docsis/mibs/DOCS-SEC-MIB

DOCS-SEC-MIB DEFINITIONS ::= BEGIN
  IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Unsigned32,
    Counter32
             FROM SNMPv2-SMI          -- RFC 2578
    TEXTUAL-CONVENTION,
    TruthValue,
    MacAddress,
    RowStatus,
    DateAndTime
             FROM SNMPv2-TC           -- RFC 2579
    OBJECT-GROUP,
    MODULE-COMPLIANCE
             FROM SNMPv2-CONF         -- RFC 2580
    SnmpAdminString
             FROM SNMP-FRAMEWORK-MIB  -- RFC 3411
    SnmpTagList
             FROM SNMP-TARGET-MIB     -- RFC 3411
    InetAddressType,
    InetAddress,
    InetAddressPrefixLength
             FROM INET-ADDRESS-MIB    -- RFC 4001
    docsIf3CmtsCmRegStatusEntry,
    docsIf3CmtsCmRegStatusId
             FROM DOCS-IF3-MIB
    clabProjDocsis
             FROM CLAB-DEF-MIB
   docsBpi2CodeDownloadControl
             FROM DOCS-IETF-BPI2-MIB;

docsSecMib MODULE-IDENTITY
     LAST-UPDATED    "201601130000Z" -- January 13, 2016
     ORGANIZATION    "Cable Television Laboratories, Inc."
     CONTACT-INFO
         "
         Postal: Cable Television Laboratories, Inc.
         858 Coal Creek Circle
         Louisville, Colorado 80027-9750
         U.S.A.
         Phone: +1 303-661-9100
         Fax:   +1 303-661-9199
         E-mail: mibs@cablelabs.com"
     DESCRIPTION
        "This MIB module contains the management objects for the
        management of the security requirements in the DOCSIS
        Security Specification."

     REVISION    "201601130000Z" -- January 13, 2016
     DESCRIPTION
             "Modified per CM-OSSIv3.1-N-15.1393-6.
             Deprecate docsBpi2CodeUpdateCvcChain for DOCSIS 3.1
             that was added earlier ECN CM-OSSIv3.1-N-15.1243-1.
             3.1 PKI MIBs moved to DOCS-BPI2EXT-MIB"

     REVISION    "201503260000Z" -- March 26, 2015
    DESCRIPTION
            "Revised Version includes ECN CM-OSSIv3.1-N-15.1243-1
            and published as CM-OSSIv3.1-I03, to support
            docsBpi2CodeUpdateCvcChain for DOCSIS 3.1."

    REVISION    "201001150000Z" -- January 15, 2010
    DESCRIPTION
            "Revised Version includes ECN
            OSSIv3.0-N-09.0872-4
            and published as I11"

    REVISION    "200905290000Z" -- May 29, 2009
    DESCRIPTION
            "Revised Version includes ECNs
            OSSIv3.0-N-09.0773-1
            OSSIv3.0-N-09.0775-3
            OSSIv3.0-N-09.0777-2
            and published as I09"

    REVISION "200702230000Z" -- February 23, 2007
    DESCRIPTION
            "Revised Version includes ECN OSSIv3.0-N-06.0357-1
            and published as IO2"

     REVISION        "200612071700Z" -- December 7, 2006
     DESCRIPTION
        "Initial version, published as part of the CableLabs
        OSSIv3.0 specification CM-SP-OSSIv3.0-I01-061207
        Copyright 1999-2006 Cable Television Laboratories, Inc.
        All rights reserved."
     ::= {  clabProjDocsis 11}

-- Textual Conventions
DocsCvcCaCertificateChain ::= TEXTUAL-CONVENTION
     DISPLAY-HINT "*"
     STATUS      current
     DESCRIPTION
            "A degenerate PKCS7 signedData structure that contains the
            CVC and the CVC CA certificate chain in the certificates
            field."
     SYNTAX      OCTET STRING (SIZE (0..8192))


