[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 RFC 4104

Policy Framework Working Group                       Mircea Pana, Editor
INTERNET-DRAFT                                                  MetaSolv
Updates: draft-ietf-policy-core-schema-16                 Angelica Reyes
                                                  University Veracruzana
                                                            Antoni Barba
                                                             David Moron
                                       Technical University of Catalonia
                                                          Marcus Brunner
                                                                     NEC

                                                            January 2004

                 Policy Core Extension LDAP Schema (PCELS)
                <draft-reyes-policy-core-ext-schema-04.txt>

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema (RFC zzzz) based on the model extensions
   defined by RFC 3640. These changes and extensions consist of new LDAP
   object classes and attribute types. Some of the schema items defined
   in this document re-implement existing concepts in accordance with
   their new semantics modified by RFC 3640. The other schema items
   implement new concepts, not covered by RFC zzzz.
   This document updates RFC zzzz.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [KEYWORDS].




Pana, et al.               Expires: July 2004                  [page 1]

INTERNET-DRAFT                  PCELS                      January 2004


Table of contents

   1. Introduction.....................................................3
   2. Relationship to other Policy Framework Documents.................3
   3. Inheritance Hierarchy for PCELS..................................3
   4. General Discussion of Mapping the Policy Core Information
      Model Extensions to LDAP.........................................7
     4.1 Summary of Class and Association Mappings.....................7
     4.2 Summary of changes since PCLS................................11
     4.3 Impact on existing implementations
         of the Policy Core LDAP Schema...............................13
     4.4 The Association of PolicyVariable and PolicyValues
         to PolicySimpleCondition and PolicySimpleAction..............13
     4.5 The Aggregation of PolicyRules and PolicyGroups in
         PolicySets...................................................14
     4.6 The Aggregation of actions /conditions in PolicyRules and
         CompoundActions /CompoundConditions..........................16
   5. Class Definitions...............................................21
     5.1  The Class pcelsPolicySet....................................21
     5.2  The Structural Class pcelsPolicySetAssociation..............23
     5.3  The Three Classes pcelsRule.................................24
     5.4  The Structural Class pcelsConditionAssociation..............27
     5.5  The Structural Class pcelsActionAssociation.................28
     5.6  The Auxiliary Class pcelsSimpleConditionAuxClass............29
     5.7  The Auxiliary Class pcelsCompoundConditionAuxClass..........30
     5.8  The Auxiliary Class pcelsCompoundFilterAuxClass.............31
     5.9  The Auxiliary Class pcelsSimpleActionAuxClass...............31
     5.10  The Auxiliary Class pcelsCompoundActionAuxClass............32
     5.11 The Abstract Class pcelsVariable............................33
     5.12 The Auxiliary Class pcelsExplicitVariableAuxClass...........34
     5.13 The Auxiliary Class  pcelsImplicitVariableAuxClass..........35
     5.14 The Subclasses of pcelsImplicitVariableAuxClass.............36
     5.15 The Auxiliary Class pcelsValueAuxClass......................38
     5.16 The Subclasses of pcelsValueAuxClass........................39
     5.17 The Three Classes pcelsReusableContainer....................41
     5.18 The Structural Class pcelsRoleCollection....................43
     5.19 The Abstract Class pcelsFilterEntry.........................44
     5.20 The Structural Class pcelsIPHeaders.........................45
     5.21 The Structural Class pcels8021Headers.......................49
     5.22 The Auxiliary Class pcelsFilterListAuxClass.................51
     5.23 The Auxiliary Class pcelsVendorVariableAuxClass.............52
     5.24 The Auxiliary Class pcelsVendorValueAuxClass................53
   6. Security Considerations.........................................54
   7. IANA Considerations.............................................55
     7.1 Object Identifiers...........................................55
     7.2 Object Identifier Descriptors................................55
   8. Normative References............................................58
   9. Informative References..........................................58
   10. Authors' Addresses.............................................59
   11. Intellectual Property..........................................59
   12. Full Copyright Statement.......................................60



Pana, et al.               Expires: July 2004                  [page 2]

INTERNET-DRAFT                  PCELS                      January 2004


PLEASE NOTE:

   OIDs for the schema elements in this document have not been assigned.
   This note is to be removed by the RFC editor before publication. All
   uses of OIDs are indicated symbolically: for example,
   IANA-ASSIGNED-OID.1.1 is a placeholder that will be replaced by a
   real OID that is assigned by IANA before publication. For details on
   OID assignment see section 7 IANA Considerations.


1. Introduction

   This document defines a number of changes and extensions to the
   Policy Core LDAP Schema [PCLS] based on the specifications of the
   Policy Core Information Model Extensions [PCIM_EXT]. These changes
   and extensions consist of new LDAP [LDAP] object classes and
   attribute types. Some of the schema items defined in this document
   re-implement existing concepts in accordance with their new semantics
   modified by [PCIM_EXT]. The other schema items implement new
   concepts, not covered by [PCLS].

   Within the context of this document, the term 'PCELS' (Policy Core
   Extension LDAP Schema) is used to refer to the LDAP object class
   definitions and the associated recommendations contained in this
   document.


2. Relationship to other Policy Framework Documents

   This document contains an LDAP schema mapping for the classes
   defined in the Policy Core Information Model Extensions [PCIM_EXT].
   Other documents may subsequently be produced, with mappings of the
   same [PCIM] extensions to other storage or transport technologies.
   The document is an extension to [PCLS], which defines the mapping
   of the Policy Core Information Model [PCIM] to an LDAP schema.


3. Inheritance Hierarchy for PCELS

   The following diagram illustrates the combined class hierarchy for
   the LDAP object classes defined in [PCLS] and in this document:













Pana, et al.               Expires: July 2004                  [page 3]

INTERNET-DRAFT                  PCELS                      January 2004


   top
   |
   +---dlm1ManagedElement (abstract)
   |   |
   |   +---pcimPolicy (abstract)
   |   |   |
   |   |   +---pcelsPolicySet (abstract new)
   |   |   |   |
   |   |   |   +---pcelsRule (abstract new)
   |   |   |       |
   |   |   |       +---pcelsRuleAuxClass (auxiliary new)
   |   |   |       |
   |   |   |       +---pcelsRuleInstance (structural new)
   |   |   |
   |   |   +---pcimRule (abstract)
   |   |   |   |
   |   |   |   +---pcimRuleAuxClass (auxiliary)
   |   |   |   |
   |   |   |   +---pcimRuleInstance (structural)
   |   |   |
   |   |   +---pcimRuleConditionAssociation (structural)
   |   |   |   |
   |   |   |   +---pcelsConditionAssociation (structural new)
   |   |   |
   |   |   +---pcimRuleValidityAssociation (structural)
   |   |   |
   |   |   +---pcimRuleActionAssociation (structural)
   |   |   |   |
   |   |   |   +---pcelsActionAssociation (structural new)
   |   |   |
   |   |   +---pcelsPolicySetAssociation (structural new)
   |   |   |
   |   |   +---pcimPolicyInstance (structural)
   |   |   |
   |   |   +---pcimElementAuxClass (auxiliary)
   |   |   |
   |   |   +---pcelsRoleCollection (structural new)
   |   |   |
   |   |   +---pcelsFilterEntry (abstract new)
   |   |       |
   |   |       +---pcelsIPHeaders (structural new)
   |   |       |
   |   |       +---pcels8021Headers (structural new)
   |   |
   |   +---dlm1ManagedSystemElement (abstract)
   |       |
   |       +---dlm1LogicalElement (abstract)
   |           |
   |           +---dlm1System (abstract)
   |               |
   |               +---dlm1AdminDomain (abstract)
   |                   |


Pana, et al.               Expires: July 2004                  [page 4]

INTERNET-DRAFT                  PCELS                      January 2004


   |                   +---pcimRepository (abstract)
   |                       |
   |                       +---pcelsReusableContainer (abstract new)
   |                           |
   |                           +---pcelsReusableContainerAuxClass
   |                           |   (auxiliary new)
   |                           |
   |                           +---pcelsReusableContainerInstance
   |                               (structural new)
   |
   +---pcimConditionAuxClass (auxiliary)
   |   |
   |   +---pcimTPCAuxClass (auxiliary)
   |   |
   |   +---pcimConditionVendorAuxClass (auxiliary)
   |   |
   |   +---pcelsSimpleConditionAuxClass (auxiliary new)
   |   |
   |   +---pcelsCompoundConditionAuxClass (auxiliary new)
   |   |   |
   |   |   +---pcelsCompoundFilterAuxClass (auxiliary new)
   |   |
   |   +---pcelsFilterListAuxClass (auxiliary new)
   |
   +---pcimActionAuxClass (auxiliary)
   |   |
   |   +---pcimActionVendorAuxClass (auxiliary)
   |   |
   |   +---pcelsSimpleActionAuxClass (auxiliary new)
   |   |
   |   +---pcelsCompoundActionAuxClass (auxiliary new)
   |
   +---pcelsVariable (abstract new)
   |   |
   |   +---pcelsVendorVariableAuxClass (auxiliary new)
   |   |
   |   +---pcelsExplicitVariableAuxClass (auxiliary new)
   |   |
   |   +---pcelsImplicitVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsSourceIPv4VariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsSourceIPv6VariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsDestinationIPv4VariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsDestinationIPv6VariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsSourcePortVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsDestinationPortVariableAuxClass (auxiliary new)
   |       |


Pana, et al.               Expires: July 2004                  [page 5]

INTERNET-DRAFT                  PCELS                      January 2004


   |       +---pcelsIPProtocolVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsIPVersionVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsIPToSVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsDSCPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsFlowIdVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsSourceMACVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsDestinationMACVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsVLANVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsCoSVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsEthertypeVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsSourceSAPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsDestinationSAPVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsSNAPOUIVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsSNAPTypeVariableAuxClass (auxiliary new)
   |       |
   |       +---pcelsFlowDirectionVariableAuxClass (auxiliary new)
   |
   +---pcelsValueAuxClass (auxiliary new)
   |   |
   |   +---pcelsVendorValueAuxClass (auxiliary new)
   |   |
   |   +---pcelsIPv4AddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcelsIPv6AddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcelsMACAddrValueAuxClass (auxiliary new)
   |   |
   |   +---pcelsStringValueAuxClass (auxiliary new)
   |   |
   |   +---pcelsBitStringValueAuxClass (auxiliary new)
   |   |
   |   +---pcelsIntegerValueAuxClass (auxiliary new)
   |   |
   |   +---pcelsBooleanValueAuxClass (auxiliary new)
   |
   +---pcimSubtreesPtrAuxClass (auxiliary)
   |
   +---pcimGroupContainmentAuxClass (auxiliary)
   |


Pana, et al.               Expires: July 2004                  [page 6]

INTERNET-DRAFT                  PCELS                      January 2004


   +---pcimRuleContainmentAuxClass (auxiliary)


4. General Discussion of Mapping the Policy Core Information Model
   Extensions to LDAP

   The object classes described in this document contain certain
   optimizations for a directory that uses LDAP as an access protocol.
   One example is the use of auxiliary class attachment to LDAP entries
   to realize some of the associations defined in the information model.

   Note that other storage types might need to implement the association
   differently.


