@Home Network
August 1999
DOCSIS Cable Device MIB
Cable Device Management Information Base
for DOCSIS compliant Cable Modems and
Cable Modem Termination Systems
Status of this Memo
-
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
-
Copyright © The Internet Society (1999). All Rights Reserved.
Abstract
-
This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines a basic set of managed objects for SNMP- based management of DOCSIS 1.0 compliant Cable Modems and Cable Modem Termination Systems.
This memo specifies a MIB module in a manner that is compliant to the SNMP SMIv2 [5][6][7]. The set of objects is consistent with the SNMP framework and existing SNMP standards.
This memo is a product of the IPCDN working group within the Internet Engineering Task Force. Comments are solicited and should be addressed to the working group's mailing list at ipcdn@terayon.com and/or the author.
Table of Contents
-
1 The SNMP Management Framework ................................... 2 2 Glossary ........................................................ 3 2.1 CATV .......................................................... 3 2.2 CM ............................................................ 3 2.3 CMTS .......................................................... 4 2.4 DOCSIS ........................................................ 4 2.5 Downstream .................................................... 4 2.6 Head-end ...................................................... 4 2.7 MAC Packet .................................................... 4 2.8 MCNS .......................................................... 4 2.9 RF ............................................................ 4 2.10 Upstream ..................................................... 4 3 Overview ........................................................ 4 3.1 Structure of the MIB .......................................... 5 3.2 Management requirements ....................................... 6 3.2.1 Handling of Software upgrades ............................... 6 3.2.2 Events and Traps ............................................ 6 3.2.3 Trap Throttling ............................................. 8 3.2.3.1 Trap rate throttling ...................................... 8 3.2.3.2 Limiting the trap rate .................................... 8 3.3 Protocol Filters .............................................. 9 3.3.1 Inbound LLC Filters - docsDevFilterLLCTable ................ 10 3.3.2 Special Filters ............................................ 10 3.3.2.1 IP Spoofing Filters - docsDevCpeTable .................... 10 3.3.2.2 SNMP Access Filters - docsDevNmAccessTable ............... 10 3.3.3 IP Filtering - docsDevIpFilterTable ........................ 11 3.3.4 Outbound LLC Filters ....................................... 13 4 Definitions .................................................... 13 5 Acknowledgments ................................................ 51 6 References ..................................................... 51 7 Security Considerations ........................................ 52 8 Intellectual Property .......................................... 54 9 Author's Address ............................................... 54 10 Full Copyright Statement ...................................... 55
1. The SNMP Management Framework
-
The SNMP Management Framework presently consists of five major components:
o An overall architecture, described in RFC 2571 [1]. o Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in STD 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The second version, called SMIv2, is described in STD 58, RFC 2578 [5], STD 58, RFC 2579 [6] and STD 58, RFC 2580 [7]. o Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in STD 15, RFC 1157 [8]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC
-
1906 [10]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [10], RFC 2572 [11] and RFC 2574 [12].
o Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in STD 15, RFC 1157 [8]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [13]. o A set of fundamental applications described in RFC 2573 [14] and the view-based access control mechanism described in RFC 2575 [15].
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB.
-
2. Glossary
-
The terms in this document are derived either from normal cable system usage, or from the documents associated with the Data Over Cable Service Interface Specification process.
2.1. CATV
-
Originally "Community Antenna Television", now used to refer to any cable or hybrid fiber and cable system used to deliver video signals to a community.
2.2. CM Cable Modem.
-
A CM acts as a "slave" station in a DOCSIS compliant cable data system.
2.3. CMTS Cable Modem Termination System.
-
A generic term covering a cable bridge or cable router in a head-end. A CMTS acts as the master station in a DOCSIS compliant cable data system. It is the only station that transmits downstream, and it controls the scheduling of upstream transmissions by its associated CMs.
2.4. DOCSIS
-
"Data Over Cable Interface Specification". A term referring to the ITU-T J.112 Annex B standard for cable modem systems [20].
2.5. Downstream
-
The direction from the head-end towards the subscriber.
2.6. Head-end
-
The origination point in most cable systems of the subscriber video signals. Generally also the location of the CMTS equipment.
2.7. MAC Packet
-
A DOCSIS PDU.
2.8. MCNS
-
"Multimedia Cable Network System". Generally replaced in usage by DOCSIS.
2.9. RF
-
Radio Frequency.
2.10. Upstream
-
The direction from the subscriber towards the head-end.
3. Overview
-
This MIB provides a set of objects required for the management of DOCSIS compliant Cable Modems (CM) and Cable Modem Termination Systems (CMTS). The specification is derived from the DOCSIS Radio Frequency Interface specification [16]. Please note that the DOCSIS 1.0 standard only requires Cable Modems to implement SNMPv1 and to
process IPv4 customer traffic. Design choices in this MIB reflect those requirements. Future versions of the DOCSIS standard are expected to require support for SNMPv3 and IPv6 as well.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [19].
3.1. Structure of the MIB
-
This MIB is structured into seven groups:
o The docsDevBase group extends the MIB-II 'system' group with objects needed for cable device system management. o The docsDevNmAccessGroup provides a minimum level of SNMP access security (see Section 3 of [18]). o The docsDevSoftware group provides information for network- downloadable software upgrades. See "Handling of Software Upgrades" below.. o The docsDevServer group provides information about the progress of the interaction between the CM or CMTS and various provisioning servers. o The docsDevEvent group provides control and logging for event reporting. o The docsDevFilter group configures filters at link layer and IP layer for bridged data traffic. This group consists of a link-layer filter table, docsDevFilterLLCTable, which is used to manage the processing and forwarding of non-IP traffic; an IP packet classifier table, docsDevFilterIpTable, which is used to map classes of packets to specific policy actions; a policy table, docsDevFilterPolicyTable, which maps zero or more policy actions onto a specific packet classification, and one or more policy action tables.
-
-
At this time, this MIB specifies only one policy action table, docsDevFilterTosTable, which allows the manipulation of the type of services bits in an IP packet based on matching some criteria. The working group may add additional policy types and action tables in the future, for example to allow QOS to modem service identifier assignment based on destination.
-
o The docsDevCpe group provides control over which IP addresses may be used by customer premises equipment (e.g. PCs) serviced by a given cable modem. This provides anti-spoofing control at the point of origin for a large cable modem system. This group is separate from docsDevFilter primarily as this group is only implemented on the Cable Modem (CM) and MUST NOT be implemented on the Cable Modem Termination System (CMTS).
-
3.2. Management requirements
3.2.1. Handling of Software upgrades
-
The Cable Modem software upgrade process is documented in [16]. From a network management station, the operator:
o sets docsDevSwServer to the address of the TFTP server for software upgrades o sets docsDevSwFilename to the file pathname of the software upgrade image o sets docsDevSwAdminStatus to upgrade-from-mgt
One reason for the SNMP-initiated upgrade is to allow loading of a temporary software image (e.g., special diagnostic software) that differs from the software normally used on that device without changing the provisioning database.
Note that software upgrades should not be accepted blindly by the cable device. The cable device may refuse an upgrade if:
o The download is incomplete. o The file contents are incomplete or damaged. o The software is not intended for that hardware device (may include the case of a feature set that has not been purchased for this device).
3.2.2. Events and Traps
-
This MIB provides control facilities for reporting events through syslog, traps, and non-volatile logging. If events are reported through traps, the specified conventions must be followed. Other means of event reporting are outside the scope of this document.
The definition and coding of events is vendor-specific. In deference to the network operator who must troubleshoot multi-vendor networks, the circumstances and meaning of each event should be reported as human-readable text. Vendors SHOULD provide time-of-day clocks in CMs to provide useful timestamping of events.
For each vendor-specific event that is reportable via TRAP, the vendor must create an enterprise-specific trap definition. Trap definitions MUST include the event reason encoded as DisplayString and should be defined as:
trapName NOTIFICATION-TYPE
OBJECTS { ifIndex, eventReason, other useful objects } STATUS current DESCRIPTION "trap description" ::= Object Id
Note that ifIndex is only included if the event or trap is interface related.
An example (fake) vendor defined trap might be:
xyzVendorModemDropout NOTIFICATION-TYPE
OBJECTS { eventReason, xyzModemHighWatermarkCount } STATUS current DESCRIPTION "Sent by a CMTS when a configurable number of modems (xyzModemHysteresis) de-register or become unreachable during the sampling period (5 minutes). Used to warn a management station about a catastrophic cable plant outage." ::= { xyzTraps 23 } In this example eventReason is a DisplayString providing a human readable error message, and xyzModemHighWatermarkCount is a Gauge32 which indicates the maximum number of modems during the epoch.
The last digit of the trap OID for enterprise-specific traps must match docsDevEvId. For SNMPv1-capable Network Management systems, this is necessary to correlate the event type to the trap type. Many Network Management systems are only capable of trap filtering on an enterprise and single-last-digit basis.
3.2.3. Trap Throttling
-
The CM and CMTS MUST provide support for trap message throttling as described below. The network operator can employ message rate throttling or trap limiting by manipulating the appropriate MIB variables.
