summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3460.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc3460.txt')
-rw-r--r--doc/rfc/rfc3460.txt5211
1 files changed, 5211 insertions, 0 deletions
diff --git a/doc/rfc/rfc3460.txt b/doc/rfc/rfc3460.txt
new file mode 100644
index 0000000..131b2c3
--- /dev/null
+++ b/doc/rfc/rfc3460.txt
@@ -0,0 +1,5211 @@
+
+
+
+
+
+
+Network Working Group B. Moore, Ed.
+Request for Comments: 3460 IBM
+Updates: 3060 January 2003
+Category: Standards Track
+
+
+ Policy Core Information Model (PCIM) Extensions
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document specifies a number of changes to the Policy Core
+ Information Model (PCIM, RFC 3060). Two types of changes are
+ included. First, several completely new elements are introduced, for
+ example, classes for header filtering, that extend PCIM into areas
+ that it did not previously cover. Second, there are cases where
+ elements of PCIM (for example, policy rule priorities) are
+ deprecated, and replacement elements are defined (in this case,
+ priorities tied to associations that refer to policy rules). Both
+ types of changes are done in such a way that, to the extent possible,
+ interoperability with implementations of the original PCIM model is
+ preserved. This document updates RFC 3060.
+
+Table of Contents
+
+ 1. Introduction....................................................5
+ 2. Changes since RFC 3060..........................................5
+ 3. Overview of the Changes.........................................6
+ 3.1. How to Change an Information Model.........................6
+ 3.2. List of Changes to the Model...............................6
+ 3.2.1. Changes to PolicyRepository.........................6
+ 3.2.2. Additional Associations and Additional Reusable
+ Elements............................................7
+ 3.2.3. Priorities and Decision Strategies..................7
+ 3.2.4. Policy Roles........................................8
+ 3.2.5. CompoundPolicyConditions and
+ CompoundPolicyActions...............................8
+
+
+
+Moore Standards Track [Page 1]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ 3.2.6. Variables and Values................................9
+ 3.2.7. Domain-Level Packet Filtering.......................9
+ 3.2.8. Device-Level Packet Filtering.......................9
+ 4. The Updated Class and Association Class Hierarchies............10
+ 5. Areas of Extension to PCIM.....................................13
+ 5.1. Policy Scope..............................................13
+ 5.1.1. Levels of Abstraction: Domain- and Device-Level
+ Policies...........................................13
+ 5.1.2. Administrative and Functional Scopes...............14
+ 5.2. Reusable Policy Elements..................................15
+ 5.3. Policy Sets...............................................16
+ 5.4. Nested Policy Rules.......................................16
+ 5.4.1. Usage Rules for Nested Rules.......................17
+ 5.4.2. Motivation.........................................17
+ 5.5. Priorities and Decision Strategies........................18
+ 5.5.1. Structuring Decision Strategies....................19
+ 5.5.2. Side Effects.......................................21
+ 5.5.3. Multiple PolicySet Trees For a Resource............21
+ 5.5.4. Deterministic Decisions............................22
+ 5.6. Policy Roles..............................................23
+ 5.6.1. Comparison of Roles in PCIM with Roles in
+ snmpconf...........................................23
+ 5.6.2. Addition of PolicyRoleCollection to PCIMe..........24
+ 5.6.3. Roles for PolicyGroups.............................25
+ 5.7. Compound Policy Conditions and Compound Policy Actions....27
+ 5.7.1. Compound Policy Conditions.........................27
+ 5.7.2. Compound Policy Actions............................27
+ 5.8. Variables and Values......................................28
+ 5.8.1. Simple Policy Conditions...........................29
+ 5.8.2. Using Simple Policy Conditions.....................29
+ 5.8.3. The Simple Condition Operator......................31
+ 5.8.4. SimplePolicyActions................................33
+ 5.8.5. Policy Variables...................................35
+ 5.8.6. Explicitly Bound Policy Variables..................36
+ 5.8.7. Implicitly Bound Policy Variables..................37
+ 5.8.8. Structure and Usage of Pre-Defined Variables.......38
+ 5.8.9. Rationale for Modeling Implicit Variables
+ as Classes.........................................39
+ 5.8.10. Policy Values.....................................40
+ 5.9. Packet Filtering..........................................41
+ 5.9.1. Domain-Level Packet Filters........................41
+ 5.9.2. Device-Level Packet Filters........................42
+ 5.10. Conformance to PCIM and PCIMe............................43
+ 6. Class Definitions..............................................44
+ 6.1. The Abstract Class "PolicySet"............................44
+ 6.2. Update PCIM's Class "PolicyGroup".........................45
+ 6.3. Update PCIM's Class "PolicyRule"..........................45
+ 6.4. The Class "SimplePolicyCondition".........................46
+
+
+
+Moore Standards Track [Page 2]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ 6.5. The Class "CompoundPolicyCondition".......................47
+ 6.6. The Class "CompoundFilterCondition".......................47
+ 6.7. The Class "SimplePolicyAction"............................48
+ 6.8. The Class "CompoundPolicyAction"..........................48
+ 6.9. The Abstract Class "PolicyVariable".......................50
+ 6.10. The Class "PolicyExplicitVariable".......................50
+ 6.10.1. The Single-Valued Property "ModelClass"...........51
+ 6.10.2. The Single-Valued Property ModelProperty..........51
+ 6.11. The Abstract Class "PolicyImplicitVariable"..............51
+ 6.11.1. The Multi-Valued Property "ValueTypes"............52
+ 6.12. Subclasses of "PolicyImplicitVariable" Specified
+ in PCIMe.................................................52
+ 6.12.1. The Class "PolicySourceIPv4Variable"..............52
+ 6.12.2. The Class "PolicySourceIPv6Variable"..............52
+ 6.12.3. The Class "PolicyDestinationIPv4Variable".........53
+ 6.12.4. The Class "PolicyDestinationIPv6Variable".........53
+ 6.12.5. The Class "PolicySourcePortVariable"..............54
+ 6.12.6. The Class "PolicyDestinationPortVariable".........54
+ 6.12.7. The Class "PolicyIPProtocolVariable"..............54
+ 6.12.8. The Class "PolicyIPVersionVariable"...............55
+ 6.12.9. The Class "PolicyIPToSVariable"...................55
+ 6.12.10. The Class "PolicyDSCPVariable"...................55
+ 6.12.11. The Class "PolicyFlowIdVariable".................56
+ 6.12.12. The Class "PolicySourceMACVariable"..............56
+ 6.12.13. The Class "PolicyDestinationMACVariable".........56
+ 6.12.14. The Class "PolicyVLANVariable"...................56
+ 6.12.15. The Class "PolicyCoSVariable"....................57
+ 6.12.16. The Class "PolicyEthertypeVariable"..............57
+ 6.12.17. The Class "PolicySourceSAPVariable"..............57
+ 6.12.18. The Class "PolicyDestinationSAPVariable".........58
+ 6.12.19. The Class "PolicySNAPOUIVariable"................58
+ 6.12.20. The Class "PolicySNAPTypeVariable"...............59
+ 6.12.21. The Class "PolicyFlowDirectionVariable"..........59
+ 6.13. The Abstract Class "PolicyValue".........................59
+ 6.14. Subclasses of "PolicyValue" Specified in PCIMe...........60
+ 6.14.1. The Class "PolicyIPv4AddrValue"...................60
+ 6.14.2. The Class "PolicyIPv6AddrValue....................61
+ 6.14.3. The Class "PolicyMACAddrValue"....................62
+ 6.14.4. The Class "PolicyStringValue".....................63
+ 6.14.5. The Class "PolicyBitStringValue"..................63
+ 6.14.6. The Class "PolicyIntegerValue"....................64
+ 6.14.7. The Class "PolicyBooleanValue"....................65
+ 6.15. The Class "PolicyRoleCollection".........................65
+ 6.15.1. The Single-Valued Property "PolicyRole"...........66
+ 6.16. The Class "ReusablePolicyContainer".................66
+ 6.17. Deprecate PCIM's Class "PolicyRepository"................66
+ 6.18. The Abstract Class "FilterEntryBase".....................67
+ 6.19. The Class "IpHeadersFilter"..............................67
+
+
+
+Moore Standards Track [Page 3]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ 6.19.1. The Property HdrIpVersion.........................68
+ 6.19.2. The Property HdrSrcAddress........................68
+ 6.19.3. The Property HdrSrcAddressEndOfRange..............68
+ 6.19.4. The Property HdrSrcMask...........................69
+ 6.19.5. The Property HdrDestAddress.......................69
+ 6.19.6. The Property HdrDestAddressEndOfRange.............69
+ 6.19.7. The Property HdrDestMask..........................70
+ 6.19.8. The Property HdrProtocolID........................70
+ 6.19.9. The Property HdrSrcPortStart......................70
+ 6.19.10. The Property HdrSrcPortEnd.......................70
+ 6.19.11. The Property HdrDestPortStart....................71
+ 6.19.12. The Property HdrDestPortEnd......................71
+ 6.19.13. The Property HdrDSCP.............................72
+ 6.19.14. The Property HdrFlowLabel.................... ...72
+ 6.20. The Class "8021Filter"...................................72
+ 6.20.1. The Property 8021HdrSrcMACAddr....................73
+ 6.20.2. The Property 8021HdrSrcMACMask....................73
+ 6.20.3. The Property 8021HdrDestMACAddr...................73
+ 6.20.4. The Property 8021HdrDestMACMask...................73
+ 6.20.5. The Property 8021HdrProtocolID....................74
+ 6.20.6. The Property 8021HdrPriorityValue.................74
+ 6.20.7. The Property 8021HdrVLANID........................74
+ 6.21. The Class FilterList.....................................74
+ 6.21.1. The Property Direction............................75
+ 7. Association and Aggregation Definitions........................75
+ 7.1. The Aggregation "PolicySetComponent"......................75
+ 7.2. Deprecate PCIM's Aggregation "PolicyGroupInPolicyGroup"...76
+ 7.3. Deprecate PCIM's Aggregation "PolicyRuleInPolicyGroup"....76
+ 7.4. The Abstract Association "PolicySetInSystem"..............77
+ 7.5. Update PCIM's Weak Association "PolicyGroupInSystem"......77
+ 7.6. Update PCIM's Weak Association "PolicyRuleInSystem".......78
+ 7.7. The Abstract Aggregation "PolicyConditionStructure".......79
+ 7.8. Update PCIM's Aggregation "PolicyConditionInPolicyRule"...79
+ 7.9. The Aggregation "PolicyConditionInPolicyCondition"........79
+ 7.10. The Abstract Aggregation "PolicyActionStructure".........80
+ 7.11. Update PCIM's Aggregation "PolicyActionInPolicyRule".....80
+ 7.12. The Aggregation "PolicyActionInPolicyAction".............80
+ 7.13. The Aggregation "PolicyVariableInSimplePolicyCondition"..80
+ 7.14. The Aggregation "PolicyValueInSimplePolicyCondition".....81
+ 7.15. The Aggregation "PolicyVariableInSimplePolicyAction".....82
+ 7.16. The Aggregation "PolicyValueInSimplePolicyAction"........83
+ 7.17. The Association "ReusablePolicy".........................83
+ 7.18. Deprecate PCIM's "PolicyConditionInPolicyRepository".....84
+ 7.19. Deprecate PCIM's "PolicyActionInPolicyRepository"........84
+ 7.20. The Association ExpectedPolicyValuesForVariable..........84
+ 7.21. The Aggregation "ContainedDomain"........................85
+ 7.22. Deprecate PCIM's "PolicyRepositoryInPolicyRepository"....86
+ 7.23. The Aggregation "EntriesInFilterList"....................86
+
+
+
+Moore Standards Track [Page 4]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ 7.23.1. The Reference GroupComponent......................86
+ 7.23.2. The Reference PartComponent.......................87
+ 7.23.3. The Property EntrySequence........................87
+ 7.24. The Aggregation "ElementInPolicyRoleCollection"..........87
+ 7.25. The Weak Association "PolicyRoleCollectionInSystem"......87
+ 8. Intellectual Property..........................................88
+ 9. Acknowledgements..............................................89
+ 10. Contributors..................................................89
+ 11. Security Considerations.......................................91
+ 12. Normative References..........................................91
+ 13. Informative References........................................91
+ Author's Address..................................................92
+ Full Copyright Statement..........................................93
+
+1. Introduction
+
+ This document specifies a number of changes to the Policy Core
+ Information Model (PCIM), RFC 3060 [1]. Two types of changes are
+ included. First, several completely new elements are introduced, for
+ example, classes for header filtering, that extend PCIM into areas
+ that it did not previously cover. Second, there are cases where
+ elements of PCIM (for example, policy rule priorities) are
+ deprecated, and replacement elements are defined (in this case,
+ priorities tied to associations that refer to policy rules). Both
+ types of changes are done in such a way that, to the extent possible,
+ interoperability with implementations of the original PCIM model is
+ preserved.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119 [8].
+
+2. Changes since RFC 3060
+
+ Section 3.2 contains a short discussion of the changes that this
+ document makes to the RFC 3060 information model. Here is a very
+ brief list of the changes:
+
+ 1. Deprecate and replace PolicyRepository and its associations.
+ 2. Clarify and expand the ways that PolicyRules and PolicyGroups are
+ aggregated.
+ 3. Change how prioritization for PolicyRules is represented, and
+ introduce administrator-specified decision strategies for rule
+ evaluation.
+ 4. Expand the role of PolicyRoles, and introduce a means of
+ associating a PolicyRole with a resource.
+ 5. Introduce compound policy conditions and compound policy actions
+ into the model.
+
+
+
+Moore Standards Track [Page 5]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ 6. Introduce variables and values into the model.
+ 7. Introduce variable and value subclasses for packet-header
+ filtering.
+ 8. Introduce classes for device-level packet-header filtering.
+
+3. Overview of the Changes
+
+3.1. How to Change an Information Model
+
+ The Policy Core Information Model is closely aligned with the DMTF's
+ CIM Core Policy model. Since there is no separately documented set
+ of rules for specifying IETF information models such as PCIM, it is
+ reasonable to look to the CIM specifications for guidance on how to
+ modify and extend the model. Among the CIM rules for changing an
+ information model are the following. Note that everything said here
+ about "classes" applies to association classes (including
+ aggregations) as well as to non- association classes.
+
+ o Properties may be added to existing classes.
+ o Classes, and individual properties, may be marked as DEPRECATED.
+ If there is a replacement feature for the deprecated class or
+ property, it is identified explicitly. Otherwise the notation "No
+ value" is used. In this document, the notation "DEPRECATED FOR
+ <feature-name>" is used to indicate that a feature has been
+ deprecated, and to identify its replacement feature.
+ o Classes may be inserted into the inheritance hierarchy above
+ existing classes, and properties from the existing classes may
+ then be "pulled up" into the new classes. The net effect is that
+ the existing classes have exactly the same properties they had
+ before, but the properties are inherited rather than defined
+ explicitly in the classes.
+ o New subclasses may be defined below existing classes.
+
+3.2. List of Changes to the Model
+
+ The following subsections provide a very brief overview of the
+ changes to PCIM defined in PCIMe. In several cases, the origin of
+ the change is noted, as QPIM [11], ICPM [12], or QDDIM [15].
+
+3.2.1. Changes to PolicyRepository
+
+ Because of the potential for confusion with the Policy Framework
+ component Policy Repository (from the four-box picture: Policy
+ Management Tool, Policy Repository, PDP, PEP), "PolicyRepository" is
+ a bad name for the PCIM class representing a container of reusable
+ policy elements. Thus the class PolicyRepository is being replaced
+ with the class ReusablePolicyContainer. To accomplish this change,
+ it is necessary to deprecate the PCIM class PolicyRepository and its
+
+
+
+Moore Standards Track [Page 6]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ three associations, and replace them with a new class
+ ReusablePolicyContainer and new associations. As a separate change,
+ the associations for ReusablePolicyContainer are being broadened, to
+ allow a ReusablePolicyContainer to contain any reusable policy
+ elements. In PCIM, the only associations defined for a
+ PolicyRepository were for it to contain reusable policy conditions
+ and policy actions.
+
+3.2.2. Additional Associations and Additional Reusable Elements
+
+ The PolicyRuleInPolicyRule and PolicyGroupInPolicyRule aggregations
+ have, in effect, been imported from QPIM. ("In effect" because these
+ two aggregations, as well as PCIM's two aggregations
+ PolicyGroupInPolicyGroup and PolicyRuleInPolicyGroup, are all being
+ combined into a single aggregation PolicySetComponent.) These
+ aggregations make it possible to define larger "chunks" of reusable
+ policy to place in a ReusablePolicyContainer. These aggregations
+ also introduce new semantics representing the contextual implications
+ of having one PolicyRule executing within the scope of another
+ PolicyRule.
+
+3.2.3. Priorities and Decision Strategies
+
+ Drawing from both QPIM and ICPM, the Priority property has been
+ deprecated in PolicyRule, and placed instead on the aggregation
+ PolicySetComponent. The QPIM rules for resolving relative priorities
+ across nested PolicyGroups and PolicyRules have been incorporated
+ into PCIMe as well. With the removal of the Priority property from
+ PolicyRule, a new modeling dependency is introduced. In order to
+ prioritize a PolicyRule/PolicyGroup relative to other
+ PolicyRules/PolicyGroups, the elements being prioritized must all
+ reside in one of three places: in a common PolicyGroup, in a common
+ PolicyRule, or in a common System.
+
+ In the absence of any clear, general criterion for detecting policy
+ conflicts, the PCIM restriction stating that priorities are relevant
+ only in the case of conflicts is being removed. In its place, a
+ PolicyDecisionStrategy property has been added to the PolicyGroup and
+ PolicyRule classes. This property allows policy administrator to
+ select one of two behaviors with respect to rule evaluation: either
+ perform the actions for all PolicyRules whose conditions evaluate to
+ TRUE, or perform the actions only for the highest-priority PolicyRule
+ whose conditions evaluate to TRUE. (This is accomplished by placing
+ the PolicyDecisionStrategy property in an abstract class PolicySet,
+
+
+
+
+
+
+
+Moore Standards Track [Page 7]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ from which PolicyGroup and PolicyRule are derived.) The QPIM rules
+ for applying decision strategies to a nested set of PolicyGroups and
+ PolicyRules have also been imported.
+
+3.2.4. Policy Roles
+
+ The concept of policy roles is added to PolicyGroups (being present
+ already in the PolicyRule class). This is accomplished via a new
+ superclass for both PolicyRules and PolicyGroups - PolicySet. For
+ nested PolicyRules and PolicyGroups, any roles associated with the
+ outer rule or group are automatically "inherited" by the nested one.
+ Additional roles may be added at the level of a nested rule or group.
+
+ It was also observed that there is no mechanism in PCIM for assigning
+ roles to resources. For example, while it is possible in PCIM to
+ associate a PolicyRule with the role "FrameRelay&&WAN", there is no
+ way to indicate which interfaces match this criterion. A new
+ PolicyRoleCollection class has been defined in PCIMe, representing
+ the collection of resources associated with a particular role. The
+ linkage between a PolicyRule or PolicyGroup and a set of resources is
+ then represented by an instance of PolicyRoleCollection. Equivalent
+ values should be defined in the PolicyRoles property of PolicyRules
+ and PolicyGroups, and in the PolicyRole property in
+ PolicyRoleCollection.
+
+3.2.5. CompoundPolicyConditions and CompoundPolicyActions
+
+ The concept of a CompoundPolicyCondition has also been imported into
+ PCIMe from QPIM, and broadened to include a parallel
+ CompoundPolicyAction. In both cases the idea is to create reusable
+ "chunks" of policy that can exist as named elements in a
+ ReusablePolicyContainer. The "Compound" classes and their
+ associations incorporate the condition and action semantics that PCIM
+ defined at the PolicyRule level: DNF/CNF for conditions, and ordering
+ for actions.
+
+ Compound conditions and actions are defined to work with any
+ component conditions and actions. In other words, while the
+ components may be instances, respectively, of SimplePolicyCondition
+ and SimplePolicyAction (discussed immediately below), they need not
+ be.
+
+
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 8]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+3.2.6. Variables and Values
+
+ The SimplePolicyCondition / PolicyVariable / PolicyValue structure
+ has been imported into PCIMe from QPIM. A list of PCIMe-level
+ variables is defined, as well as a list of PCIMe-level values. Other
+ variables and values may, if necessary, be defined in submodels of
+ PCIMe. For example, QPIM defines a set of implicit variables
+ corresponding to fields in RSVP flows.
+
+ A corresponding SimplePolicyAction / PolicyVariable / PolicyValue
+ structure is also defined. While the semantics of a
+ SimplePolicyCondition are "variable matches value", a
+ SimplePolicyAction has the semantics "set variable to value".
+
+3.2.7. Domain-Level Packet Filtering
+
+ For packet filtering specified at the domain level, a set of
+ PolicyVariables and PolicyValues are defined, corresponding to the
+ fields in an IP packet header plus the most common Layer 2 frame
+ header fields. It is expected that domain-level policy conditions
+ that filter on these header fields will be expressed in terms of
+ CompoundPolicyConditions built up from SimplePolicyConditions that
+ use these variables and values. An additional PolicyVariable,
+ PacketDirection, is also defined, to indicate whether a packet being
+ filtered is traveling inbound or outbound on an interface.
+
+3.2.8. Device-Level Packet Filtering
+
+ For packet filtering expressed at the device level, including the
+ packet classifier filters modeled in QDDIM, the variables and values
+ discussed in Section 3.2.7 need not be used. Filter classes derived
+ from the CIM FilterEntryBase class hierarchy are available for use in
+ these contexts. These latter classes have two important differences
+ from the domain-level classes:
+
+ o They support specification of filters for all of the fields in a
+ particular protocol header in a single object instance. With the
+ domain-level classes, separate instances are needed for each
+ header field.
+
+ o They provide native representations for the filter values, as
+ opposed to the string representation used by the domain-level
+ classes.
