Policy Framework (policy)                               M.Iyer, R.Kale, 
                                                      L.Apsani, S.Iyer, 
Internet Draft                                                  Alcatel 
draft-iyer-policy-ipvpn-info-model-00.txt                     June,2000 
Category: Informational                                                 
 
         
                    IP VPN Policy Information Model 
 
 
Status of this Memo 
 
   This document is an Internet-Draft and is in full conformance with 
   all provisions of Section 10 of RFC2026 [1].  
   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups. Note that 
   other groups may also distribute working documents as Internet-
   Drafts. Internet-Drafts are draft documents valid for a maximum of 
   six months and may be updated, replaced, or obsoleted by other 
   documents at any time. It is inappropriate to use Internet-Drafts 
   as reference material or to cite them other than as "work in 
   progress." The list of current Internet-Drafts can be accessed at 
   http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-
   Draft Shadow Directories can be accessed at 
   http://www.ietf.org/shadow.html. 
    
 
    
Abstract 
    
   This document presents an object oriented information model for 
   representing the policy information associated with provisioning IP 
   VPN services such as firewalling, address translation, quality of 
   service and encryption. It extends the Policy Core Information Model 
   to cover the policies that need to be enforced to configure these IP 
   VPN services. The information model defined in this document is 
   independent of any implementation specifics of the repository used 
   to store the policy information. 
    
    
Conventions used in this document 
    
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in 
   this document are to be interpreted as described in RFC-2119 [2]. 
    
Table of Contents 
 
   1. Introduction 
   2. UML Conventions 
   3. Inheritance Hierarchy 
   4. Containment Hierarchy 
   5. IPVPN Policy Definition 
   6. Policy Rule Class 
  
Iyer,Kale,Apsani,Iyer  Expires January 2001                        1 

Internet Draft        IP VPN Policy Information Model      June 2000 
 
 
   7. Policy Condition Classes 
   8. Policy Action Classes 
   9. Policy Decision Process 
   10.Extending the IPVPN Policy Schema 
    
    
1. Introduction 
    
   The term IP VPN is used to denote VPN services delivered over an 
   IP network. The goal of IP VPN provisioning is to align the network 
   elements to provide consistent treatment to selected pieces of IP 
   traffic. The network elements will require a combination of 
   capabilities depending largely on their location in the topology and 
   the technology being used. The classification and treatment of the 
   traffic should be technology independent. However the models 
   described in this document will lend themselves to easier 
   implementation over certain standardized technologies in each of the 
   traffic treatment areas. 
    
   The IP VPN policy information model is based on the Policy 
   Framework Core Information Model [PCIM]. The core model has been 
   extended to address the requirement that network elements deliver 
   the services required by the network user. The network elements 
   receive their configuration in the form of policies. The policies 
   are stored and distributed using the policy framework described in 
   [PFRAME]. 
    
   The IP VPN policy information model references classes from the 
   Policy Framework Core Information Model [PCIM], the QoS Policy 
   Information Model [QOSIM] and the IPSEC Configuration Policy 
   Model [IPSECIM]. The corresponding LDAP implementations could be 
   built based on the Policy Framework LDAP Core Schema [PCIM-LDAP] 
   and QoS Policy Schema[QOSIM-LDAP] implementations. 
    
   This document is organized as follows: 
    
   1. Section 2 provides a quick introduction to the Unified Modeling 
      Language(UML) graphical notation used in this document 
   2. Section 3 defines the inheritance hierarchy in the context of the 
      policy core information model 
   3. Section 4 defines the containment hierarchy in the context of the 
      policy core information model 
   4. Section 5 provides an overview of the IP VPN policy definition 
      and introduces the condition and action classes for IP VPN 
      policies 
   5. Section 6 revisits the Policy Rule class[PCIM]. 
   6. Section 7 provides details on the policy condition classes and 
      their attributes 
   7. Section 8 provides details on the policy action classes and their 
      attributes 
   8. Section 9 explains the policy selection process which extends the 
      selection model described in the policy core information model 
   9. Section 10 deals with extending the IP VPN policy schema 
    
2. UML Notation 
 
   The information model is presented in this document using UML 
   notation since it is a well accepted standard and provides a task 
   independent way to model systems. 
    
   1. Boxes represent classes 
   2. An "o" denotes an aggregation. An aggregation is essentially a 
      reference. 
   3. An "x" denotes containment. A contained object is owned entirely 
      by the container. 
   4. The association line may be annotated with "multiplicity" which 
      indicates the number of objects aggregated or contained. 
      - a range of the form "a..b" indicates the minimum and maximum 
        number of objects 
      - an asterisk "*" indicates any number of objects 
 
3. Inheritance Hierarchy 
    
   Policy 
   | 
   +----PolicyGroup[PCIM] 
   |    | 
   |    +-------IPVPNPolicyDomain 
   |    | 
   |    +-------IPVPNAdministrationPolicyList 
   |    | 
   |    +-------IPVPNSignalingPolicyList 
   |    | 
   |    +-------IPVPNEnforcementPolicyList 
   |    | 
   |    +-------IPVPN 
   |    | 
   |    +-------FirewallPolicyList 
   |    | 
   |    +-------QoSPolicyList 
   |    | 
   |    +-------NATPolicyList 
   |    | 
   |    +-------SecurityPolicyList 
   | 
   +----PolicyRule[PCIM] 
   | 
   +----PolicyConditionInPolicyRule[PCIM] 
   | 
   +----PolicyCondition[PCIM] 
   |    | 
   |    +-------PolicyTimePeriodCondition[PCIM] 
   |    | 
   |    +-------VendorPolicyCondition[PCIM] 
   |    | 
   |    +-------PolicyTagCondition 
   |    | 
   |    +-------TrafficProfileCondition 
   | 
   +----PolicyTag 
   |    | 
   |    +-------NetworkTag 
   |    |       | 
   |    |       +-------L2NetworkTag 
   |    |       | 
   |    |       +-------L3NetworkTag 
   |    | 
   |    +-------ApplicationTag 
   |    | 
   |    +-------UserProfileTag 
   |    | 
   |    +-------EnforcerProfileTag 
   |    | 
   |    +-------NetworkGroupTag 
   |    | 
   |    +-------ApplicationGroupTag 
   |    | 
   |    +-------UserGroupTag 
   |    | 
   |    +-------EnforcerGroupTag 
   | 
   +----PolicyActionInPolicyRule[PCIM] 
   | 
   +----PolicyAction[PCIM] 
        | 
        +-------VendorPolicyAction[PCIM] 
        | 
        +-------FirewallAction 
        | 
         +-------QoSAction 
         |       | 
         |       +-------ShapingAction 
         |       | 
         |       +-------MarkingAction 
        | 
        +-------NATAction 
        | 
        +-------SecurityAction 
                | 
                +-------IPSECAction 
                | 
                +-------MPLSAction 
                 
    
4. Containment Hierarchy 
   +-----------------+ 
   |PolicyRepository | 
   +-----------------+ 
            x 
            |1..n 
   +------------------+ 
   |IPVPNPolicyDomain | 
   +------------------+ 
     

     x    x     x    x  
     |    |     |    | 
     |    |     |    |1 
     |    |     |   +-----------------------------+ 
     |    |     |   |IPVPNAdministrationPolicyList| 
     |    |     |1  +-----------------------------+ 
     |    |    +------------------------+ 
     |    |    |IPVPNSignalingPolicyList| 
     |    |1   +------------------------+ 
     |  +--------------------------+ 
     |  |IPVPNEnforcementPolicyList| 
     |  +--------------------------+ 
     |              x 
     |              |1..n 
     |           +-----------------------------+ 
     |           |           IPVPN             | 
     |           +-----------------------------+ 
     |             x         x     x     x    x 
     |             |         |     |     |    |1  
     |             |         |     |     |   +------------------+ 
     |             |         |     |     |   |FirewallPolicyList| 
     |             |         |     |     |1  +------------------+ 
     |             |         |     |    +-------------+ 
     |             |         |     |    |QoSPolicyList| 
     |             |         |     |1   +-------------+ 
     |             |         |   +-------------+ 
     |             |         |   |NATPolicyList| 
     |             |         |1  +-------------+ 
     |             |        +------------------+ 
     |             |        |SecurityPolicyList| 
     |             |1..n    +------------------+ 
     |          +------------------+ 
     |          |PolicyTagCondition| 
     |          +------------------+ 
     |                  o 
     |                  |1 
     |                 +------------------+ 
     |                 |  PolicyTag       | 
     |                 +------------------+ 
     |                    ^    ^    ^    ^ 
     |                    |    |    |    | 
     |                    |    |    |    | 
     |                    |    |    |   +----------+ 
     |                    |    |    |   |NetworkTag| 
     |                    |    |    |   +----------+ 
     |                    |    |  +---------------+ 
     |                    |    |  |NetworkGroupTag| 
     |                    |    |  +---------------+ 
     |                    |  +--------------+ 
     |                    |  |UserProfileTag| 
     |                    |  +--------------+ 
     |                   +------------+ 
     |                   |UserGroupTag| 
     |                   +------------+ 
     |1          
   +-------------+ 
   |PolicyTagRoot| 
   +-------------+ 
     x      x 
     |      | 
     |     +------------------------------+ 
     |     |ResourceTag                   | 
     |     +------------------------------+ 
     |                    x    x    x    x 
     |                    |    |    |    | 
     |                    |    |    |    |* 
     |                    |    |    |   +---------------+ 
     |                    |    |    |   |  NetworkTag   | 
     |                    |    |    |*  +---------------+ 
     |                    |    |  +-----------------+  o 
     |                    |    |  | UserProfileTag  |  | 
     |                    |    |* +-----------------+  | 
     |                    |  +------------------+  o   | 
     |                    |  |ApplicationTag    |  |   | 
     |                    |* +------------------+  |   | 
     |                   +------------------+  o   |   | 
     |                   |EnforcerProfileTag|  |   |   | 
     |                   +------------------+  |   |   | 
   +-----------------+                   o     |   |   | 
   |ResourceGroupTag |                   |     |   |   | 
   +-----------------+                   |     |   |   | 
     x    x    x    x                    |     |   |   | 
     |    |    |    |                    |     |   |   | 
     |    |    |    |*                   |     |   |   | 
     |    |    |   +---------------+1..n |     |   |   | 
     |    |    |   |NetworkGroupTag|-------------------+ 
     |    |    |*  +---------------+     |     |   | 
     |    |  +------------+1..n          |     |   | 
     |    |  |UserGroupTag|------------------------+ 
     |    |* +------------+              |     | 
     |  +-------------------+1..n        |     | 
     |  |ApplicationGroupTag|------------------+ 
     |* +-------------------+            | 
    +----------------+1..n               | 
    |EnforcerGroupTag|-------------------+ 
    +----------------+ 
         
+-------------+ 
|AnyPolicyList| 
+-------------+ 
     x 
     | 
     |1..n 
   +------------------------+ 
   |     AnyPolicyRule      | 
   +------------------------+ 
     x        o         x 
     |        |         |  
     |        |         |1..n 
     |        |      +---------------------------+ 
     |        |      |PolicyConditionInPolicyRule| 
     |        |      +---------------------------+ 
     |        |                 x 
     |        |                 |1 
     |        |         +------------------+ 
     |        |         |PolicyTagCondition| 
     |        |1..n     +------------------+ 
     |      +-------------------------+ 
     |      |PolicyTimePeriodCondition| 
     |      +-------------------------+ 
     |1..n 
    +------------------------+ 
    |PolicyActionInPolicyRule| 
    +------------------------+ 
                x 
                |1 
            +---------+ 
            |AnyAction| 
            +---------+  
    
   "Any" represents one of Firewall, QoS, NAT or Security policies 
    
    
5. Container Classes 
    
   5.1 PolicyRepository[PCIM] 
    
   This class represents the physical policy repository. It is defined 
   in [PCIM]. 
    
   5.2 PolicyGroup[PCIM] 
    
   This class is a base class for the IPVPN policy lists. The class is 
   defined in [PCIM]. 
    
   5.3 IPVPNPolicyDomain 
    
   The policy domain represents an integral policy database. Policy 
   objects within the domain do not have references to any objects 
   outside of the domain. 
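 
   As an added illustration that is not part of this draft, the Python 
   fragment below checks the domain invariant stated above: every 
   reference held by a policy object (a PolicyTagCondition naming policy 
   tags through its multi-valued PolicyTagValue, a tag naming the group 
   tags it belongs to) must resolve to an object inside the same 
   IPVPNPolicyDomain. The class and field names are a hypothetical 
   simplification of the draft's classes, and the sample domain is 
   constructed for the example. 

```python
# Added example, not part of the draft. Checks the IPVPNPolicyDomain
# invariant of section 5.3: no policy object inside a domain may reference
# an object outside it. Class and field names are a hypothetical
# simplification of the draft's classes.
from dataclasses import dataclass, field


@dataclass
class PolicyTag:
    name: str                                            # CIM_System.Name
    group_tag_names: list = field(default_factory=list)  # e.g. NetworkGroupTagName


@dataclass
class PolicyTagCondition:
    name: str
    tag_names: list   # PolicyTagValue is MultiValued: names of referenced tags


@dataclass
class IPVPNPolicyDomain:
    name: str
    tags: dict = field(default_factory=dict)        # name -> PolicyTag
    group_tags: set = field(default_factory=set)    # names of *GroupTag objects
    conditions: list = field(default_factory=list)  # PolicyTagCondition objects


def dangling_references(domain):
    """Return (referrer, missing_name) pairs for every reference that does
    not resolve to an object held by the same domain."""
    problems = []
    # Conditions reference tags by name (PolicyTagValue).
    for cond in domain.conditions:
        for tag_name in cond.tag_names:
            if tag_name not in domain.tags:
                problems.append((cond.name, tag_name))
    # Tags reference the group tags they belong to (NetworkGroupTagName etc.).
    for tag in domain.tags.values():
        for group in tag.group_tag_names:
            if group not in domain.group_tags:
                problems.append((tag.name, group))
    return problems


def build_sample_domain():
    """Constructed sample: one complete reference chain, two dangling ones."""
    d = IPVPNPolicyDomain("constructed-domain")
    d.group_tags.add("Branches")
    d.tags["branch-a"] = PolicyTag("branch-a", ["Branches"])
    d.tags["hq"] = PolicyTag("hq", ["Campus"])          # "Campus" is not in this domain
    d.conditions.append(PolicyTagCondition("c1", ["branch-a", "hq"]))
    d.conditions.append(PolicyTagCondition("c2", ["partner"]))  # tag not in this domain
    return d


if __name__ == "__main__":
    for referrer, missing in dangling_references(build_sample_domain()):
        print(f"{referrer} references {missing}, which is outside the domain")
```

   A policy server would run this check before distributing a domain to 
   its enforcers, since a condition whose tag cannot be resolved cannot 
   be evaluated and the rule that contains it silently never fires. 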
    
    
   NAME                 IPVPNPolicyDomain  
   DESCRIPTION          The class for representing the policy domain 
                        under which there is an entire policy database 
                        consisting of policy rules, policy conditions, 
                        policy actions and policy tags. 
   DERIVED FROM         PolicyGroup 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key]  
    
   5.4 IPVPNAdministrationPolicyList 
    
   The list of policies that apply to the administration of the policy 
   domain. The administration policies are not defined in this 
   document, but need to be defined in a future draft. The Security 
   Policy Specification Language [SPSL] serves as a good data point 
   for defining the administration policy schema. 
    
   NAME                 IPVPNAdministrationPolicyList  
   DESCRIPTION          The class for representing the list of policies 
                        which control the administration of the policy 
                        domain. 
   DERIVED FROM         PolicyGroup 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key]  
    
   5.5 IPVPNSignalingPolicyList 
    
   The list of policies that apply to the handling of the signaling 
   traffic used to create dynamic policies. The signaling policies are 
   not defined in this document, but need to be defined in a future 
   draft. 
    
   NAME                 IPVPNSignalingPolicyList  
   DESCRIPTION          The class for representing the list of policies 
                        which control the ability of agents within the 
                        network to use signaling to dynamically install 
                        policies. A signaling policy can reference 
                        enforcement policies 
   DERIVED FROM         PolicyGroup 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key]  
    
   5.6 IPVPNEnforcementPolicyList 
    
   The list of policies that apply to the policy domain. These policies 
   are enforced by the policy elements that belong to the policy domain. 
    
    
   NAME                 IPVPNEnforcementPolicyList  
   DESCRIPTION          The class for representing the list of policies 
                        which need to be enforced on the traffic by 
                        policy enforcers within the network. 
   DERIVED FROM         PolicyGroup 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
    
   5.7 IPVPN 
    
   The IPVPN represents the IPVPN policy set that is to be applied to 
   the traffic. This is a first pass classification that decides the 
   IPVPN membership of the traffic. 
   A possible future modification of the IPVPN class is to allow it to 
   be nested within a larger IPVPN. When nested, the IPVPN cannot 
   contain policy lists. 
    
    
   NAME                 IPVPN  
   DESCRIPTION          The class for representing the conditions used 
                        to determine the IPVPN membership of the traffic 
                        and the policy set to be applied to the traffic. 
   DERIVED FROM         PolicyGroup 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
     
    
   5.8 FirewallPolicyList 
    
   The list of firewall policies that need to be applied to the traffic 
   within an IPVPN. 
    
   NAME                 FirewallPolicyList  
   DESCRIPTION          The class for representing the list of firewall 
                        policies which need to be enforced on the IPVPN 
                        traffic by policy enforcers within the network. 
   DERIVED FROM         PolicyGroup 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
    
   5.9 QoSPolicyList 
    
   The list of QoS policies that need to be applied to the traffic 
   within an IPVPN. 
    
   NAME                 QoSPolicyList  
   DESCRIPTION          The class for representing the list of QoS 
                        policies which need to be enforced on the IPVPN 
                        traffic by policy enforcers within the network. 
   DERIVED FROM         PolicyGroup 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
    
   5.10 NATPolicyList 
    
   The list of NAT policies that need to be applied to the traffic 
   within an IPVPN. 
    
   NAME                 NATPolicyList  
   DESCRIPTION          The class for representing the list of NAT 
                        policies which need to be enforced on the IPVPN 
                        traffic by policy enforcers within the network. 
   DERIVED FROM         PolicyGroup 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
    
   5.11 SecurityPolicyList 
    
   The list of security policies that need to be applied to the traffic 
   within an IPVPN. 
    
   NAME                 SecurityPolicyList  
   DESCRIPTION          The class for representing the list of security 
                        policies which need to be enforced on the IPVPN 
                        traffic by policy enforcers within the network. 
   DERIVED FROM         PolicyGroup 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
    
   5.12 PolicyConditionInPolicyRule[PCIM] 
    
   The policy core information model class. This class is defined in 
   [PCIM]. It associates the policy condition with the policy rule. 
    
   5.13 PolicyActionInPolicyRule[PCIM] 
    
   The policy core information model class. This class is defined in 
   [PCIM]. It associates the policy action with the policy rule. 
    
6. PolicyRule Class 
    
   This class represents the core policy class, which is defined in 
   [PCIM]. The attributes of the PolicyRule are mentioned once again in 
   this document for convenience. 
    
   NAME                 PolicyRule  
   DESCRIPTION          The central class for representing the "If 
                        Condition then Action" semantics associated with 
                        a policy rule.  
   DERIVED FROM         Policy  
   ABSTRACT             FALSE  
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key]  
                        CreationClassName[key]  
                        PolicyRuleName[key]  
                        Enabled  
                        ConditionListType  
                        RuleUsage  
                        Priority  
                        Mandatory  
                        SequencedActions  
                        PolicyRoles 
 
    
    
7. Condition Classes 
    
   7.1 PolicyCondition[PCIM] 
    
   The policy core information model class. This class is defined in 
   [PCIM] 
    
   7.2 PolicyTimePeriodCondition[PCIM] 
    
   The policy core information model class. This class is defined in 
   [PCIM] 
    
   7.3 VendorPolicyCondition[PCIM] 
    
   The policy core information model class. This class is defined in 
   [PCIM] 
    
   7.4 PolicyTag 
    
   A policy tag associates a tag with networks, applications, user 
   profiles, enforcer profiles etc. A policy condition can be defined 
   in terms of policy tags.  
    
   NAME                 PolicyTag 
   DESCRIPTION          The class for representing a tagged network, 
                        application, user profile or enforcer profile. A 
                        policy condition can be defined in terms of 
                        policy tags. 
   DERIVED FROM         Policy 
   ABSTRACT             TRUE  
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key]  
    
   The known sub classes of this abstract class are NetworkTag, 
   ApplicationTag, UserProfileTag, EnforcerProfileTag. 
    
   7.5 PolicyTagCondition 
    
   A policy tag condition is a policy condition that references policy 
   tags. The different types of policy tags are defined in the 
   following sections 
    
   NAME                 PolicyTagCondition  
   DESCRIPTION          The class for representing the condition part 
                        of the "If Condition then Action" semantics 
                        associated with a policy rule.  
   DERIVED FROM         PolicyCondition 
   ABSTRACT             TRUE  
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key]  
                        PolicyTagType 
                        PolicyTagValue 
    
   7.5.1 The property PolicyTagType 
    
   The policy tag type property defines the type of the policy tag 
   value specified in the PolicyTagValue property 
    
   NAME                 PolicyTagType 
   DESCRIPTION          The policy tag value type  
   SYNTAX               integer 
   VALUES               SourceNetwork(1), DestNetwork(2), 
                        Application(3), User(4) 
    
   7.5.2 The property PolicyTagValue 
    
   The policy tag value specifies a policy tag value to be matched in 
   order to select the appropriate policy 
    
   NAME                 PolicyTagValue 
   DESCRIPTION          The policy tag value  
   SYNTAX               string 
   VALUES               MultiValued 
    
   7.6 TrafficProfileCondition 
    
   Specifies the traffic metering that needs to be applied to the 
   traffic to determine whether or not it conforms to the profile. The 
   condition itself could be either "conforms to" or "does not conform 
   to" a certain metering spec. The traffic profile condition class and 
   its sub classes are defined in [QOSIM]. 
    
   7.7 NetworkTag 
    
   Specifies the association of a network with a network policy tag 
    
   NAME                 NetworkTag 
   DESCRIPTION          The class for representing the association of a 
                        network to a policy tag 
   DERIVED FROM         PolicyTag 
   ABSTRACT             TRUE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        NetworkGroupTagName 
                         
   7.7.1 The property NetworkGroupTagName 
    
   The group memberships of this network tag 
    
   NAME                 NetworkGroupTagName 
   DESCRIPTION          The group membership of the network tag  
   SYNTAX               string 
   VALUES               MultiValued 
    
   7.8 L2NetworkTag 
    
   Specifies the L2 parameters for the source or destination network 
   associated with the network tag. This includes MAC addresses, VLAN 
   tags and such other layer 2 characteristics of the IP packet 
    
   NAME                 L2NetworkTag  
   DESCRIPTION          The class for representing the association of a 
                        layer 2 network to a policy tag.  
   DERIVED FROM         NetworkTag 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        L2TagType 
                        L2TagValue  
                          
   7.8.1 The property L2TagType 
    
   The L2TagType defines the type of the L2Tag value specified in the 
   L2TagValue property 
    
   NAME                 L2TagType 
   DESCRIPTION          The L2 tag value type  
   SYNTAX               string 
   VALUES               VLAN, 802.1Q 
    
   7.8.2 The property L2TagValue 
    
   The L2TagValue specifies a L2 tag value to be matched in order to 
   match a condition 
    
   NAME                 L2TagValue 
   DESCRIPTION          The L2 tag value  
   SYNTAX               string 
   VALUES               MultiValued 
    
   7.9 L3NetworkTag 
    
   Specifies the L3 parameters for the source or destination network 
   associated with the network tag 
    
   NAME                 L3NetworkTag  
   DESCRIPTION          The class for representing the association of a 
                        layer 3 network to a policy tag.  
   DERIVED FROM         NetworkTag 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        IPAddressType 
                        IPAddressValue 
                        Netmask 
                         
   7.9.1 The property IPAddressType 
    
   The IPAddressType defines the type of the IPAddress value specified 
   in the IPAddressValue property 
    
   NAME                 IPAddressType 
   DESCRIPTION          The IPAddress value type  
   SYNTAX               string 
   VALUES               ipv4, ipv6 
    
   7.9.2 The property IPAddressValue 
    
   The IPAddressValue specifies a IPAddress value to be matched in 
   order to match a condition 
    
   NAME                 IPAddressValue 
   DESCRIPTION          The IPAddress value  
   SYNTAX               string 
    
   7.9.3 The property Netmask 
    
   The Netmask specifies a subnet mask to be matched in order to match 
   a L3 Network condition 
    
   NAME                 Netmask 
   DESCRIPTION          The netmask value to be used to match the L3 
                        network condition  
   SYNTAX               string 
    
    
   7.10 ApplicationTag 
    
   Specifies the L4-L7 characteristics of the packet, including 
   application level decodes which require stateful inspection of the 
   packet, e.g. HTTP, FTP, SMTP, TELNET etc. 
    
    
   NAME                 ApplicationTag  
   DESCRIPTION          The class for representing the association of 
                        an application to a policy tag  
   DERIVED FROM         PolicyTag 
   ABSTRACT             TRUE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        ApplicationGroupTagName 
    
   This class will have several sub classes which reflect the 
   application protocol classification granularity. In the most common  
   case a sub class could define the TCP/UDP ports being used by an 
   application. 
 
   7.10.1 The property ApplicationGroupTagName 
    
   The group memberships of this application tag 
    
   NAME                 ApplicationGroupTagName 
   DESCRIPTION          The group membership of the application tag  
   SYNTAX               string 
   VALUES               MultiValued 
    
    
   7.11 UserProfileTag 
    
   Specifies a user profile, which is deduced from the mode of 
   authentication of the user. The user profile is associated with a 
   tag. This could be a filter for the subject name within a 
   certificate or a domain name entered by the user, e.g. 
   joe@company.com. 
    
    
   NAME                 UserProfileTag  
   DESCRIPTION          The class for representing the association of a 
                        user profile to a policy tag.  
   DERIVED FROM         PolicyTag 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        UserProfileFilter 
                        UserGroupTagName 
 
    
   7.11.1 The property UserProfileFilter 
    
   The profile filter to be used to associate a user with a 
   UserProfileTag.  
    
   NAME                 UserProfileFilter 
   DESCRIPTION          The user profile filter used to associate a 
                        profile with a logged in user 
   SYNTAX               string 
    
   7.11.2 The property UserGroupTagName 
    
   The group memberships for the user profile tag 
    
   NAME                 UserGroupTagName 
   DESCRIPTION          The group membership of the user profile filter 
   SYNTAX               string 
   VALUES               MultiValued 
    
   7.12 EnforcerProfileTag 
    
   Specifies an enforcer profile and the associated tag. The tag is 
   used to give the administrator flexibility in deciding where the 
   policies will be installed. 
    
   NAME                 EnforcerProfileTag  
   DESCRIPTION          The class for representing the different 
                        enforcer profiles in the network environment. 
   DERIVED FROM         PolicyTag 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        EnforcerProfileFilter 
                        EnforcerGroupTagName 
                         
   7.12.1 The property EnforcerProfileFilter 
    
   The profile filter to be used to identify a tag for the enforcer.  
    
   NAME                 EnforcerProfileFilter 
   DESCRIPTION          The profile filter to be used to identify the 
                        enforcer tag 
   SYNTAX               string 
    
   7.12.2 The property EnforcerGroupTagName 
    
   The group memberships of this enforcer identified in the enforcer 
   profile 
    
   NAME                 EnforcerGroupTagName 
   DESCRIPTION          The group membership of the enforcer tag  
   SYNTAX               string 
   VALUES               MultiValued 
    
    
   7.13 NetworkGroupTag 
    
   Specifies the network group tags which can in turn be referenced by 
   NetworkTags and policies. Traffic that matches a network tag implies 
   that it matches the network group tags mentioned in the network tag. 
    
   NAME                 NetworkGroupTag 
   DESCRIPTION          The class for representing the network group 
                        tag which can be referenced by NetworkTags and 
                        policies. 
  
   DERIVED FROM         PolicyTag 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
 
    
   7.14 ApplicationGroupTag 
    
   Specifies the application group tags that can be referenced by 
   ApplicationTags and policies.  
    
   NAME                 ApplicationGroupTag 
   DESCRIPTION          The class for representing the application 
                        group tag which can be referenced by 
                        ApplicationTags and policies 
   DERIVED FROM         PolicyTag 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
 
    
   7.15 UserGroupTag 
    
   Specifies the user group tags that can be referenced by UserTags and 
   policies. 
    
   NAME                 UserGroupTag  
   DESCRIPTION          The class for representing the user group tag 
                        which can be referenced by UserTags and 
                        policies. 
   DERIVED FROM         PolicyTag 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
 
   7.16 EnforcerGroupTag 
    
   Specifies the enforcer group tags that can be referenced by 
   EnforcerTags and policies. 
    
   NAME                 EnforcerGroupTag  
   DESCRIPTION          The class for representing the enforcer group 
                        tag which can be referenced by EnforcerTags and 
                        IPVPNs 
   DERIVED FROM         PolicyTag 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
 
    
    
8     Policy Action Classes 
    
  
   8.1 FirewallAction 
    
   Specifies the firewall action to be enforced such as drop, pass, 
   log, alert etc. The list of possible actions is limited by the 
   attributes in the action object. 
    
   NAME                 FirewallAction  
   DESCRIPTION          The class for representing the firewall action 
                        of the "If Condition then Action" semantics 
                        associated with a policy rule.  
   DERIVED FROM         PolicyAction 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        Action 
                         
   8.1.1 The property Action 
    
   The action defines the type of firewall action to be enforced 
    
   NAME                 Action 
   DESCRIPTION          The firewall action to be enforced  
   SYNTAX               string 
   VALUES               Allow/Allow&Log/Allow&Alarm/ 
                        Deny/Deny&Log/Deny&Alarm 
    
    
   8.2 QoSAction 
    
   Specifies the QoS action to be applied to the traffic which could be 
   shaping or marking or both. 
    
    
   NAME                 QoSAction  
   DESCRIPTION          The class for representing the QoS action of 
                        the "If Condition then Action" semantics 
                        associated with a policy rule.  
   DERIVED FROM         PolicyAction 
   ABSTRACT             TRUE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
    
   8.2.1 ShapingAction 
    
   Specifies the shaping action to be applied to the traffic. The 
   action indicates the quality of service that needs to be applied to 
   the traffic. The QoS to be granted is expressed using one of three 
   possible metrics: TOS levels, DSCP levels, or absolute values for 
   the QoS parameters (minimum, maximum, jitter, latency, packet loss, 
   etc.). 
    
    
   NAME                 ShapingAction  
  
   DESCRIPTION          The class for representing the QoS shaping 
                        action of the "If Condition then Action" 
                        semantics associated with a policy rule.   
   DERIVED FROM         PolicyAction 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        qpPHBSet[QOSIM] 
                         
   8.2.1.1 The property qpPHBSet 
    
   The PHBSet defines the per-hop behaviour to be enforced for the 
   traffic. This would typically include TOSLevels, DSCP, 
   AFDropPrecedence, QoS-Minimum, QoS-Maximum, QoS-Priority, QoS-Jitter, 
   QoS-Latency and QoS-PacketLoss. [QOSIM] describes how the Per Hop 
   Behaviour (PHB) is modelled. 
    
    
   8.2.2 MarkingAction 
    
   Specifies the marking action to be applied to the traffic. The 
   marker indicates the quality of service that needs to be applied to 
   the traffic once the packet leaves the enforcer. The marking can be 
   a TOS value, a DiffServ codepoint or an 802.1Q priority. 
    
    
   NAME                 MarkingAction  
   DESCRIPTION          The class for representing the QoS marking 
                        action of the "If Condition then Action" 
                        semantics associated with a policy rule.   
   DERIVED FROM         PolicyAction 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        qpPHBSet[QOSIM] 
    
   8.2.2.1 The property qpPHBSet 
    
   The PHBSet defines the per-hop behaviour to be enforced for the 
   traffic. This would typically include TOSLevels, DSCP, 
   AFDropPrecedence, QoS-Minimum, QoS-Maximum, QoS-Priority, QoS-Jitter, 
   QoS-Latency and QoS-PacketLoss. [QOSIM] describes how the Per Hop 
   Behaviour (PHB) is modelled. 
    
   8.5 NATAction 
    
   Specifies which source addresses need to be translated and to which 
   new source addresses. 
    
    
   NAME                 NATAction  


  
   DESCRIPTION          The class for representing the network address 
                        translation action of the "If Condition then 
                        Action" semantics associated with a policy rule.   
   DERIVED FROM         PolicyAction 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        OriginalIPAddress 
                        OriginalNetmask 
                        FinalIPAddress 
                        FinalNetmask 
    
   8.5.1 The property OriginalIPAddress 
    
   Specifies the original set of IP addresses that need to be 
   translated. 
    
   NAME                 OriginalIPAddress 
   DESCRIPTION          The original IP address that needs to be 
                        translated. 
   SYNTAX               string 
    
   8.5.2 The property OriginalNetmask 
    
   Specifies the original IP subnet that needs to be translated 
    
   NAME                 OriginalNetmask 
   DESCRIPTION          The original IP subnet that needs to be 
                        translated. 
   SYNTAX               string 
    
    
   8.5.3 The property FinalIPAddress 
    
   Specifies the IP addresses to be used during the translation 
    
   NAME                 FinalIPAddress 
   DESCRIPTION          Specifies the IP addresses to be used for 
                        translation 
   SYNTAX               string 
    
   8.5.4 The property FinalNetmask 
    
   Specifies the IP subnet to be used during translation 
    
   NAME                 FinalNetmask 
   DESCRIPTION          Specifies the IP subnet to be used during 
                        translation 
   SYNTAX               string 
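
   As an added worked example (not part of this draft), the following 
   Python shows how an enforcer could apply a NATAction instance to the 
   source address of a packet. The NATAction instance is a constructed 
   dict carrying the four properties above. The rule that the original 
   and final subnets must be the same size (a one-to-one mapping that 
   preserves the host bits) is this example's own assumption: a 
   many-to-one translation would also need port translation, which the 
   class does not model, so such an instance is rejected rather than 
   silently enforced. 

```python
import ipaddress


class NATActionError(ValueError):
    """Raised when a NATAction instance cannot be enforced as written."""


def _network(addr, mask):
    # ipaddress accepts "a.b.c.d/w.x.y.z"; strict=False tolerates host
    # bits in OriginalIPAddress/FinalIPAddress (e.g. 10.1.2.5/255.255.255.0).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def translate_source(nat, src):
    """Apply one NATAction to a source address.

    `nat` is a constructed dict with the draft's four properties
    (OriginalIPAddress, OriginalNetmask, FinalIPAddress, FinalNetmask).
    Addresses outside the original subnet are returned unchanged;
    addresses inside it are mapped onto the final subnet with their
    host bits kept.
    """
    original = _network(nat["OriginalIPAddress"], nat["OriginalNetmask"])
    final = _network(nat["FinalIPAddress"], nat["FinalNetmask"])
    # Assumption of this example: only one-to-one subnet mappings are
    # enforceable; mapping a larger subnet onto a smaller one is NAPT,
    # which needs port state the class does not carry.
    if original.prefixlen != final.prefixlen:
        raise NATActionError(
            f"cannot map {original} onto {final}: subnet sizes differ")
    addr = ipaddress.ip_address(src)
    if addr not in original:
        return addr
    host_bits = int(addr) - int(original.network_address)
    return final.network_address + host_bits


def apply_nat_actions(actions, src):
    """Apply an ordered list of NATAction instances; the first one whose
    original subnet contains `src` wins (ordering is an assumption)."""
    addr = ipaddress.ip_address(src)
    for nat in actions:
        if addr in _network(nat["OriginalIPAddress"], nat["OriginalNetmask"]):
            return translate_source(nat, src)
    return addr


# Constructed sample instance: rewrite the 10.1.2.0/24 office LAN onto
# 192.0.2.0/24 (TEST-NET-1), keeping each host's address offset.
OFFICE_NAT = {
    "OriginalIPAddress": "10.1.2.0", "OriginalNetmask": "255.255.255.0",
    "FinalIPAddress": "192.0.2.0", "FinalNetmask": "255.255.255.0",
}

if __name__ == "__main__":
    print(translate_source(OFFICE_NAT, "10.1.2.17"))   # 192.0.2.17
    print(translate_source(OFFICE_NAT, "10.9.9.9"))    # 10.9.9.9, untouched
```

   Because the translation preserves the host bits, the reverse mapping 
   for return traffic is the same function with the Original and Final 
   properties swapped, which is what lets the enforcer undo the 
   translation statelessly. 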
    
                         
   8.6 SecurityAction 
    
  
   Specifies the security parameters to be used for authentication, 
   encryption and encapsulation of the traffic. 
    
    
   NAME                 SecurityAction  
   DESCRIPTION          The class for representing the security action 
                        of the "If Condition then Action" semantics 
                        associated with a policy rule.  
   DERIVED FROM         PolicyAction 
   ABSTRACT             TRUE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
    
    
   8.7 IPSECAction 
    
   Specifies the IPSEC parameters to be used when protecting the 
   traffic with AH and/or ESP. 
    
    
   NAME                 IPSECAction  
   DESCRIPTION          The class for representing the IPSEC security 
                        action of the "If Condition then Action" 
                        semantics associated with a policy rule.  
   DERIVED FROM         SecurityAction 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
                        CIM_System.Name[key] 
                        IPSECSecurityAction[IPSECIM] 
 
    
   8.7.1 The property IPSECSecurityAction 
    
   The property IPSECSecurityAction is a reference to an instance of a 
   SecurityAssociationAction object defined in [IPSECIM]. The 
   definition of the SecurityAssociationAction includes IKE and IPSEC 
   values for key negotiation, authentication, encryption and key 
   expiry. 
    
   8.8 MPLSAction 
    
   Specifies the MPLS parameters to be used when MPLS tunnels transport 
   the traffic, providing security through traffic segregation. Note 
   that label-based segregation isolates the traffic within the 
   provider network but does not encrypt or authenticate it; where 
   confidentiality or integrity is required an IPSECAction is still 
   needed. 
    
    
   NAME                 MPLSAction  
   DESCRIPTION          The class for representing the MPLS security 
                        action of the "If Condition then Action" 
                        semantics associated with a policy rule.  
   DERIVED FROM         SecurityAction 
   ABSTRACT             FALSE 
   PROPERTIES           CIM_System.CreationClassName[key] 
  
                        CIM_System.Name[key] 
                        MPLSSecurityAction 
    
   8.8.1 The property MPLSSecurityAction 
    
   The property MPLSSecurityAction is a reference to an instance of a 
   SecurityAssociationAction object to be defined under the MPLS policy 
   specification. It is anticipated that a policy information model 
   for MPLS configuration will soon be available. The definition of the 
   SecurityAssociationAction includes the information required to set 
   up an LSP (Label Switched Path) that provides the traffic with the 
   required security and level of service. In a practical enforcement 
   scenario the policy conditions will map the traffic to a FEC 
   (Forwarding Equivalence Class) and the MPLSSecurityAction will 
   result in the LSP being set up. The action could include the 
   signalling protocol (RSVP or CR-LDP) to be used, constraint-based 
   routing directives and traffic engineering parameters. There is a 
   potential overlap with the QoS actions specified earlier. 
 
    
9    Policy Decision Process 
    
   The policy decision process consists of the following steps: 
    
   Step 1 
    
        Identify the User characteristics of the traffic if possible 
        Identify the Network characteristics of the traffic 
         
   Step 2 
    
        Match the PolicyTagConditions for User and Network 
        characteristics to determine the IPVPN 
         
   Step 3 
    
        Within the IPVPN match the SourceNetworkConditions, 
        DestNetworkConditions, UserConditions, ApplicationConditions, 
        TimePeriodConditions to determine the policy that matches 
    
   Step 4 
    
        Use the action list to decide on the actions that need to be 
        enforced on the traffic 
    
                          
    
10   Extending the IPVPN Policy Schema 
    
   The IPVPN policy schema can be extended to adapt to the changing 
   landscape of technologies and classification criteria. It is 
   anticipated that the following areas will be extended more often 
   than the others: 
  
    
   1. PolicyTag 
      The policy tag subclasses may be extended to include new schemes 
      for identifying a network as well as new applications. 
      The ApplicationTag class is abstract and needs to be extended 
      with protocol-specific filters. 
       
   2. PolicyAction 
      The policy action class may be extended to include new actions 
      that support new IP services or better implementations of 
      existing IP services. 
    
11   Security Considerations 
 
   The security considerations of this document are the same as those 
   of [PCIM]. In particular, the repository holding instances of the 
   action classes defined here (FirewallAction, NATAction, IPSECAction, 
   MPLSAction) directly determines what the enforcers permit, translate 
   and protect, so write access to it must be restricted at least as 
   tightly as administrative access to the enforcers themselves. 
    
    
12   References 
    
 
   [1] Bradner, S., "The Internet Standards Process -- Revision 3", 
       BCP 9, RFC 2026, October 1996. 
    
   [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 
       Levels", BCP 14, RFC 2119, March 1997. 
    
   [PFRAME] W. Weiss, H. Mahon, B. Moore, J. Strassner, G. Waters, A. 
   Westerinen, J. Wheeler, "Policy Framework", draft-ietf-policy-
   framework-00.txt, September 1999. 
    
   [PCIM] J. Strassner, E. Ellesson, B. Moore, "Policy Framework Core 
   Information Model", draft-ietf-policy-core-info-model-06.txt, May 
   2000. 
    
   [PCIM-LDAP] J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy 
   Framework LDAP Core Schema", draft-ietf-policy-core-schema-06.txt, 
   November 1999. 
    
   [QOSIM] Y. Snir, Y. Ramberg, J. Strassner, R. Cohen, "Policy 
   Framework QoS Information Model", draft-ietf-policy-qos-info-model-
   01.txt, April 2000. 
    
   [QOSIM-LDAP] Y. Snir, Y. Ramberg, J. Strassner, R. Cohen, "QoS Policy 
   Schema", draft-ietf-policy-qos-schema-01.txt, February 2000. 
    
   [SPSL] M. Condell, C. Lynn, J. Zao, "Security Policy Specification 
   Language", draft-ietf-ipsp-spsl-00.txt, March 2000. 
    
   [IPSECIM] J. Jason, "IPsec Configuration Policy Model", draft-ietf-
   ipsp-config-policy-model-00.txt, March 2000. 
  

 
13   Author's Addresses 
    
   Mahadevan Iyer 
   Alcatel Inc 
   595 Yosemite Blvd, Milpitas, CA 
   Phone: 408 586 7687 
   Email: iyer@internetdevices.com 
    
Full Copyright Statement 
 

   "Copyright (C) The Internet Society (date). All Rights Reserved. 
   This document and translations of it may be copied and furnished to 
   others, and derivative works that comment on or otherwise explain it 
   or assist in its implementation may be prepared, copied, published 
   and distributed, in whole or in part, without restriction of any 
   kind, provided that the above copyright notice and this paragraph 
   are included on all such copies and derivative works. However, this 
   document itself may not be modified in any way, such as by removing 
   the copyright notice or references to the Internet Society or other 
   Internet organizations, except as needed for the purpose of 
   developing Internet standards in which case the procedures for 
   copyrights defined in the Internet Standards process must be 
   followed, or as required to translate it into