Network Working Group S. Azoum
Internet-Draft E. Jones
Intended status: Standards Track L. Sun
Expires: January 1, 2017 SPAWAR Systems Center Pacific
M. Irani
J. Sun
Nathan Kunes, Inc.
R. Purvis
The MITRE Corporation
S. Turner
sn3rd
June 30, 2016
Common Cryptographic MIB (CCMIB)
draft-turner-ccmib-00
Abstract
This document defines a portion of the Management Information Base
(MIB) for use with network management protocols in the Internet
community. In particular, it describes managed objects used to
manage key management implementations including asymmetric keys,
symmetric keys, trust anchors, and cryptographic-related firmware.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 1, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
Azoum, et al. Expires January 1, 2017 [Page 1]
�
Internet-Draft CCMIB June 2016
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. The Internet-Standard Management Framework . . . . . . . . . 3
4. Structure of the MIB module . . . . . . . . . . . . . . . . . 3
5. Definition of the CC MIB module . . . . . . . . . . . . . . . 3
5.1. CC Assignments [assign] . . . . . . . . . . . . . . . . 3
5.2. CC Feature Hierarchy . . . . . . . . . . . . . . . . . . 5
5.3. CC Textual Conventions . . . . . . . . . . . . . . . . . 6
5.4. CC Device Info . . . . . . . . . . . . . . . . . . . . . 11
5.5. Key Management Info . . . . . . . . . . . . . . . . . . . 30
5.6. Key Transfer Pull . . . . . . . . . . . . . . . . . . . . 84
5.7. Key Transfer Push . . . . . . . . . . . . . . . . . . . . 100
5.8. Security Policy Information . . . . . . . . . . . . . . . 113
5.9. Secure Connection Information . . . . . . . . . . . . . . 120
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 128
7. Security Considerations . . . . . . . . . . . . . . . . . . . 128
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 128
8.1. Normative References . . . . . . . . . . . . . . . . . . 128
8.2. Informative References . . . . . . . . . . . . . . . . . 130
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 130
1. Introduction
This document defines a portion of the Management Information Base
(MIB) for use with network management protocols in the Internet
community. In particular, it describes managed objects used to
manage key management implementations including asymmetric keys,
symmetric keys, trust anchors, and cryptographic-related firmware.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
Azoum, et al. Expires January 1, 2017 [Page 2]
�
Internet-Draft CCMIB June 2016
3. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
[RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in
[RFC2578], [RFC2579], and [RFC2580].
As with all MIB modules, an attempt to SET or CREATE an object to
value that is not supported by the implementation will result in a
failure using a return code that indicates that the value is not
supported.
4. Structure of the MIB module
5. Definition of the CC MIB module
5.1. CC Assignments [assign]
This MIB module makes reference to the following document: [RFC2578].
CC-ASSIGNMENTS-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, enterprises
FROM SNMPv2-SMI; -- RFC 2578
ccAssignmentsMIB MODULE-IDENTITY
LAST-UPDATED "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
ORGANIZATION "IETF"
CONTACT-INFO
"Shadi Azoum
US Navy
email: shadi.azoum@navy.mil
Elliott Jones
US Navy
elliott.jones@navy.mil
Lily Sun
US Navy
lily.sun@navy.mil
Azoum, et al. Expires January 1, 2017 [Page 3]
�
Internet-Draft CCMIB June 2016
Mike Irani
NKI Engineering
irani@nkiengineering.com
Jeffrey Sun
NKI Engineering
sunjeff@nkiengineering.com
Ray Purvis
MITRE
Email:rpurvis@mitre.org
Sean Turner
sn3rd
Email:sean@sn3rd.com"
DESCRIPTION
"This MIB defines the CC MIB tree hierarchical assignments
below it and acts as a reservation mechanism.
Copyright (c) 2016 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documennts
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC xxxx;
see the RFC itself for full legal notices."
-- RFC Ed.: RFC-editor please fill in xxxx.
REVISION "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
DESCRIPTION "Initial Version. Published as RFC xxxx."
-- RFC Ed.: RFC-editor please fill in xxxx.
::= { mib-2 TBD }
--
-- Note: Current top-level OID assignments within the CC MIB tree:
-- mib-2.TBD : CC-ASSIGNMENTS-MIB (this MIB)
-- mib-2.TBD.1 : CC-FEATURE-HIERARCHY-MIB
END
Azoum, et al. Expires January 1, 2017 [Page 4]
�
Internet-Draft CCMIB June 2016
5.2. CC Feature Hierarchy
This MIB module makes reference to the following document: [RFC2578].
CC-FEATURE-HIERARCHY-MIB DEFINITIONS ::= BEGIN
IMPORTS
ccAssignmentsMIB
FROM CC-ASSIGNMENTS-MIB -- FROM [assign]
MODULE-IDENTITY
FROM SNMPv2-SMI; -- FROM RFC 2578
ccFeatureHierarchyMIB MODULE-IDENTITY
LAST-UPDATED "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
ORGANIZATION "IETF"
CONTACT-INFO
"Shadi Azoum
US Navy
email: shadi.azoum@navy.mil
Elliott Jones
US Navy
elliott.jones@navy.mil
Lily Sun
US Navy
lily.sun@navy.mil
Mike Irani
NKI Engineering
irani@nkiengineering.com
Jeffrey Sun
NKI Engineering
sunjeff@nkiengineering.com
Ray Purvis
MITRE
Email:rpurvis@mitre.org
Sean Turner
sn3rd
Email:sean@sn3rd.com"
DESCRIPTION
"This MIB defines the CC MIB tree hierarchical assignments
below it and acts as a reservation mechanism.
Copyright (c) 2016 IETF Trust and the persons
Azoum, et al. Expires January 1, 2017 [Page 5]
�
Internet-Draft CCMIB June 2016
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC xxxx;
see the RFC itself for full legal notices."
-- RFC Ed.: RFC-editor please fill in xxxx.
REVISION "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
DESCRIPTION "Initial Version. Published as RFC xxxx."
-- RFC Ed.: RFC-editor please fill in xxxx.
::= { ccAssignmentsMIB 1 }
ccTextualConventions OBJECT IDENTIFIER
::= { ccFeatureHierarchyMIB 1 }
ccDeviceInfo OBJECT IDENTIFIER
::= { ccFeatureHierarchyMIB 2 }
ccKeyManagement OBJECT IDENTIFIER
::= { ccFeatureHierarchyMIB 3 }
ccKeyTransferPull OBJECT IDENTIFIER
::= { ccFeatureHierarchyMIB 4 }
ccKeyTransferPush OBJECT IDENTIFIER
::= { ccFeatureHierarchyMIB 5 }
ccSecurePolicyInfo OBJECT IDENTIFIER
::= { ccFeatureHierarchyMIB 6 }
ccSecureConnectionInfo OBJECT IDENTIFIER
::= { ccFeatureHierarchyMIB 7 }
END
5.3. CC Textual Conventions
This MIB module makes reference to following documents: Section 5.2,
[RFC2578], [RFC2579], [RFC5225], and [RFC5246].
CC-TEXTUAL-CONVENTIONS-MIB DEFINITIONS ::= BEGIN
IMPORTS
ccTextualConventions
FROM CC-FEATURE-HIERARCHY-MIB -- FROM {{cc-fh}}
MODULE-IDENTITY, Integer32, Unsigned32
FROM SNMPv2-SMI -- FROM RFC 2578
TEXTUAL-CONVENTION
FROM SNMPv2-TC; -- FROM RFC 2579
Azoum, et al. Expires January 1, 2017 [Page 6]
�
Internet-Draft CCMIB June 2016
ccTextualConventionMIB MODULE-IDENTITY
LAST-UPDATED "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
ORGANIZATION "IETF"
CONTACT-INFO
"Shadi Azoum
US Navy
email: shadi.azoum@navy.mil
Elliott Jones
US Navy
elliott.jones@navy.mil
Lily Sun
US Navy
lily.sun@navy.mil
Mike Irani
NKI Engineering
irani@nkiengineering.com
Jeffrey Sun
NKI Engineering
sunjeff@nkiengineering.com
Ray Purvis
MITRE
Email:rpurvis@mitre.org
Sean Turner
sn3rd
Email:sean@sn3rd.com"
DESCRIPTION
"This MIB defines the CC MIB tree hierarchical assignments
below it and acts as a reservation mechanism.
Copyright (c) 2016 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC xxxx;
see the RFC itself for full legal notices."
-- RFC Ed.: RFC-editor please fill in xxxx.
Azoum, et al. Expires January 1, 2017 [Page 7]
�
Internet-Draft CCMIB June 2016
REVISION "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
DESCRIPTION "Initial Version. Published as RFC xxxx."
-- RFC Ed.: RFC-editor please fill in xxxx.
::= { ccTextualConventions 1 }
-- *****************************************************************
-- IP Address Textual Conventions
-- *****************************************************************
IPAddressType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A value that represents a type of Internet address.
ipv4(1) An IPv4 address as defined by the
IPv4Address textual convention.
ipv6(2) An IPv6 address as defined by the
IPv6Address textual convention.
Implementations must ensure that IPAddressType objects
and any dependent objects (e.g. IPv4Address and IPv6Address
objects) are consistent. An inconsistentValue error must
be generated if an attempt to change an IPv4Address or
IPv6Address object would, for example, lead to an undefined
value. IPAddressType/IPv4Address and
IPAddressType/IPv6Address pairs must be changed together if
IPAddressType changes."
SYNTAX INTEGER { ipv4(1), ipv6(2) }
IPAddress ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Denotes a generic Internet address that is either IPv4 or
IPv6.
Every usage of the IPAddress textual convention is required
to specify the IPAddressType object which provides the
context. It is suggested that the IPAddressType object is
logically registered before the object(s) which use the
IPAddress textual convention if they appear in the same
logical row.
The value of an IPAddress object must always be consistent
with the value of the associated IPAddressType object.
Attempts to set an IPAddress object to a value which is
inconsistent with the associated IPAddressType must
fail with an inconsistentValue error.
Azoum, et al. Expires January 1, 2017 [Page 8]
�
Internet-Draft CCMIB June 2016
See the IPv4Address and IPv6Address textual conventions for
more details."
SYNTAX OCTET STRING (SIZE(4|16))
IPv4Address ::= TEXTUAL-CONVENTION
DISPLAY-HINT "1d.1d.1d.1d"
STATUS current
DESCRIPTION
"Represents an IPv4 network address:
octets contents encoding
1-4 IPv4 address network-byte order
The corresponding IPAddressType value is ipv4(1)."
SYNTAX OCTET STRING (SIZE(4))
IPv6Address ::= TEXTUAL-CONVENTION
DISPLAY-HINT "2x:2x:2x:2x:2x:2x:2x:2x"
STATUS current
DESCRIPTION
"Represents an IPv6 network address:
octets contents encoding
1-16 IPv6 address network-byte order
The corresponding InetAddressType value is ipv6(2)."
SYNTAX OCTET STRING (SIZE(16))
PortNumber ::= TEXTUAL-CONVENTION
DISPLAY-HINT "d"
STATUS current
DESCRIPTION
"Represents a 16 bit port number of an Internet transport
layer protocol. Port numbers are assigned by IANA. A current
list of all assignments is available from
.
The value zero represents the ANY (wildcard) value. In
regards to a filter or rule, this means that any port number
satisfies the filter or rule."
SYNTAX Unsigned32 (0..65535)
ROHCCompressionProfiles ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A 16-bit field that conveys the compression profiles the
local or peer decompressor supports. Only ROHCv2 compression
profiles are used and they are defined using the following
Azoum, et al. Expires January 1, 2017 [Page 9]
�
Internet-Draft CCMIB June 2016
bit setting scheme shown below. Note that the bit setting
scheme does not correspond to the compression profile values
defined in RFC 5225. It is purely used in the MIB to convey
the compression profiles the local or peer decompressor
supports.
(0) compressionProfile1: IP/UDP/RTP
(1) compressionProfile2: IP/UDP
(2) compressionProfile3: IP/ESP
(3) compressionProfile4: IP
(4) compressionProfile5: IP/UDP-Lite/RTP
(5) compressionProfile6: IP/UDP-Lite
(6-15) RESERVED"
SYNTAX BITS { compressionProfile1(0), compressionProfile2(1),
compressionProfile3(2), compressionProfile4(3),
compressionProfile5(4), compressionProfile6(5) }
ROHCModes ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An indication of whether RObust Header Compression (ROHC)
will be used in a Generic INE Secure Connection and how it
is being used. This textual convention is only applicable to
dynamic Secure Connections, where negotiation is required
for establishment.
[noROHC] = ROHC will not be used
[useROHCWithoutFeedback] = ROHC will be used and feedback
will not be sent on the Secure Connection
[useROHCWithFeedback] = ROHC will be used and feedback will
be sent on the Secure Connection
[rohcAcceptableWithoutFeedback] = ROHC will not be signaled
for use by this device as an initiator of the Secure
Connection; feedback will also not be sent on the Secure
Connection.
[rohcAcceptableWithFeedback] = ROHC will not be signaled for
use by this device as an initiator of the Secure
Connection; feedback will be sent on the Secure
Connection."
SYNTAX INTEGER { noROHC(1), useROHCWithoutFeedback(2),
useROHCWithFeedback(3),
rohcAcceptableWithoutFeedback(4),
rohcAcceptableWithFeedback(5) }
KeyFingerprint ::= TEXTUAL-CONVENTION
DISPLAY-HINT "1x:1x"
Azoum, et al. Expires January 1, 2017 [Page 10]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"A fingerprint value that can be used to uniquely reference
key materials of potentially arbitrary length.
A KeyFingerprint value is composed of a 1-octet hashing
algorithm identifier followed by the fingerprint value. The
octet value encoded is taken from the IANA TLS HashAlgorithm
Registry RFC 5246. The remaining 19 octets are filled using
the results of the hashing algorithm on the raw key material
and inherent tagging information, truncated to 19 octets.
With public key certificates, for example, a hash of the
entire structure truncated to 19 octets is used.
If no tagging information is available, the text 'NO_TAG'
(without quotes) will be used as input."
REFERENCE "RFC 5246: The Transport Layer
Security (TLS) Protocol Version 1.2
http://www.iana.org/assignments/tls-parameters/"
SYNTAX OCTET STRING (SIZE(20))
END
5.4. CC Device Info
This MIB module makes reference to the following documents:
[RFC1213], [RFC1907], [RFC2571], [RFC2578], [RFC2579], and [RFC2580].
CC-DEVICE-INFO-MIB DEFINITIONS ::= BEGIN
IMPORTS
ccDeviceInfo
FROM CC-FEATURE-HIERARCHY-MIB -- FROM {{cc-fh}}
MODULE-COMPLIANCE, OBJECT-GROUP,
NOTIFICATION-GROUP
FROM SNMPv2-CONF -- FROM RFC 2580
OBJECT-TYPE, Unsigned32, Integer32,
NOTIFICATION-TYPE, Counter64, MODULE-IDENTITY,
TimeTicks
FROM SNMPv2-SMI -- FROM RFC 2578
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- FROM RFC 2571
RowPointer, RowStatus, DateAndTime, TruthValue,
TEXTUAL-CONVENTION, TimeStamp
FROM SNMPv2-TC; -- FROM RFC 2579
ccDeviceInfoMIB MODULE-IDENTITY
"Shadi Azoum
Azoum, et al. Expires January 1, 2017 [Page 11]
�
Internet-Draft CCMIB June 2016
US Navy
email: shadi.azoum@navy.mil
Elliott Jones
US Navy
elliott.jones@navy.mil
Lily Sun
US Navy
lily.sun@navy.mil
Mike Irani
NKI Engineering
irani@nkiengineering.com
Jeffrey Sun
NKI Engineering
sunjeff@nkiengineering.com
Ray Purvis
MITRE
Email:rpurvis@mitre.org
Sean Turner
sn3rd
Email:sean@sn3rd.com"
DESCRIPTION
"This MIB defines the CC MIB tree hierarchical assignments
below it and acts as a reservation mechanism.
Copyright (c) 2016 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC xxxx;
see the RFC itself for full legal notices."
-- RFC Ed.: RFC-editor please fill in xxxx.
REVISION "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
DESCRIPTION "Initial Version. Published as RFC xxxx."
-- RFC Ed.: RFC-editor please fill in xxxx.
::= { ccDeviceInfo 1 }
Azoum, et al. Expires January 1, 2017 [Page 12]
�
Internet-Draft CCMIB June 2016
-- *****************************************************************
-- Device Info Information Segments
-- *****************************************************************
cDeviceInfoConformance OBJECT IDENTIFIER
::= { ccDeviceInfoMIB 1}
cDeviceComponentVersInfo OBJECT IDENTIFIER
::= { ccDeviceInfoMIB 2}
cBatteryInfo OBJECT IDENTIFIER
::= { ccDeviceInfoMIB 3}
cFirmwareInfo OBJECT IDENTIFIER
::= { ccDeviceInfoMIB 4}
cDeviceInfoScalars OBJECT IDENTIFIER
::= { ccDeviceInfoMIB 5}
cDeviceInfoNotify OBJECT IDENTIFIER
::= { ccDeviceInfoMIB 6}
-- *****************************************************************
-- General Device Info Scalars
-- *****************************************************************
cSystemDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The host's notion of the local date and time of day. Note,
some implementations will not allow changing of this object
and will send an inconsistentValue error."
::= { cDeviceInfoScalars 1 }
cSystemUpTime OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The amount of time since this host was last initialized.
Note that this is different from sysUpTime in the SNMPv2-MIB
RFC 1907 because sysUpTime is the uptime of the network
management portion of the system."
::= { cDeviceInfoScalars 2 }
cSystemInitialLoadParameters OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..128))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object contains the parameters (e.g. a pathname and
Azoum, et al. Expires January 1, 2017 [Page 13]
�
Internet-Draft CCMIB June 2016
parameter) supplied to the load device when requesting the
initial operating system configuration from that device.
Note that writing to this object just changes the
configuration that will be used the next time the operating
system is loaded and does not actually cause the reload to
occur."
::= { cDeviceInfoScalars 3 }
cSecurityLevel OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..255))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The security level that this object is working at.
Different communities of interest may have different
conventions. The following values are defined and when used
by agents have specific meaning: UNCLASSIFIED, RESTRICTED,
CONFIDENTIAL, SECRET, TOP_SECRET."
::= { cDeviceInfoScalars 4 }
cElectronicSerialNumber OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Electronic Serial Number of the device. This may be the
chassis serial number or an internal serial number."
::= { cDeviceInfoScalars 5 }
cLastChanged OBJECT-TYPE
SYNTAX TimeTicks
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of cSystemUpTime the last time any configurable
object within the MIBs supported by the device has been
modified, created, or deleted by either SNMP, agent, or other
management method (e.g. via an HMI). Managers can use this
object to ensure that no changes to any configuration within the
device have happened since the last time it examined the device.
A value of 0 indicates that no objects have been changed since
the agent initialized."
::= { cDeviceInfoScalars 6 }
cResetDevice OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
Azoum, et al. Expires January 1, 2017 [Page 14]
�
Internet-Draft CCMIB June 2016
DESCRIPTION
"The indication of whether a device should be reset. Setting
this object to 'true' will perform a reset operation of the
device. This must not affect the state of any persistent
configuration data, zeroize any of the key material or erase
the audit log. When read this object should return false.
When set to false this object must not perform any operation
but should accept this as a valid SET operation."
::= { cDeviceInfoScalars 7 }
cSanitizeDevice OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The indication of whether persistent data should be erased.
Setting this object to 'true' will erase all persistent data
and return the box to an uninitialized state. It will
zeroize all keying data, erase all persistent storage and
auditing information. Setting this object will certainly
render the device unreachable from distant managers since it
will be unconfigured. When read this object should return
false. When set to false this object must not perform any
operation but should accept this as a valid SET operation."
::= { cDeviceInfoScalars 8 }
cRenderInoperable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The indication of whether persistent data should be erased.
Setting this object to 'true' will erase all persistent data
and return the box to an uninitialized state. It will
zeroize all keying data, erase all persistent storage and
auditing information. In addition, when supported, the
device is expected to perform some internal function that
will make the box unusable without returning to the factory
or some equivalent. Setting this object will certainly
render the device unreachable from distant managers since it
will be unconfigured. When read this object should return
false. When set to false this object must not perform any
operation but should accept this as a valid SET operation."
::= { cDeviceInfoScalars 9 }
cVendorName OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
Azoum, et al. Expires January 1, 2017 [Page 15]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"This object stores the device's vendor name and is intended
to be displayed and meaningful to the human operator (e.g.
Flinstones Inc). In other words, this object is not intended
to store the vendor's authoritative identification value
(i.e. sysObjectID RFC 1213)."
::= { cDeviceInfoScalars 10 }
cModelIdentifier OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object stores the device's model identifier. In
general, this would include the model name and model
number."
::= { cDeviceInfoScalars 11 }
cHardwareVersionNumber OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object stores the device's hardware version."
::= { cDeviceInfoScalars 12 }
-- *****************************************************************
-- Device Info Notifications
-- *****************************************************************
cFirmwareInstallFailed NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating a firmware install failed."