3.2.3.1. Trap rate throttling
-
Network operators may employ either of two rate control methods. In the first method, the device ceases to send traps when the rate exceeds the specified maximum message rate. It resumes sending traps only if reactivated by a network management station request.
In the second method, the device resumes sending traps when the rate falls below the specified maximum message rate.
The network operator configures the specified maximum message rate by setting the measurement interval (in seconds), and the maximum number of traps to be transmitted within the measurement interval. The operator can query the operational throttling state (to determine whether traps are enabled or blocked by throttling) of the device, as well as query and set the administrative throttling state (to manage the rate control method) of the device.
3.2.3.2. Limiting the trap rate
-
Network operators may wish to limit the number of traps sent by a device over a specified time period. The device ceases to send traps when the number of traps exceeds the specified threshold. It resumes sending traps only when the measurement interval has passed.
The network operator defines the maximum number of traps he is willing to handle and sets the measurement interval to a large number (in hundredths of a second). For this case, the administrative throttling state is set to stop at threshold which is the maximum number of traps.
See "Techniques for Managing Asynchronously Generated Alerts" [17] for further information.
3.3. Protocol Filters
-
The Cable Device MIB provides objects for both LLC and IP protocol filters. The LLC protocol filter entries can be used to limit CM forwarding to a restricted set of network-layer protocols (such as IP, IPX, NetBIOS, and Appletalk).
The IP protocol filter entries can be used to restrict upstream or downstream traffic based on source and destination IP addresses, transport-layer protocols (such as TCP, UDP, and ICMP), and source and destination TCP/UDP port numbers.
In general, a cable modem applies filters (or more properly, classifiers) in an order appropriate to the layering model. Specifically, the inbound MAC (or LLC) layer filters are applied first, then the "special" filters, then the IP layer inbound filters, then the IP layer outbound filters, then any final LLC outbound filters. Since the cable modem does not generally do any IP processing (other than that specified by the filters) the processing of the IP in filters and IP out filters can usually be combined into a single step.
*************** * LLC Filters * *************** | | | v | v ************ | *************** * IP Spoof * | * SNMP Access * ************ | *************** | | | v v v **************** * IP Filter In * **************** | v ***************** * IP Filter Out * ***************** | v *********** * LLC Out * ***********
3.3.1. Inbound LLC Filters - docsDevFilterLLCTable
-
The inbound LLC (or MAC or level-2) filters are contained in the docsDevFilterLLCTable and are applied to level-2 frames entering the cable modem from either the RF MAC interface or from one of the CPE (ethernet or other) interfaces. These filters are used to prohibit the processing and forwarding of certain types of level-2 traffic that may be disruptive to the network. The filters, as currently specified, can be set to cause the modem to either drop frames which match at least one filter, or to process a frame which matches at least filter. Some examples of possible configurations would be to only permit IP (and ARP) traffic, or to drop NETBUEI traffic.
3.3.2. Special Filters
-
Special filters are applied after the packet is accepted from the MAC layer by the IP module, but before any other processing is done. They are filters that apply only to a very specific class of traffic.
3.3.2.1. IP Spoofing Filters - docsDevCpeTable
-
IP spoofing filters are applied to packets entering the modem from one of the CPE interfaces and are intended to prevent a subscriber from stealing or mis-using IP addresses that were not assigned to the subscriber. If the filters are active (enabled), the source address of the IP packet must match at least one IP address in this table or it is discarded without further processing.
The table can be automatically populated where the first N different IP addresses seen from the CPE side of the cable modem are used to automatically populate the table. The spoofing filters are specified in the docsDevCpeTable and the policy for automatically creating filters in that table is controlled by docsDevCpeEnroll and docsDevCpeMax as well as the network management agent.
3.3.2.2. SNMP Access Filters - docsDevNmAccessTable
-
The SNMP access filters are applied to SNMP packets entering from any interface and destined for the cable modem. If the packets enter from a CPE interface, the SNMP filters are applied after the IP spoofing filters. The filters only apply to SNMPv1 or SNMPv2c traffic, and are not consulted for SNMPv3 traffic (and need not be implemented by a v3 only agent). SNMPv3 access control is specified in the User Security Model MIB in [12].
3.3.3. IP Filtering - docsDevIpFilterTable
-
The IP Filtering table acts as a classifier table. Each row in the table describes a template against which IP packets are compared. The template includes source and destination addresses (and their associated masks), upper level protocol (e.g. TCP, UDP), source and destination port ranges, TOS and TOS mask. A row also contains interface and traffic direction match values which have to be considered in combination. All columns of a particular row must match the appropriate fields in the packet, and must match the interface and direction items for the packet to result in a match to the packet.
When classifying a packet, the table is scanned beginning with the lowest number filter. If the agent finds a match, it applies the group of policies specified. If the matched filter has the continue bit set, the agent continues the scan possibly matching additional filters and applying additional policies. This allows the agent to take one set of actions for the 24.0.16/255.255.255.0 group and one set of actions for telnet packets to/from 24.0.16.30 and these sets of actions may not be mutually exclusive.
Once a packet is matched, one of three actions happen based on the setting of docsDevFilterIpControl in the row. The packet may be dropped, in which case no further processing is required. The packet may be accepted and processing of the packet continues. Lastly, the packet may have a set of policy actions applied to it. If docsDevFilterIpContinue is set to true, scanning of the table continues and additional matches may result.
When a packet matches, and docsDevFilterIpControl in the filter matched is set to 'policy', the value of docsDevFilterIpPolicyId is used as a selector into the docsDevFilterPolicyTable. The first level of indirection may result in zero or more actions being taken based on the match. The docsDevFilterPolicyTable is scanned in row order and all rows where docsDevFilterPolicyId equals docsDevFilterIpPolicyId have the action specified by docsDevFilterPolicyValue 'executed'. For example, a value pointing to an entry in the docsDevFilterTosTable may result in the re-writing of the TOS bits in the IP packet which was matched. Another possibility may be to assign an output packet to a specific output upstream queue. An even more complex action might be to re-write the TOS value, assign the packet to an upstream service ID, and drop it into a particular IPSEC tunnel.
Example:
docsDevFilterIpTable # Index, SrcIP/Mask, DstIP/Mask,ULP, SrcPts,DstPts,Tos/Mask, # Int/Dir, Pgroup, [continue] # drop any netbios traffic 10, 0/0, 0/0, TCP, any, 137-139, 0/0, any/any, drop # traffic to the proxy gets better service - other matches possible 20, 0/0, proxy/32, TCP, any,any, 0/0, cpe/in, 10, continue # Traffic from CPE 1 gets 'Gold' service, other matches possible 30, cpe1/32, 0/0, any, any,any, 0/0, cpe/in, 20, continue # Traffic from CPE2 to work goes, other traffic dropped 40, cpe2/32, workIPs/24, any, 0/0, cpe/in, accept 45, cpe2/32, 0/0, any, any,ayn, 0/0, cpe/in, drop # Traffic with TOS=4 gets queued on the "silver" queue. 50, 0/0, 0/0, any, any,any, 4/255, cpe/in, 30 # Inbound "server" traffic to low numbered ports gets dropped. 60, 0/0, 0/0, TCP, any,1-1023, 0/0, cpe/out, drop 65, 0/0, 0/0, UDP, any,1-1023, 0/0, cpe/out, drop docsDevFilterIpPolicyTable # # index, policy group, policy 10, 10, queueEntry.20 -- special queue for traffic to proxy 15, 20, queueEntry.15 -- Gold Service queue 20, 20, docsDevFilterTosStatus.10 -- Mark this packet with TOS 5 25, 30, queueEntry.10 -- Silver service queue
This table describes some special processing for packets originating from either the first or second CPE device which results in their queuing on to special upstream traffic queues and for the "gold" service results in having the packets marked with a TOS of 5. The 10, 20, 60 and 65 entries are generic entries that would generally be applied to all traffic to this CM. The 30, 40 and 45 entries are specific to a particular CPE's service assignments. The ordering here is a bit contrived, but is close to what may actually be required by the operator to control various classes of customers.
3.3.4. Outbound LLC Filters
-
Lastly, any outbound LLC filters are applied to the packet just prior to it being emitted on the appropriate interface. This MIB does not specify any outbound LLC filters, but it is anticipated that the QOS additions to the DOCSIS standard may include some outbound LLC filtering requirements. If so, those filters would be applied as described here.