+
+ Device-level filter classes for the IP-related headers (IP, UDP, and
+ TCP) and the 802 MAC headers are defined, respectively, in Sections
+ 6.19 and 6.20.
+
+
+
+
+Moore Standards Track [Page 9]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+4. The Updated Class and Association Class Hierarchies
+
+ The following figure shows the class inheritance hierarchy for PCIMe.
+ Changes from the PCIM hierarchy are noted parenthetically.
+
+ ManagedElement (abstract)
+ |
+ +--Policy (abstract)
+ | |
+ | +---PolicySet (abstract -- new - 5.3)
+ | | |
+ | | +---PolicyGroup (moved - 5.3)
+ | | |
+ | | +---PolicyRule (moved - 5.3)
+ | |
+ | +---PolicyCondition (abstract)
+ | | |
+ | | +---PolicyTimePeriodCondition
+ | | |
+ | | +---VendorPolicyCondition
+ | | |
+ | | +---SimplePolicyCondition (new - 5.8.1)
+ | | |
+ | | +---CompoundPolicyCondition (new - 5.7.1)
+ | | |
+ | | +---CompoundFilterCondition (new - 5.9)
+ | |
+ | +---PolicyAction (abstract)
+ | | |
+ | | +---VendorPolicyAction
+ | | |
+ | | +---SimplePolicyAction (new - 5.8.4)
+ | | |
+ | | +---CompoundPolicyAction (new - 5.7.2)
+ | |
+ | +---PolicyVariable (abstract -- new - 5.8.5)
+ | | |
+ | | +---PolicyExplicitVariable (new - 5.8.6)
+ | | |
+ | | +---PolicyImplicitVariable (abstract -- new - 5.8.7)
+ | | |
+ | | +---(subtree of more specific classes -- new - 6.12)
+ | |
+ | +---PolicyValue (abstract -- new - 5.8.10)
+ | |
+ | +---(subtree of more specific classes -- new - 6.14)
+ |
+ +--Collection (abstract -- newly referenced)
+
+
+
+Moore Standards Track [Page 10]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ | |
+ | +--PolicyRoleCollection (new - 5.6.2)
+ ManagedElement(abstract)
+ |
+ +--ManagedSystemElement (abstract)
+ |
+ +--LogicalElement (abstract)
+ |
+ +--System (abstract)
+ | |
+ | +--AdminDomain (abstract)
+ | |
+ | +---ReusablePolicyContainer (new - 5.2)
+ | |
+ | +---PolicyRepository (deprecated - 5.2)
+ |
+ +--FilterEntryBase (abstract -- new - 6.18)
+ | |
+ | +--IpHeadersFilter (new - 6.19)
+ | |
+ | +--8021Filter (new - 6.20)
+ |
+ +--FilterList (new - 6.21)
+
+ Figure 1. Class Inheritance Hierarchy for PCIMe
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 11]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ The following figure shows the association class hierarchy for PCIMe.
+ As before, changes from PCIM are noted parenthetically.
+
+ [unrooted]
+ |
+ +---PolicyComponent (abstract)
+ | |
+ | +---PolicySetComponent (new - 5.3)
+ | |
+ | +---PolicyGroupInPolicyGroup (deprecated - 5.3)
+ | |
+ | +---PolicyRuleInPolicyGroup (deprecated - 5.3)
+ | |
+ | +---PolicyConditionStructure (abstract -- new - 5.7.1)
+ | | |
+ | | +---PolicyConditionInPolicyRule (moved - 5.7.1)
+ | | |
+ | | +---PolicyConditionInPolicyCondition (new - 5.7.1)
+ | |
+ | +---PolicyRuleValidityPeriod
+ | |
+ | +---PolicyActionStructure (abstract -- new - 5.7.2)
+ | | |
+ | | +---PolicyActionInPolicyRule (moved - 5.7.2)
+ | | |
+ | | +---PolicyActionInPolicyAction (new - 5.7.2)
+ | |
+ | +---PolicyVariableInSimplePolicyCondition (new - 5.8.2)
+ | |
+ | +---PolicyValueInSimplePolicyCondition (new - 5.8.2)
+ | |
+ | +---PolicyVariableInSimplePolicyAction (new - 5.8.4)
+ | |
+ | +---PolicyValueInSimplePolicyAction (new - 5.8.4)
+ [unrooted]
+ |
+ +---Dependency (abstract)
+ | |
+ | +---PolicyInSystem (abstract)
+ | | |
+ | | +---PolicySetInSystem (abstract, new - 5.3)
+ | | | |
+ | | | +---PolicyGroupInSystem
+ | | | |
+ | | | +---PolicyRuleInSystem
+ | | |
+ | | +---ReusablePolicy (new - 5.2)
+ | | |
+
+
+
+Moore Standards Track [Page 12]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ | | +---PolicyConditionInPolicyRepository (deprecated - 5.2)
+ | | |
+ | | +---PolicyActionInPolicyRepository (deprecated - 5.2)
+ | |
+ | +---ExpectedPolicyValuesForVariable (new - 5.8)
+ | |
+ | +---PolicyRoleCollectionInSystem (new - 5.6.2)
+ |
+ +---Component (abstract)
+ | |
+ | +---SystemComponent
+ | | |
+ | | +---ContainedDomain (new - 5.2)
+ | | |
+ | | +---PolicyRepositoryInPolicyRepository (deprecated - 5.2)
+ | |
+ | +---EntriesInFilterList (new - 7.23)
+ |
+ +---MemberOfCollection (newly referenced)
+ |
+ +--- ElementInPolicyRoleCollection (new - 5.6.2)
+
+ Figure 2. Association Class Inheritance Hierarchy for PCIMe
+
+ In addition to these changes that show up at the class and
+ association class level, there are other changes from PCIM involving
+ individual class properties. In some cases new properties are
+ introduced into existing classes, and in other cases existing
+ properties are deprecated (without deprecating the classes that
+ contain them).
+
+5. Areas of Extension to PCIM
+
+ The following subsections describe each of the areas for which PCIM
+ extensions are being defined.
+
+5.1. Policy Scope
+
+ Policy scopes may be thought of in two dimensions: 1) the level of
+ abstraction of the policy specification and 2) the applicability of
+ policies to a set of managed resources.
+
+5.1.1. Levels of Abstraction: Domain- and Device-Level Policies
+
+ Policies vary in level of abstraction, from the business-level
+ expression of service level agreements (SLAs) to the specification of
+ a set of rules that apply to devices in a network. Those latter
+ policies can, themselves, be classified into at least two groups:
+
+
+
+Moore Standards Track [Page 13]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ those policies consumed by a Policy Decision Point (PDP) that specify
+ the rules for an administrative and functional domain, and those
+ policies consumed by a Policy Enforcement Point (PEP) that specify
+ the device-specific rules for a functional domain. The higher-level
+ rules consumed by a PDP, called domain-level policies, may have late
+ binding variables unspecified, or specified by a classification,
+ whereas the device-level rules are likely to have fewer unresolved
+ bindings.
+
+ There is a relationship between these levels of policy specification
+ that is out of scope for this standards effort, but that is necessary
+ in the development and deployment of a usable policy-based
+ configuration system. An SLA-level policy transformation to the
+ domain-level policy may be thought of as analogous to a visual
+ builder that takes human input and develops a programmatic rule
+ specification. The relationship between the domain-level policy and
+ the device-level policy may be thought of as analogous to that of a
+ compiler and linkage editor that translates the rules into specific
+ instructions that can be executed on a specific type of platform.
+
+ PCIM and PCIMe may be used to specify rules at any and all of these
+ levels of abstraction. However, at different levels of abstraction,
+ different mechanisms may be more or less appropriate.
+
+5.1.2. Administrative and Functional Scopes
+
+ Administrative scopes for policy are represented in PCIM and in these
+ extensions to PCIM as System subclass instances. Typically, a
+ domain-level policy would be scoped by an AdminDomain instance (or by
+ a hierarchy of AdminDomain instances) whereas a device-level policy
+ might be scoped by a System instance that represents the PEP (e.g.,
+ an instance of ComputerSystem, see CIM [2]). In addition to
+ collecting policies into an administrative domain, these System
+ classes may also aggregate the resources to which the policies apply.
+
+ Functional scopes (sometimes referred to as functional domains) are
+ generally defined by the submodels derived from PCIM and PCIMe, and
+ correspond to the service or services to which the policies apply.
+ So, for example, Quality of Service may be thought of as a functional
+ scope, or Diffserv and Intserv may each be thought of as functional
+ scopes. These scoping decisions are represented by the structure of
+ the submodels derived from PCIM and PCIMe, and may be reflected in
+ the number and types of PEP policy client(s), services, and the
+ interaction between policies. Policies in different functional
+ scopes are organized into disjoint sets of policy rules. Different
+ functional domains may share some roles, some conditions, and even
+ some actions. The rules from different functional domains may even
+ be enforced at the same managed resource, but for the purposes of
+
+
+
+Moore Standards Track [Page 14]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ policy evaluation they are separate. See section 5.5.3 for more
+ information.
+
+ The functional scopes MAY be reflected in administrative scopes.
+ That is, deployments of policy may have different administrative
+ scopes for different functional scopes, but there is no requirement
+ to do so.
+
+5.2. Reusable Policy Elements
+
+ In PCIM, a distinction was drawn between reusable PolicyConditions
+ and PolicyActions and rule-specific ones. The PolicyRepository class
+ was also defined, to serve as a container for these reusable
+ elements. The name "PolicyRepository" has proven to be an
+ unfortunate choice for the class that serves as a container for
+ reusable policy elements. This term is already used in documents
+ like the Policy Framework, to denote the location from which the PDP
+ retrieves all policy specifications, and into which the Policy
+ Management Tool places all policy specifications. Consequently, the
+ PolicyRepository class is being deprecated, in favor of a new class
+ ReusablePolicyContainer.
+
+ When a class is deprecated, any associations that refer to it must
+ also be deprecated. So replacements are needed for the two
+ associations PolicyConditionInPolicyRepository and
+ PolicyActionInPolicyRepository, as well as for the aggregation
+ PolicyRepositoryInPolicyRepository. In addition to renaming the
+ PolicyRepository class to ReusablePolicyContainer, however, PCIMe is
+ also broadening the types of policy elements that can be reusable.
+ Consequently, rather than providing one-for-one replacements for the
+ two associations, a single higher-level association ReusablePolicy is
+ defined. This new association allows any policy element (that is, an
+ instance of any subclass of the abstract class Policy) to be placed
+ in a ReusablePolicyContainer.
+
+ Summarizing, the following changes in Sections 6 and 7 are the result
+ of this item:
+
+ o The class ReusablePolicyContainer is defined.
+ o PCIM's PolicyRepository class is deprecated.
+ o The association ReusablePolicy is defined.
+ o PCIM's PolicyConditionInPolicyRepository association is
+ deprecated.
+ o PCIM's PolicyActionInPolicyRepository association is deprecated.
+ o The aggregation ContainedDomain is defined.
+ o PCIM's PolicyRepositoryInPolicyRepository aggregation is
+ deprecated.
+
+
+
+
+Moore Standards Track [Page 15]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+5.3. Policy Sets
+
+ A "policy" can be thought of as a coherent set of rules to
+ administer, manage, and control access to network resources ("Policy
+ Terminology", reference [10]). The structuring of these coherent
+ sets of rules into subsets is enhanced in this document. In Section
+ 5.4, we discuss the new options for the nesting of policy rules.
+
+ A new abstract class, PolicySet, is introduced to provide an
+ abstraction for a set of rules. It is derived from Policy, and it is
+ inserted into the inheritance hierarchy above both PolicyGroup and
+ PolicyRule. This reflects the additional structural flexibility and
+ semantic capability of both subclasses.
+
+ Two properties are defined in PolicySet: PolicyDecisionStrategy and
+ PolicyRoles. The PolicyDecisionStrategy property is included in
+ PolicySet to define the evaluation relationship among the rules in
+ the policy set. See Section 5.5 for more information. The
+ PolicyRoles property is included in PolicySet to characterize the
+ resources to which the PolicySet applies. See Section 5.6 for more
+ information.
+
+ Along with the definition of the PolicySet class, a new concrete
+ aggregation class is defined that will also be discussed in the
+ following sections. PolicySetComponent is defined as a subclass of
+ PolicyComponent; it provides the containment relationship for a
+ PolicySet in a PolicySet. PolicySetComponent replaces the two PCIM
+ aggregations PolicyGroupInPolicyGroup and PolicyRuleInPolicyGroup, so
+ these two aggregations are deprecated.
+
+ A PolicySet's relationship to an AdminDomain or other administrative
+ scoping system (for example, a ComputerSystem) is represented by the
+ PolicySetInSystem abstract association. This new association is
+ derived from PolicyInSystem, and the PolicyGroupInSystem and
+ PolicyRuleInSystem associations are now derived from
+ PolicySetInSystem instead of directly from PolicyInSystem. The
+ PolicySetInSystem.Priority property is discussed in Section 5.5.3.
+
+5.4. Nested Policy Rules
+
+ As previously discussed, policy is described by a set of policy rules
+ that may be grouped into subsets. In this section we introduce the
+ notion of nested rules, or the ability to define rules within rules.
+ Nested rules are also called sub-rules, and we use both terms in this
+ document interchangeably. The aggregation PolicySetComponent is used
+ to represent the nesting of a policy rule in another policy rule.
+
+
+
+
+
+Moore Standards Track [Page 16]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+5.4.1. Usage Rules for Nested Rules
+
+ The relationship between rules and sub-rules is defined as follows:
+
+ o The parent rule's condition clause is a condition for evaluation
+ of all nested rules; that is, the conditions of the parent are
+ logically ANDed to the conditions of the sub-rules. If the parent
+ rule's condition clause evaluates to FALSE, sub-rules MAY be
+ skipped since they also evaluate to FALSE.
+
+ o If the parent rule's condition evaluates to TRUE, the set of sub-
+ rules SHALL BE evaluated according to the decision strategy and
+ priorities as discussed in Section 5.5.
+
+ o If the parent rule's condition evaluates to TRUE, the parent
+ rule's set of actions is executed BEFORE execution of the sub-
+ rules actions. The parent rule's actions are not to be confused
+ with default actions. A default action is one that is to be
+ executed only if none of the more specific sub-rules are executed.
+ If a default action needs to be specified, it needs to be defined
+ as an action that is part of a catchall sub-rule associated with
+ the parent rule. The association linking the default action(s) in
+ this special sub-rule should have the lowest priority relative to
+ all other sub-rule associations:
+
+ if parent-condition then parent rule's action
+ if condA then actA
+ if condB then ActB
+ if True then default action
+
+ Such a default action functions as a default when FirstMatching
+ decision strategies are in effect (see section 5.5). If
+ AllMatching applies, the "default" action is always performed.
+
+ o Policy rules have a context in which they are executed. The rule
+ engine evaluates and applies the policy rules in the context of
+ the managed resource(s) that are identified by the policy roles
+ (or by an explicit association). Submodels MAY add additional
+ context to policy rules based on rule structure; any such
+ additional context is defined by the semantics of the action
+ classes of the submodel.
+
+5.4.2. Motivation
+
+ Rule nesting enhances Policy readability, expressiveness and
+ reusability. The ability to nest policy rules and form sub-rules is
+ important for manageability and scalability, as it enables complex
+ policy rules to be constructed from multiple simpler policy rules.
+
+
+
+Moore Standards Track [Page 17]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ These enhancements ease the policy management tools' task, allowing
+ policy rules to be expressed in a way closer to how humans think.
+
+ Although rule nesting can be used to suggest optimizations in the way
+ policy rules are evaluated, as discussed in section 5.5.2 "Side
+ Effects," nesting does not specify nor does it require any particular
+ order of evaluation of conditions. Optimization of rule evaluation
+ can be done in the PDP or in the PEP by dedicated code. This is
+ similar to the relation between a high level programming language
+ like C and machine code. An optimizer can create a more efficient
+ machine code than any optimization done by the programmer within the
+ source code. Nevertheless, if the PEP or PDP does not do
+ optimization, the administrator writing the policy may be able to
+ influence the evaluation of the policy rules for execution using rule
+ nesting.
+
+ Nested rules are not designed for policy repository retrieval
+ optimization. It is assumed that all rules and groups that are
+ assigned to a role are retrieved by the PDP or PEP from the policy
+ repository and enforced. Optimizing the number of rules retrieved
+ should be done by clever selection of roles.
+
+5.5. Priorities and Decision Strategies
+
+ A "decision strategy" is used to specify the evaluation method for
+ the policies in a PolicySet. Two decision strategies are defined:
+ "FirstMatching" and "AllMatching." The FirstMatching strategy is
+ used to cause the evaluation of the rules in a set such that the only
+ actions enforced on a given examination of the PolicySet are those
+ for the first rule (that is, the rule with the highest priority) that
+ has its conditions evaluate to TRUE. The AllMatching strategy is
+ used to cause the evaluation of all rules in a set; for all of the
+ rules whose conditions evaluate to TRUE, the actions are enforced.
+ Implementations MUST support the FirstMatching decision strategy;
+ implementations MAY support the AllMatching decision strategy.
+
+ As previously discussed, the PolicySet subclasses are PolicyGroup and
+ PolicyRule: either subclass may contain PolicySets of either
+ subclass. Loops, including the degenerate case of a PolicySet that
+ contains itself, are not allowed when PolicySets contain other
+ PolicySets. The containment relationship is specified using the
+ PolicySetComponent aggregation.
+
+ The relative priority within a PolicySet is established by the
+ Priority property of the PolicySetComponent aggregation of the
+ contained PolicyGroup and PolicyRule instances. The use of PCIM's
+ PolicyRule.Priority property is deprecated in favor of this new
+ property. The separation of the priority property from the rule has
+
+
+
+Moore Standards Track [Page 18]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ two advantages. First, it generalizes the concept of priority, so
+ that it can be used for both groups and rules. Second, it places the
+ priority on the relationship between the parent policy set and the
+ subordinate policy group or rule. The assignment of a priority value
+ then becomes much easier, in that the value is used only in
+ relationship to other priorities in the same set.
+
+ Together, the PolicySet.PolicyDecisionStrategy and
+ PolicySetComponent.Priority determine the processing for the rules
+ contained in a PolicySet. As before, the larger priority value
+ represents the higher priority. Unlike the earlier definition,
+ PolicySetComponent.Priority MUST have a unique value when compared
+ with others defined for the same aggregating PolicySet. Thus, the
+ evaluation of rules within a set is deterministically specified.
+
+ For a FirstMatching decision strategy, the first rule (that is, the
+ one with the highest priority) in the set that evaluates to True, is
+ the only rule whose actions are enforced for a particular evaluation
+ pass through the PolicySet.
+
+ For an AllMatching decision strategy, all of the matching rules are
+ enforced. The relative priority of the rules is used to determine
+ the order in which the actions are to be executed by the enforcement
+ point: the actions of the higher priority rules are executed first.
+ Since the actions of higher priority rules are executed first, lower
+ priority rules that also match may get the "last word," and thus
+ produce a counter-intuitive result. So, for example, if two rules
+ both evaluate to True, and the higher priority rule sets the DSCP to
+ 3 and the lower priority rule sets the DSCP to 4, the action of the
+ lower priority rule will be executed later and, therefore, will
+ "win," in this example, setting the DSCP to 4. Thus, conflicts
+ between rules are resolved by this execution order.
+
+ An implementation of the rule engine need not provide the action
+ sequencing but the actions MUST be sequenced by the PEP or PDP on its
+ behalf. So, for example, the rule engine may provide an ordered list
+ of actions to be executed by the PEP and any required serialization
+ is then provided by the service configured by the rule engine. See
+ Section 5.5.2 for a discussion of side effects.
+
+5.5.1. Structuring Decision Strategies
+
+ As discussed in Sections 5.3 and 5.4, PolicySet instances may be
+ nested arbitrarily. For a FirstMatching decision strategy on a
+ PolicySet, any contained PolicySet that matches satisfies the
+ termination criteria for the FirstMatching strategy. A PolicySet is
+ considered to match if it is a PolicyRule and its conditions evaluate
+ to True, or if the PolicySet is a PolicyGroup and at least one of its
+
+
+
+Moore Standards Track [Page 19]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ contained PolicyGroups or PolicyRules match. The priority associated
+ with contained PolicySets, then, determines when to terminate rule
+ evaluation in the structured set of rules.
+
+ In the example shown in Figure 3, the relative priorities for the
+ nested rules, high to low, are 1A, 1B1, 1X2, 1B3, 1C, 1C1, 1X2 and
+ 1C3. (Note that PolicyRule 1X2 is included in both PolicyGroup 1B
+ and PolicyRule 1C, but with different priorities.) Of course, which
+ rules are enforced is also dependent on which rules, if any, match.
+
+ PolicyGroup 1: FirstMatching
+ |
+ +-- Pri=6 -- PolicyRule 1A
+ |
+ +-- Pri=5 -- PolicyGroup 1B: AllMatching
+ | |
+ | +-- Pri=5 -- PolicyGroup 1B1: AllMatching
+ | | |
+ | | +---- etc.
+ | |
+ | +-- Pri=4 -- PolicyRule 1X2
+ | |
+ | +-- Pri=3 -- PolicyRule 1B3: FirstMatching
+ | |
+ | +---- etc.
+ |
+ +-- Pri=4 -- PolicyRule 1C: FirstMatching
+ |
+ +-- Pri=4 -- PolicyRule 1C1
+ |
+ +-- Pri=3 -- PolicyRule 1X2
+ |
+ +-- Pri=2 -- PolicyRule 1C3
+
+ Figure 3. Nested PolicySets with Different Decision Strategies
+
+ o Because PolicyGroup 1 has a FirstMatching decision strategy, if
+ the conditions of PolicyRule 1A match, its actions are enforced
+ and the evaluation stops.
