DOCS-RPHY-SEC-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Counter64, Gauge32 FROM SNMPv2-SMI -- RFC 2578 TruthValue, TEXTUAL-CONVENTION FROM SNMPv2-TC OBJECT-GROUP, MODULE-COMPLIANCE FROM SNMPv2-CONF SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- RFC 3411 InterfaceIndex FROM IF-MIB DocsX509ASN1DEREncodedCertificate FROM DOCS-IETF-BPI2-MIB -- RFC 4131 docsRphyRpdDevInfoUniqueId FROM DOCS-RPHY-MIB clabProjDocsis FROM CLAB-DEF-MIB; docsRphySecMib MODULE-IDENTITY LAST-UPDATED "201810180000Z" -- October 18, 2018 ORGANIZATION "Cable Television Laboratories, Inc" CONTACT-INFO " Postal: Cable Television Laboratories, Inc. 400 Centennial Parkway Louisville, Colorado 80027-1266 U.S.A. Phone: +1 303-661-9100 Fax: +1 303-661-9199 E-mail: mibs@cablelabs.com" DESCRIPTION "This MIB module contains the RPD objects for Security Management, as managed by the CCAP Core. Copyright 2017-2018 Cable Television Laboratories, Inc. All rights reserved." REVISION "201810180000Z" DESCRIPTION "Initial version, created by R-OSSI-N-18.1960-1." ::= { clabProjDocsis 34 } -- --------------------------------------------------------- -- Textual Conventions -- --------------------------------------------------------- -- --------------------------------------------------------------------- -- Main Groups -- --------------------------------------------------------------------- docsRphySecNotifications OBJECT IDENTIFIER ::= { docsRphySecMib 0} docsRphySecObjects OBJECT IDENTIFIER ::= { docsRphySecMib 1} docsRphySecConformance OBJECT IDENTIFIER ::= { docsRphySecMib 2} docsRphySecRpdMibObjects OBJECT IDENTIFIER ::= { docsRphySecObjects 1} docsRphySecCcapMibObjects OBJECT IDENTIFIER ::= { docsRphySecObjects 2} docsRphySecCompliances OBJECT IDENTIFIER ::= { docsRphySecConformance 1 } docsRphySecGroups OBJECT IDENTIFIER ::= { docsRphySecConformance 2 } -- --------------------------------------------------------------------- -- Notification Objects -- --------------------------------------------------------------------- -- --------------------------------------------------------------------- -- CCAP Core RPD Group Objects -- --------------------------------------------------------------------- -- --------------------------------------------------------------------- -- IEEE 802.1x PAE Supplicant Status Table -- --------------------------------------------------------------------- docsRphySecRpdIee8021xPaeSupplicantStatusTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsRphySecRpdIee8021xPaeSupplicantStatusEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table reports status information for the IEEE 802.1x PAE RPD supplicant." ::= { docsRphySecRpdMibObjects 1 } docsRphySecRpdIee8021xPaeSupplicantStatusEntry OBJECT-TYPE SYNTAX DocsRphySecRpdIee8021xPaeSupplicantStatusEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsRphySecRpdIee8021xPaeSupplicantStatusTable" INDEX { docsRphyRpdDevInfoUniqueId, docsRphySecRpdIee8021xPaeSupplicantStatusPortNumber } ::= { docsRphySecRpdIee8021xPaeSupplicantStatusTable 1 } DocsRphySecRpdIee8021xPaeSupplicantStatusEntry ::= SEQUENCE { docsRphySecRpdIee8021xPaeSupplicantStatusPortNumber InterfaceIndex, docsRphySecRpdIee8021xPaeSupplicantStatusAuthenticated TruthValue, docsRphySecRpdIee8021xPaeSupplicantStatusFailed TruthValue, docsRphySecRpdIee8021xPaeSupplicantStatusRetryCount Gauge32 } docsRphySecRpdIee8021xPaeSupplicantStatusPortNumber OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "This attribute reports an interface index indicating the port number associated with this port. Each PAE is uniquely identified by a port number. The port number used is unique amongst all port numbers for the system, and directly or indirectly identifies the Uncontrolled Port that supports the PAE." ::= { docsRphySecRpdIee8021xPaeSupplicantStatusEntry 1 } docsRphySecRpdIee8021xPaeSupplicantStatusAuthenticated OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute will be set to 'true' by PACP if the PAE supplicant currently authenticated, and 'false' if the authentication fails or is revoked." ::= { docsRphySecRpdIee8021xPaeSupplicantStatusEntry 2 } docsRphySecRpdIee8021xPaeSupplicantStatusFailed OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute will be set to 'true' by PACP if the authentication has failed or has been terminated. The cause could be a failure returned by EAP, either immediately or following a reauthentication, an excessive number of attempts to authenticate (either immediately or upon reauthentication). The PACP will set the attribute Authenticated false as well as setting this