DOCS-SEC-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Counter32 FROM SNMPv2-SMI -- RFC 2578 TEXTUAL-CONVENTION, TruthValue, MacAddress, RowStatus, DateAndTime FROM SNMPv2-TC -- RFC 2579 OBJECT-GROUP, MODULE-COMPLIANCE FROM SNMPv2-CONF -- RFC 2580 SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- RFC 3411 SnmpTagList FROM SNMP-TARGET-MIB -- RFC 3411 InetAddressType, InetAddress, InetAddressPrefixLength, InetPortNumber FROM INET-ADDRESS-MIB -- RFC 4001 docsIf3CmtsCmRegStatusEntry, docsIf3CmtsCmRegStatusId FROM DOCS-IF3-MIB clabProjDocsis FROM CLAB-DEF-MIB docsBpi2CodeDownloadControl FROM DOCS-IETF-BPI2-MIB; docsSecMib MODULE-IDENTITY LAST-UPDATED "201503260000Z" -- March 26, 2015 ORGANIZATION "Cable Television Laboratories, Inc." CONTACT-INFO " Postal: Cable Television Laboratories, Inc. 858 Coal Creek Circle Louisville, Colorado 80027-9750 U.S.A. Phone: +1 303-661-9100 Fax: +1 303-661-9199 E-mail: mibs@cablelabs.com" DESCRIPTION "This MIB module contains the management objects for the management of the security requirements in the DOCSIS Security Specification." REVISION "201503260000Z" -- March 26, 2015 DESCRIPTION "Revised Version includes ECN CM-OSSIv3.1-N-15.1243-1 and published as CM-OSSIv3.1-I03, to support docsBpi2CodeUpdateCvcChain for DOCSIS 3.1." REVISION "201001150000Z" -- January 15, 2010 DESCRIPTION "Revised Version includes ECN OSSIv3.0-N-09.0872-4 and published as I11" REVISION "200905290000Z" -- May 29, 2009 DESCRIPTION "Revised Version includes ECNs OSSIv3.0-N-09.0773-1 OSSIv3.0-N-09.0775-3 OSSIv3.0-N-09.0777-2 and published as I09" REVISION "200702230000Z" -- February 23, 2007 DESCRIPTION "Revised Version includes ECN OSSIv3.0-N-06.0357-1 and published as IO2" REVISION "200612071700Z" -- December 7, 2006 DESCRIPTION "Initial version, published as part of the CableLabs OSSIv3.0 specification CM-SP-OSSIv3.0-I01-061207 Copyright 1999-2006 Cable Television Laboratories, Inc. All rights reserved." ::= { clabProjDocsis 11} -- Textual Conventions DocsCvcCaCertificateChain ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A degenerate PKCS7 signedData structure that contains the CVC and the CVC CA certificate chain in the certificates field." SYNTAX OCTET STRING (SIZE (0..8192)) -- Object Definitions docsSecMibObjects OBJECT IDENTIFIER ::= { docsSecMib 1 } docsSecCmtsServerCfg OBJECT IDENTIFIER ::= { docsSecMibObjects 1 } docsSecCmtsServerCfgTftpOptions OBJECT-TYPE SYNTAX BITS { hwAddr(0), netAddr(1) } MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute instructs the CMTS to insert the source IP address and/or MAC address of received TFTP packets into the TFTP option fields before forwarding the packets to the Config File server. This attribute is only applicable when the TftpProxyEnabled attribute of the MdCfg object is 'true'." REFERENCE "DOCSIS 3.0 Operations Support System Interface Specification CM-SP-OSSIv3.0-I01-061207, MdCfg Object Section in the Media Access Control (MAC) Requirements Annex." DEFVAL { { } } ::= { docsSecCmtsServerCfg 1 } docsSecCmtsServerCfgConfigFileLearningEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute enables and disables Configuration File Learning functionality. If this attribute is set to 'true' the CMTS will respond with Authentication Failure in the REG-RSP message when there is a mismatch between learned config file parameters and REG-REQ parameters. If this attribute is set to 'false', the CMTS will not execute config file learning and mismatch check. This attribute is only applicable when the TftpProxyEnabled attribute of the MdCfg object is 'true'." REFERENCE "DOCSIS 3.0 Operations Support System Interface Specification CM-SP-OSSIv3.0-I01-061207, MdCfg Object Section in the Media Access Control (MAC) Requirements Annex. DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I01-060804, Secure Provisioning Section. DOCSIS 3.0 MAC and Upper Layer Protocols