::= { cDeviceInfoNotify 1 }
cFirmwareInstallSuccess NOTIFICATION-TYPE
OBJECTS {
cFirmwareName,
cFirmwareVersion,
cFirmwareSource
}
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating a firmware install succeeded."
Azoum, et al. Expires January 1, 2017 [Page 16]
�
Internet-Draft CCMIB June 2016
::= { cDeviceInfoNotify 2 }
cResetDeviceInitialized NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating that the device is being reset due to a change in
the value of cResetDevice. This notification should be sent
before the device performs any other reset operations (such
as shutting down interfaces, etc.)"
::= { cDeviceInfoNotify 3 }
cSanitizeDeviceInitialized NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating that the device is being sanitized due to a
change in the value of cSanitizeDevice. This notification
should be sent before the device performs any other sanitize
operations (such as shutting down interfaces, etc.)"
::= { cDeviceInfoNotify 4 }
cTamperEventIndicated NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating that the device has detected a tamper event. This
notification should be sent before the device performs any
operations (such as shutting down interfaces, etc.)"
::= { cDeviceInfoNotify 5 }
cBatteryLow NOTIFICATION-TYPE
OBJECTS {
cBatteryType,
cBatteryOpStatus,
cBatteryLowThreshold
}
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating a battery has reached the threshold at which a
battery warning is indicated."
::= { cDeviceInfoNotify 6 }
cBatteryRequiresReplacement NOTIFICATION-TYPE
OBJECTS {
cBatteryType,
cBatteryOpStatus
Azoum, et al. Expires January 1, 2017 [Page 17]
�
Internet-Draft CCMIB June 2016
}
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating a battery should be charged or changed
immediately."
::= { cDeviceInfoNotify 7 }
cDeviceOnBattery NOTIFICATION-TYPE
OBJECTS {
cBatteryType,
cBatteryOpStatus
}
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating the device is on battery power. This notification
is sent when the device is no longer connected to an
external power source and is operating using a battery for
main power."
::= { cDeviceInfoNotify 8 }
cDeviceComponentDisabled NOTIFICATION-TYPE
OBJECTS {
cDeviceComponentName,
cDeviceComponentVersion,
cDeviceComponentOpStatus
}
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating a component described in the
cDeviceComponentVersTable has been disabled."
::= { cDeviceInfoNotify 9 }
cDeviceComponentEnabled NOTIFICATION-TYPE
OBJECTS {
cDeviceComponentName,
cDeviceComponentVersion
}
STATUS current
DESCRIPTION
"A notification from the device to the management station
indicating a component described in the
cDeviceComponentVersTable has been enabled."
::= { cDeviceInfoNotify 10 }
-- *****************************************************************
Azoum, et al. Expires January 1, 2017 [Page 18]
�
Internet-Draft CCMIB June 2016
-- CC MIB cDeviceComponentVersTable
-- *****************************************************************
cDeviceComponentVersTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cDeviceComponentVersTable."
::= { cDeviceComponentVersInfo 1 }
cDeviceComponentVersTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cDeviceComponentVersInfo 2 }
cDeviceComponentVersTable OBJECT-TYPE
SYNTAX SEQUENCE OF CDeviceComponentVersEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing a description of the specification
versions of components or specifications supported by the
ECU. Note that it is possible for multiple versions of a
given specification to be registered within the table."
::= { cDeviceComponentVersInfo 3 }
cDeviceComponentVersEntry OBJECT-TYPE
SYNTAX CDeviceComponentVersEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing a module descriptive name and its version
that is supported by this device."
INDEX { cDeviceComponentName, cDeviceComponentVersion }
::= { cDeviceComponentVersTable 1 }
cDeviceComponentVersEntry ::= SEQUENCE {
Azoum, et al. Expires January 1, 2017 [Page 19]
�
Internet-Draft CCMIB June 2016
cDeviceComponentName SnmpAdminString,
cDeviceComponentVersion SnmpAdminString,
cDeviceComponentOpStatus INTEGER,
cDeviceComponentDescription OCTET STRING
}
cDeviceComponentName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The module name or specification name. The string value to
be used in this field should be documented in the text of
the specification a given row is reporting information on.
Specification names beginning with a prefix of 'vendor-' are
reserved for private use by the vendor of the device.
The string 'device' (exact) is reserved for vendors to
register a software revision version of the device.
The string 'hardware' (exact) is reserved for vendors to
register a model number of the hardware of the device."
::= { cDeviceComponentVersEntry 1 }
cDeviceComponentVersion OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The version of the specification or module name listed in
the cDeviceComponentName object field in this row. The
string value to be used in this field should be documented
in the text of a specification, of the device, or elsewhere.
If the cDeviceComponentName begins with a 'vendor-' prefix,
the format of this field is vendor specific."
::= { cDeviceComponentVersEntry 2 }
cDeviceComponentOpStatus OBJECT-TYPE
SYNTAX INTEGER { up(1), notReady(2),
administrativelyDown(3) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The current operational state of the interface feature.
This row may be used to enable/disable components or modules
in the device, and some implementations may allow for
Azoum, et al. Expires January 1, 2017 [Page 20]
�
Internet-Draft CCMIB June 2016
various versions of a component to be activated. Devices may
use this construct to roll back versions of a device
software, or to allow various software feature versions to
be installed.
Agents may reject the changing this object for certain rows.
An example of this is changing the operational status of a
row that describes the software the device and not a
particular feature. In this event, the agent should return
an inconsistentValue error."
::= { cDeviceComponentVersEntry 3 }
cDeviceComponentDescription OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A description of the component. Agents may reject the
changing this object certain rows. In this event, the agent
should return an inconsistentValue error."
::= { cDeviceComponentVersEntry 4 }
-- *****************************************************************
-- CC MIB cBatteryInfoTable
-- *****************************************************************
cBatteryInfoTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cBatteryInfoTable."
::= { cBatteryInfo 1 }
cBatteryInfoTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cBatteryInfo 2 }
Azoum, et al. Expires January 1, 2017 [Page 21]
�
Internet-Draft CCMIB June 2016
cBatteryInfoTable OBJECT-TYPE
SYNTAX SEQUENCE OF CBatteryInfoEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing information on each of the batteries
installed in the device."
::= { cBatteryInfo 3 }
cBatteryInfoEntry OBJECT-TYPE
SYNTAX CBatteryInfoEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row continuing information on a specific battery. If a
device cannot return status of a battery it should not
create a row in this table for that battery."
INDEX { cBatteryIndex }
::= { cBatteryInfoTable 1 }
CBatteryInfoEntry ::= SEQUENCE {
cBatteryIndex Unsigned32,
cBatteryType INTEGER,
cBatteryOpStatus INTEGER,
cBatteryLowThreshold Integer32
}
cBatteryIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A numerical index used to identify the battery. This value
uniquely identifies a battery on this device. The value
should be persistent for a given battery, but management
stations should not depend on it as it may not be possible
for some devices to retain identical indexes (especially
across reboots)."
::= { cBatteryInfoEntry 1 }
cBatteryType OBJECT-TYPE
SYNTAX INTEGER { other(1), main(2), clock(3), security(4) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of battery. Other(1) describes a battery which is
not otherwise defined here. Main(2) batteries are used for
operation of the device when not connected to a power
Azoum, et al. Expires January 1, 2017 [Page 22]
�
Internet-Draft CCMIB June 2016
source. Clock(3) is used to describe batteries which cannot
provide main power to the device but maintain clock or other
persistent data. Security(4) is used for batteries which
perform specific security functions or which may render the
device inoperable when the battery is depleted. If a battery
is used for both clock and security, Security should be
returned."
::= { cBatteryInfoEntry 2 }
cBatteryOpStatus OBJECT-TYPE
SYNTAX INTEGER { unknown(1), batteryNormal(2),
batteryLow(3), batteryDepleted(4),
batteryMissing(5) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indication of the status of the battery."
::= {cBatteryInfoEntry 3}
cBatteryLowThreshold OBJECT-TYPE
SYNTAX Integer32 (0..100)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The percentage of capacity at which the cBatteryLow
notification will be generated. A value of zero indicates
that the notification should never be sent for this battery.
This object should not be implemented if the device will
detect a low battery, but the actual percentage is not
measurable. This object only needs be writable for
implementations that support modification of the warning
level percentage."
::= { cBatteryInfoEntry 4 }
-- *****************************************************************
-- CC MIB cFirmwareInformationTable
-- *****************************************************************
cFirmwareInformationTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cFirmwareInformationTable."
::= { cFirmwareInfo 1 }
cFirmwareInformationTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
Azoum, et al. Expires January 1, 2017 [Page 23]
�
Internet-Draft CCMIB June 2016
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cFirmwareInfo 2 }
cFirmwareInformationTable OBJECT-TYPE
SYNTAX SEQUENCE OF CFirmwareInformationEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table that lists firmware versions available in the
device, along with their versions and type. This is used to
list currently loaded firmware versions of running firmware
and other available firmware versions in support of
returning to a previous version of the firmware."
::= { cFirmwareInfo 3 }
cFirmwareInformationEntry OBJECT-TYPE
SYNTAX CFirmwareInformationEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing a firmware package name, version, and
source."
INDEX { cFirmwareName }
::= { cFirmwareInformationTable 1 }
CFirmwareInformationEntry ::= SEQUENCE {
cFirmwareName OCTET STRING,
cFirmwareVersion SnmpAdminString,
cFirmwareSource SnmpAdminString,
cFirmwareRunning TruthValue,
cFirmwareRowStatus RowStatus
}
cFirmwareName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
Azoum, et al. Expires January 1, 2017 [Page 24]
�
Internet-Draft CCMIB June 2016
"Unique identifier provided in the firmware package."
::= { cFirmwareInformationEntry 1 }
cFirmwareVersion OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Version of firmware (provided in the package); for legacy
firmware packages, this column would be the empty string,
''."
::= { cFirmwareInformationEntry 2 }
cFirmwareSource OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This column is used by the implementation to describe how
the firmware was received. Agents may use any string which
adequately describes the interface such as 'USB' or
'DS-100.' Agents may also reference entries in the ifTable
when appropriate. If received using a Cryptographic Device
Material (CDM) server, the exact URI that was used to
retrieve the firmware package would be configured in this
column."
::= { cFirmwareInformationEntry 3 }
cFirmwareRunning OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates if the firmware is currently running. Only one
row in the table should have this object set to True at any
given time. If this object is set from False to True, the
agent must install the firmware, uninstall the previous
running firmware and change the cFirmwareRunning object for
the previous running firmware from True to False."
::= { cFirmwareInformationEntry 4 }
cFirmwareRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The status of the row, by which old entries may be deleted
from this table. At a minimum, implementations must support
Azoum, et al. Expires January 1, 2017 [Page 25]
�
Internet-Draft CCMIB June 2016
destroy management functions. Support for active and
notReady management functions is optional."
::= { cFirmwareInformationEntry 5 }
-- *****************************************************************
-- Module Conformance Information
-- *****************************************************************
cDeviceInfoCompliances OBJECT IDENTIFIER
::= { cDeviceInfoConformance 1}
cDeviceInfoGroups OBJECT IDENTIFIER
::= { cDeviceInfoConformance 2}
cDeviceInfoSystemCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for system information."
MODULE
MANDATORY-GROUPS { cDeviceInfoSystemGroup }
GROUP cDeviceInfoSystemNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
OBJECT cSystemInitialLoadParameters
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
OBJECT cSecurityLevel
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
cSanitizeDevice
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
OBJECT cRenderInoperable
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
::= { cDeviceInfoCompliances 1 }
cDeviceInfoComponentCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
Azoum, et al. Expires January 1, 2017 [Page 26]
�
Internet-Draft CCMIB June 2016
"Compliance levels for component information."
MODULE
MANDATORY-GROUPS { cDeviceInfoComponentGroup }
GROUP cDeviceInfoComponentNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
::= { cDeviceInfoCompliances 2 }
cDeviceInfoBatteryCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for battery information."
MODULE
MANDATORY-GROUPS { cDeviceInfoBatteryGroup }
GROUP cDeviceInfoBatteryNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
OBJECT cBatteryLowThreshold
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
::= { cDeviceInfoCompliances 3 }
cDeviceInfoFirmwareCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for firmware information."
MODULE
MANDATORY-GROUPS { cDeviceInfoFirmwareGroup }
GROUP cDeviceInfoFirmwareNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
::= { cDeviceInfoCompliances 4 }
cDeviceInfoSystemGroup OBJECT-GROUP
OBJECTS {
cSystemDate,
cSystemUpTime,
cSystemInitialLoadParameters,
cSecurityLevel,
cElectronicSerialNumber,
cLastChanged,
cResetDevice,
cSanitizeDevice,
cRenderInoperable,
Azoum, et al. Expires January 1, 2017 [Page 27]
�
Internet-Draft CCMIB June 2016
cVendorName,
cModelIdentifier,
cHardwareVersionNumber
}
STATUS current
DESCRIPTION
"This group is composed of objects related to system
information."
::= { cDeviceInfoGroups 1 }
cDeviceInfoComponentGroup OBJECT-GROUP
OBJECTS {
cDeviceComponentVersTableCount,
cDeviceComponentVersTableLastChanged,
cDeviceComponentName,
cDeviceComponentVersion,
cDeviceComponentOpStatus,
cDeviceComponentDescription
}
STATUS current
DESCRIPTION
"This group is composed of objects related to component
information."
::= { cDeviceInfoGroups 2 }
cDeviceInfoBatteryGroup OBJECT-GROUP
OBJECTS {
cBatteryInfoTableCount,
cBatteryInfoTableLastChanged,
cBatteryType,
cBatteryOpStatus,
cBatteryLowThreshold
}
STATUS current
DESCRIPTION
"This group is composed of objects related to battery
information."
::= { cDeviceInfoGroups 3 }
cDeviceInfoFirmwareGroup OBJECT-GROUP
OBJECTS {
cFirmwareInformationTableCount,
cFirmwareInformationTableLastChanged,
cFirmwareName,
cFirmwareVersion,
cFirmwareSource,
cFirmwareRunning,
cFirmwareRowStatus
Azoum, et al. Expires January 1, 2017 [Page 28]
�
Internet-Draft CCMIB June 2016
}
STATUS current
DESCRIPTION
"This group is composed of objects related to firmware
information."
::= { cDeviceInfoGroups 4 }
cDeviceInfoSystemNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cResetDeviceInitialized,
cSanitizeDeviceInitialized,
cTamperEventIndicated,
cSanitizeDeviceInitialized
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to system
information."
::= { cDeviceInfoGroups 5 }
cDeviceInfoComponentNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cDeviceComponentDisabled,
cDeviceComponentEnabled
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to
component information."
::= { cDeviceInfoGroups 6 }
cDeviceInfoBatteryNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cBatteryLow,
cBatteryRequiresReplacement,
cDeviceOnBattery
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to battery
information."
::= { cDeviceInfoGroups 7 }
cDeviceInfoFirmwareNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cFirmwareInstallFailed,
cFirmwareInstallSuccess
}
Azoum, et al. Expires January 1, 2017 [Page 29]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"This group is composed of notifications related to firmware
information."
::= { cDeviceInfoGroups 8 }
END
5.5. Key Management Info
This MIB module makes references to the following documents:
[RFC2571], [RFC2578], [RFC2579], [RFC2580], [RFC5280], [RFC5914],
[RFC6030], and [RFC6353].
CC-KEY-MANAGEMENT-MIB DEFINITIONS ::= BEGIN
IMPORTS
ccKeyManagement
FROM CC-FEATURE-HIERARCHY-MIB -- FROM {{cc-fh}}
OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
Counter64, MODULE-IDENTITY
FROM SNMPv2-SMI -- FROM RFC 2578
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- FROM RFC 2571
RowPointer, RowStatus, DateAndTime,
TruthValue,TEXTUAL-CONVENTION, TimeStamp
FROM SNMPv2-TC -- FROM RFC 2579
MODULE-COMPLIANCE, OBJECT-GROUP,
NOTIFICATION-GROUP
FROM SNMPv2-CONF -- FROM RFC 2580
SnmpTLSFingerprint
FROM SNMP-TLS-TM-MIB; -- FROM RFC 6353
ccKeyManagementMIB MODULE-IDENTITY
"Shadi Azoum
US Navy
email: shadi.azoum@navy.mil
Elliott Jones
US Navy
elliott.jones@navy.mil
Lily Sun
US Navy
lily.sun@navy.mil
Mike Irani
Azoum, et al. Expires January 1, 2017 [Page 30]
�
Internet-Draft CCMIB June 2016
NKI Engineering
irani@nkiengineering.com
Jeffrey Sun
NKI Engineering
sunjeff@nkiengineering.com
Ray Purvis
MITRE
Email:rpurvis@mitre.org
Sean Turner
sn3rd
Email:sean@sn3rd.com"
DESCRIPTION
"This MIB defines the CC MIB tree hierarchical assignments
below it and acts as a reservation mechanism.
Copyright (c) 2016 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC xxxx;
see the RFC itself for full legal notices."
-- RFC Ed.: RFC-editor please fill in xxxx.
REVISION "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
DESCRIPTION "Initial Version. Published as RFC xxxx."
-- RFC Ed.: RFC-editor please fill in xxxx.
::= { ccKeyManagement 1 }
-- *****************************************************************
-- Key Management Information Segments
-- *****************************************************************
cSymmetricKeyInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 1 }
cAsymKeyInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 2 }
cTrustAnchorInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 3 }
cCKLInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 4 }
Azoum, et al. Expires January 1, 2017 [Page 31]
�
Internet-Draft CCMIB June 2016
cCDMStoreInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 5 }
cCertSubAltNameInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 6 }
cCertPathCtrlsInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 7 }
cCertPolicyInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 8 }
cPolicyMappingInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 9 }
cNameConstraintInfo OBJECT IDENTIFIER
::= { ccKeyManagementMIB 10 }
cKeyManagementScalars OBJECT IDENTIFIER
::= { ccKeyManagementMIB 11 }
cKeyManagementNotify OBJECT IDENTIFIER
::= { ccKeyManagementMIB 12 }
cKeyManagementConformance OBJECT IDENTIFIER
::= { ccKeyManagementMIB 13 }
-- *****************************************************************
-- Key Management Scalars
-- *****************************************************************
cZeroizeAllKeys OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to 'true' removes all entries in key
material tables and zeroizes key materials. It is applicable
to symmetric keys, asymmetric keys, and Trust Anchors (TA).
It must not modify any other information in the device such
as the persistent storage or the audit log. When read this
object should return false. If this object is set to the
same value as the current value, the device must not perform
any operation but should accept this as a valid SET
operation. Note after being set to true, an agent should
reset this object to false once it has zeroized all the keys
stored in the device."
::= { cKeyManagementScalars 1 }
cZeroizeSymmetricKeyTable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to 'true' removes all entries in the
cSymmetricKeyTablekey and zeroizes the associated key
Azoum, et al. Expires January 1, 2017 [Page 32]
�
Internet-Draft CCMIB June 2016
materials. This operation must not modify any other
information in the device such as the persistent storage or
the audit log. When read this object should return false. If
this object is set to the same value as the current value,
the device must not perform any operation but should accept
this as a valid SET operation. Note after being set to true,
an agent should reset this object to false once it has
zeroized the specific key materials stored in the device."
::= { cKeyManagementScalars 2 }
cZeroizeAsymKeyTable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to 'true' removes all entries in the
cAsymKeyTable, cCertSubAltNameTable, and zeroizes the
associated key materials. This operation must not modify any
other information in the device such as the persistent
storage or the audit log. When read this object should
return false. If this object is set to the same value as the
current value, the device must not perform any operation but
should accept this as a valid SET operation. Note after
being set to true, an agent should reset this object to
false once it has zeroized the specific key materials stored
in the device."
::= { cKeyManagementScalars 3 }
cZeroizeTrustAnchorTable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to 'true' removes all entries in the
cTrustAnchorTable. This operation must not modify any other
information in the device such as the persistent storage or
the audit log. When read this object should return false. If
this object is set to the same value as the current value,
the device must not perform any operation but should accept
this as a valid SET operation. Note after being set to true,
an agent should reset this object to false once it has
zeroized the specific key materials stored in the device.
Some implementations may restrict the deletion of Trust
Anchors to specific protocols (e.g. TAMP)."
::= { cKeyManagementScalars 4 }
cZeroizeCDMStoreTable OBJECT-TYPE
Azoum, et al. Expires January 1, 2017 [Page 33]
�
Internet-Draft CCMIB June 2016
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to 'true' removes all entries in the
cCDMStoreTable that are of type symkey, asymkey, and
trustAnchor. This operation must not modify any other
information in the device such as the persistent storage or
the audit log. When read this object should return false. If
this object is set to the same value as the current value,
the device must not perform any operation but should accept
this as a valid SET operation. Note after being set to true,
an agent should reset this object to false once it has
zeroized the specific key materials stored in the device."
::= { cKeyManagementScalars 5 }
cKeyMaterialTableOID OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The OID of the table for which (1) a successful or failed
configuration occurred upon a key material load or (2) a key
material has expired, will expire, or had its expiration
date changed (3) a key material has been zeroized."