attribute 'true'." ::= { docsRphySecRpdIee8021xPaeSupplicantStatusEntry 3 } docsRphySecRpdIee8021xPaeSupplicantStatusRetryCount OBJECT-TYPE SYNTAX Gauge32 UNITS "times" MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute reports the count of the number of authentication attempts." ::= { docsRphySecRpdIee8021xPaeSupplicantStatusEntry 4 } -- --------------------------------------------------------------------- -- RPD Certificate Table -- --------------------------------------------------------------------- docsRphySecRpdCertTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsRphySecRpdCertEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table describes the set of known Certificate Authority certificates acquired by the RPD. Reference: Certificate Hierarchy and Profiles section of [RPHY]." ::= { docsRphySecRpdMibObjects 2 } docsRphySecRpdCertEntry OBJECT-TYPE SYNTAX DocsRphySecRpdCertEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsRphySecRpdCertTable. " INDEX { docsRphyRpdDevInfoUniqueId } ::= { docsRphySecRpdCertTable 1 } DocsRphySecRpdCertEntry ::= SEQUENCE { docsRphySecRpdCertDeviceCert DocsX509ASN1DEREncodedCertificate, docsRphySecRpdCertSigningCaCert DocsX509ASN1DEREncodedCertificate } docsRphySecRpdCertDeviceCert OBJECT-TYPE SYNTAX DocsX509ASN1DEREncodedCertificate MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute represents the X509 DER-encoded RPD device certificate." ::= { docsRphySecRpdCertEntry 1 } docsRphySecRpdCertSigningCaCert OBJECT-TYPE SYNTAX DocsX509ASN1DEREncodedCertificate MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute represents the X509 DER-encoded CA certificate that signed the RPD device certificate." ::= { docsRphySecRpdCertEntry 2 } -- --------------------------------------------------------------------- -- Trust Anchor Certificate Table -- --------------------------------------------------------------------- docsRphySecRpdTrustAnchorCertTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsRphySecRpdTrustAnchorCertEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table describes the set of known Certificate Authority certificates use to validate certificates. Reference: Certificate Hierarchy and Profiles section of [RPHY]." ::= { docsRphySecRpdMibObjects 3 } docsRphySecRpdTrustAnchorCertEntry OBJECT-TYPE SYNTAX DocsRphySecRpdTrustAnchorCertEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsRphySecRpdTrustAnchorCertTable. " INDEX { docsRphyRpdDevInfoUniqueId } ::= { docsRphySecRpdTrustAnchorCertTable 1 } DocsRphySecRpdTrustAnchorCertEntry ::= SEQUENCE { docsRphySecRpdTrustAnchorCertTrustAnchorCaCert DocsX509ASN1DEREncodedCertificate } docsRphySecRpdTrustAnchorCertTrustAnchorCaCert OBJECT-TYPE SYNTAX DocsX509ASN1DEREncodedCertificate MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute represents the X509 DER-encoded trust anchor CA certificate used to validate certificates received from the CCAP Core or AAA server." ::= { docsRphySecRpdTrustAnchorCertEntry 1 } -- --------------------------------------------------------------------- -- AAA Server Authorization Table -- --------------------------------------------------------------------- docsRphySecRpdAaaServerAuthTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsRphySecRpdAaaServerAuthEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table reports the authentication status of the AAA Server." ::= { docsRphySecRpdMibObjects 4 } docsRphySecRpdAaaServerAuthEntry OBJECT-TYPE SYNTAX DocsRphySecRpdAaaServerAuthEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsRphySecRpdAaaServerAuthTable. " INDEX { docsRphyRpdDevInfoUniqueId } ::= { docsRphySecRpdAaaServerAuthTable 1 } DocsRphySecRpdAaaServerAuthEntry ::= SEQUENCE { docsRphySecRpdAaaServerAuthStatus INTEGER } docsRphySecRpdAaaServerAuthStatus OBJECT-TYPE SYNTAX INTEGER { authenticated(1), authFailed(2), authNotPerformed(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute reports the authentication status of the AAA Server. The default value is authNotPerformed(3)." ::= { docsRphySecRpdAaaServerAuthEntry 1 } -- --------------------------------------------------------------------- -- CCAP Core Authorization Table -- --------------------------------------------------------------------- docsRphySecRpdCcapCoreAuthTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsRphySecRpdCcapCoreAuthEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table reports the authentication status of the CCAP Core." ::= { docsRphySecRpdMibObjects 5 } docsRphySecRpdCcapCoreAuthEntry OBJECT-TYPE SYNTAX DocsRphySecRpdCcapCoreAuthEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsRphySecRpdCcapCoreAuthTable. " INDEX { docsRphyRpdDevInfoUniqueId } ::= { docsRphySecRpdCcapCoreAuthTable 1 } DocsRphySecRpdCcapCoreAuthEntry ::= SEQUENCE { docsRphySecRpdCcapCoreAuthStatus INTEGER } docsRphySecRpdCcapCoreAuthStatus OBJECT-TYPE SYNTAX INTEGER { authenticated(1), authFailed(2), authNotPerformed(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute reports the authentication status of the CCAP Core. The default value is authNotPerformed(3)." ::= { docsRphySecRpdCcapCoreAuthEntry 1 } -- --------------------------------------------------------------------- -- CCAP Core Group Objects -- --------------------------------------------------------------------- docsRphySecCcapServerCertSubject OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute represents the subject name exactly as it is encoded in the X509 certificate. The organizationName portion of the certificate's subject name must be present. All other fields are optional. Any optional field present must be prepended with (carriage return, U+000D) (line feed, U+000A). Ordering of fields present must conform to the following: organizationName countryName stateOrProvinceName localityName organizationalUnitName organizationalUnitName= commonName " ::= { docsRphySecCcapMibObjects 1 } docsRphySecCcapServerCertIssuer OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute represents the issuer name exactly as it is encoded in the X509 certificate. The commonName portion of the certificate's issuer name must be present. All other fields are optional. Any optional field present must be prepended with (carriage return, U+000D) (line feed, U+000A). Ordering of fields present must conform to the following: commonName countryName stateOrProvinceName localityName organizationalUnitName organizationalUnitName= " ::= { docsRphySecCcapMibObjects 2 } docsRphySecCcapServerCertSerialNumber OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..32)) MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute represents the certificate's serial number, represented as an octet string. " ::= { docsRphySecCcapMibObjects 3 } docsRphySecCcapServerCertSource OBJECT-TYPE SYNTAX INTEGER { snmp(1), configurationFile (2), externalDatabase (3), other (4), authentInfo (5), compiledIntoCode (6) } MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute indicates how the certificate reached the CCAP Core. Other (4) means that it originated from a source not identified above." ::= { docsRphySecCcapMibObjects 4 } docsRphySecCcapServerCertCert OBJECT-TYPE SYNTAX DocsX509ASN1DEREncodedCertificate MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute represents an X509 DER-encoded CCAP Core certificate." ::= { docsRphySecCcapMibObjects 5 } docsRphySecCcapServerCertCertThumbprint OBJECT-TYPE SYNTAX OCTET STRING (SIZE (20)) MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute represents the SHA-1 hash of the CCAP Core certificate. " ::= { docsRphySecCcapMibObjects 6 } -- --------------------------------------------------------- -- Conformance definitions -- --------------------------------------------------------- docsRphySecCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for CCAP Core and RPD Security Management." MODULE -- docsRphySecMib -- conditionally mandatory groups GROUP docsRphySecRpdGroup DESCRIPTION "Group of objects applicable to RPDs only. These objects are implemented on the CCAP Core but are derived from the RPD via the GCP protocol." GROUP docsRphySecCcapGroup DESCRIPTION "Group of objects implemented to support security in CCAP Core." -- conditionally optional groups ::= { docsRphySecCompliances 1} docsRphySecRpdGroup OBJECT-GROUP OBJECTS { docsRphySecRpdIee8021xPaeSupplicantStatusAuthenticated, docsRphySecRpdIee8021xPaeSupplicantStatusFailed, docsRphySecRpdIee8021xPaeSupplicantStatusRetryCount, docsRphySecRpdCertDeviceCert, docsRphySecRpdCertSigningCaCert, docsRphySecRpdTrustAnchorCertTrustAnchorCaCert, docsRphySecRpdAaaServerAuthStatus, docsRphySecRpdCcapCoreAuthStatus } STATUS current DESCRIPTION "Group of objects implemented in CCAP Cores which represent RPD managed objects derived via the GCP protocol." ::= { docsRphySecGroups 1 } docsRphySecCcapGroup OBJECT-GROUP OBJECTS { docsRphySecCcapServerCertSubject, docsRphySecCcapServerCertIssuer, docsRphySecCcapServerCertSerialNumber, docsRphySecCcapServerCertSource, docsRphySecCcapServerCertCert, docsRphySecCcapServerCertCertThumbprint } STATUS current DESCRIPTION "Group of objects implemented to support security in CCAP Core." ::= { docsRphySecGroups 2 } END