💾 Archived View for radia.bortzmeyer.org › rfc-mirror › rfc4131.txt captured on 2024-07-09 at 02:30:04.

View Raw

More Information

⬅️ Previous capture (2023-06-14)

-=-=-=-=-=-=-







Network Working Group                                           S. Green
Request for Comments: 4131                                    Consultant
Category: Standards Track                                       K. Ozawa
                                                                 Toshiba
                                                         E. Cardona, Ed.
                                                               CableLabs
                                                           A. Katsnelson
                                                          September 2005

                    Management Information Base for
 Data Over Cable Service Interface Specification (DOCSIS) Cable Modems
     and Cable Modem Termination Systems for Baseline Privacy Plus

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a set of managed objects for Simple Network
   Management Protocol (SNMP) based management of the Baseline Privacy
   Plus features of DOCSIS 1.1 and DOCSIS 2.0 (Data-over-Cable Service
   Interface Specification) compliant Cable Modems and Cable Modem
   Termination Systems.

Table of Contents

   1. The Internet-Standard Management Framework.....................  2
   2. Overview.......................................................  2
      2.1. Structure of the MIB......................................  3
      2.2. Relationship of BPI+ and BPI MIB Modules..................  4
      2.3. BPI+ MIB Module Relationship with The Interfaces Group MIB  5
   3. Definitions....................................................  5
   4. Acknowledgements............................................... 77
   5. Normative References........................................... 77
   6. Informative References......................................... 78
   7. Security Considerations........................................ 79
   8. IANA Considerations............................................ 83



Green, et al.               Standards Track                     [Page 1]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


1.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

2.  Overview

   This MIB module (BPI+ MIB) provides a set of objects required for the
   management of the Baseline Privacy Interface Plus features of DOCSIS
   1.1 and DOCSIS 2.0 Cable Modem (CM) and Cable Modem Termination
   System (CMTS).  The specification is derived from the operational
   model described in the DOCSIS Baseline Privacy Interface Plus
   Specification [DOCSIS].

   DOCSIS Baseline Privacy Plus is composed of four distinct functional
   and manageable areas:

   o  Key exchange and data encryption

   o  Cable modem authentication

   o  Multicast encryption

   o  Authentication of downloaded software images

   This MIB module is an extension of the DOCSIS 1.0 Baseline Privacy
   MIB module [RFC3083] (BPI MIB), which is derived from the Operational
   model described in the DOCSIS Baseline Privacy Interface
   Specification [DOCSIS-1.0].  The original Baseline Privacy MIB
   structure has mostly been preserved in the Baseline Privacy Plus MIB.
   Please note that the referenced DOCSIS specifications only require
   that Cable Modems process IPv4 customer traffic.  Design choices in
   this MIB module reflect those requirements.  Future versions of the
   DOCSIS specifications are expected to require support for IPv6 as
   well.






Green, et al.               Standards Track                     [Page 2]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


   Conventions Used in This Document

      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
      in this document are to be interpreted as described in BCP 14, RFC
      2119 [RFC2119].

2.1.  Structure of the MIB

   This MIB module is structured into several tables and objects.

2.1.1.  Cable Modem

   o  The docsBpi2CmBaseTable contains authorization key exchange
      information for one CM MAC interface.

   o  The docsBpi2CmTEKTable contains traffic key exchange and data
      encryption information for a particular security association ID of
      the cable modem.

   o  Multicast Encryption information is maintained under
      Docsbpi2CmMulticastObjects.  There is currently one multicast
      table object that manages IP multicast encryption,
      docsBpi2CmIpMulticastMapTable.

   o  Digital certificates used for cable modem authentication are
      accessible via docsBpi2CmDeviceCertTable.

   o  Cryptographic suite capabilities for a CM MAC are maintained in
      the docsBpi2CmCryptoSuiteTable.

2.1.2.  Cable Modem Termination System

   o  The docsBpi2CmtsBaseTable contains default settings and summary
      counters for the cable modem termination system.

   o  The DocsBpi2CmtsAuthTable contains Authorization Key Exchange
      information for each CM MAC interface, as well as data from CM
      certificates used in cable modem authentication.

   o  The docsBpi2CmtsTEKTable contains traffic key exchange and data
      encryption information for a particular security association ID.

   o  Multicast Encryption information is maintained under
      Docsbpi2CmtsMulticastObjects.  There are currently two multicast
      table objects.  The Table docsBpi2CmtsIpMulticastMapTable is





Green, et al.               Standards Track                     [Page 3]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      specifically designed for IP multicast encryption, whereas
      docsBpi2CmtsMulticastAuthTable is meant to manage all multicast
      security associations.

         In particular, the table docsBpi2CmtsIpMulticastMapTable
         defines the object docsBpi2CmtsIpMulticastMask, which could be
         a non-contiguous netmask; this is why the object syntax is
         based on the INET-ADDRESS-MIB MIB Module [RFC4001] Textual
         Convention InetAddress instead of InetAddressPrefixLength.

         This is to facilitate the assignment of same DOCSIS Security
         Association ID (SAID) to one or more IPv6 multicast group IDs
         matching one or more IPv6 multicast scope types within an entry
         in this table.  For example, multicast scopes labeled
         "unassigned" [RFC3513] may be allocated by administrators to a
         particular SAID, regardless of their multicast scope; such
         mapping transient multicast group 'Y' to SAID 'z' for ANY
         multicast scope.  The non-contiguous netmask will be FF10:Y.
         See [RFC3513] for details on IPv6 multicast addressing.

   o  DocsBpi2CmtsCertObjects contains 2 manageable tables: one for
      provisioned cable modem certificates and one for certification
      authority certificates.

2.1.3.  Common

   o  The docsBpi2CodeDownloadControl objects manage the authenticated
      software download process for a given device.

2.2.  Relationship of BPI+ and BPI MIB Modules

   This section describes the relationship between the BPI+ MIB module
   defined in this document and the BPI MIB module defined in RFC 3083
   [RFC3083].  The BPI+ protocol interface is an enhancement to the BPI
   protocol, and it is a distinct protocol from BPI.  The associated
   BPI+ managed objects should be considered separate from the BPI MIB
   objects defined in RFC 3083.

   DOCSIS 1.1 and 2.0 systems implement both the BPI+ and BPI protocols
   to be backward compatible with 1.0 systems.  For more information
   regarding the interoperability between BPI and BPI+ compliant
   systems, refer to appendix C of the DOCSIS BPI+ specification
   [DOCSIS].  For MIB modules requirements, refer to section 4.6.1,
   Figure 9, of the DOCSIS 1.1 OSSI specification [DOCSIS-1.1] and to
   section 7.6.1, Tables 7-9, of the DOCSIS 2.0 OSSI specification
   [DOCSIS-2.0].





Green, et al.               Standards Track                     [Page 4]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


2.3.  BPI+ MIB Module Relationship with the Interfaces Group MIB

   The BPI+ MIB module is the management framework of Baseline Privacy
   Plus Interface Specification [DOCSIS], which provides the MAC layer
   (Media Access Control) security services of DOCSIS through the
   Baseline Privacy Key Management (BPKM) protocol.  The BPI+ MIB module
   objects are organized as extensions of the Radio Frequency (RF)
   Interface Management [RFC2670].

   The MIB table structures of this MIB Module are extensions of the
   DOCSIS CATV (Community Antenna Television) MAC layer interface
   (DocsCableMaclayer by [IANA]).  In particular, the provisions of the
   Interface Group MIB [RFC2863] for counter discontinuities and system
   re-initialization apply to CM and CMTS to validate the difference
   between two consecutive counter polls.

   All BPI+ MIB module counters are 32 bits and are based on the minimum
   time to wrap up considerations of [RFC2863] and their possible
   frequency occurrence as BPI+ FSM (Finite State Machine) event
   counters.  See [DOCSIS] for BPI+ FSM parameter guidelines.

3.  Definitions

   DOCS-IETF-BPI2-MIB DEFINITIONS ::= BEGIN

   IMPORTS
           MODULE-IDENTITY, OBJECT-TYPE,
           Integer32,
           Unsigned32,
           Counter32,
           mib-2
                FROM SNMPv2-SMI           -- [RFC2578]
           SnmpAdminString
                FROM SNMP-FRAMEWORK-MIB   -- [RFC3411]
           TEXTUAL-CONVENTION,
           MacAddress,
           RowStatus,
           TruthValue,
           DateAndTime,
           StorageType
                FROM SNMPv2-TC            -- [RFC2579]
           OBJECT-GROUP,
           MODULE-COMPLIANCE
                FROM SNMPv2-CONF          -- [RFC2580]
           ifIndex
                FROM IF-MIB               -- [RFC2863]
           InetAddressType,
           InetAddress



Green, et al.               Standards Track                     [Page 5]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                FROM INET-ADDRESS-MIB;    -- [RFC4001]

      docsBpi2MIB    MODULE-IDENTITY
           LAST-UPDATED "200507200000Z" -- July 20, 2005
           ORGANIZATION "IETF IP over Cable Data Network (IPCDN)
                         Working Group"
           CONTACT-INFO "---------------------------------------
                      Stuart M. Green
                      E-mail: rubbersoul3@yahoo.com
                      ---------------------------------------
                      Kaz Ozawa
                      Automotive Systems Development Center
                      TOSHIBA CORPORATION
                      1-1, Shibaura 1-Chome
                      Minato-ku, Tokyo 105-8001
                      Japan
                      Phone: +81-3-3457-8569
                      Fax: +81-3-5444-9325
                      E-mail: Kazuyoshi.Ozawa@toshiba.co.jp
                      ---------------------------------------
                      Alexander Katsnelson
                      Postal:
                      Tel:    +1-303-680-3924
                      E-mail: katsnelson6@peoplepc.com
                      ---------------------------------------
                      Eduardo Cardona
                      Postal:
                      Cable Television Laboratories, Inc.
                      858 Coal Creek Circle
                      Louisville, CO 80027- 9750
                      U.S.A.
                      Tel:    +1 303 661 9100
                      Fax:    +1 303 661 9199
                      E-mail: e.cardona@cablelabs.com
                      ---------------------------------------

              IETF IPCDN Working Group
              General Discussion: ipcdn@ietf.org
              Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn.
              Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn.
              Co-chairs: Richard Woundy, rwoundy@cisco.com
                         Jean-Francois Mule, jfm@cablelabs.com"
           DESCRIPTION
               "This is the MIB module for the DOCSIS Baseline
                Privacy Plus Interface (BPI+) at cable modems (CMs)
                and cable modem termination systems (CMTSs).

                Copyright (C) The Internet Society (2005).  This



Green, et al.               Standards Track                     [Page 6]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                version of this MIB module is part of RFC 4131; see
                the RFC itself for full legal notices."

           REVISION        "200507200000Z"  -- July 20, 2005
           DESCRIPTION
               "Initial version of the IETF BPI+ MIB module.
                This version published as RFC 4131."
              ::= { mib-2 126 }

      -- Textual conventions

   DocsX509ASN1DEREncodedCertificate ::= TEXTUAL-CONVENTION
           STATUS    current
           DESCRIPTION
               "An X509 digital certificate encoded as an ASN.1 DER
           object."
           SYNTAX    OCTET STRING (SIZE (0..4096))

   DocsSAId ::= TEXTUAL-CONVENTION
           DISPLAY-HINT "d"
           STATUS    current
           DESCRIPTION
                "Security Association identifier (SAID)."
           REFERENCE
                 "DOCSIS Baseline Privacy Plus Interface
           specification, Section 2.1.3, BPI+ Security
           Associations"
           SYNTAX    Integer32 (1..16383)

   DocsSAIdOrZero ::= TEXTUAL-CONVENTION
           DISPLAY-HINT "d"
           STATUS    current
           DESCRIPTION
                "Security Association identifier (SAID).  The value
           zero indicates that the SAID is yet to be determined."
           REFERENCE
                 "DOCSIS Baseline Privacy Plus Interface
           specification, Section 2.1.3, BPI+ Security
                 Associations"
           SYNTAX    Unsigned32 (0 | 1..16383)

   DocsBpkmSAType ::= TEXTUAL-CONVENTION
           STATUS    current
           DESCRIPTION
                "The type of security association (SA).
           The values of the named-numbers are associated
           with the BPKM SA-Type attributes:
           'primary' corresponds to code '1', 'static' to code '2',



Green, et al.               Standards Track                     [Page 7]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           and 'dynamic' to code '3'.
           The 'none' value must only be used if the SA type has yet
           to be determined."
           REFERENCE
                 "DOCSIS Baseline Privacy Plus Interface
           specification, Section 4.2.2.24"
           SYNTAX    INTEGER {
                          none(0),
                          primary(1),
                          static(2),
                          dynamic(3)
                     }

   DocsBpkmDataEncryptAlg ::= TEXTUAL-CONVENTION
           STATUS    current
           DESCRIPTION
               "The list of data encryption algorithms defined for
           the DOCSIS interface in the BPKM cryptographic-suite
           parameter.  The value 'none' indicates that the SAID
           being referenced has no data encryption."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           SYNTAX    INTEGER {
                          none(0),
                          des56CbcMode(1),
                          des40CbcMode(2),
                          t3Des128CbcMode(3),
                          aes128CbcMode(4),
                          aes256CbcMode(5)
                     }

   DocsBpkmDataAuthentAlg ::= TEXTUAL-CONVENTION
           STATUS    current
           DESCRIPTION
               "The list of data integrity algorithms defined for the
           DOCSIS interface in the BPKM cryptographic-suite parameter.
           The value 'none' indicates that no data integrity is used for
           the SAID being referenced."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           SYNTAX    INTEGER {
                          none(0),
                          hmacSha196(1)
                     }

      docsBpi2MIBObjects  OBJECT IDENTIFIER ::= { docsBpi2MIB 1 }



Green, et al.               Standards Track                     [Page 8]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      -- Cable Modem Group

      docsBpi2CmObjects OBJECT IDENTIFIER ::= { docsBpi2MIBObjects 1 }

      --
      -- The BPI+ base and authorization table for CMs,
      -- indexed by ifIndex
      --

      docsBpi2CmBaseTable OBJECT-TYPE
           SYNTAX              SEQUENCE OF    DocsBpi2CmBaseEntry
           MAX-ACCESS          not-accessible
           STATUS              current
           DESCRIPTION
                "This table describes the basic and authorization-
           related Baseline Privacy Plus attributes of each CM MAC
           interface."
           ::= { docsBpi2CmObjects 1 }

      docsBpi2CmBaseEntry OBJECT-TYPE
           SYNTAX              DocsBpi2CmBaseEntry
           MAX-ACCESS          not-accessible
           STATUS              current
           DESCRIPTION
                "Each entry contains objects describing attributes of
           one CM MAC interface.  An entry in this table exists for
           each ifEntry with an ifType of docsCableMaclayer(127)."
           INDEX               { ifIndex }
           ::= { docsBpi2CmBaseTable 1 }

      DocsBpi2CmBaseEntry ::= SEQUENCE {
           docsBpi2CmPrivacyEnable             TruthValue,
           docsBpi2CmPublicKey                 OCTET STRING,
           docsBpi2CmAuthState                 INTEGER,
           docsBpi2CmAuthKeySequenceNumber     Integer32,
           docsBpi2CmAuthExpiresOld            DateAndTime,
           docsBpi2CmAuthExpiresNew            DateAndTime,
           docsBpi2CmAuthReset                 TruthValue,
           docsBpi2CmAuthGraceTime             Integer32,
           docsBpi2CmTEKGraceTime              Integer32,
           docsBpi2CmAuthWaitTimeout           Integer32,
           docsBpi2CmReauthWaitTimeout         Integer32,
           docsBpi2CmOpWaitTimeout             Integer32,
           docsBpi2CmRekeyWaitTimeout          Integer32,
           docsBpi2CmAuthRejectWaitTimeout     Integer32,
           docsBpi2CmSAMapWaitTimeout          Integer32,
           docsBpi2CmSAMapMaxRetries           Integer32,
           docsBpi2CmAuthentInfos              Counter32,



Green, et al.               Standards Track                     [Page 9]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           docsBpi2CmAuthRequests              Counter32,
           docsBpi2CmAuthReplies               Counter32,
           docsBpi2CmAuthRejects               Counter32,
           docsBpi2CmAuthInvalids              Counter32,
           docsBpi2CmAuthRejectErrorCode       INTEGER,
           docsBpi2CmAuthRejectErrorString     SnmpAdminString,
           docsBpi2CmAuthInvalidErrorCode      INTEGER,
           docsBpi2CmAuthInvalidErrorString    SnmpAdminString
           }

      docsBpi2CmPrivacyEnable  OBJECT-TYPE
           SYNTAX              TruthValue
           MAX-ACCESS          read-only
           STATUS              current
           DESCRIPTION
                "This object identifies whether this CM is
           provisioned to run Baseline Privacy Plus."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1."
           ::= { docsBpi2CmBaseEntry 1 }

      docsBpi2CmPublicKey     OBJECT-TYPE
           SYNTAX             OCTET STRING (SIZE (0..524))
           MAX-ACCESS         read-only
           STATUS             current
           DESCRIPTION
                "The value of this object is a DER-encoded
           RSAPublicKey ASN.1 type string, as defined in the RSA
           Encryption Standard (PKCS #1), corresponding to the
           public key of the CM."