4.1 Summary of Class and Association Mappings

   The LDAP object classes defined in this document are a direct mapping
   from the corresponding classes and, in some cases, the associations
   defined in [PCIM_EXT]. Similarly, the LDAP attributes defined here
   are a direct mapping from the corresponding class properties. In some
   cases, associations defined in [PCIM_EXT] are simply mapped to
   reference attributes or realized through auxiliary class attachment.

   The classes pcelsVendorVariableAuxClass and pcelsVendorValueAuxClass
   are not mapped from [PCIM_EXT], they are new classes added in order
   to increase the framework's capability to store variables and values
   that have not been modeled with specific properties. Just like for
   any other schema elements defined in this document or in [PCLS], a
   particular submodel schema will not, in general, need to use vendor
   specific variable and value classes. Submodel schemas should apply
   the recommendations of section 5.10 of [PCIM_EXT] with regards to
   the supported and unsupported elements.

   While [PCLS] uses the prefix "pcim" for the schema items that it
   defines, the object class and attribute names defined in this
   document are prefixed "pcels".

















Pana, et al.               Expires: July 2004                  [page 7]

INTERNET-DRAFT                  PCELS                      January 2004


+----------------------------------------------------------------------+
| Information Model (PCIM_EXT)  | LDAP Class(es)                       |
+----------------------------------------------------------------------+
| PolicySet                     | pcelsPolicySet                       |
+----------------------------------------------------------------------+
| PolicyRule                    | pcelsRule                            |
|                               | pcelsRuleAuxClass                    |
|                               | pcelsRuleInstance                    |
+----------------------------------------------------------------------+
| PolicyGroup                   | pcelsPolicySet or pcelsRule          |
|                               | with no associated validity periods, |
|                               | conditions or actions                |
+----------------------------------------------------------------------+
| SimplePolicyCondition         | pcelsSimpleConditionAuxClass         |
+----------------------------------------------------------------------+
| CompoundPolicyCondition       | pcelsCompoundConditionAuxClass       |
+----------------------------------------------------------------------+
| CompoundFilterCondition       | pcelsCompoundFilterAuxClass          |
+----------------------------------------------------------------------+
| SimplePolicyAction            | pcelsSimpleActionAuxClass            |
+----------------------------------------------------------------------+
| CompoundPolicyAction          | pcelsCompoundActionAuxClass          |
+----------------------------------------------------------------------+
| PolicyVariable                | pcelsVariable                        |
+----------------------------------------------------------------------+
| --------------                | pcelsVendorVariableAuxClass          |
+-------------------------------+--------------------------------------+
| PolicyExplicitVariable        | pcelsExplicitVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyImplicitVariable        | pcelsImplicitVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicySourceIPv4Variable      | pcelsSourceIPv4VariableAuxClass      |
+----------------------------------------------------------------------+
| PolicySourceIPv6Variable      | pcelsSourceIPv6VariableAuxClass      |
+----------------------------------------------------------------------+
| PolicyDestinationIPv4Variable | pcelsDestinationIPv4VariableAuxClass |
+----------------------------------------------------------------------+
| PolicyDestinationIPv6Variable | pcelsDestinationIPv6VariableAuxClass |
+----------------------------------------------------------------------+
| PolicySourcePortVariable      | pcelsSourcePortVariableAuxClass      |
+----------------------------------------------------------------------+
| PolicyDestinationPortVariable | pcelsDestinationPortVariableAuxClass |
+----------------------------------------------------------------------+
| PolicyIPProtocolVariable      | pcelsIPProtocolVariableAuxClass      |
+----------------------------------------------------------------------+
| PolicyIPVersionVariable       | pcelsIPVersionVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyIPToSVariable           | pcelsIPToSVariableAuxClass           |
+----------------------------------------------------------------------+
| PolicyDSCPVariable            | pcelsDSCPVariableAuxClass            |
+----------------------------------------------------------------------+
| PolicyFlowIDVariable          | pcelsFlowIDVariableAuxClass          |


Pana, et al.               Expires: July 2004                  [page 8]

INTERNET-DRAFT                  PCELS                      January 2004


+----------------------------------------------------------------------+
| PolicySourceMACVariable       | pcelsSourceMACVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyDestinationMACVariable  | pcelsDestinationMACVariableAuxClass  |
+----------------------------------------------------------------------+
| PolicyVLANVariable            | pcelsVLANVariableAuxClass            |
+----------------------------------------------------------------------+
| PolicyCoSVariable             | pcelsCoSVariableAuxClass             |
+----------------------------------------------------------------------+
| PolicyEthertypeVariable       | pcelsEthertypeVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicySourceSAPVariable       | pcelsSourceSAPVariableAuxClass       |
+----------------------------------------------------------------------+
| PolicyDestinationSAPVariable  | pcelsDestinationSAPVariableAuxClass  |
+----------------------------------------------------------------------+
| PolicySNAPOUIVariable         | pcelsSNAPOUIVariableAuxClass         |
+----------------------------------------------------------------------+
| PolicySNAPTypeVariable        | pcelsSNAPTypeVariableAuxClass        |
+----------------------------------------------------------------------+
| PolicyFlowDirectionVariable   | pcelsFlowDirectionVariableAuxClass   |
+----------------------------------------------------------------------+
| PolicyValue                   | pcelsValueAuxClass                   |
+----------------------------------------------------------------------+
| -------------                 | pcelsVendorValueAuxClass             |
+-------------------------------+--------------------------------------+
| PolicyIPv4AddrValue           | pcelsIPv4AddrValueAuxClass           |
+----------------------------------------------------------------------+
| PolicyIPv6AddrValue           | pcelsIPv6AddrValueAuxClass           |
+----------------------------------------------------------------------+
| PolicyMACAddrValue            | pcelsMACAddrValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyStringValue             | pcelsStringValueAuxClass             |
+----------------------------------------------------------------------+
| PolicyBitStringValue          | pcelsBitStringValueAuxClass          |
+----------------------------------------------------------------------+
| PolicyIntegerValue            | pcelsIntegerValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyBooleanValue            | pcelsBooleanValueAuxClass            |
+----------------------------------------------------------------------+
| PolicyRoleCollection          | pcelsRoleCollection                  |
+----------------------------------------------------------------------+
| ReusablePolicyContainer       | pcelsReusableContainer               |
|                               | pcelsReusableContainerAuxClass       |
|                               | pcelsReusableContainerInstance       |
+----------------------------------------------------------------------+
| FilterEntryBase               | pcelsFilterEntry                     |
+----------------------------------------------------------------------+
| IPHeadersfilter               | pcelsIPHeaders                       |
+----------------------------------------------------------------------+
| 8021Filter                    | pcels8021Headers                     |
+----------------------------------------------------------------------+
| FilterList                    | pcelsFilterListAuxClass              |


Pana, et al.               Expires: July 2004                  [page 9]

INTERNET-DRAFT                  PCELS                      January 2004


+----------------------------------------------------------------------+


+----------------------------------------------------------------------+
| Information Model Association    | LDAP Attribute / Class            |
+----------------------------------------------------------------------+
| PolicySetComponent               | pcelsPolicySetComponentList in    |
|                                  | pcelsPolicySet and                |
|                                  | pcelsPolicySetDN in               |
|                                  | pcelsPolicySetAsociation          |
+----------------------------------------------------------------------+
| PolicySetInSystem                | DIT Containment and               |
|                                  | pcelsPolicySetDN in               |
|                                  | pcelsPolicySetAsociation          |
+----------------------------------------------------------------------+
| PolicyGroupInSystem              | (see PolicySetInSystem)           |
+----------------------------------------------------------------------+
| PolicyRuleInSystem               | (see PolicySetInSystem)           |
+----------------------------------------------------------------------+
| PolicyConditionStructure         | pcimConditionDN in                |
|                                  | pcelsConditionAssociation         |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyRule      | pcelsConditionList in             |
|                                  | pcelsRule and                     |
|                                  | pcimConditionDN in                |
|                                  | pcelsConditionAssociation         |
+----------------------------------------------------------------------+
| PolicyConditionInPolicyCondition | pcelsConditionList in             |
|                                  | pcelsCompoundConditionAuxClass    |
|                                  | and pcimConditionDN in            |
|                                  | pcelsConditionAssociation         |
+----------------------------------------------------------------------+
| PolicyActionStructure            | pcimActionDN in                   |
|                                  | pcelsActionAssociation            |
+----------------------------------------------------------------------+
| PolicyActionInPolicyRule         | pcelsActionList in                |
|                                  | pcelsRule and                     |
|                                  | pcimActionDN in                   |
|                                  | pcelsActionAssociation            |
+----------------------------------------------------------------------+
| PolicyActionInPolicyAction       | pcelsActionList in                |
|                                  | pcelsCompoundActionAuxClass       |
|                                  | and pcimActionDN in               |
|                                  | pcelsActionAssociation            |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcelsVariableDN in                |
| Condition                        | pcelsSimpleConditionAuxClass      |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicy        | pcelsValueDN in                   |
| Condition                        | pcelsSimpleConditionAuxClass      |
+----------------------------------------------------------------------+
| PolicyVariableInSimplePolicy     | pcelsVariableDN in                |


Pana, et al.               Expires: July 2004                 [page 10]

INTERNET-DRAFT                  PCELS                      January 2004


| Action                           | pcelsSimpleActionAuxClass         |
+----------------------------------------------------------------------+
| PolicyValueInSimplePolicyAction  | pcelsValueDN in                   |
|                                  | pcelsSimpleActionAuxClass         |
+----------------------------------------------------------------------+
| ReusablePolicy                   | DIT containment                   |
+----------------------------------------------------------------------+
| ExpectedPolicyValuesForVariable  | pcelsExpectedValueList in         |
|                                  | pcelsVariable                     |
+----------------------------------------------------------------------+
| ContainedDomain                  | DIT containment or                |
|                                  | pcelsReusableContainerList in     |
|                                  | pcelsReusableContainer            |
+----------------------------------------------------------------------+
| EntriesInFilterList              | pcelsFilterEntryList in           |
|                                  | pcelsFilterListAuxClass           |
+----------------------------------------------------------------------+
| ElementInPolicyRoleCollection    | DIT containment or                |
|                                  | pcelsElementList in               |
|                                  | pcelsRoleCollection               |
+----------------------------------------------------------------------+
| PolicyRoleCollectionInSystem     | DIT Containment                   |
+----------------------------------------------------------------------+


4.2 Summary of changes since PCLS

   This section provides an overview of the changes relative to [PCLS]
   defined in this document:

   1. The concept of an ordered set of policies is introduced by means
   of two new object classes, pcelsPolicySet and
   pcelsPolicySetAssociation. These classes enable the aggregation and
   relative prioritization of policies (rules and /or groups). The
   attribute pcelsPriority used by the pcelsPolicySetAssociation object
   class indicates the relative priority of the aggregated components.
   The new policy aggregation mechanism provides an alternative to the
   aggregation mechanism defined by [PCLS] (pcimRuleContainmentAuxClass
   and /or pcimGroupContainmentAuxClass attaches to a pcimGroup).

   2. The attribute pcimRoles defined by [PCLS] is used here by the
   pcelsPolicySet object class. Thus, the role based policy selection
   mechanism is extended to all the subclasses of pcelsPolicySet.

   3. A new attribute pcelsDecisionStrategy is added on the
   pcelsPolicySet class as a mapping from the decision mechanism.








