-- extracted from draft-ietf-ipcdn-pktc-mtamib-00.txt -- at Thu Oct 31 06:10:53 2002 PKTC-MTA-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32, NOTIFICATION-TYPE, mib-2 FROM SNMPv2-SMI TruthValue, RowStatus, TEXTUAL-CONVENTION FROM SNMPv2-TC OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP FROM SNMPv2-CONF InetAddressType, InetAddress FROM INET-ADDRESS-MIB sysDescr FROM SNMPv2-MIB SnmpAdminString FROM SNMP-FRAMEWORK-MIB docsDevSwCurrentVers FROM DOCS-CABLE-DEVICE-MIB; -- version 8 pktcMtaMib MODULE-IDENTITY LAST-UPDATED "200210250000Z" -- October 25, 2002 ORGANIZATION " PacketCable OSS Group " CONTACT-INFO "Matt Osman Postal: Cable Television Laboratories, Inc. 400 Centennial Parkway Louisville, Colorado 80027-1266 U.S.A. Phone: +1 303-661-9100 Fax: +1 303-661-9199 E-mail: m.osman@cablelabs.com Eugene Nechamkin Postal: Broadcom Corporation, 200-13711 International Place, Richmond, BC, V6V 2Z8 Canada Phone: +1 604 233 8500 Fax: +1 604 233 8501 E-mail: enechamkin@broadcom.com IETF IPCDN Working Group General Discussion: ipcdn@ietf.org Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn Co-chairs: Richard Woundy, rwoundy@cisco.com Jean-Francois Mule, jf.mule@cablelabs.com" DESCRIPTION "This is the MIB module for PacketCable 1.x compliant Multimedia Terminal Adapter Devices in Telephony-Over-Cable Systems" REVISION "200210250000Z" DESCRIPTION "Initial Introduction of the draft of the document." ::= { mib-2 99991 } -- to be assigned by IANA -- Textual Conventions X509Certificate ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "An X509 digital certificate encoded as an ASN.1 DER object." SYNTAX OCTET STRING (SIZE (0..4096)) -- ================================================================ -- -- The MTA MIB only supports a single provisioning server. -- -- ================================================================ pktcMtaMibObjects OBJECT IDENTIFIER ::= { pktcMtaMib 1 } pktcMtaDevBase OBJECT IDENTIFIER ::= { pktcMtaMibObjects 1 } pktcMtaDevServer OBJECT IDENTIFIER ::= { pktcMtaMibObjects 2 } pktcMtaDevSecurity OBJECT IDENTIFIER ::= { pktcMtaMibObjects 3 } -- -- The following group describes the base objects in the MTA -- pktcMtaDevResetNow OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Setting this object to true(1) causes the device to reset. Reading this object always returns false(2). When pktcMtaDevResetNow is set to true, the following actions occur: 1. All connections (if present) are flushed locally. 2. All current actions such as ringing immediately terminate. 3. Requests for notifications such as notification based on digit map recognition are flushed. 4. All endpoints are disabled. 5. The provisioning flow is started at step MTA-1." ::= { pktcMtaDevBase 1 } pktcMtaDevSerialNumber OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (1..128)) MAX-ACCESS read-only STATUS current DESCRIPTION "The manufacturer's serial number for this MTA." ::= { pktcMtaDevBase 2 } pktcMtaDevMacAddress OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "The telephony MAC address for this device." ::= { pktcMtaDevBase 3 } pktcMtaDevFQDN OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The Fully Qualified Domain Name for this MTA." ::= { pktcMtaDevBase 4 } pktcMtaDevEndPntCount OBJECT-TYPE SYNTAX Integer32 (1..255) MAX-ACCESS read-only STATUS current DESCRIPTION "The physical end points for this MTA." ::= { pktcMtaDevBase 5 } pktcMtaDevEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The MTA Admin Status of this device, where True(1) means the voice feature is enabled and false(2) indicates that it is disabled." ::= { pktcMtaDevBase 6 } pktcMtaDevTypeIdentifier OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "This is a copy of the device type identifier used in the DHCP option 60 exchanged between the MTA and the DHCP server." ::= { pktcMtaDevBase 7 } pktcMtaDevProvisioningState OBJECT-TYPE SYNTAX INTEGER { pass(1), inProgress(2), failConfigFileError(3), passWithWarning(4), passWithIncompleteParsing(5), failureInternalError(6), failOtherReason(7) } MAX-ACCESS read-only STATUS current DESCRIPTION "This parameter indicates the completion state of the MTA Device provisioning process. This parameter is sent as part of the final INFORM (step 25 of the MTA provisioning process) refer to the MTA Device provisioning spec for explanation on how an MTA chooses a particular state to report." ::= { pktcMtaDevBase 8 } pktcMtaDevHttpAccess OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "This indicates whether HTTP file access is supported for MTA configuration file transfer." ::= { pktcMtaDevBase 9 } pktcMtaDevProvisioningTimer OBJECT-TYPE SYNTAX Integer32 (0..30) UNITS "minutes" MAX-ACCESS read-write STATUS current DESCRIPTION "This object enables setting the duration of the provisioning timeout