-- Object Definitions
docsSecMibObjects  OBJECT IDENTIFIER ::= { docsSecMib 1 }

docsSecCmtsServerCfg OBJECT IDENTIFIER ::= { docsSecMibObjects 1 }

docsSecCmtsServerCfgTftpOptions OBJECT-TYPE
     SYNTAX      BITS {
                        hwAddr(0),
                        netAddr(1)
                      }
     MAX-ACCESS  read-write
     STATUS      current
     DESCRIPTION
        "This attribute instructs the CMTS to insert the source
        IP address and/or MAC address of received TFTP packets
        into the TFTP option fields before forwarding
        the packets to the Config File server.
        This attribute is only applicable when the TftpProxyEnabled
        attribute of the MdCfg object is 'true'."
     REFERENCE
        "DOCSIS 3.0 Operations Support System Interface
         Specification CM-SP-OSSIv3.0-I01-061207,
         MdCfg Object Section in the Media Access Control (MAC)
         Requirements Annex."
     DEFVAL { {  } }
     ::= { docsSecCmtsServerCfg 1 }
docsSecCmtsServerCfgConfigFileLearningEnable OBJECT-TYPE
     SYNTAX      TruthValue
     MAX-ACCESS  read-write
     STATUS      current
     DESCRIPTION
        "This attribute enables and disables Configuration
        File Learning functionality.
        If this attribute is set to 'true' the CMTS will respond
        with Authentication Failure in the REG-RSP message
        when there is a mismatch between learned config file
        parameters and REG-REQ parameters. If this attribute
        is set to 'false', the CMTS will not execute config
        file learning and mismatch check.
        This attribute is only applicable when the TftpProxyEnabled
        attribute of the MdCfg object is 'true'."
     REFERENCE
        "DOCSIS 3.0 Operations Support System Interface
         Specification CM-SP-OSSIv3.0-I01-061207,
         MdCfg Object Section in the Media Access Control (MAC)
         Requirements Annex.
         DOCSIS 3.0 Security Specification
         CM-SP-SECv3.0-I01-060804, Secure Provisioning Section.
         DOCSIS 3.0 MAC and Upper Layer Protocols Interface
         Specification CM-SP-MULPIv3.0-I01-060804."
     DEFVAL { true }
     ::= { docsSecCmtsServerCfg 2 }
docsSecCmtsEncrypt OBJECT IDENTIFIER ::= { docsSecMibObjects 2 }
docsSecCmtsEncryptEncryptAlgPriority OBJECT-TYPE
     SYNTAX      SnmpTagList
     MAX-ACCESS  read-write
     STATUS      current
     DESCRIPTION
        "This attribute allows for configuration of a prioritized
        list of encryption algorithms the CMTS will
        use when selecting the primary SAID encryption algorithm
        for a given CM. The CMTS selects the highest priority
        encryption algorithm from this list that the CM
        supports. By default the following encryption algorithms
        are listed from highest to lowest priority (left
        being the highest): 128 bit AES, 56 bit DES, 40 bit
        DES.
        An empty list indicates that the CMTS attempts to use
        the latest and robust encryption algorithm supported
        by the CM. The CMTS will ignore unknown values or unsupported
        algorithms."
     DEFVAL { "aes128CbcMode des56CbcMode des40CbcMode" }
     ::= { docsSecCmtsEncrypt 1 }

docsSecCmtsCmEaeExclusionTable OBJECT-TYPE
     SYNTAX      SEQUENCE OF DocsSecCmtsCmEaeExclusionEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This object defines a list of CMs or CM groups to exclude
        from Early Authentication and Encryption (EAE).
        This object allows overrides to the value of EAE Control
        for individual CMs or group of CMs for purposes
        such as debugging. The CMTS supports a minimum of
        30 instances of the CmtsCmEaeExclusion object.
        This object is only applicable when the EarlyAuthEncryptCtrl
        attribute of the MdCfg object is enabled.

        This object supports the creation and deletion of multiple
        instances."
     REFERENCE
         "DOCSIS 3.0 Operations Support System Interface
         Specification CM-SP-OSSIv3.0-I01-061207,
         MdCfg Object Section in the Media Access Control (MAC)
         Requirements Annex.
         DOCSIS 3.0 Security Specification
         CM-SP-SECv3.0-I01-060804, Early Authentication And
         Encryption (EAE) Section."
     ::= { docsSecMibObjects 3}

docsSecCmtsCmEaeExclusionEntry OBJECT-TYPE
     SYNTAX      DocsSecCmtsCmEaeExclusionEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
         "The conceptual row of docsSecCmtsCmEaeExclusion.
          The CMTS persists all instances of CmtsCmEaeExclusion
          across reinitializations."
     INDEX {
             docsSecCmtsCmEaeExclusionId
           }
     ::= { docsSecCmtsCmEaeExclusionTable 1 }

