Policy Framework Working Group Angelica Reyes INTERNET-DRAFT Antoni Barba Updates: draft-ietf-policy-core-schema-16 David Moron Technical University of Catalonia Marcus Brunner NEC Mircea Pana MetaSolv February 2003 Policy Core Extension LDAP Schema (PCELS) Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document defines a number of changes and extensions to the Policy Core LDAP Schema [PCLS] based on the specifications of the Policy Core Information Model Extensions [PCIM_EXT]. The changes include additional classes previously not covered, deprecation of some object classes defined in PCLS and changes to the existing class hierarchy in PCLS. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119. Reyes, et al. Expires: August 2003 [Page 1] INTERNET-DRAFT PCELS February 2003 Table of contents 1. Introduction....................................................3 2. Relationship to other Policy Framework Documents................3 3. Inheritance Hierarchy for PCELS.................................3 4. 
General Discussion of Mapping the Model Extensions to LDAP......6
   4.1 Summary of Class and Association Mappings....................6
   4.2 Summary of changes since PCLS................................10
   4.3 Attaching PolicyVariable and PolicyValues to
       PolicySimpleCondition and PolicySimpleAction.................10
   4.4 Aggregation of PolicyRules and PolicyGroups in PolicySets....10
   4.5 Aggregation of actions/conditions in PolicyRules and
       CompoundActions/Conditions...................................11
5. Class Definitions...............................................16
   5.1 The pcimePolicySet Class....................................16
   5.2 The Structural Class pcimePolicySetAssociation..............17
   5.3 The moved pcimGroup class...................................18
   5.4 The Deprecated Class pcimGroupContainmentAuxClass...........19
   5.5 The Deprecated Class pcimRuleContainmentAuxClass............19
   5.6 The three new pcimeRule classes.............................20
   5.7 The Structural Class pcimeConditionAssociation..............22
   5.8 The Structural Class pcimeActionAssociation.................22
   5.9 The Three Deprecated pcimRule classes.......................23
   5.10 The Deprecated Class pcimRuleConditionAssociation..........25
   5.11 The Deprecated Class pcimRuleActionAssociation.............25
   5.12 The Auxiliary Class pcimeSimpleConditionAuxClass...........26
   5.13 The Auxiliary Class pcimeCompoundConditionAuxClass.........27
   5.14 The Auxiliary Class pcimeCompoundFilterAuxClass............27
   5.15 The Auxiliary Class pcimeSimpleActionAuxClass..............28
   5.16 The Auxiliary Class pcimeCompoundActionAuxClass............28
   5.17 The Abstract Class pcimeVariable...........................29
   5.18 The Auxiliary Class pcimeExplicitVariableAuxClass..........30
   5.19 The Auxiliary Class pcimeImplicitVariableAuxClass..........30
   5.20 Subclasses of pcimeImplicitVariableAuxClass................31
   5.21 The Auxiliary Class pcimeValueAuxClass.....................34
   5.22 Subclasses of pcimeValueAuxClass...........................35
   5.23 The three new Reusable Container classes...................38
   5.24 The three deprecated Repository classes....................39
   5.25 The new class pcimeRoleCollection..........................40
6. Recommended Schema Extension Methods............................41
7. PCLS Data Migration Considerations..............................41
8. Security Considerations.........................................41
9. IANA Considerations.............................................42
   9.1 Object Identifiers...........................................42
   9.2 Object Identifier Descriptors................................42
10. References.....................................................43
11. Authors' Addresses.............................................43
12. Full Copyright Statement.......................................44
13. Appendix A: Issues.............................................44

1. Introduction

   Within the context of this document, the term 'PCELS' (Policy Core
   Extension LDAP Schema) is used to refer to the LDAP object class
   definitions contained in this document.

2. Relationship to other Policy Framework Documents

   This document contains an LDAP schema representing the classes
   defined in the Policy Core Information Model Extensions [PCIM_EXT].
   Other documents may subsequently be produced, with mappings of the
   same PCIM extensions to other storage or transport technologies.
   The document is an extension to [PCLS], which defines the mapping of
   the Policy Core Information Model [PCIM] to an LDAP schema.

3.
Inheritance Hierarchy for PCELS

   The following diagram illustrates the class hierarchy for the LDAP
   classes defined in [PCLS] and the LDAP classes defined in this
   document:

   top
    |
    +---dlm1ManagedElement (abstract)
    |   |
    |   +---pcimPolicy (abstract)
    |   |   |
    |   |   +---pcimePolicySet (abstract new)
    |   |   |   |
    |   |   |   +---pcimGroup (abstract moved)
    |   |   |   |   |
    |   |   |   |   +---pcimGroupAuxClass (auxiliary moved)
    |   |   |   |   |
    |   |   |   |   +---pcimGroupInstance (structural moved)
    |   |   |   |
    |   |   |   +---pcimeRule (abstract new)
    |   |   |       |
    |   |   |       +---pcimeRuleAuxClass (auxiliary new)
    |   |   |       |
    |   |   |       +---pcimeRuleInstance (structural new)
    |   |   |
    |   |   +---pcimRule (abstract deprecated)
    |   |   |   |
    |   |   |   +---pcimRuleAuxClass (auxiliary deprecated)
    |   |   |   |
    |   |   |   +---pcimRuleInstance (structural deprecated)
    |   |   |
    |   |   +---pcimRuleConditionAssociation (structural deprecated)
    |   |   +---pcimeConditionAssociation (structural new)
    |   |   +---pcimRuleValidityAssociation (structural)
    |   |   +---pcimRuleActionAssociation (structural deprecated)
    |   |   +---pcimeActionAssociation (structural new)
    |   |   +---pcimePolicySetAssociation (structural new)
    |   |   +---pcimPolicyInstance (structural)
    |   |   +---pcimElementAuxClass (auxiliary)
    |   |   +---pcimeRoleCollection (structural new)
    |   |
    |   +---dlm1ManagedSystemElement (abstract)
    |       |
    |       +---dlm1LogicalElement (abstract)
    |           |
    |           +---dlm1System (abstract)
    |               |
    |               +---dlm1AdminDomain (abstract)
    |                   |
    |                   +---pcimRepository (abstract deprecated)
    |                   |   |
    |                   |   +---pcimRepositoryAuxClass (auxiliary deprecated)
    |                   |   +---pcimRepositoryInstance (structural deprecated)
    |                   |
    |                   +---pcimeReusableContainer (abstract new)
    |                       |
    |                       +---pcimeReusableContainerAuxClass (auxiliary new)
    |                       +---pcimeReusableContainerInstance (structural new)
    |
    +---pcimConditionAuxClass (auxiliary)
    |   |
    |   +---pcimTPCAuxClass (auxiliary)
    |   +---pcimConditionVendorAuxClass (auxiliary)
    |   +---pcimeSimpleConditionAuxClass (auxiliary new)
    |   +---pcimeCompoundConditionAuxClass (auxiliary new)
    |       |
    |       +---pcimeCompoundFilterAuxClass (auxiliary new)
    |
    +---pcimActionAuxClass (auxiliary)
    |   |
    |   +---pcimActionVendorAuxClass (auxiliary)
    |   +---pcimeSimpleActionAuxClass (auxiliary new)
    |   +---pcimeCompoundActionAuxClass (auxiliary new)
    |
    +---pcimeVariable (abstract new)
    |   |
    |   +---pcimeExplicitVariableAuxClass (auxiliary new)
    |   +---pcimeImplicitVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimeSourceIPv4VariableAuxClass (auxiliary new)
    |       +---pcimeSourceIPv6VariableAuxClass (auxiliary new)
    |       +---pcimeDestinationIPv4VariableAuxClass (auxiliary new)
    |       +---pcimeDestinationIPv6VariableAuxClass (auxiliary new)
    |       +---pcimeSourcePortVariableAuxClass (auxiliary new)
    |       +---pcimeDestinationPortVariableAuxClass (auxiliary new)
    |       +---pcimeIPProtocolVariableAuxClass (auxiliary new)
    |       +---pcimeIPVersionVariableAuxClass (auxiliary new)
    |       +---pcimeIPToSVariableAuxClass (auxiliary new)
    |       +---pcimeDSCPVariableAuxClass (auxiliary new)
    |       +---pcimeFlowIDVariableAuxClass (auxiliary new)
    |       +---pcimeSourceMACVariableAuxClass (auxiliary new)
    |       +---pcimeDestinationMACVariableAuxClass (auxiliary new)
    |       +---pcimeVLANVariableAuxClass (auxiliary new)
    |       +---pcimeCoSVariableAuxClass (auxiliary new)
    |       +---pcimeEthertypeVariableAuxClass (auxiliary new)
    |       +---pcimeSourceSAPVariableAuxClass (auxiliary new)
    |       +---pcimeDestinationSAPVariableAuxClass (auxiliary new)
    |       +---pcimeSNAPOUIVariableAuxClass (auxiliary new)
    |       +---pcimeSNAPTypeVariableAuxClass (auxiliary new)
    |       +---pcimeFlowDirectionVariableAuxClass (auxiliary new)
    |
    +---pcimeValueAuxClass (auxiliary new)
    |   |
    |   +---pcimeIPv4AddrValueAuxClass (auxiliary new)
    |   +---pcimeIPv6AddrValueAuxClass (auxiliary new)
    |   +---pcimeMACAddrValueAuxClass (auxiliary new)
    |   +---pcimeStringValueAuxClass (auxiliary new)
    |   +---pcimeBitStringValueAuxClass (auxiliary new)
    |   +---pcimeIntegerValueAuxClass (auxiliary new)
    |   +---pcimeBooleanValueAuxClass (auxiliary new)
    |
    +---pcimSubtreesPtrAuxClass (auxiliary)
    |
    +---pcimGroupContainmentAuxClass (auxiliary deprecated)
    |
    +---pcimRuleContainmentAuxClass (auxiliary deprecated)

4. General Discussion of Mapping the Model Extensions to LDAP

   The classes described below contain certain optimizations for a
   directory that uses LDAP as an access protocol. One example is the
   use of auxiliary classes to represent some of the associations
   defined in the information model. Note that other storage types
   might need to implement the associations differently.

4.1 Summary of Class and Association Mappings

   Forty-nine of the classes in PCELS come directly from the forty-five
   corresponding classes in the information model extensions (the
   PolicyRule and ReusablePolicyContainer model classes each map to
   three LDAP classes, which accounts for the difference). The prefix
   "pcime" is used to identify these LDAP classes.
   +--------------------------------+----------------------------------------+
   | Information Model (PCIM ext)   | LDAP Class(es)                         |
   +--------------------------------+----------------------------------------+
   | PolicySet                      | pcimePolicySet                         |
   | PolicyRule                     | pcimeRule                              |
   |                                | pcimeRuleAuxClass                      |
   |                                | pcimeRuleInstance                      |
   | SimplePolicyCondition          | pcimeSimpleConditionAuxClass           |
   | CompoundPolicyCondition        | pcimeCompoundConditionAuxClass         |
   | CompoundFilterCondition        | pcimeCompoundFilterAuxClass            |
   | SimplePolicyAction             | pcimeSimpleActionAuxClass              |
   | CompoundPolicyAction           | pcimeCompoundActionAuxClass            |
   | PolicyVariable                 | pcimeVariable                          |
   | PolicyExplicitVariable         | pcimeExplicitVariableAuxClass          |
   | PolicyImplicitVariable         | pcimeImplicitVariableAuxClass          |
   | PolicySourceIPv4Variable       | pcimeSourceIPv4VariableAuxClass        |
   | PolicySourceIPv6Variable       | pcimeSourceIPv6VariableAuxClass        |
   | PolicyDestinationIPv4Variable  | pcimeDestinationIPv4VariableAuxClass   |
   | PolicyDestinationIPv6Variable  | pcimeDestinationIPv6VariableAuxClass   |
   | PolicySourcePortVariable       | pcimeSourcePortVariableAuxClass        |
   | PolicyDestinationPortVariable  | pcimeDestinationPortVariableAuxClass   |
   | PolicyIPProtocolVariable       | pcimeIPProtocolVariableAuxClass        |
   | PolicyIPVersionVariable        | pcimeIPVersionVariableAuxClass         |
   | PolicyIPToSVariable            | pcimeIPToSVariableAuxClass             |
   | PolicyDSCPVariable             | pcimeDSCPVariableAuxClass              |
   | PolicyFlowIDVariable           | pcimeFlowIDVariableAuxClass            |
   | PolicySourceMACVariable        | pcimeSourceMACVariableAuxClass         |
   | PolicyDestinationMACVariable   | pcimeDestinationMACVariableAuxClass    |
   | PolicyVLANVariable             | pcimeVLANVariableAuxClass              |
   | PolicyCoSVariable              | pcimeCoSVariableAuxClass               |
   | PolicyEthertypeVariable        | pcimeEthertypeVariableAuxClass         |
   | PolicySourceSAPVariable        | pcimeSourceSAPVariableAuxClass         |
   | PolicyDestinationSAPVariable   | pcimeDestinationSAPVariableAuxClass    |
   | PolicySNAPOUIVariable          | pcimeSNAPOUIVariableAuxClass           |
   | PolicySNAPTypeVariable         | pcimeSNAPTypeVariableAuxClass          |
   | PolicyFlowDirectionVariable    | pcimeFlowDirectionVariableAuxClass     |
   | PolicyValue                    | pcimeValueAuxClass                     |
   | PolicyIPv4AddrValue            | pcimeIPv4AddrValueAuxClass             |
   | PolicyIPv6AddrValue            | pcimeIPv6AddrValueAuxClass             |
   | PolicyMACAddrValue             | pcimeMACAddrValueAuxClass              |
   | PolicyStringValue              | pcimeStringValueAuxClass               |
   | PolicyBitStringValue           | pcimeBitStringValueAuxClass            |
   | PolicyIntegerValue             | pcimeIntegerValueAuxClass              |
   | PolicyBooleanValue             | pcimeBooleanValueAuxClass              |
   | PolicyRoleCollection           | pcimeRoleCollection                    |
   | ReusablePolicyContainer        | pcimeReusableContainer                 |
   |                                | pcimeReusableContainerAuxClass         |
   |                                | pcimeReusableContainerInstance         |
   | FilterEntryBase                | pcimeFilterEntryBase                   |
   | IPHeadersFilter                | pcimeIPHeadersFilter                   |
   | 8021Filter                     | pcime8021Filter                        |
   | FilterList                     | pcimeFilterList                        |
   +--------------------------------+----------------------------------------+

   +----------------------------------------+----------------------------------------+
   | Information Model Association          | LDAP Attribute / Class                 |
   +----------------------------------------+----------------------------------------+
   | PolicySetComponent                     | pcimePolicySetList in                  |
   |                                        | pcimePolicySet and                     |
   |                                        | pcimePolicySetDN in                    |
   |                                        | pcimePolicySetAssociation              |
   | PolicySetInSystem                      | DIT containment and                    |
   |                                        | pcimePolicySetDN in                    |
   |                                        | pcimePolicySetAssociation              |
   | PolicyGroupInSystem                    | (same as PolicySetInSystem)            |
   | PolicyRuleInSystem                     | (same as PolicySetInSystem)            |
   | PolicyConditionStructure               | pcimConditionDN in                     |
   |                                        | pcimeConditionAssociation              |
   | PolicyConditionInPolicyRule            | pcimeConditionList in                  |
   |                                        | pcimeRule and                          |
   |                                        | pcimConditionDN in                     |
   |                                        | pcimeConditionAssociation              |
   | PolicyConditionInPolicyCondition       | pcimeConditionList in                  |
   |                                        | pcimeCompoundConditionAuxClass and     |
   |                                        | pcimConditionDN in                     |
   |                                        | pcimeConditionAssociation              |
   | PolicyActionStructure                  | pcimActionDN in                        |
   |                                        | pcimeActionAssociation                 |
   | PolicyActionInPolicyRule               | pcimeActionList in                     |
   |                                        | pcimeRule and                          |
   |                                        | pcimActionDN in                        |
   |                                        | pcimeActionAssociation                 |
   | PolicyActionInPolicyAction             | pcimeActionList in                     |
   |                                        | pcimeCompoundActionAuxClass and        |
   |                                        | pcimActionDN in                        |
   |                                        | pcimeActionAssociation                 |
   | PolicyVariableInSimplePolicyCondition  | pcimeVariableDN in                     |
   |                                        | pcimeSimpleConditionAuxClass           |
   | PolicyValueInSimplePolicyCondition     | pcimeValueDN in                        |
   |                                        | pcimeSimpleConditionAuxClass           |
   | PolicyVariableInSimplePolicyAction     | pcimeVariableDN in                     |
   |                                        | pcimeSimpleActionAuxClass              |
   | PolicyValueInSimplePolicyAction        | pcimeValueDN in                        |
   |                                        | pcimeSimpleActionAuxClass              |
   | ReusablePolicy                         | DIT containment                        |
   | ExpectedPolicyValuesForVariable        | DIT containment or                     |
   |                                        | pcimeExpectedValueList in              |
   |                                        | pcimeVariable                          |
   | ContainedDomain                        | DIT containment or                     |
   |                                        | pcimeReusableContainerList in          |
   |                                        | pcimeReusableContainer                 |
   | EntriesInFilterList                    | DIT containment or                     |
   |                                        | pcimeFilterListEntriesList in          |
   |                                        | pcimeFilterList                        |
   | ElementInPolicyRoleCollection          | DIT containment or                     |
   |                                        | pcimeElementList in                    |
   |                                        | pcimeRoleCollection                    |
   | PolicyRoleCollectionInSystem           | DIT containment                        |
   +----------------------------------------+----------------------------------------+

4.2 Summary of changes since PCLS

4.3 Attaching PolicyVariable and PolicyValues to PolicySimpleCondition
    and PolicySimpleAction

   A simple policy condition, like a simple policy action, binds exactly
   one PolicyVariable and one PolicyValue. Each of them can either be
   attached to the condition or action entry as an auxiliary class or
   referenced by DN (pcimeVariableDN and pcimeValueDN). Attachment
   yields compact PolicyCondition and PolicyAction definitions that can
   be efficiently provisioned and retrieved from the repository.
   Referenced PolicyVariable and PolicyValue instances, on the other
   hand, can be reused in the construction of multiple policies and
   permit the administrative partitioning of the data and policy
   definitions.

4.4 Aggregation of PolicyRules and PolicyGroups in PolicySets
4.5 Aggregation of actions/conditions in PolicyRules and
    CompoundActions/Conditions

   [PCIM_EXT] defines two new classes that give the designer the
   capability of creating more complex conditions and actions. The
   CompoundPolicyCondition and CompoundPolicyAction classes are mapped
   to the PCELS classes pcimeCompoundConditionAuxClass and
   pcimeCompoundActionAuxClass, which inherit from pcimConditionAuxClass
   and pcimActionAuxClass respectively. Because of this inheritance they
   are stored in the same way as non-compound conditions and actions.

   The compound conditions/actions defined in [PCIM_EXT] extend to
   conditions and actions the capability that rules already have to
   associate, group and evaluate/execute their conditions and actions,
   so conditions/actions are associated with compound conditions/actions
   in the same way as they were associated with rules in [PCLS]. This
   section explains how to store these classes in the directory.

   As a general rule, the specific (non-reusable) conditions/actions are
   DIT contained under the rule or compound condition/action entries and
   attached to the association classes. The reusable conditions/actions,
   compound and non-compound alike, are contained in reusable containers
   and attached to policy instances there.

   The examples below illustrate the four possible cases, combining
   specific/reusable compound/non-compound conditions/actions. In each
   case the rule has two compound conditions, each of which has two
   different conditions. The schemes can be extended in the same way to
   store actions. The mapping of compound conditions/actions and the
   schemes below are based on section 4.4 of [PCLS], which describes how
   conditions and actions are associated with rules and repositories.

   - First case: specific compound condition/action with specific
     conditions/actions.
Expires: August 2003 [Page 11] INTERNET-DRAFT PCELS February 2003 +--------------+ +------| Rule |------+ | +--------------+ | | * * | | ********* ********* | v * * v +---------+ +---------+ +-| CA1+cc1 |-+ +-| CA2+cc2 |-+ | +---------+ | | +---------+ | | * * | | * * | | **** **** | | **** **** | v * * v v * * v +------+ +------+ +------+ +------+ |CA3+c1| |CA4+c2| |CA5+c3| |CA6+c4| +------+ +------+ +------+ +------+ Figure 1. +------------------------------+ |LEGEND: | | ***** DIT containment | | + auxiliary attachment | | ----> DN reference | +------------------------------+ #: Number. CA#: pcimeConditionAssociation structural class. cc#: pcimeCompoundConditionAuxClass auxiliary class. c#: pcimConditionAuxClass' subclass. Because the compound conditions/actions are specific to Rule, the auxiliary classes that represent them are attached to, structural classes pcimeConditionAssociation or pcimeActionAssociation. These structural classes represent the association between the rule and the compound condition and compound action . The rule's specific condition/ action are DIT contained in rule entry. The conditions/actions have to be tied to compound conditions/actions in the same way as compound conditions/actions are tied to rules, but association classes do the association between them compound conditions/actions and its specific conditions/actions. Reyes, et al. Expires: August 2003 [Page 12] INTERNET-DRAFT PCELS February 2003 - Second case: Rule's specific compound conditions/actions whit reusablecconditions/actions. 
      Rule                            RepositoryX
      *-- CA1+cc1                     *-- S1+c4
      |   *-- CA3 ---> S4+c1          *-- S2+c3
      |   *-- CA4 ---> S3+c2          *-- S3+c2
      *-- CA2+cc2                     *-- S4+c1
          *-- CA5 ---> S2+c3
          *-- CA6 ---> S1+c4

                              Figure 2.

   (Legend as in Figure 1.)

   This case is similar to the first one. The conditions/actions are
   reusable, so they are not attached to the association entries but to
   structural entries (S1 to S4) in the reusable container. The
   association entries (CA3 to CA6) tie the compound conditions/actions
   to the conditions/actions in the reusable container through DN
   references.

   - Third case: reusable compound condition/action with specific
     conditions/actions.
      Rule                            RepositoryX
      *-- CA1 ---> S2+cc1             *-- S1+cc2
      *-- CA2 ---> S1+cc2             |   *-- CA5+c3
                                      |   *-- CA6+c4
                                      *-- S2+cc1
                                          *-- CA3+c1
                                          *-- CA4+c2

                              Figure 3.

   (Legend as in Figure 1.)

   Because the compound conditions/actions are reusable, they are
   attached to structural entries (S1, S2) stored in the reusable
   container, and are related to the rule through the DN references
   from the association entries (CA1, CA2) to those compound entries.
   The specific conditions/actions (c1 to c4) are DIT contained in the
   compound condition/action entries, attached to association entries
   (CA3 to CA6).

   - Fourth case: reusable conditions/actions and reusable compound
     conditions/actions.
      Rule                     RepositoryX              RepositoryY
      *-- CA1 ---> S2+cc1      *-- S1+cc2               *-- S3+c4
      *-- CA2 ---> S1+cc2      |   *-- CA5 ---> S4+c3   *-- S4+c3
                               |   *-- CA6 ---> S3+c4   *-- S5+c2
                               *-- S2+cc1               *-- S6+c1
                                   *-- CA3 ---> S6+c1
                                   *-- CA4 ---> S5+c2

                              Figure 4.

   (Legend as in Figure 1.)

   All the conditions/actions are reusable, so they are stored in
   reusable containers. Figure 4 shows two different repositories
   (reusable containers), but the number of containers in the system is
   up to the policy administrator: all the conditions/actions could be
   stored in the same container, or each condition/action in a
   different one.

5. Class Definitions

5.1 The pcimePolicySet Class

   The abstract class PolicySet in [PCIM_EXT] is introduced to provide
   an abstraction for a set of rules. The class value 'pcimePolicySet'
   is used as the mechanism for identifying group- and rule-related
   instances in the DIT.
   In [PCIM_EXT], the classes PolicyGroup and PolicyRule are moved so
   that they are now derived from the PolicySet class. A pcimePolicySet
   object refers to instances of pcimGroup and pcimeRule via its
   attribute pcimePolicySetList and the attribute pcimePolicySetDN of
   the pcimePolicySetAssociation object class.

   The definition of the abstract class pcimePolicySet:

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimePolicySet'
       DESC 'Abstract class that represents a collection of policies
             that form a coherent set.'
       SUP pcimPolicy
       ABSTRACT
       MAY ( pcimePolicySetName $ pcimeDecisionStrategy $ pcimRoles $
             pcimePolicySetList )
   )

   One of the attributes of the pcimePolicySet class, pcimRoles, is
   already defined in [PCLS]. The other three attributes are defined
   below. The attribute pcimePolicySetName may be used as the naming
   attribute for pcimePolicySet entries:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimePolicySetName'
       DESC 'The user-friendly name of a policy set.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
   )

   The attribute pcimeDecisionStrategy defines the evaluation method
   used among the rules in the policy set and is mapped directly from
   the PolicyDecisionStrategy property defined in [PCIM_EXT].

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimeDecisionStrategy'
       DESC 'The evaluation method used for the components of the
             pcimePolicySet. Valid values: 1 [FirstMatching],
             2 [AllMatching]'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

   The attribute pcimePolicySetList is used to realize the
   PolicySetComponent aggregation.

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimePolicySetList'
       DESC 'List of DN references to the pcimePolicySetAssociation
             entries used to aggregate policy sets.'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   The subclasses pcimGroup and pcimeRule are now derived from
   pcimePolicySet.

5.2 The Structural Class pcimePolicySetAssociation

   The pcimePolicySetAssociation class is used to aggregate components
   into pcimePolicySet entries. Instances of this class are always
   subordinate to the aggregating pcimePolicySet. Reusable instances of
   (subclasses of) pcimePolicySet are referenced via the
   pcimePolicySetDN attribute. Non-reusable instances of (subclasses of)
   pcimePolicySet are attached as auxiliary classes directly to the
   pcimePolicySetAssociation entries.

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimePolicySetAssociation'
       DESC 'Structural class that contains attributes characterizing
             the relationship between a policy set and one of its
             components.'
       SUP pcimPolicy
       STRUCTURAL
       MUST ( pcimePriority )
       MAY ( pcimePolicySetName $ pcimePolicySetDN )
   )

   The attribute pcimePriority:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimePriority'
       DESC 'Policy priority.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

   The attribute pcimePolicySetDN:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimePolicySetDN'
       DESC 'DN reference to a pcimePolicySet entry.'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
       SINGLE-VALUE
   )

5.3 The moved pcimGroup class

   The class pcimGroup is defined in [PCLS]. Its superclass is changed
   here so that pcimGroup can take advantage of pcimePolicySet and its
   aggregation method.

   ( IANA-ASSIGNED-OID.1.2 NAME 'pcimGroup'
       DESC 'A container for a set of related pcimeRules and/or a set
             of related pcimGroups.'
       SUP pcimePolicySet
       ABSTRACT
       MAY ( pcimGroupName )
   )
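   The policy set aggregation of sections 5.1 to 5.3 can be exercised
   end to end by a policy consumer. The following Python program is an
   added example, not code from this draft or from any PCELS
   implementation: it holds a constructed set of entries in a dictionary,
   follows pcimePolicySetList to the pcimePolicySetAssociation entries,
   takes each component either from an attached pcimeRuleAuxClass or
   through pcimePolicySetDN, orders the components by pcimePriority and
   applies pcimeDecisionStrategy (1 = FirstMatching, 2 = AllMatching),
   recursing into nested pcimGroup entries. Every DN, cn value and rule
   name in it is invented; the larger-value-first priority ordering is
   taken from the PolicySetComponent definition in [PCIM_EXT], which this
   excerpt does not restate; condition evaluation is replaced by a
   caller-supplied predicate.

```python
"""Order the components of a pcimePolicySet and apply its decision strategy.

Added example, not code from the PCELS draft.  It models sections 5.1 and
5.2 over a constructed in-memory DIT: a pcimePolicySet entry names its
pcimePolicySetAssociation entries in pcimePolicySetList, and each association
carries pcimePriority and either attaches its component as an auxiliary
class (non-reusable) or references it through pcimePolicySetDN (reusable).
Assumptions: all DNs, cn values and rule names are invented; a larger
pcimePriority value ranks first, as PolicySetComponent in [PCIM_EXT]
defines; condition evaluation is replaced by a caller-supplied predicate.
"""
from __future__ import annotations
from collections.abc import Callable

FIRST_MATCHING, ALL_MATCHING = 1, 2          # pcimeDecisionStrategy values
EDGE, QOS, REPO = "cn=edge,o=example", "cn=qos,o=example", "cn=repo,o=example"

# Constructed DIT (DN -> entry); attribute values are lists of strings.
DIT: dict[str, dict[str, list[str]]] = {
    EDGE: {"objectClass": ["pcimGroupInstance"],
           "pcimeDecisionStrategy": [str(FIRST_MATCHING)],
           "pcimePolicySetList": [f"cn=as1,{EDGE}", f"cn=as2,{EDGE}", f"cn=as3,{EDGE}"]},
    # non-reusable rule attached directly to its association entry
    f"cn=as1,{EDGE}": {"objectClass": ["pcimePolicySetAssociation", "pcimeRuleAuxClass"],
                       "pcimePriority": ["10"], "pcimRuleName": ["dropTelnet"]},
    # reusable rule referenced by DN from a reusable container
    f"cn=as2,{EDGE}": {"objectClass": ["pcimePolicySetAssociation"],
                       "pcimePriority": ["20"], "pcimePolicySetDN": [f"cn=auditAll,{REPO}"]},
    # nested policy set: the component is itself a pcimGroup
    f"cn=as3,{EDGE}": {"objectClass": ["pcimePolicySetAssociation"],
                       "pcimePriority": ["5"], "pcimePolicySetDN": [QOS]},
    REPO: {"objectClass": ["pcimeReusableContainerInstance"]},
    f"cn=auditAll,{REPO}": {"objectClass": ["pcimeRuleInstance"], "pcimRuleName": ["auditAll"]},
    QOS: {"objectClass": ["pcimGroupInstance"],
          "pcimeDecisionStrategy": [str(ALL_MATCHING)],
          "pcimePolicySetList": [f"cn=as1,{QOS}"]},
    f"cn=as1,{QOS}": {"objectClass": ["pcimePolicySetAssociation", "pcimeRuleAuxClass"],
                      "pcimePriority": ["1"], "pcimRuleName": ["markVoice"]},
}


def component_of(assoc_dn: str) -> str:
    """DN of the pcimePolicySet component an association entry aggregates."""
    assoc = DIT[assoc_dn]
    if "pcimePolicySetDN" in assoc:                   # reusable: follow the reference
        target = assoc["pcimePolicySetDN"][0]
        if target not in DIT:
            raise LookupError(f"{assoc_dn}: dangling pcimePolicySetDN {target}")
        return target
    if {"pcimeRuleAuxClass", "pcimGroupAuxClass"} & set(assoc["objectClass"]):
        return assoc_dn                               # attached: this entry is the component
    raise ValueError(f"{assoc_dn}: neither attaches nor references a component")


def ordered_components(set_dn: str) -> list[tuple[int, str]]:
    """(pcimePriority, component DN) pairs of a policy set, highest priority first.

    Association entries are always subordinate to the aggregating set
    (section 5.2), so a list member outside that subtree is rejected.
    """
    out: list[tuple[int, str]] = []
    for assoc_dn in DIT[set_dn].get("pcimePolicySetList", []):
        if not assoc_dn.endswith("," + set_dn):
            raise ValueError(f"{assoc_dn} is not subordinate to {set_dn}")
        out.append((int(DIT[assoc_dn]["pcimePriority"][0]), component_of(assoc_dn)))
    return sorted(out, key=lambda pair: -pair[0])


def matching_rules(set_dn: str, matches: Callable[[str], bool]) -> list[str]:
    """Names of the rules a policy set selects under its pcimeDecisionStrategy.

    FirstMatching stops after the first component that yields a match;
    AllMatching keeps every match.  Nested policy sets are evaluated
    recursively with their own strategy.
    """
    strategy = int(DIT[set_dn].get("pcimeDecisionStrategy", [str(ALL_MATCHING)])[0])
    selected: list[str] = []
    for _, dn in ordered_components(set_dn):
        entry = DIT[dn]
        if any(c.startswith("pcimGroup") for c in entry["objectClass"]):
            hits = matching_rules(dn, matches)
        else:
            hits = [entry["pcimRuleName"][0]] if matches(dn) else []
        selected.extend(hits)
        if hits and strategy == FIRST_MATCHING:
            break
    return selected
```

   Two checks in this program are worth keeping in any consumer of the
   schema: a pcimePolicySetDN that does not resolve is reported rather
   than silently skipped, and an association entry that is not
   subordinate to the policy set naming it is rejected, since section
   5.2 requires that containment. Both guard against a policy tree that
   has been edited inconsistently, or deliberately pointed at entries
   outside the administrator's own partition of the directory.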
5.4 The Deprecated Class pcimGroupContainmentAuxClass

The policy group aggregation is replaced by the more comprehensive policy set a
ggregation. Therefore this class is deprecated:

( IANA-ASSIGNED-OID.1.22 NAME 'pcimGroupContainmentAuxClass'
  DESC 'An auxiliary class used to bind pcimGroups to an appropriate
        container object.'
  OBSOLETE
  SUP top
  AUXILIARY
  MAY ( pcimGroupsAuxContainedSet )
)

The attribute pcimGroupsAuxContainedSet is also deprecated:

( IANA-ASSIGNED-OID.2.38 NAME 'pcimGroupsAuxContainedSet'
  DESC 'DNs of pcimGroups associated in some way with the instance to
        which this attribute has been appended.'
  OBSOLETE
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

5.5 The Deprecated Class pcimRuleContainmentAuxClass

The policy rule aggregation is replaced by the more comprehensive policy set aggregation. Therefore this class is deprecated:

( IANA-ASSIGNED-OID.1.23 NAME 'pcimRuleContainmentAuxClass'
  DESC 'An auxiliary class used to bind pcimRules to an appropriate
        container object.'
  OBSOLETE
  SUP top
  AUXILIARY
  MAY ( pcimRulesAuxContainedSet )
)

The attribute pcimRulesAuxContainedSet is also deprecated:

( IANA-ASSIGNED-OID.2.39 NAME 'pcimRulesAuxContainedSet'
  DESC 'DNs of pcimRules associated in some way with the instance to
        which this attribute has been appended.'
  OBSOLETE
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

5.6 The three new pcimeRule classes

The base class representing policy rules is redefined without a priority attribute. In addition, this class uses the same Condition and Action aggregation methods as the CompoundCondition and the CompoundAction.
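As an added example that is not part of this draft, the following Python evaluator shows how the pcimeRule attributes defined in this section (pcimeConditionListType, pcimeConditionList, pcimeActionList, pcimeExecutionStrategy) combine with the association classes of sections 5.7 and 5.8 and the simple condition, simple action, variable and value classes of sections 5.12, 5.15 and 5.20 to 5.22 when one rule is evaluated against a flow. All DNs and values are constructed, the mapping of variable classes to flow fields is this example's assumption, and LDAP booleans are written as Python booleans.

```python
"""Added example (not part of the PCELS draft): a policy decision point
evaluating one pcimeRule. Entries are dicts keyed by DN; every DN and
value below is constructed for the example."""
import ipaddress
from itertools import groupby

DNF, CNF = 1, 2                                       # pcimeConditionListType
DO_UNTIL_SUCCESS, DO_ALL, DO_UNTIL_FAILURE = 1, 2, 3  # pcimeExecutionStrategy

# Flow field each variable class denotes (this example's assumption).
VARIABLE_FIELD = {
    "pcimeSourceIPv4VariableAuxClass": "src_ip",
    "pcimeDestinationPortVariableAuxClass": "dst_port",
    "pcimeDSCPVariableAuxClass": "dscp",
}
# Rule r1 in DNF: group 1 = src_ip in 10.0.0.0/8 AND NOT dst_port 22,
# group 2 = src_ip in 192.0.2.0/24. Two ordered simple actions set the
# DSCP variable; the first names two candidate values (a failure here).
D = {
    "cn=r1": {"pcimeConditionListType": DNF,
              "pcimeExecutionStrategy": DO_UNTIL_FAILURE,
              "pcimeConditionList": ["cn=ca1,cn=r1", "cn=ca2,cn=r1", "cn=ca3,cn=r1"],
              "pcimeActionList": ["cn=aa1,cn=r1", "cn=aa2,cn=r1"]},
    "cn=ca1,cn=r1": {"pcimConditionGroupNumber": 1, "pcimConditionNegated": False,
                     "pcimConditionDN": "cn=c-src-priv"},
    "cn=ca2,cn=r1": {"pcimConditionGroupNumber": 1, "pcimConditionNegated": True,
                     "pcimConditionDN": "cn=c-dport-22"},
    "cn=ca3,cn=r1": {"pcimConditionGroupNumber": 2, "pcimConditionNegated": False,
                     "pcimConditionDN": "cn=c-src-doc"},
    "cn=c-src-priv": {"pcimeVariableDN": "cn=v-src", "pcimeValueDN": "cn=val-priv"},
    "cn=c-dport-22": {"pcimeVariableDN": "cn=v-dport", "pcimeValueDN": "cn=val-22"},
    "cn=c-src-doc": {"pcimeVariableDN": "cn=v-src", "pcimeValueDN": "cn=val-doc"},
    "cn=v-src": {"objectClass": ["pcimeSourceIPv4VariableAuxClass"]},
    "cn=v-dport": {"objectClass": ["pcimeDestinationPortVariableAuxClass"]},
    "cn=v-dscp": {"objectClass": ["pcimeDSCPVariableAuxClass"]},
    "cn=val-priv": {"pcimeIPv4AddrList": ["10.0.0.0/8"]},
    "cn=val-doc": {"pcimeIPv4AddrList": ["192.0.2.0/24"]},
    "cn=val-22": {"pcimeIntegerList": ["22"]}, "cn=val-46": {"pcimeIntegerList": ["46"]},
    "cn=val-amb": {"pcimeIntegerList": ["0", "8"]},
    "cn=aa1,cn=r1": {"pcimActionOrder": 1, "pcimActionName": "remark",
                     "pcimActionDN": "cn=a-remark"},
    "cn=aa2,cn=r1": {"pcimActionOrder": 2, "pcimActionName": "mark-ef",
                     "pcimActionDN": "cn=a-mark"},
    "cn=a-remark": {"pcimeVariableDN": "cn=v-dscp", "pcimeValueDN": "cn=val-amb"},
    "cn=a-mark": {"pcimeVariableDN": "cn=v-dscp", "pcimeValueDN": "cn=val-46"},
}

def variable_field(d, var_dn):
    return next(f for c, f in VARIABLE_FIELD.items() if c in d[var_dn]["objectClass"])

def value_matches(value_entry, actual):
    """Match a flow value against a pcimeValueAuxClass subclass entry."""
    if "pcimeIPv4AddrList" in value_entry:  # addresses or CIDR ranges
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False)
                   for v in value_entry["pcimeIPv4AddrList"])
    for v in value_entry.get("pcimeIntegerList", []):  # integers or "lo-hi"
        lo, _, hi = v.partition("-")
        if int(lo) <= int(actual) <= int(hi or lo):
            return True
    return False

def simple_condition_holds(d, cond, ctx):
    # pcimeSimpleConditionAuxClass: the variable must match the value
    field = variable_field(d, cond["pcimeVariableDN"])
    return value_matches(d[cond["pcimeValueDN"]], ctx[field])

def simple_action_run(d, action, ctx):
    """pcimeSimpleActionAuxClass: set the variable; several values = failure."""
    values = d[action["pcimeValueDN"]]["pcimeIntegerList"]
    if len(values) != 1:
        return False
    ctx[variable_field(d, action["pcimeVariableDN"])] = int(values[0])
    return True

def conditions_hold(d, rule, ctx):
    """Terms sharing pcimConditionGroupNumber form a group, pcimConditionNegated
    inverts a term; DNF = OR of ANDed groups, CNF = AND of ORed groups."""
    list_type = rule.get("pcimeConditionListType", DNF)
    assocs = sorted((d[dn] for dn in rule.get("pcimeConditionList", [])),
                    key=lambda a: a["pcimConditionGroupNumber"])
    groups = []
    for _, members in groupby(assocs, key=lambda a: a["pcimConditionGroupNumber"]):
        terms = [simple_condition_holds(d, d[a["pcimConditionDN"]], ctx)
                 != a["pcimConditionNegated"] for a in members]
        groups.append(all(terms) if list_type == DNF else any(terms))
    combine = any if list_type == DNF else all
    return combine(groups) if groups else True  # no conditions: unconditional

def run_actions(d, rule, ctx):
    """Run pcimeActionAssociation entries in pcimActionOrder under the rule's
    pcimeExecutionStrategy (default 2, Do all); returns the names attempted."""
    strategy = rule.get("pcimeExecutionStrategy", DO_ALL)
    assocs = sorted((d[dn] for dn in rule.get("pcimeActionList", [])),
                    key=lambda a: a["pcimActionOrder"])
    attempted = []
    for a in assocs:
        ok = simple_action_run(d, d[a["pcimActionDN"]], ctx)
        attempted.append(a["pcimActionName"])
        if (strategy == DO_UNTIL_SUCCESS and ok) or (strategy == DO_UNTIL_FAILURE and not ok):
            break
    return attempted

def evaluate_rule(d, rule_dn, ctx):
    """(matched, attempted action names) for one pcimeRule against flow ctx."""
    rule = d[rule_dn]
    return (True, run_actions(d, rule, ctx)) if conditions_hold(d, rule, ctx) else (False, [])
```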
( IANA-ASSIGNED-OID.1.x NAME 'pcimeRule'
  DESC 'The base class for representing the "If Condition then Action"
        semantics associated with a policy rule.'
  SUP pcimePolicySet
  ABSTRACT
  MAY ( pcimRuleName $ pcimRuleEnabled $ pcimeConditionListType $
        pcimeConditionList $ pcimeActionList $
        pcimRuleValidityPeriodList $ pcimRuleUsage $ pcimRuleMandatory $
        pcimeSequencedActions $ pcimeExecutionStrategy )
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeRuleAuxClass'
  DESC 'An auxiliary class for representing the "If Condition then
        Action" semantics associated with a policy rule.'
  SUP pcimeRule
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeRuleInstance'
  DESC 'A structural class for representing the "If Condition then
        Action" semantics associated with a policy rule.'
  SUP pcimeRule
  STRUCTURAL
)

The attributes pcimRuleConditionListType, pcimRuleConditionList and pcimRuleActionList defined in [PCLS] are replaced in PCELS so that they can be reused in the pcimeCompoundConditionAuxClass and pcimeCompoundActionAuxClass object classes. The definitions are as follows:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeConditionListType'
  DESC 'A value of 1 means that this policy rule is in disjunctive
        normal form; a value of 2 means that this policy rule is in
        conjunctive normal form.'
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

( IANA-ASSIGNED-OID.2.x NAME 'pcimeConditionList'
  DESC 'Unordered set of DNs to the pcimeConditionAssociation entries
        used to aggregate policy conditions.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

( IANA-ASSIGNED-OID.2.x NAME 'pcimeActionList'
  DESC 'Unordered set of DNs to the pcimeActionAssociation entries
        used to aggregate policy actions.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

( IANA-ASSIGNED-OID.2.x NAME 'pcimeSequencedActions'
  DESC 'Indicates whether the ordered execution of actions in an
        aggregate is mandatory, recommended, or dontCare.'
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

The new attribute pcimeExecutionStrategy is a direct mapping of the ExecutionStrategy property of the PolicyRule class in [PCIM_EXT].

( IANA-ASSIGNED-OID.2.x NAME 'pcimeExecutionStrategy'
  DESC 'Indicates the execution strategy to be used upon an action
        aggregate. VALUES: 1 [Do until success]; 2 [Do all];
        3 [Do until failure]. Default value = 2.'
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

5.7 The Structural Class pcimeConditionAssociation

This class is used to aggregate policy conditions in compound policy conditions or policy rules.

( IANA-ASSIGNED-OID.1.x NAME 'pcimeConditionAssociation'
  DESC 'This class contains attributes characterizing the relationship
        between a policy condition and one of its aggregators (pcimeRule
        or pcimeCompoundConditionAuxClass). It is used in the
        realization of a policy condition structure.'
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimConditionGroupNumber $ pcimConditionNegated )
  MAY ( pcimConditionName $ pcimConditionDN )
)

Its attributes are defined in section 5.4 of [PCLS].

5.8 The Structural Class pcimeActionAssociation

This class is used to aggregate policy actions in compound policy actions or policy rules. It implements the PolicyActionInPolicyRule and PolicyActionInPolicyAction aggregations. The class definition follows:
( IANA-ASSIGNED-OID.1.x NAME 'pcimeActionAssociation'
  DESC 'This class contains attributes characterizing the relationship
        between a policy action and one of its aggregators. It is used
        in the realization of a policy action structure.'
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimActionOrder )
  MAY ( pcimActionName $ pcimActionDN )
)

Its attributes are defined in [PCLS].

5.9 The Three Deprecated pcimRule classes

The class pcimRule and its subclasses are replaced by pcimeRule and its subclasses. Therefore pcimRule and its subclasses are deprecated.

( IANA-ASSIGNED-OID.1.5 NAME 'pcimRule'
  DESC 'The base class for representing the "If Condition then Action"
        semantics associated with a policy rule.'
  OBSOLETE
  SUP pcimPolicy
  ABSTRACT
  MAY ( pcimRuleName $ pcimRuleEnabled $ pcimRuleConditionListType $
        pcimRuleConditionList $ pcimRuleActionList $
        pcimRuleValidityPeriodList $ pcimRuleUsage $ pcimRulePriority $
        pcimRuleMandatory $ pcimRuleSequencedActions $ pcimRoles )
)

( IANA-ASSIGNED-OID.1.6 NAME 'pcimRuleAuxClass'
  DESC 'An auxiliary class for representing the "If Condition then
        Action" semantics associated with a policy rule.'
  OBSOLETE
  SUP pcimRule
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.7 NAME 'pcimRuleInstance'
  DESC 'A structural class for representing the "If Condition then
        Action" semantics associated with a policy rule.'
  OBSOLETE
  SUP pcimRule
  STRUCTURAL
)

The following attributes are also deprecated, since with the deprecation of pcimRule no other classes use them:

( IANA-ASSIGNED-OID.2.7 NAME 'pcimRuleConditionListType'
  DESC 'A value of 1 means that this policy rule is in disjunctive
        normal form; a value of 2 means that this policy rule is in
        conjunctive normal form.'
  OBSOLETE
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

( IANA-ASSIGNED-OID.2.8 NAME 'pcimRuleConditionList'
  DESC 'Unordered set of DNs of pcimRuleConditionAssociation entries
        representing associations between this policy rule and its
        conditions.'
  OBSOLETE
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

( IANA-ASSIGNED-OID.2.9 NAME 'pcimRuleActionList'
  DESC 'Unordered set of DNs of pcimRuleActionAssociation entries
        representing associations between this policy rule and its
        actions.'
  OBSOLETE
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

( IANA-ASSIGNED-OID.2.12 NAME 'pcimRulePriority'
  DESC 'A non-negative integer for prioritizing this pcimRule relative
        to other pcimRules. A larger value indicates a higher priority.'
  OBSOLETE
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

( IANA-ASSIGNED-OID.2.14 NAME 'pcimRuleSequencedActions'
  DESC 'An integer enumeration indicating that the ordering of actions
        defined by the pcimActionOrder attribute is mandatory(1),
        recommended(2), or dontCare(3).'
  OBSOLETE
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

5.10 The Deprecated Class pcimRuleConditionAssociation

This class is replaced by the more flexible pcimeConditionAssociation.

( IANA-ASSIGNED-OID.1.8 NAME 'pcimRuleConditionAssociation'
  DESC 'This class contains attributes characterizing the relationship
        between a policy rule and one of its policy conditions.'
  OBSOLETE
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimConditionGroupNumber $ pcimConditionNegated )
  MAY ( pcimConditionName $ pcimConditionDN )
)

5.11 The Deprecated Class pcimRuleActionAssociation

This class is replaced by the more flexible pcimeActionAssociation.
( IANA-ASSIGNED-OID.1.10 NAME 'pcimRuleActionAssociation'
  DESC 'This class contains attributes characterizing the relationship
        between a policy rule and one of its policy actions.'
  OBSOLETE
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimActionOrder )
  MAY ( pcimActionName $ pcimActionDN )
)

5.12 The Auxiliary Class pcimeSimpleConditionAuxClass

This class indicates whether a specific variable matches a specific value. The "match" relationship is to be interpreted by analyzing the variable and value instances associated with the simple condition. There are attributes to realize the pcimePolicyValueInSimplePolicyCondition and pcimePolicyVariableInSimplePolicyCondition associations. The class definition is as follows:

( IANA-ASSIGNED-OID.1.x NAME 'pcimeSimpleConditionAuxClass'
  DESC 'An auxiliary class that evaluates the matching between a value
        and a variable.'
  SUP pcimConditionAuxClass
  AUXILIARY
  MAY ( pcimeVariableDN $ pcimeValueDN )
)

Two attributes may be present in the pcimeSimpleConditionAuxClass class: pcimeVariableDN and pcimeValueDN. The pcimeVariableDN attribute definition is:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeVariableDN'
  DESC 'DN reference to a pcimeVariable entry.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  SINGLE-VALUE
)

The pcimeValueDN attribute definition is:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeValueDN'
  DESC 'DN reference to a pcimeValue entry.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  SINGLE-VALUE
)

5.13 The Auxiliary Class pcimeCompoundConditionAuxClass

This class represents a compound policy condition, formed by aggregation of simple policy conditions. There is an attribute representing a boolean combination of simpler conditions.
The class definition is as follows:

( IANA-ASSIGNED-OID.1.x NAME 'pcimeCompoundConditionAuxClass'
  DESC 'An auxiliary class that represents a boolean combination of
        simpler conditions.'
  SUP pcimConditionAuxClass
  AUXILIARY
  MAY ( pcimeConditionListType $ pcimeConditionList )
)

The attribute pcimeConditionListType is used to specify whether the list of policy conditions associated with this compound policy condition is in disjunctive normal form (DNF) or conjunctive normal form (CNF). The attribute pcimeConditionList is an unordered set of DNs to the conditions aggregated in the compound condition. Both attributes are defined in section 5.6.

5.14 The Auxiliary Class pcimeCompoundFilterAuxClass

( IANA-ASSIGNED-OID.1.x NAME 'pcimeCompoundFilterAuxClass'
  DESC 'A compound condition with mirroring capabilities for traffic
        characterization.'
  SUP pcimeCompoundConditionAuxClass
  AUXILIARY
  MAY ( pcimeIsMirrored )
)

The attribute pcimeIsMirrored:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeIsMirrored'
  DESC 'Indicates whether traffic that mirrors the specified filter is
        to be treated as matching the filter.'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
)

5.15 The Auxiliary Class pcimeSimpleActionAuxClass

This class overwrites the old value of a variable and sets the new value. Two attributes realize the pcimePolicyVariableInSimplePolicyAction and pcimePolicyValueInSimplePolicyAction associations: pcimeVariableDN attaches a variable to a SimplePolicyAction and pcimeValueDN attaches a value to it. The class definition is as follows:

( IANA-ASSIGNED-OID.1.x NAME 'pcimeSimpleActionAuxClass'
  DESC 'This class contains attributes characterizing the relationship
        between a Simple PolicyAction and one variable and one value.'
  SUP pcimActionAuxClass
  AUXILIARY
  MAY ( pcimeVariableDN $ pcimeValueDN )
)

The attributes are defined in section 5.12.

5.16 The Auxiliary Class pcimeCompoundActionAuxClass

This class maps the CompoundPolicyAction class of [PCIM_EXT]. The class definition is as follows:

( IANA-ASSIGNED-OID.1.x NAME 'pcimeCompoundActionAuxClass'
  DESC 'A class that aggregates simpler actions in a sequence with a
        specific execution strategy.'
  SUP pcimActionAuxClass
  AUXILIARY
  MAY ( pcimeActionList $ pcimeSequencedActions $
        pcimeExecutionStrategy )
)

The attributes pcimeSequencedActions, pcimeExecutionStrategy and pcimeActionList are defined in section 5.6.

5.17 The Abstract Class pcimeVariable

Variables specify the property of a flow or an event that should be matched when evaluating the condition. A given variable selects the set of matchable value types through the ExpectedPolicyValuesForVariable association. The definition of the abstract class pcimeVariable is as follows:

( IANA-ASSIGNED-OID.1.x NAME 'pcimeVariable'
  DESC 'Base class for representing a variable whose actual value can
        be matched against or set to a specific value.'
  SUP top
  ABSTRACT
  MAY ( pcimeVariableName $ pcimeExpectedValueList )
)

The attribute pcimeVariableName is a user-friendly name for the variable.

( IANA-ASSIGNED-OID.2.x NAME 'pcimeVariableName'
  DESC 'The user-friendly name of a variable.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

The attribute pcimeExpectedValueList is an unordered set of DNs to entries of subclasses of pcimeValueAuxClass. It maps the ExpectedPolicyValuesForVariable association of [PCIM_EXT]:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeExpectedValueList'
  DESC 'List of DN references to the pcimeValueAuxClass entries that
        represent the acceptable values.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

5.18 The Auxiliary Class pcimeExplicitVariableAuxClass

The subclass pcimeExplicitVariableAuxClass is defined as follows:

( IANA-ASSIGNED-OID.1.x NAME 'pcimeExplicitVariableAuxClass'
  DESC 'Explicitly defined policy variable evaluated within the context
        of the CIM Schema.'
  SUP pcimeVariable
  AUXILIARY
  MUST ( pcimeVariableModelClass $ pcimeVariableModelProperty )
)

The attribute pcimeVariableModelClass is a string specifying the class name whose property is evaluated or set as a variable:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeVariableModelClass'
  DESC 'Specifies a CIM class name or oid.'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

The attribute pcimeVariableModelProperty is a string specifying the attribute, within the pcimeVariableModelClass, which is evaluated or set as a variable:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeVariableModelProperty'
  DESC 'Specifies a CIM property name or oid.'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

5.19 The Auxiliary Class pcimeImplicitVariableAuxClass

The subclass pcimeImplicitVariableAuxClass is defined as follows:

( IANA-ASSIGNED-OID.1.x NAME 'pcimeImplicitVariableAuxClass'
  DESC 'Implicitly defined policy variables whose evaluation depends on
        the usage context. Subclasses specify the data type and
        semantics of the variables.'
  SUP pcimeVariable
  AUXILIARY
  MUST ( pcimeExpectedValueTypes )
)

The attribute pcimeExpectedValueTypes is the direct mapping of the valueTypes property of the PolicyImplicitVariable class in [PCIM_EXT]. This attribute represents the set of allowed value types to be used with this variable.
( IANA-ASSIGNED-OID.2.x NAME 'pcimeExpectedValueTypes'
  DESC 'List of object class names or oids of subclasses of
        pcimeValueAuxClass that define acceptable value types.'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)

5.20 Subclasses of pcimeImplicitVariableAuxClass

( IANA-ASSIGNED-OID.1.x NAME 'pcimeSourceIPv4VariableAuxClass'
  DESC 'Source IP v4 address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeSourceIPv6VariableAuxClass'
  DESC 'Source IP v6 address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeDestinationIPv4VariableAuxClass'
  DESC 'Destination IP v4 address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeDestinationIPv6VariableAuxClass'
  DESC 'Destination IP v6 address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeSourcePortVariableAuxClass'
  DESC 'Source port'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeDestinationPortVariableAuxClass'
  DESC 'Destination port'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeIPProtocolVariableAuxClass'
  DESC 'IP protocol number'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeIPVersionVariableAuxClass'
  DESC 'IP version number'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeIPToSVariableAuxClass'
  DESC 'IP ToS'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeDSCPVariableAuxClass'
  DESC 'DiffServ code point'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)
( IANA-ASSIGNED-OID.1.x NAME 'pcimeFlowIdVariableAuxClass'
  DESC 'Flow Identifier'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeSourceMACVariableAuxClass'
  DESC 'Source MAC address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeDestinationMACVariableAuxClass'
  DESC 'Destination MAC address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeVLANVariableAuxClass'
  DESC 'VLAN'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeCoSVariableAuxClass'
  DESC 'Class of service'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeEthertypeVariableAuxClass'
  DESC 'Ethertype'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeSourceSAPVariableAuxClass'
  DESC 'Source SAP'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeDestinationSAPVariableAuxClass'
  DESC 'Destination SAP'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeSNAPOUIVariableAuxClass'
  DESC 'SNAP OUI'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeSNAPTypeVariableAuxClass'
  DESC 'SNAP type'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeFlowDirectionVariableAuxClass'
  DESC 'Flow direction'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

5.21 The Auxiliary Class pcimeValueAuxClass

( IANA-ASSIGNED-OID.1.x NAME 'pcimeValueAuxClass'
  DESC 'Base class for representing a value that can be matched against
        or set for a specific variable.'
  SUP top
  AUXILIARY
  MAY ( pcimeValueName )
)

The attribute pcimeValueName:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeValueName'
  DESC 'The user-friendly name of a value.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

5.22 Subclasses of pcimeValueAuxClass

( IANA-ASSIGNED-OID.1.x NAME 'pcimeIPv4AddrValueAuxClass'
  DESC 'IP v4 address value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeIPv4AddrList )
)

The attribute pcimeIPv4AddrList:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeIPv4AddrList'
  DESC 'List of IPv4 address values, ranges or hosts.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeIPv6AddrValueAuxClass'
  DESC 'IP v6 address value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeIPv6AddrList )
)

The attribute pcimeIPv6AddrList:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeIPv6AddrList'
  DESC 'List of IPv6 address values, ranges or hosts.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeMACAddrValueAuxClass'
  DESC 'MAC address value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeMACAddrList )
)

The attribute pcimeMACAddrList:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeMACAddrList'
  DESC 'List of MAC address values or ranges.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeStringValueAuxClass'
  DESC 'String value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeStringList )
)

The attribute pcimeStringList:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeStringList'
  DESC 'List of strings or wildcarded strings.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
( IANA-ASSIGNED-OID.1.x NAME 'pcimeBitStringValueAuxClass'
  DESC 'Bit string value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeBitStringList )
)

The attribute pcimeBitStringList:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeBitStringList'
  DESC 'List of bit strings or masked bit strings.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeIntegerValueAuxClass'
  DESC 'Integer value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeIntegerList )
)

The attribute pcimeIntegerList:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeIntegerList'
  DESC 'List of integers or integer ranges.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeBooleanValueAuxClass'
  DESC 'Boolean value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeBoolean )
)

The attribute pcimeBoolean:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeBoolean'
  DESC 'A boolean value.'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
)

5.23 The three new Reusable Container classes

( IANA-ASSIGNED-OID.1.x NAME 'pcimeReusableContainer'
  DESC 'A container for reusable policy information.'
  SUP dlm1AdminDomain
  ABSTRACT
  MAY ( pcimeReusableContainerName $ pcimeReusableContainerList )
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeReusableContainerAuxClass'
  DESC 'An auxiliary class that can be used to aggregate reusable
        policy information.'
  SUP pcimeReusableContainer
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x NAME 'pcimeReusableContainerInstance'
  DESC 'A structural class that can be used to aggregate reusable
        policy information.'
  SUP pcimeReusableContainer
  STRUCTURAL
)

The attribute pcimeReusableContainerName:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeReusableContainerName'
  DESC 'The user-friendly name of a reusable policy container.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

The attribute pcimeReusableContainerList:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeReusableContainerList'
  DESC 'List of DN references to the pcimeReusableContainer entries.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

5.24 The three deprecated Repository classes

The pcimRepository class and its subclasses are replaced by pcimeReusableContainer and its subclasses.

( IANA-ASSIGNED-OID.1.18 NAME 'pcimRepository'
  DESC 'A container for reusable policy information.'
  OBSOLETE
  SUP dlm1AdminDomain
  ABSTRACT
  MAY ( pcimRepositoryName )
)

( IANA-ASSIGNED-OID.1.19 NAME 'pcimRepositoryAuxClass'
  DESC 'An auxiliary class that can be used to aggregate reusable
        policy information.'
  OBSOLETE
  SUP pcimRepository
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.20 NAME 'pcimRepositoryInstance'
  DESC 'A structural class that can be used to aggregate reusable
        policy information.'
  OBSOLETE
  SUP pcimRepository
  STRUCTURAL
)

The following attribute is also deprecated:

( IANA-ASSIGNED-OID.2.36 NAME 'pcimRepositoryName'
  DESC 'The user-friendly name of this policy repository.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

5.25 The new class pcimeRoleCollection

( IANA-ASSIGNED-OID.1.x NAME 'pcimeRoleCollection'
  DESC 'This class is used to group together entries that share the
        same role.'
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimeRole )
  MAY ( pcimeRoleCollectionName $ pcimeElementList )
)

The attribute pcimeRole:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeRole'
  DESC 'String representing a role.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

The attribute pcimeRoleCollectionName:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeRoleCollectionName'
  DESC 'The user-friendly name of a role collection.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

The attribute pcimeElementList:

( IANA-ASSIGNED-OID.2.x NAME 'pcimeElementList'
  DESC 'List of DN references to the entries representing managed
        elements.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

6. Recommended Schema Extension Methods

7. PCLS Data Migration Considerations

8. Security Considerations

This section is based on the requirements of the [PCLS] document [] and also takes into account the following RFCs, which address the same security aspects:

   RFC 2829 (Authentication Methods for LDAP)
   RFC 2830 (Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security)

These RFCs provide a general framework for the security architecture of the system. However, some comments have to be provided as a consequence of the extensions defined in this document and their relation to PCLS. The newly considered scenarios, with reusability and information containers located in other DITs, are described in section 4.4 of [PCLS]. As a consequence, new types of threats to the system have to be considered, and new security services have to be defined in order to protect against them.
As a result, the following new security services are defined:

   1) Authentication between entities of the network.
   2) Mutual authentication between the network operator and network entities (e.g. DITs).
   3) Integrity and confidentiality of the links between network entities, and also within the LDAP directories.

Several definitions and security mechanisms related to DITs can also be obtained from the following ITU specification: X.509, The Directory: Authentication framework.

Furthermore, retrieving the OIDs and attribute values from the DITs in a distributed scenario implies interaction between diverse network entities across changes of security domain and/or administrative domain. In this directory scenario, with migration of data, the use of the DSP (Directory Service Protocol) with query types such as referral, chaining and multicasting, with different key management and authentication among network entities, would have to be considered.

9. IANA Considerations

9.1 Object Identifiers

It is requested that IANA register an LDAP Object Identifier for use in this technical specification according to the following template:

   Subject: Request for LDAP OID Registration
   Person & email address to contact for further information: XXX
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments: The assigned OID will be used as a base for identifying a number of schema elements defined in this document.

9.2 Object Identifier Descriptors

It is requested that IANA register the LDAP Descriptors used in this technical specification as detailed in the following template:

   Subject: Request for LDAP Descriptor Registration Update
   Descriptor (short name): see comment
   Object Identifier: see comment
   Person & email address to contact for further information: Bob Moore (remoore@us.ibm.com)
   Usage: see comment
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:
The following descriptors should be added:

   NAME                 Type   OID
   -------------------  ----   ---------------------
   pcimeXXX             O      IANA-ASSIGNED-OID.1.1

10. References

[CIM]       Distributed Management Task Force, Inc., "Common Information Model (CIM) Schema", version 2.3, March 2000. The components of the CIM v2.3 schema are available via links on the following DMTF web page: http://www.dmtf.org/spec/cims.html

[PCIM]      B. Moore, E. Ellesson, J. Strassner, "Policy Core Information Model -- Version 1 Specification", RFC 3060, May 2000.

[PCIM_EXT]  B. Moore et al., "Policy Core Information Model (PCIM) Extensions", RFC 3460, January 2003.

[PCLS]      J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy Core LDAP Schema", Internet Draft, work in progress, draft-ietf-policy-core-schema-16.txt.

[LDAP-IANA] K. Zeilenga, "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 3383, September 2002.

11. Authors' Addresses

   Angelica Reyes, Antoni Barba, David Moron
   Technical University of Catalonia
   Jordi-Girona 1-3
   08034 Barcelona
   Spain
   [angelica|telabm|dmoron]@mat.upc.es

   Marcus Brunner
   NEC Europe Ltd.
   Kurfuersten Anlage 34
   D-69115 Heidelberg
   Germany
   brunner@ccrle.nec.de

   Mircea Pana
   MetaSolv Software Inc.
   360 Legget Drive
   Ottawa, Ontario, Canada K2K 3N1
   mpana@metasolv.com

12. Full Copyright Statement

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Appendix A: Issues

Some classes need to be added:

1. pcimeReusablePolicyContainer subclasses. Since pcimeRepository and its two subclasses are deprecated, we have needed to add pcimeReusablePolicyContainer and two subclasses: pcimeReusableContainerInstance (structural) and pcimeReusableContainerAuxClass (auxiliary). The class pcimeReusableContainer is defined as an abstract class, so pcimeReusableContainer subclasses are needed in order to instantiate classes in the directory.
   RESOLUTION: This issue has been resolved in sections 5.23 and 5.24.

2. We have to add the subclasses pcimRuleActionAssociation and pcimActionAssociation.
   RESOLUTION: This issue has been resolved using the class pcimeActionAssociation. See section 5.8.

3. We have to clarify the following classes: pcimePolicyVariableAuxClass, pcimePolicyVariableInstance, pcimePolicyExplicitVariableAuxClass, pcimePolicyImplicitVariableInstance.
   RESOLUTION: This issue has been resolved in sections 5.17 to 5.22.

4.
We have to clarify the mapping of next classes PolicyValue and its subclasses. PolicyImpliciyVariable subclasses. RESOLUTION: This issue has been resolved in sections from 5.19 to 5.22 We also consider the next points: 5. To define classes to search errors and classes to detect failures in the system (Still it is an open issue) 6. Because of the policy server is centralized and the LDAP is distributed hierarchically could be necessary to add classes in order to find duplicates in the information. It can occur, for example when updating is excessively often. (Still it is an open issue) 7. Mapping between Network domains and the updating of information. (Still it is an open issue) Servers via resource management programs could manage some of these topics, even though it is necessary to add specific classes. (Still it is an open issue) 8. The PolicyRoleCollection class from [PCIM_EXT] is implemented as the pcimeRoleCollection structural object class. This object class is a subclass of the abstract pcimPolicy defined in [PCLS]. As a consequence pcimeRoleCollection instances can be located and retrieved by LDAP clients that implement the mechanism defined in the section 4.5 of [PCLS]. An other option to consider is the implementation of pcimeRoleCollection as a triplet of abstract / structural / auxiliary subclasses of the abstract dlm1Collection defined by [CIM]. In such case, however, in order to permit the utilization of the location and retrieval mechanism mentioned above, it would be necessary to attach a pcimElementAuxClass to the pcimeRoleCollection instances. RESOLUTION: CLOSED. The authors agree on the current implementation. 9. Considerations about the relation between performance related to retrieval of information and storage capacity of DITs. 10. The following PCIM EXT classes and aggregations need to be addressed: FilterEntryBase, IpHeadersFilter, 8021Filter, FilterList and EntriesInFilterList. Reyes, et al. 