::= { cKeyManagementScalars 6 }
cKeyMaterialFingerprint OBJECT-TYPE
SYNTAX SnmpTLSFingerprint
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION
"The fingerprint of the key material to be transmitted in a
notification."
::= { cKeyManagementScalars 7 }
cSymKeyGlobalExpiryWarning OBJECT-TYPE
SYNTAX Unsigned32
UNITS "days"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A global setting, indicating the number of days prior to
the expiration date of a symmetric key (value of
cSymKeyExpirationDate in the associated cSymmetricKeyTable
entry) for which the cKeyMaterialExpiring notification will
be transmitted.
Azoum, et al. Expires January 1, 2017 [Page 34]
�
Internet-Draft CCMIB June 2016
The value in this object is only used if no value exists for
the associated cSymmetricKeyTable entry's
cSymKeyExpiryWarning object."
::= { cKeyManagementScalars 8 }
cAsymKeyGlobalExpiryWarning OBJECT-TYPE
SYNTAX Unsigned32
UNITS "days"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A global setting, indicating the number of days prior to
the expiration date of an asymmetric key (value of
cAsymKeyExpirationDate in the associated cAsymKeyTable entry)
for which the cKeyMaterialExpiring notification will be
transmitted.
The value in this object is only used if no value exists for
the associated cAsymKeyTable entry's cAsymKeyExpiryWarning
object."
::= { cKeyManagementScalars 9 }
cGenerateKeyType OBJECT-TYPE
SYNTAX INTEGER { x509v3(1), psk(2)}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The type of key material to be generated
[1] x509v3: X.509v3 certificate per RFC 5280.
[2] Symmetric Pre-Shared Key."
::= { cKeyManagementScalars 10 }
cGenerateKey OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to 'true' will force the generation of
key material, based on the type of key material described in
cGenerateKeyType. Post-generation, the agent must create an
entry in the appropriate key material table that captures
information on this key.
Note after being set to true, an agent should reset this
object to false once the key material has been generated and
an entry created in the appropriate table."
::= { cKeyManagementScalars 11 }
Azoum, et al. Expires January 1, 2017 [Page 35]
�
Internet-Draft CCMIB June 2016
-- *****************************************************************
-- Key Management Notifications
-- *****************************************************************
cKeyMaterialLoadSuccess NOTIFICATION-TYPE
OBJECTS { cKeyMaterialTableOID }
STATUS current
DESCRIPTION
"An attempt to load the device with key material, identified
by the table identifier (e.g. cSymmetricKeyTable), has
succeeded. This notification may be sent upon a single
successful key material load or may be sent upon a series of
successful single key material loads."
::= { cKeyManagementNotify 1 }
cKeyMaterialLoadFail NOTIFICATION-TYPE
OBJECTS { cKeyMaterialTableOID }
STATUS current
DESCRIPTION
"An attempt to load the device with key material, identified
by the table identifier (e.g. cSymmetricKeyTable), has
failed."
::= { cKeyManagementNotify 2 }
cKeyMaterialExpiring NOTIFICATION-TYPE
OBJECTS {
cKeyMaterialFingerprint,
cKeyMaterialTableOID
}
STATUS current
DESCRIPTION
"Key Material, identified by Key Fingerprint and OID of the
associated key material table, is about to expire. This
notification is transmitted prior to the key material's
configured expiration date
(cSymKeyExpirationDate/cAsymKeyExpirationDate) as indicated
by a global setting
(cSymKeyGlobalExpiryWarning/cAsymKeyGlobalExpiryWarning) or
the granular setting per key material table entry
(cSymKeyExpiryWarning/cAsymKeyExpiryWarning) if configured."
::= { cKeyManagementNotify 3 }
cKeyMaterialExpired NOTIFICATION-TYPE
OBJECTS {
cKeyMaterialFingerprint,
cKeyMaterialTableOID
}
STATUS current
Azoum, et al. Expires January 1, 2017 [Page 36]
�
Internet-Draft CCMIB June 2016
DESCRIPTION
"Key Material, identified by Key Fingerprint and OID of the
associated key material table, has expired."
::= { cKeyManagementNotify 4 }
cKeyMaterialExpirationChanged NOTIFICATION-TYPE
OBJECTS {
cKeyMaterialFingerprint,
cKeyMaterialTableOID
}
STATUS current
DESCRIPTION
"The expiration date of Key Material, identified by Key
Fingerprint and the OID of the associated key material
table, has changed. This can happen by either the
'Expiration' object in the table changing or by the device
making a change due to some other automated security policy
change such as automatically extending a key when no new key
is available."
::= { cKeyManagementNotify 5 }
cKeyMaterialZeroized NOTIFICATION-TYPE
OBJECTS {
cKeyMaterialFingerprint,
cKeyMaterialTableOID
}
STATUS current
DESCRIPTION
"A key material, identified by fingerprint and OID of the
associated key material table, has been securely deleted and
zeroized. This notification is transmitted upon setting the
Row Status object of the associated key material table entry
to 'destroy', setting the cZeroizeAllKeys object to 'true',
setting the cZeroizeSymmetricKeyTable object to 'true',
setting the cZeroizeAsymKeyTable object to 'true', setting
the cZeroizeTrustAnchorTable object to 'true', or setting
the cZeroizeCDMStoreTable object to 'true'."
::= { cKeyManagementNotify 6 }
cCKLLoadSuccess NOTIFICATION-TYPE
OBJECTS {
cCKLIndex,
cCKLIssuer
}
STATUS current
DESCRIPTION
"An attempt to load the device with CKL, identified by
cCKLIndex and cCKLIssuer (indexes to the cCKLTable), has
Azoum, et al. Expires January 1, 2017 [Page 37]
�
Internet-Draft CCMIB June 2016
succeeded."
::= { cKeyManagementNotify 7 }
cCKLLoadFail NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An attempt to load the device with CKL has failed."
::= { cKeyManagementNotify 8 }
cCDMAdded NOTIFICATION-TYPE
OBJECTS {
cCDMStoreIndex,
cCDMStoreType
}
STATUS current
DESCRIPTION
"A new cryptographic device material (CDM) entry has been
added to the cCDMStoreTable, as identified cCDMStoreIndex
and cCDMStoreType."
::= { cKeyManagementNotify 9 }
cCDMDeleted NOTIFICATION-TYPE
OBJECTS {
cCDMStoreIndex,
cCDMStoreType,
cCDMStoreFriendlyName
}
STATUS current
DESCRIPTION
"A cryptographic device material (CDM) entry has been
deleted from the cCDMStoreTable, as identified
cCDMStoreIndex, cCDMStoreType and cCDMStoreFriendlyName."
::= { cKeyManagementNotify 10 }
cTrustAnchorAdded NOTIFICATION-TYPE
OBJECTS {
cTrustAnchorFingerprint,
cTrustAnchorFormatType,
cTrustAnchorUsageType
}
STATUS current
DESCRIPTION
"A trust anchor has been added to the cTrustAnchorTable, as
identified by cTrustAnchorFingerprint,
cTrustAnchorFormatType, and cTrustAnchorUsageType."
::= { cKeyManagementNotify 11 }
cTrustAnchorUpdated NOTIFICATION-TYPE
Azoum, et al. Expires January 1, 2017 [Page 38]
�
Internet-Draft CCMIB June 2016
OBJECTS {
cTrustAnchorFingerprint,
cTrustAnchorFormatType,
cTrustAnchorUsageType
}
STATUS current
DESCRIPTION
"A trust anchor has been updated in the cTrustAnchorTable,
as identified by cTrustAnchorFingerprint,
cTrustAnchorFormatType, and cTrustAnchorUsageType."
::= { cKeyManagementNotify 12 }
cTrustAnchorRemoved NOTIFICATION-TYPE
OBJECTS {
cTrustAnchorFingerprint,
cTrustAnchorFormatType,
cTrustAnchorUsageType
}
STATUS current
DESCRIPTION
"A trust anchor has been removed from the cTrustAnchorTable,
as identified by cTrustAnchorFingerprint,
cTrustAnchorFormatType, and cTrustAnchorUsageType."
::= { cKeyManagementNotify 13 }
-- *****************************************************************
-- CC MIB cSymmetricKeyTable
-- *****************************************************************
cSymmetricKeyTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cSymmetricKeyTable."
::= { cSymmetricKeyInfo 1 }
cSymmetricKeyTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
Azoum, et al. Expires January 1, 2017 [Page 39]
�
Internet-Draft CCMIB June 2016
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cSymmetricKeyInfo 2 }
cSymmetricKeyTable OBJECT-TYPE
SYNTAX SEQUENCE OF CSymmetricKeyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing the various types of symmetric keys
used by the device."
::= { cSymmetricKeyInfo 3 }
cSymmetricKeyEntry OBJECT-TYPE
SYNTAX CSymmetricKeyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about a Symmetric Key."
INDEX { cSymKeyFingerprint }
::= { cSymmetricKeyTable 1 }
CSymmetricKeyEntry ::= SEQUENCE {
cSymKeyFingerprint SnmpTLSFingerprint,
cSymKeyUsage BITS,
cSymKeyID OCTET STRING,
cSymKeyIssuer OCTET STRING,
cSymKeyEffectiveDate DateAndTime,
cSymKeyExpirationDate DateAndTime,
cSymKeyExpiryWarning Unsigned32,
cSymKeyNumberOfTransactions Unsigned32,
cSymKeyFriendlyName SnmpAdminString,
cSymKeyClassification BITS,
cSymKeySource OCTET STRING,
cSymKeyRowStatus RowStatus
}
cSymKeyFingerprint OBJECT-TYPE
SYNTAX SnmpTLSFingerprint
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An inherent identification of the symmetric key and the
primary index to the cSymmetricKeyTable.
This MIB does not provide any additional requirements on
developing the fingerprint. Implementations are cautioned to
develop the hash in a manner that does not compromise the
Azoum, et al. Expires January 1, 2017 [Page 40]
�
Internet-Draft CCMIB June 2016
security of the key material."
::= { cSymmetricKeyEntry 1 }
cSymKeyUsage OBJECT-TYPE
SYNTAX BITS { oneTimePassword(0), challengeResponse(1),
unlock(2), encrypt(3), decrypt(4),
integrity(5), verify(6), keyWrap(7),
unwrap(8), derive(9), generate(10),
sharedSecret(11) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The intended usage for the key: One Time Password (OTP),
Challenge/Response (CR), Unlock, Encrypt, Decrypt,
Integrity, Verify, KeyWrap, Unwrap, Derive, Generate,
Shared Secret.
From RFC 6030 section 5.
OTP: The key is used for One Time Password (OTP) generation.
CR: The key is used for Challenge/Response purposes.
Unlock: The key is used for an inverse challenge response in
the case where a user has locked the device by entering a
wrong password too many times (for devices with password
input capability).
Encrypt: The key is used for data encryption purposes.
Integrity: The key is used to generate a keyed message
digest for data integrity or authentication purposes.
Verify: The key is used to verify a keyed message digest for
data integrity or authentication purposes (this is the
opposite key usage of 'Integrity').
Decrypt: The key is used for data decryption purposes.
KeyWrap: The key is used for key wrap purposes.
Unwrap: The key is used for key unwrap purposes.
Derive: The key is used with a key derivation function to
derive a new key.
Generate: The key is used to generate a new key based on a
random number and the previous value of the key.
Azoum, et al. Expires January 1, 2017 [Page 41]
�
Internet-Draft CCMIB June 2016
Shared Secret: The key is used as a shared secret between
entities.
Bit value translation:
1000 0000 0000 0000 = OneTimePassword
0100 0000 0000 0000 = ChallengeResponse
0010 0000 0000 0000 = Unlock
0001 0000 0000 0000 = Encrypt
0000 1000 0000 0000 = Decrypt
0000 0100 0000 0000 = Integrity
0000 0010 0000 0000 = Verify
0000 0001 0000 0000 = KeyWrap
0000 0000 1000 0000 = Unwrap
0000 0000 0100 0000 = Derive
0000 0000 0010 0000 = Generate
0000 0000 0001 0000 = SharedSecret"
::= { cSymmetricKeyEntry 2 }
cSymKeyID OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Represents a unique identifier assigned to this symmetric
key. This would typically be an identifier inherent to the
key material, such as a serial number or other form of
identifier derived from a tag or other key wrapper. This
object differs from cSymKeyFriendlyName which is a
user-defined ID."
::= { cSymmetricKeyEntry 3 }
cSymKeyIssuer OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Represents the name of the entity which issued the key. Use
a distinguished name (DN) when one is available."
::= { cSymmetricKeyEntry 4 }
cSymKeyEffectiveDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The effective date of the key."
::= { cSymmetricKeyEntry 5 }
Azoum, et al. Expires January 1, 2017 [Page 42]
�
Internet-Draft CCMIB June 2016
cSymKeyExpirationDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The expiration date of the key."
::= { cSymmetricKeyEntry 6 }
cSymKeyExpiryWarning OBJECT-TYPE
SYNTAX Unsigned32
UNITS "days"
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The number of days prior to the expiration date of this key
(cSymKeyExpirationDate) for which the cKeyMaterialExpiring
notification will be transmitted.
If configured, the scalar value of
cSymKeyGlobalExpiryWarning will be ignored. The value of
cSymKeyGlobalExpiryWarning will only be used if this column
is not populated, populated with 0, or not implemented."
::= { cSymmetricKeyEntry 7 }
cSymKeyNumberOfTransactions OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Indicates the maximum number of times a key can be used
after having received it. If this column is not implemented,
then there is no restriction regarding the number of times a
key can be used.
When this number is reached, implementations supporting this
object should stop using this key and send a
cKeyMaterialExpired notification."
::= { cSymmetricKeyEntry 8 }
cSymKeyFriendlyName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A human readable label of the key for easier reference. It
is used only for helpful or informational purposes."
::= { cSymmetricKeyEntry 9 }
Azoum, et al. Expires January 1, 2017 [Page 43]
�
Internet-Draft CCMIB June 2016
cSymKeyClassification OBJECT-TYPE
SYNTAX BITS { unclassified(0), restricted(1),
confidential(2), secret(3), topSecret(4) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The classification of the key.
Bit value translation:
1000 0000 = unclassified
0100 0000 = restricted
0010 0000 = confidential
0001 0000 = secret
0000 1000 = topSecret
This column does not exist for devices that do not have the
concept of classification."
::= { cSymmetricKeyEntry 10 }
cSymKeySource OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The source of the key material. This can be the URI of a
key source entity. If the key was derived from a user-input
password, the string should say PASSWORD.
Keys developed by the device should contain the string
DEVICE-GENERATED. If the key was filled locally then this
column should begin with the word FILL followed by the fill
protocol. If the source is unknown, this column should not
be populated or be set to an empty string, ''."
::= { cSymmetricKeyEntry 11 }
cSymKeyRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this row by which existing entries may be
deleted from this table. Setting this column to destroy is
synonymous with zeroizing the key. Any reference(s) to this
object, upon setting this RowStatus to destroy, should be
destroyed as well.
Upon populating this row, this column should automatically
be set to notReady. Only after valid information has been
entered by the manager, can the manager set this column to
active.
Azoum, et al. Expires January 1, 2017 [Page 44]
�
Internet-Draft CCMIB June 2016
At a minimum, implementations must support active and
destroy management functions. Implementations must support
createAndWait and createAndGo management functions for this
object if the symmetric key material can be manually entered
by the manager."
::= { cSymmetricKeyEntry 12 }
-- *********************************************************************
-- CC MIB cAsymKeyTable
-- *********************************************************************
cAsymKeyTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cAsymKeyTable."
::= { cAsymKeyInfo 1 }
cAsymKeyTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cAsymKeyInfo 2 }
cAsymKeyTable OBJECT-TYPE
SYNTAX SEQUENCE OF CAsymKeyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing the Asymmetric Key Material and
Certificates used by the device. Enumeration values, when
applicable follow the conventions in RFC 5280."
::= { cAsymKeyInfo 3 }
cAsymKeyEntry OBJECT-TYPE
SYNTAX CAsymKeyEntry
MAX-ACCESS not-accessible
STATUS current
Azoum, et al. Expires January 1, 2017 [Page 45]
�
Internet-Draft CCMIB June 2016
DESCRIPTION
"A row containing information about an Asymmetric Key or
Certificate."
INDEX { cAsymKeyFingerprint }
::= { cAsymKeyTable 1 }
CAsymKeyEntry ::= SEQUENCE {
cAsymKeyFingerprint SnmpTLSFingerprint,
cAsymKeyFriendlyName SnmpAdminString,
cAsymKeySerialNumber OCTET STRING,
cAsymKeyIssuer OCTET STRING,
cAsymKeySignatureAlgorithm OCTET STRING,
cAsymKeyPublicKeyAlgorithm OCTET STRING,
cAsymKeyEffectiveDate DateAndTime,
cAsymKeyExpirationDate DateAndTime,
cAsymKeyExpiryWarning Unsigned32,
cAsymKeySubject OCTET STRING,
cAsymKeySubjectType BITS,
cAsymKeySubjectAltName SnmpAdminString,
cAsymKeyUsage BITS,
cAsymKeyClassification BITS,
cAsymKeySource OCTET STRING,
cAsymKeyRowStatus RowStatus,
cAsymKeyVersion INTEGER,
cAsymKeyRekey TruthValue,
cAsymKeyType OCTET STRING
}
cAsymKeyFingerprint OBJECT-TYPE
SYNTAX SnmpTLSFingerprint
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An inherent identification of the asymmetric key and the
primary index to the cAsymKeyTable."
::= { cAsymKeyEntry 1 }
cAsymKeyFriendlyName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A human readable label of the key for easier reference. It
is used only for helpful or informational purposes."
::= { cAsymKeyEntry 2 }
cAsymKeySerialNumber OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
Azoum, et al. Expires January 1, 2017 [Page 46]
�
Internet-Draft CCMIB June 2016
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The unique positive integer assigned to the Asymmetric
Key. For Public Key Certificate (PKC) this serial number is
assigned by the Certification Authority (CA). The value is
this column can be up to 20 bytes long per Section
'4.1.2.2. Serial Number' of RFC 5280. Other types of Key
Material may have different serial number format as defined
by the issuer (e.g. a Key Material ID)."
::= { cAsymKeyEntry 3 }
cAsymKeyIssuer OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The issuer of this key material. For Public Key
Certificates, this is the distinguished name (DN) of the
entity that has signed and issued the Public Key
Certificate (PKC). Other issuers shall be defined by the
class of device and will reference the Key Management
System that delivers the key material for that device."
::= { cAsymKeyEntry 4 }
cAsymKeySignatureAlgorithm OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Signature algorithm used by a Certification Authority to
sign this asymmetric key material (e.g. X.509 Certificate).
If no signature/signature algorithm is provided/used, this
column would not exist.
Note, this is a free form OCTET STRING column, meaning
implementations may utilize a standardized definition of
string values or use a proprietary definition of string
values for supported signature algorithms."
::= { cAsymKeyEntry 5 }
cAsymKeyPublicKeyAlgorithm OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Public key algorithm with which the public key is used (as
associated with the asymmetric key material (e.g. X.509
Azoum, et al. Expires January 1, 2017 [Page 47]
�
Internet-Draft CCMIB June 2016
Certificate)).
Note, this is a free form OCTET STRING column, meaning
implementations may utilize a standardized definition of
string values or use a proprietary definition of string
values for supported public key algorithms."
::= { cAsymKeyEntry 6 }
cAsymKeyEffectiveDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The date on which the validity period of the Asymmetric
Key begins. This column must not exist when the key
material does not have an inherent and associated effective
date."
::= { cAsymKeyEntry 7 }
cAsymKeyExpirationDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The date on which the validity period of the Asymmetric
Key ends. This column must not exist when the key material
does not have an inherent and associated expiration date."
::= { cAsymKeyEntry 8 }
cAsymKeyExpiryWarning OBJECT-TYPE
SYNTAX Unsigned32
UNITS "days"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The number of days prior to the expiration date of this
key (cAsymKeyExpirationDate) for which the
cKeyMaterialExpiring notification will be transmitted.
If configured, the scalar value of
cAsymKeyGlobalExpiryWarning will be ignored. The value of
cAsymKeyGlobalExpiryWarning will only be used if this
column is not populated, populated with 0, or not
implemented."
::= { cAsymKeyEntry 9 }
cAsymKeySubject OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
Azoum, et al. Expires January 1, 2017 [Page 48]
�
Internet-Draft CCMIB June 2016
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The entity associated with this Asymmetric Key.
For non-X.509 based key material, or when this object does
not apply for the key material, this column will not exist."
::= { cAsymKeyEntry 10 }
cAsymKeySubjectType OBJECT-TYPE
SYNTAX BITS { other(0), certificationAuthority(1),
crlIssuer(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Defines the type of subject based on the following
choices. certificationAuthority(1) - When set to 1
indicates that the subject (cAsymKeySubject) of the Public
Key Certificate (PKC) is a Certification Authority (CA).
crlIssuer(2) - When set to 1 indicates that the subject
(cCertificateSubject) of the Public Key Certificate (PKC)
is a Certificate Revocation List (CRL) issuer.