+
+ o If it does not match, PolicyGroup 1B is evaluated using an
+ AllMatching strategy. Since PolicyGroup 1B1 also has an
+ AllMatching strategy all of the rules and groups of rules
+ contained in PolicyGroup 1B1 are evaluated and enforced as
+ appropriate. PolicyRule 1X2 and PolicyRule 1B3 are also evaluated
+ and enforced as appropriate. If any of the sub-rules in the
+
+
+
+
+
+Moore Standards Track [Page 20]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ subtrees of PolicyGroup 1B evaluate to True, then PolicyRule 1C is
+ not evaluated because the FirstMatching strategy of PolicyGroup 1
+ has been satisfied.
+
+ o If neither PolicyRule 1A nor PolicyGroup 1B yield a match, then
+ PolicyRule 1C is evaluated. Since it is first matching, rules
+ 1C1, 1X2, and 1C3 are evaluated until the first match, if any.
+
+5.5.2. Side Effects
+
+ Although evaluation of conditions is sometimes discussed as an
+ ordered set of operations, the rule engine need not be implemented as
+ a procedural language interpreter. Any side effects of condition
+ evaluation or the execution of actions MUST NOT affect the result of
+ the evaluation of other conditions evaluated by the rule engine in
+ the same evaluation pass. That is, an implementation of a rule
+ engine MAY evaluate all conditions in any order before applying the
+ priority and determining which actions are to be executed.
+
+ So, regardless of how a rule engine is implemented, it MUST NOT
+ include any side effects of condition evaluation in the evaluation of
+ conditions for either of the decision strategies. For both the
+ AllMatching decision strategy and for the nesting of rules within
+ rules (either directly or indirectly) where the actions of more than
+ one rule may be enforced, any side effects of the enforcement of
+ actions MUST NOT be included in condition evaluation on the same
+ evaluation pass.
+
+5.5.3. Multiple PolicySet Trees For a Resource
+
+ As shown in the example in Figure 3., PolicySet trees are defined by
+ the PolicySet subclass instances and the PolicySetComponent
+ aggregation instances between them. Each PolicySet tree has a
+ defined set of decision strategies and evaluation priorities. In
+ section 5.6 we discuss some improvements in the use of PolicyRoles
+ that cause the parent PolicySet.PolicyRoles to be applied to all
+ contained PolicySet instances. However, a given resource may still
+ have multiple, disjoint PolicySet trees regardless of how they are
+ collected. These top-level PolicySet instances are called "unrooted"
+ relative to the given resource.
+
+ So, a PolicySet instance is defined to be rooted or unrooted in the
+ context of a particular managed element; the relationship to the
+ managed element is usually established by the policy roles of the
+ PolicySet instance and of the managed element (see 5.6 "Policy
+ Roles"). A PolicySet instance is unrooted in that context if and
+ only if there is no PolicySetComponent association to a parent
+ PolicySet that is also related to the same managed element. These
+
+
+
+Moore Standards Track [Page 21]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ PolicySetComponent aggregations are traversed up the tree without
+ regard to how a PolicySet instance came to be related with the
+ ManagedElement. Figure 4. shows an example where instance A has role
+ A, instance B has role B and so on. In this example, in the context
+ of interface X, instances B, and C are unrooted and instances D, E,
+ and F are all rooted. In the context of interface Y, instance A is
+ unrooted and instances B, C, D, E and F are all rooted.
+
+ +---+ +-----------+ +-----------+
+ | A | | I/F X | | I/F Y |
+ +---+ | has roles | | has roles |
+ / \ | B & C | | A & B |
+ / \ +-----------+ +-----------+
+ +---+ +---+
+ | B | | C |
+ +---+ +---+
+ / \ \
+ / \ \
+ +---+ +---+ +---+
+ | D | | E | | F |
+ +---+ +---+ +---+
+
+ Figure 4. Unrooted PolicySet Instances
+
+ For those cases where there are multiple unrooted PolicySet instances
+ that apply to the same managed resource (i.e., not in a common
+ PolicySetComponent tree), the decision strategy among these disjoint
+ PolicySet instances is the FirstMatching strategy. The priority used
+ with this FirstMatching strategy is defined in the PolicySetInSystem
+ association. The PolicySetInSystem subclass instances are present
+ for all PolicySet instances (it is a required association) but the
+ priority is only used as a default for unrooted PolicySet instances
+ in a given ManagedElement context.
+
+ The FirstMatching strategy is used among all unrooted PolicySet
+ instances that apply to a given resource for a given functional
+ domain. So, for example, the PolicySet instances that are used for
+ QoS policy and the instances that are used for IKE policy, although
+ they are disjoint, are not joined in a FirstMatching decision
+ strategy. Instead, they are evaluated independently of one another.
+
+5.5.4. Deterministic Decisions
+
+ As previously discussed, PolicySetComponent.Priority values MUST be
+ unique within a containing PolicySet and PolicySetInSystem.Priority
+ values MUST be unique for an associated System. Each PolicySet,
+ then, has a deterministic behavior based upon the decision strategy
+ and uniquely defined priority.
+
+
+
+Moore Standards Track [Page 22]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ There are certainly cases where rules need not have a unique priority
+ value (i.e., where evaluation and execution priority is not
+ important). However, it is believed that the flexibility gained by
+ this capability is not sufficiently beneficial to justify the
+ possible variations in implementation behavior and the resulting
+ confusion that might occur.
+
+5.6. Policy Roles
+
+ A policy role is defined in [10] as "an administratively specified
+ characteristic of a managed element (for example, an interface). It
+ is a selector for policy rules and PRovisioning Classes (PRCs), to
+ determine the applicability of the rule/PRC to a particular managed
+ element."
+
+ In PCIMe, PolicyRoles is defined as a property of PolicySet, which is
+ inherited by both PolicyRules and PolicyGroups. In this document, we
+ also add PolicyRole as the identifying name of a collection of
+ resources (PolicyRoleCollection), where each element in the
+ collection has the specified role characteristic.
+
+5.6.1. Comparison of Roles in PCIM with Roles in snmpconf
+
+ In the Configuration Management with SNMP (snmpconf) working group's
+ Policy Based Management MIB [14], policy rules are of the form
+
+ if <policyFilter> then <policyAction>
+
+ where <policyFilter> is a set of conditions that are used to
+ determine whether or not the policy applies to an object instance.
+ The policy filter can perform comparison operations on SNMP variables
+ already defined in MIBS (e.g., "ifType == ethernet").
+
+ The policy management MIB defined in [14] defines a Role table that
+ enables one to associate Roles with elements, where roles have the
+ same semantics as in PCIM. Then, since the policyFilter in a policy
+ allows one to define conditions based on the comparison of the values
+ of SNMP variables, one can filter elements based on their roles as
+ defined in the Role group.
+
+ This approach differs from that adopted in PCIM in the following
+ ways. First, in PCIM, a set of role(s) is associated with a policy
+ rule as the values of the PolicyRoles property of a policy rule. The
+ semantics of role(s) are then expected to be implemented by the PDP
+ (i.e., policies are applied to the elements with the appropriate
+ roles). In [14], however, no special processing is required for
+
+
+
+
+
+Moore Standards Track [Page 23]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ realizing the semantics of roles; roles are treated just as any other
+ SNMP variables and comparisons of role values can be included in the
+ policy filter of a policy rule.
+
+ Secondly, in PCIM, there is no formally defined way of associating a
+ role with an object instance, whereas in [14] this is done via the
+ use of the Role tables (pmRoleESTable and pmRoleSETable). The Role
+ tables associate Role values with elements.
+
+5.6.2. Addition of PolicyRoleCollection to PCIMe
+
+ In order to remedy the latter shortcoming in PCIM (the lack of a way
+ of associating a role with an object instance), PCIMe has a new class
+ PolicyRoleCollection derived from the CIM Collection class.
+ Resources that share a common role are aggregated by a
+ PolicyRoleCollection instance, via the ElementInPolicyRoleCollection
+ aggregation. The role is specified in the PolicyRole property of the
+ aggregating PolicyRoleCollection instance.
+
+ A PolicyRoleCollection always exists in the context of a system. As
+ was done in PCIM for PolicyRules and PolicyGroups, an association,
+ PolicyRoleCollectionInSystem, captures this relationship. Remember
+ that in CIM, System is a base class for describing network devices
+ and administrative domains.
+
+ The association between a PolicyRoleCollection and a system should be
+ consistent with the associations that scope the policy rules/groups
+ that are applied to the resources in that collection. Specifically,
+ a PolicyRoleCollection should be associated with the same System as
+ the applicable PolicyRules and/or PolicyGroups, or to a System higher
+ in the tree formed by the SystemComponent association. When a PEP
+ belongs to multiple Systems (i.e., AdminDomains), and scoping by a
+ single domain is impractical, two alternatives exist. One is to
+ arbitrarily limit domain membership to one System/AdminDomain. The
+ other option is to define a more global AdminDomain that simply
+ includes the others, and/or that spans the business or enterprise.
+
+ As an example, suppose that there are 20 traffic trunks in a network,
+ and that an administrator would like to assign three of them to
+ provide "gold" service. Also, the administrator has defined several
+ policy rules which specify how the "gold" service is delivered. For
+ these rules, the PolicyRoles property (inherited from PolicySet) is
+ set to "Gold Service".
+
+ In order to associate three traffic trunks with "gold" service, an
+ instance of the PolicyRoleCollection class is created and its
+ PolicyRole property is also set to "Gold Service". Following this,
+ the administrator associates three traffic trunks with the new
+
+
+
+Moore Standards Track [Page 24]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ instance of PolicyRoleCollection via the
+ ElementInPolicyRoleCollection aggregation. This enables a PDP to
+ determine that the "Gold Service" policy rules apply to the three
+ aggregated traffic trunks.
+
+ Note that roles are used to optimize policy retrieval. It is not
+ mandatory to implement roles or, if they have been implemented, to
+ group elements in a PolicyRoleCollection. However, if roles are
+ used, then either the collection approach should be implemented, or
+ elements should be capable of reporting their "pre-programmed" roles
+ (as is done in COPS).
+
+5.6.3. Roles for PolicyGroups
+
+ In PCIM, role(s) are only associated with policy rules. However, it
+ may be desirable to associate role(s) with groups of policy rules.
+ For example, a network administrator may want to define a group of
+ rules that apply only to Ethernet interfaces. A policy group can be
+ defined with a role-combination="Ethernet", and all the relevant
+ policy rules can be placed in this policy group. (Note that in
+ PCIMe, role(s) are made available to PolicyGroups as well as to
+ PolicyRules by moving PCIM's PolicyRoles property up from PolicyRule
+ to the new abstract class PolicySet. The property is then inherited
+ by both PolicyGroup and PolicyRule.) Then every policy rule in this
+ policy group implicitly inherits this role-combination from the
+ containing policy group. A similar implicit inheritance applies to
+ nested policy groups.
+
+ There is no explicit copying of role(s) from container to contained
+ entity. Obviously, this implicit inheritance of role(s) leads to the
+ possibility of defining inconsistent role(s) (as explained in the
+ example below); the handling of such inconsistencies is beyond the
+ scope of PCIMe.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 25]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ As an example, suppose that there is a PolicyGroup PG1 that contains
+ three PolicyRules, PR1, PR2, and PR3. Assume that PG1 has the roles
+ "Ethernet" and "Fast". Also, assume that the contained policy rules
+ have the role(s) shown below:
+
+ +------------------------------+
+ | PolicyGroup PG1 |
+ | PolicyRoles = Ethernet, Fast |
+ +------------------------------+
+ |
+ | +------------------------+
+ | | PolicyRule PR1 |
+ |--------| PolicyRoles = Ethernet |
+ | +------------------------+
+ |
+ | +--------------------------+
+ | | PolicyRule PR2 |
+ |--------| PolicyRoles = <undefined>|
+ | +--------------------------+
+ |
+ | +------------------------+
+ | | PolicyRule PR3 |
+ |--------| PolicyRoles = Slow |
+ +------------------------+
+
+ Figure 5. Inheritance of Roles
+
+ In this example, the PolicyRoles property value for PR1 is consistent
+ with the value in PG1, and in fact, did not need to be redefined. The
+ value of PolicyRoles for PR2 is undefined. Its roles are implicitly
+ inherited from PG1. Lastly, the value of PolicyRoles for PR3 is
+ "Slow". This appears to be in conflict with the role, "Fast,"
+ defined in PG1. However, whether these roles are actually in
+ conflict is not clear. In one scenario, the policy administrator
+ may have wanted only "Fast"- "Ethernet" rules in the policy group.
+ In another scenario, the administrator may be indicating that PR3
+ applies to all "Ethernet" interfaces regardless of whether they are
+ "Fast" or "Slow." Only in the former scenario (only "Fast"-
+ "Ethernet" rules in the policy group) is there a role conflict.
+
+ Note that it is possible to override implicitly inherited roles via
+ appropriate conditions on a PolicyRule. For example, suppose that
+ PR3 above had defined the following conditions:
+
+ (interface is not "Fast") and (interface is "Slow")
+
+ This results in unambiguous semantics for PR3.
+
+
+
+
+Moore Standards Track [Page 26]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+5.7. Compound Policy Conditions and Compound Policy Actions
+
+ Compound policy conditions and compound policy actions are introduced
+ to provide additional reusable "chunks" of policy.
+
+5.7.1. Compound Policy Conditions
+
+ A CompoundPolicyCondition is a PolicyCondition representing a Boolean
+ combination of simpler conditions. The conditions being combined may
+ be SimplePolicyConditions (discussed below in Section 6.4), but the
+ utility of reusable combinations of policy conditions is not
+ necessarily limited to the case where the component conditions are
+ simple ones.
+
+ The PCIM extensions to introduce compound policy conditions are
+ relatively straightforward. Since the purpose of the extension is to
+ apply the DNF / CNF logic from PCIM's PolicyConditionInPolicyRule
+ aggregation to a compound condition that aggregates simpler
+ conditions, the following changes are required:
+
+ o Create a new aggregation PolicyConditionInPolicyCondition, with
+ the same GroupNumber and ConditionNegated properties as
+ PolicyConditionInPolicyRule. The cleanest way to do this is to
+ move the properties up to a new abstract aggregation superclass
+ PolicyConditionStructure, from which the existing aggregation
+ PolicyConditionInPolicyRule and a new aggregation
+ PolicyConditionInPolicyCondition are derived. For now there is no
+ need to re-document the properties themselves, since they are
+ already documented in PCIM as part of the definition of the
+ PolicyConditionInPolicyRule aggregation.
+
+ o It is also necessary to define a concrete subclass
+ CompoundPolicyCondition of PolicyCondition, to introduce the
+ ConditionListType property. This property has the same function,
+ and works in exactly the same way, as the corresponding property
+ currently defined in PCIM for the PolicyRule class.
+
+ The class and property definitions for representing compound policy
+ conditions are below, in Section 6.
+
+5.7.2. Compound Policy Actions
+
+ A compound action is a convenient construct to represent a sequence
+ of actions to be applied as a single atomic action within a policy
+ rule. In many cases, actions are related to each other and should be
+ looked upon as sub-actions of one "logical" action. An example of
+ such a logical action is "shape & mark" (i.e., shape a certain stream
+ to a set of predefined bandwidth characteristics and then mark these
+
+
+
+Moore Standards Track [Page 27]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ packets with a certain DSCP value). This logical action is actually
+ composed of two different QoS actions, which should be performed in a
+ well-defined order and as a complete set.
+
+ The CompoundPolicyAction construct allows one to create a logical
+ relationship between a number of actions, and to define the
+ activation logic associated with this logical action.
+
+ The CompoundPolicyAction construct allows the reusability of these
+ complex actions, by storing them in a ReusablePolicyContainer and
+ reusing them in different policy rules. Note that a compound action
+ may also be aggregated by another compound action.
+
+ As was the case with CompoundPolicyCondition, the PCIM extensions to
+ introduce compound policy actions are relatively straightforward.
+ This time the goal is to apply the property ActionOrder from PCIM's
+ PolicyActionInPolicyRule aggregation to a compound action that
+ aggregates simpler actions. The following changes are required:
+
+ o Create a new aggregation PolicyActionInPolicyAction, with the same
+ ActionOrder property as PolicyActionInPolicyRule. The cleanest
+ way to do this is to move the property up to a new abstract
+ aggregation superclass PolicyActionStructure, from which the
+ existing aggregation PolicyActionInPolicyRule and a new
+ aggregation PolicyActionInPolicyAction are derived.
+
+ o It is also necessary to define a concrete subclass
+ CompoundPolicyAction of PolicyAction, to introduce the
+ SequencedActions property. This property has the same function,
+ and works in exactly the same way, as the corresponding property
+ currently defined in PCIM for the PolicyRule class.
+
+ o Finally, a new property ExecutionStrategy is needed for both the
+ PCIM class PolicyRule and the new class CompoundPolicyAction. This
+ property allows the policy administrator to specify how the PEP
+ should behave in the case where there are multiple actions
+ aggregated by a PolicyRule or by a CompoundPolicyAction.
+
+ The class and property definitions for representing compound policy
+ actions are below, in Section 6.
+
+5.8. Variables and Values
+
+ The following subsections introduce several related concepts,
+ including PolicyVariables and PolicyValues (and their numerous
+ subclasses), SimplePolicyConditions, and SimplePolicyActions.
+
+
+
+
+
+Moore Standards Track [Page 28]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+5.8.1. Simple Policy Conditions
+
+ The SimplePolicyCondition class models elementary Boolean expressions
+ of the form: "(<variable> MATCH <value>)". The relationship 'MATCH',
+ which is implicit in the model, is interpreted based on the variable
+ and the value. Section 5.8.3 explains the semantics of the 'MATCH'
+ operator. Arbitrarily complex Boolean expressions can be formed by
+ chaining together any number of simple conditions using relational
+ operators. Individual simple conditions can be negated as well.
+ Arbitrarily complex Boolean expressions are modeled by the class
+ CompoundPolicyCondition (described in Section 5.7.1).
+
+ For example, the expression "SourcePort == 80" can be modeled by a
+ simple condition. In this example, 'SourcePort' is a variable, '=='
+ is the relational operator denoting the equality relationship (which
+ is generalized by PCIMe to a "MATCH" relationship), and '80' is an
+ integer value. The complete interpretation of a simple condition
+ depends on the binding of the variable. Section 5.8.5 describes
+ variables and their binding rules.
+
+ The SimplePolicyCondition class refines the basic structure of the
+ PolicyCondition class defined in PCIM by using the pair (<variable>,
+ <value>) to form the condition. Note that the operator between the
+ variable and the value is always implied in PCIMe: it is not a part
+ of the formal notation.
+
+ The variable specifies the attribute of an object that should be
+ matched when evaluating the condition. For example, for a QoS model,
+ this object could represent the flow that is being conditioned. A
+ set of predefined variables that cover network attributes commonly
+ used for filtering is introduced in PCIMe, to encourage
+ interoperability. This list covers layer 3 IP attributes such as IP
+ network addresses, protocols and ports, as well as a set of layer 2
+ attributes (e.g., MAC addresses).
+
+ The bound variable is matched against a value to produce the Boolean
+ result. For example, in the condition "The source IP address of the
+ flow belongs to the 10.1.x.x subnet", a source IP address variable is
+ matched against a 10.1.x.x subnet value.
+
+5.8.2. Using Simple Policy Conditions
+
+ Simple conditions can be used in policy rules directly, or as
+ building blocks for creating compound policy conditions.
+
+ Simple condition composition MUST enforce the following data-type
+ conformance rule: The ValueTypes property of the variable must be
+ compatible with the type of the value class used. The simplest (and
+
+
+
+Moore Standards Track [Page 29]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ friendliest, from a user point-of-view) way to do this is to equate
+ the type of the value class with the name of the class. By ensuring
+ that the ValueTypes property of the variable matches the name of the
+ value class used, we know that the variable and value instance values
+ are compatible with each other.
+
+ Composing a simple condition requires that an instance of the class
+ SimplePolicyCondition be created, and that instances of the variable
+ and value classes that it uses also exist. Note that the variable
+ and/or value instances may already exist as reusable objects in an
+ appropriate ReusablePolicyContainer.
+
+ Two aggregations are used in order to create the pair (<variable>,
+ <value>). The aggregation PolicyVariableInSimplePolicyCondition
+ relates a SimplePolicyCondition to a single variable instance.
+ Similarly, the aggregation PolicyValueInSimplePolicyCondition relates
+ a SimplePolicyCondition to a single value instance. Both
+ aggregations are defined in this document.
+
+ Figure 6. depicts a SimplePolicyCondition with its associated
+ variable and value. Also shown are two PolicyValue instances that
+ identify the values that the variable can assume.
+
+ +-----------------------+
+ | SimplePolicyCondition |
+ +-----------------------+
+ * @
+ * @
+ +------------------+ * @ +---------------+
+ | (PolicyVariable) |*** @@@| (PolicyValue) |
+ +------------------+ +---------------+
+ # #
+ # ooo #
+ # #
+ +---------------+ +---------------+
+ | (PolicyValue) | ooo | (PolicyValue) |
+ +---------------+ +---------------+
+
+ Aggregation Legend:
+ **** PolicyVariableInSimplePolicyCondition
+ @@@@ PolicyValueInSimplePolicyCondition
+ #### ExpectedPolicyValuesForVariable
+
+ Figure 6. SimplePolicyCondition
+
+ Note: The class names in parenthesis denote subclasses. The classes
+ named in the figure are abstract, and thus cannot themselves be
+ instantiated.
+
+
+
+Moore Standards Track [Page 30]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+5.8.3. The Simple Condition Operator
+
+ A simple condition models an elementary Boolean expression of the
+ form "variable MATCHes value". However, the formal notation of the
+ SimplePolicyCondition, together with its associations, models only a
+ pair, (<variable>, <value>). The 'MATCH' operator is not directly
+ modeled -- it is implied. Furthermore, this implied 'MATCH' operator
+ carries overloaded semantics.