Pana, et al.               Expires: July 2004                 [page 11]

INTERNET-DRAFT                  PCELS                      January 2004


   4. A new class pcelsRule (with two subclasses), implements the
   modified semantics of the PolicyRule in accordance with [PCIM_EXT].
   This new class does not include an absolute priority attribute but
   pcelsRule entries can be prioritized relative to each other within
   a System (behavior inherited from its superior: pcelsPolicySet).
   The pcelsRule class also inherits from pcelsPolicySet the ability to
   aggregate other policy rules or groups. Hence, the ability to
   construct nested rule structures of arbitrary complexity.

   5. A new attribute pcelsExecutionStrategy is added to the
   pcelsRule and pcelsCompoundActionAuxClass classes to allow the
   specification of the expected behavior in case of multiple actions
   aggregated by a rule or by a compound action.

   6. Compound Conditions: The pcelsCompoundConditionAuxClass class is
   added in order to map the CompoundPolicyCondition class. A new class,
   pcelsConditionAssociation realizes the aggregation of policy
   conditions in a pcelsCompoundConditionAuxClass. The same association
   class is used to aggregate policy conditions in a pcelsRule.

   7. Compound Actions: The pcelsCompoundActionAuxClass class is
   added in order to map the CompoundPolicyAction class. A new class,
   pcelsActionAssociation realizes the aggregation of policy actions in
   a pcelsCompoundActionAuxClass. The same association class is used to
   aggregate policy actions in a pcelsRule.

   8. Simple Conditions, Simple Actions, Variables and Values: The
   simple condition, simple action, variable and value classes defined
   by [PCIM_EXT] are directly mapped to LDAP object classes. These are:
   pcelsSimpleConditionAuxClass, pcelsSimpleActionAuxClass,
   pcelsVariable and its subclasses, and pcelsValueAuxClass and its
   subclasses.

   9. A general extension mechanism is introduced for representing
   policy variables and values that have not been specifically modeled.
   The mechanism is intended for vendor-specific extensions.

   10. Reusable Policy Repository: A new class (with two subclasses),
   pcelsReusableContainer is created as a subclass of pcimRepository.
   While maintaining compatibility with older [PCLS] implementations,
   the addition of this class acknowledges the intent of [PCIM_EXT] to
   avoid the potential for confusion with the Policy Framework component
   named Policy Repository. The new class enables many-to-many
   associations between reusable policy containers.

   11. The ReusablePolicy association defined in [PCIM_EXT] is realized
   through subordination to a (subclass of) pcelsReusableContainer.
   Thus, reusable policy components (groups, rules, conditions, actions,
   variables and values) are may be defined as stand-alone entries or
   stand-alone groups of related entries subordinated (DIT contained)
   to a pcelsReusableContainer.



Pana, et al.               Expires: July 2004                 [page 12]

INTERNET-DRAFT                  PCELS                      January 2004


   12. Device level filter classes are added to the schema.

   13. The pcelsRoleCollection class is added to the schema to allow
   the association of policy roles to resources represented as LDAP
   entries.


4.3 Impact on existing implementations of the Policy Core LDAP Schema

   In general, the intent of PCELS is to extend the functionality
   offered by the Policy Core LDAP Schema. For the most part, the
   compatibility with [PCLS] is preserved. The few cases where
   compatibility can not be achieved due to fundamental changes imposed
   by [PCIM_EXT], are defined here as alternatives to the original
   implementation.

   PCELS does not obsolete nor deprecates the concepts implemented by
   [PCLS]. The new LDAP schema items are defined in this document in a
   way that avoids, to the extent possible, interference into the normal
   operation of a reasonably well executed implementation of [PCLS].
   The intent is to permit at least a harmless coexistence of the two
   models in the same data repository.

   It should be noted, however, that the PCELS introduces the following
   changes that may have an impact on some [PCLS] implementations:

   1. Some attributes originally used only by pcimRule are now also used
   by classes unknown to [PCLS] implementations (pcelsPolicySet and
   pcelsRule). In particular the attribute pcimRoles is also used by
   pcelsPolicySet for role based policy selection.

   2. Condition and action association classes originally used by only
   pcimRule are now used (through subclasses) by pcelsRule as well.

   3. pcimRepository containers may include entries of types unknown to
   [PCLS] implementations.

   When the choice exists, PCELS implementations SHOULD support the
   new schema and MAY also support the one defined by [PCLS]. For
   example, if PolicyRule support is required, an implementation SHOULD
   be able to read or read-write (as applicable) pcelsRule entires. The
   same implementation MAY be able to read or read-write pcimRule.

   Note: The provisions of section 5.10. "Conformance to PCIM and PCIMe"
   of [PCIM_EXT] apply to the LDAP schema items defined this document as
   well as to [PCLS].


4.4 The Association of PolicyVariable and PolicyValues
    to PolicySimpleCondition and PolicySimpleAction




Pana, et al.               Expires: July 2004                 [page 13]

INTERNET-DRAFT                  PCELS                      January 2004


   A PolicySimpleCondition as well as a PolicySimpleAction includes a
   single PolicyValue and a single PolicyVariable. Each of them can be
   attached or referenced by a DN.

   The attachment helps create compact PolicyCondition and PolicyAction
   definitions that can be efficiently provisioned and retrieved from
   the repository. On the other hand, referenced PolicyVariables and
   PolicyValues instances can be reused in the construction of multiple
   policies and permit the administrative partitioning of the data and
   policy definitions.


4.5 The Aggregation of PolicyRules and PolicyGroups in PolicySets

   In [PCIM_EXT], the two aggregations PolicyGroupInPolicyGroup and
   PolicyRuleInPolicyGroup, are combined into a single aggregation
   PolicySetComponent. This aggregation and the capability of
   association between a policy and the ReusablePolicyContainer offer
   new possibilities of reusability. Furthermore, these aggregations
   introduce new semantics representing the execution of one PolicyRule
   within the scope of another PolicyRule.

   Since PolicySet is defined in [PCIM_EXT], it is mapped in this
   document to a new class pcelsPolicySet in order to provide an
   abstraction for a set of policy rules or groups. The aggregation
   class PolicySetComponent in [PCIM_EXT] is mapped to a multi-value
   attribute pcelsPolicySetList in the pcelsPolicySet class and the
   attribute pcelsPolicySetDN in the pcelsPolicySetAssociation. These
   attributes refer to the nested rules and groups.

   It is possible to store a rule /group nested in an other rule /group
   in two ways. The first way is to define the nested rule /group as
   specific to the nesting rule /group. The second way is to define the
   nested rules /groups as reusable.

   First case: Specific nested sets (rules /groups).

                 +----------+
                 |Rule/Group|
                 |          |
           +-----|-        -|-----+
           |     +----------+     |
           |       *      *       |
           |       *      *       |
           |    ****      ****    |
           |    *            *    |
           v    *            *    v
         +-----------+   +-----------+
         | SA1+Set1  |   | SA2+Set2  |
         +-----------+   +-----------+




Pana, et al.               Expires: July 2004                 [page 14]

INTERNET-DRAFT                  PCELS                      January 2004


                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   Set#: pcelsRuleAuxClass auxiliary class.
   SA#: pcelsPolicySetAssocation structural class.

   The nesting pcelsPolicySet refers to instances of
   pcelsPolicySetAssociation using the attribute pcelsPolicySetList.
   These structural association classes are subordinated (DIT contained)
   to the pcelsPolicySet (rule or group) entry and represent the
   association between the set (rule or group) and its nested rules/
   groups. The nested pcelsPolicySet instances are attached (as
   auxiliary classes) to the association entries.

   Second case: Reusable nested sets (rules /groups).

                +----------+             +-------------+
                |Rule/Group|             | ContainerX  |
              +-|-        -|--+          |             |
              | +----------+  |          +-------------+
              |   *      *    |             *        *
              | ***      **** |             *        *
              | *           * v             *        *
              | *          +---+            *        *
              | *          |SA2|         +-------+   *
              v *          |  -|-------->|S1+Set2|   *
             +---+         +---+         +-------+   *
             |SA1|                               +-------+
             |  -|------------------------------>|S2+Set3|
             +---+                               +-------+

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   Set#: pcelsRuleAuxClass auxiliary class.
   SA#: PolicySetAssocation structural class.
   S#: structural class.








Pana, et al.               Expires: July 2004                 [page 15]

INTERNET-DRAFT                  PCELS                      January 2004


   The nesting pcelsPolicySet refers to instances of
   pcelsPolicySetAssociation using the attribute pcelsPolicySetList.
   These structural association classes are subordinated (DIT contained)
   to the pcelsPolicySet entry and represent the association between
   the set (rule or group) and its nested rules /groups. The reusable
   rules /groups are instantiated here as auxiliary classes and attached
   to pcimPolicyInstance entries in the reusable container. An other
   option is to use the structural subclasses for defining reusable
   rules /groups. The association classes belonging to a nesting policy
   set are reference the reusable rules /groups using the attribute
   pcelsPolicySetDN.

   A combination of both specific and reusable components is also
   allowed for the same policy set.


4.6 The Aggregation of actions /conditions in PolicyRules and
    CompoundActions /CompoundConditions

   [PCIM_EXT] defines two new classes that offer the designer the
   capability of creating more complex conditions and actions.
   CompoundPolicyCondition and CompoundPolicyActionclasses are mapped
   in this document to pcelsCompoundConditionAuxClass and
   pcelsCompoundActionAuxClass classes that are subclasses of
   pcimConditionAuxClass/pcimActionAuxClass. The compound conditions
   /actions defined in [PCIM_EXT] extend the capability of the rule to
   associate, group and evaluate conditions /execute actions. The
   conditions /actions are associated to compounds conditions /actions
   in the same way as they are associated to the rules.

   In this section it is explained how to store instances of these
   classes in an LDAP Directory. As a general rule, specific
   conditions /actions are subordinated (DIT contained) to the rule or
   compound condition /action that aggregates them and are attached
   to association class instances. Reusable conditions /actions, are
   subordinated to pcelsReusableContainer instances and attached to
   pcimPolicyInstance instances.

   The examples below illustrate the four possible cases combining
   specific /reusable compound /non-compound condition /action. The rule
   has two compound conditions, each one has two different conditions.
   The schemes can be extended in order to store actions.

   The examples below are based on and extend those illustrated in
   the section 4.4 of [PCLS].

   - First case: Specific compound condition /action with specific
   conditions /actions.






Pana, et al.               Expires: July 2004                 [page 16]

INTERNET-DRAFT                  PCELS                      January 2004


                         +--------------+
                  +------|     Rule     |------+
                  |      +--------------+      |
                  |           *    *           |
                  |   *********    *********   |
                  v   *                    *   v
                 +---------+          +---------+
               +-| CA1+cc1 |-+      +-| CA2+cc2 |-+
               | +---------+ |      | +---------+ |
               |     * *     |      |     * *     |
               |  **** ****  |      |  **** ****  |
               v  *       *  v      v  *       *  v
              +------+ +------+    +------+ +------+
              |CA3+c1| |CA4+c2|    |CA5+c3| |CA6+c4|
              +------+ +------+    +------+ +------+

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcelsConditionAssociation structural class.
   cc#: pcelsCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.

   Because the compound conditions /actions are specific to the Rule,
   They are auxiliary attachments to instances of the structural
   classes pcelsConditionAssociation or pcelsActionAssociation. These
   structural classes represent the association between the rule and
   the compound condition /action . The rule specific conditions
   /actions are therefore subordinated (DIT contained) to the rule
   entry.

