Policy Framework Working Group                          Angelica Reyes
INTERNET-DRAFT                                            Antoni Barba
Updates: draft-ietf-policy-core-schema-16                  David Moron
                                     Technical University of Catalonia
                                                        Marcus Brunner
                                                                   NEC
                                                           Mircea Pana
                                                              MetaSolv
                                                           August 2003


              Policy Core Extension LDAP Schema (PCELS)

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT]. The changes
   include additional object classes previously not covered,
   deprecation of some object classes and changes to the object class
   hierarchy defined in [PCLS].

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in RFC-2119.

Reyes, et al.            Expires: February 2004               [page 1]
INTERNET-DRAFT                    PCELS                    August 2003

Table of contents

   1.  Introduction
   2.  Relationship to other Policy Framework Documents
   3.  Inheritance Hierarchy for PCELS
   4.  General Discussion of Mapping the Policy Core Information
       Model Extensions to LDAP
       4.1  Summary of Class and Association Mappings
       4.2  Summary of changes since PCLS
       4.3  The Association of PolicyVariable and PolicyValues to
            PolicySimpleCondition and PolicySimpleAction
       4.4  The Aggregation of PolicyRules and PolicyGroups in
            PolicySets
       4.5  The Aggregation of actions/conditions in PolicyRules and
            CompoundActions/CompoundConditions
   5.  Class Definitions
       5.1  The Class pcimPolicySet
       5.2  The Structural Class pcimPolicySetAssociation
       5.3  The Updated Class pcimGroup
       5.4  The Deprecated Class pcimGroupContainmentAuxClass
       5.5  The Deprecated Class pcimRuleContainmentAuxClass
       5.6  The Three Classes pcimPolicyRule
       5.7  The Structural Class pcimConditionAssociation
       5.8  The Structural Class pcimActionAssociation
       5.9  The Three Deprecated Classes pcimRule
       5.10 The Deprecated Class pcimRuleConditionAssociation
       5.11 The Deprecated Class pcimRuleActionAssociation
       5.12 The Auxiliary Class pcimSimpleConditionAuxClass
       5.13 The Auxiliary Class pcimCompoundConditionAuxClass
       5.14 The Auxiliary Class pcimCompoundFilterAuxClass
       5.15 The Auxiliary Class pcimSimpleActionAuxClass
       5.16 The Auxiliary Class pcimCompoundActionAuxClass
       5.17 The Abstract Class pcimVariable
       5.18 The Auxiliary Class pcimExplicitVariableAuxClass
       5.19 The Auxiliary Class pcimImplicitVariableAuxClass
       5.20 The Subclasses of pcimImplicitVariableAuxClass
       5.21 The Auxiliary Class pcimValueAuxClass
       5.22 The Subclasses of pcimValueAuxClass
       5.23 The Three Classes pcimReusableContainer
       5.24 The Three Deprecated Classes pcimRepository
       5.25 The Structural Class pcimRoleCollection
       5.26 The Abstract Class pcimFilterEntry
       5.27 The Structural Class pcimIPHeaders
       5.28 The Structural Class pcim8021Headers
       5.29 The Auxiliary Class pcimFilterListAuxClass
       5.30 The Auxiliary Class pcimVendorVariableAuxClass
       5.31 The Auxiliary Class pcimVendorValueAuxClass
   6.  Security Considerations
   7.  IANA Considerations
       7.1  Object Identifiers
       7.2  Object Identifier Descriptors
   8.  Normative References
   9.  Informative References
   10. Authors' Addresses
   11. Intellectual Property
   12. Full Copyright Statement

1. Introduction

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT]. The changes
   include additional object classes previously not covered,
   deprecation of some object classes and changes to the object class
   hierarchy defined in PCLS.

   Within the context of this document, the term 'PCELS' (Policy Core
   Extension LDAP Schema) is used to refer to the LDAP object class
   definitions contained in this document.

2. Relationship to other Policy Framework Documents

   This document contains an LDAP schema mapping for the classes
   defined in the Policy Core Information Model Extensions [PCIM_EXT].
   Other documents may subsequently be produced, with mappings of the
   same PCIM extensions to other storage or transport technologies.

   The document is an extension to [PCLS], which defines the mapping
   of the Policy Core Information Model [PCIM] to an LDAP schema.

3. Inheritance Hierarchy for PCELS

   The following diagram illustrates the combined class hierarchy for
   the LDAP object classes defined in [PCLS] and in this document:

   top
    |
    +---dlm1ManagedElement (abstract)
    |   |
    |   +---pcimPolicy (abstract)
    |   |   |
    |   |   +---pcimPolicySet (abstract new)
    |   |   |   |
    |   |   |   +---pcimGroup (abstract moved)
    |   |   |   |   |
    |   |   |   |   +---pcimGroupAuxClass (auxiliary moved)
    |   |   |   |   |
    |   |   |   |   +---pcimGroupInstance (structural moved)
    |   |   |   |
    |   |   |   +---pcimPolicyRule (abstract new)
    |   |   |       |
    |   |   |       +---pcimPolicyRuleAuxClass (auxiliary new)
    |   |   |       |
    |   |   |       +---pcimPolicyRuleInstance (structural new)
    |   |   |
    |   |   +---pcimRule (abstract deprecated)
    |   |   |   |
    |   |   |   +---pcimRuleAuxClass (auxiliary deprecated)
    |   |   |   |
    |   |   |   +---pcimRuleInstance (structural deprecated)
    |   |   |
    |   |   +---pcimRuleConditionAssociation (structural deprecated)
    |   |   |
    |   |   +---pcimConditionAssociation (structural new)
    |   |   |
    |   |   +---pcimRuleValidityAssociation (structural)
    |   |   |
    |   |   +---pcimRuleActionAssociation (structural deprecated)
    |   |   |
    |   |   +---pcimActionAssociation (structural new)
    |   |   |
    |   |   +---pcimPolicySetAssociation (structural new)
    |   |   |
    |   |   +---pcimPolicyInstance (structural)
    |   |   |
    |   |   +---pcimElementAuxClass (auxiliary)
    |   |   |
    |   |   +---pcimRoleCollection (structural new)
    |   |   |
    |   |   +---pcimFilterEntry (abstract new)
    |   |       |
    |   |       +---pcimIPHeaders (structural new)
    |   |       |
    |   |       +---pcim8021Headers (structural new)
    |   |
    |   +---dlm1ManagedSystemElement (abstract)
    |       |
    |       +---dlm1LogicalElement (abstract)
    |           |
    |           +---dlm1System (abstract)
    |               |
    |               +---dlm1AdminDomain (abstract)
    |                   |
    |                   +---pcimRepository (abstract deprecated)
    |                   |   |
    |                   |   +---pcimRepositoryAuxClass
    |                   |   |       (auxiliary deprecated)
    |                   |   |
    |                   |   +---pcimRepositoryInstance
    |                   |           (structural deprecated)
    |                   |
    |                   +---pcimReusableContainer (abstract new)
    |                       |
    |                       +---pcimReusableContainerAuxClass
    |                       |       (auxiliary new)
    |                       |
    |                       +---pcimReusableContainerInstance
    |                               (structural new)
    |
    +---pcimConditionAuxClass (auxiliary)
    |   |
    |   +---pcimTPCAuxClass (auxiliary)
    |   |
    |   +---pcimConditionVendorAuxClass (auxiliary)
    |   |
    |   +---pcimSimpleConditionAuxClass (auxiliary new)
    |   |
    |   +---pcimCompoundConditionAuxClass (auxiliary new)
    |   |   |
    |   |   +---pcimCompoundFilterAuxClass (auxiliary new)
    |   |
    |   +---pcimFilterListAuxClass (auxiliary new)
    |
    +---pcimActionAuxClass (auxiliary)
    |   |
    |   +---pcimActionVendorAuxClass (auxiliary)
    |   |
    |   +---pcimSimpleActionAuxClass (auxiliary new)
    |   |
    |   +---pcimCompoundActionAuxClass (auxiliary new)
    |
    +---pcimVariable (abstract new)
    |   |
    |   +---pcimVendorVariableAuxClass (auxiliary new)
    |   |
    |   +---pcimExplicitVariableAuxClass (auxiliary new)
    |   |
    |   +---pcimImplicitVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimSourceIPv4VariableAuxClass (auxiliary new)
    |       |
    |       +---pcimSourceIPv6VariableAuxClass (auxiliary new)
    |       |
    |       +---pcimDestinationIPv4VariableAuxClass (auxiliary new)
    |       |
    |       +---pcimDestinationIPv6VariableAuxClass (auxiliary new)
    |       |
    |       +---pcimSourcePortVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimDestinationPortVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimIPProtocolVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimIPVersionVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimIPToSVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimDSCPVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimFlowIdVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimSourceMACVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimDestinationMACVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimVLANVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimCoSVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimEthertypeVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimSourceSAPVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimDestinationSAPVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimSNAPOUIVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimSNAPTypeVariableAuxClass (auxiliary new)
    |       |
    |       +---pcimFlowDirectionVariableAuxClass (auxiliary new)
    |
    +---pcimValueAuxClass (auxiliary new)
    |   |
    |   +---pcimVendorValueAuxClass (auxiliary new)
    |   |
    |   +---pcimIPv4AddrValueAuxClass (auxiliary new)
    |   |
    |   +---pcimIPv6AddrValueAuxClass (auxiliary new)
    |   |
    |   +---pcimMACAddrValueAuxClass (auxiliary new)
    |   |
    |   +---pcimStringValueAuxClass (auxiliary new)
    |   |
    |   +---pcimBitStringValueAuxClass (auxiliary new)
    |   |
    |   +---pcimIntegerValueAuxClass (auxiliary new)
    |   |
    |   +---pcimBooleanValueAuxClass (auxiliary new)
    |
    +---pcimSubtreesPtrAuxClass (auxiliary)
    |
    +---pcimGroupContainmentAuxClass (auxiliary deprecated)
    |
    +---pcimRuleContainmentAuxClass (auxiliary deprecated)

4. General Discussion of Mapping the Policy Core Information Model
   Extensions to LDAP

   The object classes described in this document contain certain
   optimizations for a directory that uses LDAP as an access protocol.
   One example is the use of auxiliary class attachment to LDAP
   entries to realize some of the associations defined in the
   information model. Note that other storage types might need to
   implement the association differently.
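Seen from a policy consumer, auxiliary attachment and DN reference are two ways of reaching the same associated object, and a reader of the directory has to handle both. The Python code below is an added example, not part of the draft: it resolves the two nesting cases that Section 4.4 of this document describes (a nested set attached to a pcimPolicySetAssociation entry, or referenced through pcimPolicySetDN) over a constructed in-memory directory and reports entries it cannot resolve. The DNs, the cn/o naming, the function names and the reference-loop check are assumptions of the example; only the pcim* class and attribute names are taken from this document.

```python
"""Added example: resolve nested policy sets stored as Section 4.4 describes."""

# Classes that mark an entry as a rule or group (auxiliary or structural form).
SET_CLASSES = {"pcimpolicyruleauxclass", "pcimgroupauxclass",
               "pcimpolicyruleinstance", "pcimgroupinstance"}
ASSOC_CLASS = "pcimpolicysetassociation"

# Constructed sample directory (DN -> entry). The DNs and the cn/o naming are
# invented; only the pcim* class and attribute names come from the draft.
SAMPLE_DIT = {
    "cn=rule1,o=example": {
        "objectClass": ["pcimPolicyRuleInstance"],
        "pcimPolicySetList": ["cn=sa1,cn=rule1,o=example",
                              "cn=sa2,cn=rule1,o=example",
                              "cn=sa3,cn=rule1,o=example"]},
    # First case: the nested rule is attached to the association entry.
    "cn=sa1,cn=rule1,o=example": {
        "objectClass": ["pcimPolicySetAssociation", "pcimPolicyRuleAuxClass"]},
    # Second case: the association entry references a reusable group by DN.
    "cn=sa2,cn=rule1,o=example": {
        "objectClass": ["pcimPolicySetAssociation"],
        "pcimPolicySetDN": "cn=s1,cn=repositoryX,o=example"},
    # Deliberately broken: the referenced entry does not exist.
    "cn=sa3,cn=rule1,o=example": {
        "objectClass": ["pcimPolicySetAssociation"],
        "pcimPolicySetDN": "cn=gone,cn=repositoryX,o=example"},
    "cn=s1,cn=repositoryX,o=example": {
        "objectClass": ["pcimPolicyInstance", "pcimGroupAuxClass"],
        "pcimPolicySetList": ["cn=sa4,cn=s1,cn=repositoryX,o=example"]},
    # Deliberately broken: points back at rule1 and closes a loop.
    "cn=sa4,cn=s1,cn=repositoryX,o=example": {
        "objectClass": ["pcimPolicySetAssociation"],
        "pcimPolicySetDN": "cn=rule1,o=example"},
}


def norm(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas.
    Assumes the sample DNs contain no escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def classes(entry):
    """Object classes of an entry as a lower-cased set."""
    return {c.lower() for c in entry.get("objectClass", [])}


def resolve(dit, root_dn):
    """Walk the policy set at root_dn.

    Returns (nodes, findings): nodes is a list of (depth, how, dn) with how in
    {'root', 'attached', 'referenced'}; findings lists entries that do not
    follow the storage rules or cannot be resolved.
    """
    dit = {norm(dn): entry for dn, entry in dit.items()}
    nodes, findings = [], []

    def visit(set_dn, path, depth):
        for assoc_dn in map(norm, dit[set_dn].get("pcimPolicySetList", [])):
            assoc = dit.get(assoc_dn)
            if assoc is None or ASSOC_CLASS not in classes(assoc):
                findings.append(f"{assoc_dn}: not a pcimPolicySetAssociation")
                continue
            # Association entries are DIT contained in the nesting set.
            if assoc_dn.partition(",")[2] != set_dn:
                findings.append(f"{assoc_dn}: not subordinate to {set_dn}")
            if classes(assoc) & SET_CLASSES:           # first case
                how, nested_dn = "attached", assoc_dn
            elif "pcimPolicySetDN" in assoc:           # second case
                how, nested_dn = "referenced", norm(assoc["pcimPolicySetDN"])
            else:
                findings.append(f"{assoc_dn}: no nested set attached or referenced")
                continue
            nested = dit.get(nested_dn)
            if nested is None or not classes(nested) & SET_CLASSES:
                findings.append(f"{assoc_dn}: target {nested_dn} is not a rule or group")
                continue
            if nested_dn in path:  # added safeguard, not a rule from the draft
                findings.append(f"{assoc_dn}: reference loop via {nested_dn}")
                continue
            nodes.append((depth + 1, how, nested_dn))
            visit(nested_dn, path + (nested_dn,), depth + 1)

    root = norm(root_dn)
    if root not in dit:
        return nodes, [f"{root}: no such entry"]
    nodes.append((0, "root", root))
    visit(root, (root,), 0)
    return nodes, findings


if __name__ == "__main__":
    tree, problems = resolve(SAMPLE_DIT, "cn=rule1,o=example")
    for depth, how, dn in tree:
        print("  " * depth + f"{how}: {dn}")
    for problem in problems:
        print("finding:", problem)
```
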
4.1 Summary of Class and Association Mappings

   The LDAP object classes defined in this document are a direct
   mapping from the corresponding classes and, in some cases, the
   associations defined in [PCIM_EXT]. Similarly, the LDAP attributes
   defined here are a direct mapping from the corresponding class
   properties. In some cases, associations defined in [PCIM_EXT] are
   simply mapped to reference attributes or realized through auxiliary
   class attachment.

   The classes pcimVendorVariableAuxClass and pcimVendorValueAuxClass
   are not mapped from [PCIM_EXT]; they are new classes added in order
   to increase the framework's capability to store variables and
   values that have not been modeled with specific properties. As with
   any other schema elements defined in this document or in [PCLS], a
   particular submodel schema will not, in general, need to use vendor
   specific variable and value classes. Submodel schemas should apply
   the recommendations of section 5.10 of [PCIM_EXT] with regard to
   the supported and unsupported elements.

   Similar to [PCLS], the prefix "pcim" is used for all the object
   class and attribute names defined in this document.

+-------------------------------+--------------------------------------+
| Information Model (PCIM ext)  | LDAP Class(es)                       |
+-------------------------------+--------------------------------------+
| PolicySet                     | pcimPolicySet                        |
+-------------------------------+--------------------------------------+
| PolicyRule                    | pcimPolicyRule                       |
|                               | pcimPolicyRuleAuxClass               |
|                               | pcimPolicyRuleInstance               |
+-------------------------------+--------------------------------------+
| SimplePolicyCondition         | pcimSimpleConditionAuxClass          |
+-------------------------------+--------------------------------------+
| CompoundPolicyCondition       | pcimCompoundConditionAuxClass        |
+-------------------------------+--------------------------------------+
| CompoundFilterCondition       | pcimCompoundFilterAuxClass           |
+-------------------------------+--------------------------------------+
| SimplePolicyAction            | pcimSimpleActionAuxClass             |
+-------------------------------+--------------------------------------+
| CompoundPolicyAction          | pcimCompoundActionAuxClass           |
+-------------------------------+--------------------------------------+
| PolicyVariable                | pcimVariable                         |
+-------------------------------+--------------------------------------+
| --------------                | pcimVendorVariableAuxClass           |
+-------------------------------+--------------------------------------+
| PolicyExplicitVariable        | pcimExplicitVariableAuxClass         |
+-------------------------------+--------------------------------------+
| PolicyImplicitVariable        | pcimImplicitVariableAuxClass         |
+-------------------------------+--------------------------------------+
| PolicySourceIPv4Variable      | pcimSourceIPv4VariableAuxClass       |
+-------------------------------+--------------------------------------+
| PolicySourceIPv6Variable      | pcimSourceIPv6VariableAuxClass       |
+-------------------------------+--------------------------------------+
| PolicyDestinationIPv4Variable | pcimDestinationIPv4VariableAuxClass  |
+-------------------------------+--------------------------------------+
| PolicyDestinationIPv6Variable | pcimDestinationIPv6VariableAuxClass  |
+-------------------------------+--------------------------------------+
| PolicySourcePortVariable      | pcimSourcePortVariableAuxClass       |
+-------------------------------+--------------------------------------+
| PolicyDestinationPortVariable | pcimDestinationPortVariableAuxClass  |
+-------------------------------+--------------------------------------+
| PolicyIPProtocolVariable      | pcimIPProtocolVariableAuxClass       |
+-------------------------------+--------------------------------------+
| PolicyIPVersionVariable       | pcimIPVersionVariableAuxClass        |
+-------------------------------+--------------------------------------+
| PolicyIPToSVariable           | pcimIPToSVariableAuxClass            |
+-------------------------------+--------------------------------------+
| PolicyDSCPVariable            | pcimDSCPVariableAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyFlowIDVariable          | pcimFlowIDVariableAuxClass           |
+-------------------------------+--------------------------------------+
| PolicySourceMACVariable       | pcimSourceMACVariableAuxClass        |
+-------------------------------+--------------------------------------+
| PolicyDestinationMACVariable  | pcimDestinationMACVariableAuxClass   |
+-------------------------------+--------------------------------------+
| PolicyVLANVariable            | pcimVLANVariableAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyCoSVariable             | pcimCoSVariableAuxClass              |
+-------------------------------+--------------------------------------+
| PolicyEthertypeVariable       | pcimEthertypeVariableAuxClass        |
+-------------------------------+--------------------------------------+
| PolicySourceSAPVariable       | pcimSourceSAPVariableAuxClass        |
+-------------------------------+--------------------------------------+
| PolicyDestinationSAPVariable  | pcimDestinationSAPVariableAuxClass   |
+-------------------------------+--------------------------------------+
| PolicySNAPOUIVariable         | pcimSNAPOUIVariableAuxClass          |
+-------------------------------+--------------------------------------+
| PolicySNAPTypeVariable        | pcimSNAPTypeVariableAuxClass         |
+-------------------------------+--------------------------------------+
| PolicyFlowDirectionVariable   | pcimFlowDirectionVariableAuxClass    |
+-------------------------------+--------------------------------------+
| PolicyValue                   | pcimValueAuxClass                    |
+-------------------------------+--------------------------------------+
| -------------                 | pcimVendorValueAuxClass              |
+-------------------------------+--------------------------------------+
| PolicyIPv4AddrValue           | pcimIPv4AddrValueAuxClass            |
+-------------------------------+--------------------------------------+
| PolicyIPv6AddrValue           | pcimIPv6AddrValueAuxClass            |
+-------------------------------+--------------------------------------+
| PolicyMACAddrValue            | pcimMACAddrValueAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyStringValue             | pcimStringValueAuxClass              |
+-------------------------------+--------------------------------------+
| PolicyBitStringValue          | pcimBitStringValueAuxClass           |
+-------------------------------+--------------------------------------+
| PolicyIntegerValue            | pcimIntegerValueAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyBooleanValue            | pcimBooleanValueAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyRoleCollection          | pcimRoleCollection                   |
+-------------------------------+--------------------------------------+
| ReusablePolicyContainer       | pcimReusableContainer                |
|                               | pcimReusableContainerAuxClass        |
|                               | pcimReusableContainerInstance        |
+-------------------------------+--------------------------------------+
| FilterEntryBase               | pcimFilterEntry                      |
+-------------------------------+--------------------------------------+
| IPHeadersfilter               | pcimIPHeaders                        |
+-------------------------------+--------------------------------------+
| 8021Filter                    | pcim8021Headers                      |
+-------------------------------+--------------------------------------+
| FilterList                    | pcimFilterListAuxClass               |
+-------------------------------+--------------------------------------+

+----------------------------------+-----------------------------------+
| Information Model Association    | LDAP Attribute / Class            |
+----------------------------------+-----------------------------------+
| PolicySetComponent               | pcimPolicySetComponentList in     |
|                                  | pcimPolicySet and                 |
|                                  | pcimPolicySetDN in                |
|                                  | pcimPolicySetAssociation          |
+----------------------------------+-----------------------------------+
| PolicySetInSystem                | DIT Containment and               |
|                                  | pcimPolicySetDN in                |
|                                  | pcimPolicySetAssociation          |
+----------------------------------+-----------------------------------+
| PolicyGroupInSystem              | (same as PolicySetInSystem)       |
+----------------------------------+-----------------------------------+
| PolicyRuleInSystem               | (same as PolicySetInSystem)       |
+----------------------------------+-----------------------------------+
| PolicyConditionStructure         | pcimConditionDN in                |
|                                  | pcimConditionAssociation          |
+----------------------------------+-----------------------------------+
| PolicyConditionInPolicyRule      | pcimConditionList in              |
|                                  | pcimPolicyRule and                |
|                                  | pcimConditionDN in                |
|                                  | pcimConditionAssociation          |
+----------------------------------+-----------------------------------+
| PolicyConditionInPolicyCondition | pcimConditionList in              |
|                                  | pcimCompoundConditionAuxClass     |
|                                  | and pcimConditionDN in            |
|                                  | pcimConditionAssociation          |
+----------------------------------+-----------------------------------+
| PolicyActionStructure            | pcimActionDN in                   |
|                                  | pcimActionAssociation             |
+----------------------------------+-----------------------------------+
| PolicyActionInPolicyRule         | pcimActionList in                 |
|                                  | pcimPolicyRule and                |
|                                  | pcimActionDN in                   |
|                                  | pcimActionAssociation             |
+----------------------------------+-----------------------------------+
| PolicyActionInPolicyAction       | pcimActionList in                 |
|                                  | pcimCompoundActionAuxClass        |
|                                  | and pcimActionDN in               |
|                                  | pcimActionAssociation             |
+----------------------------------+-----------------------------------+
| PolicyVariableInSimplePolicy     | pcimVariableDN in                 |
| Condition                        | pcimSimpleConditionAuxClass       |
+----------------------------------+-----------------------------------+
| PolicyValueInSimplePolicy        | pcimValueDN in                    |
| Condition                        | pcimSimpleConditionAuxClass       |
+----------------------------------+-----------------------------------+
| PolicyVariableInSimplePolicy     | pcimVariableDN in                 |
| Action                           | pcimSimpleActionAuxClass          |
+----------------------------------+-----------------------------------+
| PolicyValueInSimplePolicyAction  | pcimValueDN in                    |
|                                  | pcimSimpleActionAuxClass          |
+----------------------------------+-----------------------------------+
| ReusablePolicy                   | DIT containment                   |
+----------------------------------+-----------------------------------+
| ExpectedPolicyValuesForVariable  | pcimExpectedValueList in          |
|                                  | pcimVariable                      |
+----------------------------------+-----------------------------------+
| ContainedDomain                  | DIT containment or                |
|                                  | pcimReusableContainerList in      |
|                                  | pcimReusableContainer             |
+----------------------------------+-----------------------------------+
| EntriesInFilterList              | pcimFilterEntryList in            |
|                                  | pcimFilterListAuxClass            |
+----------------------------------+-----------------------------------+
| ElementInPolicyRoleCollection    | DIT containment or                |
|                                  | pcimElementList in                |
|                                  | pcimRoleCollection                |
+----------------------------------+-----------------------------------+
| PolicyRoleCollectionInSystem     | DIT Containment                   |
+----------------------------------+-----------------------------------+

4.2 Summary of changes since PCLS

   This section provides an overview of the changes to PCLS defined in
   this document:

   1.  Changes to the pcimRepository: Because of the potential for
       confusion with the Policy Framework component Policy Repository
       as described in section 3.2.1 in [PCIM_EXT], the class is now
       called pcimReusableContainer. Its subclasses have been renamed
       as well.

   2.  The pcimGroupContainmentAuxClass and pcimRuleContainmentAuxClass
       auxiliary classes used to map the PolicyRuleInPolicyGroup and
       PolicyGroupInPolicyGroup aggregations defined by [PCIM] are
       replaced by the structural class pcimPolicySetAssociation and
       the attribute pcimPolicySetList added to the abstract class
       pcimPolicySet. Section 4.4 presents the details related to this
       association.

   3.  The class pcimRule is deprecated and with it the absolute
       prioritization of policy rules is no longer available. A
       relative prioritization of policies is introduced through the
       attribute pcimPriority in the pcimPolicySet object class. This
       attribute indicates the relative priority of the components of
       a policy set or, for a PolicySetInSystem, the priority of the
       referenced policy set relative to the other policy sets
       associated to this system.

   4.  A new attribute pcimDecisionStrategy is added on the
       pcimPolicySet class in order to map the decision mechanism
       described in [PCIM_EXT].

   5.  The attribute pcimRoles is moved to the class pcimPolicySet from
       the deprecated class pcimRule. Thus, the role based policy
       selection mechanism is preserved and extended to all the
       subclasses of pcimPolicySet.

   6.  The new attribute pcimExecutionStrategy is added to the
       pcimPolicyRule class to allow the specification of the expected
       behavior in the case where there are multiple actions
       aggregated by a rule or by a compound action.

   7.  Compound Conditions: The pcimCompoundConditionAuxClass class is
       added in order to map the CompoundPolicyCondition class of
       [PCIM_EXT].
       A new class, pcimConditionAssociation, is introduced to realize
       the aggregation of policy conditions in a
       pcimCompoundConditionAuxClass. The same class is used to
       aggregate policy conditions in a pcimPolicyRule, while the
       pcimRuleConditionAssociation defined in [PCLS] for this purpose
       is deprecated.

   8.  Compound Actions: The pcimCompoundActionAuxClass class is added
       in order to map the CompoundPolicyAction class of [PCIM_EXT]. A
       new class, pcimActionAssociation, is introduced to realize the
       aggregation of policy actions in a pcimCompoundActionAuxClass.
       The same class is used to aggregate policy actions in a
       pcimPolicyRule, while the pcimRuleActionAssociation defined in
       [PCLS] for this purpose is deprecated.

   9.  Variables and values: The classes defined in [PCIM_EXT] for the
       implementation of simple conditions and actions are directly
       mapped to auxiliary classes. These classes are:
       pcimSimpleConditionAuxClass, pcimSimpleActionAuxClass,
       pcimVariable and its subclasses, and pcimValue and its
       subclasses.

   10. Reusable conditions, actions, groups, rules, variables and
       values are subordinated (DIT contained) to a
       pcimReusableContainer entry. Thus, the ReusablePolicy
       association defined in [PCIM_EXT] is realized through
       subordination.

   11. Device level filter classes are added to the schema.

   12. The pcimRoleCollection class is added to the schema to allow
       the association of policy roles to resources represented as
       LDAP entries.

   13. A general extension mechanism is introduced for representing
       policy variables and values that have not been specifically
       modeled. The mechanism is intended for vendor-specific
       extensions.

4.3 The Association of PolicyVariable and PolicyValues to
    PolicySimpleCondition and PolicySimpleAction

   A PolicySimpleCondition as well as a PolicySimpleAction includes a
   single PolicyValue and a single PolicyVariable. Each of them can be
   attached or referenced by a DN.

   The attachment helps create compact PolicyCondition and
   PolicyAction definitions that can be efficiently provisioned and
   retrieved from the repository. On the other hand, referenced
   PolicyVariables and PolicyValues instances can be reused in the
   construction of multiple policies and permit the administrative
   partitioning of the data and policy definitions.

4.4 The Aggregation of PolicyRules and PolicyGroups in PolicySets

   In [PCIM_EXT], the two aggregations PolicyGroupInPolicyGroup and
   PolicyRuleInPolicyGroup are combined into a single aggregation
   PolicySetComponent. This aggregation and the capability of
   association between a policy and the ReusablePolicyContainer offer
   new possibilities of reusability. Furthermore, these aggregations
   introduce new semantics representing the execution of one
   PolicyRule within the scope of another PolicyRule.

   Since PolicySet is defined in [PCIM_EXT], it is mapped in this
   document to a new class pcimPolicySet in order to provide an
   abstraction for a set of policy rules or groups. The aggregation
   class PolicySetComponent in [PCIM_EXT] is mapped to a multi-value
   attribute pcimPolicySetList in the pcimPolicySet class and the
   attribute pcimPolicySetDN in the pcimPolicySetAssociation. These
   attributes refer to the nested rules and groups.

   It is possible to store a rule/group nested in another rule/group
   in two ways. The first way is to define the nested rule/group as
   specific to the nesting rule/group. The second way is to define the
   nested rules/groups as reusable.

   First case: Specific nested sets (rules/groups).

                          +----------+
                          |Rule/Group|
                          |          |
                    +-----|-        -|-----+
                    |     +----------+     |
                    |       *      *       |
                    |       *      *       |
                    |    ****      ****    |
                    |    *            *    |
                    v    *            *    v
                  +-----------+  +-----------+
                  | SA1+Set1  |  | SA2+Set2  |
                  +-----------+  +-----------+

                  +------------------------------+
                  |LEGEND:                       |
                  |  ***** DIT containment       |
                  |    +   auxiliary attachment  |
                  |  ----> DN reference          |
                  +------------------------------+

   #: Number.
   Set#: pcimPolicyRuleAuxClass or pcimGroupAuxClass auxiliary class.
   SA#: pcimPolicySetAssociation structural class.

   The nesting pcimPolicySet refers to instances of
   pcimPolicySetAssociation using the attribute pcimPolicySetList.
   These structural association classes are subordinated (DIT
   contained) to the pcimPolicySet (rule or group) entry and represent
   the association between the set (rule or group) and its nested
   rules/groups. The nested pcimPolicySet instances are attached (as
   auxiliary classes) to the association entries.

   Second case: Reusable nested sets (rules/groups).

                +----------+              +-------------+
                |Rule/Group|              | RepositoryX |
              +-|-        -|--+           |             |
              | +----------+  |           +-------------+
              |    *    *     |              *       *
              |  ***    ****  |              *       *
              |  *         *  v              *       *
              |  *         +---+             *       *
              |  *         |SA2|         +-------+   *
              v  *         |  -|-------->|S1+Set2|   *
             +---+         +---+         +-------+   *
             |SA1|                               +-------+
             |  -|------------------------------>|S2+Set3|
             +---+                               +-------+

                  +------------------------------+
                  |LEGEND:                       |
                  |  ***** DIT containment       |
                  |    +   auxiliary attachment  |
                  |  ----> DN reference          |
                  +------------------------------+

   Set#: pcimPolicyRuleAuxClass or pcimGroupAuxClass class.
   SA#: PolicySetAssociation structural class.
   S#: structural class.

   The nesting pcimPolicySet refers to instances of
   pcimPolicySetAssociation using the attribute pcimPolicySetList.
   These structural association classes are subordinated (DIT
   contained) to the pcimPolicySet entry and represent the association
   between the set (rule or group) and its nested rules/groups.
   The reusable rules/groups are instantiated here as auxiliary
   classes and attached to pcimPolicyInstance entries in the reusable
   container. Another option is to use the structural subclasses for
   defining reusable rules/groups. The association classes belonging
   to a nesting policy set reference the reusable rules/groups using
   the attribute pcimPolicySetDN.

   A combination of both specific and reusable components is also
   allowed for the same policy set.

4.5 The Aggregation of actions/conditions in PolicyRules and
    CompoundActions/CompoundConditions

   [PCIM_EXT] defines two new classes that offer the designer the
   capability of creating more complex conditions and actions.
   CompoundPolicyCondition and CompoundPolicyAction classes are mapped
   in this document to pcimCompoundConditionAuxClass and
   pcimCompoundActionAuxClass classes that are subclasses of
   pcimConditionAuxClass/pcimActionAuxClass. The compound
   conditions/actions defined in [PCIM_EXT] extend the capability of
   the rule to associate, group and evaluate/execute
   conditions/actions. The conditions/actions are associated to
   compound conditions/actions in the same way as they are associated
   to the rules.

   This section explains how to store instances of these classes in an
   LDAP Directory. As a general rule, specific conditions/actions are
   subordinated (DIT contained) to the rule or compound
   condition/action that aggregates them and are attached to
   association class instances. Reusable conditions/actions are
   subordinated to pcimReusableContainer instances and attached to
   pcimPolicyInstance instances.

   The examples below illustrate the four possible cases combining
   specific/reusable compound/non-compound condition/action. The rule
   has two compound conditions, each of which has two different
   conditions. The schemes can be extended in order to store actions.
The examples below are based on and extend those illustrated in section 4.4 of [PCLS].

- First case: Specific compound condition/action with specific conditions/actions.

             +--------------+
      +------|     Rule     |------+
      |      +--------------+      |
      |           *    *           |
      |   *********    *********   |
      v   *                    *   v
    +---------+           +---------+
  +-| CA1+cc1 |-+       +-| CA2+cc2 |-+
  | +---------+ |       | +---------+ |
  |    *   *    |       |    *   *    |
  | ****   **** |       | ****   **** |
  v *         * v       v *         * v
+------+   +------+   +------+   +------+
|CA3+c1|   |CA4+c2|   |CA5+c3|   |CA6+c4|
+------+   +------+   +------+   +------+

+------------------------------+
|LEGEND:                       |
|  ***** DIT containment       |
|    +   auxiliary attachment  |
|  ----> DN reference          |
+------------------------------+

   #:   Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#:  subclass of pcimConditionAuxClass.

Because the compound conditions/actions are specific to the Rule, they are auxiliary attachments to instances of the structural classes pcimConditionAssociation or pcimActionAssociation. These structural classes represent the association between the rule and the compound condition/action. The rule specific conditions/actions are therefore subordinated (DIT contained) to the rule entry.

The conditions/actions are tied to the compound conditions/actions in the same way the compound conditions/actions are tied to rules. Association classes realize the association between the aggregating compound conditions/actions and the specific conditions/actions.

- Second case: Rule specific compound conditions/actions with reusable conditions/actions.
            +-------------+                 +---------------+
     +------|    Rule     |-----+           |  RepositoryX  |
     |      +-------------+     |           +---------------+
     |           *   *          |            *    *    *   *
     |           *   *          |         ****    *    *   *
     |   *********   ********   |         *       *    *   ********
     |   *                  *   v         *       *    *          *
     |   *             +---------+        *       *    ****       *
     |   *           +-| CA2+cc2 |-+      *       *       *       *
     |   *           | +---------+ |      *       *       *       *
     v   *           |    *   *    |      *       *       *       *
   +---------+       | ****   **** |      *       *       *       *
 +-| CA1+cc1 |-+     | *         * v      *       *       *       *
 | +---------+ |     | *     +------+  +-----+    *       *       *
 |    *   *    |     v *     | CA6  |->|S1+c4|    *       *       *
 | ****   **** |    +------+ +------+  +-----+ +-----+    *       *
 | *         * v    | CA5  |------------------>|S2+c3|    *       *
 | *     +------+   +------+                   +-----+ +-----+    *
 v *     | CA4  |------------------------------------->|S3+c2|    *
+------+ +------+                                      +-----+ +-----+
| CA3  |------------------------------------------------------>|S4+c1|
+------+                                                       +-----+

+------------------------------+
|LEGEND:                       |
|  ***** DIT containment       |
|    +   auxiliary attachment  |
|  ----> DN reference          |
+------------------------------+

   #:   Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#:  subclass of pcimConditionAuxClass.
   S#:  structural class

This case is similar to the first one. The conditions/actions are reusable, so they are not attached to the association classes but to structural classes in the reusable container. The association classes tie the conditions/actions located in a reusable container to their aggregators using DN references.

- Third case: Reusable compound condition/action with specific conditions/actions.
    +--------------+                  +--------------+
    |     Rule     |                  | repositoryX  |
+---+--------------+----+             +--------------+
|        *    *         |                  *    *
|  *******    *******   |           ********    ********
|  *                *   v           *                  *
|  *           +----------+    +---------+             *
|  *           |   CA2    |--->| S1+cc2  |             *
|  *           +----------+  +-+---------+-+           *
|  *                         |    *   *    |           *
|  *                         | ****   **** |           *
|  *                         v *         * v           *
|  *                      +------+     +------+        *
|  *                      |CA5+c3|     |CA6+c4|        *
v  *                      +------+     +------+        *
+----------+                                          +---------+
|   CA1    |----------------------------------------->| S2+cc1  |
+----------+                                        +-+---------+-+
                                                    |    *   *    |
                                                    | ****   **** |
                                                    v *         * v
                                                 +------+     +------+
                                                 |CA3+c1|     |CA4+c2|
                                                 +------+     +------+

+------------------------------+
|LEGEND:                       |
|  ***** DIT containment       |
|    +   auxiliary attachment  |
|  ----> DN reference          |
+------------------------------+

   #:   Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#:  subclass of pcimConditionAuxClass.
   S#:  structural class

Reusable compound conditions/actions are attached to structural classes and stored in a reusable policy container. They are related to the rule through a DN reference attribute in the association classes. Specific conditions/actions are attached to association entries and subordinated (DIT contained) to the aggregating compound conditions/actions.

- Fourth case: Reusable conditions/actions and compound conditions/actions.
       +------+             +---------------+   +---------------+
 +-----| Rule |-----+       |  RepositoryX  |   |  RepositoryY  |
 |     +------+     |       +---------------+   +---------------+
 |       *  *       |           *     *           *    *   * *
 |  ******  ******  |         ***     ***       ***    *   * *****
 |  *            *  v         *         *       *      *   *     *
 |  *          +-------+  +------+      *       *      *   ***   *
 |  *          |  CA2  |->|S1+ca1|      *       *      *     *   *
 |  *          +-------+  +------+      *       *      *     *   *
 |  *                    / *    * \     *       *      *     *   *
 |  *                   |**     ** |    *       *      *     *   *
 |  *                   |*       * v    *       *      *     *   *
 |  *                   |*     +---+    *    +-----+   *     *   *
 |  *                   |*     |CA6|----*--->|S3+c4|   *     *   *
 |  *                   v*     +---+    *    +-----+   *     *   *
 |  *                   +---+           *          +-----+   *   *
 |  *                   |CA5|-----------*--------->|S4+c3|   *   *
 v  *                   +---+           *          +-----+   *   *
+-------+                           +------+                 *   *
|  CA1  |-------------------------->|S2+cc1|                 *   *
+-------+                           +------+                 *   *
                                   /  *  *  \                *   *
                                  | **    ** |               *   *
                                  | *      * v               *   *
                                  | *    +---+           +-----+ *
                                  | *    |CA4|---------->|S5+c2| *
                                  v *    +---+           +-----+ *
                                 +---+                      +-----+
                                 |CA3|--------------------->|S6+c1|
                                 +---+                      +-----+

+------------------------------+
|LEGEND:                       |
|  ***** DIT containment       |
|    +   auxiliary attachment  |
|  ----> DN reference          |
+------------------------------+

   #:   Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#:  subclass of pcimConditionAuxClass.
   S#:  structural class

All the conditions/actions are reusable, so they are stored in reusable containers. The figure above illustrates two different reusable policy containers, but the number of containers in the system is decided based on administrative reasons. The conditions, actions, etc. may be stored in the same container or in different containers with no impact on the policy definition semantics.

5. Class Definitions

5.1 The Class pcimPolicySet

The abstract class PolicySet in [PCIM_EXT] is introduced to provide an abstraction for a set of rules. The class value 'pcimPolicySet' is used as the mechanism for identifying group and rule-related instances in the DIT.
In [PCIM_EXT], the classes PolicyGroup and PolicyRule are moved, so that they are now derived from the PolicySet class.

A pcimPolicySet object refers to instances of pcimGroup and pcimPolicyRule via the attribute pcimPolicySetList and the attribute pcimPolicySetDN in the pcimPolicySetAssociation object class.

The definition of the abstract class pcimPolicySet:

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicySet'
     DESC 'Abstract class that represents a collection of policies
           that form a coherent set.'
     SUP pcimPolicy
     ABSTRACT
     MAY ( pcimPolicySetName $ pcimDecisionStrategy $ pcimRoles $
           pcimPolicySetList )
   )

One of the attributes of the pcimPolicySet class, pcimRoles, is already defined in [PCLS]. The other three attributes are defined below.

The attribute pcimPolicySetName may be used as naming attribute for pcimPolicySet entries:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimPolicySetName'
     DESC 'The user-friendly name of a policy set.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

The attribute pcimDecisionStrategy is used to define the evaluation method among the rules in the policy set and is mapped directly from the PolicyDecisionStrategy property defined in [PCIM_EXT].

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimDecisionStrategy'
     DESC 'The evaluation method used for the components of a in the
           pcimPolicySet. Valid values: 1 [FirstMatching],
           2 [AllMatching]'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

The attribute pcimPolicySetList is used to realize the PolicySetComponent aggregation.

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimPolicySetList'
     DESC 'List of DN references to pcimPolicySetAssociation entries
           used to aggregate policy sets.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

The subclasses pcimGroup and pcimPolicyRule are now derived from pcimPolicySet.

5.2 The Structural Class pcimPolicySetAssociation

The pcimPolicySetAssociation class is used to aggregate components into pcimPolicySet entries. Instances of this class are always subordinated to the aggregating pcimPolicySet. The aggregation of a reusable instance of (subclass of) pcimPolicySet is referenced via the pcimPolicySetDN attribute. A non-reusable instance of (subclass of) pcimPolicySet is attached as auxiliary class directly to the pcimPolicySetAssociation entry.

If a pcimPolicySetAssociation instance has a pcimPolicySet attached to it then the attribute pcimPolicySetDN SHOULD NOT be present in the same entry. However, if such a situation occurs, this attribute MUST be ignored.

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicySetAssociation'
     DESC 'Structural class that contains attributes characterizing
           the relationship between a policy set and one of its
           components.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimPriority )
     MAY ( pcimPolicySetName $ pcimPolicySetDN )
   )

The Attribute pcimPriority:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimPriority'
     DESC 'Policy priority.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

The Attribute pcimPolicySetDN:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimPolicySetDN'
     DESC 'DN reference to a pcimPolicySet entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

5.3 The Updated Class pcimGroup

The pcimGroup is defined in [PCLS]. Its superclass is changed here so that the pcimGroup can take advantage of the pcimPolicySet and its aggregation method.
   ( IANA-ASSIGNED-OID.1.2 NAME 'pcimGroup'
     DESC 'A container for a set of related pcimPolicyRule entries
           and/or a set of related pcimGroup entries.'
     SUP pcimPolicySet
     ABSTRACT
     MAY ( pcimGroupName )
   )

5.4 The Deprecated Class pcimGroupContainmentAuxClass

The policy group aggregation is replaced by the more comprehensive policy set aggregation. Therefore this class is deprecated.

The attribute pcimGroupsAuxContainedSet, only used in the definition of the deprecated pcimGroupContainmentAuxClass object class, is also deprecated.

5.5 The Deprecated Class pcimRuleContainmentAuxClass

The policy rule aggregation is replaced by the more comprehensive policy set aggregation. Therefore this class is deprecated.

The attribute pcimRulesAuxContainedSet, only used in the definition of the deprecated pcimRuleContainmentAuxClass object class, is also deprecated.

5.6 The Three Classes pcimPolicyRule

The base class representing policy rules is redefined without a priority attribute. In addition, this class uses the Condition and Action aggregation methods similar to the CompoundCondition and the CompoundAction.

If a pcimPolicyRule instance has a pcimConditionAuxClass attached to it then the attribute pcimConditionList SHOULD NOT be present in the same entry for the purpose of associating other conditions to the rule. However, when such a situation occurs, the referenced conditions MUST NOT be considered as associated to the rule.

If a pcimPolicyRule instance has a pcimActionAuxClass attached to it then the attribute pcimActionList should not be present in the same entry for the purpose of associating other actions to the rule. However, when such a situation occurs, the referenced actions must not be considered as associated to the rule.
   ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicyRule'
     DESC 'The base class for representing the "If Condition then
           Action" semantics associated with a Policy Rule'
     SUP pcimPolicySet
     ABSTRACT
     MAY ( pcimRuleName $ pcimRuleEnabled $ pcimConditionListType $
           pcimConditionList $ pcimActionList $
           pcimRuleValidityPeriodList $ pcimRuleUsage $
           pcimRuleMandatory $ pcimSequencedActions $
           pcimExecutionStrategy )
   )

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicyRuleAuxClass'
     DESC 'An auxiliary class for representing the "If Condition then
           Action" semantics associated with a policy rule.'
     SUP pcimPolicyRule
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimPolicyRuleInstance'
     DESC 'A structural class for representing the "If Condition then
           Action" semantics associated with a policy rule.'
     SUP pcimPolicyRule
     STRUCTURAL
   )

The attributes pcimRuleConditionListType, pcimRuleConditionList and pcimRuleActionList defined in [PCLS] are replaced by pcimConditionListType, pcimConditionList and pcimActionList. The new attributes are used in pcimPolicyRule as well as in the pcimCompoundConditionAuxClass and pcimCompoundActionAuxClass object classes.

The attribute definitions are:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimConditionListType'
     DESC 'a value of 1 means that this policy rule is in disjunctive
           normal form; a value of 2 means that this policy rule is
           in conjunctive normal form.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimConditionList'
     DESC 'unordered set of DN references to pcimConditionAssociation
           entries used to aggregate policy conditions.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimActionList'
     DESC 'Unordered set of DN references to pcimActionAssociation
           entries used to aggregate policy actions.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimSequencedActions'
     DESC 'Indicates whether the ordered execution of actions in an
           aggregate is Mandatory, Recommended, or DontCare.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

The new attribute pcimExecutionStrategy is a direct mapping of the ExecutionStrategy property in the [PCIM_EXT] PolicyRule class.

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimExecutionStrategy'
     DESC 'Indicates the execution strategy to be used upon an action
           aggregate. VALUES: 1 [Do until success]; 2 [Do all];
           3 [do until failure]. Default value = 2.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

5.7 The Structural Class pcimConditionAssociation

This class is used to aggregate policy conditions in compound policy conditions or policy rules. It implements the PolicyConditionInPolicyRule and PolicyConditionInPolicyCondition aggregations.

The pcimConditionAssociation class is used to aggregate policy conditions into pcimPolicyRule or pcimCompoundConditionAuxClass entries. Instances of this class are always subordinated to the aggregating pcimPolicyRule or pcimCompoundConditionAuxClass. The aggregation of a reusable instance of (subclass of) pcimConditionAuxClass is referenced via the pcimConditionDN attribute. A non-reusable instance of (subclass of) pcimConditionAuxClass is attached directly to the pcimConditionAssociation entry.

If a pcimConditionAssociation instance has a pcimConditionAuxClass attached to it then the attribute pcimConditionDN SHOULD NOT be present in the same entry. However, if such a situation occurs, this attribute MUST be ignored.
   ( IANA-ASSIGNED-OID.1.x NAME 'pcimConditionAssociation'
     DESC 'This class contains attributes characterizing the
           relationship between a policy condition and one of its
           aggregators: pcimPolicyRule or
           pcimCompoundConditionAuxClass. It is used in the
           realization of a policy condition structure.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimConditionGroupNumber $ pcimConditionNegated )
     MAY ( pcimConditionName $ pcimConditionDN )
   )

Its attributes are defined in section 5.4 of [PCLS].

5.8 The Structural Class pcimActionAssociation

This class is used to aggregate policy actions in compound policy actions or policy rules. It implements the PolicyActionInPolicyRule and PolicyActionInPolicyAction aggregations.

The pcimActionAssociation class is used to aggregate policy actions into pcimPolicyRule or pcimCompoundActionAuxClass entries. Instances of this class are always subordinated to the aggregating pcimPolicyRule or pcimCompoundActionAuxClass. The aggregation of a reusable instance of (subclass of) pcimActionAuxClass is referenced via the pcimActionDN attribute. A non-reusable instance of (subclass of) pcimActionAuxClass is attached directly to the pcimActionAssociation entry.

If a pcimActionAssociation instance has a pcimActionAuxClass attached to it then the attribute pcimActionDN SHOULD NOT be present in the same entry. However, if such a situation occurs, this attribute MUST be ignored.

The class definition follows:

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimActionAssociation'
     DESC 'This class contains attributes characterizing the
           relationship between a policy action and one of its
           aggregators. It is used in the realization of a policy
           action structure.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimActionOrder )
     MAY ( pcimActionName $ pcimActionDN )
   )

Its attributes are defined in [PCLS].
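
The following Python sketch is an added example, not part of the draft: it resolves and evaluates the conditions aggregated by a rule as sections 5.6 and 5.7 describe, ignoring pcimConditionDN when a condition is attached to the association entry and rejecting association entries that are not subordinated to their aggregator. The directory contents, the xMatch attribute standing in for variable/value matching, the DNF default, the treatment of an empty list and the fail-closed errors are assumptions of the example.

```python
# Added example (not from the draft): resolve and evaluate PCELS conditions.

# Object classes defined in this draft that derive from pcimConditionAuxClass.
CONDITION_CLASSES = {"pcimSimpleConditionAuxClass",
                     "pcimCompoundConditionAuxClass",
                     "pcimCompoundFilterAuxClass"}
COMPOUND_CLASSES = {"pcimCompoundConditionAuxClass",
                    "pcimCompoundFilterAuxClass"}
DNF, CNF = 1, 2  # pcimConditionListType values


def is_subordinate(child_dn, parent_dn):
    """True if child_dn lies below parent_dn (simplified string comparison)."""
    return child_dn.lower().endswith("," + parent_dn.lower())


def resolve_condition(assoc_dn, directory, warnings):
    """Return the DN of the entry that carries the associated condition."""
    assoc = directory[assoc_dn]
    ref = assoc.get("pcimConditionDN")
    if CONDITION_CLASSES & set(assoc["objectClass"]):
        if ref is not None:
            # Section 5.7: SHOULD NOT be present, MUST be ignored.
            warnings.append(assoc_dn + ": pcimConditionDN ignored")
        return assoc_dn
    target = directory.get(ref)
    if target is None or not CONDITION_CLASSES & set(target["objectClass"]):
        raise ValueError(assoc_dn + ": no usable condition")
    return ref


def evaluate(aggregator_dn, directory, leaf_eval, warnings, _path=()):
    """Evaluate the conditions aggregated by a rule or compound condition."""
    if aggregator_dn in _path:
        raise ValueError("reference loop at " + aggregator_dn)
    entry = directory[aggregator_dn]
    groups = {}
    for assoc_dn in entry.get("pcimConditionList", []):
        # Association entries are always subordinated to their aggregator.
        if not is_subordinate(assoc_dn, aggregator_dn):
            raise ValueError(assoc_dn + " is not below " + aggregator_dn)
        assoc = directory[assoc_dn]
        cond_dn = resolve_condition(assoc_dn, directory, warnings)
        cond = directory[cond_dn]
        if COMPOUND_CLASSES & set(cond["objectClass"]):
            result = evaluate(cond_dn, directory, leaf_eval, warnings,
                              _path + (aggregator_dn,))
        else:
            result = bool(leaf_eval(cond))
        if assoc["pcimConditionNegated"]:
            result = not result
        groups.setdefault(assoc["pcimConditionGroupNumber"], []).append(result)
    if not groups:
        return False  # assumption: nothing aggregated means no match
    # Assumption: DNF when pcimConditionListType is absent.
    if entry.get("pcimConditionListType", DNF) == CNF:
        return all(any(g) for g in groups.values())  # AND of ORed groups
    return any(all(g) for g in groups.values())      # OR of ANDed groups


RULE = "cn=rule1,o=example"
REPO = "cn=repoX,o=example"
S1 = "cn=S1," + REPO


def make_assoc(group, negated, classes=(), **extra):
    """Build a constructed pcimConditionAssociation entry."""
    return {"objectClass": ["pcimConditionAssociation", *classes],
            "pcimConditionGroupNumber": group,
            "pcimConditionNegated": negated, **extra}


# Constructed directory (DN -> attributes), not data from a real server.
SAMPLE = {
    RULE: {"objectClass": ["pcimPolicyRuleInstance"],
           "pcimConditionListType": CNF,
           "pcimConditionList": ["cn=CA1," + RULE, "cn=CA2," + RULE]},
    # CA1: condition attached, plus a stray reference that must be ignored.
    "cn=CA1," + RULE: make_assoc(1, False, ["pcimSimpleConditionAuxClass"],
                                 pcimConditionDN="cn=any," + REPO,
                                 xMatch=False),
    # CA2: DN reference to a reusable compound condition.
    "cn=CA2," + RULE: make_assoc(2, False, pcimConditionDN=S1),
    S1: {"objectClass": ["pcimPolicyInstance",
                         "pcimCompoundConditionAuxClass"],
         "pcimConditionListType": DNF,
         "pcimConditionList": ["cn=CA5," + S1, "cn=CA6," + S1]},
    "cn=CA5," + S1: make_assoc(1, False, ["pcimSimpleConditionAuxClass"],
                               xMatch=True),
    "cn=CA6," + S1: make_assoc(1, True, ["pcimSimpleConditionAuxClass"],
                               xMatch=False),
    "cn=any," + REPO: {"objectClass": ["pcimPolicyInstance",
                                       "pcimSimpleConditionAuxClass"],
                       "xMatch": True},
}


def matches(directory=SAMPLE):
    """Evaluate rule1 and return (result, warnings)."""
    warnings = []
    result = evaluate(RULE, directory, lambda e: e["xMatch"], warnings)
    return result, warnings
```

With the sample data the rule does not match; a consumer that followed the stray pcimConditionDN on CA1 instead of ignoring it would evaluate a different condition and match.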

5.9 The Three Deprecated Classes pcimRule

The class pcimRule and its subclasses are replaced by pcimPolicyRule and its subclasses. Therefore pcimRule and its subclasses are deprecated.

The following attributes, only used in the definition of the deprecated pcimRule object class, are also deprecated:

   pcimRuleConditionListType
   pcimRuleConditionList
   pcimRuleActionList
   pcimRulePriority
   pcimRuleSequencedActions

5.10 The Deprecated Class pcimRuleConditionAssociation.

This class is replaced by the more flexible pcimConditionAssociation.

5.11 The Deprecated Class pcimRuleActionAssociation.

This class is replaced by the more flexible pcimActionAssociation.

5.12 The Auxiliary Class pcimSimpleConditionAuxClass.

This class indicates if a specific match with a specific . The "match" relationship is to be interpreted by analyzing the variable and value instances associated with the simple condition. Its two attributes realize the PolicyValueinSimplePolicyCondition and PolicyVariableinSimplePolicyCondition associations defined in [PCIM_EXT].

A reusable variable / value is associated to a pcimSimpleConditionAuxClass via the pcimVariableDN / pcimValueDN reference from the simple condition entry. A non-reusable variable / value is associated directly as auxiliary object class to the pcimSimpleConditionAuxClass entry.

If a pcimSimpleConditionAuxClass instance has a pcimVariable attached to it then the attribute pcimVariableDN SHOULD NOT be present in the same entry. However, if such a situation occurs, this attribute MUST be ignored.

If a pcimSimpleConditionAuxClass instance has a pcimValueAuxClass attached to it then the attribute pcimValueDN SHOULD NOT be present in the same entry. However, if such a situation occurs, this attribute MUST be ignored.
The class definition follows:

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimSimpleConditionAuxClass'
     DESC 'An auxiliary class that evaluate the matching between a
           value and a variable.'
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcimVariableDN $ pcimValueDN )
   )

The pcimVariableDN attribute definition is:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimVariableDN'
     DESC 'DN reference to a pcimVariable entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

The pcimValueDN attribute definition is:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimValueDN'
     DESC 'DN reference to a pcimValueAuxClass entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

An instance of pcimSimpleActionAuxClass and an instance of pcimSimpleConditionAuxClass MUST NOT be attached to the same entry. Because the two classes use the same mechanisms to associate Variables and Values, this restriction is necessary in order to avoid ambiguities.

5.13 The Auxiliary Class pcimCompoundConditionAuxClass.

This class represents a compound policy condition, formed by aggregation of other policy conditions. A boolean attribute indicates whether the compounded conditions are to be interpreted as disjunctive normal form or conjunctive normal form.

The class definition follows:

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimCompoundConditionAuxClass'
     DESC 'An auxiliary class that represents a boolean combination
           of simpler conditions.'
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcimConditionListType $ pcimConditionList )
   )

The attribute pcimConditionListType is used to specify whether the list of policy conditions associated with this compound policy condition is in disjunctive normal form (DNF) or conjunctive normal form (CNF).
The attribute pcimConditionList is an unordered set of DN references to conditions aggregated in the compound condition.

These attributes are defined in section 5.6.

5.14 The Auxiliary Class pcimCompoundFilterAuxClass.

This class represents a domain-level filter and it typically contains a set of simple conditions.

   ( IANA-ASSIGNED-OID.1.x NAME 'pcimCompoundFilterAuxClass'
     DESC 'A compound condition with mirroring capabilities for
           traffic characterization.'
     SUP pcimCompoundConditionAuxClass
     AUXILIARY
     MAY ( pcimIsMirrored )
   )

The Attribute pcimIsMirrored:

   ( IANA-ASSIGNED-OID.2.x NAME 'pcimIsMirrored'
     DESC 'Indicates whether traffic that mirrors the specified
           filter is to be treated as matching the filter.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )

5.15 The Auxiliary Class pcimSimpleActionAuxClass.

This class overwrites an old value of the and set the new . Its two attributes realize the PolicyValueInSimplePolicyAction and PolicyVariableInSimplePolicyAction associations defined in [PCIM_EXT].

A reusable variable / value is associated to a pcimSimpleActionAuxClass via the pcimVariableDN / pcimValueDN reference from the simple action entry. A non-reusable variable / value is associated directly as auxiliary object class to the pcimSimpleActionAuxClass entry.

If a pcimSimpleActionAuxClass instance has a pcimVariable attached to it then the attribute pcimVariableDN SHOULD NOT be present in the same entry. However, if such a situation occurs, this attribute MUST be ignored.

If a pcimSimpleActionAuxClass instance has a pcimValueAuxClass attached to it then the attribute pcimValueDN SHOULD NOT be present in the same entry. However, if such a situation occurs, this attribute MUST be ignored.
The class definition is as follows: ( IANA-ASSIGNED-OID.1.x NAME 'pcimSimpleActionAuxClass' DESC 'This class contains attributes characterizing the relationship between a Simple PolicyAction and one variable and one value.' SUP pcimActionAuxClass AUXILIARY MAY ( pcimVariableDN $ pcimValueDN ) ) The attributes are defined in section 5.12. A instance of pcimSimpleActionAuxClass and an instance of pcimSimpleConditionAuxClass MUST NOT be attached to a same entry. Because the two classes use the same mechanisms to associate Variables and Values, this restriction is necessary in order to avoid ambiguities. 5.16 The Auxiliary Class pcimCompoundActionAuxClass. This class maps the CompoundPolicyAction class of the [PCIM_EXT]. The class definition follows: ( IANA-ASSIGNED-OID.1.x NAME 'pcimCompoundActionAuxClass' DESC 'A class that aggregates simpler actions in a sequence with specific execution strategy.' SUP pcimActionAuxClass AUXILIARY MAY ( pcimActionList $ pcimSequencedActions $ pcimExecutionStrategy ) ) The attributes pcimSequencedActions, pcimExecutionStrategy and pcimActionList are defined in 5.6 section. Reyes, et al. Expires: February 2004 [page 32] INTERNET-DRAFT PCELS August 2003 5.17 The Abstract Class pcimVariable. Variables specify the property of a flow or an event that should be matched when evaluating the condition. A given variable selects the set of matchable values through the ExpectedPolicyValuesForVariable association. A pcimVariable entry may be associated to a set of pcimValueAuxClass entries that represent its expected values. The expected values for a variable may be indicated by: (1) pcimExpectedValueList references to reusable instances of pcimValueAuxClass or by (2) pcimExpectedValueList references to subordinated non-reusable instances of pcimValueAuxClass ( IANA-ASSIGNED-OID.1.x NAME 'pcimVariable' DESC 'Base class for representing a variable whose actual value can be matched against or set to a specific value.' 
SUP top ABSTRACT MAY ( pcimVariableName $ pcimExpectedValueList ) ) The attribute pcimVariableName is an user-friendly name for the variable. ( IANA-ASSIGNED-OID.2.x NAME 'pcimVariableName' DESC 'The user-friendly name of a variable.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) The attribute pcimExpectedValueList is an unordered set of DN references to subclasses of pcimValueAuxClass. It maps the [PCIM_EXT] ExpectedPolicyValuesForVariable association: ( IANA-ASSIGNED-OID.2.x NAME 'pcimExpectedValueList' DESC 'List of DN references to pcimValueAuxClass entries that represent the acceptable values.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) Reyes, et al. Expires: February 2004 [page 33] INTERNET-DRAFT PCELS August 2003 5.18 The Auxiliary Class pcimExplicitVariableAuxClass The subclass pcimExplicitVariableAuxClass is defined as follows: ( IANA-ASSIGNED-OID.1.x NAME 'pcimExplicitVariableAuxClass' DESC 'Explicitly defined policy variable evaluated within the context of the CIM Schema.' SUP pcimVariable AUXILIARY MUST ( pcimVariableModelClass $ pcimVariableModelProperty ) ) The attribute pcimVariableModelClass is a string specifying the class name whose property is evaluated or set as a variable: ( IANA-ASSIGNED-OID.2.x NAME 'pcimVariableModelClass' DESC 'Specifies a CIM class name or oid.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) The attribute pcimVariableModelProperty is a string specifying the attribute, within the pcimVariableModelClass, which is evaluated or set as a variable: ( IANA-ASSIGNED-OID.2.x NAME 'pcimVariableModelProperty' DESC 'Specifies a CIM property name or oid.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) Reyes, et al. 
Expires: February 2004 [page 34] INTERNET-DRAFT PCELS August 2003 5.19 The Auxiliary Class pcimImplicitVariableAuxClass The subclass pcimImplicitVariableAuxClass is defined as follows: ( IANA-ASSIGNED-OID.1.x NAME 'pcimImplicitVariableAuxClass' DESC 'Implicitly defined policy variables whose evaluation depends on the usage context. Subclasses specify the data type and semantics of the variables.' SUP pcimVariable AUXILIARY MUST ( pcimExpectedValueTypes ) ) The attribute pcimExpectedValueTypes is the direct mapping from the valueTypes property in the [PCIM_EXT] PolicyImplicitVariable class. This attribute representes a set of allowed value types to be used with this variable. ( IANA-ASSIGNED-OID.2.x NAME 'pcimExpectedValueTypes' DESC 'List of object class names or oids of subclasses of pcimValueAuxClass that define acceptable value types.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 5.20 The Subclasses of pcimImplicitVariableAuxClass ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourceIPv4VariableAuxClass' DESC 'Source IP v4 address' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourceIPv6VariableAuxClass' DESC 'Source IP v6 address' SUP pcimImplicitVariableAuxClass AUXILIARY ) Reyes, et al. 
Expires: February 2004 [page 35] INTERNET-DRAFT PCELS August 2003 ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationIPv4VariableAuxClass' DESC 'Destination IP v4 address' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationIPv6VariableAuxClass' DESC 'Destination IP v6 address' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourcePortVariableAuxClass' DESC 'Source port' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationPortVariableAuxClass' DESC 'Destination port' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPProtocolVariableAuxClass' DESC 'IP protocol number' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPVersionVariableAuxClass' DESC 'IP version number' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPToSVariableAuxClass' DESC 'IP ToS' SUP pcimImplicitVariableAuxClass AUXILIARY ) Reyes, et al. Expires: February 2004 [page 36] INTERNET-DRAFT PCELS August 2003 ( IANA-ASSIGNED-OID.1.x NAME 'pcimDSCPVariableAuxClass' DESC 'DiffServ code point' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimFlowIdVariableAuxClass' DESC 'Flow Identifier' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourceMACVariableAuxClass' DESC 'Source MAC address' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationMACVariableAuxClass' DESC 'Destination MAC address' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimVLANVariableAuxClass' DESC 'VLAN' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimCoSVariableAuxClass' DESC 'Class of service' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimEthertypeVariableAuxClass' DESC 'Ethertype' SUP pcimImplicitVariableAuxClass AUXILIARY ) Reyes, et al. 
Expires: February 2004 [page 37] INTERNET-DRAFT PCELS August 2003 ( IANA-ASSIGNED-OID.1.x NAME 'pcimSourceSAPVariableAuxClass' DESC 'Source SAP' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimDestinationSAPVariableAuxClass' DESC 'Destination SAP' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimSNAPOUIVariableAuxClass' DESC 'SNAP OUI' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimSNAPTypeVariableAuxClass' DESC 'SNAP type' SUP pcimImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimFlowDirectionVariableAuxClass' DESC 'Flow direction' SUP pcimImplicitVariableAuxClass AUXILIARY ) 5.21 The Auxiliary Class pcimValueAuxClass. ( IANA-ASSIGNED-OID.1.x NAME 'pcimValueAuxClass' DESC 'Base class for representing a value that can be matched against or set for a specific variable.' SUP top AUXILIARY MAY ( pcimValueName ) ) Reyes, et al. Expires: February 2004 [page 38] INTERNET-DRAFT PCELS August 2003 The Attribute pcimValueName: ( IANA-ASSIGNED-OID.2.x NAME 'pcimValueName' DESC 'The user-friendly name of a value.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 5.22 The Subclasses of pcimValueAuxClass. ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPv4AddrValueAuxClass' DESC 'IP v4 address value.' SUP pcimValueAuxClass AUXILIARY MUST ( pcimIPv4AddrList ) ) The Attribute pcimIPv4AddrList: ( IANA-ASSIGNED-OID.2.x NAME 'pcimIPv4AddrList' DESC 'List of IPv4 address values, ranges or hosts.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ( IANA-ASSIGNED-OID.1.x NAME 'pcimIPv6AddrValueAuxClass' DESC 'IP v6 address value.' SUP pcimValueAuxClass AUXILIARY MUST ( pcimIPv6AddrList ) ) Reyes, et al. 
   The Attribute pcimIPv6AddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPv6AddrList'
     DESC 'List of IPv6 address values, ranges or hosts.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimMACAddrValueAuxClass'
     DESC 'MAC address value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimMACAddrList )
   )

   The Attribute pcimMACAddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimMACAddrList'
     DESC 'List of MAC address values or ranges.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimStringValueAuxClass'
     DESC 'String value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimStringList )
   )

   The Attribute pcimStringList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimStringList'
     DESC 'List of strings or wildcarded strings.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimBitStringValueAuxClass'
     DESC 'Bit string value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimBitStringList )
   )

   The Attribute pcimBitStringList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimBitStringList'
     DESC 'List of bit strings or masked bit strings.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIntegerValueAuxClass'
     DESC 'Integer value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimIntegerList )
   )

   The Attribute pcimIntegerList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIntegerList'
     DESC 'List of integers or integer ranges.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimBooleanValueAuxClass'
     DESC 'Boolean value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimBoolean )
   )

   The Attribute pcimBoolean:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimBoolean'
     DESC 'A boolean value.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )

5.23 The Three Classes pcimReusableContainer

   This class represents a container of reusable policy elements. The
   elements of a reusable container are aggregated via DIT containment.
   A reusable policy container can include the elements of other
   reusable policy containers by aggregating the container itself. This
   is realized by referencing the aggregated container by means of the
   attribute pcimReusableContainerList.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimReusableContainer'
     DESC 'A container for reusable policy information.'
     SUP dlm1AdminDomain
     ABSTRACT
     MAY ( pcimReusableContainerName $ pcimReusableContainerList )
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimReusableContainerAuxClass'
     DESC 'An auxiliary class that can be used to aggregate reusable policy information.'
     SUP pcimReusableContainer
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimReusableContainerInstance'
     DESC 'A structural class that can be used to aggregate reusable policy information.'
     SUP pcimReusableContainer
     STRUCTURAL
   )

   The Attribute pcimReusableContainerName:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimReusableContainerName'
     DESC 'The user-friendly name of a reusable policy container.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimReusableContainerList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimReusableContainerList'
     DESC 'List of DN references to pcimReusableContainer entries.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

5.24 The Three Deprecated Classes pcimRepository

   The pcimRepository and its subclasses are deprecated in favor of the
   pcimReusableContainer and its subclasses. The pcimRepositoryName
   attribute, which is used only in the definition of the deprecated
   pcimRepository object class, is also deprecated.

5.25 The Structural Class pcimRoleCollection

   The pcimRoleCollection class creates the means for the association
   of policy roles to resources represented as LDAP entries.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimRoleCollection'
     DESC 'This class is used to group together entries that share a same role.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimRole )
     MAY ( pcimRoleCollectionName $ pcimElementList )
   )

   The Attribute pcimRole:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimRole'
     DESC 'String representing a role.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimRoleCollectionName:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimRoleCollectionName'
     DESC 'The user-friendly name of a role collection.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimElementList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimElementList'
     DESC 'List of DN references to entries representing managed elements.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

5.26 The Abstract Class pcimFilterEntry

   The abstract class pcimFilterEntry implements the FilterEntryBase
   class from [PCIM_EXT]. This class is the base class for defining
   message or packet filters.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFilterEntry'
     DESC 'This class is used as a base class for representing message or packet filters.'
     SUP pcimPolicy
     ABSTRACT
     MAY ( pcimFilterName $ pcimFilterIsNegated )
   )

   The Attribute pcimFilterName may be used as naming attribute for
   filter entries:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterName'
     DESC 'The user-friendly name of a filter.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimIsMirrored indicates whether the specified
   criteria is to be negated or not in the process of matching a
   message or packet against the filter:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterIsNegated'
     DESC 'If TRUE, indicates that the filter matches all but the messages or packets that conform to the specified criteria. Default: FALSE.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )

5.27 The Structural Class pcimIPHeaders

   The class pcimIPHeaders implements the IpHeadersFilter class of the
   [PCIM_EXT] model. It provides means for filtering traffic by values
   in the IP header. Optional attributes, if not specified, shall be
   treated as 'all values'.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPHeaders'
     DESC 'This class defines an IP header filter.'
     SUP pcimFilterEntry
     STRUCTURAL
     MAY ( pcimIPHdrVersion $ pcimIPHdrSourceAddress
           $ pcimIPHdrSourceAddressEndOfRange $ pcimIPHdrSourceMask
           $ pcimIPHdrDestAddress $ pcimIPHdrDestAddressEndOfRange
           $ pcimIPHdrDestMask $ pcimIPHdrProtocolID
           $ pcimIPHdrSourcePortStart $ pcimIPHdrSourcePortEnd
           $ pcimIPHdrDestPortStart $ pcimIPHdrDestPortEnd
           $ pcimIPHdrDSCPList $ pcimIPHdrFlowLabel )
   )

   The attribute pcimIPHdrVersion identifies the IP version and
   dictates the format for the IP version dependent attribute values in
   a pcimIPHeaders entry. These attributes are:

      pcimIPHdrSourceAddress
      pcimIPHdrSourceAddressEndOfRange
      pcimIPHdrSourceMask
      pcimIPHdrDestAddress
      pcimIPHdrDestAddressEndOfRange
      pcimIPHdrDestMask

   If a value for pcimIPHdrVersion is not provided, then the filter
   does not consider IP version in selecting matching packets. In this
   case, IP version dependent attributes must not be present in the
   filter entry. The possible values of pcimIPHdrVersion are '4' and
   '6'.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrVersion'
     DESC 'The IP version.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourceAddress'
     DESC 'The IP source address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourceAddressEndOfRange'
     DESC 'The end of address range for the IP source address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourceMask'
     DESC 'The address mask for the IP source address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestAddress'
     DESC 'The IP destination address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestAddressEndOfRange'
     DESC 'The end of address range for the IP destination address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestMask'
     DESC 'The address mask for the IP destination address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrProtocolID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrProtocolID'
     DESC 'The IP protocol type.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourcePortStart:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourcePortStart'
     DESC 'The start of the source port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourcePortEnd:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourcePortEnd'
     DESC 'The end of the source port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestPortStart:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestPortStart'
     DESC 'The start of the destination port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestPortEnd:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestPortEnd'
     DESC 'The end of the destination port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The multivalue attribute pcimIPHdrDSCPList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDSCPList'
     DESC 'The DSCP values.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcimIPHdrFlowLabel:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrFlowLabel'
     DESC 'The IP flow label.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

5.28 The Structural Class pcim8021Headers

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcim8021Headers'
     DESC 'This class defines an 802.1 header filter.'
     SUP pcimFilterEntry
     STRUCTURAL
     MAY ( pcim8021HdrSourceMACAddress $ pcim8021HdrSourceMACMask
           $ pcim8021HdrDestMACAddress $ pcim8021HdrDestMACMask
           $ pcim8021HdrProtocolID $ pcim8021HdrPriority
           $ pcim8021HdrVLANID )
   )

   The attribute pcim8021HdrSourceMACAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrSourceMACAddress'
     DESC 'The source MAC address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrSourceMACMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrSourceMACMask'
     DESC 'The source MAC address mask.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrDestMACAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrDestMACAddress'
     DESC 'The destination MAC address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrDestMACMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrDestMACMask'
     DESC 'The destination MAC address mask.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrProtocolID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrProtocolID'
     DESC 'The 802.1 protocol ID.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcim8021HdrPriority:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrPriority'
     DESC 'The 802.1 priority.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcim8021HdrVLANID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrVLANID'
     DESC 'The 802.1 VLAN ID.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

5.29 The Auxiliary Class pcimFilterListAuxClass

   This class represents a set of device-level filters aggregated in a
   policy condition. Therefore, instances of this class can be used in
   policy rules or as elements of more complex compound conditions.

   The aggregation EntriesInFilterList from the [PCIM_EXT] model is
   implemented by the multi-value attribute pcimFilterEntryList. The
   EntrySequence property of the aggregation EntriesInFilterList, which
   is restricted to its default value ('0') in the [PCIM_EXT] model, is
   redundant and therefore not implemented.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFilterListAuxClass'
     DESC 'This class is used to aggregate filters represented as subclasses of pcimFilterEntry.'
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcimFilterListName $ pcimFilterDirection
           $ pcimFilterEntryList )
   )

   The Attribute pcimFilterListName may be used as naming attribute for
   filter lists:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterListName'
     DESC 'The user-friendly name of a filter list.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcimFilterDirection indicates the direction of the
   packets or messages relative to the interface where the filter is
   applied. The possible values are: NotApplicable(0), Input(1),
   Output(2), Both(3), Mirrored(4).

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterDirection'
     DESC 'The direction of the packets or messages to which this filter is to be applied.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcimFilterEntryList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterEntryList'
     DESC 'List of DN references to pcimFilterEntry entries.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

5.30 The Auxiliary Class pcimVendorVariableAuxClass

   This class provides a general extension mechanism for representing
   policy variables that have not been modeled with specific
   properties. Instead, its two properties are used to define the
   content and format of the variable, as explained below. This class
   is intended for vendor-specific extensions that are not amenable to
   using pcimVariable; standardized extensions SHOULD NOT use this
   class.

   The class definition is as follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimVendorVariableAuxClass'
     DESC 'A class that defines a registered means to describe a policy variable.'
     SUP pcimVariable
     AUXILIARY
     MAY ( pcimVendorVariableData $ pcimVendorVariableEncoding )
   )

   The pcimVendorVariableData attribute is a multi-valued attribute.
   It provides a general mechanism for representing policy variables
   that have not been modeled as specific attributes. This information
   is encoded in a set of octet strings. The format of the octet
   strings is identified by the OID stored in the
   pcimVendorVariableEncoding attribute. This attribute is defined as
   follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVendorVariableData'
     DESC 'Mechanism for representing variables that have not been modeled as specific attributes. Their format is identified by the OID stored in the attribute pcimVendorVariableEncoding.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
   )

   The pcimVendorVariableEncoding attribute is used to identify the
   format and semantics for the pcimVendorVariableData attribute. This
   attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVendorVariableEncoding'
     DESC 'An OID identifying the format and semantics for the pcimVendorVariableData for this instance.'
     EQUALITY objectIdentifierMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
     SINGLE-VALUE
   )

5.31 The Auxiliary Class pcimVendorValueAuxClass

   This class provides a general extension mechanism for representing
   policy values that have not been modeled with specific properties.
   Instead, its two properties are used to define the content and
   format of the value, as explained below. This class is intended for
   vendor-specific extensions that are not amenable to using
   pcimValueAuxClass; standardized extensions SHOULD NOT use this
   class.

   The class definition is as follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimVendorValueAuxClass'
     DESC 'A class that defines a registered means to describe a policy value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MAY ( pcimVendorValueData $ pcimVendorValueEncoding )
   )

   The pcimVendorValueData attribute is a multi-valued attribute. It
   provides a general mechanism for representing policy values that
   have not been modeled as specific attributes. This information is
   encoded in a set of octet strings. The format of the octet strings
   is identified by the OID stored in the pcimVendorValueEncoding
   attribute. This attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVendorValueData'
     DESC 'Mechanism for representing values that have not been modeled as specific attributes. Their format is identified by the OID stored in the attribute pcimVendorValueEncoding.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
   )

   The pcimVendorValueEncoding attribute is used to identify the format
   and semantics for the pcimVendorValueData attribute. This attribute
   is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVendorValueEncoding'
     DESC 'An OID identifying the format and semantics for the pcimVendorValueData for this instance.'
     EQUALITY objectIdentifierMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
     SINGLE-VALUE
   )

6. Security Considerations

   This section builds on the security requirements of the previous
   [PCLS] documents and also takes into account the following RFCs,
   which address the same security aspects:

      RFC 2829 (Authentication Methods for LDAP)
      RFC 2830 (Lightweight Directory Access Protocol (v3): Extension
                for Transport Layer Security)

   These RFCs provide a general framework for the security architecture
   of the system. However, some additional comments are needed because
   of the extensions introduced in this document and their relation to
   the [PCLS] document.

   This document considers new scenarios, with reusability and
   information containers located in other DITs, etc.; these conditions
   are expressed in chapter 4.4 of the [PCLS] document. As a
   consequence, new types of threats to the system have to be
   considered, and new security services must be defined to protect
   against them. The following new security services are defined:

   1) Authentication between entities of the network
   2) Mutual authentication between network operator and network
      entities (e.g., DITs)
   3) Integrity and confidentiality of links between network entities
      and also in the LDAP directories.

   Several definitions and security mechanisms related to DITs can also
   be obtained from the following ITU specification:

      X.509 The Directory Authentication framework

   Furthermore, obtaining the OIDs and attribute values from the DITs
   in a distributed scenario involves interaction between diverse
   network entities, with changes of security domain and/or
   administrative domain. In this directory scenario, with migration of
   data, the use of the DSP (Directory Service Protocol) with query
   types such as referral, chaining and multicasting, and with
   different key management and authentication among network entities,
   would have to be considered.

7. IANA Considerations

7.1 Object Identifiers

   It is requested that IANA register an LDAP Object Identifier for use
   in this technical specification according to the following template:

   Subject: Request for LDAP OID Registration
   Person & email address to contact for further information:
      Mircea Pana (mpana@metasolv.com)
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:
      The assigned OID will be used as a base for identifying
      a number of schema elements defined in this document.

7.2 Object Identifier Descriptors

   It is requested that IANA register the LDAP Descriptors used in this
   technical specification as detailed in the following template:

   Subject: Request for LDAP Descriptor Registration Update
   Descriptor (short name): see comment
   Object Identifier: see comment
   Person & email address to contact for further information:
      Mircea Pana (mpana@metasolv.com)
   Usage: see comment
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:

   The following descriptors should be added:

   NAME                                 Type  OID
   -----------------------------------  ----  ---------------------
   pcimPolicySet                        O     IANA-ASSIGNED-OID.1.x
   pcimPolicySetName                    A     IANA-ASSIGNED-OID.2.x
   pcimDecisionStrategy                 A     IANA-ASSIGNED-OID.2.x
   pcimPolicySetList                    A     IANA-ASSIGNED-OID.2.x
   pcimPolicySetAssociation             O     IANA-ASSIGNED-OID.1.x
   pcimPriority                         A     IANA-ASSIGNED-OID.2.x
   pcimPolicySetDN                      A     IANA-ASSIGNED-OID.2.x
   pcimPolicyRule                       O     IANA-ASSIGNED-OID.1.x
   pcimPolicyRuleAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcimPolicyRuleInstance               O     IANA-ASSIGNED-OID.1.x
   pcimConditionListType                A     IANA-ASSIGNED-OID.2.x
   pcimConditionList                    A     IANA-ASSIGNED-OID.2.x
   pcimActionList                       A     IANA-ASSIGNED-OID.2.x
   pcimSequencedActions                 A     IANA-ASSIGNED-OID.2.x
   pcimExecutionStrategy                A     IANA-ASSIGNED-OID.2.x
   pcimConditionAssociation             O     IANA-ASSIGNED-OID.1.x
   pcimActionAssociation                O     IANA-ASSIGNED-OID.1.x
   pcimSimpleConditionAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimVariableDN                       A     IANA-ASSIGNED-OID.2.x
   pcimValueDN                          A     IANA-ASSIGNED-OID.2.x
   pcimCompoundConditionAuxClass        O     IANA-ASSIGNED-OID.1.x
   pcimCompoundFilterAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimIsMirrored                       A     IANA-ASSIGNED-OID.2.x
   pcimSimpleActionAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimCompoundActionAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimVariable                         O     IANA-ASSIGNED-OID.1.x
   pcimVariableName                     A     IANA-ASSIGNED-OID.2.x
   pcimExpectedValueList                A     IANA-ASSIGNED-OID.2.x
   pcimExplicitVariableAuxClass         O     IANA-ASSIGNED-OID.1.x
   pcimVariableModelClass               A     IANA-ASSIGNED-OID.2.x
   pcimVariableModelProperty            A     IANA-ASSIGNED-OID.2.x
   pcimImplicitVariableAuxClass         O     IANA-ASSIGNED-OID.1.x
   pcimExpectedValueTypes               A     IANA-ASSIGNED-OID.2.x
   pcimSourceIPv4VariableAuxClass       O     IANA-ASSIGNED-OID.1.x
   pcimSourceIPv6VariableAuxClass       O     IANA-ASSIGNED-OID.1.x
   pcimDestinationIPv4VariableAuxClass  O     IANA-ASSIGNED-OID.1.x
   pcimDestinationIPv6VariableAuxClass  O     IANA-ASSIGNED-OID.1.x
   pcimSourcePortVariableAuxClass       O     IANA-ASSIGNED-OID.1.x
   pcimDestinationPortVariableAuxClass  O     IANA-ASSIGNED-OID.1.x
   pcimIPProtocolVariableAuxClass       O     IANA-ASSIGNED-OID.1.x
   pcimIPVersionVariableAuxClass        O     IANA-ASSIGNED-OID.1.x
   pcimIPToSVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcimDSCPVariableAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimFlowIdVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimSourceMACVariableAuxClass        O     IANA-ASSIGNED-OID.1.x
   pcimDestinationMACVariableAuxClass   O     IANA-ASSIGNED-OID.1.x
   pcimVLANVariableAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimCoSVariableAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimEthertypeVariableAuxClass        O     IANA-ASSIGNED-OID.1.x
   pcimSourceSAPVariableAuxClass        O     IANA-ASSIGNED-OID.1.x
   pcimDestinationSAPVariableAuxClass   O     IANA-ASSIGNED-OID.1.x
   pcimSNAPOUIVariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimSNAPTypeVariableAuxClass         O     IANA-ASSIGNED-OID.1.x
   pcimFlowDirectionVariableAuxClass    O     IANA-ASSIGNED-OID.1.x
   pcimValueAuxClass                    O     IANA-ASSIGNED-OID.1.x
   pcimValueName                        A     IANA-ASSIGNED-OID.2.x
   pcimIPv4AddrValueAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcimIPv4AddrList                     A     IANA-ASSIGNED-OID.2.x
   pcimIPv6AddrValueAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcimIPv6AddrList                     A     IANA-ASSIGNED-OID.2.x
   pcimMACAddrValueAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimMACAddrList                      A     IANA-ASSIGNED-OID.2.x
   pcimStringValueAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimStringList                       A     IANA-ASSIGNED-OID.2.x
   pcimBitStringValueAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimBitStringList                    A     IANA-ASSIGNED-OID.2.x
   pcimIntegerValueAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimIntegerList                      A     IANA-ASSIGNED-OID.2.x
   pcimBooleanValueAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimBoolean                          A     IANA-ASSIGNED-OID.2.x
   pcimReusableContainer                O     IANA-ASSIGNED-OID.1.x
   pcimReusableContainerAuxClass        O     IANA-ASSIGNED-OID.1.x
   pcimReusableContainerInstance        O     IANA-ASSIGNED-OID.1.x
   pcimReusableContainerName            A     IANA-ASSIGNED-OID.2.x
   pcimReusableContainerList            A     IANA-ASSIGNED-OID.2.x
   pcimRoleCollection                   O     IANA-ASSIGNED-OID.1.x
   pcimRole                             A     IANA-ASSIGNED-OID.2.x
   pcimRoleCollectionName               A     IANA-ASSIGNED-OID.2.x
   pcimElementList                      A     IANA-ASSIGNED-OID.2.x
   pcimFilterEntry                      O     IANA-ASSIGNED-OID.1.x
   pcimFilterName                       A     IANA-ASSIGNED-OID.2.x
   pcimFilterIsNegated                  A     IANA-ASSIGNED-OID.2.x
   pcimIPHeaders                        O     IANA-ASSIGNED-OID.1.x
   pcimIPHdrVersion                     A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceAddress               A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceAddressEndOfRange     A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceMask                  A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestAddress                 A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestAddressEndOfRange       A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestMask                    A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrProtocolID                  A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourcePortStart             A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourcePortEnd               A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestPortStart               A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestPortEnd                 A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDSCPList                    A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrFlowLabel                   A     IANA-ASSIGNED-OID.2.x
   pcim8021Headers                      O     IANA-ASSIGNED-OID.1.x
   pcim8021HdrSourceMACAddress          A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrSourceMACMask             A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrDestMACAddress            A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrDestMACMask               A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrProtocolID                A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrPriority                  A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrVLANID                    A     IANA-ASSIGNED-OID.2.x
   pcimFilterListAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcimFilterListName                   A     IANA-ASSIGNED-OID.2.x
   pcimFilterDirection                  A     IANA-ASSIGNED-OID.2.x
   pcimFilterEntryList                  A     IANA-ASSIGNED-OID.2.x
   pcimVendorVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimVendorVariableData               A     IANA-ASSIGNED-OID.2.x
   pcimVendorVariableEncoding           A     IANA-ASSIGNED-OID.2.x
   pcimVendorValueAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimVendorValueData                  A     IANA-ASSIGNED-OID.2.x
   pcimVendorValueEncoding              A     IANA-ASSIGNED-OID.2.x

   where Type A is Attribute, Type O is ObjectClass

8. Normative References

   [CIM]       Distributed Management Task Force, Inc., "Common
               Information Model (CIM) Specification", Version 2.2,
               June 14, 1999. This document is available on the
               following DMTF web page:
               http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf

   [CIM_LDAP]  Distributed Management Task Force, Inc., "DMTF LDAP
               Schema for the CIM v2.5 Core Information Model",
               April 15, 2002.
               This document is available on the following DMTF web
               page:
               http://www.dmtf.org/standards/documents/DEN/DSP0123.pdf

   [PCIM]      B. Moore, E. Ellesson, J. Strassner, "Policy Core
               Information Model -- Version 1 Specification", RFC 3060,
               May, 2000.

   [PCIM_EXT]  B. Moore et al., "Policy Core Information Model (PCIM)
               Extensions", RFC 3460, January 2003.

   [PCLS]      J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy
               Core LDAP Schema", Internet Draft, work in progress,
               draft-ietf-policy-core-schema-16.txt.

9. Informative References

   [KEYWORDS]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [PROCESS]   Hovey, R., and S. Bradner, "The Organizations Involved
               in the IETF Standards Process", BCP 11, RFC 2028,
               October 1996.

   [LDAP-IANA] Zeilenga, K., "Internet Assigned Numbers Authority
               (IANA) Considerations for the Lightweight Directory
               Access Protocol (LDAP)", BCP 64, RFC 3383, September
               2002.

10. Authors' Addresses

   Angelica Reyes, Antoni Barba, David Moron
   Technical University of Catalonia
   Jordi-Girona 1-3
   08034 Barcelona
   Spain
   [angelica|telabm|dmoron]@mat.upc.es

   Marcus Brunner
   NEC Europe Ltd.
   Kurfuersten Anlage 34
   D-69115 Heidelberg
   Germany
   brunner@ccrle.nec.de

   Mircea Pana
   MetaSolv Software Inc.
   360 Legget Drive
   Ottawa, Ontario, Canada
   K2K 3N1
   mpana@metasolv.com

11. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.
   Information on the IETF's procedures with respect to rights in
   standards-track and standards-related documentation can be found in
   BCP-11. Copies of claims of rights made available for publication
   and any assurances of licenses to be made available, or the result
   of an attempt made to obtain a general license or permission for the
   use of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

12. Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
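
Added example, not part of the draft: a Python check and matcher for a pcimIPHeaders entry (Sections 5.26 and 5.27), showing the rule that version-dependent attributes require pcimIPHdrVersion, the 'all values' default for absent attributes, and pcimFilterIsNegated. Assumptions not stated in the draft: entries arrive as dicts of decoded attribute values, addresses are raw network-order octets, a mask and a range end are mutually exclusive, and a missing port bound is open; the packet field names are hypothetical.

```python
import ipaddress

# Attributes whose value format depends on pcimIPHdrVersion (Section 5.27).
VERSION_DEPENDENT = tuple(
    f"pcimIPHdr{side}{part}" for side in ("Source", "Dest")
    for part in ("Address", "AddressEndOfRange", "Mask"))
SRC_PORTS = ("pcimIPHdrSourcePortStart", "pcimIPHdrSourcePortEnd")
DST_PORTS = ("pcimIPHdrDestPortStart", "pcimIPHdrDestPortEnd")
ADDR_OCTETS = {4: 4, 6: 16}  # assumption: raw network-order octets


def ip(text):
    return ipaddress.ip_address(text).packed  # helper for sample data


def validate(entry):
    """Return the constraint violations found in one pcimIPHeaders entry."""
    errors = []
    version = entry.get("pcimIPHdrVersion")
    present = [a for a in VERSION_DEPENDENT if a in entry]
    if version is None:
        # From the draft: without a version, these attributes must be absent.
        errors += [f"{a} present without pcimIPHdrVersion" for a in present]
    elif version not in ADDR_OCTETS:
        errors.append(f"pcimIPHdrVersion must be 4 or 6, got {version!r}")
    else:
        errors += [f"{a}: expected {ADDR_OCTETS[version]} octets"
                   for a in present if len(entry[a]) != ADDR_OCTETS[version]]
    for base in ("pcimIPHdrSource", "pcimIPHdrDest"):
        end, mask = base + "AddressEndOfRange", base + "Mask"
        if (end in entry or mask in entry) and base + "Address" not in entry:
            errors.append(f"{base}: range end or mask without an address")
        if end in entry and mask in entry:  # assumption: mutually exclusive
            errors.append(f"{base}: both range end and mask present")
    for start, stop in (SRC_PORTS, DST_PORTS):
        lo, hi = entry.get(start), entry.get(stop)
        errors += [f"{n} out of range: {v}" for n, v in ((start, lo), (stop, hi))
                   if v is not None and not 0 <= v <= 65535]
        if lo is not None and hi is not None and lo > hi:
            errors.append(f"{start} is greater than {stop}")
    return errors


def _addr_ok(entry, base, packet_addr):
    addr = entry.get(base + "Address")
    if addr is None:
        return True  # not specified: treated as 'all values'
    low, value = int.from_bytes(addr, "big"), int.from_bytes(packet_addr, "big")
    end, mask = entry.get(base + "AddressEndOfRange"), entry.get(base + "Mask")
    if end is not None:
        return low <= value <= int.from_bytes(end, "big")
    if mask is not None:
        bits = int.from_bytes(mask, "big")
        return (value & bits) == (low & bits)
    return value == low


def _port_ok(entry, names, port):
    lo, hi = entry.get(names[0]), entry.get(names[1])
    # Assumption: a missing bound leaves that side of the range open.
    return (lo is None or port >= lo) and (hi is None or port <= hi)


def matches(entry, pkt):
    """True if pkt is selected by the filter, honouring pcimFilterIsNegated."""
    problems = validate(entry)
    if problems:
        # Fail closed: a malformed entry must not degrade into 'all values'.
        raise ValueError("; ".join(problems))
    version = entry.get("pcimIPHdrVersion")
    proto = entry.get("pcimIPHdrProtocolID")
    dscps = entry.get("pcimIPHdrDSCPList")
    label = entry.get("pcimIPHdrFlowLabel")
    hit = (
        (version is None or pkt["version"] == version)
        and (proto is None or pkt["protocol"] == proto)
        and (dscps is None or pkt["dscp"] in dscps)
        and (label is None or pkt.get("flow_label") == label)
        and _port_ok(entry, SRC_PORTS, pkt["sport"])
        and _port_ok(entry, DST_PORTS, pkt["dport"])
    )
    if hit and version is not None:
        hit = (_addr_ok(entry, "pcimIPHdrSource", pkt["src"])
               and _addr_ok(entry, "pcimIPHdrDest", pkt["dst"]))
    return hit != bool(entry.get("pcimFilterIsNegated", False))


# Constructed sample entry: TCP from 10.0.0.0/8 to destination port 443.
SAMPLE_FILTER = {
    "pcimIPHdrVersion": 4,
    "pcimIPHdrSourceAddress": ip("10.0.0.0"),
    "pcimIPHdrSourceMask": ip("255.0.0.0"),
    "pcimIPHdrProtocolID": 6,
    "pcimIPHdrDestPortStart": 443,
    "pcimIPHdrDestPortEnd": 443,
}
# Constructed sample packet header fields.
SAMPLE_PACKET = {"version": 4, "src": ip("10.1.2.3"), "dst": ip("192.0.2.10"),
                 "protocol": 6, "sport": 51000, "dport": 443, "dscp": 0}
```

Rejecting an invalid entry in matches() keeps a mis-provisioned filter from silently selecting every packet.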
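
Added example, not part of the draft: expanding the pcimReusableContainerList references of Section 5.23 in Python without looping on containers that reference each other, and without following references that leave a set of trusted naming contexts (the cross-DIT case raised in Section 6). The in-memory directory, the sample DNs, the trusted-suffix allow-list and the depth limit are assumptions of this example.

```python
def norm(dn):
    """Simplified DN normalisation for this example (no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def in_trusted(dn, suffixes):
    """True if the normalised dn lies under one of the trusted suffixes."""
    return any(dn == s or dn.endswith("," + s) for s in map(norm, suffixes))


def resolve_containers(directory, start_dn, trusted_suffixes, max_depth=8):
    """Expand pcimReusableContainerList references starting at start_dn.

    Returns (resolved, rejected): the DNs whose elements may be used, and
    (dn, reason) pairs for references that were not followed.
    """
    entries = {norm(dn): attrs for dn, attrs in directory.items()}
    resolved, rejected, seen = [], [], set()
    stack = [(norm(start_dn), 0)]
    while stack:
        dn, depth = stack.pop()
        if dn in seen:
            continue  # already visited: this is what breaks reference cycles
        seen.add(dn)
        if not in_trusted(dn, trusted_suffixes):
            rejected.append((dn, "outside trusted naming contexts"))
        elif dn not in entries:
            rejected.append((dn, "dangling reference"))
        elif depth > max_depth:
            rejected.append((dn, "nesting too deep"))
        else:
            resolved.append(dn)
            refs = entries[dn].get("pcimReusableContainerList", [])
            # Reverse so that references are expanded in their listed order.
            stack.extend((norm(r), depth + 1) for r in reversed(refs))
    return resolved, rejected


# Constructed sample data standing in for LDAP search results.
SAMPLE_DIRECTORY = {
    "cn=A,ou=policy,dc=example,dc=com": {
        "pcimReusableContainerList": [
            "cn=B,ou=policy,dc=example,dc=com",
            "cn=X,ou=policy,dc=other,dc=example",   # different naming context
        ]},
    "cn=B,ou=policy,dc=example,dc=com": {
        "pcimReusableContainerList": [
            "cn=A,ou=policy,dc=example,dc=com",     # cycle back to A
            "cn=C,ou=policy,dc=example,dc=com",     # entry does not exist
        ]},
}
```

Production code should compare DNs with the LDAP library's own DN parser; the string normalisation here only serves the constructed sample.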