           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.4."
           ::= { docsBpi2CmBaseEntry 2 }

      docsBpi2CmAuthState OBJECT-TYPE
           SYNTAX         INTEGER   {
                          start(1),
                          authWait(2),
                          authorized(3),
                          reauthWait(4),
                          authRejectWait(5),
                          silent(6)
                     }
           MAX-ACCESS     read-only
           STATUS         current



Green, et al.               Standards Track                    [Page 10]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           DESCRIPTION
                "The value of this object is the state of the CM
           authorization FSM.  The start state indicates that FSM is
           in its initial state."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.1.2.1."
           ::= { docsBpi2CmBaseEntry 3 }

      docsBpi2CmAuthKeySequenceNumber    OBJECT-TYPE
           SYNTAX              Integer32 (0..15)
           MAX-ACCESS          read-only
           STATUS              current
           DESCRIPTION
                "The value of this object is the most recent
           authorization key sequence number for this FSM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.2 and 4.2.2.10."
           ::= { docsBpi2CmBaseEntry 4 }

      docsBpi2CmAuthExpiresOld OBJECT-TYPE
           SYNTAX              DateAndTime
           MAX-ACCESS          read-only
           STATUS              current
           DESCRIPTION
                "The value of this object is the actual clock time for
           expiration of the immediate predecessor of the most recent
           authorization key for this FSM.  If this FSM has only one
           authorization key, then the value is the time of activation
           of this FSM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.2 and 4.2.2.9."
           ::= { docsBpi2CmBaseEntry 5 }

      docsBpi2CmAuthExpiresNew OBJECT-TYPE
           SYNTAX              DateAndTime
           MAX-ACCESS          read-only
           STATUS              current
           DESCRIPTION
                "The value of this object is the actual clock time for
           expiration of the most recent authorization key for this
           FSM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.2 and 4.2.2.9."
           ::= { docsBpi2CmBaseEntry 6 }



Green, et al.               Standards Track                    [Page 11]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      docsBpi2CmAuthReset OBJECT-TYPE
           SYNTAX         TruthValue
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
                "Setting this object to 'true' generates a Reauthorize
           event in the authorization FSM.  Reading this object always
           returns FALSE.

           This object is for testing purposes only, and therefore it
           is not required to be associated with a last reset
           object."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.1.2.3.4."
           ::= { docsBpi2CmBaseEntry 7 }

      docsBpi2CmAuthGraceTime  OBJECT-TYPE
           SYNTAX         Integer32 (1..6047999)
           UNITS          "seconds"
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the grace time for an
           authorization key in seconds.  A CM is expected to start
           trying to get a new authorization key beginning
           AuthGraceTime seconds before the most recent authorization
           key actually expires."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1.1.3."
           ::= { docsBpi2CmBaseEntry 8 }

      docsBpi2CmTEKGraceTime   OBJECT-TYPE
           SYNTAX         Integer32 (1..302399)
           UNITS          "seconds"
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the grace time for
           the TEK in seconds.  The CM is expected to start trying to
           acquire a new TEK beginning TEK GraceTime seconds before
           the expiration of the most recent TEK."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1.1.6."
           ::= { docsBpi2CmBaseEntry 9 }




Green, et al.               Standards Track                    [Page 12]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      docsBpi2CmAuthWaitTimeout     OBJECT-TYPE
           SYNTAX         Integer32 (1..30)
           UNITS          "seconds"
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the Authorize Wait
           Timeout in seconds."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1.1.1."
           ::= { docsBpi2CmBaseEntry 10 }

      docsBpi2CmReauthWaitTimeout   OBJECT-TYPE
           SYNTAX         Integer32 (1..30)
           UNITS          "seconds"
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the Reauthorize Wait
           Timeout in seconds."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1.1.2."
           ::= { docsBpi2CmBaseEntry 11 }

      docsBpi2CmOpWaitTimeout  OBJECT-TYPE
           SYNTAX         Integer32 (1..10)
           UNITS          "seconds"
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the Operational Wait
           Timeout in seconds."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1.1.4."
           ::= { docsBpi2CmBaseEntry 12 }

      docsBpi2CmRekeyWaitTimeout    OBJECT-TYPE
           SYNTAX         Integer32 (1..10)
           UNITS          "seconds"
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the Rekey Wait Timeout
           in seconds."
           REFERENCE



Green, et al.               Standards Track                    [Page 13]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1.1.5."
           ::= { docsBpi2CmBaseEntry 13 }

      docsBpi2CmAuthRejectWaitTimeout    OBJECT-TYPE
           SYNTAX         Integer32 (1..600)
           UNITS          "seconds"
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the Authorization Reject
           Wait Timeout in seconds."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1.1.7."
           ::= { docsBpi2CmBaseEntry 14 }

      docsBpi2CmSAMapWaitTimeout    OBJECT-TYPE
           SYNTAX         Integer32 (1..10)
           UNITS          "seconds"
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the retransmission
           interval, in seconds, of SA Map Requests from the MAP Wait
           state."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1.1.8."
           ::= { docsBpi2CmBaseEntry 15 }

      docsBpi2CmSAMapMaxRetries     OBJECT-TYPE
           SYNTAX         Integer32 (0..10)
           UNITS          "count"
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the maximum number of
           Map Request retries allowed."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.1.1.1.9."
           ::= { docsBpi2CmBaseEntry 16 }

      docsBpi2CmAuthentInfos   OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current



Green, et al.               Standards Track                    [Page 14]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           DESCRIPTION
                "The value of this object is the number of times
           the CM has transmitted an Authentication Information
           message.  Discontinuities in the value of this counter can
           occur at re-initialization of the management system, and at
           other times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.9."
           ::= { docsBpi2CmBaseEntry 17 }

      docsBpi2CmAuthRequests   OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the CM
           has transmitted an Authorization Request message.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.1."
           ::= { docsBpi2CmBaseEntry 18 }

      docsBpi2CmAuthReplies    OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the CM
           has received an Authorization Reply message.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.2."
           ::= { docsBpi2CmBaseEntry 19 }

      docsBpi2CmAuthRejects    OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current



Green, et al.               Standards Track                    [Page 15]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           DESCRIPTION
                "The value of this object is the number of times the CM
           has received an Authorization Reject message.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.3."
           ::= { docsBpi2CmBaseEntry 20 }

      docsBpi2CmAuthInvalids   OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the count of times the CM
           has received an Authorization Invalid message.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.7."
           ::= { docsBpi2CmBaseEntry 21 }

      docsBpi2CmAuthRejectErrorCode OBJECT-TYPE
           SYNTAX         INTEGER {
                                 none(1),
                                 unknown(2),
                                 unauthorizedCm(3),
                                 unauthorizedSaid(4),
                                 permanentAuthorizationFailure(8),
                                 timeOfDayNotAcquired(11)
                                 }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the enumerated
           description of the Error-Code in the most recent
           Authorization Reject message received by the CM.  This has
           the value unknown(2) if the last Error-Code value was 0 and
           none(1) if no Authorization Reject message has been received
           since reboot."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,



Green, et al.               Standards Track                    [Page 16]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           Sections 4.2.1.3 and 4.2.2.15."
           ::= { docsBpi2CmBaseEntry 22 }

      docsBpi2CmAuthRejectErrorString    OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in the
           most recent Authorization Reject message received by the
           CM.  This is a zero length string if no Authorization
           Reject message has been received since reboot."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.3 and 4.2.2.6."
           ::= { docsBpi2CmBaseEntry 23 }

      docsBpi2CmAuthInvalidErrorCode     OBJECT-TYPE
           SYNTAX         INTEGER {
                                 none(1),
                                 unknown(2),
                                 unauthorizedCm(3),
                                 unsolicited(5),
                                 invalidKeySequence(6),
                                 keyRequestAuthenticationFailure(7)
                                 }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the enumerated
           description of the Error-Code in the most recent
           Authorization Invalid message received by the CM.  This has
           the value unknown(2) if the last Error-Code value was 0 and
           none(1) if no Authorization Invalid message has been received
           since reboot."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.7 and 4.2.2.15."
           ::= { docsBpi2CmBaseEntry 24 }

      docsBpi2CmAuthInvalidErrorString   OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in the
           most recent Authorization Invalid message received by the
           CM.  This is a zero length string if no Authorization



Green, et al.               Standards Track                    [Page 17]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           Invalid message has been received since reboot."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.7 and 4.2.2.6."
           ::= { docsBpi2CmBaseEntry 25 }

      --
      -- The CM TEK Table, indexed by ifIndex and SAID
      --

      docsBpi2CmTEKTable  OBJECT-TYPE
           SYNTAX         SEQUENCE OF    DocsBpi2CmTEKEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "This table describes the attributes of each CM
           Traffic Encryption Key (TEK) association.  The CM maintains
           (no more than) one TEK association per SAID per CM MAC
           interface."
           ::= { docsBpi2CmObjects 2 }

      docsBpi2CmTEKEntry  OBJECT-TYPE
           SYNTAX         DocsBpi2CmTEKEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "Each entry contains objects describing the TEK
           association attributes of one SAID.  The CM MUST create one
           entry per SAID, regardless of whether the SAID was obtained
           from a Registration Response message, from an Authorization
           Reply message, or from any dynamic SAID establishment
           mechanisms."
           INDEX     { ifIndex, docsBpi2CmTEKSAId }
           ::= { docsBpi2CmTEKTable 1 }

      DocsBpi2CmTEKEntry ::= SEQUENCE {
           docsBpi2CmTEKSAId                  DocsSAId,
           docsBpi2CmTEKSAType                DocsBpkmSAType,
           docsBpi2CmTEKDataEncryptAlg        DocsBpkmDataEncryptAlg,
           docsBpi2CmTEKDataAuthentAlg        DocsBpkmDataAuthentAlg,
           docsBpi2CmTEKState                 INTEGER,
           docsBpi2CmTEKKeySequenceNumber     Integer32,
           docsBpi2CmTEKExpiresOld            DateAndTime,
           docsBpi2CmTEKExpiresNew            DateAndTime,
           docsBpi2CmTEKKeyRequests           Counter32,
           docsBpi2CmTEKKeyReplies            Counter32,
           docsBpi2CmTEKKeyRejects            Counter32,
           docsBpi2CmTEKInvalids              Counter32,



Green, et al.               Standards Track                    [Page 18]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           docsBpi2CmTEKAuthPends             Counter32,
           docsBpi2CmTEKKeyRejectErrorCode    INTEGER,
           docsBpi2CmTEKKeyRejectErrorString  SnmpAdminString,
           docsBpi2CmTEKInvalidErrorCode      INTEGER,
           docsBpi2CmTEKInvalidErrorString    SnmpAdminString
           }

      docsBpi2CmTEKSAId   OBJECT-TYPE
           SYNTAX         DocsSAId
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The value of this object is the DOCSIS Security
           Association ID (SAID)."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.12."
           ::= { docsBpi2CmTEKEntry 1 }

      docsBpi2CmTEKSAType OBJECT-TYPE
           SYNTAX         DocsBpkmSAType
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the type of security
           association."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 2.1.3."
           ::= { docsBpi2CmTEKEntry 2 }

      docsBpi2CmTEKDataEncryptAlg   OBJECT-TYPE
           SYNTAX    DocsBpkmDataEncryptAlg
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the data encryption
           algorithm for this SAID."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           ::= { docsBpi2CmTEKEntry 3 }

      docsBpi2CmTEKDataAuthentAlg   OBJECT-TYPE
           SYNTAX    DocsBpkmDataAuthentAlg
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION



Green, et al.               Standards Track                    [Page 19]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                "The value of this object is the data authentication
           algorithm for this SAID."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           ::= { docsBpi2CmTEKEntry 4 }

      docsBpi2CmTEKState  OBJECT-TYPE
           SYNTAX         INTEGER {
                                  start(1),
                                  opWait(2),
                                  opReauthWait(3),
                                  operational(4),
                                  rekeyWait(5),
                                  rekeyReauthWait(6)
                                  }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the state of the
           indicated TEK FSM.  The start(1) state indicates that the
           FSM is in its initial state."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.1.3.1."
           ::= { docsBpi2CmTEKEntry 5 }

      docsBpi2CmTEKKeySequenceNumber     OBJECT-TYPE
           SYNTAX              Integer32 (0..15)
           MAX-ACCESS          read-only
           STATUS              current
           DESCRIPTION
                "The value of this object is the most recent TEK
           key sequence number for this TEK FSM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.2.10 and 4.2.2.13."
           ::= { docsBpi2CmTEKEntry 6 }

      docsBpi2CmTEKExpiresOld  OBJECT-TYPE
           SYNTAX         DateAndTime
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the actual clock time for
           expiration of the immediate predecessor of the most recent
           TEK for this FSM.  If this FSM has only one TEK, then the
           value is the time of activation of this FSM."



Green, et al.               Standards Track                    [Page 20]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.5 and 4.2.2.9."
           ::= { docsBpi2CmTEKEntry 7 }

      docsBpi2CmTEKExpiresNew  OBJECT-TYPE
           SYNTAX         DateAndTime
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the actual clock time for
           expiration of the most recent TEK for this FSM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.5 and 4.2.2.9."
           ::= { docsBpi2CmTEKEntry 8 }

      docsBpi2CmTEKKeyRequests OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the CM
           has transmitted a Key Request message.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."

