Policy Framework Working Group Mircea Pana, Editor INTERNET-DRAFT MetaSolv Updates: draft-ietf-policy-core-schema-16 Angelica Reyes University Veracruzana Antoni Barba David Moron Technical University of Catalonia Marcus Brunner NEC January 2004 Policy Core Extension LDAP Schema (PCELS) Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document defines a number of changes and extensions to the Policy Core LDAP Schema (RFC zzzz) based on the model extensions defined by RFC 3640. These changes and extensions consist of new LDAP object classes and attribute types. Some of the schema items defined in this document re-implement existing concepts in accordance with their new semantics modified by RFC 3640. The other schema items implement new concepts, not covered by RFC zzzz. This document updates RFC zzzz. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [KEYWORDS]. Pana, et al. Expires: July 2004 [page 1] INTERNET-DRAFT PCELS January 2004 Table of contents 1. Introduction.....................................................3 2. Relationship to other Policy Framework Documents.................3 3. Inheritance Hierarchy for PCELS..................................3 4. General Discussion of Mapping the Policy Core Information Model Extensions to LDAP.........................................7 4.1 Summary of Class and Association Mappings.....................7 4.2 Summary of changes since PCLS................................11 4.3 Impact on existing implementations of the Policy Core LDAP Schema...............................13 4.4 The Association of PolicyVariable and PolicyValues to PolicySimpleCondition and PolicySimpleAction..............13 4.5 The Aggregation of PolicyRules and PolicyGroups in PolicySets...................................................14 4.6 The Aggregation of actions /conditions in PolicyRules and CompoundActions /CompoundConditions..........................16 5. Class Definitions...............................................21 5.1 The Class pcelsPolicySet....................................21 5.2 The Structural Class pcelsPolicySetAssociation..............23 5.3 The Three Classes pcelsRule.................................24 5.4 The Structural Class pcelsConditionAssociation..............27 5.5 The Structural Class pcelsActionAssociation.................28 5.6 The Auxiliary Class pcelsSimpleConditionAuxClass............29 5.7 The Auxiliary Class pcelsCompoundConditionAuxClass..........30 5.8 The Auxiliary Class pcelsCompoundFilterAuxClass.............31 5.9 The Auxiliary Class pcelsSimpleActionAuxClass...............31 5.10 The Auxiliary Class pcelsCompoundActionAuxClass............32 5.11 The Abstract Class pcelsVariable............................33 5.12 The Auxiliary Class pcelsExplicitVariableAuxClass...........34 5.13 The Auxiliary Class pcelsImplicitVariableAuxClass..........35 5.14 The Subclasses of pcelsImplicitVariableAuxClass.............36 5.15 The Auxiliary Class pcelsValueAuxClass......................38 5.16 The Subclasses of pcelsValueAuxClass........................39 5.17 The Three Classes pcelsReusableContainer....................41 5.18 The Structural Class pcelsRoleCollection....................43 5.19 The Abstract Class pcelsFilterEntry.........................44 5.20 The Structural Class pcelsIPHeaders.........................45 5.21 The Structural Class pcels8021Headers.......................49 5.22 The Auxiliary Class pcelsFilterListAuxClass.................51 5.23 The Auxiliary Class pcelsVendorVariableAuxClass.............52 5.24 The Auxiliary Class pcelsVendorValueAuxClass................53 6. Security Considerations.........................................54 7. IANA Considerations.............................................55 7.1 Object Identifiers...........................................55 7.2 Object Identifier Descriptors................................55 8. Normative References............................................58 9. Informative References..........................................58 10. Authors' Addresses.............................................59 11. Intellectual Property..........................................59 12. Full Copyright Statement.......................................60 Pana, et al. Expires: July 2004 [page 2] INTERNET-DRAFT PCELS January 2004 PLEASE NOTE: OIDs for the schema elements in this document have not been assigned. This note is to be removed by the RFC editor before publication. All uses of OIDs are indicated symbolically: for example, IANA-ASSIGNED-OID.1.1 is a placeholder that will be replaced by a real OID that is assigned by IANA before publication. For details on OID assignment see section 7 IANA Considerations. 1. Introduction This document defines a number of changes and extensions to the Policy Core LDAP Schema [PCLS] based on the specifications of the Policy Core Information Model Extensions [PCIM_EXT]. These changes and extensions consist of new LDAP [LDAP] object classes and attribute types. Some of the schema items defined in this document re-implement existing concepts in accordance with their new semantics modified by [PCIM_EXT]. The other schema items implement new concepts, not covered by [PCLS]. Within the context of this document, the term 'PCELS' (Policy Core Extension LDAP Schema) is used to refer to the LDAP object class definitions and the associated recommendations contained in this document. 2. Relationship to other Policy Framework Documents This document contains an LDAP schema mapping for the classes defined in the Policy Core Information Model Extensions [PCIM_EXT]. Other documents may subsequently be produced, with mappings of the same [PCIM] extensions to other storage or transport technologies. The document is an extension to [PCLS], which defines the mapping of the Policy Core Information Model [PCIM] to an LDAP schema. 3. Inheritance Hierarchy for PCELS The following diagram illustrates the combined class hierarchy for the LDAP object classes defined in [PCLS] and in this document: Pana, et al. Expires: July 2004 [page 3] INTERNET-DRAFT PCELS January 2004 top | +---dlm1ManagedElement (abstract) | | | +---pcimPolicy (abstract) | | | | | +---pcelsPolicySet (abstract new) | | | | | | | +---pcelsRule (abstract new) | | | | | | | +---pcelsRuleAuxClass (auxiliary new) | | | | | | | +---pcelsRuleInstance (structural new) | | | | | +---pcimRule (abstract) | | | | | | | +---pcimRuleAuxClass (auxiliary) | | | | | | | +---pcimRuleInstance (structural) | | | | | +---pcimRuleConditionAssociation (structural) | | | | | | | +---pcelsConditionAssociation (structural new) | | | | | +---pcimRuleValidityAssociation (structural) | | | | | +---pcimRuleActionAssociation (structural) | | | | | | | +---pcelsActionAssociation (structural new) | | | | | +---pcelsPolicySetAssociation (structural new) | | | | | +---pcimPolicyInstance (structural) | | | | | +---pcimElementAuxClass (auxiliary) | | | | | +---pcelsRoleCollection (structural new) | | | | | +---pcelsFilterEntry (abstract new) | | | | | +---pcelsIPHeaders (structural new) | | | | | +---pcels8021Headers (structural new) | | | +---dlm1ManagedSystemElement (abstract) | | | +---dlm1LogicalElement (abstract) | | | +---dlm1System (abstract) | | | +---dlm1AdminDomain (abstract) | | Pana, et al. Expires: July 2004 [page 4] INTERNET-DRAFT PCELS January 2004 | +---pcimRepository (abstract) | | | +---pcelsReusableContainer (abstract new) | | | +---pcelsReusableContainerAuxClass | | (auxiliary new) | | | +---pcelsReusableContainerInstance | (structural new) | +---pcimConditionAuxClass (auxiliary) | | | +---pcimTPCAuxClass (auxiliary) | | | +---pcimConditionVendorAuxClass (auxiliary) | | | +---pcelsSimpleConditionAuxClass (auxiliary new) | | | +---pcelsCompoundConditionAuxClass (auxiliary new) | | | | | +---pcelsCompoundFilterAuxClass (auxiliary new) | | | +---pcelsFilterListAuxClass (auxiliary new) | +---pcimActionAuxClass (auxiliary) | | | +---pcimActionVendorAuxClass (auxiliary) | | | +---pcelsSimpleActionAuxClass (auxiliary new) | | | +---pcelsCompoundActionAuxClass (auxiliary new) | +---pcelsVariable (abstract new) | | | +---pcelsVendorVariableAuxClass (auxiliary new) | | | +---pcelsExplicitVariableAuxClass (auxiliary new) | | | +---pcelsImplicitVariableAuxClass (auxiliary new) | | | +---pcelsSourceIPv4VariableAuxClass (auxiliary new) | | | +---pcelsSourceIPv6VariableAuxClass (auxiliary new) | | | +---pcelsDestinationIPv4VariableAuxClass (auxiliary new) | | | +---pcelsDestinationIPv6VariableAuxClass (auxiliary new) | | | +---pcelsSourcePortVariableAuxClass (auxiliary new) | | | +---pcelsDestinationPortVariableAuxClass (auxiliary new) | | Pana, et al. Expires: July 2004 [page 5] INTERNET-DRAFT PCELS January 2004 | +---pcelsIPProtocolVariableAuxClass (auxiliary new) | | | +---pcelsIPVersionVariableAuxClass (auxiliary new) | | | +---pcelsIPToSVariableAuxClass (auxiliary new) | | | +---pcelsDSCPVariableAuxClass (auxiliary new) | | | +---pcelsFlowIdVariableAuxClass (auxiliary new) | | | +---pcelsSourceMACVariableAuxClass (auxiliary new) | | | +---pcelsDestinationMACVariableAuxClass (auxiliary new) | | | +---pcelsVLANVariableAuxClass (auxiliary new) | | | +---pcelsCoSVariableAuxClass (auxiliary new) | | | +---pcelsEthertypeVariableAuxClass (auxiliary new) | | | +---pcelsSourceSAPVariableAuxClass (auxiliary new) | | | +---pcelsDestinationSAPVariableAuxClass (auxiliary new) | | | +---pcelsSNAPOUIVariableAuxClass (auxiliary new) | | | +---pcelsSNAPTypeVariableAuxClass (auxiliary new) | | | +---pcelsFlowDirectionVariableAuxClass (auxiliary new) | +---pcelsValueAuxClass (auxiliary new) | | | +---pcelsVendorValueAuxClass (auxiliary new) | | | +---pcelsIPv4AddrValueAuxClass (auxiliary new) | | | +---pcelsIPv6AddrValueAuxClass (auxiliary new) | | | +---pcelsMACAddrValueAuxClass (auxiliary new) | | | +---pcelsStringValueAuxClass (auxiliary new) | | | +---pcelsBitStringValueAuxClass (auxiliary new) | | | +---pcelsIntegerValueAuxClass (auxiliary new) | | | +---pcelsBooleanValueAuxClass (auxiliary new) | +---pcimSubtreesPtrAuxClass (auxiliary) | +---pcimGroupContainmentAuxClass (auxiliary) | Pana, et al. Expires: July 2004 [page 6] INTERNET-DRAFT PCELS January 2004 +---pcimRuleContainmentAuxClass (auxiliary) 4. General Discussion of Mapping the Policy Core Information Model Extensions to LDAP The object classes described in this document contain certain optimizations for a directory that uses LDAP as an access protocol. One example is the use of auxiliary class attachment to LDAP entries to realize some of the associations defined in the information model. Note that other storage types might need to implement the association differently. 4.1 Summary of Class and Association Mappings The LDAP object classes defined in this document are a direct mapping from the corresponding classes and, in some cases, the associations defined in [PCIM_EXT]. Similarly, the LDAP attributes defined here are a direct mapping from the corresponding class properties. In some cases, associations defined in [PCIM_EXT] are simply mapped to reference attributes or realized through auxiliary class attachment. The classes pcelsVendorVariableAuxClass and pcelsVendorValueAuxClass are not mapped from [PCIM_EXT], they are new classes added in order to increase the framework's capability to store variables and values that have not been modeled with specific properties. Just like for any other schema elements defined in this document or in [PCLS], a particular submodel schema will not, in general, need to use vendor specific variable and value classes. Submodel schemas should apply the recommendations of section 5.10 of [PCIM_EXT] with regards to the supported and unsupported elements. While [PCLS] uses the prefix "pcim" for the schema items that it defines, the object class and attribute names defined in this document are prefixed "pcels". Pana, et al. Expires: July 2004 [page 7] INTERNET-DRAFT PCELS January 2004 +----------------------------------------------------------------------+ | Information Model (PCIM_EXT) | LDAP Class(es) | +----------------------------------------------------------------------+ | PolicySet | pcelsPolicySet | +----------------------------------------------------------------------+ | PolicyRule | pcelsRule | | | pcelsRuleAuxClass | | | pcelsRuleInstance | +----------------------------------------------------------------------+ | PolicyGroup | pcelsPolicySet or pcelsRule | | | with no associated validity periods, | | | conditions or actions | +----------------------------------------------------------------------+ | SimplePolicyCondition | pcelsSimpleConditionAuxClass | +----------------------------------------------------------------------+ | CompoundPolicyCondition | pcelsCompoundConditionAuxClass | +----------------------------------------------------------------------+ | CompoundFilterCondition | pcelsCompoundFilterAuxClass | +----------------------------------------------------------------------+ | SimplePolicyAction | pcelsSimpleActionAuxClass | +----------------------------------------------------------------------+ | CompoundPolicyAction | pcelsCompoundActionAuxClass | +----------------------------------------------------------------------+ | PolicyVariable | pcelsVariable | +----------------------------------------------------------------------+ | -------------- | pcelsVendorVariableAuxClass | +-------------------------------+--------------------------------------+ | PolicyExplicitVariable | pcelsExplicitVariableAuxClass | +----------------------------------------------------------------------+ | PolicyImplicitVariable | pcelsImplicitVariableAuxClass | +----------------------------------------------------------------------+ | PolicySourceIPv4Variable | pcelsSourceIPv4VariableAuxClass | +----------------------------------------------------------------------+ | PolicySourceIPv6Variable | pcelsSourceIPv6VariableAuxClass | +----------------------------------------------------------------------+ | PolicyDestinationIPv4Variable | pcelsDestinationIPv4VariableAuxClass | +----------------------------------------------------------------------+ | PolicyDestinationIPv6Variable | pcelsDestinationIPv6VariableAuxClass | +----------------------------------------------------------------------+ | PolicySourcePortVariable | pcelsSourcePortVariableAuxClass | +----------------------------------------------------------------------+ | PolicyDestinationPortVariable | pcelsDestinationPortVariableAuxClass | +----------------------------------------------------------------------+ | PolicyIPProtocolVariable | pcelsIPProtocolVariableAuxClass | +----------------------------------------------------------------------+ | PolicyIPVersionVariable | pcelsIPVersionVariableAuxClass | +----------------------------------------------------------------------+ | PolicyIPToSVariable | pcelsIPToSVariableAuxClass | +----------------------------------------------------------------------+ | PolicyDSCPVariable | pcelsDSCPVariableAuxClass | +----------------------------------------------------------------------+ | PolicyFlowIDVariable | pcelsFlowIDVariableAuxClass | Pana, et al. Expires: July 2004 [page 8] INTERNET-DRAFT PCELS January 2004 +----------------------------------------------------------------------+ | PolicySourceMACVariable | pcelsSourceMACVariableAuxClass | +----------------------------------------------------------------------+ | PolicyDestinationMACVariable | pcelsDestinationMACVariableAuxClass | +----------------------------------------------------------------------+ | PolicyVLANVariable | pcelsVLANVariableAuxClass | +----------------------------------------------------------------------+ | PolicyCoSVariable | pcelsCoSVariableAuxClass | +----------------------------------------------------------------------+ | PolicyEthertypeVariable | pcelsEthertypeVariableAuxClass | +----------------------------------------------------------------------+ | PolicySourceSAPVariable | pcelsSourceSAPVariableAuxClass | +----------------------------------------------------------------------+ | PolicyDestinationSAPVariable | pcelsDestinationSAPVariableAuxClass | +----------------------------------------------------------------------+ | PolicySNAPOUIVariable | pcelsSNAPOUIVariableAuxClass | +----------------------------------------------------------------------+ | PolicySNAPTypeVariable | pcelsSNAPTypeVariableAuxClass | +----------------------------------------------------------------------+ | PolicyFlowDirectionVariable | pcelsFlowDirectionVariableAuxClass | +----------------------------------------------------------------------+ | PolicyValue | pcelsValueAuxClass | +----------------------------------------------------------------------+ | ------------- | pcelsVendorValueAuxClass | +-------------------------------+--------------------------------------+ | PolicyIPv4AddrValue | pcelsIPv4AddrValueAuxClass | +----------------------------------------------------------------------+ | PolicyIPv6AddrValue | pcelsIPv6AddrValueAuxClass | +----------------------------------------------------------------------+ | PolicyMACAddrValue | pcelsMACAddrValueAuxClass | +----------------------------------------------------------------------+ | PolicyStringValue | pcelsStringValueAuxClass | +----------------------------------------------------------------------+ | PolicyBitStringValue | pcelsBitStringValueAuxClass | +----------------------------------------------------------------------+ | PolicyIntegerValue | pcelsIntegerValueAuxClass | +----------------------------------------------------------------------+ | PolicyBooleanValue | pcelsBooleanValueAuxClass | +----------------------------------------------------------------------+ | PolicyRoleCollection | pcelsRoleCollection | +----------------------------------------------------------------------+ | ReusablePolicyContainer | pcelsReusableContainer | | | pcelsReusableContainerAuxClass | | | pcelsReusableContainerInstance | +----------------------------------------------------------------------+ | FilterEntryBase | pcelsFilterEntry | +----------------------------------------------------------------------+ | IPHeadersfilter | pcelsIPHeaders | +----------------------------------------------------------------------+ | 8021Filter | pcels8021Headers | +----------------------------------------------------------------------+ | FilterList | pcelsFilterListAuxClass | Pana, et al. Expires: July 2004 [page 9] INTERNET-DRAFT PCELS January 2004 +----------------------------------------------------------------------+ +----------------------------------------------------------------------+ | Information Model Association | LDAP Attribute / Class | +----------------------------------------------------------------------+ | PolicySetComponent | pcelsPolicySetComponentList in | | | pcelsPolicySet and | | | pcelsPolicySetDN in | | | pcelsPolicySetAsociation | +----------------------------------------------------------------------+ | PolicySetInSystem | DIT Containment and | | | pcelsPolicySetDN in | | | pcelsPolicySetAsociation | +----------------------------------------------------------------------+ | PolicyGroupInSystem | (see PolicySetInSystem) | +----------------------------------------------------------------------+ | PolicyRuleInSystem | (see PolicySetInSystem) | +----------------------------------------------------------------------+ | PolicyConditionStructure | pcimConditionDN in | | | pcelsConditionAssociation | +----------------------------------------------------------------------+ | PolicyConditionInPolicyRule | pcelsConditionList in | | | pcelsRule and | | | pcimConditionDN in | | | pcelsConditionAssociation | +----------------------------------------------------------------------+ | PolicyConditionInPolicyCondition | pcelsConditionList in | | | pcelsCompoundConditionAuxClass | | | and pcimConditionDN in | | | pcelsConditionAssociation | +----------------------------------------------------------------------+ | PolicyActionStructure | pcimActionDN in | | | pcelsActionAssociation | +----------------------------------------------------------------------+ | PolicyActionInPolicyRule | pcelsActionList in | | | pcelsRule and | | | pcimActionDN in | | | pcelsActionAssociation | +----------------------------------------------------------------------+ | PolicyActionInPolicyAction | pcelsActionList in | | | pcelsCompoundActionAuxClass | | | and pcimActionDN in | | | pcelsActionAssociation | +----------------------------------------------------------------------+ | PolicyVariableInSimplePolicy | pcelsVariableDN in | | Condition | pcelsSimpleConditionAuxClass | +----------------------------------------------------------------------+ | PolicyValueInSimplePolicy | pcelsValueDN in | | Condition | pcelsSimpleConditionAuxClass | +----------------------------------------------------------------------+ | PolicyVariableInSimplePolicy | pcelsVariableDN in | Pana, et al. Expires: July 2004 [page 10] INTERNET-DRAFT PCELS January 2004 | Action | pcelsSimpleActionAuxClass | +----------------------------------------------------------------------+ | PolicyValueInSimplePolicyAction | pcelsValueDN in | | | pcelsSimpleActionAuxClass | +----------------------------------------------------------------------+ | ReusablePolicy | DIT containment | +----------------------------------------------------------------------+ | ExpectedPolicyValuesForVariable | pcelsExpectedValueList in | | | pcelsVariable | +----------------------------------------------------------------------+ | ContainedDomain | DIT containment or | | | pcelsReusableContainerList in | | | pcelsReusableContainer | +----------------------------------------------------------------------+ | EntriesInFilterList | pcelsFilterEntryList in | | | pcelsFilterListAuxClass | +----------------------------------------------------------------------+ | ElementInPolicyRoleCollection | DIT containment or | | | pcelsElementList in | | | pcelsRoleCollection | +----------------------------------------------------------------------+ | PolicyRoleCollectionInSystem | DIT Containment | +----------------------------------------------------------------------+ 4.2 Summary of changes since PCLS This section provides an overview of the changes relative to [PCLS] defined in this document: 1. The concept of an ordered set of policies is introduced by means of two new object classes, pcelsPolicySet and pcelsPolicySetAssociation. These classes enable the aggregation and relative prioritization of policies (rules and /or groups). The attribute pcelsPriority used by the pcelsPolicySetAssociation object class indicates the relative priority of the aggregated components. The new policy aggregation mechanism provides an alternative to the aggregation mechanism defined by [PCLS] (pcimRuleContainmentAuxClass and /or pcimGroupContainmentAuxClass attaches to a pcimGroup). 2. The attribute pcimRoles defined by [PCLS] is used here by the pcelsPolicySet object class. Thus, the role based policy selection mechanism is extended to all the subclasses of pcelsPolicySet. 3. A new attribute pcelsDecisionStrategy is added on the pcelsPolicySet class as a mapping from the decision mechanism. Pana, et al. Expires: July 2004 [page 11] INTERNET-DRAFT PCELS January 2004 4. A new class pcelsRule (with two subclasses), implements the modified semantics of the PolicyRule in accordance with [PCIM_EXT]. This new class does not include an absolute priority attribute but pcelsRule entries can be prioritized relative to each other within a System (behavior inherited from its superior: pcelsPolicySet). The pcelsRule class also inherits from pcelsPolicySet the ability to aggregate other policy rules or groups. Hence, the ability to construct nested rule structures of arbitrary complexity. 5. A new attribute pcelsExecutionStrategy is added to the pcelsRule and pcelsCompoundActionAuxClass classes to allow the specification of the expected behavior in case of multiple actions aggregated by a rule or by a compound action. 6. Compound Conditions: The pcelsCompoundConditionAuxClass class is added in order to map the CompoundPolicyCondition class. A new class, pcelsConditionAssociation realizes the aggregation of policy conditions in a pcelsCompoundConditionAuxClass. The same association class is used to aggregate policy conditions in a pcelsRule. 7. Compound Actions: The pcelsCompoundActionAuxClass class is added in order to map the CompoundPolicyAction class. A new class, pcelsActionAssociation realizes the aggregation of policy actions in a pcelsCompoundActionAuxClass. The same association class is used to aggregate policy actions in a pcelsRule. 8. Simple Conditions, Simple Actions, Variables and Values: The simple condition, simple action, variable and value classes defined by [PCIM_EXT] are directly mapped to LDAP object classes. These are: pcelsSimpleConditionAuxClass, pcelsSimpleActionAuxClass, pcelsVariable and its subclasses, and pcelsValueAuxClass and its subclasses. 9. A general extension mechanism is introduced for representing policy variables and values that have not been specifically modeled. The mechanism is intended for vendor-specific extensions. 10. Reusable Policy Repository: A new class (with two subclasses), pcelsReusableContainer is created as a subclass of pcimRepository. While maintaining compatibility with older [PCLS] implementations, the addition of this class acknowledges the intent of [PCIM_EXT] to avoid the potential for confusion with the Policy Framework component named Policy Repository. The new class enables many-to-many associations between reusable policy containers. 