timer. The timer covers the provisioning sequence from step MTA-1 to step MTA-23. The value is in minutes and setting the timer to 0 disables this timer." DEFVAL {10} ::= {pktcMtaDevBase 10} pktcMtaDevProvisioningCounter OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "This object is the count of the number of times the provisioning cycle has looped through step MTA-1 since the last reboot." ::= {pktcMtaDevBase 11} pktcMtaDevErrorOidsTable OBJECT-TYPE SYNTAX SEQUENCE OF PktcMtaDevErrorOidsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "If pktcMtaDevProvisioningSate reported with anything other than a pass(1) then this table is populated with the necessary information, each pertaining to observations of the configuration file. Even if different parameters share the same error (ex., All Realm Names are invalid), all recognized errors must be reported as different instances." ::= {pktcMtaDevBase 12} pktcMtaDevErrorOidsEntry OBJECT-TYPE SYNTAX PktcMtaDevErrorOidsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This contains the necessary information an MTA must attempt to provide in case the configuration file is not parsed and/or accepted in its entirety." INDEX { pktcMtaDevErrorOidIndex } ::= {pktcMtaDevErrorOidsTable 1} PktcMtaDevErrorOidsEntry ::= SEQUENCE { pktcMtaDevErrorOidIndex Integer32, pktcMtaDevErrorOid SnmpAdminString, pktcMtaDevErrorValueGiven SnmpAdminString, pktcMtaDevErrorReason SnmpAdminString } pktcMtaDevErrorOidIndex OBJECT-TYPE SYNTAX Integer32 (1..1024) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is the index to pktcMtaDevErrorOidsEntry. This is an integer value and will start from the value of 1 and be incremented for each error encountered in the configuration file. These indices need not necessarily reflect the order of error occurrences in the configuration file." ::= {pktcMtaDevErrorOidsEntry 1} pktcMtaDevErrorOid OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "This is the OID associated with the particular error. If the error was not due to an identifiable OID, then this can be populated with impartial identifiers, in hexadecimal or numeric format." ::= {pktcMtaDevErrorOidsEntry 2} pktcMtaDevErrorValueGiven OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "If the error was due to the value associated with the corresponding pktcMtaDevErrorOid, then this contains the value of the OID as interpreted by the MTA in the configuration file provided. If the error was not due to the value of an OID this must be set to an empty string. This is provided to eliminate errors due to misrepresentation/misinterpretation of data." ::= {pktcMtaDevErrorOidsEntry 3} pktcMtaDevErrorReason OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "This indicates the reason for the error, as per the MTA's interpretation, in human readable form. EX.: 'VALUE NOT IN RANGE', 'VALUE DOES NOT MATCH TYPE', 'UNSUPPORTED VALUE', 'LAST 4 BITS MUST BE SET TO ZERO', 'OUT OF MEMORY - CANNOT STORE', ..etc. This may also contain vendor specific errors for vendor specific OIDs and any proprietary error codes/messages which can help diagnose errors better, in a manner the vendor deems fit." ::= {pktcMtaDevErrorOidsEntry 4} -- -- The following group describes server access and parameters -- used for initial provisioning and bootstrapping. -- pktcMtaDevServerDns1 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The IP address of the primary DNS server to be used by the MTA to resolve the FQDNs and IP addresses." ::= { pktcMtaDevServer 1 } pktcMtaDevServerDns2 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The IP address of the Secondary DNS server to be used by the MTA to resolve the FQDNs and IP addresses. Contains 0.0.0.0 if there is no Secondary DNS server specified for the MTA under consideration." ::= { pktcMtaDevServer 2 } pktcMtaDevConfigFile OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-write STATUS current DESCRIPTION "The URL of the TFTP/HTTP file for downloading provisioning and configuration parameters to this device. Returns NULL if the server address is unknown. Supports both TFTP and HTTP." ::= { pktcMtaDevServer 3 } pktcMtaDevSnmpEntity OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-write STATUS current DESCRIPTION "The FQDN of the SNMP V3 entity of the Provisioning Server to which the MTA has to communicate in order to receive the access method, location and the name of the Configuration file during MTA provisioning. This would also be the entity which caters to the End-point provisioning needs of the MTA and is the destination for all provisioning informs. It may be also used for post-provisioning SNMP operations." ::= { pktcMtaDevServer 4 } pktcMtaDevProvConfigHash OBJECT-TYPE SYNTAX OCTET STRING (SIZE(16|20)) MAX-ACCESS read-write STATUS current DESCRIPTION "Hash