4. Definitions
DOCS-CABLE-DEVICE-MIB DEFINITIONS ::= BEGIN
IMPORTS MODULE-IDENTITY, OBJECT-TYPE, -- do not import BITS, IpAddress, Unsigned32, Counter32, Integer32, zeroDotZero, mib-2 FROM SNMPv2-SMI RowStatus, RowPointer, DateAndTime, TruthValue FROM SNMPv2-TC OBJECT-GROUP, MODULE-COMPLIANCE FROM SNMPv2-CONF SnmpAdminString FROM SNMP-FRAMEWORK-MIB InterfaceIndexOrZero FROM IF-MIB; -- RFC2233
docsDev MODULE-IDENTITY
-
LAST-UPDATED "9908190000Z" -- August 19, 1999 ORGANIZATION "IETF IPCDN Working Group" CONTACT-INFO " Michael StJohns Postal: @Home Network 425 Broadway Redwood City, CA 94063 U.S.A. Phone: +1 650 569 5368 E-mail: stjohns@corp.home.net" DESCRIPTION "This is the MIB Module for MCNS-compliant cable modems and cable-modem termination systems." REVISION "9908190000Z" DESCRIPTION "Initial Version, published as RFC 2669. Modified by Mike StJohns to add/revise filtering, TOS support, software version information objects." ::= { mib-2 69 }
docsDevMIBObjects OBJECT IDENTIFIER ::= { docsDev 1 }
docsDevBase OBJECT IDENTIFIER ::= { docsDevMIBObjects 1 }
--
-- For the following object, there is no concept in the
-- RFI specification corresponding to a backup CMTS. The
-- enumeration is provided here in case someone is able
-- to define such a role or device.
--
docsDevRole OBJECT-TYPE
-
SYNTAX INTEGER { cm(1), cmtsActive(2), cmtsBackup(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "Defines the current role of this device. cm (1) is a Cable Modem, cmtsActive(2) is a Cable Modem Termination System which is controlling the system of cable modems, and cmtsBackup(3) is a CMTS which is currently connected, but not controlling the system (not currently used). In general, if this device is a 'cm', its role will not change during operation or between reboots. If the device is a 'cmts' it may change between cmtsActive and cmtsBackup and back again during normal operation. NB: At this time, the DOCSIS standards do not support the concept of a backup CMTS, cmtsBackup is included for completeness." ::= { docsDevBase 1 }
docsDevDateTime OBJECT-TYPE
-
SYNTAX DateAndTime MAX-ACCESS read-write STATUS current DESCRIPTION "The date and time, with optional timezone information." ::= { docsDevBase 2 }
docsDevResetNow OBJECT-TYPE
-
SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Setting this object to true(1) causes the device to reset. Reading this object always returns false(2)." ::= { docsDevBase 3 }
docsDevSerialNumber OBJECT-TYPE
-
SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The manufacturer's serial number for this device." ::= { docsDevBase 4 }
docsDevSTPControl OBJECT-TYPE
-
SYNTAX INTEGER { stEnabled(1), noStFilterBpdu(2), noStPassBpdu(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object controls operation of the spanning tree protocol (as distinguished from transparent bridging). If set to stEnabled(1) then the spanning tree protocol is enabled, subject to bridging constraints. If noStFilterBpdu(2), then spanning tree is not active, and Bridge PDUs received are discarded. If noStPassBpdu(3) then spanning tree is not active and Bridge PDUs are transparently forwarded. Note that a device need not implement all of these options, but that noStFilterBpdu(2) is required." ::= { docsDevBase 5 }
--
-- The following table provides one level of security for access
-- to the device by network management stations.
-- Note that access is also constrained by the
-- community strings and any vendor-specific security.
--
docsDevNmAccessTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF DocsDevNmAccessEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table controls access to SNMP objects by network management stations. If the table is empty, access to SNMP objects is unrestricted. This table exists only on SNMPv1 or v2c agents and does not exist on SNMPv3 agents. See the conformance section for details. Specifically, for v3 agents, the appropriate MIBs and security models apply in lieu of this table." ::= { docsDevMIBObjects 2 }
docsDevNmAccessEntry OBJECT-TYPE
-
SYNTAX DocsDevNmAccessEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry describing access to SNMP objects by a particular network management station. An entry in this table is not readable unless the management station has read-write permission (either implicit if the table is empty, or explicit through an entry in this table. Entries are ordered by docsDevNmAccessIndex. The first matching entry (e.g. matching IP address and community string) is used to derive access." INDEX { docsDevNmAccessIndex } ::= { docsDevNmAccessTable 1 }
DocsDevNmAccessEntry ::= SEQUENCE {
-
docsDevNmAccessIndex Integer32, docsDevNmAccessIp IpAddress, docsDevNmAccessIpMask IpAddress, docsDevNmAccessCommunity OCTET STRING, docsDevNmAccessControl INTEGER, docsDevNmAccessInterfaces OCTET STRING, docsDevNmAccessStatus RowStatus }
docsDevNmAccessIndex OBJECT-TYPE
-
SYNTAX Integer32 (1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Index used to order the application of access entries." ::= { docsDevNmAccessEntry 1 }
docsDevNmAccessIp OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The IP address (or subnet) of the network management station. The address 255.255.255.255 is defined to mean any NMS. If traps are enabled for this entry, then the value must be the address of a specific device." DEFVAL { 'ffffffff'h } ::= { docsDevNmAccessEntry 2 }
docsDevNmAccessIpMask OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The IP subnet mask of the network management stations. If traps are enabled for this entry, then the value must be 255.255.255.255." DEFVAL { 'ffffffff'h } ::= { docsDevNmAccessEntry 3 }
docsDevNmAccessCommunity OBJECT-TYPE
-
SYNTAX OCTET STRING MAX-ACCESS read-create STATUS current DESCRIPTION "The community string to be matched for access by this entry. If set to a zero length string then any community string will match. When read, this object SHOULD return a zero length string." DEFVAL { "public" } ::= { docsDevNmAccessEntry 4 }
docsDevNmAccessControl OBJECT-TYPE
-
SYNTAX INTEGER { none(1), read(2), readWrite(3), roWithTraps(4), rwWithTraps(5), trapsOnly(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "Specifies the type of access allowed to this NMS. Setting this object to none(1) causes the table entry to be destroyed. Read(2) allows access by 'get' and 'get-next' PDUs. ReadWrite(3) allows access by 'set' as well. RoWithtraps(4), rwWithTraps(5), and trapsOnly(6) control distribution of Trap PDUs transmitted by this device." DEFVAL { read } ::= { docsDevNmAccessEntry 5 }
-- The syntax of the following object was copied from RFC1493,
-- dot1dStaticAllowedToGoTo.
docsDevNmAccessInterfaces OBJECT-TYPE
SYNTAX OCTET STRING MAX-ACCESS read-create STATUS current DESCRIPTION "Specifies the set of interfaces from which requests from this NMS will be accepted. Each octet within the value of this object specifies a set of eight interfaces, with the first octet specifying ports 1 through 8, the second octet specifying interfaces 9 through 16, etc. Within each octet, the most significant bit represents the lowest numbered interface, and the least significant bit represents the highest numbered interface. Thus, each interface is represented by a single bit within the value of this object. If that bit has a value of '1' then that interface is included in the set. Note that entries in this table apply only to link-layer interfaces (e.g., Ethernet and CATV MAC). Upstream and downstream channel interfaces must not be specified." -- DEFVAL is the bitmask corresponding to all interfaces ::= { docsDevNmAccessEntry 6 }
docsDevNmAccessStatus OBJECT-TYPE
-
SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Controls and reflects the status of rows in this table. Rows in this table may be created by either the create-and-go or create-and-wait paradigms. There is no restriction on changing values in a row of this table while the row is active." ::= { docsDevNmAccessEntry 7 }
--
-- Procedures for using the following group are described in section
-- 3.2.1 of the DOCSIS Radio Frequence Interface Specification
--
docsDevSoftware OBJECT IDENTIFIER ::= { docsDevMIBObjects 3 }
docsDevSwServer OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The address of the TFTP server used for software upgrades. If the TFTP server is unknown, return 0.0.0.0." ::= { docsDevSoftware 1 }
docsDevSwFilename OBJECT-TYPE
-
SYNTAX SnmpAdminString (SIZE (0..64)) MAX-ACCESS read-write STATUS current DESCRIPTION "The file name of the software image to be loaded into this device. Unless set via SNMP, this is the file name specified by the provisioning server that corresponds to the software version that is desired for this device. If unknown, the string '(unknown)' is returned." ::= { docsDevSoftware 2 }
docsDevSwAdminStatus OBJECT-TYPE
-
SYNTAX INTEGER { upgradeFromMgt(1), allowProvisioningUpgrade(2), ignoreProvisioningUpgrade(3) } MAX-ACCESS read-write STATUS current DESCRIPTION "If set to upgradeFromMgt(1), the device will initiate a TFTP software image download using docsDevSwFilename. After successfully receiving an image, the device will set its state to ignoreProvisioningUpgrade(3) and reboot. If the download process is interrupted by a reset or power failure, the device will load the previous image and, after re-initialization, continue to attempt loading the image specified in docsDevSwFilename.
-
-
-
If set to allowProvisioningUpgrade(2), the device will use the software version information supplied by the provisioning server when next rebooting (this does not cause a reboot).
When set to ignoreProvisioningUpgrade(3), the device will disregard software image upgrade information from the provisioning server.
Note that reading this object can return upgradeFromMgt(1). This indicates that a software download is currently in progress, and that the device will reboot after successfully receiving an image.