11. The ReusablePolicy association defined in [PCIM_EXT] is realized through subordination to a (subclass of) pcelsReusableContainer. Thus, reusable policy components (groups, rules, conditions, actions, variables and values) are may be defined as stand-alone entries or stand-alone groups of related entries subordinated (DIT contained) to a pcelsReusableContainer. Pana, et al. Expires: July 2004 [page 12] INTERNET-DRAFT PCELS January 2004 12. Device level filter classes are added to the schema. 13. The pcelsRoleCollection class is added to the schema to allow the association of policy roles to resources represented as LDAP entries. 4.3 Impact on existing implementations of the Policy Core LDAP Schema In general, the intent of PCELS is to extend the functionality offered by the Policy Core LDAP Schema. For the most part, the compatibility with [PCLS] is preserved. The few cases where compatibility can not be achieved due to fundamental changes imposed by [PCIM_EXT], are defined here as alternatives to the original implementation. PCELS does not obsolete nor deprecates the concepts implemented by [PCLS]. The new LDAP schema items are defined in this document in a way that avoids, to the extent possible, interference into the normal operation of a reasonably well executed implementation of [PCLS]. The intent is to permit at least a harmless coexistence of the two models in the same data repository. It should be noted, however, that the PCELS introduces the following changes that may have an impact on some [PCLS] implementations: 1. Some attributes originally used only by pcimRule are now also used by classes unknown to [PCLS] implementations (pcelsPolicySet and pcelsRule). In particular the attribute pcimRoles is also used by pcelsPolicySet for role based policy selection. 2. Condition and action association classes originally used by only pcimRule are now used (through subclasses) by pcelsRule as well. 3. pcimRepository containers may include entries of types unknown to [PCLS] implementations. When the choice exists, PCELS implementations SHOULD support the new schema and MAY also support the one defined by [PCLS]. For example, if PolicyRule support is required, an implementation SHOULD be able to read or read-write (as applicable) pcelsRule entires. The same implementation MAY be able to read or read-write pcimRule. Note: The provisions of section 5.10. "Conformance to PCIM and PCIMe" of [PCIM_EXT] apply to the LDAP schema items defined this document as well as to [PCLS]. 4.4 The Association of PolicyVariable and PolicyValues to PolicySimpleCondition and PolicySimpleAction Pana, et al. Expires: July 2004 [page 13] INTERNET-DRAFT PCELS January 2004 A PolicySimpleCondition as well as a PolicySimpleAction includes a single PolicyValue and a single PolicyVariable. Each of them can be attached or referenced by a DN. The attachment helps create compact PolicyCondition and PolicyAction definitions that can be efficiently provisioned and retrieved from the repository. On the other hand, referenced PolicyVariables and PolicyValues instances can be reused in the construction of multiple policies and permit the administrative partitioning of the data and policy definitions. 4.5 The Aggregation of PolicyRules and PolicyGroups in PolicySets In [PCIM_EXT], the two aggregations PolicyGroupInPolicyGroup and PolicyRuleInPolicyGroup, are combined into a single aggregation PolicySetComponent. This aggregation and the capability of association between a policy and the ReusablePolicyContainer offer new possibilities of reusability. Furthermore, these aggregations introduce new semantics representing the execution of one PolicyRule within the scope of another PolicyRule. Since PolicySet is defined in [PCIM_EXT], it is mapped in this document to a new class pcelsPolicySet in order to provide an abstraction for a set of policy rules or groups. The aggregation class PolicySetComponent in [PCIM_EXT] is mapped to a multi-value attribute pcelsPolicySetList in the pcelsPolicySet class and the attribute pcelsPolicySetDN in the pcelsPolicySetAssociation. These attributes refer to the nested rules and groups. It is possible to store a rule /group nested in an other rule /group in two ways. The first way is to define the nested rule /group as specific to the nesting rule /group. The second way is to define the nested rules /groups as reusable. First case: Specific nested sets (rules /groups). +----------+ |Rule/Group| | | +-----|- -|-----+ | +----------+ | | * * | | * * | | **** **** | | * * | v * * v +-----------+ +-----------+ | SA1+Set1 | | SA2+Set2 | +-----------+ +-----------+ Pana, et al. Expires: July 2004 [page 14] INTERNET-DRAFT PCELS January 2004 +------------------------------+ |LEGEND: | | ***** DIT containment | | + auxiliary attachment | | ----> DN reference | +------------------------------+ #: Number. Set#: pcelsRuleAuxClass auxiliary class. SA#: pcelsPolicySetAssocation structural class. The nesting pcelsPolicySet refers to instances of pcelsPolicySetAssociation using the attribute pcelsPolicySetList. These structural association classes are subordinated (DIT contained) to the pcelsPolicySet (rule or group) entry and represent the association between the set (rule or group) and its nested rules/ groups. The nested pcelsPolicySet instances are attached (as auxiliary classes) to the association entries. Second case: Reusable nested sets (rules /groups). +----------+ +-------------+ |Rule/Group| | ContainerX | +-|- -|--+ | | | +----------+ | +-------------+ | * * | * * | *** **** | * * | * * v * * | * +---+ * * | * |SA2| +-------+ * v * | -|-------->|S1+Set2| * +---+ +---+ +-------+ * |SA1| +-------+ | -|------------------------------>|S2+Set3| +---+ +-------+ +------------------------------+ |LEGEND: | | ***** DIT containment | | + auxiliary attachment | | ----> DN reference | +------------------------------+ Set#: pcelsRuleAuxClass auxiliary class. SA#: PolicySetAssocation structural class. S#: structural class. Pana, et al. Expires: July 2004 [page 15] INTERNET-DRAFT PCELS January 2004 The nesting pcelsPolicySet refers to instances of pcelsPolicySetAssociation using the attribute pcelsPolicySetList. These structural association classes are subordinated (DIT contained) to the pcelsPolicySet entry and represent the association between the set (rule or group) and its nested rules /groups. The reusable rules /groups are instantiated here as auxiliary classes and attached to pcimPolicyInstance entries in the reusable container. An other option is to use the structural subclasses for defining reusable rules /groups. The association classes belonging to a nesting policy set are reference the reusable rules /groups using the attribute pcelsPolicySetDN. A combination of both specific and reusable components is also allowed for the same policy set. 4.6 The Aggregation of actions /conditions in PolicyRules and CompoundActions /CompoundConditions [PCIM_EXT] defines two new classes that offer the designer the capability of creating more complex conditions and actions. CompoundPolicyCondition and CompoundPolicyActionclasses are mapped in this document to pcelsCompoundConditionAuxClass and pcelsCompoundActionAuxClass classes that are subclasses of pcimConditionAuxClass/pcimActionAuxClass. The compound conditions /actions defined in [PCIM_EXT] extend the capability of the rule to associate, group and evaluate conditions /execute actions. The conditions /actions are associated to compounds conditions /actions in the same way as they are associated to the rules. In this section it is explained how to store instances of these classes in an LDAP Directory. As a general rule, specific conditions /actions are subordinated (DIT contained) to the rule or compound condition /action that aggregates them and are attached to association class instances. Reusable conditions /actions, are subordinated to pcelsReusableContainer instances and attached to pcimPolicyInstance instances. The examples below illustrate the four possible cases combining specific /reusable compound /non-compound condition /action. The rule has two compound conditions, each one has two different conditions. The schemes can be extended in order to store actions. The examples below are based on and extend those illustrated in the section 4.4 of [PCLS]. - First case: Specific compound condition /action with specific conditions /actions. Pana, et al. Expires: July 2004 [page 16] INTERNET-DRAFT PCELS January 2004 +--------------+ +------| Rule |------+ | +--------------+ | | * * | | ********* ********* | v * * v +---------+ +---------+ +-| CA1+cc1 |-+ +-| CA2+cc2 |-+ | +---------+ | | +---------+ | | * * | | * * | | **** **** | | **** **** | v * * v v * * v +------+ +------+ +------+ +------+ |CA3+c1| |CA4+c2| |CA5+c3| |CA6+c4| +------+ +------+ +------+ +------+ +------------------------------+ |LEGEND: | | ***** DIT containment | | + auxiliary attachment | | ----> DN reference | +------------------------------+ #: Number. CA#: pcelsConditionAssociation structural class. cc#: pcelsCompoundConditionAuxClass auxiliary class. c#: subclass of pcimConditionAuxClass. Because the compound conditions /actions are specific to the Rule, They are auxiliary attachments to instances of the structural classes pcelsConditionAssociation or pcelsActionAssociation. These structural classes represent the association between the rule and the compound condition /action . The rule specific conditions /actions are therefore subordinated (DIT contained) to the rule entry. The conditions /actions are tied to the compound conditions /actions in the same way the compound conditions /actions are tied to rules. Association classes realize the association between the aggregating compound conditions /actions and the specific conditions /actions. - Second case: Rule specific compound conditions /actions with reusable conditions /actions. Pana, et al. Expires: July 2004 [page 17] INTERNET-DRAFT PCELS January 2004 +-------------+ +---------------+ +------| Rule |-----+ | ContainerX | | +-------------+ | +---------------+ | * * | * * * * | * * | **** * * * | ********* ******** | * * * ******** | * * v * * * * | * +---------+ * * **** * | * +-| CA2+cc2 |-+ * * * * | * | +---------+ | * * * * v * | * * | * * * * +---------+ | **** **** | * * * * +-| CA1+cc1 |-+ | * * v * * * * | +---------+ | | * +------+ +-----+ * * * | * * | v * | CA6 |->|S1+c4| * * * | **** **** | +------+ +------+ +-----+ +-----+ * * | * * v | CA5 |------------------>|S2+c3| * * | * +------+ +------+ +-----+ +-----+ * v * | CA4 |------------------------------------->|S3+c2| * +------+ +------+ +-----+ +-----+ | CA3 |------------------------------------------------------>|S4+c1| +------+ +-----+ +------------------------------+ |LEGEND: | | ***** DIT containment | | + auxiliary attachment | | ----> DN reference | +------------------------------+ #: Number. CA#: pcelsConditionAssociation structural class. cc#: pcelsCompoundConditionAuxClass auxiliary class. c#: subclass of pcimConditionAuxClass. S#: structural class This case is similar to the first one. The conditions /actions are reusable so they are not attached to the association classes but they are attached to structural classes in the reusable container. The association classes tie the conditions /actions in located in a reusable container to their aggregators using DN references. -Third case: Reusable compound condition /action with specific conditions /actions. Pana, et al. Expires: July 2004 [page 18] INTERNET-DRAFT PCELS January 2004 +--------------+ +--------------+ | Rule | | RepositoryX | +---+--------------+----+ +--------------+ | * * | * * | ******* ******* | ******** ******** | * * v * * | * +----------+ +---------+ * | * | CA2 |--->| S1+cc2 | * | * +----------+ +-+---------+-+ * | * | * * | * | * | **** **** | * | * v * * v * | * +------+ +------+ * | * |CA5+c3| |CA6+c4| * v * +------+ +------+ * +----------+ +---------+ | CA1 |----------------------------------------->| S2+cc1 | +----------+ +-+---------+-+ | * * | | **** **** | v * * v +------+ +------+ |CA3+c1| |CA4+c2| +------+ +------+ +------------------------------+ |LEGEND: | | ***** DIT containment | | + auxiliary attachment | | ----> DN reference | +------------------------------+ #: Number. CA#: pcelsConditionAssociation structural class. cc#: pcelsCompoundConditionAuxClass auxiliary class. c#: subclass of pcimConditionAuxClass. S#: structural class Re-usable compound conditions /actions are attached to structural classes and stored in a reusable policy container. They are related to the rule through a DN reference attribute in the association classes. Specific conditions /actions are attached to association entries and subordinated (DIT contained) to the aggregating compound conditions /actions. -Fourth case: Reusable conditions /actions and compound conditions /actions. Pana, et al. Expires: July 2004 [page 19] INTERNET-DRAFT PCELS January 2004 +------+ +---------------+ +---------------+ +-----| Rule |-----+ | ContainerX | | ContainerY | | +------+ | +---------------+ +---------------+ | * * | * * * * * * | ****** ****** | *** *** *** * * ***** | * * v * * * * * * | * +-------+ +------+ * * * *** * | * | CA2 |->|S1+ca1| * * * * * | * +-------+ +------+ * * * * * | * / * * \ * * * * * | * |** ** | * * * * * | * |* * v * * * * * | * |* +---+ * +-----+ * * * | * |* |CA6|----*--->|S3+c4| * * * | * v* +---+ * +-----+ * * * | * +---+ * +-----+ * * | * |CA5|-----------*--------->|S4+c3| * * v * +---+ * +-----+ * * +-------+ +------+ * * | CA1 |-------------------------->|S2+cc1| * * +-------+ +------+ * * / * * \ * * | ** ** | * * | * * v * * | * +---+ +-----+ * | * |CA4|---------->|S5+c2| * v * +---+ +-----+ * +---+ +-----+ |CA3|--------------------->|S6+c1| +---+ +-----+ +------------------------------+ |LEGEND: | | ***** DIT containment | | + auxiliary attachment | | ----> DN reference | +------------------------------+ #: Number. CA#: pcelsConditionAssociation structural class. cc#: pcelsCompoundConditionAuxClass auxiliary class. c#: subclass of pcimConditionAuxClass. S#: structural class All the conditions /actions are reusable so they are stored in reusable containers. The figure above illustrates two different reusable policy containers but the number of containers in the system is decided based on administrative reasons. The conditions, actions, etc. may be stored in the same container or in different containers with no impact on the policy definition semantics. Pana, et al. Expires: July 2004 [page 20] INTERNET-DRAFT PCELS January 2004 5. Class Definitions The semantics for the policy information classes that are to be mapped directly from the information model to an LDAP representation are detailed in [PCIM_EXT]. Consequently, this document presents only a brief reference to those semantics. The focus here is on the mapping from the information model (which is independent of repository type and access protocol) to a form that can be accessed using LDAP. For various reasons including LDAP specific optimization, this mapping is not always 1:1. Some new classes and attributes needed to be created (that were not part of [PCIM] or [PCIM_EXT]) to implement the LDAP mapping. These new LDAP-only classes are fully defined in this document. The following notes apply to this section in its entirety. Note 1: The formal language for specifying the classes, attributes, and DIT structure and content rules is that defined in [LDAP_SYNTAX]. In the following definitions, the class and attribute definitions follow [LDAP_SYNTAX] but they are line-wrapped to enhance human readability. Note 2: Even though not explicitly noted in the following class and attribute definitions, implementations may define DIT structure and content rules where applicable and supported by the underlying LDAP infrastructure. In such cases, the DIT structure rule considerations presented by section 5 of [PCLS] must be applied to PCELS as well. The reasons and details are presented in [X.501]. Note 3: Wherever possible, both an equality and a substring matching rule are defined for a particular attribute (as well as an ordering match rule to enable sorting of matching results). This provides additional implementation flexibility. Note 4: The following attribute definitions use only LDAP matching rules and syntax definitions from [LDAP_SYNTAX], [LDAP_SCHEMA] and [LDAP_MATCH]. The corresponding X.500 matching rules are defined in [X.520]. Note 5: Some of the following attribute definitions specify additional constraints on various data types (e.g., this integer has values that are valid from 1..10). Text has been added to instruct servers and applications what to do if a value outside of this range is encountered. In all cases, if a constraint is violated, then the policy rule(s) /group(s) SHOULD be treated as being disabled, meaning that execution of the policy rule(s) /group(s) SHOULD be stopped. 5.1 The Class pcelsPolicySet Pana, et al. Expires: July 2004 [page 21] INTERNET-DRAFT PCELS January 2004 The abstract class PolicySet is introduced in [PCIM_EXT] to provide an abstraction for an ordered set of rules /groups. This is mapped here to the pcelsPolicySet object class and may be used for identifying group and rule entries. A pcelsPolicySet instance aggregates other pcelsPolicySet instances using association entries. The association entries enable relative ordering of the aggregated pcelsPolicySet instances within the scope of the aggregating pcelsPolicySet. The pcelsPolicySetList attribute of a pcelsPolicySet instance references subordinated pcelsPolicySetAssociation entries. The aggregated pcelsPolicySet instances are either attached to the pcelsPolicySetAssociation entries as auxiliary object classes or referenced by the pcelsPolicySetAssociation instances using the pcelsPolicySetDN attribute. The definition of the abstract class pcelsPolicySet follows: ( IANA-ASSIGNED-OID.1.x NAME 'pcelsPolicySet' DESC 'Abstract class that represents an ordered set of policies.' SUP pcimPolicy ABSTRACT MAY ( pcelsPolicySetName $ pcelsDecisionStrategy $ pcimRoles $ pcelsPolicySetList ) ) One of the attributes of the pcelsPolicySet class, pcimRoles is defined in the section 5.3 of [PCLS]. In the pcelsPolicySet class the pcimRole attribute preserves its syntax and semantics as defined by [PCLS] and [PCIM]. The attribute pcelsPolicySetName may be used as naming attribute for pcelsPolicySet entries: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsPolicySetName' DESC 'The user-friendly name of a policy set.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) The attribute pcelsDecisionStrategy is used to define the evaluation method among the rules in the policy set and is mapped directly from the PolicyDecisionStrategy property defined in [PCIM_EXT]. Pana, et al. Expires: July 2004 [page 22] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsDecisionStrategy' DESC 'The evaluation method used for the components of a in the pcelsPolicySet. Valid values: 1 (FirstMatching), 2 (AllMatching). Default value: 1.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) The attribute pcelsPolicySetList is used to realize the PolicySetComponent aggregation. ( IANA-ASSIGNED-OID.2.x NAME 'pcelsPolicySetList' DESC 'List of DN references to pcelsPolicySetAssociation entries used to aggregate policy sets.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) Note: For compatibility with [PCIM_EXT] that deprecates the aggregations PolicyRuleInPolicyGroup and PolicyGroupInPolicyGroup, the policy aggregation mechanism provided here by the classes pcelsPolicySet and pcelsPolicySetAssociation SHALL be used instead of the classes pcimGroup, pcimRuleContainmentAuxClass and pcimGroupContainmentAuxClass which are defined by [PCLS]. 5.2 The Structural Class pcelsPolicySetAssociation The pcelsPolicySetAssociation class is used to aggregate instances of pcelsPolicySet into other entries. Instances of the pcelsPolicySetAssociation class are always subordinated to the aggregating entry. When subordinated to a (subclass of) pcelsPolicySet, it realizes a (subclass of) PolicySetComponent aggregation. When subordinated to (subclass of) dlm1System, the pcelsPolicySetAssociation realizes a PolicySetInSystem association. The aggregation of a reusable instance of a (subclass of) pcelsPolicySet is referenced via the pcelsPolicySetDN attribute. A non-reusable instance of (subclass of) pcelsPolicySet is attached as auxiliary class directly to the pcelsPolicySetAssociation entry. If a pcelsPolicySetAssociation instance has a pcelsPolicySet attached to it then the attribute pcelsPolicySetDN SHOULD NOT be present in the same entry. However, if such situation occurs this attribute MUST be ignored. Pana, et al. Expires: July 2004 [page 23] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsPolicySetAssociation' DESC 'Structural class that contains attributes characterizing the relationship between a policy set and one of its components.' SUP pcimPolicy STRUCTURAL MUST ( pcelsPriority ) MAY ( pcelsPolicySetName $ pcelsPolicySetDN ) ) The Attribute pcelsPriority: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsPriority' DESC 'Policy priority. Valid values: any non-negative integer. Default value: 0.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) The Attribute pcelsPolicySetDN: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsPolicySetDN' DESC 'DN reference to a pcelsPolicySet entry.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) 5.3 The Three Classes pcelsRule The pcelsRule is the base class representing policy rules. It re-implements the PolicyRule class with the new semantics specified by [PCIM_EXT], therefore without an absolute priority attribute but with the means to aggregate other policy (sub)rules. The former functionality is inherited from its superclass, the pcelsPolicySet. This class shares the Condition/Action aggregation methods with the pcelsCompoundConditionAuxClass and pcelsCompoundActionAuxClass object classes. Pana, et al. Expires: July 2004 [page 24] INTERNET-DRAFT PCELS January 2004 If a pcelsRule instance has a pcimConditionAuxClass attached to it then the attribute pcelsConditionList SHOULD NOT be present in the same entry for the purpose of associating other conditions to the rule. However, when such situation occurs the referenced conditions MUST NOT be considered as associated to the rule. If a pcelsRule instance has a pcimActionAuxClass attached to it then the attribute pcelsActionList should not be present in the same entry for the purpose of associating other actions to the rule. However, when such situation occurs the referenced actions must not be considered as associated to the rule. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsRule' DESC 'The base class for representing the "If Condition then Action" semantics associated with a Policy Rule' SUP pcelsPolicySet ABSTRACT MAY ( pcimRuleName $ pcimRuleEnabled $ pcimRuleValidityPeriodList $ pcimRuleUsage $ pcimRuleMandatory $ pcelsConditionListType $ pcelsConditionList $ pcelsActionList $ pcelsSequencedActions $ pcelsExecutionStrategy ) ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsRuleAuxClass' DESC 'An auxiliary class for representing the "If Condition then Action" semantics associated with a policy rule.' SUP pcelsRule AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsRuleInstance' DESC 'A structural class for representing the "If Condition then Action" semantics associated with a policy rule.' SUP pcelsRule STRUCTURAL ) Five of the attributes used by the pcelsRule class are defined in the section 5.3 of [PCLS]. These attributes are: pcimRuleName, pcimRuleEnabled, pcimRuleValidityPeriodList, pcimRuleUsage and pcimRuleMandatory. In the pcelsRule object class, these attributes preserve their syntax and semantics as defined by [PCLS] and [PCIM]. Pana, et al. Expires: July 2004 [page 25] INTERNET-DRAFT PCELS January 2004 The attributes pcimRuleConditionListType, pcimRuleConditionList, pcimRuleActionList and pcimRuleSequencedActions defined in [PCLS] are not used by pcelsRule. Instead, this class uses the new attributes pcelsConditionListType, pcelsConditionList, pcelsActionList and pcelsSequencedActions that are also used for similar purpose by either pcelsCompoundConditionAuxClass or pcelsCompoundActionAuxClass. The attribute definitions are: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsConditionListType' DESC 'Indicates whether the list of aggregated conditions is in disjunctive or in conjunctive normal form. Valid values: 1 (Disjunctive), 2 (Conjunctive). Default value: 1.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) ( IANA-ASSIGNED-OID.2.x NAME 'pcelsConditionList' DESC 'Unordered set of DN references to pcelsConditionAssociation entries used to aggregate policy conditions.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) ( IANA-ASSIGNED-OID.2.x NAME 'pcelsActionList' DESC 'Unordered set of DN references to pcelsActionAssociation entries used to aggregate policy actions.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) ( IANA-ASSIGNED-OID.2.x NAME 'pcelsSequencedActions' DESC 'Indicates whether the ordered execution of actions in an aggregate is Mandatory, Recommended or DontCare. Valid Values: 1 (Mandatory), 2(Recommended) 3 (DontCare). Default value: 3.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) The new attribute pcelsExecutionStrategy is a direct mapping of the ExecutionStrategy property in the [PCIM_EXT]'s PolicyRule class. Pana, et al. Expires: July 2004 [page 26] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsExecutionStrategy' DESC 'Indicates the execution strategy to be used upon an action aggregate. Valid values: 1 (Do until success]), 2 (Do all) and 3 (Do until failure). Default value: 2.