Interface Specification CM-SP-MULPIv3.0-I01-060804." DEFVAL { true } ::= { docsSecCmtsServerCfg 2 } docsSecCmtsEncrypt OBJECT IDENTIFIER ::= { docsSecMibObjects 2 } docsSecCmtsEncryptEncryptAlgPriority OBJECT-TYPE SYNTAX SnmpTagList MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute allows for configuration of a prioritized list of encryption algorithms the CMTS will use when selecting the primary SAID encryption algorithm for a given CM. The CMTS selects the highest priority encryption algorithm from this list that the CM supports. By default the following encryption algorithms are listed from highest to lowest priority (left being the highest): 128 bit AES, 56 bit DES, 40 bit DES. An empty list indicates that the CMTS attempts to use the latest and robust encryption algorithm supported by the CM. The CMTS will ignore unknown values or unsupported algorithms." DEFVAL { "aes128CbcMode des56CbcMode des40CbcMode" } ::= { docsSecCmtsEncrypt 1 } docsSecCmtsCmEaeExclusionTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsSecCmtsCmEaeExclusionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object defines a list of CMs or CM groups to exclude from Early Authentication and Encryption (EAE). This object allows overrides to the value of EAE Control for individual CMs or group of CMs for purposes such as debugging. The CMTS supports a minimum of 30 instances of the CmtsCmEaeExclusion object. This object is only applicable when the EarlyAuthEncryptCtrl attribute of the MdCfg object is enabled. This object supports the creation and deletion of multiple instances." REFERENCE "DOCSIS 3.0 Operations Support System Interface Specification CM-SP-OSSIv3.0-I01-061207, MdCfg Object Section in the Media Access Control (MAC) Requirements Annex. DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I01-060804, Early Authentication And Encryption (EAE) Section." ::= { docsSecMibObjects 3} docsSecCmtsCmEaeExclusionEntry OBJECT-TYPE SYNTAX DocsSecCmtsCmEaeExclusionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsSecCmtsCmEaeExclusion. The CMTS persists all instances of CmtsCmEaeExclusion across reinitializations." INDEX { docsSecCmtsCmEaeExclusionId } ::= { docsSecCmtsCmEaeExclusionTable 1 } DocsSecCmtsCmEaeExclusionEntry ::= SEQUENCE { docsSecCmtsCmEaeExclusionId Unsigned32, docsSecCmtsCmEaeExclusionMacAddr MacAddress, docsSecCmtsCmEaeExclusionMacAddrMask MacAddress, docsSecCmtsCmEaeExclusionRowStatus RowStatus } docsSecCmtsCmEaeExclusionId OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This key uniquely identifies the exclusion MAC address rule." ::= { docsSecCmtsCmEaeExclusionEntry 1 } docsSecCmtsCmEaeExclusionMacAddr OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This attribute identifies the CM MAC address. A match is made when a CM MAC address bitwise ANDed with the MacAddrMask attribute equals the value of this attribute." DEFVAL { '000000000000'H } ::= { docsSecCmtsCmEaeExclusionEntry 2 } docsSecCmtsCmEaeExclusionMacAddrMask OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This attribute identifies the CM MAC address mask and is used with the MacAddr attribute." DEFVAL { 'FFFFFFFFFFFF'H } ::= { docsSecCmtsCmEaeExclusionEntry 3 } docsSecCmtsCmEaeExclusionRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Controls and reflects the status of rows in this table. There is no restriction on changing values in a row of this table while the row is active." ::= { docsSecCmtsCmEaeExclusionEntry 4 } docsSecCmtsSavControl OBJECT IDENTIFIER ::= { docsSecMibObjects 4 } docsSecCmtsSavControlCmAuthEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute enables or disables Source Address Verification (SAV) for CM configured policies in the SavCmAuth object. If this attribute is set to 'false', the CM configured policies in the SavCmAuth object are ignored. This attribute is only applicable when the SrcAddrVerificationEnabled attribute