-
-
At initial startup, this object has the default value of allowProvisioningUpgrade(2)." ::= { docsDevSoftware 3 }
-
docsDevSwOperStatus OBJECT-TYPE
-
SYNTAX INTEGER { inProgress(1), completeFromProvisioning(2), completeFromMgt(3), failed(4), other(5) } MAX-ACCESS read-only STATUS current DESCRIPTION "InProgress(1) indicates that a TFTP download is underway, either as a result of a version mismatch at provisioning or as a result of a upgradeFromMgt request. CompleteFromProvisioning(2) indicates that the last software upgrade was a result of version mismatch at provisioning. CompleteFromMgt(3) indicates that the last software upgrade was a result of setting docsDevSwAdminStatus to upgradeFromMgt. Failed(4) indicates that the last attempted download failed, ordinarily due to TFTP timeout." REFERENCE "DOCSIS Radio Frequency Interface Specification, Section 8.2, Downloading Cable Modem Operating Software." ::= { docsDevSoftware 4 }
docsDevSwCurrentVers OBJECT-TYPE
SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The software version currently operating in this device. This object should be in the syntax used by the individual vendor to identify software versions. Any CM MUST return a string descriptive of the current software load. For a CMTS, this object SHOULD contain either a human readable representation of the vendor specific designation of the software for the chassis, or of the software for the control processor. If neither of these is applicable, this MUST contain an empty string." ::= { docsDevSoftware 5 } -- -- The following group describes server access and parameters used for -- initial provisioning and bootstrapping. --
docsDevServer OBJECT IDENTIFIER ::= { docsDevMIBObjects 4 }
docsDevServerBootState OBJECT-TYPE
-
SYNTAX INTEGER { operational(1), disabled(2), waitingForDhcpOffer(3), waitingForDhcpResponse(4), waitingForTimeServer(5), waitingForTftp(6), refusedByCmts(7), forwardingDenied(8), other(9), unknown(10) } MAX-ACCESS read-only STATUS current DESCRIPTION "If operational(1), the device has completed loading and processing of configuration parameters and the CMTS has completed the Registration exchange. If disabled(2) then the device was administratively disabled, possibly by being refused network access in the configuration file. If waitingForDhcpOffer(3) then a DHCP Discover has been transmitted and no offer has yet been received. If waitingForDhcpResponse(4) then a DHCP Request has been transmitted and no response has yet been received. If waitingForTimeServer(5) then a Time Request has been transmitted and no response has yet been received. If waitingForTftp(6) then a request to the TFTP parameter server has been made and no response received. If refusedByCmts(7) then the Registration Request/Response exchange with the CMTS failed. If forwardingDenied(8) then the registration process completed, but the network access option in the received configuration file prohibits forwarding. " REFERENCE "DOCSIS Radio Frequency Interface Specification, Figure 7-1, CM Initialization Overview." ::= { docsDevServer 1 }
docsDevServerDhcp OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the DHCP server that assigned an IP address to this device. Returns 0.0.0.0 if DHCP was not used for IP address assignment." ::= { docsDevServer 2 }
docsDevServerTime OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the Time server (RFC-868). Returns 0.0.0.0 if the time server IP address is unknown." ::= { docsDevServer 3 }
docsDevServerTftp OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the TFTP server responsible for downloading provisioning and configuration parameters to this device. Returns 0.0.0.0 if the TFTP server address is unknown." ::= { docsDevServer 4 }
docsDevServerConfigFile OBJECT-TYPE
SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "The name of the device configuration file read from the TFTP server. Returns an empty string if the configuration file name is unknown." ::= { docsDevServer 5 } -- -- Event Reporting --
docsDevEvent OBJECT IDENTIFIER ::= { docsDevMIBObjects 5 }
docsDevEvControl OBJECT-TYPE
-
SYNTAX INTEGER { resetLog(1), useDefaultReporting(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Setting this object to resetLog(1) empties the event log. All data is deleted. Setting it to useDefaultReporting(2) returns all event priorities to their factory-default reporting. Reading this object always returns useDefaultReporting(2)." ::= { docsDevEvent 1 }
docsDevEvSyslog OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-write STATUS current DESCRIPTION "The IP address of the Syslog server. If 0.0.0.0, syslog transmission is inhibited." ::= { docsDevEvent 2 }
docsDevEvThrottleAdminStatus OBJECT-TYPE
-
SYNTAX INTEGER { unconstrained(1), maintainBelowThreshold(2), stopAtThreshold(3), inhibited(4) } MAX-ACCESS read-write STATUS current DESCRIPTION "Controls the transmission of traps and syslog messages with respect to the trap pacing threshold. unconstrained(1) causes traps and syslog messages to be transmitted without regard to the threshold settings.
-
-
-
maintainBelowThreshold(2) causes trap transmission and syslog messages to be suppressed if the number of traps would otherwise exceed the threshold. stopAtThreshold(3) causes trap transmission to cease at the threshold, and not resume until directed to do so. inhibited(4) causes all trap transmission and syslog messages to be suppressed.
A single event is always treated as a single event for threshold counting. That is, an event causing both a trap and a syslog message is still treated as a single event.
Writing to this object resets the thresholding state.
-
-
At initial startup, this object has a default value of unconstrained(1)." ::= { docsDevEvent 3 }
-
docsDevEvThrottleInhibited OBJECT-TYPE
-
SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "If true(1), trap and syslog transmission is currently inhibited due to thresholds and/or the current setting of docsDevEvThrottleAdminStatus. In addition, this is set to true(1) if transmission is inhibited due to no syslog (docsDevEvSyslog) or trap (docsDevNmAccessEntry) destinations having been set." ::= { docsDevEvent 4 }
docsDevEvThrottleThreshold OBJECT-TYPE
-
SYNTAX Unsigned32 MAX-ACCESS read-write STATUS current DESCRIPTION "Number of trap/syslog events per docsDevEvThrottleInterval to be transmitted before throttling.
-
-
-
A single event is always treated as a single event for threshold counting. That is, an event causing both a trap and a syslog message is still treated as a single event.
-
-
At initial startup, this object returns 0." ::= { docsDevEvent 5 }
-
docsDevEvThrottleInterval OBJECT-TYPE
SYNTAX Integer32 (1..2147483647)
UNITS "seconds" MAX-ACCESS read-write STATUS current DESCRIPTION "The interval over which the trap threshold applies. At initial startup, this object has a value of 1." ::= { docsDevEvent 6 } -- -- The following table controls the reporting of the various classes of -- events. --
docsDevEvControlTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF DocsDevEvControlEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table allows control of the reporting of event classes. For each event priority, a combination of logging and reporting mechanisms may be chosen. The mapping of event types to priorities is vendor-dependent. Vendors may also choose to allow the user to control that mapping through proprietary means." ::= { docsDevEvent 7 }
docsDevEvControlEntry OBJECT-TYPE
-
SYNTAX DocsDevEvControlEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Allows configuration of the reporting mechanisms for a particular event priority." INDEX { docsDevEvPriority } ::= { docsDevEvControlTable 1 }
DocsDevEvControlEntry ::= SEQUENCE {
-
docsDevEvPriority INTEGER, docsDevEvReporting BITS }
docsDevEvPriority OBJECT-TYPE
-
-
SYNTAX INTEGER {
emergency(1), alert(2), critical(3), error(4), warning(5), notice(6), information(7), debug(8) } MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority level that is controlled by this entry. These are ordered from most (emergency) to least (debug) critical. Each event with a CM or CMTS has a particular priority level associated with it (as defined by the vendor). During normal operation no event more critical than notice(6) should be generated. Events between warning and emergency should be generated at appropriate levels of problems (e.g. emergency when the box is about to crash)." ::= { docsDevEvControlEntry 1 }
-
docsDevEvReporting OBJECT-TYPE
-
SYNTAX BITS { local(0), traps(1), syslog(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "Defines the action to be taken on occurrence of this event class. Implementations may not necessarily support all options for all event classes, but at minimum must allow traps and syslogging to be disabled. If the local(0) bit is set, then log to the internal log, if the traps(1) bit is set, then generate a trap, if the syslog(2) bit is set, then send a syslog message (assuming the syslog address is set)." ::= { docsDevEvControlEntry 2 }
docsDevEventTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF DocsDevEventEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Contains a log of network and device events that may be of interest in fault isolation and troubleshooting." ::= { docsDevEvent 8 }
docsDevEventEntry OBJECT-TYPE
-
SYNTAX DocsDevEventEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Describes a network or device event that may be of interest in fault isolation and troubleshooting. Multiple sequential identical events are represented by incrementing docsDevEvCounts and setting docsDevEvLastTime to the current time rather than creating multiple rows. Entries are created with the first occurrance of an event. docsDevEvControl can be used to clear the table. Individual events can not be deleted." INDEX { docsDevEvIndex } ::= { docsDevEventTable 1 }
DocsDevEventEntry ::= SEQUENCE {
-
docsDevEvIndex Integer32, docsDevEvFirstTime DateAndTime, docsDevEvLastTime DateAndTime, docsDevEvCounts Counter32, docsDevEvLevel INTEGER, docsDevEvId Unsigned32, docsDevEvText SnmpAdminString }
docsDevEvIndex OBJECT-TYPE
-
SYNTAX Integer32 (1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Provides relative ordering of the objects in the event log. This object will always increase except when (a) the log is reset via docsDevEvControl, (b) the device reboots and does not implement non-volatile storage for this log, or (c) it reaches the value 2^31. The next entry for all the above cases is 1." ::= { docsDevEventEntry 1 }
docsDevEvFirstTime OBJECT-TYPE
-
SYNTAX DateAndTime MAX-ACCESS read-only STATUS current DESCRIPTION "The time that this entry was created." ::= { docsDevEventEntry 2 }
docsDevEvLastTime OBJECT-TYPE
-
SYNTAX DateAndTime MAX-ACCESS read-only STATUS current DESCRIPTION "If multiple events are reported via the same entry, the time that the last event for this entry occurred, otherwise this should have the same value as docsDevEvFirstTime. " ::= { docsDevEventEntry 3 }
-- This object was renamed from docsDevEvCount to meet naming
-- requirements for Counter32
docsDevEvCounts OBJECT-TYPE
-
SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of consecutive event instances reported by this entry. This starts at 1 with the creation of this row and increments by 1 for each subsequent duplicate event." ::= { docsDevEventEntry 4 }
docsDevEvLevel OBJECT-TYPE
-
SYNTAX INTEGER { emergency(1), alert(2), critical(3), error(4), warning(5), notice(6), information(7), debug(8) } MAX-ACCESS read-only STATUS current DESCRIPTION "The priority level of this event as defined by the vendor. These are ordered from most serious (emergency) to least serious (debug)." ::= { docsDevEventEntry 5 }
--
-- Vendors will provide their own enumerations for the following.