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) Note 1: [PCLS] implements the PolicyRuleValidityPeriod aggregation defined by [PCIM] using the attribute pcimRuleValidityPeriodList, the class pcimRuleValidityAssociation, (optionally) the attribute pcimTimePeriodCondition and the class pcimTPCAuxClass. This mechanism is reused here in the context of the pcelsRule object class. As result, the class pcimRuleValidityAssociation SHOULD be expected (and allowed) to have instances of pcelsRule as superior entries. Note 2: The PolicyGroup redefined by [PCIM_EXT] is not explicitly mapped to an object class. Instead, for representing ordered sets of policy rules, implementations SHALL use pcelsRule instances with no associated validity periods, policy conditions or policy actions. If submodels define specific PolicyGroup classes, such classes SHOULD derive directly from the pcelsPolicySet object class. Note 3: For compatibility with [PCIM_EXT] that deprecates the absolute priority mechanism, the class pcelsRule SHALL be used instead of the class pcimRule defined by [PCLS]. 5.4 The Structural Class pcelsConditionAssociation The pcelsConditionAssociation class is used to aggregate policy conditions in pcelsRule or in pcelsCompoundConditionAuxClass. Instances of this class are always subordinated to the aggregating pcelsRule or pcelsCompoundConditionAuxClass. When subordinated to a pcelsRule, the pcelsConditionAssociation implements the PolicyConditionInPolicyRule aggregation defined by [PCIM_EXT]. When subordinated to a pcelsCompoundConditionAuxClass, the pcelsConditionAssociation implements the PolicyConditionInPolicyCondition aggregation defined by [PCIM_EXT]. The aggregation of a reusable instance of (subclass of) pcimConditionAuxClass is referenced via the pcimConditionDN attribute. A non-reusable instance of (subclass of) pcimConditionAuxClass is attached directly to the pcelsConditionAssociation entry. Pana, et al. Expires: July 2004 [page 27] INTERNET-DRAFT PCELS January 2004 If a pcelsConditionAssociation instance has a pcimConditionAuxClass attached to it then the attribute pcimConditionDN SHOULD NOT be present in the same entry. However, if such situation occurs this attribute MUST be ignored. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsConditionAssociation' DESC 'This class contains attributes characterizing the relationship between a policy condition and one of its aggregators: pcelsRule or pcelsCompoundConditionAuxClass. It is used in the realization of a policy condition structure.' SUP pcimRuleConditionAssociation STRUCTURAL ) This class extends the semantics of the pcimRuleConditionAssociation object class without using any new attributes. All its attributes are inherited from the pcimRuleConditionAssociation that is defined in section 5.4 of [PCLS]. 5.5 The Structural Class pcelsActionAssociation The pcelsActionAssociation class is used to aggregate policy actions in pcelsRule or in pcelsCompoundActionAuxClass. Instances of this class are always subordinated to the aggregating pcelsRule or pcelsCompoundActionAuxClass. When subordinated to a pcelsRule, the pcelsActionAssociation implements the PolicyActionInPolicyRule aggregation defined by [PCIM_EXT]. When subordinated to a pcelsCompoundActionAuxClass, the pcelsActionAssociation implements the PolicyActionInPolicyAction aggregation defined by [PCIM_EXT]. The aggregation of a reusable instance of (subclass of) pcimActionAuxClass is referenced via the pcimActionDN attribute. A non-reusable instance of (subclass of) pcimActionAuxClass is attached directly to the pcelsActionAssociation entry. If a pcelsActionAssociation instance has a pcimActionAuxClass attached to it then the attribute pcimActionDN SHOULD NOT be present in the same entry. However, if such situation occurs this attribute MUST be ignored. Pana, et al. Expires: July 2004 [page 28] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsActionAssociation' DESC 'This class contains attributes characterizing the relationship between a policy action and one of its aggregators: pcelsRule or pcelsCompoundActionAuxClass. It is used in the realization of a policy action structure.' SUP pcimRuleActionAssociation STRUCTURAL ) This class extends the semantics of the pcimRuleActionAssociation object class without using any new attributes. All its attributes are inherited from the pcimRuleActionAssociation that is defined in section 5.6 of [PCLS]. 5.6 The Auxiliary Class pcelsSimpleConditionAuxClass. This class implements a Value matching condition for a Variable. The "match" relationship is to be interpreted by analyzing the variable and value instances associated with the simple condition. Its two attributes realize the PolicyValueinSimplePolicyCondition and PolicyVariableinSimplePolicyCondition associations defined in [PCIM_EXT]. A reusable variable / value is associated to a pcelsSimpleConditionAuxClass via the pcelsVariableDN / pcelsValueDN reference from the simple condition entry. A non-reusable variable / value is associated directly as auxiliary object class to the pcelsSimpleConditionAuxClass entry. If a pcelsSimpleConditionAuxClass instance has a pcelsVariable attached to it then the attribute pcelsVariableDN SHOULD NOT be present in the same entry. However, if such situation occurs this attribute MUST be ignored. If a pcelsSimpleConditionAuxClass instance has a pcelsValueAuxClass attached to it then the attribute pcelsValueDN SHOULD NOT be present in the same entry. However, if such situation occurs this attribute MUST be ignored. The class definition follows: Pana, et al. Expires: July 2004 [page 29] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsSimpleConditionAuxClass' DESC 'An auxiliary class that evaluates the matching between a value and a variable'. SUP pcimConditionAuxClass AUXILIARY MAY ( pcelsVariableDN $ pcelsValueDN ) ) The pcelsVariableDN attribute definition is: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsVariableDN' DESC 'DN reference to a pcelsVariable entry.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) The pcelsValueDN attribute definition is: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsValueDN' DESC 'DN reference to a pcelsValueAuxClass entry.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) Note: An instance of pcelsSimpleActionAuxClass and an instance of pcelsSimpleConditionAuxClass MUST NOT be attached to a same entry. Because the two classes use the same mechanisms to associate Variables and Values, this restriction is necessary in order to avoid ambiguities. 5.7 The Auxiliary Class pcelsCompoundConditionAuxClass. This class represents a compound policy condition, formed by aggregation of other policy conditions. A boolean attribute indicates whether the compounded conditions are to be interpreted as disjunctive normal form or conjunctive normal form. The class definition follows: Pana, et al. Expires: July 2004 [page 30] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsCompoundConditionAuxClass' DESC 'An auxiliary class that represents a boolean combination of simpler conditions'. SUP pcimConditionAuxClass AUXILIARY MAY ( pcelsConditionListType $ pcelsConditionList ) ) The attribute pcelsConditionListType is used to specify whether the list of policy conditions associated with this compound policy condition is in disjunctive normal form (DNF) or conjunctive normal form (CNF). The attribute pcelsConditionList is an unordered set of DN references to conditions aggregated in the compound condition. These attributes are defined in section 5.3. 5.8 The Auxiliary Class pcelsCompoundFilterAuxClass. This class represents a domain-level filter and it typically contains a set of simple conditions. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsCompoundFilterAuxClass' DESC 'A compound condition with mirroring capabilities for traffic characterization.' SUP pcelsCompoundConditionAuxClass AUXILIARY MAY ( pcelsIsMirrored ) ) The Attribute pcelsIsMirrored: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIsMirrored' DESC 'Indicates whether traffic that mirrors the specified filter is to be treated as matching the filter. Default value: FALSE.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 5.9 The Auxiliary Class pcelsSimpleActionAuxClass. This class implements the action of assigning a Value to a Variable. Its two attributes realize the PolicyValueInSimplePolicyAction and PolciyVariableInSimplePolicyAction associations defined in [PCIM_EXT]. Pana, et al. Expires: July 2004 [page 31] INTERNET-DRAFT PCELS January 2004 A reusable variable / value is associated to a pcelsSimpleActionAuxClass via the pcelsVariableDN / pcelsValueDN reference from the simple action entry. A non-reusable variable / value is associated directly as auxiliary object class to the pcelsSimpleActionAuxClass entry. If a pcelsSimpleActionAuxClass instance has a pcelsVariable attached to it then the attribute pcelsVariableDN SHOULD NOT be present in the same entry. However, if such situation occurs this attribute MUST be ignored. If a pcelsSimpleActionAuxClass instance has a pcelsValueAuxClass attached to it then the attribute pcelsValueDN SHOULD NOT be present in the same entry. However, if such situation occurs this attribute MUST be ignored. The class definition is as follows: ( IANA-ASSIGNED-OID.1.x NAME 'pcelsSimpleActionAuxClass' DESC 'This class contains attributes characterizing the relationship between a Simple PolicyAction and one variable and one value.' SUP pcimActionAuxClass AUXILIARY MAY ( pcelsVariableDN $ pcelsValueDN ) ) The attributes are defined in section 5.6. A instance of pcelsSimpleActionAuxClass and an instance of pcelsSimpleConditionAuxClass MUST NOT be attached to a same entry. Because the two classes use the same mechanisms to associate Variables and Values, this restriction is necessary in order to avoid ambiguities. 5.10 The Auxiliary Class pcelsCompoundActionAuxClass. This class maps the CompoundPolicyAction class of the [PCIM_EXT]. The class definition follows: Pana, et al. Expires: July 2004 [page 32] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsCompoundActionAuxClass' DESC 'A class that aggregates simpler actions in a sequence with specific execution strategy.' SUP pcimActionAuxClass AUXILIARY MAY ( pcelsActionList $ pcelsSequencedActions $ pcelsExecutionStrategy ) ) The attributes pcelsSequencedActions, pcelsExecutionStrategy and pcelsActionList are defined in section 5.3 . 5.11 The Abstract Class pcelsVariable. Variables specify properties of a flow or an event that should be matched when evaluating the condition. A pcelsVariable instance selects the set of matched values through the ExpectedPolicyValuesForVariable association. A pcelsVariable entry may be associated to a set of pcelsValueAuxClass entries that represent its expected values. The expected values for a variable may be indicated by: (1) pcelsExpectedValueList references to reusable instances of pcelsValueAuxClass or by (2) pcelsExpectedValueList references to subordinated non-reusable instances of pcelsValueAuxClass ( IANA-ASSIGNED-OID.1.x NAME 'pcelsVariable' DESC 'Base class for representing a variable whose actual value can be matched against or set to a specific value.' SUP top ABSTRACT MAY ( pcelsVariableName $ pcelsExpectedValueList ) ) The attribute pcelsVariableName is an user-friendly name for the variable. ( IANA-ASSIGNED-OID.2.x NAME 'pcelsVariableName' DESC 'The user-friendly name of a variable.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) Pana, et al. Expires: July 2004 [page 33] INTERNET-DRAFT PCELS January 2004 The attribute pcelsExpectedValueList is an unordered set of DN references to subclasses of pcelsValueAuxClass. It maps the [PCIM_EXT] ExpectedPolicyValuesForVariable association: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsExpectedValueList' DESC 'List of DN references to pcelsValueAuxClass entries that represent the acceptable values.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) 5.12 The Auxiliary Class pcelsExplicitVariableAuxClass The subclass pcelsExplicitVariableAuxClass is defined as follows: ( IANA-ASSIGNED-OID.1.x NAME 'pcelsExplicitVariableAuxClass' DESC 'Explicitly defined policy variable evaluated within the context of the CIM Schema.' SUP pcelsVariable AUXILIARY MUST ( pcelsVariableModelClass $ pcelsVariableModelProperty ) ) The attribute pcelsVariableModelClass is a string specifying the class name whose property is evaluated or set as a variable: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsVariableModelClass' DESC 'Specifies a CIM class name or OID.