   The conditions /actions are tied to the compound conditions /actions
   in the same way the compound conditions /actions are tied to rules.
   Association classes realize the association between the aggregating
   compound conditions /actions and the specific conditions /actions.

   - Second case: Rule specific compound conditions /actions with
   reusable conditions /actions.











Pana, et al.               Expires: July 2004                 [page 17]

INTERNET-DRAFT                  PCELS                      January 2004


           +-------------+                   +---------------+
    +------|     Rule    |-----+             |  ContainerX   |
    |      +-------------+     |             +---------------+
    |           *    *         |              *    *    *   *
    |           *    *         |           ****    *    *   *
    |   *********    ********  |           *       *    *   ********
    |   *                   *  v           *       *    *          *
    |   *               +---------+        *       *    ****       *
    |   *             +-| CA2+cc2 |-+      *       *       *       *
    |   *             | +---------+ |      *       *       *       *
    v   *             |    *  *     |      *       *       *       *
   +---------+        | ****  ****  |      *       *       *       *
 +-| CA1+cc1 |-+      | *        *  v      *       *       *       *
 | +---------+ |      | *     +------+  +-----+    *       *       *
 |    *  *     |      v *     |  CA6 |->|S1+c4|    *       *       *
 | ****  ****  |     +------+ +------+  +-----+ +-----+    *       *
 | *        *  v     |  CA5 |------------------>|S2+c3|    *       *
 | *      +------+   +------+                   +-----+ +-----+    *
 v *      |  CA4 |------------------------------------->|S3+c2|    *
 +------+ +------+                                      +-----+ +-----+
 |  CA3 |------------------------------------------------------>|S4+c1|
 +------+                                                       +-----+

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcelsConditionAssociation structural class.
   cc#: pcelsCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.
   S#: structural class

   This case is similar to the first one. The conditions /actions are
   reusable so they are not attached to the association classes but they
   are attached to structural classes in the reusable container. The
   association classes tie the conditions /actions in located in a
   reusable container to their aggregators using DN references.

   -Third case: Reusable compound condition /action with specific
   conditions /actions.










Pana, et al.               Expires: July 2004                 [page 18]

INTERNET-DRAFT                  PCELS                      January 2004


        +--------------+                  +--------------+
        |     Rule     |                  |  RepositoryX |
    +---+--------------+----+             +--------------+
    |        *     *        |                  *    *
    |  *******     *******  |           ********    ********
    |  *                 *  v           *                  *
    |  *            +----------+    +---------+            *
    |  *            |   CA2    |--->| S1+cc2  |            *
    |  *            +----------+  +-+---------+-+          *
    |  *                          |     * *     |          *
    |  *                          |  **** ****  |          *
    |  *                          v  *       *  v          *
    |  *                         +------+ +------+         *
    |  *                         |CA5+c3| |CA6+c4|         *
    v  *                         +------+ +------+         *
  +----------+                                          +---------+
  |   CA1    |----------------------------------------->| S2+cc1  |
  +----------+                                        +-+---------+-+
                                                      |     * *     |
                                                      |  **** ****  |
                                                      v  *       *  v
                                                     +------+ +------+
                                                     |CA3+c1| |CA4+c2|
                                                     +------+ +------+

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcelsConditionAssociation structural class.
   cc#: pcelsCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.
   S#: structural class

   Re-usable compound conditions /actions are attached to structural
   classes and stored in a reusable policy container. They are related
   to the rule through a DN reference attribute in the association
   classes.

   Specific conditions /actions are attached to association entries and
   subordinated (DIT contained) to the aggregating compound
   conditions /actions.

   -Fourth case: Reusable conditions /actions and compound
   conditions /actions.





Pana, et al.               Expires: July 2004                 [page 19]

INTERNET-DRAFT                  PCELS                      January 2004


          +------+          +---------------+    +---------------+
    +-----| Rule |-----+    |  ContainerX   |    |  ContainerY   |
    |     +------+     |    +---------------+    +---------------+
    |      *    *      |         *     *           *   *   *   *
    | ******    ****** |       ***     ***       ***   *   *   *****
    | *              * v       *         *       *     *   *       *
    | *          +-------+  +------+     *       *     *   ***     *
    | *          |  CA2  |->|S1+ca1|     *       *     *     *     *
    | *          +-------+  +------+     *       *     *     *     *
    | *                    /  *  *  \    *       *     *     *     *
    | *                    |**   ** |    *       *     *     *     *
    | *                    |*     * v    *       *     *     *     *
    | *                    |*   +---+    *    +-----+  *     *     *
    | *                    |*   |CA6|----*--->|S3+c4|  *     *     *
    | *                    v*   +---+    *    +-----+  *     *     *
    | *                  +---+           *          +-----+  *     *
    | *                  |CA5|-----------*--------->|S4+c3|  *     *
    v *                  +---+           *          +-----+  *     *
  +-------+                           +------+               *     *
  |  CA1  |-------------------------->|S2+cc1|               *     *
  +-------+                           +------+               *     *
                                     /  *  *  \              *     *
                                     | **  ** |              *     *
                                     | *    * v              *     *
                                     | *  +---+           +-----+  *
                                     | *  |CA4|---------->|S5+c2|  *
                                     v *  +---+           +-----+  *
                                    +---+                      +-----+
                                    |CA3|--------------------->|S6+c1|
                                    +---+                      +-----+

                       +------------------------------+
                       |LEGEND:                       |
                       |  ***** DIT containment       |
                       |    +   auxiliary attachment  |
                       |  ----> DN reference          |
                       +------------------------------+

   #: Number.
   CA#: pcelsConditionAssociation structural class.
   cc#: pcelsCompoundConditionAuxClass auxiliary class.
   c#: subclass of pcimConditionAuxClass.
   S#: structural class

   All the conditions /actions are reusable so they are stored in
   reusable containers. The figure above illustrates two different
   reusable policy containers but the number of containers in the
   system is decided based on administrative reasons. The conditions,
   actions, etc. may be stored in the same container or in different
   containers with no impact on the policy definition semantics.




Pana, et al.               Expires: July 2004                 [page 20]

INTERNET-DRAFT                  PCELS                      January 2004


5. Class Definitions

   The semantics for the policy information classes that are to be
   mapped directly from the information model to an LDAP representation
   are detailed in [PCIM_EXT]. Consequently, this document presents only
   a brief reference to those semantics. The focus here is on the
   mapping from the information model (which is independent of
   repository type and access protocol) to a form that can be accessed
   using LDAP. For various reasons including LDAP specific optimization,
   this mapping is not always 1:1. Some new classes and attributes
   needed to be created (that were not part of [PCIM] or [PCIM_EXT]) to
   implement the LDAP mapping. These new LDAP-only classes are fully
   defined in this document.

   The following notes apply to this section in its entirety.

   Note 1: The formal language for specifying the classes, attributes,
   and DIT structure and content rules is that defined in [LDAP_SYNTAX].
   In the following definitions, the class and attribute definitions
   follow [LDAP_SYNTAX] but they are line-wrapped to enhance human
   readability.

   Note 2: Even though not explicitly noted in the following class and
   attribute definitions, implementations may define DIT structure and
   content rules where applicable and supported by the underlying LDAP
   infrastructure. In such cases, the DIT structure rule considerations
   presented by section 5 of [PCLS] must be applied to PCELS as well.
   The reasons and details are presented in [X.501].

   Note 3: Wherever possible, both an equality and a substring matching
   rule are defined for a particular attribute (as well as an ordering
   match rule to enable sorting of matching results). This provides
   additional implementation flexibility.

   Note 4: The following attribute definitions use only LDAP matching
   rules and syntax definitions from [LDAP_SYNTAX], [LDAP_SCHEMA] and
   [LDAP_MATCH]. The corresponding X.500 matching rules are defined in
   [X.520].

   Note 5: Some of the following attribute definitions specify
   additional constraints on various data types (e.g., this integer has
   values that are valid from 1..10). Text has been added to instruct
   servers and applications what to do if a value outside of this range
   is encountered. In all cases, if a constraint is violated, then the
   policy rule(s) /group(s) SHOULD be treated as being disabled, meaning
   that execution of the policy rule(s) /group(s) SHOULD be stopped.


5.1 The Class pcelsPolicySet





Pana, et al.               Expires: July 2004                 [page 21]

INTERNET-DRAFT                  PCELS                      January 2004


   The abstract class PolicySet is introduced in [PCIM_EXT] to
   provide an abstraction for an ordered set of rules /groups. This is
   mapped here to the pcelsPolicySet object class and may be used for
   identifying group and rule entries. A pcelsPolicySet instance
   aggregates other pcelsPolicySet instances using association entries.
   The association entries enable relative ordering of the aggregated
   pcelsPolicySet instances within the scope of the aggregating
   pcelsPolicySet.

   The pcelsPolicySetList attribute of a pcelsPolicySet instance
   references subordinated pcelsPolicySetAssociation entries.
   The aggregated pcelsPolicySet instances are either attached to the
   pcelsPolicySetAssociation entries as auxiliary object classes or
   referenced by the pcelsPolicySetAssociation instances using the
   pcelsPolicySetDN attribute.

   The definition of the abstract class pcelsPolicySet follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsPolicySet'
     DESC 'Abstract class that represents an ordered set of policies.'
     SUP pcimPolicy
     ABSTRACT
     MAY ( pcelsPolicySetName
         $ pcelsDecisionStrategy
         $ pcimRoles
         $ pcelsPolicySetList )
   )

   One of the attributes of the pcelsPolicySet class, pcimRoles is
   defined in the section 5.3 of [PCLS]. In the pcelsPolicySet class
   the pcimRole attribute preserves its syntax and semantics as defined
   by [PCLS] and [PCIM].

   The attribute pcelsPolicySetName may be used as naming attribute for
   pcelsPolicySet entries:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsPolicySetName'
     DESC 'The user-friendly name of a policy set.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcelsDecisionStrategy is used to define the evaluation
   method among the rules in the policy set and is mapped directly from
   the PolicyDecisionStrategy property defined in [PCIM_EXT].




Pana, et al.               Expires: July 2004                 [page 22]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsDecisionStrategy'
     DESC 'The evaluation method used for the components of a
           in the pcelsPolicySet. Valid values: 1 (FirstMatching),
           2 (AllMatching). Default value: 1.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcelsPolicySetList is used to realize the
   PolicySetComponent aggregation.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsPolicySetList'
     DESC 'List of DN references to pcelsPolicySetAssociation
           entries used to aggregate policy sets.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   Note: For compatibility with [PCIM_EXT] that deprecates the
   aggregations PolicyRuleInPolicyGroup and PolicyGroupInPolicyGroup,
   the policy aggregation mechanism provided here by the classes
   pcelsPolicySet and pcelsPolicySetAssociation SHALL be used instead
   of the classes pcimGroup, pcimRuleContainmentAuxClass and
   pcimGroupContainmentAuxClass which are defined by [PCLS].


5.2 The Structural Class pcelsPolicySetAssociation

   The pcelsPolicySetAssociation class is used to aggregate instances
   of pcelsPolicySet into other entries. Instances of the
   pcelsPolicySetAssociation class are always subordinated to the
   aggregating entry. When subordinated to a (subclass of)
   pcelsPolicySet, it realizes a (subclass of) PolicySetComponent
   aggregation. When subordinated to (subclass of) dlm1System, the
   pcelsPolicySetAssociation realizes a PolicySetInSystem association.