of the MdCfg object is 'true'." REFERENCE "DOCSIS 3.0 Operations Support System Interface Specification CM-SP-OSSIv3.0-I01-061207, MdCfg Object Section in the Media Access Control (MAC) Requirements Annex." DEFVAL { true } ::= { docsSecCmtsSavControl 1 } docsSecSavCmAuthTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsSecSavCmAuthEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object defines a read-only set of SAV policies associated with a CM that the CMTS will use in addition to the CMTS verification of an operator assigned IP Address being associated with a CM. When the CMTS has not resolved a source address of a CM CPE, the CMTS verifies if the CM CPE is authorized to pass traffic based on this object. These object policies include a list of subnet prefixes (defined in the SavStaticList object) or a SAV Group Name that could reference a CMTS configured list of subnet prefixes (defined in SavCfgList object) or vendor-specific policies. The CMTS populates the attributes of this object for a CM from that CM's config file. This object is only applicable when the SrcAddrVerificationEnabled attribute of the MdCfg object is 'true' and the CmAuthEnable attribute of the CmtsSavCtrl object is 'true'. The CMTS is not required to persist instances of this object across reinitializations." REFERENCE "DOCSIS 3.0 Operations Support System Interface Specification CM-SP-OSSIv3.0-I01-061207, MdCfg Object Section in the Media Access Control (MAC) Requirements Annex. DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I01-060804, Secure Provisioning Section. DOCSIS 3.0 MAC and Upper Layer Protocols Interface Specification CM-SP-MULPIv3.0-I01-060804, Common Radio Frequency Interface Encodings Annex." ::= { docsSecMibObjects 5} docsSecSavCmAuthEntry OBJECT-TYPE SYNTAX DocsSecSavCmAuthEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsSecSavCmAuth." INDEX { docsIf3CmtsCmRegStatusId } ::= { docsSecSavCmAuthTable 1 } DocsSecSavCmAuthEntry ::= SEQUENCE { docsSecSavCmAuthGrpName SnmpAdminString, docsSecSavCmAuthStaticPrefixListId Unsigned32 } docsSecSavCmAuthGrpName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute references the Name attribute of the SavCfgList object of a CM. If the CM signaled group name is not configured in the CMTS, the CMTS ignores this attribute value for the purpose of Source Address Verification. The CMTS must allow the modification of the GrpName object and use the updated SAV rules for newly discovered CPEs from CMs. When a source IP address is claimed by two CMs (e.g., detected as duplicated), the CMTS must use the current SAV rules defined for both CMs in case the SAV GrpName rules may have been updated. In the case of a persisting conflict, it is up to vendor-implementation to decide what CM should hold the SAV authorization. The zero-length string indicates that no SAV Group was signaled by the CM. The zero-length value or a non-existing reference in the SavCfgList object means the SavCfgListName is ignored for the purpose of SAV." REFERENCE "DOCSIS 3.0 MAC and Upper Layer Protocols Interface Specification CM-SP-MULPIv3.0-I01-060804, Common Radio Frequency Interface Encodings Annex." ::= { docsSecSavCmAuthEntry 1 } docsSecSavCmAuthStaticPrefixListId OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute identifies the reference to a CMTS created subnet prefix list based on the CM signaled static prefix list TLV elements. The CMTS may reuse this attribute value to reference more than one CM when those CMs have signaled the same subnet prefix list to the CMTS. The value zero indicates that no SAV static prefix encodings were signaled by the CM." ::= { docsSecSavCmAuthEntry 2 } docsSecSavCfgListTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsSecSavCfgListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object defines the CMTS configured subnet prefix extension to the SavCmAuth object. This