Network Working Group                                          W. Sawyer
Request for Comments: 4036                                    April 2005
Category: Standards Track
Management Information Base for Data Over Cable Service Interface Specification (DOCSIS) Cable Modem Termination Systems for Subscriber Management
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines a set of managed objects for Simple Network Management Protocol (SNMP)-based management of Data-over-Cable Service Interface Specification (DOCSIS)-compliant Cable Modem Termination Systems. These managed objects facilitate protection of the cable network from misuse by subscribers. The Differentiated Services MIB (RFC 3289) provides the filtering functions needed here, making use of classification items defined in this specification.
Table of Contents
   1. The Internet-Standard Management Framework
   2. Conventions
   3. Overview
      3.1. Structure of the MIB
           3.1.1. docsSubMgtFilterGroupTable
           3.1.2. IPv4 Compliance
      3.2. Management Requirements
           3.2.1. Interaction with DOCSIS Provisioning for CPE Address Control
           3.2.2. Interaction with DOCSIS Provisioning for Filtering
           3.2.3. Distinguishing Modem from Subscriber Traffic
      3.3. Relationship to the Differentiated Services MIB [RFC3289]
           3.3.1. Using the Filter Group to Extend Packet Classification
           3.3.2. Interface Usage
      3.4. Filtering and the Tiny Fragment Attack
   4. Definitions
   5. Acknowledgements
   6. IANA Considerations
   7. Normative References
   8. Informative References
   9. Security Considerations
   Author's Address
   Full Copyright Statement
For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [RFC2119].
This MIB module provides a set of objects required for the management of DOCSIS Cable Modem Termination Systems (CMTS). The specification is derived in part from the operational model described in the DOCSIS Radio Frequency Interface Specification [ITU-T-J122]. These managed objects facilitate protection of the cable network from misuse by subscribers. This misuse might include, for example, address spoofing, service spoofing, or operation of unauthorized services.
The following figure illustrates the operational and physical deployment relationships between elements in a cable modem network. This MIB module resides at the CMTS, which is the first point in the public data network at which the cable operator controls physical access. The CMTS (possibly assisted by other IP service devices) acts as a network edge, separating the physical outside-plant cable television network from the operator's IP network.
                    |               operator's IP network
                +------+            ---------------------
                | CMTS |            operator's cable head-end
                +------+            ---------------------
                    |
           +--------+--------+      CATV physical network
           |        |        |
         +----+   +----+   +----+   ------------------
         | CM |   | CM |   | CM |   subscriber premises
         +----+   +----+   +----+   ------------------
           |        |        |
                                    subscriber host or network
This MIB module controls IP packet forwarding to and from each cable modem, at the CMTS. Different modems may be accorded different treatment.
Much of this module duplicates capabilities found in the DOCSIS Cable Device MIB [RFC2669]. Although it is expected that the Cable Device MIB will be used to prevent unwanted traffic from entering the cable network, it is also possible that a malicious user might tamper with cable modem software, disabling its filtering policies. This MIB provides a more secure mechanism, as physical access to the CMTS is controlled by the network operator.
In particular, this MIB provides two capabilities: first, to limit the IP addresses behind a modem, and second, to provide address and protocol filtering to and from a modem. The first duplicates the capabilities of the docsDevCpe group [RFC2669]. This provides for either learned or provisioned subscriber premises host IP addresses behind a cable modem.
The address and protocol filtering capability is similar to that performed by the cable modem itself. It differs in several respects because it is intended to control subscriber traffic at the CMTS, rather than at the individual CM. First, the MIB structure must be indexed appropriately at the CMTS to indicate which cable modem subscriber is intended. Second, rather than maintaining a separate list of filters for each modem at the CMTS, it is assumed that large numbers of modems will share filtering characteristics. Therefore, modems are grouped so as to share common filter lists.
The filtering capability is implemented using the Classification, Counting, and Drop facilities of the Differentiated Services MIB [RFC3289]. In order to provide different filtering for various classes of subscribers, this MIB defines the docsSubMgtFilterGroupTable, which specifies which filters apply to each subscriber packet. This table is used by RFC 3289 as a first pass of classification, and also to choose a second pass of classification using the diffServMultiFieldClfrTable:
   diffServDataPathStart          --> diffServClfrEntry(1)
   diffServClfrElementSpecific(1) --> docsSubMgtFilterGroupIndex
   diffServClfrElementNext(1)     --> diffServClfrEntry(2)
   diffServClfrElementSpecific(2) --> diffServMultiFieldClfrEntry
   diffServClfrElementNext(2)     --> diffServActionEntry (count or algDrop)
Because it is assumed that large numbers of modems will share filtering characteristics, DOCSIS signaling defines filter groups according to which cable modems share common filter lists. The operator creates references to these groups in the diffServClfrElementSpecific(1) entries above.
This MIB is structured in four tables:
o The docsSubMgtCpeControlTable controls the acceptance of subscriber host addresses behind a cable modem.
o The docsSubMgtCpeIpTable monitors the subscriber host addresses that the CMTS believes exist behind the cable modem.
o The docsSubMgtCmFilterTable binds a cable modem to a set of filters in diffServMultiFieldClfrTable.
o The docsSubMgtFilterGroupTable provides the OIDs by which the diffServClfrElementTable selects a filter group.
The docsSubMgtCpeControlTable and docsSubMgtCmFilterTable AUGMENT the docsIfCmtsCmStatusTable from [RFC2670]. Similarly, docsSubMgtCpeIpTable expands this table (an additional index is used). As such, each entry in these tables is bound to a registered cable modem, as perceived by the CMTS.
The docsSubMgtFilterGroupTable links the filter group (signaled by DOCSIS as a small integer) to the diffServClfrElementEntry for the first pass of filter classification. diffServClfrElementSpecific requires a RowPointer. Thus, this table exists to provide referenced objects for diffServClfrElementSpecific. The classification method is as follows:
o Use the DOCSIS filter group, as inferred from the sending or receiving modem, as the classification criterion.
o Use docsSubMgtFilterGroupIndex as the value to match.
An entry exists in this Table if a reference to it exists in diffServClfrElementSpecific.
As such, contrary to common practice, the index for the table is read-only and is both the Entry's index and its only value.
Please note that the compliance statements in this version of the MIB module require support only for IPv4 addresses. That is because the current version of the DOCSIS protocols (1.0, 1.1, and 2.0) are not IPv6 capable. Although support for IPv6 will require changes to the DOCSIS protocols, it is expected that the only changes to the MIB module itself will be the addition of new compliance statements that mandate support for IPv6 addresses. All IP addresses that appear in this document conform to the textual conventions specified in [RFC4001].
The DOCSIS cable modem provisioning model [ITU-T-J122] requires that cable modems use TFTP to acquire a list of parameters. The modem then passes many of these parameters to the CMTS in the DOCSIS Registration message. The parameter values are digitally signed by the creator of the TFTP contents, and the signature is verified by the CMTS. In general, then, the CMTS itself need not be configured with the attributes of its cable modems. It will acquire these values through the Registration process that is secured by the digital signature.
Cable modem subscriber management, as described here, modifies this process slightly to reduce data and to ease administrative control. Filtering criteria, for example, are maintained through SNMP at the CMTS, and the modem registration merely signals the index values for the rows that apply to that modem.
The CMTS creates rows in docsSubMgtCpeControlTable for each modem as a result of the DOCSIS registration process. The DOCSIS registration attributes may include items semantically equivalent to those in the docsDevCpe section of the DOCSIS Cable Device MIB [RFC2669]:
o docsDevCpeEnroll
o docsDevCpeIpMax
o docsDevCpeIp
Successful DOCSIS registration will have the effect of setting the corresponding fields in the docsSubMgtCpeControlTable and the docsSubMgtCpeIpTable. If they are not present at modem registration, the CMTS shall apply the following:
o docsSubMgtCpeControlActive    <-- docsSubMgtCpeActiveDefault
o docsSubMgtCpeControlMaxCpeIp  <-- docsSubMgtCpeMaxIpDefault
o docsSubMgtCpeControlLearnable <-- docsSubMgtCpeLearnableDefault
Rows in docsSubMgtCpeIpTable are created through any of three ways: DOCSIS registration (as described above), learning by the CMTS, or some unspecified administrative mechanism on the CMTS. The docsDevCpeIpMax table bound applies only to the first two.
The CMTS may learn addresses simply by snooping source IP addresses from traffic originating from each cable modem. Other learning mechanisms (for example, ARP snooping) may be used. The learning mechanism is not defined by this document.
Rows in docsSubMgtCmFilterTable are created by the CMTS for each modem as a result of the DOCSIS registration process. The DOCSIS registration attributes may include four indices (see section C.1.1.18.3 of [ITU-T-J122]):
o One identifying the upstream (ingress with respect to the CMTS interface) filter group for packets originating from the cable modem (i.e., those packets whose source MAC address matches that of the cable modem).
o One identifying the upstream filter group for packets originating from subscribers attached to the cable modem (i.e., those packets whose source MAC address does not match that of the cable modem).
o One identifying the downstream (egress with respect to the CMTS interface) filter group for packets destined to the cable modem (i.e., those packets whose destination MAC address matches that of the cable modem).
o One identifying the downstream filter group for packets destined to subscribers attached to the cable modem (i.e., those packets whose destination MAC address does not match that of the cable modem).
Successful registration will have the effect of setting docsSubMgtCmFilterCmDownstream, docsSubMgtCmFilterCmUpstream, docsSubMgtCmFilterSubDownstream, and docsSubMgtCmFilterSubUpstream, for that modem (just as if they were set through the SNMP protocol). If the DOCSIS attributes are not present, the four values are set to zero. The effect will be to use the default entry (diffServClfrElementSpecific=zeroDotZero) specified in the diffServClfrElementTable. Note that omission of the DOCSIS-signaled values results in application of the default filtering entry, not in omission of filtering.
All traffic originating from or destined to a subscriber site is potentially suspect and subject to suppression by the network operator. This is true even if the traffic is ostensibly sourced or sunk by the cable modem itself, rather than by the subscriber hosts behind the modem. To provide more nuanced administrative control, this document allows separate filter policies for modems and hosts. For example, modem policies may limit modems to server subnet-only access while allowing a different scope to subscribers.
The CMTS chooses the filter set to apply based solely on the MAC address (source MAC upstream, destination MAC downstream). If the MAC address matches that of the modem, then the docsSubMgtCmFilterCmUp/Downstream pair is used; otherwise, the docsSubMgtCmFilterSubUp/Downstream pair is applied.
If the CM acts as a router rather than as a DOCSIS bridging forwarder, then the network operator will only use the docsSubMgtCmFilterCmUp/Downstream pair.
DOCSIS CMTSes rely on the classification, counting, and drop facilities of the Differentiated Services MIB to screen subscriber packets for IP, TCP, and UDP characteristics. It is expected that any implementation of this MIB also includes at least the following from RFC 3289:
o diffServDataPathTable
o diffServClfrTable
o diffServClfrElementTable
o diffServMultiFieldClfrTable
o diffServActionTable
o diffServCountActTable
o diffServAlgDropTable (diffServAlgDropType=alwaysDrop)
The corresponding "next-free" objects are also required.
The use of other facilities from RFC 3289 is not precluded but is beyond the scope of this specification.
The base capability of RFC 3289 assumes that all packets on the same direction of the same interface will be classified by the same criteria. Filter Groups, which are introduced in this document, expand on RFC 3289 to allow various subscribers to receive different classification (filtering) treatment. One way to view filter groups is as sub-interfaces within the physical DOCSIS channel. Another way to view them is as values of a field logically prepended to the packet prior to classification:
[filter group][DOCSIS MAC header][IP header]...
Of course this 'logical' field has no existence outside of the CMTS.
The diffServClfrTable and diffServClfrElementTable are then used twice: the first classifiers select among filter groups, using OIDs from docsSubMgtFilterGroupTable. The 'next' action on matching a filter group is to select a diffServClfrEntry that now classifies on IP/TCP/UDP criteria (the diffServMultiFieldClfrTable). The 'next' action on this second match may be a 'count' (and accept), a 'drop', or some other feature from RFC 3289.
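The MAC-based choice of filter group and the two classification passes described above can be modelled as follows. This is an added example, not code from the RFC or from any CMTS implementation; the rule structure, the addresses, the group numbers and the fail-closed fallbacks are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

DEFAULT_GROUP = 0  # value stored when registration signals no filter group


@dataclass(frozen=True)
class CmFilterRow:
    """One modem's docsSubMgtCmFilterTable row (0 = not signalled)."""
    cm_mac: str
    sub_downstream: int = 0
    sub_upstream: int = 0
    cm_downstream: int = 0
    cm_upstream: int = 0


@dataclass(frozen=True)
class MfRule:
    """Simplified stand-in for one multi-field classifier and its next action."""
    dst_net: str
    protocol: Optional[int]  # None matches any IP protocol
    dst_port: Optional[int]  # None matches any port
    action: str              # "count" (and accept) or "drop"


def select_filter_group(row: CmFilterRow, direction: str,
                        src_mac: str, dst_mac: str) -> int:
    """First pass: choose the filter group from the MAC address alone."""
    if direction == "upstream":
        is_modem = src_mac.lower() == row.cm_mac.lower()
        return row.cm_upstream if is_modem else row.sub_upstream
    if direction == "downstream":
        is_modem = dst_mac.lower() == row.cm_mac.lower()
        return row.cm_downstream if is_modem else row.sub_downstream
    raise ValueError("direction must be 'upstream' or 'downstream'")


def classify(filter_lists: Dict[int, List[MfRule]], group: int,
             dst_ip: str, protocol: int, dst_port: int) -> str:
    """Second pass: the first matching rule in the group's list decides."""
    # Assumption: a group with no list of its own uses the default entry.
    rules = filter_lists.get(group, filter_lists[DEFAULT_GROUP])
    for rule in rules:
        if ip_address(dst_ip) not in ip_network(rule.dst_net):
            continue
        if rule.protocol is not None and rule.protocol != protocol:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "drop"  # assumption: nothing matched, so fail closed


# Constructed policy: modems may reach only the server subnet, subscribers
# may reach anything except TCP port 25, and the default entry drops.
FILTER_LISTS = {
    DEFAULT_GROUP: [MfRule("0.0.0.0/0", None, None, "drop")],
    1: [MfRule("10.0.0.0/24", None, None, "count"),
        MfRule("0.0.0.0/0", None, None, "drop")],
    2: [MfRule("0.0.0.0/0", 6, 25, "drop"),
        MfRule("0.0.0.0/0", None, None, "count")],
}
MODEM = CmFilterRow("00:00:5e:00:53:01", sub_upstream=2, cm_upstream=1)
UNPROVISIONED = CmFilterRow("00:00:5e:00:53:02")  # registered without groups
CMTS_MAC = "00:00:5e:00:53:ff"                    # constructed


def handle_upstream(row: CmFilterRow, src_mac: str, dst_ip: str,
                    protocol: int, dst_port: int) -> str:
    """Run both passes for one upstream packet and return its action."""
    group = select_filter_group(row, "upstream", src_mac, CMTS_MAC)
    return classify(FILTER_LISTS, group, dst_ip, protocol, dst_port)
```

A modem that registers without filter group attributes still lands in group 0, so its traffic is handled by the default entry rather than passing unfiltered.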
For the purposes of DOCSIS subscriber management, only the DOCSIS MAC cable interface(s) are used. The interface appears as the index to diffServDataPathEntry, which is the starting point for diffserv MIB table traversal.
The use of the diffserv MIB for other purposes, both on the DOCSIS MAC interfaces and on other network interfaces, is not precluded by this document.
It is recommended that the implementers prevent the "tiny fragment" and "overlapping fragment" attacks for the TCP filtering tables in this MIB, as discussed in RFC 1858 [RFC1858] and RFC 3128 [RFC3128].
Prevention of these attacks can be implemented with the following rules, when filtering is enabled:
o Admit all packets with fragment offset >= 2.
o Discard all packets with fragment offset = 1, or with fragment offset = 0 AND fragment payload length < 16.
o Apply filtering rules to all packets with fragment offset = 0.
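The three rules above, applied to raw IPv4 packets. This is an added example, not code from the RFC; scoping the discard rules to TCP (the text speaks of the TCP filtering tables), dropping malformed headers, and the sample packets are assumptions made here.

```python
import struct
from enum import Enum

TCP = 6              # IPv4 protocol number for TCP
MIN_FIRST_FRAG = 16  # octets required at offset 0: covers the TCP header
                     # through the flags octet and the window field


class Verdict(Enum):
    ADMIT = "admit"      # forward without consulting the filter tables
    DISCARD = "discard"  # drop as a tiny or overlapping fragment
    FILTER = "filter"    # offset 0: evaluate the normal filter rules


def fragment_verdict(packet: bytes) -> Verdict:
    """Apply the three fragment rules to one raw IPv4 packet."""
    if len(packet) < 20:
        return Verdict.DISCARD  # assumption: truncated headers are dropped
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    header_len = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4 != 4 or header_len < 20
            or not header_len <= total_len <= len(packet)):
        return Verdict.DISCARD  # assumption: malformed headers are dropped
    offset = flags_frag & 0x1FFF  # fragment offset, in 8-octet units
    payload_len = total_len - header_len

    if proto != TCP:
        # Assumption: the discard rules protect TCP filters only; other
        # protocols are filtered on the packet that has the transport header.
        return Verdict.FILTER if offset == 0 else Verdict.ADMIT
    if offset >= 2:
        return Verdict.ADMIT    # rule 1: cannot reach the TCP flags
    if offset == 1:
        return Verdict.DISCARD  # rule 2: would overlay octets 8..15
    if payload_len < MIN_FIRST_FRAG:
        return Verdict.DISCARD  # rule 2: flags pushed into a later fragment
    return Verdict.FILTER       # rule 3: full filtering at offset 0


def build_ipv4(proto: int, offset: int, more_fragments: bool,
               payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte header, checksum left at zero."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return header + payload


if __name__ == "__main__":
    samples = {
        "unfragmented TCP": build_ipv4(TCP, 0, False, bytes(20)),
        "tiny first fragment": build_ipv4(TCP, 0, True, bytes(8)),
        "offset 1 fragment": build_ipv4(TCP, 1, False, bytes(12)),
        "later fragment": build_ipv4(TCP, 2, False, bytes(8)),
    }
    for name, pkt in samples.items():
        print(f"{name}: {fragment_verdict(pkt).value}")
```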
DOCS-IETF-SUBMGT-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32, mib-2
        FROM SNMPv2-SMI
    RowStatus, TruthValue, TimeStamp, StorageType
        FROM SNMPv2-TC
    OBJECT-GROUP, MODULE-COMPLIANCE
        FROM SNMPv2-CONF
    InetAddressType, InetAddress
        FROM INET-ADDRESS-MIB
    docsIfCmtsCmStatusIndex, docsIfCmtsCmStatusEntry
        FROM DOCS-IF-MIB -- RFC2670
    diffServMIBDataPathGroup, diffServMIBClfrGroup,
    diffServMIBClfrElementGroup, diffServMIBMultiFieldClfrGroup,
    diffServMIBActionGroup, diffServMIBAlgDropGroup,
    diffServMIBCounterGroup, diffServDataPathStatus,
    diffServClfrStatus, diffServClfrElementStatus,
    diffServMultiFieldClfrAddrType, diffServMultiFieldClfrSrcAddr,
    diffServMultiFieldClfrDstAddr, diffServAlgDropStatus,
    diffServDataPathStorage, diffServClfrStorage,
    diffServClfrElementStorage, diffServMultiFieldClfrStorage,
    diffServActionStorage, diffServCountActStorage,
    diffServAlgDropStorage, diffServAlgDropType
        FROM DIFFSERV-MIB -- RFC3289
    ;
docsSubMgt MODULE-IDENTITY
    LAST-UPDATED    "200503290000Z" -- March 29, 2005
    ORGANIZATION    "IETF IP over Cable Data Network (IPCDN) Working Group"
    CONTACT-INFO
        "        Wilson Sawyer
         Postal: 50 Kelly Brook Lane
                 East Hampstead, NH 03826
                 U.S.A.
         Phone:  +1 603 382 7080
         E-mail: wsawyer@ieee.org

         IETF IPCDN Working Group
         General Discussion: ipcdn@ietf.org
         Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn
         Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn
         Co-chairs: Richard Woundy, Richard_Woundy@cable.comcast.com
                    Jean-Francois Mule, jf.mule@cablelabs.com"
    DESCRIPTION
        "This is the CMTS centric subscriber management MIB for
         DOCSIS-compliant CMTS. It provides the objects to allow a
         Cable Modem Termination operator to control the IP
         addresses and protocols associated with subscribers' cable
         modems.

         Copyright (C) The Internet Society (2005). This version of
         this MIB module is part of RFC 4036; see the RFC itself for
         full legal notices."
    REVISION "200503290000Z" -- March 29, 2005
    DESCRIPTION
        "Initial version, published as RFC 4036. Note that the
         compliance statements in this version apply only to
         implementations that support DOCSIS 1.0/1.1/2.0, which
         are not IPv6-capable."
    ::= { mib-2 125 }
docsSubMgtObjects OBJECT IDENTIFIER ::= { docsSubMgt 1 }
docsSubMgtCpeControlTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF DocsSubMgtCpeControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table AUGMENTs the docsIfCmtsCmStatusTable, adding
         four WRITEable objects, as well as a read-only object, all
         of which reflect the state of subscriber management on a
         particular CM."
    ::= { docsSubMgtObjects 1 }
docsSubMgtCpeControlEntry OBJECT-TYPE
    SYNTAX      DocsSubMgtCpeControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the docsSubMgtCpeControlTable. All values are set
         at successful modem registration, either from the system
         default, or from objects included in the DOCSIS
         registration request sent upstream to the CMTS from the CM.
         The contents of this entry are meaningless unless the
         corresponding docsIfCmtsCmStatusValue (see reference) is
         registrationComplete(6). The persistence of this row is
         determined solely by the lifespan of the corresponding
         docsIfCmtsCmStatusEntry (normally StorageType=volatile)."
    REFERENCE
        "RFC 2670"
    AUGMENTS { docsIfCmtsCmStatusEntry }
    ::= { docsSubMgtCpeControlTable 1 }
DocsSubMgtCpeControlEntry ::= SEQUENCE
    {
    docsSubMgtCpeControlMaxCpeIp    Integer32,
    docsSubMgtCpeControlActive      TruthValue,
    docsSubMgtCpeControlLearnable   TruthValue,
    docsSubMgtCpeControlReset       TruthValue,
    docsSubMgtCpeControlLastReset   TimeStamp
    }
docsSubMgtCpeControlMaxCpeIp OBJECT-TYPE SYNTAX Integer32(0..2147483647) MAX-ACCESS read-write STATUS current DESCRIPTION "The number of simultaneous IP addresses permitted behind the CM. If this is set to zero, all CPE traffic from the CM is dropped. If the provisioning object corresponding to docsSubMgtCpeIpTable includes more CPE IP address entries for this modem than the value of this object, then this object is set to the count of the number of rows in docsSubMgtCpeIpTable that have the same docsIfCmtsCmStatusIndex value. (For example, if the CM has 5 IP addresses specified for it, this value is 5.) This limit applies to learned and DOCSIS-provisioned entries but not to entries added through some administrative process at the CMTS. If not set through DOCSIS provisioning, this object defaults to docsSubMgtCpeMaxIpDefault. Note that this object is only meaningful if docsSubMgtCpeControlActive is true." ::= { docsSubMgtCpeControlEntry 1 }
docsSubMgtCpeControlActive OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Controls the application of subscriber management to this cable modem. If this is set to true, CMTS-based CPE control is active, and all the actions required by the various filter tables and controls apply at the CMTS. If this is set to false, no subscriber management filtering is done at the CMTS (but other filters may apply). If not set through DOCSIS provisioning, this object defaults to docsSubMgtCpeActiveDefault." ::= { docsSubMgtCpeControlEntry 2 }
docsSubMgtCpeControlLearnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "Controls whether the CMTS may learn (and pass traffic for) CPE IP addresses associated with a cable modem. If this is set to true, the CMTS may learn up to docsSubMgtMaxCpeIp addresses (less any DOCSIS-provisioned entries) related to this CM. Those IP addresses are added (by internal process) to the docsSubMgtCpeIpTable. The nature of the learning mechanism is not specified here. If not set through DOCSIS provisioning, this object defaults to docsSubMgtCpeLearnableDefault. Note that this object is only meaningful if docsSubMgtCpeControlActive is true." ::= { docsSubMgtCpeControlEntry 3 }
docsSubMgtCpeControlReset OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object always returns false on read. If this object is set to true, the rows with 'learned' addresses in docsSubMgtCpeIpTable for this CM are deleted from that table." ::= { docsSubMgtCpeControlEntry 4 }
docsSubMgtCpeControlLastReset OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when docsSubMgtCpeControlReset was last set true. Zero if never reset." DEFVAL { 0 } ::= { docsSubMgtCpeControlEntry 5 }
docsSubMgtCpeMaxIpDefault OBJECT-TYPE SYNTAX Integer32(0..2147483647) MAX-ACCESS read-write STATUS current DESCRIPTION "The default value for docsSubMgtCpeControlMaxCpeIp if not signaled in the DOCSIS Registration request. This value should be treated as nonvolatile; if set, its value should persist across device resets." DEFVAL { 16 } ::= { docsSubMgtObjects 2 }
docsSubMgtCpeActiveDefault OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The default value for docsSubMgtCpeControlActive if not signaled in the DOCSIS Registration request. This value should be treated as nonvolatile; if set, its value should persist across device resets." DEFVAL { false } ::= { docsSubMgtObjects 3 }
docsSubMgtCpeLearnableDefault OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The default value for docsSubMgtCpeControlLearnable if not signaled in the DOCSIS Registration request. This value should be treated as nonvolatile; if set, its value should persist across device resets." DEFVAL { true } ::= { docsSubMgtObjects 4 }
docsSubMgtCpeIpTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsSubMgtCpeIpEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of CPE IP addresses known on a per-CM basis." ::= { docsSubMgtObjects 5 }
docsSubMgtCpeIpEntry OBJECT-TYPE SYNTAX DocsSubMgtCpeIpEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the docsSubMgtCpeIpTable. The first index is the specific modem we're referring to, and the second index is the specific CPE IP entry." INDEX { docsIfCmtsCmStatusIndex, docsSubMgtCpeIpIndex } ::= {docsSubMgtCpeIpTable 1 }
DocsSubMgtCpeIpEntry ::= SEQUENCE { docsSubMgtCpeIpIndex Integer32, docsSubMgtCpeIpAddressType InetAddressType, docsSubMgtCpeIpAddr InetAddress, docsSubMgtCpeIpLearned TruthValue }
docsSubMgtCpeIpIndex OBJECT-TYPE SYNTAX Integer32(1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The index of this CPE IP address relative to the indexed CM. An entry is created either through the included CPE IP addresses in the provisioning object, or via learning. If docsSubMgtCpeControlActive is true and a CMTS receives an IP packet from a CM that contains a source IP address that does not match one of the docsSubMgtCpeIpAddr entries for this CM, one of two things occurs. If the number of entries is less than docsSubMgtCpeControlMaxCpeIp, the source address is added to the table and the packet is forwarded. If the number of entries equals the docsSubMgtCpeControlMaxCpeIp, then the packet is dropped." ::= { docsSubMgtCpeIpEntry 1 }
docsSubMgtCpeIpAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-only STATUS current DESCRIPTION "The type of internet address of docsSubMgtCpeIpAddr." ::= { docsSubMgtCpeIpEntry 2 }
docsSubMgtCpeIpAddr OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address either set from provisioning or learned via address gleaning or other forwarding means. See docsSubMgtCpeIpIndex for the mechanism. The type of this address is determined by the value of docsSubMgtCpeIpAddressType." ::= { docsSubMgtCpeIpEntry 3 }
docsSubMgtCpeIpLearned OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-only STATUS current DESCRIPTION "If true, this entry was learned from IP packets sent upstream rather than from the provisioning objects." ::= { docsSubMgtCpeIpEntry 4 }
docsSubMgtCmFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsSubMgtCmFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Binds filter groups to modems, identifying for each modem the upstream and downstream filter groups that apply to packets for that modem. Normally, this table reflects the filter group values signaled by DOCSIS Registration, although values may be overridden by management action. For each of the columns in this table, zero is a distinguished value, indicating that the default filtering action is to be taken rather than that associated with a filter group number. Zero is used if the filter group is not signaled by DOCSIS registration." ::= { docsSubMgtObjects 6 }
docsSubMgtCmFilterEntry OBJECT-TYPE SYNTAX DocsSubMgtCmFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Binds a filter group to each direction of traffic for a modem. The filters in this entry apply if docsSubMgtCpeControlActive is true. The contents of this entry are meaningless unless the corresponding docsIfCmtsCmStatusValue (see reference) is registrationComplete(6). The persistence of this row is determined solely by the lifespan of the corresponding docsIfCmtsCmStatusEntry (normally StorageType=volatile)." REFERENCE "RFC 2670" AUGMENTS { docsIfCmtsCmStatusEntry } ::= {docsSubMgtCmFilterTable 1 }
DocsSubMgtCmFilterEntry ::= SEQUENCE { docsSubMgtCmFilterSubDownstream Integer32, docsSubMgtCmFilterSubUpstream Integer32, docsSubMgtCmFilterCmDownstream Integer32, docsSubMgtCmFilterCmUpstream Integer32 }
docsSubMgtCmFilterSubDownstream OBJECT-TYPE SYNTAX Integer32(0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The filter group applied to traffic destined for subscribers attached to the referenced CM. Upon row creation, this is set either to zero (use default classification, the diffServClfrElementSpecific=zeroDotZero row of diffServClfrElementTable) or to the value in the provisioning object sent upstream from the CM to the CMTS during registration. The value of this object is the same as that of the filter group index appearing as docsSubMgtFilterGroupIndex." ::= { docsSubMgtCmFilterEntry 1 }
docsSubMgtCmFilterSubUpstream OBJECT-TYPE SYNTAX Integer32(0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The filter group applied to traffic originating from subscribers attached to the referenced CM. Upon row creation this is set to either zero (use default classification, the diffServClfrElementSpecific=zeroDotZero row of diffServClfrElementTable), or to the value in the provisioning object sent upstream from the CM to the CMTS. The value of this object is the same as that of the filter group index appearing as docsSubMgtFilterGroupIndex." ::= { docsSubMgtCmFilterEntry 2 }
docsSubMgtCmFilterCmDownstream OBJECT-TYPE SYNTAX Integer32(0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The filter group applied to traffic destined for the referenced CM itself. Upon row creation this is set either to zero (use default classification, the diffServClfrElementSpecific=zeroDotZero row of diffServClfrElementTable), or to the value in the provisioning object sent upstream from the CM to the CMTS during registration. The value of this object is the same as that of the filter group index appearing as docsSubMgtFilterGroupIndex." ::= { docsSubMgtCmFilterEntry 3 }
docsSubMgtCmFilterCmUpstream OBJECT-TYPE SYNTAX Integer32(0..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "The filter group applied to traffic originating from the referenced CM itself. This is set upon row creation to either zero (use default classification, the diffServClfrElementSpecific=zeroDotZero row of diffServClfrElementTable), or to the value in the provisioning object sent upstream from the CM to the CMTS during registration. The value of this object is the same as the filter group index appearing as docsSubMgtFilterGroupIndex." ::= { docsSubMgtCmFilterEntry 4 }
docsSubMgtFilterGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF DocsSubMgtFilterGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Provides a collection of referenceable entries to which diffServClfrElementSpecific refers. This table provides filter group indices that can be compared with those signaled during DOCSIS registration. A packet matches an entry from this table if the packet originated from or is destined to a cable modem that registered this index as one of its four filter groups (see docsSubMgtCmFilterTable), and if the packet direction and MAC address select the use of this index among the four." ::= { docsSubMgtObjects 7 }
docsSubMgtFilterGroupEntry OBJECT-TYPE SYNTAX DocsSubMgtFilterGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry only exists if needed by the diffServClfrElementEntry. A packet matches this entry if the packet's cable modem registered this index as one of its four filter groups (see docsSubMgtCmFilterTable) and if the packet direction and MAC address select the use of this index among the four." INDEX { docsSubMgtFilterGroupIndex } ::= { docsSubMgtFilterGroupTable 1 }
DocsSubMgtFilterGroupEntry ::= SEQUENCE { docsSubMgtFilterGroupIndex Integer32 }
docsSubMgtFilterGroupIndex OBJECT-TYPE SYNTAX Integer32(1..65535) MAX-ACCESS read-only STATUS current DESCRIPTION "The filter group index, from the set signaled at DOCSIS Registration. Provides a referenceable entry to which diffServClfrElementSpecific points. A packet matches this classifier entry if the packet's cable modem registered this index value as one of its four filter groups, and if the packet direction and MAC address select the use of this index among the four. Because this is the only field in this table, it is read-only, contrary to the usual SMI custom of making indices not-accessible. Note that although zero may be signaled (or defaulted) at DOCSIS Registration to indicate a default filtering group, no such entry appears in this table, as diffServClfrElementSpecific will use a zeroDotZero pointer for that classification." ::= { docsSubMgtFilterGroupEntry 1 }
docsSubMgtConformance OBJECT IDENTIFIER ::= { docsSubMgt 2 } docsSubMgtCompliances OBJECT IDENTIFIER ::= { docsSubMgtConformance 1 } docsSubMgtGroups OBJECT IDENTIFIER ::= { docsSubMgtConformance 2 }
docsSubMgtBasicCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for CMTS devices that implement CMTS centric subscriber management. This compliance statement applies to implementations that support DOCSIS 1.0/1.1/2.0, which are not IPv6 capable."
MODULE DIFFSERV-MIB -- RFC3289 MANDATORY-GROUPS { diffServMIBDataPathGroup, diffServMIBClfrGroup, diffServMIBClfrElementGroup, diffServMIBMultiFieldClfrGroup, diffServMIBActionGroup, diffServMIBAlgDropGroup, diffServMIBCounterGroup }
OBJECT diffServDataPathStatus -- same as RFC3289 SYNTAX RowStatus { active(1) } WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) } DESCRIPTION "Support for createAndWait and notInService is not required."
OBJECT diffServClfrStatus -- same as RFC3289 SYNTAX RowStatus { active(1) } WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) } DESCRIPTION "Support for createAndWait and notInService is not required."
OBJECT diffServClfrElementStatus -- same as RFC3289 SYNTAX RowStatus { active(1) } WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) } DESCRIPTION "Support for createAndWait and notInService is not required."
OBJECT diffServMultiFieldClfrAddrType SYNTAX InetAddressType { ipv4(1) } DESCRIPTION "An implementation is only required to support IPv4 addresses."
OBJECT diffServMultiFieldClfrSrcAddr SYNTAX InetAddress (SIZE(4)) DESCRIPTION "An implementation is only required to support IPv4 addresses."
OBJECT diffServMultiFieldClfrDstAddr SYNTAX InetAddress (SIZE(4)) DESCRIPTION "An implementation is only required to support IPv4 addresses."
OBJECT diffServAlgDropStatus -- same as RFC3289 SYNTAX RowStatus { active(1) } WRITE-SYNTAX RowStatus { createAndGo(4), destroy(6) } DESCRIPTION "Support for createAndWait and notInService is not required."
OBJECT diffServDataPathStorage SYNTAX StorageType { nonVolatile(3) } DESCRIPTION "An implementation is only required to support nonvolatile storage."
OBJECT diffServClfrStorage SYNTAX StorageType { nonVolatile(3) } DESCRIPTION "An implementation is only required to support nonvolatile storage."
OBJECT diffServClfrElementStorage SYNTAX StorageType { nonVolatile(3) } DESCRIPTION "An implementation is only required to support nonvolatile storage."
OBJECT diffServMultiFieldClfrStorage SYNTAX StorageType { nonVolatile(3) } DESCRIPTION "An implementation is only required to support nonvolatile storage."
OBJECT diffServActionStorage SYNTAX StorageType { nonVolatile(3) } DESCRIPTION "An implementation is only required to support nonvolatile storage."
OBJECT diffServCountActStorage SYNTAX StorageType { nonVolatile(3) } DESCRIPTION "An implementation is only required to support nonvolatile storage."
OBJECT diffServAlgDropStorage SYNTAX StorageType { nonVolatile(3) } DESCRIPTION "An implementation is only required to support nonvolatile storage."
OBJECT diffServAlgDropType SYNTAX INTEGER { alwaysDrop(5) } DESCRIPTION "For DOCSIS subscriber management, this object is only used to provide packet filtering. Implementations need not support other values of this enumeration."
MODULE -- This module i.e., DOCS-IETF-SUBMGT-MIB
MANDATORY-GROUPS { docsSubMgtGroup }
OBJECT docsSubMgtCpeControlMaxCpeIp SYNTAX Integer32(0..16) DESCRIPTION "An implementation is only required to support up to sixteen addresses per modem."
OBJECT docsSubMgtCpeMaxIpDefault SYNTAX Integer32(0..16) DESCRIPTION "An implementation is only required to support up to sixteen addresses per modem."
OBJECT docsSubMgtCpeIpAddressType SYNTAX InetAddressType { ipv4(1) } DESCRIPTION "An implementation is only required to support IPv4 addresses."
OBJECT docsSubMgtCpeIpAddr SYNTAX InetAddress (SIZE(4)) DESCRIPTION "An implementation is only required to support IPv4 addresses."
OBJECT docsSubMgtCmFilterSubDownstream SYNTAX Integer32(0..30) DESCRIPTION "An implementation is only required to support thirty filter groups."
OBJECT docsSubMgtCmFilterSubUpstream SYNTAX Integer32(0..30) DESCRIPTION "An implementation is only required to support thirty filter groups."
OBJECT docsSubMgtCmFilterCmDownstream SYNTAX Integer32(0..30) DESCRIPTION "An implementation is only required to support thirty filter groups."
OBJECT docsSubMgtCmFilterCmUpstream SYNTAX Integer32(0..30) DESCRIPTION "An implementation is only required to support thirty filter groups."
::= { docsSubMgtCompliances 1 }
docsSubMgtGroup OBJECT-GROUP OBJECTS { docsSubMgtCpeControlMaxCpeIp, docsSubMgtCpeControlActive, docsSubMgtCpeControlLearnable, docsSubMgtCpeControlReset, docsSubMgtCpeControlLastReset, docsSubMgtCpeMaxIpDefault, docsSubMgtCpeActiveDefault, docsSubMgtCpeLearnableDefault, docsSubMgtCpeIpAddressType, docsSubMgtCpeIpAddr, docsSubMgtCpeIpLearned, docsSubMgtCmFilterSubDownstream, docsSubMgtCmFilterSubUpstream, docsSubMgtCmFilterCmDownstream, docsSubMgtCmFilterCmUpstream, docsSubMgtFilterGroupIndex } STATUS current DESCRIPTION "The objects used to manage host-based cable modems via a set of CMTS enforced controls." ::= { docsSubMgtGroups 1 }
END
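The CPE address control defined by docsSubMgtCpeControlEntry and docsSubMgtCpeIpTable can be modelled as a small per-modem state machine. The following is an added example, not part of the RFC or of any CMTS implementation; the class and method names are hypothetical. It assumes that a false docsSubMgtCpeControlLearnable means packets from unknown sources are dropped, and it does not model entries added administratively at the CMTS.

```python
"""Model of the per-modem CPE address control described by
docsSubMgtCpeControlEntry and docsSubMgtCpeIpTable (illustrative only)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Defaults taken from the DEFVAL clauses in the MIB module.
MAX_IP_DEFAULT = 16        # docsSubMgtCpeMaxIpDefault
ACTIVE_DEFAULT = False     # docsSubMgtCpeActiveDefault
LEARNABLE_DEFAULT = True   # docsSubMgtCpeLearnableDefault


@dataclass
class CpeIpRow:
    addr: IPv4Address      # docsSubMgtCpeIpAddr (IPv4 only, per the compliance statement)
    learned: bool          # docsSubMgtCpeIpLearned


@dataclass
class CpeControl:
    """Hypothetical stand-in for one modem's control row plus its CPE IP rows."""
    max_cpe_ip: int = MAX_IP_DEFAULT
    active: bool = ACTIVE_DEFAULT
    learnable: bool = LEARNABLE_DEFAULT
    last_reset: int = 0    # docsSubMgtCpeControlLastReset (0 = never reset)
    rows: list = field(default_factory=list)

    @classmethod
    def register(cls, provisioned=(), max_cpe_ip=None, active=None, learnable=None):
        """Build the row at modem registration from signaled values or defaults."""
        ctl = cls(
            max_cpe_ip=MAX_IP_DEFAULT if max_cpe_ip is None else max_cpe_ip,
            active=ACTIVE_DEFAULT if active is None else active,
            learnable=LEARNABLE_DEFAULT if learnable is None else learnable,
        )
        ctl.rows = [CpeIpRow(IPv4Address(a), learned=False) for a in provisioned]
        # More provisioned addresses than the limit: the limit becomes the row count.
        if len(ctl.rows) > ctl.max_cpe_ip:
            ctl.max_cpe_ip = len(ctl.rows)
        return ctl

    def upstream(self, src):
        """Return 'forward' or 'drop' for an upstream packet with source IP src."""
        if not self.active:
            return "forward"             # no subscriber management filtering
        src = IPv4Address(src)
        if any(r.addr == src for r in self.rows):
            return "forward"
        # Unknown source: learn it only if allowed and there is room in the table.
        # Assumption: with learning disabled, the unknown source is dropped.
        if self.learnable and len(self.rows) < self.max_cpe_ip:
            self.rows.append(CpeIpRow(src, learned=True))
            return "forward"
        return "drop"

    def reset(self, sys_uptime):
        """Setting docsSubMgtCpeControlReset to true: delete learned rows only."""
        self.rows = [r for r in self.rows if not r.learned]
        self.last_reset = sys_uptime
        return False                     # the object always reads back as false


if __name__ == "__main__":
    # Constructed sample: one provisioned address, room for one learned address.
    cm = CpeControl.register(provisioned=["192.0.2.10"], max_cpe_ip=2, active=True)
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, cm.upstream(ip))
    cm.reset(sys_uptime=12345)
    print("after reset:", [(str(r.addr), r.learned) for r in cm.rows])
```

Because the table fills on a first-seen basis, a modem at its limit keeps dropping new sources until learned rows are cleared through docsSubMgtCpeControlReset or the modem re-registers.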
This document is based on work by Michael St. Johns, then at Excite@Home. Thanks to Guenter Roeck and Julie McGray for reviewing earlier versions. Thanks to Bert Wijnen, Mike Heard, and Harrie Hazewinkel for extensive later review. Thanks to the working group chairs, Richard Woundy and Jean-Francois Mule, for their extensive support.
The MIB module defined in this document uses the following IANA-assigned OBJECT IDENTIFIER value recorded in the SMI Numbers registry:
Descriptor        OBJECT IDENTIFIER value
----------        -----------------------
docsSubMgt        { mib-2 125 }
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.
[ITU-T-J122] Second-Generation Transmission Systems for Interactive Cable Television Services, J.122, ITU-T, December, 2002.
[RFC2670] St. Johns, M., "Radio Frequency (RF) Interface Management Information Base for MCNS/DOCSIS compliant RF interfaces", RFC 2670, August 1999.
[RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information Base for the Differentiated Services Architecture", RFC 3289, May 2002.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005.
[RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security Considerations for IP Fragment Filtering", RFC 1858, October 1995.
[RFC2669] St. Johns, M., "DOCSIS Cable Device MIB Cable Device Management Information Base for DOCSIS compliant Cable Modems and Cable Modem Termination Systems", RFC 2669, August 1999.
[RFC3128] Miller, I., "Protection Against a Variant of the Tiny Fragment Attack (RFC 1858)", RFC 3128, June 2001.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.
[DOCSBPI] "Data-Over-Cable Service Interface Specifications: Baseline Privacy Plus Interface Specification SP-BPI+-I11-040407", DOCSIS, April 2004, available at http://www.cablemodem.com/ and at http://www.cablelabs.com/specifications/archives.
This MIB is intended to limit certain kinds of network behavior by subscriber hosts attached to cable modems, including, for example, IP spoofing. These limitations may be compromised, however, if the cable modem's identity or registration process is spoofed. The DOCSIS RFI and privacy specifications [ITU-T-J122] and [DOCSBPI] define a number of mechanisms for assuring modem identity.
For network filtering of TCP traffic to be effective, implementors MUST follow the recommendations in section 3.4.
There are a number of management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create. These objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations.
Unauthorized SETs to this MIB can permit two major security problems with public cable network operation: IP address spoofing, and defeat of operator-defined packet filtering.
The following objects, if SET maliciously, would evade controls on address spoofing:
   docsSubMgtCpeControlMaxCpeIp
   docsSubMgtCpeControlActive
   docsSubMgtCpeControlLearnable
   docsSubMgtCpeControlReset
   docsSubMgtCpeMaxIpDefault
   docsSubMgtCpeActiveDefault
   docsSubMgtCpeLearnableDefault
The following objects could also permit packet filtering to be defeated:
   docsSubMgtCmFilterSubDownstream
   docsSubMgtCmFilterSubUpstream
   docsSubMgtCmFilterCmDownstream
   docsSubMgtCmFilterCmUpstream
Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET access to these objects and possibly even to encrypt the values of these objects when they are sent over the network via SNMP. The most sensitive is docsSubMgtCpeIpAddr within docsSubMgtCpeIpTable. Although docsSubMgtCpeIpTable is intended to control address spoofing, it includes information about the current subscriber address pool. This information may in itself be valuable to would-be spoofers.
SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPSec), there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) who have legitimate rights to GET or SET (change/create/delete) them.
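An added example, not part of RFC 4036: one way an operator could check the recommendations above on an agent that uses net-snmp style access directives (an assumption; a CMTS may use a vendor-specific configuration instead). It flags any directive that grants pre-SNMPv3 access, or SNMPv3 access without privacy, to the docsSubMgt subtree { mib-2 125 }; the sample configuration is constructed.

```python
# Added example: audit net-snmp style access directives for exposure of the
# docsSubMgt subtree. The sample config below is constructed for illustration.
DOCS_SUB_MGT = (1, 3, 6, 1, 2, 1, 125)   # docsSubMgt = { mib-2 125 }

def parse_oid(text):
    """Turn '.1.3.6.1.2.1.125' or '1.3.6.1.2.1.125' into a tuple of ints."""
    return tuple(int(p) for p in text.strip(".").split("."))

def overlaps(view, target=DOCS_SUB_MGT):
    """True if the view subtree contains the target or any part of it."""
    n = min(len(view), len(target))
    return view[:n] == target[:n]

def audit(config_text):
    """Return (line_no, severity, message) for directives exposing docsSubMgt."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok or "-V" in tok or "-s" in tok:
            continue  # blank/comment, or named-view / secmodel forms not handled here
        kind, args = tok[0], tok[1:]
        write = kind.startswith("rw")
        if kind in ("rocommunity", "rwcommunity"):
            # rocommunity COMMUNITY [SOURCE [OID]]; no OID means the whole tree
            view = parse_oid(args[2]) if len(args) > 2 else ()
            if overlaps(view):
                findings.append((no, "high", "pre-SNMPv3 community can %s docsSubMgt"
                                 % ("SET" if write else "GET")))
        elif kind in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv [OID]]; the level defaults to auth
            level = args[1] if len(args) > 1 else "auth"
            view = parse_oid(args[2]) if len(args) > 2 else ()
            if overlaps(view) and level != "priv":
                sev = "high" if write or level == "noauth" else "medium"
                findings.append((no, sev, "SNMPv3 user %s has %s access without privacy"
                                 % (args[0], "SET" if write else "GET")))
    return findings

SAMPLE = """\
rocommunity public default .1.3.6.1.2.1.1      # system group only
rwcommunity s3cret 10.0.0.0/8                  # whole tree, v1/v2c
rouser  monitor auth .1.3.6.1.2.1.125.1
rwuser  provisioner priv .1.3.6.1.2.1.125
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Directives that use a named view (`-V`) or an explicit security model (`-s`) are skipped by this sketch and need a manual check.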
Author's Address
Wilson Sawyer
50 Kelly Brook Lane
East Hampstead NH 03826

Phone: +1 603 382 7080
EMail: wsawyer@ieee.org
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.