           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.4."
           ::= { docsBpi2CmTEKEntry 9 }

      docsBpi2CmTEKKeyReplies  OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the CM
           has received a Key Reply message, including a message whose
           authentication failed.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,



Green, et al.               Standards Track                    [Page 21]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           Section 4.2.1.5."
           ::= { docsBpi2CmTEKEntry 10 }

      docsBpi2CmTEKKeyRejects  OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the CM
           has received a Key Reject message, including a message
           whose authentication failed.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.6."
           ::= { docsBpi2CmTEKEntry 11 }

      docsBpi2CmTEKInvalids    OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the CM
           has received a TEK Invalid message, including a message
           whose authentication failed.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.8."
           ::= { docsBpi2CmTEKEntry 12 }

      docsBpi2CmTEKAuthPends   OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the count of times an
           Authorization Pending (Auth Pend) event occurred in this
           FSM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of



Green, et al.               Standards Track                    [Page 22]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.1.3.3.3."
           ::= { docsBpi2CmTEKEntry 13 }

      docsBpi2CmTEKKeyRejectErrorCode    OBJECT-TYPE
           SYNTAX         INTEGER {
                                  none(1),
                                  unknown(2),
                                  unauthorizedSaid(4)
                                  }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the enumerated
           description of the Error-Code in the most recent Key Reject
           message received by the CM.  This has the value unknown(2) if
           the last Error-Code value was 0 and none(1) if no Key
           Reject message has been received since registration."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.1.2.6 and 4.2.2.15."
           ::= { docsBpi2CmTEKEntry 14 }

      docsBpi2CmTEKKeyRejectErrorString  OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in the
           most recent Key Reject message received by the CM.  This is
           a zero length string if no Key Reject message has been
           received since registration."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.1.2.6 and 4.2.2.6."
           ::= { docsBpi2CmTEKEntry 15 }

      docsBpi2CmTEKInvalidErrorCode OBJECT-TYPE
           SYNTAX         INTEGER {
                                  none(1),
                                  unknown(2),
                                  invalidKeySequence(6)
                                  }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION



Green, et al.               Standards Track                    [Page 23]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                "The value of this object is the enumerated
           description of the Error-Code in the most recent TEK Invalid
           message received by the CM.  This has the value unknown(2) if
           the last Error-Code value was 0 and none(1) if no TEK
           Invalid message has been received since registration."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.1.2.8 and 4.2.2.15."
           ::= { docsBpi2CmTEKEntry 16 }

      docsBpi2CmTEKInvalidErrorString    OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in the
           most recent TEK Invalid message received by the CM.  This is
           a zero length string if no TEK Invalid message has been
           received since registration."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.1.2.8 and 4.2.2.6."
           ::= { docsBpi2CmTEKEntry 17 }

      --
      -- The CM Multicast Objects Group
      --

      docsBpi2CmMulticastObjects OBJECT IDENTIFIER
           ::= { docsBpi2CmObjects 3 }

      --
      -- The CM Dynamic IP Multicast Mapping Table, indexed by
      -- docsBpi2CmIpMulticastIndex and by ifIndex
      --

      docsBpi2CmIpMulticastMapTable OBJECT-TYPE
           SYNTAX         SEQUENCE OF DocsBpi2CmIpMulticastMapEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "This table maps multicast IP addresses to SAIDs per
           CM MAC Interface.
           It is intended to map multicast IP addresses associated
           with SA MAP Request messages."
           ::= { docsBpi2CmMulticastObjects 1 }

      docsBpi2CmIpMulticastMapEntry OBJECT-TYPE



Green, et al.               Standards Track                    [Page 24]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           SYNTAX         DocsBpi2CmIpMulticastMapEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "Each entry contains objects describing the mapping of
           one multicast IP address to one SAID, as well as
           associated state, message counters, and error information.

           An entry may be removed from this table upon the reception
           of an SA Map Reject."
           INDEX     { ifIndex, docsBpi2CmIpMulticastIndex }
           ::= { docsBpi2CmIpMulticastMapTable 1 }

      DocsBpi2CmIpMulticastMapEntry ::= SEQUENCE {
           docsBpi2CmIpMulticastIndex               Unsigned32,
           docsBpi2CmIpMulticastAddressType         InetAddressType,
           docsBpi2CmIpMulticastAddress             InetAddress,
           docsBpi2CmIpMulticastSAId                DocsSAIdOrZero,
           docsBpi2CmIpMulticastSAMapState          INTEGER,
           docsBpi2CmIpMulticastSAMapRequests       Counter32,
           docsBpi2CmIpMulticastSAMapReplies        Counter32,
           docsBpi2CmIpMulticastSAMapRejects        Counter32,
           docsBpi2CmIpMulticastSAMapRejectErrorCode INTEGER,
           docsBpi2CmIpMulticastSAMapRejectErrorString SnmpAdminString
           }

      docsBpi2CmIpMulticastIndex         OBJECT-TYPE
           SYNTAX         Unsigned32 (1..4294967295)
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The index of this row."
           ::= { docsBpi2CmIpMulticastMapEntry 1 }

      docsBpi2CmIpMulticastAddressType   OBJECT-TYPE
           SYNTAX         InetAddressType
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The type of Internet address for
           docsBpi2CmIpMulticastAddress."
           ::= { docsBpi2CmIpMulticastMapEntry 2 }

      docsBpi2CmIpMulticastAddress  OBJECT-TYPE
           SYNTAX         InetAddress
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION



Green, et al.               Standards Track                    [Page 25]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                "This object represents the IP multicast address
           to be mapped.  The type of this address is determined by
           the value of the docsBpi2CmIpMulticastAddressType object."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 5.4."
           ::= { docsBpi2CmIpMulticastMapEntry 3 }

      docsBpi2CmIpMulticastSAId          OBJECT-TYPE
           SYNTAX         DocsSAIdOrZero
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "This object represents the SAID to which the IP
           multicast address has been mapped.  If no SA Map Reply has
           been received for the IP address, this object should have
           the value 0."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.12."
           ::= { docsBpi2CmIpMulticastMapEntry 4 }

      docsBpi2CmIpMulticastSAMapState         OBJECT-TYPE
           SYNTAX         INTEGER {
                                 start(1),
                                 mapWait(2),
                                 mapped(3)
                          }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the state of the SA
           Mapping FSM for this IP."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 5.3.1."
           ::= { docsBpi2CmIpMulticastMapEntry 5 }

      docsBpi2CmIpMulticastSAMapRequests OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CM has transmitted an SA Map Request message for this IP.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of



Green, et al.               Standards Track                    [Page 26]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.10."
           ::= { docsBpi2CmIpMulticastMapEntry 6 }

      docsBpi2CmIpMulticastSAMapReplies  OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CM has received an SA Map Reply message for this IP.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.11."
           ::= { docsBpi2CmIpMulticastMapEntry 7 }

      docsBpi2CmIpMulticastSAMapRejects  OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CM has received an SA MAP Reject message for this IP.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.12."
           ::= { docsBpi2CmIpMulticastMapEntry 8 }

      docsBpi2CmIpMulticastSAMapRejectErrorCode    OBJECT-TYPE
           SYNTAX         INTEGER {
                          none(1),
                          unknown(2),
                          noAuthForRequestedDSFlow(9),
                          dsFlowNotMappedToSA(10)
                          }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION



Green, et al.               Standards Track                    [Page 27]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                "The value of this object is the enumerated
           description of the Error-Code in the most recent SA Map
           Reject message sent in response to an SA Map Request for
           This IP.  It has the value none(1) if no SA MAP Reject
           message has been received since entry creation."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.12 and 4.2.2.15."
           ::= { docsBpi2CmIpMulticastMapEntry 9 }

      docsBpi2CmIpMulticastSAMapRejectErrorString  OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in
           the most recent SA Map Reject message sent in response to
           an SA Map Request for this IP.  It is a zero length string
           if no SA Map Reject message has been received since entry
           creation."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.12 and 4.2.2.6."
           ::= { docsBpi2CmIpMulticastMapEntry 10 }

      --
      -- CM Cert Objects
      --

      docsBpi2CmCertObjects OBJECT IDENTIFIER
           ::= { docsBpi2CmObjects 4 }

      --
      -- CM Device Cert Table
      --

      docsBpi2CmDeviceCertTable  OBJECT-TYPE
           SYNTAX                SEQUENCE OF DocsBpi2CmDeviceCertEntry
           MAX-ACCESS            not-accessible
           STATUS                current
           DESCRIPTION
                "This table describes the Baseline Privacy Plus
           device certificates for each CM MAC interface."
           ::= { docsBpi2CmCertObjects 1 }

      docsBpi2CmDeviceCertEntry  OBJECT-TYPE
           SYNTAX              DocsBpi2CmDeviceCertEntry
           MAX-ACCESS          not-accessible



Green, et al.               Standards Track                    [Page 28]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           STATUS              current
           DESCRIPTION
                "Each entry contains the device certificates of
           one CM MAC interface.  An entry in this table exists for
           each ifEntry with an ifType of docsCableMaclayer(127)."
           INDEX               { ifIndex }
           ::= { docsBpi2CmDeviceCertTable 1 }

      DocsBpi2CmDeviceCertEntry ::= SEQUENCE {
           docsBpi2CmDeviceCmCert
                                 DocsX509ASN1DEREncodedCertificate,
           docsBpi2CmDeviceManufCert
                                 DocsX509ASN1DEREncodedCertificate
           }

      docsBpi2CmDeviceCmCert   OBJECT-TYPE
           SYNTAX        DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS         read-write
           STATUS              current
           DESCRIPTION
                "The X509 DER-encoded cable modem certificate.
           Note:  This object can be set only when the value is the
           zero-length OCTET STRING; otherwise, an error of
           'inconsistentValue' is returned.  Once the object
           contains the certificate, its access MUST be read-only
           and persists after re-initialization of the
           managed system."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.1."
           ::= { docsBpi2CmDeviceCertEntry 1 }

      docsBpi2CmDeviceManufCert     OBJECT-TYPE
           SYNTAX         DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The X509 DER-encoded manufacturer certificate that
           signed the cable modem certificate."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.1."
           ::= { docsBpi2CmDeviceCertEntry 2 }

      --
      -- CM Crypto Suite Table
      --




Green, et al.               Standards Track                    [Page 29]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      docsBpi2CmCryptoSuiteTable    OBJECT-TYPE
           SYNTAX         SEQUENCE OF    DocsBpi2CmCryptoSuiteEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "This table describes the Baseline Privacy Plus
           cryptographic suite capabilities for each CM MAC
           interface."
           ::= { docsBpi2CmObjects 5 }

      docsBpi2CmCryptoSuiteEntry    OBJECT-TYPE
           SYNTAX         DocsBpi2CmCryptoSuiteEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "Each entry contains a cryptographic suite pair
           that this CM MAC supports."
           INDEX     { ifIndex, docsBpi2CmCryptoSuiteIndex }
           ::= { docsBpi2CmCryptoSuiteTable 1 }

      DocsBpi2CmCryptoSuiteEntry ::= SEQUENCE {
           docsBpi2CmCryptoSuiteIndex              Unsigned32,
           docsBpi2CmCryptoSuiteDataEncryptAlg
                                       DocsBpkmDataEncryptAlg,
           docsBpi2CmCryptoSuiteDataAuthentAlg
                                       DocsBpkmDataAuthentAlg
           }

      docsBpi2CmCryptoSuiteIndex OBJECT-TYPE
           SYNTAX         Unsigned32 (1..1000)
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The index for a cryptographic suite row."
           ::= { docsBpi2CmCryptoSuiteEntry 1 }

      docsBpi2CmCryptoSuiteDataEncryptAlg     OBJECT-TYPE
           SYNTAX    DocsBpkmDataEncryptAlg
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the data encryption
           algorithm for this cryptographic suite capability."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           ::= { docsBpi2CmCryptoSuiteEntry 2 }




Green, et al.               Standards Track                    [Page 30]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      docsBpi2CmCryptoSuiteDataAuthentAlg     OBJECT-TYPE
           SYNTAX    DocsBpkmDataAuthentAlg
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the data authentication
           algorithm for this cryptographic suite capability."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           ::= { docsBpi2CmCryptoSuiteEntry 3 }

      -- Cable Modem Termination System Group

   docsBpi2CmtsObjects OBJECT IDENTIFIER ::= { docsBpi2MIBObjects 2 }

      --
      -- SPECIAL NOTE:  For the following CMTS tables, when a CM is
      -- running in BPI mode, replace SAID (Security Association ID)
      -- with SID (Service ID).  The CMTS is required to map SAIDs and
      -- SIDs to one contiguous space.
      --

      --
      -- The BPI+ base table for CMTSs, indexed by ifIndex
      --

      docsBpi2CmtsBaseTable    OBJECT-TYPE
           SYNTAX              SEQUENCE OF    DocsBpi2CmtsBaseEntry
           MAX-ACCESS          not-accessible
           STATUS              current
           DESCRIPTION
                "This table describes the basic Baseline Privacy
           attributes of each CMTS MAC interface."
           ::= { docsBpi2CmtsObjects 1 }

      docsBpi2CmtsBaseEntry    OBJECT-TYPE
           SYNTAX              DocsBpi2CmtsBaseEntry
           MAX-ACCESS          not-accessible
           STATUS              current
           DESCRIPTION
                "Each entry contains objects describing attributes of
           one CMTS MAC interface.  An entry in this table exists for
           each ifEntry with an ifType of docsCableMaclayer(127)."
           INDEX     { ifIndex }
           ::= { docsBpi2CmtsBaseTable 1 }