   The aggregation of a reusable instance of a (subclass of)
   pcelsPolicySet is referenced via the pcelsPolicySetDN attribute. A
   non-reusable instance of (subclass of) pcelsPolicySet is attached as
   auxiliary class directly to the pcelsPolicySetAssociation entry.

   If a pcelsPolicySetAssociation instance has a pcelsPolicySet attached
   to it then the attribute pcelsPolicySetDN SHOULD NOT be present in
   the same entry. However, if such situation occurs this attribute MUST
   be ignored.





Pana, et al.               Expires: July 2004                 [page 23]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsPolicySetAssociation'
     DESC 'Structural class that contains attributes characterizing
           the relationship between a policy set and one of its
           components.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcelsPriority )
     MAY ( pcelsPolicySetName
         $ pcelsPolicySetDN )
   )

   The Attribute pcelsPriority:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsPriority'
     DESC 'Policy priority. Valid values: any non-negative integer.
           Default value: 0.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The Attribute pcelsPolicySetDN:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsPolicySetDN'
     DESC 'DN reference to a pcelsPolicySet entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )


5.3 The Three Classes pcelsRule

   The pcelsRule is the base class representing policy rules.
   It re-implements the PolicyRule class with the new semantics
   specified by [PCIM_EXT], therefore without an absolute priority
   attribute but with the means to aggregate other policy (sub)rules.
   The former functionality is inherited from its superclass,
   the pcelsPolicySet.

   This class shares the Condition/Action aggregation methods with the
   pcelsCompoundConditionAuxClass and pcelsCompoundActionAuxClass
   object classes.







Pana, et al.               Expires: July 2004                 [page 24]

INTERNET-DRAFT                  PCELS                      January 2004


   If a pcelsRule instance has a pcimConditionAuxClass attached to
   it then the attribute pcelsConditionList SHOULD NOT be present in the
   same entry for the purpose of associating other conditions to the
   rule. However, when such situation occurs the referenced conditions
   MUST NOT be considered as associated to the rule.

   If a pcelsRule instance has a pcimActionAuxClass attached to it
   then the attribute pcelsActionList should not be present in the same
   entry for the purpose of associating other actions to the rule.
   However, when such situation occurs the referenced actions must not
   be considered as associated to the rule.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsRule'
     DESC 'The base class for representing the "If Condition then
           Action" semantics associated with a Policy Rule'
     SUP pcelsPolicySet
     ABSTRACT
     MAY ( pcimRuleName
         $ pcimRuleEnabled
         $ pcimRuleValidityPeriodList
         $ pcimRuleUsage
         $ pcimRuleMandatory
         $ pcelsConditionListType
         $ pcelsConditionList
         $ pcelsActionList
         $ pcelsSequencedActions
         $ pcelsExecutionStrategy )
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsRuleAuxClass'
     DESC 'An auxiliary class for representing the "If Condition
           then Action" semantics associated with a policy rule.'
     SUP pcelsRule
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsRuleInstance'
     DESC 'A structural class for representing the "If Condition
           then Action" semantics associated with a policy rule.'
     SUP pcelsRule
     STRUCTURAL
   )

   Five of the attributes used by the pcelsRule class are defined
   in the section 5.3 of [PCLS]. These attributes are: pcimRuleName,
   pcimRuleEnabled, pcimRuleValidityPeriodList, pcimRuleUsage and
   pcimRuleMandatory. In the pcelsRule object class, these attributes
   preserve their syntax and semantics as defined by [PCLS] and [PCIM].



Pana, et al.               Expires: July 2004                 [page 25]

INTERNET-DRAFT                  PCELS                      January 2004


   The attributes pcimRuleConditionListType, pcimRuleConditionList,
   pcimRuleActionList and pcimRuleSequencedActions defined in [PCLS] are
   not used by pcelsRule. Instead, this class uses the new attributes
   pcelsConditionListType, pcelsConditionList, pcelsActionList and
   pcelsSequencedActions that are also used for similar purpose by
   either pcelsCompoundConditionAuxClass or pcelsCompoundActionAuxClass.

   The attribute definitions are:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsConditionListType'
     DESC 'Indicates whether the list of aggregated conditions is in
           disjunctive or in conjunctive normal form. Valid values:
           1 (Disjunctive), 2 (Conjunctive). Default value: 1.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsConditionList'
     DESC 'Unordered set of DN references to pcelsConditionAssociation
           entries used to aggregate policy conditions.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsActionList'
     DESC 'Unordered set of DN references to pcelsActionAssociation
           entries used to aggregate policy actions.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsSequencedActions'
     DESC 'Indicates whether the ordered execution of
           actions in an aggregate is Mandatory, Recommended
           or DontCare. Valid Values: 1 (Mandatory), 2(Recommended)
           3 (DontCare). Default value: 3.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The new attribute pcelsExecutionStrategy is a direct mapping of the
   ExecutionStrategy property in the [PCIM_EXT]'s PolicyRule class.




Pana, et al.               Expires: July 2004                 [page 26]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsExecutionStrategy'
     DESC 'Indicates the execution strategy to be used upon an action
           aggregate. Valid values: 1 (Do until success]), 2 (Do all)
           and 3 (Do until failure). Default value: 2.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   Note 1: [PCLS] implements the PolicyRuleValidityPeriod aggregation
   defined by [PCIM] using the attribute pcimRuleValidityPeriodList, the
   class pcimRuleValidityAssociation, (optionally) the attribute
   pcimTimePeriodCondition and the class pcimTPCAuxClass. This mechanism
   is reused here in the context of the pcelsRule object class. As
   result, the class pcimRuleValidityAssociation SHOULD be expected
   (and allowed) to have instances of pcelsRule as superior entries.

   Note 2: The PolicyGroup redefined by [PCIM_EXT] is not explicitly
   mapped to an object class. Instead, for representing ordered sets of
   policy rules, implementations SHALL use pcelsRule instances with no
   associated validity periods, policy conditions or policy actions. If
   submodels define specific PolicyGroup classes, such classes SHOULD
   derive directly from the pcelsPolicySet object class.

   Note 3: For compatibility with [PCIM_EXT] that deprecates the
   absolute priority mechanism, the class pcelsRule SHALL be used
   instead of the class pcimRule defined by [PCLS].


5.4 The Structural Class pcelsConditionAssociation

   The pcelsConditionAssociation class is used to aggregate policy
   conditions in pcelsRule or in pcelsCompoundConditionAuxClass.
   Instances of this class are always subordinated to the aggregating
   pcelsRule or pcelsCompoundConditionAuxClass. When subordinated
   to a pcelsRule, the pcelsConditionAssociation implements the
   PolicyConditionInPolicyRule aggregation defined by [PCIM_EXT]. When
   subordinated to a pcelsCompoundConditionAuxClass, the
   pcelsConditionAssociation implements the
   PolicyConditionInPolicyCondition aggregation defined by [PCIM_EXT].

   The aggregation of a reusable instance of (subclass of)
   pcimConditionAuxClass is referenced via the pcimConditionDN
   attribute. A non-reusable instance of (subclass of)
   pcimConditionAuxClass is attached directly to the
   pcelsConditionAssociation entry.






Pana, et al.               Expires: July 2004                 [page 27]

INTERNET-DRAFT                  PCELS                      January 2004


   If a pcelsConditionAssociation instance has a pcimConditionAuxClass
   attached to it then the attribute pcimConditionDN SHOULD NOT be
   present in the same entry. However, if such situation occurs this
   attribute MUST be ignored.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsConditionAssociation'
     DESC 'This class contains attributes characterizing the
           relationship between a policy condition and one of its
           aggregators: pcelsRule or
           pcelsCompoundConditionAuxClass. It is used in the
           realization of a policy condition structure.'
     SUP pcimRuleConditionAssociation
     STRUCTURAL
   )

   This class extends the semantics of the pcimRuleConditionAssociation
   object class without using any new attributes. All its attributes are
   inherited from the pcimRuleConditionAssociation that is defined in
   section 5.4 of [PCLS].


5.5 The Structural Class pcelsActionAssociation

   The pcelsActionAssociation class is used to aggregate policy
   actions in pcelsRule or in pcelsCompoundActionAuxClass.
   Instances of this class are always subordinated to the aggregating
   pcelsRule or pcelsCompoundActionAuxClass. When subordinated
   to a pcelsRule, the pcelsActionAssociation implements the
   PolicyActionInPolicyRule aggregation defined by [PCIM_EXT]. When
   subordinated to a pcelsCompoundActionAuxClass, the
   pcelsActionAssociation implements the
   PolicyActionInPolicyAction aggregation defined by [PCIM_EXT].

   The aggregation of a reusable instance of (subclass of)
   pcimActionAuxClass is referenced via the pcimActionDN
   attribute. A non-reusable instance of (subclass of)
   pcimActionAuxClass is attached directly to the
   pcelsActionAssociation entry.

   If a pcelsActionAssociation instance has a pcimActionAuxClass
   attached to it then the attribute pcimActionDN SHOULD NOT be
   present in the same entry. However, if such situation occurs this
   attribute MUST be ignored.










Pana, et al.               Expires: July 2004                 [page 28]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsActionAssociation'
     DESC 'This class contains attributes characterizing the
           relationship between a policy action and one of its
           aggregators: pcelsRule or
           pcelsCompoundActionAuxClass. It is used in the
           realization of a policy action structure.'
     SUP pcimRuleActionAssociation
     STRUCTURAL
   )

   This class extends the semantics of the pcimRuleActionAssociation
   object class without using any new attributes. All its attributes are
   inherited from the pcimRuleActionAssociation that is defined in
   section 5.6 of [PCLS].


5.6 The Auxiliary Class pcelsSimpleConditionAuxClass.

   This class implements a Value matching condition for a Variable.
   The "match" relationship is to be interpreted by analyzing
   the variable and value instances associated with the simple
   condition. Its two attributes realize the
   PolicyValueinSimplePolicyCondition and
   PolicyVariableinSimplePolicyCondition associations defined in
   [PCIM_EXT].

   A reusable variable / value is associated to a
   pcelsSimpleConditionAuxClass via the pcelsVariableDN / pcelsValueDN
   reference from the simple condition entry. A non-reusable variable
   / value is associated directly as auxiliary object class to the
   pcelsSimpleConditionAuxClass entry.

   If a pcelsSimpleConditionAuxClass instance has a pcelsVariable
   attached to it then the attribute pcelsVariableDN SHOULD NOT be
   present in the same entry. However, if such situation occurs this
   attribute MUST be ignored.
   If a pcelsSimpleConditionAuxClass instance has a pcelsValueAuxClass
   attached to it then the attribute pcelsValueDN SHOULD NOT be
   present in the same entry. However, if such situation occurs this
   attribute MUST be ignored.

   The class definition follows:











Pana, et al.               Expires: July 2004                 [page 29]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsSimpleConditionAuxClass'
     DESC 'An auxiliary class that evaluates the matching between a
           value and a variable'.
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcelsVariableDN
         $ pcelsValueDN )
   )

   The pcelsVariableDN attribute definition is:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsVariableDN'
     DESC 'DN reference to a pcelsVariable entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

   The pcelsValueDN attribute definition is:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsValueDN'
     DESC 'DN reference to a pcelsValueAuxClass entry.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
     SINGLE-VALUE
   )

   Note: An instance of pcelsSimpleActionAuxClass and an instance of
   pcelsSimpleConditionAuxClass MUST NOT be attached to a same
   entry. Because the two classes use the same mechanisms to
   associate Variables and Values, this restriction is necessary
   in order to avoid ambiguities.