of the contents of the config file, calculated and sent to the MTA prior to sending the config file. If the authenthenication algorithm is MD5, the length is 128 bits, If the authentication algorithm is SHA-1, the length is 160 bits." ::= { pktcMtaDevServer 5 } pktcMtaDevProvConfigKey OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0|8)) MAX-ACCESS read-write STATUS current DESCRIPTION "Key used to encrypt/decrypt the config file, sent to the MTA prior to sending the config file. If the privacy algorithm is null, the length is 0. If the privacy algorithm is DES, the length is 64 bits." ::= { pktcMtaDevServer 6 } pktcMtaDevProvSolicitedKeyTimeout OBJECT-TYPE SYNTAX Integer32 (15..600) UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "This timeout applies only when the Provisioning Server initiated key management (with a Wake Up message) for SNMPv3. It is the period during which the MTA will save a nonce (inside the sequence number field) from the sent out AP Request and wait for the matching AP Reply from the Provisioning Server." DEFVAL { 120 } ::= { pktcMtaDevServer 7 } -- ================================================================= -- -- Unsolicited Key Updates are based on an exponential backoff -- mechanism with two timers for AS replies. The fast timers -- has a maximum timer -- (pktcMtaDevProvUnsolicitedKeyMaxTimeout seconds) and a -- nominal timer (pktcMtaDevProvUnsolicitedKeyNomTimeout -- seconds) from which the backoff timer determinations -- are made. -- -- ================================================================= -- ================================================================= -- -- Timeouts for unsolicited key management updates are only -- pertinent before the first SNMP message is sent between the -- MTA and the CMS and before the configuration file is -- loaded. No SNMP communications can -- exist under PacketCable without the security association -- existing. The following object is provided only for -- diagnosistic purposes and are only useful if the MTA can be -- brought up without any security. -- -- ================================================================= pktcMtaDevProvUnsolicitedKeyMaxTimeout OBJECT-TYPE SYNTAX Integer32 (15..600) UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "This timeout applies to MTA initiated AP-REQ/REP key management exchange with Provisioning Server. The maximum timeout is the value which may not be exceeded in the exponential backoff algorithm." REFERENCE "PacketCable Security Specification [18]" DEFVAL {600} ::= { pktcMtaDevServer 8 } pktcMtaDevProvUnsolicitedKeyNomTimeout OBJECT-TYPE SYNTAX Integer32 (15..600) UNITS "seconds" MAX-ACCESS read-only STATUS current DESCRIPTION "This timeout applies only when the MTA initiated AP-REQ/REP key management. Typically this is the average roundtrip time between the MTA and the Provisioning server." REFERENCE "PacketCable Security Specification [18]" DEFVAL {30} ::= { pktcMtaDevServer 9 } pktcMtaDevProvUnsolicitedKeyMaxRetries OBJECT-TYPE SYNTAX Integer32 (1..32) MAX-ACCESS read-only STATUS current DESCRIPTION "This retries number applies to MTA initiated AP-REQ/REP key management exchange with Provisioning Server. This is the maximum number of retries before the MTA gives up attempting to establish an SNMPv3 security association with Provisioning Server." REFERENCE "PacketCable Security Specification [18]" DEFVAL {8} ::= { pktcMtaDevServer 10 } pktcMtaDevProvKerbRealmName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "The name of the associated Provisioning Kerberos Realm acquired during MTA4 ( DHCP Ack ). This is used as an index into the pktcMtaDevRealmTable. When used as an index, the upper case ASCII representation of the associated Kerberos Realm name MUST be used by both the Manager(SNMPv3 Entity) and the MTA." ::= { pktcMtaDevServer 11 } pktcMtaDevProvState OBJECT-TYPE SYNTAX INTEGER { operational (1), disabled (2), other (3), unknown (4), waitingToStart (10), waitingForDhcpOffer (12), waitingForDhcpAckResponse (14), waitingForProvRealmKdcNameResponse (16), waitingForProvRealmKdcAddrResponse (18), waitingForAsReply (20), waitingForTgsReply (22), waitingForApReply (24), waitingForSnmpGetRequest (26), waitingForSnmpSetInfo (28), waitingForTftpAddrResponse (30), waitingForConfigFile (32), waitingForTelRealmKdcNameResponse (34), waitingForTelRealmKdcAddrResponse (36), waitingForPkinitAsReply (38), waitingForCmsKerbTickTgsReply (40), waitingForCmsKerbTickApReply (42) } MAX-ACCESS read-only STATUS current DESCRIPTION "If operational(1), the device has completed loading and processing of initialization parameters. If disabled(2) then the device was administratively disabled, possibly by being refused network access in the configuration file. If waitingToStart(10) then the MTA is has not