-- The interpretation of the enumeration is unambiguous for a
-- particular value of the vendor's enterprise number in sysObjectID.
--
docsDevEvId OBJECT-TYPE
-
SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION "For this product, uniquely identifies the type of event that is reported by this entry." ::= { docsDevEventEntry 6 }
docsDevEvText OBJECT-TYPE
-
SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Provides a human-readable description of the event, including all relevant context (interface numbers, etc.)." ::= { docsDevEventEntry 7 }
docsDevFilter OBJECT IDENTIFIER ::= { docsDevMIBObjects 6 }
-- -- Link Level Control Filtering --
-- docsDevFilterLLCDefault renamed to docsDevFilterLLCUnmatchedAction
docsDevFilterLLCUnmatchedAction OBJECT-TYPE
-
SYNTAX INTEGER { discard(1), accept(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "LLC (Link Level Control) filters can be defined on an inclusive or exclusive basis: CMs can be configured to forward only packets matching a set of layer three protocols, or to drop packets matching a set of layer three protocols. Typical use of these filters is to filter out possibly harmful (given the context of a large metropolitan LAN) protocols.
-
-
-
If set to discard(1), any L2 packet which does not match at
-
-
least one filter in the docsDevFilterLLCTable will be discarded. If set to accept(2), any L2 packet which does not match at least one filter in the docsDevFilterLLCTable will be accepted for further processing (e.g., bridging). At initial system startup, this object returns accept(2)." ::= { docsDevFilter 1 }
-
docsDevFilterLLCTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF DocsDevFilterLLCEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A list of filters to apply to (bridged) LLC traffic. The filters in this table are applied to incoming traffic on the appropriate interface(s) prior to any further processing (e.g. before handing the packet off for level 3 processing, or for bridging). The specific action taken when no filter is matched is controlled by docsDevFilterLLCUnmatchedAction." ::= { docsDevFilter 2 }
docsDevFilterLLCEntry OBJECT-TYPE
-
SYNTAX DocsDevFilterLLCEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Describes a single filter to apply to (bridged) LLC traffic received on a specified interface. " INDEX { docsDevFilterLLCIndex } ::= { docsDevFilterLLCTable 1 }
DocsDevFilterLLCEntry ::= SEQUENCE {
-
docsDevFilterLLCIndex Integer32, docsDevFilterLLCStatus RowStatus, docsDevFilterLLCIfIndex InterfaceIndexOrZero, docsDevFilterLLCProtocolType INTEGER, docsDevFilterLLCProtocol Integer32, docsDevFilterLLCMatches Counter32 }
docsDevFilterLLCIndex OBJECT-TYPE
-
SYNTAX Integer32 (1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Index used for the identification of filters (note that LLC filter order is irrelevant)." ::= { docsDevFilterLLCEntry 1 }
docsDevFilterLLCStatus OBJECT-TYPE
-
SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Controls and reflects the status of rows in this table. There is no restriction on changing any of the associated columns for this row while this object is set to active." ::= { docsDevFilterLLCEntry 2}
docsDevFilterLLCIfIndex OBJECT-TYPE
-
SYNTAX InterfaceIndexOrZero MAX-ACCESS read-create STATUS current DESCRIPTION "The entry interface to which this filter applies. The value corresponds to ifIndex for either a CATV MAC or another network interface. If the value is zero, the filter applies to all interfaces. In Cable Modems, the default value is the customer side interface. In Cable Modem Termination Systems, this object has to be specified to create a row in this table." ::= { docsDevFilterLLCEntry 3 }
docsDevFilterLLCProtocolType OBJECT-TYPE
-
SYNTAX INTEGER { ethertype(1), dsap(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "The format of the value in docsDevFilterLLCProtocol: either a two-byte Ethernet Ethertype, or a one-byte 802.2 SAP value. EtherType(1) also applies to SNAP- encapsulated frames." DEFVAL { ethertype } ::= { docsDevFilterLLCEntry 4 }
docsDevFilterLLCProtocol OBJECT-TYPE
-
SYNTAX Integer32 (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "The layer three protocol for which this filter applies. The protocol value format depends on docsDevFilterLLCProtocolType. Note that for SNAP frames, etherType filtering is performed rather than DSAP=0xAA." DEFVAL { 0 } ::= { docsDevFilterLLCEntry 5 }
docsDevFilterLLCMatches OBJECT-TYPE
-
SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Counts the number of times this filter was matched." ::= { docsDevFilterLLCEntry 6 }
-- The default behavior for (bridged) packets that do not match IP
-- filters is defined by
-- docsDevFilterIpDefault.
docsDevFilterIpDefault OBJECT-TYPE
-
SYNTAX INTEGER { discard(1), accept(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "If set to discard(1), all packets not matching an IP filter will be discarded. If set to accept(2), all packets not matching an IP filter will be accepted for further processing (e.g., bridging). At initial system startup, this object returns accept(2)." ::= { docsDevFilter 3 }
docsDevFilterIpTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF DocsDevFilterIpEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An ordered list of filters or classifiers to apply to IP traffic. Filter application is ordered by the filter index, rather than by a best match algorithm (Note that this implies that the filter table may have gaps in the index values). Packets which match no filters will have policy 0 in the docsDevFilterPolicyTable applied to them if it exists. Otherwise, Packets which match no filters are discarded or forwarded according to the setting of docsDevFilterIpDefault.
-
-
-
Any IP packet can theoretically match multiple rows of this table. When considering a packet, the table is scanned in row index order (e.g. filter 10 is checked before filter 20). If the packet matches that filter (which means that it matches ALL criteria for that row), actions appropriate to docsDevFilterIpControl and docsDevFilterPolicyId are taken. If the packet was discarded processing is complete. If docsDevFilterIpContinue is set to true, the filter comparison continues with the next row in the table looking for additional matches.
If the packet matches no filter in the table, the packet is accepted or dropped for further processing based on the setting of docsDevFilterIpDefault. If the packet is accepted, the actions specified by policy group 0 (e.g. the rows in docsDevFilterPolicyTable which have a value of 0 for docsDevFilterPolicyId) are taken if that policy group exists.