+
+ For example, in the simple condition "DestinationPort MATCH '80'",
+ the interpretation of the 'MATCH' operator is equality (the 'equal'
+ operator). Clearly, a different interpretation is needed in the
+ following cases:
+
+ o "DestinationPort MATCH {'80', '8080'}" -- operator is 'IS SET
+ MEMBER'
+
+ o "DestinationPort MATCH {'1 to 255'}" -- operator is 'IN INTEGER
+ RANGE'
+
+ o "SourceIPAddress MATCH 'MyCompany.com'" -- operator is 'IP ADDRESS
+ AS RESOLVED BY DNS'
+
+ The examples above illustrate the implicit, context-dependent nature
+ of the 'MATCH' operator. The interpretation depends on the actual
+ variable and value instances in the simple condition. The
+ interpretation is always derived from the bound variable and the
+ value instance associated with the simple condition. Text
+ accompanying the value class and implicit variable definition is used
+ for interpreting the semantics of the 'MATCH' relationship. In the
+ following list, we define generic (type-independent) matching.
+
+ PolicyValues may be multi-fielded, where each field may contain a
+ range of values. The same equally holds for PolicyVariables.
+ Basically, we have to deal with single values (singleton), ranges
+ ([lower bound .. upper bound]), and sets (a,b,c). So independent of
+ the variable and value type, the following set of generic matching
+ rules for the 'MATCH' operator are defined.
+
+ o singleton matches singleton -> the matching rule is defined in the
+ type
+
+ o singleton matches range [lower bound .. upper bound] -> the
+ matching evaluates to true, if the singleton matches the lower
+ bound or the upper bound or a value in between
+
+
+
+
+
+
+Moore Standards Track [Page 31]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ o singleton matches set -> the matching evaluates to true, if the
+ value of the singleton matches one of the components in the set,
+ where a component may be a singleton or range again
+
+ o ranges [A..B] matches singleton -> is true if A matches B matches
+ singleton
+
+ o range [A..B] matches range [X..Y] -> the matching evaluates to
+ true, if all values of the range [A..B] are also in the range
+ [X..Y]. For instance, [3..5] match [1..6] evaluates to true,
+ whereas [3..5] match [4..6] evaluates to false.
+
+ o range [A..B] matches set (a,b,c, ...) -> the matching evaluates to
+ true, if all values in the range [A..B] are part of the set. For
+ instance, range [2..3] match set ([1..2],3) evaluates to true, as
+ well as range [2..3] match set (2,3), and range [2..3] match set
+ ([1..2],[3..5]).
+
+ o set (a,b,c, ...) match singleton -> is true if a match b match c
+ match ... match singleton
+
+ o set match range -> the matching evaluates to true, if all values
+ in the set are part of the range. For example, set (2,3) match
+ range [1..4] evaluates to true.
+
+ o set (a,b,c,...) match set (x,y,z,...) -> the matching evaluates to
+ true, if all values in the set (a,b,c,...) are part of the set
+ (x,y,z,...). For example, set (1,2,3) match set (1,2,3,4)
+ evaluates to true. Set (1,2,3) match set (1,2) evaluates to
+ false.
+
+ Variables may contain various types (Section 6.11.1). When not
+ stated otherwise, the type of the value bound to the variable at
+ condition evaluation time and the value type of the PolicyValue
+ instance need to be of the same type. If they differ, then the
+ condition evaluates to FALSE.
+
+ The ExpectedPolicyValuesForVariable association specifies an expected
+ set of values that can be matched with a variable within a simple
+ condition. Using this association, a source or destination port can
+ be limited to the range 0-200, a source or destination IP address can
+ be limited to a specified list of IPv4 address values, etc.
+
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 32]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ +-----------------------+
+ | SimplePolicyCondition |
+ +-----------------------+
+ * @
+ * @
+ * @
+ +-----------------------------------+ +--------------------------+
+ | Name=SmallSourcePorts | | Name=Port300 |
+ | Class=PolicySourcePortVariable | | Class=PolicyIntegerValue |
+ | ValueTypes=[PolicyIntegerValue] | | IntegerList = [300] |
+ +-----------------------------------+ +--------------------------+
+ #
+ #
+ #
+ +-------------------------+
+ |Name=SmallPortsValues |
+ |Class=PolicyIntegerValue |
+ |IntegerList=[1..200] |
+ +-------------------------+
+
+ Aggregation Legend:
+ **** PolicyVariableInSimplePolicyCondition
+ @@@@ PolicyValueInSimplePolicyCondition
+ #### ExpectedPolicyValuesForVariable
+
+ Figure 7. An Invalid SimplePolicyCondition
+
+ The ability to express these limitations appears in the model to
+ support validation of a SimplePolicyCondition prior to its deployment
+ to an enforcement point. A Policy Management Tool, for example
+ SHOULD NOT accept the SimplePolicyCondition shown in Figure 7. If,
+ however, a policy rule containing this condition does appear at an
+ enforcement point, the expected values play no role in the
+ determination of whether the condition evaluates to True or False.
+ Thus in this example, the SimplePolicyCondition evaluates to True if
+ the source port for the packet under consideration is 300, and it
+ evaluates to False otherwise.
+
+5.8.4. SimplePolicyActions
+
+ The SimplePolicyAction class models the elementary set operation.
+ "SET <variable> TO <value>". The set operator MUST overwrite an old
+ value of the variable. In the case where the variable to be updated
+ is multi- valued, the only update operation defined is a complete
+ replacement of all previous values with a new set. In other words,
+ there are no Add or Remove [to/from the set of values] operations
+ defined for SimplePolicyActions.
+
+
+
+
+Moore Standards Track [Page 33]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ For example, the action "set DSCP to EF" can be modeled by a simple
+ action. In this example, 'DSCP' is an implicit variable referring to
+ the IP packet header DSCP field. 'EF' is an integer or bit string
+ value (6 bits). The complete interpretation of a simple action
+ depends on the binding of the variable.
+
+ The SimplePolicyAction class refines the basic structure of the
+ PolicyAction class defined in PCIM, by specifying the contents of the
+ action using the (<variable>, <value>) pair to form the action. The
+ variable specifies the attribute of an object. The value of this
+ attribute is set to the value specified in <value>. Selection of the
+ object is a function of the type of variable involved. See Sections
+ 5.8.6 and 5.8.7, respectively, for details on object selection for
+ explicitly bound and implicitly bound policy variables.
+
+ SimplePolicyActions can be used in policy rules directly, or as
+ building blocks for creating CompoundPolicyActions.
+
+ The set operation is only valid if the list of types of the variable
+ (ValueTypes property of PolicyImplicitVariable) includes the
+ specified type of the value. Conversion of values from one
+ representation into another is not defined. For example, a variable
+ of IPv4Address type may not be set to a string containing a DNS name.
+ Conversions are part of an implementation-specific mapping of the
+ model.
+
+ As was the case with SimplePolicyConditions, the role of expected
+ values for the variables that appear in SimplePolicyActions is for
+ validation, prior to the time when an action is executed. Expected
+ values play no role in action execution.
+
+ Composing a simple action requires that an instance of the class
+ SimplePolicyAction be created, and that instances of the variable and
+ value classes that it uses also exist. Note that the variable and/or
+ value instances may already exist as reusable objects in an
+ appropriate ReusablePolicyContainer.
+
+ Two aggregations are used in order to create the pair (<variable>,
+ <value>). The aggregation PolicyVariableInSimplePolicyAction relates
+ a SimplePolicyAction to a single variable instance. Similarly, the
+ aggregation PolicyValueInSimplePolicyAction relates a
+ SimplePolicyAction to a single value instance. Both aggregations are
+ defined in this document.
+
+ Figure 8. depicts a SimplePolicyAction with its associated variable
+ and value.
+
+
+
+
+
+Moore Standards Track [Page 34]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ +-----------------------+
+ | SimplePolicyAction |
+ | |
+ +-----------------------+
+ * @
+ * @
+ +------------------+ * @ +---------------+
+ | (PolicyVariable) |*** @@@| (PolicyValue) |
+ +------------------+ +---------------+
+ # #
+ # ooo #
+ # #
+ +---------------+ +---------------+
+ | (PolicyValue) | ooo | (PolicyValue) |
+ +---------------+ +---------------+
+
+ Aggregation Legend:
+ **** PolicyVariableInSimplePolicyAction
+ @@@@ PolicyValueInSimplePolicyAction
+ #### ExpectedPolicyValuesForVariable
+
+ Figure 8. SimplePolicyAction
+
+5.8.5. Policy Variables
+
+ A variable generically represents information that changes (or
+ "varies"), and that is set or evaluated by software. In policy,
+ conditions and actions can abstract information as "policy variables"
+ to be evaluated in logical expressions, or set by actions.
+
+ PCIMe defines two types of PolicyVariables, PolicyImplicitVariables
+ and PolicyExplicitVariables. The semantic difference between these
+ classes is based on modeling context. Explicit variables are bound
+ to exact model constructs, while implicit variables are defined and
+ evaluated outside of a model. For example, one can imagine a
+ PolicyCondition testing whether a CIM ManagedSystemElement's Status
+ property has the value "Error." The Status property is an explicitly
+ defined PolicyVariable (i.e., it is defined in the context of the CIM
+ Schema, and evaluated in the context of a specific instance). On the
+ other hand, network packets are not explicitly modeled or
+ instantiated, since there is no perceived value (at this time) in
+ managing at the packet level. Therefore, a PolicyCondition can make
+ no explicit reference to a model construct that represents a network
+ packet's source address. In this case, an implicit PolicyVariable is
+ defined, to allow evaluation or modification of a packet's source
+ address.
+
+
+
+
+
+Moore Standards Track [Page 35]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+5.8.6. Explicitly Bound Policy Variables
+
+ Explicitly bound policy variables indicate the class and property
+ names of the model construct to be evaluated or set. The CIM Schema
+ defines and constrains "appropriate" values for the variable (i.e.,
+ model property) using data types and other information such as
+ class/property qualifiers.
+
+ A PolicyExplicitVariable is "explicit" because its model semantics
+ are exactly defined. It is NOT explicit due to an exact binding to a
+ particular object instance. If PolicyExplicitVariables were tied to
+ instances (either via associations or by an object identification
+ property in the class itself), then we would be forcing element-
+ specific rules. On the other hand, if we only specify the object's
+ model context (class and property name), but leave the binding to the
+ policy framework (for example, using policy roles), then greater
+ flexibility results for either general or element-specific rules.
+
+ For example, an element-specific rule is obtained by a condition
+ ((<variable>, <value>) pair) that defines CIM LogicalDevice
+ DeviceID="12345". Alternately, if a PolicyRule's PolicyRoles is
+ "edge device" and the condition ((<variable>, <value>) pair) is
+ Status="Error", then a general rule results for all edge devices in
+ error.
+
+ Currently, the only binding for a PolicyExplicitVariable defined in
+ PCIMe is to the instances selected by policy roles. For each such
+ instance, a SimplePolicyCondition that aggregates the
+ PolicyExplicitVariable evaluates to True if and only if ALL of the
+ following are true:
+
+ o The instance selected is of the class identified by the variable's
+ ModelClass property, or of a subclass of this class.
+ o The instance selected has the property identified by the
+ variable's ModelProperty property.
+ o The value of this property in the instance matches the value
+ specified in the PolicyValue aggregated by the condition.
+
+ In all other cases, the SimplePolicyCondition evaluates to False.
+
+ For the case where a SimplePolicyAction aggregates a
+ PolicyExplicitVariable, the indicated property in the selected
+ instance is set to the value represented by the PolicyValue that the
+ SimplePolicyAction also aggregates. However, if the selected
+ instance is not of the class identified by the variable's ModelClass
+ property, or of a subclass of this class, then the action is not
+ performed. In this case the SimplePolicyAction is not treated either
+ as a successfully executed action (for the execution strategy Do
+
+
+
+Moore Standards Track [Page 36]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ Until Success) or as a failed action (for the execution strategy Do
+ Until Failure). Instead, the remaining actions for the policy rule,
+ if any, are executed as if this SimplePolicyAction were not present
+ at all in the list of actions aggregated by the rule.
+
+ Explicit variables would be more powerful if they could reach beyond
+ the instances selected by policy roles, to related instances.
+ However, to represent a policy rule involving such variables in any
+ kind of general way requires something that starts to resemble very
+ much a complete policy language. Clearly such a language is outside
+ the scope of PCIMe, although it might be the subject of a future
+ document.
+
+ By restricting much of the generality, it would be possible for
+ explicit variables in PCIMe to reach slightly beyond a selected
+ instance. For example, if a selected instance were related to
+ exactly one instance of another class via a particular association
+ class, and if the goal of the policy rule were both to test a
+ property of this related instance and to set a property of that same
+ instance, then it would be possible to represent the condition and
+ action of the rule using PolicyExplicitVariables. Rather than
+ handling this one specific case with explicit variables, though, it
+ was decided to lump them with the more general case, and deal with
+ them if and when a policy language is defined.
+
+ Refer to Section 6.10 for the formal definition of the class
+ PolicyExplicitVariable.
+
+5.8.7. Implicitly Bound Policy Variables
+
+ Implicitly bound policy variables define the data type and semantics
+ of a variable. This determines how the variable is bound to a value
+ in a condition or an action. Further instructions are provided for
+ specifying data type and/or value constraints for implicitly bound
+ variables.
+
+ PCIMe introduces an abstract class, PolicyImplicitVariable, to model
+ implicitly bound variables. This class is derived from the abstract
+ class PolicyVariable also defined in PCIMe. Each of the implicitly
+ bound variables introduced by PCIMe (and those that are introduced by
+ domain- specific sub-models) MUST be derived from the
+ PolicyImplicitVariable class. The rationale for using this mechanism
+ for modeling is explained below in Section 5.8.9.
+
+ A domain-specific policy information model that extends PCIMe may
+ define additional implicitly bound variables either by deriving them
+ directly from the class PolicyImplicitVariable, or by further
+
+
+
+
+Moore Standards Track [Page 37]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ refining an existing variable class such as SourcePort. When
+ refining a class such as SourcePort, existing binding rules, type or
+ value constraints may be narrowed.
+
+5.8.8. Structure and Usage of Pre-Defined Variables
+
+ A class derived from PolicyImplicitVariable to model a particular
+ implicitly bound variable SHOULD be constructed so that its name
+ depicts the meaning of the variable. For example, a class defined to
+ model the source port of a TCP/UDP flow SHOULD have 'SourcePort' in
+ its name.
+
+ PCIMe defines one association and one general-purpose mechanism that
+ together characterize each of the implicitly bound variables that it
+ introduces:
+
+ 1. The ExpectedPolicyValuesForVariable association defines the set of
+ value classes that could be matched to this variable.
+
+ 2. The list of constraints on the values that the PolicyVariable can
+ hold (i.e., values that the variable must match) are defined by
+ the appropriate properties of an associated PolicyValue class.
+
+ In the example presented above, a PolicyImplicitVariable represents
+ the SourcePort of incoming traffic. The ValueTypes property of an
+ instance of this class will hold the class name PolicyIntegerValue.
+ This by itself constrains the data type of the SourcePort instance to
+ be an integer. However, we can further constrain the particular
+ values that the SourcePort variable can hold by entering valid ranges
+ in the IntegerList property of the PolicyIntegerValue instance (0 -
+ 65535 in this document).
+
+ The combination of the VariableName and the
+ ExpectedPolicyValuesForVariable association provide a consistent and
+ extensible set of metadata that define the semantics of variables
+ that are used to form policy conditions. Since the
+ ExpectedPolicyValuesForVariable association points to a PolicyValue
+ instance, any of the values expressible in the PolicyValue class can
+ be used to constrain values that the PolicyImplicitVariable can hold.
+ For example:
+
+ o The ValueTypes property can be used to ensure that only proper
+ classes are used in the expression. For example, the SourcePort
+ variable will not be allowed to ever be of type
+ PolicyIPv4AddrValue, since source ports have different semantics
+ than IP addresses and may not be matched. However, integer value
+ types are allowed as the property ValueTypes holds the string
+ "PolicyIntegerValue", which is the class name for integer values.
+
+
+
+Moore Standards Track [Page 38]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ o The ExpectedPolicyValuesForVariable association also ensures that
+ variable-specific semantics are enforced (e.g., the SourcePort
+ variable may include a constraint association to a value object
+ defining a specific integer range that should be matched).
+
+5.8.9. Rationale for Modeling Implicit Variables as Classes
+
+ An implicitly bound variable can be modeled in one of several ways,
+ including a single class with an enumerator for each individual
+ implicitly bound variable and an abstract class extended for each
+ individual variable. The reasons for using a class inheritance
+ mechanism for specifying individual implicitly bound variables are
+ these:
+
+ 1. It is easy to extend. A domain-specific information model can
+ easily extend the PolicyImplicitVariable class or its subclasses
+ to define domain-specific and context-specific variables. For
+ example, a domain-specific QoS policy information model may
+ introduce an implicitly bound variable class to model applications
+ by deriving a qosApplicationVariable class from the
+ PolicyImplicitVariable abstract class.
+
+ 2. Introduction of a single structural class for implicitly bound
+ variables would have to include an enumerator property that
+ contains all possible individual implicitly bound variables. This
+ means that a domain-specific information model wishing to
+ introduce an implicitly bound variable must extend the enumerator
+ itself. This results in multiple definitions of the same class,
+ differing in the values available in the enumerator class. One
+ definition, in this document, would include the common implicitly
+ bound variables' names, while a second definition, in the domain-
+ specific information model document, may include additional values
+ ('qosApplicationVariable' in the example above). It wouldn't even
+ be obvious to the application developer that multiple class
+ definitions existed. It would be harder still for the application
+ developer to actually find the correct class to use.
+
+ 3. In addition, an enumerator-based definition would require each
+ additional value to be registered with IANA to ascertain adherence
+ to standards. This would make the process cumbersome.
+
+ 4. A possible argument against the inheritance mechanism would cite
+ the fact that this approach results in an explosion of class
+ definitions compared to an enumerator class, which only introduces
+ a single class. While, by itself, this is not a strike against
+ the approach, it may be argued that data models derived from this
+ information model may be more difficult to optimize for
+ applications. This argument is rejected on the grounds that
+
+
+
+Moore Standards Track [Page 39]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ application optimization is of lesser value for an information
+ model than clarity and ease of extension. In addition, it is hard
+ to claim that the inheritance model places an absolute burden on
+ the optimization. For example, a data model may still use
+ enumeration to denote instances of pre-defined variables and claim
+ PCIMe compliance, as long as the data model can be mapped
+ correctly to the definitions specified in this document.
+
+5.8.10. Policy Values
+
+ The abstract class PolicyValue is used for modeling values and
+ constants used in policy conditions. Different value types are
+ derived from this class, to represent the various attributes
+ required. Extensions of the abstract class PolicyValue, defined in
+ this document, provide a list of values for basic network attributes.
+ Values can be used to represent constants as named values. Named
+ values can be kept in a reusable policy container to be reused by
+ multiple conditions. Examples of constants include well-known ports,
+ well-known protocols, server addresses, and other similar concepts.
+
+ The PolicyValue subclasses define three basic types of values:
+ scalars, ranges and sets. For example, a well-known port number
+ could be defined using the PolicyIntegerValue class, defining a
+ single value (80 for HTTP), a range (80-88), or a set (80, 82, 8080)
+ of ports, respectively. For details, please see the class definition
+ for each value type in Section 6.14 of this document.
+
+ PCIMe defines the following subclasses of the abstract class
+ PolicyValue:
+
+ Classes for general use:
+
+ - PolicyStringValue,
+ - PolicyIntegerValue,
+ - PolicyBitStringValue
+ - PolicyBooleanValue.
+
+ Classes for layer 3 Network values:
+
+ - PolicyIPv4AddrValue,
+ - PolicyIPv6AddrValue.
+
+ Classes for layer 2 Network values:
+
+ - PolicyMACAddrValue.
+
+ For details, please see the class definition section of each class in
+ Section 6.14 of this document.
+
+
+
+Moore Standards Track [Page 40]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+5.9. Packet Filtering
+
+ PCIMe contains two mechanisms for representing packet filters. The
+ more general of these, termed here the domain-level model, expresses
+ packet filters in terms of policy variables and policy values. The
+ other mechanism, termed here the device-level model, expresses packet
+ filters in a way that maps more directly to the packet fields to
+ which the filters are being applied. While it is possible to map
+ between these two representations of packet filters, no mapping is
+ provided in PCIMe itself.
+
+5.9.1. Domain-Level Packet Filters
+
+ In addition to filling in the holes in the overall Policy
+ infrastructure, PCIMe proposes a single mechanism for expressing
+ domain-level packet filters in policy conditions. This is being done
+ in response to concerns that even though the initial "wave" of
+ submodels derived from PCIM were all filtering on IP packets, each
+ was doing it in a slightly different way. PCIMe proposes a common
+ way to express IP packet filters. The following figure illustrates
+ how packet-filtering conditions are expressed in PCIMe.
+
+ +---------------------------------+
+ | CompoundFilterCondition |
+ | - IsMirrored boolean |
+ | - ConditionListType (DNF|CNF) |
+ +---------------------------------+
+ + + +
+ + + +
+ + + +
+ SimplePC SimplePC SimplePC
+ * @ * @ * @
+ * @ * @ * @
+ * @ * @ * @
+ FlowDirection "In" SrcIP <addr1> DstIP <addr2>
+
+ Aggregation Legend:
+ ++++ PolicyConditionInPolicyCondition
+ **** PolicyVariableInSimplePolicyCondition
+ @@@@ PolicyValueInSimplePolicyCondition
+
+ Figure 9. Packet Filtering in Policy Conditions
+
+ In Figure 9., each SimplePolicyCondition represents a single field to
+ be filtered on: Source IP address, Destination IP address, Source
+ port, etc. An additional SimplePolicyCondition indicates the
+ direction that a packet is traveling on an interface: inbound or
+ outbound. Because of the FlowDirection condition, care must be taken
+
+
+
+Moore Standards Track [Page 41]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ in aggregating a set of SimplePolicyConditions into a
+ CompoundFilterCondition. Otherwise, the resulting
+ CompoundPolicyCondition may match all inbound packets, or all
+ outbound packets, when this is probably not what was intended.