      DocsBpi2CmtsBaseEntry ::= SEQUENCE {



Green, et al.               Standards Track                    [Page 31]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           docsBpi2CmtsDefaultAuthLifetime              Integer32,
           docsBpi2CmtsDefaultTEKLifetime               Integer32,
           docsBpi2CmtsDefaultSelfSignedManufCertTrust  INTEGER,
               docsBpi2CmtsCheckCertValidityPeriods         TruthValue,
               docsBpi2CmtsAuthentInfos                     Counter32,
               docsBpi2CmtsAuthRequests                     Counter32,
               docsBpi2CmtsAuthReplies                      Counter32,
               docsBpi2CmtsAuthRejects                      Counter32,
               docsBpi2CmtsAuthInvalids                     Counter32,
               docsBpi2CmtsSAMapRequests                    Counter32,
               docsBpi2CmtsSAMapReplies                     Counter32,
               docsBpi2CmtsSAMapRejects                     Counter32
               }

      docsBpi2CmtsDefaultAuthLifetime    OBJECT-TYPE
           SYNTAX         Integer32 (1..6048000)
           UNITS          "seconds"
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
                "The value of this object is the default lifetime, in
           seconds, that the CMTS assigns to a new authorization key.
           This object value persists after re-initialization of the
           managed system."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.2."
           DEFVAL { 604800 }
           ::= { docsBpi2CmtsBaseEntry 1 }

      docsBpi2CmtsDefaultTEKLifetime     OBJECT-TYPE
           SYNTAX         Integer32 (1..604800)
           UNITS          "seconds"
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
                "The value of this object is the default lifetime, in
           seconds, that the CMTS assigns to a new Traffic Encryption
           Key (TEK).
           This object value persists after re-initialization of the
           managed system."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Appendix A.2."
           DEFVAL { 43200 }
           ::= { docsBpi2CmtsBaseEntry 2 }

      docsBpi2CmtsDefaultSelfSignedManufCertTrust  OBJECT-TYPE



Green, et al.               Standards Track                    [Page 32]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           SYNTAX    INTEGER {
                     trusted (1),
                     untrusted (2)
                     }
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
                "This object determines the default trust of
           self-signed manufacturer certificate entries, contained
           in docsBpi2CmtsCACertTable, and created after this
           object is set.
           This object need not persist after re-initialization
           of the managed system."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.1"
           ::= { docsBpi2CmtsBaseEntry 3 }

      docsBpi2CmtsCheckCertValidityPeriods    OBJECT-TYPE
           SYNTAX         TruthValue
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
                "Setting this object to 'true' causes all chained and
           root certificates in the chain to have their validity
           periods checked against the current time of day, when
           the CMTS receives an Authorization Request from the
           CM.
           A 'false' setting causes all certificates in the chain
           not to have their validity periods checked against the
           current time of day.
           This object need not persist after re-initialization
           of the managed system."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.2"
           ::= { docsBpi2CmtsBaseEntry 4 }

      docsBpi2CmtsAuthentInfos OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has received an Authentication Information message
           from any CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other



Green, et al.               Standards Track                    [Page 33]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.9."
           ::= { docsBpi2CmtsBaseEntry 5 }

      docsBpi2CmtsAuthRequests OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                   "The value of this object is the number of times the
           CMTS has received an Authorization Request message from any
           CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.1."
           ::= { docsBpi2CmtsBaseEntry 6 }

      docsBpi2CmtsAuthReplies  OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                  "The value of this object is the number of times the
           CMTS has transmitted an Authorization Reply message to any
           CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.2."
           ::= { docsBpi2CmtsBaseEntry 7 }

      docsBpi2CmtsAuthRejects  OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                   "The value of this object is the number of times the
           CMTS has transmitted an Authorization Reject message to any



Green, et al.               Standards Track                    [Page 34]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.3."
           ::= { docsBpi2CmtsBaseEntry 8 }

      docsBpi2CmtsAuthInvalids OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                    "The value of this object is the number of times
           the CMTS has transmitted an Authorization Invalid message
           to any CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.7."
           ::= { docsBpi2CmtsBaseEntry 9 }

      docsBpi2CmtsSAMapRequests     OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has received an SA Map Request message from any CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.10."
           ::= { docsBpi2CmtsBaseEntry 10 }

      docsBpi2CmtsSAMapReplies OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION



Green, et al.               Standards Track                    [Page 35]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                "The value of this object is the number of times the
           CMTS has transmitted an SA Map Reply message to any CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.11."
           ::= { docsBpi2CmtsBaseEntry 11 }

      docsBpi2CmtsSAMapRejects OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has transmitted an SA Map Reject message to any CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.12."
           ::= { docsBpi2CmtsBaseEntry 12 }

      --
      -- The CMTS Authorization Table, indexed by ifIndex and CM MAC
      -- address
      --

      docsBpi2CmtsAuthTable    OBJECT-TYPE
           SYNTAX         SEQUENCE OF    DocsBpi2CmtsAuthEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "This table describes the attributes of each CM
           authorization association.  The CMTS maintains one
           authorization association with each Baseline Privacy-
           enabled CM, registered on each CMTS MAC interface,
           regardless of whether the CM is authorized or rejected."
           ::= { docsBpi2CmtsObjects 2 }

      docsBpi2CmtsAuthEntry    OBJECT-TYPE
           SYNTAX              DocsBpi2CmtsAuthEntry
           MAX-ACCESS          not-accessible
           STATUS              current



Green, et al.               Standards Track                    [Page 36]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           DESCRIPTION
                "Each entry contains objects describing attributes of
           one authorization association.  The CMTS MUST create one
           entry per CM per MAC interface, based on the receipt of an
           Authorization Request message, and MUST not delete the
           entry until the CM loses registration."
           INDEX     { ifIndex, docsBpi2CmtsAuthCmMacAddress }
           ::= { docsBpi2CmtsAuthTable 1 }

      DocsBpi2CmtsAuthEntry ::= SEQUENCE {
           docsBpi2CmtsAuthCmMacAddress        MacAddress,
           docsBpi2CmtsAuthCmBpiVersion        INTEGER,
           docsBpi2CmtsAuthCmPublicKey         OCTET STRING,
           docsBpi2CmtsAuthCmKeySequenceNumber Integer32,
           docsBpi2CmtsAuthCmExpiresOld        DateAndTime,
           docsBpi2CmtsAuthCmExpiresNew        DateAndTime,
           docsBpi2CmtsAuthCmLifetime          Integer32,
           docsBpi2CmtsAuthCmReset             INTEGER,
           docsBpi2CmtsAuthCmInfos             Counter32,
           docsBpi2CmtsAuthCmRequests          Counter32,
           docsBpi2CmtsAuthCmReplies           Counter32,
           docsBpi2CmtsAuthCmRejects           Counter32,
           docsBpi2CmtsAuthCmInvalids          Counter32,
           docsBpi2CmtsAuthRejectErrorCode     INTEGER,
           docsBpi2CmtsAuthRejectErrorString   SnmpAdminString,
           docsBpi2CmtsAuthInvalidErrorCode    INTEGER,
           docsBpi2CmtsAuthInvalidErrorString  SnmpAdminString,
           docsBpi2CmtsAuthPrimarySAId         DocsSAIdOrZero,
           docsBpi2CmtsAuthBpkmCmCertValid     INTEGER,
           docsBpi2CmtsAuthBpkmCmCert
                                DocsX509ASN1DEREncodedCertificate,
           docsBpi2CmtsAuthCACertIndexPtr      Unsigned32
           }

      docsBpi2CmtsAuthCmMacAddress  OBJECT-TYPE
           SYNTAX         MacAddress
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The value of this object is the physical address of
           the CM to which the authorization association applies."
           ::= { docsBpi2CmtsAuthEntry 1 }

      docsBpi2CmtsAuthCmBpiVersion  OBJECT-TYPE
           SYNTAX         INTEGER {
                            bpi (0),
                            bpiPlus (1)
                             }



Green, et al.               Standards Track                    [Page 37]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the version of Baseline
           Privacy for which this CM has registered.  The value
           'bpiplus' represents the value of BPI-Version Attribute of
           the Baseline Privacy Key Management BPKM attribute
           BPI-Version (1).  The value 'bpi' is used to represent the
           CM registered using DOCSIS 1.0 Baseline Privacy."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.22; ANSI/SCTE 22-2 2002(formerly DSS 02-03)
           Data-Over-Cable Service Interface Specification DOCSIS 1.0
           Baseline Privacy Interface (BPI)"
           ::= { docsBpi2CmtsAuthEntry 2 }

      docsBpi2CmtsAuthCmPublicKey   OBJECT-TYPE
           SYNTAX         OCTET STRING (SIZE (0..524))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is a DER-encoded
           RSAPublicKey ASN.1 type string, as defined in the RSA
           Encryption Standard (PKCS #1), corresponding to the
           public key of the CM.  This is the zero-length OCTET
           STRING if the CMTS does not retain the public key."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.4."
           ::= { docsBpi2CmtsAuthEntry 3 }

      docsBpi2CmtsAuthCmKeySequenceNumber     OBJECT-TYPE
           SYNTAX         Integer32 (0..15)
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the most recent
           authorization key sequence number for this CM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.2 and 4.2.2.10."
           ::= { docsBpi2CmtsAuthEntry 4 }

      docsBpi2CmtsAuthCmExpiresOld  OBJECT-TYPE
           SYNTAX         DateAndTime
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION



Green, et al.               Standards Track                    [Page 38]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                "The value of this object is the actual clock time
           for expiration of the immediate predecessor of the most
           recent authorization key for this FSM.  If this FSM has only
           one authorization key, then the value is the time of
           activation of this FSM.
           Note: This object has no meaning for CMs running in BPI
           mode; therefore, this object is not instantiated for entries
           associated to those CMs."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.2 and 4.2.2.9."
           ::= { docsBpi2CmtsAuthEntry 5 }

      docsBpi2CmtsAuthCmExpiresNew  OBJECT-TYPE
           SYNTAX         DateAndTime
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                     "The value of this object is the actual clock
           time for expiration of the most recent authorization key
           for this FSM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.2 and 4.2.2.9."
           ::= { docsBpi2CmtsAuthEntry 6 }

      docsBpi2CmtsAuthCmLifetime    OBJECT-TYPE
           SYNTAX         Integer32 (1..6048000)
           UNITS          "seconds"
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
                "The value of this object is the lifetime, in seconds,
           that the CMTS assigns to an authorization key for this CM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.2 and Appendix A.2."
           ::= { docsBpi2CmtsAuthEntry 7 }

      docsBpi2CmtsAuthCmReset  OBJECT-TYPE
           SYNTAX    INTEGER   {
                               noResetRequested(1),
                               invalidateAuth(2),
                               sendAuthInvalid(3),
                               invalidateTeks(4)
                               }
           MAX-ACCESS     read-write
           STATUS         current



Green, et al.               Standards Track                    [Page 39]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           DESCRIPTION
                "Setting this object to invalidateAuth(2) causes the
           CMTS to invalidate the current CM authorization key(s), but
           not to transmit an Authorization Invalid message nor to
           invalidate the primary SAID's TEKs.  Setting this object to
           sendAuthInvalid(3) causes the CMTS to invalidate the
           current CM authorization key(s), and to transmit an
           Authorization Invalid message to the CM, but not to
           invalidate the primary SAID's TEKs.  Setting this object to
           invalidateTeks(4) causes the CMTS to invalidate the current
           CM authorization key(s), to transmit an Authorization
           Invalid message to the CM, and to invalidate the TEKs
           associated with this CM's primary SAID.
           For BPI mode, substitute all of the CM's unicast
           TEKs for the primary SAID's TEKs in the previous
           paragraph.
           Reading this object returns the most recently set
           value of this object or, if the object has not been set
           since entry creation, returns noResetRequested(1)."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.1.2.3.4, 4.1.2.3.5, and 4.1.3.3.5."
           ::= { docsBpi2CmtsAuthEntry 8 }

      docsBpi2CmtsAuthCmInfos       OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has received an Authentication Information message
           from this CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.9."
           ::= { docsBpi2CmtsAuthEntry 9 }

      docsBpi2CmtsAuthCmRequests    OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has received an Authorization Request message from



Green, et al.               Standards Track                    [Page 40]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           this CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.1."
           ::= { docsBpi2CmtsAuthEntry 10 }

      docsBpi2CmtsAuthCmReplies     OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has transmitted an Authorization Reply message to this
           CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.2."
           ::= { docsBpi2CmtsAuthEntry 11 }

      docsBpi2CmtsAuthCmRejects     OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has transmitted an Authorization Reject message to
           this CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.3."
           ::= { docsBpi2CmtsAuthEntry 12 }

      docsBpi2CmtsAuthCmInvalids    OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current



Green, et al.               Standards Track                    [Page 41]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has transmitted an Authorization Invalid message to
           this CM.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.7."
           ::= { docsBpi2CmtsAuthEntry 13 }

      docsBpi2CmtsAuthRejectErrorCode    OBJECT-TYPE
           SYNTAX         INTEGER {
                                  none(1),
                                  unknown(2),
                                  unauthorizedCm(3),
                                  unauthorizedSaid(4),
                                  permanentAuthorizationFailure(8),
                                  timeOfDayNotAcquired(11)
                                  }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the enumerated
           description of the Error-Code in the most recent
           Authorization Reject message transmitted to the CM.  This has
           the value unknown(2) if the last Error-Code value was 0 and
           none(1) if no Authorization Reject message has been
           transmitted to the CM since entry creation."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.3 and 4.2.2.15."
           ::= { docsBpi2CmtsAuthEntry 14 }

      docsBpi2CmtsAuthRejectErrorString  OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in the
           most recent Authorization Reject message transmitted to the
           CM.  This is a zero length string if no Authorization
           Reject message has been transmitted to the CM since entry
           creation."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,



Green, et al.               Standards Track                    [Page 42]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           Sections 4.2.1.3 and 4.2.2.6."
           ::= { docsBpi2CmtsAuthEntry 15 }

      docsBpi2CmtsAuthInvalidErrorCode   OBJECT-TYPE
           SYNTAX         INTEGER {
                                  none(1),
                                  unknown(2),
                                  unauthorizedCm(3),
                                  unsolicited(5),
                                  invalidKeySequence(6),
                                  keyRequestAuthenticationFailure(7)
                                  }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the enumerated
           description of the Error-Code in the most recent
           Authorization Invalid message transmitted to the CM.  This
           has the value unknown(2) if the last Error-Code value was 0
           and none(1) if no Authorization Invalid message has been
           transmitted to the CM since entry creation."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.7 and 4.2.2.15."
           ::= { docsBpi2CmtsAuthEntry 16 }

      docsBpi2CmtsAuthInvalidErrorString OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in the
           most recent Authorization Invalid message transmitted to
           the CM.  This is a zero length string if no Authorization
           Invalid message has been transmitted to the CM since entry
           creation."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.7 and 4.2.2.6."
           ::= { docsBpi2CmtsAuthEntry 17 }

      docsBpi2CmtsAuthPrimarySAId   OBJECT-TYPE
           SYNTAX         DocsSAIdOrZero
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the Primary Security
           Association identifier.  For BPI mode, the value must be



Green, et al.               Standards Track                    [Page 43]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           any unicast SID."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 2.1.3."
           ::= { docsBpi2CmtsAuthEntry 18 }

      docsBpi2CmtsAuthBpkmCmCertValid         OBJECT-TYPE
           SYNTAX    INTEGER {
                             unknown (0),
                             validCmChained (1),
                             validCmTrusted (2),
                             invalidCmUntrusted (3),
                             invalidCAUntrusted (4),
                             invalidCmOther (5),
                             invalidCAOther (6)
                             }
           MAX-ACCESS     read-only
           STATUS    current
           DESCRIPTION
                "Contains the reason why a CM's certificate is deemed
           valid or invalid.
           Return unknown(0) if the CM is running BPI mode.
           ValidCmChained(1) means the certificate is valid
              because it chains to a valid certificate.
           ValidCmTrusted(2) means the certificate is valid
              because it has been provisioned (in the
              docsBpi2CmtsProvisionedCmCert table) to be trusted.
           InvalidCmUntrusted(3) means the certificate is invalid
              because it has been provisioned (in the
              docsBpi2CmtsProvisionedCmCert table) to be untrusted.
           InvalidCAUntrusted(4) means the certificate is invalid
              because it chains to an untrusted certificate.
           InvalidCmOther(5) and InvalidCAOther(6) refer to
              errors in parsing, validity periods, etc., which are
              attributable to the CM certificate or its chain,
              respectively; additional information may be found
              in docsBpi2AuthRejectErrorString for these types
              of errors."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.2."
           ::= { docsBpi2CmtsAuthEntry 19 }

      docsBpi2CmtsAuthBpkmCmCert    OBJECT-TYPE
           SYNTAX         DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION



Green, et al.               Standards Track                    [Page 44]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                "The X509 CM Certificate sent as part of a BPKM
           Authorization Request.
           Note: The zero-length OCTET STRING must be returned if the
           Entire certificate is not retained in the CMTS."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2."
           ::= { docsBpi2CmtsAuthEntry 20 }

      docsBpi2CmtsAuthCACertIndexPtr    OBJECT-TYPE
           SYNTAX         Unsigned32 (0..4294967295)
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "A row index into docsBpi2CmtsCACertTable.
                 Returns the index in docsBpi2CmtsCACertTable to which
                 CA certificate this CM is chained to.  A value of
                 0 means it could not be found or not applicable."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2."
           ::= { docsBpi2CmtsAuthEntry 21 }

      --
      -- The CMTS TEK Table, indexed by ifIndex and SAID
      --

      docsBpi2CmtsTEKTable     OBJECT-TYPE
           SYNTAX         SEQUENCE OF    DocsBpi2CmtsTEKEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "This table describes the attributes of each
           Traffic Encryption Key (TEK) association.  The CMTS
           Maintains one TEK association per SAID on each CMTS MAC
           interface."
           ::= { docsBpi2CmtsObjects 3 }

      docsBpi2CmtsTEKEntry     OBJECT-TYPE
           SYNTAX         DocsBpi2CmtsTEKEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "Each entry contains objects describing attributes of
           one TEK association on a particular CMTS MAC interface.  The
           CMTS MUST create one entry per SAID per MAC interface,
           based on the receipt of a Key Request message, and MUST not
           delete the entry before the CM authorization for the SAID



Green, et al.               Standards Track                    [Page 45]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           permanently expires."
           INDEX     { ifIndex, docsBpi2CmtsTEKSAId }
           ::= { docsBpi2CmtsTEKTable 1 }

      DocsBpi2CmtsTEKEntry ::= SEQUENCE {
           docsBpi2CmtsTEKSAId                DocsSAId,
           docsBpi2CmtsTEKSAType              DocsBpkmSAType,
           docsBpi2CmtsTEKDataEncryptAlg      DocsBpkmDataEncryptAlg,
           docsBpi2CmtsTEKDataAuthentAlg      DocsBpkmDataAuthentAlg,
           docsBpi2CmtsTEKLifetime            Integer32,
           docsBpi2CmtsTEKKeySequenceNumber   Integer32,
           docsBpi2CmtsTEKExpiresOld          DateAndTime,
           docsBpi2CmtsTEKExpiresNew          DateAndTime,
           docsBpi2CmtsTEKReset               TruthValue,
           docsBpi2CmtsKeyRequests            Counter32,
           docsBpi2CmtsKeyReplies             Counter32,
           docsBpi2CmtsKeyRejects             Counter32,
           docsBpi2CmtsTEKInvalids            Counter32,
           docsBpi2CmtsKeyRejectErrorCode     INTEGER,
           docsBpi2CmtsKeyRejectErrorString   SnmpAdminString,
           docsBpi2CmtsTEKInvalidErrorCode    INTEGER,
           docsBpi2CmtsTEKInvalidErrorString  SnmpAdminString
      }

      docsBpi2CmtsTEKSAId OBJECT-TYPE
           SYNTAX         DocsSAId
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The value of this object is the DOCSIS Security
           Association ID (SAID)."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.12."
           ::= { docsBpi2CmtsTEKEntry 1 }

      docsBpi2CmtsTEKSAType    OBJECT-TYPE
           SYNTAX         DocsBpkmSAType
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the type of security
           association.  'dynamic' does not apply to CMs running in
           BPI mode.  Unicast BPI TEKs must utilize the 'primary'
           encoding, and multicast BPI TEKs must utilize the 'static'
           encoding."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,



Green, et al.               Standards Track                    [Page 46]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           Section 2.1.3."
           ::= { docsBpi2CmtsTEKEntry 2 }

      docsBpi2CmtsTEKDataEncryptAlg OBJECT-TYPE
           SYNTAX    DocsBpkmDataEncryptAlg
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the data encryption
           algorithm for this SAID."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           ::= { docsBpi2CmtsTEKEntry 3 }

      docsBpi2CmtsTEKDataAuthentAlg OBJECT-TYPE
           SYNTAX    DocsBpkmDataAuthentAlg
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the data authentication
           algorithm for this SAID."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           ::= { docsBpi2CmtsTEKEntry 4 }

      docsBpi2CmtsTEKLifetime  OBJECT-TYPE
           SYNTAX         Integer32 (1..604800)
           UNITS          "seconds"
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
                "The value of this object is the lifetime, in
           seconds, that the CMTS assigns to keys for this TEK
           association."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.5 and Appendix A.2."
           ::= { docsBpi2CmtsTEKEntry 5 }


      docsBpi2CmtsTEKKeySequenceNumber   OBJECT-TYPE
           SYNTAX              Integer32 (0..15)
           MAX-ACCESS          read-only
           STATUS              current
           DESCRIPTION
                "The value of this object is the most recent TEK



Green, et al.               Standards Track                    [Page 47]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           key sequence number for this SAID."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.2.10 and 4.2.2.13."
           ::= { docsBpi2CmtsTEKEntry 6 }

      docsBpi2CmtsTEKExpiresOld     OBJECT-TYPE
           SYNTAX         DateAndTime
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the actual clock time
           for expiration of the immediate predecessor of the most
           recent TEK for this FSM.  If this FSM has only one TEK, then
           the value is the time of activation of this FSM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.5 and 4.2.2.9."
           ::= { docsBpi2CmtsTEKEntry 7 }

      docsBpi2CmtsTEKExpiresNew     OBJECT-TYPE
           SYNTAX         DateAndTime
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the actual clock time
           for expiration of the most recent TEK for this FSM."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.5 and 4.2.2.9."
           ::= { docsBpi2CmtsTEKEntry 8 }

      docsBpi2CmtsTEKReset     OBJECT-TYPE
           SYNTAX         TruthValue
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
                "Setting this object to 'true' causes the CMTS to
           invalidate all currently active TEKs and to generate new
           TEKs for the associated SAID; the CMTS MAY also generate
           unsolicited TEK Invalid messages, to optimize the TEK
           synchronization between the CMTS and the CM(s).  Reading
           this object always returns FALSE."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.1.3.3.5."
           ::= { docsBpi2CmtsTEKEntry 9 }




Green, et al.               Standards Track                    [Page 48]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      docsBpi2CmtsKeyRequests  OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has received a Key Request message.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.4."
           ::= { docsBpi2CmtsTEKEntry 10 }

      docsBpi2CmtsKeyReplies   OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has transmitted a Key Reply message.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.5."
           ::= { docsBpi2CmtsTEKEntry 11 }

      docsBpi2CmtsKeyRejects   OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has transmitted a Key Reject message.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.6."
           ::= { docsBpi2CmtsTEKEntry 12 }




Green, et al.               Standards Track                    [Page 49]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      docsBpi2CmtsTEKInvalids  OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has transmitted a TEK Invalid message.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.8."
           ::= { docsBpi2CmtsTEKEntry 13 }

      docsBpi2CmtsKeyRejectErrorCode     OBJECT-TYPE
           SYNTAX         INTEGER {
                                  none(1),
                                  unknown(2),
                                  unauthorizedSaid(4)
                                  }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the enumerated
           description of the Error-Code in the most recent Key Reject
           message sent in response to a Key Request for this SAID.
           This has the value unknown(2) if the last Error-Code value
           was 0 and none(1) if no Key Reject message has been
           received since registration."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.6 and 4.2.2.15."
           ::= { docsBpi2CmtsTEKEntry 14 }

      docsBpi2CmtsKeyRejectErrorString   OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in
           the most recent Key Reject message sent in response to a
           Key Request for this SAID.  This is a zero length string if
           no Key Reject message has been received since
           registration."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,



Green, et al.               Standards Track                    [Page 50]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           Sections 4.2.1.6 and 4.2.2.6."
           ::= { docsBpi2CmtsTEKEntry 15 }

      docsBpi2CmtsTEKInvalidErrorCode    OBJECT-TYPE
           SYNTAX         INTEGER {
                                  none(1),
                                  unknown(2),
                                  invalidKeySequence(6)
                                  }
           MAX-ACCESS          read-only
           STATUS              current
           DESCRIPTION
                "The value of this object is the enumerated
           description of the Error-Code in the most recent TEK
           Invalid message sent in association with this SAID.  This
           has the value unknown(2) if the last Error-Code value was 0
           and none(1) if no TEK Invalid message has been received
           since registration."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.8 and 4.2.2.15."
           ::= { docsBpi2CmtsTEKEntry 16 }

      docsBpi2CmtsTEKInvalidErrorString  OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in
           the most recent TEK Invalid message sent in association
           with this SAID.  This is a zero length string if no TEK
           Invalid message has been received since registration."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.8 and 4.2.2.6."
           ::= { docsBpi2CmtsTEKEntry 17 }

      --
      -- The CMTS Multicast Objects Group
      --

      docsBpi2CmtsMulticastObjects OBJECT IDENTIFIER
           ::= { docsBpi2CmtsObjects 4 }

      --
      -- The CMTS IP Multicast Mapping Table, indexed by
      -- docsBpi2CmtsIpMulticastIndex, and by ifIndex
      --



Green, et al.               Standards Track                    [Page 51]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      docsBpi2CmtsIpMulticastMapTable         OBJECT-TYPE
           SYNTAX         SEQUENCE OF DocsBpi2CmtsIpMulticastMapEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "This table maps multicast IP addresses to SAIDs.
           If a multicast IP address is mapped by multiple rows
           in the table, the row with the lowest
           docsBpi2CmtsIpMulticastIndex must be utilized for the
           mapping."
           ::= { docsBpi2CmtsMulticastObjects 1 }

      docsBpi2CmtsIpMulticastMapEntry         OBJECT-TYPE
           SYNTAX         DocsBpi2CmtsIpMulticastMapEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "Each entry contains objects describing the mapping of
           a set of multicast IP address and the mask to one SAID
           associated to a CMTS MAC Interface, as well as associated
           message counters and error information."
           INDEX     { ifIndex, docsBpi2CmtsIpMulticastIndex }
           ::= { docsBpi2CmtsIpMulticastMapTable 1 }

      DocsBpi2CmtsIpMulticastMapEntry ::= SEQUENCE {
           docsBpi2CmtsIpMulticastIndex            Unsigned32,
           docsBpi2CmtsIpMulticastAddressType      InetAddressType,
           docsBpi2CmtsIpMulticastAddress          InetAddress,
           docsBpi2CmtsIpMulticastMask             InetAddress,
           docsBpi2CmtsIpMulticastSAId             DocsSAIdOrZero,
           docsBpi2CmtsIpMulticastSAType           DocsBpkmSAType,
           docsBpi2CmtsIpMulticastDataEncryptAlg
                                           DocsBpkmDataEncryptAlg,
           docsBpi2CmtsIpMulticastDataAuthentAlg
                                           DocsBpkmDataAuthentAlg,
           docsBpi2CmtsIpMulticastSAMapRequests    Counter32,
           docsBpi2CmtsIpMulticastSAMapReplies     Counter32,
           docsBpi2CmtsIpMulticastSAMapRejects     Counter32,
           docsBpi2CmtsIpMulticastSAMapRejectErrorCode
                                                      INTEGER,
           docsBpi2CmtsIpMulticastSAMapRejectErrorString
                                                      SnmpAdminString,
           docsBpi2CmtsIpMulticastMapControl          RowStatus,
           docsBpi2CmtsIpMulticastMapStorageType      StorageType
           }

      docsBpi2CmtsIpMulticastIndex       OBJECT-TYPE
           SYNTAX         Unsigned32 (1..4294967295)



Green, et al.               Standards Track                    [Page 52]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The index of this row.  Conceptual rows having the
           value 'permanent' need not allow write-access to any
           columnar objects in the row."
           ::= { docsBpi2CmtsIpMulticastMapEntry 1 }

      docsBpi2CmtsIpMulticastAddressType OBJECT-TYPE
           SYNTAX         InetAddressType
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "The type of Internet address for
           docsBpi2CmtsIpMulticastAddress
           and docsBpi2CmtsIpMulticastMask."
           DEFVAL { ipv4 }
           ::= { docsBpi2CmtsIpMulticastMapEntry 2 }

      docsBpi2CmtsIpMulticastAddress          OBJECT-TYPE
           SYNTAX         InetAddress
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "This object represents the IP multicast address
           to be mapped, in conjunction with
           docsBpi2CmtsIpMulticastMask.  The type of this address is
           determined by the value of the object
           docsBpi2CmtsIpMulticastAddressType."
           ::= { docsBpi2CmtsIpMulticastMapEntry 3 }

      docsBpi2CmtsIpMulticastMask        OBJECT-TYPE
           SYNTAX         InetAddress
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "This object represents the IP multicast address mask
           for this row.
           An IP multicast address matches this row if the logical
           AND of the address with docsBpi2CmtsIpMulticastMask is
           identical to the logical AND of
           docsBpi2CmtsIpMulticastAddr with
           docsBpi2CmtsIpMulticastMask.  The type of this address is
           determined by the value of the object
           docsBpi2CmtsIpMulticastAddressType.
           Note: For IPv6, this object need not represent a
           contiguous netmask; e.g., to associate a SAID to a
           multicast group matching 'any' multicast scope.  The TC



Green, et al.               Standards Track                    [Page 53]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           InetAddressPrefixLength is not used, as it only
           represents contiguous netmask."
           ::= { docsBpi2CmtsIpMulticastMapEntry 4 }

      docsBpi2CmtsIpMulticastSAId        OBJECT-TYPE
           SYNTAX         DocsSAIdOrZero
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "This object represents the multicast SAID to be
           used in this IP multicast address mapping entry."
           ::= { docsBpi2CmtsIpMulticastMapEntry 5 }

      docsBpi2CmtsIpMulticastSAType OBJECT-TYPE
           SYNTAX         DocsBpkmSAType
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "The value of this object is the type of security
           association.  'dynamic' does not apply to CMs running in
           BPI mode.  Unicast BPI TEKs must utilize the 'primary'
           encoding, and multicast BPI TEKs must utilize the 'static'
           encoding.  By default, SNMP created entries set this object
           to 'static' if not set at row creation."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 2.1.3."
           ::= { docsBpi2CmtsIpMulticastMapEntry 6 }

      docsBpi2CmtsIpMulticastDataEncryptAlg   OBJECT-TYPE
           SYNTAX    DocsBpkmDataEncryptAlg
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "The value of this object is the data encryption
           algorithm for this IP."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           DEFVAL { des56CbcMode }
           ::= { docsBpi2CmtsIpMulticastMapEntry 7 }

      docsBpi2CmtsIpMulticastDataAuthentAlg   OBJECT-TYPE
           SYNTAX    DocsBpkmDataAuthentAlg
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "The value of this object is the data authentication