Bit value translation:
1000 0000 = other
0100 0000 = certificationAuthority
0010 0000 = crlIssuer
For non-X.509 based key material, or when this object does not
apply for the key material, this column will not exist."
::= { cAsymKeyEntry 11 }
cAsymKeySubjectAltName OBJECT-TYPE
SYNTAXSnmpAdminString (SIZE(1..32))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A reference string that points to a set of Certificate
Subject Alternative Subject Names in the
cCertSubAltNameTable.
This column should contain an empty string if the
Certificate has no associating Subject Alternative Names.
For non-X.509 based key material, or when this object does
not apply for the key material, this column will not
exist."
::= { cAsymKeyEntry 12 }
cAsymKeyUsage OBJECT-TYPE
Azoum, et al. Expires January 1, 2017 [Page 49]
�
Internet-Draft CCMIB June 2016
SYNTAX BITS { other(0), digitalSignature(1),
nonRepudiation(2), keyEncipherment(3),
dataEncipherment(4), keyAgreement(5),
keyCertSign(6), cRLSign(7), encipherOnly(8),
decipherOnly(9) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Provides the intended type of usage for the Asymmetric
Key. The following types are supported (defined in Section
4.2.1.3 Key Usage of RFC 5280 for PKC):
other(0), digitalSignature(1), nonRepudiation(2),
keyEncipherment(3), dataEncipherment(4), keyAgreement(5),
keyCertSign(6), cRLSign(7), encipherOnly(8), and
decipherOnly(9)
Bit value translation:
1000 0000 0000 0000 = other,
0100 0000 0000 0000 = digitalSignature,
0010 0000 0000 0000 = nonRepudiation,
0001 0000 0000 0000 = keyEncipherment,
0000 1000 0000 0000 = dataEncipherment,
0000 0100 0000 0000 = keyAgreement,
0000 0010 0000 0000 = keyCertSign,
0000 0001 0000 0000 = cRLSign,
0000 0000 1000 0000 = encipherOnly,
0000 0000 0100 0000 = decipherOnly.
Devices using asymmetric key material not adhering to RFC
5280 (X.509 format) may still use an applicable value for
the Usage, or may use 'other'."
::= { cAsymKeyEntry 13 }
cAsymKeyClassification OBJECT-TYPE
SYNTAX BITS { unclassified(0), restricted(1),
confidential(2), secret(3), topSecret(4) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The supported classification level supported by the
cAsymKeySubject used by this key material
Bit value translation:
1000 0000 = unclassified,
0100 0000 = restricted,
0010 0000 = confidential,
0001 0000 = secret,
0000 1000 = topSecret.
This column does not exist for devices that do not have the
concept of classification."
Azoum, et al. Expires January 1, 2017 [Page 50]
�
Internet-Draft CCMIB June 2016
::= { cAsymKeyEntry 14 }
cAsymKeySource OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The source of the key material. This can be the URI of a
key source entity. Keys developed by the device should
contain the string DEVICE-GENERATED. If the key was filled
locally then this column should begin with the word FILL
followed by the fill protocol. If the source is unknown,
this column should be blank."
::= { cAsymKeyEntry 15 }
cAsymKeyRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The status of this row by which existing entries may be
deleted from this table. Deleting a row in this table will
also delete analogous rows in the cCertSubAltNameTable that
are referenced by the cAsymKeySubjectAltName.
Setting this column to destroy is synonymous with zeroizing
the key material. Any reference(s) to this object, upon
setting this RowStatus to destroy, should be destroyed as
well. At a minimum, implementations must support active and
destroy management functions. Support for notInService and
notReady management functions is optional. Implementations
must not support createAndWait and createAndGo management
functions for this object."
::= { cAsymKeyEntry 16 }
cAsymKeyVersion OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The version of the asymmetric key material. For example,
X.509 Version 3 certificates would have a value of '2', as
defined in RFC 5280 - Section 4.1.2.1.
When this object does not apply for the key material, this
column will not exist."
::= { cAsymKeyEntry 17 }
Azoum, et al. Expires January 1, 2017 [Page 51]
�
Internet-Draft CCMIB June 2016
cAsymKeyRekey OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Setting this object to 'true' imitates a rekey operation
for the asymmetric key material. Note, additional
configurations will likely be required based on the
supported key management protocol.
Note after being set to true, an agent should reset this
object to false once the rekey operation has completed."
::= { cAsymKeyEntry 18 }
cAsymKeyType OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This column describes the type of asymmetric key material.
Note, this is a free form OCTET STRING column.
Implementations are expected to utilize definition of string
values that apply to their specific nomenclature supported.
If no such nomenclature exists, this column should not be
populated or be set to an empty string (i.e. '')."
::= { cAsymKeyEntry 19 }
-- *****************************************************************
-- CC MIB cTrustAnchorTable
-- *****************************************************************
cTrustAnchorTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cTrustAnchorTable."
::= { cTrustAnchorInfo 1 }
cTrustAnchorTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
Azoum, et al. Expires January 1, 2017 [Page 52]
�
Internet-Draft CCMIB June 2016
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cTrustAnchorInfo 2 }
cTrustAnchorTable OBJECT-TYPE
SYNTAX SEQUENCE OF CTrustAnchorEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing the Trust Anchors (TAs) in this
device."
::= { cTrustAnchorInfo 3 }
cTrustAnchorEntry OBJECT-TYPE
SYNTAX CTrustAnchorEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about a Trust Anchor (TA) that
has been loaded into the device."
INDEX { cTrustAnchorFingerprint }
::= { cTrustAnchorTable 1 }
CTrustAnchorEntry ::= SEQUENCE {
cTrustAnchorFingerprint SnmpTLSFingerprint,
cTrustAnchorFormatType INTEGER,
cTrustAnchorName OCTET STRING,
cTrustAnchorUsageType INTEGER,
cTrustAnchorKeyIdentifier OCTET STRING,
cTrustAnchorPublicKeyAlgorithm OCTET STRING,
cTrustAnchorContingencyAvail TruthValue,
cTrustAnchorRowStatus RowStatus
}
cTrustAnchorFingerprint OBJECT-TYPE
SYNTAX SnmpTLSFingerprint
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An inherent identification of the trust anchor and the
primary index to the cTrustAnchorTable."
::= { cTrustAnchorEntry 1 }
cTrustAnchorFormatType OBJECT-TYPE
SYNTAX INTEGER { x509v3(1), trustAnchorFormat(2),
Azoum, et al. Expires January 1, 2017 [Page 53]
�
Internet-Draft CCMIB June 2016
tbsCertificate(3) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type/format of the trust anchor.
[1] x509v3: X.509v3 certificate per RFC 5280.
[2] trustAnchorFormat: Trust Anchor Format per RFC 5914.
[3] tbsCertificate: To Be Signed Certificate per RFC 5280."
::= { cTrustAnchorEntry 2 }
cTrustAnchorName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The name of the Trust Anchor. When available, this is the
X.500 distinguished name (DN) associated with the Trust
Anchor (TA) used to construct and validate an X.509
certification path. When the value of cTrustAnchorFormatType
is 'trustAnchorFormat', this column is populated with the
value from the taTitle field of the TrustAnchorInfo
structure defined in RFC 5914, which is a human-readable
name for the trust anchor. Otherwise, this column should be
blank."
::= { cTrustAnchorEntry 3 }
cTrustAnchorUsageType OBJECT-TYPE
SYNTAX INTEGER { other(1), apex(2), management(3),
identity(4), firmware(5), crl(6) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The usage type for the Trust Anchor (TA). Note, crl(6) also
applies to compromised key lists."
::= { cTrustAnchorEntry 4 }
cTrustAnchorKeyIdentifier OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The identifier of the Trust Anchor's (TA's) public key."
::= { cTrustAnchorEntry 5 }
cTrustAnchorPublicKeyAlgorithm OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
Azoum, et al. Expires January 1, 2017 [Page 54]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"Public key algorithm with which the public key is used (as
associated with the trust anchor).
Note, this is a free form OCTET STRING column, meaning
implementations may utilize a standardized definition of
string values or use a proprietary definition of string
values for supported public key algorithms."
::= { cTrustAnchorEntry 6 }
cTrustAnchorContingencyAvail OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An indication of the availability of a contingency key for
an Apex Trust Anchor. When set to 'True', a contingency key
is available."
::= { cTrustAnchorEntry 7 }
cTrustAnchorRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The status of this row by which existing entries may be
deleted from this table. Setting this column to destroy is
synonymous with zeroizing the Trust Anchor (TA). Any
reference(s) to this object, upon setting this RowStatus to
destroy, should be destroyed as well.
At a minimum, implementations must support active and
destroy management functions. Support for notInService and
notReady management functions is optional. Implementations
must not support createAndWait and createAndGo management
functions for this object.
Some implementations may restrict the deletion of Trust
Anchors to specific protocols (e.g. TAMP)."
::= { cTrustAnchorEntry 8 }
-- *********************************************************************
-- CC MIB cCKLTable
-- *********************************************************************
cCKLTableCount OBJECT-TYPE
SYNTAX Unsigned32
Azoum, et al. Expires January 1, 2017 [Page 55]
�
Internet-Draft CCMIB June 2016
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCKLTable."
::= { cCKLInfo 1 }
cCKLLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCKLInfo 2 }
cCKLTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCKLEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing the Compromised Key Lists and
Certificate Revocation Lists (CRLS) used by the device. This
table is used both for CRLs as defined in RFC 5280 and for
other formats of revocation lists (such as Compromised Key
Lists.)"
::= { cCKLInfo 3 }
cCKLEntry OBJECT-TYPE
SYNTAX CCKLEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about a Compromised Key List
or Certificate Revocation List (CRL) used by the device."
INDEX { cCKLIndex, cCKLIssuer }
::= { cCKLTable 1 }
CCKLEntry ::= SEQUENCE {
cCKLIndex Unsigned32,
cCKLIssuer OCTET STRING,
cCKLSerialNumber OCTET STRING,
cCKLIssueDate DateAndTime,
Azoum, et al. Expires January 1, 2017 [Page 56]
�
Internet-Draft CCMIB June 2016
cCKLNextUpdate DateAndTime,
cCKLRowStatus RowStatus,
cCKLVersion INTEGER,
cCKLLastUpdate DateAndTime
}
cCKLIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An ID that uniquely identifies the Compromised Key List
(CKL) in this table."
::= { cCKLEntry 1 }
cCKLIssuer OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"For devices adhering to RFC 5280 this is the X.500
distinguished name (DN) of the entity that has signed and
issued the Certificate Revocation List (CRL).
Other CRL/CKL issuers may use proprietary naming conventions
or formats.
If the source is unknown, this column should not be
populated or be set to an empty string, ''."
::= { cCKLEntry 2 }
cCKLSerialNumber OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A Serial Number for this CRL or CKL.
For CRLs adhering to RFC 5280, this will be a monotonically
increasing sequence number for a given Certificate
Revocation List (CRL) scope and CRL issuer. The CRL Number
allows users to easily determine when a particular CKL/CRL
supersedes another CKL/CRL."
::= { cCKLEntry 3 }
cCKLIssueDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
Azoum, et al. Expires January 1, 2017 [Page 57]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"The issue date of this CRL/CKL."
::= { cCKLEntry 4 }
cCKLNextUpdate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date by which the next CKL/CRL issued. The next CRL
could be issued before the indicated date, but it will not
be issued any later than the indicated date.
If this value is unknown, this column should not be
populated or be set to an empty string, ''."
::= { cCKLEntry 5 }
cCKLRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The status of this row by which existing entries may be
deleted from this table.
At a minimum, implementations must support active and
destroy management functions. Support for notInService and
notReady management functions is optional. Implementations
must not support createAndWait and createAndGo management
functions for this object."
::= { cCKLEntry 6 }
cCKLVersion OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The version of the CKL/CRL. For example, X.509 Version 2
CRLs would have a value of '1', as defined in RFC 5280 -
Section 5.1.2.1.
When this object does not apply for the CKL/CRL, this column
will not exist."
::= { cCKLEntry 7 }
cCKLLastUpdate OBJECT-TYPE
Azoum, et al. Expires January 1, 2017 [Page 58]
�
Internet-Draft CCMIB June 2016
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The date this CKL/CRL was last updated."
::= { cCKLEntry 8 }
-- *********************************************************************
-- CC MIB cCDMStoreTable
-- *********************************************************************
cCDMStoreTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCDMStoreTable."
::= { cCDMStoreInfo 1 }
cCDMStoreTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCDMStoreInfo 2 }
cCDMStoreTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCDMStoreEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing various types of stored Crypto Device
Material (CDM) that are destined for this device and/or
destined for another device. When sending CDM to a destined
device, the cCDMTransferPkgLocatorRowPtr from the
CC-KEY-TRANSFER-PUSH-MIB can be used to point to the rows in
this table."
::= { cCDMStoreInfo 3 }
cCDMStoreEntry OBJECT-TYPE
Azoum, et al. Expires January 1, 2017 [Page 59]
�
Internet-Draft CCMIB June 2016
SYNTAX CCDMStoreEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about stored Crypto Device
Material (CDM)."
INDEX { cCDMStoreIndex }
::= { cCDMStoreTable 1 }
CCDMStoreEntry ::= SEQUENCE {
cCDMStoreIndex Unsigned32,
cCDMStoreType INTEGER,
cCDMStoreSource SnmpAdminString,
cCDMStoreID OCTET STRING,
cCDMStoreFriendlyName SnmpAdminString,
cCDMStoreControl INTEGER,
cCDMStoreRowStatus RowStatus
}
cCDMStoreIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A numeric index that identifies a unique location in this
table."
::= { cCDMStoreEntry 1 }
cCDMStoreType OBJECT-TYPE
SYNTAX INTEGER { symKey(1), asymKey(2), trustAnchor(3),
crl(4), ckl(5), firmware(6),
storeAndForwardWrappedPkg(7) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of Crypto Device Material (CDM) populated in this
row.
(1) symKey - This row contains information about a stored
symmetric key.
(2) asymKey - This row contains information about a stored
asymmetric key.
(3) trustAnchor - This row contains information about a
stored Trust Anchor (TA).
(4) crl - This row contains information about a stored
Certificate Revocation List (CRL).
(5) ckl - This row contains information about a stored
Compromised Key List (CKL).
Azoum, et al. Expires January 1, 2017 [Page 60]
�
Internet-Draft CCMIB June 2016
(6) firmware - This row contains information about stored
firmware.
(7) storeAndForwardWrappedPkg - This row contains
information about a stored encrypted wrapped package,
typically meant to be forwarded to another device."
::= { cCDMStoreEntry 2 }
cCDMStoreSource OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An administrative name that identifies the source of this
Crypto Device Material (CDM). This could be the URI used
when downloaded from the CDM server or a physical port
designator for CDM downloaded via HMI."
::= { cCDMStoreEntry 3 }
cCDMStoreID OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Represents a unique identifier assigned to this Crypto
Device Material (CDM). This would typically be an identifier
inherent to the CDM, such as a serial number or other form
of identifier derived from a tag or other CDM wrapper. This
object differs from cCDMStoreFriendlyName which is a
user-defined ID."
::= { cCDMStoreEntry 4 }
cCDMStoreFriendlyName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A human readable label of this Crypto Device Material (CDM)
for easier reference. It is used only for helpful or
informational purposes."
::= { cCDMStoreEntry 5 }
cCDMStoreControl OBJECT-TYPE
SYNTAX INTEGER { readyForInstall(1), install(2),
installAndDiscard(3) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A means to control what happens to the Crypto Device
Azoum, et al. Expires January 1, 2017 [Page 61]
�
Internet-Draft CCMIB June 2016
Material (CDM) stored in this table.
(1) readyForInstall - The CDM is ready for installation.
(2) install - The CDM will be installed in the appropriate
table based on the cCDMStoreType.
(3) installAndDiscard - The CDM will be installed in the
appropriate table based on the cCDMStoreType and
discarded from this table after the install operation is
complete.
Note, setting the cCDMStoreRowStatus object to 'destroy'
will discard the CDM."
::= { cCDMStoreEntry 6 }
cCDMStoreRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The status of this row by which existing entries may be
deleted from this table.
At a minimum, implementations must support active and
destroy management functions. Support for notInService and
notReady management functions is optional. Implementations
must not support createAndWait and createAndGo management
functions for this object."
::= { cCDMStoreEntry 7 }
-- *****************************************************************
-- CC MIB cCertSubAltNameTable
-- *****************************************************************
cCertSubAltNameTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCertSubAltNameTable."
::= { cCertSubAltNameInfo 1 }
cCertSubAltNameTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
Azoum, et al. Expires January 1, 2017 [Page 62]
�
Internet-Draft CCMIB June 2016
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCertSubAltNameInfo 2 }
cCertSubAltNameTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCertSubAltNameTableEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing a list of Subject Alternative Names
associated with the certificate."
::= { cCertSubAltNameInfo 3 }
cCertSubAltNameTableEntry OBJECT-TYPE
SYNTAX CCertSubAltNameTableEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about a Subject Alternative
Name and its type."
INDEX { cCertSubAltNameList, cCertSubAltNameListIndex }
::= { cCertSubAltNameTable 1 }
CCertSubAltNameTableEntry ::= SEQUENCE {
cCertSubAltNameList SnmpAdminString,
cCertSubAltNameListIndex Unsigned32,
cCertSubAltNameType INTEGER,
cCertSubAltNameValue1 OCTET STRING,
cCertSubAltNameValue2 OCTET STRING,
cCertSubAltNameRowStatus RowStatus
}
cCertSubAltNameList OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The administrative name defining the set of Subject
Alternative Names that are associated with the certificate.
Multiple Subject Alternative Names may use the same
administrative name, implying a group. It is the combination
of cCertSubAltNameList and cCertSubAltNameListIndex that
uniquely identifies each row or set of Subject Alternative
Names."
::= { cCertSubAltNameTableEntry 1 }
Azoum, et al. Expires January 1, 2017 [Page 63]
�
Internet-Draft CCMIB June 2016
cCertSubAltNameListIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique numeric index for rows, or sets of Subject
Alternative Names, with the same cCertSubAltNameList value.
This value, in combination with cCertSubAltNameList,
uniquely identifies each row, or set of Subject Alternative
Names."
::= { cCertSubAltNameTableEntry 2 }
cCertSubAltNameType OBJECT-TYPE
SYNTAX INTEGER { otherName(0), rfc822Name(1), dNSName(2),
x400Address(3), directoryName(4),
ediPartyName(5),
uniformResourceIdentifier(6), ipAddress(7),
registeredID(8) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of the Subject Alternative Name as defined in RFC
5280, Section 4.2.1.6. Specifically, the value of this
object determines the format of cCertSubAltNameValue1 and
cCertSubAltNameValue2."
::= { cCertSubAltNameTableEntry 3 }
cCertSubAltNameValue1 OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The main value of the Subject Alternative Name. The format
of the value must match its Type as defined in RFC 5280,
Section 4.2.1.6.
This column is the main value and is used for all
cCertSubAltNameType types. For otherName(0), this column
provides the value of the 'value' field. For
ediPartyName(5), this column provides the value of the
'partyName'. For all other types, this column provides the
value as defined in RFC 5280, Section 4.2.1.6."
::= { cCertSubAltNameTableEntry 4 }
cCertSubAltNameValue2 OBJECT-TYPE
SYNTAX OCTET STRING
Azoum, et al. Expires January 1, 2017 [Page 64]
�
Internet-Draft CCMIB June 2016
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This column is a supplement to the main value
cCertSubAltNameValue1 and may only be used when the
cCertSubAltNameType is either otherName(0) or
ediPartyName(5). For otherName(0), this column provides the
value of the 'type-id' as defined in RFC 5280, Section
4.2.1.6. For ediPartyName(5), this column provides the value
of the 'nameAssigner' as defined in RFC 5280, Section
4.2.1.6.
For all other values of cCertSubAltNameType or when the
'nameAssigner' is not used for ediPartyName(5), this column
will not exist.
Note: Support for multiple otherName(0) or ediPartyName(5)
alternate names is provided by allowing multiple rows of the
same cCertSubAltNameType and cCertSubAltNameList but with a
unique cCertSubAltNameListIndex."
::= { cCertSubAltNameTableEntry 5 }
cCertSubAltNameRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this row by which existing entries may be
deleted from this table.
At a minimum, implementations must support active and
destroy management functions. Support for notInService and
notReady management functions is optional. Implementations
must not support createAndWait and createAndGo management
functions for this object."
::= { cCertSubAltNameTableEntry 6 }
-- *****************************************************************
-- CC MIB cCertPathCtrlsTable
-- *****************************************************************
cCertPathCtrlsTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCertPathCtrlsTable."
::= { cCertPathCtrlsInfo 1 }
Azoum, et al. Expires January 1, 2017 [Page 65]
�
Internet-Draft CCMIB June 2016
cCertPathCtrlsTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCertPathCtrlsInfo 2 }
cCertPathCtrlsTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCertPathCtrlsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing the controls and constraints applied
to a certificate in order to process certificate trust paths."
::= { cCertPathCtrlsInfo 3 }
cCertPathCtrlsEntry OBJECT-TYPE
SYNTAX CCertPathCtrlsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about certificate path
controls and constraints."