received a signal to start initialization. If waitingForDhcpOffer(12) then a DHCP Discover has been transmitted and no offer has yet been received. If waitingForDhcpAckResponse(14) then a DHCP Request has been transmitted and no response has yet been received. If waitingProvRealmKdcNameResponse(16) then a DNS Srv request has been transmitted and no reply has yet been received. If waitingForProvRealmKdcAddrResponse(18) then a DNS request has been transmitted and no reply has yet been received. If waitingForAsReply(20) then an AS request has been and no MSO KDC AS Kerberos ticket reply has yet been received. If waitingForTgsReply(22) then a TGS request has been transmitted and no TGS ticket reply has yet been received. If waitingForApReply(24) then an AP request has been transmitted and no SNMPv3 key info reply has yet been received. If waitingForSnmpGetRequest(26) then an INFORM message has been transmitted and the device is waiting on optional/iterative GET requests. If waitingForSnmpSetInfo(28) then the device is waiting on config file download access information. If waitingForTftpAddrResponse(30) then a DNS request has been transmitted and no reply has yet been received. If waitingForConfigFile(32) then a TFTP request has been transmitted and no reply has yet been received or a download is in progress. If waitingForTelRealmKdcNameResponse(34) then a DNS Srv request has been transmitted and no name reply has yet been received. If waitingForTelRealmKdcAddrResponse(36) then a DNS request has been transmitted and no address reply has yet been received. If waitingForPkinitAsReply(38) then an AS request has been transmitted and no ticket reply has yet been received. If waitingForCmsKerbTickTgsReply(40) then a TGS request has been transmitted and no ticket reply has yet been received. If waitingForCmsKerbTickApReply(42) then a AP request has been transmitted and no Ipsec parameters reply has yet been received." REFERENCE "PacketCable Provisioning Specification PacketCable Security Specification [18]" ::= { pktcMtaDevServer 12 } pktcMtaDevServerDhcp1 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the primary DHCP server which would cater to the MTA during its provisioning. Contains 255.255.255.255 if there was no preference given with respect to the DHCP servers for MTA provisioning." ::= { pktcMtaDevServer 13 } pktcMtaDevServerDhcp2 OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the Secondary DHCP server which could cater to the MTA during its provisioning. Contains 0.0.0.0 if there is no specific secondary DHCP server to be considered during MTA provisioning." ::= { pktcMtaDevServer 14 } pktcMtaDevTimeServer OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-write STATUS current DESCRIPTION "This holds the IP address of the Time Server used for Time Synchronization and must be populated in the case of SMTA. Contains 0.0.0.0 if the Time Protocol is not used for time synchronization." ::= { pktcMtaDevServer 15} pktcMtaDevServerDns1AddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-write STATUS current DESCRIPTION "The type of Internet address of the primary DNS server to be used by the MTA to resolve the FQDNs and IP addresses. An Internet address of DNS-type must not be used." ::= { pktcMtaDevServer 16 } pktcMtaDevServerDns2AddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-write STATUS current DESCRIPTION "The type of Internet address of the Secondary DNS server to be used by the MTA to resolve the FQDNs and IP addresses. An Internet address of DNS-type must not be used." ::= { pktcMtaDevServer 17 } pktcMtaDevServerDhcp1AddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of Internet address of the primary DHCP server which would cater to the MTA during its provisioning." ::= { pktcMtaDevServer 18 } pktcMtaDevServerDhcp2AddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of Internet address of the secondary DHCP server which would cater to the MTA during its provisioning." ::= { pktcMtaDevServer 19 } pktcMtaDevTimeServerAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-write STATUS current DESCRIPTION "The type of Internet address of the Time Server used to obtain the time." ::= { pktcMtaDevServer 20} -- -- The following group describes the security objects in the MTA. -- pktcMtaDevManufacturerCertificate OBJECT-TYPE SYNTAX X509Certificate MAX-ACCESS read-only STATUS current DESCRIPTION "ASN.1 DER encoding of the MTA Manufacturer's X.509 public-key certificate, called MTA Manufacturer Certificate. It is issued to each MTA manufacturer and is installed into each MTA either in the factory or with a code download. The provisioning server cannot update this certificate." ::= {pktcMtaDevSecurity 1} pktcMtaDevCertificate OBJECT-TYPE SYNTAX X509Certificate MAX-ACCESS read-only STATUS current