DocsSecCmtsCmEaeExclusionEntry ::= SEQUENCE {
     docsSecCmtsCmEaeExclusionId
                  Unsigned32,
     docsSecCmtsCmEaeExclusionMacAddr
                  MacAddress,
     docsSecCmtsCmEaeExclusionMacAddrMask
                  MacAddress,
     docsSecCmtsCmEaeExclusionRowStatus
                  RowStatus
     }

docsSecCmtsCmEaeExclusionId OBJECT-TYPE
     SYNTAX      Unsigned32 (1..4294967295)
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This key uniquely identifies the exclusion MAC address
        rule."
     ::= { docsSecCmtsCmEaeExclusionEntry 1 }

docsSecCmtsCmEaeExclusionMacAddr OBJECT-TYPE
     SYNTAX      MacAddress
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "This attribute identifies the CM MAC address. A match
        is made when a CM MAC address bitwise ANDed with the
        MacAddrMask attribute equals the value of this attribute."
     DEFVAL { '000000000000'H }
     ::= { docsSecCmtsCmEaeExclusionEntry 2 }

docsSecCmtsCmEaeExclusionMacAddrMask OBJECT-TYPE
     SYNTAX      MacAddress
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "This attribute identifies the CM MAC address mask
        and is used with the MacAddr attribute."
     DEFVAL { 'FFFFFFFFFFFF'H }
     ::= { docsSecCmtsCmEaeExclusionEntry 3 }

docsSecCmtsCmEaeExclusionRowStatus OBJECT-TYPE
     SYNTAX      RowStatus
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "Controls and reflects the status of rows in this
        table. There is no restriction on changing values in
        a row of this table while the row is active."
     ::= { docsSecCmtsCmEaeExclusionEntry 4 }

docsSecCmtsSavControl OBJECT IDENTIFIER ::= { docsSecMibObjects 4 }

docsSecCmtsSavControlCmAuthEnable OBJECT-TYPE
     SYNTAX      TruthValue
     MAX-ACCESS  read-write
     STATUS      current
     DESCRIPTION
        "This attribute enables or disables Source Address
        Verification (SAV) for CM configured policies in the
        SavCmAuth object. If this attribute is set to 'false',
        the CM configured policies in the SavCmAuth object
        are ignored.
        This attribute is only applicable when the
        SrcAddrVerificationEnabled attribute of the MdCfg object is
        'true'."
     REFERENCE
        "DOCSIS 3.0 Operations Support System Interface
         Specification CM-SP-OSSIv3.0-I01-061207,
         MdCfg Object Section in the Media Access Control (MAC)
         Requirements Annex."
     DEFVAL { true }
     ::= { docsSecCmtsSavControl 1 }

docsSecSavCmAuthTable OBJECT-TYPE
     SYNTAX      SEQUENCE OF DocsSecSavCmAuthEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This object defines a read-only set of SAV policies
        associated with a CM that the CMTS will use in addition
        to the CMTS verification of an operator assigned IP
        Address being associated with a CM. When the CMTS has
        not resolved a source address of a CM CPE, the CMTS verifies
        if the CM CPE is authorized to pass traffic based
        on this object. These object policies include a list
        of subnet prefixes (defined in the SavStaticList
        object) or a SAV Group Name that could reference a CMTS
        configured list of subnet prefixes (defined in SavCfgList
        object) or vendor-specific policies. The CMTS
        populates the attributes of this object for a CM from
        that CM's config file.
        This object is only applicable when the
        SrcAddrVerificationEnabled attribute of the MdCfg object is
        'true' and the CmAuthEnable attribute of the CmtsSavCtrl
        object is 'true'.
        The CMTS is not required to persist instances of this
        object across reinitializations."
     REFERENCE
        "DOCSIS 3.0 Operations Support System Interface
         Specification CM-SP-OSSIv3.0-I01-061207,
         MdCfg Object Section in the Media Access Control (MAC)
         Requirements Annex.
         DOCSIS 3.0 Security Specification
         CM-SP-SECv3.0-I01-060804, Secure Provisioning Section.
         DOCSIS 3.0 MAC and Upper Layer Protocols Interface
         Specification CM-SP-MULPIv3.0-I01-060804,
         Common Radio Frequency Interface Encodings Annex."
     ::= { docsSecMibObjects 5}

docsSecSavCmAuthEntry OBJECT-TYPE
     SYNTAX      DocsSecSavCmAuthEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
         "The conceptual row of docsSecSavCmAuth."
     INDEX {
             docsIf3CmtsCmRegStatusId
           }
     ::= { docsSecSavCmAuthTable 1 }