Green, et al.               Standards Track                    [Page 54]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           algorithm for this IP."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.2.20."
           DEFVAL { none }
           ::= { docsBpi2CmtsIpMulticastMapEntry 8 }

      docsBpi2CmtsIpMulticastSAMapRequests    OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has received an SA Map Request message for this IP.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.10."
           ::= { docsBpi2CmtsIpMulticastMapEntry 9 }

      docsBpi2CmtsIpMulticastSAMapReplies     OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has transmitted an SA Map Reply message for this IP.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.11."
           ::= { docsBpi2CmtsIpMulticastMapEntry 10 }

      docsBpi2CmtsIpMulticastSAMapRejects     OBJECT-TYPE
           SYNTAX         Counter32
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the number of times the
           CMTS has transmitted an SA Map Reject message for this IP.
           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other



Green, et al.               Standards Track                    [Page 55]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           times as indicated by the value of
           ifCounterDiscontinuityTime."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 4.2.1.12."
           ::= { docsBpi2CmtsIpMulticastMapEntry 11 }

      docsBpi2CmtsIpMulticastSAMapRejectErrorCode  OBJECT-TYPE
           SYNTAX         INTEGER {
                                  none(1),
                                  unknown(2),
                                  noAuthForRequestedDSFlow(9),
                                  dsFlowNotMappedToSA(10)
                                  }
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the enumerated
           description of the Error-Code in the most recent SA Map
           Reject message sent in response to an SA Map Request for
           this IP.  It has the value unknown(2) if the last Error-Code
           Value was 0 and none(1) if no SA MAP Reject message has
           been received since entry creation."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.12 and 4.2.2.15."
           ::= { docsBpi2CmtsIpMulticastMapEntry 12 }

      docsBpi2CmtsIpMulticastSAMapRejectErrorString     OBJECT-TYPE
           SYNTAX         SnmpAdminString (SIZE (0..128))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The value of this object is the text string in
           the most recent SA Map Reject message sent in response to
           an SA Map Request for this IP.  It is a zero length string
           if no SA Map Reject message has been received since entry
           creation."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections 4.2.1.12 and 4.2.2.6."
           ::= { docsBpi2CmtsIpMulticastMapEntry 13 }

      docsBpi2CmtsIpMulticastMapControl  OBJECT-TYPE
           SYNTAX         RowStatus
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION



Green, et al.               Standards Track                    [Page 56]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                "This object controls and reflects the IP multicast
           address mapping entry.  There is no restriction on the
           ability to change values in this row while the row is
           active.
           A created row can be set to active only after the
           Corresponding instances of docsBpi2CmtsIpMulticastAddress,
           docsBpi2CmtsIpMulticastMask, docsBpi2CmtsIpMulticastSAId,
           and docsBpi2CmtsIpMulticastSAType have all been set."
           ::= { docsBpi2CmtsIpMulticastMapEntry 14 }

      docsBpi2CmtsIpMulticastMapStorageType     OBJECT-TYPE
           SYNTAX         StorageType
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The storage type for this conceptual row.
           Conceptual rows having the value 'permanent' need not allow
           write-access to any columnar objects in the row."
           ::= { docsBpi2CmtsIpMulticastMapEntry 15 }

      --
      -- The CMTS Multicast SAID Authorization Table,
      -- indexed by ifIndex by
      -- multicast SAID by CM MAC address
      --

      docsBpi2CmtsMulticastAuthTable          OBJECT-TYPE
           SYNTAX         SEQUENCE OF DocsBpi2CmtsMulticastAuthEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "This table describes the multicast SAID
           authorization for each CM on each CMTS MAC interface."
           ::= { docsBpi2CmtsMulticastObjects 2 }

      docsBpi2CmtsMulticastAuthEntry          OBJECT-TYPE
           SYNTAX         DocsBpi2CmtsMulticastAuthEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "Each entry contains objects describing the key
           authorization of one cable modem for one multicast SAID
           for one CMTS MAC interface.
           Row entries persist after re-initialization of
           the managed system."
           INDEX     { ifIndex, docsBpi2CmtsMulticastAuthSAId,
                  docsBpi2CmtsMulticastAuthCmMacAddress }
           ::= { docsBpi2CmtsMulticastAuthTable 1 }



Green, et al.               Standards Track                    [Page 57]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      DocsBpi2CmtsMulticastAuthEntry ::= SEQUENCE
           {
           docsBpi2CmtsMulticastAuthSAId                DocsSAId,
           docsBpi2CmtsMulticastAuthCmMacAddress        MacAddress,
           docsBpi2CmtsMulticastAuthControl             RowStatus
           }

      docsBpi2CmtsMulticastAuthSAId OBJECT-TYPE
           SYNTAX         DocsSAId
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "This object represents the multicast SAID for
           authorization."
           ::= { docsBpi2CmtsMulticastAuthEntry 1 }

      docsBpi2CmtsMulticastAuthCmMacAddress   OBJECT-TYPE
           SYNTAX         MacAddress
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "This object represents the MAC address of the CM
           to which the multicast SAID authorization applies."
           ::= { docsBpi2CmtsMulticastAuthEntry 2 }

      docsBpi2CmtsMulticastAuthControl   OBJECT-TYPE
           SYNTAX         RowStatus
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "The status of this conceptual row for the
           authorization of multicast SAIDs to CMs."
           ::= { docsBpi2CmtsMulticastAuthEntry 3 }

      --
      -- CMTS Cert Objects
      --

      docsBpi2CmtsCertObjects OBJECT IDENTIFIER
           ::= { docsBpi2CmtsObjects 5 }

      --
      -- CMTS Provisioned CM Cert Table
      --

      docsBpi2CmtsProvisionedCmCertTable OBJECT-TYPE
           SYNTAX         SEQUENCE OF
                           DocsBpi2CmtsProvisionedCmCertEntry



Green, et al.               Standards Track                    [Page 58]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "A table of CM certificate trust entries provisioned
           to the CMTS.  The trust object for a certificate in this
           table has an overriding effect on the validity object of a
           certificate in the authorization table, as long as the
           entire contents of the two certificates are identical."
           ::= { docsBpi2CmtsCertObjects 1 }

      docsBpi2CmtsProvisionedCmCertEntry OBJECT-TYPE
           SYNTAX         DocsBpi2CmtsProvisionedCmCertEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "An entry in the CMTS's provisioned CM certificate
           table.  Row entries persist after re-initialization of
           the managed system."
           REFERENCE
                "Data-Over-Cable Service Interface Specifications:
           Operations Support System Interface Specification
           SP-OSSIv2.0-I05-040407, Section 6.2.14"
           INDEX { docsBpi2CmtsProvisionedCmCertMacAddress }
           ::= { docsBpi2CmtsProvisionedCmCertTable 1 }

      DocsBpi2CmtsProvisionedCmCertEntry ::= SEQUENCE
           {
           docsBpi2CmtsProvisionedCmCertMacAddress MacAddress,
           docsBpi2CmtsProvisionedCmCertTrust      INTEGER,
           docsBpi2CmtsProvisionedCmCertSource     INTEGER,
           docsBpi2CmtsProvisionedCmCertStatus     RowStatus,
           docsBpi2CmtsProvisionedCmCert
                                     DocsX509ASN1DEREncodedCertificate
           }

      docsBpi2CmtsProvisionedCmCertMacAddress OBJECT-TYPE
           SYNTAX         MacAddress
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The index of this row."
           ::= { docsBpi2CmtsProvisionedCmCertEntry 1 }

      docsBpi2CmtsProvisionedCmCertTrust      OBJECT-TYPE
           SYNTAX    INTEGER {
                             trusted(1),
                             untrusted(2)
                             }



Green, et al.               Standards Track                    [Page 59]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           MAX-ACCESS     read-create
           STATUS    current
           DESCRIPTION
                "Trust state for the provisioned CM certificate entry.
           Note: Setting this object need only override the validity
           of CM certificates sent in future authorization requests;
           instantaneous effect need not occur."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.1."
           DEFVAL { untrusted }
           ::= { docsBpi2CmtsProvisionedCmCertEntry 2 }

      docsBpi2CmtsProvisionedCmCertSource     OBJECT-TYPE
           SYNTAX    INTEGER {
                             snmp(1),
                             configurationFile(2),
                             externalDatabase(3),
                             other(4)
                             }
           MAX-ACCESS read-only
           STATUS  current
           DESCRIPTION
                "This object indicates how the certificate reached the
           CMTS.  Other(4) means that it originated from a source not
           identified above."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.1."
           ::= { docsBpi2CmtsProvisionedCmCertEntry 3 }

      docsBpi2CmtsProvisionedCmCertStatus OBJECT-TYPE
           SYNTAX  RowStatus
           MAX-ACCESS read-create
           STATUS  current
           DESCRIPTION
                "The status of this conceptual row.  Values in this row
           cannot be changed while the row is 'active'."
           ::= { docsBpi2CmtsProvisionedCmCertEntry 4 }

      docsBpi2CmtsProvisionedCmCert OBJECT-TYPE
           SYNTAX         DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "An X509 DER-encoded Certificate Authority
           certificate.
           Note: The zero-length OCTET STRING must be returned, on



Green, et al.               Standards Track                    [Page 60]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           reads, if the entire certificate is not retained in the
           CMTS."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2."
           ::= { docsBpi2CmtsProvisionedCmCertEntry 5 }

      --
      -- CMTS CA Cert Table
      --

      docsBpi2CmtsCACertTable OBJECT-TYPE
           SYNTAX         SEQUENCE OF DocsBpi2CmtsCACertEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The table of known Certificate Authority certificates
           acquired by this device."
           ::= { docsBpi2CmtsCertObjects 2 }

      docsBpi2CmtsCACertEntry OBJECT-TYPE
           SYNTAX         DocsBpi2CmtsCACertEntry
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "A row in the Certificate Authority certificate
           table.  Row entries with the trust status 'trusted',
           'untrusted', or 'root' persist after re-initialization
            of the managed system."
           REFERENCE
                "Data-Over-Cable Service Interface Specifications:
           Operations Support System Interface Specification
           SP-OSSIv2.0-I05-040407, Section 6.2.14"
           INDEX   { docsBpi2CmtsCACertIndex }
           ::= {docsBpi2CmtsCACertTable 1 }

      DocsBpi2CmtsCACertEntry ::= SEQUENCE {
           docsBpi2CmtsCACertIndex            Unsigned32,
           docsBpi2CmtsCACertSubject          SnmpAdminString,
           docsBpi2CmtsCACertIssuer           SnmpAdminString,
           docsBpi2CmtsCACertSerialNumber     OCTET STRING,
           docsBpi2CmtsCACertTrust            INTEGER,
           docsBpi2CmtsCACertSource           INTEGER,
           docsBpi2CmtsCACertStatus           RowStatus,
           docsBpi2CmtsCACert
                                 DocsX509ASN1DEREncodedCertificate,
           docsBpi2CmtsCACertThumbprint       OCTET STRING
      }



Green, et al.               Standards Track                    [Page 61]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      docsBpi2CmtsCACertIndex OBJECT-TYPE
           SYNTAX         Unsigned32 (1.. 4294967295)
           MAX-ACCESS     not-accessible
           STATUS         current
           DESCRIPTION
                "The index for this row."
           ::= { docsBpi2CmtsCACertEntry 1 }

      docsBpi2CmtsCACertSubject OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The subject name exactly as it is encoded in the
           X509 certificate.
           The organizationName portion of the certificate's subject
           name must be present.  All other fields are optional.  Any
           optional field present must be prepended with <CR>
           (carriage return, U+000D) <LF> (line feed, U+000A).
           Ordering of fields present must conform to the following:

           organizationName <CR> <LF>
           countryName <CR> <LF>
           stateOrProvinceName <CR> <LF>
           localityName <CR> <LF>
           organizationalUnitName <CR> <LF>
           organizationalUnitName=<Manufacturing Location> <CR> <LF>
           commonName"
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2.4"
           ::= { docsBpi2CmtsCACertEntry 2 }

      docsBpi2CmtsCACertIssuer OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The issuer name exactly as it is encoded in the
           X509 certificate.
           The commonName portion of the certificate's issuer
           name must be present.  All other fields are optional.  Any
           optional field present must be prepended with <CR>
           (carriage return, U+000D) <LF> (line feed, U+000A).
           Ordering of fields present must conform to the following:

           CommonName <CR><LF>
           countryName <CR><LF>



Green, et al.               Standards Track                    [Page 62]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           stateOrProvinceName <CR><LF>
           localityName <CR><LF>
           organizationName <CR><LF>
           organizationalUnitName <CR><LF>
           organizationalUnitName=<Manufacturing Location>"
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2.4"
           ::= { docsBpi2CmtsCACertEntry 3 }

      docsBpi2CmtsCACertSerialNumber OBJECT-TYPE
           SYNTAX         OCTET STRING (SIZE (1..32))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "This CA certificate's serial number, represented as
           an octet string."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.2.2"
           ::= { docsBpi2CmtsCACertEntry 4 }

      docsBpi2CmtsCACertTrust OBJECT-TYPE
           SYNTAX    INTEGER {
                             trusted (1),
                             untrusted (2),
                             chained (3),
                             root (4)
                             }
           MAX-ACCESS     read-create
           STATUS    current
           DESCRIPTION
                "This object controls the trust status of this
           certificate.  Root certificates must be given root(4)
           trust; manufacturer certificates must not be given root(4)
           trust.  Trust on root certificates must not change.
           Note: Setting this object need only affect the validity of
           CM certificates sent in future authorization requests;
           instantaneous effect need not occur."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.1"
           DEFVAL { chained }
           ::= { docsBpi2CmtsCACertEntry 5 }

      docsBpi2CmtsCACertSource OBJECT-TYPE
           SYNTAX    INTEGER {
                     snmp (1),



Green, et al.               Standards Track                    [Page 63]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                     configurationFile (2),
                     externalDatabase (3),
                     other (4),
                     authentInfo (5),
                     compiledIntoCode (6)
                     }
           MAX-ACCESS     read-only
           STATUS    current
           DESCRIPTION
                "This object indicates how the certificate reached
           the CMTS.  Other(4) means that it originated from a source
           not identified above."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.1"
           ::= { docsBpi2CmtsCACertEntry 6 }

      docsBpi2CmtsCACertStatus OBJECT-TYPE
           SYNTAX         RowStatus
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "The status of this conceptual row.  An attempt
           to set writable columnar values while this row is active
           behaves as follows:
           - Sets to the object docsBpi2CmtsCACertTrust are allowed.
           - Sets to the object docsBpi2CmtsCACert will return an
             error of 'inconsistentValue'.
           A newly created entry cannot be set to active until the
           value of docsBpi2CmtsCACert is being set."
           ::= { docsBpi2CmtsCACertEntry 7 }

      docsBpi2CmtsCACert  OBJECT-TYPE
           SYNTAX         DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS     read-create
           STATUS         current
           DESCRIPTION
                "An X509 DER-encoded Certificate Authority
           certificate.
           To help identify certificates, either this object or
           docsBpi2CmtsCACertThumbprint must be returned by a CMTS for
           self-signed CA certificates.