DESCRIPTION "ASN.1 DER encoding of the MTA's X.509 public-key certificate issued by the manufacturer and installed into the embedded-MTA in the factory. This certificate, called MTA Device Certificate, contains the MTA's MAC address. It cannot be updated by the provisioning server." ::= { pktcMtaDevSecurity 2 } pktcMtaDevCorrelationId OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "Random value generated by the MTA for use in registration authorization. It is for use only in the MTA initialization messages and for MTA configuration file download." ::= { pktcMtaDevSecurity 3 } pktcMtaDevTelephonyRootCertificate OBJECT-TYPE SYNTAX X509Certificate MAX-ACCESS read-only STATUS current DESCRIPTION "ASN.1 DER encoding of the IP Telephony Root X.509 public-key certificate stored in the MTA non- volatile memory and updateable with a code download. This certificate is used to validate the initial AS Reply from the KDC received during the MTA initialization." ::= { pktcMtaDevSecurity 4 } -- =================================================================== -- -- Procedures for setting up security associations: -- -- A security association may be setup either via -- configuration or via NCS signaling. -- -- I. Security association setup via configuration. -- -- The realm must be configured first. Associated with -- the realm is a KDC. The realm table -- (pktcMtaDevRealmTable) indicates information about -- realm (e.g., name, organization name) and -- parameters associated with KDC communications (e.g., -- grace periods, AS request/AS reply adaptive backoff -- parameters). -- -- Once the realm is established, one or more servers may -- be defined in the realm. For PacketCable 1.0, these are -- Call Management Servers (CMSs). Associated with each CMS -- entry in the pktcMtaDevCmsTable is an explicit reference -- to a Realm via the realm index -- (pktcMtaDevCmsKerbRealmName), the FQDN of the CMS, and -- parameters associated with IPSec key management with the -- CMS (e.g., clock skew, AP request/AP reply adaptive -- backoff parameters). -- -- -- -- II. Security association setup via NCS signaling. -- -- Note: The following process is done automatically by -- the MTA. The NCS is not involved in creating signaled -- entries. -- The current CMS signaling association being used by an -- endpoint is marked as active in CMS MAP table. If NCS -- signaling requests a change of signaling association to -- a different FQDN, the MTA checks the current CMS MAP -- table entries for the affected endpoint. If the entry -- exists in the CMS MAP table, the current CMS MAP table -- entry is marked inactive and the newly chosen CMS MAP -- table entry is marked active. -- -- If the entry does not exist in the CMS MAP table, the -- CMS table is checked to determine whether or not it -- contains the CMS specified by CMS signaling (possibly -- a redirection). If the desired CMS entry is defined, -- then a corresponding entry is created and an entry in -- the CMS MAP table is created. If the MTA does not -- have current associations with that CMS, it will now -- perform key management to establish required security -- associations. Once the desired CMS entry is -- established, the current CMS MAP table entry is marked -- inactive and the newly created CMS MAP table entry is -- marked active. Otherwise the current CMS MAP table -- entry remains active and the newly created CMS MAP -- table entry is marked in active. -- -- If the entry does not exist in the CMS MAP table and -- the CMS entry does not exist in the CMS table, a new -- CMS table entry should be created. This CMS entry -- should use the same realm as used by this endpoint. The -- default values for the clock skew and AP request/AP -- reply adaptive backoff parameters should be used. The -- MTA will now perform key management to establish -- required security associations. Once the desired CMS -- entry is established, the current CMS MAP table entry -- is marked inactive and the newly created CMS MAP table -- entry is marked active. Otherwise the current CMS MAP -- table entry remains active and the newly created CMS -- MAP table entry is marked inactive. -- -- III. When the MTA receives wake-up or re-key messages from a -- CMS, it performs key management based on the -- corresponding entry in the CMS table. If the matching -- CMS entry does not exist, it must ignore the wake-up or -- re-key messages. -- -- ================================================================== -- ================================================================== -- -- pktcMtaDevRealmTable -- -- The pktcMtaDevRealmTable shows the KDC realms. The table is -- indexed withpktcMtaDevRealmName. The Realm Table is used in -- conjunction with any server which needs a security -- association with an MTA. The server table (today