DocsSecSavCmAuthEntry ::= SEQUENCE {
     docsSecSavCmAuthGrpName
                  SnmpAdminString,
     docsSecSavCmAuthStaticPrefixListId
                  Unsigned32
     }

docsSecSavCmAuthGrpName OBJECT-TYPE
     SYNTAX      SnmpAdminString
     MAX-ACCESS  read-only
     STATUS      current
     DESCRIPTION
        "This attribute references the Name attribute of the
        SavCfgList object of a CM. If the CM signaled group
        name is not configured in the CMTS, the CMTS ignores this
        attribute value for the purpose of Source Address
        Verification. The CMTS must allow the modification
        of the GrpName object and use the updated SAV rules for
        newly discovered CPEs from CMs. When a source IP address
        is claimed by two CMs (e.g., detected as duplicated),
        the CMTS must use the current SAV rules defined
        for both CMs in case the SAV GrpName rules may have been
        updated. In the case of a persisting conflict, it is
        up to vendor-implementation to decide what CM should
        hold the SAV authorization.
        The zero-length string indicates that no SAV Group was
        signaled by the CM. The zero-length value or a non-existing
        reference in the SavCfgList object means the
        SavCfgListName is ignored for the purpose of SAV."
     REFERENCE
         "DOCSIS 3.0 MAC and Upper Layer Protocols Interface
         Specification CM-SP-MULPIv3.0-I01-060804,
         Common Radio Frequency Interface Encodings Annex."
     ::= { docsSecSavCmAuthEntry 1 }

docsSecSavCmAuthStaticPrefixListId OBJECT-TYPE
     SYNTAX      Unsigned32
     MAX-ACCESS  read-only
     STATUS      current
     DESCRIPTION
        "This attribute identifies the reference to a CMTS
        created subnet prefix list based on the CM signaled static
        prefix list TLV elements. The CMTS may reuse this
        attribute value to reference more than one CM when
        those CMs have signaled the same subnet prefix list to
        the CMTS.
        The value zero indicates that no SAV static prefix encodings
        were signaled by the CM."
     ::= { docsSecSavCmAuthEntry 2 }

docsSecSavCfgListTable OBJECT-TYPE
     SYNTAX      SEQUENCE OF DocsSecSavCfgListEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This object defines the CMTS configured subnet prefix
        extension to the SavCmAuth object.
        This object supports the creation and deletion of multiple
        instances.
        Creation of a new instance of this object requires the
        PrefixAddrType and PrefixAddr attributes to be set."
     ::= { docsSecMibObjects 6}

docsSecSavCfgListEntry OBJECT-TYPE
     SYNTAX      DocsSecSavCfgListEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
         "The conceptual row of docsSecSavCfgList.
          The CMTS persists all instances of SavCfgList
          across reinitializations."
     INDEX {
             docsSecSavCfgListName,
             docsSecSavCfgListRuleId
           }
     ::= { docsSecSavCfgListTable 1 }

DocsSecSavCfgListEntry ::= SEQUENCE {
     docsSecSavCfgListName
                  SnmpAdminString,
     docsSecSavCfgListRuleId
                  Unsigned32,
     docsSecSavCfgListPrefixAddrType
                  InetAddressType,
     docsSecSavCfgListPrefixAddr
                  InetAddress,
     docsSecSavCfgListPrefixLen
                  InetAddressPrefixLength,
     docsSecSavCfgListRowStatus
                  RowStatus
     }

docsSecSavCfgListName OBJECT-TYPE
     SYNTAX      SnmpAdminString (SIZE (1..16))
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This attribute is the key that identifies the instance
        of the SavCmAuth object to which this object extension
        belongs."
     ::= { docsSecSavCfgListEntry 1 }

docsSecSavCfgListRuleId OBJECT-TYPE
     SYNTAX      Unsigned32 (1..4294967295)
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This attribute is the key that identifies a particular
        subnet prefix rule of an instance of this object."
     ::= { docsSecSavCfgListEntry 2 }

docsSecSavCfgListPrefixAddrType OBJECT-TYPE
     SYNTAX      InetAddressType
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "This attribute identifies the IP address type of this
        subnet prefix rule."
     ::= { docsSecSavCfgListEntry 3 }

docsSecSavCfgListPrefixAddr OBJECT-TYPE
     SYNTAX      InetAddress
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "This attribute corresponds to the IP address of this
        subnet prefix rule in accordance to the PrefixAddrType
        attribute."
     ::= { docsSecSavCfgListEntry 4 }

docsSecSavCfgListPrefixLen OBJECT-TYPE
     SYNTAX      InetAddressPrefixLength
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "This attribute defines the length of the subnet prefix
        to be matched by this rule."
     ::= { docsSecSavCfgListEntry 5 }