-
-
Logically, this table is consulted twice during the processing of any IP packet - once upon its acceptance from the L2 entity, and once upon its transmission to the L2 entity. In actuality, for cable modems, IP filtering is generally the only IP processing done for transit traffic. This means that inbound and outbound filtering can generally be done at the same time with one pass through the filter table." ::= { docsDevFilter 4 }
-
docsDevFilterIpEntry OBJECT-TYPE
-
SYNTAX DocsDevFilterIpEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Describes a filter to apply to IP traffic received on a specified interface. All identity objects in this table (e.g. source and destination address/mask, protocol, source/dest port, TOS/mask, interface and direction) must match their respective fields in the packet for any given filter to match. To create an entry in this table, docsDevFilterIpIfIndex must be specified." INDEX { docsDevFilterIpIndex } ::= { docsDevFilterIpTable 1 }
DocsDevFilterIpEntry ::= SEQUENCE {
docsDevFilterIpIndex Integer32,
-
docsDevFilterIpStatus RowStatus, docsDevFilterIpControl INTEGER, docsDevFilterIpIfIndex InterfaceIndexOrZero, docsDevFilterIpDirection INTEGER, docsDevFilterIpBroadcast TruthValue, docsDevFilterIpSaddr IpAddress, docsDevFilterIpSmask IpAddress, docsDevFilterIpDaddr IpAddress, docsDevFilterIpDmask IpAddress, docsDevFilterIpProtocol Integer32, docsDevFilterIpSourcePortLow Integer32, docsDevFilterIpSourcePortHigh Integer32, docsDevFilterIpDestPortLow Integer32, docsDevFilterIpDestPortHigh Integer32, docsDevFilterIpMatches Counter32, docsDevFilterIpTos OCTET STRING, docsDevFilterIpTosMask OCTET STRING, docsDevFilterIpContinue TruthValue, docsDevFilterIpPolicyId Integer32 }
docsDevFilterIpIndex OBJECT-TYPE
-
SYNTAX Integer32 (1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Index used to order the application of filters. The filter with the lowest index is always applied first." ::= { docsDevFilterIpEntry 1 }
docsDevFilterIpStatus OBJECT-TYPE
-
SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Controls and reflects the status of rows in this table. Specifying only this object (with the appropriate index) on a CM is sufficient to create a filter row which matches all inbound packets on the ethernet interface, and results in the packets being discarded. docsDevFilterIpIfIndex (at least) must be specified on a CMTS to create a row. Creation of the rows may be done via either create-and-wait or create-and-go, but the filter is not applied until this object is set to (or changes to) active. There is no restriction in changing any object in a row while this object is set to active." ::= { docsDevFilterIpEntry 2 }
docsDevFilterIpControl OBJECT-TYPE
-
SYNTAX INTEGER { discard(1), accept(2), policy(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "If set to discard(1), all packets matching this filter will be discarded and scanning of the remainder of the filter list will be aborted. If set to accept(2), all packets matching this filter will be accepted for further processing (e.g., bridging). If docsDevFilterIpContinue is set to true, see if there are other matches, otherwise done. If set to policy (3), execute the policy entries matched by docsDevIpFilterPolicyId in docsDevIpFilterPolicyTable. If is docsDevFilterIpContinue is set to true, continue scanning the table for other matches, otherwise done." DEFVAL { discard } ::= { docsDevFilterIpEntry 3 }
docsDevFilterIpIfIndex OBJECT-TYPE
-
SYNTAX InterfaceIndexOrZero MAX-ACCESS read-create STATUS current DESCRIPTION "The entry interface to which this filter applies. The value corresponds to ifIndex for either a CATV MAC or another network interface. If the value is zero, the filter applies to all interfaces. Default value in Cable Modems is the index of the customer-side (e.g. ethernet) interface. In Cable Modem Termination Systems, this object MUST be specified to create a row in this table." ::= { docsDevFilterIpEntry 4 }
docsDevFilterIpDirection OBJECT-TYPE
-
SYNTAX INTEGER { inbound(1), outbound(2), both(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "Determines whether the filter is applied to inbound(1) traffic, outbound(2) traffic, or traffic in both(3) directions." DEFVAL { inbound } ::= { docsDevFilterIpEntry 5 }
docsDevFilterIpBroadcast OBJECT-TYPE
-
SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "If set to true(1), the filter only applies to multicast and broadcast traffic. If set to false(2), the filter applies to all traffic." DEFVAL { false } ::= { docsDevFilterIpEntry 6 }
docsDevFilterIpSaddr OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The source IP address, or portion thereof, that is to be matched for this filter. The source address is first masked (and'ed) against docsDevFilterIpSmask before being compared to this value. A value of 0 for this object and 0 for the mask matches all IP addresses." DEFVAL { '00000000'h } ::= { docsDevFilterIpEntry 7 }
docsDevFilterIpSmask OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask that is to be applied to the source address prior to matching. This mask is not necessarily the same as a subnet mask, but 1's bits must be leftmost and contiguous." DEFVAL { '00000000'h } ::= { docsDevFilterIpEntry 8 }
docsDevFilterIpDaddr OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The destination IP address, or portion thereof, that is to be matched for this filter. The destination address is first masked (and'ed) against docsDevFilterIpDmask before being compared to this value. A value of 0 for this object and 0 for the mask matches all IP addresses." DEFVAL { '00000000'h } ::= { docsDevFilterIpEntry 9 }
docsDevFilterIpDmask OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask that is to be applied to the destination address prior to matching. This mask is not necessarily the same as a subnet mask, but 1's bits must be leftmost and contiguous." DEFVAL { '00000000'h } ::= { docsDevFilterIpEntry 10 }
docsDevFilterIpProtocol OBJECT-TYPE
-
SYNTAX Integer32 (0..256) MAX-ACCESS read-create STATUS current DESCRIPTION "The IP protocol value that is to be matched. For example: icmp is 1, tcp is 6, udp is 17. A value of 256 matches ANY protocol." DEFVAL { 256 } ::= { docsDevFilterIpEntry 11 }
docsDevFilterIpSourcePortLow OBJECT-TYPE
-
SYNTAX Integer32 (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "If docsDevFilterIpProtocol is udp or tcp, this is the inclusive lower bound of the transport-layer source port range that is to be matched, otherwise it is ignored during matching." DEFVAL { 0 } ::= { docsDevFilterIpEntry 12 }
docsDevFilterIpSourcePortHigh OBJECT-TYPE
-
SYNTAX Integer32 (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "If docsDevFilterIpProtocol is udp or tcp, this is the inclusive upper bound of the transport-layer source port range that is to be matched, otherwise it is ignored during matching." DEFVAL { 65535 } ::= { docsDevFilterIpEntry 13 }
docsDevFilterIpDestPortLow OBJECT-TYPE
-
SYNTAX Integer32 (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "If docsDevFilterIpProtocol is udp or tcp, this is the inclusive lower bound of the transport-layer destination port range that is to be matched, otherwise it is ignored during matching." DEFVAL { 0 } ::= { docsDevFilterIpEntry 14 }
docsDevFilterIpDestPortHigh OBJECT-TYPE
-
SYNTAX Integer32 (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "If docsDevFilterIpProtocol is udp or tcp, this is the inclusive upper bound of the transport-layer destination port range that is to be matched, otherwise it is ignored during matching." DEFVAL { 65535 } ::= { docsDevFilterIpEntry 15 }
docsDevFilterIpMatches OBJECT-TYPE
SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "Counts the number of times this filter was matched. This object is initialized to 0 at boot, or at row creation, and is reset only upon reboot." ::= { docsDevFilterIpEntry 16 } docsDevFilterIpTos OBJECT-TYPE SYNTAX OCTET STRING ( SIZE (1)) MAX-ACCESS read-create STATUS current DESCRIPTION "This is the value to be matched to the packet's TOS (Type of Service) value (after the TOS value is AND'd with docsDevFilterIpTosMask). A value for this object of 0 and a mask of 0 matches all TOS values." DEFVAL { '00'h } ::= { docsDevFilterIpEntry 17 }
docsDevFilterIpTosMask OBJECT-TYPE
-
SYNTAX OCTET STRING ( SIZE (1) ) MAX-ACCESS read-create STATUS current DESCRIPTION "The mask to be applied to the packet's TOS value before matching." DEFVAL { '00'h } ::= { docsDevFilterIpEntry 18 }
docsDevFilterIpContinue OBJECT-TYPE
-
SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "If this value is set to true, and docsDevFilterIpControl is anything but discard (1), continue scanning and applying policies." DEFVAL { false } ::= { docsDevFilterIpEntry 19 }
docsDevFilterIpPolicyId OBJECT-TYPE
-
SYNTAX Integer32 (0..2147483647) MAX-ACCESS read-create STATUS current DESCRIPTION "This object points to an entry in docsDevFilterPolicyTable. If docsDevFilterIpControl is set to policy (3), execute all matching policies in docsDevFilterPolicyTable. If no matching policy exists, treat as if docsDevFilterIpControl were set to accept (1). If this object is set to the value of 0, there is no matching policy, and docsDevFilterPolicyTable MUST NOT be consulted." DEFVAL { 0 } ::= { docsDevFilterIpEntry 20 }
--
--
docsDevFilterPolicyTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF DocsDevFilterPolicyEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A Table which maps between a policy group ID and a set of policies to be applied. All rows with the same docsDevFilterPolicyId are part of the same policy group and are applied in the order in which they are in this table.
-
-
-
docsDevFilterPolicyTable exists to allow multiple policy actions to be applied to any given classified packet. The policy actions are applied in index order For example:
-
-
Index ID Type Action 1 1 TOS 1 9 5 TOS 1 12 1 IPSEC 3
-
-
-
This says that a packet which matches a filter with policy id 1, first has TOS policy 1 applied (which might set the TOS bits to enable a higher priority), and next has the IPSEC policy 3 applied (which may result in the packet being dumped into a secure VPN to a remote encryptor).
