INTERNET-DRAFT                  PCELS                          June 2003


Policy Framework Working Group                            Angelica Reyes
INTERNET-DRAFT                                              Antoni Barba
Updates: draft-ietf-policy-core-schema-16                    David Moron
                                       Technical University of Catalonia

                                                          Marcus Brunner
                                                                     NEC

                                                             Mircea Pana
                                                                MetaSolv

                                                               June 2003

                 Policy Core Extension LDAP Schema (PCELS)
                <draft-reyes-policy-core-ext-schema-02.txt>

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT]. The changes
   include additional object classes previously not covered, deprecation
   of some object classes and changes to the object class hierarchy
   defined in PCLS.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.




Reyes, et al.              Expires: December 2003               [page 1]

Table of contents

   1. Introduction....................................................
   2. Relationship to other Policy Framework Documents................
   3. Inheritance Hierarchy for PCELS.................................
   4. General Discussion of Mapping the Policy Core Information
      Model Extensions to LDAP........................................
     4.1 Summary of Class and Association Mappings....................
     4.2 Summary of changes since PCLS................................
     4.3 The Association of PolicyVariable and PolicyValues
         to PolicySimpleCondition and PolicySimpleAction..............
     4.4 The Aggregation of PolicyRules and PolicyGroups in
         PolicySets...................................................
     4.5 The Aggregation of actions/conditions in PolicyRules and
         CompoundActions/CompoundConditions...........................
   5. Class Definitions...............................................
     5.1  The Class pcimPolicySet.....................................
     5.2  The Structural Class pcimPolicySetAssociation...............
     5.3  The Updated Class pcimGroup.................................
     5.4  The Deprecated Class pcimGroupContainmentAuxClass...........
     5.5  The Deprecated Class pcimRuleContainmentAuxClass............
     5.6  The Three Classes pcimPolicyRule............................
     5.7  The Structural Class pcimConditionAssociation...............
     5.8  The Structural Class pcimActionAssociation..................
     5.9  The Three Deprecated Classes pcimRule.......................
     5.10  The Deprecated Class pcimRuleConditionAssociation..........
     5.11  The Deprecated Class pcimRuleActionAssociation.............
     5.12  The Auxiliary Class pcimSimpleConditionAuxClass............
     5.13  The Auxiliary Class pcimCompoundConditionAuxClass..........
     5.14  The Auxiliary Class pcimCompoundFilterAuxClass.............
     5.15  The Auxiliary Class pcimSimpleActionAuxClass...............
     5.16  The Auxiliary Class pcimCompoundActionAuxClass.............
     5.17 The Abstract Class pcimVariable.............................
     5.18 The Auxiliary Class pcimExplicitVariableAuxClass............
     5.19 The Auxiliary Class  pcimImplicitVariableAuxClass...........
     5.20 The Subclasses of pcimImplicitVariableAuxClass..............
     5.21 The Auxiliary Class pcimValueAuxClass.......................
     5.22 The Subclasses of pcimValueAuxClass.........................
     5.23 The Three Classes pcimReusableContainer.....................
     5.24 The Three Deprecated Classes pcimRepository.................
     5.25 The Structural Class pcimRoleCollection.....................
     5.26 The Abstract Class pcimFilterEntry..........................
     5.27 The Structural Class pcimIPHeaders..........................
     5.28 The Structural Class pcim8021Headers........................
     5.29 The Auxiliary Class pcimFilterListAuxClass..................
   6. Security Considerations.........................................
   7. IANA Considerations.............................................
     7.1 Object Identifiers...........................................
     7.2 Object Identifier Descriptors................................
   8. References......................................................
   9. Authors' Addresses..............................................
   10. Full Copyright Statement.......................................
   Appendix A: Issues.................................................


1. Introduction

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT]. The changes
   include additional object classes previously not covered, deprecation
   of some object classes and changes to the object class hierarchy
   defined in PCLS.

   Within the context of this document, the term 'PCELS' (Policy Core
   Extension LDAP Schema) is used to refer to the LDAP object class
   definitions contained in this document.


2. Relationship to other Policy Framework Documents

   This document contains an LDAP schema mapping for the classes
   defined in the Policy Core Information Model Extensions [PCIM_EXT].
   Other documents may subsequently be produced, with mappings of the
   same PCIM extensions to other storage or transport technologies.
   The document is an extension to [PCLS], which defines the mapping
   of the Policy Core Information Model [PCIM] to an LDAP schema.


3. Inheritance Hierarchy for PCELS

   The following diagram illustrates the combined class hierarchy for
   the LDAP object classes defined in [PCLS] and in this document:

   top
   |
   +---dlm1ManagedElement (abstract)
   |   |
   |   +---pcimPolicy (abstract)
   |   |   |
   |   |   +---pcimPolicySet (abstract new)
   |   |   |   |
   |   |   |   +---pcimGroup (abstract moved)
   |   |   |   |   |
   |   |   |   |   +--pcimGroupAuxClass (auxiliary moved)
   |   |   |   |   |
   |   |   |   |   +---pcimGroupInstance (structural moved)
   |   |   |   |
   |   |   |   +---pcimPolicyRule (abstract new)
   |   |   |       |
   |   |   |       +---pcimPolicyRuleAuxClass (auxiliary new)
   |   |   |       |
   |   |   |       +---pcimPolicyRuleInstance (structural new)
   |   |   |
   |   |   +---pcimRule (abstract deprecated)
   |   |   |   |
   |   |   |   +---pcimRuleAuxClass (auxiliary deprecated)
   |   |   |   |
   |   |   |   +---pcimRuleInstance (structural deprecated)
   |   |   |
   |   |   +---pcimRuleConditionAssociation (structural deprecated)
   |   |   |
   |   |   +---pcimConditionAssociation (structural new)
   |   |   |
   |   |   +---pcimRuleValidityAssociation (structural)
   |   |   |
   |   |   +---pcimRuleActionAssociation (structural deprecated)
   |   |   |
   |   |   +---pcimActionAssociation (structural new)
   |   |   |
   |   |   +---pcimPolicySetAssociation (structural new)
   |   |   |
   |   |   +---pcimPolicyInstance (structural)
   |   |   |
   |   |   +---pcimElementAuxClass (auxiliary)
   |   |   |
   |   |   +---pcimRoleCollection (structural new)
   |   |   |
   |   |   +---pcimFilterEntry (abstract new)
   |   |       |
   |   |       +---pcimIPHeaders (structural new)
   |   |       |
   |   |       +---pcim8021Headers (structural new)
   |   |
   |   +---dlm1ManagedSystemElement (abstract)
   |       |
   |       +---dlm1LogicalElement (abstract)
   |           |
   |           +---dlm1System (abstract)
   |               |
   |               +---dlm1AdminDomain (abstract)
   |                   |
   |                   +---pcimRepository (abstract deprecated)
   |                   |   |
   |                   |   +---pcimRepositoryAuxClass
   |                   |   |   (auxiliary deprecated)
   |                   |   |
   |                   |   +---pcimRepositoryInstance
   |                   |       (structural deprecated)
   |                   |
   |                   +---pcimReusableContainer (abstract new)
   |                       |
   |                       +---pcimReusableContainerAuxClass
   |                       |   (auxiliary new)
   |                       |
   |                       +---pcimReusableContainerInstance
   |                           (structural new)
   |
   +---pcimConditionAuxClass (auxiliary)
   |   |
   |   +---pcimTPCAuxClass (auxiliary)
   |   |
   |   +---pcimConditionVendorAuxClass (auxiliary)
   |   |
   |   +---pcimSimpleConditionAuxClass (auxiliary new)
   |   |
   |   +---pcimCompoundConditionAuxClass (auxiliary new)
   |   |   |
   |   |   +---pcimCompoundFilterAuxClass (auxiliary new)
   |   |
   |   +---pcimFilterListAuxClass (auxiliary new)
   |
   +---pcimActionAuxClass (auxiliary)
   |   |
   |   +---pcimActionVendorAuxClass (auxiliary)
   |   |
   |   +---pcimSimpleActionAuxClass (auxiliary new)
   |   |
   |   +---pcimCompoundActionAuxClass (auxiliary new)
   |
   +---pcimVariable (abstract new)
   |   |
   |   +---pcimExplicitVariableAuxClass (auxiliary new)
   |   |
   |   +---pcimImplicitVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourceIPv4VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourceIPv6VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationIPv4VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationIPv6VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourcePortVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationPortVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimIPProtocolVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimIPVersionVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimIPToSVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDSCPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimFlowIdVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourceMACVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationMACVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimVLANVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimCoSVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimEthertypeVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourceSAPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationSAPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSNAPOUIVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSNAPTypeVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimFlowDirectionVariableAuxClass (auxiliary new)
   |
   +---pcimValueAuxClass (auxiliary new)
   |   |
   |   +---pcimIPv4AddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcimIPv6AddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcimMACAddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcimStringValueAuxClass (auxiliary new)
   |   |
   |   +---pcimBitStringValueAuxClass (auxiliary new)
   |   |
   |   +---pcimIntegerValueAuxClass (auxiliary new)
   |   |
   |   +---pcimBooleanValueAuxClass (auxiliary new)
   |
   +---pcimSubtreesPtrAuxClass (auxiliary)
   |
   +---pcimGroupContainmentAuxClass (auxiliary deprecated)
   |
   +---pcimRuleContainmentAuxClass (auxiliary deprecated)


4. General Discussion of Mapping the Policy Core Information Model
   Extensions to LDAP

   The object classes described in this document contain certain
   optimizations for a directory that uses LDAP as an access protocol.
   One example is the use of auxiliary class attachment to LDAP entries
   to realize some of the associations defined in the information model.

   Note that other storage types might need to implement the association
   differently.


4.1 Summary of Class and Association Mappings

   The LDAP object classes defined in this document are a direct mapping
   from the corresponding classes and, in some cases, the associations
   defined in [PCIM_EXT]. Similarly, the LDAP attributes defined here
   are a direct mapping from the corresponding class properties. In some
   cases, associations defined in [PCIM_EXT] are simply mapped to
   reference attributes or realized through auxiliary class attachment.

   Similar to [PCLS], the prefix "pcim" is used for all the object class
   and attribute names defined in this document.

+----------------------------------------------------------------------+
| Information Model (PCIM ext)  | LDAP Class(es)                       |
+----------------------------------------------------------------------+
| PolicySet                     | pcimPolicySet                        |
+----------------------------------------------------------------------+
| PolicyRule                    | pcimPolicyRule                       |
|                               | pcimPolicyRuleAuxClass               |
|                               | pcimPolicyRuleInstance               |
+----------------------------------------------------------------------+
| SimplePolicyCondition         | pcimSimpleConditionAuxClass          |
+----------------------------------------------------------------------+
| CompoundPolicyCondition       | pcimCompoundConditionAuxClass        |
+----------------------------------------------------------------------+
| CompoundFilterCondition       | pcimCompoundFilterAuxClass           |
+----------------------------------------------------------------------+
| SimplePolicyAction            | pcimSimpleActionAuxClass             |
+----------------------------------------------------------------------+
| CompoundPolicyAction          | pcimCompoundActionAuxClass           |
+----------------------------------------------------------------------+
| PolicyVariable                | pcimVariable                         |
+----------------------------------------------------------------------+
| PolicyExplicitVariable        | pcimExplicitVariableAuxClass         |
+----------------------------------------------------------------------+
| PolicyImplicitVariable        | pcimImplicitVariableAuxClass         |
+----------------------------------------------------------------------+
| PolicySourceIPv4Variable      | pcimSourceIPv4VariableAuxClass       |
+----------------------------------------------------------------------+
| PolicySourceIPv6Variable      | pcimSourceIPv6VariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyDestinationIPv4Variable | pcimDestinationIPv4VariableAuxClass  |
+----------------------------------------------------------------------+
| PolicyDestinationIPv6Variable | pcimDestinationIPv6VariableAuxClass  |
+----------------------------------------------------------------------+
| PolicySourcePortVariable      | pcimSourcePortVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyDestinationPortVariable | pcimDestinationPortVariableAuxClass  |
+----------------------------------------------------------------------+
| PolicyIPProtocolVariable      | pcimIPProtocolVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyIPVersionVariable       | pcimIPVersionVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyIPToSVariable           | pcimIPToSVariableAuxClass            |
+----------------------------------------------------------------------+
| PolicyDSCPVariable            | pcimDSCPVariableAuxClass             |
+----------------------------------------------------------------------+
| PolicyFlowIDVariable          | pcimFlowIDVariableAuxClass           |
+----------------------------------------------------------------------+
| PolicySourceMACVariable       | pcimSourceMACVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyDestinationMACVariable  | pcimDestinationMACVariableAuxClass   |
+----------------------------------------------------------------------+
| PolicyVLANVariable            | pcimVLANVariableAuxClass             |
+----------------------------------------------------------------------+
| PolicyCoSVariable             | pcimCoSVariableAuxClass              |
+----------------------------------------------------------------------+
| PolicyEthertypeVariable       | pcimEthertypeVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicySourceSAPVariable       | pcimSourceSAPVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyDestinationSAPVariable  | pcimDestinationSAPVariableAuxClass   |
+----------------------------------------------------------------------+
| PolicySNAPOUIVariable         | pcimSNAPOUIVariableAuxClass          |
+----------------------------------------------------------------------+
| PolicySNAPTypeVariable        | pcimSNAPTypeVariableAuxClass         |
+----------------------------------------------------------------------+
| PolicyFlowDirectionVariable   | pcimFlowDirectionVariableAuxClass    |
+----------------------------------------------------------------------+
| PolicyValue                   | pcimValueAuxClass                    |
+----------------------------------------------------------------------+
| PolicyIPv4AddrValue           | pcimIPv4AddrValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyIPv6AddrValue           | pcimIPv6AddrValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyMACAddrValue            | pcimMACAddrValueAuxClass             |
+----------------------------------------------------------------------+
| PolicyStringValue             | pcimStringValueAuxClass              |
+----------------------------------------------------------------------+
| PolicyBitStringValue          | pcimBitStringValueAuxClass           |
+----------------------------------------------------------------------+
| PolicyIntegerValue            | pcimIntegerValueAuxClass             |
+----------------------------------------------------------------------+
| PolicyBooleanValue            | pcimBooleanValueAuxClass             |
+----------------------------------------------------------------------+
| PolicyRoleCollection          | pcimRoleCollection                   |
+----------------------------------------------------------------------+
| ReusablePolicyContainer       | pcimReusableContainer                |
|                               | pcimReusableContainerAuxClass        |
|                               | pcimReusableContainerInstance        |
+----------------------------------------------------------------------+
| FilterEntryBase               | pcimFilterEntry                      |
+----------------------------------------------------------------------+
| IPHeadersFilter               | pcimIPHeaders                        |
+----------------------------------------------------------------------+
| 8021Filter                    | pcim8021Headers                      |
+----------------------------------------------------------------------+
| FilterList                    | pcimFilterListAuxClass               |
+----------------------------------------------------------------------+

+----------------------------------------------------------------------+
| Information Model Association    | LDAP Attribute / Class            |
+----------------------------------------------------------------------+
| PolicySetComponent               | pcimPolicySetComponentList in     |
|                                  | pcimPolicySet and                 |
|                                  | pcimPolicySetDN in                |
|                                  | pcimPolicySetAssociation          |
+----------------------------------------------------------------------+
| PolicySetInSystem                | DIT Containment and               |
|                                  | pcimPolicySetDN in                |
|                                  | pcimPolicySetAssociation          |
+----------------------------------------------------------------------+
| PolicyGroupInSystem              | (same as PolicySetInSystem)       |
+----------------------------------------------------------------------+
| PolicyRuleInSystem               | (same as PolicySetInSystem)       |
+----------------------------------------------------------------------+
| PolicyConditionStructure         | pcimConditionDN in                |
|                                  | pcimConditionAssociation          |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyRule      | pcimConditionList in              |
|                                  | pcimPolicyRule and                |
|                                  | pcimConditionDN in                |
|                                  | pcimConditionAssociation          |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyCondition | pcimConditionList in              |
|                                  | pcimCompoundConditionAuxClass     |
|                                  | and pcimConditionDN in            |
|                                  | pcimConditionAssociation          |
+----------------------------------------------------------------------+
| PolicyActionStructure            | pcimActionDN in                   |
|                                  | pcimActionAssociation             |
+----------------------------------------------------------------------+
| PolicyActionInPolicyRule         | pcimActionList in                 |
|                                  | pcimPolicyRule and                |
|                                  | pcimActionDN in                   |
|                                  | pcimActionAssociation             |
+----------------------------------------------------------------------+
| PolicyActionInPolicyAction       | pcimActionList in                 |
|                                  | pcimCompoundActionAuxClass        |
|                                  | and pcimActionDN in               |
|                                  | pcimActionAssociation             |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcimVariableDN in                 |
| Condition                        | pcimSimpleConditionAuxClass       |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicy        | pcimValueDN in                    |
| Condition                        | pcimSimpleConditionAuxClass       |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcimVariableDN in                 |
| Action                           | pcimSimpleActionAuxClass          |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicyAction  | pcimValueDN in                    |
|                                  | pcimSimpleActionAuxClass          |
+----------------------------------------------------------------------+
| ReusablePolicy                   | DIT containment                   |
+----------------------------------------------------------------------+
| ExpectedPolicyValuesForVariable  | pcimExpectedValueList in          |
|                                  | pcimVariable                      |
+----------------------------------------------------------------------+
| ContainedDomain                  | DIT containment or                |
|                                  | pcimReusableContainerList in      |
|                                  | pcimReusableContainer             |
+----------------------------------------------------------------------+
| EntriesInFilterList              | pcimFilterEntryList in            |
|                                  | pcimFilterListAuxClass            |
+----------------------------------------------------------------------+
| ElementInPolicyRoleCollection    | DIT containment or                |
|                                  | pcimElementList in                |
|                                  | pcimRoleCollection                |
+----------------------------------------------------------------------+
| PolicyRoleCollectionInSystem     | DIT Containment                   |
+----------------------------------------------------------------------+


4.2 Summary of changes since PCLS

   This section provides an overview of the changes to PCLS defined in
   this document:

   1. Changes to the pcimRepository: Because of the potential for
   confusion with the Policy Framework component Policy Repository as
   described in section 3.2.1 in [PCIM_EXT], the class is now called
   pcimReusableContainer. Its subclasses have been renamed as well.

   2. The pcimGroupContainmentAuxClass and pcimRuleContainmentAuxClass
   auxiliary classes used to map the PolicyRuleInPolicyGroup and
   PolicyGroupInPolicyGroup aggregations defined by [PCIM] are replaced
   by the structural class pcimPolicySetAssociation and the attribute
   pcimPolicySetList added to the abstract class pcimPolicySet.
   Section 4.4 presents the details of this association.

   3. The class pcimRule is deprecated and with it the absolute
   prioritization of policy rules is no longer available. A relative
   prioritization of policies is introduced through the attribute
   pcimPriority in the pcimPolicySet object class. This attribute
   indicates the relative priority of the components of a policy set or,
   for a PolicySetInSystem, the priority of the referenced policy set
   relative to the other policy sets associated to this system.

   4. A new attribute pcimDecisionStrategy is added on the pcimPolicySet
   class in order to map the decision mechanism described in [PCIM_EXT].

   5. The attribute pcimRoles is moved to the class pcimPolicySet from
   the deprecated class pcimRule. Thus, the role based policy selection
   mechanism is preserved and extended to all the subclasses of
   pcimPolicySet.

   6. The new attribute pcimExecutionStrategy is added to the
   pcimPolicyRule class to allow the specification of the expected
   behavior in the case where there are multiple actions aggregated by
   a rule or by a compound action.

   7. Compound Conditions: The pcimCompoundConditionAuxClass class is
   added in order to map the CompoundPolicyCondition class of [PCIM_EXT].
   A new class, pcimConditionAssociation, is introduced to realize the
   aggregation of policy conditions in a pcimCompoundConditionAuxClass.
   The same class is used to aggregate policy conditions in a
   pcimPolicyRule, while the pcimRuleConditionAssociation defined in
   [PCLS] for this purpose is deprecated.

   8. Compound Actions: The pcimCompoundActionAuxClass class is
   added in order to map the CompoundPolicyAction class of [PCIM_EXT].
   A new class, pcimActionAssociation, is introduced to realize the
   aggregation of policy actions in a pcimCompoundActionAuxClass.
   The same class is used to aggregate policy actions in a
   pcimPolicyRule, while the pcimRuleActionAssociation defined in [PCLS]
   for this purpose is deprecated.

   9. Variables and values: The classes defined in [PCIM_EXT] for the
   implementation of simple conditions and actions are directly mapped
   to auxiliary classes. These classes are: pcimSimpleConditionAuxClass,
   pcimSimpleActionAuxClass, pcimVariable and its subclasses, and
   pcimValueAuxClass and its subclasses.

   10. Reusable conditions, actions, groups, rules, variables and values
   are subordinated (DIT contained) to a pcimReusableContainer entry.
   Thus, the ReusablePolicy association defined in [PCIM_EXT] is
   realized through subordination.

   11. Device level filter classes are added to the schema.

   12. The pcimRoleCollection class is added to the schema to allow
   the association of policy roles to resources represented as LDAP
   entries.


4.3 The Association of PolicyVariable and PolicyValues
    to PolicySimpleCondition and PolicySimpleAction

   A PolicySimpleCondition, like a PolicySimpleAction, includes a
   single PolicyValue and a single PolicyVariable. Each of them can
   either be attached to the condition or action entry (as an auxiliary
   class) or be referenced by a DN.

   The attachment helps create compact PolicyCondition and PolicyAction
   definitions that can be efficiently provisioned and retrieved from
   the repository. On the other hand, referenced PolicyVariables and
   PolicyValues instances can be reused in the construction of multiple
   policies and permit the administrative partitioning of the data and
   policy definitions.


4.4 The Aggregation of PolicyRules and PolicyGroups in PolicySets

   In [PCIM_EXT], the two aggregations PolicyGroupInPolicyGroup and
   PolicyRuleInPolicyGroup are combined into a single aggregation,
   PolicySetComponent. This aggregation, together with the capability
   of associating a policy with the ReusablePolicyContainer, offers
   new possibilities for reuse. Furthermore, this aggregation
   introduces new semantics representing the execution of one
   PolicyRule within the scope of another PolicyRule.

   Since PolicySet is defined in [PCIM_EXT], it is mapped in this
   document to a new class, pcimPolicySet, in order to provide an
   abstraction for a set of policy rules or groups. The aggregation
   class PolicySetComponent in [PCIM_EXT] is mapped to the multi-valued
   attribute pcimPolicySetList in the pcimPolicySet class and the
   attribute pcimPolicySetDN in the pcimPolicySetAssociation class.
   These attributes refer to the nested rules and groups.

   A rule/group nested in another rule/group can be stored in two
   ways. The first way is to define the nested rule/group as specific
   to the nesting rule/group. The second way is to define the nested
   rule/group as reusable.

   First case: Specific nested sets (rules/groups).

                 +----------+
                 |Rule/Group|
                 |          |
           +-----|-        -|-----+
           |     +----------+     |
           |       *      *       |
           |       *      *       |
           |    ****      ****    |
           |    *            *    |
           v    *            *    v
         +-----------+   +-----------+
         | SA1+Set1  |   | SA2+Set2  |
         +-----------+   +-----------+

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   Set#: pcimPolicyRuleAuxClass or pcimGroupAuxClass auxiliary class.
   SA#: pcimPolicySetAssociation structural class.

   The nesting pcimPolicySet refers to instances of
   pcimPolicySetAssociation using the attribute pcimPolicySetList. These
   structural association classes are subordinated (DIT contained) to
   the pcimPolicySet (rule or group) entry and represent the
   association between the set (rule or group) and its nested rules/
   groups. The nested pcimPolicySet instances are attached (as auxiliary
   classes) to the association entries.

   Second case: Reusable nested sets (rules/groups).

                +----------+             +-------------+
                |Rule/Group|             | RepositoryX |
              +-|-        -|--+          |             |
              | +----------+  |          +-------------+
              |   *      *    |             *        *
              | ***      **** |             *        *
              | *           * v             *        *
              | *          +---+            *        *
              | *          |SA2|         +-------+   *
              v *          |  -|-------->|S1+Set2|   *
             +---+         +---+         +-------+   *
             |SA1|                               +-------+
             |  -|------------------------------>|S2+Set3|
             +---+                               +-------+

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   Set#: pcimPolicyRuleAuxClass or pcimGroupAuxClass class.
   SA#: pcimPolicySetAssociation structural class.
   S#: structural class.

   The nesting pcimPolicySet refers to instances of
   pcimPolicySetAssociation using the attribute pcimPolicySetList.
   These structural association classes are subordinated (DIT contained)
   to the pcimPolicySet entry and represent the association between
   the set (rule or group) and its nested rules/groups. The reusable
   rules/groups are instantiated here as auxiliary classes attached to
   pcimPolicyInstance entries in the reusable container. Another
   option is to use the structural subclasses for defining reusable
   rules/groups. The association classes belonging to a nesting policy
   set reference the reusable rules/groups using the attribute
   pcimPolicySetDN.

   A combination of both specific and reusable components is also
   allowed for the same policy set.


4.5 The Aggregation of actions/conditions in PolicyRules and
     CompoundActions/CompoundConditions

   [PCIM_EXT] defines two new classes that offer the designer the
   capability of creating more complex conditions and actions. The
   CompoundPolicyCondition and CompoundPolicyAction classes are mapped
   in this document to the pcimCompoundConditionAuxClass and
   pcimCompoundActionAuxClass classes, which are subclasses of
   pcimConditionAuxClass and pcimActionAuxClass respectively. The
   compound conditions/actions defined in [PCIM_EXT] extend the
   capability of the rule to associate, group and evaluate/execute
   conditions/actions. Conditions/actions are associated to compound
   conditions/actions in the same way as they are associated to rules.

   This section explains how to store instances of these classes in an
   LDAP directory. As a general rule, specific conditions/actions are
   subordinated (DIT contained) to the rule or compound condition/action
   that aggregates them and are attached to association class
   instances. Reusable conditions/actions are subordinated to
   pcimReusableContainer instances and attached to pcimPolicyInstance
   instances.

   The examples below illustrate the four possible cases combining
   specific/reusable compound/non-compound conditions/actions. The rule
   has two compound conditions, each of which has two different
   conditions. The same schemes apply to the storage of actions.

   The examples below are based on and extend those illustrated in
   the section 4.4 of [PCLS].

   - First case: Specific compound condition/action with specific
   conditions/actions.

                         +--------------+
                  +------|     Rule     |------+
                  |      +--------------+      |
                  |           *    *           |
                  |   *********    *********   |
                  v   *                    *   v
                 +---------+          +---------+
               +-| CA1+cc1 |-+      +-| CA2+cc2 |-+
               | +---------+ |      | +---------+ |
               |     * *     |      |     * *     |
               |  **** ****  |      |  **** ****  |
               v  *       *  v      v  *       *  v
              +------+ +------+    +------+ +------+
              |CA3+c1| |CA4+c2|    |CA5+c3| |CA6+c4|
              +------+ +------+    +------+ +------+


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.

   Because the compound conditions/actions are specific to the rule,
   they are auxiliary attachments to instances of the structural
   classes pcimConditionAssociation or pcimActionAssociation. These
   structural classes represent the association between the rule and
   the compound condition/action. The rule-specific conditions/actions
   are therefore subordinated (DIT contained) to the rule entry.

   The conditions/actions are tied to the compound conditions/actions
   in the same way the compound conditions/actions are tied to rules.
   Association classes realize the association between the aggregating
   compound conditions/actions and the specific conditions/actions.

   - Second case: Rule-specific compound conditions/actions with
   reusable conditions/actions.

           +-------------+                   +---------------+
    +------|     Rule    |-----+             |  RepositoryX  |
    |      +-------------+     |             +---------------+
    |           *    *         |              *    *    *   *
    |           *    *         |           ****    *    *   *
    |   *********    ********  |           *       *    *   ********
    |   *                   *  v           *       *    *          *
    |   *               +---------+        *       *    ****       *
    |   *             +-| CA2+cc2 |-+      *       *       *       *
    |   *             | +---------+ |      *       *       *       *
    v   *             |    *  *     |      *       *       *       *
   +---------+        | ****  ****  |      *       *       *       *
 +-| CA1+cc1 |-+      | *        *  v      *       *       *       *
 | +---------+ |      | *     +------+  +-----+    *       *       *
 |    *  *     |      v *     |  CA6 |->|S1+c4|    *       *       *
 | ****  ****  |     +------+ +------+  +-----+ +-----+    *       *
 | *        *  v     |  CA5 |------------------>|S2+c3|    *       *
 | *      +------+   +------+                   +-----+ +-----+    *
 v *      |  CA4 |------------------------------------->|S3+c2|    *
 +------+ +------+                                      +-----+ +-----+
 |  CA3 |------------------------------------------------------>|S4+c1|
 +------+                                                       +-----+


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.
   S#: structural class

   This case is similar to the first one. The conditions/actions are
   reusable, so they are not attached to the association classes but to
   structural classes in the reusable container. The association
   classes tie the conditions/actions located in a reusable container
   to their aggregators using DN references.

   - Third case: Reusable compound condition/action with specific
   conditions/actions.

        +--------------+                  +--------------+
        |     Rule     |                  |  repositoryX |
    +---+--------------+----+             +--------------+
    |        *     *        |                  *    *
    |  *******     *******  |           ********    ********
    |  *                 *  v           *                  *
    |  *            +----------+    +---------+            *
    |  *            |   CA2    |--->| S1+cc2  |            *
    |  *            +----------+  +-+---------+-+          *
    |  *                          |     * *     |          *
    |  *                          |  **** ****  |          *
    |  *                          v  *       *  v          *
    |  *                         +------+ +------+         *
    |  *                         |CA5+c3| |CA6+c4|         *
    v  *                         +------+ +------+         *
  +----------+                                          +---------+
  |   CA1    |----------------------------------------->| S2+cc1  |
  +----------+                                        +-+---------+-+
                                                      |     * *     |
                                                      |  **** ****  |
                                                      v  *       *  v
                                                     +------+ +------+
                                                     |CA3+c1| |CA4+c2|
                                                     +------+ +------+


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.
   S#: structural class

   Reusable compound conditions/actions are attached to structural
   classes and stored in a reusable policy container. They are related
   to the rule through a DN reference attribute in the association
   classes.

   Specific conditions/actions are attached to association entries and
   subordinated (DIT contained) to the aggregating compound
   condition/action.

   - Fourth case: Reusable conditions/actions and reusable compound
   conditions/actions.

          +------+          +---------------+    +---------------+
    +-----| Rule |-----+    |  RepositoryX  |    |  RepositoryY  |
    |     +------+     |    +---------------+    +---------------+
    |      *    *      |         *     *           *   *   *   *
    | ******    ****** |       ***     ***       ***   *   *   *****
    | *              * v       *         *       *     *   *       *
    | *          +-------+  +------+     *       *     *   ***     *
    | *          |  CA2  |->|S1+ca1|     *       *     *     *     *
    | *          +-------+  +------+     *       *     *     *     *
    | *                    /  *  *  \    *       *     *     *     *
    | *                    |**   ** |    *       *     *     *     *
    | *                    |*     * v    *       *     *     *     *
    | *                    |*   +---+    *    +-----+  *     *     *
    | *                    |*   |CA6|----*--->|S3+c4|  *     *     *
    | *                    v*   +---+    *    +-----+  *     *     *
    | *                  +---+           *          +-----+  *     *
    | *                  |CA5|-----------*--------->|S4+c3|  *     *
    v *                  +---+           *          +-----+  *     *
  +-------+                           +------+               *     *
  |  CA1  |-------------------------->|S2+cc1|               *     *
  +-------+                           +------+               *     *
                                     /  *  *  \              *     *
                                     | **  ** |              *     *
                                     | *    * v              *     *
                                     | *  +---+           +-----+  *
                                     | *  |CA4|---------->|S5+c2|  *
                                     v *  +---+           +-----+  *
                                    +---+                      +-----+
                                    |CA3|--------------------->|S6+c1|
                                    +---+                      +-----+


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.
   S#: structural class

   All the conditions/actions are reusable, so they are stored in
   reusable containers. The figure above shows two different reusable
   policy containers, but the number of containers in the system is
   decided for administrative reasons. The conditions, actions, etc.
   may be stored in the same container or in different containers with
   no impact on the policy definition semantics.
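   The DIT conventions of sections 4.4 and 4.5 (and the restriction of
   section 5.12 on simple conditions and actions) can be checked
   mechanically over an LDIF export of the policy subtree. The script
   below is an added illustration, not part of the draft and not code
   from its authors: it parses a small constructed LDIF fragment laid
   out as in the figures above (rule1 nesting a specific group and a
   reusable rule, and a specific compound condition aggregating a
   reusable simple condition) and reports every violation of the
   conventions: each DN in a pcimPolicySetList, pcimConditionList or
   pcimActionList must name an association entry DIT-contained in the
   aggregator; each association entry must carry exactly one of an
   attached component or a DN reference; a referenced component must
   live under a pcimReusableContainer; and no entry may carry both
   pcimSimpleConditionAuxClass and pcimSimpleActionAuxClass. The DNs,
   the o=example suffix and the fixed table of component classes are
   assumptions made for the example.

```python
import re

# Conventions of sections 4.4/4.5: list attribute on the aggregator ->
# (association class, component classes that may be attached as auxiliary
# classes, DN attribute used for a reusable component). The component class
# sets are an assumption of this example; a real checker would derive the
# subclasses of pcimConditionAuxClass/pcimActionAuxClass from the subschema.
ASSOC = {
    "pcimpolicysetlist": ("pcimpolicysetassociation",
        {"pcimpolicyruleauxclass", "pcimgroupauxclass"}, "pcimpolicysetdn"),
    "pcimconditionlist": ("pcimconditionassociation",
        {"pcimconditionauxclass", "pcimsimpleconditionauxclass",
         "pcimcompoundconditionauxclass", "pcimcompoundfilterauxclass"},
        "pcimconditiondn"),
    "pcimactionlist": ("pcimactionassociation",
        {"pcimactionauxclass", "pcimsimpleactionauxclass",
         "pcimcompoundactionauxclass"}, "pcimactiondn"),
}
DN_ATTRS = {"dn", "pcimpolicysetdn", "pcimconditiondn", "pcimactiondn"} | set(ASSOC)

# Constructed sample DIT (not from the draft; DNs are made up, naming
# attributes omitted). rule1 nests a specific group (sa1, attached) and a
# reusable rule (sa2, DN reference); its specific compound condition ca1
# aggregates the reusable simple condition cond1 through ca2.
SAMPLE_LDIF = """\
dn: cn=rule1,ou=policies,o=example
objectClass: pcimPolicyRuleInstance
pcimPolicySetList: cn=sa1,cn=rule1,ou=policies,o=example
pcimPolicySetList: cn=sa2,cn=rule1,ou=policies,o=example
pcimConditionList: cn=ca1,cn=rule1,ou=policies,o=example

dn: cn=sa1,cn=rule1,ou=policies,o=example
objectClass: pcimPolicySetAssociation
objectClass: pcimGroupAuxClass
pcimPriority: 10

dn: cn=sa2,cn=rule1,ou=policies,o=example
objectClass: pcimPolicySetAssociation
pcimPriority: 20
pcimPolicySetDN: cn=rule2,cn=repositoryX,o=example

dn: cn=ca1,cn=rule1,ou=policies,o=example
objectClass: pcimConditionAssociation
objectClass: pcimCompoundConditionAuxClass
pcimConditionGroupNumber: 1
pcimConditionNegated: FALSE
pcimConditionList: cn=ca2,cn=ca1,cn=rule1,ou=policies,o=example

dn: cn=ca2,cn=ca1,cn=rule1,ou=policies,o=example
objectClass: pcimConditionAssociation
pcimConditionGroupNumber: 1
pcimConditionNegated: FALSE
pcimConditionDN: cn=cond1,cn=repositoryX,o=example

dn: cn=repositoryX,o=example
objectClass: pcimReusableContainer

dn: cn=rule2,cn=repositoryX,o=example
objectClass: pcimPolicyRuleInstance

dn: cn=cond1,cn=repositoryX,o=example
objectClass: pcimPolicyInstance
objectClass: pcimSimpleConditionAuxClass
"""

def norm_dn(dn):
    return ",".join(part.strip() for part in dn.lower().split(","))

def parent(dn):
    return dn.partition(",")[2]

def parse_ldif(text):
    """Minimal LDIF reader (no folding, base64 or change records): entries are
    separated by blank lines; attribute names are lowercased and DN-valued
    attributes normalised so that references compare as plain strings."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            attrs.setdefault(name, []).append(norm_dn(value) if name in DN_ATTRS else value)
        entries[attrs["dn"][0]] = attrs
    return entries

def classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}

def under_reusable_container(dn, entries):
    while dn := parent(dn):
        if "pcimreusablecontainer" in classes(entries.get(dn, {})):
            return True
    return False

def validate(text):
    """Return the list of convention violations; an empty list means consistent."""
    entries = parse_ldif(text)
    problems = []
    for dn, entry in entries.items():
        cls = classes(entry)
        if {"pcimsimpleconditionauxclass", "pcimsimpleactionauxclass"} <= cls:
            problems.append(f"{dn}: simple condition and simple action on one entry (5.12)")
        for list_attr, (assoc_cls, comp_cls, ref_attr) in ASSOC.items():
            # aggregator side: every list member is an association entry directly below it
            for ref in entry.get(list_attr, []):
                target = entries.get(ref)
                if target is None:
                    problems.append(f"{dn}: {list_attr} dangling reference {ref}")
                elif assoc_cls not in classes(target):
                    problems.append(f"{ref}: not a {assoc_cls}")
                elif parent(ref) != dn:
                    problems.append(f"{ref}: not subordinate to its aggregator {dn}")
            # association side: exactly one of attached component or DN reference,
            # and a referenced (reusable) component must live in a reusable container
            if assoc_cls in cls:
                refs = entry.get(ref_attr, [])
                if bool(cls & comp_cls) == bool(refs):
                    problems.append(f"{dn}: needs exactly one of attached component or {ref_attr}")
                for ref in refs:
                    if ref not in entries:
                        problems.append(f"{dn}: {ref_attr} dangling reference {ref}")
                    elif not under_reusable_container(ref, entries):
                        problems.append(f"{dn}: {ref_attr} target {ref} not in a pcimReusableContainer")
    return problems
```

   Run validate() over an LDIF export of the policy subtree (for
   example the output of ldapsearch -LLL); a dangling pcimPolicySetDN,
   an association entry stored outside its aggregator, or a "reusable"
   rule that is not under a pcimReusableContainer each produce one
   message. The class table is deliberately small; a production check
   would read objectClass inheritance from the server's subschema
   entry rather than hard-code it.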

5. Class Definitions

5.1 The Class pcimPolicySet

   The abstract class PolicySet in [PCIM_EXT] is introduced to provide
   an abstraction for a set of rules. The class value 'pcimPolicySet'
   is used as the mechanism for identifying group- and rule-related
   instances in the DIT.

   In [PCIM_EXT], the classes PolicyGroup and PolicyRule are moved, so
   that they are now derived from PolicySet class.

   A pcimPolicySet object refers to instances of pcimGroup and
   pcimPolicyRule via the attribute pcimPolicySetList and the attribute
   pcimPolicySetDN in the pcimPolicySetAssociation object class.

   The definition of the abstract class pcimPolicySet:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicySet'
     DESC 'Abstract class that represents a collection of policies
           that form a coherent set.'
     SUP pcimPolicy
     ABSTRACT
     MAY ( pcimPolicySetName
         $ pcimDecisionStrategy
         $ pcimRoles
         $ pcimPolicySetList )
   )

   One of the attributes of the pcimPolicySet class, pcimRoles, is
   already defined in [PCLS]. The other three attributes are defined
   below.

   The attribute pcimPolicySetName may be used as naming attribute for
   pcimPolicySet entries:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimPolicySetName'
     DESC 'The user-friendly name of a policy set.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcimDecisionStrategy is used to define the evaluation
   method among the rules in the policy set and is mapped directly from
   the PolicyDecisionStrategy property defined in [PCIM_EXT].

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimDecisionStrategy'
     DESC 'The evaluation method used for the components of the
           pcimPolicySet. Valid values: 1 [FirstMatching],
           2 [AllMatching]'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimPolicySetList is used to realize the
   PolicySetComponent aggregation.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimPolicySetList'
     DESC 'List of DN references to the pcimPolicySetAssociation
           entries used to aggregate policy sets.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   The subclasses pcimGroup and pcimPolicyRule are now derived from
   pcimPolicySet.


5.2 The Structural Class pcimPolicySetAssociation

   The pcimPolicySetAssociation class is used to aggregate components
   into pcimPolicySet entries. Instances of this class are always
   subordinated to the aggregating pcimPolicySet. The aggregation of a
   reusable instance of (subclass of) pcimPolicySet is referenced via
   the pcimPolicySetDN attribute. A non-reusable instance of (subclass
   of) pcimPolicySet is attached as auxiliary class directly to the
   pcimPolicySetAssociation entry.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicySetAssociation'
     DESC 'Structural class that contains attributes characterizing
           the relationship between a policy set and one of its
           components.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimPriority )
     MAY ( pcimPolicySetName
         $ pcimPolicySetDN )
   )

   The Attribute pcimPriority:


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimPriority'
     DESC 'Policy priority.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The Attribute pcimPolicySetDN:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimPolicySetDN'
     DESC 'DN reference to a pcimPolicySet entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )


5.3 The Updated Class pcimGroup

   The pcimGroup is defined in [PCLS]. Its superclass is changed here
   so that the pcimGroup can take advantage of the pcimPolicySet and
   its aggregation method.

   (  IANA-ASSIGNED-OID.1.2
      NAME 'pcimGroup'
      DESC   'A container for a set of related pcimPolicyRule entries
              and/or a set of related pcimGroup entries.'
      SUP     pcimPolicySet
      ABSTRACT
      MAY    (pcimGroupName)
   )


5.4 The Deprecated Class pcimGroupContainmentAuxClass

   The policy group aggregation is replaced by the more comprehensive
   policy set aggregation. Therefore this class is deprecated.

   The attribute pcimGroupsAuxContainedSet, used only in the definition
   of the deprecated pcimGroupContainmentAuxClass object class, is also
   deprecated.


5.5 The Deprecated Class pcimRuleContainmentAuxClass

   The policy rule aggregation is replaced by the more comprehensive
   policy set aggregation. Therefore this class is deprecated.

   The attribute pcimRulesAuxContainedSet, used only in the definition
   of the deprecated pcimRuleContainmentAuxClass object class, is also
   deprecated.


5.6 The Three Classes pcimPolicyRule

   The base class representing policy rules is redefined without a
   priority attribute (the priority now lives in the
   pcimPolicySetAssociation entry, section 5.2). In addition, this
   class uses the same condition and action aggregation method as
   pcimCompoundConditionAuxClass and pcimCompoundActionAuxClass.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicyRule'
     DESC 'The base class for representing the "If Condition then
           Action" semantics associated with a Policy Rule'
     SUP pcimPolicySet
     ABSTRACT
     MAY ( pcimRuleName
         $ pcimRuleEnabled
         $ pcimConditionListType
         $ pcimConditionList
         $ pcimActionList
         $ pcimRuleValidityPeriodList
         $ pcimRuleUsage
         $ pcimRuleMandatory
         $ pcimSequencedActions
         $ pcimExecutionStrategy )
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicyRuleAuxClass'
     DESC 'An auxiliary class for representing the "If Condition
           then Action" semantics associated with a policy rule.'
     SUP pcimPolicyRule
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicyRuleInstance'
     DESC 'A structural class for representing the "If Condition
           then Action" semantics associated with a policy rule.'
     SUP pcimPolicyRule
     STRUCTURAL
   )

   The attributes pcimRuleConditionListType, pcimRuleConditionList and
   pcimRuleActionList defined in [PCLS] are replaced by
   pcimConditionListType, pcimConditionList and pcimActionList. The new
   attributes are used in pcimPolicyRule as well as in the
   pcimCompoundConditionAuxClass and pcimCompoundActionAuxClass object
   classes.

   The attribute definitions are:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimConditionListType'
     DESC 'a value of 1 means that this policy rule is in disjunctive
           normal form; a value of 2 means that this policy rule is in
           conjunctive normal form.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimConditionList'
     DESC 'Unordered set of DNs to the pcimConditionAssociation
           entries used to aggregate policy conditions.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimActionList'
     DESC 'Unordered set of DNs to the pcimActionAssociation
           entries used to aggregate policy actions.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimSequencedActions'
     DESC 'Indicates whether the ordered execution of
           actions in an aggregate is Mandatory, Recommended,
           or DontCare.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The new attribute pcimExecutionStrategy is a direct mapping of the
   ExecutionStrategy property in the [PCIM_EXT]'s PolicyRule class.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimExecutionStrategy'
     DESC 'Indicates the execution strategy to be used upon an action
           aggregate. VALUES: 1 [Do until success]; 2 [Do all]; 3 [do
           until failure]. Default value = 2.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )
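   The three integer-coded attributes above (pcimDecisionStrategy from
   section 5.1, pcimConditionListType and pcimExecutionStrategy from
   this section) only have meaning once a policy consumer interprets
   them. The following Python code is an added worked example, not part
   of the draft and not an implementation from its authors: it
   evaluates a flat policy set of rules over a dictionary of facts,
   applying FirstMatching/AllMatching across the rules ordered by
   pcimPriority, DNF/CNF over condition associations grouped by
   pcimConditionGroupNumber and negated by pcimConditionNegated (the
   attributes defined in section 5.4 of [PCLS]), and the three
   execution strategies over actions ordered by pcimActionOrder. The
   ordering convention "larger pcimPriority value = higher priority"
   is assumed from the PCIM base model; the rule names, the facts and
   the condition/action callables are constructed for the example, and
   nested policy sets are deliberately out of scope.

```python
FIRST_MATCHING, ALL_MATCHING = 1, 2                     # pcimDecisionStrategy
DNF, CNF = 1, 2                                         # pcimConditionListType
DO_UNTIL_SUCCESS, DO_ALL, DO_UNTIL_FAILURE = 1, 2, 3    # pcimExecutionStrategy

def conditions_match(list_type, conditions, facts):
    """conditions: association records carrying the PCLS attributes
    pcimConditionGroupNumber ('group') and pcimConditionNegated ('negated')
    plus a 'test' callable standing in for the attached/referenced condition.
    DNF: members of a group are ANDed, groups are ORed. CNF: the reverse."""
    groups = {}
    for cond in conditions:
        result = bool(cond["test"](facts)) != bool(cond["negated"])  # XOR = negation
        groups.setdefault(cond["group"], []).append(result)
    if not groups:
        return True                      # a rule without conditions always matches
    if list_type == DNF:
        return any(all(members) for members in groups.values())
    if list_type == CNF:
        return all(any(members) for members in groups.values())
    raise ValueError(f"unknown pcimConditionListType {list_type}")

def run_actions(strategy, actions, facts):
    """Execute actions in pcimActionOrder; each 'run' callable reports success.
    Returns the (name, success) pairs that were actually executed."""
    if strategy not in (DO_UNTIL_SUCCESS, DO_ALL, DO_UNTIL_FAILURE):
        raise ValueError(f"unknown pcimExecutionStrategy {strategy}")
    executed = []
    for action in sorted(actions, key=lambda a: a["order"]):
        ok = bool(action["run"](facts))
        executed.append((action["name"], ok))
        if (strategy == DO_UNTIL_SUCCESS and ok) or (strategy == DO_UNTIL_FAILURE and not ok):
            break
    return executed

def evaluate_policy_set(policy_set, facts):
    """Flat policy set: components are (pcimPriority, rule) pairs as carried by
    pcimPolicySetAssociation entries. Larger priority value = evaluated first
    (assumed PCIM convention). Returns [(rule name, executed actions), ...]."""
    fired = []
    for comp in sorted(policy_set["components"], key=lambda c: -c["priority"]):
        rule = comp["rule"]
        if not rule.get("enabled", True):                      # pcimRuleEnabled
            continue
        if not conditions_match(rule["list_type"], rule["conditions"], facts):
            continue
        fired.append((rule["name"], run_actions(rule["exec"], rule["actions"], facts)))
        if policy_set["decision"] == FIRST_MATCHING:
            break
    return fired

# Constructed sample: a tiny flow-admission policy (names and facts made up).
def is_private(f): return f["src"].startswith("10.")
def is_ssh(f): return f["dport"] == 22

SAMPLE_SET = {
    "decision": FIRST_MATCHING,
    "components": [
        {"priority": 10, "rule": {
            "name": "allow-internal-ssh", "list_type": DNF, "exec": DO_UNTIL_FAILURE,
            "conditions": [{"group": 1, "negated": False, "test": is_private},
                           {"group": 1, "negated": False, "test": is_ssh}],
            "actions": [{"order": 1, "name": "mark", "run": lambda f: True},
                        {"order": 2, "name": "permit", "run": lambda f: True}]}},
        {"priority": 5, "rule": {
            "name": "deny-ssh-elsewhere", "list_type": CNF, "exec": DO_ALL,
            "conditions": [{"group": 1, "negated": True, "test": is_private},
                           {"group": 2, "negated": False, "test": is_ssh}],
            "actions": [{"order": 1, "name": "log", "run": lambda f: True},
                        {"order": 2, "name": "deny", "run": lambda f: True}]}},
        {"priority": 1, "rule": {
            "name": "audit-ssh", "list_type": DNF, "exec": DO_UNTIL_SUCCESS,
            "conditions": [{"group": 1, "negated": False, "test": is_ssh}],
            # primary collector "fails", so DO_UNTIL_SUCCESS stops at the backup
            "actions": [{"order": 1, "name": "syslog-primary", "run": lambda f: False},
                        {"order": 2, "name": "syslog-backup", "run": lambda f: True},
                        {"order": 3, "name": "pager", "run": lambda f: True}]}},
    ],
}

if __name__ == "__main__":
    print(evaluate_policy_set(SAMPLE_SET, {"src": "10.0.0.5", "dport": 22}))
    print(evaluate_policy_set(dict(SAMPLE_SET, decision=ALL_MATCHING),
                              {"src": "192.0.2.7", "dport": 22}))
```

   With FirstMatching an internal SSH flow fires only allow-internal-ssh;
   switching the same set to AllMatching additionally fires audit-ssh,
   whose DO_UNTIL_SUCCESS strategy stops after syslog-backup succeeds and
   never reaches the pager action. The point for a reviewer of a policy
   repository is that a wrong integer in any of these three attributes
   silently changes which actions run, so they deserve the same scrutiny
   as the conditions themselves.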


5.7 The Structural Class pcimConditionAssociation

   This class is used to aggregate policy conditions in compound policy
   conditions or policy rules. It implements the
   PolicyConditionInPolicyRule and PolicyConditionInPolicyCondition
   aggregations. The pcimConditionAssociation class is used to aggregate
   policy conditions into pcimPolicyRule or
   pcimCompoundConditionAuxClass entries. Instances of this class are
   always subordinated to the aggregating pcimPolicyRule or
   pcimCompoundConditionAuxClass. The aggregation of a reusable instance
   of (subclass of) pcimConditionAuxClass is referenced via the
   pcimConditionDN attribute. A non-reusable instance of (subclass of)
   pcimConditionAuxClass is attached directly to the
   pcimConditionAssociation entry.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimConditionAssociation'
     DESC 'This class contains attributes characterizing the
           relationship between a policy condition and one of its
           aggregators: pcimPolicyRule or pcimCompoundConditionAuxClass.
           It is used in the realization of a policy condition
           structure.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimConditionGroupNumber
          $ pcimConditionNegated )
     MAY ( pcimConditionName
         $ pcimConditionDN )
   )

   Its attributes are defined in section 5.4 of [PCLS].


5.8 The Structural Class pcimActionAssociation

   This class is used to aggregate policy actions in compound policy
   actions or policy rules. It implements the PolicyActionInPolicyRule
   and PolicyActionInPolicyAction aggregations. The
   pcimActionAssociation class is used to aggregate policy actions into
   pcimPolicyRule or pcimCompoundActionAuxClass entries. Instances of
   this class are always subordinated to the aggregating pcimPolicyRule
   or pcimCompoundActionAuxClass. The aggregation of a reusable instance
   of (subclass of) pcimActionAuxClass is referenced via the
   pcimActionDN attribute. A non-reusable instance of (subclass of)
   pcimActionAuxClass is attached directly to the pcimActionAssociation
   entry.

   The class definition follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimActionAssociation'
     DESC 'This class contains attributes characterizing the
           relationship between a policy action and one of its
           aggregators. It is used in the realization of a
           policy action structure.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimActionOrder )
     MAY ( pcimActionName
         $ pcimActionDN )
   )

   Its attributes are defined in [PCLS].


5.9 The Three Deprecated Classes pcimRule

   The class pcimRule and its subclasses are replaced by pcimPolicyRule
   and its subclasses. Therefore pcimRule and its subclasses are
   deprecated.

   The following attributes, used only in the definition of the
   deprecated pcimRule object class, are also deprecated:
      pcimRuleConditionListType
      pcimRuleConditionList
      pcimRuleActionList
      pcimRulePriority
      pcimRuleSequencedActions


5.10 The Deprecated Class pcimRuleConditionAssociation.

   This class is replaced by the more flexible pcimConditionAssociation.


5.11 The Deprecated Class pcimRuleActionAssociation.

   This class is replaced by the more flexible pcimActionAssociation.


5.12 The Auxiliary Class pcimSimpleConditionAuxClass.

   This class indicates whether a specific <variable> matches a specific
   <value>. The "match" relationship is to be interpreted by analyzing
   the variable and value instances associated with the simple
   condition. Its two attributes realize the
   PolicyValueInSimplePolicyCondition and
   PolicyVariableInSimplePolicyCondition associations defined in
   [PCIM_EXT].

   A reusable variable / value is associated to a
   pcimSimpleConditionAuxClass via the pcimVariableDN / pcimValueDN
   reference from the simple condition entry. A non-reusable variable
   / value is associated directly as auxiliary object class to the
   pcimSimpleConditionAuxClass entry.

   The class definition follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSimpleConditionAuxClass'
     DESC 'An auxiliary class that evaluates the matching between a
           value and a variable.'
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcimVariableDN
         $ pcimValueDN )
   )


   The pcimVariableDN attribute definition is:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVariableDN'
     DESC 'DN reference to a pcimVariable entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

   The pcimValueDN attribute definition is:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimValueDN'
     DESC 'DN reference to a pcimValue entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

   An instance of pcimSimpleActionAuxClass and an instance of
   pcimSimpleConditionAuxClass MUST NOT be attached to the same
   entry. Because the two classes use the same mechanisms to
   associate Variables and Values, this restriction is necessary
   in order to avoid ambiguities.


5.13 The Auxiliary Class pcimCompoundConditionAuxClass.

   This class represents a compound policy condition, formed by
   aggregation of other policy conditions. A boolean attribute indicates
   whether the compounded conditions are to be interpreted as
   disjunctive normal form or conjunctive normal form.

   The class definition follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimCompoundConditionAuxClass'
     DESC 'An auxiliary class that represents a boolean combination
           of simpler conditions.'
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcimConditionListType
         $ pcimConditionList )
   )

   The attribute pcimConditionListType is used to specify whether the
   list of policy conditions associated with this compound policy
   condition is in disjunctive normal form (DNF) or conjunctive normal
   form (CNF). The attribute pcimConditionList is an unordered set of
   DNs to conditions aggregated in the compound condition.

   The attributes are defined in section 5.6.
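   The DNF/CNF interpretation of a compound condition, written out as an
   added example (not code from the draft). It assumes that each DN in
   pcimConditionList resolves to an entry carrying the PCIM group number and
   negation flag under the attribute names pcimConditionGroupNumber and
   pcimConditionNegated (assumed names; the draft defines its attributes in
   section 5.6, outside this excerpt), that the list type defaults to DNF as
   in PCIM, and that the caller supplies the truth value of each aggregated
   condition keyed by that same DN. Evaluation errors raise rather than
   defaulting to a match, so a broken reference cannot widen a rule.

```python
"""Evaluate a pcimCompoundConditionAuxClass entry (section 5.13) in DNF or CNF.

Added example, not draft code.  Attribute names pcimConditionGroupNumber and
pcimConditionNegated on the referenced entries are assumed (PCIM semantics);
the default list type DNF is assumed as in PCIM.
"""


def _first(entry, attr, default=None):
    """Single-valued attributes may arrive as a scalar or a one-element list."""
    v = entry.get(attr)
    if v is None:
        return default
    return v[0] if isinstance(v, list) else v


def evaluate_compound(entry, directory, leaf_results):
    """Return the truth value of the compound condition.

    Raises ValueError on an unknown list type, a dangling DN or a missing leaf
    result, so that an evaluation error never silently becomes a match."""
    list_type = str(_first(entry, "pcimConditionListType", "DNF")).upper()
    if list_type not in ("DNF", "CNF"):
        raise ValueError(f"unknown pcimConditionListType {list_type!r}")
    groups = {}
    dns = entry.get("pcimConditionList", [])
    for dn in (dns if isinstance(dns, list) else [dns]):
        assoc = directory.get(dn)
        if assoc is None:
            raise ValueError(f"dangling pcimConditionList reference {dn}")
        if dn not in leaf_results:
            raise ValueError(f"no evaluation result for {dn}")
        group = int(_first(assoc, "pcimConditionGroupNumber", 1))
        negated = str(_first(assoc, "pcimConditionNegated", "FALSE")).upper() == "TRUE"
        groups.setdefault(group, []).append(leaf_results[dn] != negated)
    if not groups:
        raise ValueError("compound condition aggregates no conditions")
    if list_type == "DNF":  # OR over groups, each group an AND of its conditions
        return any(all(terms) for terms in groups.values())
    return all(any(terms) for terms in groups.values())  # AND over groups of ORs


# Constructed sample (DNs are placeholders):
#   DNF reads (c1 AND NOT c2) OR (c3); CNF reads (c1 OR NOT c2) AND (c3).
BASE = "ou=policy,o=example"
DIRECTORY = {
    f"cn=c1,{BASE}": {"pcimConditionGroupNumber": "1"},
    f"cn=c2,{BASE}": {"pcimConditionGroupNumber": "1", "pcimConditionNegated": "TRUE"},
    f"cn=c3,{BASE}": {"pcimConditionGroupNumber": "2"},
}
COMPOUND_DNF = {
    "objectClass": ["top", "pcimConditionAuxClass", "pcimCompoundConditionAuxClass"],
    "pcimConditionListType": "DNF",
    "pcimConditionList": list(DIRECTORY),
}
COMPOUND_CNF = dict(COMPOUND_DNF, pcimConditionListType="CNF")
RESULTS = {f"cn=c1,{BASE}": True, f"cn=c2,{BASE}": False, f"cn=c3,{BASE}": False}

if __name__ == "__main__":
    print("DNF:", evaluate_compound(COMPOUND_DNF, DIRECTORY, RESULTS))
    print("CNF:", evaluate_compound(COMPOUND_CNF, DIRECTORY, RESULTS))
```

   With the sample results the DNF form is true (its first group holds) and
   the CNF form is false (its second group fails), which is exactly the
   difference pcimConditionListType encodes.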


5.14 The Auxiliary Class pcimCompoundFilterAuxClass.

   This class represents a domain-level filter and it typically contains
   a set of simple conditions.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimCompoundFilterAuxClass'
     DESC 'A compound condition with mirroring capabilities for traffic
           characterization.'
     SUP pcimCompoundConditionAuxClass
     AUXILIARY
     MAY ( pcimIsMirrored )
   )

   The Attribute pcimIsMirrored:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIsMirrored'
     DESC 'Indicates whether traffic that mirrors the
           specified filter is to be treated as matching
           the filter.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )


5.15 The Auxiliary Class pcimSimpleActionAuxClass.

   This class overwrites the old value of the <variable> and sets the
   new <value>. Its two attributes realize the
   PolicyValueInSimplePolicyAction and
   PolicyVariableInSimplePolicyAction associations defined in
   [PCIM_EXT].

   A reusable variable / value is associated to a
   pcimSimpleActionAuxClass via the pcimVariableDN / pcimValueDN
   reference from the simple action entry. A non-reusable variable
   / value is associated directly as auxiliary object class to the
   pcimSimpleActionAuxClass entry.

   The class definition is as follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSimpleActionAuxClass'
     DESC 'This class contains attributes characterizing the
           relationship between a Simple PolicyAction and one
           variable and one value.'
     SUP pcimActionAuxClass
     AUXILIARY
     MAY ( pcimVariableDN
         $ pcimValueDN )
   )

   The attributes are defined in section 5.12.

   An instance of pcimSimpleActionAuxClass and an instance of
   pcimSimpleConditionAuxClass MUST NOT be attached to the same
   entry. Because the two classes use the same mechanisms to
   associate Variables and Values, this restriction is necessary
   in order to avoid ambiguities.
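   A check for the association rules that sections 5.12 and 5.15 share:
   exactly one variable source and one value source per simple condition or
   action (a pcimVariableDN / pcimValueDN reference for a reusable element,
   or an attached auxiliary class for a non-reusable one), and never both
   simple classes on one entry. This is an added example, not draft code;
   entries are plain dicts as an LDAP client would return them, and the
   class sets are the pcimVariable and pcimValueAuxClass subclasses named
   in sections 5.18 to 5.22.

```python
"""Validate the variable/value association rules of pcimSimpleConditionAuxClass
(5.12) and pcimSimpleActionAuxClass (5.15).  Added example, not draft code."""

VARIABLE_CLASSES = {
    "pcimExplicitVariableAuxClass",
    "pcimSourceIPv4VariableAuxClass", "pcimSourceIPv6VariableAuxClass",
    "pcimDestinationIPv4VariableAuxClass", "pcimDestinationIPv6VariableAuxClass",
    "pcimSourcePortVariableAuxClass", "pcimDestinationPortVariableAuxClass",
    "pcimIPProtocolVariableAuxClass", "pcimDSCPVariableAuxClass",
}
VALUE_CLASSES = {
    "pcimIPv4AddrValueAuxClass", "pcimIPv6AddrValueAuxClass",
    "pcimMACAddrValueAuxClass", "pcimStringValueAuxClass",
    "pcimBitStringValueAuxClass", "pcimIntegerValueAuxClass",
    "pcimBooleanValueAuxClass",
}


def _values(entry, attr):
    """Normalise an attribute to a list (single-valued ones may be scalars)."""
    v = entry.get(attr)
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _count_sources(entry, classes, ref_attr, what):
    """One reusable (DN reference) or one non-reusable (attached auxiliary
    class) source is required; any other count is ambiguous."""
    refs = len(_values(entry, ref_attr))
    attached = {c.lower() for c in _values(entry, "objectClass")}
    aux = len(attached & {c.lower() for c in classes})
    if refs + aux != 1:
        return [f"expected exactly one {what} source, found {refs} {ref_attr} "
                f"reference(s) and {aux} attached {what} class(es)"]
    return []


def check_simple_entry(entry):
    """Return the list of rule violations for an entry (empty when well formed)."""
    classes = {c.lower() for c in _values(entry, "objectClass")}
    is_cond = "pcimsimpleconditionauxclass" in classes
    is_act = "pcimsimpleactionauxclass" in classes
    problems = []
    if is_cond and is_act:
        problems.append("pcimSimpleConditionAuxClass and pcimSimpleActionAuxClass "
                        "attached to the same entry")
    if not (is_cond or is_act):
        return problems  # not a simple condition or action: nothing to check
    problems += _count_sources(entry, VARIABLE_CLASSES, "pcimVariableDN", "variable")
    problems += _count_sources(entry, VALUE_CLASSES, "pcimValueDN", "value")
    return problems


# Constructed sample entries (DNs are placeholders).
GOOD_CONDITION = {
    "objectClass": ["top", "pcimConditionAuxClass", "pcimSimpleConditionAuxClass",
                    "pcimIPv4AddrValueAuxClass"],
    "pcimVariableDN": "cn=srcIPv4,cn=vars,ou=policy,o=example",  # reusable variable
    "pcimIPv4AddrList": ["192.0.2.0/24"],                        # non-reusable value
}
AMBIGUOUS_VALUE = dict(GOOD_CONDITION,
                       pcimValueDN="cn=trusted,cn=values,ou=policy,o=example")
CONDITION_AND_ACTION = {
    "objectClass": ["top", "pcimSimpleConditionAuxClass", "pcimSimpleActionAuxClass"],
    "pcimVariableDN": "cn=dscp,cn=vars,ou=policy,o=example",
    "pcimValueDN": "cn=ef,cn=values,ou=policy,o=example",
}

if __name__ == "__main__":
    for name, e in [("good", GOOD_CONDITION), ("ambiguous", AMBIGUOUS_VALUE),
                    ("both", CONDITION_AND_ACTION)]:
        print(name, check_simple_entry(e) or "ok")
```

   Run as a pre-commit or import-time check on policy entries, the
   function rejects the ambiguous layouts (a reference plus an attached
   class for the same role, or condition and action on one entry) before a
   policy consumer has to guess which variable or value was meant.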


5.16 The Auxiliary Class pcimCompoundActionAuxClass.

   This class maps the CompoundPolicyAction class of the [PCIM_EXT].

   The class definition follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimCompoundActionAuxClass'
     DESC 'A class that aggregates simpler actions in a sequence
           with specific execution strategy.'
     SUP pcimActionAuxClass
     AUXILIARY
     MAY ( pcimActionList
         $ pcimSequencedActions
         $ pcimExecutionStrategy )
   )

   The attributes pcimSequencedActions, pcimExecutionStrategy and
   pcimActionList are defined in section 5.6.


5.17 The Abstract Class pcimVariable.

   Variables specify the property of a flow or an event that should be
   matched when evaluating the condition. A given variable selects the
   set of matchable values through the
   ExpectedPolicyValuesForVariable association.
   A pcimVariable entry may be associated to a set of pcimValueAuxClass
   entries that represent its expected values. The expected values for
   a variable may be indicated by:
      (1) pcimExpectedValueList references to reusable instances of
          pcimValueAuxClass or by
      (2) subordinated non-reusable instances of pcimValueAuxClass

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimVariable'
     DESC 'Base class for representing a variable whose actual
           value can be matched against or set to a specific value.'
     SUP top
     ABSTRACT
     MAY ( pcimVariableName
         $ pcimExpectedValueList )
   )

   The attribute pcimVariableName is a user-friendly name for the
   variable.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVariableName'
     DESC 'The user-friendly name of a variable.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcimExpectedValueList is an unordered set of DNs to
   subclasses of pcimValueAuxClass. It maps the [PCIM_EXT]
   ExpectedPolicyValuesForVariable association:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimExpectedValueList'
     DESC 'List of DN references to the pcimValueAuxClass
           entries that represent the acceptable values.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )


5.18 The Auxiliary Class pcimExplicitVariableAuxClass

   The subclass pcimExplicitVariableAuxClass is defined as
   follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimExplicitVariableAuxClass'
     DESC 'Explicitly defined policy variable evaluated within the
           context of the CIM Schema.'
     SUP pcimVariable
     AUXILIARY
     MUST ( pcimVariableModelClass
          $ pcimVariableModelProperty )
   )

   The attribute pcimVariableModelClass is a string specifying the
   class name whose property is evaluated or set as a variable:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVariableModelClass'
     DESC 'Specifies a CIM class name or oid.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcimVariableModelProperty is a string specifying the
   attribute, within the pcimVariableModelClass, which is evaluated or
   set as a variable:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVariableModelProperty'
     DESC 'Specifies a CIM property name or oid.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )


5.19 The Auxiliary Class pcimImplicitVariableAuxClass

   The subclass pcimImplicitVariableAuxClass is defined as
   follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimImplicitVariableAuxClass'
     DESC 'Implicitly defined policy variables whose evaluation
           depends on the usage context. Subclasses specify
           the data type and semantics of the variables.'
     SUP pcimVariable
     AUXILIARY
     MUST ( pcimExpectedValueTypes )
   )

   The attribute pcimExpectedValueTypes is the direct mapping of the
   valueTypes property of the [PCIM_EXT] PolicyImplicitVariable class.
   This attribute represents the set of allowed value types to be used
   with this variable.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimExpectedValueTypes'
     DESC 'List of object class names or oids of subclasses
           of pcimValueAuxClass that define acceptable
           value types.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )


5.20 The Subclasses of pcimImplicitVariableAuxClass

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourceIPv4VariableAuxClass'
     DESC 'Source IP v4 address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourceIPv6VariableAuxClass'
     DESC 'Source IP v6 address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationIPv4VariableAuxClass'
     DESC 'Destination IP v4 address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationIPv6VariableAuxClass'
     DESC 'Destination IP v6 address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourcePortVariableAuxClass'
     DESC 'Source port'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationPortVariableAuxClass'
     DESC 'Destination port'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPProtocolVariableAuxClass'
     DESC 'IP protocol number'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPVersionVariableAuxClass'
     DESC 'IP version number'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPToSVariableAuxClass'
     DESC 'IP ToS'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDSCPVariableAuxClass'
     DESC 'DiffServ code point'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFlowIdVariableAuxClass'
     DESC 'Flow Identifier'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourceMACVariableAuxClass'
     DESC 'Source MAC address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationMACVariableAuxClass'
     DESC 'Destination MAC address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimVLANVariableAuxClass'
     DESC 'VLAN'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimCoSVariableAuxClass'
     DESC 'Class of service'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimEthertypeVariableAuxClass'
     DESC 'Ethertype'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourceSAPVariableAuxClass'
     DESC 'Source SAP'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationSAPVariableAuxClass'
     DESC 'Destination SAP'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSNAPOUIVariableAuxClass'
     DESC 'SNAP OUI'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSNAPTypeVariableAuxClass'
     DESC 'SNAP type'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFlowDirectionVariableAuxClass'
     DESC 'Flow direction'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )


5.21 The Auxiliary Class pcimValueAuxClass.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimValueAuxClass'
     DESC 'Base class for representing a value that can be
           matched against or set for a specific variable.'
     SUP top
     AUXILIARY
     MAY ( pcimValueName )
   )

   The Attribute pcimValueName:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimValueName'
     DESC 'The user-friendly name of a value.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )


5.22 The Subclasses of pcimValueAuxClass.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPv4AddrValueAuxClass'
     DESC 'IP v4 address value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimIPv4AddrList )
   )

   The Attribute pcimIPv4AddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPv4AddrList'
     DESC 'List of IPv4 address values, ranges or hosts.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPv6AddrValueAuxClass'
     DESC 'IP v6 address value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimIPv6AddrList )
   )

   The Attribute pcimIPv6AddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPv6AddrList'
     DESC 'List of IPv6 address values, ranges or hosts.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimMACAddrValueAuxClass'
     DESC 'MAC address value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimMACAddrList )
   )

   The Attribute pcimMACAddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimMACAddrList'
     DESC 'List of MAC address values or ranges.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimStringValueAuxClass'
     DESC 'String value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimStringList )
   )

   The Attribute pcimStringList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimStringList'
     DESC 'List of strings or wildcarded strings.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimBitStringValueAuxClass'
     DESC 'Bit string value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimBitStringList )
   )

   The Attribute pcimBitStringList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimBitStringList'
     DESC 'List of bit strings or masked bit strings.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIntegerValueAuxClass'
     DESC 'Integer value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimIntegerList )
   )

   The Attribute pcimIntegerList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIntegerList'
     DESC 'List of integers or integer ranges.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimBooleanValueAuxClass'
     DESC 'Boolean value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimBoolean )
   )

   The Attribute pcimBoolean:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimBoolean'
     DESC 'A boolean value.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )
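   The "match" relationship of section 5.12, carried through the value
   classes above and the pcimExpectedValueTypes restriction of section 5.19,
   as an added example (not draft code). The draft does not fix the textual
   syntax of the list attributes, so the following is assumed here: IP lists
   hold single addresses, CIDR networks or 'low-high' ranges; integer lists
   hold integers or 'low-high' ranges; string lists hold glob patterns; and
   pcimBoolean holds 'TRUE' or 'FALSE'. A malformed list element never
   matches, and a value class the variable does not allow is refused
   outright rather than coerced.

```python
"""Match a variable's actual value against a pcimValueAuxClass entry
(sections 5.12, 5.19 and 5.22).  Added example, not draft code; the list
syntaxes below are assumptions, the draft does not define them."""
import fnmatch
import ipaddress
import re


def _ip_match(actual, spec):
    a = ipaddress.ip_address(actual)
    if "-" in spec:                                   # 'low-high' range (assumed syntax)
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return a.version == lo.version == hi.version and lo <= a <= hi
    if "/" in spec:                                   # CIDR network (assumed syntax)
        net = ipaddress.ip_network(spec.strip(), strict=False)
        return a.version == net.version and a in net
    return a == ipaddress.ip_address(spec.strip())    # single address


def _int_match(actual, spec):
    m = re.fullmatch(r"\s*(-?\d+)\s*-\s*(-?\d+)\s*", spec)  # 'low-high' range
    if m:
        return int(m.group(1)) <= actual <= int(m.group(2))
    return actual == int(spec)


def _str_match(actual, spec):
    return fnmatch.fnmatchcase(actual, spec)          # '*' and '?' wildcards


def _bool_match(actual, spec):
    return bool(actual) == (str(spec).strip().upper() == "TRUE")


# value class (lower-cased) -> (list attribute defined in 5.22, matcher)
VALUE_TYPES = {
    "pcimipv4addrvalueauxclass": ("pcimIPv4AddrList", _ip_match),
    "pcimipv6addrvalueauxclass": ("pcimIPv6AddrList", _ip_match),
    "pcimintegervalueauxclass": ("pcimIntegerList", _int_match),
    "pcimstringvalueauxclass": ("pcimStringList", _str_match),
    "pcimbooleanvalueauxclass": ("pcimBoolean", _bool_match),
}


def value_type(value_entry):
    """The single pcimValueAuxClass subclass attached to the entry (lower-cased)."""
    found = [c.lower() for c in value_entry.get("objectClass", []) if c.lower() in VALUE_TYPES]
    if len(found) != 1:
        raise ValueError(f"expected exactly one value type, found {found}")
    return found[0]


def check_expected_types(variable_entry, value_entry):
    """pcimExpectedValueTypes (5.19) restricts the value classes a variable accepts."""
    allowed = {t.lower() for t in variable_entry.get("pcimExpectedValueTypes", [])}
    return value_type(value_entry) in allowed


def matches(actual, value_entry):
    """True when actual matches at least one element of the value list;
    a malformed element never matches (fail closed)."""
    attr, match = VALUE_TYPES[value_type(value_entry)]
    items = value_entry.get(attr, [])
    for spec in (items if isinstance(items, list) else [items]):
        try:
            if match(actual, spec):
                return True
        except ValueError:
            continue
    return False


def evaluate_simple(actual, variable_entry, value_entry):
    """Simple-condition semantics: refuse a disallowed value type, then match."""
    if not check_expected_types(variable_entry, value_entry):
        raise ValueError("value class not listed in pcimExpectedValueTypes")
    return matches(actual, value_entry)


# Constructed sample entries (names and addresses are placeholders).
SRC_IPV4_VAR = {
    "objectClass": ["top", "pcimVariable", "pcimImplicitVariableAuxClass",
                    "pcimSourceIPv4VariableAuxClass"],
    "pcimVariableName": "source IPv4 address",
    "pcimExpectedValueTypes": ["pcimIPv4AddrValueAuxClass"],
}
TRUSTED_NETS = {
    "objectClass": ["top", "pcimValueAuxClass", "pcimIPv4AddrValueAuxClass"],
    "pcimValueName": "trusted networks",
    "pcimIPv4AddrList": ["192.0.2.0/24", "198.51.100.10-198.51.100.20", "203.0.113.7"],
}
WEB_PORTS = {
    "objectClass": ["top", "pcimValueAuxClass", "pcimIntegerValueAuxClass"],
    "pcimIntegerList": ["80", "443", "8000-8100"],
}
```

   Pairing a port value entry with the source-address variable is rejected
   by check_expected_types, which is the point of pcimExpectedValueTypes: a
   policy consumer should not have to guess how an integer list applies to
   an address.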


5.23 The Three Classes pcimReusableContainer

   This class represents a container of reusable policy elements.
   The elements of a reusable container are aggregated via DIT
   containment. A reusable policy container can include the elements
   of other reusable policy containers by aggregating the container
   itself. This is realized by referencing the aggregated container
   by means of the attribute pcimReusableContainerList.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimReusableContainer'
     DESC 'A container for reusable policy information.'
     SUP dlm1AdminDomain
     ABSTRACT
     MAY ( pcimReusableContainerName
         $ pcimReusableContainerList )
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimReusableContainerAuxClass'
     DESC 'An auxiliary class that can be used to aggregate
           reusable policy information.'
     SUP pcimReusableContainer
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimReusableContainerInstance'
     DESC 'A structural class that can be used to aggregate
           reusable policy information.'
     SUP pcimReusableContainer
     STRUCTURAL
   )

   The Attribute pcimReusableContainerName:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimReusableContainerName'
     DESC 'The user-friendly name of a reusable policy container.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimReusableContainerList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimReusableContainerList'
     DESC 'List of DN references to the pcimReusableContainer
           entries.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )
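   Resolving the elements visible from a reusable container means walking
   pcimReusableContainerList transitively, and a loop or a dangling
   reference in that list should be reported rather than walked forever.
   The following added example (not draft code) does that over a directory
   modelled as a dict from DN to attributes; DIT containment is tested by DN
   suffix, which assumes normalised DNs (consistent case and spacing).

```python
"""Resolve the reusable elements visible from a pcimReusableContainer by
following pcimReusableContainerList references (section 5.23).
Added example, not draft code; DNs are compared as normalised strings."""

CONTAINER_CLASSES = {"pcimreusablecontainerinstance", "pcimreusablecontainerauxclass"}


def _is_container(entry):
    return bool({c.lower() for c in entry.get("objectClass", [])} & CONTAINER_CLASSES)


def direct_elements(container_dn, directory):
    """Elements aggregated by DIT containment: entries subordinate to the
    container that are not containers themselves."""
    suffix = "," + container_dn.lower()
    return sorted(dn for dn, entry in directory.items()
                  if dn.lower().endswith(suffix) and not _is_container(entry))


def resolve_containers(container_dn, directory):
    """Ordered list of containers whose elements are visible from container_dn.

    Raises ValueError on a reference loop or on a DN that is not a container,
    so a mis-edited pcimReusableContainerList cannot send a policy consumer
    into an endless walk or into unrelated parts of the DIT."""
    seen, order = set(), []

    def visit(dn, path):
        if dn in path:
            raise ValueError("pcimReusableContainerList loop: " + " -> ".join(path + [dn]))
        if dn in seen:
            return                      # already included via another reference
        entry = directory.get(dn)
        if entry is None or not _is_container(entry):
            raise ValueError(f"{dn} is not a pcimReusableContainer entry")
        seen.add(dn)
        order.append(dn)
        refs = entry.get("pcimReusableContainerList", [])
        for ref in (refs if isinstance(refs, list) else [refs]):
            visit(ref, path + [dn])

    visit(container_dn, [])
    return order


def visible_elements(container_dn, directory):
    """All reusable elements reachable from the container, own elements first."""
    out = []
    for dn in resolve_containers(container_dn, directory):
        out.extend(direct_elements(dn, directory))
    return out


# Constructed sample DIT (DNs are placeholders): site -> corporate -> global,
# plus two containers that reference each other.
BASE = "ou=policy,o=example"
CONTAINER = ["top", "dlm1AdminDomain", "pcimReusableContainerInstance"]
DIRECTORY = {
    f"cn=site,{BASE}": {"objectClass": CONTAINER,
                        "pcimReusableContainerList": [f"cn=corporate,{BASE}"]},
    f"cn=web-filter,cn=site,{BASE}": {
        "objectClass": ["top", "pcimPolicy", "pcimFilterEntry", "pcimIPHeaders"]},
    f"cn=corporate,{BASE}": {"objectClass": CONTAINER,
                             "pcimReusableContainerList": [f"cn=global,{BASE}"]},
    f"cn=trusted-nets,cn=corporate,{BASE}": {
        "objectClass": ["top", "pcimValueAuxClass", "pcimIPv4AddrValueAuxClass"]},
    f"cn=global,{BASE}": {"objectClass": CONTAINER},
    f"cn=loop-a,{BASE}": {"objectClass": CONTAINER,
                          "pcimReusableContainerList": [f"cn=loop-b,{BASE}"]},
    f"cn=loop-b,{BASE}": {"objectClass": CONTAINER,
                          "pcimReusableContainerList": [f"cn=loop-a,{BASE}"]},
}

if __name__ == "__main__":
    print(visible_elements(f"cn=site,{BASE}", DIRECTORY))
```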


5.24 The Three Deprecated Classes pcimRepository.

   The pcimRepository and its subclasses are deprecated in favor of the
   pcimReusableContainer and its subclasses.

   The pcimRepositoryName attribute, which is used only in the definition
   of the deprecated pcimRepository object class, is also deprecated.


5.25 The Structural Class pcimRoleCollection.

   The pcimRoleCollection class creates the means for the association
   of policy roles to resources represented as LDAP entries.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimRoleCollection'
     DESC 'This class is used to group together entries
           that share a same role.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimRole )
     MAY ( pcimRoleCollectionName
         $ pcimElementList )
   )

   The Attribute pcimRole:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimRole'
     DESC 'String representing a role.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimRoleCollectionName:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimRoleCollectionName'
     DESC 'The user-friendly name of a role collection.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimElementList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimElementList'
     DESC 'List of DN references to the entries representing
           managed elements.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )


5.26 The Abstract Class pcimFilterEntry

   The abstract class pcimFilterEntry implements the FilterEntryBase
   class from [PCIM_EXT]. This class is the base class for defining
   message or packet filters.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFilterEntry'
     DESC 'This class is used as a base class for
           representing message or packet filters.'
     SUP pcimPolicy
     ABSTRACT
     MAY ( pcimFilterName
         $ pcimFilterIsNegated )
   )

   The Attribute pcimFilterName may be used as naming attribute for
   filter entries:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterName'
     DESC 'The user-friendly name of a filter.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimFilterIsNegated indicates whether the specified
   criteria are to be negated or not when matching a message or packet
   against the filter:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterIsNegated'
     DESC 'If TRUE, indicates that the filter matches all but
           the messages or packets that conform to the specified
           criteria. Default: FALSE.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )


5.27 The Structural Class pcimIPHeaders.

   The class pcimIPHeaders implements the IpHeadersFilter class of
   the [PCIM_EXT] model. It provides means for filtering traffic by
   values in the IP header. Optional attributes, if not specified,
   shall be treated as 'all values'.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPHeaders'
     DESC 'This class defines an IP header filter.'
     SUP pcimFilterEntry
     STRUCTURAL
     MAY ( pcimIPHdrVersion
         $ pcimIPHdrSourceAddress
         $ pcimIPHdrSourceAddressEndOfRange
         $ pcimIPHdrSourceMask
         $ pcimIPHdrDestAddress
         $ pcimIPHdrDestAddressEndOfRange
         $ pcimIPHdrDestMask
         $ pcimIPHdrProtocolID
         $ pcimIPHdrSourcePortStart
         $ pcimIPHdrSourcePortEnd
         $ pcimIPHdrDestPortStart
         $ pcimIPHdrDestPortEnd
         $ pcimIPHdrDSCPList
         $ pcimIPHdrFlowLabel )
   )

   The attribute pcimIPHdrVersion identifies the IP version and dictates
   the format for the IP version dependent attribute values in a
   pcimIPHeaders entry. These attributes are:
      pcimIPHdrSourceAddress
      pcimIPHdrSourceAddressEndOfRange
      pcimIPHdrSourceMask
      pcimIPHdrDestAddress
      pcimIPHdrDestAddressEndOfRange
      pcimIPHdrDestMask

   If a value for this attribute is not provided, then the filter does
   not consider IP version in selecting matching packets. In this case,
   IP version dependent attributes must not be present in the filter
   entry. The possible values of pcimIPHdrVersion are '4' and '6'.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrVersion'
     DESC 'The IP version.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourceAddress'
     DESC 'The IP source address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourceAddressEndOfRange'
     DESC 'The end of address range for the IP source address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourceMask'
     DESC 'The address mask for the IP source address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestAddress'
     DESC 'The IP destination address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestAddressEndOfRange'
     DESC 'The end of address range for the IP destination address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestMask'
     DESC 'The address mask for the IP destination address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrProtocolID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrProtocolID'
     DESC 'The IP protocol type.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourcePortStart:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourcePortStart'
     DESC 'The start of the source port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourcePortEnd:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourcePortEnd'
     DESC 'The end of the source port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestPortStart:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestPortStart'
     DESC 'The start of the destination port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestPortEnd:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestPortEnd'
     DESC 'The end of the destination port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The multivalue attribute pcimIPHdrDSCPList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDSCPList'
     DESC 'The DSCP values.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcimIPHdrFlowLabel:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrFlowLabel'
     DESC 'The IP flow label.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )


5.28 The Structural Class pcim8021Headers.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcim8021Headers'
     DESC 'This class defines an 802.1 header filter.'
     SUP pcimFilterEntry
     STRUCTURAL
     MAY ( pcim8021HdrSourceMACAddress
         $ pcim8021HdrSourceMACMask
         $ pcim8021HdrDestMACAddress
         $ pcim8021HdrDestMACMask
         $ pcim8021HdrProtocolID
         $ pcim8021HdrPriority
         $ pcim8021HdrVLANID )
   )

   The attribute pcim8021HdrSourceMACAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrSourceMACAddress'
     DESC 'The source MAC address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrSourceMACMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrSourceMACMask'
     DESC 'The source MAC address mask.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrDestMACAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrDestMACAddress'
     DESC 'The destination MAC address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrDestMACMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrDestMACMask'
     DESC 'The destination MAC address mask.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrProtocolID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrProtocolID'
     DESC 'The 802.1 protocol ID.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcim8021HdrPriority:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrPriority'
     DESC 'The 802.1 priority.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcim8021HdrVLANID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrVLANID'
     DESC 'The 802.1 VLAN ID.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )


5.29 The Auxiliary Class pcimFilterListAuxClass.

   This class represents a set of device-level filters aggregated
   in a policy condition. Therefore, instances of this class can be
   used in policy rules or as elements of more complex compound
   conditions. The aggregation EntriesInFilterList from the
   [PCIM_EXT] model is implemented by the multi-value attribute
   pcimFilterEntryList. The EntrySequence property of the aggregation
   EntriesInFilterList that is restricted to its default value ('0')
   in the [PCIM_EXT] model is redundant and therefore not implemented.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFilterListAuxClass'
     DESC 'This class is used to aggregate filters
           represented as subclasses of pcimFilterEntry.'
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcimFilterListName
         $ pcimFilterDirection
         $ pcimFilterEntryList )
   )

   The Attribute pcimFilterListName may be used as naming attribute
   for filter lists:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterListName'
     DESC 'The user-friendly name of a filter list.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcimFilterDirection indicates the direction
   of the packets or messages relative to the interface where
   the filter is applied. The possible values are:
   NotApplicable(0), Input(1), Output(2), Both(3), Mirrored(4).

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterDirection'
     DESC 'The direction of the packets or messages
           to which this filter is to be applied.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcimFilterEntryList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterEntryList'
     DESC 'List of DN references to the pcimFilterEntry entries.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )
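   The filter semantics of sections 5.26, 5.27 and 5.29 in one place: the
   "absent means all values" rule and the pcimIPHdrVersion dependency of
   pcimIPHeaders, pcimFilterIsNegated, and pcimFilterDirection on the
   aggregating filter list. This is an added example, not draft code, and
   it rests on assumptions the draft does not state: the entries of a filter
   list are ANDed together as in the PCIM_EXT FilterList; NotApplicable(0)
   leaves the packet direction unchecked; address attributes hold packed 4-
   or 16-byte octet strings; and Mirrored(4) accepts a packet that matches
   after its source and destination addresses and ports are swapped.

```python
"""Evaluate packets against pcimIPHeaders entries aggregated by a
pcimFilterListAuxClass entry (sections 5.26, 5.27, 5.29).
Added example, not draft code; AND semantics of the list, the meaning of
NotApplicable(0) and Mirrored(4), and packed-address storage are assumed."""
import ipaddress
from dataclasses import dataclass

INPUT, OUTPUT, MIRRORED = 1, 2, 4          # pcimFilterDirection values from 5.29
VERSION_DEPENDENT = (                      # format dictated by pcimIPHdrVersion
    "pcimIPHdrSourceAddress", "pcimIPHdrSourceAddressEndOfRange", "pcimIPHdrSourceMask",
    "pcimIPHdrDestAddress", "pcimIPHdrDestAddressEndOfRange", "pcimIPHdrDestMask",
)


@dataclass
class Packet:
    version: int
    src: str
    dst: str
    protocol: int
    sport: int
    dport: int
    dscp: int
    direction: int      # INPUT or OUTPUT relative to the filtering interface


def _first(entry, attr, default=None):
    """Single-valued attributes may arrive as a scalar or a one-element list."""
    v = entry.get(attr)
    if v is None:
        return default
    return v[0] if isinstance(v, list) else v


def validate_ip_headers(entry):
    """Reject version-dependent attributes without pcimIPHdrVersion, and
    address octet strings whose length contradicts the declared version."""
    version = _first(entry, "pcimIPHdrVersion")
    present = [a for a in VERSION_DEPENDENT if entry.get(a) is not None]
    if version is None:
        if present:
            raise ValueError(f"pcimIPHdrVersion absent but {present} present")
        return
    expected = 4 if int(version) == 4 else 16
    for a in present:
        if len(_first(entry, a)) != expected:
            raise ValueError(f"{a} is not a {expected}-byte IPv{version} address")


def _addr_ok(actual, start, end, mask):
    """Absent attribute means 'all values'; else end-of-range, mask or exact match."""
    if start is None:
        return True
    start = ipaddress.ip_address(start)
    if end is not None:
        return start <= actual <= ipaddress.ip_address(end)
    if mask is not None:
        m = int.from_bytes(mask, "big")
        return (int(actual) & m) == (int(start) & m)
    return actual == start


def _port_ok(value, start, end):
    lo = 0 if start is None else int(start)
    hi = 65535 if end is None else int(end)
    return lo <= value <= hi


def match_ip_headers(entry, pkt):
    """True when pkt matches the entry, honouring pcimFilterIsNegated."""
    validate_ip_headers(entry)
    g = lambda a: _first(entry, a)
    version, proto, dscps = g("pcimIPHdrVersion"), g("pcimIPHdrProtocolID"), entry.get("pcimIPHdrDSCPList")
    hit = (
        (version is None or int(version) == pkt.version)
        and (proto is None or int(proto) == pkt.protocol)
        and (dscps is None or pkt.dscp in [int(d) for d in dscps])
        and _port_ok(pkt.sport, g("pcimIPHdrSourcePortStart"), g("pcimIPHdrSourcePortEnd"))
        and _port_ok(pkt.dport, g("pcimIPHdrDestPortStart"), g("pcimIPHdrDestPortEnd"))
        and _addr_ok(ipaddress.ip_address(pkt.src), g("pcimIPHdrSourceAddress"),
                     g("pcimIPHdrSourceAddressEndOfRange"), g("pcimIPHdrSourceMask"))
        and _addr_ok(ipaddress.ip_address(pkt.dst), g("pcimIPHdrDestAddress"),
                     g("pcimIPHdrDestAddressEndOfRange"), g("pcimIPHdrDestMask"))
    )
    negated = str(g("pcimFilterIsNegated") or "FALSE").upper() == "TRUE"
    return hit != negated


def match_filter_list(flist, directory, pkt):
    """Direction check, then the AND of the pcimFilterEntryList members
    (an empty list matches everything, so keep lists non-empty)."""
    direction = int(_first(flist, "pcimFilterDirection", 0))
    if direction in (INPUT, OUTPUT) and pkt.direction != direction:
        return False
    entries = [directory[dn] for dn in flist.get("pcimFilterEntryList", [])]
    if all(match_ip_headers(e, pkt) for e in entries):
        return True
    if direction == MIRRORED:          # reverse flow: endpoints and ports swapped
        rev = Packet(pkt.version, pkt.dst, pkt.src, pkt.protocol,
                     pkt.dport, pkt.sport, pkt.dscp, pkt.direction)
        return all(match_ip_headers(e, rev) for e in entries)
    return False


# Constructed sample: TCP to 192.0.2.0/24, ports 80-443, applied mirrored.
WEB_IN = {
    "objectClass": ["top", "pcimPolicy", "pcimFilterEntry", "pcimIPHeaders"],
    "pcimIPHdrVersion": "4",
    "pcimIPHdrDestAddress": bytes([192, 0, 2, 0]),
    "pcimIPHdrDestMask": bytes([255, 255, 255, 0]),
    "pcimIPHdrProtocolID": "6",
    "pcimIPHdrDestPortStart": "80",
    "pcimIPHdrDestPortEnd": "443",
}
DIRECTORY = {"cn=web-in,ou=filters,o=example": WEB_IN}
WEB_LIST = {
    "objectClass": ["top", "pcimConditionAuxClass", "pcimFilterListAuxClass"],
    "pcimFilterDirection": str(MIRRORED),
    "pcimFilterEntryList": ["cn=web-in,ou=filters,o=example"],
}
```

   With the sample list, a request towards the web servers matches
   directly and the server's reply matches through the mirrored flow,
   while traffic to another port matches neither way; flipping
   pcimFilterIsNegated on the entry inverts the per-entry result.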


6. Security Considerations

The security considerations of this document are based on those of
[PCLS] and also take into account the following RFCs, which address
the same security aspects:

   RFC 2829 (Authentication Methods for LDAP)
   RFC 2830 (Lightweight Directory Access Protocol (v3): Extension for
             Transport Layer Security)

These RFCs provide the general framework for the security architecture
of the system. However, some additional comments are needed as a
consequence of the extensions defined in this document and of its
relation to [PCLS].

The new scenarios considered here (reusable policy information,
containers located in other DITs, etc.) and the conditions under which
they arise are described in section 4.4 of [PCLS]. As a consequence,
new types of threats to the system have to be considered, and new
security services are necessary to protect against them. The following
security services are therefore defined:

1) Authentication between entities of the network
2) Mutual authentication between the network operator and network
   entities (e.g. DITs)
3) Integrity and confidentiality of the links between network entities
   and of the information stored in the LDAP directories.

Several definitions and security mechanisms related to DITs can also be
obtained from the ITU specification X.509, "The Directory:
Authentication framework".

Furthermore, retrieving the OIDs and attribute values from the DITs in
a distributed scenario implies interaction between diverse network
entities across security domain and/or administrative domain
boundaries.

In such a directory scenario, with migration of data, the use of the
DSP (Directory Service Protocol) with query types such as referral,
chaining and multicasting, together with different key management and
authentication schemes among network entities, would have to be
considered.


7. IANA Considerations

7.1 Object Identifiers

   It IS NOT requested that IANA register an LDAP Object Identifier
   for use in this technical specification. The OID assigned as the base
   for identifying the schema elements defined in [PCLS] will be reused
   for the schema elements defined in this document.


7.2 Object Identifier Descriptors

   It is requested that IANA register the LDAP Descriptors used
   in this technical specification as detailed in the following
   template:

   Subject: Request for LDAP Descriptor Registration Update
   Descriptor (short name): see comment
   Object Identifier: see comment
   Person & email address to contact for further information:
      Mircea Pana (mpana@metasolv.com)
   Usage: see comment
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:

   The following descriptors should be added:

   NAME                                    Type  OID
   --------------                          ----  ------------
   pcimPolicySet                           O     IANA-ASSIGNED-OID.1.x
   pcimPolicySetName                       A     IANA-ASSIGNED-OID.2.x
   pcimDecisionStrategy                    A     IANA-ASSIGNED-OID.2.x
   pcimPolicySetList                       A     IANA-ASSIGNED-OID.2.x
   pcimPolicySetAssociation                O     IANA-ASSIGNED-OID.1.x
   pcimPriority                            A     IANA-ASSIGNED-OID.2.x
   pcimPolicySetDN                         A     IANA-ASSIGNED-OID.2.x
   pcimPolicyRule                          O     IANA-ASSIGNED-OID.1.x
   pcimPolicyRuleAuxClass                  O     IANA-ASSIGNED-OID.1.x
   pcimPolicyRuleInstance                  O     IANA-ASSIGNED-OID.1.x
   pcimConditionListType                   A     IANA-ASSIGNED-OID.2.x
   pcimConditionList                       A     IANA-ASSIGNED-OID.2.x
   pcimActionList                          A     IANA-ASSIGNED-OID.2.x
   pcimSequencedActions                    A     IANA-ASSIGNED-OID.2.x
   pcimExecutionStrategy                   A     IANA-ASSIGNED-OID.2.x
   pcimConditionAssociation                O     IANA-ASSIGNED-OID.1.x
   pcimActionAssociation                   O     IANA-ASSIGNED-OID.1.x
   pcimSimpleConditionAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimVariableDN                          A     IANA-ASSIGNED-OID.2.x
   pcimValueDN                             A     IANA-ASSIGNED-OID.2.x
   pcimCompoundConditionAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimCompoundFilterAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimIsMirrored                          A     IANA-ASSIGNED-OID.2.x
   pcimSimpleActionAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimCompoundActionAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimVariable                            O     IANA-ASSIGNED-OID.1.x
   pcimVariableName                        A     IANA-ASSIGNED-OID.2.x
   pcimExpectedValueList                   A     IANA-ASSIGNED-OID.2.x
   pcimExplicitVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcimVariableModelClass                  A     IANA-ASSIGNED-OID.2.x
   pcimVariableModelProperty               A     IANA-ASSIGNED-OID.2.x
   pcimImplicitVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcimExpectedValueTypes                  A     IANA-ASSIGNED-OID.2.x
   pcimSourceIPv4VariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimSourceIPv6VariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimDestinationIPv4VariableAuxClass     O     IANA-ASSIGNED-OID.1.x
   pcimDestinationIPv6VariableAuxClass     O     IANA-ASSIGNED-OID.1.x
   pcimSourcePortVariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimDestinationPortVariableAuxClass     O     IANA-ASSIGNED-OID.1.x
   pcimIPProtocolVariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimIPVersionVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimIPToSVariableAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcimDSCPVariableAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimFlowIdVariableAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimSourceMACVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimDestinationMACVariableAuxClass      O     IANA-ASSIGNED-OID.1.x
   pcimVLANVariableAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimCoSVariableAuxClass                 O     IANA-ASSIGNED-OID.1.x
   pcimEthertypeVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimSourceSAPVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimDestinationSAPVariableAuxClass      O     IANA-ASSIGNED-OID.1.x
   pcimSNAPOUIVariableAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimSNAPTypeVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcimFlowDirectionVariableAuxClass       O     IANA-ASSIGNED-OID.1.x
   pcimValueAuxClass                       O     IANA-ASSIGNED-OID.1.x
   pcimValueName                           A     IANA-ASSIGNED-OID.2.x
   pcimIPv4AddrValueAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcimIPv4AddrList                        A     IANA-ASSIGNED-OID.2.x
   pcimIPv6AddrValueAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcimIPv6AddrList                        A     IANA-ASSIGNED-OID.2.x
   pcimMACAddrValueAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimMACAddrList                         A     IANA-ASSIGNED-OID.2.x
   pcimStringValueAuxClass                 O     IANA-ASSIGNED-OID.1.x
   pcimStringList                          A     IANA-ASSIGNED-OID.2.x
   pcimBitStringValueAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimBitStringList                       A     IANA-ASSIGNED-OID.2.x
   pcimIntegerValueAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimIntegerList                         A     IANA-ASSIGNED-OID.2.x
   pcimBooleanValueAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimBoolean                             A     IANA-ASSIGNED-OID.2.x
   pcimReusableContainer                   O     IANA-ASSIGNED-OID.1.x
   pcimReusableContainerAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimReusableContainerInstance           O     IANA-ASSIGNED-OID.1.x
   pcimReusableContainerName               A     IANA-ASSIGNED-OID.2.x
   pcimReusableContainerList               A     IANA-ASSIGNED-OID.2.x
   pcimRoleCollection                      O     IANA-ASSIGNED-OID.1.x
   pcimRole                                A     IANA-ASSIGNED-OID.2.x
   pcimRoleCollectionName                  A     IANA-ASSIGNED-OID.2.x
   pcimElementList                         A     IANA-ASSIGNED-OID.2.x
   pcimFilterEntry                         O     IANA-ASSIGNED-OID.1.x
   pcimFilterName                          A     IANA-ASSIGNED-OID.2.x
   pcimFilterIsNegated                     A     IANA-ASSIGNED-OID.2.x
   pcimIPHeaders                           O     IANA-ASSIGNED-OID.1.x
   pcimIPHdrVersion                        A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceAddress                  A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceAddressEndOfRange        A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceMask                     A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestAddress                    A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestAddressEndOfRange          A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestMask                       A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrProtocolID                     A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourcePortStart                A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourcePortEnd                  A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestPortStart                  A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestPortEnd                    A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDSCPList                       A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrFlowLabel                      A     IANA-ASSIGNED-OID.2.x
   pcim8021Headers                         O     IANA-ASSIGNED-OID.1.x
   pcim8021HdrSourceMACAddress             A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrSourceMACMask                A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrDestMACAddress               A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrDestMACMask                  A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrProtocolID                   A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrPriority                     A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrVLANID                       A     IANA-ASSIGNED-OID.2.x
   pcimFilterListAuxClass                  O     IANA-ASSIGNED-OID.1.x
   pcimFilterListName                      A     IANA-ASSIGNED-OID.2.x
   pcimFilterDirection                     A     IANA-ASSIGNED-OID.2.x
   pcimFilterEntryList                     A     IANA-ASSIGNED-OID.2.x


8. References

[CIM]      Distributed Management Task Force, Inc., "Common Information
           Model (CIM) Schema", version 2.3, March 2000. The components
           of the CIM v2.3 schema are available via links on the
           following DMTF web page:  http://www.dmtf.org/spec/cims.html

[PCIM]     B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
           Model -- Version 1 Specification", RFC 3060, May 2000.

[PCIM_EXT] B. Moore et al., "Policy Core Information Model (PCIM)
           Extensions", RFC 3460, January 2003.

[PCLS]     J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy Core
           LDAP Schema", Internet Draft, work in progress,
           draft-ietf-policy-core-schema-16.txt.

[LDAP-IANA] K. Zeilenga, "Internet Assigned Numbers Authority (IANA)
            Considerations for the Lightweight Directory Access Protocol
            (LDAP)", BCP 64, RFC 3383, September 2002.


9. Authors' Addresses

   Angelica Reyes, Antoni Barba, David Moron
   Technical University of Catalonia
   Jordi-Girona 1-3
   08034 Barcelona
   Spain
   [angelica|telabm|dmoron]@mat.upc.es

   Marcus Brunner
   NEC Europe Ltd.
   Kurfuersten Anlage 34
   D-69115 Heidelberg
   Germany
   brunner@ccrle.nec.de

   Mircea Pana
   MetaSolv Software Inc.
   360 Legget Drive
   Ottawa, Ontario, Canada
   K2K 3N1
   mpana@metasolv.com


10. Full Copyright Statement

  Copyright (C) The Internet Society (2002). All Rights Reserved.

  This document and translations of it may be copied and furnished to
  others, and derivative works that comment on or otherwise explain it
  or assist in its implementation may be prepared, copied, published
  and distributed, in whole or in part, without restriction of any
  kind, provided that the above copyright notice and this paragraph are
  included on all such copies and derivative works. However, this
  document itself may not be modified in any way, such as by removing
  the copyright notice or references to the Internet Society or other
  Internet organizations, except as needed for the purpose of
  developing Internet standards in which case the procedures for
  copyrights defined in the Internet Standards process must be
  followed, or as required to translate it into languages other than
  English.

  The limited permissions granted above are perpetual and will not be
  revoked by the Internet Society or its successors or assigns.

  This document and the information contained herein is provided on an
  "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
  TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
  BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
  HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
  MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Appendix A: Issues

   Some classes need to be added:

   1. pcimReusablePolicyContainer subclasses.
   Since pcimRepository and its two subclasses are deprecated, we
   needed to add pcimReusablePolicyContainer and two subclasses:
   pcimReusableContainerInstance (structural) and
   pcimReusableContainerAuxClass (auxiliary). The class
   pcimReusableContainer is defined as an abstract class, so
   pcimReusableContainer subclasses are needed in order to
   instantiate classes in the directory.
   RESOLUTION: This issue has been resolved in sections 5.23 and 5.24.

   2. We have to add the subclasses pcimRuleActionAssociation
   and pcimActionAssociation.
   RESOLUTION: This issue has been resolved using the class
   pcimActionAssociation. See section 5.8.

   3. We have to clarify the following classes:
    pcimPolicyVariableAuxClass.
    pcimPolicyVariableInstance.
    pcimPolicyExplicitVariableAuxClass.
    pcimPolicyImplicitVariableInstance.
   RESOLUTION: This issue has been resolved in sections 5.17 to
   5.22.

   4. We have to clarify the mapping of the following classes:
   PolicyValue and its subclasses.
   PolicyImplicitVariable subclasses.
   RESOLUTION: This issue has been resolved in sections 5.19 to
   5.22.

   We also consider the following points:
   5. Definition of classes to search for errors and classes to detect
   failures in the system.
   RESOLUTION: not in scope for this document

   6. Because the policy server is centralized and the LDAP directory
   is distributed hierarchically, it could be necessary to add classes
   in order to find duplicate information. This can occur, for example,
   when updates are excessively frequent.
   RESOLUTION: implementation specific; not in scope for this document

   7. Mapping between network domains and the updating of information.
   Servers could manage some of these topics via resource management
   programs, even though it would be necessary to add specific classes.
   RESOLUTION: not in scope for this document

   8. The PolicyRoleCollection class from [PCIM_EXT] is implemented as
   the pcimRoleCollection structural object class. This object class is
   a subclass of the abstract pcimPolicy defined in [PCLS]. As a
   consequence, pcimRoleCollection instances can be located and
   retrieved by LDAP clients that implement the mechanism defined in
   section 4.5 of [PCLS]. Another option to consider is the
   implementation of pcimRoleCollection as a triplet of abstract /
   structural / auxiliary subclasses of the abstract dlm1Collection
   defined by [CIM]. In that case, however, in order to permit the use
   of the location and retrieval mechanism mentioned above, it would be
   necessary to attach a pcimElementAuxClass to the pcimRoleCollection
   instances.
   RESOLUTION: The authors agree on the current implementation.

   9. Considerations about the relation between information retrieval
   performance and the storage capacity of DITs.
   RESOLUTION: not in scope for this document

   10. The following [PCIM_EXT] classes and aggregations need to be
   addressed: FilterEntryBase, IpHeadersFilter, 8021Filter, FilterList
   and EntriesInFilterList.
   RESOLUTION: defined in subsections 5.26-5.29

   11. pcimFilterEntry implements the FilterEntry but is a subclass
   of pcimPolicy and not a subclass of [CIM]'s dlm1LogicalElement.
   RESOLUTION: the authors agree with this implementation, which has
   practical advantages over the other options.

   12. pcimFilterListAuxClass implements the FilterList but is a
   subclass of pcimConditionAuxClass and not a subclass of [CIM]'s
   dlm1LogicalElement.
   RESOLUTION: the authors agree with this implementation, which has
   practical advantages over the other options.

   13. A limitation of this LDAP schema can lead to an ambiguous
   situation when a SimpleCondition and a SimpleAction are collocated,
   i.e., when they are attached to the same entry, for example in a
   simple policy rule construct. In such a situation a (non-reusable)
   Value or Variable attached to the same entry may be interpreted as
   being associated with either (or both) the condition and the action.
   Moreover, since the pcimValueDN and pcimVariableDN attributes
   are used in both the SimpleCondition and the SimpleAction to
   associate a reusable Value or Variable, the ownership of the
   attribute is ambiguous in case of collocated condition and action.
   RESOLUTION: A note was added to explicitly make
   pcimSimpleConditionAuxClass and pcimSimpleActionAuxClass
   mutually exclusive in an LDAP entry.
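   As an added example (not code from the draft), the following Python
   checker validates a pcimFilterListAuxClass entry against the attribute
   definitions in section 5 (pcimFilterListName single-valued,
   pcimFilterDirection in 0..4, pcimFilterEntryList values that are DNs)
   and enforces the issue 13 resolution above; the LDIF records, entry
   names and DNs are constructed for the example.

```python
"""Added example (not from the draft): consistency checks for PCELS entries,
for the pcimFilterListAuxClass attributes and the Appendix A issue 13 rule."""
import re

# pcimFilterDirection values as enumerated in the draft.
FILTER_DIRECTION = {0: "NotApplicable", 1: "Input", 2: "Output",
                    3: "Both", 4: "Mirrored"}
# Loose DN syntax check: attr=value pairs separated by commas.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def parse_ldif(text):
    """Parse one unfolded LDIF record into {attr_lowercase: [values]}.
    Deliberately minimal: no folded lines, no base64 ('::') values."""
    entry = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def check_entry(entry):
    """Return the list of problems found in a parsed entry ([] if clean)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    # Issue 13: ownership of pcimVariableDN / pcimValueDN would be
    # ambiguous, so a condition and an action must not share an entry.
    if {"pcimsimpleconditionauxclass", "pcimsimpleactionauxclass"} <= classes:
        problems.append("pcimSimpleConditionAuxClass and "
                        "pcimSimpleActionAuxClass collocated in one entry")
    if "pcimfilterlistauxclass" in classes:
        if len(entry.get("pcimfilterlistname", [])) > 1:
            problems.append("pcimFilterListName is SINGLE-VALUE")
        for d in entry.get("pcimfilterdirection", []):
            if not d.isdigit() or int(d) not in FILTER_DIRECTION:
                problems.append(f"pcimFilterDirection {d!r} not in 0..4")
        for dn in entry.get("pcimfilterentrylist", []):
            if not DN_RE.match(dn):
                problems.append(f"pcimFilterEntryList {dn!r} is not a DN")
    return problems


# Constructed sample: a filter list aggregating two filter entries.
GOOD_FILTER_LIST = """
dn: pcimFilterListName=inbound-web,ou=conditions,o=example
objectClass: pcimConditionAssociation
objectClass: pcimFilterListAuxClass
pcimFilterListName: inbound-web
pcimFilterDirection: 1
pcimFilterEntryList: pcimFilterName=http,ou=filters,o=example
pcimFilterEntryList: pcimFilterName=https,ou=filters,o=example
"""

# Constructed sample violating issue 13, the direction enumeration and DN syntax.
BAD_ENTRY = """
dn: cn=mixed,ou=rules,o=example
objectClass: pcimPolicyRuleInstance
objectClass: pcimSimpleConditionAuxClass
objectClass: pcimSimpleActionAuxClass
objectClass: pcimFilterListAuxClass
pcimFilterDirection: 7
pcimFilterEntryList: not a dn
"""
```

   Running check_entry(parse_ldif(...)) on the two samples returns an
   empty list for the first and three findings for the second.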