5.7 The Auxiliary Class pcelsCompoundConditionAuxClass.

   This class represents a compound policy condition, formed by
   aggregation of other policy conditions. A boolean attribute indicates
   whether the compounded conditions are to be interpreted as
   disjunctive normal form or conjunctive normal form.

   The class definition follows:









Pana, et al.               Expires: July 2004                 [page 30]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsCompoundConditionAuxClass'
     DESC 'An auxiliary class that represents a boolean combination
           of simpler conditions'.
     SUP pcimConditionAuxClass
     AUXILIARY
     MAY ( pcelsConditionListType
         $ pcelsConditionList )
   )

   The attribute pcelsConditionListType is used to specify whether the
   list of policy conditions associated with this compound policy
   condition is in disjunctive normal form (DNF) or conjunctive normal
   form (CNF). The attribute pcelsConditionList is an unordered set of
   DN references to conditions aggregated in the compound condition.
   These attributes are defined in section 5.3.


5.8 The Auxiliary Class pcelsCompoundFilterAuxClass.

   This class represents a domain-level filter and it typically contains
   a set of simple conditions.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsCompoundFilterAuxClass'
     DESC 'A compound condition with mirroring capabilities for traffic
           characterization.'
     SUP pcelsCompoundConditionAuxClass
     AUXILIARY
     MAY ( pcelsIsMirrored )
   )

   The Attribute pcelsIsMirrored:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIsMirrored'
     DESC 'Indicates whether traffic that mirrors the
           specified filter is to be treated as matching
           the filter. Default value: FALSE.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )


5.9 The Auxiliary Class pcelsSimpleActionAuxClass.

   This class implements the action of assigning a Value to a Variable.
   Its two attributes realize the PolicyValueInSimplePolicyAction and
   PolciyVariableInSimplePolicyAction associations defined in
   [PCIM_EXT].



Pana, et al.               Expires: July 2004                 [page 31]

INTERNET-DRAFT                  PCELS                      January 2004


   A reusable variable / value is associated to a
   pcelsSimpleActionAuxClass via the pcelsVariableDN / pcelsValueDN
   reference from the simple action entry. A non-reusable variable
   / value is associated directly as auxiliary object class to the
   pcelsSimpleActionAuxClass entry.

   If a pcelsSimpleActionAuxClass instance has a pcelsVariable
   attached to it then the attribute pcelsVariableDN SHOULD NOT be
   present in the same entry. However, if such situation occurs this
   attribute MUST be ignored.
   If a pcelsSimpleActionAuxClass instance has a pcelsValueAuxClass
   attached to it then the attribute pcelsValueDN SHOULD NOT be
   present in the same entry. However, if such situation occurs this
   attribute MUST be ignored.

   The class definition is as follows:
   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsSimpleActionAuxClass'
     DESC 'This class contains attributes characterizing the
           relationship between a Simple PolicyAction and one
           variable and one value.'
     SUP pcimActionAuxClass
     AUXILIARY
     MAY ( pcelsVariableDN
         $ pcelsValueDN )
   )

   The attributes are defined in section 5.6.

   A instance of pcelsSimpleActionAuxClass and an instance of
   pcelsSimpleConditionAuxClass MUST NOT be attached to a same
   entry. Because the two classes use the same mechanisms to
   associate Variables and Values, this restriction is necessary
   in order to avoid ambiguities.


5.10 The Auxiliary Class pcelsCompoundActionAuxClass.

   This class maps the CompoundPolicyAction class of the [PCIM_EXT].

   The class definition follows:













Pana, et al.               Expires: July 2004                 [page 32]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsCompoundActionAuxClass'
     DESC 'A class that aggregates simpler actions in a sequence
           with specific execution strategy.'
     SUP pcimActionAuxClass
     AUXILIARY
     MAY ( pcelsActionList
         $ pcelsSequencedActions
         $ pcelsExecutionStrategy )
   )

   The attributes pcelsSequencedActions, pcelsExecutionStrategy and
   pcelsActionList are defined in section 5.3 .


5.11 The Abstract Class pcelsVariable.

   Variables specify properties of a flow or an event that should be
   matched when evaluating the condition. A pcelsVariable instance
   selects the set of matched values through the
   ExpectedPolicyValuesForVariable association.
   A pcelsVariable entry may be associated to a set of
   pcelsValueAuxClass entries that represent its expected values. The
   expected values for a variable may be indicated by:
      (1) pcelsExpectedValueList references to reusable instances of
          pcelsValueAuxClass or by
      (2) pcelsExpectedValueList references to subordinated non-reusable
          instances of pcelsValueAuxClass

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsVariable'
     DESC 'Base class for representing a variable whose actual
           value can be matched against or set to a specific value.'
     SUP top
     ABSTRACT
     MAY ( pcelsVariableName
         $ pcelsExpectedValueList )
   )

   The attribute pcelsVariableName is an user-friendly name for the
   variable.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsVariableName'
     DESC 'The user-friendly name of a variable.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )



Pana, et al.               Expires: July 2004                 [page 33]

INTERNET-DRAFT                  PCELS                      January 2004


   The attribute pcelsExpectedValueList is an unordered set of DN
   references to subclasses of pcelsValueAuxClass. It maps the
   [PCIM_EXT] ExpectedPolicyValuesForVariable association:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsExpectedValueList'
     DESC 'List of DN references to pcelsValueAuxClass
           entries that represent the acceptable values.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )


5.12 The Auxiliary Class pcelsExplicitVariableAuxClass

   The subclass pcelsExplicitVariableAuxClass is defined as
   follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsExplicitVariableAuxClass'
     DESC 'Explicitly defined policy variable evaluated within the
           context of the CIM Schema.'
     SUP pcelsVariable
     AUXILIARY
     MUST ( pcelsVariableModelClass
          $ pcelsVariableModelProperty )
   )

   The attribute pcelsVariableModelClass is a string specifying the
   class name whose property is evaluated or set as a variable:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsVariableModelClass'
     DESC 'Specifies a CIM class name or OID.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcelsVariableModelProperty is a string specifying the
   attribute, within the pcelsVariableModelClass, which is evaluated or
   set as a variable:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsVariableModelProperty'
     DESC 'Specifies a CIM property name or OID.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )




Pana, et al.               Expires: July 2004                 [page 34]

INTERNET-DRAFT                  PCELS                      January 2004


5.13 The Auxiliary Class pcelsImplicitVariableAuxClass

   The subclass pcelsImplicitVariableAuxClass is defined as
   follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsImplicitVariableAuxClass'
     DESC 'Implicitly defined policy variables whose evaluation
           depends on the usage context. Subclasses specify
           the data type and semantics of the variables.'
     SUP pcelsVariable
     AUXILIARY
     MUST ( pcelsExpectedValueTypes )
   )

   The attribute pcelsExpectedValueTypes is the direct mapping from the
   valueTypes property in the [PCIM_EXT] PolicyImplicitVariable class.
   This attribute represents a set of allowed value types to be used
   with this variable.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsExpectedValueTypes'
     DESC 'List of object class names or OIDs of subclasses
           of pcelsValueAuxClass that define acceptable
           value types.'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )


5.14 The Subclasses of pcelsImplicitVariableAuxClass

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsSourceIPv4VariableAuxClass'
     DESC 'Source IP v4 address'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsSourceIPv6VariableAuxClass'
     DESC 'Source IP v6 address'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )









Pana, et al.               Expires: July 2004                 [page 35]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsDestinationIPv4VariableAuxClass'
     DESC 'Destination IP v4 address'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsDestinationIPv6VariableAuxClass'
     DESC 'Destination IP v6 address'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsSourcePortVariableAuxClass'
     DESC 'Source port'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsDestinationPortVariableAuxClass'
     DESC 'Destination port'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsIPProtocolVariableAuxClass'
     DESC 'IP protocol number'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsIPVersionVariableAuxClass'
     DESC 'IP version number'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsIPToSVariableAuxClass'
     DESC 'IP ToS'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )






Pana, et al.               Expires: July 2004                 [page 36]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsDSCPVariableAuxClass'
     DESC 'DiffServ code point'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsFlowIdVariableAuxClass'
     DESC 'Flow Identifier'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsSourceMACVariableAuxClass'
     DESC 'Source MAC address'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsDestinationMACVariableAuxClass'
     DESC 'Destination MAC address'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsVLANVariableAuxClass'
     DESC 'VLAN'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsCoSVariableAuxClass'
     DESC 'Class of service'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsEthertypeVariableAuxClass'
     DESC 'Ethertype'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )






Pana, et al.               Expires: July 2004                 [page 37]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsSourceSAPVariableAuxClass'
     DESC 'Source SAP'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsDestinationSAPVariableAuxClass'
     DESC 'Destination SAP'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsSNAPOUIVariableAuxClass'
     DESC 'SNAP OUI'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsSNAPTypeVariableAuxClass'
     DESC 'SNAP type'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsFlowDirectionVariableAuxClass'
     DESC 'Flow direction'
     SUP pcelsImplicitVariableAuxClass
     AUXILIARY
   )


5.15 The Auxiliary Class pcelsValueAuxClass.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsValueAuxClass'
     DESC 'Base class for representing a value that can be
           matched against or set for a specific variable.'
     SUP top
     AUXILIARY
     MAY ( pcelsValueName )
   )

   The Attribute pcelsValueName:






Pana, et al.               Expires: July 2004                 [page 38]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsValueName'
     DESC 'The user-friendly name of a value.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )


5.16 The Subclasses of pcelsValueAuxClass.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsIPv4AddrValueAuxClass'
     DESC 'IPv4 address value.'
     SUP pcelsValueAuxClass
     AUXILIARY
     MUST ( pcelsIPv4AddrList )
   )

   The Attribute pcelsIPv4AddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPv4AddrList'
     DESC 'List of IPv4 address values, ranges or hosts.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsIPv6AddrValueAuxClass'
     DESC 'IPv6 address value.'
     SUP pcelsValueAuxClass
     AUXILIARY
     MUST ( pcelsIPv6AddrList )
   )

   The Attribute pcelsIPv6AddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPv6AddrList'
     DESC 'List of IPv6 address values, ranges or hosts.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )




Pana, et al.               Expires: July 2004                 [page 39]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsMACAddrValueAuxClass'
     DESC 'MAC address value.'
     SUP pcelsValueAuxClass
     AUXILIARY
     MUST ( pcelsMACAddrList )
   )

   The Attribute pcelsMACAddrList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsMACAddrList'
     DESC 'List of MAC address values or ranges.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsStringValueAuxClass'
     DESC 'String value.'
     SUP pcelsValueAuxClass
     AUXILIARY
     MUST ( pcelsStringList )
   )

   The Attribute pcelsStringList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsStringList'
     DESC 'List of strings or wildcarded strings.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsBitStringValueAuxClass'
     DESC 'Bit string value.'
     SUP pcelsValueAuxClass
     AUXILIARY
     MUST ( pcelsBitStringList )
   )

