Policy Framework Working Group                            Angelica Reyes
INTERNET-DRAFT                                              Antoni Barba
Updates: draft-ietf-policy-core-schema-16                    David Moron
                                       Technical University of Catalonia

                                                          Marcus Brunner
                                                                     NEC

                                                             Mircea Pana
                                                                MetaSolv

                                                           February 2003

                 Policy Core Extension LDAP Schema (PCELS)
                <draft-reyes-policy-core-ext-schema-01.txt>

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT]. The changes
   include additional classes previously not covered, deprecation of
   some object classes defined in PCLS and changes to the existing class
   hierarchy in PCLS.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.







Reyes, et al.              Expires: August 2003                [Page  1]

INTERNET-DRAFT                  PCELS                      February 2003



Table of contents

   1. Introduction....................................................3
   2. Relationship to other Policy Framework Documents................3
   3. Inheritance Hierarchy for PCELS.................................3
   4. General Discussion of Mapping the Model Extensions to LDAP......6
     4.1 Summary of Class and Association Mappings....................6
     4.2 Summary of changes since PCLS................................10
     4.3 Attaching PolicyVariable and PolicyValues to
         PolicySimpleCondition and PolicySimpleAction.................10
     4.4 Aggregation of PolicyRules and PolicyGroups in PolicySets....10
     4.5 Aggregation of actions/conditions in PolicyRules and
         CompoundActions/Conditions...................................11
   5. Class Definitions...............................................16
     5.1  The pcimePolicySet Class....................................16
     5.2  The Structural Class pcimePolicySetAssociation..............17
     5.3  The moved pcimGroup class...................................18
     5.4  The Deprecated Class pcimGroupContainmentAuxClass...........19
     5.5  The Deprecated Class pcimRuleContainmentAuxClass............19
     5.6  The three new pcimeRule classes.............................20
     5.7  The Structural Class pcimeConditionAssociation..............22
     5.8  The Structural Class pcimeActionAssociation.................22
     5.9  The Three Deprecated pcimRule classes.......................23
     5.10  The Deprecated Class pcimRuleConditionAssociation..........25
     5.11  The Deprecated Class pcimeRuleActionAssociation............25
     5.12  The Auxiliary Class pcimeSimpleConditionAuxClass...........26
     5.13  The Auxiliary Class pcimeCompoundConditionAuxClass.........27
     5.14  The Auxiliary Class pcimeCompoundFilterAuxClass............27
     5.15  The Auxiliary Class pcimeSimpleActionAuxClass..............28
     5.16  The Auxiliary Class pcimeCompoundActionAuxClass............28
     5.17 The Abstract Class pcimeVariable............................29
     5.18 The auxiliary Class pcimeExplicitVariableAuxClass...........30
     5.19 The Auxiliary Class  pcimeImplicitVariableAuxClass..........30
     5.20 Subclasses of pcimeImplicitVariableAuxClass.................31
     5.21 The Auxiliary Class pcimeValueAuxClass......................34
     5.22 Subclasses of pcimeValueAuxClass............................35
     5.23 The three new Reusable Container classes....................38
     5.24 The three deprecated Repository classes.....................39
     5.25 The new class pcimeRoleCollection...........................40
   6. Recommended Schema Extension Methods............................41
   7. PCLS Data Migration Considerations..............................41
   8. Security Considerations.........................................41
   9. IANA Considerations.............................................42
     9.1 Object Identifiers...........................................42
     9.2 Object Identifier Descriptors................................42
   10. References.....................................................43
   11. Authors' Addresses.............................................43
   12. Full Copyright Statement.......................................44
   13. Appendix A: Issues.............................................44


1. Introduction

   Within the context of this document, the term 'PCELS' (Policy Core
   Extension LDAP Schema) is used to refer to the LDAP object class
   definitions contained in this document.


2. Relationship to other Policy Framework Documents

   This document contains an LDAP schema representing the classes
   defined in the Policy Core Information Model Extensions [PCIM_EXT].
   Other documents may subsequently be produced, with mappings of the
   same PCIM extensions to other storage or transport technologies.
   The document is an extension to [PCLS], which defines the LDAP
   mapping of the Policy Core Information Model [PCIM] to an LDAP
   schema.


3. Inheritance Hierarchy for PCELS

   The following diagram illustrates the class hierarchy for the LDAP
   classes defined in [PCLS] and the LDAP classes defined in this
   document:

   top
   |
   +---dlm1ManagedElement (abstract)
   |   |
   |   +---pcimPolicy (abstract)
   |   |   |
   |   |   +---pcimePolicySet (abstract new)
   |   |   |   |
   |   |   |   +---pcimGroup (abstract moved)
   |   |   |   |   |
   |   |   |   |   +--pcimGroupAuxClass (auxiliary moved)
   |   |   |   |   |
   |   |   |   |   +---pcimGroupInstance (structural moved)
   |   |   |   |
   |   |   |   +---pcimeRule (abstract new)
   |   |   |       |
   |   |   |       +---pcimeRuleAuxClass (auxiliary new)
   |   |   |       |
   |   |   |       +---pcimeRuleInstance (structural new)
   |   |   |
   |   |   +---pcimRule (abstract deprecated)
   |   |   |   |
   |   |   |   +---pcimRuleAuxClass (auxiliary deprecated)
   |   |   |   |
   |   |   |   +---pcimRuleInstance (structural deprecated)
   |   |   |
   |   |   +---pcimRuleConditionAssociation (structural deprecated)
   |   |   |
   |   |   +---pcimeConditionAssociation (structural new)
   |   |   |
   |   |   +---pcimRuleValidityAssociation (structural)
   |   |   |
   |   |   +---pcimRuleActionAssociation (structural deprecated)
   |   |   |
   |   |   +---pcimeActionAssociation (structural new)
   |   |   |
   |   |   +---pcimePolicySetAssociation (structural new)
   |   |   |
   |   |   +---pcimPolicyInstance (structural)
   |   |   |
   |   |   +---pcimElementAuxClass (auxiliary)
   |   |   |
   |   |   +---pcimeRoleCollection (structural new)
   |   |
   |   +---dlm1ManagedSystemElement (abstract)
   |          |
   |          +---dlm1LogicalElement (abstract)
   |              |
   |              +---dlm1System (abstract)
   |                  |
   |                  +---dlm1AdminDomain (abstract)
   |                      |
   |                      +---pcimRepository (abstract deprecated)
   |                      |   |
   |                      |   +---pcimRepositoryAuxClass
   |                      |   |   (auxiliary deprecated)
   |                      |   |
   |                      |   +---pcimRepositoryInstance
   |                      |       (structural deprecated)
   |                      |
   |                      +---pcimeReusableContainer (abstract new)
   |                          |
   |                          +---pcimeReusableContainerAuxClass
   |                          |   (auxiliary new)
   |                          |
   |                          +---pcimReusableContainerInstance
   |                              (structural new)
   |
   +---pcimConditionAuxClass (auxiliary)
   |   |
   |   +---pcimTPCAuxClass (auxiliary)
   |   |
   |   +---pcimConditionVendorAuxClass (auxiliary)
   |   |
   |   +---pcimeSimpleConditionAuxClass (auxiliary new)
   |   |
   |   +---pcimeCompoundConditionAuxClass (auxiliary new)
   |       |
   |       +---pcimeCompoundFilterAuxClass (auxiliary new)
   |
   +---pcimActionAuxClass (auxiliary)
   |   |
   |   +---pcimActionVendorAuxClass (auxiliary)
   |   |
   |   +---pcimeSimpleActionAuxClass (auxiliary new)
   |   |
   |   +---pcimeCompoundActionAuxClass (auxiliary new)
   |
   +---pcimeVariable (abstract new)
   |   |
   |   +---pcimeExplicitVariableAuxClass (auxiliary new)
   |   |
   |   +---pcimeImplicitVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeSourceIPv4VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeSourceIPv6VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeDestinationIPv4VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeDestinationIPv6VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeSourcePortVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeDestinationPortVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeIPProtocolVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeIPVersionVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeIPToSVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeDSCPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeFlowIdVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeSourceMACVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeDestinationMACVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeVLANVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeCoSVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeEthertypeVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeSourceSAPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeDestinationSAPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeSNAPOUIVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeSNAPTypeVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimeFlowDirectionVariableAuxClass (auxiliary new)
   |
   +---pcimeValueAuxClass (auxiliary new)
   |   |
   |   +---pcimeIPv4AddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcimeIPv6AddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcimeMACAddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcimeStringValueAuxClass (auxiliary new)
   |   |
   |   +---pcimeBitStringValueAuxClass (auxiliary new)
   |   |
   |   +---pcimeIntegerValueAuxClass (auxiliary new)
   |   |
   |   +---pcimeBooleanValueAuxClass (auxiliary new)
   |
   +---pcimSubtreesPtrAuxClass (auxiliary)
   |
   +---pcimGroupContainmentAuxClass (auxiliary deprecated)
   |
   +---pcimRuleContainmentAuxClass (auxiliary deprecated)


4. General Discussion of Mapping the Model Extensions to LDAP

   The classes described below contain certain optimizations for a
   directory that uses LDAP as an access protocol. One example is the
   use of auxiliary classes to represent some of the associations
   defined in the information model. Note that other storage types might
   need to implement the association differently.


4.1 Summary of Class and Association Mappings

   Forty-nine of the classes in the PCELS come directly from the
   forty-five corresponding classes in the information model
   extensions. The prefix "pcime" is used to identify these LDAP
   classes.

+----------------------------------------------------------------------+
| Information Model (PCIM ext)  | LDAP Class(es)                       |
+----------------------------------------------------------------------+
| PolicySet                     | pcimePolicySet                       |
+----------------------------------------------------------------------+
| PolicyRule                    | pcimeRule                            |
|                               | pcimeRuleAuxClass                    |
|                               | pcimeRuleInstance                    |
+----------------------------------------------------------------------+
| SimplePolicyCondition         | pcimeSimpleConditionAuxClass         |
+----------------------------------------------------------------------+
| CompoundPolicyCondition       | pcimeCompoundConditionAuxClass       |
+----------------------------------------------------------------------+
| CompoundFilterCondition       | pcimeCompoundFilterAuxClass          |
+----------------------------------------------------------------------+
| SimplePolicyAction            | pcimeSimpleActionAuxClass            |
+----------------------------------------------------------------------+
| CompoundPolicyAction          | pcimeCompoundActionAuxClass          |
+----------------------------------------------------------------------+
| PolicyVariable                | pcimeVariable                        |
+----------------------------------------------------------------------+
| PolicyExplicitVariable        | pcimeExplicitVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyImplicitVariable        | pcimeImplicitVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicySourceIPv4Variable      | pcimeSourceIPv4VariableAuxClass      |
+----------------------------------------------------------------------+
| PolicySourceIPv6Variable      | pcimeSourceIPv6VariableAuxClass      |
+----------------------------------------------------------------------+
| PolicyDestinationIPv4Variable | pcimeDestinationIPv4VariableAuxClass |
+----------------------------------------------------------------------+
| PolicyDestinationIPv6Variable | pcimeDestinationIPv6VariableAuxClass |
+----------------------------------------------------------------------+
| PolicySourcePortVariable      | pcimeSourcePortVariableAuxClass      |
+----------------------------------------------------------------------+
| PolicyDestinationPortVariable | pcimeDestinationPortVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyIPProtocolVariable      | pcimeIPProtocolVariableAuxClass      |
+----------------------------------------------------------------------+
| PolicyIPVersionVariable       | pcimeIPVersionVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyIPToSVariable           | pcimeIPToSVariableAuxClass           |
+----------------------------------------------------------------------+
| PolicyDSCPVariable            | pcimeDSCPVariableAuxClass            |
+----------------------------------------------------------------------+
| PolicyFlowIDVariable          | pcimeFlowIDVariableAuxClass          |
+----------------------------------------------------------------------+
| PolicySourceMACVariable       | pcimeSourceMACVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyDestinationMACVariable  | pcimeDestinationMACVariableAuxClass  |



Reyes, et al.              Expires: August 2003                [Page  7]

INTERNET-DRAFT                  PCELS                      February 2003



+----------------------------------------------------------------------+
| PolicyVLANVariable            | pcimeVLANVariableAuxClass            |
+----------------------------------------------------------------------+
| PolicyCoSVariable             | pcimeCoSVariableAuxClass             |
+----------------------------------------------------------------------+
| PolicyEthertypeVariable       | pcimeEthertypeVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicySourceSAPVariable       | pcimeSourceSAPVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyDestinationSAPVariable  | pcimeDestinationSAPVariableAuxClass  |
+----------------------------------------------------------------------+
| PolicySNAPOUIVariable         | pcimeSNAPOUIVariableAuxClass         |
+----------------------------------------------------------------------+
| PolicySNAPTypeVariable        | pcimeSNAPTypeVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyFlowDirectionVariable   | pcimeFlowDirectionVariableAuxClass   |
+----------------------------------------------------------------------+
| PolicyValue                   | pcimeValueAuxClass                   |
+----------------------------------------------------------------------+
| PolicyIPv4AddrValue           | pcimeIPv4AddrValueAuxClass           |
+----------------------------------------------------------------------+
| PolicyIPv6AddrValue           | pcimeIPv6AddrValueAuxClass           |
+----------------------------------------------------------------------+
| PolicyMACAddrValue            | pcimeMACAddrValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyStringValue             | pcimeStringValueAuxClass             |
+----------------------------------------------------------------------+
| PolicyBitStringValue          | pcimeBitStringValueAuxClass          |
+----------------------------------------------------------------------+
| PolicyIntegerValue            | pcimeIntegerValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyBooleanValue            | pcimeBooleanValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyRoleCollection          | pcimeRoleCollection                  |
+----------------------------------------------------------------------+
| ReusablePolicyContainer       | pcimeReusableContainer               |
|                               | pcimeReusableContainerAuxClass       |
|                               | pcimeReusableContainerInstance       |
+----------------------------------------------------------------------+
| FilterEntryBase               | pcimeFilterEntryBase                 |
+----------------------------------------------------------------------+
| IPHeadersfilter               | pcimeIPHeadersfilter                 |
+----------------------------------------------------------------------+
| 8021Filter                    | pcime8021Filter                      |
+----------------------------------------------------------------------+
| FilterList                    | pcimeFilterList                      |
+----------------------------------------------------------------------+


+----------------------------------------------------------------------+
| Information Model Association    | LDAP Attribute / Class            |
+----------------------------------------------------------------------+
| PolicySetComponent               | pcimePolicySetComponentList in    |
|                                  | pcimePolicySet and                |
|                                  | pcimePolicySetDN in               |
|                                  | pcimePolicySetAssociation         |
+----------------------------------------------------------------------+
| PolicySetInSystem                | DIT Containment and               |
|                                  | pcimePolicySetDN in               |
|                                  | pcimePolicySetAssociation         |
+----------------------------------------------------------------------+
| PolicyGroupInSystem              | (same as PolicySetInSystem)       |
+----------------------------------------------------------------------+
| PolicyRuleInSystem               | (same as PolicySetInSystem)       |
+----------------------------------------------------------------------+
| PolicyConditionStructure         | pcimConditionDN in                |
|                                  | pcimeConditionAssociation         |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyRule      | pcimeConditionList in             |
|                                  | pcimeRule and                     |
|                                  | pcimConditionDN in                |
|                                  | pcimeConditionAssociation         |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyCondition | pcimeConditionList in             |
|                                  | pcimeCompoundConditionAuxClass    |
|                                  | and pcimConditionDN in            |
|                                  | pcimeConditionAssociation         |
+----------------------------------------------------------------------+
| PolicyActionStructure            | pcimActionDN in                   |
|                                  | pcimeActionAssociation            |
+----------------------------------------------------------------------+
| PolicyActionInPolicyRule         | pcimeActionList in                |
|                                  | pcimeRule and                     |
|                                  | pcimActionDN in                   |
|                                  | pcimeActionAssociation            |
+----------------------------------------------------------------------+
| PolicyActionInPolicyAction       | pcimeActionList in                |
|                                  | pcimeCompoundActionAuxClass       |
|                                  | and pcimActionDN in               |
|                                  | pcimeActionAssociation            |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcimeVariableDN in                |
| Condition                        | pcimeSimpleConditionAuxClass      |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicy        | pcimeValueDN in                   |
| Condition                        | pcimeSimpleConditionAuxClass      |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcimeVariableDN in                |
| Action                           | pcimeSimpleActionAuxClass         |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicyAction  | pcimeValueDN in                   |
|                                  | pcimeSimpleActionAuxClass         |
+----------------------------------------------------------------------+
| ReusablePolicy                   | DIT containment                   |
+----------------------------------------------------------------------+
| ExpectedPolicyValuesForVariable  | DIT containment or                |
|                                  | pcimeExpectedValueList in         |
|                                  | pcimeVariable                     |
+----------------------------------------------------------------------+
| ContainedDomain                  | DIT containment or                |
|                                  | pcimeReusableContainerList in     |
|                                  | pcimeReusableContainer            |
+----------------------------------------------------------------------+
| EntriesInFilterList              | DIT containment or                |
|                                  | pcimeFilterListEntriesList in     |
|                                  | pcimeFilterList                   |
+----------------------------------------------------------------------+
| ElementInPolicyRoleCollection    | DIT containment or                |
|                                  | pcimeElementList in               |
|                                  | pcimeRoleCollection               |
+----------------------------------------------------------------------+
| PolicyRoleCollectionInSystem     | DIT Containment                   |
+----------------------------------------------------------------------+


4.2 Summary of changes since PCLS
<to do>


4.3 Attaching PolicyVariable and PolicyValues to PolicySimpleCondition
   and PolicySimpleAction

   A PolicySimpleCondition as well as a PolicySimpleAction includes a
   single PolicyValue and a single PolicyVariable. Each of them can be
   attached or referenced by a DN.

   The attachment helps create compact PolicyCondition and PolicyAction
   definitions that can be efficiently provisioned and retrieved from
   the repository. On the other hand, referenced PolicyVariables and
   PolicyValues instances can be reused in the construction of multiple
   policies and permit the administrative partitioning of the data and
   policy definitions.


4.4 Aggregation of PolicyRules and PolicyGroups in PolicySets
<to do>


4.5 Aggregation of actions/conditions in PolicyRules and
     CompoundActions/Conditions

[PCIM_EXT] defines two new classes that give the designer the
capability of creating more complex conditions and actions. The
CompoundPolicyCondition and CompoundPolicyAction classes are mapped to
the PCELS classes pcimeCompoundConditionAuxClass and
pcimeCompoundActionAuxClass, which inherit from pcimConditionAuxClass
and pcimActionAuxClass respectively. Because of this inheritance they
are stored in the same way as the non-compound conditions/actions. The
compound conditions/actions defined in [PCIM_EXT] extend to
conditions/actions the rule's capability to associate, group and
evaluate/execute conditions/actions, so conditions/actions are
associated to compound conditions/actions in the same way they were
associated to rules in [PCLS].

This section explains how to store these classes in the directory. As
a general rule, the specific conditions/actions are DIT contained under
rule or compound condition/action entries and attached to the
association classes. The reusable conditions/actions, compound and
non-compound, are contained in reusable containers and attached to
policy instances.

The examples below illustrate the four possible cases obtained by
combining specific/reusable compound/non-compound conditions/actions.
The rule has two compound conditions, each of which has two different
conditions. The schemes can be extended to store actions.

The mapping of compound conditions/actions and the schemes below are
based on section 4.4 of [PCLS] and on how conditions and actions are
associated to rules and repositories there.

- First case: specific compound condition/action with specific
   conditions/actions.

                         +--------------+
                  +------|     Rule     |------+
                  |      +--------------+      |
                  |           *    *           |
                  |   *********    *********   |
                  v   *                    *   v
                 +---------+          +---------+
               +-| CA1+cc1 |-+      +-| CA2+cc2 |-+
               | +---------+ |      | +---------+ |
               |     * *     |      |     * *     |
               |  **** ****  |      |  **** ****  |
               v  *       *  v      v  *       *  v
              +------+ +------+    +------+ +------+
              |CA3+c1| |CA4+c2|    |CA5+c3| |CA6+c4|
              +------+ +------+    +------+ +------+

                                            Figure 1.

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

#: Number.
CA#: pcimeConditionAssociation structural class.
cc#: pcimeCompoundConditionAuxClass auxiliary class.
c#: pcimConditionAuxClass' subclass.

Because the compound conditions/actions are specific to the rule, the
auxiliary classes that represent them are attached to the structural
classes pcimeConditionAssociation or pcimeActionAssociation. These
structural classes represent the association between the rule and the
compound condition or compound action. The rule's specific
conditions/actions are DIT contained in the rule entry.

The conditions/actions have to be tied to compound conditions/actions
in the same way as compound conditions/actions are tied to rules, but
here the association classes tie the compound conditions/actions to
their own specific conditions/actions.

- Second case: Rule's specific compound conditions/actions with
  reusable conditions/actions.


           +-------------+                   +---------------+
    +------|     Rule    |-----+             |  RepositoryX  |
    |      +-------------+     |             +---------------+
    |           *    *         |              *    *    *   *
    |           *    *         |           ****    *    *   *
    |   *********    ********  |           *       *    *   ********
    |   *                   *  v           *       *    *          *
    |   *               +---------+        *       *    ****       *
    |   *             +-| CA2+cc2 |-+      *       *       *       *
    |   *             | +---------+ |      *       *       *       *
    v   *             |    *  *     |      *       *       *       *
   +---------+        | ****  ****  |      *       *       *       *
+-| CA1+cc1 |-+      | *        *  v      *       *       *       *
| +---------+ |      | *     +------+  +-----+    *       *       *
|    *  *     |      v *     |  CA6 |->|S1+c4|    *       *       *
| ****  ****  |     +------+ +------+  +-----+ +-----+    *       *
| *        *  v     |  CA5 |------------------>|S2+c3|    *       *
| *     +------+    +------+                   +-----+ +-----+    *
v *     |  CA4 |-------------------------------------->|S3+c2|    *
+------+ +------+                                       +-----+ +-----+
|  CA3 |------------------------------------------------------->|S4+c1|
+------+                                                        +-----+

                                                 Figure 2.

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

#: Number.
CA#: pcimeConditionAssociation structural class.
cc#: pcimeCompoundConditionAuxClass auxiliary class.
c#: pcimConditionAuxClass' subclass.
S#: structural class

This case is similar to the first one, but the conditions/actions are
reusable, so they are not attached to the association classes; they are
attached to structural classes in the reusable container. The
association classes must therefore tie the compound conditions/actions
to the conditions/actions in the reusable container through DN
references.

- Third case: Reusable compound conditions/actions with specific
  conditions/actions.

        +--------------+                  +--------------+
        |     Rule     |                  |  repositoryX |
    +---+--------------+----+             +--------------+
    |        *     *        |                  *    *
    |  *******     *******  |           ********    ********
    |  *                 *  v           *                  *
    |  *            +----------+    +---------+            *
    |  *            |   CA2    |--->| S1+cc2  |            *
    |  *            +----------+  +-+---------+-+          *
    |  *                          |     * *     |          *
    |  *                          |  **** ****  |          *
    |  *                          v  *       *  v          *
    |  *                         +------+ +------+         *
    |  *                         |CA5+c3| |CA6+c4|         *
    v  *                         +------+ +------+         *
  +----------+                                          +---------+
  |   CA1    |----------------------------------------->| S2+cc1  |
  +----------+                                        +-+---------+-+
                                                      |     * *     |
                                                      |  **** ****  |
                                                      v  *       *  v
                                                     +------+ +------+
                                                     |CA3+c1| |CA4+c2|
                                                     +------+ +------+

                                                 Figure 3.

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

#: Number.
CA#: pcimeConditionAssociation structural class.
cc#: pcimeCompoundConditionAuxClass auxiliary class.
c#: pcimConditionAuxClass' subclass.
S#: structural class

Because the compound conditions/actions are reusable, they are attached
to structural classes and stored in the reusable container. They are
related to the rule through the DN reference from the association class
to the compound condition/action. The specific conditions/actions are
DIT contained in the compound condition/action entries.

- Fourth case: Reusable conditions/actions and reusable compound
  conditions/actions.

          +------+          +---------------+    +---------------+
    +-----| Rule |-----+    |  RepositoryX  |    |  RepositoryY  |
    |     +------+     |    +---------------+    +---------------+
    |      *    *      |         *     *           *   *   *   *
    | ******    ****** |       ***     ***       ***   *   *   *****
    | *              * v       *         *       *     *   *       *
    | *          +-------+  +------+     *       *     *   ***     *
    | *          |  CA2  |->|S1+ca1|     *       *     *     *     *
    | *          +-------+  +------+     *       *     *     *     *
    | *                    /  *  *  \    *       *     *     *     *
    | *                    |**   ** |    *       *     *     *     *
    | *                    |*     * v    *       *     *     *     *
    | *                    |*   +---+    *    +-----+  *     *     *
    | *                    |*   |CA6|----*--->|S3+c4|  *     *     *
    | *                    v*   +---+    *    +-----+  *     *     *
    | *                    +---+         *          +-----+  *     *
    | *                    |CA5|---------*--------->|S4+c3|  *     *
    v *                    +---+         *          +-----+  *     *
  +-------+                           +------+               *     *
  |  CA1  |-------------------------->|S2+cc1|               *     *
  +-------+                           +------+               *     *
                                     /  *  *  \              *     *
                                     | **  ** |              *     *
                                     | *    * v              *     *
                                     | *  +---+           +-----+  *
                                     | *  |CA4|---------->|S5+c2|  *
                                     v *  +---+           +-----+  *
                                     +---+                      +-----+
                                     |CA3|--------------------->|S6+c1|
                                     +---+                      +-----+

                                                 Figure 4.

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

#: Number.
CA#: pcimeConditionAssociation structural class.
cc#: pcimeCompoundConditionAuxClass auxiliary class.
c#: pcimConditionAuxClass' subclass.
S#: structural class

All the conditions/actions are reusable, so they are stored in reusable
containers. Figure 4 illustrates two different repositories (reusable
containers), but the number of containers in the system is up to the
policy administrator: all conditions/actions could be stored in the
same container, or each condition/action could be stored in a different
one.
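The Python program below is an added illustration of the layouts in the
figures; it is not part of this draft. It builds a small in-memory
directory (a dict keyed by DN, constructed for the example) laid out as
in the second case: a rule-specific compound condition attached to a
pcimeConditionAssociation under the rule, whose member associations are
DIT contained in it and reach reusable conditions in a repository by DN
reference. It then walks the structure the way a PDP would, following a
DN reference where present and otherwise using the auxiliary class
attached to the association, and evaluates the result with the PCLS
group-number, negation and DNF/CNF rules. The value attribute
'exampleValues', the packet field names and the use of the PCLS class
pcimPolicyInstance as the structural class of the repository entries are
assumptions of the example.

```python
"""Walk a PCELS condition structure in the DIT and evaluate it.

Added illustration, not part of the PCELS draft. The directory is a
constructed in-memory dict keyed by DN; class and attribute names are
those of PCLS/PCELS. The value attribute 'exampleValues', the packet
field names and the use of pcimPolicyInstance (PCLS) as the structural
class of repository entries are assumptions of this example.
"""
from collections import defaultdict

RULE = "cn=rule1,ou=policies,o=example"
REPO = "ou=repositoryX,o=example"

# Second case of the figures: cc1 is attached to CA1 under the rule, its
# members CA3/CA4 are DIT contained in CA1, and each of them reaches a
# reusable condition in the repository through pcimConditionDN.
DIT = {
    RULE: {"objectClass": ["pcimeRuleInstance"],
           "pcimeConditionListType": 1,                   # DNF
           "pcimeConditionList": [f"cn=ca1,{RULE}"]},
    f"cn=ca1,{RULE}": {
        "objectClass": ["pcimeConditionAssociation",
                        "pcimeCompoundConditionAuxClass"],  # CA1+cc1
        "pcimConditionGroupNumber": 1, "pcimConditionNegated": False,
        "pcimeConditionListType": 2,                       # CNF inside cc1
        "pcimeConditionList": [f"cn=ca3,cn=ca1,{RULE}",
                               f"cn=ca4,cn=ca1,{RULE}"]},
    f"cn=ca3,cn=ca1,{RULE}": {
        "objectClass": ["pcimeConditionAssociation"],
        "pcimConditionGroupNumber": 1, "pcimConditionNegated": False,
        "pcimConditionDN": f"cn=s4,{REPO}"},               # CA3 -> S4+c1
    f"cn=ca4,cn=ca1,{RULE}": {
        "objectClass": ["pcimeConditionAssociation"],
        "pcimConditionGroupNumber": 2, "pcimConditionNegated": True,
        "pcimConditionDN": f"cn=s3,{REPO}"},               # CA4 -> S3+c2
    f"cn=s4,{REPO}": {                                      # src in trusted
        "objectClass": ["pcimPolicyInstance", "pcimeSimpleConditionAuxClass"],
        "pcimeVariableDN": f"cn=srcip,{REPO}",
        "pcimeValueDN": f"cn=trusted,{REPO}"},
    f"cn=s3,{REPO}": {                                      # dst port == 23
        "objectClass": ["pcimPolicyInstance", "pcimeSimpleConditionAuxClass"],
        "pcimeVariableDN": f"cn=dport,{REPO}",
        "pcimeValueDN": f"cn=telnet,{REPO}"},
    f"cn=srcip,{REPO}": {"objectClass": ["pcimPolicyInstance",
                                         "pcimeSourceIPv4VariableAuxClass"]},
    f"cn=dport,{REPO}": {"objectClass": ["pcimPolicyInstance",
                                         "pcimeDestinationPortVariableAuxClass"]},
    f"cn=trusted,{REPO}": {"exampleValues": ["192.0.2.10", "192.0.2.11"]},
    f"cn=telnet,{REPO}": {"exampleValues": [23]},
}

# Packet field selected by each implicit variable class (assumed names).
VARIABLE_FIELDS = {"pcimeSourceIPv4VariableAuxClass": "src_ip",
                   "pcimeDestinationPortVariableAuxClass": "dst_port"}


def target_of(assoc):
    """A pcimeConditionAssociation either references a reusable entry
    (pcimConditionDN) or carries the condition as an attached aux class."""
    ref = assoc.get("pcimConditionDN")
    return DIT[ref] if ref else assoc


def evaluate_condition(cond, packet):
    classes = cond["objectClass"]
    if "pcimeCompoundConditionAuxClass" in classes:
        return evaluate_list(cond, packet)               # recurse
    if "pcimeSimpleConditionAuxClass" in classes:
        var = DIT[cond["pcimeVariableDN"]]
        field = next(VARIABLE_FIELDS[c] for c in var["objectClass"]
                     if c in VARIABLE_FIELDS)
        return packet[field] in DIT[cond["pcimeValueDN"]]["exampleValues"]
    raise ValueError(f"no evaluable condition class among {classes}")


def evaluate_list(aggregator, packet):
    """Evaluate a pcimeConditionList as PCLS defines it: members of one
    group are ANDed and groups ORed for DNF (type 1); members ORed and
    groups ANDed for CNF (type 2). Negation applies per association."""
    groups = defaultdict(list)
    for assoc_dn in aggregator.get("pcimeConditionList", []):
        assoc = DIT[assoc_dn]
        result = evaluate_condition(target_of(assoc), packet)
        if assoc["pcimConditionNegated"]:
            result = not result
        groups[assoc["pcimConditionGroupNumber"]].append(result)
    if not groups:
        return True                       # no conditions: always matches
    if aggregator.get("pcimeConditionListType", 1) == 1:   # DNF if absent
        return any(all(g) for g in groups.values())      # DNF
    return all(any(g) for g in groups.values())          # CNF


def rule_matches(rule_dn, packet):
    return evaluate_list(DIT[rule_dn], packet)
```

With the constructed entries the rule reads "source is a trusted host AND
destination port is not 23". Replacing the DN reference in a CA entry by
an attached pcimeSimpleConditionAuxClass (the first case) needs no change
to the evaluator, which is the point of resolving through target_of.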


5. Class Definitions

5.1 The pcimePolicySet Class.

   The abstract class PolicySet in [PCIM_EXT] is introduced to provide
   an abstraction for a set of rules. The class value 'pcimePolicySet'
   is used as the mechanism for identifying group- and rule-related
   instances in the DIT.

   In [PCIM_EXT], the classes PolicyGroup and PolicyRule are moved, so
   that they are now derived from the PolicySet class.

   A pcimePolicySet object refers to instances of pcimGroup and
   pcimeRule via the attribute pcimePolicySetList and the attribute
   pcimePolicySetDN in the pcimePolicySetAssociation object class.

   The definition of the abstract class
   pcimePolicySet:

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimePolicySet'
  DESC 'Abstract class that represents a collection of policies
        that form a coherent set.'
  SUP pcimPolicy
  ABSTRACT
  MAY ( pcimePolicySetName
      $ pcimeDecisionStrategy
      $ pcimRoles
      $ pcimePolicySetList )
)

One of the attributes of the pcimePolicySet class, pcimRoles, is
already defined in [PCLS]. The other three attributes are defined below.

The attribute pcimePolicySetName may be used as naming attribute for
pcimePolicySet entries:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimePolicySetName'
  DESC 'The user-friendly name of a policy set.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

The attribute pcimeDecisionStrategy is used to define the evaluation
method among the rules in the policy set and is mapped directly from the
PolicyDecisionStrategy property defined in [PCIM_EXT].

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeDecisionStrategy'
  DESC 'The evaluation method used for the components of a
        pcimePolicySet. Valid values: 1 [FirstMatching],
        2 [AllMatching]'
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

The attribute pcimePolicySetList is used to realize the
PolicySetComponent aggregation.

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimePolicySetList'
  DESC 'List of DN references to the pcimePolicySetAssociation
        entries used to aggregate policy sets.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

The subclasses pcimGroup and pcimeRule are now derived from
pcimePolicySet.


5.2 The Structural Class pcimePolicySetAssociation

The pcimePolicySetAssociation class is used to aggregate components into
pcimePolicySet entries. Instances of this class are always subordinated
to the aggregating pcimePolicySet. The aggregation of reusable instances
of (subclasses of) pcimePolicySet are referenced via the
pcimePolicySetDN attribute. Non-reusable instances of (subclasses of)
pcimePolicySet are attached as auxiliary classes directly to the
pcimePolicySetAssociation entries.

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimePolicySetAssociation'
  DESC 'Structural class that contains attributes characterizing
        the relationship between a policy set and one of its
        components.'
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimePriority )
  MAY ( pcimePolicySetName
      $ pcimePolicySetDN )
)

The Attribute pcimePriority:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimePriority'
  DESC 'Priority of this component relative to the other components
        of the same policy set. A larger value indicates a higher
        priority.'
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

The Attribute pcimePolicySetDN:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimePolicySetDN'
  DESC 'DN reference to a pcimePolicySet entry.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  SINGLE-VALUE
)
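As an added example (not part of this draft) of how pcimePolicySetList,
pcimePriority, pcimePolicySetDN and pcimeDecisionStrategy work together,
the Python program below reads a constructed pcimGroup entry, orders its
pcimePolicySetAssociation entries by pcimePriority (larger value first,
as for the PolicySetComponent priority in [PCIM_EXT]), resolves each
component either through pcimePolicySetDN or from the pcimeRuleAuxClass
attached to the association itself, and applies FirstMatching or
AllMatching. Condition evaluation is outside this example and is passed
in as a callable. The DNs, rule names and the integer values of
pcimRuleEnabled (1 enabled, 2 disabled, as in [PCLS]) are the example's
assumptions; nested policy sets are not handled.

```python
"""Choose the rules of a pcimePolicySet that apply, following
pcimePriority and pcimeDecisionStrategy.

Added illustration, not part of the PCELS draft. The directory is a
constructed dict keyed by DN; condition evaluation is outside this
example and is passed in as a callable.
"""

FIRST_MATCHING, ALL_MATCHING = 1, 2     # pcimeDecisionStrategy values
ENABLED, DISABLED = 1, 2                # pcimRuleEnabled values in PCLS

GROUP = "cn=group1,ou=policies,o=example"
REPO = "ou=repositoryX,o=example"

# Constructed DIT: the group aggregates two non-reusable rules attached
# as pcimeRuleAuxClass to their association entries and one reusable
# rule in the repository reached through pcimePolicySetDN.
DIT = {
    GROUP: {"objectClass": ["pcimGroupInstance"],
            "pcimeDecisionStrategy": FIRST_MATCHING,
            "pcimePolicySetList": [f"cn=psa1,{GROUP}", f"cn=psa2,{GROUP}",
                                   f"cn=psa3,{GROUP}"]},
    f"cn=psa1,{GROUP}": {"objectClass": ["pcimePolicySetAssociation",
                                         "pcimeRuleAuxClass"],
                         "pcimePriority": 10, "pcimRuleName": "allow-dns",
                         "pcimRuleEnabled": ENABLED},
    f"cn=psa2,{GROUP}": {"objectClass": ["pcimePolicySetAssociation"],
                         "pcimePriority": 50,
                         "pcimePolicySetDN": f"cn=deny-telnet,{REPO}"},
    f"cn=psa3,{GROUP}": {"objectClass": ["pcimePolicySetAssociation",
                                         "pcimeRuleAuxClass"],
                         "pcimePriority": 30, "pcimRuleName": "log-all",
                         "pcimRuleEnabled": DISABLED},
    f"cn=deny-telnet,{REPO}": {"objectClass": ["pcimeRuleInstance"],
                               "pcimRuleName": "deny-telnet",
                               "pcimRuleEnabled": ENABLED},
}


def components(set_dn):
    """Rule entries of a policy set, highest pcimePriority first. A
    reusable component is reached through pcimePolicySetDN; otherwise
    the rule is the auxiliary class attached to the association itself.
    sorted() is stable, so equal priorities keep their list order."""
    assocs = sorted((DIT[dn] for dn in DIT[set_dn]["pcimePolicySetList"]),
                    key=lambda a: a["pcimePriority"], reverse=True)
    return [DIT[a["pcimePolicySetDN"]] if "pcimePolicySetDN" in a else a
            for a in assocs]


def select_rules(set_dn, matches, strategy=None):
    """Names of the rules whose actions are to be applied. `matches`
    stands for evaluating a rule's conditions against the request;
    `strategy` overrides the set's pcimeDecisionStrategy when given."""
    strategy = strategy or DIT[set_dn]["pcimeDecisionStrategy"]
    selected = []
    for rule in components(set_dn):
        if rule.get("pcimRuleEnabled", ENABLED) == DISABLED:
            continue                      # administratively disabled
        if matches(rule):
            selected.append(rule["pcimRuleName"])
            if strategy == FIRST_MATCHING:
                break                     # stop at the first match
    return selected
```

Because the priority lives on the association rather than on the rule,
the same reusable rule entry can sit at different priorities in
different policy sets, which the deprecated pcimRulePriority could not
express.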


5.3 The moved pcimGroup class

The pcimGroup is defined in [PCLS]. Its superclass is changed here so
that the pcimGroup can take advantage of the pcimePolicySet and its
aggregation method.

   (  IANA-ASSIGNED-OID.1.2
      NAME 'pcimGroup'
      DESC   'A container for a set of related pcimeRules and/or a set
              of related pcimGroups.'
      SUP     pcimePolicySet
      ABSTRACT
      MAY    (pcimGroupName)
   )

5.4 The Deprecated Class pcimGroupContainmentAuxClass

The policy group aggregation is replaced by the more comprehensive
policy set aggregation. Therefore this class is deprecated:


( IANA-ASSIGNED-OID.1.22
  NAME 'pcimGroupContainmentAuxClass'
  DESC 'An auxiliary class used to bind pcimGroups to an
        appropriate container object.'
  OBSOLETE
  SUP top
  AUXILIARY
  MAY ( pcimGroupsAuxContainedSet )
)

The attribute pcimGroupsAuxContainedSet is also deprecated:

( IANA-ASSIGNED-OID.2.38
  NAME 'pcimGroupsAuxContainedSet'
  DESC 'DNs of pcimGroups associated in some way with the
        instance to which this attribute has been appended.'
  OBSOLETE
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)


5.5 The Deprecated Class pcimRuleContainmentAuxClass

The policy rule aggregation is replaced by the more comprehensive policy
set aggregation. Therefore this class is deprecated.


( IANA-ASSIGNED-OID.1.23
  NAME 'pcimRuleContainmentAuxClass'
  DESC 'An auxiliary class used to bind pcimRules to an
        appropriate container object.'
  OBSOLETE
  SUP top
  AUXILIARY
  MAY ( pcimRulesAuxContainedSet )
)

The attribute pcimRulesAuxContainedSet is also deprecated:

( IANA-ASSIGNED-OID.2.39
  NAME 'pcimRulesAuxContainedSet'
  DESC 'DNs of pcimRules associated in some way with the
        instance to which this attribute has been appended.'
  OBSOLETE
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)


5.6 The three new pcimeRule classes

The base class representing policy rules is redefined without a priority
attribute (the priority is now carried by pcimePolicySetAssociation). In
addition, this class aggregates its conditions and actions through the
same association mechanism used by pcimeCompoundConditionAuxClass and
pcimeCompoundActionAuxClass.

     (IANA-ASSIGNED-OID.1.x
      NAME 'pcimeRule'
      DESC   'The base class for representing the "If Condition then
              Action" semantics associated with a Policy Rule'
      SUP     pcimePolicySet
      ABSTRACT
      MAY    (pcimRuleName $ pcimRuleEnabled $
              pcimeConditionListType $ pcimeConditionList $
              pcimeActionList $ pcimRuleValidityPeriodList $
              pcimRuleUsage $ pcimRuleMandatory $
              pcimeSequencedActions $ pcimeExecutionStrategy)
     )

     ( IANA-ASSIGNED-OID.1.x
       NAME 'pcimeRuleAuxClass'
       DESC 'An auxiliary class for representing the "If Condition
             then Action" semantics associated with a policy rule.'
       SUP pcimeRule
       AUXILIARY
     )

     ( IANA-ASSIGNED-OID.1.x
       NAME 'pcimeRuleInstance'
       DESC 'A structural class for representing the "If Condition
             then Action" semantics associated with a policy rule.'
       SUP pcimeRule
       STRUCTURAL
     )

The attributes pcimRuleConditionListType, pcimRuleConditionList and
pcimRuleActionList defined in [PCLS] are replaced in PCELS so that they
can be reused by the pcimeCompoundConditionAuxClass and
pcimeCompoundActionAuxClass object classes. The definitions are as
follows:

( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeConditionListType'
     DESC 'A value of 1 means that the condition list of this policy
           rule or compound condition is in disjunctive normal form; a
           value of 2 means that it is in conjunctive normal form.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
)

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeConditionList'
  DESC 'Unordered set of DNs to the pcimeConditionAssociation
        entries used to aggregate policy conditions.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeActionList'
     DESC 'Unordered set of DNs to the pcimeActionAssociation
           entries used to aggregate policy actions.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeSequencedActions'
  DESC 'Indicates whether the ordered execution of
        actions in an aggregate is mandatory, recommended,
        or dontCare.'
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

The new attribute pcimeExecutionStrategy is a direct mapping of the
ExecutionStrategy property in the [PCIM_EXT]'s PolicyRule class.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeExecutionStrategy'
     DESC 'Indicates the execution strategy to be used upon an action
           aggregate. VALUES: 1 [Do until success]; 2 [Do all]; 3 [do
           until failure]. Default value = 2.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )
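An added example, not from this draft, of the three
pcimeExecutionStrategy values applied to an action aggregate. The Python
program below constructs a rule whose pcimeActionList contains a
rule-specific simple action, a DN reference to a reusable compound
action that has its own strategy, and a counter; it resolves the
pcimeActionAssociation entries in pcimActionOrder and stops or continues
according to the strategy, using 2 [Do all] when the attribute is
absent, as the definition above says. Since the schema says nothing
about how a PEP performs an action, each action entry carries a
hypothetical attribute 'exampleHandler' naming a local function that
returns True on success; how the overall success of a compound action is
derived is likewise the example's own choice.

```python
"""Execute a PCELS action aggregate according to pcimeExecutionStrategy.

Added illustration, not part of the PCELS draft. The directory is a
constructed dict keyed by DN. How a PEP carries out an action is outside
the schema, so action entries carry a hypothetical attribute
'exampleHandler' naming a local function that returns True on success.
"""

DO_UNTIL_SUCCESS, DO_ALL, DO_UNTIL_FAILURE = 1, 2, 3
RULE = "cn=rule1,ou=policies,o=example"
REPO = "ou=repositoryX,o=example"


def mark_dscp(ctx):
    ctx["dscp"] = 46
    return True


def reserve_bandwidth(ctx):
    return False                     # constructed: admission always refused


def police_rate(ctx):
    ctx["rate"] = "2Mbps"
    return True


def count_packet(ctx):
    ctx["count"] = ctx.get("count", 0) + 1
    return True


HANDLERS = {f.__name__: f for f in (mark_dscp, reserve_bandwidth,
                                    police_rate, count_packet)}

# The rule (do until failure) aggregates a rule-specific simple action,
# a reusable compound action reached by DN reference (do until success:
# try a reservation, fall back to policing) and a counter. The list is
# an unordered set; pcimActionOrder on the associations gives the order.
DIT = {
    RULE: {"objectClass": ["pcimeRuleInstance"],
           "pcimeExecutionStrategy": DO_UNTIL_FAILURE,
           "pcimeActionList": [f"cn=aa3,{RULE}", f"cn=aa1,{RULE}",
                               f"cn=aa2,{RULE}"]},
    f"cn=aa1,{RULE}": {"objectClass": ["pcimeActionAssociation",
                                       "pcimeSimpleActionAuxClass"],
                       "pcimActionOrder": 1, "exampleHandler": "mark_dscp"},
    f"cn=aa2,{RULE}": {"objectClass": ["pcimeActionAssociation"],
                       "pcimActionOrder": 2,
                       "pcimActionDN": f"cn=shape,{REPO}"},
    f"cn=aa3,{RULE}": {"objectClass": ["pcimeActionAssociation",
                                       "pcimeSimpleActionAuxClass"],
                       "pcimActionOrder": 3, "exampleHandler": "count_packet"},
    f"cn=shape,{REPO}": {"objectClass": ["pcimPolicyInstance",
                                         "pcimeCompoundActionAuxClass"],
                         "pcimeExecutionStrategy": DO_UNTIL_SUCCESS,
                         "pcimeActionList": [f"cn=aa4,cn=shape,{REPO}",
                                             f"cn=aa5,cn=shape,{REPO}"]},
    f"cn=aa4,cn=shape,{REPO}": {"objectClass": ["pcimeActionAssociation",
                                                "pcimeSimpleActionAuxClass"],
                                "pcimActionOrder": 1,
                                "exampleHandler": "reserve_bandwidth"},
    f"cn=aa5,cn=shape,{REPO}": {"objectClass": ["pcimeActionAssociation",
                                                "pcimeSimpleActionAuxClass"],
                                "pcimActionOrder": 2,
                                "exampleHandler": "police_rate"},
}


def ordered_actions(aggregator):
    """Resolve pcimeActionList in pcimActionOrder. An association either
    references a reusable action (pcimActionDN) or carries the action as
    an attached auxiliary class."""
    assocs = sorted((DIT[dn] for dn in aggregator.get("pcimeActionList", [])),
                    key=lambda a: a["pcimActionOrder"])
    return [DIT[a["pcimActionDN"]] if "pcimActionDN" in a else a
            for a in assocs]


def execute(aggregator, ctx, trace=None):
    """Run the aggregate and return (success, trace). Strategy 1 stops at
    the first success, 3 at the first failure, 2 runs everything (the
    draft's default). The example takes an aggregate run with strategy 1
    to succeed if any member did and otherwise only if all members that
    ran did; the draft does not define this."""
    trace = [] if trace is None else trace
    strategy = aggregator.get("pcimeExecutionStrategy", DO_ALL)
    results = []
    for action in ordered_actions(aggregator):
        if "pcimeCompoundActionAuxClass" in action["objectClass"]:
            ok, _ = execute(action, ctx, trace)          # nested aggregate
        else:
            name = action["exampleHandler"]
            ok = HANDLERS[name](ctx)
            trace.append((name, ok))
        results.append(ok)
        if (strategy == DO_UNTIL_SUCCESS and ok) or \
           (strategy == DO_UNTIL_FAILURE and not ok):
            break
    success = any(results) if strategy == DO_UNTIL_SUCCESS else all(results)
    return success, trace
```

Running execute(DIT[RULE], {}) marks the packet, fails the reservation,
falls back to policing and then counts; the same rule with strategy 3 and
only the two shaping actions stops after the failed reservation.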


5.7 The Structural Class pcimeConditionAssociation

This class is used to aggregate policy conditions in compound policy
conditions or policy rules.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimeConditionAssociation'
     DESC 'This class contains attributes characterizing the
        relationship between a policy condition and one of its
        aggregators (pcimeRule or pcimeCompoundConditionAuxClass).
        It is used in the realization of a policy condition structure.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimConditionGroupNumber
          $ pcimConditionNegated )
     MAY ( pcimConditionName
         $ pcimConditionDN )
    )

   Its attributes are defined in section 5.4 of [PCLS].


5.8 The Structural Class pcimeActionAssociation

This class is used to aggregate policy actions in compound policy
actions or policy rules. It implements the PolicyActionInPolicyRule and
PolicyActionInPolicyAction aggregations.

The class definition follows:

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeActionAssociation'
  DESC 'This class contains attributes characterizing the
        relationship between a policy action and one of its
        aggregators. It is used in the realization of a
        policy action structure.'
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimActionOrder )
  MAY ( pcimActionName
      $ pcimActionDN )
)

   Its attributes are defined in [PCLS].


5.9 The Three Deprecated pcimRule classes

The class pcimRule and its subclasses are replaced by pcimeRule and its
subclasses. Therefore pcimRule and its subclasses are deprecated.

( IANA-ASSIGNED-OID.1.5
  NAME 'pcimRule'
  DESC 'The base class for representing the "If Condition
        then Action" semantics associated with a policy rule.'
  OBSOLETE
  SUP pcimPolicy
  ABSTRACT
  MAY ( pcimRuleName
      $ pcimRuleEnabled
      $ pcimRuleConditionListType
      $ pcimRuleConditionList
      $ pcimRuleActionList
      $ pcimRuleValidityPeriodList
      $ pcimRuleUsage
      $ pcimRulePriority
      $ pcimRuleMandatory
      $ pcimRuleSequencedActions
      $ pcimRoles )
)

( IANA-ASSIGNED-OID.1.6
  NAME 'pcimRuleAuxClass'
  DESC 'An auxiliary class for representing the "If Condition
        then Action" semantics associated with a policy rule.'
  OBSOLETE
  SUP pcimRule
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.7
  NAME 'pcimRuleInstance'
  DESC 'A structural class for representing the "If Condition
        then Action" semantics associated with a policy rule.'
  OBSOLETE
  SUP pcimRule
  STRUCTURAL
)

The following attributes are also deprecated since with the deprecation
of pcimRule, no other classes use them:

( IANA-ASSIGNED-OID.2.7
  NAME 'pcimRuleConditionListType'
  DESC 'A value of 1 means that this policy rule is in
        disjunctive normal form; a value of 2 means that this
        policy rule is in conjunctive normal form.'
  OBSOLETE
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)

( IANA-ASSIGNED-OID.2.8
  NAME 'pcimRuleConditionList'
  OBSOLETE
  DESC 'Unordered set of DNs of pcimRuleConditionAssociation
        entries representing associations between this policy
        rule and its conditions.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

( IANA-ASSIGNED-OID.2.9
  NAME 'pcimRuleActionList'
  OBSOLETE
  DESC 'Unordered set of DNs of pcimRuleActionAssociation
        entries representing associations between this policy
        rule and its actions.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)

( IANA-ASSIGNED-OID.2.12
  NAME 'pcimRulePriority'
  DESC 'A non-negative integer for prioritizing this
        pcimRule relative to other pcimRules. A larger
        value indicates a higher priority.'
  OBSOLETE
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)


( IANA-ASSIGNED-OID.2.14
  NAME 'pcimRuleSequencedActions'
  DESC 'An integer enumeration indicating that the ordering of
        actions defined by the pcimActionOrder attribute is
        mandatory(1), recommended(2), or dontCare(3).'
  OBSOLETE
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE
)


5.10 The Deprecated Class pcimRuleConditionAssociation.

This class is replaced by the more flexible pcimeConditionAssociation.

( IANA-ASSIGNED-OID.1.8
  NAME 'pcimRuleConditionAssociation'
  DESC 'This class contains attributes characterizing the
        relationship between a policy rule and one of its
        policy conditions.'
  OBSOLETE
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimConditionGroupNumber
       $ pcimConditionNegated )
  MAY ( pcimConditionName
      $ pcimConditionDN )
)


5.11 The Deprecated Class pcimRuleActionAssociation.

This class is replaced by the more flexible pcimeActionAssociation.

( IANA-ASSIGNED-OID.1.10
  NAME 'pcimRuleActionAssociation'
  DESC 'This class contains attributes characterizing the
        relationship between a policy rule and one of its
        policy actions.'
  OBSOLETE
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimActionOrder )
  MAY ( pcimActionName
      $ pcimActionDN )
)


5.12 The Auxiliary Class pcimeSimpleConditionAuxClass.

   This class indicates whether a specific <variable> matches a specific
   <value>. The "match" relationship is to be interpreted by analyzing
   the variable and value instances associated with the simple
   condition. Two attributes realize the
   pcimePolicyValueInSimplePolicyCondition and
   pcimePolicyVariableInSimplePolicyCondition associations.

   The class definition is as follows:

   (  IANA-ASSIGNED-OID.1.x
      NAME 'pcimeSimpleConditionAuxClass'
      DESC   'An auxiliary class that evaluates the matching between a
              value and a variable.'
      SUP     pcimConditionAuxClass
      AUXILIARY
      MAY (pcimeVariableDN $ pcimeValueDN)
   )

   There are two attributes that may be in the
   pcimeSimpleConditionAuxClass class: the attribute pcimeVariableDN and
   pcimeValueDN.

   The pcimeVariableDN attribute definition is:


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeVariableDN'
     DESC 'DN reference to a pcimeVariable entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

   The pcimeValueDN attribute definition is:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeValueDN'
     DESC 'DN reference to a pcimeValue entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )


5.13 The Auxiliary Class pcimeCompoundConditionAuxClass.

   This class represents a compound policy condition, formed by
   aggregation of simple policy conditions. There is an attribute
   representing a boolean combination of simpler conditions.

   The class definition is as follows:

   (  IANA-ASSIGNED-OID.1.x
      NAME 'pcimeCompoundConditionAuxClass'
      DESC   'An auxiliary class that represents a boolean combination
              of simpler conditions.'
      SUP     pcimConditionAuxClass
      AUXILIARY
      MAY   (pcimeConditionListType $ pcimeConditionList)
   )

   The attribute pcimeConditionListType is used to specify whether the
   list of policy conditions associated with this compound policy
   condition is in disjunctive normal form (DNF) or conjunctive normal
   form (CNF). The attribute pcimeConditionList is an unordered set of
   DNs to conditions aggregated in the compound condition.

   The attributes are defined in section 5.6.


5.14 The Auxiliary Class pcimeCompoundFilterAuxClass.

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeCompoundFilterAuxClass'
  DESC 'A compound condition with mirroring capabilities for traffic
        characterization.'
  SUP pcimeCompoundConditionAuxClass
  AUXILIARY
  MAY ( pcimeIsMirrored )
)

The Attribute pcimeIsMirrored:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeIsMirrored'
  DESC 'Indicates whether traffic that mirrors the
        specified filter is to be treated as matching
        the filter.'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
)


5.15 The Auxiliary Class pcimeSimpleActionAuxClass.

   This class overwrites the old value of the <variable> and sets the new
   <value>. Two attributes realize the associations
   pcimePolicyVariableInSimplePolicyAction (pcimeVariableDN) and
   pcimePolicyValueInSimplePolicyAction (pcimeValueDN). The first is used
   to attach a variable to a SimplePolicyAction and the second to attach
   a value to a SimplePolicyAction.

   The class definition is as follows:
   (  IANA-ASSIGNED-OID.1.x
      NAME 'pcimeSimpleActionAuxClass'
      DESC   'This class contains attributes characterizing the
              relationship between a Simple PolicyAction and one
              variable and one value.'
      SUP pcimActionAuxClass
      AUXILIARY
      MAY (pcimeVariableDN $ pcimeValueDN)
   )

The attributes are defined in section 5.12.


5.16 The Auxiliary Class pcimeCompoundActionAuxClass.

This class maps the CompoundPolicyAction class of the [PCIM_EXT].
The class definition is as follows:

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeCompoundActionAuxClass'
  DESC 'A class that aggregates simpler actions in a sequence
        with specific execution strategy.'
  SUP pcimActionAuxClass
  AUXILIARY
  MAY ( pcimeActionList
      $ pcimeSequencedActions
      $ pcimeExecutionStrategy )
)

The attributes pcimeSequencedActions, pcimeExecutionStrategy and
pcimeActionList are defined in section 5.6.


5.17 The Abstract Class pcimeVariable.

Variables specify the property of a flow or an event that should be
matched when evaluating a condition, or set when executing an action. A
given variable selects the set of matchable value types through the
ExpectedPolicyValuesForVariable association.
The class definitions are as follows. First, the definition of the
abstract class pcimeVariable:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimeVariable'
     DESC 'Base class for representing a variable whose actual
           value can be matched against or set to a specific value.'
     SUP top
     ABSTRACT
     MAY ( pcimeVariableName $ pcimeExpectedValueList )
   )

   The attribute pcimeVariableName is a user-friendly name for the
   variable.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeVariableName'
     DESC 'The user-friendly name of a variable.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

The attribute pcimeExpectedValueList is an unordered set of DNs of
entries that are instances of subclasses of pcimeValueAuxClass. It maps
the ExpectedPolicyValuesForVariable association of [PCIM_EXT]:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeExpectedValueList'
     DESC 'List of DN references to the pcimeValueAuxClass
           entries that represent the acceptable values.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

5.18 The auxiliary Class pcimeExplicitVariableAuxClass

   The subclass pcimeExplicitVariableAuxClass is defined as
   follows:

   (  IANA-ASSIGNED-OID.1.x
      NAME 'pcimeExplicitVariableAuxClass'
      DESC 'Explicitly defined policy variable evaluated within the
            context of the CIM Schema.'
      SUP pcimeVariable
      AUXILIARY
      MUST ( pcimeVariableModelClass $ pcimeVariableModelProperty )
   )

   The attribute pcimeVariableModelClass is a string specifying the
   class name whose property is evaluated or set as a variable:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeVariableModelClass'
     DESC 'Specifies a CIM class name or oid.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

The attribute pcimeVariableModelProperty is a string specifying the
property, within the class named by pcimeVariableModelClass, which is
evaluated or set as a variable:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeVariableModelProperty'
     DESC 'Specifies a CIM property name or oid.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )


5.19 The Auxiliary Class  pcimeImplicitVariableAuxClass

   The subclass pcimeImplicitVariableAuxClass is defined as
   follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimeImplicitVariableAuxClass'
     DESC 'Implicitly defined policy variables whose evaluation
           depends on the usage context. Subclasses specify
           the data type and semantics of the variables.'
     SUP pcimeVariable
     AUXILIARY
     MUST ( pcimeExpectedValueTypes )
   )

The attribute pcimeExpectedValueTypes is the direct mapping of the
ValueTypes property in the PolicyImplicitVariable class of [PCIM_EXT].
This attribute represents the set of value types allowed to be used with
this variable.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimeExpectedValueTypes'
     DESC 'List of object class names or oids of subclasses
           of pcimeValueAuxClass that define acceptable
           value types.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )


5.20 Subclasses of pcimeImplicitVariableAuxClass

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeSourceIPv4VariableAuxClass'
  DESC 'Source IP v4 address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeSourceIPv6VariableAuxClass'
  DESC 'Source IP v6 address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeDestinationIPv4VariableAuxClass'
  DESC 'Destination IP v4 address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeDestinationIPv6VariableAuxClass'
  DESC 'Destination IP v6 address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeSourcePortVariableAuxClass'
  DESC 'Source port'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeDestinationPortVariableAuxClass'
  DESC 'Destination port'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeIPProtocolVariableAuxClass'
  DESC 'IP protocol number'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeIPVersionVariableAuxClass'
  DESC 'IP version number'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeIPToSVariableAuxClass'
  DESC 'IP ToS'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeDSCPVariableAuxClass'
  DESC 'DiffServ code point'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeFlowIdVariableAuxClass'
  DESC 'Flow Identifier'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeSourceMACVariableAuxClass'
  DESC 'Source MAC address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeDestinationMACVariableAuxClass'
  DESC 'Destination MAC address'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeVLANVariableAuxClass'
  DESC 'VLAN'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeCoSVariableAuxClass'
  DESC 'Class of service'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeEthertypeVariableAuxClass'
  DESC 'Ethertype'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeSourceSAPVariableAuxClass'
  DESC 'Source SAP'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeDestinationSAPVariableAuxClass'
  DESC 'Destination SAP'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeSNAPOUIVariableAuxClass'
  DESC 'SNAP OUI'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeSNAPTypeVariableAuxClass'
  DESC 'SNAP type'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeFlowDirectionVariableAuxClass'
  DESC 'Flow direction'
  SUP pcimeImplicitVariableAuxClass
  AUXILIARY
)


5.21 The Auxiliary Class pcimeValueAuxClass.

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeValueAuxClass'
  DESC 'Base class for representing a value that can be
        matched against or set for a specific variable.'
  SUP top
  AUXILIARY
  MAY ( pcimeValueName )
)

The Attribute pcimeValueName:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeValueName'
  DESC 'The user-friendly name of a value.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)


5.22 Subclasses of pcimeValueAuxClass.

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeIPv4AddrValueAuxClass'
  DESC 'IP v4 address value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeIPv4AddrList )
)

The Attribute pcimeIPv4AddrList:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeIPv4AddrList'
  DESC 'List of IPv4 address values, ranges or hosts.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)


( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeIPv6AddrValueAuxClass'
  DESC 'IP v6 address value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeIPv6AddrList )
)

The Attribute pcimeIPv6AddrList:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeIPv6AddrList'
  DESC 'List of IPv6 address values, ranges or hosts.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)


( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeMACAddrValueAuxClass'
  DESC 'MAC address value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeMACAddrList )
)

The Attribute pcimeMACAddrList:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeMACAddrList'
  DESC 'List of MAC address values or ranges.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)


( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeStringValueAuxClass'
  DESC 'String value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeStringList )
)

The Attribute pcimeStringList:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeStringList'
  DESC 'List of strings or wildcarded strings.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)


( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeBitStringValueAuxClass'
  DESC 'Bit string value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeBitStringList )
)

The Attribute pcimeBitStringList:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeBitStringList'
  DESC 'List of bit strings or masked bit strings.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)


( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeIntegerValueAuxClass'
  DESC 'Integer value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeIntegerList )
)

The Attribute pcimeIntegerList:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeIntegerList'
  DESC 'List of integers or integer ranges.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)


( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeBooleanValueAuxClass'
  DESC 'Boolean value.'
  SUP pcimeValueAuxClass
  AUXILIARY
  MUST ( pcimeBoolean )
)

The Attribute pcimeBoolean:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeBoolean'
  DESC 'A boolean value.'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
)
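
As an added example (not part of this draft or of the PCLS schema), the
following Python evaluates an implicit variable from section 5.20
against a value entry from section 5.22, the way a policy decision
point would when checking a condition. The draft defines the list
attributes as Directory Strings without giving a syntax for ranges, so
the comma-separated "address, prefix or lo-hi range" syntax, the
mapping from variable class to packet field, and the sample entries are
assumptions made for this example. The check against the expected value
types is the security-relevant part: a value entry of the wrong class
is rejected instead of being evaluated.

```python
"""Evaluate PCELS implicit-variable conditions against packet fields
(added example, not from the draft; the list syntax is an assumption)."""
import ipaddress

# Expected value types of the implicit variables used here: which
# pcimeValueAuxClass subclass each may be matched against. Class names
# are the draft's; the pairing itself is this example's assumption.
ALLOWED_VALUE_TYPES = {
    "pcimeSourceIPv4VariableAuxClass": {"pcimeIPv4AddrValueAuxClass"},
    "pcimeDestinationIPv4VariableAuxClass": {"pcimeIPv4AddrValueAuxClass"},
    "pcimeDestinationPortVariableAuxClass": {"pcimeIntegerValueAuxClass"},
    "pcimeIPProtocolVariableAuxClass": {"pcimeIntegerValueAuxClass"},
}
# Packet field each variable reads (field names are this example's).
VARIABLE_FIELD = {
    "pcimeSourceIPv4VariableAuxClass": "src_ip",
    "pcimeDestinationIPv4VariableAuxClass": "dst_ip",
    "pcimeDestinationPortVariableAuxClass": "dst_port",
    "pcimeIPProtocolVariableAuxClass": "ip_proto",
}
# MUST attribute carrying the value list of each value class (section 5.22).
LIST_ATTRIBUTE = {
    "pcimeIPv4AddrValueAuxClass": "pcimeIPv4AddrList",
    "pcimeIPv6AddrValueAuxClass": "pcimeIPv6AddrList",
    "pcimeIntegerValueAuxClass": "pcimeIntegerList",
}


def _items(text):
    """Assumed list syntax: comma-separated items, each a single value, a
    CIDR prefix, or an inclusive range written lo-hi."""
    return [i.strip() for i in text.split(",") if i.strip()]


def parse_ip_list(text, version):
    """Parse pcimeIPv4AddrList / pcimeIPv6AddrList into ip_network objects,
    rejecting items of the wrong IP version and inverted ranges."""
    nets = []
    for item in _items(text):
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != version or hi.version != version or lo > hi:
                raise ValueError(f"bad address range: {item!r}")
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            net = ipaddress.ip_network(item, strict=False)
            if net.version != version:
                raise ValueError(f"wrong IP version: {item!r}")
            nets.append(net)
    return nets


def parse_int_list(text):
    """Parse pcimeIntegerList into inclusive (lo, hi) tuples. Negative
    numbers are not expressible in the assumed lo-hi syntax."""
    ranges = []
    for item in _items(text):
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if lo_i > hi_i:
            raise ValueError(f"bad integer range: {item!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def match(variable_class, value_entry, packet):
    """True if the packet field read by variable_class is in the value list
    of value_entry (dict of LDAP attribute -> value, objectClass included).
    A value entry whose class is not an expected value type of the variable
    raises ValueError instead of silently never (or always) matching."""
    value_class = value_entry["objectClass"]
    if value_class not in ALLOWED_VALUE_TYPES[variable_class]:
        raise ValueError(f"{value_class} is not an expected value type of "
                         f"{variable_class}")
    field = packet[VARIABLE_FIELD[variable_class]]
    values = value_entry[LIST_ATTRIBUTE[value_class]]
    if value_class == "pcimeIntegerValueAuxClass":
        return any(lo <= field <= hi for lo, hi in parse_int_list(values))
    version = 4 if value_class == "pcimeIPv4AddrValueAuxClass" else 6
    addr = ipaddress.ip_address(field)
    return any(addr in net for net in parse_ip_list(values, version))


def evaluate(conditions, packet):
    """AND together (variable class, value entry) pairs."""
    return all(match(var, val, packet) for var, val in conditions)


# Constructed sample value entries: source in corporate address space,
# destination on a web port.
SRC_IS_CORP = ("pcimeSourceIPv4VariableAuxClass",
               {"objectClass": "pcimeIPv4AddrValueAuxClass",
                "pcimeIPv4AddrList": "10.0.0.0/8, 192.0.2.10-192.0.2.20"})
DST_IS_WEB = ("pcimeDestinationPortVariableAuxClass",
              {"objectClass": "pcimeIntegerValueAuxClass",
               "pcimeIntegerList": "80, 443, 8000-8099"})

if __name__ == "__main__":
    packet = {"src_ip": "192.0.2.15", "dst_port": 8080, "ip_proto": 6}
    print(evaluate([SRC_IS_CORP, DST_IS_WEB], packet))   # True
```

Address ranges are expanded with summarize_address_range, so a range
such as 192.0.2.10-192.0.2.20 becomes a handful of prefixes and the
match is a plain containment test; a range whose ends have different IP
versions, or whose low end is above its high end, is refused at parse
time rather than matched loosely.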


5.23 The three new Reusable Container classes.

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeReusableContainer'
  DESC 'A container for reusable policy information.'
  SUP dlm1AdminDomain
  ABSTRACT
  MAY ( pcimeReusableContainerName
      $ pcimeReusableContainerList )
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeReusableContainerAuxClass'
  DESC 'An auxiliary class that can be used to aggregate
        reusable policy information.'
  SUP pcimeReusableContainer
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeReusableContainerInstance'
  DESC 'A structural class that can be used to aggregate
        reusable policy information.'
  SUP pcimeReusableContainer
  STRUCTURAL
)

The Attribute pcimeReusableContainerName:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeReusableContainerName'
  DESC 'The user-friendly name of a reusable policy container.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

The Attribute pcimeReusableContainerList:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeReusableContainerList'
  DESC 'List of DN references to the pcimeReusableContainer
        entries.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)


5.24 The three deprecated Repository classes.

The pcimRepository and its subclasses are replaced by the
pcimeReusableContainer and its subclasses.

( IANA-ASSIGNED-OID.1.18
  NAME 'pcimRepository'
  DESC 'A container for reusable policy information.'
  OBSOLETE
  SUP dlm1AdminDomain
  ABSTRACT
  MAY ( pcimRepositoryName )
)

( IANA-ASSIGNED-OID.1.19
  NAME 'pcimRepositoryAuxClass'
  DESC 'An auxiliary class that can be used to aggregate
        reusable policy information.'
  OBSOLETE
  SUP pcimRepository
  AUXILIARY
)

( IANA-ASSIGNED-OID.1.20
  NAME 'pcimRepositoryInstance'
  DESC 'A structural class that can be used to aggregate
        reusable policy information.'
  OBSOLETE
  SUP pcimRepository
  STRUCTURAL
)

The following attribute is also deprecated:

( IANA-ASSIGNED-OID.2.36
  NAME 'pcimRepositoryName'
  DESC 'The user-friendly name of this policy repository.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)


5.25 The new class pcimeRoleCollection.

( IANA-ASSIGNED-OID.1.x
  NAME 'pcimeRoleCollection'
  DESC 'This class is used to group together entries
        that share a same role.'
  SUP pcimPolicy
  STRUCTURAL
  MUST ( pcimeRole )
  MAY ( pcimeRoleCollectionName
      $ pcimeElementList )
)

The Attribute pcimeRole:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeRole'
  DESC 'String representing a role.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

The Attribute pcimeRoleCollectionName:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeRoleCollectionName'
  DESC 'The user-friendly name of a role collection.'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
)

The Attribute pcimeElementList:

( IANA-ASSIGNED-OID.2.x
  NAME 'pcimeElementList'
  DESC 'List of DN references to the entries representing
        managed elements.'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)
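
Before a schema like the one in this section is loaded into a server,
it is worth checking it mechanically. The following Python is an added
example, not code from the draft: it parses definitions written in the
RFC 4512 syntax used above and reports names that are not valid
descriptors (for instance a stray space inside a quoted NAME), reused
OIDs, undefined superclasses and attributes, and auxiliary classes
derived from structural ones, which a server must refuse. The kinds
assigned to the externally defined superclasses (top, dlm1AdminDomain,
pcimPolicy, pcimeVariable), the stray space in the sample and the final,
deliberately invalid class are assumptions constructed for the example.

```python
"""Sanity-check PCELS schema definitions (added example, not from the draft)."""
import re

KEYSTRING = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # RFC 4512 descriptor form

# Superclasses the draft uses but defines elsewhere ([PCLS], the CIM LDAP
# mapping, section 5.17). Their kinds are this example's assumption.
EXTERNAL_CLASSES = {"top": "ABSTRACT", "dlm1AdminDomain": "ABSTRACT",
                    "pcimPolicy": "ABSTRACT", "pcimeVariable": "ABSTRACT"}


def split_definitions(text):
    """Return each top-level '( ... )'; parentheses inside quotes do not count."""
    defs, depth, start, quoted = [], 0, 0, False
    for i, ch in enumerate(text):
        if ch == "'":
            quoted = not quoted
        elif quoted:
            continue
        elif ch == "(":
            start, depth = (i if depth == 0 else start), depth + 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                defs.append(text[start:i + 1])
    return defs


def parse_definition(definition):
    """Parse one object class or attribute type definition into a dict."""
    body = definition.strip()[1:-1]
    head = re.match(r"\s*(\S+)\s+NAME\s+'([^']*)'", body)
    if not head:
        raise ValueError(f"not a schema element: {definition[:40]!r}")
    rest = re.sub(r"'[^']*'", "''", body)   # blank DESC text so it is not read as keywords

    def names_after(keyword):
        m = re.search(rf"\b{keyword}\s+(\(\s*[^)]*\)|\S+)", rest)
        return re.findall(r"[A-Za-z][\w-]*", m.group(1)) if m else []

    return {"oid": head.group(1), "name": head.group(2),
            "kind": next((k for k in ("ABSTRACT", "STRUCTURAL", "AUXILIARY")
                          if re.search(rf"\b{k}\b", rest)), None),
            "is_attribute": bool(re.search(r"\bSYNTAX\b", rest)),
            "sup": names_after("SUP"),
            "attrs": names_after("MUST") + names_after("MAY")}


def check_schema(text):
    """Return a list of findings; an empty list means the schema is clean.
    IANA-ASSIGNED-OID.n.x placeholders are skipped in the duplicate check."""
    elements = [parse_definition(d) for d in split_definitions(text)]
    kinds = dict(EXTERNAL_CLASSES)
    kinds.update({e["name"].strip(): e["kind"]
                  for e in elements if not e["is_attribute"]})
    attributes = {e["name"].strip() for e in elements if e["is_attribute"]}
    findings, seen = [], {}
    for e in elements:
        name, oid = e["name"], e["oid"]
        if not KEYSTRING.match(name):
            findings.append(f"{name!r}: NAME is not a valid descriptor")
        if ".x" not in oid:
            if oid in seen:
                findings.append(f"{name}: OID {oid} already used by {seen[oid]}")
            seen.setdefault(oid, name)
        if e["is_attribute"]:
            continue
        for sup in e["sup"]:
            if sup not in kinds:
                findings.append(f"{name}: SUP {sup} is not defined")
            elif e["kind"] == "AUXILIARY" and kinds[sup] == "STRUCTURAL":
                findings.append(f"{name}: AUXILIARY class may not derive from "
                                f"STRUCTURAL {sup}")
        for attr in e["attrs"]:
            if attr not in attributes:
                findings.append(f"{name}: attribute {attr} is not defined")
    return findings


# Constructed sample: the section 5.23 classes, with a stray space inserted
# inside one NAME, plus one invalid class derived from a structural one.
SAMPLE_SCHEMA = """
( IANA-ASSIGNED-OID.1.x NAME 'pcimeReusableContainer'
  DESC 'A container for reusable policy information.'
  SUP dlm1AdminDomain ABSTRACT
  MAY ( pcimeReusableContainerName $ pcimeReusableContainerList ) )
( IANA-ASSIGNED-OID.1.x NAME 'pcimeReusableContainerAuxClass '
  SUP pcimeReusableContainer AUXILIARY )
( IANA-ASSIGNED-OID.1.x NAME 'pcimeReusableContainerInstance'
  SUP pcimeReusableContainer STRUCTURAL )
( IANA-ASSIGNED-OID.2.x NAME 'pcimeReusableContainerName'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
( IANA-ASSIGNED-OID.2.x NAME 'pcimeReusableContainerList'
  EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
( IANA-ASSIGNED-OID.1.x NAME 'exampleBadAuxClass'
  DESC 'Constructed: auxiliary class under a structural one (not valid).'
  SUP pcimeReusableContainerInstance AUXILIARY MAY ( exampleUndefinedAttribute ) )
"""
```

Run check_schema(SAMPLE_SCHEMA) and three findings come back: the
descriptor with the embedded space, the auxiliary class under a
structural parent, and the undefined attribute in its MAY list. The
kind rule is the one from RFC 4512: an auxiliary class must not derive
from a structural class, so such a definition never loads, and the
undefined-attribute check catches a MUST or MAY that refers to an
attribute type whose definition was left out of the schema file.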


6. Recommended Schema Extension Methods
<to do>


7. PCLS Data Migration Considerations
<to do>


8. Security Considerations


The security considerations of [PCLS] apply to this document as well.
The following RFCs, which address the same security aspects for LDAP,
are also taken into account:

   RFC 2829 (Authentication Methods for LDAP)
   RFC 2830 (Lightweight Directory Access Protocol (v3): Extension for
             Transport Layer Security)

These RFCs provide the general security framework for the system. Some
additional comments are needed, however, because of the extensions
defined in this document and their relation to [PCLS].

Section 4.4 of [PCLS] describes scenarios with reusable policy
information and information containers located in other DITs. This
document extends those scenarios: reusable containers (section 5.23)
and role collections (section 5.25) are reached through lists of DN
references that may point into other directories and administrative
domains. As a consequence, new types of threat have to be considered,
and new security services are needed to protect against them:

1) Authentication between the entities of the network.
2) Mutual authentication between the network operator and the network
   entities (e.g. DITs).
3) Integrity and confidentiality of the links between network entities,
   and of the data held in the LDAP directories.

Several definitions and security mechanisms related to DITs can also be
obtained from the ITU-T specification X.509, "The Directory:
Authentication framework".

Furthermore, in a distributed scenario the retrieval of OIDs and
attribute values from the DITs implies interaction between diverse
network entities across security and/or administrative domain
boundaries.

In such a directory scenario, with migration of data, the use of DSP
(Directory System Protocol, X.518) with its referral, chaining and
multicasting modes of interaction, each requiring its own key management
and authentication among network entities, would have to be considered.
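
The DN references introduced by pcimeReusableContainerList and
pcimeElementList, and the referrals a server returns once data has been
migrated to another DIT, are the points at which a client crosses an
administrative domain. The following Python is an added example, not
part of this draft: it checks each DN reference against the naming
contexts the operator trusts before the client dereferences it, and
follows a referral only when it is an ldaps:// URL to an allow-listed
host that points into a trusted context. The trusted contexts and host
names are constructed for the example; the DN comparison case-folds
types and values, which is adequate for caseIgnore attribute types such
as ou, o and dc but is not a full RFC 4518 string preparation.

```python
"""Trust checks for the DN references and referrals a PCELS client follows
(added example, not from the draft; contexts and hosts are constructed)."""
from urllib.parse import unquote, urlsplit


def split_dn(dn):
    """Split an RFC 4514 string DN into RDNs (leaf first), honouring
    backslash escapes so an escaped comma inside a value does not split."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalize_rdn(rdn):
    """Case-fold type and value; enough for caseIgnore types, not RFC 4518."""
    attr_type, _, value = rdn.partition("=")
    return attr_type.strip().lower(), value.strip().lower()


def is_within(dn, context):
    """True if dn equals the naming context or lies below it."""
    d = [normalize_rdn(r) for r in split_dn(dn)]
    c = [normalize_rdn(r) for r in split_dn(context)]
    return len(d) >= len(c) and d[len(d) - len(c):] == c


class ReferencePolicy:
    """Decides which DN references and referrals may be followed."""

    def __init__(self, trusted_contexts, trusted_hosts):
        self.trusted_contexts = list(trusted_contexts)
        self.trusted_hosts = {h.lower() for h in trusted_hosts}

    def check_dn(self, dn):
        """(ok, reason) for a DN taken from pcimeReusableContainerList or
        pcimeElementList, evaluated before the client dereferences it."""
        if any(is_within(dn, c) for c in self.trusted_contexts):
            return True, "within a trusted naming context"
        return False, f"{dn} is outside every trusted naming context"

    def check_referral(self, url):
        """(ok, reason) for an LDAP URL returned as a referral. Only ldaps://
        to an allow-listed host, into a trusted context, is followed; a
        cleartext ldap:// referral would hand the bind credentials and the
        returned policy data to whoever injected it."""
        u = urlsplit(url)
        if u.scheme.lower() != "ldaps":
            return False, f"refuse {u.scheme!r} referral: no TLS"
        host = (u.hostname or "").lower()
        if host not in self.trusted_hosts:
            return False, f"refuse referral to untrusted host {host!r}"
        base_dn = unquote(u.path.lstrip("/"))
        return self.check_dn(base_dn) if base_dn else (True, "trusted host")


def filter_references(dns, policy):
    """Split DN references into (allowed, rejected-with-reason)."""
    allowed, rejected = [], []
    for dn in dns:
        ok, reason = policy.check_dn(dn)
        if ok:
            allowed.append(dn)
        else:
            rejected.append((dn, reason))
    return allowed, rejected


# Constructed policy: the operator's policy DIT lives under
# ou=Policies,o=ExampleNet and is served by two known ldaps hosts.
POLICY = ReferencePolicy(["ou=Policies,o=ExampleNet", "dc=example,dc=net"],
                         ["ldap1.example.net", "ldap2.example.net"])

if __name__ == "__main__":
    print(filter_references(["cn=Rule1,ou=Policies,o=ExampleNet",
                             "cn=Rule2,ou=Policies,o=Other"], POLICY))
```

The suffix comparison is done RDN by RDN rather than on the raw string,
so a DN such as cn=Rule1,ou=Policies,o=ExampleNet,o=Other is correctly
rejected even though it contains the trusted context as a substring.
Chaining, where the server rather than the client contacts the remote
DSA, needs the equivalent check on the server side.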


9. IANA Considerations

9.1 Object Identifiers

   It is requested that IANA register an LDAP Object Identifier
   for use in this technical specification according to the
   following template:

   Subject: Request for LDAP OID Registration
   Person & email address to contact for further information:
      XXX
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:
      The assigned OID will be used as a base for identifying
      a number of schema elements defined in this document.


9.2 Object Identifier Descriptors

   It is requested that IANA register the LDAP Descriptors used
   in this technical specification as detailed in the following
   template:

   Subject: Request for LDAP Descriptor Registration Update
   Descriptor (short name): see comment
   Object Identifier: see comment
   Person & email address to contact for further information:
      Bob Moore (remoore@us.ibm.com)
   Usage: see comment
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:

   The following descriptors should be added:

   NAME                            Type    OID
   --------------                  ----    ------------
   pcimeXXX                        O       IANA-ASSIGNED-OID.1.1


10. References

[CIM]      Distributed Management Task Force, Inc., "Common Information
           Model (CIM) Schema", version 2.3, March 2000. The components
           of the CIM v2.3 schema are available via links on the
           following DMTF web page:  http://www.dmtf.org/spec/cims.html

[PCIM]     B. Moore, E. Ellesson, J. Strassner, A. Westerinen, "Policy
           Core Information Model -- Version 1 Specification", RFC 3060,
           February 2001.

[PCIM_EXT] B. Moore, Ed., "Policy Core Information Model (PCIM)
           Extensions", RFC 3460, January 2003.

[PCLS]     J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy Core
           LDAP Schema", Internet Draft, work in progress,
           draft-ietf-policy-core-schema-16.txt.

[LDAP-IANA] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
            Considerations for the Lightweight Directory Access Protocol
            (LDAP)", BCP 64, RFC 3383, September 2002.


11. Authors' Addresses

   Angelica Reyes, Antoni Barba, David Moron
   Technical University of Catalonia
   Jordi-Girona 1-3
   08034 Barcelona
   Spain
   [angelica|telabm|dmoron]@mat.upc.es

   Marcus Brunner
   NEC Europe Ltd.
   Kurfuersten Anlage 34
   D-69115 Heidelberg
   Germany
   brunner@ccrle.nec.de

   Mircea Pana
   MetaSolv Software Inc.
   360 Legget Drive
   Ottawa, Ontario, Canada
   K2K 3N1
   mpana@metasolv.com


12. Full Copyright Statement

  Copyright (C) The Internet Society (2002). All Rights Reserved.

  This document and translations of it may be copied and furnished to
  others, and derivative works that comment on or otherwise explain it
  or assist in its implementation may be prepared, copied, published
  and distributed, in whole or in part, without restriction of any
  kind, provided that the above copyright notice and this paragraph are
  included on all such copies and derivative works. However, this
  document itself may not be modified in any way, such as by removing
  the copyright notice or references to the Internet Society or other
  Internet organizations, except as needed for the purpose of
  developing Internet standards in which case the procedures for
  copyrights defined in the Internet Standards process must be
  followed, or as required to translate it into languages other than
  English.

  The limited permissions granted above are perpetual and will not be
  revoked by the Internet Society or its successors or assigns.

  This document and the information contained herein is provided on an
  "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
  TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
  BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
  HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
  MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Appendix A: Issues

   Some classes need to be added:

   1. pcimeReusableContainer subclasses.
   Since pcimRepository and its two subclasses are deprecated, the
   pcimeReusableContainer class and two subclasses have been added:
   pcimeReusableContainerInstance (structural) and
   pcimeReusableContainerAuxClass (auxiliary). The class
   pcimeReusableContainer is defined as an abstract class, so its
   subclasses are needed in order to instantiate entries in the
   directory.
   RESOLUTION: This issue has been resolved in sections 5.23 and 5.24.

   2. The subclasses pcimRuleActionAssociation and
   pcimActionAssociation have to be added.
   RESOLUTION: This issue has been resolved using the class
   pcimeActionAssociation. See section 5.8.

   3. The following classes have to be clarified:
      pcimePolicyVariableAuxClass,
      pcimePolicyVariableInstance,
      pcimePolicyExplicitVariableAuxClass,
      pcimePolicyImplicitVariableInstance.
   RESOLUTION: This issue has been resolved in sections 5.17 to 5.22.

   4. The mapping of the following classes has to be clarified:
      PolicyValue and its subclasses,
      PolicyImplicitVariable subclasses.
   RESOLUTION: This issue has been resolved in sections 5.19 to 5.22.


   The following points are also under consideration:

   5. Classes for locating errors and detecting failures in the system
   have to be defined.
   (Still an open issue)

   6. Because the policy server is centralized while the LDAP directory
   is distributed hierarchically, it may be necessary to add classes in
   order to find duplicated information. This can occur, for example,
   when updates are excessively frequent.
   (Still an open issue)

   7. Mapping between network domains and the updating of information.
   Servers could manage some of these topics via resource management
   programs, although it would still be necessary to add specific
   classes.
   (Still an open issue)

   8. The PolicyRoleCollection class from [PCIM_EXT] is implemented as
   the pcimeRoleCollection structural object class. This object class is
   a subclass of the abstract class pcimPolicy defined in [PCLS]. As a
   consequence, pcimeRoleCollection instances can be located and
   retrieved by LDAP clients that implement the mechanism defined in
   section 4.5 of [PCLS]. Another option to consider is the
   implementation of pcimeRoleCollection as a triplet of abstract /
   structural / auxiliary subclasses of the abstract dlm1Collection
   defined by [CIM]. In that case, however, in order to permit the use
   of the location and retrieval mechanism mentioned above, it would be
   necessary to attach a pcimElementAuxClass to the pcimeRoleCollection
   instances.
   RESOLUTION: CLOSED. The authors agree on the current implementation.

   9. Considerations about the relation between the performance of
   information retrieval and the storage capacity of DITs.

   10. The following [PCIM_EXT] classes and aggregations need to be
   addressed: FilterEntryBase, IpHeadersFilter, 8021Filter, FilterList
   and EntriesInFilterList.