-
-
Policy ID 0 is reserved for default actions and is applied only to packets which match no filters in docsDevIpFilterTable." ::= { docsDevFilter 5 }
-
docsDevFilterPolicyEntry OBJECT-TYPE
SYNTAX DocsDevFilterPolicyEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the docsDevFilterPolicyTable. Entries are created by Network Management. To create an entry, docsDevFilterPolicyId and docsDevFilterPolicyAction must be specified." INDEX { docsDevFilterPolicyIndex } ::= { docsDevFilterPolicyTable 1 } DocsDevFilterPolicyEntry ::= SEQUENCE { docsDevFilterPolicyIndex Integer32, docsDevFilterPolicyId Integer32, -- docsDevFilterPolicyType INTEGER, -- docsDevFilterPolicyAction Integer32, docsDevFilterPolicyStatus RowStatus, docsDevFilterPolicyPtr RowPointer }
docsDevFilterPolicyIndex OBJECT-TYPE
-
SYNTAX Integer32 (1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "Index value for the table." ::= { docsDevFilterPolicyEntry 1 }
docsDevFilterPolicyId OBJECT-TYPE
-
SYNTAX Integer32 (0..2147483647) MAX-ACCESS read-create STATUS current DESCRIPTION "Policy ID for this entry. A policy ID can apply to multiple rows of this table, all relevant policies are executed. Policy 0 (if populated) is applied to all packets which do not match any of the filters. N.B. If docsDevFilterIpPolicyId is set to 0, it DOES NOT match policy 0 of this table. " ::= { docsDevFilterPolicyEntry 2 }
-- docsDevFilterPolicyType ::= { docsDevFilterPolicyEntry 3} Removed
-- docsDevFilterPolicyAction ::= { docsDevFilterPolicyEntry 4 } removed
docsDevFilterPolicyStatus OBJECT-TYPE
-
SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Object used to create an entry in this table." ::= { docsDevFilterPolicyEntry 5 }
docsDevFilterPolicyPtr OBJECT-TYPE
-
SYNTAX RowPointer MAX-ACCESS read-create STATUS current DESCRIPTION "This object points to a row in an applicable filter policy table. Currently, the only standard policy table is docsDevFilterTosTable. Per the textual convention, this object points to the first accessible object in the row. E.g. to point to a row in docsDevFilterTosTable with an index of 21, the value of this object would be the object identifier docsDevTosStatus.21.
-
-
-
Vendors must adhere to the same convention when adding vendor specific policy table extensions.
-
-
-
The default upon row creation is a null pointer which results in no policy action being taken." DEFVAL { zeroDotZero } ::= { docsDevFilterPolicyEntry 6 } -- -- TOS Policy action table --
docsDevFilterTosTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF DocsDevFilterTosEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table used to describe Type of Service (TOS) bits processing.
-
-
-
This table is an adjunct to the docsDevFilterIpTable, and the docsDevFilterPolicy table. Entries in the latter table can point to specific rows in this (and other) tables and cause specific actions to be taken. This table permits the manipulation of the value of the Type of Service bits in the IP header of the matched packet as follows:
Set the tosBits of the packet to(tosBits & docsDevFilterTosAndMask) |
-
-
docsDevFilterTosOrMask This construct allows you to do a clear and set of all the TOS bits in a flexible manner." ::= { docsDevFilter 6 }
-
docsDevFilterTosEntry OBJECT-TYPE
-
SYNTAX DocsDevFilterTosEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A TOS policy entry." INDEX { docsDevFilterTosIndex } ::= { docsDevFilterTosTable 1 }
DocsDevFilterTosEntry ::= SEQUENCE {
-
docsDevFilterTosIndex Integer32, docsDevFilterTosStatus RowStatus, docsDevFilterTosAndMask OCTET STRING (SIZE (1)), docsDevFilterTosOrMask OCTET STRING (SIZE (1)) }
docsDevFilterTosIndex OBJECT-TYPE
-
SYNTAX Integer32 (1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The unique index for this row. There are no ordering requirements for this table and any valid index may be specified." ::= { docsDevFilterTosEntry 1 }
docsDevFilterTosStatus OBJECT-TYPE
-
SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The object used to create and delete entries in this table. A row created by specifying just this object results in a row which specifies no change to the TOS bits. A row may be created using either the create-and-go or create-and-wait paradigms. There is no restriction on the ability to change values in this row while the row is active." ::= { docsDevFilterTosEntry 2 }
docsDevFilterTosAndMask OBJECT-TYPE
-
SYNTAX OCTET STRING (SIZE (1)) MAX-ACCESS read-create STATUS current DESCRIPTION "This value is bitwise AND'd with the matched packet's TOS bits." DEFVAL { 'ff'h } ::= { docsDevFilterTosEntry 3 }
docsDevFilterTosOrMask OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (1)) MAX-ACCESS read-create STATUS current DESCRIPTION "After bitwise AND'ing with the above bits, the packet's TOS bits are bitwise OR'd with these bits." DEFVAL { '00'h } ::= { docsDevFilterTosEntry 4 } -- -- CPE IP Management and anti spoofing group. Only implemented on -- Cable Modems. --
docsDevCpe OBJECT IDENTIFIER ::= { docsDevMIBObjects 7}
docsDevCpeEnroll OBJECT-TYPE
-
SYNTAX INTEGER { none(1), any(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This object controls the population of docsDevFilterCpeTable. If set to none, the filters must be set manually. If set to any, the CM wiretaps the packets originating from the ethernet and enrolls up to docsDevCpeIpMax addresses based on the source IP addresses of those packets. At initial system startup, default value for this object is any(2)." ::= { docsDevCpe 1 }
docsDevCpeIpMax OBJECT-TYPE
-
SYNTAX Integer32 (-1..2147483647) MAX-ACCESS read-write STATUS current DESCRIPTION "This object controls the maximum number of CPEs allowed to connect behind this device. If set to zero, any number of CPEs may connect up to the maximum permitted for the device. If set to -1, no filtering is done on CPE source addresses, and no entries are made in the docsDevFilterCpeTable. If an attempt is made to set this to a number greater than that permitted for the device, it is set to that maximum. At iniitial system startup, default value for this object is 1." ::= { docsDevCpe 2 }
docsDevCpeTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF DocsDevCpeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists the IP addresses seen (or permitted) as source addresses in packets originating from the customer interface on this device. In addition, this table can be provisioned with the specific addresses permitted for the CPEs via the normal row creation mechanisms." ::= { docsDevCpe 3 }
docsDevCpeEntry OBJECT-TYPE
-
SYNTAX DocsDevCpeEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the docsDevFilterCpeTable. There is one entry for each IP CPE seen or provisioned. If docsDevCpeIpMax is set to -1, this table is ignored, otherwise: Upon receipt of an IP packet from the customer interface of the CM, the source IP address is checked against this table. If the address is in the table, packet processing continues. If the address is not in the table, but docsDevCpeEnroll is set to any and the table size is less than docsDevCpeIpMax, the address is added to the table and packet processing continues. Otherwise, the packet is dropped. The filtering actions specified by this table occur after any LLC filtering (docsDevFilterLLCTable), but prior to any IP filtering (docsDevFilterIpTable, docsDevNmAccessTable)." INDEX { docsDevCpeIp } ::= {docsDevCpeTable 1 }
DocsDevCpeEntry ::= SEQUENCE {
-
docsDevCpeIp IpAddress, docsDevCpeSource INTEGER, docsDevCpeStatus RowStatus }
docsDevCpeIp OBJECT-TYPE
-
SYNTAX IpAddress MAX-ACCESS not-accessible STATUS current DESCRIPTION "The IP address to which this entry applies." ::= { docsDevCpeEntry 1 }
docsDevCpeSource OBJECT-TYPE
-
SYNTAX INTEGER { other(1), manual(2), learned(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "This object describes how this entry was created. If the value is manual(2), this row was created by a network management action (either configuration, or SNMP set). If set to learned(3), then it was found via looking at the source IP address of a received packet." ::= { docsDevCpeEntry 2 }
docsDevCpeStatus OBJECT-TYPE
SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Standard object to manipulate rows. To create a row in this table, you only need to specify this object. Management stations SHOULD use the create-and-go mechanism for creating rows in this table." ::= { docsDevCpeEntry 3 } -- -- Placeholder for notifications/traps. -- docsDevNotification OBJECT IDENTIFIER ::= { docsDev 2 } -- -- Conformance definitions -- docsDevConformance OBJECT IDENTIFIER ::= { docsDev 3 } docsDevGroups OBJECT IDENTIFIER ::= { docsDevConformance 1 } docsDevCompliances OBJECT IDENTIFIER ::= { docsDevConformance 2 }
docsDevBasicCompliance MODULE-COMPLIANCE
-
STATUS current DESCRIPTION "The compliance statement for MCNS Cable Modems and Cable Modem Termination Systems."
MODULE -- docsDev
-- conditionally mandatory groups
GROUP docsDevBaseGroup
-
-
DESCRIPTION
-
"Mandatory in Cable Modems, optional in Cable Modem
Termination Systems."
-
GROUP docsDevEventGroup
-
-
DESCRIPTION
-
"Mandatory in Cable Modems, optional in Cable Modem
Termination Systems."
-
GROUP docsDevFilterGroup
-
-
DESCRIPTION
-
"Mandatory in Cable Modems, optional in Cable Modem
Termination Systems."