docsSecSavCfgListRowStatus OBJECT-TYPE
     SYNTAX      RowStatus
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "The row creation control of this conceptual row.
        An entry in this table can be set to active
        only when the following attributes are correctly
        assigned:
           PrefixAddrType
           PrefixAddress
        There are no restrictions to modify or delete
        entries in this table."
     ::= { docsSecSavCfgListEntry 6 }



docsSecSavStaticListTable OBJECT-TYPE
     SYNTAX      SEQUENCE OF DocsSecSavStaticListEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This object defines a subnet prefix extension to the
        SavCmAuth object based on CM statically signaled
        subnet prefixes to the CMTS.
        When a CM signals to the CMTS static subnet prefixes,
        the CMTS must create a List Id to be referenced by the CM
        in the SavCmAuth StaticPrefixListId attribute, or
        the CMTS may reference an existing List Id associated
        to previously registered CMs in case of those subnet
        prefixes associated with the List Id match the ones
        signaled by the CM."
     REFERENCE
        "DOCSIS 3.0 MAC and Upper Layer Protocols Interface
        Specification CM-SP-MULPIv3.0-I01-060804,
        Common Radio Frequency Interface Encodings Annex."
     ::= { docsSecMibObjects 7}

docsSecSavStaticListEntry OBJECT-TYPE
     SYNTAX      DocsSecSavStaticListEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
         "The conceptual row of docsSecSavStaticList.
          The CMTS may persist instances of this object
          across reinitializations."
     INDEX {
             docsSecSavStaticListId,
             docsSecSavStaticListRuleId
           }
     ::= { docsSecSavStaticListTable 1 }

DocsSecSavStaticListEntry ::= SEQUENCE {
     docsSecSavStaticListId
                  Unsigned32,
     docsSecSavStaticListRuleId
                  Unsigned32,
     docsSecSavStaticListPrefixAddrType
                  InetAddressType,
     docsSecSavStaticListPrefixAddr
                  InetAddress,
     docsSecSavStaticListPrefixLen
                  InetAddressPrefixLength
     }

docsSecSavStaticListId OBJECT-TYPE
     SYNTAX      Unsigned32 (1..4294967295)
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This key uniquely identifies the index that groups
        multiple subnet prefix rules. The CMTS assigns this
        value per CM or may reuse it among multiple CMs that share
        the same list of subnet prefixes."
     ::= { docsSecSavStaticListEntry 1 }

docsSecSavStaticListRuleId OBJECT-TYPE
     SYNTAX      Unsigned32 (1..4294967295)
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This key identifies a particular static subnet prefix
        rule of an instance of this object."
     ::= { docsSecSavStaticListEntry 2 }

docsSecSavStaticListPrefixAddrType OBJECT-TYPE
     SYNTAX      InetAddressType
     MAX-ACCESS  read-only
     STATUS      current
     DESCRIPTION
        "This attribute identifies the IP address type of this
        subnet prefix rule."
     ::= { docsSecSavStaticListEntry 3 }

docsSecSavStaticListPrefixAddr OBJECT-TYPE
     SYNTAX      InetAddress
     MAX-ACCESS  read-only
     STATUS      current
     DESCRIPTION
        "This attribute corresponds to the IP address of this
        subnet prefix rule in accordance to the PrefixAddrType
        attribute."
     ::= { docsSecSavStaticListEntry 4 }

docsSecSavStaticListPrefixLen OBJECT-TYPE
     SYNTAX      InetAddressPrefixLength
     MAX-ACCESS  read-only
     STATUS      current
     DESCRIPTION
        "This attribute defines the length of the subnet prefix
        to be matched by this rule."
     ::= { docsSecSavStaticListEntry 5 }

docsSecCmtsCmSavStatsTable OBJECT-TYPE
     SYNTAX      SEQUENCE OF DocsSecCmtsCmSavStatsEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This object provides a read-only list of SAV counters
        for different service theft indications."
     ::= { docsSecMibObjects 8}

docsSecCmtsCmSavStatsEntry OBJECT-TYPE
     SYNTAX      DocsSecCmtsCmSavStatsEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
         "The conceptual row of docsSecCmtsCmSavStats."
     AUGMENTS { docsIf3CmtsCmRegStatusEntry }
     ::= { docsSecCmtsCmSavStatsTable 1 }