           Note: The zero-length OCTET STRING must be returned, on
           reads, if the entire certificate is not retained in the
           CMTS."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,



Green, et al.               Standards Track                    [Page 64]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           Section 9.2."
           ::= { docsBpi2CmtsCACertEntry 8 }

      docsBpi2CmtsCACertThumbprint OBJECT-TYPE
           SYNTAX         OCTET STRING (SIZE (20))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
                "The SHA-1 hash of a CA certificate.
           To help identify certificates, either this object or
           docsBpi2CmtsCACert must be returned by a CMTS for
           self-signed CA certificates.

           Note: The zero-length OCTET STRING must be returned, on
           reads, if the CA certificate thumb print is not retained
           in the CMTS."
           REFERENCE
                "DOCSIS Baseline Privacy Plus Interface Specification,
           Section 9.4.3"
           ::= { docsBpi2CmtsCACertEntry 9 }

      --
      -- Authenticated Software Download Objects
      --

      --
      -- Note: the authenticated software download objects are a
      -- CM requirement only.
      --

      docsBpi2CodeDownloadControl OBJECT IDENTIFIER
           ::= { docsBpi2MIBObjects 4 }

      docsBpi2CodeDownloadStatusCode     OBJECT-TYPE
           SYNTAX    INTEGER {
                             configFileCvcVerified (1),
                             configFileCvcRejected (2),
                             snmpCvcVerified (3),
                             snmpCvcRejected (4),
                             codeFileVerified (5),
                             codeFileRejected (6),
                             other (7)
                             }
           MAX-ACCESS     read-only
           STATUS    current
           DESCRIPTION
               "The value indicates the result of the latest config
           file CVC verification, SNMP CVC verification, or code file



Green, et al.               Standards Track                    [Page 65]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           verification."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Sections D.3.3.2 and D.3.5.1."
           ::= { docsBpi2CodeDownloadControl 1 }

      docsBpi2CodeDownloadStatusString   OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object indicates the additional
           information to the status code.  The value will include
           the error code and error description, which will be defined
           separately."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.7"
           ::= { docsBpi2CodeDownloadControl 2 }

      docsBpi2CodeMfgOrgName   OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the device manufacturer's
           organizationName."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 3 }

      docsBpi2CodeMfgCodeAccessStart     OBJECT-TYPE
           SYNTAX         DateAndTime  (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the device manufacturer's
           current codeAccessStart value.  This value will always
           refer to Greenwich Mean Time (GMT), and the value
           format must contain TimeZone information (fields 8-10)."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 4 }

      docsBpi2CodeMfgCvcAccessStart OBJECT-TYPE
           SYNTAX         DateAndTime (SIZE(11))



Green, et al.               Standards Track                    [Page 66]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the device manufacturer's
           current cvcAccessStart value.  This value will always
           refer to Greenwich Mean Time (GMT), and the value
           format must contain TimeZone information (fields 8-10)."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 5 }

      docsBpi2CodeCoSignerOrgName   OBJECT-TYPE
           SYNTAX         SnmpAdminString
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the co-signer's
           organizationName.  The value is a zero length string if
           the co-signer is not specified."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 6 }

      docsBpi2CodeCoSignerCodeAccessStart     OBJECT-TYPE
           SYNTAX         DateAndTime (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the co-signer's current
           codeAccessStart value.  This value will always refer to
           Greenwich Mean Time (GMT), and the value format must contain
           TimeZone information (fields 8-10).
           If docsBpi2CodeCoSignerOrgName is a zero
           length string, the value of this object is meaningless."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 7 }

      docsBpi2CodeCoSignerCvcAccessStart OBJECT-TYPE
           SYNTAX         DateAndTime (SIZE(11))
           MAX-ACCESS     read-only
           STATUS         current
           DESCRIPTION
               "The value of this object is the co-signer's current
           cvcAccessStart value.  This value will always refer to



Green, et al.               Standards Track                    [Page 67]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           Greenwich Mean Time (GMT), and the value format must contain
           TimeZone information (fields 8-10).
           If docsBpi2CodeCoSignerOrgName is a zero
           length string, the value of this object is meaningless."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.2.2."
           ::= { docsBpi2CodeDownloadControl 8 }

      docsBpi2CodeCvcUpdate    OBJECT-TYPE
           SYNTAX         DocsX509ASN1DEREncodedCertificate
           MAX-ACCESS     read-write
           STATUS         current
           DESCRIPTION
               "Setting a CVC to this object triggers the device
           to verify the CVC and update the cvcAccessStart values.
           The content of this object is then discarded.
           If the device is not enabled to upgrade codefiles, or if
           the CVC verification fails, the CVC will be rejected.
           Reading this object always returns the zero-length OCTET
           STRING."
           REFERENCE
               "DOCSIS Baseline Privacy Plus Interface Specification,
           Section D.3.3.2.2."
           ::= { docsBpi2CodeDownloadControl 9 }

      --
      -- The BPI+ MIB Conformance Statements (with a placeholder for
      -- notifications)
      --

      docsBpi2Notification     OBJECT IDENTIFIER
           ::= { docsBpi2MIB 0 }
      docsBpi2Conformance OBJECT IDENTIFIER
           ::= { docsBpi2MIB 2 }
      docsBpi2Compliances OBJECT IDENTIFIER
           ::= { docsBpi2Conformance 1 }
      docsBpi2Groups      OBJECT IDENTIFIER
           ::= { docsBpi2Conformance 2 }


      docsBpi2CmCompliance MODULE-COMPLIANCE
           STATUS         current
           DESCRIPTION
                "This is the compliance statement for CMs that
           implement the DOCSIS Baseline Privacy Interface Plus."

           MODULE  -- docsBpi2MIB



Green, et al.               Standards Track                    [Page 68]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           -- unconditionally mandatory group
           MANDATORY-GROUPS {
                  docsBpi2CmGroup,
                  docsBpi2CodeDownloadGroup
           }

      -- constrain on Encryption algorithms
      OBJECT docsBpi2CmTEKDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           DESCRIPTION
                "It is compliant to support des56CbcMode(1) and
           des40CbcMode(2) for data encryption algorithms."

      -- constrain on Integrity algorithms
      OBJECT docsBpi2CmTEKDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           DESCRIPTION
                "It is compliant to not support data message
           authentication algorithms."

      -- constrain on IP addressing
      OBJECT    docsBpi2CmIpMulticastAddressType
           SYNTAX InetAddressType { ipv4(1) }
           DESCRIPTION
                "An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      -- constrain on IP addressing
      OBJECT    docsBpi2CmIpMulticastAddress
           SYNTAX  InetAddress (SIZE(4))
           DESCRIPTION
                "An implementation is only required to support IPv4
           addresses Other address types support may be defined in
           future versions of this MIB module."

      -- constrain on Encryption algorithms
      OBJECT docsBpi2CmCryptoSuiteDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)



Green, et al.               Standards Track                    [Page 69]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                     }
           DESCRIPTION
                "It is compliant to only support des56CbcMode(1)
           and des40CbcMode(2) for data encryption algorithms."

      -- constrain on Integrity algorithms
      OBJECT docsBpi2CmCryptoSuiteDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           DESCRIPTION
                "It is compliant to not support data message
           authentication algorithms."

      ::= { docsBpi2Compliances 1 }


      docsBpi2CmtsCompliance MODULE-COMPLIANCE
           STATUS         current
           DESCRIPTION
                "This is the compliance statement for CMTSs that
           implement the DOCSIS Baseline Privacy Interface Plus."

           MODULE  -- docsBpi2MIB
           -- unconditionally mandatory group
           MANDATORY-GROUPS {
                  docsBpi2CmtsGroup
           }

      -- unconditionally optional group
      GROUP     docsBpi2CodeDownloadGroup
           DESCRIPTION
                "This group is optional for CMTSes.  The implementation
           decision of this group is left to the vendor"

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsDefaultAuthLifetime
           SYNTAX    Integer32 (86400..6048000)
           DESCRIPTION
                "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsDefaultTEKLifetime
           SYNTAX    Integer32 (1800..604800)
           DESCRIPTION



Green, et al.               Standards Track                    [Page 70]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


               "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsAuthCmLifetime
           SYNTAX    Integer32 (86400..6048000)
           DESCRIPTION
               "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on Encryption algorithms

   OBJECT   docsBpi2CmtsTEKDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           DESCRIPTION
                "It is compliant to only support des56CbcMode(1)
           and des40CbcMode(2) for data encryption."

      -- constrain on Integrity algorithms

   OBJECT docsBpi2CmtsTEKDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           DESCRIPTION
                "It is compliant to not support data message
           authentication algorithms."

      -- constrain on mandatory range

      OBJECT    docsBpi2CmtsTEKLifetime
           SYNTAX    Integer32 (1800..604800)
           DESCRIPTION
               "The refined range corresponds to the minimum and
           maximum values in operational networks."

      -- constrain on access
      -- constrain on IP Addressing

      OBJECT    docsBpi2CmtsIpMulticastAddressType
           SYNTAX      InetAddressType { ipv4(1) }
           MIN-ACCESS  read-only
           DESCRIPTION



Green, et al.               Standards Track                    [Page 71]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


               "Write access is not required.
           An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      OBJECT    docsBpi2CmtsIpMulticastAddress
           SYNTAX  InetAddress (SIZE(4))
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      OBJECT    docsBpi2CmtsIpMulticastMask
           SYNTAX  InetAddress (SIZE(4))
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           An implementation is only required to support IPv4
           addresses.  Support for other address types may be defined
           in future versions of this MIB module."

      -- constrain on access

      OBJECT    docsBpi2CmtsIpMulticastSAId
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required."

      OBJECT    docsBpi2CmtsIpMulticastSAType
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required."

      -- constrain on access
      -- constrain on Encryption algorithms

      OBJECT    docsBpi2CmtsIpMulticastDataEncryptAlg
           SYNTAX    DocsBpkmDataEncryptAlg {
                                  none(0),
                                  des56CbcMode(1),
                                  des40CbcMode(2)
                     }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           It is compliant to only support des56CbcMode(1)



Green, et al.               Standards Track                    [Page 72]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


           and des40CbcMode(2) for data encryption"

      -- constrain on access
      -- constrain on Integrity algorithms

      OBJECT    docsBpi2CmtsIpMulticastDataAuthentAlg
           SYNTAX    DocsBpkmDataAuthentAlg {
                                  none(0)
                     }
           MIN-ACCESS  read-only
           DESCRIPTION
               "Write access is not required.
           It is compliant to not support data message
           authentication algorithms."

      -- constrain on access

      OBJECT    docsBpi2CmtsMulticastAuthControl
           MIN-ACCESS  read-only
           DESCRIPTION
          "Write access is not required."

           ::= { docsBpi2Compliances 2 }

      docsBpi2CmGroup     OBJECT-GROUP
           OBJECTS   {
                docsBpi2CmPrivacyEnable,
                docsBpi2CmPublicKey,
                docsBpi2CmAuthState,
                docsBpi2CmAuthKeySequenceNumber,
                docsBpi2CmAuthExpiresOld,
                docsBpi2CmAuthExpiresNew,
                docsBpi2CmAuthReset,
                docsBpi2CmAuthGraceTime,
                docsBpi2CmTEKGraceTime,
                docsBpi2CmAuthWaitTimeout,
                docsBpi2CmReauthWaitTimeout,
                docsBpi2CmOpWaitTimeout,
                docsBpi2CmRekeyWaitTimeout,
                docsBpi2CmAuthRejectWaitTimeout,
                docsBpi2CmSAMapWaitTimeout,
                docsBpi2CmSAMapMaxRetries,
                docsBpi2CmAuthentInfos,
                docsBpi2CmAuthRequests,
                docsBpi2CmAuthReplies,
                docsBpi2CmAuthRejects,
                docsBpi2CmAuthInvalids,
                docsBpi2CmAuthRejectErrorCode,



Green, et al.               Standards Track                    [Page 73]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                docsBpi2CmAuthRejectErrorString,
                docsBpi2CmAuthInvalidErrorCode,
                docsBpi2CmAuthInvalidErrorString,
                docsBpi2CmTEKSAType,
                docsBpi2CmTEKDataEncryptAlg,
                docsBpi2CmTEKDataAuthentAlg,
                docsBpi2CmTEKState,
                docsBpi2CmTEKKeySequenceNumber,
                docsBpi2CmTEKExpiresOld,
                docsBpi2CmTEKExpiresNew,
                docsBpi2CmTEKKeyRequests,
                docsBpi2CmTEKKeyReplies,
                docsBpi2CmTEKKeyRejects,
                docsBpi2CmTEKInvalids,
                docsBpi2CmTEKAuthPends,
                docsBpi2CmTEKKeyRejectErrorCode,
                docsBpi2CmTEKKeyRejectErrorString,
                docsBpi2CmTEKInvalidErrorCode,
                docsBpi2CmTEKInvalidErrorString,
                docsBpi2CmIpMulticastAddressType,
                docsBpi2CmIpMulticastAddress,
                docsBpi2CmIpMulticastSAId,
                docsBpi2CmIpMulticastSAMapState,
                docsBpi2CmIpMulticastSAMapRequests,
                docsBpi2CmIpMulticastSAMapReplies,
                docsBpi2CmIpMulticastSAMapRejects,
                docsBpi2CmIpMulticastSAMapRejectErrorCode,
                docsBpi2CmIpMulticastSAMapRejectErrorString,
                docsBpi2CmDeviceCmCert,
                docsBpi2CmDeviceManufCert,
                docsBpi2CmCryptoSuiteDataEncryptAlg,
                docsBpi2CmCryptoSuiteDataAuthentAlg
                }
           STATUS         current
           DESCRIPTION
                "This collection of objects provides CM BPI+ status
           and control."
      ::= { docsBpi2Groups 1 }

      docsBpi2CmtsGroup   OBJECT-GROUP
           OBJECTS {
                docsBpi2CmtsDefaultAuthLifetime,
                docsBpi2CmtsDefaultTEKLifetime,
                docsBpi2CmtsDefaultSelfSignedManufCertTrust,
                docsBpi2CmtsCheckCertValidityPeriods,
                docsBpi2CmtsAuthentInfos,
                docsBpi2CmtsAuthRequests,
                docsBpi2CmtsAuthReplies,



