timers for AS replies. The backoff timer has a maximum value of
-- pktcMtaDevRealmUnsolicitedKeyMaxTimeout seconds and a nominal timer has a
-- pktcMtaDevRealmUnsolicitedKeyNomTimeout seconds from which the backoff timer
-- determinations are made. After pktcMtaDevRealmUnsolicitedKeyMaxRetries have
-- occurred no more attempts are made.
--
--==============================================================================

pktcMtaDevRealmUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. The maximum timeout is the value which may not be
         exceeded in the exponential backoff algorithm."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    DEFVAL { 600 }
    ::= { pktcMtaDevRealmEntry 5 }

pktcMtaDevRealmUnsolicitedKeyNomTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. Typically this is the average roundtrip time
         between the MTA and the KDC."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    DEFVAL { 30 }
    ::= { pktcMtaDevRealmEntry 6 }

pktcMtaDevRealmUnsolicitedKeyMeanDev OBJECT-TYPE
    SYNTAX      Integer32 (1..600)
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is a measurement of the mean deviation for the round trip
         delay timings."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    DEFVAL { 2 }
    ::= { pktcMtaDevRealmEntry 7 }

pktcMtaDevRealmUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Integer32 (1..1024)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the maximum number of retries before the MTA gives up
         attempting to establish a security association."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    DEFVAL { 20 }
    ::= { pktcMtaDevRealmEntry 8 }

pktcMtaDevRealmStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains the Row Status associated with the
         pktcMtaDevRealmTable."
    ::= { pktcMtaDevRealmEntry 9 }

--========================================================================
--
-- pktcMtaDevCmsTable
--
-- The pktcMtaDevCmsTable shows the IPSec key management policy
-- relating to a particular CMS. The table is indexed with
-- pktcMtaDevCmsName.
--
--=========================================================================

pktcMtaDevCmsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaDevCmsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains per CMS key management policy."
    ::= { pktcMtaDevSecurity 17 }

pktcMtaDevCmsEntry OBJECT-TYPE
    SYNTAX      PktcMtaDevCmsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "List of key management parameters for a single MTA-CMS
         interface."
    INDEX { pktcMtaDevCmsFqdn }
    ::= { pktcMtaDevCmsTable 1 }

PktcMtaDevCmsEntry ::= SEQUENCE {
    pktcMtaDevCmsFqdn                       DisplayString,
    pktcMtaDevCmsKerbRealmName              DisplayString,
    pktcMtaDevCmsSolicitedKeyTimeout        Integer32,
    pktcMtaDevCmsMaxClockSkew               Integer32,
    pktcMtaDevCmsUnsolicitedKeyMaxTimeout   Integer32,
    pktcMtaDevCmsUnsolicitedKeyNomTimeout   Integer32,
    pktcMtaDevCmsUnsolicitedKeyMeanDev      Integer32,
    pktcMtaDevCmsUnsolicitedKeyMaxRetries   Integer32,
    pktcMtaDevCmsStatus                     RowStatus
}

pktcMtaDevCmsFqdn OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The fully qualified domain name of the CMS. This is the index
         for a CMS entry."
    ::= { pktcMtaDevCmsEntry 1 }

pktcMtaDevCmsKerbRealmName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The name for the associated Kerberos Realm. This is the index
         into the pktcMtaDevRealmTable."
    ::= { pktcMtaDevCmsEntry 2 }

pktcMtaDevCmsMaxClockSkew OBJECT-TYPE
    SYNTAX      Integer32 (1..1800)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the maximum allowable clock skew between the MTA and
         CMS"
    DEFVAL { 300 }
    ::= { pktcMtaDevCmsEntry 3 }

pktcMtaDevCmsSolicitedKeyTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the CMS initiated key management
         (with a Wake Up or Rekey message). It is the period during
         which the MTA will save a nonce (inside the sequence number
         field) from the sent out AP Request and wait for the matching
         AP Reply from the CMS."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    ::= { pktcMtaDevCmsEntry 4 }

--===========================================================================
--
-- Unsolicited Key Updates are based on an exponential backoff mechanism with
-- two timers for AP replies.
-- The backoff timer has a maximum value of
-- pktcMtaDevCmsUnsolicitedKeyMaxTimeout seconds and a nominal timer has a
-- pktcMtaDevCmsUnsolicitedKeyNomTimeout seconds from which the backoff timer
-- determinations are made. After pktcMtaDevCmsUnsolicitedKeyMaxRetries have
-- occurred no more attempts are made.
--
--==============================================================================

pktcMtaDevCmsUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. The maximum timeout is the value which may not be
         exceeded in the exponential backoff algorithm."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    DEFVAL { 600 }
    ::= { pktcMtaDevCmsEntry 5 }

pktcMtaDevCmsUnsolicitedKeyNomTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This timeout applies only when the MTA initiated key
         management. Typically this is the average roundtrip time
         between the MTA and the CMS."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    DEFVAL { 30 }
    ::= { pktcMtaDevCmsEntry 6 }

pktcMtaDevCmsUnsolicitedKeyMeanDev OBJECT-TYPE
    SYNTAX      Integer32 (1..600)
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This is the measurement of the mean deviation for the round
         trip delay timings."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    DEFVAL { 2 }
    ::= { pktcMtaDevCmsEntry 7 }

pktcMtaDevCmsUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the maximum number of retries before the MTA gives up
         attempting to establish a security association."
    REFERENCE   "PacketCable Security Specification PKT-SP-SEC_I02-001229"
    DEFVAL { 20 }
    ::= { pktcMtaDevCmsEntry 8 }

pktcMtaDevCmsStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains the Row Status associated with the
         pktcMtaDevCmsTable."
    ::= { pktcMtaDevCmsEntry 9 }

--========================================================================
--
-- pktcMtaCmsMapTable
--
-- The pktcMtaCmsMapTable contains the signaling associations
-- between MTA endpoints and CMSs. It maps the endpoint to
-- zero or more entries in pktcMtaDevCmsTable.
--
-- The table contains the following indexes and rows:
--   ifIndex                  - the index of the physical port
--   pktcMtaCmsMapCmsIndex    - the index of the CMS entry in the
--                              pktcMtaDevCmsTable. Valid indices
--                              are equal to current pktcMtaDevCmsIndex
--                              values.
--   pktcMtaCmsMapOperStatus  - this value indicates which signaling
--                              association the endpoint is actively using
--   pktcMtaCmsMapAdminStatus - this flag indicates whether or not
--                              an endpoint should use a particular CMS
--                              and its security association. By setting
--                              this flag to inhibit, this associated CMS
--                              cannot provide signaling to the referenced
--                              endpoint.
--   pktcMtaCmsMapRowStatus   - allows for the creation and deletion of
--                              endpoint mappings via the NMS
--
--=========================================================================

pktcMtaCmsMapTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PktcMtaCmsMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains per endpoint CMS signaling associations."
    ::= { pktcMtaDevSecurity 18 }

pktcMtaCmsMapEntry OBJECT-TYPE
    SYNTAX      PktcMtaCmsMapEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "List of signaling associations."
    INDEX { ifIndex, pktcMtaCmsMapCmsFqdn }
    ::= { pktcMtaCmsMapTable 1 }

PktcMtaCmsMapEntry ::= SEQUENCE {
    pktcMtaCmsMapCmsFqdn        DisplayString,
    pktcMtaCmsMapOperStatus     INTEGER,
    pktcMtaCmsMapAdminStatus    INTEGER,
    pktcMtaCmsMapRowStatus      RowStatus
}

pktcMtaCmsMapCmsFqdn OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (1..255))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index for the associated CMS. Valid indices are equal to
         current pktcMtaDevCmsFqdn values."
    ::= { pktcMtaCmsMapEntry 1 }

pktcMtaCmsMapOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inactive (1),
                    active (2)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The operational status of signaling association. The meaning
         of the status is as follows:
         inactive - signaling is not currently active
         active   - signaling is active."
    ::= { pktcMtaCmsMapEntry 2 }

pktcMtaCmsMapAdminStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inhibit (1),
                    allow (2)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The administrative status for signaling over the indicated
         security association. The meaning of the status is as follows:
         inhibit - signaling is not currently allowed
         allow   - signaling is allowed."
    ::= { pktcMtaCmsMapEntry 3 }

pktcMtaCmsMapRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used for creating and deleting an entry in this
         table via an element manager."
    ::= { pktcMtaCmsMapEntry 4 }

--========================================================================
--
-- pktcMtaDevServer
--
-- The pktcMtaDevProvGroup shows the key management policy
-- relating to the Provisioning Server. The MTA MIB only supports a
-- single provisioning server.
--
--=========================================================================

--
-- The following group describes server access and parameters used for
-- initial provisioning and bootstrapping.
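The procedure in the "Procedures for setting up security associations" comment block (sections II and III) and the pktcMtaCmsMapTable row semantics above, modelled as an added Python example. This is not part of the PKTC-MTA-MIB module or any CableLabs code. The CmsEntry and MapEntry classes stand in for rows of pktcMtaDevCmsTable and pktcMtaCmsMapTable (defaults taken from the DEFVAL clauses above); the key_mgmt hook, the realm name "EXAMPLE.REALM" and the CMS FQDNs are constructed for the demonstration, and the AP Request/AP Reply exchange itself is not implemented.

```python
"""Model of the MTA CMS tables and the NCS-signalled CMS selection procedure.
Added example, not CableLabs code; names and the key_mgmt hook are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

INACTIVE, ACTIVE = 1, 2   # pktcMtaCmsMapOperStatus values
INHIBIT, ALLOW = 1, 2     # pktcMtaCmsMapAdminStatus values


@dataclass
class CmsEntry:
    """One pktcMtaDevCmsTable row (indexed by FQDN) with the MIB DEFVALs."""
    kerb_realm_name: str
    max_clock_skew: int = 300           # pktcMtaDevCmsMaxClockSkew
    unsolicited_max_timeout: int = 600  # pktcMtaDevCmsUnsolicitedKeyMaxTimeout
    unsolicited_nom_timeout: int = 30   # pktcMtaDevCmsUnsolicitedKeyNomTimeout
    unsolicited_max_retries: int = 20   # pktcMtaDevCmsUnsolicitedKeyMaxRetries


@dataclass
class MapEntry:
    """One pktcMtaCmsMapTable row (indexed by ifIndex and CMS FQDN)."""
    oper_status: int = INACTIVE
    admin_status: int = ALLOW


@dataclass
class MtaSecurityTables:
    realms: Set[str] = field(default_factory=set)            # realm names only
    cms: Dict[str, CmsEntry] = field(default_factory=dict)
    cms_map: Dict[Tuple[int, str], MapEntry] = field(default_factory=dict)
    # Assumed hook standing in for the AP Request/AP Reply exchange with a CMS:
    # returns True when the IPsec security association was established.
    key_mgmt: Callable[[str, str], bool] = lambda fqdn, realm: True
    established: Set[str] = field(default_factory=set)       # CMSs with a live SA

    def active_cms(self, if_index: int) -> Optional[str]:
        """FQDN of the MAP row marked active for this endpoint, if any."""
        for (idx, fqdn), row in self.cms_map.items():
            if idx == if_index and row.oper_status == ACTIVE:
                return fqdn
        return None

    def _switch(self, if_index: int, new_fqdn: str) -> None:
        """Mark the current MAP row inactive and the chosen one active."""
        cur = self.active_cms(if_index)
        if cur is not None:
            self.cms_map[(if_index, cur)].oper_status = INACTIVE
        self.cms_map[(if_index, new_fqdn)].oper_status = ACTIVE

    def ncs_redirect(self, if_index: int, new_fqdn: str) -> bool:
        """Section II: NCS signalling moves endpoint if_index to new_fqdn.
        Returns True when the new MAP row became the active association."""
        key = (if_index, new_fqdn)
        if key in self.cms_map:
            # Existing MAP row: honour the NMS inhibit flag, then just swap.
            if self.cms_map[key].admin_status == INHIBIT:
                return False
            self._switch(if_index, new_fqdn)
            return True
        if new_fqdn not in self.cms:
            # No CMS row yet: create one in the endpoint's current realm
            # with the default clock-skew and backoff parameters.
            cur = self.active_cms(if_index)
            realm = self.cms[cur].kerb_realm_name if cur else ""
            self.cms[new_fqdn] = CmsEntry(kerb_realm_name=realm)
        self.cms_map[key] = MapEntry()           # new row starts inactive
        if new_fqdn not in self.established:
            if not self.key_mgmt(new_fqdn, self.cms[new_fqdn].kerb_realm_name):
                return False                     # current row stays active
            self.established.add(new_fqdn)
        self._switch(if_index, new_fqdn)
        return True

    def on_wakeup_or_rekey(self, fqdn: str) -> bool:
        """Section III: run key management only for a CMS present in the CMS
        table; a wake-up or rekey from an unknown CMS is ignored."""
        if fqdn not in self.cms:
            return False
        return self.key_mgmt(fqdn, self.cms[fqdn].kerb_realm_name)


def build_demo_tables() -> MtaSecurityTables:
    """Constructed starting state: endpoint ifIndex 1 signalling via cms1;
    the assumed hook never completes key management with cms3."""
    t = MtaSecurityTables(
        realms={"EXAMPLE.REALM"},
        key_mgmt=lambda fqdn, realm: fqdn != "cms3.example.net",
    )
    t.cms["cms1.example.net"] = CmsEntry(kerb_realm_name="EXAMPLE.REALM")
    t.established.add("cms1.example.net")
    t.cms_map[(1, "cms1.example.net")] = MapEntry(oper_status=ACTIVE)
    return t
```

The point worth checking in an agent is the failure branch: a redirect to a CMS whose security association cannot be established leaves the new MAP row inactive and the previous association active, so signalling is never moved onto a CMS without IPsec protection; likewise a row the NMS has set to inhibit is never activated by signalling.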
--

--*************************************************************************
--***************************This object is obsolete***********************
--*************************************************************************

pktcMtaDevServerBootState OBJECT-TYPE
    SYNTAX      INTEGER {
                    operational (1),
                    disabled (2),
                    waitingForDhcpOffer (3),
                    waitingForDhcpResponse (4),
                    waitingForConfig (5),
                    refusedByCmts (6),
                    other (7),
                    unknown (8)
                }
    MAX-ACCESS  read-only
    STATUS      obsolete
    DESCRIPTION
        "If operational(1), the device has completed loading and
         processing of configuration parameters and the CMTS has
         completed the Registration exchange. If disabled(2) then the
         device was administratively disabled, possibly by being refused
         network access in the configuration file. If
         waitingForDhcpOffer(3) then a DHCP Discover has been
         transmitted and no offer has yet been received. If
         waitingForDhcpResponse(4) then a DHCP Request has been
         transmitted and no response has yet been received. If
         waitingForConfig(5) then a request to the config parameter
         server has been made and no response received. If
         refusedByCmts(6) then the Registration Request/Response
         exchange with the CMTS failed."
    REFERENCE   "DOCSIS Radio Frequency Interface Specification,
                 Figure 7-1, CM Initialization Overview."
    ::= { pktcMtaDevServer 1 }

pktcMtaDevServerDhcp OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP address of the DHCP server that assigned an IP address
         to this device. Returns 0.0.0.0 if DHCP was not used for IP
         address assignment."
    ::= { pktcMtaDevServer 2 }

pktcMtaDevServerDns1 OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The IP address of the primary DNS server that resolved an IP
         address for this device."
    ::= { pktcMtaDevServer 3 }

pktcMtaDevServerDns2 OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The IP address of the secondary DNS server that resolved an IP
         address for this device.
            "
        ::= { pktcMtaDevServer 4 }

pktcMtaDevConfigFile OBJECT-TYPE
        SYNTAX      DisplayString
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The URL of the TFTP/HTTP file for downloading provisioning and
             configuration parameters to this device. Returns NULL if the
             server address is unknown. Supports both TFTP and HTTP."
        ::= { pktcMtaDevServer 5 }

pktcMtaDevSnmpEntity OBJECT-TYPE
        SYNTAX      DisplayString
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The IP address or FQDN of the SNMP entity for provisioning trap
             handling that assigned an IP address to this device. Returns
             0.0.0.0 if DHCP was not used for IP address assignment."
        ::= { pktcMtaDevServer 6 }

pktcMtaDevProvConfigHash OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(16|20))
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Hash of the contents of the config file, calculated and sent to
             the MTA prior to sending the config file. If the authentication
             algorithm is MD5, the length is 128 bits. If the authentication
             algorithm is SHA-1, the length is 160 bits."
        ::= { pktcMtaDevServer 7 }

pktcMtaDevProvConfigKey OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(0|8))
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Key used to encrypt/decrypt the config file, sent to the MTA
             prior to sending the config file. If the privacy algorithm is
             null, the length is 0. If the privacy algorithm is DES, the
             length is 64 bits."
        ::= { pktcMtaDevServer 8 }

pktcMtaDevProvSolicitedKeyTimeout OBJECT-TYPE
        SYNTAX      Integer32 (15..600)
        UNITS       "seconds"
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "This timeout applies only when the Provisioning Server initiated
             key management (with a Wake Up message) for SNMPv3. It is the
             period during which the MTA will save a nonce (inside the
             sequence number field) from the sent-out AP Request and wait
             for the matching AP Reply from the Provisioning Server."
        DEFVAL { 120 }
        ::= { pktcMtaDevServer 9 }

--===========================================================================
--
-- Unsolicited Key Updates are based on an exponential backoff mechanism with
-- two timers for AS replies. The fast timer has a maximum timer
-- (pktcMtaDevProvUnsolicitedKeyMaxTimeout seconds) and a nominal timer
-- (pktcMtaDevProvUnsolicitedKeyNomTimeout seconds) from which the backoff
-- timer determinations are made.
--
--==============================================================================
--=========================================================================
--
-- Timeouts for unsolicited key management updates are only pertinent before
-- the first SNMP message is sent between the MTA and the CMS and before the
-- configuration file is loaded. No SNMP communications can exist under
-- PacketCable without the security association existing. The following
-- objects are provided only for diagnostic purposes and are only useful
-- if the MTA can be brought up without any security.
--
--==========================================================================
pktcMtaDevProvUnsolicitedKeyMaxTimeout OBJECT-TYPE
        SYNTAX      Integer32 (15..600)
        UNITS       "seconds"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "This timeout applies only when the MTA initiated key management.
             The maximum timeout is the value which may not be exceeded in
             the exponential backoff algorithm."
        REFERENCE
            "PacketCable Security Specification PKT-SP-SEC_I02-001229"
        ::= { pktcMtaDevServer 10 }

pktcMtaDevProvUnsolicitedKeyNomTimeout OBJECT-TYPE
        SYNTAX      Integer32 (15..600)
        UNITS       "seconds"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "This timeout applies only when the MTA initiated key management.
             Typically this is the average round-trip time between the MTA
             and the Provisioning Server."
        REFERENCE
            "PacketCable Security Specification PKT-SP-SEC_I02-001229"
        ::= { pktcMtaDevServer 11 }

pktcMtaDevProvUnsolicitedKeyMeanDev OBJECT-TYPE
        SYNTAX      Integer32 (15..600)
        UNITS       "seconds"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "This is the mean deviation for the round-trip delay timings."
        REFERENCE
            "PacketCable Security Specification PKT-SP-SEC_I02-001229"
        ::= { pktcMtaDevServer 12 }

pktcMtaDevProvUnsolicitedKeyMaxRetries OBJECT-TYPE
        SYNTAX      Integer32 (15..600)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "This is the maximum number of retries before the MTA gives up
             attempting to establish a security association."
        REFERENCE
            "PacketCable Security Specification PKT-SP-SEC_I02-001229"
        ::= { pktcMtaDevServer 13 }

pktcMtaDevProvKerbRealmName OBJECT-TYPE
        SYNTAX      DisplayString (SIZE(1..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The name for the associated Kerberos Realm. This is the same
             realm as indicated in the DHCP response. This is the index into
             the pktcMtaDevRealmTable."
        ::= { pktcMtaDevServer 14 }

pktcMtaDevProvState OBJECT-TYPE
        SYNTAX      INTEGER {
                        operational (1),
                        disabled (2),
                        other (3),
                        unknown (4),
                        waitingToStart (10),
                        waitingForDhcpOffer (12),
                        waitingForDhcpAckResponse (14),
                        waitingForProvRealmKdcNameResponse (16),
                        waitingForProvRealmKdcAddrResponse (18),
                        waitingForAsReply (20),
                        waitingForTgsReply (22),
                        waitingForApReply (24),
                        waitingForSnmpGetRequest (26),
                        waitingForSnmpSetInfo (28),
                        waitingForTftpAddrResponse (30),
                        waitingForConfigFile (32),
                        waitingForTelRealmKdcNameResponse (34),
                        waitingForTelRealmKdcAddrResponse (36),
                        waitingForPkinitAsReply (38),
                        waitingForCmsKerbTickTgsReply (40),
                        waitingForCmsKerbTickApReply (42)
                    }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "If operational(1), the device has completed loading and
             processing of initialization parameters.
             If disabled(2), then the device was administratively disabled,
             possibly by being refused network access in the configuration
             file.
             If waitingToStart(10), then the MTA has not received a signal
             to start initialization.
             If waitingForDhcpOffer(12), then a DHCP Discover has been
             transmitted and no offer has yet been received.
             If waitingForDhcpAckResponse(14), then a DHCP Request has been
             transmitted and no response has yet been received.
             If waitingForProvRealmKdcNameResponse(16), then a DNS SRV
             request has been transmitted and no reply has yet been received.
             If waitingForProvRealmKdcAddrResponse(18), then a DNS request
             has been transmitted and no reply has yet been received.
             If waitingForAsReply(20), then an AS request has been
             transmitted and no MSO KDC AS Kerberos ticket reply has yet
             been received.
             If waitingForTgsReply(22), then a TGS request has been
             transmitted and no TGS ticket reply has yet been received.
             If waitingForApReply(24), then an AP request has been
             transmitted and no SNMPv3 key info reply has yet been received.
             If waitingForSnmpGetRequest(26), then an INFORM message has been
             transmitted and the device is waiting on optional/iterative GET
             requests.
             If waitingForSnmpSetInfo(28), then the device is waiting on
             config file download access information.
             If waitingForTftpAddrResponse(30), then a DNS request has been
             transmitted and no reply has yet been received.
             If waitingForConfigFile(32), then a TFTP request has been
             transmitted and no reply has yet been received, or a download
             is in progress.
             If waitingForTelRealmKdcNameResponse(34), then a DNS SRV request
             has been transmitted and no name reply has yet been received.
             If waitingForTelRealmKdcAddrResponse(36), then a DNS request
             has been transmitted and no address reply has yet been received.
             If waitingForPkinitAsReply(38), then an AS request has been
             transmitted and no ticket reply has yet been received.
             If waitingForCmsKerbTickTgsReply(40), then a TGS request has
             been transmitted and no ticket reply has yet been received.
             If waitingForCmsKerbTickApReply(42), then an AP request has been
             transmitted and no IPsec parameters reply has yet been received.
            "
        REFERENCE
            "PacketCable Provisioning Specification
             PacketCable Security Specification"
        ::= { pktcMtaDevServer 15 }

--=========================================================================
--
-- Timeouts for unsolicited key management updates are only pertinent before
-- the first SNMP message is sent between the MTA and the CMS and before the
-- configuration file is loaded. No SNMP communications can exist under
-- PacketCable without the security association existing. The following
-- objects are provided only for diagnostic purposes and are only useful
-- if the MTA can be brought up without any security.
--
--==========================================================================
--
-- notification group is for future extension.
--
pktcMtaNotification OBJECT IDENTIFIER ::= { pktcMtaMib 2 }
pktcMtaConformance  OBJECT IDENTIFIER ::= { pktcMtaMib 3 }
pktcMtaCompliances  OBJECT IDENTIFIER ::= { pktcMtaConformance 1 }
pktcMtaGroups       OBJECT IDENTIFIER ::= { pktcMtaConformance 2 }

--
-- Notification Group
--
pktcMtaProvisioningEnrollment NOTIFICATION-TYPE
        OBJECTS {
                    pktcMtaDevHardwareVersion,
                    docsDevSwCurrentVers,
                    pktcMtaDevTypeIdentifier,
                    pktcMtaDevMacAddress,
                    pktcMtaDevCorrelationId
                }
        STATUS      current
        DESCRIPTION
            "This inform is issued to initiate the PacketCable provisioning
             process."
        REFERENCE
            "Inform as defined in RFC 1902"
        ::= { pktcMtaNotification 1 }

pktcMtaProvisioningStatus NOTIFICATION-TYPE
        OBJECTS {
                    pktcMtaDevMacAddress,
                    pktcMtaDevCorrelationId,
                    pktcMtaDevProvisioningState
                }
        STATUS      current
        DESCRIPTION
            "This inform is issued to confirm completion of the PacketCable
             provisioning process, and indicate the completion state."
        REFERENCE
            "Inform as defined in RFC 1902"
        ::= { pktcMtaNotification 2 }

-- compliance statements
pktcMtaBasicCompliance MODULE-COMPLIANCE
        STATUS      current
        DESCRIPTION
            "The compliance statement for devices that implement the MTA
             feature."
        MODULE  -- pktcMtaMib
        -- unconditionally mandatory groups
        MANDATORY-GROUPS { pktcMtaGroup }
        ::= { pktcMtaCompliances 3 }

pktcMtaGroup OBJECT-GROUP
        OBJECTS {
                    pktcMtaDevResetNow,
                    pktcMtaDevSerialNumber,
                    pktcMtaDevHardwareVersion,
                    pktcMtaDevMacAddress,
                    pktcMtaDevFQDN,
                    pktcMtaDevEndPntCount,
                    pktcMtaDevEnabled,
                    pktcMtaDevTypeIdentifier,
                    pktcMtaDevProvisioningState,
                    pktcMtaDevHttpAccess,
                    pktcMtaDevCertificate,
                    pktcMtaDevCorrelationId,
                    pktcMtaDevManufacturerCertificate,
                    pktcMtaDevServerDhcp,
                    pktcMtaDevServerDns1,
                    pktcMtaDevServerDns2,
                    pktcMtaDevConfigFile,
                    pktcMtaDevSnmpEntity,
                    pktcMtaDevRealmPkinitGracePeriod,
                    pktcMtaDevRealmTgsGracePeriod,
                    pktcMtaDevRealmOrgName,
                    pktcMtaDevRealmUnsolicitedKeyMaxTimeout,
                    pktcMtaDevRealmUnsolicitedKeyNomTimeout,
                    pktcMtaDevRealmUnsolicitedKeyMeanDev,
                    pktcMtaDevRealmUnsolicitedKeyMaxRetries,
                    pktcMtaDevRealmStatus,
                    pktcMtaDevCmsKerbRealmName,
                    pktcMtaDevCmsUnsolicitedKeyMaxTimeout,
                    pktcMtaDevCmsUnsolicitedKeyNomTimeout,
                    pktcMtaDevCmsUnsolicitedKeyMeanDev,
                    pktcMtaDevCmsUnsolicitedKeyMaxRetries,
                    pktcMtaDevCmsSolicitedKeyTimeout,
                    pktcMtaDevCmsMaxClockSkew,
                    pktcMtaDevCmsStatus,
                    pktcMtaCmsMapOperStatus,
                    pktcMtaCmsMapAdminStatus,
                    pktcMtaCmsMapRowStatus,
                    pktcMtaDevProvUnsolicitedKeyMaxTimeout,
                    pktcMtaDevProvUnsolicitedKeyNomTimeout,
                    pktcMtaDevProvUnsolicitedKeyMeanDev,
                    pktcMtaDevProvUnsolicitedKeyMaxRetries,
                    pktcMtaDevProvKerbRealmName,
                    pktcMtaDevProvSolicitedKeyTimeout,
                    pktcMtaDevProvConfigHash,
                    pktcMtaDevProvConfigKey,
                    pktcMtaDevProvState,
                    pktcMtaDevProvisioningTimer,
                    pktcMtaDevTelephonyRootCertificate
                }
        STATUS      current
        DESCRIPTION
            "Group of objects for PacketCable MTA MIB."
        ::= { pktcMtaGroups 1 }

--pktcMtaNotificationGroup NOTIFICATION-GROUP
--        NOTIFICATIONS { pktcMtaProvisioningStatus,
--                        pktcMtaProvisioningEnrollment }
--        STATUS      current
--        DESCRIPTION
--            "These notifications deal with change in status of
--             MTA Device."
--        ::= { pktcMtaGroups 2 }

pktcMtaObsoleteGroup OBJECT-GROUP
        OBJECTS {
                    pktcMtaDevSignature,
                    pktcMtaDevTelephonyCertificate,
                    pktcMtaDevTgsLocation,
                    pktcMtaDevKerberosRealm,
                    pktcMtaDevServGracePeriod,
                    pktcMtaDevKeyMgmtTimeout1,
                    pktcMtaDevKeyMgmtTimeout2,
                    pktcMtaDevServProviderCertificate,
                    pktcMtaDevTgsStatus,
                    pktcMtaDevKerbPrincipalName,
                    pktcMtaDevLocalSystemCertificate,
                    pktcMtaDevServerBootState
                }
        STATUS      obsolete
        DESCRIPTION
            "Group of obsolete objects for PacketCable MTA MIB."
        ::= { pktcMtaGroups 3 }

END
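--
-- Added worked example (not part of the PKTC-MTA-MIB module itself): how an
-- MTA would use pktcMtaDevProvConfigHash and pktcMtaDevProvConfigKey above,
-- deriving the algorithm from the SIZE(16|20) and SIZE(0|8) constraints and
-- accepting a downloaded config file only when its digest matches the value
-- SET before the download. The sample config bytes are constructed.
--
```python
"""Checking a downloaded MTA config file against pktcMtaDevProvConfigHash.

The MIB fixes the hash at SIZE(16|20) and the key at SIZE(0|8): 16 octets
means MD5, 20 octets means SHA-1, an empty key means null privacy and an
8-octet key means DES. Both are SET on the MTA before the file is fetched.
"""
import hashlib
import hmac

HASH_ALGORITHM_BY_LENGTH = {16: "md5", 20: "sha1"}   # pktcMtaDevProvConfigHash
PRIVACY_ALGORITHM_BY_LENGTH = {0: "null", 8: "des"}  # pktcMtaDevProvConfigKey


def hash_algorithm_for(config_hash: bytes) -> str:
    """Algorithm implied by the length of pktcMtaDevProvConfigHash."""
    if len(config_hash) not in HASH_ALGORITHM_BY_LENGTH:
        raise ValueError("pktcMtaDevProvConfigHash must be 16 or 20 octets")
    return HASH_ALGORITHM_BY_LENGTH[len(config_hash)]

def privacy_algorithm_for(config_key: bytes) -> str:
    """Algorithm implied by the length of pktcMtaDevProvConfigKey."""
    if len(config_key) not in PRIVACY_ALGORITHM_BY_LENGTH:
        raise ValueError("pktcMtaDevProvConfigKey must be 0 or 8 octets")
    return PRIVACY_ALGORITHM_BY_LENGTH[len(config_key)]

def config_hash_for(config_file: bytes, algorithm: str) -> bytes:
    """Provisioning-server side: the value to SET before serving the file."""
    if algorithm not in HASH_ALGORITHM_BY_LENGTH.values():
        raise ValueError("algorithm must be md5 or sha1")
    return hashlib.new(algorithm, config_file).digest()

def config_file_accepted(config_file: bytes, config_hash: bytes) -> bool:
    """MTA side: accept the (decrypted) file only if it matches the SET hash.

    A hash of illegal length is rejected before anything is computed rather
    than treated as a match, and the comparison itself is constant-time.
    """
    algorithm = hash_algorithm_for(config_hash)
    actual = hashlib.new(algorithm, config_file).digest()
    return hmac.compare_digest(actual, config_hash)


# Constructed sample file; real config files are TLV-encoded per the
# PacketCable provisioning specification, which this example does not parse.
SAMPLE_CONFIG = b"pktc-sample-config: endpoint-count=2\n"

if __name__ == "__main__":
    sent = config_hash_for(SAMPLE_CONFIG, "sha1")
    print(config_file_accepted(SAMPLE_CONFIG, sent))          # True
    print(config_file_accepted(SAMPLE_CONFIG + b"x", sent))   # False
```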