INDEX { cCertPathCtrlsKeyFingerprint }
::= { cCertPathCtrlsTable 1 }
CCertPathCtrlsEntry ::= SEQUENCE {
cCertPathCtrlsKeyFingerprint SnmpTLSFingerprint,
cCertPathCtrlsCertificate RowPointer,
cCertPathCtrlsCertPolicies OCTET STRING,
cCertPathCtrlsPolicyMappings OCTET STRING,
cCertPathCtrlsPolicyFlags BITS,
cCertPathCtrlsNamesPermitted OCTET STRING,
cCertPathCtrlsNamesExcluded OCTET STRING,
cCertPathCtrlsMaxPathLength Unsigned32
}
cCertPathCtrlsKeyFingerprint OBJECT-TYPE
SYNTAX SnmpTLSFingerprint
MAX-ACCESS not-accessible
Azoum, et al. Expires January 1, 2017 [Page 66]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"Identifies a trust anchor in the cTrustAnchorTable or a
certificate in the cAsymKeyTable. This column is the
primary index to the cCertPathCtrlsTable."
::= {cCertPathCtrlsEntry 1}
cCertPathCtrlsCertificate OBJECT-TYPE
SYNTAX RowPointer
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Optional reference to an X.509 certificate defined in the
cAsymKeyTable to assist with certification path development
and validation."
::= { cCertPathCtrlsEntry 2 }
cCertPathCtrlsCertPolicies OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates a grouping of one or more policies for this
certificate. The value of this column corresponds to the
cCertPolicyInformation column in the cCertPolicyTable.
When this object does not apply for the key material, this
column will not exist."
::= { cCertPathCtrlsEntry 3 }
cCertPathCtrlsPolicyMappings OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"For a Certificate Authority (CA) certificate, this
indicates a grouping of policy mappings between a
certificate issuer CA domain policy and a domain policy of
the subject certificate CA. The value of this column
corresponds to the cPolicyMappingGroup column of the
cPolicyMappingTable.
For non-X.509 based key material, or when this object does
not apply for the key material, this column will not exist."
::= { cCertPathCtrlsEntry 4 }
cCertPathCtrlsPolicyFlags OBJECT-TYPE
SYNTAX BITS { inhibitPolicyMapping(0),
Azoum, et al. Expires January 1, 2017 [Page 67]
�
Internet-Draft CCMIB June 2016
requireExplicitPolicy(1),
inhibitAnyPolicy(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Optional certificate path policy flags consisting of the
following: inhibitPolicyMapping, requireExplicitPolicy, and
inhibitAnyPolicy.
inhibitPolicyMapping: Indicates if policy mapping is allowed
in the certification path.
requireExplicitPolicy: Indicates if the certification path
must be valid for at least one of the certificate policies
in cCertPathCtrlsCertPolicies.
inhibitAnyPolicy: Indicates whether the special anyPolicy
policy identifier is considered an explicit match for other
certificate policies.
Bit value translation:
1000 = inhibitPolicyMapping
0100 = requireExplicitPolicy
0010 = inhibitAnyPolicy"
::= { cCertPathCtrlsEntry 5 }
cCertPathCtrlsNamesPermitted OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates a subtree of names that are permitted for
certificate path validation. The value of this column
corresponds to the cNameConstraintGenSubtree column in the
cNameConstraintTable.
When this object does not apply for the key material, this
column will not exist."
::= { cCertPathCtrlsEntry 6 }
cCertPathCtrlsNamesExcluded OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates a subtree of names that are excluded from
certificate path validation, regardless of information
appearing in the cCertPathCtrlsNamesPermitted subtree. The
Azoum, et al. Expires January 1, 2017 [Page 68]
�
Internet-Draft CCMIB June 2016
value of this column corresponds to the
cNameConstraintGenSubtree column in the
cNameConstraintTable.
When this object does not apply for the key material, this
column will not exist."
::= { cCertPathCtrlsEntry 7 }
cCertPathCtrlsMaxPathLength OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Optional indication of the maximum number of
non-self-issued intermediate certificates that may follow
this certificate in a valid certification path."
::= { cCertPathCtrlsEntry 8 }
-- *****************************************************************
-- CC MIB cCertPolicyTable
-- *****************************************************************
cCertPolicyTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCertPolicyTable."
::= { cCertPolicyInfo 1 }
cCertPolicyTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCertPolicyInfo 2 }
cCertPolicyTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCertPolicyEntry
MAX-ACCESS not-accessible
Azoum, et al. Expires January 1, 2017 [Page 69]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"The table containing certificate policy information to be
provided as input to the certificate path validation
algorithm. For an end entity certificate, this information
indicates under which policy this certificate has been
issued and the purposes for which the certificate may be
used. For a Certificate Authority (CA) certificate, this
information limits the set of policies for certification
paths that include this certificate."
::= { cCertPolicyInfo 3 }
cCertPolicyEntry OBJECT-TYPE
SYNTAX CCertPolicyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about a certificate policy."
INDEX { cCertPolicyInformation, cCertPolicyInformationIndex }
::= { cCertPolicyTable 1 }
CCertPolicyEntry ::= SEQUENCE {
cCertPolicyInformation OCTET STRING,
cCertPolicyInformationIndex Unsigned32,
cCertPolicyIdentifier OBJECT IDENTIFIER,
cCertPolicyQualifierID INTEGER,
cCertPolicyQualifier OCTET STRING
}
cCertPolicyInformation OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Identifies a grouping of policies that are applicable to a
certificate. When used in conjunction with
cCertPolicyInformationIndex, a unique policy and qualifier
set is defined."
::= { cCertPolicyEntry 1 }
cCertPolicyInformationIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A numerical index that is unique for a specific
cCertPolicyInformation value. This index allows multiple
qualifiers to be defined for a particular policy. When used
Azoum, et al. Expires January 1, 2017 [Page 70]
�
Internet-Draft CCMIB June 2016
in conjunction with cCertPolicyInformation, a unique policy
and qualifier set is defined."
::= { cCertPolicyEntry 2 }
cCertPolicyIdentifier OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"For end entity certificates, this is an identifier for the
policy under which the certificate has been issued. For
Certificate Authority (CA) certificates, this is an
identifier for a certification path policy that includes
this certificate."
::= { cCertPolicyEntry 3 }
cCertPolicyQualifierID OBJECT-TYPE
SYNTAX INTEGER { cpsPointer(0), userNotice(1) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the type of qualifier per RFC 5280,
Section 4.2.1.4."
::= { cCertPolicyEntry 4 }
cCertPolicyQualifier OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Qualifier information with type based on
cCertPolicyQualifierID."
::= { cCertPolicyEntry 5 }
-- *********************************************************************
-- CC MIB cPolicyMappingTable
-- *********************************************************************
cPolicyMappingTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cPolicyMappingTable."
::= { cPolicyMappingInfo 1 }
cPolicyMappingTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
Azoum, et al. Expires January 1, 2017 [Page 71]
�
Internet-Draft CCMIB June 2016
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cPolicyMappingInfo 2 }
cPolicyMappingTable OBJECT-TYPE
SYNTAX SEQUENCE OF CPolicyMappingEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table listing mappings between policies that a
certificate issuing Certificate Authority (CA) considers as
equivalent or comparable to the domain policies of the
subject certificate CA."
::= { cPolicyMappingInfo 3 }
cPolicyMappingEntry OBJECT-TYPE
SYNTAX CPolicyMappingEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing a mapping between the domain policy of an
issuing Certificate Authority (CA) and an equivalent domain
policy of the subject certificate's CA."
INDEX { cPolicyMappingGroup, cPolicyMappingIndex }
::= { cPolicyMappingTable 1 }
CPolicyMappingEntry ::= SEQUENCE {
cPolicyMappingGroup OCTET STRING,
cPolicyMappingIndex Unsigned32,
cPolicyMappingSubjectPolicy OBJECT IDENTIFIER,
cPolicyMappingIssuerPolicy OBJECT IDENTIFIER
}
cPolicyMappingGroup OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
Azoum, et al. Expires January 1, 2017 [Page 72]
�
Internet-Draft CCMIB June 2016
"Identifies a grouping of policy mappings that are
applicable to a certificate. When used in conjunction with
cPolicyMappingIndex, a unique policy mapping is defined."
::= { cPolicyMappingEntry 1 }
cPolicyMappingIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A numerical index that is unique for a specific
cPolicyMappingGroup value. When used in conjunction with
cPolicyMappingGroup, a unique policy mapping is defined."
::= { cPolicyMappingEntry 2 }
cPolicyMappingSubjectPolicy OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the subject Certificate Authority's domain
policy."
::= { cPolicyMappingEntry 3 }
cPolicyMappingIssuerPolicy OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the issuer domain policy that the issuer
Certificate Authority (CA) considers equivalent to the
subject CA domain policy."
::= { cPolicyMappingEntry 4 }
-- *********************************************************************
-- CC MIB cNameConstraintTable
-- *********************************************************************
cNameConstraintTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cNameConstraintTable."
::= { cNameConstraintInfo 1 }
cNameConstraintTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
Azoum, et al. Expires January 1, 2017 [Page 73]
�
Internet-Draft CCMIB June 2016
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cNameConstraintInfo 2 }
cNameConstraintTable OBJECT-TYPE
SYNTAX SEQUENCE OF CNameConstraintEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table listing designated name spaces within which
subject names in subsequent certificates in a certification
path can be stored."
::= { cNameConstraintInfo 3 }
cNameConstraintEntry OBJECT-TYPE
SYNTAX CNameConstraintEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row designating an entity's distinguished name to a name
space."
INDEX { cNameConstraintGenSubtree, cNameConstraintSubtreeIndex }
::= { cNameConstraintTable 1 }
CNameConstraintEntry ::= SEQUENCE {
cNameConstraintGenSubtree OCTET STRING,
cNameConstraintSubtreeIndex Unsigned32,
cNameConstraintBaseName SnmpAdminString
}
cNameConstraintGenSubtree OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Identifies a permitted or excluded name constraint subtree.
When used with cNameConstraintSubtreeIndex, a unique subject
name constraint entry is defined."
::= { cNameConstraintEntry 1 }
Azoum, et al. Expires January 1, 2017 [Page 74]
�
Internet-Draft CCMIB June 2016
cNameConstraintSubtreeIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A numerical index used to specify a name constraint within
a permitted or excluded name constraint subtree. When used
with a specific value of cNameConstraintGenSubtree, a unique
subject name constraint entry is defined."
::= { cNameConstraintEntry 2 }
cNameConstraintBaseName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The distinguished name of the subject that is permitted or
excluded."
::= { cNameConstraintEntry 3 }
-- *****************************************************************
-- Module Conformance Information
-- *****************************************************************
cKeyManagementCompliances OBJECT IDENTIFIER
::= { cKeyManagementConformance 1}
cKeyManagementGroups OBJECT IDENTIFIER
::= { cKeyManagementConformance 2}
cKeyManSymKeyCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for symmetric key information."
MODULE
MANDATORY-GROUPS { cKeyManSymKeyGroup }
GROUP cKeyManSymKeyNotifyScalars
DESCRIPTION
"This symmetric key notification scalar group is optional
for implementation."
GROUP cKeyManSymKeyNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
::= { cKeyManagementCompliances 1 }
cKeyManAsymKeyCompliance MODULE-COMPLIANCE
STATUS current
Azoum, et al. Expires January 1, 2017 [Page 75]
�
Internet-Draft CCMIB June 2016
DESCRIPTION
"Compliance levels for asymmetric key information."
MODULE
MANDATORY-GROUPS { cKeyManAsymKeyGroup }
GROUP cKeyManCertSubAltNameGroup
DESCRIPTION
"Certificate Subject Alternative Name group is optional for
implementation."
GROUP cKeyManCertPathCtrlsGroup
DESCRIPTION
"Certificate Path Controls group is optional for
implementation."
GROUP cKeyManCertPolicyGroup
DESCRIPTION
"Certificate Policy group is optional for implementation."
GROUP cKeyManPolicyMappingGroup
DESCRIPTION
"Policy Mapping group is optional for implementation."
GROUP cKeyManNameConstraintGroup
DESCRIPTION
"Name Constraint group is optional for implementation."
GROUP cKeyManTrustAnchorGroup
DESCRIPTION
"Trust Anchor group is optional for implementation."
GROUP cKeyManAsymKeyNotifyScalars
DESCRIPTION
"This asymmetric key notification scalar group is optional
for implementation."
GROUP cKeyManAsymKeyNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
GROUP cKeyManTrustAnchorNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
OBJECT cCertPathCtrlsCertificate
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
Azoum, et al. Expires January 1, 2017 [Page 76]
�
Internet-Draft CCMIB June 2016
OBJECT cCertPathCtrlsPolicyFlags
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
OBJECT cCertPathCtrlsMaxPathLength
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
::= { cKeyManagementCompliances 2 }
cKeyManTrustAnchorCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for trust anchor information."
MODULE
MANDATORY-GROUPS { cKeyManTrustAnchorGroup }
GROUP cKeyManCertPathCtrlsGroup
DESCRIPTION
"Certificate Path Controls group is optional for
implementation."
GROUP cKeyManCertPolicyGroup
DESCRIPTION
"Certificate Policy group is optional for implementation."
GROUP cKeyManPolicyMappingGroup
DESCRIPTION
"Policy Mapping group is optional for implementation."
GROUP cKeyManNameConstraintGroup
DESCRIPTION
"Name Constraint group is optional for implementation."
GROUP cKeyManTrustAnchorNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
OBJECT cCertPathCtrlsCertificate
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
OBJECT cCertPathCtrlsPolicyFlags
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
Azoum, et al. Expires January 1, 2017 [Page 77]
�
Internet-Draft CCMIB June 2016
OBJECT cCertPathCtrlsMaxPathLength
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
::= { cKeyManagementCompliances 3 }
cKeyManCKLCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for CKL information."
MODULE
MANDATORY-GROUPS { cKeyManCKLGroup }
GROUP cKeyManCKLNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
::= { cKeyManagementCompliances 4 }
cKeyManCDMStoreCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for CDM Store information."
MODULE
MANDATORY-GROUPS { cKeyManCDMStoreGroup }
GROUP cKeyManCDMStoreNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
::= { cKeyManagementCompliances 5 }
cKeyManSymKeyGroup OBJECT-GROUP
OBJECTS {
cZeroizeAllKeys,
cZeroizeSymmetricKeyTable,
cSymmetricKeyTableCount,
cSymmetricKeyTableLastChanged,
cSymKeyUsage,
cSymKeyID,
cSymKeyIssuer,
cSymKeyEffectiveDate,
cSymKeyExpirationDate,
cSymKeyExpiryWarning,
cSymKeyNumberOfTransactions,
cSymKeyFriendlyName,
cSymKeyClassification,
cSymKeySource,
cSymKeyRowStatus
}
Azoum, et al. Expires January 1, 2017 [Page 78]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"This group is composed of objects related to symmetric key
information."
::= { cKeyManagementGroups 1 }
cKeyManAsymKeyGroup OBJECT-GROUP
OBJECTS {
cZeroizeAllKeys,
cZeroizeAsymKeyTable,
cAsymKeyTableCount,
cAsymKeyTableLastChanged,
cAsymKeyFingerprint,
cAsymKeyFriendlyName,
cAsymKeySerialNumber,
cAsymKeyIssuer,
cAsymKeySignatureAlgorithm,
cAsymKeyPublicKeyAlgorithm,
cAsymKeyEffectiveDate,
cAsymKeyExpirationDate,
cAsymKeyExpiryWarning,
cAsymKeySubject,
cAsymKeySubjectType,
cAsymKeyUsage,
cAsymKeyClassification,
cAsymKeySource,
cAsymKeyRowStatus,
cAsymKeyVersion,
cAsymKeyRekey,
cAsymKeyType
}
STATUS current
DESCRIPTION
"This group is composed of objects related to asymmetric key
information."
::= { cKeyManagementGroups 2 }
cKeyManCertSubAltNameGroup OBJECT-GROUP
OBJECTS {
cAsymKeySubjectAltName,
cCertSubAltNameTableCount,
cCertSubAltNameTableLastChanged,
cCertSubAltNameType,
cCertSubAltNameValue1,
cCertSubAltNameValue2,
cCertSubAltNameRowStatus
}
STATUS current
Azoum, et al. Expires January 1, 2017 [Page 79]
�
Internet-Draft CCMIB June 2016
DESCRIPTION
"This group is composed of objects related to certificate
subject alternative name information."
::= { cKeyManagementGroups 3 }
cKeyManCertPathCtrlsGroup OBJECT-GROUP
OBJECTS {
cCertPathCtrlsTableCount,
cCertPathCtrlsTableLastChanged,
cCertPathCtrlsCertificate,
cCertPathCtrlsPolicyFlags,
cCertPathCtrlsMaxPathLength
}
STATUS current
DESCRIPTION
"This group is composed of objects related to certificate
path controls information."
::= { cKeyManagementGroups 4 }
cKeyManCertPolicyGroup OBJECT-GROUP
OBJECTS {
cCertPathCtrlsCertPolicies,
cCertPolicyTableCount,
cCertPolicyTableLastChanged,
cCertPolicyIdentifier,
cCertPolicyQualifierID,
cCertPolicyQualifier
}
STATUS current
DESCRIPTION
"This group is composed of objects related to certificate
policy information."
::= { cKeyManagementGroups 5 }
cKeyManPolicyMappingGroup OBJECT-GROUP
OBJECTS {
cCertPathCtrlsPolicyMappings,
cPolicyMappingTableCount,
cPolicyMappingTableLastChanged,
cPolicyMappingSubjectPolicy,
cPolicyMappingIssuerPolicy
}
STATUS current
DESCRIPTION
"This group is composed of objects related to policy mapping
information."
::= { cKeyManagementGroups 6 }
Azoum, et al. Expires January 1, 2017 [Page 80]
�
Internet-Draft CCMIB June 2016
cKeyManNameConstraintGroup OBJECT-GROUP
OBJECTS {
cCertPathCtrlsNamesPermitted,
cCertPathCtrlsNamesExcluded,
cNameConstraintTableCount,
cNameConstraintTableLastChanged,
cNameConstraintBaseName
}
STATUS current
DESCRIPTION
"This group is composed of objects related to name
constraint information."
::= { cKeyManagementGroups 7 }
cKeyManTrustAnchorGroup OBJECT-GROUP
OBJECTS {
cZeroizeAllKeys,
cZeroizeTrustAnchorTable,
cTrustAnchorTableCount,
cTrustAnchorTableLastChanged,
cTrustAnchorFingerprint,
cTrustAnchorFormatType,
cTrustAnchorName,
cTrustAnchorUsageType,
cTrustAnchorKeyIdentifier,
cTrustAnchorPublicKeyAlgorithm,
cTrustAnchorContingencyAvail,
cTrustAnchorRowStatus
}
STATUS current
DESCRIPTION
"This group is composed of objects related to trust anchor
information."
::= { cKeyManagementGroups 8 }
cKeyManCKLGroup OBJECT-GROUP
OBJECTS {
cCKLTableCount,
cCKLLastChanged,
cCKLIndex,
cCKLIssuer,
cCKLSerialNumber,
cCKLIssueDate,
cCKLNextUpdate,
cCKLRowStatus,
cCKLVersion,
cCKLLastUpdate
}
Azoum, et al. Expires January 1, 2017 [Page 81]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"This group is composed of objects related to compromised
key list information."
::= { cKeyManagementGroups 9 }
cKeyManCDMStoreGroup OBJECT-GROUP
OBJECTS {
cZeroizeAllKeys,
cZeroizeCDMStoreTable,
cCDMStoreTableCount,
cCDMStoreTableLastChanged,
cCDMStoreIndex,
cCDMStoreType,
cCDMStoreSource,
cCDMStoreID,
cCDMStoreFriendlyName,
cCDMStoreControl,
cCDMStoreRowStatus
}
STATUS current
DESCRIPTION
"This group is composed of objects related to Crypto
Device Material store information."
::= { cKeyManagementGroups 10 }
cKeyManSymKeyNotifyScalars OBJECT-GROUP
OBJECTS {
cKeyMaterialTableOID,
cKeyMaterialFingerprint,
cSymKeyGlobalExpiryWarning
}
STATUS current
DESCRIPTION
"This group is composed of objects related to symmetric key
notifications."
::= { cKeyManagementGroups 11 }
cKeyManAsymKeyNotifyScalars OBJECT-GROUP
OBJECTS {
cKeyMaterialTableOID,
cKeyMaterialFingerprint,
cAsymKeyGlobalExpiryWarning
}
STATUS current
DESCRIPTION
"This group is composed of objects related to asymmetric key
notifications."
Azoum, et al. Expires January 1, 2017 [Page 82]
�
Internet-Draft CCMIB June 2016
::= { cKeyManagementGroups 12 }
cKeyManSymKeyNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cKeyMaterialLoadSuccess,
cKeyMaterialLoadFail,
cKeyMaterialExpiring,
cKeyMaterialExpired,
cKeyMaterialExpirationChanged,
cKeyMaterialZeroized
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to
symmetric key information."