Green, et al.               Standards Track                    [Page 74]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                docsBpi2CmtsAuthRejects,
                docsBpi2CmtsAuthInvalids,
                docsBpi2CmtsSAMapRequests,
                docsBpi2CmtsSAMapReplies,
                docsBpi2CmtsSAMapRejects,
                docsBpi2CmtsAuthCmBpiVersion,
                docsBpi2CmtsAuthCmPublicKey,
                docsBpi2CmtsAuthCmKeySequenceNumber,
                docsBpi2CmtsAuthCmExpiresOld,
                docsBpi2CmtsAuthCmExpiresNew,
                docsBpi2CmtsAuthCmLifetime,
                docsBpi2CmtsAuthCmReset,
                docsBpi2CmtsAuthCmInfos,
                docsBpi2CmtsAuthCmRequests,
                docsBpi2CmtsAuthCmReplies,
                docsBpi2CmtsAuthCmRejects,
                docsBpi2CmtsAuthCmInvalids,
                docsBpi2CmtsAuthRejectErrorCode,
                docsBpi2CmtsAuthRejectErrorString,
                docsBpi2CmtsAuthInvalidErrorCode,
                docsBpi2CmtsAuthInvalidErrorString,
                docsBpi2CmtsAuthPrimarySAId,
                docsBpi2CmtsAuthBpkmCmCertValid,
                docsBpi2CmtsAuthBpkmCmCert,
                docsBpi2CmtsAuthCACertIndexPtr,
                docsBpi2CmtsTEKSAType,
                docsBpi2CmtsTEKDataEncryptAlg,
                docsBpi2CmtsTEKDataAuthentAlg,
                docsBpi2CmtsTEKLifetime,
                docsBpi2CmtsTEKKeySequenceNumber,
                docsBpi2CmtsTEKExpiresOld,
                docsBpi2CmtsTEKExpiresNew,
                docsBpi2CmtsTEKReset,
                docsBpi2CmtsKeyRequests,
                docsBpi2CmtsKeyReplies,
                docsBpi2CmtsKeyRejects,
                docsBpi2CmtsTEKInvalids,
                docsBpi2CmtsKeyRejectErrorCode,
                docsBpi2CmtsKeyRejectErrorString,
                docsBpi2CmtsTEKInvalidErrorCode,
                docsBpi2CmtsTEKInvalidErrorString,
                docsBpi2CmtsIpMulticastAddressType,
                docsBpi2CmtsIpMulticastAddress,
                docsBpi2CmtsIpMulticastMask,
                docsBpi2CmtsIpMulticastSAId,
                docsBpi2CmtsIpMulticastSAType,
                docsBpi2CmtsIpMulticastDataEncryptAlg,
                docsBpi2CmtsIpMulticastDataAuthentAlg,



Green, et al.               Standards Track                    [Page 75]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


                docsBpi2CmtsIpMulticastSAMapRequests,
                docsBpi2CmtsIpMulticastSAMapReplies,
                docsBpi2CmtsIpMulticastSAMapRejects,
                docsBpi2CmtsIpMulticastSAMapRejectErrorCode,
                docsBpi2CmtsIpMulticastSAMapRejectErrorString,
                docsBpi2CmtsIpMulticastMapControl,
                docsBpi2CmtsIpMulticastMapStorageType,
                docsBpi2CmtsMulticastAuthControl,
                docsBpi2CmtsProvisionedCmCertTrust,
                docsBpi2CmtsProvisionedCmCertSource,
                docsBpi2CmtsProvisionedCmCertStatus,
                docsBpi2CmtsProvisionedCmCert,
                docsBpi2CmtsCACertSubject,
                docsBpi2CmtsCACertIssuer,
                docsBpi2CmtsCACertSerialNumber,
                docsBpi2CmtsCACertTrust,
                docsBpi2CmtsCACertSource,
                docsBpi2CmtsCACertStatus,
                docsBpi2CmtsCACert,
                docsBpi2CmtsCACertThumbprint
                }
           STATUS         current
           DESCRIPTION
                "This collection of objects provides CMTS BPI+ status
           and control."
      ::= { docsBpi2Groups 2 }

      docsBpi2CodeDownloadGroup OBJECT-GROUP
              OBJECTS {
                docsBpi2CodeDownloadStatusCode,
                docsBpi2CodeDownloadStatusString,
                docsBpi2CodeMfgOrgName,
                docsBpi2CodeMfgCodeAccessStart,
                docsBpi2CodeMfgCvcAccessStart,
                docsBpi2CodeCoSignerOrgName,
                docsBpi2CodeCoSignerCodeAccessStart,
                docsBpi2CodeCoSignerCvcAccessStart,
                docsBpi2CodeCvcUpdate
                }
           STATUS         current
           DESCRIPTION
                "This collection of objects provides authenticated
           software download support."
      ::= { docsBpi2Groups 3 }

      END





Green, et al.               Standards Track                    [Page 76]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


4.  Acknowledgements

   Kaz Ozawa: Authenticated Software Download objects and general
              suggestions.

   Rich Woundy: BPI MIB and general MIB expertise.

   Mike St. Johns: BPI MIB and first version of BPI+ MIB.

   Bert Wijnen: Extensive comments in MIB syntax and accuracy.

   Thanks to Mike Sabin and Manson Wong for reviewing early BPI+ MIB
   drafts and to Jean-Francois Mule for contributing to the last
   versions.

5.  Normative References

   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]    McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                "Structure of Management Information Version 2 (SMIv2)",
                STD 58, RFC 2578, April 1999.

   [RFC2579]    McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                "Textual Conventions for SMIv2", STD 58, RFC 2579, April
                1999.

   [RFC2580]    McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                "Conformance Statements for SMIv2", STD 58, RFC 2580,
                April 1999.

   [RFC3411]    Harrington, D., Presuhn, R., and B. Wijnen, "An
                Architecture for Describing Simple Network Management
                Protocol (SNMP) Management Frameworks", STD 62, RFC
                3411, December 2002.

   [RFC4001]    Daniele, M., Haberman, B., Routhier, S., and J.
                Schoenwaelder, "Textual Conventions for Internet Network
                Addresses", RFC 4001, February 2005.

   [RFC2863]    McCloghrie, K. and F. Kastenholz, "The Interfaces Group
                MIB", RFC 2863, June 2000.








Green, et al.               Standards Track                    [Page 77]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


   [RFC2670]    St. Johns, M., "Radio Frequency (RF) Interface
                Management Information Base for MCNS/DOCSIS compliant RF
                interfaces", RFC 2670, August 1999.

   [DOCSIS]     "Data-Over-Cable Service Interface Specifications:
                Baseline Privacy Plus Interface Specification SP-BPI+-
                I11-040407", DOCSIS, April 2004, available at
                http://www.cablemodem.com.
                http://www.cablelabs.com/specifications/archives.

6.  Informative References

   [RFC3083]    Woundy, R., "Baseline Privacy Interface Management
                Information Base for DOCSIS Compliant Cable Modems and
                Cable Modem Termination Systems", RFC 3083, March 2001.

   [RFC3410]    Case, J., Mundy, R., Partain, D., and B. Stewart,
                "Introduction and Applicability Statements for
                Internet-Standard Management Framework", RFC 3410,
                December 2002.

   [RFC3513]    Hinden, R. and S. Deering, "Internet Protocol Version 6
                (IPv6) Addressing Architecture", RFC 3513, April 2003.

   [DOCSIS-1.0] "Data-Over-Cable Service Interface Specifications:
                DOCSIS 1.0 Baseline Privacy Interface (BPI) ANSI/SCTE
                22-2 2202, Available at http://www.scte.org.

   [DOCSIS-1.1] "Data-Over-Cable Service Interface Specifications:
                Operations Support System Interface Specification SP-
                OSSIv1.1-I07-030730", DOCSIS 1.1 July 2003, available at
                http://www.cablemodem.com.
                http://www.cablelabs.com/specifications/archives.

   [DOCSIS-2.0] "Data-Over-Cable Service Interface Specifications:
                Operations Support System Interface Specification SP-
                OSSIv2.0-I05-040407", DOCSIS 2.0 April 2004,
                http://www.cablemodem.com.
                http://www.cablelabs.com/specifications/archives.

   [IANA]       "Protocol Numbers and Assignment Services", IANA,
                http://www.iana.org/assignments/ianaiftype-mib.









Green, et al.               Standards Track                    [Page 78]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


7.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

   - The following objects, if SNMP SET maliciously, could constitute
     denial of service or theft of service attacks or compromise the
     intended data privacy of users:

   Objects related to the Baseline Privacy Key Management (BPKM)

      docsBpi2CmAuthReset,
      docsBpi2CmtsAuthCmReset,
      docsBpi2CmtsTEKReset:
          These objects are used for initiating a re-key process.  A
          malicious massive SET attack may cause CMTS processing
          overload and may compromise the service.

      docsBpi2CmtsDefaultAuthLifetime,
      docsBpi2CmtsDefaultTEKLifetime,
      docsBpi2CmtsAuthCmLifetime,
      docsBpi2CmtsTEKLifetime:
          To minimize the risk of malicious or unintended short periods
          of time when key updates may lead to degradation or denial of
          service, implementers are encouraged to follow these objects'
          range constraints, as defined in the docsBpi2CmtsCompliance
          MODULE-COMPLIANCE clause for operational deployments.

      docsBpi2CmtsDefaultSelfSignedManufCertTrust:
          A malicious SET in a self-signed certificate as reject
          message, which may constitute denial of service.  This object
          is designed for testing purposes; therefore, it is not
          RECOMMENDED for use in commercial deployments [DOCSIS].
          Administrators can make use of View-based Access Control
          (VACM) introduced in section 7.9 of [RFC3410] to restrict
          write access to this object.

      docsBpi2CmtsCheckCertValidityPeriods:
          A malicious SET in this object that enables the period
          validity and a wrong clock time in the CMTS could cause denial
          of service, as CM authorization requests will be rejected.





Green, et al.               Standards Track                    [Page 79]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      For more details in the validation of CM certificates, refer to
      section 9 of [DOCSIS] .

   Objects related to the CM only:

      Objects in docsBpi2CmDeviceCertTable

      docsBpi2CmDeviceCmCert:
          This object is not harmful, considering that a CM received a
          Certificate during the manufacturing process.  Therefore, the
          object access becomes read-only.  See the object DESCRIPTION
          clause in section 3 for details.

      Objects for Secure Software Download in table
      docsBpi2CodeDownloadControl:

      docsBpi2CodeCvcUpdate:
          A malicious SET on this object may not constitute a risk,
          since the CM holds the DOCSIS root key to verify the CVC
          authenticity.  The operator, if configured, could receive a
          notification for event occurrences, which may lead to
          detecting the source of the attack.  Moreover, [DOCSIS]
          recommends that CMs CVC be regularly updated to minimize the
          risk of potential code-signing keys being compromised (e.g.,
          by configuration file).

      Objects related to the CMTS only:

      Objects in docsBpi2CmtsProvisionedCmCertTable and
      docsBpi2CmtsCACertTable containing CM Certificates and Certificate
      Authority information, respectively:

      docsBpi2CmtsProvisionedCmCertTrust,
      docsBpi2CmtsProvisionedCmCertStatus,
      docsBpi2CmtsProvisionedCmCert,
      docsBpi2CmtsCACertStatus,
      docsBpi2CmtsCACert:
          A malicious SET on these objects may constitute a denial of
          service attack that will be experienced after the CMs perform
          authorization requests.  It does not affect CMs in the
          authorized state.

      Objects in multicast tables docsBpi2CmtsIpMulticastMapTable and
      docsBpi2CmtsMulticastAuthTable:

      docsBpi2CmtsIpMulticastAddressType,
      docsBpi2CmtsIpMulticastAddress,
      docsBpi2CmtsIpMulticastMaskType,



Green, et al.               Standards Track                    [Page 80]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      docsBpi2CmtsIpMulticastMask,
      docsBpi2CmtsIpMulticastSAId,
      docsBpi2CmtsIpMulticastSAType:
          Malicious SET on these objects may cause misconfiguration,
          causing interruption of the users' active multicast
          applications.

      docsBpi2CmtsIpMulticastDataEncryptAlg,
      docsBpi2CmtsIpMulticastDataAuthentAlg:
          Malicious SETs on these objects may create service
          misconfiguration, causing service interruption or theft of
          service if encryption algorithms are removed for the multicast
          groups.

      docsBpi2CmtsIpMulticastMapControl,
      docsBpi2CmtsMulticastAuthControl:
          Malicious SETs on these objects may remove and/or disable
          customers and/or multicast groups, causing service disruption.
          This may also constitute theft of service by authorizing non-
          subscribed users to multicast groups or by adding other
          multicast groups in the forward path.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

      Objects in docsBpi2CmBaseTable, docsBpi2CmTEKTable,
      docsBpi2CmtsBaseTable, docsBpi2CmtsAuthTable,
      docsBpi2CmtsTEKTable, docsBpi2CmtsProvisionedCmCertTable, and
      docsBpi2CmtsCACertTable:
          If this information is accessible, attackers may use it to
          distinguish users configured to work without data encryption
          (e.g., docsBpi2CmPrivacyEnable) and to know current Baseline
          Privacy parameters in the network.

      Objects in docsBpi2CmIpMulticastMapTable and
      docsBpi2CmtsMulticastAuthTable:
          In addition to the vulnerabilities around BPI plus multicast
          objects described in the previous part, the read-only objects
          of this table may help attackers monitor the status of the
          intrusion.






Green, et al.               Standards Track                    [Page 81]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


      Objects in docsBpi2CodeDownloadControl:
          In addition to the vulnerability of the read-write object
          docsBpi2CodeCvcUpdate, attackers may be able to monitor the
          status of a denial of service using Secure Software Download.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

   BPI+ Encryption Algorithms:

   The BPI+ Traffic Encryption Keys (TEK) defined in the DOCSIS BPI+
   specification [DOCSIS] use 40-bit or 56-bit DES for encryption (DES
   CBC mode).  Currently, there is no mechanism or algorithm defined for
   data integrity.

   Due to the DES cryptographic weaknesses, future revisions of the
   DOCSIS BPI+ specification should introduce more advanced encryption
   algorithms, as proposed in the DocsBpkmDataEncryptAlg textual
   convention, to overcome the progress in cheaper and faster hardware
   or software decryption tools.  Future revisions of the DOCSIS BPI+
   specification [DOCSIS] should also adopt authentication algorithms,
   as described in the DocsBpkmDataAuthentAlg textual convention.

   It is important to note that frequent key changes do not necessarily
   help in mitigating or reducing the risks of a DES attack.  Indeed,
   the traffic encryption keys, which are configured on a per cable
   modem basis and per BPI+ multicast group, can be utilized to decrypt
   old traffic, even when they are no longer in active use.







Green, et al.               Standards Track                    [Page 82]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


   Note that, not exempt to the same recommendations above, the CM BPI+
   authorization protocol uses triple DES encryption, which offers
   improved robustness in comparison to DES for CM authorization and TEK
   re-key management.

8.  IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER value, recorded in the SMI Numbers registry:

      Descriptor     OBJECT IDENTIFIER Value
      ----------     -----------------------
      docsBpi2MIB    { mib-2 126 }






































Green, et al.               Standards Track                    [Page 83]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


Authors' Addresses

   Stuart M. Green

   EMail: rubbersoul3@yahoo.com


   Kaz Ozawa
   Automotive Systems Development Center
   TOSHIBA CORPORATION
   1-1, Shibaura 1-Chome
   Minato-ku, Tokyo 105-8001
   Japan

   Phone: +81-3-3457-8569
   Fax: +81-3-5444-9325
   EMail: Kazuyoshi.Ozawa@toshiba.co.jp


   Alexander Katsnelson

   Phone: +1-303-680-3924
   EMail: katsnelson6@peoplepc.com


   Eduardo Cardona
   Cable Television Laboratories, Inc.
   858 Coal Creek Circle
   Louisville, CO 80027- 9750
   U.S.A.

   Phone: +1 303 661 9100
   EMail: e.cardona@cablelabs.com


















Green, et al.               Standards Track                    [Page 84]

RFC 4131                  DOCSIS BPI Plus MIB             September 2005


Full Copyright Statement

   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.







Green, et al.               Standards Track                    [Page 85]