DocsSecCmtsCmSavStatsEntry ::= SEQUENCE {
     docsSecCmtsCmSavStatsSavDiscards
                  Counter32
     }

docsSecCmtsCmSavStatsSavDiscards OBJECT-TYPE
     SYNTAX      Counter32
     MAX-ACCESS  read-only
     STATUS      current
     DESCRIPTION
        "This attribute provides the information about number
        of dropped upstream packets due to SAV failure."
     ::= { docsSecCmtsCmSavStatsEntry 1 }

docsSecCmtsCertificate OBJECT IDENTIFIER ::= { docsSecMibObjects 9 }

docsSecCmtsCertificateCertRevocationMethod OBJECT-TYPE
     SYNTAX      INTEGER {
                           none(1),
                           crl(2),
                           ocsp(3),
                           crlAndOcsp(4)
                         }
     MAX-ACCESS  read-write
     STATUS      current
     DESCRIPTION
        "This attribute identifies which certificate revocation
        method is to be used by the CMTS to verify the cable
        modem certificate validity. The certificate revocation
        methods include Certification Revocation
        List (CRL) and Online Certificate Status Protocol
        (OCSP).
        The following options are available:
        The option 'none' indicates that the CMTS does not attempt
        to determine the revocation status of a certificate.

        The option 'crl' indicates the CMTS uses a Certificate
        Revocation List (CRL) as defined by the Url attribute
        of the CmtsCertRevocationList object. When the
        value of this attribute is changed to 'crl', it triggers
        the CMTS to retrieve the CRL from the URL specified
        by the Url attribute. If the value of this attribute
        is 'crl' when the CMTS starts up, it triggers the CMTS
        to retrieve the CRL from the URL specified by the Url attribute.

        The option 'ocsp' indicates the CMTS uses the Online
        Certificate Status Protocol (OCSP) as defined by the
        Url attribute of the CmtsOnlineCertStatusProtocol
        object.

        The option 'crlAndOcsp' indicates the CMTS uses both
        the CRL as defined by the Url attribute in the
        CmtsCertRevocationList object and OCSP as defined by the Url
        attribute in the CmtsOnlineCertStatusProtocol
        object.
        The CMTS persists the values of the CertRevocationMethod
        attribute across reinitializations."
     DEFVAL { none }
     ::= { docsSecCmtsCertificate 1 }

docsSecCmtsCertRevocationList OBJECT IDENTIFIER
                                            ::= { docsSecMibObjects 10 }

docsSecCmtsCertRevocationListUrl OBJECT-TYPE
     SYNTAX      SnmpAdminString
     MAX-ACCESS  read-write
     STATUS      current
     DESCRIPTION
        "This attribute contains the URL from where the CMTS
        will retrieve the CRL. When this attribute is set to
        a URL value different from the current value, it triggers
        the CMTS to retrieve the CRL from that URL. If the
        value of this attribute is a zero-length string, the
        CMTS does not attempt to retrieve the CRL.
        The CMTS persists the value of Url across
        reinitializations."
     REFERENCE
         "DOCSIS 3.0 Security Specification
         CM-SP-SECv3.0-I01-060804, BPI+ X.509 Certificate Profile
         and Management Section."
     DEFVAL { "" }
     ::= { docsSecCmtsCertRevocationList 1 }

docsSecCmtsCertRevocationListRefreshInterval OBJECT-TYPE
     SYNTAX      Unsigned32 (1..524160)
     UNITS       "minutes"
     MAX-ACCESS  read-write
     STATUS      current
     DESCRIPTION
        "This attribute contains the refresh interval for
        the CMTS to retrieve the CRL (referred to in the Url attribute)
        with the purpose of updating its Certificate
        Revocation List. This attribute is meaningful if
        the tbsCertList.nextUpdate attribute does not exist
        in the last retrieved CRL, otherwise the value 0 is
        returned.
        The CMTS persists the value of RefreshInterval across
        reinitializations."
     REFERENCE
         "DOCSIS 3.0 Security Specification
         CM-SP-SECv3.0-I01-060804, BPI+ X.509 Certificate Profile
         and Management Section."
     DEFVAL { 10080 }
     ::= { docsSecCmtsCertRevocationList 2 }

docsSecCmtsCertRevocationListLastUpdate OBJECT-TYPE
     SYNTAX      DateAndTime
     MAX-ACCESS  read-only
     STATUS      current
     DESCRIPTION
        "This attribute contains the last date and time when
        the CRL was retrieved by the CMTS.
        If the CRL has not been updated, then this variable
        shall have the value corresponding to January 1, year
        0000, 00:00:00.0, which is encoded as
        (hex)'00 00 01 01 00 00 00 00'."
     ::= { docsSecCmtsCertRevocationList 3 }