::= { cKeyManagementGroups 13 }
cKeyManAsymKeyNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cKeyMaterialLoadSuccess,
cKeyMaterialLoadFail,
cKeyMaterialExpiring,
cKeyMaterialExpired,
cKeyMaterialExpirationChanged,
cKeyMaterialZeroized
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to
asymmetric key information."
::= { cKeyManagementGroups 14 }
cKeyManTrustAnchorNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cTrustAnchorAdded,
cTrustAnchorUpdated,
cTrustAnchorRemoved
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to trust
anchor information."
::= { cKeyManagementGroups 15 }
cKeyManCKLNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cCKLLoadSuccess,
cCKLLoadFail
Azoum, et al. Expires January 1, 2017 [Page 83]
�
Internet-Draft CCMIB June 2016
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to
compromised key list information."
::= { cKeyManagementGroups 16 }
cKeyManCDMStoreNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cCDMAdded,
cCDMDeleted
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to Crypto
Device Material store information."
::= { cKeyManagementGroups 17 }
END
5.6. Key Transfer Pull
This MIB module makes reference to the following documents:
[RFC2571], [RFC2578], [RFC2579], and [RFC2580].
CC-KEY-TRANSFER-PULL-MIB DEFINITIONS ::= BEGIN
IMPORTS
ccKeyTransferPull
FROM CC-FEATURE-HIERARCHY-MIB -- FROM {{cc-fh}}
MODULE-COMPLIANCE, OBJECT-GROUP,
NOTIFICATION-GROUP
ROM SNMPv2-CONF -- FROM RFC 2580
OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
Counter64, MODULE-IDENTITY
FROM SNMPv2-SMI -- FROM RFC 2578
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- FROM RFC 2571
RowPointer, RowStatus, DateAndTime,
TruthValue, TEXTUAL-CONVENTION, TimeStamp
FROM SNMPv2-TC; -- FROM RFC 2579
ccKeyTransferPullMIB MODULE-IDENTITY
"Shadi Azoum
US Navy
email: shadi.azoum@navy.mil
Elliott Jones
Azoum, et al. Expires January 1, 2017 [Page 84]
�
Internet-Draft CCMIB June 2016
US Navy
elliott.jones@navy.mil
Lily Sun
US Navy
lily.sun@navy.mil
Mike Irani
NKI Engineering
irani@nkiengineering.com
Jeffrey Sun
NKI Engineering
sunjeff@nkiengineering.com
Ray Purvis
MITRE
Email:rpurvis@mitre.org
Sean Turner
sn3rd
Email:sean@sn3rd.com"
DESCRIPTION
"This MIB defines the CC MIB tree hierarchical assignments
below it and acts as a reservation mechanism.
Copyright (c) 2016 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC xxxx;
see the RFC itself for full legal notices."
-- RFC Ed.: RFC-editor please fill in xxxx.
REVISION "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
DESCRIPTION "Initial Version. Published as RFC xxxx."
-- RFC Ed.: RFC-editor please fill in xxxx.
::= { 1 }
-- *****************************************************************
-- Key Transfer Pull Information Segments
-- *****************************************************************
Azoum, et al. Expires January 1, 2017 [Page 85]
�
Internet-Draft CCMIB June 2016
cKeyTransferPullConformance OBJECT IDENTIFIER
::= { ccKeyTransferPullMIB 1 }
cKeyTransferPullScalars OBJECT IDENTIFIER
::= { ccKeyTransferPullMIB 2 }
cKeyTransferPullNotify OBJECT IDENTIFIER
::= { ccKeyTransferPullMIB 3 }
cCDMServerInfo OBJECT IDENTIFIER
::= { ccKeyTransferPullMIB 4 }
cCDMDeliveryInfo OBJECT IDENTIFIER
::= { ccKeyTransferPullMIB 5 }
-- *****************************************************************
-- Key Transfer Pull Scalars
-- *****************************************************************
cCDMServerRetryDelay OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The amount of time to wait after a download attempt to the
cryptographic device material (CDM) server fails before
attempting to retry the operation. Note, this scalar applies
to the download of any type of item from the CDM server
(e.g. CDMs, CDMLs)."
::= { cKeyTransferPullScalars 1 }
cCDMServerRetryMaxAttempts OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The amount of retries attempted before the download attempt
to the cryptographic device material (CDM) server is
considered a failure. Note, this scalar applies to the
download of any type of item from the CDM server (e.g. CDMs,
CDMLs)."
::= { cKeyTransferPullScalars 2 }
cCDMPullRetrievalPriorities OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An indication of which cryptographic device materials
(CDMs) to retrieve based on this value and a configured
cCDMDeliveryPriority in a cCDMDeliveryTable entry. This
Azoum, et al. Expires January 1, 2017 [Page 86]
�
Internet-Draft CCMIB June 2016
value identifies an upper bound. A value of '5' for example,
implies that only cCDMDeliveryTable entries with a
cCDMDeliveryPriority value of '5' or less can be acted upon
(i.e. retrieved).
Different types of ECUs may have different values for this
scalar. Bandwidth-limited ECUs, for example, may configure
lower values for only retrieving high-priority CDMs.
A value of 0, also a default value for this scalar,
indicates that all cCDMDeliveryTable entries can be acted
upon regardless of the configured cCDMDeliveryPriority value."
DEFVAL {0}
::= { cKeyTransferPullScalars 3 }
cCDMLDeliveryRequest OBJECT-TYPE
SYNTAX INTEGER { readyForDownload(1), downloadAndParse(2),
discard(3) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This scalar controls the server's CDML download process -
server information is stored in the cCDMServerTable. When
read, it will return 'readyForDownload' if the last action
succeeded. If the last action is in progress or failed, it
will return the last requested action.
The values which may be set depend on the current value of
this object and the cCDMLDeliveryStatus object.
In order to initiate a new download, this object must
contain the value 'readyForDownload', and the
cCDMLDeliveryStatus must contain the value 'complete'. At
which point, setting this object to to 'downloadAndParse'
initiates the CDML download process. Note, the
cCDMLDeliveryStatus should transition to 'inProgress' at
the device begins the CDML download process from the
server(s) and URI(s) listed in the cCDMLServerTable (as
ordered by the cCDMLServerPriority index).
If the CDML download fails, the next highest priority URI
will be tried, and so on.
While a CDML download is in progress, or if the CDML
download fails for all possible servers and URIs (indicated
by a cCDMLDeliveryStatus value of 'downloadFailed'), this
object will return an inconsistentValue error for any new
value except 'discard' (which will cancel the current
Azoum, et al. Expires January 1, 2017 [Page 87]
�
Internet-Draft CCMIB June 2016
download).
If the CDML download succeeded, the cCDMLDeliveryStatusvalue
remains inProgress and the device attempts to parse the
download immediately. During the parsing of the CDML, all
new values will return inconsistentValue error (i.e. the
parse process can not be aborted). If the parse fails, the
cCDMLDeliveryStatus will transition to 'parseFailed', and
this object must be set to 'discard' before a new CDML
download is attempted."
::= { cKeyTransferPullScalars 4 }
cCDMLDeliveryStatus OBJECT-TYPE
SYNTAX INTEGER { complete(1), inProgress(2),
downloadFailed(3),
parseFailed(4) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This indicates the current state of a CDML download.
'complete' indicates that the last requested
cCDMLDeliveryRequest action was successful.
'inProgress' indicates that a CDML download or CDML parse is
underway.
'downloadFailed' indicates that the last attempted CDML
download failed.
'parseFailed' indicates that the last attempted CDML parse
failed.
The relationship between this object and
cCDMLDeliveryRequest is detailed in the following table. The
table indicates values of cCDMLDeliveryRequest that are
allowed depending on the current value of this object.
cCDMLDeliveryRequest! cCDMLDeliveryStatus
--------------------+-----------+----------+--------------+------------
! ! complete !inProgress!downloadFailed!parseFailed!
--------------------+-----------+----------+--------------+------------
! readyForDownload ! allowed ! error ! error ! error !
--------------------+-----------+----------+--------------+------------
! downloadAndParse ! allowed ! error ! error ! error !
--------------------+-----------+----------+--------------+------------
! discard ! error ! allowed ! allowed ! allowed !
Azoum, et al. Expires January 1, 2017 [Page 88]
�
Internet-Draft CCMIB June 2016
--------------------+-----------+----------+--------------+------------
As described cCDMLDeliveryRequest description, an
inconsistentValue error is returned."
DEFVAL {complete}
::= { cKeyTransferPullScalars 5 }
-- *****************************************************************
-- Key Transfer Pull Notifications
-- *****************************************************************
cCDMLPullReceiveSuccess NOTIFICATION-TYPE
OBJECTS { cCDMServerURI }
STATUS current
DESCRIPTION
"An attempt to receive a cryptographic device material list
(CDML) has succeeded. The CDM Server URI is provided with
this notification."
::= { cKeyTransferPullNotify 1 }
cCDMLPullReceiveFailed NOTIFICATION-TYPE
OBJECTS {
cCDMServerURI,
cCDMLDeliveryStatus
}
STATUS current
DESCRIPTION
"An attempt to receive a cryptographic device material list
(CDML) has failed. The CDM Server URI and CDML Delivery
Status are provided with this notification. Note, the
expected values for the CDML Delivery Status are:
'downloadFailed' and 'parseFailed'."
::= { cKeyTransferPullNotify 2 }
cCDMPullReceiveSuccess NOTIFICATION-TYPE
OBJECTS {
cCDMType,
cCDMURI
}
STATUS current
DESCRIPTION
"An attempt to receive a cryptographic device material (CDM)
has succeeded. The CDM Type and CDM URI are provided with
this notification."
::= { cKeyTransferPullNotify 3 }
cCDMPullReceiveFailed NOTIFICATION-TYPE
Azoum, et al. Expires January 1, 2017 [Page 89]
�
Internet-Draft CCMIB June 2016
OBJECTS {
cCDMType,
cCDMURI
}
STATUS current
DESCRIPTION
"An attempt to receive a cryptographic device material (CDM)
has failed. The CDM Type and CDM URI are provided with this
notification."
::= { cKeyTransferPullNotify 4 }
-- *****************************************************************
-- CC MIB cCDMServerTable
-- *****************************************************************
cCDMServerTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCDMServerTable"
::= { cCDMServerInfo 1 }
cCDMServerTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCDMServerInfo 2 }
cCDMServerTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCDMServerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table containing a list of servers that will be queried
for available cryptographic device materials (CDMs), such as
keys and firmware packages. This table is also used to
obtain the cryptographic device material list (CDML), which
is a list detailing available CDMs and their associated
Azoum, et al. Expires January 1, 2017 [Page 90]
�
Internet-Draft CCMIB June 2016
location for obtainment."
::= { cCDMServerInfo 3 }
cCDMServerEntry OBJECT-TYPE
SYNTAX CCDMServerEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about a server that has
available CDMLs/CDMs for download."
INDEX { cCDMServerPriority }
::= { cCDMServerTable 1 }
CCDMServerEntry ::= SEQUENCE {
cCDMServerPriority Unsigned32,
cCDMServerURI OCTET STRING,
cCDMServerAdditionalInfo SnmpAdminString,
cCDMServerRowStatus RowStatus
}
cCDMServerPriority OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique numeric index that identifies a server that has
available CDMLs/CDMs for download. This index also provides
server prioritization functionality - lower values have a
higher priority. For example, the server with the lowest
value will be the first server for CDML/CDM downloads. In
the event of failure, the next lowest value server will be
tried, and so on.
This column is the sole index to the cCDMServerTable."
::= { cCDMServerEntry 1 }
cCDMServerURI OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The location of the server that has available CDMLs/CDMs
for download. The value in this column is represented as a
URI.
Note, download of a CDML will typically result in the
population of new CDM entries in the cCDMDeliveryTable."
Azoum, et al. Expires January 1, 2017 [Page 91]
�
Internet-Draft CCMIB June 2016
::= { cCDMServerEntry 2 }
cCDMServerAdditionalInfo OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Additional information about the CDM Server. This
information is manually configured by the manager both at or
after row creation."
::= { cCDMServerEntry 3 }
cCDMServerRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of the row, by which new entries may be created
or old entries deleted from this table.
Entries created within this table may not become active
unless all read-create columns in this column have valid
values, as detailed by each individual column's description.
At a minimum, implementations must support createAndGo,
active, and destroy management functions. Support for
createAndWait, notInService, and notReady management
functions is optional."
::= { cCDMServerEntry 4 }
-- *****************************************************************
-- CC MIB cCDMDeliveryTable
-- *****************************************************************
cCDMDeliveryTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCDMDeliveryTable"
::= { cCDMDeliveryInfo 1 }
cCDMDeliveryTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
Azoum, et al. Expires January 1, 2017 [Page 92]
�
Internet-Draft CCMIB June 2016
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCDMDeliveryInfo 2 }
cCDMDeliveryTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCDMDeliveryEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table storing information about cryptographic device
materials (CDMs) that are ready/available for retrieval.
Entries in this table are typically automatically configured
by the device after a server query. Entries can also be
manually configured by a manager if the location of the CDM
is predetermined."
::= { cCDMDeliveryInfo 3 }
cCDMDeliveryEntry OBJECT-TYPE
SYNTAX CCDMDeliveryEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about a specific cryptographic
device material (CDM) available for download."
INDEX { cCDMType, cCDMURI }
::= { cCDMDeliveryTable 1 }
CCDMDeliveryEntry ::= SEQUENCE {
cCDMType INTEGER,
cCDMURI OCTET STRING,
cCDMPackageSize Unsigned32,
cCDMAdditionalInfo SnmpAdminString,
cCDMLastDownloadDate OCTET STRING,
cCDMDeliveryPriority Unsigned32,
cCDMDeliveryRequest INTEGER,
cCDMDeliveryStatus INTEGER,
cCDMDeliveryRowStatus RowStatus
}
cCDMType OBJECT-TYPE
SYNTAX INTEGER { notification(1), symmetricKey(2),
asymmetricKey(3), certificate(4),
cklOrCrl(5), firmware(6) }
Azoum, et al. Expires January 1, 2017 [Page 93]
�
Internet-Draft CCMIB June 2016
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of the cryptographic device material (CDM) that
can be retrieved from a CDM server:
[notification] = CDM is a notification providing
status/information for a particular
(other) CDM
[symmetricKey] = CDM is a symmetric key
[asymmetricKey] = CDM is a non-certificate asymmetric key
[certificate] = CDM is a certificate
[cklOrCrl] = CDM is a compromised key list or
certificate revocation list
[firmware] = CDM is a firmware package."
::= { cCDMDeliveryEntry 1 }
cCDMURI OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The location of the cryptographic device material (CDM),
represented in a URI format. Because of its type, the
associated URI of the CDM Server can easily be derived.
This column is typically populated by an agent upon querying
a CDM Server (e.g. downloading and parsing a cryptographic
device material list (CDML) from a CDM Server (entry in the
cCDMServerTable)). However, a manager can also configure an
entry in this table with predetermined knowledge of the CDM
location."
::= { cCDMDeliveryEntry 2 }
cCDMPackageSize OBJECT-TYPE
SYNTAX Unsigned32
UNITS "bytes"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The package size, in bytes, of the cryptographic device
material (CDM). This information is retrieved from a
cryptographic device material list (CDML) or a server's
product availability response following a query. This column
does not apply to notifications found in CDMLs."
::= { cCDMDeliveryEntry 3 }
cCDMAdditionalInfo OBJECT-TYPE
Azoum, et al. Expires January 1, 2017 [Page 94]
�
Internet-Draft CCMIB June 2016
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Additional information about the cryptographic device
material (CDM). This information can be retrieved from the
downloaded cryptographic device material list (CDML) or
manually configured by the manager both at or after row
creation."
::= { cCDMDeliveryEntry 4 }
cCDMLastDownloadDate OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(14))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This is a 14 character field that will be populated with
the following values depending on the state of the download
and the CDM type.
1. The date and time (expressed as Generalized Time) when
the device last successfully downloaded the CDM from the
CDM Server. The format follows: 'yyyymmddhhmmss' where
'yyyy' - year
'mm' - month (first 'mm's from left to right)
'dd' - day
'hh' - hour
'mm' - minutes (second 'mm's from left to right)
'ss' - seconds
2. All zero characters for the following cases.
a. No indication that device has successfully downloaded
the CDM.
b. The cCDMType is a notification."
::= { cCDMDeliveryEntry 5 }
cCDMDeliveryPriority OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A configurable priority value on the cryptographic device
material (CDM). This column is a means to allow certain key
products to be downloaded before others. Lower values have a
higher priority (e.g. a value of 1 will be processed before
a value of 2)."
::= { cCDMDeliveryEntry 6 }
cCDMDeliveryRequest OBJECT-TYPE
Azoum, et al. Expires January 1, 2017 [Page 95]
�
Internet-Draft CCMIB June 2016
SYNTAX INTEGER { downloadAndInstall(1), downloadAndStore(2),
discard(3) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object signals the local device to perform actions on
the available cryptographic device materials (CDMs) from a
CDM server. The following types of actions are supported:
[downloadAndInstall] = Initiates a download of a CDM. After
a successful download, the CDM will be installed for local
consumption and an entry is to be configured in the
appropriate MIB table based on cCDMType:
cCDMType | MIB Table Destination
-------------------------------------
(1) notification | N/A
(2) symmetricKey | cSymmetricKeyTable
(3) asymmetricKey | cAsymKeyTable
(4) certificate | cAsymKeyTable
(5) cklOrCrl | cCKLTable
(6) firmware | cFirmwareInformationTable
[downloadAndStore] = Initiates a download of the CDM. After
a successful download, an entry is created in the
cCDMStoreTable to store the CDM.
[discard] = Stops the current CDM delivery request and
discards the CDM if potentially downloaded; this reverts the
current value of the cCDMDeliveryStatus to 'complete'. If
entries are created in the aforementioned tables for the
install and store operations, these newly configured entries
will be removed.
The enumeration value of 'downloadAndStore' does not apply
when cCDMType is set to 'notification'. 'downloadAndInstall'
is used for a cCDMType of 'notification'.
If this column is configured to any value except 'discard'
while the value of cCDMDeliveryStatus is any value except
'complete', the SNMP set operation must result in an
inconsistentValue exception. The same applies if 'discard'
is configured while the value cCDMDeliveryStatus is
'complete'."
::= { cCDMDeliveryEntry 7 }
cCDMDeliveryStatus OBJECT-TYPE
SYNTAX INTEGER { complete(1), inProgress(2),
Azoum, et al. Expires January 1, 2017 [Page 96]
�
Internet-Draft CCMIB June 2016
downloadFailed(3), installFailed(4),
storeFailed(5) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The status of the cryptographic device material (CDM)
delivery operation. The following status values are
supported:
[complete] = The default state where the local device is
ready to start a delivery request for the CDM. Between
requests this state can only be reached after successful
operations or if cCDMDeliveryRequest is set to 'discard'
during an operation.
[inProgress] = This state is reached when the device is
either currently performing a download of the CDM or
configuring appropriate MIB tables conveying installation or
storage of key material.
[downloadFailed] = This state is reached after a failure
occurs during a download of a CDM when cCDMDeliveryRequest
was configured to either 'downloadAndStore' or
'downloadAndInstall'.
[installFailed] = This state is reached after a failure
occurs during the install of the downloaded CDM when
cCDMDeliveryRequest was configured to 'downloadAndInstall'.
[storeFailed] = This state is reached after a failure
occurs during the store of the downloaded CDM when
cCDMDeliveryRequest was configured to 'downloadAndStore'."
::= { cCDMDeliveryEntry 8 }
cCDMDeliveryRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of the row, by which new entries may be created
or old entries deleted from this table.
Entries created within this table may not become active
unless all read-create columns in this column have valid
values, as detailed by each individual column's description.
At a minimum, implementations must support createAndGo,
active, and destroy management functions. Support for
Azoum, et al. Expires January 1, 2017 [Page 97]
�
Internet-Draft CCMIB June 2016
createAndWait, notInService, and notReady management
functions is optional."
::= { cCDMDeliveryEntry 9 }
-- *****************************************************************
-- Module Conformance Information
-- *****************************************************************
cKeyTransferPullCompliances OBJECT IDENTIFIER
::= { cKeyTransferPullConformance 1}
cKeyTransferPullGroups OBJECT IDENTIFIER
::= { cKeyTransferPullConformance 2}
cKeyTransferPullCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for key transfer pull information."
MODULE
MANDATORY-GROUPS {
cKeyTransferPullServerGroup,
cKeyTransferPullDeliveryGroup
}
GROUP cKeyTransferPullDeliveryNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
OBJECT cCDMDeliveryRequest
SYNTAX INTEGER { downloadAndInstall(1), discard(3) }
DESCRIPTION
"Implementation of this enumeration value(s) is mandatory -
enumeration values not listed here are optional."
OBJECT cCDMDeliveryStatus
SYNTAX INTEGER { complete(1), inProgress(2), downloadFailed(3),
installFailed(4) }
DESCRIPTION
"Implementation of this enumeration value(s) is mandatory -
enumeration values not listed here are optional."