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) The attribute pcelsVariableModelProperty is a string specifying the attribute, within the pcelsVariableModelClass, which is evaluated or set as a variable: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsVariableModelProperty' DESC 'Specifies a CIM property name or OID.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) Pana, et al. Expires: July 2004 [page 34] INTERNET-DRAFT PCELS January 2004 5.13 The Auxiliary Class pcelsImplicitVariableAuxClass The subclass pcelsImplicitVariableAuxClass is defined as follows: ( IANA-ASSIGNED-OID.1.x NAME 'pcelsImplicitVariableAuxClass' DESC 'Implicitly defined policy variables whose evaluation depends on the usage context. Subclasses specify the data type and semantics of the variables.' SUP pcelsVariable AUXILIARY MUST ( pcelsExpectedValueTypes ) ) The attribute pcelsExpectedValueTypes is the direct mapping from the valueTypes property in the [PCIM_EXT] PolicyImplicitVariable class. This attribute represents a set of allowed value types to be used with this variable. ( IANA-ASSIGNED-OID.2.x NAME 'pcelsExpectedValueTypes' DESC 'List of object class names or OIDs of subclasses of pcelsValueAuxClass that define acceptable value types.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 5.14 The Subclasses of pcelsImplicitVariableAuxClass ( IANA-ASSIGNED-OID.1.x NAME 'pcelsSourceIPv4VariableAuxClass' DESC 'Source IP v4 address' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsSourceIPv6VariableAuxClass' DESC 'Source IP v6 address' SUP pcelsImplicitVariableAuxClass AUXILIARY ) Pana, et al. Expires: July 2004 [page 35] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsDestinationIPv4VariableAuxClass' DESC 'Destination IP v4 address' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsDestinationIPv6VariableAuxClass' DESC 'Destination IP v6 address' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsSourcePortVariableAuxClass' DESC 'Source port' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsDestinationPortVariableAuxClass' DESC 'Destination port' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsIPProtocolVariableAuxClass' DESC 'IP protocol number' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsIPVersionVariableAuxClass' DESC 'IP version number' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsIPToSVariableAuxClass' DESC 'IP ToS' SUP pcelsImplicitVariableAuxClass AUXILIARY ) Pana, et al. Expires: July 2004 [page 36] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsDSCPVariableAuxClass' DESC 'DiffServ code point' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsFlowIdVariableAuxClass' DESC 'Flow Identifier' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsSourceMACVariableAuxClass' DESC 'Source MAC address' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsDestinationMACVariableAuxClass' DESC 'Destination MAC address' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsVLANVariableAuxClass' DESC 'VLAN' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsCoSVariableAuxClass' DESC 'Class of service' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsEthertypeVariableAuxClass' DESC 'Ethertype' SUP pcelsImplicitVariableAuxClass AUXILIARY ) Pana, et al. Expires: July 2004 [page 37] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsSourceSAPVariableAuxClass' DESC 'Source SAP' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsDestinationSAPVariableAuxClass' DESC 'Destination SAP' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsSNAPOUIVariableAuxClass' DESC 'SNAP OUI' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsSNAPTypeVariableAuxClass' DESC 'SNAP type' SUP pcelsImplicitVariableAuxClass AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsFlowDirectionVariableAuxClass' DESC 'Flow direction' SUP pcelsImplicitVariableAuxClass AUXILIARY ) 5.15 The Auxiliary Class pcelsValueAuxClass. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsValueAuxClass' DESC 'Base class for representing a value that can be matched against or set for a specific variable.' SUP top AUXILIARY MAY ( pcelsValueName ) ) The Attribute pcelsValueName: Pana, et al. Expires: July 2004 [page 38] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsValueName' DESC 'The user-friendly name of a value.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 5.16 The Subclasses of pcelsValueAuxClass. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsIPv4AddrValueAuxClass' DESC 'IPv4 address value.' SUP pcelsValueAuxClass AUXILIARY MUST ( pcelsIPv4AddrList ) ) The Attribute pcelsIPv4AddrList: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPv4AddrList' DESC 'List of IPv4 address values, ranges or hosts.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsIPv6AddrValueAuxClass' DESC 'IPv6 address value.' SUP pcelsValueAuxClass AUXILIARY MUST ( pcelsIPv6AddrList ) ) The Attribute pcelsIPv6AddrList: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPv6AddrList' DESC 'List of IPv6 address values, ranges or hosts.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) Pana, et al. Expires: July 2004 [page 39] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsMACAddrValueAuxClass' DESC 'MAC address value.' SUP pcelsValueAuxClass AUXILIARY MUST ( pcelsMACAddrList ) ) The Attribute pcelsMACAddrList: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsMACAddrList' DESC 'List of MAC address values or ranges.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsStringValueAuxClass' DESC 'String value.' SUP pcelsValueAuxClass AUXILIARY MUST ( pcelsStringList ) ) The Attribute pcelsStringList: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsStringList' DESC 'List of strings or wildcarded strings.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsBitStringValueAuxClass' DESC 'Bit string value.' SUP pcelsValueAuxClass AUXILIARY MUST ( pcelsBitStringList ) ) The Attribute pcelsBitStringList: Pana, et al. Expires: July 2004 [page 40] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsBitStringList' DESC 'List of bit strings or masked bit strings.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsIntegerValueAuxClass' DESC 'Integer value.' SUP pcelsValueAuxClass AUXILIARY MUST ( pcelsIntegerList ) ) The Attribute pcelsIntegerList: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIntegerList' DESC 'List of integers or integer ranges.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsBooleanValueAuxClass' DESC 'Boolean value.' SUP pcelsValueAuxClass AUXILIARY MUST ( pcelsBoolean ) ) The Attribute pcelsBoolean: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsBoolean' DESC 'A boolean value.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 5.17 The Three Classes pcelsReusableContainer Pana, et al. Expires: July 2004 [page 41] INTERNET-DRAFT PCELS January 2004 This class represents a container of reusable policy elements. The elements contained in a reusable policy container are aggregated via subordination to a pcelsReusableContainer instance (DIT containment). A reusable policy container can include the elements of an other reusable policy container by aggregating the container itself. This is realized by DIT containment when the policy containers are subordinated to one an other, or by reference when the aggregating policy container references the aggregated one using the attribute pcelsReusableContainerList. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsReusableContainer' DESC 'A container for reusable policy information.' SUP pcimRepository ABSTRACT MAY ( pcelsReusableContainerName $ pcelsReusableContainerList ) ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsReusableContainerAuxClass ' DESC 'An auxiliary class that can be used to aggregate reusable policy information.' SUP pcelsReusableContainer AUXILIARY ) ( IANA-ASSIGNED-OID.1.x NAME 'pcelsReusableContainerInstance' DESC 'A structural class that can be used to aggregate reusable policy information.' SUP pcelsReusableContainer STRUCTURAL ) The Attribute pcelsReusableContainerName: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsReusableContainerName' DESC 'The user-friendly name of a reusable policy container.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) The Attribute pcelsReusableContainerList: Pana, et al. Expires: July 2004 [page 42] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsReusableContainerList' DESC 'List of DN references to pcelsReusableContainer entries.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) Note: For compliance with [PCIM_EXT] that deprecates the PolicyRepository class, implementations SHALL use the subclasses of pcelsReusableContainer defined here instead of the classes pcimRepositoryInstance and pcimRepositoryAuxClass. 5.18 The Structural Class pcelsRoleCollection. The pcelsRoleCollection class creates the means for the association of policy roles to resources represented as LDAP entries. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsRoleCollection' DESC 'This class is used to group together entries that share a same role.' SUP pcimPolicy STRUCTURAL MUST ( pcelsRole ) MAY ( pcelsRoleCollectionName $ pcelsElementList ) ) The Attribute pcelsRole: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsRole' DESC 'String representing a role.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) The Attribute pcelsRoleCollectionName: Pana, et al. Expires: July 2004 [page 43] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsRoleCollectionName' DESC 'The user-friendly name of a role collection.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) The Attribute pcelsElementList: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsElementList' DESC 'List of DN references to entries representing managed elements.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) 5.19 The Abstract Class pcelsFilterEntry The abstract class pcelsFilterEntry implements the FilterEntryBase class from [PCIM_EXT]. This class is the base class for defining message or packet filters. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsFilterEntry' DESC 'This class is used as a base class for representing message or packet filters.' SUP pcimPolicy ABSTRACT MAY ( pcelsFilterName $ pcelsFilterIsNegated ) ) The Attribute pcelsFilterName may be used as naming attribute for filter entries: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsFilterName' DESC 'The user-friendly name of a filter.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) Pana, et al. Expires: July 2004 [page 44] INTERNET-DRAFT PCELS January 2004 The Attribute pcelsFilterIsNegated indicates whether the specified criteria is to be negated or not in the process of matching a message or packet against the filter: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsFilterIsNegated' DESC 'If TRUE, indicates that the filter matches all but the messages or packets that conform to the specified criteria. Default: FALSE.' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 5.20 The Structural Class pcelsIPHeaders. The class pcelsIPHeaders implements the IpHeadersFilter class of the [PCIM_EXT] model. It provides means for filtering traffic by values in the IP header. Optional attributes, if not specified shall be treated as 'all values'. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsIPHeaders' DESC 'This class defines an IP header filter.' SUP pcelsFilterEntry STRUCTURAL MAY ( pcelsIPHdrVersion $ pcelsIPHdrSourceAddress $ pcelsIPHdrSourceAddressEndOfRange $ pcelsIPHdrSourceMask $ pcelsIPHdrDestAddress $ pcelsIPHdrDestAddressEndOfRange $ pcelsIPHdrDestMask $ pcelsIPHdrProtocolID $ pcelsIPHdrSourcePortStart $ pcelsIPHdrSourcePortEnd $ pcelsIPHdrDestPortStart $ pcelsIPHdrDestPortEnd $ pcelsIPHdrDSCPList $ pcelsIPHdrFlowLabel ) ) Pana, et al. Expires: July 2004 [page 45] INTERNET-DRAFT PCELS January 2004 The attribute pcelsIPHdrVersion identifies the IP version and dictates the format for the IP version dependent attribute values in a pcelsIPHeaders entry. These attributes are: pcelsIPHdrSourceAddress pcelsIPHdrSourceAddressEndOfRange pcelsIPHdrSourceMask pcelsIPHdrDestAddress pcelsIPHdrDestAddressEndOfRange pcelsIPHdrDestMask If a value for this attribute is not provided, then the filter does not consider IP version in selecting matching packets. In this case, IP version dependent attributes must not be present in the filter entry. The possible values of pcelsIPHdrVersion are '4' and '6'. ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrVersion' DESC 'The IP version. Valid values: 4, 6.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) The attribute pcelsIPHdrSourceAddress: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrSourceAddress' DESC 'The IP source address.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcelsIPHdrSourceAddressEndOfRange: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrSourceAddressEndOfRange' DESC 'The end or address range for the IP source address.