object supports the creation and deletion of multiple instances. Creation of a new instance of this object requires the PrefixAddrType and PrefixAddr attributes to be set." ::= { docsSecMibObjects 6} docsSecSavCfgListEntry OBJECT-TYPE SYNTAX DocsSecSavCfgListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsSecSavCfgList. The CMTS persists all instances of SavCfgList across reinitializations." INDEX { docsSecSavCfgListName, docsSecSavCfgListRuleId } ::= { docsSecSavCfgListTable 1 } DocsSecSavCfgListEntry ::= SEQUENCE { docsSecSavCfgListName SnmpAdminString, docsSecSavCfgListRuleId Unsigned32, docsSecSavCfgListPrefixAddrType InetAddressType, docsSecSavCfgListPrefixAddr InetAddress, docsSecSavCfgListPrefixLen InetAddressPrefixLength, docsSecSavCfgListRowStatus RowStatus } docsSecSavCfgListName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE (1..16)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This attribute is the key that identifies the instance of the SavCmAuth object to which this object extension belongs." ::= { docsSecSavCfgListEntry 1 } docsSecSavCfgListRuleId OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This attribute is the key that identifies a particular subnet prefix rule of an instance of this object." ::= { docsSecSavCfgListEntry 2 } docsSecSavCfgListPrefixAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "This attribute identifies the IP address type of this subnet prefix rule." ::= { docsSecSavCfgListEntry 3 } docsSecSavCfgListPrefixAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This attribute corresponds to the IP address of this subnet prefix rule in accordance to the PrefixAddrType attribute." ::= { docsSecSavCfgListEntry 4 } docsSecSavCfgListPrefixLen OBJECT-TYPE SYNTAX InetAddressPrefixLength MAX-ACCESS read-create STATUS current DESCRIPTION "This attribute defines the length of the subnet prefix to be matched by this rule." ::= { docsSecSavCfgListEntry 5 } docsSecSavCfgListRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The row creation control of this conceptual row. An entry in this table can be set to active only when the following attributes are correctly assigned: PrefixAddrType PrefixAddress There are no restrictions to modify or delete entries in this table." ::= { docsSecSavCfgListEntry 6 } docsSecSavStaticListTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsSecSavStaticListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object defines a subnet prefix extension to the SavCmAuth object based on CM statically signaled subnet prefixes to the CMTS. When a CM signals to the CMTS static subnet prefixes, the CMTS must create a List Id to be referenced by the CM in the SavCmAuth StaticPrefixListId attribute, or the CMTS may reference an existing List Id associated to previously registered CMs in case of those subnet prefixes associated with the List Id match the ones signaled by the CM." REFERENCE "DOCSIS 3.0 MAC and Upper Layer Protocols Interface Specification CM-SP-MULPIv3.0-I01-060804, Common Radio Frequency Interface Encodings Annex." ::= { docsSecMibObjects 7} docsSecSavStaticListEntry OBJECT-TYPE SYNTAX DocsSecSavStaticListEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsSecSavStaticList. The CMTS may persist instances of this object across reinitializations." INDEX { docsSecSavStaticListId, docsSecSavStaticListRuleId } ::= { docsSecSavStaticListTable 1 } DocsSecSavStaticListEntry ::= SEQUENCE { docsSecSavStaticListId Unsigned32, docsSecSavStaticListRuleId Unsigned32, docsSecSavStaticListPrefixAddrType InetAddressType, docsSecSavStaticListPrefixAddr InetAddress, docsSecSavStaticListPrefixLen InetAddressPrefixLength } docsSecSavStaticListId OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This key uniquely identifies the index that groups multiple subnet prefix rules. The CMTS assigns this value per CM or may reuse it among multiple CMs that share the