::= { cKeyTransferPullCompliances 1 }
cKeyTransferPullServerGroup OBJECT-GROUP
OBJECTS {
cCDMServerRetryDelay,
cCDMServerRetryMaxAttempts,
cCDMServerTableCount,
cCDMServerTableLastChanged,
cCDMServerURI,
Azoum, et al. Expires January 1, 2017 [Page 98]
�
Internet-Draft CCMIB June 2016
cCDMServerAdditionalInfo,
cCDMServerRowStatus
}
STATUS current
DESCRIPTION
"This group is composed of objects related to server
information."
::= { cKeyTransferPullGroups 1 }
cKeyTransferPullDeliveryGroup OBJECT-GROUP
OBJECTS {
cCDMPullRetrievalPriorities,
cCDMLDeliveryRequest,
cCDMLDeliveryStatus,
cCDMDeliveryTableCount,
cCDMDeliveryTableLastChanged,
cCDMDeliveryTableLastChanged,
cCDMType,
cCDMURI,
cCDMPackageSize,
cCDMAdditionalInfo,
cCDMLastDownloadDate,
cCDMDeliveryPriority,
cCDMDeliveryRequest,
cCDMDeliveryStatus,
cCDMDeliveryRowStatus
}
STATUS current
DESCRIPTION
"This group is composed of objects related to delivery
information."
::= { cKeyTransferPullGroups 2 }
cKeyTransferPullDeliveryNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cCDMLPullReceiveSuccess,
cCDMLPullReceiveFailed,
cCDMPullReceiveSuccess,
cCDMPullReceiveFailed
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to delivery
information."
::= { cKeyTransferPullGroups 3 }
END
Azoum, et al. Expires January 1, 2017 [Page 99]
�
Internet-Draft CCMIB June 2016
5.7. Key Transfer Push
This MIB module makes reference to following documents: [RFC2571],
[RFC2578], [RFC2579], [RFC2580].
CC-KEY-TRANSFER-PUSH-MIB DEFINITIONS ::= BEGIN
IMPORTS
ccKeyTransferPush
FROM CC-FEATURE-HIERARCHY-MIB -- FROM {{cc-fh}}
OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
Counter64, MODULE-IDENTITY
FROM SNMPv2-SMI -- FROM RFC 2578
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- FROM RFC 2571
RowPointer, RowStatus, DateAndTime,
TruthValue, TEXTUAL-CONVENTION, TimeStamp
FROM SNMPv2-TC -- FROM RFC 2579
MODULE-COMPLIANCE, OBJECT-GROUP,
NOTIFICATION-GROUP
FROM SNMPv2-CONF; -- FROM RFC 2580
ccKeyTransferPushMIB MODULE-IDENTITY
"Shadi Azoum
US Navy
email: shadi.azoum@navy.mil
Elliott Jones
US Navy
elliott.jones@navy.mil
Lily Sun
US Navy
lily.sun@navy.mil
Mike Irani
NKI Engineering
irani@nkiengineering.com
Jeffrey Sun
NKI Engineering
sunjeff@nkiengineering.com
Ray Purvis
MITRE
Email:rpurvis@mitre.org
Sean Turner
Azoum, et al. Expires January 1, 2017 [Page 100]
�
Internet-Draft CCMIB June 2016
sn3rd
Email:sean@sn3rd.com"
DESCRIPTION
"This MIB defines the CC MIB tree hierarchical assignments
below it and acts as a reservation mechanism.
Copyright (c) 2016 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC xxxx;
see the RFC itself for full legal notices."
-- RFC Ed.: RFC-editor please fill in xxxx.
REVISION "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
DESCRIPTION "Initial Version. Published as RFC xxxx."
-- RFC Ed.: RFC-editor please fill in xxxx.
::= { ccKeyTransferPush 1 }
-- *****************************************************************
-- Key Transfer Push Information Segments
-- *****************************************************************
cCDMPushDestInfo OBJECT IDENTIFIER
::= { ccKeyTransferPushMIB 1 }
cCDMTransferPkgInfo OBJECT IDENTIFIER
::= { ccKeyTransferPushMIB 2 }
cCDMPushSrcInfo OBJECT IDENTIFIER
::= { ccKeyTransferPushMIB 3 }
cKeyTransferPushScalars OBJECT IDENTIFIER
::= { ccKeyTransferPushMIB 4 }
cKeyTransferPushNotify OBJECT IDENTIFIER
::= { ccKeyTransferPushMIB 5 }
cKeyTransferPushConformance OBJECT IDENTIFIER
::= { ccKeyTransferPushMIB 6 }
-- *****************************************************************
-- Key Transfer Push Scalars
-- *****************************************************************
cCDMTransferDelay OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
Azoum, et al. Expires January 1, 2017 [Page 101]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"The number of seconds to wait after a Cryptographic Device
Material (CDM) transfer attempt initiated by the sender
fails before attempting to retry the operation."
::= { cKeyTransferPushScalars 1 }
cCDMTransferMaxAttempts OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The amount of retries attempted before giving up on a
device due to consecutive Cryptographic Device Material
(CDM) transfer failures."
::= { cKeyTransferPushScalars 2 }
-- *****************************************************************
-- Key Transfer Push Notifications
-- *****************************************************************
cCDMPushSendSuccess NOTIFICATION-TYPE
OBJECTS {
cCDMPushDestAddressLocationType,
cCDMPushDestAddressLocation,
cCDMPushDestTransferType,
cCDMPushDestPackageSelection
}
STATUS current
DESCRIPTION
"An attempt to send CDM, identified by CDM push transfer
information (cCDMPushDestTable row data), has succeeded."
::= { cKeyTransferPushNotify 1 }
cCDMPushReceiveSuccess NOTIFICATION-TYPE
OBJECTS {
cCDMPushSrcAddrLocationType,
cCDMPushSrcAddrLocation,
cCDMPushSrcTransferType
}
STATUS current
DESCRIPTION
"An attempt to receive key material, identified by CDM push
transfer information (cCDMPushSrcTable row data), has
succeeded."
::= { cKeyTransferPushNotify 2 }
cCDMPushReceiveFail NOTIFICATION-TYPE
Azoum, et al. Expires January 1, 2017 [Page 102]
�
Internet-Draft CCMIB June 2016
OBJECTS {
cCDMPushSrcAddrLocationType,
cCDMPushSrcAddrLocation,
cCDMPushSrcTransferType
}
STATUS current
DESCRIPTION
"An attempt to receive key material via a Push operation,
identified by the Sender Address and Transfer Type has
failed."
::= { cKeyTransferPushNotify 3 }
cCDMPushSendFail NOTIFICATION-TYPE
OBJECTS {
cCDMPushDestAddressLocationType,
cCDMPushDestAddressLocation,
cCDMPushDestTransferType,
cCDMPushDestPackageSelection
}
STATUS current
DESCRIPTION
"An attempt to send key material, identified by the
Recipient Address and Transfer Type, has failed."
::= { cKeyTransferPushNotify 4 }
-- *****************************************************************
-- CC MIB cCDMPushDestTable
-- *****************************************************************
cCDMPushDestTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCDMPushDestTable"
::= { cCDMPushDestInfo 1 }
cCDMPushDestTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
Azoum, et al. Expires January 1, 2017 [Page 103]
�
Internet-Draft CCMIB June 2016
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCDMPushDestInfo 2 }
cCDMPushDestTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCDMPushDestEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table that provides the necessary information a sender
needs to initiate a Cryptographic Device Material (CDM) send
to a receiving device."
::= { cCDMPushDestInfo 3 }
cCDMPushDestEntry OBJECT-TYPE
SYNTAX CCDMPushDestEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information for a Cryptographic Device
Material (CDM) transfer to a receiving device."
INDEX { cCDMPushDestIndex }
::= { cCDMPushDestTable 1 }
CCDMPushDestEntry ::= SEQUENCE {
cCDMPushDestIndex Unsigned32,
cCDMPushDestTransferType INTEGER,
cCDMPushDestAddressLocationType INTEGER,
cCDMPushDestAddressLocation OCTET STRING,
cCDMPushDestTransferTime DateAndTime,
cCDMPushDestPackageSelection SnmpAdminString,
cCDMPushDestRowStatus RowStatus
}
cCDMPushDestIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A numeric index that identifies a unique location in this
table."
::= { cCDMPushDestEntry 1 }
cCDMPushDestTransferType OBJECT-TYPE
SYNTAX INTEGER { ipsec(1), tls(2) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
Azoum, et al. Expires January 1, 2017 [Page 104]
�
Internet-Draft CCMIB June 2016
"The transfer mechanism or protocol used by the sender to
execute the Cryptographic Device Material (CDM) transfer:
ipsec(1), tls(2):
ipsec - Internet Protocol Security (IPsec)
tls - Transport Layer Security (TLS)"
::= { cCDMPushDestEntry 2 }
cCDMPushDestAddressLocationType OBJECT-TYPE
SYNTAX INTEGER { ipv4(1), ipv6(2), uri(3), other(4) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Enumeration indicating the type of address location."
::= { cCDMPushDestEntry 3 }
cCDMPushDestAddressLocation OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Location of the receiver. The syntax allows a URI or an IP
address to be configured."
::= { cCDMPushDestEntry 4 }
cCDMPushDestTransferTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A valid date and time value populated in this object will
automatically initiate the transfer at the value specified.
To initiate an immediate transfer the following
configuration is used: '0' for the year field, '1' for the
month field, '1' for the day field, '-' for the direction
from UTC field, and '0' for all other fields. This
configuration is displayed as '0-1-1,00:00:00.0,-0:0'. Note
that if the timezone fields are not used then the displayed
value is as follows: '0-1-1,00:00:00.0'. The timezone
fields are the direction from UTC, hours from UTC, and
minutes from UTC."
::= { cCDMPushDestEntry 5 }
cCDMPushDestPackageSelection OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
Azoum, et al. Expires January 1, 2017 [Page 105]
�
Internet-Draft CCMIB June 2016
"A reference string that points to the key material(s) to
transfer. This column may reference one entry (e.g. an entry
in the cCDMStoreTable) or multiple entries (e.g. multiple
entries in the cCDMTransferPkgTable). This object defines
all the items in the package that will be sent."
::= { cCDMPushDestEntry 6 }
cCDMPushDestRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of the row, by which new entries may be created
or old entries deleted from this table.
Entries created within this table may not become active
unless all read-create columns in this column have valid
values, as detailed by each individual column's description.
At a minimum, implementations must support createAndGo,
active, and destroy management functions. Support for
createAndWait, notInService, and notReady management
functions is optional."
::= { cCDMPushDestEntry 7 }
-- *****************************************************************
-- CC MIB cCDMTransferPkgTable
-- *****************************************************************
cCDMTransferPkgTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCDMTransferPkgTable."
::= { cCDMTransferPkgInfo 1 }
cCDMTransferPkgTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
Azoum, et al. Expires January 1, 2017 [Page 106]
�
Internet-Draft CCMIB June 2016
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCDMTransferPkgInfo 2 }
cCDMTransferPkgTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCDMTransferPkgEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table for configuring single or multiple Cryptographic
Device Material (CDM) in a package that can be transferred
on a send operation. Entries in this table are referenced by
the cCDMPushDestPackageSelection column."
::= { cCDMTransferPkgInfo 3 }
cCDMTransferPkgEntry OBJECT-TYPE
SYNTAX CCDMTransferPkgEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about a package used on a send
operation."
INDEX { cCDMTransferPkgLabel, cCDMTransferPkgIndex }
::= { cCDMTransferPkgTable 1 }
CCDMTransferPkgEntry ::= SEQUENCE {
cCDMTransferPkgLabel SnmpAdminString,
cCDMTransferPkgIndex Unsigned32,
cCDMTransferPkgLocatorRowPtr RowPointer,
cCDMTransferPkgRowStatus RowStatus
}
cCDMTransferPkgLabel OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An administrative name that identifies a package within
this table. cCDMTransferPkgLabel and cCDMTransferPkgIndex
serve as indexes of this table."
::= { cCDMTransferPkgEntry 1 }
cCDMTransferPkgIndex OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An administrative way of creating a unique row within this
Azoum, et al. Expires January 1, 2017 [Page 107]
�
Internet-Draft CCMIB June 2016
table. This value shows the position of a given item within
this package designated by cCDMTransferPkgLabel.
cCDMTransferPkgLabel and cCDMTransferPkgIndex serve as
indexes of this table."
::= { cCDMTransferPkgEntry 2 }
cCDMTransferPkgLocatorRowPtr OBJECT-TYPE
SYNTAX RowPointer
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A RowPointer that points to a unique entry in the table
containing the necessary Cryptographic Device Material (CDM)
for transfer. For example, referencing a key in the
cSymmetricKeyTable, the value in this column contains the
pointer to the appropriate row in the cSymmetricKeyTable."
::= { cCDMTransferPkgEntry 3 }
cCDMTransferPkgRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of the row, by which new entries may be created
or old entries deleted from this table.
Entries created within this table may not become active
unless all read-create columns in this column have valid
values, as detailed by each individual column's description.
At a minimum, implementations must support createAndGo,
active, and destroy management functions. Support for
createAndWait, notInService, and notReady management
functions is optional."
::= { cCDMTransferPkgEntry 4 }
-- *****************************************************************
-- CC MIB cCDMPushSrcTable
-- *****************************************************************
cCDMPushSrcTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cCDMPushSrcTable"
::= { cCDMPushSrcInfo 1 }
Azoum, et al. Expires January 1, 2017 [Page 108]
�
Internet-Draft CCMIB June 2016
cCDMPushSrcTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cCDMPushSrcInfo 2 }
cCDMPushSrcTable OBJECT-TYPE
SYNTAX SEQUENCE OF CCDMPushSrcEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table provides the list of authorized senders that
this receiving device will accept Cryptographic Device
Material (CDM) transfers from. Servers for the
cCDMServerTable are not listed in this table since this
table is specific for the Push Model."
::= { cCDMPushSrcInfo 3 }
cCDMPushSrcEntry OBJECT-TYPE
SYNTAX CCDMPushSrcEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing information about an authorized sender
that this receiving device will accept."
INDEX { cCDMPushSrcSenderName, cCDMPushSrcTransferType }
::= { cCDMPushSrcTable 1 }
CCDMPushSrcEntry ::= SEQUENCE {
cCDMPushSrcSenderName SnmpAdminString,
cCDMPushSrcTransferType INTEGER,
cCDMPushSrcAddrLocationType INTEGER,
cCDMPushSrcAddrLocation OCTET STRING,
cCDMPushSrcRowStatus RowStatus
}
cCDMPushSrcSenderName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS not-accessible
Azoum, et al. Expires January 1, 2017 [Page 109]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"An administrative string for an authorized sender.
cCDMPushSrcSenderName and cCDMPushSrcTransferType serve as
indexes of this table."
::= { cCDMPushSrcEntry 1 }
cCDMPushSrcTransferType OBJECT-TYPE
SYNTAX INTEGER { ipsec(1), tls(2), other(3) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Analogous to cCDMPushDestTransferType. The transfer
mechanism or protocol used by the receiver to receive the
Cryptographic Device Material (CDM) transfer.
ipsec - Internet Protocol Security (IPsec)
tls - Transport Layer Security (TLS)
other - used for device specific transfer mechanisms
cCDMPushSrcSenderName and cCDMPushSrcTransferType serve as
indexes of this table."
::= { cCDMPushSrcEntry 2 }
cCDMPushSrcAddrLocationType OBJECT-TYPE
SYNTAX INTEGER { ipv4(1), ipv6(2), uri(3), other(4) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Enumeration indicating the type of address location
(values: ipv4, ipv6 or uri)."
::= { cCDMPushSrcEntry 3 }
cCDMPushSrcAddrLocation OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Location of the authorized sender."
::= { cCDMPushSrcEntry 4 }
cCDMPushSrcRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of the row, by which new entries may be created
or old entries deleted from this table.
Azoum, et al. Expires January 1, 2017 [Page 110]
�
Internet-Draft CCMIB June 2016
Entries created within this table may not become active
unless all read-create columns in this column have valid
values, as detailed by each individual column's description.
At a minimum, implementations must support createAndGo,
active, and destroy management functions. Support for
createAndWait, notInService, and notReady management
functions is optional."
::= { cCDMPushSrcEntry 5 }
-- *****************************************************************
-- Module Conformance Information
-- *****************************************************************
cKeyTransferPushCompliances OBJECT IDENTIFIER
::= { cKeyTransferPushConformance 1}
cKeyTransferPushGroups OBJECT IDENTIFIER
::= { cKeyTransferPushConformance 2}
cKeyTransferPushSenderCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for sender information."
MODULE
MANDATORY-GROUPS { cKeyTransferPushSenderGroup }
GROUP cKeyTransferPushSenderNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
OBJECT cCDMTransferDelay
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
OBJECT cCDMTransferMaxAttempts
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
::= { cKeyTransferPushCompliances 1 }
cKeyTransferPushReceiverCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for receiver information."
MODULE
MANDATORY-GROUPS { cKeyTransferPushReceiverGroup }
Azoum, et al. Expires January 1, 2017 [Page 111]
�
Internet-Draft CCMIB June 2016
GROUP cKeyTransferPushReceiverNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
::= { cKeyTransferPushCompliances 2 }
cKeyTransferPushSenderGroup OBJECT-GROUP
OBJECTS {
cCDMTransferDelay,
cCDMTransferMaxAttempts,
cCDMPushDestTableCount,
cCDMPushDestTableLastChanged,
cCDMPushDestTransferType,
cCDMPushDestAddressLocationType,
cCDMPushDestAddressLocation,
cCDMPushDestTransferTime,
cCDMPushDestPackageSelection,
cCDMPushDestRowStatus,
cCDMTransferPkgTableCount,
cCDMTransferPkgTableLastChanged,
cCDMTransferPkgLocatorRowPtr,
cCDMTransferPkgRowStatus
}
STATUS current
DESCRIPTION
"This group is composed of objects related to sender
information."
::= { cKeyTransferPushGroups 1 }
cKeyTransferPushReceiverGroup OBJECT-GROUP
OBJECTS {
cCDMPushSrcTableCount,
cCDMPushSrcTableLastChanged,
cCDMPushSrcTransferType,
cCDMPushSrcAddrLocationType,
cCDMPushSrcAddrLocation,
cCDMPushSrcRowStatus
}
STATUS current
DESCRIPTION
"This group is composed of objects related to receiver
information."
::= { cKeyTransferPushGroups 2 }
cKeyTransferPushSenderNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cCDMPushSendSuccess,
cCDMPushSendFail
}
Azoum, et al. Expires January 1, 2017 [Page 112]
�
Internet-Draft CCMIB June 2016
STATUS current
DESCRIPTION
"This group is composed of notifications related to sender
information."
::= { cKeyTransferPushGroups 3 }
cKeyTransferPushReceiverNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cCDMPushReceiveSuccess,
cCDMPushReceiveFail
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to receiver
information."
::= { cKeyTransferPushGroups 4 }
END
5.8. Security Policy Information
This module makes reference to: Section 5.2, Section 5.3, [RFC2571],
[RFC2578], [RFC2579], and [RFC2580].
~~~~
CC-SECURE-POLICY-INFO-MIB DEFINITIONS ::= BEGIN
IMPORTS
ccSecurePolicyInfo
FROM CC-FEATURE-HIERARCHY-MIB -- FROM {{cc-fh}}
IPAddressType, IPAddress, PortNumber,
ROHCModes
FROM CC-TEXTUAL-CONVENTIONS-MIB -- FROM {{cc-txt}}
OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
Counter64, MODULE-IDENTITY
FROM SNMPv2-SMI -- FROM RFC 2578
MODULE-COMPLIANCE, OBJECT-GROUP,
NOTIFICATION-GROUP
FROM SNMPv2-CONF -- FROM RFC 2580
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- FROM RFC 2571
RowPointer, RowStatus, DateAndTime,
TruthValue, TEXTUAL-CONVENTION, TimeStamp
FROM SNMPv2-TC; -- FROM RFC 2579
ccSecurePolicyInfoMIB MODULE-IDENTITY
"Shadi Azoum
Azoum, et al. Expires January 1, 2017 [Page 113]
�
Internet-Draft CCMIB June 2016
US Navy
email: shadi.azoum@navy.mil
Elliott Jones
US Navy
elliott.jones@navy.mil
Lily Sun
US Navy
lily.sun@navy.mil
Mike Irani
NKI Engineering
irani@nkiengineering.com
Jeffrey Sun
NKI Engineering
sunjeff@nkiengineering.com
Ray Purvis
MITRE
Email:rpurvis@mitre.org
Sean Turner
sn3rd
Email:sean@sn3rd.com"
DESCRIPTION
"This MIB defines the CC MIB tree hierarchical assignments
below it and acts as a reservation mechanism.
Copyright (c) 2016 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC xxxx;
see the RFC itself for full legal notices."
-- RFC Ed.: RFC-editor please fill in xxxx.
REVISION "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
DESCRIPTION "Initial Version. Published as RFC xxxx."
-- RFC Ed.: RFC-editor please fill in xxxx.