the CMS) -- has a security association. Each server-MTA security -- association is associated with a single Realm. This allows -- for multiple realms, each with its own security -- association. -- -- ================================================================== pktcMtaDevRealmTable OBJECT-TYPE SYNTAX SEQUENCE OF PktcMtaDevRealmEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Contains per Kerberos realm security parameters." ::= { pktcMtaDevSecurity 5 } pktcMtaDevRealmEntry OBJECT-TYPE SYNTAX PktcMtaDevRealmEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "List of security parameters for a single Kerberos realm." INDEX { IMPLIED pktcMtaDevRealmName } ::= { pktcMtaDevRealmTable 1 } PktcMtaDevRealmEntry ::= SEQUENCE { pktcMtaDevRealmName SnmpAdminString, pktcMtaDevRealmPkinitGracePeriod Integer32, pktcMtaDevRealmTgsGracePeriod Integer32, pktcMtaDevRealmOrgName OCTET STRING, pktcMtaDevRealmUnsolicitedKeyMaxTimeout Integer32, pktcMtaDevRealmUnsolicitedKeyNomTimeout Integer32, pktcMtaDevRealmUnsolicitedKeyMaxRetries Integer32, pktcMtaDevRealmStatus RowStatus } pktcMtaDevRealmName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..255)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The corresponding Kerberos Realm name. This is used as an index into pktcMtaDevRealmTable. When used as an index, the upper case ASCII representation of Realm Name MUST be used by both the Manager(SNMPv3 Entity) and the MTA." ::= { pktcMtaDevRealmEntry 1 } pktcMtaDevRealmPkinitGracePeriod OBJECT-TYPE SYNTAX Integer32 (15..600) UNITS "minutes" MAX-ACCESS read-create STATUS current DESCRIPTION "For the purposes of the key management with an Application Server (CMS or Provisioning Server), the MTA MUST obtain a new Kerberos ticket (with a PKINIT exchange) this many minutes before the old ticket expires. The minimum allowable value is 15 mins. The default is 30 mins. This parameter MAY also be used with other Kerberized applications." DEFVAL { 30 } ::= { pktcMtaDevRealmEntry 2 } pktcMtaDevRealmTgsGracePeriod OBJECT-TYPE SYNTAX Integer32 (1..600) UNITS "minutes" MAX-ACCESS read-create STATUS current DESCRIPTION "When the MTA implementation uses TGS Request/TGS Reply Kerbersos messages for the purpose of the key management with an Application Server (CMS or Provisioning Server), the MTA MUST obtain a new service ticket for the Application Server (with a TGS Request) this many minutes before the old ticket expires. The minimum allowable value is 1 min. The default is 10 mins. This parameter MAY also be used with other Kerberized applications." DEFVAL { 10 } ::= { pktcMtaDevRealmEntry 3 } pktcMtaDevRealmOrgName OBJECT-TYPE SYNTAX OCTET STRING (SIZE (1..64)) MAX-ACCESS read-create STATUS current DESCRIPTION "The value of the X.500 organization name attribute in the subject name of the Service provider certificate." ::= { pktcMtaDevRealmEntry 4 } -- ================================================================== -- -- Unsolicited Key Updates are based on an exponential backoff -- mechanism with two timers for AS replies. The backoff -- timers has a maximum value of -- pktcMtaDevRealmUnsolicitedKeyMaxTimeout seconds and a -- nominal timer has a -- pktcMtaDevRealmUnsolicitedKeyNomTimeout seconds from which -- the backoff timer determinations are made. After -- pktcMatDevRealmUnsolicitedMaxRetries have occurred no more -- attempts are made. -- -- =================================================================== pktcMtaDevRealmUnsolicitedKeyMaxTimeout OBJECT-TYPE SYNTAX Integer32 (1..600) UNITS "seconds" MAX-ACCESS read-create STATUS current DESCRIPTION "This timeout applies only when the MTA initiated key management. The maximum timeout is the value which may not be exceeded in the exponential backoff algorithm." REFERENCE "PacketCable Security Specification [18]" DEFVAL { 30 } ::= { pktcMtaDevRealmEntry 5 } pktcMtaDevRealmUnsolicitedKeyNomTimeout OBJECT-TYPE SYNTAX Integer32 (100..600000) UNITS "milliseconds" MAX-ACCESS read-create STATUS current DESCRIPTION "This timeout applies only when the MTA initiated key management. This value should account for the average roundtrip time between the MTA and the KDC as well as for the processing delay on the KDC." REFERENCE "PacketCable Security Specification [18]" DEFVAL { 10000 } ::= { pktcMtaDevRealmEntry 6 } pktcMtaDevRealmUnsolicitedKeyMaxRetries OBJECT-TYPE SYNTAX Integer32 (0..1024) MAX-ACCESS read-create STATUS current DESCRIPTION "This is the maximum number of retries before the MTA gives up attempting to establish a security association." REFERENCE "PacketCable Security Specification [18]" DEFVAL { 5 } ::= { pktcMtaDevRealmEntry 7 } pktcMtaDevRealmStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object contains the Row Status associated with the pktcMtaDevRealmTable." ::= { pktcMtaDevRealmEntry 