Policy Framework (policy)                M. Iyer, R. Kale, L. Apsani, S. Iyer
Internet Draft                                                         Alcatel
draft-iyer-policy-ipvpn-info-model-00.txt                           June, 2000
Category: Informational


                        IP VPN Policy Information Model


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document presents the object-oriented information model for
   representing the policy information associated with provisioning IP
   VPN services such as firewall, address translation, quality of
   service and encryption. This draft extends the core policy
   information model to cover the policies that need to be enforced to
   configure the IP VPN services mentioned above. The information model
   defined in this document is independent of any implementation
   specifics related to the repository used to store the policy
   information.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [2].

Table of Contents

   1.  Introduction
   2.  UML Conventions
   3.  Inheritance Hierarchy
   4.  Containment Hierarchy
   5.  IPVPN Policy Definition
   6.  Policy Rule Class
   7.  Policy Condition Classes
   8.  Policy Action Classes
   9.  Policy Decision Process
   10. Extending the IPVPN Policy Schema


Iyer, Kale, Apsani, Iyer     Expires January 2001                  [Page 1]

Internet Draft          IP VPN Policy Information Model           June 2000


1. Introduction

   The term IP VPN is used to denote VPN services delivered over an IP
   network. The goal of IP VPN provisioning is to align the network
   elements to provide consistent treatment to selected pieces of IP
   traffic. The network elements will require a combination of
   capabilities depending largely on their location in the topology and
   the technology being used. The classification and treatment of the
   traffic should be technology independent. However, the models
   described in this document will lend themselves to easier
   implementation over certain standardized technologies in each of the
   traffic treatment areas.

   The IP VPN policy information model is based on the Policy Framework
   Core Information Model [PCIM]. The core model has been extended to
   address the requirement that network elements deliver the services
   required by the network user. The network elements receive their
   configuration in the form of policies. The policies are stored and
   distributed using the policy framework described in [PFRAME].

   The IP VPN policy information model references classes from the
   Policy Framework Core Information Model [PCIM], the QoS Policy
   Information Model [QOSIM] and the IPSEC Configuration Policy Model
   [IPSECIM]. The corresponding LDAP implementations could be built
   based on the Policy Framework LDAP Core Schema [PCIM-LDAP] and QoS
   Policy Schema [QOSIM-LDAP] implementations.

   This document is organized as follows:

   1. Section 2 provides a quick introduction to the Unified Modeling
      Language (UML) graphical notation used in this document
   2. Section 3 defines the inheritance hierarchy in the context of the
      policy core information model
   3. Section 4 defines the containment hierarchy in the context of the
      policy core information model
   4. Section 5 provides an overview of the IP VPN policy definition and
      introduces the condition and action classes for IP VPN policies
   5. Section 6 revisits the Policy Rule class [PCIM]
   6. Section 7 provides details on the policy condition classes and
      their attributes
   7. Section 8 provides details on the policy action classes and their
      attributes
   8. Section 9 explains the policy selection process, which extends the
      selection model described in the policy core information model
   9. Section 10 deals with extending the IP VPN policy schema

2. UML Notation

   The information model is presented in this document using UML
   notation, since it is a well accepted standard and provides a task
   independent way to model systems.

   1. Boxes represent classes.
   2. An "o" denotes an aggregation. An aggregation is essentially a
      reference.
   3. An "x" denotes containment. A contained object is owned entirely
      by the container.
   4. The association line may be annotated with a "multiplicity",
      which indicates the number of objects aggregated or contained.
      - a range of the form "a..b" indicates the minimum and maximum
        number of objects
      - an asterisk "*" indicates any number of objects

3. Inheritance Hierarchy

   Policy
    |
    +----PolicyGroup[PCIM]
    |     +-------IPVPNPolicyDomain
    |     +-------IPVPNAdministrationPolicyList
    |     +-------IPVPNSignallingPolicyList
    |     +-------IPVPNEnforcementPolicyList
    |     +-------IPVPN
    |     +-------FirewallPolicyList
    |     +-------QoSPolicyList
    |     +-------NATPolicyList
    |     +-------SecurityPolicyList
    |
    +----PolicyRule[PCIM]
    |
    +----PolicyConditionInPolicyRule[PCIM]
    |
    +----PolicyCondition[PCIM]
    |     +-------PolicyTimePeriodCondition[PCIM]
    |     +-------VendorPolicyCondition[PCIM]
    |     +-------PolicyTagCondition
    |     +-------TrafficProfileCondition
    |
    +----PolicyTag
    |     +-------NetworkTag
    |     |        +-------L2NetworkTag
    |     |        +-------L3NetworkTag
    |     +-------ApplicationTag
    |     +-------UserProfileTag
    |     +-------EnforcerProfileTag
    |     +-------NetworkGroupTag
    |     +-------ApplicationGroupTag
    |     +-------UserGroupTag
    |     +-------EnforcerGroupTag
    |
    +----PolicyActionInPolicyRule[PCIM]
    |
    +----PolicyAction[PCIM]
          +-------VendorPolicyAction[PCIM]
          +-------FirewallAction
          +-------QoSAction
          |        +-------ShapingAction
          |        +-------MarkingAction
          +-------NATAction
          +-------SecurityAction
                   +-------IPSECAction
                   +-------MPLSAction
4. Containment Hierarchy

   The containment ("x") and aggregation ("o") relationships of the
   model, with their multiplicities, are as follows:

   PolicyRepository
     x 1..n  IPVPNPolicyDomain
               x 1     IPVPNAdministrationPolicyList
               x 1     IPVPNSignallingPolicyList
               x 1     IPVPNEnforcementPolicyList
                         x 1..n  IPVPN
                                   x 1     FirewallPolicyList
                                   x 1     QoSPolicyList
                                   x 1     NATPolicyList
                                   x 1     SecurityPolicyList
                                   x 1..n  PolicyTagCondition
                                             o 1  PolicyTag
                                                  (NetworkTag, NetworkGroupTag,
                                                   UserProfileTag or UserGroupTag)
               x 1     PolicyTagRoot
                         x  ResourceTag
                              x *  NetworkTag          o 1..n  NetworkGroupTag
                              x *  UserProfileTag      o 1..n  UserGroupTag
                              x *  ApplicationTag      o 1..n  ApplicationGroupTag
                              x *  EnforcerProfileTag  o 1..n  EnforcerGroupTag
                         x  ResourceGroupTag
                              x *  NetworkGroupTag
                              x *  UserGroupTag
                              x *  ApplicationGroupTag
                              x *  EnforcerGroupTag

   AnyPolicyList
     x 1..n  AnyPolicyRule
               x 1..n  PolicyConditionInPolicyRule
                         x 1  PolicyTagCondition
               o 1..n  PolicyTimePeriodCondition
               x 1..n  PolicyActionInPolicyRule
                         x 1  AnyAction

   "Any" represents one of Firewall, QoS, NAT or Security policies.

5. Container Classes

5.1 PolicyRepository[PCIM]

   This class represents the physical policy repository. It is defined
   in [PCIM].

5.2 PolicyGroup[PCIM]

   This class is a base class for the IPVPN policy lists. The class is
   defined in [PCIM].

5.3 IPVPNPolicyDomain

   The policy domain represents an integral policy database. Policy
   objects within the domain do not have references to any objects
   outside of the domain.
      NAME            IPVPNPolicyDomain
      DESCRIPTION     The class for representing the policy domain under
                      which there is an entire policy database
                      consisting of policy rules, policy conditions,
                      policy actions and policy tags.
      DERIVED FROM    PolicyGroup
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

5.4 IPVPNAdministrationPolicyList

   The list of policies that apply to the administration of the policy
   domain. The administration policies are not defined in this
   document, but need to be defined in a future draft. The Security
   Policy Specification Language [SPSL] serves as a good data point for
   defining the administration policy schema.

      NAME            IPVPNAdministrationPolicyList
      DESCRIPTION     The class for representing the list of policies
                      which control the administration of the policy
                      domain.
      DERIVED FROM    PolicyGroup
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

5.5 IPVPNSignalingPolicyList

   The list of policies that apply to the handling of signaling traffic
   used to create dynamic policies. The signaling policies are not
   defined in this document, but need to be defined in a future draft.

      NAME            IPVPNSignalingPolicyList
      DESCRIPTION     The class for representing the list of policies
                      which control the ability of agents within the
                      network to use signaling to dynamically install
                      policies. A signaling policy can reference
                      enforcement policies.
      DERIVED FROM    PolicyGroup
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

5.6 IPVPNEnforcementPolicyList

   The list of policies that apply to the policy domain. These policies
   are enforced by the policy elements that belong to the policy
   domain.
      NAME            IPVPNEnforcementPolicyList
      DESCRIPTION     The class for representing the list of policies
                      which need to be enforced on the traffic by
                      policy enforcers within the network.
      DERIVED FROM    PolicyGroup
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

5.7 IPVPN

   The IPVPN represents the IPVPN policy set that is to be applied to
   the traffic. This is a first pass classification that decides the
   IPVPN membership of the traffic. A possible future modification of
   the IPVPN class is that it can be nested within a larger IPVPN. When
   nested, the IPVPN cannot contain policy lists.

      NAME            IPVPN
      DESCRIPTION     The class for representing the conditions used to
                      determine the IPVPN membership of the traffic and
                      the policy set to be applied to the traffic.
      DERIVED FROM    PolicyGroup
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

5.8 FirewallPolicyList

   The list of firewall policies that need to be applied to the traffic
   within an IPVPN.

      NAME            FirewallPolicyList
      DESCRIPTION     The class for representing the list of firewall
                      policies which need to be enforced on the IPVPN
                      traffic by policy enforcers within the network.
      DERIVED FROM    PolicyGroup
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

5.9 QoSPolicyList

   The list of QoS policies that need to be applied to the traffic
   within an IPVPN.

      NAME            QoSPolicyList
      DESCRIPTION     The class for representing the list of QoS
                      policies which need to be enforced on the IPVPN
                      traffic by policy enforcers within the network.
      DERIVED FROM    PolicyGroup
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

5.10 NATPolicyList

   The list of NAT policies that need to be applied to the traffic
   within an IPVPN.
      NAME            NATPolicyList
      DESCRIPTION     The class for representing the list of NAT
                      policies which need to be enforced on the IPVPN
                      traffic by policy enforcers within the network.
      DERIVED FROM    PolicyGroup
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

5.11 SecurityPolicyList

   The list of security policies that need to be applied to the traffic
   within an IPVPN.

      NAME            SecurityPolicyList
      DESCRIPTION     The class for representing the list of security
                      policies which need to be enforced on the IPVPN
                      traffic by policy enforcers within the network.
      DERIVED FROM    PolicyGroup
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

5.12 PolicyConditionInPolicyRule[PCIM]

   The policy core information model class. This class is defined in
   [PCIM]. It associates the policy condition with the policy rule.

5.13 PolicyActionInPolicyRule[PCIM]

   The policy core information model class. This class is defined in
   [PCIM]. It associates the policy action with the policy rule.

6. PolicyRule Class

   This class represents the core policy class, which is defined in
   [PCIM]. The attributes of the PolicyRule are repeated in this
   document for convenience.

      NAME            PolicyRule
      DESCRIPTION     The central class for representing the "If
                      Condition then Action" semantics associated with
                      a policy rule.
      DERIVED FROM    Policy
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      CreationClassName[key]
                      PolicyRuleName[key]
                      Enabled
                      ConditionListType
                      RuleUsage
                      Priority
                      Mandatory
                      SequencedActions
                      PolicyRoles

7. Condition Classes

7.1 PolicyCondition[PCIM]

   The policy core information model class. This class is defined in
   [PCIM].

7.2 PolicyTimePeriodCondition[PCIM]

   The policy core information model class. This class is defined in
   [PCIM].

7.3 VendorPolicyCondition[PCIM]

   The policy core information model class. This class is defined in
   [PCIM].

7.4 PolicyTag

   A policy tag associates a tag with networks, applications, user
   profiles, enforcer profiles etc. A policy condition can be defined
   in terms of policy tags.

      NAME            PolicyTag
      DESCRIPTION     The class for representing a tagged network,
                      application, user profile or enforcer profile. A
                      policy condition can be defined in terms of policy
                      tags.
      DERIVED FROM    Policy
      ABSTRACT        TRUE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

   The known sub classes of this abstract class are NetworkTag,
   ApplicationTag, UserProfileTag and EnforcerProfileTag.

7.5 PolicyTagCondition

   A policy tag condition is a policy condition that references policy
   tags. The different types of policy tags are defined in the
   following sections.

      NAME            PolicyTagCondition
      DESCRIPTION     The class for representing the condition part of
                      the "If Condition then Action" semantics
                      associated with a policy rule.
      DERIVED FROM    PolicyCondition
      ABSTRACT        TRUE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      PolicyTagType
                      PolicyTagValue

7.5.1 The property PolicyTagType

   The policy tag type property defines the type of the policy tag
   value specified in the PolicyTagValue property.

      NAME            PolicyTagType
      DESCRIPTION     The policy tag value type
      SYNTAX          integer
      VALUES          SourceNetwork(1), DestNetwork(2), Application(3),
                      User(4)

7.5.2 The property PolicyTagValue

   The policy tag value specifies a policy tag value to be matched in
   order to select the appropriate policy.

      NAME            PolicyTagValue
      DESCRIPTION     The policy tag value
      SYNTAX          string
      VALUES          MultiValued

7.6 TrafficProfileCondition

   Specifies the traffic metering that needs to be applied to the
   traffic to determine whether it conforms or does not conform to the
   profile. The condition itself could be either "conforms to" or "does
   not conform to" a certain metering spec.
   The traffic profile condition class and its sub classes are defined
   in [QOSIM].

7.7 NetworkTag

   Specifies the association of a network to a network policy tag.

      NAME            NetworkTag
      DESCRIPTION     The class for representing the association of a
                      network to a policy tag
      DERIVED FROM    PolicyTag
      ABSTRACT        TRUE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      NetworkGroupTagName

7.7.1 The property NetworkGroupTagName

   The group memberships of this network tag.

      NAME            NetworkGroupTagName
      DESCRIPTION     The group membership of the network tag
      SYNTAX          string
      VALUES          MultiValued

7.8 L2NetworkTag

   Specifies the L2 parameters for the source or destination network
   associated with the network tag. This includes MAC addresses, VLAN
   tags and such other layer 2 characteristics of the IP packet.

      NAME            L2NetworkTag
      DESCRIPTION     The class for representing the association of a
                      layer 2 network to a policy tag.
      DERIVED FROM    NetworkTag
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      L2TagType
                      L2TagValue

7.8.1 The property L2TagType

   The L2TagType defines the type of the L2 tag value specified in the
   L2TagValue property.

      NAME            L2TagType
      DESCRIPTION     The L2 tag value type
      SYNTAX          string
      VALUES          VLAN, 802.1Q

7.8.2 The property L2TagValue

   The L2TagValue specifies an L2 tag value to be matched in order to
   match a condition.

      NAME            L2TagValue
      DESCRIPTION     The L2 tag value
      SYNTAX          string
      VALUES          MultiValued

7.9 L3NetworkTag

   Specifies the L3 parameters for the source or destination network
   associated with the network tag.

      NAME            L3NetworkTag
      DESCRIPTION     The class for representing the association of a
                      layer 3 network to a policy tag.
      DERIVED FROM    NetworkTag
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      IPAddressType
                      IPAddressValue
                      Netmask

7.9.1 The property IPAddressType

   The IPAddressType defines the type of the IP address value specified
   in the IPAddressValue property.

      NAME            IPAddressType
      DESCRIPTION     The IPAddress value type
      SYNTAX          string
      VALUES          ipv4, ipv6

7.9.2 The property IPAddressValue

   The IPAddressValue specifies an IP address value to be matched in
   order to match a condition.

      NAME            IPAddressValue
      DESCRIPTION     The IPAddress value
      SYNTAX          string

7.9.3 The property Netmask

   The Netmask specifies a subnet mask to be matched in order to match
   an L3 network condition.

      NAME            Netmask
      DESCRIPTION     The netmask value to be used to match the L3
                      network condition
      SYNTAX          string

7.10 ApplicationTag

   Specifies the L4-L7 characteristics of the packet, including
   application level decodes which require stateful inspection of the
   packet, e.g. HTTP, FTP, SMTP, TELNET, etc.

      NAME            ApplicationTag
      DESCRIPTION     The class for representing the association of an
                      application to a policy tag
      DERIVED FROM    PolicyTag
      ABSTRACT        TRUE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      ApplicationGroupTagName

   This class will have several sub classes which reflect the
   application protocol classification granularity. In the most common
   case a sub class could define the TCP/UDP ports being used by an
   application.

7.10.1 The property ApplicationGroupTagName

   The group memberships of this application tag.

      NAME            ApplicationGroupTagName
      DESCRIPTION     The group membership of the application tag
      SYNTAX          string
      VALUES          MultiValued

7.11 UserProfileTag

   Specifies a user profile, which is deduced from the mode of
   authentication of the user. The user profile is associated with a
   tag. This could be a filter for the subject name within a
   certificate or a domain name entered by the user, e.g.
   joe@company.com.
      NAME            UserProfileTag
      DESCRIPTION     The class for representing the association of a
                      user profile to a policy tag.
      DERIVED FROM    PolicyTag
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      UserProfileFilter
                      UserGroupTagName

7.11.1 The property UserProfileFilter

   The profile filter to be used to associate a user with a
   UserProfileTag.

      NAME            UserProfileFilter
      DESCRIPTION     The user profile filter to be used to associate a
                      profile with a logged-in user
      SYNTAX          string

7.11.2 The property UserGroupTagName

   The group memberships for the user profile tag.

      NAME            UserGroupTagName
      DESCRIPTION     The group membership of the user profile filter
      SYNTAX          string
      VALUES          MultiValued

7.12 EnforcerProfileTag

   Specifies an enforcer profile and the associated tag. The tag is
   used to give the administrator flexibility in deciding where the
   policies will be installed.

      NAME            EnforcerProfileTag
      DESCRIPTION     The class for representing the different enforcer
                      profiles in the network environment.
      DERIVED FROM    PolicyTag
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      EnforcerProfileFilter
                      EnforcerGroupTagName

7.12.1 The property EnforcerProfileFilter

   The profile filter to be used to identify a tag for the enforcer.

      NAME            EnforcerProfileFilter
      DESCRIPTION     The profile filter to be used to identify the
                      enforcer tag
      SYNTAX          string

7.12.2 The property EnforcerGroupTagName

   The group memberships of the enforcer identified in the enforcer
   profile.

      NAME            EnforcerGroupTagName
      DESCRIPTION     The group membership of the enforcer tag
      SYNTAX          string
      VALUES          MultiValued

7.13 NetworkGroupTag

   Specifies the network group tags which can in turn be referenced by
   NetworkTags and policies. Traffic that matches a network tag implies
   that it matches the network group tags mentioned in the network tag.
      NAME            NetworkGroupTag
      DESCRIPTION     The class for representing the network group tag
                      which can be referenced by NetworkTags and
                      policies.
      DERIVED FROM    PolicyTag
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

7.14 ApplicationGroupTag

   Specifies the application group tags that can be referenced by
   ApplicationTags and policies.

      NAME            ApplicationGroupTag
      DESCRIPTION     The class for representing the application group
                      tag which can be referenced by ApplicationTags and
                      policies
      DERIVED FROM    PolicyTag
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

7.15 UserGroupTag

   Specifies the user group tags that can be referenced by UserTags and
   policies.

      NAME            UserGroupTag
      DESCRIPTION     The class for representing the user group tag
                      which can be referenced by UserTags and policies.
      DERIVED FROM    PolicyTag
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

7.16 EnforcerGroupTag

   Specifies the enforcer group tags that can be referenced by
   EnforcerTags and policies.

      NAME            EnforcerGroupTag
      DESCRIPTION     The class for representing the enforcer group tag
                      which can be referenced by EnforcerTags and IPVPNs
      DERIVED FROM    PolicyTag
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

8. Policy Action Classes

8.1 FirewallAction

   Specifies the firewall action to be enforced, such as drop, pass,
   log, alert etc. The list of possible actions is limited by the
   attributes in the action object.

      NAME            FirewallAction
      DESCRIPTION     The class for representing the firewall action of
                      the "If Condition then Action" semantics
                      associated with a policy rule.
      DERIVED FROM    PolicyAction
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      Action

8.1.1 The property Action

   The action defines the type of firewall action to be enforced.

      NAME            Action
      DESCRIPTION     The firewall action to be enforced
      SYNTAX          string
      VALUES          Allow/Allow&Log/Allow&Alarm/Deny/Deny&Log/Deny&Alarm

8.2 QoSAction

   Specifies the QoS action to be applied to the traffic, which could
   be shaping or marking or both.

      NAME            QoSAction
      DESCRIPTION     The class for representing the QoS action of the
                      "If Condition then Action" semantics associated
                      with a policy rule.
      DERIVED FROM    PolicyAction
      ABSTRACT        TRUE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

8.2.1 ShapingAction

   Specifies the shaping action to be applied to the traffic. The
   action would indicate the quality of service that needs to be
   applied to the traffic. The QoS to be granted will be indicated
   using one of three possible metrics, i.e. TOS levels, DSCP levels,
   or absolute values for QoS parameters (minimum, maximum, jitter,
   latency, packet loss etc.).

      NAME            ShapingAction
      DESCRIPTION     The class for representing the QoS shaping action
                      of the "If Condition then Action" semantics
                      associated with a policy rule.
      DERIVED FROM    PolicyAction
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      QpPHBSet[QOSIM]

8.2.1.1 The property qpPHBSet

   The PHBSet defines the per hop behavior to be enforced for the
   traffic. This would typically include TOSLevels, DSCP,
   AFDropPrecedence, QoS-Minimum, QoS-Maximum, QoS-Priority,
   QoS-Jitter, QoS-Latency, QoS-PacketLoss. [QOSIM] provides a
   description of the Per Hop Behaviour (PHB) to be modeled.

8.2.2 MarkingAction

   Specifies the marking action to be applied to the traffic. The
   marker to be used would indicate the quality of service that needs
   to be applied to the traffic once the packet leaves the enforcer.
   The markings include TOS, DiffServ and 802.1Q.

      NAME            MarkingAction
      DESCRIPTION     The class for representing the QoS marking action
                      of the "If Condition then Action" semantics
                      associated with a policy rule.
      DERIVED FROM    PolicyAction
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      QpPHBSet[QOSIM]

8.2.2.1 The property qpPHBSet

   The PHBSet defines the per hop behavior to be enforced for the
   traffic. This would typically include TOSLevels, DSCP,
   AFDropPrecedence, QoS-Minimum, QoS-Maximum, QoS-Priority,
   QoS-Jitter, QoS-Latency, QoS-PacketLoss. [QOSIM] provides a
   description of the Per Hop Behaviour (PHB) to be modeled.

8.5 NATAction

   Specifies which source addresses need to be translated, and to what
   new source addresses.

      NAME            NATAction
      DESCRIPTION     The class for representing the network address
                      translation action of the "If Condition then
                      Action" semantics associated with a policy rule.
      DERIVED FROM    PolicyAction
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      OriginalIPAddress
                      OriginalNetmask
                      FinalIPAddress
                      FinalNetmask

8.5.1 The property OriginalIPAddress

   Specifies the original set of IP addresses that needs to be
   translated.

      NAME            OriginalIPAddress
      DESCRIPTION     The original IP address that needs to be
                      translated.
      SYNTAX          string

8.5.2 The property OriginalNetmask

   Specifies the original IP subnet that needs to be translated.

      NAME            OriginalNetmask
      DESCRIPTION     The original IP subnet that needs to be
                      translated.
      SYNTAX          string

8.5.3 The property FinalIPAddress

   Specifies the IP addresses to be used during the translation.

      NAME            FinalIPAddress
      DESCRIPTION     Specifies the IP addresses to be used for
                      translation
      SYNTAX          string

8.5.4 The property FinalNetmask

   Specifies the IP subnet to be used during translation.

      NAME            FinalNetmask
      DESCRIPTION     Specifies the IP subnet to be used during
                      translation
      SYNTAX          string

8.6 SecurityAction

   Specifies the security parameters to be used for authentication,
   encryption and encapsulation of the traffic.

      NAME            SecurityAction
      DESCRIPTION     The class for representing the security action of
                      the "If Condition then Action" semantics
                      associated with a policy rule.
      DERIVED FROM    PolicyAction
      ABSTRACT        TRUE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]

8.7 IPSECAction

   Specifies the various IPSEC parameters to be used when applying
   IPSEC encryption to the traffic, using specific AH and ESP settings.

      NAME            IPSECAction
      DESCRIPTION     The class for representing the IPSEC security
                      action of the "If Condition then Action"
                      semantics associated with a policy rule.
      DERIVED FROM    SecurityAction
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      IPSECSecurityAction[IPSECIM]

8.7.1 The property IPSecSecurityAction

   The property IPSecSecurityAction is a reference to an instance of a
   SecurityAssociationAction object defined in [IPSECIM]. The
   definition of the SecurityAssociationAction includes IKE and IPSEC
   values for key negotiation, authentication, encryption and key
   expiry.

8.8 MPLSAction

   Specifies the various MPLS parameters to be used when using MPLS
   tunnels to transport the traffic, providing security through traffic
   segregation.

      NAME            MPLSAction
      DESCRIPTION     The class for representing the MPLS security
                      action of the "If Condition then Action"
                      semantics associated with a policy rule.
      DERIVED FROM    SecurityAction
      ABSTRACT        FALSE
      PROPERTIES      CIM_System.CreationClassName[key]
                      CIM_System.Name[key]
                      MPLSSecurityAction

8.8.1 The property MPLSSecurityAction

   The property MPLSSecurityAction is a reference to an instance of a
   SecurityAssociationAction object to be defined under the MPLS policy
   specification. It is anticipated that a policy information model for
   MPLS configuration will soon be available. The definition of the
   SecurityAssociationAction includes the information required to set
   up an LSP (Label Switched Path) to provide the traffic with the
   required security and level of service. In a practical enforcement
   scenario the policy conditions will result in a FEC (Forwarding
   Equivalence Class) and the MPLSSecurityAction will result in the LSP
   being set up. The action could include the signaling protocol
   (RSVP/CR-LDP) to be used, constraint based routing directives and
   traffic engineering parameters. There will be a potential overlap
   with the QoS actions specified earlier.

9. Policy Decision Process

   The policy decision process consists of the following steps:

   Step 1  Identify the User characteristics of the traffic, if
           possible. Identify the Network characteristics of the
           traffic.

   Step 2  Match the PolicyTagConditions for the User and Network
           characteristics to determine the IPVPN.

   Step 3  Within the IPVPN, match the SourceNetworkConditions,
           DestNetworkConditions, UserConditions,
           ApplicationConditions and TimePeriodConditions to determine
           the policy that matches.

   Step 4  Use the action list to decide on the actions that need to
           be enforced on the traffic.

10. Extending the IPVPN Policy Schema

   The IPVPN policy schema can be extended to adapt to the changing
   landscape of technologies and classification criteria.
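   Returning to the decision process of Section 9: the following Python
   is an added illustration, not part of this draft, that runs Steps 1
   to 4 over a constructed mini-repository of L3NetworkTags (Section
   7.9) with NetworkGroupTag memberships (Section 7.13),
   PolicyTagConditions (Section 7.5), one IPVPN (Section 5.7) and two
   PolicyRules, and then applies the FirewallAction (Section 8.1) and
   NATAction (Section 8.5) of the winning rule. Class and property names
   follow the draft; the sample tags, addresses, priorities and the
   default-deny result for traffic that matches no IPVPN or rule are
   assumptions of the example.

```python
# Added example, not from the draft: Steps 1-4 of Section 9 over a constructed repository
# of the draft's classes; sample data and the default-deny fallback are assumptions here.
import ipaddress
from dataclasses import dataclass

def _net(address, netmask):             # the draft carries IPAddressValue and Netmask separately
    return ipaddress.IPv4Network(f"{address}/{netmask}")

@dataclass
class L3NetworkTag:                     # 7.9, with NetworkGroupTagName from 7.7.1
    name: str
    ip_address_value: str
    netmask: str
    network_group_tag_name: tuple = ()  # MultiValued
    def matches(self, ip):
        return ipaddress.IPv4Address(ip) in _net(self.ip_address_value, self.netmask)

@dataclass
class PolicyTagCondition:               # 7.5: PolicyTagType plus MultiValued PolicyTagValue
    policy_tag_type: str                # SourceNetwork | DestNetwork | Application | User
    policy_tag_value: frozenset
    def matches(self, traits):          # satisfied if the traffic carries any listed tag
        return bool(self.policy_tag_value & traits[self.policy_tag_type])

@dataclass
class FirewallAction:                   # 8.1
    action: str                         # Allow, Allow&Log, Allow&Alarm, Deny, Deny&Log, Deny&Alarm

@dataclass
class NATAction:                        # 8.5: rewrite Original-subnet source addresses into the Final subnet
    original_ip_address: str
    original_netmask: str
    final_ip_address: str
    final_netmask: str
    def translate(self, ip):            # keeps the host bits; addresses outside Original pass unchanged
        orig = _net(self.original_ip_address, self.original_netmask)
        final = _net(self.final_ip_address, self.final_netmask)
        if orig.prefixlen != final.prefixlen:
            raise ValueError("OriginalNetmask and FinalNetmask must describe equal-size subnets")
        addr = ipaddress.IPv4Address(ip)
        if addr not in orig:
            return ip
        host = int(addr) & int(orig.hostmask)
        return str(ipaddress.IPv4Address(int(final.network_address) | host))

@dataclass
class PolicyRule:                       # 6: "If Condition then Action"; conditions are ANDed
    name: str
    priority: int
    conditions: list
    actions: list

@dataclass
class IPVPN:                            # 5.7: membership conditions plus the rules of its policy lists
    name: str
    membership: list
    rules: list

def classify(packet, network_tags):     # Step 1: user and network characteristics of the traffic
    traits = {"SourceNetwork": set(), "DestNetwork": set(),
              "Application": {packet["application"]}, "User": {packet.get("user", "anonymous")}}
    for tag in network_tags:
        for key, ip in (("SourceNetwork", packet["src"]), ("DestNetwork", packet["dst"])):
            if tag.matches(ip):         # matching a NetworkTag implies its NetworkGroupTags (7.13)
                traits[key].update((tag.name, *tag.network_group_tag_name))
    return traits

def decide(packet, network_tags, ipvpns):
    traits = classify(packet, network_tags)
    for vpn in ipvpns:                  # Step 2: PolicyTagConditions decide IPVPN membership
        if all(c.matches(traits) for c in vpn.membership):
            hits = [r for r in vpn.rules if all(c.matches(traits) for c in r.conditions)]  # Step 3
            best = max(hits, key=lambda r: r.priority, default=None)   # highest Priority wins
            return vpn.name, best and best.name, best.actions if best else []   # Step 4
    return None, None, []

NETWORK_TAGS = [                        # constructed sample tags
    L3NetworkTag("branch-lan", "10.1.0.0", "255.255.0.0", ("corp-sites",)),
    L3NetworkTag("hq-servers", "10.9.8.0", "255.255.255.0", ("corp-sites", "datacenter"))]
IPVPNS = [IPVPN("corp-vpn",             # constructed sample IPVPN
    membership=[PolicyTagCondition("SourceNetwork", frozenset({"corp-sites"})),
                PolicyTagCondition("DestNetwork", frozenset({"corp-sites"}))],
    rules=[PolicyRule("deny-telnet", 20, [PolicyTagCondition("Application", frozenset({"TELNET"}))],
                      [FirewallAction("Deny&Log")]),
           PolicyRule("branch-to-dc", 10,
                      [PolicyTagCondition("SourceNetwork", frozenset({"branch-lan"})),
                       PolicyTagCondition("DestNetwork", frozenset({"datacenter"}))],
                      [FirewallAction("Allow"),
                       NATAction("10.1.0.0", "255.255.0.0", "172.16.0.0", "255.255.0.0")])])]

def enforce(packet, network_tags=NETWORK_TAGS, ipvpns=IPVPNS):
    vpn, rule, actions = decide(packet, network_tags, ipvpns)
    verdict, src = "Deny", packet["src"]   # unmatched traffic: default deny (assumption)
    for a in actions:
        if isinstance(a, FirewallAction):
            verdict = a.action
        elif isinstance(a, NATAction) and verdict.startswith("Allow"):
            src = a.translate(src)      # translate only traffic that is let through
    return {"ipvpn": vpn, "rule": rule, "verdict": verdict, "src": src}
```

   A packet from 10.1.2.3 to 10.9.8.7 carrying HTTP selects corp-vpn and
   the branch-to-dc rule, is allowed, and leaves with source 172.16.2.3;
   the same packet carrying TELNET is caught by the higher-priority
   deny-telnet rule instead.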
   It is anticipated that the following areas will be extended more
   often than the others:

   1. PolicyTag
      The policy tag sub classes may be extended to include new schemes
      of identifying a network as well as new applications. The
      ApplicationTag is an abstract class and needs to be extended with
      protocol specific filters.

   2. PolicyAction
      The policy action class may be extended to include new possible
      actions that can be added to support new IP services or better
      implementations of existing IP services.

11. Security Considerations

   The security considerations of this document are the same as those
   of [PCIM].

12. References

   [1]          Bradner, S., "The Internet Standards Process --
                Revision 3", BCP 9, RFC 2026, October 1996.

   [2]          Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [PFRAME]     W. Weiss, H. Mahon, B. Moore, J. Strassner, G. Waters,
                A. Westerinen, J. Wheeler, "Policy Framework",
                draft-ietf-policy-framework-00.txt, September 1999.

   [PCIM]       J. Strassner, E. Ellesson, B. Moore, "Policy Framework
                Core Information Model",
                draft-ietf-policy-core-info-model-06.txt, May 2000.

   [PCIM-LDAP]  J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy
                Framework LDAP Core Schema",
                draft-ietf-policy-core-schema-06.txt, November 1999.

   [QOSIM]      Y. Snir, Y. Ramberg, J. Strassner, R. Cohen, "Policy
                Framework QoS Information Model",
                draft-ietf-policy-qos-info-model-01.txt, April 2000.

   [QOSIM-LDAP] Y. Snir, Y. Ramberg, J. Strassner, R. Cohen, "QoS
                Policy Schema", draft-ietf-policy-qos-schema-01.txt,
                February 2000.

   [SPSL]       M. Condell, C. Lynn, J. Zao, "Security Policy
                Specification Language", draft-ietf-ipsp-spsl-00.txt,
                March 2000.

   [IPSECIM]    J. Jason, "IPsec Configuration Policy Model",
                draft-ietf-ipsp-config-policy-model-00.txt, March 2000.

13. Author's Addresses

   Mahadevan Iyer
   Alcatel Inc
   595 Yosemite Blvd, Milpitas, CA
   Phone: 408 586 7687
   Email: iyer@internetdevices.com

Full Copyright Statement

   "Copyright (C) The Internet Society (date). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into