same list of subnet prefixes." ::= { docsSecSavStaticListEntry 1 } docsSecSavStaticListRuleId OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This key identifies a particular static subnet prefix rule of an instance of this object." ::= { docsSecSavStaticListEntry 2 } docsSecSavStaticListPrefixAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute identifies the IP address type of this subnet prefix rule." ::= { docsSecSavStaticListEntry 3 } docsSecSavStaticListPrefixAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute corresponds to the IP address of this subnet prefix rule in accordance to the PrefixAddrType attribute." ::= { docsSecSavStaticListEntry 4 } docsSecSavStaticListPrefixLen OBJECT-TYPE SYNTAX InetAddressPrefixLength MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute defines the length of the subnet prefix to be matched by this rule." ::= { docsSecSavStaticListEntry 5 } docsSecCmtsCmSavStatsTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsSecCmtsCmSavStatsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object provides a read-only list of SAV counters for different service theft indications." ::= { docsSecMibObjects 8} docsSecCmtsCmSavStatsEntry OBJECT-TYPE SYNTAX DocsSecCmtsCmSavStatsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsSecCmtsCmSavStats." AUGMENTS { docsIf3CmtsCmRegStatusEntry } ::= { docsSecCmtsCmSavStatsTable 1 } DocsSecCmtsCmSavStatsEntry ::= SEQUENCE { docsSecCmtsCmSavStatsSavDiscards Counter32 } docsSecCmtsCmSavStatsSavDiscards OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute provides the information about number of dropped upstream packets due to SAV failure." ::= { docsSecCmtsCmSavStatsEntry 1 } docsSecCmtsCertificate OBJECT IDENTIFIER ::= { docsSecMibObjects 9 } docsSecCmtsCertificateCertRevocationMethod OBJECT-TYPE SYNTAX INTEGER { none(1), crl(2), ocsp(3), crlAndOcsp(4) } MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute identifies which certificate revocation method is to be used by the CMTS to verify the cable modem certificate validity. The certificate revocation methods include Certification Revocation List (CRL) and Online Certificate Status Protocol (OCSP). The following options are available: The option 'none' indicates that the CMTS does not attempt to determine the revocation status of a certificate. The option 'crl' indicates the CMTS uses a Certificate Revocation List (CRL) as defined by the Url attribute of the CmtsCertRevocationList object. When the value of this attribute is changed to 'crl', it triggers the CMTS to retrieve the CRL from the URL specified by the Url attribute. If the value of this attribute is 'crl' when the CMTS starts up, it triggers the CMTS to retrieve the CRL from the URL specified by the Url attribute. The option 'ocsp' indicates the CMTS uses the Online Certificate Status Protocol (OCSP) as defined by the Url attribute of the CmtsOnlineCertStatusProtocol object. The option 'crlAndOcsp' indicates the CMTS uses both the CRL as defined by the Url attribute in the CmtsCertRevocationList object and OCSP as defined by the Url attribute in the CmtsOnlineCertStatusProtocol object. The CMTS persists the values of the CertRevocationMethod attribute across reinitializations." DEFVAL { none } ::= { docsSecCmtsCertificate 1 } docsSecCmtsCertRevocationList OBJECT IDENTIFIER ::= { docsSecMibObjects 10 } docsSecCmtsCertRevocationListUrl OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute contains the URL from where the CMTS will retrieve the CRL. When this attribute is set to a URL value different from the current value, it triggers the CMTS to retrieve the CRL from that URL. If the value of this attribute is a zero-length string, the CMTS does not attempt to retrieve the CRL. The CMTS persists the value of Url across reinitializations." REFERENCE "DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I01-060804, BPI+ X.509 