8 } -- ================================================================== -- -- pktcMtaDevCmsTable -- -- The pktcMtaDevCmsTable shows the IPSec key management policy -- relating to a particular CMS. The table is indexed with -- pktcMtaDevCmsFQDN. -- -- =================================================================== pktcMtaDevCmsTable OBJECT-TYPE SYNTAX SEQUENCE OF PktcMtaDevCmsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Contains per CMS key management policy." ::= { pktcMtaDevSecurity 6 } pktcMtaDevCmsEntry OBJECT-TYPE SYNTAX PktcMtaDevCmsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "List of key management parameters for a single MTA-CMS interface." INDEX { IMPLIED pktcMtaDevCmsFqdn } ::= { pktcMtaDevCmsTable 1 } PktcMtaDevCmsEntry ::= SEQUENCE { pktcMtaDevCmsFqdn SnmpAdminString, pktcMtaDevCmsKerbRealmName SnmpAdminString, pktcMtaDevCmsSolicitedKeyTimeout Integer32, pktcMtaDevCmsMaxClockSkew Integer32, pktcMtaDevCmsUnsolicitedKeyMaxTimeout Integer32, pktcMtaDevCmsUnsolicitedKeyNomTimeout Integer32, pktcMtaDevCmsUnsolicitedKeyMaxRetries Integer32, pktcMtaDevCmsStatus RowStatus, pktcMtaDevCmsIpsecCtrl TruthValue } pktcMtaDevCmsFqdn OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..255)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The fully qualified domain name of the CMS. This is the index into the pktcMtaDevCmsTable. When used as an index, the upper case ASCII representation of the associated CMS FQDN MUST be used by both the Manager(SNMPv3 Entity) and the MTA." ::= { pktcMtaDevCmsEntry 1 } pktcMtaDevCmsKerbRealmName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..255)) MAX-ACCESS read-create STATUS current DESCRIPTION "The Kerberos Realm Name of the associated CMS. This is the index into the pktcMtaDevRealmTable. When used as an index, the upper case ASCII representation of the associated CMS FQDN MUST be used by both the Manager (SNMPv3 Entity) and the MTA." ::= { pktcMtaDevCmsEntry 2 } pktcMtaDevCmsMaxClockSkew OBJECT-TYPE SYNTAX Integer32 (1..1800) UNITS "seconds" MAX-ACCESS read-create STATUS current DESCRIPTION "This is the maximum allowable clock skew between the MTA and CMS." DEFVAL { 300 } ::= { pktcMtaDevCmsEntry 3 } pktcMtaDevCmsSolicitedKeyTimeout OBJECT-TYPE SYNTAX Integer32 (100..30000) UNITS "milliseconds" MAX-ACCESS read-create STATUS current DESCRIPTION "This timeout applies only when the CMS initiated key management (with a Wake Up or Rekey message). It is the period during which the MTA will save a nonce (inside the sequence number field) from the sent out AP Request and wait for the matching AP Reply from the CMS." REFERENCE "PacketCable Security Specification [18]" DEFVAL { 1000 } ::= { pktcMtaDevCmsEntry 4 } -- =================================================================== -- -- Unsolicited Key Updates are based on an exponential backoff -- mechanism with two timers for AP replies. The backoff timers -- has a maximum value of pktcMtaDevCmsUnsolicitedKeyMaxTimeout -- seconds and a nominal timer has a -- pktcMtaDevCmsUnsolicitedKeyNomTimeout seconds from which the -- backoff timer determinations are made. After -- pktcMatDevCmsUnsolicitedMaxRetries have occurred no more -- attempts are made. -- -- ================================================================== pktcMtaDevCmsUnsolicitedKeyMaxTimeout OBJECT-TYPE SYNTAX Integer32 (1..600) UNITS "seconds" MAX-ACCESS read-create STATUS current DESCRIPTION "This timeout applies only when the MTA initiated key management. The maximum timeout is the value which may not be exceeded in the exponential backoff algorithm." REFERENCE "PacketCable Security Specification [18]" DEFVAL { 8 } ::= { pktcMtaDevCmsEntry 5 } pktcMtaDevCmsUnsolicitedKeyNomTimeout OBJECT-TYPE SYNTAX Integer32 (100..30000) UNITS "milliseconds" MAX-ACCESS read-create STATUS current DESCRIPTION "This timeout applies only when the MTA initiated key management. Typically this is the average roundtrip time between the MTA and the CMS." REFERENCE "PacketCable Security Specification [18]" DEFVAL { 500 } ::= { pktcMtaDevCmsEntry 6 } pktcMtaDevCmsUnsolicitedKeyMaxRetries OBJECT-TYPE SYNTAX Integer32 (0..1024) MAX-ACCESS read-create STATUS current DESCRIPTION "This is the maximum number of retries before the MTA gives up attempting to establish a security association." REFERENCE "PacketCable Security Specification [18]" DEFVAL { 5 } ::= { pktcMtaDevCmsEntry 7 } pktcMtaDevCmsStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object contains the Row Status associated with the pktcMtaDevCmsTable." ::= { pktcMtaDevCmsEntry 8 } pktcMtaDevCmsIpsecCtrl OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "This value of 'true(1)' indicates that IPSec and IPSec key Management MUST be used to communicate with the CMS. The value of 'fales(2)' indicates