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcelsIPHdrSourceMask: Pana, et al. Expires: July 2004 [page 46] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrSourceMask' DESC 'The address mask for the IP source address.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcelsIPHdrDestAddress: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrDestAddress' DESC 'The IP destination address.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcelsIPHdrDestAddressEndOfRange: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrDestAddressEndOfRange' DESC 'The end of address range for the IP destination address.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcelsIPHdrDestMask: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrDestMask' DESC 'The address mask for the IP destination address.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcelsIPHdrProtocolID: Pana, et al. Expires: July 2004 [page 47] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrProtocolID' DESC 'The IP protocol type. Valid values: 0..255.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) The attribute pcelsIPHdrSourcePortStart: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrSourcePortStart' DESC 'The start of the source port range. Valid values: 0..65535.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) The attribute pcelsIPHdrSourcePortEnd: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrSourcePortEnd' DESC 'The end of the source port range. Valid values: 0..65535.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) The attribute pcelsIPHdrDestPortStart: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrDestPortStart' DESC 'The start of the destination port range. Valid values: 0..65535.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) The attribute pcelsIPHdrDestPortEnd: Pana, et al. Expires: July 2004 [page 48] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrDestPortEnd' DESC 'The end of the destination port range. Valid values: 0..65535.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) The multi-value attribute pcelsIPHdrDSCPList: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrDSCPList' DESC 'The DSCP values. Valid values: 0..63.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) The attribute pcelsIPHdrFlowLabel: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsIPHdrFlowLabel' DESC 'The IP flow label.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) 5.21 The Structural Class pcels8021Headers. ( IANA-ASSIGNED-OID.1.x NAME ' pcels8021Headers' DESC 'This class defines an 802.1 header filter.' SUP pcelsFilterEntry STRUCTURAL MAY ( pcels8021HdrSourceMACAddress $ pcels8021HdrSourceMACMask $ pcels8021HdrDestMACAddress $ pcels8021HdrDestMACMask $ pcels8021HdrProtocolID $ pcels8021HdrPriority $ pcels8021HdrVLANID ) ) The attribute pcels8021HdrSourceMACAddress: Pana, et al. Expires: July 2004 [page 49] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcels8021HdrSourceMACAddress' DESC 'The source MAC address.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcels8021HdrSourceMACMask: ( IANA-ASSIGNED-OID.2.x NAME 'pcels8021HdrSourceMACMask' DESC 'The source MAC address mask.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcels8021HdrDestMACAddress: ( IANA-ASSIGNED-OID.2.x NAME 'pcels8021HdrDestMACAddress' DESC 'The destination MAC address.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcels8021HdrDestMACMask: ( IANA-ASSIGNED-OID.2.x NAME 'pcels8021HdrDestMACMask' DESC 'The destination MAC address mask.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) The attribute pcels8021HdrProtocolID: ( IANA-ASSIGNED-OID.2.x NAME 'pcels8021HdrProtocolID' DESC 'The 802.1 protocol ID. Valid values: 0..65535.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) Pana, et al. Expires: July 2004 [page 50] INTERNET-DRAFT PCELS January 2004 The attribute pcels8021HdrPriority: ( IANA-ASSIGNED-OID.2.x NAME 'pcels8021HdrPriority' DESC 'The 802.1 priority. Valid values: 0..7.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) The attribute pcels8021HdrVLANID: ( IANA-ASSIGNED-OID.2.x NAME 'pcels8021HdrVLANID' DESC 'The 802.1 VLAN ID. Valid values: 0..4095.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 5.22 The Auxiliary Class pcelsFilterListAuxClass. This class represents a set of device-level filters aggregated in a policy condition. Therefore, instances of this class can be used in policy rules or as elements of more complex compound conditions. The aggregation EntriesInFilterList from the [PCIM_EXT] model is implemented by the multi-value attribute pcelsFilterEntryList. The EntrySequence property of the aggregation EntriesInFilterList that is restricted to its default value ('0') in the [PCIM_EXT] model is redundant and therefore not implemented. ( IANA-ASSIGNED-OID.1.x NAME 'pcelsFilterListAuxClass' DESC 'This class is used to aggregate filters represented as subclasses of pcelsFilterEntry.' SUP pcimConditionAuxClass STRUCTURAL MAY ( pcelsFilterListName $ pcelsFilterDirection $ pcelsFilterEntryList ) ) The Attribute pcelsFilterListName may be used as naming attribute for filter lists: Pana, et al. Expires: July 2004 [page 51] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.2.x NAME 'pcelsFilterListName' DESC 'The user-friendly name of a filter list.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) The attribute pcelsFilterDirection indicates the direction of the packets or messages relative to the interface where the filter is applied. The possible values are: NotApplicable(0), Input(1), Output(2), Both(3), Mirrored(4). ( IANA-ASSIGNED-OID.2.x NAME 'pcelsFilterDirection' DESC 'The direction of the packets or messages to which this filter is to be applied. Valid values: 0 (NotApplicable), 1 (Input), 2 (Output), 3 (Both) and 4 (Mirrored). Default value: 0.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) The attribute pcelsFilterEntryList: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsFilterEntryList' DESC 'List of DN references to pcelsFilterEntry entries.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) 5.23 The Auxiliary Class pcelsVendorVariableAuxClass. This class provides a general extension mechanism for representing policy variables that have not been modeled with specific properties. Instead, its two properties are used to define the content and format of the variable, as explained below. This class is intended for vendor-specific extensions that are not amenable to using pcelsVariable; standardized extensions SHOULD NOT use this class. The class definition is as follows: Pana, et al. Expires: July 2004 [page 52] INTERNET-DRAFT PCELS January 2004 ( IANA-ASSIGNED-OID.1.x NAME 'pcelsVendorVariableAuxClass' DESC 'A class that defines a registered means to describe a policy variable.' SUP pcelsVariable AUXILIARY MAY ( pcelsVendorVariableData $ pcelsVendorVariableEncoding ) ) The pcelsVendorVariableData attribute is a multi-valued attribute. It provides a general mechanism for representing policy variables that have not been modeled as specific attributes. This information is encoded in a set of octet strings. The format of the octet strings is identified by the OID stored in the pcelsVendorVariableEncoding attribute. This attribute is defined as follows: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsVendorVariableData' DESC 'Mechanism for representing variables that have not been modeled as specific attributes. Their format is identified by the OID stored in the attribute pcelsVendorVariableEncoding.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) The pcelsVendorVariableEncoding attribute is used to identify the format and semantics for the pcelsVendorVariableData attribute. This attribute is defined as follows: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsVendorVariableEncoding' DESC 'An OID identifying the format and semantics for the pcelsVendorVariableData for this instance.' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE ) 5.24 The Auxiliary Class pcelsVendorValueAuxClass. This class provides a general extension mechanism for representing policy values that have not been modeled with specific properties. Instead, its two properties are used to define the content and format of the value, as explained below. This class is intended for vendor-specific extensions that are not amenable to using pcelsValueAuxClass; standardized extensions SHOULD NOT use this class. Pana, et al. Expires: July 2004 [page 53] INTERNET-DRAFT PCELS January 2004 The class definition is as follows: ( IANA-ASSIGNED-OID.1.x NAME 'pcelsVendorValueAuxClass' DESC 'A class that defines a registered means to describe a policy value.' SUP pcelsValueAuxClass AUXILIARY MAY ( pcelsVendorValueData $ pcelsVendorValueEncoding ) ) The pcelsVendorValueData attribute is a multi-valued attribute. It provides a general mechanism for representing policy values that have not been modeled as specific attributes. This information is encoded in a set of octet strings. The format of the octet strings is identified by the OID stored in the pcelsVendorValueEncoding attribute. This attribute is defined as follows: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsVendorValueData' DESC 'Mechanism for representing values that have not been modeled as specific attributes. Their format is identified by the OID stored in the attribute pcelsVendorValueEncoding.' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) The pcelsVendorValueEncoding attribute is used to identify the format and semantics for the pcelsVendorValueData attribute. This attribute is defined as follows: ( IANA-ASSIGNED-OID.2.x NAME 'pcelsVendorValueEncoding' DESC 'An OID identifying the format and semantics for the pcelsVendorValueData for this instance.' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE ) 6. Security Considerations The Policy Core LDAP Schema [PCLS] describes the general security considerations related to the general core policy schema. The extensions defined in this document do not introduce any additional considerations related to security. Pana, et al. Expires: July 2004 [page 54] INTERNET-DRAFT PCELS January 2004 7. IANA Considerations 7.1 Object Identifiers It is requested that IANA register an LDAP Object Identifier for use in this technical specification according to the following template: Subject: Request for LDAP OID Registration Person & e-mail address to contact for further information: Mircea Pana (mpana@metasolv.com) Specification: RFC xxxx Author/Change Controller: IESG Comments: The assigned OID will be used as a base for identifying a number of schema elements defined in this document. 7.2 Object Identifier Descriptors It is requested that IANA register the LDAP Descriptors used in this technical specification as detailed in the following template: Subject: Request for LDAP Descriptor Registration Update Descriptor (short name): see comment Object Identifier: see comment Person & e-mail address to contact for further information: Mircea Pana (mpana@metasolv.com) Usage: see comment Specification: RFC xxxx Author/Change Controller: IESG Comments: The following descriptors should be added: NAME Type OID -------------- ---- ------------ pcelsPolicySet O IANA-ASSIGNED-OID.1.x pcelsPolicySetName A IANA-ASSIGNED-OID.2.x pcelsDecisionStrategy A IANA-ASSIGNED-OID.2.x pcelsPolicySetList A IANA-ASSIGNED-OID.2.x pcelsPolicySetAssociation O IANA-ASSIGNED-OID.1.x pcelsPriority A IANA-ASSIGNED-OID.2.x pcelsPolicySetDN A IANA-ASSIGNED-OID.2.x pcelsRule O IANA-ASSIGNED-OID.1.x pcelsRuleAuxClass O IANA-ASSIGNED-OID.1.x pcelsRuleInstance O IANA-ASSIGNED-OID.1.x pcelsConditionListType A IANA-ASSIGNED-OID.2.x pcelsConditionList A IANA-ASSIGNED-OID.2.x pcelsActionList A IANA-ASSIGNED-OID.2.x pcelsSequencedActions A IANA-ASSIGNED-OID.2.x Pana, et al. Expires: July 2004 [page 55] INTERNET-DRAFT PCELS January 2004 pcelsExecutionStrategy A IANA-ASSIGNED-OID.2.x pcelsConditionAssociation O IANA-ASSIGNED-OID.1.x pcelsActionAssociation O IANA-ASSIGNED-OID.1.x pcelsSimpleConditionAuxClass O IANA-ASSIGNED-OID.1.x pcelsVariableDN A IANA-ASSIGNED-OID.2.x pcelsValueDN A IANA-ASSIGNED-OID.2.x pcelsCompoundConditionAuxClass O IANA-ASSIGNED-OID.1.x pcelsCompoundFilterAuxClass O IANA-ASSIGNED-OID.1.x pcelsIsMirrored A IANA-ASSIGNED-OID.2.x pcelsSimpleActionAuxClass O IANA-ASSIGNED-OID.1.x pcelsCompoundActionAuxClass O IANA-ASSIGNED-OID.1.x pcelsVariable O IANA-ASSIGNED-OID.1.x pcelsVariableName A IANA-ASSIGNED-OID.2.x pcelsExpectedValueList A IANA-ASSIGNED-OID.2.x pcelsExplicitVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsVariableModelClass A IANA-ASSIGNED-OID.2.x pcelsVariableModelProperty A IANA-ASSIGNED-OID.2.x pcelsImplicitVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsExpectedValueTypes A IANA-ASSIGNED-OID.2.x pcelsSourceIPv4VariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsSourceIPv6VariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsDestinationIPv4VariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsDestinationIPv6VariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsSourcePortVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsDestinationPortVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsIPProtocolVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsIPVersionVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsIPToSVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsDSCPVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsFlowIdVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsSourceMACVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsDestinationMACVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsVLANVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsCoSVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsEthertypeVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsSourceSAPVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsDestinationSAPVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsSNAPOUIVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsSNAPTypeVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsFlowDirectionVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsValueAuxClass O IANA-ASSIGNED-OID.1.x pcelsValueName A IANA-ASSIGNED-OID.2.x pcelsIPv4AddrValueAuxClass O IANA-ASSIGNED-OID.1.x pcelsIPv4AddrList A IANA-ASSIGNED-OID.2.x pcelsIPv6AddrValueAuxClass O IANA-ASSIGNED-OID.1.x pcelsIPv6AddrList A IANA-ASSIGNED-OID.2.x pcelsMACAddrValueAuxClass O IANA-ASSIGNED-OID.1.x pcelsMACAddrList A IANA-ASSIGNED-OID.2.x pcelsStringValueAuxClass O IANA-ASSIGNED-OID.1.x pcelsStringList A IANA-ASSIGNED-OID.2.x pcelsBitStringValueAuxClass O IANA-ASSIGNED-OID.1.x pcelsBitStringList A IANA-ASSIGNED-OID.2.x Pana, et al. Expires: July 2004 [page 56] INTERNET-DRAFT PCELS January 2004 pcelsIntegerValueAuxClass O IANA-ASSIGNED-OID.1.x pcelsIntegerList A IANA-ASSIGNED-OID.2.x pcelsBooleanValueAuxClass O IANA-ASSIGNED-OID.1.x pcelsBoolean A IANA-ASSIGNED-OID.2.x pcelsReusableContainer O IANA-ASSIGNED-OID.1.x pcelsReusableContainerAuxClass O IANA-ASSIGNED-OID.1.x pcelsReusableContainerInstance O IANA-ASSIGNED-OID.1.x pcelsReusableContainerName A IANA-ASSIGNED-OID.2.x pcelsReusableContainerList A IANA-ASSIGNED-OID.2.x pcelsRoleCollection O IANA-ASSIGNED-OID.1.x pcelsRole A IANA-ASSIGNED-OID.2.x pcelsRoleCollectionName A IANA-ASSIGNED-OID.2.x pcelsElementList A IANA-ASSIGNED-OID.2.x pcelsFilterEntry O IANA-ASSIGNED-OID.1.x pcelsFilterName A IANA-ASSIGNED-OID.2.x pcelsFilterIsNegated A IANA-ASSIGNED-OID.2.x pcelsIPHeaders O IANA-ASSIGNED-OID.1.x pcelsIPHdrVersion A IANA-ASSIGNED-OID.2.x pcelsIPHdrSourceAddress A IANA-ASSIGNED-OID.2.x pcelsIPHdrSourceAddressEndOfRange A IANA-ASSIGNED-OID.2.x pcelsIPHdrSourceMask A IANA-ASSIGNED-OID.2.x pcelsIPHdrDestAddress A IANA-ASSIGNED-OID.2.x pcelsIPHdrDestAddressEndOfRange A IANA-ASSIGNED-OID.2.x pcelsIPHdrDestMask A IANA-ASSIGNED-OID.2.x pcelsIPHdrProtocolID A IANA-ASSIGNED-OID.2.x pcelsIPHdrSourcePortStart A IANA-ASSIGNED-OID.2.x pcelsIPHdrSourcePortEnd A IANA-ASSIGNED-OID.2.x pcelsIPHdrDestPortStart A IANA-ASSIGNED-OID.2.x pcelsIPHdrDestPortEnd A IANA-ASSIGNED-OID.2.x pcelsIPHdrDSCPList A IANA-ASSIGNED-OID.2.x pcelsIPHdrFlowLabel A IANA-ASSIGNED-OID.2.x pcels8021Headers O IANA-ASSIGNED-OID.1.x pcels8021HdrSourceMACAddress A IANA-ASSIGNED-OID.2.x pcels8021HdrSourceMACMask A IANA-ASSIGNED-OID.2.x pcels8021HdrDestMACAddress A IANA-ASSIGNED-OID.2.x pcels8021HdrDestMACMask A IANA-ASSIGNED-OID.2.x pcels8021HdrProtocolID A IANA-ASSIGNED-OID.2.x pcels8021HdrPriority A IANA-ASSIGNED-OID.2.x pcels8021HdrVLANID A IANA-ASSIGNED-OID.2.x pcelsFilterListAuxClass O IANA-ASSIGNED-OID.1.x pcelsFilterListName A IANA-ASSIGNED-OID.2.x pcelsFilterDirection A IANA-ASSIGNED-OID.2.x pcelsFilterEntryList A IANA-ASSIGNED-OID.2.x pcelsVendorVariableAuxClass O IANA-ASSIGNED-OID.1.x pcelsVendorVariableData A IANA-ASSIGNED-OID.2.x pcelsVendorVariableEncoding A IANA-ASSIGNED-OID.2.x pcelsVendorValueAuxClass O IANA-ASSIGNED-OID.1.x pcelsVendorValueData A IANA-ASSIGNED-OID.2.x pcelsVendorValueEncoding A IANA-ASSIGNED-OID.2.x where Type A is Attribute, Type O is ObjectClass Pana, et al. Expires: July 2004 [page 57] INTERNET-DRAFT PCELS January 2004 8. Normative References [CIM] Distributed Management Task Force, Inc., "Common Information Model (CIM) Specification", Version 2.2, June 14, 1999. This document is available on the following DMTF web page: http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf [CIM_LDAP] Distributed Management Task Force, Inc., "DMTF LDAP Schema for the CIM v2.5 Core Information Model", April 15, 2002. This document is available on the following DMTF web page: http://www.dmtf.org/standards/documents/DEN/DSP0123.pdf [PCIM] B. Moore, E. Ellesson, J. Strassner, "Policy Core Information Model -- Version 1 Specification", RFC 3060, May 2000. [PCIM_EXT] B. Moore et al., "Policy Core Information Model (PCIM) Extensions", RFC 3460, January 2003. [PCLS] J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy Core LDAP Schema", Internet Draft, work in progress, draft-ietf-policy-core-schema-16.txt. [LDAP] Hodges, J., and Morgan R., "Lightweight Directory Access Protocol (v3): Technical Specification", RFC 3377, September 2002. [LDAP_SYNTAX] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight Directory Access Protocol(v3): Attribute Syntax Definitions", RFC 2252, December 1997. [LDAP_SCHEMA] M. Wahl, "A Summary of the X.500(96) User Schema for use with LDAPv3", RFC 2256, December 1997. [LDAP_MATCH] K. Zeilenga, ed., "LDAP: Additional Matching Rules", draft-zeilenga-ldap-user-schema-mr-00.txt, June 2003. [X.501] The Directory: Models. ITU-T Recommendation X.501, 2001. [X.520] The Directory: Selected Attribute Types. ITU-T Recommendation X.520, 2001. 9. Informative References [KEYWORDS] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [PROCESS] R. Hovey, S. Bradner, "The Organizations Involved in the IETF Standards Process", BCP 11, RFC 2028, October 1996. Pana, et al. Expires: July 2004 [page 58] INTERNET-DRAFT PCELS January 2004 [LDAP-IANA] K. Zeilenga, "Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)", BCP 64, RFC 3383, September 2002. 10. Authors' Addresses Angelica Reyes University Veracruzana Spain xalitta@yahoo.com Antoni Barba, David Moron Technical University of Catalonia Jordi-Girona 1-3 08034 Barcelona Spain [telabm|dmoron]@mat.upc.es Marcus Brunner NEC Europe Ltd. Kurfuersten Anlage 34 D-69115 Heidelberg Germany brunner@ccrle.nec.de Mircea Pana MetaSolv Software Inc. 360 Legget Drive Ottawa, Ontario, Canada K2K 3N1 mpana@metasolv.com 11. Intellectual Property The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat. Pana, et al. Expires: July 2004 [page 59] INTERNET-DRAFT PCELS January 2004 The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. 12. Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDIN BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Notes to the RFC Editor This note is to be removed before publication. "zzzz" in "RFC zzzz" is to be replaced with the RFC number assigned to [PCLS]. "xxxx" in "RFC xxxx" is to be replaced with the RFC number assigned to this document. Section "PLEASE NOTE:" is to be removed upon assignment OID assignment by IANA. Appendix A: Changes in this revision 1. This revision does not deprecate schema items defined in PCLS. The "Abstract" of this document has been modified accordingly. Pana, et al. Expires: July 2004 [page 60] INTERNET-DRAFT PCELS January 2004 2. To make them easily distinguishable from the object classes and attributes defined in PCLS, the schema items defined in this document are now prefixed "pcels" instead of "pcim". 3. In previous versions of this document the pcimPolicyGroup object class (initially defined by PCLS) was redefined as a subclass of pcimPolicySet (now pcelsPolicySet). This modification has been abandoned. 4. Added note on PolicyGroup representation as pcelsRule or pcelsPolicySet. 5. Abandoned deprecation of pcimRepository and modified pcelsReusableContainer to subclass pcimRepository. 6. Added general considerations in the opening of the schema definitions (section 5). 7. Added text to clarify which attributes defined in PCLS are also used in object classes defined here. 8. Instead of deprecating pcimRuleConditionAssociation and replacing it with pcelsConditionAssociation, the latter object class has been modified, so that is now a subclass of pcimRuleConditionAssociation which is no longer deprecated. 9. Instead of deprecating pcimRuleActionAssociation and replacing it with pcelsActionAssociation, the latter object class has been modified, so that is now a subclass of pcimRuleActionAssociation which is no longer deprecated. 10. The class pcimRule and its subclasses defined by PCLS are no longer deprecated. A note has been added to clarify the issue regarding the functionality replacement for compatibility with PCIM_EXT. 11. The pcimGroupContainmentAuxClass and pcimRuleContainmentAuxClass object classes defined by PCLS are no longer deprecated. A note has been added to clarify the issue regarding the functionality replacement for compatibility with PCIM_EXT. 12. Added text to explicitly describe the use of pcelsPolicySetAssociation for the realization of the PolicySetInSystem association. This was unclear in previous revisions. 13. Revised "Summary of changes since PCLS" in accordance with the changes listed above. 14. Revised security considerations. Pana, et al. Expires: July 2004 [page 61] INTERNET-DRAFT PCELS January 2004 15. Updated normative and informative references. 16. Added section to explain impact on PCLS implementations. 17. Added note on OID assignment status. (before section 1). 18. For compliance with NITS, the abstract does not use citations. 19. Added text to indicate valid and default attribute values where applicable. Appendix B: Open Issues 1. Should RFC 2119 be cited as normative reference? PCIM_EXT, PCLS and other documents refer to RFC 2119 as an informative reference. 2. The object classes pcelsVendorVariable and pcelsVendorValue defined in this document are not mapped from PCIM_EXT. Pro: It is estimated that non-standard submodels and their LDAP schema implementations will need to define a considerable number of new PolicyVariable and PolicyValue subtypes. In order to avoid an explosion of LDAP class definitions, the pcelsVendorVariable and pcelsVendorValue classes introduce a value based extension mechanism for handling new data types. These classes do not introduce a new concept but rather a new extension mechanism for an existing concept. A similar mechanism is defined by PCIM and implemented by PCLS for creating vendor specific PolicyCondition and PolicyAction entries. Con: Since PCIM_EXT does not define such classes this document should not do it either. The purpose of this document this document is to map the PCIM_EXT model to an LDAP schema, therefore such functionality is outside its scope. 3. PolicyGroup is not explicitly mapped to an LDAP object class. Pro: Since the PolicyRule has now the capability to aggregate other PolicyRule instances, this class includes the functionality of the PolicyGroup. Therefore, an explicitly implementation of the PolicyGroup class is unnecessary. Con: The PolicyRule and the PolicyGroup have different semantics so they should be defined using different classes. 4. pcelsReusableContainer is defined as a subclass of pcimRepository. Therefore the new class is an extension to the old one, not an alternative to it. Pro: As a subclass of pcimRepository, pcelsReusableContainer is compatible with older implementations that expect containers of reusable policy elements to be implemented as pcimRepository entries. The new class extends the functionality of the pcimRepository class by implementing the ContainedDomain aggregation. Con: pcelsReusableContainer as subclass of pcimRepository has potentially detrimental implications on Object Oriented models. Pana, et al. Expires: July 2004 [page 62] INTERNET-DRAFT PCELS January 2004 5. pcelsConditionAssociation is defined as a subclass of pcimRuleConditionAssociation. It extends the applicability of the old class to the aggregation of PolicyContition instances as components of CompoundPolicyContitions. Pro: The Condition aggregation mechanism can be reused in both Rule and CompoundCondition, therefore making it possible to optimize their implementation. Con: Mapping of the PCIM_EXT aggregations is implicit therefore more difficult for some implementations to detect. Pana, et al. Expires: July 2004 [page 63]