INTERNET-DRAFT                    PCELS                        June 2003


Policy Framework Working Group                            Angelica Reyes
INTERNET-DRAFT                                              Antoni Barba
Updates: draft-ietf-policy-core-schema-16                    David Moron
                                       Technical University of Catalonia
                                                          Marcus Brunner
                                                                     NEC
                                                             Mircea Pana
                                                                MetaSolv
                                                               June 2003


              Policy Core Extension LDAP Schema (PCELS)


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT].  The changes
   include additional object classes previously not covered,
   deprecation of some object classes and changes to the object class
   hierarchy defined in PCLS.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.


Reyes, et al.            Expires: December 2003                 [page 1]


Table of contents

   1.    Introduction
   2.    Relationship to other Policy Framework Documents
   3.    Inheritance Hierarchy for PCELS
   4.    General Discussion of Mapping the Policy Core Information Model
         Extensions to LDAP
   4.1   Summary of Class and Association Mappings
   4.2   Summary of changes since PCLS
   4.3   The Association of PolicyVariable and PolicyValues to
         PolicySimpleCondition and PolicySimpleAction
   4.4   The Aggregation of PolicyRules and PolicyGroups in PolicySets
   4.5   The Aggregation of actions/conditions in PolicyRules and
         CompoundActions/CompoundConditions
   5.    Class Definitions
   5.1   The Class pcimPolicySet
   5.2   The Structural Class pcimPolicySetAssociation
   5.3   The Updated Class pcimGroup
   5.4   The Deprecated Class pcimGroupContainmentAuxClass
   5.5   The Deprecated Class pcimRuleContainmentAuxClass
   5.6   The Three Classes pcimPolicyRule
   5.7   The Structural Class pcimConditionAssociation
   5.8   The Structural Class pcimActionAssociation
   5.9   The Three Deprecated Classes pcimRule
   5.10  The Deprecated Class pcimRuleConditionAssociation
   5.11  The Deprecated Class pcimRuleActionAssociation
   5.12  The Auxiliary Class pcimSimpleConditionAuxClass
   5.13  The Auxiliary Class pcimCompoundConditionAuxClass
   5.14  The Auxiliary Class pcimCompoundFilterAuxClass
   5.15  The Auxiliary Class pcimSimpleActionAuxClass
   5.16  The Auxiliary Class pcimCompoundActionAuxClass
   5.17  The Abstract Class pcimVariable
   5.18  The Auxiliary Class pcimExplicitVariableAuxClass
   5.19  The Auxiliary Class pcimImplicitVariableAuxClass
   5.20  The Subclasses of pcimImplicitVariableAuxClass
   5.21  The Auxiliary Class pcimValueAuxClass
   5.22  The Subclasses of pcimValueAuxClass
   5.23  The Three Classes pcimReusableContainer
   5.24  The Three Deprecated Classes pcimRepository
   5.25  The Structural Class pcimRoleCollection
   5.26  The Abstract Class pcimFilterEntry
   5.27  The Structural Class pcimIPHeaders
   5.28  The Structural Class pcim8021Headers
   5.29  The Auxiliary Class pcimFilterListAuxClass
   6.    Security Considerations
   7.    IANA Considerations
   7.1   Object Identifiers
   7.2   Object Identifier Descriptors
   8.    References
   9.    Authors' Addresses
   10.   Full Copyright Statement
   Appendix A: Issues

1. Introduction

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT].  The changes
   include additional object classes previously not covered,
   deprecation of some object classes and changes to the object class
   hierarchy defined in PCLS.

   Within the context of this document, the term 'PCELS' (Policy Core
   Extension LDAP Schema) is used to refer to the LDAP object class
   definitions contained in this document.

2. Relationship to other Policy Framework Documents

   This document contains an LDAP schema mapping for the classes
   defined in the Policy Core Information Model Extensions [PCIM_EXT].
   Other documents may subsequently be produced, with mappings of the
   same PCIM extensions to other storage or transport technologies.
   The document is an extension to [PCLS], which defines the mapping of
   the Policy Core Information Model [PCIM] to an LDAP schema.

3. Inheritance Hierarchy for PCELS

   The following diagram illustrates the combined class hierarchy for
   the LDAP object classes defined in [PCLS] and in this document:

   top
    |
    +---dlm1ManagedElement (abstract)
    |    |
    |    +---pcimPolicy (abstract)
    |    |    |
    |    |    +---pcimPolicySet (abstract new)
    |    |    |    |
    |    |    |    +---pcimGroup (abstract moved)
    |    |    |    |    |
    |    |    |    |    +---pcimGroupAuxClass (auxiliary moved)
    |    |    |    |    +---pcimGroupInstance (structural moved)
    |    |    |    |
    |    |    |    +---pcimPolicyRule (abstract new)
    |    |    |         |
    |    |    |         +---pcimPolicyRuleAuxClass (auxiliary new)
    |    |    |         +---pcimPolicyRuleInstance (structural new)
    |    |    |
    |    |    +---pcimRule (abstract deprecated)
    |    |    |    |
    |    |    |    +---pcimRuleAuxClass (auxiliary deprecated)
    |    |    |    +---pcimRuleInstance (structural deprecated)
    |    |    |
    |    |    +---pcimRuleConditionAssociation (structural deprecated)
    |    |    +---pcimConditionAssociation (structural new)
    |    |    +---pcimRuleValidityAssociation (structural)
    |    |    +---pcimRuleActionAssociation (structural deprecated)
    |    |    +---pcimActionAssociation (structural new)
    |    |    +---pcimPolicySetAssociation (structural new)
    |    |    +---pcimPolicyInstance (structural)
    |    |    +---pcimElementAuxClass (auxiliary)
    |    |    +---pcimRoleCollection (structural new)
    |    |    +---pcimFilterEntry (abstract new)
    |    |         |
    |    |         +---pcimIPHeaders (structural new)
    |    |         +---pcim8021Headers (structural new)
    |    |
    |    +---dlm1ManagedSystemElement (abstract)
    |         |
    |         +---dlm1LogicalElement (abstract)
    |              |
    |              +---dlm1System (abstract)
    |                   |
    |                   +---dlm1AdminDomain (abstract)
    |                        |
    |                        +---pcimRepository (abstract deprecated)
    |                        |    |
    |                        |    +---pcimRepositoryAuxClass
    |                        |    |      (auxiliary deprecated)
    |                        |    +---pcimRepositoryInstance
    |                        |           (structural deprecated)
    |                        |
    |                        +---pcimReusableContainer (abstract new)
    |                             |
    |                             +---pcimReusableContainerAuxClass
    |                             |      (auxiliary new)
    |                             +---pcimReusableContainerInstance
    |                                    (structural new)
    |
    +---pcimConditionAuxClass (auxiliary)
    |    |
    |    +---pcimTPCAuxClass (auxiliary)
    |    +---pcimConditionVendorAuxClass (auxiliary)
    |    +---pcimSimpleConditionAuxClass (auxiliary new)
    |    +---pcimCompoundConditionAuxClass (auxiliary new)
    |    |    |
    |    |    +---pcimCompoundFilterAuxClass (auxiliary new)
    |    |
    |    +---pcimFilterListAuxClass (auxiliary new)
    |
    +---pcimActionAuxClass (auxiliary)
    |    |
    |    +---pcimActionVendorAuxClass (auxiliary)
    |    +---pcimSimpleActionAuxClass (auxiliary new)
    |    +---pcimCompoundActionAuxClass (auxiliary new)
    |
    +---pcimVariable (abstract new)
    |    |
    |    +---pcimExplicitVariableAuxClass (auxiliary new)
    |    +---pcimImplicitVariableAuxClass (auxiliary new)
    |         |
    |         +---pcimSourceIPv4VariableAuxClass (auxiliary new)
    |         +---pcimSourceIPv6VariableAuxClass (auxiliary new)
    |         +---pcimDestinationIPv4VariableAuxClass (auxiliary new)
    |         +---pcimDestinationIPv6VariableAuxClass (auxiliary new)
    |         +---pcimSourcePortVariableAuxClass (auxiliary new)
    |         +---pcimDestinationPortVariableAuxClass (auxiliary new)
    |         +---pcimIPProtocolVariableAuxClass (auxiliary new)
    |         +---pcimIPVersionVariableAuxClass (auxiliary new)
    |         +---pcimIPToSVariableAuxClass (auxiliary new)
    |         +---pcimDSCPVariableAuxClass (auxiliary new)
    |         +---pcimFlowIdVariableAuxClass (auxiliary new)
    |         +---pcimSourceMACVariableAuxClass (auxiliary new)
    |         +---pcimDestinationMACVariableAuxClass (auxiliary new)
    |         +---pcimVLANVariableAuxClass (auxiliary new)
    |         +---pcimCoSVariableAuxClass (auxiliary new)
    |         +---pcimEthertypeVariableAuxClass (auxiliary new)
    |         +---pcimSourceSAPVariableAuxClass (auxiliary new)
    |         +---pcimDestinationSAPVariableAuxClass (auxiliary new)
    |         +---pcimSNAPOUIVariableAuxClass (auxiliary new)
    |         +---pcimSNAPTypeVariableAuxClass (auxiliary new)
    |         +---pcimFlowDirectionVariableAuxClass (auxiliary new)
    |
    +---pcimValueAuxClass (auxiliary new)
    |    |
    |    +---pcimIPv4AddrValueAuxClass (auxiliary new)
    |    +---pcimIPv6AddrValueAuxClass (auxiliary new)
    |    +---pcimMACAddrValueAuxClass (auxiliary new)
    |    +---pcimStringValueAuxClass (auxiliary new)
    |    +---pcimBitStringValueAuxClass (auxiliary new)
    |    +---pcimIntegerValueAuxClass (auxiliary new)
    |    +---pcimBooleanValueAuxClass (auxiliary new)
    |
    +---pcimSubtreesPtrAuxClass (auxiliary)
    +---pcimGroupContainmentAuxClass (auxiliary deprecated)
    +---pcimRuleContainmentAuxClass (auxiliary deprecated)

4. General Discussion of Mapping the Policy Core Information Model
   Extensions to LDAP

   The object classes described in this document contain certain
   optimizations for a directory that uses LDAP as an access protocol.
   One example is the use of auxiliary class attachment to LDAP
   entries to realize some of the associations defined in the
   information model.  Note that other storage types might need to
   implement the association differently.

4.1 Summary of Class and Association Mappings

   The LDAP object classes defined in this document are a direct
   mapping from the corresponding classes and, in some cases, the
   associations defined in [PCIM_EXT].  Similarly, the LDAP attributes
   defined here are a direct mapping from the corresponding class
   properties.
   In some cases, associations defined in [PCIM_EXT] are simply mapped
   to reference attributes or realized through auxiliary class
   attachment.  As in [PCLS], the prefix "pcim" is used for all the
   object class and attribute names defined in this document.

   Information Model (PCIM ext)        LDAP Class(es)
   ----------------------------------  -----------------------------------
   PolicySet                           pcimPolicySet
   PolicyRule                          pcimPolicyRule
                                       pcimPolicyRuleAuxClass
                                       pcimPolicyRuleInstance
   SimplePolicyCondition               pcimSimpleConditionAuxClass
   CompoundPolicyCondition             pcimCompoundConditionAuxClass
   CompoundFilterCondition             pcimCompoundFilterAuxClass
   SimplePolicyAction                  pcimSimpleActionAuxClass
   CompoundPolicyAction                pcimCompoundActionAuxClass
   PolicyVariable                      pcimVariable
   PolicyExplicitVariable              pcimExplicitVariableAuxClass
   PolicyImplicitVariable              pcimImplicitVariableAuxClass
   PolicySourceIPv4Variable            pcimSourceIPv4VariableAuxClass
   PolicySourceIPv6Variable            pcimSourceIPv6VariableAuxClass
   PolicyDestinationIPv4Variable       pcimDestinationIPv4VariableAuxClass
   PolicyDestinationIPv6Variable       pcimDestinationIPv6VariableAuxClass
   PolicySourcePortVariable            pcimSourcePortVariableAuxClass
   PolicyDestinationPortVariable       pcimDestinationPortVariableAuxClass
   PolicyIPProtocolVariable            pcimIPProtocolVariableAuxClass
   PolicyIPVersionVariable             pcimIPVersionVariableAuxClass
   PolicyIPToSVariable                 pcimIPToSVariableAuxClass
   PolicyDSCPVariable                  pcimDSCPVariableAuxClass
   PolicyFlowIdVariable                pcimFlowIdVariableAuxClass
   PolicySourceMACVariable             pcimSourceMACVariableAuxClass
   PolicyDestinationMACVariable        pcimDestinationMACVariableAuxClass
   PolicyVLANVariable                  pcimVLANVariableAuxClass
   PolicyCoSVariable                   pcimCoSVariableAuxClass
   PolicyEthertypeVariable             pcimEthertypeVariableAuxClass
   PolicySourceSAPVariable             pcimSourceSAPVariableAuxClass
   PolicyDestinationSAPVariable        pcimDestinationSAPVariableAuxClass
   PolicySNAPOUIVariable               pcimSNAPOUIVariableAuxClass
   PolicySNAPTypeVariable              pcimSNAPTypeVariableAuxClass
   PolicyFlowDirectionVariable         pcimFlowDirectionVariableAuxClass
   PolicyValue                         pcimValueAuxClass
   PolicyIPv4AddrValue                 pcimIPv4AddrValueAuxClass
   PolicyIPv6AddrValue                 pcimIPv6AddrValueAuxClass
   PolicyMACAddrValue                  pcimMACAddrValueAuxClass
   PolicyStringValue                   pcimStringValueAuxClass
   PolicyBitStringValue                pcimBitStringValueAuxClass
   PolicyIntegerValue                  pcimIntegerValueAuxClass
   PolicyBooleanValue                  pcimBooleanValueAuxClass
   PolicyRoleCollection                pcimRoleCollection
   ReusablePolicyContainer             pcimReusableContainer
                                       pcimReusableContainerAuxClass
                                       pcimReusableContainerInstance
   FilterEntryBase                     pcimFilterEntry
   IPHeadersFilter                     pcimIPHeaders
   8021Filter                          pcim8021Headers
   FilterList                          pcimFilterListAuxClass

   Information Model Association          LDAP Attribute / Class
   -------------------------------------  ------------------------------
   PolicySetComponent                     pcimPolicySetList in
                                          pcimPolicySet and
                                          pcimPolicySetDN in
                                          pcimPolicySetAssociation
   PolicySetInSystem                      DIT containment and
                                          pcimPolicySetDN in
                                          pcimPolicySetAssociation
   PolicyGroupInSystem                    (same as PolicySetInSystem)
   PolicyRuleInSystem                     (same as PolicySetInSystem)
   PolicyConditionStructure               pcimConditionDN in
                                          pcimConditionAssociation
   PolicyConditionInPolicyRule            pcimConditionList in
                                          pcimPolicyRule and
                                          pcimConditionDN in
                                          pcimConditionAssociation
   PolicyConditionInPolicyCondition       pcimConditionList in
                                          pcimCompoundConditionAuxClass
                                          and pcimConditionDN in
                                          pcimConditionAssociation
   PolicyActionStructure                  pcimActionDN in
                                          pcimActionAssociation
   PolicyActionInPolicyRule               pcimActionList in
                                          pcimPolicyRule and
                                          pcimActionDN in
                                          pcimActionAssociation
   PolicyActionInPolicyAction             pcimActionList in
                                          pcimCompoundActionAuxClass
                                          and pcimActionDN in
                                          pcimActionAssociation
   PolicyVariableInSimplePolicyCondition  pcimVariableDN in
                                          pcimSimpleConditionAuxClass
   PolicyValueInSimplePolicyCondition     pcimValueDN in
                                          pcimSimpleConditionAuxClass
   PolicyVariableInSimplePolicyAction     pcimVariableDN in
                                          pcimSimpleActionAuxClass
   PolicyValueInSimplePolicyAction        pcimValueDN in
                                          pcimSimpleActionAuxClass
   ReusablePolicy                         DIT containment
   ExpectedPolicyValuesForVariable        pcimExpectedValueList in
                                          pcimVariable
   ContainedDomain                        DIT containment or
                                          pcimReusableContainerList in
                                          pcimReusableContainer
   EntriesInFilterList                    pcimFilterEntryList in
                                          pcimFilterListAuxClass
   ElementInPolicyRoleCollection          DIT containment or
                                          pcimElementList in
                                          pcimRoleCollection
   PolicyRoleCollectionInSystem           DIT containment

4.2 Summary of changes since PCLS

   This section provides an overview of the changes to PCLS defined in
   this document:

   1. Changes to pcimRepository: because of the potential for confusion
      with the Policy Framework component Policy Repository as
      described in section 3.2.1 of [PCIM_EXT], the class is now
      called pcimReusableContainer.  Its subclasses have been renamed
      as well.

   2. The pcimGroupContainmentAuxClass and pcimRuleContainmentAuxClass
      auxiliary classes, used to map the PolicyRuleInPolicyGroup and
      PolicyGroupInPolicyGroup aggregations defined by [PCIM], are
      replaced by the structural class pcimPolicySetAssociation and the
      attribute pcimPolicySetList added to the abstract class
      pcimPolicySet.  Section 4.4 presents the details of this
      association.

   3. The class pcimRule is deprecated and, with it, the absolute
      prioritization of policy rules is no longer available.  A
      relative prioritization of policies is introduced through the
      attribute pcimPriority in the pcimPolicySet object class.  This
      attribute indicates the relative priority of the components of a
      policy set or, for a PolicySetInSystem, the priority of the
      referenced policy set relative to the other policy sets
      associated to this system.

   4. A new attribute pcimDecisionStrategy is added to the
      pcimPolicySet class in order to map the decision mechanism
      described in [PCIM_EXT].

   5. The attribute pcimRoles is moved to the class pcimPolicySet from
      the deprecated class pcimRule.  Thus, the role based policy
      selection mechanism is preserved and extended to all the
      subclasses of pcimPolicySet.

   6. The new attribute pcimExecutionStrategy is added to the
      pcimPolicyRule class to allow the specification of the expected
      behavior in the case where there are multiple actions aggregated
      by a rule or by a compound action.
   7. Compound Conditions: The pcimCompoundConditionAuxClass class is
      added in order to map the CompoundPolicyCondition class of
      [PCIM_EXT].  A new class, pcimConditionAssociation, is introduced
      to realize the aggregation of policy conditions in a
      pcimCompoundConditionAuxClass.  The same class is used to
      aggregate policy conditions in a pcimPolicyRule, while the
      pcimRuleConditionAssociation defined in [PCLS] for this purpose
      is deprecated.

   8. Compound Actions: The pcimCompoundActionAuxClass class is added
      in order to map the CompoundPolicyAction class of [PCIM_EXT].  A
      new class, pcimActionAssociation, is introduced to realize the
      aggregation of policy actions in a pcimCompoundActionAuxClass.
      The same class is used to aggregate policy actions in a
      pcimPolicyRule, while the pcimRuleActionAssociation defined in
      [PCLS] for this purpose is deprecated.

   9. Variables and values: The classes defined in [PCIM_EXT] for the
      implementation of simple conditions and actions are directly
      mapped to auxiliary classes.  These classes are:
      pcimSimpleConditionAuxClass, pcimSimpleActionAuxClass,
      pcimVariable and its subclasses, and pcimValueAuxClass and its
      subclasses.

   10. Reusable conditions, actions, groups, rules, variables and
      values are subordinated (DIT contained) to a pcimReusableContainer
      entry.  Thus, the ReusablePolicy association defined in
      [PCIM_EXT] is realized through subordination.

   11. Device level filter classes are added to the schema.

   12. The pcimRoleCollection class is added to the schema to allow the
      association of policy roles to resources represented as LDAP
      entries.

4.3 The Association of PolicyVariable and PolicyValues to
    PolicySimpleCondition and PolicySimpleAction

   A PolicySimpleCondition as well as a PolicySimpleAction includes a
   single PolicyValue and a single PolicyVariable.  Each of them can be
   attached or referenced by a DN.
   The attachment helps create compact PolicyCondition and PolicyAction
   definitions that can be efficiently provisioned and retrieved from
   the repository.  On the other hand, referenced PolicyVariable and
   PolicyValue instances can be reused in the construction of multiple
   policies and permit the administrative partitioning of the data and
   policy definitions.

4.4 The Aggregation of PolicyRules and PolicyGroups in PolicySets

   In [PCIM_EXT], the two aggregations PolicyGroupInPolicyGroup and
   PolicyRuleInPolicyGroup are combined into a single aggregation,
   PolicySetComponent.  This aggregation and the capability of
   association between a policy and the ReusablePolicyContainer offer
   new possibilities of reusability.  Furthermore, these aggregations
   introduce new semantics representing the execution of one
   PolicyRule within the scope of another PolicyRule.

   Since PolicySet is defined in [PCIM_EXT], it is mapped in this
   document to a new class pcimPolicySet in order to provide an
   abstraction for a set of policy rules or groups.  The aggregation
   class PolicySetComponent in [PCIM_EXT] is mapped to a multi-valued
   attribute pcimPolicySetList in the pcimPolicySet class and the
   attribute pcimPolicySetDN in the pcimPolicySetAssociation class.
   These attributes refer to the nested rules and groups.

   It is possible to store a rule/group nested in another rule/group
   in two ways.  The first way is to define the nested rule/group as
   specific to the nesting rule/group.  The second way is to define
   the nested rules/groups as reusable.

   First case: Specific nested sets (rules/groups).

                 +----------+
                 |Rule/Group|
           +-----|-        -|-----+
           |     +----------+     |
           |      *        *      |
           |      *        *      |
           |  *****        *****  |
           |  *                *  |
           v  *                *  v
     +-----------+        +-----------+
     | SA1+Set1  |        | SA2+Set2  |
     +-----------+        +-----------+

   +------------------------------+
   |LEGEND:                       |
   |  *****  DIT containment      |
   |  +      auxiliary attachment |
   |  ---->  DN reference         |
   +------------------------------+

   #:    Number.
   Set#: pcimPolicyRuleAuxClass or pcimGroupAuxClass auxiliary class.
   SA#:  pcimPolicySetAssociation structural class.

   The nesting pcimPolicySet refers to instances of
   pcimPolicySetAssociation using the attribute pcimPolicySetList.
   These structural association classes are subordinated (DIT
   contained) to the pcimPolicySet (rule or group) entry and represent
   the association between the set (rule or group) and its nested
   rules/groups.  The nested pcimPolicySet instances are attached (as
   auxiliary classes) to the association entries.

   Second case: Reusable nested sets (rules/groups).

        +----------+                      +-------------+
        |Rule/Group|                      | RepositoryX |
      +-|-       -|-+                     +-------------+
      |   *      *  |                          *     *
      |   *      *  |                          *     *
      v   *      *  v                          *     *
   +-------+   +-------+      +---------+      *     *
   |  SA1  |   |  SA2  |----->| S1+Set2 |*******     *
   +-------+   +-------+      +---------+            *
      |                       +---------+            *
      +---------------------->| S2+Set3 |*************
                              +---------+

   +------------------------------+
   |LEGEND:                       |
   |  *****  DIT containment      |
   |  +      auxiliary attachment |
   |  ---->  DN reference         |
   +------------------------------+

   Set#: pcimPolicyRuleAuxClass or pcimGroupAuxClass class.
   SA#:  pcimPolicySetAssociation structural class.
   S#:   structural class.

   The nesting pcimPolicySet refers to instances of
   pcimPolicySetAssociation using the attribute pcimPolicySetList.
   These structural association classes are subordinated (DIT
   contained) to the pcimPolicySet entry and represent the association
   between the set (rule or group) and its nested rules/groups.  The
   reusable rules/groups are instantiated here as auxiliary classes
   and attached to pcimPolicyInstance entries in the reusable
   container.  Another option is to use the structural subclasses for
   defining reusable rules/groups.  The association classes belonging
   to a nesting policy set reference the reusable rules/groups using
   the attribute pcimPolicySetDN.

   A combination of both specific and reusable components is also
   allowed for the same policy set.

4.5 The Aggregation of actions/conditions in PolicyRules and
    CompoundActions/CompoundConditions

   [PCIM_EXT] defines two new classes that offer the designer the
   capability of creating more complex conditions and actions.  The
   CompoundPolicyCondition and CompoundPolicyAction classes are mapped
   in this document to the pcimCompoundConditionAuxClass and
   pcimCompoundActionAuxClass classes, which are subclasses of
   pcimConditionAuxClass and pcimActionAuxClass respectively.  The
   compound conditions/actions defined in [PCIM_EXT] extend the
   capability of the rule to associate, group and evaluate/execute
   conditions/actions.  The conditions/actions are associated to
   compound conditions/actions in the same way as they are associated
   to the rules.

   This section explains how to store instances of these classes in
   an LDAP directory.  As a general rule, specific conditions/actions
   are subordinated (DIT contained) to the rule or compound
   condition/action that aggregates them and are attached to
   association class instances.  Reusable conditions/actions are
   subordinated to pcimReusableContainer instances and attached to
   pcimPolicyInstance instances.

   The examples below illustrate the four possible cases combining
   specific/reusable compound/non-compound conditions/actions.  The
   rule has two compound conditions, each of which has two different
   conditions.  The schemes can be extended in order to store actions.
   The examples below are based on and extend those illustrated in
   section 4.4 of [PCLS].

   - First case: Specific compound condition/action with specific
     conditions/actions.
                        +--------------+
                 +------|     Rule     |------+
                 |      +--------------+      |
                 |        *          *        |
                 |  *******          *******  |
                 v  *                      *  v
             +---------+              +---------+
           +-| CA1+cc1 |-+          +-| CA2+cc2 |-+
           | +---------+ |          | +---------+ |
           |   *     *   |          |   *     *   |
           | ***     *** |          | ***     *** |
           v *         * v          v *         * v
        +------+    +------+     +------+    +------+
        |CA3+c1|    |CA4+c2|     |CA5+c3|    |CA6+c4|
        +------+    +------+     +------+    +------+

   +------------------------------+
   |LEGEND:                       |
   |  *****  DIT containment      |
   |  +      auxiliary attachment |
   |  ---->  DN reference         |
   +------------------------------+

   #:   Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#:  subclass of pcimConditionAuxClass.

   Because the compound conditions/actions are specific to the rule,
   they are auxiliary attachments to instances of the structural
   classes pcimConditionAssociation or pcimActionAssociation.  These
   structural classes represent the association between the rule and
   the compound condition/action.  The rule-specific
   conditions/actions are therefore subordinated (DIT contained) to
   the rule entry.  The conditions/actions are tied to the compound
   conditions/actions in the same way the compound conditions/actions
   are tied to rules.  Association classes realize the association
   between the aggregating compound conditions/actions and the
   specific conditions/actions.

   - Second case: Rule-specific compound conditions/actions with
     reusable conditions/actions.
[Figure, second case. The ASCII drawing is not recoverable from this copy; it shows the Rule entry DIT-containing the association entries CA1+cc1 and CA2+cc2 and referring to them by DN; CA1+cc1 DIT-containing and referring to the association entries CA3 and CA4, and CA2+cc2 DIT-containing and referring to CA5 and CA6. The reusable container RepositoryX DIT-contains the structural entries S1+c4, S2+c3, S3+c2 and S4+c1. The association entries refer to them by DN: CA3 -> S4+c1, CA4 -> S3+c2, CA5 -> S2+c3, CA6 -> S1+c4.]

    LEGEND:
      *****  DIT containment
      +      auxiliary attachment
      ---->  DN reference

    #:    Number.
    CA#:  pcimConditionAssociation structural class.
    cc#:  pcimCompoundConditionAuxClass auxiliary class.
    c#:   subclass of pcimConditionAuxClass.
    S#:   structural class.

This case is similar to the first one. The conditions/actions are reusable, so they are not attached to the association classes but to structural classes in the reusable container. The association classes tie the conditions/actions located in a reusable container to their aggregators using DN references.

- Third case: Reusable compound condition/action with specific conditions/actions.
[Figure, third case. The ASCII drawing is not recoverable from this copy; it shows the Rule entry DIT-containing the association entries CA1 and CA2 and referring to them by DN. The reusable container repositoryX DIT-contains the structural entries S1+cc2 and S2+cc1; CA2 refers to S1+cc2 and CA1 refers to S2+cc1 by DN. S1+cc2 DIT-contains and refers to the association entries CA5+c3 and CA6+c4; S2+cc1 DIT-contains and refers to CA3+c1 and CA4+c2.]

    LEGEND:
      *****  DIT containment
      +      auxiliary attachment
      ---->  DN reference

    #:    Number.
    CA#:  pcimConditionAssociation structural class.
    cc#:  pcimCompoundConditionAuxClass auxiliary class.
    c#:   subclass of pcimConditionAuxClass.
    S#:   structural class.

Reusable compound conditions/actions are attached to structural classes and stored in a reusable policy container. They are related to the rule through a DN reference attribute in the association classes. Specific conditions/actions are attached to association entries and subordinated (DIT contained) to the aggregating compound conditions/actions.

- Fourth case: Reusable conditions/actions and compound conditions/actions.
[Figure, fourth case. The ASCII drawing is not recoverable from this copy; it shows the Rule entry DIT-containing the association entries CA1 and CA2 and referring to them by DN. The reusable container RepositoryX DIT-contains the structural entries S1+cc2 (labelled S1+ca1 in the original drawing) and S2+cc1; RepositoryY DIT-contains S3+c4, S4+c3, S5+c2 and S6+c1. CA2 refers to S1+cc2 and CA1 refers to S2+cc1. S1+cc2 DIT-contains and refers to the association entries CA5 and CA6; S2+cc1 DIT-contains and refers to CA3 and CA4. The association entries refer to the reusable conditions by DN: CA6 -> S3+c4, CA5 -> S4+c3, CA4 -> S5+c2, CA3 -> S6+c1.]

    LEGEND:
      *****  DIT containment
      +      auxiliary attachment
      ---->  DN reference

    #:    Number.
    CA#:  pcimConditionAssociation structural class.
    cc#:  pcimCompoundConditionAuxClass auxiliary class.
    c#:   subclass of pcimConditionAuxClass.
    S#:   structural class.

All the conditions/actions are reusable, so they are stored in reusable containers. The figure above illustrates two different reusable policy containers, but the number of containers in the system is decided on administrative grounds. The conditions, actions, etc. may be stored in the same container or in different containers with no impact on the policy definition semantics.

5. Class Definitions

5.1 The Class pcimPolicySet

The abstract class PolicySet in [PCIM_EXT] is introduced to provide an abstraction for a set of rules. The class value 'pcimPolicySet' is used as the mechanism for identifying group- and rule-related instances in the DIT.
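As an added example (not code from the PCELS draft), the following Python models the second case of section 4.5 above, a rule whose two specific compound conditions reference reusable simple conditions in a reusable container, and walks the pcimConditionList and pcimConditionDN references to evaluate the rule under the DNF/CNF semantics of pcimConditionListType and the per-association pcimConditionNegated flag. The DNs, the in-memory directory and the leaf evaluator that stands in for variable/value matching are constructed assumptions.

```python
"""Resolve and evaluate a PCELS condition tree stored in an LDAP DIT.

Added example, not code from the PCELS draft. The directory is a constructed
in-memory dict keyed by DN (attribute -> list of strings, as an LDAP client
returns it); variable/value matching is a hypothetical leaf-evaluator hook.
"""
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]
DNF, CNF = "1", "2"   # pcimConditionListType values (section 5.6)

def normalize_dn(dn: str) -> str:
    """Canonical dict key: trim whitespace around RDNs and fold case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def lookup(directory: Directory, dn: str) -> Entry:
    key = normalize_dn(dn)
    if key not in directory:   # a dangling DN reference is an error, not 'no match'
        raise KeyError(f"dangling DN reference: {dn}")
    return directory[key]

def has_class(entry: Entry, name: str) -> bool:
    return name.lower() in (c.lower() for c in entry.get("objectClass", []))

def evaluate_condition_list(directory: Directory, aggregator: Entry,
                            leaf: Callable[[str, Entry], bool]) -> bool:
    """Combine the pcimConditionAssociation entries listed by a pcimPolicyRule
    or pcimCompoundConditionAuxClass aggregator. DNF: members sharing a
    pcimConditionGroupNumber are ANDed, groups ORed; CNF: members ORed, groups
    ANDed. pcimConditionNegated inverts one member. Empty list: TRUE (assumed).
    """
    list_type = aggregator.get("pcimConditionListType", [DNF])[0]
    groups: Dict[int, List[bool]] = {}
    for assoc_dn in aggregator.get("pcimConditionList", []):
        assoc = lookup(directory, assoc_dn)
        # Reusable condition: pcimConditionDN points into a reusable container.
        # Specific condition: it is attached to the association entry itself.
        target_dn = assoc.get("pcimConditionDN", [assoc_dn])[0]
        target = lookup(directory, target_dn)
        if has_class(target, "pcimCompoundConditionAuxClass"):
            result = evaluate_condition_list(directory, target, leaf)
        elif has_class(target, "pcimSimpleConditionAuxClass"):
            result = leaf(target_dn, target)
        else:
            raise ValueError(f"{target_dn}: no pcimConditionAuxClass subclass")
        if assoc.get("pcimConditionNegated", ["FALSE"])[0].upper() == "TRUE":
            result = not result
        group = int(assoc["pcimConditionGroupNumber"][0])
        groups.setdefault(group, []).append(result)
    if not groups:
        return True
    if list_type == DNF:
        return any(all(members) for members in groups.values())
    if list_type == CNF:
        return all(any(members) for members in groups.values())
    raise ValueError(f"unknown pcimConditionListType {list_type!r}")

RULE = "cn=Rule,ou=policies,o=example"         # hypothetical DNs
REPO = "cn=RepositoryX,ou=reusable,o=example"

def assoc(group: int, negated: bool = False, ref: Optional[str] = None,
          compound: Optional[List[str]] = None) -> Entry:
    """Build a pcimConditionAssociation entry (a CA# box in section 4.5)."""
    e: Entry = {"objectClass": ["pcimConditionAssociation"],
                "pcimConditionGroupNumber": [str(group)],
                "pcimConditionNegated": ["TRUE" if negated else "FALSE"]}
    if ref is not None:           # reusable condition, referenced by DN
        e["pcimConditionDN"] = [ref]
    if compound is not None:      # specific compound condition attached here
        e["objectClass"].append("pcimCompoundConditionAuxClass")
        e["pcimConditionListType"], e["pcimConditionList"] = [DNF], compound
    return e

def build_case2_directory() -> Directory:
    """Constructed DIT for case 2 of section 4.5 (reusable members in RepositoryX)."""
    ca1, ca2 = f"cn=CA1,{RULE}", f"cn=CA2,{RULE}"
    ca3, ca4 = f"cn=CA3,{ca1}", f"cn=CA4,{ca1}"
    ca5, ca6 = f"cn=CA5,{ca2}", f"cn=CA6,{ca2}"
    s = {i: f"cn=S{i},{REPO}" for i in range(1, 5)}   # S1+c4 .. S4+c1
    raw: Dict[str, Entry] = {
        RULE: {"objectClass": ["pcimPolicyRuleInstance"],   # cc1 AND cc2
               "pcimConditionListType": [CNF], "pcimConditionList": [ca1, ca2]},
        ca1: assoc(1, compound=[ca3, ca4]),          # cc1 = c1 OR c2
        ca2: assoc(2, compound=[ca5, ca6]),          # cc2 = (NOT c3) OR c4
        ca3: assoc(1, ref=s[4]), ca4: assoc(2, ref=s[3]),
        ca5: assoc(1, negated=True, ref=s[2]), ca6: assoc(2, ref=s[1]),
    }
    for dn in s.values():   # reusable simple conditions on structural entries
        raw[dn] = {"objectClass": ["pcimPolicyInstance",
                                   "pcimSimpleConditionAuxClass"]}
    return {normalize_dn(dn): e for dn, e in raw.items()}

def rule_matches(directory: Directory, rule_dn: str, outcome: Dict[str, bool]) -> bool:
    """Evaluate a rule given each simple condition's outcome, keyed by DN."""
    table = {normalize_dn(k): v for k, v in outcome.items()}
    return evaluate_condition_list(directory, lookup(directory, rule_dn),
                                   lambda dn, _e: table[normalize_dn(dn)])
```

With the constructed outcomes S1=FALSE, S2=TRUE, S3=TRUE, S4=FALSE the rule evaluates to FALSE, because cc2 = (NOT c3) OR c4 fails; a reference to a deleted reusable entry raises KeyError instead of silently evaluating as no match.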
In [PCIM_EXT], the classes PolicyGroup and PolicyRule are moved so that they are now derived from the PolicySet class. A pcimPolicySet object refers to instances of pcimGroup and pcimPolicyRule via the attribute pcimPolicySetList and the attribute pcimPolicySetDN in the pcimPolicySetAssociation object class.

The definition of the abstract class pcimPolicySet:

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicySet'
      DESC 'Abstract class that represents a collection of policies that
            form a coherent set.'
      SUP pcimPolicy
      ABSTRACT
      MAY ( pcimPolicySetName $ pcimDecisionStrategy $ pcimRoles $
            pcimPolicySetList )
    )

One of the attributes of the pcimPolicySet class, pcimRoles, is already defined in [PCLS]. The other three attributes are defined below. The attribute pcimPolicySetName may be used as naming attribute for pcimPolicySet entries:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimPolicySetName'
      DESC 'The user-friendly name of a policy set.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE
    )

The attribute pcimDecisionStrategy is used to define the evaluation method among the rules in the policy set and is mapped directly from the PolicyDecisionStrategy property defined in [PCIM_EXT].

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimDecisionStrategy'
      DESC 'The evaluation method used for the components of a
            pcimPolicySet. Valid values: 1 [FirstMatching],
            2 [AllMatching]'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE
    )

The attribute pcimPolicySetList is used to realize the PolicySetComponent aggregation.

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimPolicySetList'
      DESC 'List of DN references to the pcimPolicySetAssociation entries
            used to aggregate policy sets.'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    )

The subclasses pcimGroup and pcimPolicyRule are now derived from pcimPolicySet.

5.2 The Structural Class pcimPolicySetAssociation

The pcimPolicySetAssociation class is used to aggregate components into pcimPolicySet entries. Instances of this class are always subordinated to the aggregating pcimPolicySet. The aggregation of a reusable instance of (a subclass of) pcimPolicySet is referenced via the pcimPolicySetDN attribute. A non-reusable instance of (a subclass of) pcimPolicySet is attached as an auxiliary class directly to the pcimPolicySetAssociation entry.

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicySetAssociation'
      DESC 'Structural class that contains attributes characterizing the
            relationship between a policy set and one of its components.'
      SUP pcimPolicy
      STRUCTURAL
      MUST ( pcimPriority )
      MAY ( pcimPolicySetName $ pcimPolicySetDN )
    )

The attribute pcimPriority:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimPriority'
      DESC 'Policy priority.'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE
    )

The attribute pcimPolicySetDN:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimPolicySetDN'
      DESC 'DN reference to a pcimPolicySet entry.'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
      SINGLE-VALUE
    )

5.3 The Updated Class pcimGroup

The pcimGroup class is defined in [PCLS]. Its superclass is changed here so that pcimGroup can take advantage of pcimPolicySet and its aggregation method.

    ( IANA-ASSIGNED-OID.1.2 NAME 'pcimGroup'
      DESC 'A container for a set of related pcimPolicyRule entries
            and/or a set of related pcimGroup entries.'
      SUP pcimPolicySet
      ABSTRACT
      MAY ( pcimGroupName )
    )

5.4 The Deprecated Class pcimGroupContainmentAuxClass

The policy group aggregation is replaced by the more comprehensive policy set aggregation. Therefore this class is deprecated.
The attribute pcimGroupsAuxContainedSet, used only in the definition of the deprecated pcimGroupContainmentAuxClass object class, is also deprecated.

5.5 The Deprecated Class pcimRuleContainmentAuxClass

The policy rule aggregation is replaced by the more comprehensive policy set aggregation. Therefore this class is deprecated.

The attribute pcimRulesAuxContainedSet, used only in the definition of the deprecated pcimRuleContainmentAuxClass object class, is also deprecated.

5.6 The Three Classes pcimPolicyRule

The base class representing policy rules is redefined without a priority attribute. In addition, this class uses condition and action aggregation methods similar to those of CompoundCondition and CompoundAction.

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicyRule'
      DESC 'The base class for representing the "If Condition then
            Action" semantics associated with a Policy Rule'
      SUP pcimPolicySet
      ABSTRACT
      MAY ( pcimRuleName $ pcimRuleEnabled $ pcimConditionListType $
            pcimConditionList $ pcimActionList $
            pcimRuleValidityPeriodList $ pcimRuleUsage $
            pcimRuleMandatory $ pcimSequencedActions $
            pcimExecutionStrategy )
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicyRuleAuxClass'
      DESC 'An auxiliary class for representing the "If Condition then
            Action" semantics associated with a policy rule.'
      SUP pcimPolicyRule
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicyRuleInstance'
      DESC 'A structural class for representing the "If Condition then
            Action" semantics associated with a policy rule.'
      SUP pcimPolicyRule
      STRUCTURAL
    )

The attributes pcimRuleConditionListType, pcimRuleConditionList and pcimRuleActionList defined in [PCLS] are replaced by pcimConditionListType, pcimConditionList and pcimActionList. The new attributes are used in pcimPolicyRule as well as in the pcimCompoundConditionAuxClass and pcimCompoundActionAuxClass object classes.
The attribute definitions are:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimConditionListType'
      DESC 'A value of 1 means that this policy rule is in disjunctive
            normal form; a value of 2 means that this policy rule is in
            conjunctive normal form.'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE
    )

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimConditionList'
      DESC 'Unordered set of DNs to the pcimConditionAssociation entries
            used to aggregate policy conditions.'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    )

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimActionList'
      DESC 'Unordered set of DNs to the pcimActionAssociation entries
            used to aggregate policy actions.'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    )

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimSequencedActions'
      DESC 'Indicates whether the ordered execution of actions in an
            aggregate is Mandatory, Recommended, or DontCare.'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE
    )

The new attribute pcimExecutionStrategy is a direct mapping of the ExecutionStrategy property in the PolicyRule class of [PCIM_EXT].

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimExecutionStrategy'
      DESC 'Indicates the execution strategy to be used upon an action
            aggregate. VALUES: 1 [Do until success]; 2 [Do all];
            3 [Do until failure]. Default value = 2.'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE
    )

5.7 The Structural Class pcimConditionAssociation

This class is used to aggregate policy conditions in compound policy conditions or policy rules. It implements the PolicyConditionInPolicyRule and PolicyConditionInPolicyCondition aggregations.
The pcimConditionAssociation class is used to aggregate policy conditions into pcimPolicyRule or pcimCompoundConditionAuxClass entries. Instances of this class are always subordinated to the aggregating pcimPolicyRule or pcimCompoundConditionAuxClass. The aggregation of a reusable instance of (a subclass of) pcimConditionAuxClass is referenced via the pcimConditionDN attribute. A non-reusable instance of (a subclass of) pcimConditionAuxClass is attached directly to the pcimConditionAssociation entry.

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimConditionAssociation'
      DESC 'This class contains attributes characterizing the
            relationship between a policy condition and one of its
            aggregators: pcimPolicyRule or pcimCompoundConditionAuxClass.
            It is used in the realization of a policy condition
            structure.'
      SUP pcimPolicy
      STRUCTURAL
      MUST ( pcimConditionGroupNumber $ pcimConditionNegated )
      MAY ( pcimConditionName $ pcimConditionDN )
    )

Its attributes are defined in section 5.4 of [PCLS].

5.8 The Structural Class pcimActionAssociation

This class is used to aggregate policy actions in compound policy actions or policy rules. It implements the PolicyActionInPolicyRule and PolicyActionInPolicyAction aggregations.

The pcimActionAssociation class is used to aggregate policy actions into pcimPolicyRule or pcimCompoundActionAuxClass entries. Instances of this class are always subordinated to the aggregating pcimPolicyRule or pcimCompoundActionAuxClass. The aggregation of a reusable instance of (a subclass of) pcimActionAuxClass is referenced via the pcimActionDN attribute. A non-reusable instance of (a subclass of) pcimActionAuxClass is attached directly to the pcimActionAssociation entry.

The class definition follows:

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimActionAssociation'
      DESC 'This class contains attributes characterizing the
            relationship between a policy action and one of its
            aggregators.
            It is used in the realization of a policy action structure.'
      SUP pcimPolicy
      STRUCTURAL
      MUST ( pcimActionOrder )
      MAY ( pcimActionName $ pcimActionDN )
    )

Its attributes are defined in [PCLS].

5.9 The Three Deprecated Classes pcimRule

The class pcimRule and its subclasses are replaced by pcimPolicyRule and its subclasses. Therefore pcimRule and its subclasses are deprecated. The following attributes, used only in the definition of the deprecated pcimRule object class, are also deprecated:

    pcimRuleConditionListType
    pcimRuleConditionList
    pcimRuleActionList
    pcimRulePriority
    pcimRuleSequencedActions

5.10 The Deprecated Class pcimRuleConditionAssociation

This class is replaced by the more flexible pcimConditionAssociation.

5.11 The Deprecated Class pcimRuleActionAssociation

This class is replaced by the more flexible pcimActionAssociation.

5.12 The Auxiliary Class pcimSimpleConditionAuxClass

This class indicates if a specific <variable> matches a specific <value>. The "match" relationship is to be interpreted by analyzing the variable and value instances associated with the simple condition. Its two attributes realize the PolicyValueInSimplePolicyCondition and PolicyVariableInSimplePolicyCondition associations defined in [PCIM_EXT].

A reusable variable / value is associated to a pcimSimpleConditionAuxClass via the pcimVariableDN / pcimValueDN reference from the simple condition entry. A non-reusable variable / value is associated directly as an auxiliary object class to the pcimSimpleConditionAuxClass entry.

The class definition follows:

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimSimpleConditionAuxClass'
      DESC 'An auxiliary class that evaluates the matching between a
            value and a variable.'
      SUP pcimConditionAuxClass
      AUXILIARY
      MAY ( pcimVariableDN $ pcimValueDN )
    )

The pcimVariableDN attribute definition is:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimVariableDN'
      DESC 'DN reference to a pcimVariable entry.'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
      SINGLE-VALUE
    )

The pcimValueDN attribute definition is:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimValueDN'
      DESC 'DN reference to a pcimValue entry.'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
      SINGLE-VALUE
    )

An instance of pcimSimpleActionAuxClass and an instance of pcimSimpleConditionAuxClass MUST NOT be attached to the same entry. Because the two classes use the same mechanisms to associate variables and values, this restriction is necessary in order to avoid ambiguities.

5.13 The Auxiliary Class pcimCompoundConditionAuxClass

This class represents a compound policy condition, formed by aggregation of other policy conditions. An attribute indicates whether the compounded conditions are to be interpreted as disjunctive normal form or conjunctive normal form.

The class definition follows:

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimCompoundConditionAuxClass'
      DESC 'An auxiliary class that represents a boolean combination of
            simpler conditions.'
      SUP pcimConditionAuxClass
      AUXILIARY
      MAY ( pcimConditionListType $ pcimConditionList )
    )

The attribute pcimConditionListType is used to specify whether the list of policy conditions associated with this compound policy condition is in disjunctive normal form (DNF) or conjunctive normal form (CNF). The attribute pcimConditionList is an unordered set of DNs to the conditions aggregated in the compound condition. Both attributes are defined in section 5.6.

5.14 The Auxiliary Class pcimCompoundFilterAuxClass

This class represents a domain-level filter and it typically contains a set of simple conditions.

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimCompoundFilterAuxClass'
      DESC 'A compound condition with mirroring capabilities for traffic
            characterization.'
      SUP pcimCompoundConditionAuxClass
      AUXILIARY
      MAY ( pcimIsMirrored )
    )

The attribute pcimIsMirrored:
    ( IANA-ASSIGNED-OID.2.x NAME 'pcimIsMirrored'
      DESC 'Indicates whether traffic that mirrors the specified filter
            is to be treated as matching the filter.'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE
    )

5.15 The Auxiliary Class pcimSimpleActionAuxClass

This class overwrites the old value of the <variable> and sets the new <value>. Its two attributes realize the PolicyValueInSimplePolicyAction and PolicyVariableInSimplePolicyAction associations defined in [PCIM_EXT].

A reusable variable / value is associated to a pcimSimpleActionAuxClass via the pcimVariableDN / pcimValueDN reference from the simple action entry. A non-reusable variable / value is associated directly as an auxiliary object class to the pcimSimpleActionAuxClass entry.

The class definition is as follows:

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimSimpleActionAuxClass'
      DESC 'This class contains attributes characterizing the
            relationship between a Simple PolicyAction and one variable
            and one value.'
      SUP pcimActionAuxClass
      AUXILIARY
      MAY ( pcimVariableDN $ pcimValueDN )
    )

The attributes are defined in section 5.12.

An instance of pcimSimpleActionAuxClass and an instance of pcimSimpleConditionAuxClass MUST NOT be attached to the same entry. Because the two classes use the same mechanisms to associate variables and values, this restriction is necessary in order to avoid ambiguities.

5.16 The Auxiliary Class pcimCompoundActionAuxClass

This class maps the CompoundPolicyAction class of [PCIM_EXT]. The class definition follows:

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimCompoundActionAuxClass'
      DESC 'A class that aggregates simpler actions in a sequence with a
            specific execution strategy.'
      SUP pcimActionAuxClass
      AUXILIARY
      MAY ( pcimActionList $ pcimSequencedActions $ pcimExecutionStrategy )
    )

The attributes pcimSequencedActions, pcimExecutionStrategy and pcimActionList are defined in section 5.6.

5.17 The Abstract Class pcimVariable

Variables specify the property of a flow or an event that should be matched when evaluating the condition. A given variable selects the set of matchable values through the ExpectedPolicyValuesForVariable association. A pcimVariable entry may be associated to a set of pcimValueAuxClass entries that represent its expected values. The expected values for a variable may be indicated by:

    (1) pcimExpectedValueList references to reusable instances of
        pcimValueAuxClass, or by
    (2) subordinated non-reusable instances of pcimValueAuxClass.

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimVariable'
      DESC 'Base class for representing a variable whose actual value can
            be matched against or set to a specific value.'
      SUP top
      ABSTRACT
      MAY ( pcimVariableName $ pcimExpectedValueList )
    )

The attribute pcimVariableName is a user-friendly name for the variable.

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimVariableName'
      DESC 'The user-friendly name of a variable.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE
    )

The attribute pcimExpectedValueList is an unordered set of DNs to subclasses of pcimValueAuxClass. It maps the [PCIM_EXT] ExpectedPolicyValuesForVariable association:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimExpectedValueList'
      DESC 'List of DN references to the pcimValueAuxClass entries that
            represent the acceptable values.'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    )

5.18 The Auxiliary Class pcimExplicitVariableAuxClass

The subclass pcimExplicitVariableAuxClass is defined as follows:

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimExplicitVariableAuxClass'
      DESC 'Explicitly defined policy variable evaluated within the
            context of the CIM Schema.'
      SUP pcimVariable
      AUXILIARY
      MUST ( pcimVariableModelClass $ pcimVariableModelProperty )
    )

The attribute pcimVariableModelClass is a string specifying the class name whose property is evaluated or set as a variable:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimVariableModelClass'
      DESC 'Specifies a CIM class name or oid.'
      EQUALITY caseIgnoreMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE
    )

The attribute pcimVariableModelProperty is a string specifying the attribute, within the pcimVariableModelClass, which is evaluated or set as a variable:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimVariableModelProperty'
      DESC 'Specifies a CIM property name or oid.'
      EQUALITY caseIgnoreMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE
    )

5.19 The Auxiliary Class pcimImplicitVariableAuxClass

The subclass pcimImplicitVariableAuxClass is defined as follows:

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimImplicitVariableAuxClass'
      DESC 'Implicitly defined policy variables whose evaluation depends
            on the usage context. Subclasses specify the data type and
            semantics of the variables.'
      SUP pcimVariable
      AUXILIARY
      MUST ( pcimExpectedValueTypes )
    )

The attribute pcimExpectedValueTypes is the direct mapping of the valueTypes property in the [PCIM_EXT] PolicyImplicitVariable class. This attribute represents the set of allowed value types to be used with this variable.

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimExpectedValueTypes'
      DESC 'List of object class names or oids of subclasses of
            pcimValueAuxClass that define acceptable value types.'
      EQUALITY caseIgnoreMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    )

5.20 The Subclasses of pcimImplicitVariableAuxClass

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourceIPv4VariableAuxClass'
      DESC 'Source IP v4 address'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourceIPv6VariableAuxClass'
      DESC 'Source IP v6 address'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationIPv4VariableAuxClass'
      DESC 'Destination IP v4 address'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationIPv6VariableAuxClass'
      DESC 'Destination IP v6 address'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourcePortVariableAuxClass'
      DESC 'Source port'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationPortVariableAuxClass'
      DESC 'Destination port'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPProtocolVariableAuxClass'
      DESC 'IP protocol number'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPVersionVariableAuxClass'
      DESC 'IP version number'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPToSVariableAuxClass'
      DESC 'IP ToS'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimDSCPVariableAuxClass'
      DESC 'DiffServ code point'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )
    ( IANA-ASSIGNED-OID.1.x NAME 'pcimFlowIdVariableAuxClass'
      DESC 'Flow Identifier'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourceMACVariableAuxClass'
      DESC 'Source MAC address'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationMACVariableAuxClass'
      DESC 'Destination MAC address'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimVLANVariableAuxClass'
      DESC 'VLAN'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimCoSVariableAuxClass'
      DESC 'Class of service'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimEthertypeVariableAuxClass'
      DESC 'Ethertype'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourceSAPVariableAuxClass'
      DESC 'Source SAP'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationSAPVariableAuxClass'
      DESC 'Destination SAP'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimSNAPOUIVariableAuxClass'
      DESC 'SNAP OUI'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimSNAPTypeVariableAuxClass'
      DESC 'SNAP type'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimFlowDirectionVariableAuxClass'
      DESC 'Flow direction'
      SUP pcimImplicitVariableAuxClass
      AUXILIARY
    )

5.21 The Auxiliary Class pcimValueAuxClass

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimValueAuxClass'
      DESC 'Base class for representing a value that can be matched
            against or set for a specific variable.'
      SUP top
      AUXILIARY
      MAY ( pcimValueName )
    )

The attribute pcimValueName:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimValueName'
      DESC 'The user-friendly name of a value.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE
    )

5.22 The Subclasses of pcimValueAuxClass

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPv4AddrValueAuxClass'
      DESC 'IP v4 address value.'
      SUP pcimValueAuxClass
      AUXILIARY
      MUST ( pcimIPv4AddrList )
    )

The attribute pcimIPv4AddrList:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPv4AddrList'
      DESC 'List of IPv4 address values, ranges or hosts.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPv6AddrValueAuxClass'
      DESC 'IP v6 address value.'
      SUP pcimValueAuxClass
      AUXILIARY
      MUST ( pcimIPv6AddrList )
    )

The attribute pcimIPv6AddrList:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPv6AddrList'
      DESC 'List of IPv6 address values, ranges or hosts.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimMACAddrValueAuxClass'
      DESC 'MAC address value.'
      SUP pcimValueAuxClass
      AUXILIARY
      MUST ( pcimMACAddrList )
    )

The attribute pcimMACAddrList:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimMACAddrList'
      DESC 'List of MAC address values or ranges.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimStringValueAuxClass'
      DESC 'String value.'
      SUP pcimValueAuxClass
      AUXILIARY
      MUST ( pcimStringList )
    )

The attribute pcimStringList:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimStringList'
      DESC 'List of strings or wildcarded strings.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimBitStringValueAuxClass'
      DESC 'Bit string value.'
      SUP pcimValueAuxClass
      AUXILIARY
      MUST ( pcimBitStringList )
    )

The attribute pcimBitStringList:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimBitStringList'
      DESC 'List of bit strings or masked bit strings.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimIntegerValueAuxClass'
      DESC 'Integer value.'
      SUP pcimValueAuxClass
      AUXILIARY
      MUST ( pcimIntegerList )
    )

The attribute pcimIntegerList:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimIntegerList'
      DESC 'List of integers or integer ranges.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimBooleanValueAuxClass'
      DESC 'Boolean value.'
      SUP pcimValueAuxClass
      AUXILIARY
      MUST ( pcimBoolean )
    )

The attribute pcimBoolean:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimBoolean'
      DESC 'A boolean value.'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE
    )

5.23 The Three Classes pcimReusableContainer

This class represents a container of reusable policy elements. The elements of a reusable container are aggregated via DIT containment. A reusable policy container can include the elements of other reusable policy containers by aggregating the container itself. This is realized by referencing the aggregated container by means of the attribute pcimReusableContainerList.

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimReusableContainer'
      DESC 'A container for reusable policy information.'
      SUP dlm1AdminDomain
      ABSTRACT
      MAY ( pcimReusableContainerName $ pcimReusableContainerList )
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimReusableContainerAuxClass'
      DESC 'An auxiliary class that can be used to aggregate reusable
            policy information.'
      SUP pcimReusableContainer
      AUXILIARY
    )

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimReusableContainerInstance'
      DESC 'A structural class that can be used to aggregate reusable
            policy information.'
      SUP pcimReusableContainer
      STRUCTURAL
    )

The attribute pcimReusableContainerName:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimReusableContainerName'
      DESC 'The user-friendly name of a reusable policy container.'
      EQUALITY caseIgnoreMatch
      ORDERING caseIgnoreOrderingMatch
      SUBSTR caseIgnoreSubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE
    )

The attribute pcimReusableContainerList:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimReusableContainerList'
      DESC 'List of DN references to the pcimReusableContainer entries.'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    )

5.24 The Three Deprecated Classes pcimRepository

The pcimRepository class and its subclasses are deprecated in favor of pcimReusableContainer and its subclasses.

The pcimRepositoryName attribute, used only in the definition of the deprecated pcimRepository object class, is also deprecated.

5.25 The Structural Class pcimRoleCollection

The pcimRoleCollection class creates the means for the association of policy roles to resources represented as LDAP entries.

    ( IANA-ASSIGNED-OID.1.x NAME 'pcimRoleCollection'
      DESC 'This class is used to group together entries that share a
            same role.'
      SUP pcimPolicy
      STRUCTURAL
      MUST ( pcimRole )
      MAY ( pcimRoleCollectionName $ pcimElementList )
    )

The attribute pcimRole:

    ( IANA-ASSIGNED-OID.2.x NAME 'pcimRole'
      DESC 'String representing a role.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
   )

   The Attribute pcimRoleCollectionName:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimRoleCollectionName'
       DESC 'The user-friendly name of a role collection.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
   )

   The Attribute pcimElementList:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimElementList'
       DESC 'List of DN references to the entries representing managed
             elements.'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

5.26 The Abstract Class pcimFilterEntry

   The abstract class pcimFilterEntry implements the FilterEntryBase
   class from [PCIM_EXT]. This class is the base class for defining
   message or packet filters.

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimFilterEntry'
       DESC 'This class is used as a base class for representing
             message or packet filters.'
       SUP pcimPolicy
       ABSTRACT
       MAY ( pcimFilterName $ pcimFilterIsNegated )
   )

   The Attribute pcimFilterName may be used as the naming attribute for
   filter entries:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimFilterName'
       DESC 'The user-friendly name of a filter.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
   )

   The Attribute pcimFilterIsNegated indicates whether the specified
   criteria are to be negated when matching a message or packet against
   the filter:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimFilterIsNegated'
       DESC 'If TRUE, indicates that the filter matches all but the
             messages or packets that conform to the specified
             criteria. Default: FALSE.'
       EQUALITY booleanMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
       SINGLE-VALUE
   )

5.27 The Structural Class pcimIPHeaders
   The class pcimIPHeaders implements the IpHeadersFilter class of the
   [PCIM_EXT] model. It provides means for filtering traffic by values
   in the IP header. An optional attribute that is not specified shall
   be treated as matching all values.

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPHeaders'
       DESC 'This class defines an IP header filter.'
       SUP pcimFilterEntry
       STRUCTURAL
       MAY ( pcimIPHdrVersion $
             pcimIPHdrSourceAddress $
             pcimIPHdrSourceAddressEndOfRange $
             pcimIPHdrSourceMask $
             pcimIPHdrDestAddress $
             pcimIPHdrDestAddressEndOfRange $
             pcimIPHdrDestMask $
             pcimIPHdrProtocolID $
             pcimIPHdrSourcePortStart $
             pcimIPHdrSourcePortEnd $
             pcimIPHdrDestPortStart $
             pcimIPHdrDestPortEnd $
             pcimIPHdrDSCPList $
             pcimIPHdrFlowLabel )
   )

   The attribute pcimIPHdrVersion identifies the IP version and dictates
   the format of the IP-version-dependent attribute values in a
   pcimIPHeaders entry. These attributes are:

      pcimIPHdrSourceAddress
      pcimIPHdrSourceAddressEndOfRange
      pcimIPHdrSourceMask
      pcimIPHdrDestAddress
      pcimIPHdrDestAddressEndOfRange
      pcimIPHdrDestMask

   If a value for this attribute is not provided, then the filter does
   not consider the IP version in selecting matching packets. In this
   case, IP-version-dependent attributes must not be present in the
   filter entry. The possible values of pcimIPHdrVersion are '4' and
   '6'.

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrVersion'
       DESC 'The IP version.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceAddress:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrSourceAddress'
       DESC 'The IP source address.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrSourceAddressEndOfRange'
       DESC 'The end of the address range for the IP source address.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceMask:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrSourceMask'
       DESC 'The address mask for the IP source address.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcimIPHdrDestAddress:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrDestAddress'
       DESC 'The IP destination address.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcimIPHdrDestAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrDestAddressEndOfRange'
       DESC 'The end of the address range for the IP destination
             address.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcimIPHdrDestMask:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrDestMask'
       DESC 'The address mask for the IP destination address.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcimIPHdrProtocolID:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrProtocolID'
       DESC 'The IP protocol type.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

   The attribute pcimIPHdrSourcePortStart:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrSourcePortStart'
       DESC 'The start of the source port range.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

   The attribute pcimIPHdrSourcePortEnd:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrSourcePortEnd'
       DESC 'The end of the source port range.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

   The attribute pcimIPHdrDestPortStart:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrDestPortStart'
       DESC 'The start of the destination port range.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )
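   The following Python program is an added illustration of the
   pcimIPHeaders semantics described in this section; it is not part of
   this draft or of any PCLS implementation. It models a pcimIPHeaders
   entry as a dict keyed by the attribute names of this section, with
   address values held as the raw octet strings that the syntax
   1.3.6.1.4.1.1466.115.121.1.40 carries, checks the constraints stated
   for pcimIPHdrVersion and the port ranges before the entry is used, and
   then matches a packet summary against it, including the negation
   inherited from pcimFilterEntry. Where this section leaves the
   combination of an address with its EndOfRange and Mask attributes
   unspecified, the example assumes range, then mask, then exact match,
   and treats a port start without a port end as a single port; those
   are assumptions of the example, not statements of this draft. The
   sample entries and packets are constructed for the example.

```python
import ipaddress

# IP-version-dependent attributes listed in section 5.27.
ADDRESS_ATTRS = (
    "pcimIPHdrSourceAddress", "pcimIPHdrSourceAddressEndOfRange",
    "pcimIPHdrSourceMask", "pcimIPHdrDestAddress",
    "pcimIPHdrDestAddressEndOfRange", "pcimIPHdrDestMask",
)
ADDRESS_LEN = {4: 4, 6: 16}  # octets in an octet-string address value
PORT_RANGES = (("pcimIPHdrSourcePortStart", "pcimIPHdrSourcePortEnd"),
               ("pcimIPHdrDestPortStart", "pcimIPHdrDestPortEnd"))

def validate_ip_headers(entry):
    """Check a pcimIPHeaders entry (attribute name -> value) against the
    constraints stated in section 5.27; returns a list of violations."""
    problems = []
    version = entry.get("pcimIPHdrVersion")
    present = [a for a in ADDRESS_ATTRS if a in entry]
    if version is None:
        # No version: the filter ignores IP version, so no address attribute
        if present:
            problems.append("address attributes given without "
                            "pcimIPHdrVersion: " + ", ".join(present))
    elif version not in ADDRESS_LEN:
        problems.append(f"pcimIPHdrVersion must be 4 or 6, got {version!r}")
    else:
        for a in present:  # address values must fit the declared version
            if len(entry[a]) != ADDRESS_LEN[version]:
                problems.append(f"{a}: {len(entry[a])} octets is not an "
                                f"IPv{version} address")
    for start, end in PORT_RANGES:
        lo, hi = entry.get(start), entry.get(end)
        if lo is not None and hi is not None and lo > hi:
            problems.append(f"{start} ({lo}) exceeds {end} ({hi})")
    return problems

def _address_ok(addr, entry, base, end, mask):
    """Absent base: every address matches. Otherwise (an assumption of this
    example) base..end is a range, base/mask a prefix, base alone exact."""
    if base not in entry:
        return True
    a, b = int.from_bytes(addr, "big"), int.from_bytes(entry[base], "big")
    if end in entry:
        return b <= a <= int.from_bytes(entry[end], "big")
    if mask in entry:
        m = int.from_bytes(entry[mask], "big")
        return a & m == b & m
    return a == b

def _port_ok(port, entry, start, end):
    """Absent start: every port. Absent end (assumption): the single port."""
    if start not in entry:
        return True
    return entry[start] <= port <= entry.get(end, entry[start])

def matches(entry, packet):
    """True if `packet` (keys: version, src, dst, proto, sport, dport, dscp,
    flow_label) is selected by `entry`, honouring pcimFilterIsNegated."""
    if validate_ip_headers(entry):
        raise ValueError("refusing to evaluate an invalid filter entry")
    def same(attr, key):  # an absent attribute matches every value
        return attr not in entry or entry[attr] == packet[key]
    hit = (
        same("pcimIPHdrVersion", "version")
        and _address_ok(packet["src"], entry, "pcimIPHdrSourceAddress",
                        "pcimIPHdrSourceAddressEndOfRange",
                        "pcimIPHdrSourceMask")
        and _address_ok(packet["dst"], entry, "pcimIPHdrDestAddress",
                        "pcimIPHdrDestAddressEndOfRange", "pcimIPHdrDestMask")
        and same("pcimIPHdrProtocolID", "proto")
        and _port_ok(packet["sport"], entry, *PORT_RANGES[0])
        and _port_ok(packet["dport"], entry, *PORT_RANGES[1])
        and ("pcimIPHdrDSCPList" not in entry
             or packet["dscp"] in entry["pcimIPHdrDSCPList"])
        and same("pcimIPHdrFlowLabel", "flow_label")
    )
    return hit != entry.get("pcimFilterIsNegated", False)

def ip(text):
    """Pack a textual address into the octet string an entry would hold."""
    return ipaddress.ip_address(text).packed

def packet(src, dst, proto=6, sport=40000, dport=22, dscp=0, flow_label=b""):
    """Constructed packet summary for the examples, not a real capture."""
    return {"version": ipaddress.ip_address(src).version, "src": ip(src),
            "dst": ip(dst), "proto": proto, "sport": sport, "dport": dport,
            "dscp": dscp, "flow_label": flow_label}

# Constructed sample entry: IPv4 TCP from 10.0.0.0/24 to port 22 anywhere.
SSH_FROM_LAN = {"pcimIPHdrVersion": 4, "pcimIPHdrProtocolID": 6,
                "pcimIPHdrSourceAddress": ip("10.0.0.0"),
                "pcimIPHdrSourceMask": ip("255.255.255.0"),
                "pcimIPHdrDestPortStart": 22}
# The same criteria with pcimFilterIsNegated TRUE: all other traffic.
NOT_SSH_FROM_LAN = dict(SSH_FROM_LAN, pcimFilterIsNegated=True)
# Constructed invalid entry: an address given without pcimIPHdrVersion.
BROKEN = {"pcimIPHdrSourceAddress": ip("10.0.0.1")}
```

   The validation step matters for a policy consumer: an entry that
   carries an address without a version, or a reversed port range, is
   rejected outright rather than silently treated as "all values", which
   would turn a malformed filter into a far broader match than the
   administrator intended.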
   The attribute pcimIPHdrDestPortEnd:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrDestPortEnd'
       DESC 'The end of the destination port range.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
       SINGLE-VALUE
   )

   The multi-valued attribute pcimIPHdrDSCPList:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrDSCPList'
       DESC 'The DSCP values.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcimIPHdrFlowLabel:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPHdrFlowLabel'
       DESC 'The IP flow label.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

5.28 The Structural Class pcim8021Headers

   ( IANA-ASSIGNED-OID.1.x NAME 'pcim8021Headers'
       DESC 'This class defines an 802.1 header filter.'
       SUP pcimFilterEntry
       STRUCTURAL
       MAY ( pcim8021HdrSourceMACAddress $
             pcim8021HdrSourceMACMask $
             pcim8021HdrDestMACAddress $
             pcim8021HdrDestMACMask $
             pcim8021HdrProtocolID $
             pcim8021HdrPriority $
             pcim8021HdrVLANID )
   )

   The attribute pcim8021HdrSourceMACAddress:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcim8021HdrSourceMACAddress'
       DESC 'The source MAC address.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcim8021HdrSourceMACMask:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcim8021HdrSourceMACMask'
       DESC 'The source MAC address mask.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcim8021HdrDestMACAddress:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcim8021HdrDestMACAddress'
       DESC 'The destination MAC address.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcim8021HdrDestMACMask:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcim8021HdrDestMACMask'
       DESC 'The destination MAC address mask.'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
       SINGLE-VALUE
   )

   The attribute pcim8021HdrProtocolID:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcim8021HdrProtocolID'
       DESC 'The 802.1 protocol ID.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcim8021HdrPriority:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcim8021HdrPriority'
       DESC 'The 802.1 priority.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcim8021HdrVLANID:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcim8021HdrVLANID'
       DESC 'The 802.1 VLAN ID.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

5.29 The Auxiliary Class pcimFilterListAuxClass

   This class represents a set of device-level filters aggregated in a
   policy condition. Therefore, instances of this class can be used in
   policy rules or as elements of more complex compound conditions. The
   aggregation EntriesInFilterList from the [PCIM_EXT] model is
   implemented by the multi-valued attribute pcimFilterEntryList. The
   EntrySequence property of the aggregation EntriesInFilterList, which
   is restricted to its default value ('0') in the [PCIM_EXT] model, is
   redundant and therefore not implemented.

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimFilterListAuxClass'
       DESC 'This class is used to aggregate filters represented as
             subclasses of pcimFilterEntry.'
       SUP pcimConditionAuxClass
       AUXILIARY
       MAY ( pcimFilterListName $ pcimFilterDirection $
             pcimFilterEntryList )
   )

   The Attribute pcimFilterListName may be used as the naming attribute
   for filter lists:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimFilterListName'
       DESC 'The user-friendly name of a filter list.'
       EQUALITY caseIgnoreMatch
       ORDERING caseIgnoreOrderingMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
       SINGLE-VALUE
   )

   The attribute pcimFilterDirection indicates the direction of the
   packets or messages relative to the interface where the filter is
   applied. The possible values are:

      NotApplicable(0), Input(1), Output(2), Both(3), Mirrored(4).

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimFilterDirection'
       DESC 'The direction of the packets or messages to which this
             filter is to be applied.'
       EQUALITY integerMatch
       ORDERING integerOrderingMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcimFilterEntryList:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimFilterEntryList'
       DESC 'List of DN references to the pcimFilterEntry entries.'
       EQUALITY distinguishedNameMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

6. Security Considerations

   The security considerations of this document are based on the
   requirements of the previous [PCLS] document and also take into
   account the following RFCs on the same security aspects:

      RFC 2829 (Authentication Methods for LDAP)

      RFC 2830 (Lightweight Directory Access Protocol (v3): Extension
      for Transport Layer Security)

   These RFCs provide the general framework for the security
   architecture of the system. However, some comments have to be made
   as a consequence of the extensions defined in this document and
   their relation to [PCLS].

   The new scenarios considered here, with reusability and information
   containers located in other DITs among others (such conditions are
   described in section 4.4 of [PCLS]), mean that new types of threats
   to the system have to be considered. It is therefore necessary to
   define new security services in order to protect against these new
   aspects.
   As a result, the following new security services are defined:

      1) Authentication between entities of the network.

      2) Mutual authentication between the network operator and network
         entities (e.g. DITs).

      3) Integrity and confidentiality of the links between network
         entities and also within the LDAP directories.

   Several definitions and security mechanisms related to DITs can also
   be obtained from the following ITU specification:

      X.509, The Directory: Authentication framework

   Furthermore, retrieving the OIDs and attribute values from the DITs
   in a distributed scenario implies interaction between diverse network
   entities across security domain and/or administrative domain
   boundaries. In such a directory scenario, with migration of data, the
   use of the DSP (Directory Service Protocol) with query types such as
   referral, chaining and multicasting, and with different key
   management and authentication among network entities, would have to
   be considered.

7. IANA Considerations

7.1 Object Identifiers

   It IS NOT requested that IANA register an LDAP Object Identifier for
   use in this technical specification. The OID assigned as the base for
   identifying the schema elements defined in [PCLS] will be reused for
   the schema elements defined in this document.

7.2 Object Identifier Descriptors

   It is requested that IANA register the LDAP Descriptors used in this
   technical specification as detailed in the following template:
   Subject: Request for LDAP Descriptor Registration Update

   Descriptor (short name): see comment
   Object Identifier: see comment
   Person & email address to contact for further information:
      Mircea Pana (mpana@metasolv.com)
   Usage: see comment
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:

   The following descriptors should be added:

   NAME                                 Type OID
   ------------------------------------ ---- ---------------------
   pcimPolicySet                        O    IANA-ASSIGNED-OID.1.x
   pcimPolicySetName                    A    IANA-ASSIGNED-OID.2.x
   pcimDecisionStrategy                 A    IANA-ASSIGNED-OID.2.x
   pcimPolicySetList                    A    IANA-ASSIGNED-OID.2.x
   pcimPolicySetAssociation             O    IANA-ASSIGNED-OID.1.x
   pcimPriority                         A    IANA-ASSIGNED-OID.2.x
   pcimPolicySetDN                      A    IANA-ASSIGNED-OID.2.x
   pcimPolicyRule                       O    IANA-ASSIGNED-OID.1.x
   pcimPolicyRuleAuxClass               O    IANA-ASSIGNED-OID.1.x
   pcimPolicyRuleInstance               O    IANA-ASSIGNED-OID.1.x
   pcimConditionListType                A    IANA-ASSIGNED-OID.2.x
   pcimConditionList                    A    IANA-ASSIGNED-OID.2.x
   pcimActionList                       A    IANA-ASSIGNED-OID.2.x
   pcimSequencedActions                 A    IANA-ASSIGNED-OID.2.x
   pcimExecutionStrategy                A    IANA-ASSIGNED-OID.2.x
   pcimConditionAssociation             O    IANA-ASSIGNED-OID.1.x
   pcimActionAssociation                O    IANA-ASSIGNED-OID.1.x
   pcimSimpleConditionAuxClass          O    IANA-ASSIGNED-OID.1.x
   pcimVariableDN                       A    IANA-ASSIGNED-OID.2.x
   pcimValueDN                          A    IANA-ASSIGNED-OID.2.x
   pcimCompoundConditionAuxClass        O    IANA-ASSIGNED-OID.1.x
   pcimCompoundFilterAuxClass           O    IANA-ASSIGNED-OID.1.x
   pcimIsMirrored                       A    IANA-ASSIGNED-OID.2.x
   pcimSimpleActionAuxClass             O    IANA-ASSIGNED-OID.1.x
   pcimCompoundActionAuxClass           O    IANA-ASSIGNED-OID.1.x
   pcimVariable                         O    IANA-ASSIGNED-OID.1.x
   pcimVariableName                     A    IANA-ASSIGNED-OID.2.x
   pcimExpectedValueList                A    IANA-ASSIGNED-OID.2.x
   pcimExplicitVariableAuxClass         O    IANA-ASSIGNED-OID.1.x
   pcimVariableModelClass               A    IANA-ASSIGNED-OID.2.x
   pcimVariableModelProperty            A    IANA-ASSIGNED-OID.2.x
   pcimImplicitVariableAuxClass         O    IANA-ASSIGNED-OID.1.x
   pcimExpectedValueTypes               A    IANA-ASSIGNED-OID.2.x
   pcimSourceIPv4VariableAuxClass       O    IANA-ASSIGNED-OID.1.x
   pcimSourceIPv6VariableAuxClass       O    IANA-ASSIGNED-OID.1.x
   pcimDestinationIPv4VariableAuxClass  O    IANA-ASSIGNED-OID.1.x
   pcimDestinationIPv6VariableAuxClass  O    IANA-ASSIGNED-OID.1.x
   pcimSourcePortVariableAuxClass       O    IANA-ASSIGNED-OID.1.x
   pcimDestinationPortVariableAuxClass  O    IANA-ASSIGNED-OID.1.x
   pcimIPProtocolVariableAuxClass       O    IANA-ASSIGNED-OID.1.x
   pcimIPVersionVariableAuxClass        O    IANA-ASSIGNED-OID.1.x
   pcimIPToSVariableAuxClass            O    IANA-ASSIGNED-OID.1.x
   pcimDSCPVariableAuxClass             O    IANA-ASSIGNED-OID.1.x
   pcimFlowIdVariableAuxClass           O    IANA-ASSIGNED-OID.1.x
   pcimSourceMACVariableAuxClass        O    IANA-ASSIGNED-OID.1.x
   pcimDestinationMACVariableAuxClass   O    IANA-ASSIGNED-OID.1.x
   pcimVLANVariableAuxClass             O    IANA-ASSIGNED-OID.1.x
   pcimCoSVariableAuxClass              O    IANA-ASSIGNED-OID.1.x
   pcimEthertypeVariableAuxClass        O    IANA-ASSIGNED-OID.1.x
   pcimSourceSAPVariableAuxClass        O    IANA-ASSIGNED-OID.1.x
   pcimDestinationSAPVariableAuxClass   O    IANA-ASSIGNED-OID.1.x
   pcimSNAPOUIVariableAuxClass          O    IANA-ASSIGNED-OID.1.x
   pcimSNAPTypeVariableAuxClass         O    IANA-ASSIGNED-OID.1.x
   pcimFlowDirectionVariableAuxClass    O    IANA-ASSIGNED-OID.1.x
   pcimValueAuxClass                    O    IANA-ASSIGNED-OID.1.x
   pcimValueName                        A    IANA-ASSIGNED-OID.2.x
   pcimIPv4AddrValueAuxClass            O    IANA-ASSIGNED-OID.1.x
   pcimIPv4AddrList                     A    IANA-ASSIGNED-OID.2.x
   pcimIPv6AddrValueAuxClass            O    IANA-ASSIGNED-OID.1.x
   pcimIPv6AddrList                     A    IANA-ASSIGNED-OID.2.x
   pcimMACAddrValueAuxClass             O    IANA-ASSIGNED-OID.1.x
   pcimMACAddrList                      A    IANA-ASSIGNED-OID.2.x
   pcimStringValueAuxClass              O    IANA-ASSIGNED-OID.1.x
   pcimStringList                       A    IANA-ASSIGNED-OID.2.x
   pcimBitStringValueAuxClass           O    IANA-ASSIGNED-OID.1.x
   pcimBitStringList                    A    IANA-ASSIGNED-OID.2.x
   pcimIntegerValueAuxClass             O    IANA-ASSIGNED-OID.1.x
   pcimIntegerList                      A    IANA-ASSIGNED-OID.2.x
   pcimBooleanValueAuxClass             O    IANA-ASSIGNED-OID.1.x
   pcimBoolean                          A    IANA-ASSIGNED-OID.2.x
   pcimReusableContainer                O    IANA-ASSIGNED-OID.1.x
   pcimReusableContainerAuxClass        O    IANA-ASSIGNED-OID.1.x
   pcimReusableContainerInstance        O    IANA-ASSIGNED-OID.1.x
   pcimReusableContainerName            A    IANA-ASSIGNED-OID.2.x
   pcimReusableContainerList            A    IANA-ASSIGNED-OID.2.x
   pcimRoleCollection                   O    IANA-ASSIGNED-OID.1.x
   pcimRole                             A    IANA-ASSIGNED-OID.2.x
   pcimRoleCollectionName               A    IANA-ASSIGNED-OID.2.x
   pcimElementList                      A    IANA-ASSIGNED-OID.2.x
   pcimFilterEntry                      O    IANA-ASSIGNED-OID.1.x
   pcimFilterName                       A    IANA-ASSIGNED-OID.2.x
   pcimFilterIsNegated                  A    IANA-ASSIGNED-OID.2.x
   pcimIPHeaders                        O    IANA-ASSIGNED-OID.1.x
   pcimIPHdrVersion                     A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceAddress               A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceAddressEndOfRange     A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceMask                  A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestAddress                 A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestAddressEndOfRange       A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestMask                    A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrProtocolID                  A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourcePortStart             A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourcePortEnd               A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestPortStart               A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestPortEnd                 A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrDSCPList                    A    IANA-ASSIGNED-OID.2.x
   pcimIPHdrFlowLabel                   A    IANA-ASSIGNED-OID.2.x
   pcim8021Headers                      O    IANA-ASSIGNED-OID.1.x
   pcim8021HdrSourceMACAddress          A    IANA-ASSIGNED-OID.2.x
   pcim8021HdrSourceMACMask             A    IANA-ASSIGNED-OID.2.x
   pcim8021HdrDestMACAddress            A    IANA-ASSIGNED-OID.2.x
   pcim8021HdrDestMACMask               A    IANA-ASSIGNED-OID.2.x
   pcim8021HdrProtocolID                A    IANA-ASSIGNED-OID.2.x
   pcim8021HdrPriority                  A    IANA-ASSIGNED-OID.2.x
   pcim8021HdrVLANID                    A    IANA-ASSIGNED-OID.2.x
   pcimFilterListAuxClass               O    IANA-ASSIGNED-OID.1.x
   pcimFilterListName                   A    IANA-ASSIGNED-OID.2.x
   pcimFilterDirection                  A    IANA-ASSIGNED-OID.2.x
   pcimFilterEntryList                  A    IANA-ASSIGNED-OID.2.x

8. References

   [CIM] Distributed Management Task Force, Inc., "Common Information
   Model (CIM) Schema", version 2.3, March 2000.
   The components of the CIM v2.3 schema are available via links on the
   following DMTF web page: http://www.dmtf.org/spec/cims.html

   [PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
   Model -- Version 1 Specification", RFC 3060, May 2000.

   [PCIM_EXT] B. Moore et al., "Policy Core Information Model (PCIM)
   Extensions", RFC 3460, January 2003.

   [PCLS] J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy Core
   LDAP Schema", Internet Draft, work in progress,
   draft-ietf-policy-core-schema-16.txt.

   [LDAP-IANA] Zeilenga, K., "Internet Assigned Numbers Authority
   (IANA) Considerations for the Lightweight Directory Access Protocol
   (LDAP)", BCP 64, RFC 3383, September 2002.

9. Authors' Addresses

   Angelica Reyes, Antoni Barba, David Moron
   Technical University of Catalonia
   Jordi-Girona 1-3
   08034 Barcelona
   Spain
   [angelica|telabm|dmoron]@mat.upc.es

   Marcus Brunner
   NEC Europe Ltd.
   Kurfuersten Anlage 34
   D-69115 Heidelberg
   Germany
   brunner@ccrle.nec.de

   Mircea Pana
   MetaSolv Software Inc.
   360 Legget Drive
   Ottawa, Ontario, Canada K2K 3N1
   mpana@metasolv.com

10. Full Copyright Statement

   Copyright (C) The Internet Society (2002). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.
   However, this document itself may not be modified in any way, such
   as by removing the copyright notice or references to the Internet
   Society or other Internet organizations, except as needed for the
   purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards process
   must be followed, or as required to translate it into languages
   other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Appendix A: Issues

   Some classes need to be added:

   1. pcimReusablePolicyContainer subclasses. Since pcimRepository and
      its two subclasses are deprecated, we have needed to add the
      pcimReusablePolicyContainer and two subclasses:
      pcimReusableContainerInstance (structural) and
      pcimReusableContainerAuxClass (auxiliary). The class
      pcimReusableContainer is defined as an abstract class, so
      pcimReusableContainer subclasses are needed in order to
      instantiate classes in the directory.

      RESOLUTION: This issue has been resolved in sections 5.23 and
      5.24.

   2. We have to add the subclasses pcimRuleActionAssociation and
      pcimActionAssociation.

      RESOLUTION: This issue has been resolved using the class
      pcimActionAssociation. See section 5.8.

   3. We have to clarify the following classes:

         pcimPolicyVariableAuxClass
         pcimPolicyVariableInstance
         pcimPolicyExplicitVariableAuxClass
         pcimPolicyImplicitVariableInstance

      RESOLUTION: This issue has been resolved in sections 5.17 to
      5.22.

   4.
      We have to clarify the mapping of the following classes:

         PolicyValue and its subclasses
         PolicyImplicitVariable subclasses

      RESOLUTION: This issue has been resolved in sections 5.19 to
      5.22.

   We also consider the following points:

   5. To define classes to search for errors and classes to detect
      failures in the system.

      RESOLUTION: not in scope for this document.

   6. Because the policy server is centralized and the LDAP directory
      is distributed hierarchically, it may be necessary to add classes
      in order to find duplicates in the information. This can occur,
      for example, when updates are excessively frequent.

      RESOLUTION: implementation specific; not in scope for this
      document.

   7. Mapping between network domains and the updating of information.
      Servers could manage some of these topics via resource management
      programs, even though it is necessary to add specific classes.

      RESOLUTION: not in scope for this document.

   8. The PolicyRoleCollection class from [PCIM_EXT] is implemented as
      the pcimRoleCollection structural object class. This object class
      is a subclass of the abstract pcimPolicy defined in [PCLS]. As a
      consequence, pcimRoleCollection instances can be located and
      retrieved by LDAP clients that implement the mechanism defined in
      section 4.5 of [PCLS]. Another option to consider is the
      implementation of pcimRoleCollection as a triplet of abstract /
      structural / auxiliary subclasses of the abstract dlm1Collection
      defined by [CIM]. In such a case, however, in order to permit the
      use of the location and retrieval mechanism mentioned above, it
      would be necessary to attach a pcimElementAuxClass to the
      pcimRoleCollection instances.

      RESOLUTION: The authors agree on the current implementation.

   9. Considerations about the relation between performance related to
      retrieval of information and storage capacity of DITs.

      RESOLUTION: not in scope for this document.

   10.
       The following [PCIM_EXT] classes and aggregations need to be
       addressed: FilterEntryBase, IpHeadersFilter, 8021Filter,
       FilterList and EntriesInFilterList.

       RESOLUTION: defined in subsections 5.26-5.29.

   11. pcimFilterEntry implements the FilterEntry but is a subclass of
       pcimPolicy and not a subclass of [CIM]'s dlm1LogicalElement.

       RESOLUTION: the authors agree with this implementation, which
       has practical advantages over the other options.

   12. pcimFilterListAuxClass implements the FilterList but is a
       subclass of pcimConditionAuxClass and not a subclass of [CIM]'s
       dlm1LogicalElement.

       RESOLUTION: the authors agree with this implementation, which
       has practical advantages over the other options.

   13. A limitation of this LDAP schema can lead to an ambiguous
       situation when a SimpleCondition and a SimpleAction are
       collocated, i.e., when they are attached to the same entry, for
       example in a simple policy rule construct. In such a situation a
       (non-reusable) Value or Variable attached to the same entry may
       be interpreted as being associated with either (or both) the
       condition and the action. Moreover, since the pcimValueDN and
       pcimVariableDN attributes are used in both the SimpleCondition
       and the SimpleAction to associate a reusable Value or Variable,
       the ownership of the attribute is ambiguous in the case of a
       collocated condition and action.

       RESOLUTION: Added a note to explicitly make
       pcimSimpleConditionAuxClass and pcimSimpleActionAuxClass
       mutually exclusive in an LDAP entry.
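   The object class descriptions in section 5 follow the LDAP schema
   description syntax, and several of the points raised in this appendix
   (the structural or auxiliary kind of each class, the MUST attributes
   a class inherits, and the mutual exclusion of
   pcimSimpleConditionAuxClass and pcimSimpleActionAuxClass from issue
   13) are checks a directory administrator can run before policy
   entries are loaded. The following Python program is an added example,
   not part of this draft or of any PCLS implementation: it parses
   descriptions in the form used in section 5, flags a STRUCTURAL or
   AUXILIARY class that derives from a class of the other kind, and
   validates the objectClass values of an entry. The sample schema is a
   constructed subset of sections 5.25 and 5.29 with abridged MAY lists,
   plus stand-in definitions with made-up OIDs for the [PCLS] classes
   pcimPolicy, pcimConditionAuxClass and pcimActionAuxClass and for the
   section 5.12 and 5.15 classes pcimSimpleConditionAuxClass and
   pcimSimpleActionAuxClass, whose real definitions are not reproduced
   here. NAME is assumed to carry a single quoted descriptor, as it does
   throughout this document.

```python
import re

# Tokens of an LDAP schema description: 'quoted string', ( ) $, or a word.
_TOKEN = re.compile(r"'([^']*)'|([()$])|([^\s()$']+)")

def parse_object_class(text):
    """Parse one object class description in the form used in section 5;
    the kind defaults to STRUCTURAL when none is given."""
    toks = [("p", p) if p else ("w", w) if w else ("s", q)
            for q, p, w in _TOKEN.findall(text)]
    if len(toks) < 2 or toks[0] != ("p", "(") or toks[-1] != ("p", ")"):
        raise ValueError("description must be enclosed in parentheses")
    oc = {"oid": toks[1][1], "name": None, "desc": "", "sup": [],
          "kind": "STRUCTURAL", "must": [], "may": []}
    pos = 2

    def names():  # a single descriptor or a "( a $ b )" list
        nonlocal pos
        if toks[pos] != ("p", "("):
            pos += 1
            return [toks[pos - 1][1]]
        end = toks.index(("p", ")"), pos)
        items = [v for k, v in toks[pos + 1:end] if k != "p"]
        pos = end + 1
        return items

    while pos < len(toks) - 1:
        kw = toks[pos][1]
        pos += 1
        if kw == "NAME":
            oc["name"], pos = toks[pos][1].strip(), pos + 1
        elif kw == "DESC":  # fold the line breaks of a wrapped DESC
            oc["desc"], pos = " ".join(toks[pos][1].split()), pos + 1
        elif kw == "SUP":
            oc["sup"] = names()
        elif kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"] = kw
        elif kw in ("MUST", "MAY"):
            oc[kw.lower()] = names()
        else:
            raise ValueError(f"unexpected token {kw!r} in {oc['oid']}")
    return oc

def lint_schema(classes):
    """Flag unknown superiors and classes derived across kinds: only an
    ABSTRACT superior may be shared by STRUCTURAL and AUXILIARY classes."""
    problems = []
    for oc in classes.values():
        for sup in oc["sup"]:
            parent = classes.get(sup)
            if parent is None:
                problems.append(f"{oc['name']}: unknown superior {sup}")
            elif parent["kind"] not in ("ABSTRACT", oc["kind"]):
                problems.append(f"{oc['name']} is {oc['kind']} but derives "
                                f"from {parent['kind']} {sup}")
    return problems

def required_attributes(classes, name):
    """MUST attributes of a class, including those inherited from superiors."""
    attrs = set(classes[name]["must"])
    for sup in classes[name]["sup"]:
        if sup in classes:
            attrs |= required_attributes(classes, sup)
    return attrs

# Appendix A, issue 13: these auxiliary classes are mutually exclusive.
EXCLUSIVE = (("pcimSimpleConditionAuxClass", "pcimSimpleActionAuxClass"),)

def check_entry(classes, entry):
    """Validate an entry (attribute -> value) against the schema; returns
    the problems found (an empty list means the entry is acceptable)."""
    problems = []
    ocs = entry.get("objectClass", [])
    for a, b in EXCLUSIVE:
        if a in ocs and b in ocs:
            problems.append(f"{a} and {b} must not share one entry")
    for name in ocs:
        if name not in classes:
            problems.append(f"unknown object class {name}")
            continue
        for attr in sorted(required_attributes(classes, name) - set(entry)):
            problems.append(f"{name} requires attribute {attr}")
    return problems

# Constructed sample: sections 5.25 and 5.29 (abridged MAY lists) plus
# stand-ins with made-up OIDs for [PCLS] and section 5.12/5.15 classes.
SAMPLE = {oc["name"]: oc for oc in map(parse_object_class, (
    "( 1.2.3.1 NAME 'pcimPolicy' DESC 'Stand-in for [PCLS].' ABSTRACT )",
    "( 1.2.3.2 NAME 'pcimConditionAuxClass' SUP pcimPolicy AUXILIARY )",
    "( 1.2.3.3 NAME 'pcimActionAuxClass' SUP pcimPolicy AUXILIARY )",
    "( 1.2.3.4 NAME 'pcimSimpleConditionAuxClass' SUP pcimConditionAuxClass AUXILIARY )",
    "( 1.2.3.5 NAME 'pcimSimpleActionAuxClass' SUP pcimActionAuxClass AUXILIARY )",
    """( IANA-ASSIGNED-OID.1.x NAME 'pcimRoleCollection'
          DESC 'This class is used to group together entries that share
                the same role.'
          SUP pcimPolicy STRUCTURAL MUST ( pcimRole )
          MAY ( pcimRoleCollectionName $ pcimElementList ) )""",
    """( IANA-ASSIGNED-OID.1.x NAME 'pcimFilterListAuxClass'
          SUP pcimConditionAuxClass AUXILIARY
          MAY ( pcimFilterListName $ pcimFilterDirection $
                pcimFilterEntryList ) )""",
))}
```

   lint_schema(SAMPLE) returns an empty list for this set; a description
   such as a class named with the AuxClass suffix but declared STRUCTURAL
   under an AUXILIARY superior is reported, and check_entry rejects an
   entry that combines pcimSimpleConditionAuxClass with
   pcimSimpleActionAuxClass or omits a MUST attribute such as pcimRole.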