docsSecCmtsOnlineCertStatusProtocol OBJECT IDENTIFIER
                                            ::= { docsSecMibObjects 11 }

docsSecCmtsOnlineCertStatusProtocolUrl OBJECT-TYPE
     SYNTAX      SnmpAdminString
     MAX-ACCESS  read-write
     STATUS      current
     DESCRIPTION
        "This attribute contains the URL string to retrieve
        OCSP information. If the value of this attribute is
        a zero-length string, the CMTS does not attempt to request
        the status of a CM certificate.
        The CMTS persists the value of Url across
        reinitializations."
     REFERENCE
         "DOCSIS 3.0 Security Specification
         CM-SP-SECv3.0-I01-060804, BPI+ X.509 Certificate Profile
         and Management Section.
         RFC 2560."
     DEFVAL { "" }
     ::= { docsSecCmtsOnlineCertStatusProtocol 1 }

docsSecCmtsOnlineCertStatusProtocolSignatureBypass OBJECT-TYPE
     SYNTAX      TruthValue
     MAX-ACCESS  read-write
     STATUS      current
     DESCRIPTION
        "This attribute enables or disables signature checking
        on OCSP response messages.
        The CMTS persists the value of SignatureBypass across
        reinitializations."
     REFERENCE
         "DOCSIS 3.0 Security Specification
         CM-SP-SECv3.0-I01-060804, BPI+ X.509 Certificate Profile
         and Management Section.
         RFC 2560."
     DEFVAL { false }
     ::= { docsSecCmtsOnlineCertStatusProtocol 2 }

docsSecCmtsCmBpi2EnforceExclusionTable OBJECT-TYPE
     SYNTAX      SEQUENCE OF DocsSecCmtsCmBpi2EnforceExclusionEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This object defines a list of CMs or CM groups to exclude from
        BPI+ enforcement policies configured within the CMTS. This
        object allows overrides to the value of BPI+ enforcement
        control for individual CMs or group of CMs for purposes such as
        debugging. The CMTS supports a minimum of 30 instances of the
        CmtsCmBpi2EnforceExclusion object.
       This object supports the creation and deletion of multiple
        instances."
     REFERENCE
         "DOCSIS 3.0 Operations Support System Interface
         Specification CM-SP-OSSIv3.0-I11-100115,
         MdCfg Object Section in the Media Access Control (MAC)
         Requirements Annex.
         DOCSIS 3.0 Security Specification
         CM-SP-SECv3.0-I12-100115, BPI+ Enforce Section."
     ::= { docsSecMibObjects 12}

docsSecCmtsCmBpi2EnforceExclusionEntry OBJECT-TYPE
     SYNTAX      DocsSecCmtsCmBpi2EnforceExclusionEntry
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
         "The conceptual row of docsSecCmtsCmBpi2EnforceExclusion.
          The CMTS persists all instances of CmtsCmBpi2EnforceExclusion
          across reinitializations."
     INDEX {
             docsSecCmtsCmBpi2EnforceExclusionId
           }
     ::= { docsSecCmtsCmBpi2EnforceExclusionTable 1 }

DocsSecCmtsCmBpi2EnforceExclusionEntry ::= SEQUENCE {
     docsSecCmtsCmBpi2EnforceExclusionId
                  Unsigned32,
     docsSecCmtsCmBpi2EnforceExclusionMacAddr
                  MacAddress,
     docsSecCmtsCmBpi2EnforceExclusionMacAddrMask
                  MacAddress,
     docsSecCmtsCmBpi2EnforceExclusionRowStatus
                  RowStatus
     }

docsSecCmtsCmBpi2EnforceExclusionId OBJECT-TYPE
     SYNTAX      Unsigned32 (1..4294967295)
     MAX-ACCESS  not-accessible
     STATUS      current
     DESCRIPTION
        "This key uniquely identifies the exclusion MAC address
        rule."
     ::= { docsSecCmtsCmBpi2EnforceExclusionEntry 1 }

docsSecCmtsCmBpi2EnforceExclusionMacAddr OBJECT-TYPE
     SYNTAX      MacAddress
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "This attribute identifies the CM MAC address. A match
        is made when a CM MAC address bitwise ANDed with the
        MacAddrMask attribute equals the value of this attribute."
     DEFVAL { '000000000000'H }
     ::= { docsSecCmtsCmBpi2EnforceExclusionEntry 2 }

docsSecCmtsCmBpi2EnforceExclusionMacAddrMask OBJECT-TYPE
     SYNTAX      MacAddress
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "This attribute identifies the CM MAC address mask
        and is used with the MacAddr attribute."
     DEFVAL { 'FFFFFFFFFFFF'H }
     ::= { docsSecCmtsCmBpi2EnforceExclusionEntry 3 }

docsSecCmtsCmBpi2EnforceExclusionRowStatus OBJECT-TYPE
     SYNTAX      RowStatus
     MAX-ACCESS  read-create
     STATUS      current
     DESCRIPTION
        "Controls and reflects the status of rows in this
        table. There is no restriction on changing values in
        a row of this table while the row is active."
     ::= { docsSecCmtsCmBpi2EnforceExclusionEntry 4 }