Certificate Profile and Management Section." DEFVAL { "" } ::= { docsSecCmtsCertRevocationList 1 } docsSecCmtsCertRevocationListRefreshInterval OBJECT-TYPE SYNTAX Unsigned32 (1..524160) UNITS "minutes" MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute contains the refresh interval for the CMTS to retrieve the CRL (referred to in the Url attribute) with the purpose of updating its Certificate Revocation List. This attribute is meaningful if the tbsCertList.nextUpdate attribute does not exist in the last retrieved CRL, otherwise the value 0 is returned. The CMTS persists the value of RefreshInterval across reinitializations." REFERENCE "DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I01-060804, BPI+ X.509 Certificate Profile and Management Section." DEFVAL { 10080 } ::= { docsSecCmtsCertRevocationList 2 } docsSecCmtsCertRevocationListLastUpdate OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-only STATUS current DESCRIPTION "This attribute contains the last date and time when the CRL was retrieved by the CMTS. If the CRL has not been updated, then this variable shall have the value corresponding to January 1, year 0000, 00:00:00.0, which is encoded as (hex)'00 00 01 01 00 00 00 00'." ::= { docsSecCmtsCertRevocationList 3 } docsSecCmtsOnlineCertStatusProtocol OBJECT IDENTIFIER ::= { docsSecMibObjects 11 } docsSecCmtsOnlineCertStatusProtocolUrl OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute contains the URL string to retrieve OCSP information. If the value of this attribute is a zero-length string, the CMTS does not attempt to request the status of a CM certificate. The CMTS persists the value of Url across reinitializations." REFERENCE "DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I01-060804, BPI+ X.509 Certificate Profile and Management Section. RFC 2560." DEFVAL { "" } ::= { docsSecCmtsOnlineCertStatusProtocol 1 } docsSecCmtsOnlineCertStatusProtocolSignatureBypass OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute enables or disables signature checking on OCSP response messages. The CMTS persists the value of SignatureBypass across reinitializations." REFERENCE "DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I01-060804, BPI+ X.509 Certificate Profile and Management Section. RFC 2560." DEFVAL { false } ::= { docsSecCmtsOnlineCertStatusProtocol 2 } docsSecCmtsCmBpi2EnforceExclusionTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsSecCmtsCmBpi2EnforceExclusionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object defines a list of CMs or CM groups to exclude from BPI+ enforcement policies configured within the CMTS. This object allows overrides to the value of BPI+ enforcement control for individual CMs or group of CMs for purposes such as debugging. The CMTS supports a minimum of 30 instances of the CmtsCmBpi2EnforceExclusion object. This object supports the creation and deletion of multiple instances." REFERENCE "DOCSIS 3.0 Operations Support System Interface Specification CM-SP-OSSIv3.0-I11-100115, MdCfg Object Section in the Media Access Control (MAC) Requirements Annex. DOCSIS 3.0 Security Specification CM-SP-SECv3.0-I12-100115, BPI+ Enforce Section." ::= { docsSecMibObjects 12} docsSecCmtsCmBpi2EnforceExclusionEntry OBJECT-TYPE SYNTAX DocsSecCmtsCmBpi2EnforceExclusionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The conceptual row of docsSecCmtsCmBpi2EnforceExclusion. The CMTS persists all instances of CmtsCmBpi2EnforceExclusion across reinitializations." INDEX { docsSecCmtsCmBpi2EnforceExclusionId } ::= { docsSecCmtsCmBpi2EnforceExclusionTable 1 } DocsSecCmtsCmBpi2EnforceExclusionEntry ::= SEQUENCE { docsSecCmtsCmBpi2EnforceExclusionId Unsigned32, docsSecCmtsCmBpi2EnforceExclusionMacAddr MacAddress, docsSecCmtsCmBpi2EnforceExclusionMacAddrMask MacAddress, docsSecCmtsCmBpi2EnforceExclusionRowStatus RowStatus } docsSecCmtsCmBpi2EnforceExclusionId OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This key uniquely identifies the exclusion MAC address rule." ::= { docsSecCmtsCmBpi2EnforceExclusionEntry 1 } docsSecCmtsCmBpi2EnforceExclusionMacAddr OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This attribute identifies the CM MAC address. A match is made when a CM MAC address bitwise ANDed with the MacAddrMask attribute equals the value of this attribute." DEFVAL { '000000000000'H } ::= { docsSecCmtsCmBpi2EnforceExclusionEntry 2 } docsSecCmtsCmBpi2EnforceExclusionMacAddrMask OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This attribute identifies the CM MAC address mask and is used with the MacAddr attribute." DEFVAL { 'FFFFFFFFFFFF'H } ::= { docsSecCmtsCmBpi2EnforceExclusionEntry 3 } docsSecCmtsCmBpi2EnforceExclusionRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Controls and reflects the status of rows in this table. There is no restriction on changing values in a row of this table while the row is active." ::= { docsSecCmtsCmBpi2EnforceExclusionEntry 4 } -- -- DOCS-IETF-BPI2-MIB extension -- -- As RFC-4131 is a released RFC its MIB definition cannot be readily -- modified. However, it can be extended in another MIB definition and -- that is being done here to support a D3.1 security requirement. -- docsBpi2CodeUpdateCvcChain OBJECT-TYPE SYNTAX DocsCvcCaCertificateChain MAX-ACCESS read-write STATUS current DESCRIPTION "The value of this object is a degenerate PKCS7 signedData structure that contains the CVC and the CVC CA certificate chain in the certificates field. Setting this object triggers the device to verify the CVC and update the cvcAccessStart values. The content of this object is then discarded. If the device is not enabled to upgrade codefiles, or if the CVC verification fails, the CVC will be rejected. Reading this object always returns the zero-length OCTET STRING." REFERENCE "DOCSIS 3.1 Security Specification, CM-SP-SECv3.1-I02-150326, Secure Software Download Section" ::= { docsBpi2CodeDownloadControl 10 } -- Conformance Definitions docsSecMibConformance OBJECT IDENTIFIER ::= { docsSecMib 2 } docsSecMibCompliances OBJECT IDENTIFIER ::= { docsSecMibConformance 1 } docsSecMibGroups OBJECT IDENTIFIER ::= { docsSecMibConformance 2 } docsSecCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for CMTSs that implement the DOCSIS Security MIB." MODULE -- this MODULE MANDATORY-GROUPS { docsSecGroup } ::= { docsSecMibCompliances 1 } docsSecCmCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for CMs that implement the DOCSIS Security MIB." MODULE -- this MODULE MANDATORY-GROUPS { docsSecCmGroup } ::= { docsSecMibCompliances 2 } docsSecGroup OBJECT-GROUP OBJECTS { docsSecCmtsCertRevocationListUrl, docsSecCmtsCertRevocationListRefreshInterval, docsSecCmtsCertRevocationListLastUpdate, docsSecCmtsOnlineCertStatusProtocolUrl, docsSecCmtsOnlineCertStatusProtocolSignatureBypass, docsSecCmtsServerCfgTftpOptions, docsSecCmtsServerCfgConfigFileLearningEnable, docsSecCmtsEncryptEncryptAlgPriority, docsSecCmtsSavControlCmAuthEnable, docsSecCmtsCmEaeExclusionMacAddr, docsSecCmtsCmEaeExclusionMacAddrMask, docsSecCmtsCmEaeExclusionRowStatus, docsSecSavCmAuthGrpName, docsSecSavCmAuthStaticPrefixListId, docsSecSavCfgListPrefixAddrType, docsSecSavCfgListPrefixAddr, docsSecSavCfgListPrefixLen, docsSecSavCfgListRowStatus, docsSecSavStaticListPrefixAddrType, docsSecSavStaticListPrefixAddr, docsSecSavStaticListPrefixLen, docsSecCmtsCmSavStatsSavDiscards, docsSecCmtsCertificateCertRevocationMethod, docsSecCmtsCmBpi2EnforceExclusionMacAddr, docsSecCmtsCmBpi2EnforceExclusionMacAddrMask, docsSecCmtsCmBpi2EnforceExclusionRowStatus } STATUS current DESCRIPTION "Group of objects implemented in the CMTS." ::= { docsSecMibGroups 1 } docsSecCmGroup OBJECT-GROUP OBJECTS { docsBpi2CodeUpdateCvcChain } STATUS current DESCRIPTION "Group of objects implemented in the CM." ::= { docsSecMibGroups 2 } END