+
+ Individual SimplePolicyConditions may be negated when they are
+ aggregated by a CompoundFilterCondition.
+
+ CompoundFilterCondition is a subclass of CompoundPolicyCondition. It
+ introduces one additional property, the Boolean property IsMirrored.
+ The purpose of this property is to allow a single
+ CompoundFilterCondition to match packets traveling in both directions
+ on a higher-level connection such as a TCP session. When this
+ property is TRUE, additional packets match a filter, beyond those
+ that would ordinarily match it. An example will illustrate how this
+ property works.
+
+ Suppose we have a CompoundFilterCondition that aggregates the
+ following three filters, which are ANDed together:
+
+ o FlowDirection = "In"
+ o Source IP = 9.1.1.1
+ o Source Port = 80
+
+ Regardless of whether IsMirrored is TRUE or FALSE, inbound packets
+ will match this CompoundFilterCondition if their Source IP address =
+ 9.1.1.1 and their Source port = 80. If IsMirrored is TRUE, however,
+ an outbound packet will also match the CompoundFilterCondition if its
+ Destination IP address = 9.1.1.1 and its Destination port = 80.
+
+ IsMirrored "flips" the following Source/Destination packet header
+ fields:
+
+ o FlowDirection "In" / FlowDirection "Out"
+ o Source IP address / Destination IP address
+ o Source port / Destination port
+ o Source MAC address / Destination MAC address
+ o Source [layer-2] SAP / Destination [layer-2] SAP.
+
+5.9.2. Device-Level Packet Filters
+
+ At the device level, packet header filters are represented by two
+ subclasses of the abstract class FilterEntryBase: IpHeadersFilter and
+ 8021Filter. Submodels of PCIMe may define other subclasses of
+ FilterEntryBase in addition to these two; ICPM [12], for example,
+ defines subclasses for IPsec-specific filters.
+
+
+
+
+
+Moore Standards Track [Page 42]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ Instances of the subclasses of FilterEntryBase are not used directly
+ as filters. They are always aggregated into a FilterList, by the
+ aggregation EntriesInFilterList. For PCIMe and its submodels, the
+ EntrySequence property in this aggregation always takes its default
+ value '0', indicating that the aggregated filter entries are ANDed
+ together.
+
+ The FilterList class includes an enumeration property Direction,
+ representing the direction of the traffic flow to which the
+ FilterList is to be applied. The value Mirrored(4) for Direction
+ represents exactly the same thing as the IsMirrored boolean does in
+ CompoundFilterCondition. See Section 5.9.1 for details.
+
+5.10. Conformance to PCIM and PCIMe
+
+ Because PCIM and PCIMe provide the core classes for modeling
+ policies, they are not in general sufficient by themselves for
+ representing actual policy rules. Submodels, such as QPIM and ICPM,
+ provide the means for expressing policy rules, by defining subclasses
+ of the classes defined in PCIM and PCIMe, and/or by indicating how
+ the PolicyVariables and PolicyValues defined in PCIMe can be used to
+ express conditions and actions applicable to the submodel.
+
+ A particular submodel will not, in general, need to use every element
+ defined in PCIM and PCIMe. For the elements it does not use, a
+ submodel SHOULD remain silent on whether its implementations must
+ support the element, must not support the element, should support the
+ element, etc. For the elements it does use, a submodel SHOULD
+ indicate which elements its implementations must support, which
+ elements they should support, and which elements they may support.
+
+ PCIM and PCIMe themselves simply define elements that may be of use
+ to submodels. These documents remain silent on whether
+ implementations are required to support an element, should support
+ it, etc.
+
+ This model (and derived submodels) defines conditions and actions
+ that are used by policy rules. While the conditions and actions
+ defined herein are straightforward and may be presumed to be widely
+ supported, as submodels are developed it is likely that situations
+ will arise in which specific conditions or actions are not supported
+ by some part of the policy execution system. Similarly, situations
+ may also occur where rules contain syntactic or semantic errors.
+
+ It should be understood that the behavior and effect of undefined or
+ incorrectly defined conditions or actions is not prescribed by this
+ information model. While it would be helpful if it were prescribed,
+ the variations in implementation restrict the ability for this
+
+
+
+Moore Standards Track [Page 43]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ information model to control the effect. For example, if an
+ implementation only detected that a PEP could not enforce a given
+ action on that PEP, it would be very difficult to declare that such a
+ failure should affect other PEPs, or the PDP process. On the other
+ hand, if the PDP determines that it cannot properly evaluate a
+ condition, that failure may well affect all applications of the
+ containing rules.
+
+6. Class Definitions
+
+ The following definitions supplement those in PCIM itself. PCIM
+ definitions that are not DEPRECATED here are still current parts of
+ the overall Policy Core Information Model.
+
+6.1. The Abstract Class "PolicySet"
+
+ PolicySet is an abstract class that may group policies into a
+ structured set of policies.
+
+ NAME PolicySet
+ DESCRIPTION An abstract class that represents a set of policies
+ that form a coherent set. The set of contained
+ policies has a common decision strategy and a
+ common set of policy roles. Subclasses include
+ PolicyGroup and PolicyRule.
+ DERIVED FROM Policy
+ ABSTRACT TRUE
+ PROPERTIES PolicyDecisionStrategy
+ PolicyRoles
+
+ The PolicyDecisionStrategy property specifies the evaluation method
+ for policy groups and rules contained within the policy set.
+
+ NAME PolicyDecisionStrategy
+ DESCRIPTION The evaluation method used for policies contained in
+ the PolicySet. FirstMatching enforces the actions
+ of the first rule that evaluates to TRUE;
+ All Matching enforces the actions of all rules
+ that evaluate to TRUE.
+ SYNTAX uint16
+ VALUES 1 [FirstMatching], 2 [AllMatching]
+ DEFAULT VALUE 1 [FirstMatching]
+
+ The definition of PolicyRoles is unchanged from PCIM. It is,
+ however, moved from the class Policy up to the superclass PolicySet.
+
+
+
+
+
+
+Moore Standards Track [Page 44]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.2. Update PCIM's Class "PolicyGroup"
+
+ The PolicyGroup class is moved, so that it is now derived from
+ PolicySet.
+
+ NAME PolicyGroup
+ DESCRIPTION A container for a set of related PolicyRules and
+ PolicyGroups.
+ DERIVED FROM PolicySet
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.3. Update PCIM's Class "PolicyRule"
+
+ The PolicyRule class is moved, so that it is now derived from
+ PolicySet. The Priority property is also deprecated in PolicyRule,
+ and PolicyRoles is now inherited from the parent class PolicySet.
+ Finally, a new property ExecutionStrategy is introduced, paralleling
+ the property of the same name in the class CompoundPolicyAction.
+
+ NAME PolicyRule
+ DESCRIPTION The central class for representing the "If Condition
+ then Action" semantics associated with a policy
+ rule.
+ DERIVED FROM PolicySet
+ ABSTRACT FALSE
+ PROPERTIES Enabled
+ ConditionListType
+ RuleUsage
+ Priority DEPRECATED FOR PolicySetComponent.Priority
+ AND FOR PolicySetInSystem.Priority
+ Mandatory
+ SequencedActions
+ ExecutionStrategy
+
+ The property ExecutionStrategy defines the execution strategy to be
+ used upon the sequenced actions aggregated by this PolicyRule. (An
+ equivalent ExecutionStrategy property is also defined for the
+ CompoundPolicyAction class, to provide the same indication for the
+ sequenced actions aggregated by a CompoundPolicyAction.) This
+ document defines three execution strategies:
+
+ Do Until Success - execute actions according to predefined order,
+ until successful execution of a single action.
+ Do All - execute ALL actions which are part of the modeled
+ set, according to their predefined order.
+ Continue doing this, even if one or more of the
+ actions fails.
+
+
+
+Moore Standards Track [Page 45]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ Do Until Failure - execute actions according to predefined order,
+ until the first failure in execution of a single
+ sub-action.
+
+ The property definition is as follows:
+
+ NAME ExecutionStrategy
+ DESCRIPTION An enumeration indicating how to interpret the
+ action ordering for the actions aggregated by this
+ PolicyRule.
+ SYNTAX uint16 (ENUM, {1=Do Until Success, 2=Do All, 3=Do
+ Until Failure} )
+ DEFAULT VALUE Do All (2)
+
+6.4. The Class "SimplePolicyCondition"
+
+ A simple policy condition is composed of an ordered triplet:
+
+ <Variable> MATCH <Value>
+
+ No formal modeling of the MATCH operator is provided. The 'match'
+ relationship is implied. Such simple conditions are evaluated by
+ answering the question:
+
+ Does <variable> match <value>?
+
+ The 'match' relationship is to be interpreted by analyzing the
+ variable and value instances associated with the simple condition.
+
+ Simple conditions are building blocks for more complex Boolean
+ Conditions, modeled by the CompoundPolicyCondition class.
+
+ The SimplePolicyCondition class is derived from the PolicyCondition
+ class defined in PCIM.
+
+ A variable and a value must be associated with a simple condition to
+ make it a meaningful condition, using, respectively, the aggregations
+ PolicyVariableInSimplePolicyCondition and
+ PolicyValueInSimplePolicyCondition.
+
+ The class definition is as follows:
+
+ NAME SimplePolicyCondition
+ DERIVED FROM PolicyCondition
+ ABSTRACT False
+ PROPERTIES (none)
+
+
+
+
+
+Moore Standards Track [Page 46]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.5. The Class "CompoundPolicyCondition"
+
+ This class represents a compound policy condition, formed by
+ aggregation of simpler policy conditions.
+
+ NAME CompoundPolicyCondition
+ DESCRIPTION A subclass of PolicyCondition that introduces the
+ ConditionListType property, used for assigning DNF /
+ CNF semantics to subordinate policy conditions.
+ DERIVED FROM PolicyCondition
+ ABSTRACT FALSE
+ PROPERTIES ConditionListType
+
+ The ConditionListType property is used to specify whether the list of
+ policy conditions associated with this compound policy condition is
+ in disjunctive normal form (DNF) or conjunctive normal form (CNF).
+ If this property is not present, the list type defaults to DNF. The
+ property definition is as follows:
+
+ NAME ConditionListType
+ DESCRIPTION Indicates whether the list of policy conditions
+ associated with this policy rule is in disjunctive
+ normal form (DNF) or conjunctive normal form (CNF).
+ SYNTAX uint16
+ VALUES DNF(1), CNF(2)
+ DEFAULT VALUE DNF(1)
+
+6.6. The Class "CompoundFilterCondition"
+
+ This subclass of CompoundPolicyCondition introduces one additional
+ property, the boolean IsMirrored. This property turns on or off the
+ "flipping" of corresponding source and destination fields in a filter
+ specification.
+
+ NAME CompoundFilterCondition
+ DESCRIPTION A subclass of CompoundPolicyCondition that
+ introduces the IsMirrored property.
+ DERIVED FROM CompoundPolicyCondition
+ ABSTRACT FALSE
+ PROPERTIES IsMirrored
+
+ The IsMirrored property indicates whether packets that "mirror" a
+ compound filter condition should be treated as matching the filter.
+ The property definition is as follows:
+
+
+
+
+
+
+
+Moore Standards Track [Page 47]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ NAME IsMirrored
+ DESCRIPTION Indicates whether packets that mirror the specified
+ filter are to be treated as matching the filter.
+ SYNTAX boolean
+ DEFAULT VALUE FALSE
+
+6.7. The Class "SimplePolicyAction"
+
+ The SimplePolicyAction class models the elementary set operation.
+ "SET <variable> TO <value>". The set operator MUST overwrite an old
+ value of the variable.
+
+ Two aggregations are used in order to create the pair <variable>
+ <value>. The aggregation PolicyVariableInSimplePolicyAction relates
+ a SimplePolicyAction to a single variable instance. Similarly, the
+ aggregation PolicyValueInSimplePolicyAction relates a
+ SimplePolicyAction to a single value instance. Both aggregations are
+ defined in this document.
+
+ NAME SimplePolicyAction
+ DESCRIPTION A subclass of PolicyAction that introduces the
+ notion of "SET variable TO value".
+ DERIVED FROM PolicyAction
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.8. The Class "CompoundPolicyAction"
+
+ The CompoundPolicyAction class is used to represent an expression
+ consisting of an ordered sequence of action terms. Each action term
+ is represented as a subclass of the PolicyAction class, defined in
+ [PCIM]. Compound actions are constructed by associating dependent
+ action terms together using the PolicyActionInPolicyAction
+ aggregation.
+
+ The class definition is as follows:
+
+ NAME CompoundPolicyAction
+ DESCRIPTION A class for representing sequenced action terms.
+ Each action term is defined to be a subclass of the
+ PolicyAction class.
+ DERIVED FROM PolicyAction
+ ABSTRACT FALSE
+ PROPERTIES SequencedActions
+ ExecutionStrategy
+
+ This is a concrete class, and is therefore directly instantiable.
+
+
+
+
+Moore Standards Track [Page 48]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ The Property SequencedActions is identical to the SequencedActions
+ property defined in PCIM for the class PolicyRule.
+
+ The property ExecutionStrategy defines the execution strategy to be
+ used upon the sequenced actions associated with this compound action.
+ (An equivalent ExecutionStrategy property is also defined for the
+ PolicyRule class, to provide the same indication for the sequenced
+ actions associated with a PolicyRule.) This document defines three
+ execution strategies:
+
+ Do Until Success - execute actions according to predefined order,
+ until successful execution of a single sub-action.
+ Do All - execute ALL actions which are part of the modeled
+ set, according to their predefined order.
+ Continue doing this, even if one or more of the
+ sub-actions fails.
+ Do Until Failure - execute actions according to predefined order,
+ until the first failure in execution of a single
+ sub-action.
+
+ Since a CompoundPolicyAction may itself be aggregated either by a
+ PolicyRule or by another CompoundPolicyAction, its success or failure
+ will be an input to the aggregating entity's execution strategy.
+ Consequently, the following rules are specified, for determining
+ whether a CompoundPolicyAction succeeds or fails:
+
+ If the CompoundPolicyAction's ExecutionStrategy is Do Until Success,
+ then:
+
+ o If one component action succeeds, then the CompoundPolicyAction
+ succeeds.
+ o If all component actions fail, then the CompoundPolicyAction
+ fails.
+
+ If the CompoundPolicyAction's ExecutionStrategy is Do All, then:
+
+ o If all component actions succeed, then the CompoundPolicyAction
+ succeeds.
+ o If at least one component action fails, then the
+ CompoundPolicyAction fails.
+
+ If the CompoundPolicyAction's ExecutionStrategy is Do Until Failure,
+ then:
+
+ o If all component actions succeed, then the CompoundPolicyAction
+ succeeds.
+ o If at least one component action fails, then the
+ CompoundPolicyAction fails.
+
+
+
+Moore Standards Track [Page 49]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ The definition of the ExecutionStrategy property is as follows:
+
+ NAME ExecutionStrategy
+ DESCRIPTION An enumeration indicating how to interpret the
+ action ordering for the actions aggregated by this
+ CompoundPolicyAction.
+ SYNTAX uint16 (ENUM, {1=Do Until Success, 2=Do All, 3=Do
+ Until Failure} )
+ DEFAULT VALUE Do All (2)
+
+6.9. The Abstract Class "PolicyVariable"
+
+ Variables are used for building individual conditions. The variable
+ specifies the property of a flow or an event that should be matched
+ when evaluating the condition. However, not every combination of a
+ variable and a value creates a meaningful condition. For example, a
+ source IP address variable can not be matched against a value that
+ specifies a port number. A given variable selects the set of
+ matchable value types.
+
+ A variable can have constraints that limit the set of values within a
+ particular value type that can be matched against it in a condition.
+ For example, a source-port variable limits the set of values to
+ represent integers to the range of 0-65535. Integers outside this
+ range cannot be matched to the source-port variable, even though they
+ are of the correct data type. Constraints for a given variable are
+ indicated through the ExpectedPolicyValuesForVariable association.
+
+ The PolicyVariable is an abstract class. Implicit and explicit
+ context variable classes are defined as sub classes of the
+ PolicyVariable class. A set of implicit variables is defined in this
+ document as well.
+
+ The class definition is as follows:
+
+ NAME PolicyVariable
+ DERIVED FROM Policy
+ ABSTRACT TRUE
+ PROPERTIES (none)
+
+6.10. The Class "PolicyExplicitVariable"
+
+ Explicitly defined policy variables are evaluated within the context
+ of the CIM Schema and its modeling constructs. The
+ PolicyExplicitVariable class indicates the exact model property to be
+ evaluated or manipulated. See Section 5.8.6 for a complete
+ discussion of what happens when the values of the ModelClass and
+
+
+
+
+Moore Standards Track [Page 50]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ ModelProperty properties in an instance of this class do not
+ correspond to the characteristics of the model construct being
+ evaluated or updated.
+
+ The class definition is as follows:
+
+ NAME PolicyExplicitVariable
+ DERIVED FROM PolicyVariable
+ ABSTRACT False
+ PROPERTIES ModelClass, ModelProperty
+
+6.10.1. The Single-Valued Property "ModelClass"
+
+ This property is a string specifying the class name whose property is
+ evaluated or set as a PolicyVariable.
+
+ The property is defined as follows:
+
+ NAME ModelClass
+ SYNTAX String
+
+6.10.2. The Single-Valued Property ModelProperty
+
+ This property is a string specifying the property name, within the
+ ModelClass, which is evaluated or set as a PolicyVariable. The
+ property is defined as follows:
+
+ NAME ModelProperty
+ SYNTAX String
+
+6.11. The Abstract Class "PolicyImplicitVariable"
+
+ Implicitly defined policy variables are evaluated outside of the
+ context of the CIM Schema and its modeling constructs. Subclasses
+ specify the data type and semantics of the PolicyVariables.
+
+ Interpretation and evaluation of a PolicyImplicitVariable can vary,
+ depending on the particular context in which it is used. For
+ example, a "SourceIP" address may denote the source address field of
+ an IP packet header, or the sender address delivered by an RSVP PATH
+ message.
+
+ The class definition is as follows:
+
+ NAME PolicyImplicitVariable
+ DERIVED FROM PolicyVariable
+ ABSTRACT True
+ PROPERTIES ValueTypes[ ]
+
+
+
+Moore Standards Track [Page 51]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.11.1. The Multi-Valued Property "ValueTypes"
+
+ This property is a set of strings specifying an unordered list of
+ possible value/data types that can be used in simple conditions and
+ actions, with this variable. The value types are specified by their
+ class names (subclasses of PolicyValue such as PolicyStringValue).
+ The list of class names enables an application to search on a
+ specific name, as well as to ensure that the data type of the
+ variable is of the correct type.
+
+ The list of default ValueTypes for each subclass of
+ PolicyImplicitVariable is specified within that variable's
+ definition.
+
+ The property is defined as follows:
+
+ NAME ValueTypes
+ SYNTAX String
+
+6.12. Subclasses of "PolicyImplicitVariable" Specified in PCIMe
+
+ The following subclasses of PolicyImplicitVariable are defined in
+ PCIMe.
+
+6.12.1. The Class "PolicySourceIPv4Variable"
+
+ NAME PolicySourceIPv4Variable
+ DESCRIPTION The source IPv4 address. of the outermost IP packet
+ header. "Outermost" here refers to the IP packet as
+ it flows on the wire, before any headers have been
+ stripped from it.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIPv4AddrValue
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.2. The Class "PolicySourceIPv6Variable"
+
+ NAME PolicySourceIPv6Variable
+ DESCRIPTION The source IPv6 address of the outermost IP packet
+ header. "Outermost" here refers to the IP packet as
+ it flows on the wire, before any headers have been
+ stripped from it.
+
+
+
+
+
+Moore Standards Track [Page 52]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ ALLOWED VALUE TYPES:
+ - PolicyIPv6AddrValue
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.3. The Class "PolicyDestinationIPv4Variable"
+
+ NAME PolicyDestinationIPv4Variable
+ DESCRIPTION The destination IPv4 address of the outermost IP
+ packet header. "Outermost" here refers to the IP
+ packet as it flows on the wire, before any headers
+ have been stripped from it.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIPv4AddrValue
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.4. The Class "PolicyDestinationIPv6Variable"
+
+ NAME PolicyDestinationIPv6Variable
+ DESCRIPTION The destination IPv6 address of the outermost IP
+ packet header. "Outermost" here refers to the IP
+ packet as it flows on the wire, before any headers
+ have been stripped from it.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIPv6AddrValue
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 53]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.12.5. The Class "PolicySourcePortVariable"
+
+ NAME PolicySourcePortVariable
+ DESCRIPTION Ports are defined as the abstraction that transport
+ protocols use to distinguish among multiple
+ destinations within a given host computer. For TCP
+ and UDP flows, the PolicySourcePortVariable is
+ logically bound to the source port field of the
+ outermost UDP or TCP packet header. "Outermost"
+ here refers to the IP packet as it flows on the
+ wire, before any headers have been stripped from
+ it.