--
-- DOCS-IETF-BPI2-MIB extension (deprecated)
--
--
docsBpi2CodeUpdateCvcChain    OBJECT-TYPE
     SYNTAX         DocsCvcCaCertificateChain
     MAX-ACCESS     read-write
     STATUS         deprecated
     DESCRIPTION
         "The value of this object is a degenerate PKCS7 signedData
         structure that contains the CVC and the CVC CA
         certificate chain in the certificates field. Setting
         this object triggers the device to verify the CVC and
         update the cvcAccessStart values. The content of this
         object is then discarded. If the device is not enabled
         to upgrade codefiles, or if the CVC verification fails,
         the CVC will be rejected. Reading this object always
         returns the zero-length OCTET STRING."
     REFERENCE
         "DOCSIS 3.1 Security Specification, CM-SP-SECv3.1-I02-150326,
         Secure Software Download Section"
 ::= { docsBpi2CodeDownloadControl 10 }

-- Conformance Definitions
docsSecMibConformance OBJECT IDENTIFIER ::= { docsSecMib 2 }
docsSecMibCompliances OBJECT IDENTIFIER ::= { docsSecMibConformance 1 }
docsSecMibGroups      OBJECT IDENTIFIER ::= { docsSecMibConformance 2 }

docsSecCompliance MODULE-COMPLIANCE
STATUS      current
DESCRIPTION
        "The compliance statement for CMTSs that implement the DOCSIS
         Security MIB."

    MODULE -- this MODULE
MANDATORY-GROUPS {
     docsSecGroup
     }

::= { docsSecMibCompliances 1 }

docsSecCmCompliance MODULE-COMPLIANCE
STATUS      deprecated
DESCRIPTION
        "The compliance statement for CMs that implement the DOCSIS
         Security MIB."

    MODULE -- this MODULE
    MANDATORY-GROUPS {
     docsSecCmGroup
     }

::= { docsSecMibCompliances 2 }


docsSecGroup OBJECT-GROUP
    OBJECTS {
     docsSecCmtsCertRevocationListUrl,
     docsSecCmtsCertRevocationListRefreshInterval,
     docsSecCmtsCertRevocationListLastUpdate,
     docsSecCmtsOnlineCertStatusProtocolUrl,
     docsSecCmtsOnlineCertStatusProtocolSignatureBypass,
     docsSecCmtsServerCfgTftpOptions,
     docsSecCmtsServerCfgConfigFileLearningEnable,
     docsSecCmtsEncryptEncryptAlgPriority,
     docsSecCmtsSavControlCmAuthEnable,
     docsSecCmtsCmEaeExclusionMacAddr,
     docsSecCmtsCmEaeExclusionMacAddrMask,
     docsSecCmtsCmEaeExclusionRowStatus,
     docsSecSavCmAuthGrpName,
     docsSecSavCmAuthStaticPrefixListId,
     docsSecSavCfgListPrefixAddrType,
     docsSecSavCfgListPrefixAddr,
     docsSecSavCfgListPrefixLen,
     docsSecSavCfgListRowStatus,
     docsSecSavStaticListPrefixAddrType,
     docsSecSavStaticListPrefixAddr,
     docsSecSavStaticListPrefixLen,
     docsSecCmtsCmSavStatsSavDiscards,
     docsSecCmtsCertificateCertRevocationMethod,
     docsSecCmtsCmBpi2EnforceExclusionMacAddr,
     docsSecCmtsCmBpi2EnforceExclusionMacAddrMask,
     docsSecCmtsCmBpi2EnforceExclusionRowStatus
     }
    STATUS      current
    DESCRIPTION
         "Group of objects implemented in the CMTS."
    ::= { docsSecMibGroups 1 }

docsSecCmGroup OBJECT-GROUP
    OBJECTS {
    docsBpi2CodeUpdateCvcChain
    }
    STATUS      deprecated
    DESCRIPTION
         "Group of objects implemented in the CM."
    ::= { docsSecMibGroups 2 }

END