that IPSec Signaling Security is disabled for both IPSec Key Management and IPSec protocol (for the specific CMS)." DEFVAL { true } ::= { pktcMtaDevCmsEntry 9 } -- -- notification group is for future extension. -- pktcMtaNotification OBJECT IDENTIFIER ::= { pktcMtaMib 2 } pktcMtaNotificationPrefix OBJECT IDENTIFIER ::= { pktcMtaNotification 0 } pktcMtaConformance OBJECT IDENTIFIER ::= { pktcMtaMib 3 } pktcMtaCompliances OBJECT IDENTIFIER ::= { pktcMtaConformance 1 } pktcMtaGroups OBJECT IDENTIFIER ::= { pktcMtaConformance 2 } -- -- Notification Group -- pktcMtaDevProvisioningEnrollment NOTIFICATION-TYPE OBJECTS { sysDescr, docsDevSwCurrentVers, pktcMtaDevTypeIdentifier, pktcMtaDevMacAddress, pktcMtaDevCorrelationId } STATUS current DESCRIPTION "This inform is issued to initiate the PacketCable process provisioning." REFERENCE "Inform as defined in [20]" ::= { pktcMtaNotificationPrefix 1 } pktcMtaDevProvisioningStatus NOTIFICATION-TYPE OBJECTS { pktcMtaDevMacAddress, pktcMtaDevCorrelationId, pktcMtaDevProvisioningState } STATUS current DESCRIPTION "This inform is issued to confirm completion of the PacketCable provisioning process, and indicate the completion state." REFERENCE "Inform as defined in [20]" ::= { pktcMtaNotificationPrefix 2 } -- compliance statements pktcMtaBasicCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for devices that implement MTA feature." MODULE --pktcMtaMib -- unconditionally mandatory groups MANDATORY-GROUPS { pktcMtaGroup } ::= { pktcMtaCompliances 1 } pktcMtaGroup OBJECT-GROUP OBJECTS { pktcMtaDevResetNow, pktcMtaDevSerialNumber, pktcMtaDevMacAddress, pktcMtaDevFQDN, pktcMtaDevEndPntCount, pktcMtaDevEnabled, pktcMtaDevErrorOid, pktcMtaDevErrorValueGiven, pktcMtaDevErrorReason, pktcMtaDevTypeIdentifier, pktcMtaDevProvisioningState, pktcMtaDevHttpAccess, pktcMtaDevCertificate, pktcMtaDevCorrelationId, pktcMtaDevManufacturerCertificate, pktcMtaDevServerDhcp1, pktcMtaDevServerDhcp2, pktcMtaDevServerDhcp1AddressType, pktcMtaDevServerDhcp2AddressType, pktcMtaDevServerDns1, pktcMtaDevServerDns2, pktcMtaDevServerDns1AddressType, pktcMtaDevServerDns2AddressType, pktcMtaDevTimeServer, pktcMtaDevTimeServerAddressType, pktcMtaDevConfigFile, pktcMtaDevSnmpEntity, pktcMtaDevRealmPkinitGracePeriod, pktcMtaDevRealmTgsGracePeriod, pktcMtaDevRealmOrgName, pktcMtaDevRealmUnsolicitedKeyMaxTimeout, pktcMtaDevRealmUnsolicitedKeyNomTimeout, pktcMtaDevRealmUnsolicitedKeyMaxRetries, pktcMtaDevRealmStatus, pktcMtaDevCmsKerbRealmName, pktcMtaDevCmsUnsolicitedKeyMaxTimeout, pktcMtaDevCmsUnsolicitedKeyNomTimeout, pktcMtaDevCmsUnsolicitedKeyMaxRetries, pktcMtaDevCmsSolicitedKeyTimeout, pktcMtaDevCmsMaxClockSkew, pktcMtaDevCmsStatus, pktcMtaDevCmsIpsecCtrl, pktcMtaDevProvUnsolicitedKeyMaxTimeout, pktcMtaDevProvUnsolicitedKeyNomTimeout, pktcMtaDevProvUnsolicitedKeyMaxRetries, pktcMtaDevProvKerbRealmName, pktcMtaDevProvSolicitedKeyTimeout, pktcMtaDevProvConfigHash, pktcMtaDevProvConfigKey, pktcMtaDevProvState, pktcMtaDevProvisioningTimer, pktcMtaDevProvisioningCounter, pktcMtaDevTelephonyRootCertificate } STATUS current DESCRIPTION "Group of objects for PacketCable MTA MIB." ::= { pktcMtaGroups 1 } pktcMtaNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { pktcMtaDevProvisioningStatus, pktcMtaDevProvisioningEnrollment } STATUS current DESCRIPTION "These notifications deal with change in status of MTA Device." ::= { pktcMtaGroups 2 } END -- Copyright(C) The Internet Society (2001). All Rights Reserved. This -- document and translations of it may be copied and furnished to -- others, and derivative works that comment on or otherwise explain it -- or assist in its implementation may be prepared, copied, published -- and distributed, in whole or in part, without restriction of any -- kind, provided that the above copyright notice and this paragraph -- are included on all such copies and derivative works. However, this -- document itself may not be modified in any way, such as by removing -- the copyright notice or references to the Internet Society or other -- Internet organizations, except as needed for the purpose of -- developing Internet standards in which case the procedures for -- copyrights defined in the Internet Standards process must be -- followed, or as required to translate it into languages other than -- English. -- -- The limited permissions granted above are perpetual and will not be -- revoked by the Internet Society or its successors or assigns. -- -- This document and the information contained herein is provided on an -- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING -- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING -- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION -- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF -- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. --