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..65535)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.6. The Class "PolicyDestinationPortVariable"
+
+ NAME PolicyDestinationPortVariable
+ DESCRIPTION Ports are defined as the abstraction that transport
+ protocols use to distinguish among multiple
+ destinations within a given host computer. For TCP
+ and UDP flows, the PolicyDestinationPortVariable is
+ logically bound to the destination port field of the
+ outermost UDP or TCP packet header. "Outermost"
+ here refers to the IP packet as it flows on the
+ wire, before any headers have been stripped from it.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..65535)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.7. The Class "PolicyIPProtocolVariable"
+
+ NAME PolicyIPProtocolVariable
+ DESCRIPTION The IP protocol number.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..255)
+
+
+
+
+
+
+Moore Standards Track [Page 54]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.8. The Class "PolicyIPVersionVariable"
+
+ NAME PolicyIPVersionVariable
+ DESCRIPTION The IP version number. The well-known values are 4
+ and 6.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..15)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.9. The Class "PolicyIPToSVariable"
+
+ NAME PolicyIPToSVariable
+ DESCRIPTION The IP TOS octet.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..255)
+ - PolicyBitStringValue (8 bits)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.10. The Class "PolicyDSCPVariable"
+
+ NAME PolicyDSCPVariable
+ DESCRIPTION The 6 bit Differentiated Service Code Point.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..63)
+ - PolicyBitStringValue (6 bits)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 55]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.12.11. The Class "PolicyFlowIdVariable"
+
+ NAME PolicyFlowIdVariable
+ DESCRIPTION The flow identifier of the outermost IPv6 packet
+ header. "Outermost" here refers to the IP packet as
+ it flows on the wire, before any headers have been
+ stripped from it.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..1048575
+ - PolicyBitStringValue (20 bits)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.12. The Class "PolicySourceMACVariable"
+
+ NAME PolicySourceMACVariable
+ DESCRIPTION The source MAC address.
+
+ ALLOWED VALUE TYPES:
+ - PolicyMACAddrValue
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.13. The Class "PolicyDestinationMACVariable"
+
+ NAME PolicyDestinationMACVariable
+ DESCRIPTION The destination MAC address.
+
+ ALLOWED VALUE TYPES:
+ - PolicyMACAddrValue
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.14. The Class "PolicyVLANVariable"
+
+ NAME PolicyVLANVariable
+ DESCRIPTION The virtual Bridged Local Area Network Identifier, a
+ 12-bit field as defined in the IEEE 802.1q standard.
+
+
+
+
+
+
+Moore Standards Track [Page 56]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..4095)
+ - PolicyBitStringValue (12 bits)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.15. The Class "PolicyCoSVariable"
+
+ NAME PolicyCoSVariable
+ DESCRIPTION Class of Service, a 3-bit field, used in the layer 2
+ header to select the forwarding treatment. Bound to
+ the IEEE 802.1q user-priority field.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..7)
+ - PolicyBitStringValue (3 bits)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.16. The Class "PolicyEthertypeVariable"
+
+ NAME PolicyEthertypeVariable
+ DESCRIPTION The Ethertype protocol number of Ethernet frames.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..65535)
+ - PolicyBitStringValue (16 bits)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.17. The Class "PolicySourceSAPVariable"
+
+ NAME PolicySourceSAPVariable
+ DESCRIPTION The Source Service Access Point (SAP) number of the
+ IEEE 802.2 LLC header.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..255)
+ - PolicyBitStringValue (8 bits)
+
+
+
+
+
+
+Moore Standards Track [Page 57]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.18. The Class "PolicyDestinationSAPVariable"
+
+ NAME PolicyDestinationSAPVariable
+ DESCRIPTION The Destination Service Access Point (SAP) number of
+ the IEEE 802.2 LLC header.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..255)
+ - PolicyBitStringValue (8 bits)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.19. The Class "PolicySNAPOUIVariable"
+
+ NAME PolicySNAPOUIVariable
+ DESCRIPTION The value of the first three octets of the Sub-
+ Network Access Protocol (SNAP) Protocol Identifier
+ field for 802.2 SNAP encapsulation, containing an
+ Organizationally Unique Identifier (OUI). The value
+ 00-00-00 indicates the encapsulation of Ethernet
+ frames (RFC 1042). OUI value 00-00-F8 indicates the
+ special encapsulation of Ethernet frames by certain
+ types of bridges (IEEE 802.1H). Other values are
+ supported, but are not further defined here. These
+ OUI values are to be interpreted according to the
+ endian-notation conventions of IEEE 802. For either
+ of the two Ethernet encapsulations, the remainder of
+ the Protocol Identifier field is represented by the
+ PolicySNAPTypeVariable.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..16777215)
+ - PolicyBitStringValue (24 bits)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 58]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.12.20. The Class "PolicySNAPTypeVariable"
+
+ NAME PolicySNAPTypeVariable
+ DESCRIPTION The value of the 4th and 5th octets of the Sub-
+ Network Access Protocol (SNAP) Protocol Identifier
+ field for IEEE 802 SNAP encapsulation when the
+ PolicySNAPOUIVariable indicates one of the two
+ Encapsulated Ethernet frame formats. This value is
+ undefined for other values of PolicySNAPOUIVariable.
+
+ ALLOWED VALUE TYPES:
+ - PolicyIntegerValue (0..65535)
+ - PolicyBitStringValue (16 bits)
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.12.21. The Class "PolicyFlowDirectionVariable"
+
+ NAME PolicyFlowDirectionVariable
+ DESCRIPTION The direction of a flow relative to a network
+ element. Direction may be "IN" and/or "OUT".
+
+ ALLOWED VALUE TYPES:
+ - PolicyStringValue ('IN", "OUT")
+
+ DERIVED FROM PolicyImplicitVariable
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+ To match on both inbound and outbound flows, the associated
+ PolicyStringValue object has two entries in its StringList property:
+ "IN" and "OUT".
+
+6.13. The Abstract Class "PolicyValue"
+
+ This is an abstract class that serves as the base class for all
+ subclasses that are used to define value objects in the PCIMe. It is
+ used for defining values and constants used in policy conditions.
+ The class definition is as follows:
+
+ NAME PolicyValue
+ DERIVED FROM Policy
+ ABSTRACT True
+ PROPERTIES (none)
+
+
+
+
+
+Moore Standards Track [Page 59]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.14. Subclasses of "PolicyValue" Specified in PCIMe
+
+ The following subsections contain the PolicyValue subclasses defined
+ in PCIMe. Additional subclasses may be defined in models derived
+ from PCIMe.
+
+6.14.1. The Class "PolicyIPv4AddrValue"
+
+ This class is used to provide a list of IPv4Addresses, hostnames and
+ address range values to be matched against in a policy condition.
+ The class definition is as follows:
+
+ NAME PolicyIPv4AddrValue
+ DERIVED FROM PolicyValue
+ ABSTRACT False
+ PROPERTIES IPv4AddrList[ ]
+
+ The IPv4AddrList property provides an unordered list of strings, each
+ specifying a single IPv4 address, a hostname, or a range of IPv4
+ addresses, according to the ABNF definition [6] of an IPv4 address,
+ as specified below:
+
+ IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
+ IPv4prefix = IPv4address "/" 1*2DIGIT
+ IPv4range = IPv4address"-"IPv4address
+ IPv4maskedaddress = IPv4address","IPv4address
+ Hostname (as defined in [4])
+
+ In the above definition, each string entry is either:
+
+ 1. A single IPv4address in dot notation, as defined above. Example:
+ 121.1.1.2
+
+ 2. An IPv4prefix address range, as defined above, specified by an
+ address and a prefix length, separated by "/". Example:
+ 2.3.128.0/15
+
+ 3. An IPv4range address range defined above, specified by a starting
+ address in dot notation and an ending address in dot notation,
+ separated by "-". The range includes all addresses between the
+ range's starting and ending addresses, including these two
+ addresses. Example: 1.1.22.1-1.1.22.5
+
+ 4. An IPv4maskedaddress address range, as defined above, specified by
+ an address and mask. The address and mask are represented in dot
+ notation, separated by a comma ",". The masked address appears
+ before the comma, and the mask appears after the comma. Example:
+ 2.3.128.0,255.255.248.0.
+
+
+
+Moore Standards Track [Page 60]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ 5. A single Hostname. The Hostname format follows the guidelines and
+ restrictions specified in [4]. Example: www.bigcompany.com.
+
+ Conditions matching IPv4AddrValues evaluate to true according to the
+ generic matching rules. Additionally, a hostname is matched against
+ another valid IPv4address representation by resolving the hostname
+ into an IPv4 address first, and then comparing the addresses
+ afterwards. Matching hostnames against each other is done using a
+ string comparison of the two names.
+
+ The property definition is as follows:
+
+ NAME IPv4AddrList
+ SYNTAX String
+ FORMAT IPv4address | IPv4prefix | IPv4range |
+ IPv4maskedaddress | hostname
+
+6.14.2. The Class "PolicyIPv6AddrValue
+
+ This class is used to define a list of IPv6 addresses, hostnames, and
+ address range values. The class definition is as follows:
+
+ NAME PolicyIPv6AddrValue
+ DERIVED FROM PolicyValue
+ ABSTRACT False
+ PROPERTIES IPv6AddrList[ ]
+
+ The property IPv6AddrList provides an unordered list of strings, each
+ specifying an IPv6 address, a hostname, or a range of IPv6 addresses.
+ IPv6 address format definition uses the standard address format
+ defined in [7]. The ABNF definition [6] as specified in [7] is:
+
+ IPv6address = hexpart [ ":" IPv4address ]
+ IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
+ IPv6prefix = hexpart "/" 1*2DIGIT
+ hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
+ hexseq = hex4 *( ":" hex4)
+ hex4 = 1*4HEXDIG
+ IPv6range = IPv6address"-"IPv6address
+ IPv6maskedaddress = IPv6address","IPv6address
+ Hostname (as defines in [NAMES])
+
+ Each string entry is either:
+
+ 1. A single IPv6address as defined above.
+
+ 2. A single Hostname. Hostname format follows guidelines and
+ restrictions specified in [4].
+
+
+
+Moore Standards Track [Page 61]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ 3. An IPv6range address range, specified by a starting address in dot
+ notation and an ending address in dot notation, separated by "-".
+ The range includes all addresses between the range's starting and
+ ending addresses, including these two addresses.
+
+ 4. An IPv4maskedaddress address range defined above specified by an
+ address and mask. The address and mask are represented in dot
+ notation separated by a comma ",".
+
+ 5. A single IPv6prefix as defined above.
+
+ Conditions matching IPv6AddrValues evaluate to true according to the
+ generic matching rules. Additionally, a hostname is matched against
+ another valid IPv6address representation by resolving the hostname
+ into an IPv6 address first, and then comparing the addresses
+ afterwards. Matching hostnames against each other is done using a
+ string comparison of the two names.
+
+6.14.3. The Class "PolicyMACAddrValue"
+
+ This class is used to define a list of MAC addresses and MAC address
+ range values. The class definition is as follows:
+
+ NAME PolicyMACAddrValue
+ DERIVED FROM PolicyValue
+ ABSTRACT False
+ PROPERTIES MACAddrList[ ]
+
+ The property MACAddrList provides an unordered list of strings, each
+ specifying a MAC address or a range of MAC addresses. The 802 MAC
+ address canonical format is used. The ABNF definition [6] is:
+
+ MACaddress = 1*4HEXDIG ":" 1*4HEXDIG ":" 1*4HEXDIG
+ MACmaskedaddress = MACaddress","MACaddress
+
+ Each string entry is either:
+
+ 1. A single MAC address. Example: 0000:00A5:0000
+
+ 2. A MACmaskedaddress address range defined specified by an address
+ and mask. The mask specifies the relevant bits in the address.
+ Example: 0000:00A5:0000,FFFF:FFFF:0000 defines a range of MAC
+ addresses in which the first four octets are equal to 0000:00A5.
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 62]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ The property definition is as follows:
+
+ NAME MACAddrList
+ SYNTAX String
+ FORMAT MACaddress | MACmaskedaddress
+
+6.14.4. The Class "PolicyStringValue"
+
+ This class is used to represent a single string value, or a set of
+ string values. Each value can have wildcards. The class definition
+ is as follows:
+
+ NAME PolicyStringValue
+ DERIVED FROM PolicyValue
+ ABSTRACT False
+ PROPERTIES StringList[ ]
+
+ The property StringList provides an unordered list of strings, each
+ representing a single string with wildcards. The asterisk character
+ "*" is used as a wildcard, and represents an arbitrary substring
+ replacement. For example, the value "abc*def" matches the string
+ "abcxyzdef", and the value "abc*def*" matches the string
+ "abcxxxdefyyyzzz". The syntax definition is identical to the
+ substring assertion syntax defined in [5]. If the asterisk character
+ is required as part of the string value itself, it MUST be quoted as
+ described in Section 4.3 of [5].
+
+ The property definition is as follows:
+
+ NAME StringList
+ SYNTAX String
+
+6.14.5. The Class "PolicyBitStringValue"
+
+ This class is used to represent a single bit string value, or a set
+ of bit string values. The class definition is as follows:
+
+ NAME PolicyBitStringValue
+ DERIVED FROM PolicyValue
+ ABSTRACT False
+ PROPERTIES BitStringList[ ]
+
+ The property BitStringList provides an unordered list of strings,
+ each representing a single bit string or a set of bit strings. The
+ number of bits specified SHOULD equal the number of bits of the
+ expected variable. For example, for a one-octet variable, 8 bits
+
+
+
+
+
+Moore Standards Track [Page 63]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ should be specified. If the variable does not have a fixed length,
+ the bit string should be matched against the variable's most
+ significant bit string. The formal definition of a bit string is:
+
+ binary-digit = "0" / "1"
+ bitString = 1*binary-digit
+ maskedBitString = bitString","bitString
+
+ Each string entry is either:
+
+ 1. A single bit string. Example: 00111010
+
+ 2. A range of bit strings specified using a bit string and a bit
+ mask. The bit string and mask fields have the same number of bits
+ specified. The mask bit string specifies the significant bits in
+ the bit string value. For example, 110110, 100110 and 110111
+ would match the maskedBitString 100110,101110 but 100100 would
+ not.
+
+ The property definition is as follows:
+
+ NAME BitStringList
+ SYNTAX String
+ FORMAT bitString | maskedBitString
+
+6.14.6. The Class "PolicyIntegerValue"
+
+ This class provides a list of integer and integer range values.
+ Integers of arbitrary sizes can be represented. The class definition
+ is as follows:
+
+ NAME PolicyIntegerValue
+ DERIVED FROM PolicyValue
+ ABSTRACT False
+ PROPERTIES IntegerList[ ]
+
+ The property IntegerList provides an unordered list of integers and
+ integer range values, represented as strings. The format of this
+ property takes one of the following forms:
+
+ 1. An integer value.
+
+ 2. A range of integers. The range is specified by a starting integer
+ and an ending integer, separated by '..'. The starting integer
+ MUST be less than or equal to the ending integer. The range
+ includes all integers between the starting and ending integers,
+ including these two integers.
+
+
+
+
+Moore Standards Track [Page 64]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ To represent a range of integers that is not bounded, the reserved
+ words -INFINITY and/or INFINITY can be used in place of the starting
+ and ending integers. In addition to ordinary integer matches,
+ INFINITY matches INFINITY and -INFINITY matches -INFINITY.
+
+ The ABNF definition [6] is:
+
+ integer = [-]1*DIGIT | "INFINITY" | "-INFINITY"
+ integerrange = integer".."integer
+
+ Using ranges, the operators greater-than, greater-than-or-equal-to,
+ less- than, and less-than-or-equal-to can be expressed. For example,
+ "X is- greater-than 5" (where X is an integer) can be translated to
+ "X matches 6-INFINITY". This enables the match condition semantics
+ of the operator for the SimplePolicyCondition class to be kept simple
+ (i.e., just the value "match").
+
+ The property definition is as follows:
+
+ NAME IntegerList
+ SYNTAX String
+ FORMAT integer | integerrange
+
+6.14.7. The Class "PolicyBooleanValue"
+
+ This class is used to represent a Boolean (TRUE/FALSE) value. The
+ class definition is as follows:
+
+ NAME PolicyBooleanValue
+ DERIVED FROM PolicyValue
+ ABSTRACT False
+ PROPERTIES BooleanValue
+
+ The property definition is as follows:
+
+ NAME BooleanValue
+ SYNTAX boolean
+
+6.15. The Class "PolicyRoleCollection"
+
+ This class represents a collection of managed elements that share a
+ common role. The PolicyRoleCollection always exists in the context
+ of a system, specified using the PolicyRoleCollectionInSystem
+ association. The value of the PolicyRole property in this class
+ specifies the role, and can be matched with the value(s) in the
+ PolicyRoles array in PolicyRules and PolicyGroups. ManagedElements
+ that share the role defined in this collection are aggregated into
+ the collection via the association ElementInPolicyRoleCollection.
+
+
+
+Moore Standards Track [Page 65]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ NAME PolicyRoleCollection
+ DESCRIPTION A subclass of the CIM Collection class used to group
+ together managed elements that share a role.
+ DERIVED FROM Collection
+ ABSTRACT FALSE
+
+ PROPERTIES PolicyRole
+
+6.15.1. The Single-Valued Property "PolicyRole"
+
+ This property represents the role associated with a
+ PolicyRoleCollection. The property definition is as follows:
+
+ NAME PolicyRole
+ DESCRIPTION A string representing the role associated with a
+ PolicyRoleCollection.
+ SYNTAX string
+
+6.16. The Class "ReusablePolicyContainer"
+
+ The new class ReusablePolicyContainer is defined as follows:
+
+ NAME ReusablePolicyContainer
+ DESCRIPTION A class representing an administratively defined
+ container for reusable policy-related information.
+ This class does not introduce any additional
+ properties beyond those in its superclass
+ AdminDomain. It does, however, participate in
+ a number of unique associations.
+ DERIVED FROM AdminDomain
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.17. Deprecate PCIM's Class "PolicyRepository"
+
+ The class definition of PolicyRepository (from PCIM) is updated as
+ follows, with an indication that the class has been deprecated. Note
+ that when an element of the model is deprecated, its replacement
+ element is identified explicitly.
+
+ NAME PolicyRepository
+ DEPRECATED FOR ReusablePolicyContainer
+ DESCRIPTION A class representing an administratively defined
+ container for reusable policy-related information.
+ This class does not introduce any additional
+ properties beyond those in its superclass
+ AdminDomain. It does, however, participate in a
+ number of unique associations.
+
+
+
+Moore Standards Track [Page 66]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ DERIVED FROM AdminDomain
+ ABSTRACT FALSE
+ PROPERTIES (none)
+
+6.18. The Abstract Class "FilterEntryBase"
+
+ FilterEntryBase is the abstract base class from which all filter
+ entry classes are derived. It serves as the endpoint for the
+ EntriesInFilterList aggregation, which groups filter entries into
+ filter lists. Its properties include CIM naming attributes and an
+ IsNegated boolean property (to easily "NOT" the match information
+ specified in an instance of one of its subclasses).
+
+ The class definition is as follows:
+
+ NAME FilterEntryBase
+ DESCRIPTION An abstract class representing a single
+ filter that is aggregated into a
+ FilterList via the aggregation
+ EntriesInFilterList.
+ DERIVED FROM LogicalElement
+ TYPE Abstract
+ PROPERTIES IsNegated
+
+6.19. The Class "IpHeadersFilter"
+
+ This concrete class contains the most commonly required properties
+ for performing filtering on IP, TCP or UDP headers. Properties not
+ present in an instance of IPHeadersFilter are treated as 'all
+ values'. A property HdrIpVersion identifies whether the IP addresses
+ in an instance are IPv4 or IPv6 addresses. Since the source and
+ destination IP addresses come from the same packet header, they will
+ always be of the same type.
+
+ The class definition is as follows:
+
+ NAME IpHeadersFilter
+ DESCRIPTION A class representing an entire IP
+ header filter, or any subset of one.
+ DERIVED FROM FilterEntryBase
+ TYPE Concrete
+ PROPERTIES HdrIpVersion, HdrSrcAddress,
+ HdrSrcAddressEndOfRange, HdrSrcMask,
+ HdrDestAddress, HdrDestAddressEndOfRange,
+ HdrDestMask, HdrProtocolID,
+ HdrSrcPortStart, HdrSrcPortEnd,
+ HdrDestPortStart, HdrDestPortEnd, HdrDSCP[ ],
+ HdrFlowLabel
+
+
+
+Moore Standards Track [Page 67]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.19.1. The Property HdrIpVersion
+
+ This property is an 8-bit unsigned integer, identifying the version
+ of the IP addresses to be filtered on. IP versions are identified as
+ they are in the Version field of the IP packet header - IPv4 = 4,
+ IPv6 = 6. These two values are the only ones defined for this
+ property.
+
+ The value of this property determines the sizes of the OctetStrings
+ in the six properties HdrSrcAddress, HdrSrcAddressEndOfRange,
+ HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange, and
+ HdrDestMask, as follows:
+
+ o IPv4: OctetString(SIZE (4))
+
+ o IPv6: OctetString(SIZE (16|20)), depending on whether a scope
+ identifier is present
+
+ If a value for this property is not provided, then the filter does
+ not consider IP version in selecting matching packets, i.e., IP
+ version matches for all values. In this case, the HdrSrcAddress,
+ HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress,
+ HdrDestAddressEndOfRange, and HdrDestMask must also not be present.
+
+6.19.2. The Property HdrSrcAddress
+
+ This property is an OctetString, of a size determined by the value of
+ the HdrIpVersion property, representing a source IP address. When
+ there is no HdrSrcAddressEndOfRange value, this value is compared to
+ the source address in the IP header, subject to the mask represented
+ in the HdrSrcMask property. (Note that the mask is ANDed with the
+ address.) When there is a HdrSrcAddressEndOfRange value, this value
+ is the start of the specified range (i.e., the HdrSrcAddress is lower
+ than the HdrSrcAddressEndOfRange) that is compared to the source
+ address in the IP header and matches on any value in the range.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrSrcAddress in selecting matching packets, i.e.,
+ HdrSrcAddress matches for all values.
+
+6.19.3. The Property HdrSrcAddressEndOfRange
+
+ This property is an OctetString, of a size determined by the value of
+ the HdrIpVersion property, representing the end of a range of source
+ IP addresses (inclusive), where the start of the range is the
+ HdrSrcAddress property value.
