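-- extracted from draft-jones-cable-gateway-security-mib-01.txt
-- at Wed Feb 5 06:12:00 2003
--
-- NOTE(review): this module had been collapsed onto a handful of very
-- long lines. An ASN.1 "--" comment runs to end of line (or to the next
-- "--"), so that layout silently commented out everything that followed
-- a comment on the same line: most of the IMPORTS, the MODULE-IDENTITY
-- header, and the second member of each INTEGER enumeration that has
-- inline comments. The text below is the same module laid out one clause
-- per line; textual fixes are marked with NOTE(review) comments.

CABH-SEC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, Unsigned32, Counter32, Integer32, OBJECT-TYPE
        FROM SNMPv2-SMI                          -- RFC2578
    RowStatus, DateAndTime, TruthValue, DisplayString, VariablePointer
        FROM SNMPv2-TC                           -- RFC2579
    OBJECT-GROUP, MODULE-COMPLIANCE
        FROM SNMPv2-CONF                         -- RFC2580
    InetPortNumber, InetAddressIPv4
        FROM INET-ADDRESS-MIB                    -- RFC3291
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB                  -- RFC2571
    X509Certificate
        FROM DOCS-BPI2-MIB
    cabhDevMib
        FROM CABH-DEV-MIB;

-- ============================================================
--
-- History:
--
--   Date       Reason
--   10/28/02   -00
--   01/22/03   -01
--
-- ============================================================

cabhSecMib MODULE-IDENTITY
    LAST-UPDATED "200301220000Z" -- January 22, 2003
    ORGANIZATION "CableLabs Broadband Access Department"
    CONTACT-INFO
        "Kevin Luehrs
         Postal: Cable Television Laboratories, Inc.
                 400 Centennial Parkway
                 Louisville, Colorado 80027-1266
                 U.S.A.
         Phone:  +1 303-661-9100
         Fax:    +1 303-661-9199
         E-mail: k.luehrs@cablelabs.com"
    DESCRIPTION
        "This MIB module supplies the basic management objects for
         the Security Portal Services.

         Acknowledgements:
         Nancy Davoust - YAS Broadband Ventures
         Jim Hinsey - Broadcom Visiting Engineer
         John Bevilacqua - YAS Broadband Ventures"
    -- NOTE(review): the dashes above were mis-encoded (CP1252 en dash
    -- rendered as an accented character); restored as plain dashes.
    REVISION "200301220000Z" -- January 22, 2003
    DESCRIPTION
        "Initial version, published as RFC xxxx."
    -- RFC editor to assign xxxx
    ::= { cabhDevMib 2 }

-- Textual conventions
-- (none are defined in this version of the module)

cabhSecMibObjects   OBJECT IDENTIFIER ::= { cabhSecMib 1 }
cabhSecFwObjects    OBJECT IDENTIFIER ::= { cabhSecMibObjects 1 }
cabhSecFwBase       OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
cabhSecFwLogCtl     OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }
cabhSecCertObjects  OBJECT IDENTIFIER ::= { cabhSecMibObjects 2 }
cabhSecKerbObjects  OBJECT IDENTIFIER ::= { cabhSecMibObjects 3 }
cabhSecKerbBase     OBJECT IDENTIFIER ::= { cabhSecKerbObjects 1 }
cabhSec2FwObjects   OBJECT IDENTIFIER ::= { cabhSecMibObjects 4 }
cabhSec2FwBase      OBJECT IDENTIFIER ::= { cabhSec2FwObjects 1 }
cabhSec2FwEvent     OBJECT IDENTIFIER ::= { cabhSec2FwObjects 2 }
cabhSec2FwLog       OBJECT IDENTIFIER ::= { cabhSec2FwObjects 3 }
cabhSec2FwFilter    OBJECT IDENTIFIER ::= { cabhSec2FwObjects 4 }
--cabhSec2Misc      OBJECT IDENTIFIER ::= { cabhSecMib 5 }
--   might be needed for config file encryption key management

--
-- CableHome 1.0 Base Firewall Functions
--

cabhSecFwPolicyFileEnable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1),
                    disable(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This parameter indicates whether or not to enable the
         firewall functionality."
    DEFVAL { enable }
    ::= { cabhSecFwBase 1 }

cabhSecFwPolicyFileURL OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object contains the name and IP address of the policy
         rule set file in a TFTP URL format. Once this object has
         been updated, it will trigger the file download."
    -- NOTE(review): TFTP provides no integrity protection of its own;
    -- the downloaded rule set can only be checked against
    -- cabhSecFwPolicyFileHash. A SET of this object therefore changes
    -- the firewall policy and should only be accepted over an
    -- authenticated management session (see the Kerberos objects
    -- below) or from the provisioned configuration file.
    ::= { cabhSecFwBase 2 }

cabhSecFwPolicyFileHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0|20))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Hash of the contents of the rules set file, calculated and
         sent to the PS prior to sending the rules set file. For the
         SHA-1 authentication algorithm the length of the hash is
         160 bits. This hash value is encoded in binary format."
    -- NOTE(review): SIZE(0|20) ties this object to SHA-1; a change of
    -- hash algorithm would require a new SIZE constraint. The hash is
    -- only meaningful if the SET that delivers it is itself
    -- authenticated, since an unauthenticated writer could supply a
    -- matching hash for any file.
    DEFVAL { ''h }
    ::= { cabhSecFwBase 3 }

cabhSecFwPolicyFileOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    completeFromProvisioning(2),
                    completeFromMgt(3),
                    failed(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "InProgress(1) indicates that a TFTP download is underway,
         either as a result of a version mismatch at provisioning or
         as a result of an upgradeFromMgt request.
         CompleteFromProvisioning(2) indicates that the last software
         upgrade was a result of version mismatch at provisioning.
         CompleteFromMgt(3) indicates that the last software upgrade
         was a result of setting docsDevSwAdminStatus to
         upgradeFromMgt. Failed(4) indicates that the last attempted
         download failed, ordinarily due to TFTP timeout."
    -- NOTE(review): this text appears to have been adapted from
    -- docsDevSwOperStatus and still speaks of a "software upgrade" and
    -- of docsDevSwAdminStatus, neither of which is defined here. The
    -- object presumably tracks the policy rule set download triggered
    -- by cabhSecFwPolicyFileURL; confirm against the CableHome 1.0
    -- specification before relying on the wording.
    ::= { cabhSecFwBase 4 }

cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The rule set version currently operating in the PS device.
         This object should be in the syntax used by the individual
         vendor to identify software versions. Any PS element MUST
         return a string descriptive of the current rule set file
         load. If this is not applicable, this object MUST contain an
         empty string."
    ::= { cabhSecFwBase 5 }

--
-- CableHome 1.0 Firewall Event MIBs
--

cabhSecFwEventType1Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable (1),   -- log event
                    disable (2)   -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object enables or disables logging of type 1 firewall
         event messages. Type 1 event messages report attempts from
         both private and public clients to traverse the firewall
         that violate the Security Policy."
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 1 }

cabhSecFwEventType2Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable (1),   -- log event
                    disable (2)   -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object enables or disables logging of type 2 firewall
         event messages. Type 2 event messages report identified
         Denial of Service attack attempts."
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 2 }

cabhSecFwEventType3Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable (1),   -- log event
                    disable (2)   -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables or disables logging of type 3 firewall event
         messages. Type 3 event messages report changes made to the
         following firewall management parameters:
         cabhSecFwPolicyFileURL, cabhSecFwPolicyFileCurrentVersion,
         cabhSecFwPolicyFileEnable"
    -- NOTE(review): type 3 events are the audit trail for policy
    -- changes; they default to disabled, so an operator who wants
    -- to detect unexpected policy modifications must enable them
    -- explicitly.
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 3 }

cabhSecFwEventAttackAlertThreshold OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "If the number of type 1 or 2 hacker attacks exceeds this
         threshold in the period defined by
         cabhSecFwEventAttackAlertPeriod, a firewall message event
         MUST be logged with priority level 4."
    DEFVAL { 65535 }
    ::= { cabhSecFwLogCtl 4 }

cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates the period to be used (in hours) for the
         cabhSecFwEventAttackAlertThreshold. This MIB variable should
         always keep track of the last x hours of events meaning that
         if the variable is set to track events for 10 hours then
         when the 11th hour is reached, the 1st hour of events is
         deleted from the tracking log. A default value is set to
         zero, meaning zero time, so that this MIB variable will not
         track any events unless configured."
    DEFVAL { 0 }
    ::= { cabhSecFwLogCtl 5 }

--
-- CableHome PS device certificate
--

cabhSecCertPsCert OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The X509 DER-encoded PS certificate."
    ::= { cabhSecCertObjects 1 }

--
-- CableHome 1.1 Firewall Management MIBs
--

cabhSec2FwEnable OBJECT-TYPE
    SYNTAX      INTEGER {
                    disable(1),
                    factoryDefault(2),
                    configuredRuleset(3)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This parameter indicates whether to disable the firewall,
         enable the factory default policy, or enable the configured
         ruleset for firewall functionality."
    DEFVAL { factoryDefault }
    ::= { cabhSec2FwBase 1 }

cabhSec2FwPolicyFileURL OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "This object contains the name and IP address of the policy
         ruleset file in a TFTP or HTTP URL format. Once this object
         has been updated, it will trigger the file download."
    -- NOTE(review): as with cabhSecFwPolicyFileURL, neither TFTP nor
    -- plain HTTP protects the file in transit; integrity rests on
    -- cabhSec2FwPolicyFileHash and on the SET of these objects being
    -- authenticated.
    ::= { cabhSec2FwBase 2 }

cabhSec2FwPolicyFileHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0|20))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Hash of the contents of the firewall configuration file. For
         the SHA-1 authentication algorithm the length of the hash is
         160 bits. This hash value is encoded in binary format."
    DEFVAL { ''h }
    ::= { cabhSec2FwBase 3 }

cabhSec2FwPolicyFileOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    complete(2),
                    failed(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "InProgress(1) indicates a firewall configuration file
         download is underway. Complete(2) indicates the firewall
         configuration file was downloaded and processed
         successfully. Failed(3) indicates that the last attempted
         firewall configuration file download or processing failed."
    ::= { cabhSec2FwBase 4 }

cabhSec2FwPolicyFileCurrentVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The configured ruleset currently loaded in the PS regardless
         if it is enabled or disabled. The PS MUST return a string
         descriptive of the current ruleset. If there is no
         configured ruleset, this object contains the string
         'factory_default'."
    -- NOTE(review): the quotes around factory_default were mis-encoded
    -- CP1252 curly quotes. The DEFVAL below previously read
    -- "factory_Default" while the DESCRIPTION said "factory_default";
    -- the two are aligned on the lower-case form here. Confirm the
    -- intended spelling against the CableHome 1.1 specification.
    DEFVAL { "factory_default" }
    ::= { cabhSec2FwBase 5 }

cabhSec2FwClearPreviousRuleset OBJECT-TYPE
    SYNTAX      INTEGER {
                    increment(1),
                    complete(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The configuration file should contain this object to tell
         the firewall if the rules in the configuration file are
         incremental to the previously established configured ruleset
         or a complete set of configuration rules. If the
         cabhSec2FwClearPreviousRuleset is set to Complete(2), the PS
         must purge all previous firewall rules configured by the
         cable operator before applying the new rules contained
         within the configuration file."
    DEFVAL { increment }
    ::= { cabhSec2FwBase 6 }

--
-- Firewall Event MIBS
--

cabhSec2FwEventControlTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwEventControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table allows control of the reporting of the Firewall
         events"
    ::= { cabhSec2FwEvent 1 }

cabhSec2FwEventControlEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwEventControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Allows configuration of the reporting mechanisms for a
         particular type of attack."
    INDEX { cabhSec2FwEventType }
    ::= { cabhSec2FwEventControlTable 1 }

CabhSec2FwEventControlEntry ::= SEQUENCE {
    cabhSec2FwEventType        INTEGER,
    cabhSec2FwEventEnable      TruthValue,
    cabhSec2FwEventThreshold   Unsigned32,
    cabhSec2FwEventInterval    Integer32,
    cabhSec2FwEventCount       Counter32,
    cabhSec2FwEventLogReset    TruthValue
}

cabhSec2FwEventType OBJECT-TYPE
    SYNTAX      INTEGER {
                    type1(1),
                    type2(2),
                    type3(3),
                    type4(4),
                    type5(5),
                    type6(6)
                }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Classification of the different types of attacks.
         Type 1 logs all attempts from both LAN and WAN clients to
         traverse the Firewall that violate the Security Policy.
         Type 2 logs identified Denial of Service attack attempts.
         Type 3 logs all changes made to the cabhSec2FwPolicyFileURL,
         cabhSec2FwPolicyFileCurrentVersion or cabhSec2FwEnable
         objects.
         Type 4 logs all failed attempts to modify
         cabhSec2FwPolicyFileURL and cabhSec2FwEnable objects.
         Type 5 logs allowed inbound packets from the WAN.
         Type 6 logs allowed outbound packets from the LAN."
    -- NOTE(review): the original text named cabhSec2FwPolicyFileEnable,
    -- which is not defined in this module; the 1.1 enable object is
    -- cabhSec2FwEnable (as cabhSec2FwMIBPointer's DESCRIPTION also
    -- states). Types 3 and 4 are the audit events for policy changes
    -- and failed change attempts.
    ::= { cabhSec2FwEventControlEntry 1 }

cabhSec2FwEventEnable OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables or disables counting and logging of firewall events
         by type as assigned by cabhSec2FwEventType."
    DEFVAL { false }
    ::= { cabhSec2FwEventControlEntry 2 }

cabhSec2FwEventThreshold OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Number of attacks to count before sending the appropriate
         event by type as assigned by cabhSec2FwEventType."
    DEFVAL { 0 }
    ::= { cabhSec2FwEventControlEntry 3 }

cabhSec2FwEventInterval OBJECT-TYPE
    SYNTAX      Integer32 (0..2147483647)
    UNITS       "hours"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates the time interval in hours to count and log
         occurrences of a firewall event type as assigned in
         cabhSec2FwEventType. If this MIB has a value of zero then
         there is no interval assigned and the PS will not count or
         log events."
    DEFVAL { 0 }
    ::= { cabhSec2FwEventControlEntry 4 }

cabhSec2FwEventCount OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Indicates the current count up to the
         cabhSec2FwEventThreshold value by type as assigned by
         cabhSec2FwEventType."
    ::= { cabhSec2FwEventControlEntry 5 }

cabhSec2FwEventLogReset OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Setting this object to true clears the log table for the
         specified event type. Reading this object always returns
         false."
    DEFVAL { false }
    ::= { cabhSec2FwEventControlEntry 6 }

--
-- Firewall Log Tables
--

cabhSec2FwLogTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwLogEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains a log of packet information as related to events
         enabled by the cable operator. The types are defined in the
         CableHome 1.1 specification and require various objects to
         be included in the log. The following is a description for
         what is expected in the log for each type.
         Type 1, Type 2, Type 5 and Type 6 table MUST include
         cabhSec2FwLogEventType, cabhSec2FwLogEventPriority,
         cabhSec2FwLogEventId, cabhSec2FwLogTime,
         cabhSec2FwLogIpProtocol, cabhSec2FwLogIpSourceAddr,
         cabhSec2FwLogIpDestAddr, cabhSec2FwLogIpSourcePort,
         cabhSec2FwLogIpDestPort, cabhSec2FwLogMessageType,
         cabhSec2FwLogReplayCount. The other values not used by type
         1, 2, 5 & 6 are default values.
         Type 3 & Type 4 MUST include cabhSec2FwLogEventType,
         cabhSec2FwLogEventPriority, cabhSec2FwLogEventId,
         cabhSec2FwLogTime, cabhSec2FwLogIpSourceAddr,
         cabhSec2FwMIBPointer. The other values not used by type 3
         and 4 are default values."
    -- NOTE(review): the object names in this DESCRIPTION originally
    -- lacked the "Log" infix (e.g. cabhSec2FwEventPriority) and one
    -- was truncated to "cabhSec2Fw,"; they have been mapped to the
    -- columns actually defined in CabhSec2FwLogEntry, with the
    -- truncated one read as cabhSec2FwLogMessageType from its position
    -- between DestPort and ReplayCount. Confirm against the 1.1 spec.
    ::= { cabhSec2FwLog 1 }

cabhSec2FwLogEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwLogEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Each entry contains the log of firewall events"
    INDEX { cabhSec2FwLogIndex }
    ::= { cabhSec2FwLogTable 1 }

CabhSec2FwLogEntry ::= SEQUENCE {
    cabhSec2FwLogIndex          Integer32,
    cabhSec2FwLogEventType      INTEGER,
    cabhSec2FwLogEventPriority  INTEGER,
    cabhSec2FwLogEventId        Unsigned32,
    cabhSec2FwLogTime           DateAndTime,
    cabhSec2FwLogIpProtocol     Integer32,
    cabhSec2FwLogIpSourceAddr   InetAddressIPv4,
    cabhSec2FwLogIpDestAddr     InetAddressIPv4,
    cabhSec2FwLogIpSourcePort   InetPortNumber,
    cabhSec2FwLogIpDestPort     InetPortNumber,
    cabhSec2FwLogMessageType    Unsigned32,
    cabhSec2FwLogReplayCount    Unsigned32,
    cabhSec2FwMIBPointer        VariablePointer
}

cabhSec2FwLogIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A sequence number for the specific events under a
         cabhSec2FwEventType."
    ::= { cabhSec2FwLogEntry 1 }

cabhSec2FwLogEventType OBJECT-TYPE
    SYNTAX      INTEGER {
                    type1(1),
                    type2(2),
                    type3(3),
                    type4(4),
                    type5(5),
                    type6(6)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Classification of the different types of attacks.
         Type 1 logs all attempts from both LAN and WAN clients to
         traverse the Firewall that violate the Security Policy.
         Type 2 logs identified Denial of Service attack attempts.
         Type 3 logs all changes made to the cabhSec2FwPolicyFileURL,
         cabhSec2FwPolicyFileCurrentVersion or cabhSec2FwEnable
         objects.
         Type 4 logs all failed attempts to modify
         cabhSec2FwPolicyFileURL and cabhSec2FwEnable objects.
         Type 5 logs allowed inbound packets from the WAN.
         Type 6 logs allowed outbound packets from the LAN."
    -- NOTE(review): same name correction as cabhSec2FwEventType
    -- (cabhSec2FwPolicyFileEnable is not defined; cabhSec2FwEnable is).
    ::= { cabhSec2FwLogEntry 2 }

cabhSec2FwLogEventPriority OBJECT-TYPE
    SYNTAX      INTEGER {
                    emergency(1),
                    alert(2),
                    critical(3),
                    error(4),
                    warning(5),
                    notice(6),
                    information(7),
                    debug(8)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The priority level of this event as defined by CableHome
         Specification. If a priority is not assigned in the
         CableHome specification for a particular event then the
         vendor or cable operator may assign priorities. These are
         ordered from most serious (emergency) to least serious
         (debug)."
    ::= { cabhSec2FwLogEntry 3 }

cabhSec2FwLogEventId OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The assigned event ID."
    ::= { cabhSec2FwLogEntry 4 }

cabhSec2FwLogTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The time that this entry was created by the PS."
    ::= { cabhSec2FwLogEntry 5 }

cabhSec2FwLogIpProtocol OBJECT-TYPE
    SYNTAX      Integer32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The IP Protocol"
    -- NOTE(review): IP protocol numbers occupy 0..255; the range here
    -- admits 256 as well, presumably as an "any/unknown" sentinel, but
    -- the module does not say so. Confirm the intended meaning.
    ::= { cabhSec2FwLogEntry 6 }

cabhSec2FwLogIpSourceAddr OBJECT-TYPE
    SYNTAX      InetAddressIPv4
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Source IP Address of the packet logged"
    ::= { cabhSec2FwLogEntry 7 }

cabhSec2FwLogIpDestAddr OBJECT-TYPE
    SYNTAX      InetAddressIPv4
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Destination IP Address of the packet logged"
    ::= { cabhSec2FwLogEntry 8 }

cabhSec2FwLogIpSourcePort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Source IP Port of the packet logged"
    ::= { cabhSec2FwLogEntry 9 }

cabhSec2FwLogIpDestPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The Destination IP Port of the packet logged"
    -- NOTE(review): the original DESCRIPTION repeated "Source IP Port"
    -- from the previous object; corrected to match the object name.
    ::= { cabhSec2FwLogEntry 10 }

cabhSec2FwLogMessageType OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The ICMP defined types."
    ::= { cabhSec2FwLogEntry 11 }

cabhSec2FwLogReplayCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of identical attack packets that were seen by
         the firewall based on cabhSec2FwLogIpProtocol,
         cabhSec2FwLogIpSourceAddr, cabhSec2FwLogIpDestAddr,
         cabhSec2FwLogIpSourcePort, cabhSec2FwLogIpDestPort and
         cabhSec2FwLogMessageType"
    DEFVAL { 0 }
    ::= { cabhSec2FwLogEntry 12 }

cabhSec2FwMIBPointer OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Identifies if the cabhSec2FwPolicyFileURL or the
         cabhSec2FwEnable MIB object changed or an attempt was made
         to change it."
    ::= { cabhSec2FwLogEntry 13 }

-- ============================================================
--
-- PS IP Filter Scheduling Table
--
-- The cabhSec2FwFilterScheduleTable contains the firewall
-- policy identification and links that policy as defined
-- in RFC 2669 to specific time of day restrictions.
--
-- =============================================================

cabhSec2FwFilterScheduleTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwFilterScheduleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains the link between the firewall rule and
         the associated time of day."
    ::= { cabhSec2FwFilter 1 }

cabhSec2FwFilterScheduleEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwFilterScheduleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "List of IP firewall policies linked to time of day"
    INDEX { cabhSec2FwFilterScheduleIndex }
    ::= { cabhSec2FwFilterScheduleTable 1 }

CabhSec2FwFilterScheduleEntry ::= SEQUENCE {
    cabhSec2FwFilterScheduleIndex      Integer32,
    cabhSec2FwFilterScheduleRowStatus  RowStatus,
    cabhSec2FwFilterScheduleStartTime  DateAndTime,
    cabhSec2FwFilterScheduleEndTime    DateAndTime,
    cabhSec2FwFilterScheduleDOW        BITS
}

cabhSec2FwFilterScheduleIndex OBJECT-TYPE
    SYNTAX      Integer32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Index for the Time Entry table."
    ::= { cabhSec2FwFilterScheduleEntry 1 }

cabhSec2FwFilterScheduleRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The Row Status interlock for creation and deletion of row
         entries. Any object in each row can be modified at any time
         while the row is active (1)."
    ::= { cabhSec2FwFilterScheduleEntry 2 }

cabhSec2FwFilterScheduleStartTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The start time, with optional time zone, for a firewall
         filter ruleset."
    ::= { cabhSec2FwFilterScheduleEntry 3 }

cabhSec2FwFilterScheduleEndTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The end time, with optional time zone, for a firewall filter
         ruleset."
    ::= { cabhSec2FwFilterScheduleEntry 4 }

cabhSec2FwFilterScheduleDOW OBJECT-TYPE
    SYNTAX      BITS {
                    sunday(0),
                    monday(1),
                    tuesday(2),
                    wednesday(3),
                    thursday(4),
                    friday(5),
                    saturday(6)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The day of week to be used with the IP filter table from
         RFC2669."
    ::= { cabhSec2FwFilterScheduleEntry 5 }

--
-- Kerberos MIBs
--

--cabhSecKerbBaseTable OBJECT-TYPE
--    SYNTAX      SEQUENCE OF CabhSecKerbBaseEntry
--    MAX-ACCESS  not-accessible
--    STATUS      current
--    DESCRIPTION
--        "This table is for management for various Kerberos MIBs"
--    INDEX { }
--    ::= { cabhSecKerbBase 1 }

--cabhSecKerbBaseEntry OBJECT-TYPE
--    SYNTAX      CabhSecKerbBaseEntry
--    MAX-ACCESS  not-accessible
--    STATUS      current
--    DESCRIPTION
--        "List of security parameters for Kerberos."
--    ::= { cabhSecKerbBaseTable 1 }

--CabhSecKerbBaseEntry ::= SEQUENCE {
--    cabhSecKerbPKINITGracePeriod          Integer32,
--    cabhSecKerbTGSGracePeriod             Integer32,
--    cabhSecKerbKDCCertOrgName             OCTET STRING,
--    cabhSecKerbUnsolicitedKeyMaxTimeout   Integer32,
--    cabhSecKerbUnsolicitedKeyMaxRetries   Integer32
--}

cabhSecKerbPKINITGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The PKINIT Grace Period is needed by the PS to know when it
         should start retrying to get a new ticket. The PS MUST
         obtain a new Kerberos ticket (with a PKINIT exchange) this
         many minutes before the old ticket expires. The minimum
         allowed value is 15 minutes. The default value is 30
         minutes."
    DEFVAL { 30 }
    -- ::= { cabhSecKerbBaseEntry 1 }
    ::= { cabhSecKerbBase 1 }

cabhSecKerbTGSGracePeriod OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The TGS Grace Period is needed by the PS to know when it
         should start retrying to get a new ticket. The PS MUST
         obtain a new Kerberos ticket (with a TGS Request) this many
         minutes before the old ticket expires. The minimum allowed
         value is 15 minutes. The default value is 30 minutes."
    DEFVAL { 30 }
    -- ::= { cabhSecKerbBaseEntry 2 }
    ::= { cabhSecKerbBase 2 }

cabhSecKerbKDCCertOrgName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..64))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The value of the X.500 Organization Name attribute in the
         subject name field of the service provider certificate."
    -- NOTE(review): this object is read-write and names the
    -- organization the PS expects in the KDC's certificate, so it
    -- forms part of the trust anchor for the Kerberos exchange; a
    -- write to it deserves the same audit attention as a firewall
    -- policy change.
    -- ::= { cabhSecKerbBaseEntry 3 }
    ::= { cabhSecKerbBase 3 }

cabhSecKerbUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Integer32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This timeout applies to PS initiated AP-REQ/REP key
         management exchange with NMS. The maximum timeout is the
         value which may not be exceeded in the exponential backoff
         algorithm. The minimum allowed value is 15 seconds. The
         default value is 600 seconds."
    -- NOTE(review): the original DESCRIPTION said "minutes" while the
    -- UNITS clause says "seconds"; the text now follows UNITS, which
    -- is also the more plausible scale for a backoff ceiling.
    -- Confirm against the CableHome specification.
    DEFVAL { 600 }
    -- ::= { cabhSecKerbBaseEntry 4 }
    ::= { cabhSecKerbBase 4 }

cabhSecKerbUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Integer32 (1..32)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of retries the PS is allowed for AP-REQ/REP key
         management exchange initiation with the NMS. This is the
         maximum number of retries before the PS gives up attempting
         to establish an SNMPv3 security association with NMS."
    -- NOTE(review): the original text said "the MTA gives up", which
    -- appears to be carried over from PacketCable; the device in this
    -- module is the PS.
    DEFVAL { 8 }
    -- ::= { cabhSecKerbBaseEntry 5 }
    ::= { cabhSecKerbBase 5 }

cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 2 }
cabhSecConformance  OBJECT IDENTIFIER ::= { cabhSecMib 3 }
cabhSecCompliances  OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
cabhSecGroups       OBJECT IDENTIFIER ::= { cabhSecConformance 2 }

--
-- Notification Group for future extension
--

-- compliance statements

cabhSecCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for CableHome Security."
    MODULE -- cabhSecMib

    -- unconditionally mandatory groups
    MANDATORY-GROUPS {
        -- cabhSecGroup,
        cabhSecCertGroup,
        cabhSecKerbGroup
    }

    -- conditional mandatory groups
    GROUP cabhSecGroup
    DESCRIPTION
        "This group is implemented only for CH 1.0 gateways."

    GROUP cabhSec2Group
    DESCRIPTION
        "This group is implemented only for CH 1.1 gateways."

    ::= { cabhSecCompliances 1 }

cabhSecGroup OBJECT-GROUP
    OBJECTS {
        cabhSecFwPolicyFileEnable,
        cabhSecFwPolicyFileURL,
        cabhSecFwPolicyFileHash,
        cabhSecFwPolicyFileOperStatus,
        cabhSecFwPolicyFileCurrentVersion,
        cabhSecFwEventType1Enable,
        cabhSecFwEventType2Enable,
        cabhSecFwEventType3Enable,
        cabhSecFwEventAttackAlertThreshold,
        cabhSecFwEventAttackAlertPeriod
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in CableHome 1.0 Firewall MIB."
    ::= { cabhSecGroups 1 }

cabhSecCertGroup OBJECT-GROUP
    OBJECTS {
        cabhSecCertPsCert
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in CableHome gateway for PS Certificate."
    ::= { cabhSecGroups 2 }

cabhSecKerbGroup OBJECT-GROUP
    OBJECTS {
        cabhSecKerbPKINITGracePeriod,
        cabhSecKerbTGSGracePeriod,
        cabhSecKerbKDCCertOrgName,
        cabhSecKerbUnsolicitedKeyMaxTimeout,
        cabhSecKerbUnsolicitedKeyMaxRetries
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in CableHome gateway for Kerberos key
         Management."
    ::= { cabhSecGroups 3 }

cabhSec2Group OBJECT-GROUP
    OBJECTS {
        cabhSec2FwEnable,
        cabhSec2FwPolicyFileURL,
        cabhSec2FwPolicyFileHash,
        cabhSec2FwPolicyFileOperStatus,
        cabhSec2FwPolicyFileCurrentVersion,
        cabhSec2FwClearPreviousRuleset,
        cabhSec2FwEventEnable,
        cabhSec2FwEventThreshold,
        cabhSec2FwEventInterval,
        cabhSec2FwEventCount,
        cabhSec2FwEventLogReset,
        cabhSec2FwLogEventType,
        cabhSec2FwLogEventPriority,
        cabhSec2FwLogEventId,
        cabhSec2FwLogTime,
        cabhSec2FwLogIpProtocol,
        cabhSec2FwLogIpSourceAddr,
        cabhSec2FwLogIpDestAddr,
        cabhSec2FwLogIpSourcePort,
        cabhSec2FwLogIpDestPort,
        cabhSec2FwLogMessageType,
        cabhSec2FwLogReplayCount,
        cabhSec2FwMIBPointer,
        cabhSec2FwFilterScheduleRowStatus,
        cabhSec2FwFilterScheduleStartTime,
        cabhSec2FwFilterScheduleEndTime,
        cabhSec2FwFilterScheduleDOW
    }
    STATUS      current
    DESCRIPTION
        "Group of objects in CableHome 1.1 Firewall MIB."
    ::= { cabhSecGroups 4 }

END

--
-- Copyright (C) The Internet Society (2003). All Rights Reserved.
--
-- This document and translations of it may be copied and furnished to
-- others, and derivative works that comment on or otherwise explain it
-- or assist in its implementation may be prepared, copied, published
-- and distributed, in whole or in part, without restriction of any
-- kind, provided that the above copyright notice and this paragraph are
-- included on all such copies and derivative works. However, this
-- document itself may not be modified in any way, such as by removing
-- the copyright notice or references to the Internet Society or other
-- Internet organizations, except as needed for the purpose of
-- developing Internet standards in which case the procedures for
-- copyrights defined in the Internet Standards process must be
-- followed, or as required to translate it into languages other than
-- English.
--
-- The limited permissions granted above are perpetual and will not be
-- revoked by the Internet Society or its successors or assigns.
--
-- This document and the information contained herein is provided on an
-- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
-- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
-- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
-- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.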