   The Attribute pcelsBitStringList:







Pana, et al.               Expires: July 2004                 [page 40]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsBitStringList'
     DESC 'List of bit strings or masked bit strings.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsIntegerValueAuxClass'
     DESC 'Integer value.'
     SUP pcelsValueAuxClass
     AUXILIARY
     MUST ( pcelsIntegerList )
   )

   The Attribute pcelsIntegerList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIntegerList'
     DESC 'List of integers or integer ranges.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsBooleanValueAuxClass'
     DESC 'Boolean value.'
     SUP pcelsValueAuxClass
     AUXILIARY
     MUST ( pcelsBoolean )
   )

   The Attribute pcelsBoolean:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsBoolean'
     DESC 'A boolean value.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )


5.17 The Three Classes pcelsReusableContainer






Pana, et al.               Expires: July 2004                 [page 41]

INTERNET-DRAFT                  PCELS                      January 2004


   This class represents a container of reusable policy elements. The
   elements contained in a reusable policy container are aggregated via
   subordination to a pcelsReusableContainer instance (DIT containment).
   A reusable policy container can include the elements of an other
   reusable policy container by aggregating the container itself. This
   is realized by DIT containment when the policy containers are
   subordinated to one an other, or by reference when the aggregating
   policy container references the aggregated one using the attribute
   pcelsReusableContainerList.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsReusableContainer'
     DESC 'A container for reusable policy information.'
     SUP pcimRepository
     ABSTRACT
     MAY ( pcelsReusableContainerName
         $ pcelsReusableContainerList )
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsReusableContainerAuxClass '
     DESC 'An auxiliary class that can be used to aggregate
           reusable policy information.'
     SUP pcelsReusableContainer
     AUXILIARY
   )

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsReusableContainerInstance'
     DESC 'A structural class that can be used to aggregate
           reusable policy information.'
     SUP pcelsReusableContainer
     STRUCTURAL
   )

   The Attribute pcelsReusableContainerName:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsReusableContainerName'
     DESC 'The user-friendly name of a reusable policy container.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcelsReusableContainerList:






Pana, et al.               Expires: July 2004                 [page 42]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsReusableContainerList'
     DESC 'List of DN references to pcelsReusableContainer
           entries.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )

   Note: For compliance with [PCIM_EXT] that deprecates the
   PolicyRepository class, implementations SHALL use the subclasses
   of pcelsReusableContainer defined here instead of the
   classes pcimRepositoryInstance and pcimRepositoryAuxClass.


5.18 The Structural Class pcelsRoleCollection.

   The pcelsRoleCollection class creates the means for the association
   of policy roles to resources represented as LDAP entries.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsRoleCollection'
     DESC 'This class is used to group together entries
           that share a same role.'
     SUP pcimPolicy
     STRUCTURAL
     MUST ( pcelsRole )
     MAY ( pcelsRoleCollectionName
         $ pcelsElementList )
   )

   The Attribute pcelsRole:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsRole'
     DESC 'String representing a role.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcelsRoleCollectionName:











Pana, et al.               Expires: July 2004                 [page 43]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsRoleCollectionName'
     DESC 'The user-friendly name of a role collection.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The Attribute pcelsElementList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsElementList'
     DESC 'List of DN references to entries representing
           managed elements.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )


5.19 The Abstract Class pcelsFilterEntry

   The abstract class pcelsFilterEntry implements the FilterEntryBase
   class from [PCIM_EXT]. This class is the base class for defining
   message or packet filters.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsFilterEntry'
     DESC 'This class is used as a base class for
           representing message or packet filters.'
     SUP pcimPolicy
     ABSTRACT
     MAY ( pcelsFilterName
         $ pcelsFilterIsNegated )
   )

   The Attribute pcelsFilterName may be used as naming attribute for
   filter entries:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsFilterName'
     DESC 'The user-friendly name of a filter.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )





Pana, et al.               Expires: July 2004                 [page 44]

INTERNET-DRAFT                  PCELS                      January 2004


   The Attribute pcelsFilterIsNegated indicates whether the specified
   criteria is to be negated or not in the process of matching a
   message or packet against the filter:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsFilterIsNegated'
     DESC 'If TRUE, indicates that the filter matches all but
           the messages or packets that conform to the specified
           criteria. Default: FALSE.'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
   )


5.20 The Structural Class pcelsIPHeaders.

   The class pcelsIPHeaders implements the IpHeadersFilter class of
   the [PCIM_EXT] model. It provides means for filtering traffic by
   values in the IP header. Optional attributes, if not specified shall
   be treated as 'all values'.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsIPHeaders'
     DESC 'This class defines an IP header filter.'
     SUP pcelsFilterEntry
     STRUCTURAL
     MAY ( pcelsIPHdrVersion
         $ pcelsIPHdrSourceAddress
         $ pcelsIPHdrSourceAddressEndOfRange
         $ pcelsIPHdrSourceMask
         $ pcelsIPHdrDestAddress
         $ pcelsIPHdrDestAddressEndOfRange
         $ pcelsIPHdrDestMask
         $ pcelsIPHdrProtocolID
         $ pcelsIPHdrSourcePortStart
         $ pcelsIPHdrSourcePortEnd
         $ pcelsIPHdrDestPortStart
         $ pcelsIPHdrDestPortEnd
         $ pcelsIPHdrDSCPList
         $ pcelsIPHdrFlowLabel )
   )












Pana, et al.               Expires: July 2004                 [page 45]

INTERNET-DRAFT                  PCELS                      January 2004


   The attribute pcelsIPHdrVersion identifies the IP version and
   dictates the format for the IP version dependent attribute values in
   a pcelsIPHeaders entry. These attributes are:
      pcelsIPHdrSourceAddress
      pcelsIPHdrSourceAddressEndOfRange
      pcelsIPHdrSourceMask
      pcelsIPHdrDestAddress
      pcelsIPHdrDestAddressEndOfRange
      pcelsIPHdrDestMask

   If a value for this attribute is not provided, then the filter does
   not consider IP version in selecting matching packets. In this case,
   IP version dependent attributes must not be present in the filter
   entry. The possible values of pcelsIPHdrVersion are '4' and '6'.

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrVersion'
     DESC 'The IP version. Valid values: 4, 6.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

    The attribute pcelsIPHdrSourceAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrSourceAddress'
     DESC 'The IP source address.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrSourceAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrSourceAddressEndOfRange'
     DESC 'The end or address range for the IP source address.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrSourceMask:







Pana, et al.               Expires: July 2004                 [page 46]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrSourceMask'
     DESC 'The address mask for the IP source address.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrDestAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrDestAddress'
     DESC 'The IP destination address.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrDestAddressEndOfRange:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrDestAddressEndOfRange'
     DESC 'The end of address range for the IP destination address.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrDestMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrDestMask'
     DESC 'The address mask for the IP destination address.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrProtocolID:











Pana, et al.               Expires: July 2004                 [page 47]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrProtocolID'
     DESC 'The IP protocol type. Valid values: 0..255.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrSourcePortStart:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrSourcePortStart'
     DESC 'The start of the source port range. Valid values: 0..65535.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrSourcePortEnd:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrSourcePortEnd'
     DESC 'The end of the source port range. Valid values: 0..65535.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrDestPortStart:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrDestPortStart'
     DESC 'The start of the destination port range.
           Valid values: 0..65535.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The attribute pcelsIPHdrDestPortEnd:










Pana, et al.               Expires: July 2004                 [page 48]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrDestPortEnd'
     DESC 'The end of the destination port range.
           Valid values: 0..65535.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
   )

   The multi-value attribute pcelsIPHdrDSCPList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrDSCPList'
     DESC 'The DSCP values. Valid values: 0..63.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcelsIPHdrFlowLabel:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsIPHdrFlowLabel'
     DESC 'The IP flow label.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )


5.21 The Structural Class pcels8021Headers.

   ( IANA-ASSIGNED-OID.1.x
     NAME ' pcels8021Headers'
     DESC 'This class defines an 802.1 header filter.'
     SUP pcelsFilterEntry
     STRUCTURAL
     MAY ( pcels8021HdrSourceMACAddress
         $ pcels8021HdrSourceMACMask
         $ pcels8021HdrDestMACAddress
         $ pcels8021HdrDestMACMask
         $ pcels8021HdrProtocolID
         $ pcels8021HdrPriority
         $ pcels8021HdrVLANID )
   )

   The attribute pcels8021HdrSourceMACAddress:





Pana, et al.               Expires: July 2004                 [page 49]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcels8021HdrSourceMACAddress'
     DESC 'The source MAC address.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcels8021HdrSourceMACMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcels8021HdrSourceMACMask'
     DESC 'The source MAC address mask.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcels8021HdrDestMACAddress:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcels8021HdrDestMACAddress'
     DESC 'The destination MAC address.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcels8021HdrDestMACMask:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcels8021HdrDestMACMask'
     DESC 'The destination MAC address mask.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE
   )

   The attribute pcels8021HdrProtocolID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcels8021HdrProtocolID'
     DESC 'The 802.1 protocol ID. Valid values: 0..65535.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )



Pana, et al.               Expires: July 2004                 [page 50]

INTERNET-DRAFT                  PCELS                      January 2004


   The attribute pcels8021HdrPriority:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcels8021HdrPriority'
     DESC 'The 802.1 priority. Valid values: 0..7.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcels8021HdrVLANID:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcels8021HdrVLANID'
     DESC 'The 802.1 VLAN ID. Valid values: 0..4095.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )


5.22 The Auxiliary Class pcelsFilterListAuxClass.

   This class represents a set of device-level filters aggregated
   in a policy condition. Therefore, instances of this class can be
   used in policy rules or as elements of more complex compound
   conditions. The aggregation EntriesInFilterList from the
   [PCIM_EXT] model is implemented by the multi-value attribute
   pcelsFilterEntryList. The EntrySequence property of the aggregation
   EntriesInFilterList that is restricted to its default value ('0')
   in the [PCIM_EXT] model is redundant and therefore not implemented.

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsFilterListAuxClass'
     DESC 'This class is used to aggregate filters
           represented as subclasses of pcelsFilterEntry.'
     SUP pcimConditionAuxClass
     STRUCTURAL
     MAY ( pcelsFilterListName
         $ pcelsFilterDirection
         $ pcelsFilterEntryList )
   )

   The Attribute pcelsFilterListName may be used as naming attribute
   for filter lists:









Pana, et al.               Expires: July 2004                 [page 51]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsFilterListName'
     DESC 'The user-friendly name of a filter list.'
     EQUALITY caseIgnoreMatch
     ORDERING caseIgnoreOrderingMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
   )

   The attribute pcelsFilterDirection indicates the direction
   of the packets or messages relative to the interface where
   the filter is applied. The possible values are:
   NotApplicable(0), Input(1), Output(2), Both(3), Mirrored(4).

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsFilterDirection'
     DESC 'The direction of the packets or messages
           to which this filter is to be applied.
           Valid values: 0 (NotApplicable), 1 (Input), 2 (Output),
           3 (Both) and 4 (Mirrored). Default value: 0.'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   )

   The attribute pcelsFilterEntryList:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsFilterEntryList'
     DESC 'List of DN references to pcelsFilterEntry entries.'
     EQUALITY distinguishedNameMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   )


5.23 The Auxiliary Class pcelsVendorVariableAuxClass.

   This class provides a general extension mechanism for representing
   policy variables that have not been modeled with specific properties.
   Instead, its two properties are used to define the content and format
   of the variable, as explained below. This class is intended for
   vendor-specific extensions that are not amenable to using
   pcelsVariable; standardized extensions SHOULD NOT use this class.

