Versions: 00 01 02 03 04 05 06 07 RFC 4104

Policy Framework Working Group                            Angelica Reyes
INTERNET-DRAFT                                              Antoni Barba
Updates: draft-ietf-policy-core-schema-16                    David Moron
                                       Technical University of Catalonia

                                                          Marcus Brunner
                                                                     NEC

                                                             Mircea Pana
                                                                MetaSolv

                                                             August 2003


                 Policy Core Extension LDAP Schema (PCELS)
                <draft-reyes-policy-core-ext-schema-03.txt>

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT]. The changes
   include additional object classes previously not covered, deprecation
   of some object classes and changes to the object class hierarchy
   defined in [PCLS].

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.




Reyes, et al.              Expires: February 2004               [page 1]

INTERNET-DRAFT                  PCELS                        August 2003



Table of contents

   1. Introduction
   2. Relationship to other Policy Framework Documents
   3. Inheritance Hierarchy for PCELS
   4. General Discussion of Mapping the Policy Core Information
      Model Extensions to LDAP
     4.1 Summary of Class and Association Mappings
     4.2 Summary of changes since PCLS
     4.3 The Association of PolicyVariable and PolicyValues
         to PolicySimpleCondition and PolicySimpleAction
     4.4 The Aggregation of PolicyRules and PolicyGroups in
         PolicySets
     4.5 The Aggregation of actions/conditions in PolicyRules and
         CompoundActions/CompoundConditions
   5. Class Definitions
     5.1 The Class pcimPolicySet
     5.2 The Structural Class pcimPolicySetAssociation
     5.3 The Updated Class pcimGroup
     5.4 The Deprecated Class pcimGroupContainmentAuxClass
     5.5 The Deprecated Class pcimRuleContainmentAuxClass
     5.6 The Three Classes pcimPolicyRule
     5.7 The Structural Class pcimConditionAssociation
     5.8 The Structural Class pcimActionAssociation
     5.9 The Three Deprecated Classes pcimRule
     5.10 The Deprecated Class pcimRuleConditionAssociation
     5.11 The Deprecated Class pcimRuleActionAssociation
     5.12 The Auxiliary Class pcimSimpleConditionAuxClass
     5.13 The Auxiliary Class pcimCompoundConditionAuxClass
     5.14 The Auxiliary Class pcimCompoundFilterAuxClass
     5.15 The Auxiliary Class pcimSimpleActionAuxClass
     5.16 The Auxiliary Class pcimCompoundActionAuxClass
     5.17 The Abstract Class pcimVariable
     5.18 The Auxiliary Class pcimExplicitVariableAuxClass
     5.19 The Auxiliary Class pcimImplicitVariableAuxClass
     5.20 The Subclasses of pcimImplicitVariableAuxClass
     5.21 The Auxiliary Class pcimValueAuxClass
     5.22 The Subclasses of pcimValueAuxClass
     5.23 The Three Classes pcimReusableContainer
     5.24 The Three Deprecated Classes pcimRepository
     5.25 The Structural Class pcimRoleCollection
     5.26 The Abstract Class pcimFilterEntry
     5.27 The Structural Class pcimIPHeaders
     5.28 The Structural Class pcim8021Headers
     5.29 The Auxiliary Class pcimFilterListAuxClass
     5.30 The Auxiliary Class pcimVendorVariableAuxClass
     5.31 The Auxiliary Class pcimVendorValueAuxClass
   6. Security Considerations
   7. IANA Considerations
     7.1 Object Identifiers
     7.2 Object Identifier Descriptors
   8. Normative References
   9. Informative References
   10. Authors' Addresses
   11. Intellectual Property
   12. Full Copyright Statement


1. Introduction

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT]. The changes
   include additional object classes previously not covered, deprecation
   of some object classes and changes to the object class hierarchy
   defined in PCLS.

   Within the context of this document, the term 'PCELS' (Policy Core
   Extension LDAP Schema) is used to refer to the LDAP object class
   definitions contained in this document.


2. Relationship to other Policy Framework Documents

   This document contains an LDAP schema mapping for the classes
   defined in the Policy Core Information Model Extensions [PCIM_EXT].
   Other documents may subsequently be produced, with mappings of the
   same PCIM extensions to other storage or transport technologies.
   The document is an extension to [PCLS], which defines the mapping
   of the Policy Core Information Model [PCIM] to an LDAP schema.


3. Inheritance Hierarchy for PCELS

   The following diagram illustrates the combined class hierarchy for
   the LDAP object classes defined in [PCLS] and in this document:

   top
   |
   +---dlm1ManagedElement (abstract)
   |   |
   |   +---pcimPolicy (abstract)
   |   |   |
   |   |   +---pcimPolicySet (abstract new)
   |   |   |   |
   |   |   |   +---pcimGroup (abstract moved)
   |   |   |   |   |
   |   |   |   |   +--pcimGroupAuxClass (auxiliary moved)
   |   |   |   |   |
   |   |   |   |   +---pcimGroupInstance (structural moved)
   |   |   |   |
   |   |   |   +---pcimPolicyRule (abstract new)
   |   |   |       |
   |   |   |       +---pcimPolicyRuleAuxClass (auxiliary new)
   |   |   |       |
   |   |   |       +---pcimPolicyRuleInstance (structural new)
   |   |   |
   |   |   +---pcimRule (abstract deprecated)
   |   |   |   |
   |   |   |   +---pcimRuleAuxClass (auxiliary deprecated)
   |   |   |   |
   |   |   |   +---pcimRuleInstance (structural deprecated)
   |   |   |
   |   |   +---pcimRuleConditionAssociation (structural deprecated)
   |   |   |
   |   |   +---pcimConditionAssociation (structural new)
   |   |   |
   |   |   +---pcimRuleValidityAssociation (structural)
   |   |   |
   |   |   +---pcimRuleActionAssociation (structural deprecated)
   |   |   |
   |   |   +---pcimActionAssociation (structural new)
   |   |   |
   |   |   +---pcimPolicySetAssociation (structural new)
   |   |   |
   |   |   +---pcimPolicyInstance (structural)
   |   |   |
   |   |   +---pcimElementAuxClass (auxiliary)
   |   |   |
   |   |   +---pcimRoleCollection (structural new)
   |   |   |
   |   |   +---pcimFilterEntry (abstract new)
   |   |       |
   |   |       +---pcimIPHeaders (structural new)
   |   |       |
   |   |       +---pcim8021Headers (structural new)
   |   |
   |   +---dlm1ManagedSystemElement (abstract)
   |       |
   |       +---dlm1LogicalElement (abstract)
   |           |
   |           +---dlm1System (abstract)
   |               |
   |               +---dlm1AdminDomain (abstract)
   |                   |
   |                   +---pcimRepository (abstract deprecated)
   |                   |   |
   |                   |   +---pcimRepositoryAuxClass
   |                   |   |   (auxiliary deprecated)
   |                   |   |
   |                   |   +---pcimRepositoryInstance
   |                   |       (structural deprecated)
   |                   |
   |                   +---pcimReusableContainer (abstract new)
   |                       |
   |                       +---pcimReusableContainerAuxClass
   |                       |   (auxiliary new)
   |                       |
   |                       +---pcimReusableContainerInstance
   |                           (structural new)
   |
   +---pcimConditionAuxClass (auxiliary)
   |   |
   |   +---pcimTPCAuxClass (auxiliary)
   |   |
   |   +---pcimConditionVendorAuxClass (auxiliary)
   |   |
   |   +---pcimSimpleConditionAuxClass (auxiliary new)
   |   |
   |   +---pcimCompoundConditionAuxClass (auxiliary new)
   |   |   |
   |   |   +---pcimCompoundFilterAuxClass (auxiliary new)
   |   |
   |   +---pcimFilterListAuxClass (auxiliary new)
   |
   +---pcimActionAuxClass (auxiliary)
   |   |
   |   +---pcimActionVendorAuxClass (auxiliary)
   |   |
   |   +---pcimSimpleActionAuxClass (auxiliary new)
   |   |
   |   +---pcimCompoundActionAuxClass (auxiliary new)
   |
   +---pcimVariable (abstract new)
   |   |
   |   +---pcimVendorVariableAuxClass (auxiliary new)
   |   |
   |   +---pcimExplicitVariableAuxClass (auxiliary new)
   |   |
   |   +---pcimImplicitVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourceIPv4VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourceIPv6VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationIPv4VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationIPv6VariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourcePortVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationPortVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimIPProtocolVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimIPVersionVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimIPToSVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDSCPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimFlowIdVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourceMACVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationMACVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimVLANVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimCoSVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimEthertypeVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSourceSAPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimDestinationSAPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSNAPOUIVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimSNAPTypeVariableAuxClass (auxiliary new)
   |       |
   |       +---pcimFlowDirectionVariableAuxClass (auxiliary new)
   |
   +---pcimValueAuxClass (auxiliary new)
   |   |
   |   +---pcimVendorValueAuxClass (auxiliary new)
   |   |
   |   +---pcimIPv4AddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcimIPv6AddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcimMACAddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcimStringValueAuxClass (auxiliary new)
   |   |
   |   +---pcimBitStringValueAuxClass (auxiliary new)
   |   |
   |   +---pcimIntegerValueAuxClass (auxiliary new)
   |   |
   |   +---pcimBooleanValueAuxClass (auxiliary new)
   |
   +---pcimSubtreesPtrAuxClass (auxiliary)
   |
   +---pcimGroupContainmentAuxClass (auxiliary deprecated)
   |
   +---pcimRuleContainmentAuxClass (auxiliary deprecated)


4. General Discussion of Mapping the Policy Core Information Model
   Extensions to LDAP

   The object classes described in this document contain certain
   optimizations for a directory that uses LDAP as an access protocol.
   One example is the use of auxiliary class attachment to LDAP entries
   to realize some of the associations defined in the information model.

   Note that other storage types might need to implement the association
   differently.



4.1 Summary of Class and Association Mappings

   The LDAP object classes defined in this document are a direct mapping
   from the corresponding classes and, in some cases, the associations
   defined in [PCIM_EXT]. Similarly, the LDAP attributes defined here
   are a direct mapping from the corresponding class properties. In some
   cases, associations defined in [PCIM_EXT] are simply mapped to
   reference attributes or realized through auxiliary class attachment.

   The classes pcimVendorVariableAuxClass and pcimVendorValueAuxClass
   are not mapped from [PCIM_EXT]; they are new classes added in order
   to increase the framework's capability to store variables and values
   that have not been modeled with specific properties. As with any
   other schema element defined in this document or in [PCLS], a
   particular submodel schema will not, in general, need to use
   vendor-specific variable and value classes. Submodel schemas should
   apply the recommendations of section 5.10 of [PCIM_EXT] with regard
   to the supported and unsupported elements.

   Similar to [PCLS], the prefix "pcim" is used for all the object class
   and attribute names defined in this document.

+----------------------------------------------------------------------+
| Information Model (PCIM ext)  | LDAP Class(es)                       |
+----------------------------------------------------------------------+
| PolicySet                     | pcimPolicySet                        |
+----------------------------------------------------------------------+
| PolicyRule                    | pcimPolicyRule                       |
|                               | pcimPolicyRuleAuxClass               |
|                               | pcimPolicyRuleInstance               |
+----------------------------------------------------------------------+
| SimplePolicyCondition         | pcimSimpleConditionAuxClass          |
+----------------------------------------------------------------------+
| CompoundPolicyCondition       | pcimCompoundConditionAuxClass        |
+----------------------------------------------------------------------+
| CompoundFilterCondition       | pcimCompoundFilterAuxClass           |
+----------------------------------------------------------------------+
| SimplePolicyAction            | pcimSimpleActionAuxClass             |
+----------------------------------------------------------------------+
| CompoundPolicyAction          | pcimCompoundActionAuxClass           |
+----------------------------------------------------------------------+
| PolicyVariable                | pcimVariable                         |
+----------------------------------------------------------------------+
| --------------                | pcimVendorVariableAuxClass           |
+-------------------------------+--------------------------------------+
| PolicyExplicitVariable        | pcimExplicitVariableAuxClass         |
+----------------------------------------------------------------------+
| PolicyImplicitVariable        | pcimImplicitVariableAuxClass         |
+----------------------------------------------------------------------+
| PolicySourceIPv4Variable      | pcimSourceIPv4VariableAuxClass       |
+----------------------------------------------------------------------+
| PolicySourceIPv6Variable      | pcimSourceIPv6VariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyDestinationIPv4Variable | pcimDestinationIPv4VariableAuxClass  |
+----------------------------------------------------------------------+
| PolicyDestinationIPv6Variable | pcimDestinationIPv6VariableAuxClass  |
+----------------------------------------------------------------------+
| PolicySourcePortVariable      | pcimSourcePortVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyDestinationPortVariable | pcimDestinationPortVariableAuxClass  |
+----------------------------------------------------------------------+
| PolicyIPProtocolVariable      | pcimIPProtocolVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyIPVersionVariable       | pcimIPVersionVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyIPToSVariable           | pcimIPToSVariableAuxClass            |
+----------------------------------------------------------------------+
| PolicyDSCPVariable            | pcimDSCPVariableAuxClass             |
+----------------------------------------------------------------------+
| PolicyFlowIDVariable          | pcimFlowIDVariableAuxClass           |
+----------------------------------------------------------------------+
| PolicySourceMACVariable       | pcimSourceMACVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyDestinationMACVariable  | pcimDestinationMACVariableAuxClass   |
+----------------------------------------------------------------------+
| PolicyVLANVariable            | pcimVLANVariableAuxClass             |
+----------------------------------------------------------------------+
| PolicyCoSVariable             | pcimCoSVariableAuxClass              |
+----------------------------------------------------------------------+
| PolicyEthertypeVariable       | pcimEthertypeVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicySourceSAPVariable       | pcimSourceSAPVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyDestinationSAPVariable  | pcimDestinationSAPVariableAuxClass   |
+----------------------------------------------------------------------+
| PolicySNAPOUIVariable         | pcimSNAPOUIVariableAuxClass          |
+----------------------------------------------------------------------+
| PolicySNAPTypeVariable        | pcimSNAPTypeVariableAuxClass         |
+----------------------------------------------------------------------+
| PolicyFlowDirectionVariable   | pcimFlowDirectionVariableAuxClass    |
+----------------------------------------------------------------------+
| PolicyValue                   | pcimValueAuxClass                    |
+----------------------------------------------------------------------+
| -------------                 | pcimVendorValueAuxClass              |
+-------------------------------+--------------------------------------+
| PolicyIPv4AddrValue           | pcimIPv4AddrValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyIPv6AddrValue           | pcimIPv6AddrValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyMACAddrValue            | pcimMACAddrValueAuxClass             |
+----------------------------------------------------------------------+
| PolicyStringValue             | pcimStringValueAuxClass              |
+----------------------------------------------------------------------+
| PolicyBitStringValue          | pcimBitStringValueAuxClass           |
+----------------------------------------------------------------------+
| PolicyIntegerValue            | pcimIntegerValueAuxClass             |
+----------------------------------------------------------------------+
| PolicyBooleanValue            | pcimBooleanValueAuxClass             |
+----------------------------------------------------------------------+
| PolicyRoleCollection          | pcimRoleCollection                   |
+----------------------------------------------------------------------+
| ReusablePolicyContainer       | pcimReusableContainer                |
|                               | pcimReusableContainerAuxClass        |
|                               | pcimReusableContainerInstance        |
+----------------------------------------------------------------------+
| FilterEntryBase               | pcimFilterEntry                      |
+----------------------------------------------------------------------+
| IPHeadersfilter               | pcimIPHeaders                        |
+----------------------------------------------------------------------+
| 8021Filter                    | pcim8021Headers                      |
+----------------------------------------------------------------------+
| FilterList                    | pcimFilterListAuxClass               |
+----------------------------------------------------------------------+

+----------------------------------------------------------------------+
| Information Model Association    | LDAP Attribute / Class            |
+----------------------------------------------------------------------+
| PolicySetComponent               | pcimPolicySetComponentList in     |
|                                  | pcimPolicySet and                 |
|                                  | pcimPolicySetDN in                |
|                                  | pcimPolicySetAssociation          |
+----------------------------------------------------------------------+
| PolicySetInSystem                | DIT Containment and               |
|                                  | pcimPolicySetDN in                |
|                                  | pcimPolicySetAssociation          |
+----------------------------------------------------------------------+
| PolicyGroupInSystem              | (same as PolicySetInSystem)       |
+----------------------------------------------------------------------+
| PolicyRuleInSystem               | (same as PolicySetInSystem)       |
+----------------------------------------------------------------------+
| PolicyConditionStructure         | pcimConditionDN in                |
|                                  | pcimConditionAssociation          |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyRule      | pcimConditionList in              |
|                                  | pcimPolicyRule and                |
|                                  | pcimConditionDN in                |
|                                  | pcimConditionAssociation          |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyCondition | pcimConditionList in              |
|                                  | pcimCompoundConditionAuxClass     |
|                                  | and pcimConditionDN in            |
|                                  | pcimConditionAssociation          |
+----------------------------------------------------------------------+
| PolicyActionStructure            | pcimActionDN in                   |
|                                  | pcimActionAssociation             |
+----------------------------------------------------------------------+
| PolicyActionInPolicyRule         | pcimActionList in                 |
|                                  | pcimPolicyRule and                |
|                                  | pcimActionDN in                   |
|                                  | pcimActionAssociation             |
+----------------------------------------------------------------------+
| PolicyActionInPolicyAction       | pcimActionList in                 |
|                                  | pcimCompoundActionAuxClass        |
|                                  | and pcimActionDN in               |
|                                  | pcimActionAssociation             |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcimVariableDN in                 |
| Condition                        | pcimSimpleConditionAuxClass       |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicy        | pcimValueDN in                    |
| Condition                        | pcimSimpleConditionAuxClass       |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcimVariableDN in                 |
| Action                           | pcimSimpleActionAuxClass          |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicyAction  | pcimValueDN in                    |
|                                  | pcimSimpleActionAuxClass          |
+----------------------------------------------------------------------+
| ReusablePolicy                   | DIT containment                   |
+----------------------------------------------------------------------+
| ExpectedPolicyValuesForVariable  | pcimExpectedValueList in          |
|                                  | pcimVariable                      |
+----------------------------------------------------------------------+
| ContainedDomain                  | DIT containment or                |
|                                  | pcimReusableContainerList in      |
|                                  | pcimReusableContainer             |
+----------------------------------------------------------------------+
| EntriesInFilterList              | pcimFilterEntryList in            |
|                                  | pcimFilterListAuxClass            |
+----------------------------------------------------------------------+
| ElementInPolicyRoleCollection    | DIT containment or                |
|                                  | pcimElementList in                |
|                                  | pcimRoleCollection                |
+----------------------------------------------------------------------+
| PolicyRoleCollectionInSystem     | DIT Containment                   |
+----------------------------------------------------------------------+


4.2 Summary of changes since PCLS

   This section provides an overview of the changes to PCLS defined in
   this document:

   1. Changes to the pcimRepository: Because of the potential for
   confusion with the Policy Framework component Policy Repository as
   described in section 3.2.1 in [PCIM_EXT], the class is now called
   pcimReusableContainer. Its subclasses have been renamed as well.

   2. The pcimGroupContainmentAuxClass and pcimRuleContainmentAuxClass
   auxiliary classes used to map the PolicyRuleInPolicyGroup and
   PolicyGroupInPolicyGroup aggregations defined by [PCIM] are replaced
   by the structural class pcimPolicySetAssociation and the attribute
   pcimPolicySetList added to the abstract class pcimPolicySet.
   Section 4.4 presents the details related to this association.

   3. The class pcimRule is deprecated and with it the absolute
   prioritization of policy rules is no longer available. A relative
   prioritization of policies is introduced through the attribute
   pcimPriority in the pcimPolicySet object class. This attribute
   indicates the relative priority of the components of a policy set or,
   for a PolicySetInSystem, the priority of the referenced policy set
   relative to the other policy sets associated with this system.


   4. A new attribute pcimDecisionStrategy is added on the pcimPolicySet
   class in order to map the decision mechanism described in [PCIM_EXT].

   5. The attribute pcimRoles is moved to the class pcimPolicySet from
   the deprecated class pcimRule. Thus, the role based policy selection
   mechanism is preserved and extended to all the subclasses of
   pcimPolicySet.

   6. The new attribute pcimExecutionStrategy is added to the
   pcimPolicyRule class to allow the specification of the expected
   behavior in the case where there are multiple actions aggregated by
   a rule or by a compound action.

   7. Compound Conditions: The pcimCompoundConditionAuxClass class is
   added in order to map the CompoundPolicyCondition class of
   [PCIM_EXT]. A new class, pcimConditionAssociation, is introduced to
   realize the aggregation of policy conditions in a
   pcimCompoundConditionAuxClass. The same class is used to aggregate
   policy conditions in a pcimPolicyRule, while the
   pcimRuleConditionAssociation defined in [PCLS] for this purpose is
   deprecated.

   8. Compound Actions: The pcimCompoundActionAuxClass class is
   added in order to map the CompoundPolicyAction class of
   [PCIM_EXT]. A new class, pcimActionAssociation, is introduced to
   realize the aggregation of policy actions in a
   pcimCompoundActionAuxClass. The same class is used to aggregate
   policy actions in a pcimPolicyRule, while the
   pcimRuleActionAssociation defined in [PCLS] for this purpose is
   deprecated.

   9. Variables and values: The classes defined in [PCIM_EXT] for the
   implementation of simple conditions and actions are directly mapped
   to auxiliary classes. These classes are: pcimSimpleConditionAuxClass,
   pcimSimpleActionAuxClass, pcimVariable and its subclasses, and
   pcimValue and its subclasses.

   10. Reusable conditions, actions, groups, rules, variables and values
   are subordinated (DIT contained) to a pcimReusableContainer entry.
   Thus, the ReusablePolicy association defined in [PCIM_EXT] is
   realized through subordination.

   11. Device level filter classes are added to the schema.

   12. The pcimRoleCollection class is added to the schema to allow
   the association of policy roles to resources represented as LDAP
   entries.

   13. A general extension mechanism is introduced for representing
   policy variables and values that have not been specifically modeled.
   The mechanism is intended for vendor-specific extensions.


4.3 The Association of PolicyVariable and PolicyValues
    to PolicySimpleCondition and PolicySimpleAction

   A PolicySimpleCondition as well as a PolicySimpleAction includes a
   single PolicyValue and a single PolicyVariable. Each of them can be
   attached or referenced by a DN.

   The attachment helps create compact PolicyCondition and PolicyAction
   definitions that can be efficiently provisioned and retrieved from
   the repository. On the other hand, referenced PolicyVariables and
   PolicyValues instances can be reused in the construction of multiple
   policies and permit the administrative partitioning of the data and
   policy definitions.


4.4 The Aggregation of PolicyRules and PolicyGroups in PolicySets

   In [PCIM_EXT], the two aggregations PolicyGroupInPolicyGroup and
   PolicyRuleInPolicyGroup are combined into a single aggregation,
   PolicySetComponent. This aggregation and the capability of
   association between a policy and the ReusablePolicyContainer offer
   new possibilities of reusability. Furthermore, these aggregations
   introduce new semantics representing the execution of one PolicyRule
   within the scope of another PolicyRule.

   Since PolicySet is defined in [PCIM_EXT], it is mapped in this
   document to a new class pcimPolicySet in order to provide an
   abstraction for a set of policy rules or groups. The aggregation
   class PolicySetComponent in [PCIM_EXT] is mapped to a multi-value
   attribute pcimPolicySetList in the pcimPolicySet class and the
   attribute pcimPolicySetDN in the pcimPolicySetAssociation. These
   attributes refer to the nested rules and groups.

   It is possible to store a rule/group nested in another rule/group
   in two ways. The first way is to define the nested rule/group as
   specific to the nesting rule/group. The second way is to define the
   nested rules/groups as reusable.

   First case: Specific nested sets (rules/groups).

                 +----------+
                 |Rule/Group|
                 |          |
           +-----|-        -|-----+
           |     +----------+     |
           |       *      *       |
           |       *      *       |
           |    ****      ****    |
           |    *            *    |
           v    *            *    v
         +-----------+   +-----------+
         | SA1+Set1  |   | SA2+Set2  |
         +-----------+   +-----------+


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   Set#: pcimPolicyRuleAuxClass or pcimGroupAuxClass auxiliary class.
   SA#: pcimPolicySetAssociation structural class.

   The nesting pcimPolicySet refers to instances of
   pcimPolicySetAssociation using the attribute pcimPolicySetList. These
   structural association classes are subordinated (DIT contained) to the
   pcimPolicySet (rule or group) entry and represent the
   association between the set (rule or group) and its nested rules/
   groups. The nested pcimPolicySet instances are attached (as auxiliary
   classes) to the association entries.

   Second case: Reusable nested sets (rules/groups).

                +----------+             +-------------+
                |Rule/Group|             | RepositoryX |
              +-|-        -|--+          |             |
              | +----------+  |          +-------------+
              |   *      *    |             *        *
              | ***      **** |             *        *
              | *           * v             *        *
              | *          +---+            *        *
              | *          |SA2|         +-------+   *
              v *          |  -|-------->|S1+Set2|   *
             +---+         +---+         +-------+   *
             |SA1|                               +-------+
             |  -|------------------------------>|S2+Set3|
             +---+                               +-------+

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   Set#: pcimPolicyRuleAuxClass or pcimGroupAuxClass class.
   SA#: pcimPolicySetAssociation structural class.
   S#: structural class.


   The nesting pcimPolicySet refers to instances of
   pcimPolicySetAssociation using the attribute pcimPolicySetList.
   These structural association classes are subordinated (DIT contained)
   to the pcimPolicySet entry and represent the association between
   the set (rule or group) and its nested rules/groups. The reusable
   rules/groups are instantiated here as auxiliary classes and attached
   to pcimPolicyInstance entries in the reusable container. Another
   option is to use the structural subclasses for defining reusable
   rules/groups. The association classes belonging to a nesting policy
   set reference the reusable rules/groups using the attribute
   pcimPolicySetDN.

   A combination of both specific and reusable components is also
   allowed for the same policy set.


4.5 The Aggregation of actions/conditions in PolicyRules and
     CompoundActions/CompoundConditions

   [PCIM_EXT] defines two new classes that offer the designer the
   capability of creating more complex conditions and actions.
   CompoundPolicyCondition and CompoundPolicyAction classes are mapped
   in this document to pcimCompoundConditionAuxClass and
   pcimCompoundActionAuxClass classes that are subclasses of
   pcimConditionAuxClass/pcimActionAuxClass. The compound
   conditions/actions defined in [PCIM_EXT] extend the capability of the
   rule to associate, group and evaluate/execute conditions/actions. The
   conditions/actions are associated to compound conditions/actions in
   the same way as they are associated to the rules.

   This section explains how to store instances of these classes in an
   LDAP Directory. As a general rule, specific conditions/actions are
   subordinated (DIT contained) to the rule or compound condition/action
   that aggregates them and are attached to association class instances.
   Reusable conditions/actions are subordinated to pcimReusableContainer
   instances and attached to pcimPolicyInstance instances.

   The examples below illustrate the four possible cases combining
   specific/reusable compound/non-compound condition/action. The rule
   has two compound conditions, each of which has two different
   conditions. The schemes can be extended in order to store actions.

   The examples below are based on and extend those illustrated in
   section 4.4 of [PCLS].

   - First case: Specific compound condition/action with specific
   conditions/actions.


                         +--------------+
                  +------|     Rule     |------+
                  |      +--------------+      |
                  |           *    *           |
                  |   *********    *********   |
                  v   *                    *   v
                 +---------+          +---------+
               +-| CA1+cc1 |-+      +-| CA2+cc2 |-+
               | +---------+ |      | +---------+ |
               |     * *     |      |     * *     |
               |  **** ****  |      |  **** ****  |
               v  *       *  v      v  *       *  v
              +------+ +------+    +------+ +------+
              |CA3+c1| |CA4+c2|    |CA5+c3| |CA6+c4|
              +------+ +------+    +------+ +------+


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.

   Because the compound conditions/actions are specific to the Rule,
   they are auxiliary attachments to instances of the structural
   classes pcimConditionAssociation or pcimActionAssociation. These
   structural classes represent the association between the rule and
   the compound condition/action. The rule specific conditions/actions
   are therefore subordinated (DIT contained) to the rule entry.

   The conditions/actions are tied to the compound conditions/actions
   in the same way the compound conditions/actions are tied to rules.
   Association classes realize the association between the aggregating
   compound conditions/actions and the specific conditions/actions.

   - Second case: Rule specific compound conditions/actions with
   reusable conditions/actions.


           +-------------+                   +---------------+
    +------|     Rule    |-----+             |  RepositoryX  |
    |      +-------------+     |             +---------------+
    |           *    *         |              *    *    *   *
    |           *    *         |           ****    *    *   *
    |   *********    ********  |           *       *    *   ********
    |   *                   *  v           *       *    *          *
    |   *               +---------+        *       *    ****       *
    |   *             +-| CA2+cc2 |-+      *       *       *       *
    |   *             | +---------+ |      *       *       *       *
    v   *             |    *  *     |      *       *       *       *
   +---------+        | ****  ****  |      *       *       *       *
 +-| CA1+cc1 |-+      | *        *  v      *       *       *       *
 | +---------+ |      | *     +------+  +-----+    *       *       *
 |    *  *     |      v *     |  CA6 |->|S1+c4|    *       *       *
 | ****  ****  |     +------+ +------+  +-----+ +-----+    *       *
 | *        *  v     |  CA5 |------------------>|S2+c3|    *       *
 | *      +------+   +------+                   +-----+ +-----+    *
 v *      |  CA4 |------------------------------------->|S3+c2|    *
 +------+ +------+                                      +-----+ +-----+
 |  CA3 |------------------------------------------------------>|S4+c1|
 +------+                                                       +-----+


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.
   S#: structural class

   This case is similar to the first one. The conditions/actions are
   reusable so they are not attached to the association classes but they
   are attached to structural classes in the reusable container. The
   association classes tie the conditions/actions located in a
   reusable container to their aggregators using DN references.

   - Third case: Reusable compound condition/action with specific
   conditions/actions.

        +--------------+                  +--------------+
        |     Rule     |                  |  repositoryX |
    +---+--------------+----+             +--------------+
    |        *     *        |                  *    *
    |  *******     *******  |           ********    ********
    |  *                 *  v           *                  *
    |  *            +----------+    +---------+            *
    |  *            |   CA2    |--->| S1+cc2  |            *
    |  *            +----------+  +-+---------+-+          *
    |  *                          |     * *     |          *
    |  *                          |  **** ****  |          *
    |  *                          v  *       *  v          *
    |  *                         +------+ +------+         *
    |  *                         |CA5+c3| |CA6+c4|         *
    v  *                         +------+ +------+         *
  +----------+                                          +---------+
  |   CA1    |----------------------------------------->| S2+cc1  |
  +----------+                                        +-+---------+-+
                                                      |     * *     |
                                                      |  **** ****  |
                                                      v  *       *  v
                                                     +------+ +------+
                                                     |CA3+c1| |CA4+c2|
                                                     +------+ +------+


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.
   S#: structural class

   Re-usable compound conditions/actions are attached to structural
   classes and stored in a reusable policy container. They are related
   to the rule through a DN reference attribute in the association
   classes.

   Specific conditions/actions are attached to association entries and
   subordinated (DIT contained) to the aggregating compound
   conditions/actions.

   - Fourth case: Reusable conditions/actions and compound
   conditions/actions.

          +------+          +---------------+    +---------------+
    +-----| Rule |-----+    |  RepositoryX  |    |  RepositoryY  |
    |     +------+     |    +---------------+    +---------------+
    |      *    *      |         *     *           *   *   *   *
    | ******    ****** |       ***     ***       ***   *   *   *****
    | *              * v       *         *       *     *   *       *
    | *          +-------+  +------+     *       *     *   ***     *
    | *          |  CA2  |->|S1+ca1|     *       *     *     *     *
    | *          +-------+  +------+     *       *     *     *     *
    | *                    /  *  *  \    *       *     *     *     *
    | *                    |**   ** |    *       *     *     *     *
    | *                    |*     * v    *       *     *     *     *
    | *                    |*   +---+    *    +-----+  *     *     *
    | *                    |*   |CA6|----*--->|S3+c4|  *     *     *
    | *                    v*   +---+    *    +-----+  *     *     *
    | *                  +---+           *          +-----+  *     *
    | *                  |CA5|-----------*--------->|S4+c3|  *     *
    v *                  +---+           *          +-----+  *     *
  +-------+                           +------+               *     *
  |  CA1  |-------------------------->|S2+cc1|               *     *
  +-------+                           +------+               *     *
                                     /  *  *  \              *     *
                                     | **  ** |              *     *
                                     | *    * v              *     *
                                     | *  +---+           +-----+  *
                                     | *  |CA4|---------->|S5+c2|  *
                                     v *  +---+           +-----+  *
                                    +---+                      +-----+
                                    |CA3|--------------------->|S6+c1|
                                    +---+                      +-----+


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcimConditionAssociation structural class.
   cc#: pcimCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.
   S#: structural class

   All the conditions/actions are reusable so they are stored in
   reusable containers. The figure above illustrates two different
   reusable policy containers but the number of containers in the
   system is decided based on administrative reasons. The conditions,
   actions, etc. may be stored in the same container or in different
   containers with no impact on the policy definition semantics.


5. Class Definitions

5.1 The Class pcimPolicySet

   The abstract class PolicySet in [PCIM_EXT] is introduced to
   provide an abstraction for a set of rules. The class value
   'pcimPolicySet' is used as the mechanism for identifying group and
   rule-related instances in the DIT.

   In [PCIM_EXT], the classes PolicyGroup and PolicyRule are moved, so
   that they are now derived from the PolicySet class.

   A pcimPolicySet object refers to instances of pcimGroup and
   pcimPolicyRule via the attribute pcimPolicySetList and the attribute
   pcimPolicySetDN in the pcimPolicySetAssociation object class.

   The definition of the abstract class pcimPolicySet:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicySet'
     DESC 'Abstract class that represents a collection of policies
           that form a coherent set.'
     SUP pcimPolicy
     ABSTRACT
     MAY ( pcimPolicySetName
         $ pcimDecisionStrategy
         $ pcimRoles
         $ pcimPolicySetList )
   )

   One of the attributes of the pcimPolicySet class, pcimRoles, is
   already defined in [PCLS]. The other three attributes are defined
   below.

   The attribute pcimPolicySetName may be used as the naming attribute
   for pcimPolicySet entries:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimPolicySetName'
     DESC 'The user-friendly name of a policy set.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcimDecisionStrategy is used to define the evaluation
   method among the rules in the policy set and is mapped directly from
   the PolicyDecisionStrategy property defined in [PCIM_EXT].

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimDecisionStrategy'
     DESC 'The evaluation method used for the components of a
           pcimPolicySet. Valid values: 1 [FirstMatching],
           2 [AllMatching]'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimPolicySetList is used to realize the
   PolicySetComponent aggregation.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimPolicySetList'
     DESC 'List of DN references to pcimPolicySetAssociation
           entries used to aggregate policy sets.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   The subclasses pcimGroup and pcimPolicyRule are now derived from
   pcimPolicySet.


5.2 The Structural Class pcimPolicySetAssociation

   The pcimPolicySetAssociation class is used to aggregate components
   into pcimPolicySet entries. Instances of this class are always
   subordinated to the aggregating pcimPolicySet. The aggregation of a
   reusable instance of (subclass of) pcimPolicySet is referenced via
   the pcimPolicySetDN attribute. A non-reusable instance of (subclass
   of) pcimPolicySet is attached as an auxiliary class directly to the
   pcimPolicySetAssociation entry.

   If a pcimPolicySetAssociation instance has a pcimPolicySet attached
   to it then the attribute pcimPolicySetDN SHOULD NOT be present in the
   same entry. However, if such a situation occurs, this attribute MUST
   be ignored.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicySetAssociation'
     DESC 'Structural class that contains attributes characterizing
           the relationship between a policy set and one of its
           components.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimPriority )
     MAY ( pcimPolicySetName
         $ pcimPolicySetDN )
   )

   The Attribute pcimPriority:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimPriority'
     DESC 'Policy priority.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The Attribute pcimPolicySetDN:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimPolicySetDN'
     DESC 'DN reference to a pcimPolicySet entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )


5.3 The Updated Class pcimGroup

   The pcimGroup is defined in [PCLS]. Its superclass is changed here
   so that the pcimGroup can take advantage of the pcimPolicySet and
   its aggregation method.

   (  IANA-ASSIGNED-OID.1.2
      NAME 'pcimGroup'
      DESC   'A container for a set of related pcimPolicyRule entries
              and/or a set of related pcimGroup entries.'
      SUP     pcimPolicySet
      ABSTRACT
      MAY    (pcimGroupName)
   )


5.4 The Deprecated Class pcimGroupContainmentAuxClass

   The policy group aggregation is replaced by the more comprehensive
   policy set aggregation. Therefore this class is deprecated.

   The attribute pcimGroupsAuxContainedSet, used only in the definition
   of the deprecated pcimGroupContainmentAuxClass object class, is also
   deprecated.


5.5 The Deprecated Class pcimRuleContainmentAuxClass

   The policy rule aggregation is replaced by the more comprehensive
   policy set aggregation. Therefore this class is deprecated.

   The attribute pcimRulesAuxContainedSet, used only in the definition
   of the deprecated pcimRuleContainmentAuxClass object class, is also
   deprecated.


5.6 The Three Classes pcimPolicyRule

   The base class representing policy rules is redefined without a
   priority attribute. In addition, this class uses the Condition and
   Action aggregation methods similar to the CompoundCondition and the
   CompoundAction.

   If a pcimPolicyRule instance has a pcimConditionAuxClass attached to
   it then the attribute pcimConditionList SHOULD NOT be present in the
   same entry for the purpose of associating other conditions to the
   rule. However, when such a situation occurs the referenced conditions
   MUST NOT be considered as associated to the rule.

   If a pcimPolicyRule instance has a pcimActionAuxClass attached to it
   then the attribute pcimActionList should not be present in the same
   entry for the purpose of associating other actions to the rule.
   However, when such a situation occurs the referenced actions must not
   be considered as associated to the rule.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicyRule'
     DESC 'The base class for representing the "If Condition then
           Action" semantics associated with a Policy Rule'
     SUP pcimPolicySet
     ABSTRACT
     MAY ( pcimRuleName
         $ pcimRuleEnabled
         $ pcimConditionListType
         $ pcimConditionList
         $ pcimActionList
         $ pcimRuleValidityPeriodList
         $ pcimRuleUsage
         $ pcimRuleMandatory
         $ pcimSequencedActions
         $ pcimExecutionStrategy )
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicyRuleAuxClass'
     DESC 'An auxiliary class for representing the "If Condition
           then Action" semantics associated with a policy rule.'
     SUP pcimPolicyRule
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimPolicyRuleInstance'
     DESC 'A structural class for representing the "If Condition
           then Action" semantics associated with a policy rule.'
     SUP pcimPolicyRule
     STRUCTURAL
   )

   The attributes pcimRuleConditionListType, pcimRuleConditionList and
   pcimRuleActionList defined in [PCLS] are replaced by
   pcimConditionListType, pcimConditionList and pcimActionList. The new
   attributes are used in pcimPolicyRule as well as in
   the pcimCompoundConditionAuxClass and pcimCompoundActionAuxClass
   object classes.

   The attribute definitions are:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimConditionListType'
     DESC 'a value of 1 means that this policy rule is in disjunctive
           normal form; a value of 2 means that this policy rule is in
           conjunctive normal form.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimConditionList'
     DESC 'unordered set of DN references to pcimConditionAssociation
           entries used to aggregate policy conditions.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimActionList'
     DESC 'Unordered set of DN references to pcimActionAssociation
           entries used to aggregate policy actions.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimSequencedActions'
     DESC 'Indicates whether the ordered execution of
           actions in an aggregate is Mandatory, Recommended,
           or DontCare.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The new attribute pcimExecutionStrategy is a direct mapping of the
   ExecutionStrategy property of the PolicyRule class in [PCIM_EXT].

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimExecutionStrategy'
     DESC 'Indicates the execution strategy to be used upon an action
           aggregate. VALUES: 1 [Do until success]; 2 [Do all]; 3 [do
           until failure]. Default value = 2.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )
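
   The following is an added example, not part of this draft or of
   [PCIM_EXT]: one way a policy consumer could interpret
   pcimConditionListType and pcimExecutionStrategy while rejecting
   undefined values instead of guessing. It assumes the group and
   negation semantics of pcimConditionGroupNumber and
   pcimConditionNegated as defined in [PCLS], conditions keyed by
   pcimConditionName, and actions already in execution order; all
   entries are constructed.

```python
DNF, CNF = 1, 2                                  # pcimConditionListType
UNTIL_SUCCESS, DO_ALL, UNTIL_FAILURE = 1, 2, 3   # pcimExecutionStrategy


def read_enum(entry, attr, allowed, default=None):
    """Read a single-valued integer attribute; reject values outside `allowed`."""
    raw = entry.get(attr)
    if raw is None:
        if default is None:
            raise ValueError(f"{attr} is absent and this example assumes no default")
        return default
    value = int(raw)
    if value not in allowed:
        raise ValueError(f"{attr}={value} is not a defined value")
    return value


def conditions_met(rule, associations, outcome):
    """Combine per-condition results according to pcimConditionListType.

    associations: pcimConditionAssociation entries aggregated by the rule.
    outcome: maps pcimConditionName to the boolean result of that condition.
    """
    list_type = read_enum(rule, "pcimConditionListType", (DNF, CNF))
    if not associations:
        # This section does not say how an empty list evaluates; refuse to guess.
        raise ValueError("rule aggregates no conditions")
    groups = {}
    for assoc in associations:
        result = outcome[assoc["pcimConditionName"]]
        if assoc["pcimConditionNegated"] == "TRUE":   # LDAP Boolean syntax
            result = not result
        groups.setdefault(int(assoc["pcimConditionGroupNumber"]), []).append(result)
    if list_type == DNF:
        # OR over groups, AND inside each group
        return any(all(g) for g in groups.values())
    # CNF: AND over groups, OR inside each group
    return all(any(g) for g in groups.values())


def run_actions(rule, actions):
    """Run (name, callable) pairs in order; return the names actually run.

    The default of 2 (Do all) is the one given in the attribute's DESC.
    """
    strategy = read_enum(rule, "pcimExecutionStrategy",
                         (UNTIL_SUCCESS, DO_ALL, UNTIL_FAILURE), default=DO_ALL)
    ran = []
    for name, action in actions:
        ok = bool(action())
        ran.append(name)
        if (strategy == UNTIL_SUCCESS and ok) or (strategy == UNTIL_FAILURE and not ok):
            break
    return ran


# Constructed sample data (not real directory entries).
RULE = {"pcimRuleName": "constructed-rule",
        "pcimConditionListType": "1", "pcimExecutionStrategy": "3"}
CONDS = [
    {"pcimConditionName": "c1", "pcimConditionGroupNumber": "1", "pcimConditionNegated": "FALSE"},
    {"pcimConditionName": "c2", "pcimConditionGroupNumber": "1", "pcimConditionNegated": "TRUE"},
    {"pcimConditionName": "c3", "pcimConditionGroupNumber": "2", "pcimConditionNegated": "FALSE"},
]
OUTCOME = {"c1": True, "c2": False, "c3": False}
ACTIONS = [("a1", lambda: True), ("a2", lambda: False), ("a3", lambda: True)]

if __name__ == "__main__":
    print("DNF:", conditions_met(RULE, CONDS, OUTCOME))
    print("CNF:", conditions_met({**RULE, "pcimConditionListType": "2"}, CONDS, OUTCOME))
    print("ran:", run_actions(RULE, ACTIONS))
```

   With the same three conditions the rule matches when read as DNF
   and does not match when read as CNF, which is why an undefined
   pcimConditionListType value is rejected here.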


5.7 The Structural Class pcimConditionAssociation

   This class is used to aggregate policy conditions in compound policy
   conditions or policy rules. It implements the
   PolicyConditionInPolicyRule and PolicyConditionInPolicyCondition
   aggregations. The pcimConditionAssociation class is used to aggregate
   policy conditions into pcimPolicyRule or
   pcimCompoundConditionAuxClass entries. Instances of this class are
   always subordinated to the aggregating pcimPolicyRule or
   pcimCompoundConditionAuxClass. The aggregation of a reusable instance
   of (subclass of) pcimConditionAuxClass is referenced via the
   pcimConditionDN attribute. A non-reusable instance of (subclass of)
   pcimConditionAuxClass is attached directly to the
   pcimConditionAssociation entry.

   If a pcimConditionAssociation instance has a pcimConditionAuxClass
   attached to it then the attribute pcimConditionDN SHOULD NOT be
   present in the same entry. However, if such a situation occurs, this
   attribute MUST be ignored.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimConditionAssociation'
     DESC 'This class contains attributes characterizing the
           relationship between a policy condition and one of its
           aggregators: pcimPolicyRule or pcimCompoundConditionAuxClass.
           It is used in the realization of a policy condition
           structure.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimConditionGroupNumber
          $ pcimConditionNegated )
     MAY ( pcimConditionName
         $ pcimConditionDN )
   )

   Its attributes are defined in section 5.4 of [PCLS].


5.8 The Structural Class pcimActionAssociation

   This class is used to aggregate policy actions in compound policy
   actions or policy rules. It implements the PolicyActionInPolicyRule
   and PolicyActionInPolicyAction aggregations. The
   pcimActionAssociation class is used to aggregate policy actions into
   pcimPolicyRule or pcimCompoundActionAuxClass entries. Instances of
   this class are always subordinated to the aggregating pcimPolicyRule
   or pcimCompoundActionAuxClass. The aggregation of a reusable instance
   of (subclass of) pcimActionAuxClass is referenced via the
   pcimActionDN attribute. A non-reusable instance of (subclass of)
   pcimActionAuxClass is attached directly to the pcimActionAssociation
   entry.

   If a pcimActionAssociation instance has a pcimActionAuxClass attached
   to it, then the attribute pcimActionDN SHOULD NOT be present in the
   same entry. However, if such a situation occurs, this attribute MUST
   be ignored.

   The class definition follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimActionAssociation'
     DESC 'This class contains attributes characterizing the
           relationship between a policy action and one of its
           aggregators. It is used in the realization of a
           policy action structure.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimActionOrder )
     MAY ( pcimActionName
         $ pcimActionDN )
   )

   Its attributes are defined in [PCLS].


5.9 The Three Deprecated Classes pcimRule

   The class pcimRule and its subclasses are replaced by pcimPolicyRule
   and its subclasses. Therefore pcimRule and its subclasses are
   deprecated.

   The following attributes, used only in the definition of the
   deprecated pcimRule object class, are also deprecated:
      pcimRuleConditionListType
      pcimRuleConditionList
      pcimRuleActionList
      pcimRulePriority
      pcimRuleSequencedActions


5.10 The Deprecated Class pcimRuleConditionAssociation.

   This class is replaced by the more flexible pcimConditionAssociation.


5.11 The Deprecated Class pcimRuleActionAssociation.

   This class is replaced by the more flexible pcimActionAssociation.


5.12 The Auxiliary Class pcimSimpleConditionAuxClass.

   This class indicates whether a specific <variable> matches a
   specific <value>. The "match" relationship is to be interpreted by
   analyzing the variable and value instances associated with the
   simple condition. Its two attributes realize the
   PolicyValueInSimplePolicyCondition and
   PolicyVariableInSimplePolicyCondition associations defined in
   [PCIM_EXT].

   A reusable variable / value is associated to a
   pcimSimpleConditionAuxClass via the pcimVariableDN / pcimValueDN
   reference from the simple condition entry. A non-reusable variable
   / value is associated directly as auxiliary object class to the
   pcimSimpleConditionAuxClass entry.

   If a pcimSimpleConditionAuxClass instance has a pcimVariable
   attached to it, then the attribute pcimVariableDN SHOULD NOT be
   present in the same entry. However, if such a situation occurs, this
   attribute MUST be ignored.

   If a pcimSimpleConditionAuxClass instance has a pcimValueAuxClass
   attached to it, then the attribute pcimValueDN SHOULD NOT be
   present in the same entry. However, if such a situation occurs, this
   attribute MUST be ignored.

   The class definition follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSimpleConditionAuxClass'
     DESC 'An auxiliary class that evaluates the matching between a
           value and a variable.'
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcimVariableDN
         $ pcimValueDN )
   )

   The pcimVariableDN attribute definition is:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVariableDN'
     DESC 'DN reference to a pcimVariable entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

   The pcimValueDN attribute definition is:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimValueDN'
     DESC 'DN reference to a pcimValueAuxClass entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

   An instance of pcimSimpleActionAuxClass and an instance of
   pcimSimpleConditionAuxClass MUST NOT be attached to the same
   entry. Because the two classes use the same mechanisms to
   associate Variables and Values, this restriction is necessary
   in order to avoid ambiguities.


5.13 The Auxiliary Class pcimCompoundConditionAuxClass.

   This class represents a compound policy condition, formed by
   aggregation of other policy conditions. A boolean attribute indicates
   whether the compounded conditions are to be interpreted as
   disjunctive normal form or conjunctive normal form.

   The class definition follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimCompoundConditionAuxClass'
     DESC 'An auxiliary class that represents a boolean combination
           of simpler conditions.'
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcimConditionListType
         $ pcimConditionList )
   )

   The attribute pcimConditionListType is used to specify whether the
   list of policy conditions associated with this compound policy
   condition is in disjunctive normal form (DNF) or conjunctive normal
   form (CNF). The attribute pcimConditionList is an unordered set of
   DN references to conditions aggregated in the compound condition.
   These attributes are defined in section 5.6.
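
   The following Python sketch is an added example, not part of the
   draft. It evaluates a compound condition from the
   pcimConditionGroupNumber and pcimConditionNegated values of its
   pcimConditionAssociation entries. The numeric encoding of
   pcimConditionListType (1 = DNF, 2 = CNF), the 'condition' key and
   the sample data are assumptions of the example.

```python
"""Evaluate a compound condition from its pcimConditionAssociation entries."""

DNF, CNF = 1, 2  # assumed pcimConditionListType encoding (not given in this section)


def ldap_bool(value):
    """Decode an LDAP Boolean ('TRUE' / 'FALSE'); reject anything else."""
    if isinstance(value, bool):
        return value
    if value in ("TRUE", "FALSE"):
        return value == "TRUE"
    raise ValueError("not an LDAP Boolean: %r" % (value,))


def evaluate_compound(list_type, associations, evaluate_leaf):
    """Return the truth value of a compound condition.

    associations: one dict per pcimConditionAssociation entry, holding
        'pcimConditionGroupNumber', 'pcimConditionNegated' and a
        'condition' key (hypothetical) that names the aggregated condition.
    evaluate_leaf: callable mapping that name to True or False.

    Groups are combined as in the core policy model: in DNF the conditions
    of a group are ANDed and the groups are ORed; in CNF the conditions of
    a group are ORed and the groups are ANDed.
    """
    if list_type not in (DNF, CNF):
        raise ValueError("unknown pcimConditionListType: %r" % (list_type,))
    if not associations:
        # Choice made by this example: an empty compound condition is an
        # error rather than silently true or false.
        raise ValueError("compound condition aggregates no conditions")

    groups = {}
    for assoc in associations:
        result = bool(evaluate_leaf(assoc["condition"]))
        if ldap_bool(assoc["pcimConditionNegated"]):
            result = not result
        group = int(assoc["pcimConditionGroupNumber"])
        groups.setdefault(group, []).append(result)

    if list_type == DNF:
        return any(all(terms) for terms in groups.values())
    return all(any(terms) for terms in groups.values())


# Constructed sample: (in branch net AND NOT telnet) / (admin host).
SAMPLE_ASSOCIATIONS = [
    {"pcimConditionGroupNumber": "1", "pcimConditionNegated": "FALSE",
     "condition": "src-in-branch-net"},
    {"pcimConditionGroupNumber": "1", "pcimConditionNegated": "TRUE",
     "condition": "dst-port-is-telnet"},
    {"pcimConditionGroupNumber": "2", "pcimConditionNegated": "FALSE",
     "condition": "src-is-admin-host"},
]


def sample_result(list_type, facts):
    """Evaluate the constructed sample against a dict of leaf results."""
    return evaluate_compound(list_type, SAMPLE_ASSOCIATIONS,
                             lambda name: facts[name])


if __name__ == "__main__":
    facts = {"src-in-branch-net": True, "dst-port-is-telnet": False,
             "src-is-admin-host": False}
    print("DNF:", sample_result(DNF, facts))
    print("CNF:", sample_result(CNF, facts))
```

   The same associations give different results under the two list
   types, so a consumer that guesses the list type can turn a
   restrictive condition into a permissive one.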


5.14 The Auxiliary Class pcimCompoundFilterAuxClass.

   This class represents a domain-level filter and it typically contains
   a set of simple conditions.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimCompoundFilterAuxClass'
     DESC 'A compound condition with mirroring capabilities for traffic
           characterization.'
     SUP pcimCompoundConditionAuxClass
     AUXILIARY
     MAY ( pcimIsMirrored )
   )

   The Attribute pcimIsMirrored:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIsMirrored'
     DESC 'Indicates whether traffic that mirrors the
           specified filter is to be treated as matching
           the filter.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )


5.15 The Auxiliary Class pcimSimpleActionAuxClass.

   This class overwrites an old value of the <variable> and sets the new
   <value>. Its two attributes realize the
   PolicyValueInSimplePolicyAction and
   PolicyVariableInSimplePolicyAction associations defined in
   [PCIM_EXT].

   A reusable variable / value is associated to a
   pcimSimpleActionAuxClass via the pcimVariableDN / pcimValueDN
   reference from the simple action entry. A non-reusable variable
   / value is associated directly as auxiliary object class to the
   pcimSimpleActionAuxClass entry.

   If a pcimSimpleActionAuxClass instance has a pcimVariable
   attached to it, then the attribute pcimVariableDN SHOULD NOT be
   present in the same entry. However, if such a situation occurs, this
   attribute MUST be ignored.

   If a pcimSimpleActionAuxClass instance has a pcimValueAuxClass
   attached to it, then the attribute pcimValueDN SHOULD NOT be
   present in the same entry. However, if such a situation occurs, this
   attribute MUST be ignored.

   The class definition is as follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSimpleActionAuxClass'
     DESC 'This class contains attributes characterizing the
           relationship between a Simple PolicyAction and one
           variable and one value.'
     SUP pcimActionAuxClass
     AUXILIARY
     MAY ( pcimVariableDN
         $ pcimValueDN )
   )

   The attributes are defined in section 5.12.

   An instance of pcimSimpleActionAuxClass and an instance of
   pcimSimpleConditionAuxClass MUST NOT be attached to the same
   entry. Because the two classes use the same mechanisms to
   associate Variables and Values, this restriction is necessary
   in order to avoid ambiguities.
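
   The following is an added example (not code from the draft) of how
   a consumer of these entries can apply the rules of sections 5.12
   and 5.15: a directly attached variable or value takes precedence
   and the corresponding DN attribute is ignored, and an entry carrying
   both simple classes is rejected. Entries are modelled as plain
   dictionaries; the simplified DN normalisation, the sample entries
   and the treatment of a missing or dangling reference as an error
   are assumptions of the example.

```python
"""Resolve the variable and value of a simple condition or simple action."""


class PolicyEntryError(ValueError):
    """The entry breaks a MUST / MUST NOT rule or cannot be resolved."""


_IMPLICIT = ("SourceIPv4 SourceIPv6 DestinationIPv4 DestinationIPv6 SourcePort "
             "DestinationPort IPProtocol IPVersion IPToS DSCP FlowId SourceMAC "
             "DestinationMAC VLAN CoS Ethertype SourceSAP DestinationSAP SNAPOUI "
             "SNAPType FlowDirection").split()
_VALUES = "IPv4Addr IPv6Addr MACAddr String BitString Integer Boolean".split()
# Object class names compare case-insensitively, so they are kept lowercased.
VARIABLE_CLASSES = {"pcimexplicitvariableauxclass",
                    "pcimimplicitvariableauxclass"} | {
    ("pcim%sVariableAuxClass" % name).lower() for name in _IMPLICIT}
VALUE_CLASSES = {"pcimvalueauxclass"} | {
    ("pcim%sValueAuxClass" % name).lower() for name in _VALUES}


def norm_dn(dn):
    """Simplified stand-in for distinguishedNameMatch (no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_directory(entries):
    """Index entries by normalised DN."""
    return {norm_dn(entry["dn"]): entry for entry in entries}


def _classes(entry):
    return {name.lower() for name in entry.get("objectClass", [])}


def _resolve_part(entry, directory, kinds, dn_attr, label, warnings):
    attached = _classes(entry) & kinds
    ref = entry.get(dn_attr)
    if attached:
        if ref is not None:
            # SHOULD NOT be present; if it is, it MUST be ignored.
            warnings.append("%s ignored: %s attached directly" % (dn_attr, label))
        return {"source": "attached", "dn": entry["dn"],
                "classes": sorted(attached)}
    if ref is None:
        raise PolicyEntryError("%s: no %s attached or referenced"
                               % (entry["dn"], label))
    target = directory.get(norm_dn(ref))
    if target is None:
        raise PolicyEntryError("%s: %s points to a missing entry"
                               % (entry["dn"], dn_attr))
    found = _classes(target) & kinds
    if not found:
        raise PolicyEntryError("%s: %s target is not a %s"
                               % (entry["dn"], dn_attr, label))
    return {"source": "reference", "dn": target["dn"], "classes": sorted(found)}


def resolve_simple(entry, directory):
    """Return kind, variable, value and warnings for one entry."""
    classes = _classes(entry)
    is_condition = "pcimsimpleconditionauxclass" in classes
    is_action = "pcimsimpleactionauxclass" in classes
    if is_condition and is_action:
        raise PolicyEntryError("%s: simple condition and simple action "
                               "attached to the same entry" % entry["dn"])
    if not (is_condition or is_action):
        raise PolicyEntryError("%s: not a simple condition or action"
                               % entry["dn"])
    warnings = []
    variable = _resolve_part(entry, directory, VARIABLE_CLASSES,
                             "pcimVariableDN", "variable", warnings)
    value = _resolve_part(entry, directory, VALUE_CLASSES,
                          "pcimValueDN", "value", warnings)
    return {"kind": "condition" if is_condition else "action",
            "variable": variable, "value": value, "warnings": warnings}


# Constructed sample entries; only the attributes the resolver reads are shown.
DIRECTORY = build_directory([
    {"dn": "cn=src-addr,cn=reusable,o=example",
     "objectClass": ["pcimSourceIPv4VariableAuxClass"]},
    {"dn": "cn=branch-net,cn=reusable,o=example",
     "objectClass": ["pcimIPv4AddrValueAuxClass"]},
    {"dn": "cn=c1,cn=rule1,o=example",           # both parts by reference
     "objectClass": ["pcimConditionAssociation", "pcimSimpleConditionAuxClass"],
     "pcimVariableDN": "CN=src-addr, cn=reusable, o=example",
     "pcimValueDN": "cn=branch-net,cn=reusable,o=example"},
    {"dn": "cn=c2,cn=rule1,o=example",           # attached parts, stray DN
     "objectClass": ["pcimConditionAssociation", "pcimSimpleConditionAuxClass",
                     "pcimDestinationPortVariableAuxClass",
                     "pcimIntegerValueAuxClass"],
     "pcimValueDN": "cn=branch-net,cn=reusable,o=example"},
    {"dn": "cn=bad,cn=rule1,o=example",          # violates the MUST NOT rule
     "objectClass": ["pcimSimpleConditionAuxClass", "pcimSimpleActionAuxClass"]},
])
```

   Logging the returned warnings makes stray pcimVariableDN and
   pcimValueDN attributes visible, which matters because two consumers
   that disagree on precedence would enforce different policies from
   the same entry.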


5.16 The Auxiliary Class pcimCompoundActionAuxClass.

   This class maps the CompoundPolicyAction class of the [PCIM_EXT].

   The class definition follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimCompoundActionAuxClass'
     DESC 'A class that aggregates simpler actions in a sequence
           with specific execution strategy.'
     SUP pcimActionAuxClass
     AUXILIARY
     MAY ( pcimActionList
         $ pcimSequencedActions
         $ pcimExecutionStrategy )
   )

   The attributes pcimSequencedActions, pcimExecutionStrategy and
   pcimActionList are defined in section 5.6.






5.17 The Abstract Class pcimVariable.

   Variables specify the property of a flow or an event that should be
   matched when evaluating the condition. A given variable selects the
   set of matchable values through the
   ExpectedPolicyValuesForVariable association.
   A pcimVariable entry may be associated to a set of pcimValueAuxClass
   entries that represent its expected values. The expected values for
   a variable may be indicated by:
      (1) pcimExpectedValueList references to reusable instances of
          pcimValueAuxClass or by
      (2) pcimExpectedValueList references to subordinated non-reusable
          instances of pcimValueAuxClass.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimVariable'
     DESC 'Base class for representing a variable whose actual
           value can be matched against or set to a specific value.'
     SUP top
     ABSTRACT
     MAY ( pcimVariableName
         $ pcimExpectedValueList )
   )

   The attribute pcimVariableName is a user-friendly name for the
   variable.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVariableName'
     DESC 'The user-friendly name of a variable.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcimExpectedValueList is an unordered set of DN
   references to subclasses of pcimValueAuxClass. It maps the [PCIM_EXT]
   ExpectedPolicyValuesForVariable association:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimExpectedValueList'
     DESC 'List of DN references to pcimValueAuxClass
           entries that represent the acceptable values.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )


5.18 The Auxiliary Class pcimExplicitVariableAuxClass

   The subclass pcimExplicitVariableAuxClass is defined as
   follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimExplicitVariableAuxClass'
     DESC 'Explicitly defined policy variable evaluated within the
           context of the CIM Schema.'
     SUP pcimVariable
     AUXILIARY
     MUST ( pcimVariableModelClass
          $ pcimVariableModelProperty )
   )

   The attribute pcimVariableModelClass is a string specifying the
   class name whose property is evaluated or set as a variable:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVariableModelClass'
     DESC 'Specifies a CIM class name or oid.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcimVariableModelProperty is a string specifying the
   attribute, within the pcimVariableModelClass, which is evaluated or
   set as a variable:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVariableModelProperty'
     DESC 'Specifies a CIM property name or oid.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )


5.19 The Auxiliary Class pcimImplicitVariableAuxClass

   The subclass pcimImplicitVariableAuxClass is defined as
   follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimImplicitVariableAuxClass'
     DESC 'Implicitly defined policy variables whose evaluation
           depends on the usage context. Subclasses specify
           the data type and semantics of the variables.'
     SUP pcimVariable
     AUXILIARY
     MUST ( pcimExpectedValueTypes )
   )

   The attribute pcimExpectedValueTypes is the direct mapping from the
   valueTypes property in the [PCIM_EXT] PolicyImplicitVariable class.
   This attribute represents a set of allowed value types to be used
   with this variable.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimExpectedValueTypes'
     DESC 'List of object class names or oids of subclasses
           of pcimValueAuxClass that define acceptable
           value types.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )


5.20 The Subclasses of pcimImplicitVariableAuxClass

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourceIPv4VariableAuxClass'
     DESC 'Source IP v4 address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourceIPv6VariableAuxClass'
     DESC 'Source IP v6 address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationIPv4VariableAuxClass'
     DESC 'Destination IP v4 address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationIPv6VariableAuxClass'
     DESC 'Destination IP v6 address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourcePortVariableAuxClass'
     DESC 'Source port'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationPortVariableAuxClass'
     DESC 'Destination port'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPProtocolVariableAuxClass'
     DESC 'IP protocol number'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPVersionVariableAuxClass'
     DESC 'IP version number'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPToSVariableAuxClass'
     DESC 'IP ToS'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDSCPVariableAuxClass'
     DESC 'DiffServ code point'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFlowIdVariableAuxClass'
     DESC 'Flow Identifier'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourceMACVariableAuxClass'
     DESC 'Source MAC address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationMACVariableAuxClass'
     DESC 'Destination MAC address'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimVLANVariableAuxClass'
     DESC 'VLAN'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimCoSVariableAuxClass'
     DESC 'Class of service'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimEthertypeVariableAuxClass'
     DESC 'Ethertype'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSourceSAPVariableAuxClass'
     DESC 'Source SAP'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimDestinationSAPVariableAuxClass'
     DESC 'Destination SAP'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSNAPOUIVariableAuxClass'
     DESC 'SNAP OUI'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimSNAPTypeVariableAuxClass'
     DESC 'SNAP type'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFlowDirectionVariableAuxClass'
     DESC 'Flow direction'
     SUP pcimImplicitVariableAuxClass
     AUXILIARY
   )


5.21 The Auxiliary Class pcimValueAuxClass.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimValueAuxClass'
     DESC 'Base class for representing a value that can be
           matched against or set for a specific variable.'
     SUP top
     AUXILIARY
     MAY ( pcimValueName )
   )

   The Attribute pcimValueName:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimValueName'
     DESC 'The user-friendly name of a value.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )


5.22 The Subclasses of pcimValueAuxClass.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPv4AddrValueAuxClass'
     DESC 'IP v4 address value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimIPv4AddrList )
   )

   The Attribute pcimIPv4AddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPv4AddrList'
     DESC 'List of IPv4 address values, ranges or hosts.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPv6AddrValueAuxClass'
     DESC 'IP v6 address value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimIPv6AddrList )
   )

   The Attribute pcimIPv6AddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPv6AddrList'
     DESC 'List of IPv6 address values, ranges or hosts.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimMACAddrValueAuxClass'
     DESC 'MAC address value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimMACAddrList )
   )

   The Attribute pcimMACAddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimMACAddrList'
     DESC 'List of MAC address values or ranges.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimStringValueAuxClass'
     DESC 'String value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimStringList )
   )

   The Attribute pcimStringList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimStringList'
     DESC 'List of strings or wildcarded strings.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimBitStringValueAuxClass'
     DESC 'Bit string value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimBitStringList )
   )

   The Attribute pcimBitStringList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimBitStringList'
     DESC 'List of bit strings or masked bit strings.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIntegerValueAuxClass'
     DESC 'Integer value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimIntegerList )
   )

   The Attribute pcimIntegerList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIntegerList'
     DESC 'List of integers or integer ranges.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimBooleanValueAuxClass'
     DESC 'Boolean value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MUST ( pcimBoolean )
   )

   The Attribute pcimBoolean:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimBoolean'
     DESC 'A boolean value.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )


5.23 The Three Classes pcimReusableContainer

   This class represents a container of reusable policy elements.
   The elements of a reusable container are aggregated via DIT
   containment. A reusable policy container can include the elements
   of other reusable policy containers by aggregating the container
   itself. This is realized by referencing the aggregated container
   by means of the attribute pcimReusableContainerList.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimReusableContainer'
     DESC 'A container for reusable policy information.'
     SUP dlm1AdminDomain
     ABSTRACT
     MAY ( pcimReusableContainerName
         $ pcimReusableContainerList )
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimReusableContainerAuxClass'
     DESC 'An auxiliary class that can be used to aggregate
           reusable policy information.'
     SUP pcimReusableContainer
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimReusableContainerInstance'
     DESC 'A structural class that can be used to aggregate
           reusable policy information.'
     SUP pcimReusableContainer
     STRUCTURAL
   )

   The Attribute pcimReusableContainerName:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimReusableContainerName'
     DESC 'The user-friendly name of a reusable policy container.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimReusableContainerList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimReusableContainerList'
     DESC 'List of DN references to pcimReusableContainer
           entries.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )


5.24 The Three Deprecated Classes pcimRepository.

   The pcimRepository and its subclasses are deprecated in favor of the
   pcimReusableContainer and its subclasses.


   The pcimRepositoryName attribute, used only in the definition of the
   deprecated pcimRepository object class, is also deprecated.


5.25 The Structural Class pcimRoleCollection.

   The pcimRoleCollection class creates the means for the association
   of policy roles to resources represented as LDAP entries.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimRoleCollection'
     DESC 'This class is used to group together entries
           that share the same role.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcimRole )
     MAY ( pcimRoleCollectionName
         $ pcimElementList )
   )

   The Attribute pcimRole:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimRole'
     DESC 'String representing a role.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimRoleCollectionName:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimRoleCollectionName'
     DESC 'The user-friendly name of a role collection.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimElementList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimElementList'
     DESC 'List of DN references to entries representing
           managed elements.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )


5.26 The Abstract Class pcimFilterEntry

   The abstract class pcimFilterEntry implements the FilterEntryBase
   class from [PCIM_EXT]. This class is the base class for defining
   message or packet filters.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFilterEntry'
     DESC 'This class is used as a base class for
           representing message or packet filters.'
     SUP pcimPolicy
     ABSTRACT
     MAY ( pcimFilterName
         $ pcimFilterIsNegated )
   )

   The Attribute pcimFilterName may be used as naming attribute for
   filter entries:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterName'
     DESC 'The user-friendly name of a filter.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcimFilterIsNegated indicates whether the specified
   criteria are to be negated or not in the process of matching a
   message or packet against the filter:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterIsNegated'
     DESC 'If TRUE, indicates that the filter matches all but
           the messages or packets that conform to the specified
           criteria. Default: FALSE.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )


5.27 The Structural Class pcimIPHeaders.

   The class pcimIPHeaders implements the IpHeadersFilter class of
   the [PCIM_EXT] model. It provides means for filtering traffic by
   values in the IP header. Optional attributes, if not specified, shall
   be treated as 'all values'.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimIPHeaders'
     DESC 'This class defines an IP header filter.'
     SUP pcimFilterEntry
     STRUCTURAL
     MAY ( pcimIPHdrVersion
         $ pcimIPHdrSourceAddress
         $ pcimIPHdrSourceAddressEndOfRange
         $ pcimIPHdrSourceMask
         $ pcimIPHdrDestAddress
         $ pcimIPHdrDestAddressEndOfRange
         $ pcimIPHdrDestMask
         $ pcimIPHdrProtocolID
         $ pcimIPHdrSourcePortStart
         $ pcimIPHdrSourcePortEnd
         $ pcimIPHdrDestPortStart
         $ pcimIPHdrDestPortEnd
         $ pcimIPHdrDSCPList
         $ pcimIPHdrFlowLabel )
   )

   The attribute pcimIPHdrVersion identifies the IP version and dictates
   the format for the IP version dependent attribute values in a
   pcimIPHeaders entry. These attributes are:
      pcimIPHdrSourceAddress
      pcimIPHdrSourceAddressEndOfRange
      pcimIPHdrSourceMask
      pcimIPHdrDestAddress
      pcimIPHdrDestAddressEndOfRange
      pcimIPHdrDestMask

   If a value for this attribute is not provided, then the filter does
   not consider IP version in selecting matching packets. In this case,
   IP version dependent attributes must not be present in the filter
   entry. The possible values of pcimIPHdrVersion are '4' and '6'.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrVersion'
     DESC 'The IP version.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourceAddress'
     DESC 'The IP source address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourceAddressEndOfRange'
     DESC 'The end of address range for the IP source address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourceMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourceMask'
     DESC 'The address mask for the IP source address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestAddress'
     DESC 'The IP destination address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestAddressEndOfRange'
     DESC 'The end of address range for the IP destination address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestMask'
     DESC 'The address mask for the IP destination address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcimIPHdrProtocolID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrProtocolID'
     DESC 'The IP protocol type.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourcePortStart:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourcePortStart'
     DESC 'The start of the source port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrSourcePortEnd:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrSourcePortEnd'
     DESC 'The end of the source port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestPortStart:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestPortStart'
     DESC 'The start of the destination port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcimIPHdrDestPortEnd:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDestPortEnd'
     DESC 'The end of the destination port range.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The multivalue attribute pcimIPHdrDSCPList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrDSCPList'
     DESC 'The DSCP values.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcimIPHdrFlowLabel:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimIPHdrFlowLabel'
     DESC 'The IP flow label.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )


5.28 The Structural Class pcim8021Headers.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcim8021Headers'
     DESC 'This class defines an 802.1 header filter.'
     SUP pcimFilterEntry
     STRUCTURAL
     MAY ( pcim8021HdrSourceMACAddress
         $ pcim8021HdrSourceMACMask
         $ pcim8021HdrDestMACAddress
         $ pcim8021HdrDestMACMask
         $ pcim8021HdrProtocolID
         $ pcim8021HdrPriority
         $ pcim8021HdrVLANID )
   )

   The attribute pcim8021HdrSourceMACAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrSourceMACAddress'
     DESC 'The source MAC address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrSourceMACMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrSourceMACMask'
     DESC 'The source MAC address mask.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrDestMACAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrDestMACAddress'
     DESC 'The destination MAC address.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrDestMACMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrDestMACMask'
     DESC 'The destination MAC address mask.'
     EQUALITY octetStringMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcim8021HdrProtocolID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrProtocolID'
     DESC 'The 802.1 protocol ID.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcim8021HdrPriority:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrPriority'
     DESC 'The 802.1 priority.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcim8021HdrVLANID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcim8021HdrVLANID'
     DESC 'The 802.1 VLAN ID.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )


5.29 The Auxiliary Class pcimFilterListAuxClass.

   This class represents a set of device-level filters aggregated
   in a policy condition. Therefore, instances of this class can be
   used in policy rules or as elements of more complex compound
   conditions. The aggregation EntriesInFilterList from the
   [PCIM_EXT] model is implemented by the multi-value attribute
   pcimFilterEntryList. The EntrySequence property of the aggregation
   EntriesInFilterList that is restricted to its default value ('0')
   in the [PCIM_EXT] model is redundant and therefore not implemented.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimFilterListAuxClass'
     DESC 'This class is used to aggregate filters
           represented as subclasses of pcimFilterEntry.'
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcimFilterListName
         $ pcimFilterDirection
         $ pcimFilterEntryList )
   )

   The attribute pcimFilterListName may be used as the naming
   attribute for filter lists:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterListName'
     DESC 'The user-friendly name of a filter list.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcimFilterDirection indicates the direction
   of the packets or messages relative to the interface where
   the filter is applied. The possible values are:
   NotApplicable(0), Input(1), Output(2), Both(3), Mirrored(4).

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterDirection'
     DESC 'The direction of the packets or messages
           to which this filter is to be applied.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcimFilterEntryList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimFilterEntryList'
     DESC 'List of DN references to pcimFilterEntry entries.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )
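
   The Integer syntax (1.3.6.1.4.1.1466.115.121.1.27) used by the port,
   DSCP, 802.1 and direction attributes above accepts any integer, so a
   consumer of these entries has to range-check the values itself. The
   following Python code is an added example, not part of this draft;
   the numeric bounds, the function name and the two sample entries are
   assumptions of the example.

```python
import re

# attribute -> (min, max, single_valued). The SINGLE-VALUE flags follow the
# attribute definitions in this draft; the numeric bounds are the widths of
# the underlying header fields and are an assumption of this example.
INT_RULES = {
    "pcimIPHdrProtocolID":      (0, 255, True),
    "pcimIPHdrSourcePortStart": (0, 65535, True),
    "pcimIPHdrSourcePortEnd":   (0, 65535, True),
    "pcimIPHdrDestPortStart":   (0, 65535, True),
    "pcimIPHdrDestPortEnd":     (0, 65535, True),
    "pcimIPHdrDSCPList":        (0, 63, False),
    "pcim8021HdrProtocolID":    (0, 65535, False),
    "pcim8021HdrPriority":      (0, 7, False),
    "pcim8021HdrVLANID":        (0, 4095, False),
    "pcimFilterDirection":      (0, 4, False),  # NotApplicable(0)..Mirrored(4)
}
PORT_RANGES = [
    ("pcimIPHdrSourcePortStart", "pcimIPHdrSourcePortEnd"),
    ("pcimIPHdrDestPortStart", "pcimIPHdrDestPortEnd"),
]
MAC_ATTRS = [
    "pcim8021HdrSourceMACAddress", "pcim8021HdrSourceMACMask",
    "pcim8021HdrDestMACAddress", "pcim8021HdrDestMACMask",
]
# LDAP Integer syntax: optional '-', no '+', no leading zeros, no whitespace.
LDAP_INTEGER = re.compile(r"(0|-?[1-9][0-9]*)\Z")


def _text(value):
    """LDAP libraries hand back bytes or str; compare as text."""
    return value.decode("ascii", "replace") if isinstance(value, bytes) else str(value)


def validate_filter_attrs(entry):
    """Return a list of problems; an empty list means the values are usable."""
    # Attribute descriptors are case-insensitive in LDAP.
    attrs = {name.lower(): list(values) for name, values in entry.items()}
    problems, parsed = [], {}
    for name, (low, high, single) in INT_RULES.items():
        values = attrs.get(name.lower(), [])
        if single and len(values) > 1:
            problems.append(f"{name}: {len(values)} values, SINGLE-VALUE expected")
        parsed[name] = []
        for raw in values:
            text = _text(raw)
            if not LDAP_INTEGER.match(text):
                problems.append(f"{name}: {text!r} is not an LDAP Integer")
            elif not low <= int(text) <= high:
                problems.append(f"{name}: {text} outside {low}..{high}")
            else:
                parsed[name].append(int(text))
    # An inverted range matches nothing; flag it instead of applying it.
    for start, end in PORT_RANGES:
        first, last = parsed[start], parsed[end]
        if len(first) == 1 and len(last) == 1 and first[0] > last[0]:
            problems.append(f"{start}: {first[0]} is greater than {end} {last[0]}")
    # MAC addresses and masks are OCTET STRINGs; 48 bits are expected.
    for name in MAC_ATTRS:
        for raw in attrs.get(name.lower(), []):
            if not isinstance(raw, bytes) or len(raw) != 6:
                problems.append(f"{name}: expected a 6-octet value")
    return problems


# Constructed sample entries (attribute name -> list of values).
GOOD_ENTRY = {
    "objectClass": ["pcimIPHeaders"],
    "pcimIPHdrProtocolID": ["6"],
    "pcimIPHdrDestPortStart": ["443"],
    "pcimIPHdrDestPortEnd": ["443"],
    "pcimIPHdrDSCPList": ["0", "46"],
}
BAD_ENTRY = {
    "pcimiphdrprotocolid": ["6"],
    "pcimIPHdrSourcePortEnd": ["70000"],
    "pcimIPHdrDestPortStart": ["8080"],
    "pcimIPHdrDestPortEnd": ["80"],
    "pcimIPHdrDSCPList": ["64"],
    "pcim8021HdrVLANID": ["0x10"],
    "pcimFilterDirection": ["5"],
    "pcim8021HdrSourceMACAddress": [b"\x00\x11\x22\x33\x44"],
}
```

   A policy consumer would call validate_filter_attrs() on every filter
   entry it reads and refuse to install a filter for which the returned
   list is not empty.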


5.30 The Auxiliary Class pcimVendorVariableAuxClass.

   This class provides a general extension mechanism for representing
   policy variables that have not been modeled with specific properties.
   Instead, its two properties are used to define the content and format
   of the variable, as explained below. This class is intended for
   vendor-specific extensions that are not amenable to using
   pcimVariable; standardized extensions SHOULD NOT use this class.

   The class definition is as follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimVendorVariableAuxClass'
     DESC 'A class that defines a registered means to describe a
           policy variable.'
     SUP pcimVariable
     AUXILIARY
     MAY ( pcimVendorVariableData $
           pcimVendorVariableEncoding )
   )

   The pcimVendorVariableData attribute is a multi-valued attribute. It
   provides a general mechanism for representing policy variables that
   have not been modeled as specific attributes. This information is
   encoded in a set of octet strings. The format of the octet strings is
   identified by the OID stored in the pcimVendorVariableEncoding
   attribute. This attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVendorVariableData'
     DESC 'Mechanism for representing variables that have not
           been modeled as specific attributes. Their format is
           identified by the OID stored in the attribute
           pcimVendorVariableEncoding.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
   )

   The pcimVendorVariableEncoding attribute is used to identify the
   format and semantics for the pcimVendorVariableData attribute. This
   attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVendorVariableEncoding'
     DESC 'An OID identifying the format and semantics for the
           pcimVendorVariableData for this instance.'
     EQUALITY objectIdentifierMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
     SINGLE-VALUE
   )


5.31 The Auxiliary Class pcimVendorValueAuxClass.

   This class provides a general extension mechanism for representing
   policy values that have not been modeled with specific properties.
   Instead, its two properties are used to define the content and format
   of the value, as explained below. This class is intended for
   vendor-specific extensions that are not amenable to using
   pcimValueAuxClass; standardized extensions SHOULD NOT use this class.

   The class definition is as follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcimVendorValueAuxClass'
     DESC 'A class that defines a registered means to describe a
           policy value.'
     SUP pcimValueAuxClass
     AUXILIARY
     MAY ( pcimVendorValueData $
           pcimVendorValueEncoding )
   )

   The pcimVendorValueData attribute is a multi-valued attribute. It
   provides a general mechanism for representing policy values that
   have not been modeled as specific attributes. This information is
   encoded in a set of octet strings. The format of the octet strings is
   identified by the OID stored in the pcimVendorValueEncoding
   attribute. This attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVendorValueData'
     DESC 'Mechanism for representing values that have not
           been modeled as specific attributes. Their format is
           identified by the OID stored in the attribute
           pcimVendorValueEncoding.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
   )

   The pcimVendorValueEncoding attribute is used to identify the
   format and semantics for the pcimVendorValueData attribute. This
   attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcimVendorValueEncoding'
     DESC 'An OID identifying the format and semantics for the
           pcimVendorValueData for this instance.'
     EQUALITY objectIdentifierMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
     SINGLE-VALUE
   )
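
   Both vendor classes (sections 5.30 and 5.31) list their data and
   encoding attributes under MAY, so an entry can carry octet strings
   with no encoding OID, or with one the consumer does not know. The
   following Python code is an added example, not part of this draft:
   a decoder that interprets the data only when the encoding OID is
   registered locally and rejects everything else. The two OIDs under
   the 2.999 example arc, their formats and the size limits are
   hypothetical.

```python
import re

# Dotted-decimal OID: first arc 0..2, at least two arcs, no leading zeros.
OID_SYNTAX = re.compile(r"[0-2](\.(0|[1-9][0-9]*))+\Z")
MAX_VALUES = 64        # assumed limit on values per entry
MAX_VALUE_LEN = 256    # assumed limit on octets per value


class VendorDataError(ValueError):
    """Raised when vendor data cannot be interpreted safely."""


def decode_u32_be(blob):
    """Hypothetical format: one unsigned 32-bit big-endian integer."""
    if len(blob) != 4:
        raise ValueError("expected exactly 4 octets")
    return int.from_bytes(blob, "big")


def decode_utf8(blob):
    """Hypothetical format: a UTF-8 string; malformed input raises."""
    return blob.decode("utf-8")


# Locally registered encodings. The OIDs are placeholders under 2.999.
DECODERS = {
    "2.999.1.1": decode_u32_be,
    "2.999.1.2": decode_utf8,
}


def decode_vendor_data(entry, data_attr="pcimVendorValueData",
                       enc_attr="pcimVendorValueEncoding"):
    """Decode every data value of an entry, or raise VendorDataError."""
    encodings = entry.get(enc_attr, [])
    if len(encodings) != 1:  # the encoding attribute is SINGLE-VALUE but optional
        raise VendorDataError(f"{enc_attr}: exactly one value required")
    oid = encodings[0]
    if isinstance(oid, bytes):
        oid = oid.decode("ascii", "replace")
    if not OID_SYNTAX.match(oid):
        raise VendorDataError(f"{enc_attr}: {oid!r} is not a numeric OID")
    decoder = DECODERS.get(oid)
    if decoder is None:
        raise VendorDataError(f"{enc_attr}: encoding {oid} is not registered")
    values = entry.get(data_attr, [])
    if len(values) > MAX_VALUES:
        raise VendorDataError(f"{data_attr}: too many values")
    decoded = []
    for blob in values:
        if not isinstance(blob, bytes) or len(blob) > MAX_VALUE_LEN:
            raise VendorDataError(f"{data_attr}: value is not a bounded octet string")
        try:
            decoded.append(decoder(blob))
        except ValueError as exc:
            raise VendorDataError(f"{data_attr}: {exc}") from exc
    return decoded


# Constructed sample entries.
SAMPLE_VALUE = {
    "pcimVendorValueEncoding": ["2.999.1.1"],
    "pcimVendorValueData": [b"\x00\x00\x01\xbb"],
}
SAMPLE_VARIABLE = {
    "pcimVendorVariableEncoding": ["2.999.1.2"],
    "pcimVendorVariableData": [b"edge-router"],
}
```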


6. Security Considerations

   This section builds on the security requirements of the previous
   [PCLS] documents and also takes into account the following RFCs,
   which address the same security aspects:

   RFC 2829 (Authentication Methods for LDAP)
   RFC 2830 (Lightweight Directory Access Protocol (v3): Extension for
             Transport Layer Security)

   These RFCs provide a general framework for the security architecture
   of the system. However, some comments have to be added as a
   consequence of the extensions included in this document and their
   relation to the [PCLS] document.

   The new scenarios considered here involve reusability and information
   containers located in other DITs; these conditions are expressed in
   section 4.4 of the [PCLS] document. As a consequence, new types of
   threats to the system have to be considered, and new security
   services have to be defined to protect against them. The following
   new security services are defined:

   1) Authentication between entities of the network
   2) Mutual authentication between network operator and network
      entities (e.g. DITs)
   3) Integrity and confidentiality of links between network entities
      and also in the LDAP directories.

   Several definitions and security mechanisms related to DITs can
   also be obtained from the following ITU specification: X.509, The
   Directory Authentication framework.

   Furthermore, obtaining the OIDs and attribute values from the DITs
   in a distributed scenario results in interaction between diverse
   network entities across changes of security domain and/or
   administrative domain.

   In this directory scenario, with migration of data, the use of the
   DSP (Directory Service Protocol) with query types such as referral,
   chaining and multicasting, and with different key management and
   authentication among network entities, would have to be considered.


7. IANA Considerations

7.1 Object Identifiers

   It is requested that IANA register an LDAP Object Identifier
   for use in this technical specification according to the
   following template:

   Subject: Request for LDAP OID Registration
   Person & email address to contact for further information:
   Mircea Pana (mpana@metasolv.com)
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:
      The assigned OID will be used as a base for identifying
      a number of schema elements defined in this document.


7.2 Object Identifier Descriptors

   It is requested that IANA register the LDAP Descriptors used
   in this technical specification as detailed in the following
   template:

   Subject: Request for LDAP Descriptor Registration Update
   Descriptor (short name): see comment
   Object Identifier: see comment
   Person & email address to contact for further information:
      Mircea Pana (mpana@metasolv.com)
   Usage: see comment
   Specification: RFC XXXX
   Author/Change Controller: IESG
   Comments:

   The following descriptors should be added:

   NAME                                    Type  OID
   --------------                          ----  ------------
   pcimPolicySet                           O     IANA-ASSIGNED-OID.1.x
   pcimPolicySetName                       A     IANA-ASSIGNED-OID.2.x
   pcimDecisionStrategy                    A     IANA-ASSIGNED-OID.2.x
   pcimPolicySetList                       A     IANA-ASSIGNED-OID.2.x
   pcimPolicySetAssociation                O     IANA-ASSIGNED-OID.1.x
   pcimPriority                            A     IANA-ASSIGNED-OID.2.x
   pcimPolicySetDN                         A     IANA-ASSIGNED-OID.2.x
   pcimPolicyRule                          O     IANA-ASSIGNED-OID.1.x
   pcimPolicyRuleAuxClass                  O     IANA-ASSIGNED-OID.1.x
   pcimPolicyRuleInstance                  O     IANA-ASSIGNED-OID.1.x
   pcimConditionListType                   A     IANA-ASSIGNED-OID.2.x
   pcimConditionList                       A     IANA-ASSIGNED-OID.2.x
   pcimActionList                          A     IANA-ASSIGNED-OID.2.x
   pcimSequencedActions                    A     IANA-ASSIGNED-OID.2.x
   pcimExecutionStrategy                   A     IANA-ASSIGNED-OID.2.x
   pcimConditionAssociation                O     IANA-ASSIGNED-OID.1.x
   pcimActionAssociation                   O     IANA-ASSIGNED-OID.1.x
   pcimSimpleConditionAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimVariableDN                          A     IANA-ASSIGNED-OID.2.x
   pcimValueDN                             A     IANA-ASSIGNED-OID.2.x
   pcimCompoundConditionAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimCompoundFilterAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimIsMirrored                          A     IANA-ASSIGNED-OID.2.x
   pcimSimpleActionAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimCompoundActionAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimVariable                            O     IANA-ASSIGNED-OID.1.x
   pcimVariableName                        A     IANA-ASSIGNED-OID.2.x
   pcimExpectedValueList                   A     IANA-ASSIGNED-OID.2.x
   pcimExplicitVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcimVariableModelClass                  A     IANA-ASSIGNED-OID.2.x
   pcimVariableModelProperty               A     IANA-ASSIGNED-OID.2.x
   pcimImplicitVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcimExpectedValueTypes                  A     IANA-ASSIGNED-OID.2.x
   pcimSourceIPv4VariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimSourceIPv6VariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimDestinationIPv4VariableAuxClass     O     IANA-ASSIGNED-OID.1.x
   pcimDestinationIPv6VariableAuxClass     O     IANA-ASSIGNED-OID.1.x
   pcimSourcePortVariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimDestinationPortVariableAuxClass     O     IANA-ASSIGNED-OID.1.x
   pcimIPProtocolVariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcimIPVersionVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimIPToSVariableAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcimDSCPVariableAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimFlowIdVariableAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimSourceMACVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimDestinationMACVariableAuxClass      O     IANA-ASSIGNED-OID.1.x
   pcimVLANVariableAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimCoSVariableAuxClass                 O     IANA-ASSIGNED-OID.1.x
   pcimEthertypeVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimSourceSAPVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimDestinationSAPVariableAuxClass      O     IANA-ASSIGNED-OID.1.x
   pcimSNAPOUIVariableAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcimSNAPTypeVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcimFlowDirectionVariableAuxClass       O     IANA-ASSIGNED-OID.1.x
   pcimValueAuxClass                       O     IANA-ASSIGNED-OID.1.x
   pcimValueName                           A     IANA-ASSIGNED-OID.2.x
   pcimIPv4AddrValueAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcimIPv4AddrList                        A     IANA-ASSIGNED-OID.2.x
   pcimIPv6AddrValueAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcimIPv6AddrList                        A     IANA-ASSIGNED-OID.2.x
   pcimMACAddrValueAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimMACAddrList                         A     IANA-ASSIGNED-OID.2.x
   pcimStringValueAuxClass                 O     IANA-ASSIGNED-OID.1.x
   pcimStringList                          A     IANA-ASSIGNED-OID.2.x
   pcimBitStringValueAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimBitStringList                       A     IANA-ASSIGNED-OID.2.x
   pcimIntegerValueAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimIntegerList                         A     IANA-ASSIGNED-OID.2.x
   pcimBooleanValueAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcimBoolean                             A     IANA-ASSIGNED-OID.2.x
   pcimReusableContainer                   O     IANA-ASSIGNED-OID.1.x
   pcimReusableContainerAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcimReusableContainerInstance           O     IANA-ASSIGNED-OID.1.x
   pcimReusableContainerName               A     IANA-ASSIGNED-OID.2.x
   pcimReusableContainerList               A     IANA-ASSIGNED-OID.2.x
   pcimRoleCollection                      O     IANA-ASSIGNED-OID.1.x
   pcimRole                                A     IANA-ASSIGNED-OID.2.x
   pcimRoleCollectionName                  A     IANA-ASSIGNED-OID.2.x
   pcimElementList                         A     IANA-ASSIGNED-OID.2.x
   pcimFilterEntry                         O     IANA-ASSIGNED-OID.1.x
   pcimFilterName                          A     IANA-ASSIGNED-OID.2.x
   pcimFilterIsNegated                     A     IANA-ASSIGNED-OID.2.x
   pcimIPHeaders                           O     IANA-ASSIGNED-OID.1.x
   pcimIPHdrVersion                        A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceAddress                  A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceAddressEndOfRange        A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourceMask                     A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestAddress                    A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestAddressEndOfRange          A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestMask                       A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrProtocolID                     A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourcePortStart                A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrSourcePortEnd                  A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestPortStart                  A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDestPortEnd                    A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrDSCPList                       A     IANA-ASSIGNED-OID.2.x
   pcimIPHdrFlowLabel                      A     IANA-ASSIGNED-OID.2.x
   pcim8021Headers                         O     IANA-ASSIGNED-OID.1.x
   pcim8021HdrSourceMACAddress             A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrSourceMACMask                A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrDestMACAddress               A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrDestMACMask                  A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrProtocolID                   A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrPriority                     A     IANA-ASSIGNED-OID.2.x
   pcim8021HdrVLANID                       A     IANA-ASSIGNED-OID.2.x
   pcimFilterListAuxClass                  O     IANA-ASSIGNED-OID.1.x
   pcimFilterListName                      A     IANA-ASSIGNED-OID.2.x
   pcimFilterDirection                     A     IANA-ASSIGNED-OID.2.x
   pcimFilterEntryList                     A     IANA-ASSIGNED-OID.2.x
   pcimVendorVariableAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcimVendorVariableData                  A     IANA-ASSIGNED-OID.2.x
   pcimVendorVariableEncoding              A     IANA-ASSIGNED-OID.2.x
   pcimVendorValueAuxClass                 O     IANA-ASSIGNED-OID.1.x
   pcimVendorValueData                     A     IANA-ASSIGNED-OID.2.x
   pcimVendorValueEncoding                 A     IANA-ASSIGNED-OID.2.x

   where Type A is Attribute, Type O is ObjectClass


8. Normative References

[CIM]      Distributed Management Task Force, Inc., "Common Information
           Model (CIM) Specification", Version 2.2, June 14, 1999. This
           document is available on the following DMTF web page:
           http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf

[CIM_LDAP] Distributed Management Task Force, Inc., "DMTF LDAP Schema
           for the CIM v2.5 Core Information Model", April 15, 2002.
           This document is available on the following DMTF web page:
           http://www.dmtf.org/standards/documents/DEN/DSP0123.pdf

[PCIM]     B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
           Model -- Version 1 Specification", RFC 3060, May, 2000.

[PCIM_EXT] B. Moore et al., "Policy Core Information Model (PCIM)
           Extensions", RFC 3460, January 2003.

[PCLS]     J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy Core
           LDAP Schema", Internet Draft, work in progress,
           draft-ietf-policy-core-schema-16.txt.


9. Informative References

[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119, March 1997.

[PROCESS]  Hovey, R., and S. Bradner, "The Organizations Involved in
           the IETF Standards Process", BCP 11, RFC 2028, October 1996.

[LDAP-IANA] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
           Considerations for the Lightweight Directory Access Protocol
           (LDAP)", BCP 64, RFC 3383, September 2002.


10. Authors' Addresses

   Angelica Reyes, Antoni Barba, David Moron
   Technical University of Catalonia
   Jordi-Girona 1-3
   08034 Barcelona
   Spain
   [angelica|telabm|dmoron]@mat.upc.es

   Marcus Brunner
   NEC Europe Ltd.
   Kurfuersten Anlage 34
   D-69115 Heidelberg
   Germany
   brunner@ccrle.nec.de

   Mircea Pana
   MetaSolv Software Inc.
   360 Legget Drive
   Ottawa, Ontario, Canada
   K2K 3N1
   mpana@metasolv.com


11. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.


12. Full Copyright Statement

  Copyright (C) The Internet Society (2003). All Rights Reserved.

  This document and translations of it may be copied and furnished to
  others, and derivative works that comment on or otherwise explain it
  or assist in its implementation may be prepared, copied, published
  and distributed, in whole or in part, without restriction of any
  kind, provided that the above copyright notice and this paragraph are
  included on all such copies and derivative works. However, this
  document itself may not be modified in any way, such as by removing
  the copyright notice or references to the Internet Society or other
  Internet organizations, except as needed for the purpose of
  developing Internet standards in which case the procedures for
  copyrights defined in the Internet Standards process must be
  followed, or as required to translate it into languages other than
  English.

  The limited permissions granted above are perpetual and will not be
  revoked by the Internet Society or its successors or assigns.

  This document and the information contained herein is provided on an
  "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
  TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
  BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
  HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
  MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.