+
+
+
+
+
+Moore Standards Track [Page 68]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ If a value for HdrSrcAddress is not provided, then this property also
+ MUST NOT be provided. If a value for this property is provided, then
+ HdrSrcMask MUST NOT be provided.
+
+6.19.4. The Property HdrSrcMask
+
+ This property is an OctetString, of a size determined by the value of
+ the HdrIpVersion property, representing a mask to be used in
+ comparing the source address in the IP header with the value
+ represented in the HdrSrcAddress property.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrSrcMask in selecting matching packets, i.e., the
+ value of HdrSrcAddress or the source address range must match the
+ source address in the packet exactly. If a value for this property
+ is provided, then HdrSrcAddressEndOfRange MUST NOT be provided.
+
+6.19.5. The Property HdrDestAddress
+
+ This property is an OctetString, of a size determined by the value of
+ the HdrIpVersion property, representing a destination IP address.
+ When there is no HdrDestAddressEndOfRange value, this value is
+ compared to the destination address in the IP header, subject to the
+ mask represented in the HdrDestMask property. (Note that the mask is
+ ANDed with the address.) When there is a HdrDestAddressEndOfRange
+ value, this value is the start of the specified range (i.e., the
+ HdrDestAddress is lower than the HdrDestAddressEndOfRange) that is
+ compared to the destination address in the IP header and matches on
+ any value in the range.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrDestAddress in selecting matching packets, i.e.,
+ HdrDestAddress matches for all values.
+
+6.19.6. The Property HdrDestAddressEndOfRange
+
+ This property is an OctetString, of a size determined by the value of
+ the HdrIpVersion property, representing the end of a range of
+ destination IP addresses (inclusive), where the start of the range is
+ the HdrDestAddress property value.
+
+ If a value for HdrDestAddress is not provided, then this property
+ also MUST NOT be provided. If a value for this property is provided,
+ then HdrDestMask MUST NOT be provided.
+
+
+
+
+
+
+
+Moore Standards Track [Page 69]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.19.7. The Property HdrDestMask
+
+ This property is an OctetString, of a size determined by the value of
+ the HdrIpVersion property, representing a mask to be used in
+ comparing the destination address in the IP header with the value
+ represented in the HdrDestAddress property.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrDestMask in selecting matching packets, i.e., the
+ value of HdrDestAddress or the destination address range must match
+ the destination address in the packet exactly. If a value for this
+ property is provided, then HdrDestAddressEndOfRange MUST NOT be
+ provided.
+
+6.19.8. The Property HdrProtocolID
+
+ This property is an 8-bit unsigned integer, representing an IP
+ protocol type. This value is compared to the Protocol field in the
+ IP header.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrProtocolID in selecting matching packets, i.e.,
+ HdrProtocolID matches for all values.
+
+6.19.9. The Property HdrSrcPortStart
+
+ This property is a 16-bit unsigned integer, representing the lower
+ end of a range of UDP or TCP source ports. The upper end of the
+ range is represented by the HdrSrcPortEnd property. The value of
+ HdrSrcPortStart MUST be no greater than the value of HdrSrcPortEnd.
+ A single port is indicated by equal values for HdrSrcPortStart and
+ HdrSrcPortEnd.
+
+ A source port filter is evaluated by testing whether the source port
+ identified in the IP header falls within the range of values between
+ HdrSrcPortStart and HdrSrcPortEnd, including these two end points.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrSrcPortStart in selecting matching packets, i.e.,
+ there is no lower bound in matching source port values.
+
+6.19.10. The Property HdrSrcPortEnd
+
+ This property is a 16-bit unsigned integer, representing the upper
+ end of a range of UDP or TCP source ports. The lower end of the
+ range is represented by the HdrSrcPortStart property. The value of
+
+
+
+
+
+Moore Standards Track [Page 70]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ HdrSrcPortEnd MUST be no less than the value of HdrSrcPortStart. A
+ single port is indicated by equal values for HdrSrcPortStart and
+ HdrSrcPortEnd.
+
+ A source port filter is evaluated by testing whether the source port
+ identified in the IP header falls within the range of values between
+ HdrSrcPortStart and HdrSrcPortEnd, including these two end points.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrSrcPortEnd in selecting matching packets, i.e., there
+ is no upper bound in matching source port values.
+
+6.19.11. The Property HdrDestPortStart
+
+ This property is a 16-bit unsigned integer, representing the lower
+ end of a range of UDP or TCP destination ports. The upper end of the
+ range is represented by the HdrDestPortEnd property. The value of
+ HdrDestPortStart MUST be no greater than the value of HdrDestPortEnd.
+ A single port is indicated by equal values for HdrDestPortStart and
+ HdrDestPortEnd.
+
+ A destination port filter is evaluated by testing whether the
+ destination port identified in the IP header falls within the range
+ of values between HdrDestPortStart and HdrDestPortEnd, including
+ these two end points.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrDestPortStart in selecting matching packets, i.e.,
+ there is no lower bound in matching destination port values.
+
+6.19.12. The Property HdrDestPortEnd
+
+ This property is a 16-bit unsigned integer, representing the upper
+ end of a range of UDP or TCP destination ports. The lower end of the
+ range is represented by the HdrDestPortStart property. The value of
+ HdrDestPortEnd MUST be no less than the value of HdrDestPortStart. A
+ single port is indicated by equal values for HdrDestPortStart and
+ HdrDestPortEnd.
+
+ A destination port filter is evaluated by testing whether the
+ destination port identified in the IP header falls within the range
+ of values between HdrDestPortStart and HdrDestPortEnd, including
+ these two end points.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrDestPortEnd in selecting matching packets, i.e.,
+ there is no upper bound in matching destination port values.
+
+
+
+
+Moore Standards Track [Page 71]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.19.13. The Property HdrDSCP
+
+ The property HdrDSCP is defined as an array of uint8's, restricted to
+ the range 0..63. Since DSCPs are defined as discrete code points,
+ with no inherent structure, there is no semantically significant
+ relationship between different DSCPs. Consequently, there is no
+ provision for specifying a range of DSCPs in this property. However,
+ a list of individual DSCPs, which are ORed together to form a filter,
+ is supported by the array syntax.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrDSCP in selecting matching packets, i.e., HdrDSCP
+ matches for all values.
+
+6.19.14. The Property HdrFlowLabel
+
+ The 20-bit Flow Label field in the IPv6 header may be used by a
+ source to label sequences of packets for which it requests special
+ handling by IPv6 devices, such as non-default quality of service or
+ 'real-time' service. This property is an octet string of size 3
+ (that is, 24 bits), in which the 20-bit Flow Label appears in the
+ rightmost 20 bits, padded on the left with b'0000'.
+
+ If a value for this property is not provided, then the filter does
+ not consider HdrFlowLabel in selecting matching packets, i.e.,
+ HdrFlowLabel matches for all values.
+
+6.20. The Class "8021Filter"
+
+ This concrete class allows 802.1.source and destination MAC
+ addresses, as well as the 802.1 protocol ID, priority, and VLAN
+ identifier fields, to be expressed in a single object
+
+ The class definition is as follows:
+
+ NAME 8021Filter
+ DESCRIPTION A class that allows 802.1 source
+ and destination MAC address and
+ protocol ID, priority, and VLAN
+ identifier filters to be
+ expressed in a single object.
+ DERIVED FROM FilterEntryBase
+ TYPE Concrete
+ PROPERTIES 8021HdrSrcMACAddr, 8021HdrSrcMACMask,
+ 8021HdrDestMACAddr, 8021HdrDestMACMask,
+ 8021HdrProtocolID, 8021HdrPriorityValue,
+ 8021HDRVLANID
+
+
+
+
+Moore Standards Track [Page 72]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.20.1. The Property 8021HdrSrcMACAddr
+
+ This property is an OctetString of size 6, representing a 48-bit
+ source MAC address in canonical format. This value is compared to
+ the SourceAddress field in the MAC header, subject to the mask
+ represented in the 8021HdrSrcMACMask property.
+
+ If a value for this property is not provided, then the filter does
+ not consider 8021HdrSrcMACAddr in selecting matching packets, i.e.,
+ 8021HdrSrcMACAddr matches for all values.
+
+6.20.2. The Property 8021HdrSrcMACMask
+
+ This property is an OctetString of size 6, representing a 48-bit mask
+ to be used in comparing the SourceAddress field in the MAC header
+ with the value represented in the 8021HdrSrcMACAddr property.
+
+ If a value for this property is not provided, then the filter does
+ not consider 8021HdrSrcMACMask in selecting matching packets, i.e.,
+ the value of 8021HdrSrcMACAddr must match the source MAC address in
+ the packet exactly.
+
+6.20.3. The Property 8021HdrDestMACAddr
+
+ This property is an OctetString of size 6, representing a 48-bit
+ destination MAC address in canonical format. This value is compared
+ to the DestinationAddress field in the MAC header, subject to the
+ mask represented in the 8021HdrDestMACMask property.
+
+ If a value for this property is not provided, then the filter does
+ not consider 8021HdrDestMACAddr in selecting matching packets, i.e.,
+ 8021HdrDestMACAddr matches for all values.
+
+6.20.4. The Property 8021HdrDestMACMask
+
+ This property is an OctetString of size 6, representing a 48-bit mask
+ to be used in comparing the DestinationAddress field in the MAC
+ header with the value represented in the 8021HdrDestMACAddr property.
+
+ If a value for this property is not provided, then the filter does
+ not consider 8021HdrDestMACMask in selecting matching packets, i.e.,
+ the value of 8021HdrDestMACAddr must match the destination MAC
+ address in the packet exactly.
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 73]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+6.20.5. The Property 8021HdrProtocolID
+
+ This property is a 16-bit unsigned integer, representing an Ethernet
+ protocol type. This value is compared to the Ethernet Type field in
+ the 802.3 MAC header.
+
+ If a value for this property is not provided, then the filter does
+ not consider 8021HdrProtocolID in selecting matching packets, i.e.,
+ 8021HdrProtocolID matches for all values.
+
+6.20.6. The Property 8021HdrPriorityValue
+
+ This property is an 8-bit unsigned integer, representing an 802.1Q
+ priority. This value is compared to the Priority field in the 802.1Q
+ header. Since the 802.1Q Priority field consists of 3 bits, the
+ values for this property are limited to the range 0..7.
+
+ If a value for this property is not provided, then the filter does
+ not consider 8021HdrPriorityValue in selecting matching packets,
+ i.e., 8021HdrPriorityValue matches for all values.
+
+6.20.7. The Property 8021HdrVLANID
+
+ This property is a 32-bit unsigned integer, representing an 802.1Q
+ VLAN Identifier. This value is compared to the VLAN ID field in the
+ 802.1Q header. Since the 802.1Q VLAN ID field consists of 12 bits,
+ the values for this property are limited to the range 0..4095.
+
+ If a value for this property is not provided, then the filter does
+ not consider 8021HdrVLANID in selecting matching packets, i.e.,
+ 8021HdrVLANID matches for all values.
+
+6.21. The Class FilterList
+
+ This is a concrete class that aggregates instances of (subclasses of)
+ FilterEntryBase via the aggregation EntriesInFilterList. It is
+ possible to aggregate different types of filters into a single
+ FilterList - for example, packet header filters (represented by the
+ IpHeadersFilter class) and security filters (represented by
+ subclasses of FilterEntryBase defined by IPsec).
+
+ The aggregation property EntriesInFilterList.EntrySequence is always
+ set to 0, to indicate that the aggregated filter entries are ANDed
+ together to form a selector for a class of traffic.
+
+
+
+
+
+
+
+Moore Standards Track [Page 74]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ The class definition is as follows:
+
+ NAME FilterList
+ DESCRIPTION A concrete class representing
+ the aggregation of multiple filters.
+ DERIVED FROM LogicalElement
+ TYPE Concrete
+ PROPERTIES Direction
+
+6.21.1. The Property Direction
+
+ This property is a 16-bit unsigned integer enumeration, representing
+ the direction of the traffic flow to which the FilterList is to be
+ applied. Defined enumeration values are
+
+ o NotApplicable(0)
+ o Input(1)
+ o Output(2)
+ o Both(3) - This value is used to indicate that the direction is
+ immaterial, e.g., to filter on a source subnet regardless of
+ whether the flow is inbound or outbound
+ o Mirrored(4) - This value is also applicable to both inbound and
+ outbound flow processing, but it indicates that the filter
+ criteria are applied asymmetrically to traffic in both directions
+ and, thus, specifies the reversal of source and destination
+ criteria (as opposed to the equality of these criteria as
+ indicated by "Both"). The match conditions in the aggregated
+ FilterEntryBase subclass instances are defined from the
+ perspective of outbound flows and applied to inbound flows as well
+ by reversing the source and destination criteria. So, for
+ example, consider a FilterList with 3 filter entries indicating
+ destination port = 80, and source and destination addresses of a
+ and b, respectively. Then, for the outbound direction, the filter
+ entries match as specified and the 'mirror' (for the inbound
+ direction) matches on source port = 80 and source and destination
+ addresses of b and a, respectively.
+
+7. Association and Aggregation Definitions
+
+ The following definitions supplement those in PCIM itself. PCIM
+ definitions that are not DEPRECATED here are still current parts of
+ the overall Policy Core Information Model.
+
+7.1. The Aggregation "PolicySetComponent"
+
+ PolicySetComponent is a new aggregation class that collects instances
+ of PolicySet subclasses (PolicyGroups and PolicyRules) into coherent
+ sets of policies.
+
+
+
+Moore Standards Track [Page 75]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ NAME PolicySetComponent
+ DESCRIPTION A concrete class representing the components of a
+ policy set that have the same decision strategy, and
+ are prioritized within the set.
+ DERIVED FROM PolicyComponent
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref PolicySet[0..n]]
+ PartComponent[ref PolicySet[0..n]]
+ Priority
+
+ The definition of the Priority property is unchanged from its
+ previous definition in [PCIM].
+
+ NAME Priority
+ DESCRIPTION A non-negative integer for prioritizing this
+ PolicySet component relative to other components of
+ the same PolicySet. A larger value indicates a
+ higher priority.
+ SYNTAX uint16
+ DEFAULT VALUE 0
+
+7.2. Deprecate PCIM's Aggregation "PolicyGroupInPolicyGroup"
+
+ The new aggregation PolicySetComponent is used directly to represent
+ aggregation of PolicyGroups by a higher-level PolicyGroup. Thus the
+ aggregation PolicyGroupInPolicyGroup is no longer needed, and can be
+ deprecated.
+
+ NAME PolicyGroupInPolicyGroup
+ DEPRECATED FOR PolicySetComponent
+ DESCRIPTION A class representing the aggregation of PolicyGroups
+ by a higher-level PolicyGroup.
+ DERIVED FROM PolicyComponent
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref PolicyGroup[0..n]]
+ PartComponent[ref PolicyGroup[0..n]]
+
+7.3. Deprecate PCIM's Aggregation "PolicyRuleInPolicyGroup"
+
+ The new aggregation PolicySetComponent is used directly to represent
+ aggregation of PolicyRules by a PolicyGroup. Thus the aggregation
+ PolicyRuleInPolicyGroup is no longer needed, and can be deprecated.
+
+ NAME PolicyRuleInPolicyGroup
+ DEPRECATED FOR PolicySetComponent
+ DESCRIPTION A class representing the aggregation of PolicyRules
+ by a PolicyGroup.
+ DERIVED FROM PolicyComponent
+
+
+
+Moore Standards Track [Page 76]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref PolicyGroup[0..n]]
+ PartComponent[ref PolicyRule[0..n]]
+
+7.4. The Abstract Association "PolicySetInSystem"
+
+ PolicySetInSystem is a new association that defines a relationship
+ between a System and a PolicySet used in the administrative scope of
+ that system (e.g., AdminDomain, ComputerSystem). The Priority
+ property is used to assign a relative priority to a PolicySet within
+ the administrative scope in contexts where it is not a component of
+ another PolicySet.
+
+ NAME PolicySetInSystem
+ DESCRIPTION An abstract class representing the relationship
+ between a System and a PolicySet that is used in the
+ administrative scope of the System.
+ DERIVED FROM PolicyInSystem
+ ABSTRACT TRUE
+ PROPERTIES Antecedent[ref System[0..1]]
+ Dependent [ref PolicySet[0..n]]
+ Priority
+
+ The Priority property is used to specify the relative priority of the
+ referenced PolicySet when there are more than one PolicySet instances
+ applied to a managed resource that are not PolicySetComponents and,
+ therefore, have no other relative priority defined.
+
+ NAME Priority
+ DESCRIPTION A non-negative integer for prioritizing the
+ referenced PolicySet among other PolicySet
+ instances that are not components of a common
+ PolicySet. A larger value indicates a higher
+ priority.
+ SYNTAX uint16
+ DEFAULT VALUE 0
+
+7.5. Update PCIM's Weak Association "PolicyGroupInSystem"
+
+ Regardless of whether it a component of another PolicySet, a
+ PolicyGroup is itself defined within the scope of a System. This
+ association links a PolicyGroup to the System in whose scope the
+ PolicyGroup is defined. It is a subclass of the abstract
+ PolicySetInSystem association. The class definition for the
+ association is as follows:
+
+
+
+
+
+
+Moore Standards Track [Page 77]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ NAME PolicyGroupInSystem
+ DESCRIPTION A class representing the fact that a PolicyGroup is
+ defined within the scope of a System.
+ DERIVED FROM PolicySetInSystem
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref System[1..1]]
+ Dependent [ref PolicyGroup[weak]]
+
+ The Reference "Antecedent" is inherited from PolicySetInSystem, and
+ overridden to restrict its cardinality to [1..1]. It serves as an
+ object reference to a System that provides a scope for one or more
+ PolicyGroups. Since this is a weak association, the cardinality for
+ this object reference is always 1, that is, a PolicyGroup is always
+ defined within the scope of exactly one System.
+
+ The Reference "Dependent" is inherited from PolicySetInSystem, and
+ overridden to become an object reference to a PolicyGroup defined
+ within the scope of a System. Note that for any single instance of
+ the association class PolicyGroupInSystem, this property (like all
+ reference properties) is single-valued. The [0..n] cardinality
+ indicates that a given System may have 0, 1, or more than one
+ PolicyGroups defined within its scope.
+
+7.6. Update PCIM's Weak Association "PolicyRuleInSystem"
+
+ Regardless of whether it a component of another PolicySet, a
+ PolicyRule is itself defined within the scope of a System. This
+ association links a PolicyRule to the System in whose scope the
+ PolicyRule is defined. It is a subclass of the abstract
+ PolicySetInSystem association. The class definition for the
+ association is as follows:
+
+ NAME PolicyRuleInSystem
+ DESCRIPTION A class representing the fact that a PolicyRule is
+ defined within the scope of a System.
+ DERIVED FROM PolicySetInSystem
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref System[1..1]]
+ Dependent[ref PolicyRule[weak]]
+
+ The Reference "Antecedent" is inherited from PolicySetInSystem, and
+ overridden to restrict its cardinality to [1..1]. It serves as an
+ object reference to a System that provides a scope for one or more
+ PolicyRules. Since this is a weak association, the cardinality for
+ this object reference is always 1, that is, a PolicyRule is always
+ defined within the scope of exactly one System.
+
+
+
+
+
+Moore Standards Track [Page 78]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ The Reference "Dependent" is inherited from PolicySetInSystem, and
+ overridden to become an object reference to a PolicyRule defined
+ within the scope of a System. Note that for any single instance of
+ the association class PolicyRuleInSystem, this property (like all
+ Reference properties) is single-valued. The [0..n] cardinality
+ indicates that a given System may have 0, 1, or more than one
+ PolicyRules defined within its scope.
+
+7.7. The Abstract Aggregation "PolicyConditionStructure"
+
+ NAME PolicyConditionStructure
+ DESCRIPTION A class representing the aggregation of
+ PolicyConditions by an aggregating instance.
+ DERIVED FROM PolicyComponent
+ ABSTRACT TRUE
+ PROPERTIES PartComponent[ref PolicyCondition[0..n]]
+ GroupNumber
+ ConditionNegated
+7.8. Update PCIM's Aggregation "PolicyConditionInPolicyRule"
+
+ The PCIM aggregation "PolicyConditionInPolicyRule" is updated, to
+ make it a subclass of the new abstract aggregation
+ PolicyConditionStructure. The properties GroupNumber and
+ ConditionNegated are now inherited, rather than specified explicitly
+ as they were in PCIM.
+
+ NAME PolicyConditionInPolicyRule
+ DESCRIPTION A class representing the aggregation of
+ PolicyConditions by a PolicyRule.
+ DERIVED FROM PolicyConditionStructure
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref PolicyRule[0..n]]
+
+7.9. The Aggregation "PolicyConditionInPolicyCondition"
+
+ A second subclass of PolicyConditionStructure is defined,
+ representing the compounding of policy conditions into a higher-level
+ policy condition.
+
+ NAME PolicyConditionInPolicyCondition
+ DESCRIPTION A class representing the aggregation of
+ PolicyConditions by another PolicyCondition.
+ DERIVED FROM PolicyConditionStructure
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref CompoundPolicyCondition[0..n]]
+
+
+
+
+
+
+Moore Standards Track [Page 79]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+7.10. The Abstract Aggregation "PolicyActionStructure"
+
+ NAME PolicyActionStructure
+ DESCRIPTION A class representing the aggregation of
+ PolicyActions by an aggregating instance.
+ DERIVED FROM PolicyComponent
+ ABSTRACT TRUE
+ PROPERTIES PartComponent[ref PolicyAction[0..n]]
+ ActionOrder
+
+ The definition of the ActionOrder property appears in Section 7.8.3
+ of PCIM [1].
+
+7.11. Update PCIM's Aggregation "PolicyActionInPolicyRule"
+
+ The PCIM aggregation "PolicyActionInPolicyRule" is updated, to make
+ it a subclass of the new abstract aggregation PolicyActionStructure.