-
GROUP docsDevNmAccessGroup
-
-
DESCRIPTION
-
"This group is only implemented in devices which do not
-
implement SNMPv3 User Security Model. It SHOULD NOT be implemented by SNMPv3 conformant devices.
For devices which do not implement SNMPv3 or later, this group is Mandatory in Cable Modems and is optional in Cable Modem Termination Systems."
-
GROUP docsDevServerGroup
DESCRIPTION
"This group is implemented only in Cable Modems and is
not implemented in Cable Modem Termination Systems."
GROUP docsDevSoftwareGroup
-
-
DESCRIPTION
-
"This group is Mandatory in Cable Modems and optional in
-
Cable Modem Termination Systems."
-
GROUP docsDevCpeGroup
-
-
DESCRIPTION
-
"This group is Mandatory in Cable Modems, and is
-
not implemented in Cable Modem Termination Systems. A similar capability for CMTS devices may be proposed later after study."
-
OBJECT docsDevSTPControl
-
-
MIN-ACCESS read-only
DESCRIPTION-
"It is compliant to implement this object as read-only.
-
-
Devices need only support noStFilterBpdu(2)."
OBJECT docsDevEvReporting
-
-
-
MIN-ACCESS read-only
DESCRIPTION-
"It is compliant to implement this object as read-only.
-
-
Devices need only support local(0)." ::= { docsDevCompliances 1 }
-
docsDevBaseGroup OBJECT-GROUP
-
OBJECTS { docsDevRole, docsDevDateTime, docsDevResetNow, docsDevSerialNumber, docsDevSTPControl } STATUS current DESCRIPTION "A collection of objects providing device status and control." ::= { docsDevGroups 1 }
docsDevNmAccessGroup OBJECT-GROUP
-
OBJECTS { docsDevNmAccessIp, docsDevNmAccessIpMask, docsDevNmAccessCommunity, docsDevNmAccessControl, docsDevNmAccessInterfaces, docsDevNmAccessStatus } STATUS current DESCRIPTION "A collection of objects for controlling access to SNMP objects." ::= { docsDevGroups 2 }
docsDevSoftwareGroup OBJECT-GROUP
-
OBJECTS { docsDevSwServer, docsDevSwFilename, docsDevSwAdminStatus, docsDevSwOperStatus, docsDevSwCurrentVers } STATUS current DESCRIPTION "A collection of objects for controlling software downloads." ::= { docsDevGroups 3 }
docsDevServerGroup OBJECT-GROUP
-
-
OBJECTS {
-
docsDevServerBootState,
docsDevServerDhcp, docsDevServerTime, docsDevServerTftp, docsDevServerConfigFile } STATUS current DESCRIPTION "A collection of objects providing status about server provisioning." ::= { docsDevGroups 4 }
-
docsDevEventGroup OBJECT-GROUP
-
OBJECTS { docsDevEvControl, docsDevEvSyslog, docsDevEvThrottleAdminStatus, docsDevEvThrottleInhibited, docsDevEvThrottleThreshold, docsDevEvThrottleInterval, docsDevEvReporting, docsDevEvFirstTime, docsDevEvLastTime, docsDevEvCounts, docsDevEvLevel, docsDevEvId, docsDevEvText } STATUS current DESCRIPTION "A collection of objects used to control and monitor events." ::= { docsDevGroups 5 }
docsDevFilterGroup OBJECT-GROUP
-
-
OBJECTS {
docsDevFilterLLCUnmatchedAction, docsDevFilterIpDefault, docsDevFilterLLCStatus, docsDevFilterLLCIfIndex, docsDevFilterLLCProtocolType, docsDevFilterLLCProtocol, docsDevFilterLLCMatches, docsDevFilterIpControl, docsDevFilterIpIfIndex, docsDevFilterIpStatus, docsDevFilterIpDirection, docsDevFilterIpBroadcast, docsDevFilterIpSaddr, docsDevFilterIpSmask, docsDevFilterIpDaddr, docsDevFilterIpDmask, docsDevFilterIpProtocol, docsDevFilterIpSourcePortLow, docsDevFilterIpSourcePortHigh, docsDevFilterIpDestPortLow, docsDevFilterIpDestPortHigh, docsDevFilterIpMatches, docsDevFilterIpTos, docsDevFilterIpTosMask, docsDevFilterIpContinue, docsDevFilterIpPolicyId, docsDevFilterPolicyId, docsDevFilterPolicyStatus, docsDevFilterPolicyPtr, docsDevFilterTosStatus, docsDevFilterTosAndMask, docsDevFilterTosOrMask } STATUS current DESCRIPTION "A collection of objects to specify filters at link layer and IP layer." ::= { docsDevGroups 6 }
-
docsDevCpeGroup OBJECT-GROUP
-
OBJECTS { docsDevCpeEnroll, docsDevCpeIpMax, docsDevCpeSource, docsDevCpeStatus } STATUS current DESCRIPTION "A collection of objects used to control the number and specific values of IP addresses allowed for associated Customer Premises Equipment (CPE)." ::= { docsDevGroups 7 }
END
5. Acknowledgments
-
This document was produced by the IPCDN Working Group. It is based on a document written by Pam Anderson from CableLabs, Wilson Sawyer from BayNetworks, and Rich Woundy from Continental Cablevision. The original working group editor, Guenter Roeck of cisco Systems, did much of the grunt work of putting the document into its current form.
Special thanks is also due to Azlina Palmer, who helped a lot reviewing the document.
6. References
-
[1] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2571, April 1999. [2] Rose, M. and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990. [3] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC 1212, March 1991. [4] Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991. [5] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Structure of Management Information for Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [6] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [7] McCloghrie, K., Perkins, D. and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [8] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple Network Management Protocol", STD 15, RFC 1157, May 1990. [9] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996. [10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996. [11] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2572, April 1999. [12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2574, April 1999. [13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996. [14] Levi, D., Meyer, P. and B. Stewart, "SNMP Applications", RFC 2573, April 1999. [15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2575, April 1999.
[16] "Data-Over-Cable Service Interface Specifications: Cable Modem
Radio Frequency Interface Specification SP-RFI-I04-980724", DOCSIS, July 1998, http://www.cablemodem.com/public/pubtechspec/SP-RFI-I04- 980724.pdf. [17] Steinberg, L., "Techniques for Managing Asynchronously Generated Alerts", RFC 1224, May 1991.
[18] "Data-Over-Cable Service Interface Specifications: Operations
Support System Interface Specification RF Interface SP-OSSI-RF- I02-980410", DOCSIS, April 1998, http://www.cablemodem.com/public/pubtechspec/ossi/sp-ossi.PDF. [19] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[20] "Data-Over-Cable Service Interface Specifications: Baseline
-
Privacy Interface Specification SP-BPI-I01-970922", DOCSIS, September 1977, http://www.cablemodem.com/public/pubtechspec/ss/SP-BPI-I01- 970922.pdf
7. Security Considerations
-
This MIB relates to a system which will provide metropolitan public internet access. As such, improper manipulation of the objects represented by this MIB may result in denial of service to a large number of end-users. In addition, manipulation of the docsDevNmAccessTable, docsDevFilterLLCTable, docsDevFilterIpTable and the elements of the docsDevCpe group may allow an end-user to increase their service levels, spoof their IP addresses, change the permitted management stations, or affect other end-users in either a positive or negative manner.
There are a number of management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. In addition to those mentioned above:
o The use of docsDevNmAccessTable to specify management stations is considered to be only limited protection and does not protect against attacks which spoof the management station's IP address. The use of stronger mechanisms such as SNMPv3 security should be considered where possible. Specifically, SNMPv3 VACM and USM MUST be used with any v3 agent which implements this MIB. Administrators may also wish to consider whether even read access to docsDevNmAccessTable may be undesirable under certain circumstances. o The CM may have its software changed by the actions of the management system. An improper software load may result in substantial vulnerabilities and the loss of the ability of the management system to control the cable modem. o The device may be reset by setting docsDevResetNow = true(1). This causes the device to reload its configuration files as well as eliminating all previous non-persistent network management settings. As such, this may provide a vector for attacking the system. o Setting docsDevEvThrottleAdminStatus = unconstrained(1) (which is also the DEFVAL) may cause flooding of traps, which can disrupt network service.
This MIB does not affect confidentiality of services on a cable modem system. [20] specifies the implementation of the DOCSIS Baseline privacy mechanism. The working group expects to issue a MIB for the management of this mechanism at a later time.
SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPSec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB.
It is recommended that the implementers consider the security features as provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model [12] and the View-based Access Control Model [15] is recommended.
It is then a customer/user responsibility to ensure that the SNMP entity giving access to an instance of this MIB, is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.
8. Intellectual Property
-
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
9. Author's Address
-
Michael StJohns
@Home Network
425 Broadway
Redwood City, CA 94063
U.S.APhone: +1 650 569 5368 EMail: stjohns@corp.home.net
10. Full Copyright Statement
-
Copyright © The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
-
Funding for the RFC Editor function is currently provided by the Internet Society.