::= { ccSecurePolicyInfo 1 }
Azoum, et al. Expires January 1, 2017 [Page 114]
�
Internet-Draft CCMIB June 2016
-- *****************************************************************
-- Secure Policy Info Information Segments
-- *****************************************************************
cSecurePolicyConformance OBJECT IDENTIFIER
::= { ccSecurePolicyInfoMIB 1 }
cSecPolicyRuleInfo OBJECT IDENTIFIER
::= { ccSecurePolicyInfoMIB 2 }
cSecurePolicyInfoScalars OBJECT IDENTIFIER
::= { ccSecurePolicyInfoMIB 3 }
cSecurePolicyInfoNotify OBJECT IDENTIFIER
::= { ccSecurePolicyInfoMIB 4 }
-- *****************************************************************
-- Secure Policy Info Scalars
-- *****************************************************************
-- *****************************************************************
-- Secure Policy Info Notifications
-- *****************************************************************
cSecPolicyChanged NOTIFICATION-TYPE
OBJECTS {
cSecPolicyRulePriorityID,
cSecPolicyRuleDescription
}
STATUS current
DESCRIPTION
"A notification indicating that an existent Security Policy
entry in the cSecPolicyRuleTable in has changed."
::= { cSecurePolicyInfoNotify 1 }
-- *****************************************************************
-- CC MIB cSecPolicyRuleTable
-- *****************************************************************
cSecPolicyRuleTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cSecPolicyRuleTable."
::= { cSecPolicyRuleInfo 1 }
cSecPolicyRuleTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
Azoum, et al. Expires January 1, 2017 [Page 115]
�
Internet-Draft CCMIB June 2016
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
::= { cSecPolicyRuleInfo 2 }
cSecPolicyRuleTable OBJECT-TYPE
SYNTAX SEQUENCE OF CSecPolicyRuleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The cSecPolicyRuleTable stores the Security Policy Rules
that are compared against inbound and outbound data traffic
flow. These Security Policy Rules define the actions (e.g.
protect, bypass, discard) on how the data traffic flow should
be treated."
::= { cSecPolicyRuleInfo 3 }
cSecPolicyRuleEntry OBJECT-TYPE
SYNTAX CSecPolicyRuleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing general information about a Security
Policy rule."
INDEX { cSecPolicyRulePriorityID }
::= { cSecPolicyRuleTable 1 }
CSecPolicyRuleEntry ::= SEQUENCE {
cSecPolicyRulePriorityID Unsigned32,
cSecPolicyRuleDescription OCTET STRING,
cSecPolicyRuleType INTEGER,
cSecPolicyRuleFilterReference SnmpAdminString,
cSecPolicyRuleAction INTEGER,
cSecPolicyRuleRowStatus RowStatus
}
cSecPolicyRulePriorityID OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Local unique index that identifies the priority at which
Azoum, et al. Expires January 1, 2017 [Page 116]
�
Internet-Draft CCMIB June 2016
this Security Policy rule is applied. Lower values have a
higher priority (e.g. a value of 1 will be processed before
a value of 2). This column is the primary index to the
cSecPolicyRuleTable."
::= { cSecPolicyRuleEntry 1 }
cSecPolicyRuleDescription OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An administrative string describing the Security Policy
rule. Note, this is a free form OCTET STRING that provides
the user a store for any form of description/documentation
for the given entry."
::= { cSecPolicyRuleEntry 2 }
cSecPolicyRuleType OBJECT-TYPE
SYNTAX INTEGER { ipsec(1), tls(2) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Optional column that defines the related protocol type of
the Security Policy rule. Depending on this column's set
value, entries will vary in respect to which other
columns/tables (if at all) must be populated to fully
configure the Security Policy rule."
::= { cSecPolicyRuleEntry 3 }
cSecPolicyRuleFilterReference OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A string that references the associated filter for the
Security Policy rule. Data traffic flow (inbound/outbound)
comparison against the associated filter provide the basis
in which a Security Policy rule is applied to the given data
traffic flow."
::= { cSecPolicyRuleEntry 4 }
cSecPolicyRuleAction OBJECT-TYPE
SYNTAX INTEGER { protect(1), bypass(10), discard(20),
discardInbound(21), discardOutbound(22) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates what action the ECU should take on
Azoum, et al. Expires January 1, 2017 [Page 117]
�
Internet-Draft CCMIB June 2016
matching a data traffic flow against a filter (as defined by
cSecPolicyRuleFilterReference). The value of this column can
take one of four enumeration values.
[1] protect: The 'protect' enumeration value indicates that
the data traffic flow should be protected by a Secure
Connection with attributes defined by the associated filter
(cSecPolicyRuleFilterReference).
[10] bypass: The 'bypass' enumeration value indicates that
the data traffic flow should be bypassed with no
cryptographic protection/services provided.
[20] discard: The 'discard enumeration value indicates that
the data traffic flow, agnostic of their direction, should
be discarded.
[21] discardInbound: The 'discardInbound' enumeration value
indicates that an inbound data traffic flow should be
discarded.
[22] discardOutbound: The 'discardOutbound' enumeration
value indicates that an outbound data traffic flow should be
discarded.
Implementations that do not support the 'discardInbound' and
'discardOutbound' enumeration values should return a
wrongValue exception during a SET to the cSecPolicyRuleAction
object.
A valid enumeration value must be specified in order for
cSecPolicyRuleRowStatus to be 'active'."
::= { cSecPolicyRuleEntry 5 }
cSecPolicyRuleRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of the row, by which new entries may be created,
or old entries deleted from this table.
Entries created within this table may not become active
unless all read-create columns in this table have valid
values, as detailed by each individual column's description.
At a minimum, implementations must support createAndGo and
destroy management functions. Support for createAndWait,
Azoum, et al. Expires January 1, 2017 [Page 118]
�
Internet-Draft CCMIB June 2016
active, notInService, and notReady management functions is
optional."
::= { cSecPolicyRuleEntry 6 }
-- *****************************************************************
-- Module Conformance Information
-- *****************************************************************
cSecurePolicyCompliances OBJECT IDENTIFIER
::= { cSecurePolicyConformance 1 }
cSecurePolicyGroups OBJECT IDENTIFIER
::= { cSecurePolicyConformance 2 }
cSecurePolicyCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for secure policy information."
MODULE
MANDATORY-GROUPS { cSecurePolicyGroup }
GROUP cSecurePolicyNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
::= { cSecurePolicyCompliances 1 }
cSecurePolicyGroup OBJECT-GROUP
OBJECTS {
cSecPolicyRuleTableCount,
cSecPolicyRuleTableLastChanged,
cSecPolicyRulePriorityID,
cSecPolicyRuleDescription,
cSecPolicyRuleType,
cSecPolicyRuleFilterReference,
cSecPolicyRuleAction,
cSecPolicyRuleRowStatus
}
STATUS current
DESCRIPTION
"This group is composed of objects related to secure policy
information."
::= { cSecurePolicyGroups 1 }
cSecurePolicyNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cSecPolicyChanged
}
STATUS current
DESCRIPTION
Azoum, et al. Expires January 1, 2017 [Page 119]
�
Internet-Draft CCMIB June 2016
"This group is composed of notifications related to secure
policy information."
::= { cSecurePolicyGroups 2 }
END ~~~~
5.9. Secure Connection Information
This module makes reference to: Section 5.2, Section 5.3, [RFC2571],
[RFC2578], [RFC2579], and [RFC2580], [RFC4303].
CC-SECURE-CONNECTION-INFO-MIB DEFINITIONS ::= BEGIN
IMPORTS
ccSecureConnectionInfo
FROM CC-FEATURE-HIERARCHY-MIB -- FROM {{cc-fh}}
IPAddressType, IPAddress, PortNumber,
ROHCCompressionProfiles
FROM CC-TEXTUAL-CONVENTIONS-MIB -- FROM {{cc-txt}}
OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
Counter64, MODULE-IDENTITY
FROM SNMPv2-SMI -- FROM RFC 2578
MODULE-COMPLIANCE, OBJECT-GROUP,
NOTIFICATION-GROUP
FROM SNMPv2-CONF -- FROM RFC 2580
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- FROM RFC 2571
RowPointer, RowStatus, DateAndTime,
TruthValue, TEXTUAL-CONVENTION, TimeStamp
FROM SNMPv2-TC; -- FROM RFC 2579
ccSecureConnectionInfoMIB MODULE-IDENTITY
"Shadi Azoum
US Navy
email: shadi.azoum@navy.mil
Elliott Jones
US Navy
elliott.jones@navy.mil
Lily Sun
US Navy
lily.sun@navy.mil
Mike Irani
NKI Engineering
irani@nkiengineering.com
Azoum, et al. Expires January 1, 2017 [Page 120]
�
Internet-Draft CCMIB June 2016
Jeffrey Sun
NKI Engineering
sunjeff@nkiengineering.com
Ray Purvis
MITRE
Email:rpurvis@mitre.org
Sean Turner
sn3rd
Email:sean@sn3rd.com"
DESCRIPTION
"This MIB defines the CC MIB tree hierarchical assignments
below it and acts as a reservation mechanism.
Copyright (c) 2016 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC xxxx;
see the RFC itself for full legal notices."
-- RFC Ed.: RFC-editor please fill in xxxx.
REVISION "YYYYMMDDHHMMSSZ" -- DD MM YYYY HH:MM:00 ZULU
DESCRIPTION "Initial Version. Published as RFC xxxx."
-- RFC Ed.: RFC-editor please fill in xxxx.
::= { ccSecureConnectionInfo 1 }
-- *****************************************************************
-- Secure Connection Info Information Segments
-- *****************************************************************
cSecureConnectionConformance OBJECT IDENTIFIER
::= { ccSecureConnectionInfoMIB 1 }
cSecureConnectionInfo OBJECT IDENTIFIER
::= { ccSecureConnectionInfoMIB 2 }
cSecureConnectionInfoScalars OBJECT IDENTIFIER
::= { ccSecureConnectionInfoMIB 3 }
cSecureConnectionInfoNotify OBJECT IDENTIFIER
::= { ccSecureConnectionInfoMIB 4 }
-- *****************************************************************
-- Secure Connection Info Scalars
Azoum, et al. Expires January 1, 2017 [Page 121]
�
Internet-Draft CCMIB June 2016
-- *****************************************************************
-- *****************************************************************
-- Secure Connection Info Notifications
-- *****************************************************************
cSecConnectionEstablished NOTIFICATION-TYPE
OBJECTS { cSecConTableID }
STATUS current
DESCRIPTION
"A notification indicating that a new Secure Connection was
successfully established."
::= { cSecureConnectionInfoNotify 1 }
cSecConnectionDeleted NOTIFICATION-TYPE
OBJECTS { cSecConTableID }
STATUS current
DESCRIPTION
"A notification indicating that an existent Secure
Connection was successfully deleted."
::= { cSecureConnectionInfoNotify 2 }
-- *********************************************************************
-- CC MIB cSecConTable
-- *********************************************************************
cSecConTableCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of rows in the cSecConTable."
::= { cSecureConnectionInfo 1 }
cSecConTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The last time any entry in the table was modified, created,
or deleted by either SNMP, agent, or other management method
(e.g. via an HMI). Managers can use this object to ensure
that no changes to configuration of this table have happened
since the last time it examined the table. A value of 0
indicates that no entry has been changed since the agent
initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
should be used to populate this column."
Azoum, et al. Expires January 1, 2017 [Page 122]
�
Internet-Draft CCMIB June 2016
::= { cSecureConnectionInfo 2 }
cSecConTable OBJECT-TYPE
SYNTAX SEQUENCE OF CSecConEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The cSecConTable stores general Secure Connection
(active/inactive) information associated with the ECU. This
table provides the base/common information for Secure
Connections."
::= { cSecureConnectionInfo 3 }
cSecConEntry OBJECT-TYPE
SYNTAX CSecConEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A row containing general information about an
active/inactive Secure Connection."
INDEX { cSecConTableID }
::= { cSecConTable 1 }
CSecConEntry ::= SEQUENCE {
cSecConTableID Unsigned32,
cSecConType OCTET STRING,
cSecConDataPlaneID OCTET STRING,
cSecConDirection INTEGER,
cSecConKeyReference OCTET STRING,
cSecConCryptographicSuite OCTET STRING,
cSecConEstablishmentTime DateAndTime,
cSecConStatus OCTET STRING,
cSecConRowStatus RowStatus
}
cSecConTableID OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Local unique index that identifies a Secure Connection.
This column is the primary index to the cSecConTable."
::= { cSecConEntry 1 }
cSecConType OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
Azoum, et al. Expires January 1, 2017 [Page 123]
�
Internet-Draft CCMIB June 2016
DESCRIPTION
"Optional column that defines the related protocol type of
the Secure Connection. Depending on this column's populated
value, entries will vary in respect to which other
columns/tables (if at all) are applicable to the Secure
Connection. Example of values for this column are: 'ipsec'
for Internet Protocol Security secure connections and 'tls'
for Transport Layer Security/Secure Socket Layer secure
connections."
::= { cSecConEntry 2 }
cSecConDataPlaneID OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The unique identifier associated with the Secure
Connection, based on the Secure Connection protocol.
Note, this is a free form OCTET STRING column where
meaningful values/format are defined per Secure Connection
protocol type basis. For instance, in an IPsec context (i.e.
cSecConType value is set to 'ipsec'), this column would
store the Security Parameter Index (SPI) for a given
Encapsulating Security Payload Version 3 Security
Association (RFC 4303 - Section 2.1.)."
::= { cSecConEntry 3 }
cSecConDirection OBJECT-TYPE
SYNTAX INTEGER { inbound(1), outbound(2),
bidirectional(3) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The data plane traffic flow direction for the Secure
Connection.
[1] inbound: data plane traffic flow is incoming on the
Secure Connection.
[2] outbound: data plane traffic flow is outgoing on the
Secure Connection.
[3] bidirectional: data plane traffic flow is incoming and
outgoing on the Secure Connection."
::= { cSecConEntry 4 }
cSecConKeyReference OBJECT-TYPE
Azoum, et al. Expires January 1, 2017 [Page 124]
�
Internet-Draft CCMIB June 2016
SYNTAX OCTET STRING (SIZE(0..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Administrative string that references key material
associated with the Secure Connection. This column
references an entry (via table index value) in a key-related
table in the CC-KEY-MANAGEMENT-MIB.
If there is no appropriate value to populate with, this
column would be populated with an empty string, ''."
::= { cSecConEntry 5 }
cSecConCryptographicSuite OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The set of cryptographic attributes (e.g. Encryption
Algorithm, Integrity Algorithm) respective to the Secure
Connection. Note, this is a free form OCTET STRING column,
meaning implementations may utilize a standardized
definition of string values that describe a set of
cryptographic suites or use a proprietary definition of
string values for supported cryptographic suites."
::= { cSecConEntry 6 }
cSecConEstablishmentTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The local date and time when the Secure Connection was or
will be established. The value in this column may be
manually set to a date and time prior to the effective date
of the key material (if associated) as referenced by the
cSecConKeyReference column. If this column value is not
manually configured with a date and time then the value will
be automatically populated with the current cSystemDate
value in respect to when the cSecConRowStatus column is
first set to Active.
Note, implementations may treat this column as an alpha date
for the Secure Connection, and thus ascertain other Secure
Connection-related values based on this time."
::= { cSecConEntry 7 }
cSecConStatus OBJECT-TYPE
Azoum, et al. Expires January 1, 2017 [Page 125]
�
Internet-Draft CCMIB June 2016
SYNTAX OCTET STRING
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Column that provides the current status of the Secure
Connection. Note, this is a free form OCTET STRING column
where meaningful values are defined per Secure Connection
protocol type basis (i.e. as defined by the cSecConType
value) or per implementation basis.
If there is no appropriate value to populate with, this
column would be populated with an empty string, ''."
::= { cSecConEntry 8 }
cSecConRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of the row, by which new entries may be created,
or old entries deleted from this table.
Entries created within this table may not become active
unless all read-create columns in this table have valid
values, as detailed by each individual column's description.
The set of RowStatus enumerations that must be supported is
dependent on the type of secure connection. At a minimum,
implementations must support createAndGo and destroy if the
secure connection can be created and destroyed by the
manager. Implementations must support active and
notInService if the secure connection can be
enabled/disabled by the manager."
::= { cSecConEntry 9 }
-- *********************************************************************
-- Module Conformance Information
-- *********************************************************************
cSecureConnectionCompliances OBJECT IDENTIFIER
::= { cSecureConnectionConformance 1}
cSecureConnectionGroups OBJECT IDENTIFIER
::= { cSecureConnectionConformance 2}
cSecureConnectionCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Compliance levels for secure connection information."
Azoum, et al. Expires January 1, 2017 [Page 126]
�
Internet-Draft CCMIB June 2016
MODULE
MANDATORY-GROUPS { cSecureConnectionGroup }
GROUP cSecureConnectionNotifyGroup
DESCRIPTION
"This notification group is optional for implementation."
OBJECT cSecConType
MIN-ACCESS not-accessible
DESCRIPTION
"Implementation of this object is optional."
::= { cSecureConnectionCompliances 1 }
cSecureConnectionGroup OBJECT-GROUP
OBJECTS {
cSecConTableCount,
cSecConTableLastChanged,
cSecConTableID,
cSecConType,
cSecConDataPlaneID,
cSecConDirection,
cSecConKeyReference,
cSecConCryptographicSuite,
cSecConEstablishmentTime,
cSecConStatus,
cSecConRowStatus
}
STATUS current
DESCRIPTION
"This group is composed of objects related to secure
connection information."
::= { cSecureConnectionGroups 1 }
cSecureConnectionNotifyGroup NOTIFICATION-GROUP
NOTIFICATIONS {
cSecConnectionEstablished,
cSecConnectionDeleted
}
STATUS current
DESCRIPTION
"This group is composed of notifications related to secure
connection information."
::= { cSecureConnectionGroups 2 }
END
Azoum, et al. Expires January 1, 2017 [Page 127]
�
Internet-Draft CCMIB June 2016
6. IANA Considerations
7. Security Considerations
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
there is no control as to who on the secure network is allowed to
access and GET/SET (read/change/create/delete) the objects in this
MIB module.
Implementations SHOULD provide the security features described by the
SNMPv3 framework (see [RFC3410]), and implementations claiming
compliance to the SNMPv3 standard MUST include full support for
authentication and privacy via the User-based Security Model (USM)
[RFC3414] with the AES cipher algorithm [RFC3826]. Implementations
MAY also provide support for the Transport Security Model (TSM)
[RFC5591] in combination with a secure transport such as SSH
[RFC5592] or TLS/DTLS {RFC6353}.
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC2571] Wijnen, B., Harrington, D., and R. Presuhn, "An
Architecture for Describing SNMP Management Frameworks",
RFC 2571, DOI 10.17487/RFC2571, April 1999,
.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578,
DOI 10.17487/RFC2578, April 1999,
.
Azoum, et al. Expires January 1, 2017 [Page 128]
�
Internet-Draft CCMIB June 2016
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999,
.
[RFC2580] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Conformance Statements for SMIv2",
STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999,
.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414,
DOI 10.17487/RFC3414, December 2002,
.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The
Advanced Encryption Standard (AES) Cipher Algorithm in the
SNMP User-based Security Model", RFC 3826,
DOI 10.17487/RFC3826, June 2004,
.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
.
[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
for the Simple Network Management Protocol (SNMP)",
STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009,
.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June
2009, .
[RFC5914] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor
Format", RFC 5914, DOI 10.17487/RFC5914, June 2010,
.
Azoum, et al. Expires January 1, 2017 [Page 129]
�
Internet-Draft CCMIB June 2016
[RFC6030] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
Key Container (PSKC)", RFC 6030, DOI 10.17487/RFC6030,
October 2010, .
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for the Simple Network Management Protocol (SNMP)",
STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011,
.
8.2. Informative References
[RFC1213] McCloghrie, K. and M. Rose, "Management Information Base
for Network Management of TCP/IP-based internets: MIB-II",
STD 17, RFC 1213, DOI 10.17487/RFC1213, March 1991,
.
[RFC1907] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Management Information Base for Version 2 of the Simple
Network Management Protocol (SNMPv2)", RFC 1907,
DOI 10.17487/RFC1907, January 1996,
.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410,
DOI 10.17487/RFC3410, December 2002,
.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, DOI 10.17487/RFC4303, December 2005,
.
[RFC5225] Pelletier, G. and K. Sandlund, "RObust Header Compression
Version 2 (ROHCv2): Profiles for RTP, UDP, IP, ESP and
UDP-Lite", RFC 5225, DOI 10.17487/RFC5225, April 2008,
.
Authors' Addresses
Shadi Azoum
SPAWAR Systems Center Pacific
Email: shadi.azoum@navy.mil
Azoum, et al. Expires January 1, 2017 [Page 130]
�
Internet-Draft CCMIB June 2016
Elliott Jones
SPAWAR Systems Center Pacific
Email: elliott.jones@navy.mil
Lily Sun
SPAWAR Systems Center Pacific
Email: lily.sun@navy.mil
Mike Irani
Nathan Kunes, Inc.
Email: irani@nkiengineering.com
Jeffrey Sun
Nathan Kunes, Inc.
Email: sunjeff@nkiengineering.com
Ray Purvis
The MITRE Corporation
Email: rpurvis@mitre.org
Sean Turner
sn3rd
Email: sean@sn3rd.com
Azoum, et al. Expires January 1, 2017 [Page 131]