+ The property ActionOrder is now inherited, rather than specified
+ explicitly as it was in PCIM.
+
+ NAME PolicyActionInPolicyRule
+ DESCRIPTION A class representing the aggregation of
+ PolicyActions by a PolicyRule.
+ DERIVED FROM PolicyActionStructure
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref PolicyRule[0..n]]
+
+7.12. The Aggregation "PolicyActionInPolicyAction"
+
+ A second subclass of PolicyActionStructure is defined, representing
+ the compounding of policy actions into a higher-level policy action.
+
+ NAME PolicyActionInPolicyAction
+ DESCRIPTION A class representing the aggregation of
+ PolicyActions by another PolicyAction.
+ DERIVED FROM PolicyActionStructure
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref CompoundPolicyAction[0..n]]
+
+7.13. The Aggregation "PolicyVariableInSimplePolicyCondition"
+
+ A simple policy condition is represented as an ordered triplet
+ {variable, operator, value}. This aggregation provides the linkage
+ between a SimplePolicyCondition instance and a single PolicyVariable.
+ The aggregation PolicyValueInSimplePolicyCondition links the
+ SimplePolicyCondition to a single PolicyValue. The Operator property
+ of SimplePolicyCondition represents the third element of the triplet,
+ the operator.
+
+
+
+Moore Standards Track [Page 80]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ The class definition for this aggregation is as follows:
+
+ NAME PolicyVariableInSimplePolicyCondition
+ DERIVED FROM PolicyComponent
+ ABSTRACT False
+ PROPERTIES GroupComponent[ref SimplePolicyCondition[0..n]]
+ PartComponent[ref PolicyVariable[1..1] ]
+
+ The reference property "GroupComponent" is inherited from
+ PolicyComponent, and overridden to become an object reference to a
+ SimplePolicyCondition that contains exactly one PolicyVariable. Note
+ that for any single instance of the aggregation class
+ PolicyVariableInSimplePolicyCondition, this property is single-
+ valued. The [0..n] cardinality indicates that there may be 0, 1, or
+ more SimplePolicyCondition objects that contain any given policy
+ variable object.
+
+ The reference property "PartComponent" is inherited from
+ PolicyComponent, and overridden to become an object reference to a
+ PolicyVariable that is defined within the scope of a
+ SimplePolicyCondition. Note that for any single instance of the
+ association class PolicyVariableInSimplePolicyCondition, this
+ property (like all reference properties) is single-valued. The
+ [1..1] cardinality indicates that a SimplePolicyCondition must have
+ exactly one policy variable defined within its scope in order to be
+ meaningful.
+
+7.14. The Aggregation "PolicyValueInSimplePolicyCondition"
+
+ A simple policy condition is represented as an ordered triplet
+ {variable, operator, value}. This aggregation provides the linkage
+ between a SimplePolicyCondition instance and a single PolicyValue.
+ The aggregation PolicyVariableInSimplePolicyCondition links the
+ SimplePolicyCondition to a single PolicyVariable. The Operator
+ property of SimplePolicyCondition represents the third element of the
+ triplet, the operator.
+
+ The class definition for this aggregation is as follows:
+
+ NAME PolicyValueInSimplePolicyCondition
+ DERIVED FROM PolicyComponent
+ ABSTRACT False
+ PROPERTIES GroupComponent[ref SimplePolicyCondition[0..n]]
+ PartComponent[ref PolicyValue[1..1] ]
+
+ The reference property "GroupComponent" is inherited from
+ PolicyComponent, and overridden to become an object reference to a
+ SimplePolicyCondition that contains exactly one PolicyValue. Note
+
+
+
+Moore Standards Track [Page 81]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ that for any single instance of the aggregation class
+ PolicyValueInSimplePolicyCondition, this property is single-valued.
+ The [0..n] cardinality indicates that there may be 0, 1, or more
+ SimplePolicyCondition objects that contain any given policy value
+ object.
+
+ The reference property "PartComponent" is inherited from
+ PolicyComponent, and overridden to become an object reference to a
+ PolicyValue that is defined within the scope of a
+ SimplePolicyCondition. Note that for any single instance of the
+ association class PolicyValueInSimplePolicyCondition, this property
+ (like all reference properties) is single-valued. The [1..1]
+ cardinality indicates that a SimplePolicyCondition must have exactly
+ one policy value defined within its scope in order to be meaningful.
+
+7.15. The Aggregation "PolicyVariableInSimplePolicyAction"
+
+ A simple policy action is represented as a pair {variable, value}.
+ This aggregation provides the linkage between a SimplePolicyAction
+ instance and a single PolicyVariable. The aggregation
+ PolicyValueInSimplePolicyAction links the SimplePolicyAction to a
+ single PolicyValue.
+
+ The class definition for this aggregation is as follows:
+
+ NAME PolicyVariableInSimplePolicyAction
+ DERIVED FROM PolicyComponent
+ ABSTRACT False
+ PROPERTIES GroupComponent[ref SimplePolicyAction[0..n]]
+ PartComponent[ref PolicyVariable[1..1] ]
+
+ The reference property "GroupComponent" is inherited from
+ PolicyComponent, and overridden to become an object reference to a
+ SimplePolicyAction that contains exactly one PolicyVariable. Note
+ that for any single instance of the aggregation class
+ PolicyVariableInSimplePolicyAction, this property is single-valued.
+ The [0..n] cardinality indicates that there may be 0, 1, or more
+ SimplePolicyAction objects that contain any given policy variable
+ object.
+
+ The reference property "PartComponent" is inherited from
+ PolicyComponent, and overridden to become an object reference to a
+ PolicyVariable that is defined within the scope of a
+ SimplePolicyAction. Note that for any single instance of the
+ association class PolicyVariableInSimplePolicyAction, this property
+ (like all reference properties) is single-valued. The [1..1]
+ cardinality indicates that a SimplePolicyAction must have exactly one
+ policy variable defined within its scope in order to be meaningful.
+
+
+
+Moore Standards Track [Page 82]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+7.16. The Aggregation "PolicyValueInSimplePolicyAction"
+
+ A simple policy action is represented as a pair {variable, value}.
+ This aggregation provides the linkage between a SimplePolicyAction
+ instance and a single PolicyValue. The aggregation
+ PolicyVariableInSimplePolicyAction links the SimplePolicyAction to a
+ single PolicyVariable.
+
+ The class definition for this aggregation is as follows:
+
+ NAME PolicyValueInSimplePolicyAction
+ DERIVED FROM PolicyComponent
+ ABSTRACT False
+ PROPERTIES GroupComponent[ref SimplePolicyAction[0..n]]
+ PartComponent[ref PolicyValue[1..1] ]
+
+ The reference property "GroupComponent" is inherited from
+ PolicyComponent, and overridden to become an object reference to a
+ SimplePolicyAction that contains exactly one PolicyValue. Note that
+ for any single instance of the aggregation class
+ PolicyValueInSimplePolicyAction, this property is single-valued. The
+ [0..n] cardinality indicates that there may be 0, 1, or more
+ SimplePolicyAction objects that contain any given policy value
+ object.
+
+ The reference property "PartComponent" is inherited from
+ PolicyComponent, and overridden to become an object reference to a
+ PolicyValue that is defined within the scope of a SimplePolicyAction.
+ Note that for any single instance of the association class
+ PolicyValueInSimplePolicyAction, this property (like all reference
+ properties) is single-valued. The [1..1] cardinality indicates that
+ a SimplePolicyAction must have exactly one policy value defined
+ within its scope in order to be meaningful.
+
+7.17. The Association "ReusablePolicy"
+
+ The association ReusablePolicy makes it possible to include any
+ subclass of the abstract class "Policy" in a ReusablePolicyContainer.
+
+ NAME ReusablePolicy
+ DESCRIPTION A class representing the inclusion of a reusable
+ policy element in a ReusablePolicyContainer.
+ Reusable elements may be PolicyGroups, PolicyRules,
+ PolicyConditions, PolicyActions, PolicyVariables,
+ PolicyValues, or instances of any other subclasses
+ of the abstract class Policy.
+
+
+
+
+
+Moore Standards Track [Page 83]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ DERIVED FROM PolicyInSystem
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref ReusablePolicyContainer[0..1]]
+
+7.18. Deprecate PCIM's "PolicyConditionInPolicyRepository"
+
+ NAME PolicyConditionInPolicyRepository
+ DEPRECATED FOR ReusablePolicy
+ DESCRIPTION A class representing the inclusion of a reusable
+ PolicyCondition in a PolicyRepository.
+ DERIVED FROM PolicyInSystem
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref PolicyRepository[0..1]]
+ Dependent[ref PolicyCondition[0..n]]
+
+7.19. Deprecate PCIM's "PolicyActionInPolicyRepository"
+
+ NAME PolicyActionInPolicyRepository
+ DEPRECATED FOR ReusablePolicy
+ DESCRIPTION A class representing the inclusion of a reusable
+ PolicyAction in a PolicyRepository.
+ DERIVED FROM PolicyInSystem
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref PolicyRepository[0..1]]
+ Dependent[ref PolicyAction[0..n]]
+
+7.20. The Association ExpectedPolicyValuesForVariable
+
+ This association links a PolicyValue object to a PolicyVariable
+ object, modeling the set of expected values for that PolicyVariable.
+ Using this association, a variable (instance) may be constrained to
+ be bound- to/assigned only a set of allowed values. For example,
+ modeling an enumerated source port variable, one creates an instance
+ of the PolicySourcePortVariable class and associates with it the set
+ of values (integers) representing the allowed enumeration, using
+ appropriate number of instances of the
+ ExpectedPolicyValuesForVariable association.
+
+ Note that a single variable instance may be constrained by any number
+ of values, and a single value may be used to constrain any number of
+ variables. These relationships are manifested by the n-to-m
+ cardinality of the association.
+
+ The purpose of this association is to support validation of simple
+ policy conditions and simple policy actions, prior to their
+ deployment to an enforcement point. This association, and the
+
+
+
+
+
+Moore Standards Track [Page 84]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ PolicyValue object that it refers to, plays no role when a PDP or a
+ PEP is evaluating a simple policy condition, or executing a simple
+ policy action. See Section 5.8.3 for more details on this point.
+
+ The class definition for the association is as follows:
+
+ NAME ExpectedPolicyValuesForVariable
+ DESCRIPTION A class representing the association of a set of
+ expected values to a variable object.
+ DERIVED FROM Dependency
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref PolicyVariable[0..n]]
+ Dependent [ref PolicyValue [0..n]]
+
+ The reference property Antecedent is inherited from Dependency. Its
+ type and cardinality are overridden to provide the semantics of a
+ variable optionally having value constraints. The [0..n] cardinality
+ indicates that any number of variables may be constrained by a given
+ value.
+
+ The reference property "Dependent" is inherited from Dependency, and
+ overridden to become an object reference to a PolicyValue
+ representing the values that a particular PolicyVariable can have.
+ The [0..n] cardinality indicates that a given policy variable may
+ have 0, 1 or more than one PolicyValues defined to model the set(s)
+ of values that the policy variable can take.
+
+7.21. The Aggregation "ContainedDomain"
+
+ The aggregation ContainedDomain provides a means of nesting of one
+ ReusablePolicyContainer inside another one. The aggregation is
+ defined at the level of ReusablePolicyContainer's superclass,
+ AdminDomain, to give it applicability to areas other than Core
+ Policy.
+
+ NAME ContainedDomain
+ DESCRIPTION A class representing the aggregation of lower level
+ administrative domains by a higher-level
+ AdminDomain.
+ DERIVED FROM SystemComponent
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref AdminDomain [0..n]]
+ PartComponent[ref AdminDomain [0..n]]
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 85]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+7.22. Deprecate PCIM's "PolicyRepositoryInPolicyRepository"
+
+ NAME PolicyRepositoryInPolicyRepository
+ DEPRECATED FOR ContainedDomain
+ DESCRIPTION A class representing the aggregation of
+ PolicyRepositories by a higher-level
+ PolicyRepository.
+ DERIVED FROM SystemComponent
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref PolicyRepository[0..n]]
+ PartComponent[ref PolicyRepository[0..n]]
+
+7.23. The Aggregation "EntriesInFilterList"
+
+ This aggregation is a specialization of the Component aggregation; it
+ is used to define a set of filter entries (subclasses of
+ FilterEntryBase) that are aggregated by a FilterList.
+
+ The cardinalities of the aggregation itself are 0..1 on the
+ FilterList end, and 0..n on the FilterEntryBase end. Thus in the
+ general case, a filter entry can exist without being aggregated into
+ any FilterList. However, the only way a filter entry can figure in
+ the PCIMe model is by being aggregated into a FilterList by this
+ aggregation.
+
+ The class definition for the aggregation is as follows:
+
+ NAME EntriesInFilterList
+ DESCRIPTION An aggregation used to define a set of
+ filter entries (subclasses of
+ FilterEntryBase) that are aggregated by
+ a particular FilterList.
+ DERIVED FROM Component
+ ABSTRACT False
+ PROPERTIES GroupComponent[ref
+ FilterList[0..1]],
+ PartComponent[ref
+ FilterEntryBase[0..n],
+ EntrySequence
+
+7.23.1. The Reference GroupComponent
+
+ This property is overridden in this aggregation to represent an
+ object reference to a FilterList object (instead of to the more
+ generic ManagedSystemElement object defined in its superclass). It
+ also restricts the cardinality of the aggregate to 0..1 (instead of
+ the more generic 0-or-more), representing the fact that a filter
+ entry always exists within the context of at most one FilterList.
+
+
+
+Moore Standards Track [Page 86]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+7.23.2. The Reference PartComponent
+
+ This property is overridden in this aggregation to represent an
+ object reference to a FilterEntryBase object (instead of to the more
+ generic ManagedSystemElement object defined in its superclass). This
+ object represents a single filter entry, which may be aggregated with
+ other filter entries to form the FilterList.
+
+7.23.3. The Property EntrySequence
+
+ An unsigned 16-bit integer indicating the order of the filter entry
+ relative to all others in the FilterList. The default value '0'
+ indicates that order is not significant, because the entries in this
+ FilterList are ANDed together.
+
+7.24. The Aggregation "ElementInPolicyRoleCollection"
+
+ The following aggregation is used to associate ManagedElements with a
+ PolicyRoleCollection object that represents a role played by these
+ ManagedElements.
+
+ NAME ElementInPolicyRoleCollection
+ DESCRIPTION A class representing the inclusion of a
+ ManagedElement in a collection, specified as
+ having a given role. All the managed elements
+ in the collection share the same role.
+ DERIVED FROM MemberOfCollection
+ ABSTRACT FALSE
+ PROPERTIES Collection[ref PolicyRoleCollection [0..n]]
+ Member[ref ManagedElement [0..n]]
+
+7.25. The Weak Association "PolicyRoleCollectionInSystem"
+
+ A PolicyRoleCollection is defined within the scope of a System. This
+ association links a PolicyRoleCollection to the System in whose scope
+ it is defined.
+
+ When associating a PolicyRoleCollection with a System, this should be
+ done consistently with the system that scopes the policy rules/groups
+ that are applied to the resources in that collection. A
+ PolicyRoleCollection is associated with the same system as the
+ applicable PolicyRules and/or PolicyGroups, or to a System higher in
+ the tree formed by the SystemComponent association.
+
+ The class definition for the association is as follows:
+
+
+
+
+
+
+Moore Standards Track [Page 87]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ NAME PolicyRoleCollectionInSystem
+ DESCRIPTION A class representing the fact that a
+ PolicyRoleCollection is defined within the scope of
+ a System.
+ DERIVED FROM Dependency
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref System[1..1]]
+ Dependent[ref PolicyRoleCollection[weak]]
+
+ The reference property Antecedent is inherited from Dependency, and
+ overridden to become an object reference to a System, and to restrict
+ its cardinality to [1..1]. It serves as an object reference to a
+ System that provides a scope for one or more PolicyRoleCollections.
+ Since this is a weak association, the cardinality for this object
+ reference is always 1, that is, a PolicyRoleCollection is always
+ defined within the scope of exactly one System.
+
+ The reference property Dependent is inherited from Dependency, and
+ overridden to become an object reference to a PolicyRoleCollection
+ defined within the scope of a System. Note that for any single
+ instance of the association class PolicyRoleCollectionInSystem, this
+ property (like all Reference properties) is single-valued. The
+ [0..n] cardinality indicates that a given System may have 0, 1, or
+ more than one PolicyRoleCollections defined within its scope.
+
+8. Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11.
+
+ Copies of claims of rights made available for publication and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+
+Moore Standards Track [Page 88]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+9. Acknowledgements
+
+ The starting point for this document was PCIM itself [1], and the
+ first three submodels derived from it [11], [12], [13]. The authors
+ of these documents created the extensions to PCIM, and asked the
+ questions about PCIM, that are reflected in PCIMe.
+
+10. Contributors
+
+ This document includes text written by a number of authors (including
+ the editor), that was subsequently merged by the editor. The
+ following people contributed text to this document:
+
+ Lee Rafalow
+ IBM Corporation, BRQA/501
+ 4205 S. Miami Blvd.
+ Research Triangle Park, NC 27709
+
+ Phone: +1 919-254-4455
+ Fax: +1 919-254-6243
+ EMail: rafalow@us.ibm.com
+
+
+ Yoram Ramberg
+ Cisco Systems
+ 4 Maskit Street
+ Herzliya Pituach, Israel 46766
+
+ Phone: +972-9-970-0081
+ Fax: +972-9-970-0219
+ EMail: yramberg@cisco.com
+
+
+ Yoram Snir
+ Cisco Systems
+ 4 Maskit Street
+ Herzliya Pituach, Israel 46766
+
+ Phone: +972-9-970-0085
+ Fax: +972-9-970-0366
+ EMail: ysnir@cisco.com
+
+
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 89]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ Andrea Westerinen
+ Cisco Systems
+ Building 20
+ 725 Alder Drive
+ Milpitas, CA 95035
+
+ Phone: +1-408-853-8294
+ Fax: +1-408-527-6351
+ EMail: andreaw@cisco.com
+
+
+ Ritu Chadha
+ Telcordia Technologies
+ MCC 1J-218R
+ 445 South Street
+ Morristown NJ 07960.
+
+ Phone: +1-973-829-4869
+ Fax: +1-973-829-5889
+ EMail: chadha@research.telcordia.com
+
+
+ Marcus Brunner
+ NEC Europe Ltd.
+ C&C Research Laboratories
+ Adenauerplatz 6
+ D-69115 Heidelberg, Germany
+
+ Phone: +49 (0)6221 9051129
+ Fax: +49 (0)6221 9051155
+ EMail: brunner@ccrle.nec.de
+
+
+ Ron Cohen
+ Ntear LLC
+
+ EMail: ronc@ntear.com
+
+
+ John Strassner
+ INTELLIDEN, Inc.
+ 90 South Cascade Avenue
+ Colorado Springs, CO 80903
+
+ Phone: +1-719-785-0648
+ EMail: john.strassner@intelliden.com
+
+
+
+
+
+Moore Standards Track [Page 90]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+11. Security Considerations
+
+ The Policy Core Information Model (PCIM) [1] describes the general
+ security considerations related to the general core policy model.
+ The extensions defined in this document do not introduce any
+ additional considerations related to security.
+
+12. Normative References
+
+ [1] Moore, B., Ellesson, E., Strassner, J. and A. Westerinen,
+ "Policy Core Information Model -- Version 1 Specification", RFC
+ 3060, February 2001.
+
+ [2] Distributed Management Task Force, Inc., "DMTF Technologies: CIM
+ Standards CIM Schema: Version 2.5", available at
+ http://www.dmtf.org/standards/cim_schema_v25.php.
+
+ [3] Distributed Management Task Force, Inc., "Common Information
+ Model (CIM) Specification: Version 2.2", June 14, 1999,
+ available at
+ http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf.
+
+ [4] Mockapetris, P., "Domain Names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [5] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight
+ Directory Access Protocol (v3): Attribute Syntax Definitions",
+ RFC 2252, December 1997.
+
+ [6] Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", RFC 2234, November 1997.
+
+ [7] Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 2373, July 1998.
+
+ [8] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+13. Informative References
+
+ [9] Hovey, R. and S. Bradner, "The Organizations Involved in the
+ IETF Standards Process", BCP 11, RFC 2028, October 1996.
+
+ [10] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M.,
+ Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J. and
+ Waldbusser, "Terminology for Policy-Based Management", RFC 3198,
+ November 2001.
+
+
+
+
+Moore Standards Track [Page 91]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+ [11] Snir, Y., and Y. Ramberg, J. Strassner, R. Cohen, "Policy QoS
+ Information Model", Work in Progress.
+
+ [12] Jason, J., and L. Rafalow, E. Vyncke, "IPsec Configuration
+ Policy Model", Work in Progress.
+
+ [13] Chadha, R., and M. Brunner, M. Yoshida, J. Quittek, G.
+ Mykoniatis, A. Poylisher, R. Vaidyanathan, A. Kind, F.
+ Reichmeyer, "Policy Framework MPLS Information Model for QoS and
+ TE", Work in Progress.
+
+ [14] S. Waldbusser, and J. Saperia, T. Hongal, "Policy Based
+ Management MIB", Work in Progress.
+
+ [15] B. Moore, and D. Durham, J. Halpern, J. Strassner, A.
+ Westerinen, W. Weiss, "Information Model for Describing Network
+ Device QoS Datapath Mechanisms", Work in Progress.
+
+Author's Address
+
+ Bob Moore
+ IBM Corporation, BRQA/501
+ 4205 S. Miami Blvd.
+ Research Triangle Park, NC 27709
+
+ Phone: +1 919-254-4436
+ Fax: +1 919-254-6243
+ EMail: remoore@us.ibm.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 92]
+
+RFC 3460 PCIM Extensions January 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Moore Standards Track [Page 93]
+