   The class definition is as follows:








Pana, et al.               Expires: July 2004                 [page 52]

INTERNET-DRAFT                  PCELS                      January 2004


   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsVendorVariableAuxClass'
     DESC 'A class that defines a registered means to describe a
           policy variable.'
     SUP pcelsVariable
     AUXILIARY
     MAY ( pcelsVendorVariableData $
           pcelsVendorVariableEncoding )
   )

   The pcelsVendorVariableData attribute is a multi-valued attribute. It
   provides a general mechanism for representing policy variables that
   have not been modeled as specific attributes. This information is
   encoded in a set of octet strings. The format of the octet strings is
   identified by the OID stored in the pcelsVendorVariableEncoding
   attribute. This attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsVendorVariableData'
     DESC 'Mechanism for representing variables that have not
           been modeled as specific attributes. Their format is
           identified by the OID stored in the attribute
           pcelsVendorVariableEncoding.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
   )

   The pcelsVendorVariableEncoding attribute is used to identify the
   format and semantics for the pcelsVendorVariableData attribute. This
   attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsVendorVariableEncoding'
     DESC 'An OID identifying the format and semantics for the
           pcelsVendorVariableData for this instance.'
     EQUALITY objectIdentifierMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
     SINGLE-VALUE
   )


5.24 The Auxiliary Class pcelsVendorValueAuxClass.

   This class provides a general extension mechanism for representing
   policy values that have not been modeled with specific properties.
   Instead, its two properties are used to define the content and format
   of the value, as explained below. This class is intended for
   vendor-specific extensions that are not amenable to using
   pcelsValueAuxClass; standardized extensions SHOULD NOT use this
   class.



Pana, et al.               Expires: July 2004                 [page 53]

INTERNET-DRAFT                  PCELS                      January 2004


   The class definition is as follows:

   ( IANA-ASSIGNED-OID.1.x
     NAME 'pcelsVendorValueAuxClass'
     DESC 'A class that defines a registered means to describe a
           policy value.'
     SUP pcelsValueAuxClass
     AUXILIARY
     MAY ( pcelsVendorValueData $
           pcelsVendorValueEncoding )
   )

   The pcelsVendorValueData attribute is a multi-valued attribute. It
   provides a general mechanism for representing policy values that
   have not been modeled as specific attributes. This information is
   encoded in a set of octet strings. The format of the octet strings is
   identified by the OID stored in the pcelsVendorValueEncoding
   attribute. This attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsVendorValueData'
     DESC 'Mechanism for representing values that have not
           been modeled as specific attributes. Their format is
           identified by the OID stored in the attribute
           pcelsVendorValueEncoding.'
     EQUALITY octetStringMatch
     ORDERING octetStringOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
   )

   The pcelsVendorValueEncoding attribute is used to identify the
   format and semantics for the pcelsVendorValueData attribute. This
   attribute is defined as follows:

   ( IANA-ASSIGNED-OID.2.x
     NAME 'pcelsVendorValueEncoding'
     DESC 'An OID identifying the format and semantics for the
           pcelsVendorValueData for this instance.'
     EQUALITY objectIdentifierMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
     SINGLE-VALUE
   )


6. Security Considerations

   The Policy Core LDAP Schema [PCLS] describes the general security
   considerations related to the general core policy schema. The
   extensions defined in this document do not introduce any additional
   considerations related to security.




Pana, et al.               Expires: July 2004                 [page 54]

INTERNET-DRAFT                  PCELS                      January 2004


7. IANA Considerations

7.1 Object Identifiers

   It is requested that IANA register an LDAP Object Identifier
   for use in this technical specification according to the
   following template:

   Subject: Request for LDAP OID Registration
   Person & e-mail address to contact for further information:
   Mircea Pana (mpana@metasolv.com)
   Specification: RFC xxxx
   Author/Change Controller: IESG
   Comments:
      The assigned OID will be used as a base for identifying
      a number of schema elements defined in this document.


7.2 Object Identifier Descriptors

   It is requested that IANA register the LDAP Descriptors used
   in this technical specification as detailed in the following
   template:

   Subject: Request for LDAP Descriptor Registration Update
   Descriptor (short name): see comment
   Object Identifier: see comment
   Person & e-mail address to contact for further information:
      Mircea Pana (mpana@metasolv.com)
   Usage: see comment
   Specification: RFC xxxx
   Author/Change Controller: IESG
   Comments:

   The following descriptors should be added:

   NAME                                    Type  OID
   --------------                          ----  ------------
   pcelsPolicySet                           O     IANA-ASSIGNED-OID.1.x
   pcelsPolicySetName                       A     IANA-ASSIGNED-OID.2.x
   pcelsDecisionStrategy                    A     IANA-ASSIGNED-OID.2.x
   pcelsPolicySetList                       A     IANA-ASSIGNED-OID.2.x
   pcelsPolicySetAssociation                O     IANA-ASSIGNED-OID.1.x
   pcelsPriority                            A     IANA-ASSIGNED-OID.2.x
   pcelsPolicySetDN                         A     IANA-ASSIGNED-OID.2.x
   pcelsRule                                O     IANA-ASSIGNED-OID.1.x
   pcelsRuleAuxClass                        O     IANA-ASSIGNED-OID.1.x
   pcelsRuleInstance                        O     IANA-ASSIGNED-OID.1.x
   pcelsConditionListType                   A     IANA-ASSIGNED-OID.2.x
   pcelsConditionList                       A     IANA-ASSIGNED-OID.2.x
   pcelsActionList                          A     IANA-ASSIGNED-OID.2.x
   pcelsSequencedActions                    A     IANA-ASSIGNED-OID.2.x


Pana, et al.               Expires: July 2004                 [page 55]

INTERNET-DRAFT                  PCELS                      January 2004


   pcelsExecutionStrategy                   A     IANA-ASSIGNED-OID.2.x
   pcelsConditionAssociation                O     IANA-ASSIGNED-OID.1.x
   pcelsActionAssociation                   O     IANA-ASSIGNED-OID.1.x
   pcelsSimpleConditionAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcelsVariableDN                          A     IANA-ASSIGNED-OID.2.x
   pcelsValueDN                             A     IANA-ASSIGNED-OID.2.x
   pcelsCompoundConditionAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcelsCompoundFilterAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcelsIsMirrored                          A     IANA-ASSIGNED-OID.2.x
   pcelsSimpleActionAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcelsCompoundActionAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcelsVariable                            O     IANA-ASSIGNED-OID.1.x
   pcelsVariableName                        A     IANA-ASSIGNED-OID.2.x
   pcelsExpectedValueList                   A     IANA-ASSIGNED-OID.2.x
   pcelsExplicitVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcelsVariableModelClass                  A     IANA-ASSIGNED-OID.2.x
   pcelsVariableModelProperty               A     IANA-ASSIGNED-OID.2.x
   pcelsImplicitVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcelsExpectedValueTypes                  A     IANA-ASSIGNED-OID.2.x
   pcelsSourceIPv4VariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcelsSourceIPv6VariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcelsDestinationIPv4VariableAuxClass     O     IANA-ASSIGNED-OID.1.x
   pcelsDestinationIPv6VariableAuxClass     O     IANA-ASSIGNED-OID.1.x
   pcelsSourcePortVariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcelsDestinationPortVariableAuxClass     O     IANA-ASSIGNED-OID.1.x
   pcelsIPProtocolVariableAuxClass          O     IANA-ASSIGNED-OID.1.x
   pcelsIPVersionVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcelsIPToSVariableAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcelsDSCPVariableAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcelsFlowIdVariableAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcelsSourceMACVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcelsDestinationMACVariableAuxClass      O     IANA-ASSIGNED-OID.1.x
   pcelsVLANVariableAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcelsCoSVariableAuxClass                 O     IANA-ASSIGNED-OID.1.x
   pcelsEthertypeVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcelsSourceSAPVariableAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcelsDestinationSAPVariableAuxClass      O     IANA-ASSIGNED-OID.1.x
   pcelsSNAPOUIVariableAuxClass             O     IANA-ASSIGNED-OID.1.x
   pcelsSNAPTypeVariableAuxClass            O     IANA-ASSIGNED-OID.1.x
   pcelsFlowDirectionVariableAuxClass       O     IANA-ASSIGNED-OID.1.x
   pcelsValueAuxClass                       O     IANA-ASSIGNED-OID.1.x
   pcelsValueName                           A     IANA-ASSIGNED-OID.2.x
   pcelsIPv4AddrValueAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcelsIPv4AddrList                        A     IANA-ASSIGNED-OID.2.x
   pcelsIPv6AddrValueAuxClass               O     IANA-ASSIGNED-OID.1.x
   pcelsIPv6AddrList                        A     IANA-ASSIGNED-OID.2.x
   pcelsMACAddrValueAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcelsMACAddrList                         A     IANA-ASSIGNED-OID.2.x
   pcelsStringValueAuxClass                 O     IANA-ASSIGNED-OID.1.x
   pcelsStringList                          A     IANA-ASSIGNED-OID.2.x
   pcelsBitStringValueAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcelsBitStringList                       A     IANA-ASSIGNED-OID.2.x


Pana, et al.               Expires: July 2004                 [page 56]

INTERNET-DRAFT                  PCELS                      January 2004


   pcelsIntegerValueAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcelsIntegerList                         A     IANA-ASSIGNED-OID.2.x
   pcelsBooleanValueAuxClass                O     IANA-ASSIGNED-OID.1.x
   pcelsBoolean                             A     IANA-ASSIGNED-OID.2.x
   pcelsReusableContainer                   O     IANA-ASSIGNED-OID.1.x
   pcelsReusableContainerAuxClass           O     IANA-ASSIGNED-OID.1.x
   pcelsReusableContainerInstance           O     IANA-ASSIGNED-OID.1.x
   pcelsReusableContainerName               A     IANA-ASSIGNED-OID.2.x
   pcelsReusableContainerList               A     IANA-ASSIGNED-OID.2.x
   pcelsRoleCollection                      O     IANA-ASSIGNED-OID.1.x
   pcelsRole                                A     IANA-ASSIGNED-OID.2.x
   pcelsRoleCollectionName                  A     IANA-ASSIGNED-OID.2.x
   pcelsElementList                         A     IANA-ASSIGNED-OID.2.x
   pcelsFilterEntry                         O     IANA-ASSIGNED-OID.1.x
   pcelsFilterName                          A     IANA-ASSIGNED-OID.2.x
   pcelsFilterIsNegated                     A     IANA-ASSIGNED-OID.2.x
   pcelsIPHeaders                           O     IANA-ASSIGNED-OID.1.x
   pcelsIPHdrVersion                        A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrSourceAddress                  A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrSourceAddressEndOfRange        A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrSourceMask                     A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrDestAddress                    A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrDestAddressEndOfRange          A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrDestMask                       A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrProtocolID                     A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrSourcePortStart                A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrSourcePortEnd                  A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrDestPortStart                  A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrDestPortEnd                    A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrDSCPList                       A     IANA-ASSIGNED-OID.2.x
   pcelsIPHdrFlowLabel                      A     IANA-ASSIGNED-OID.2.x
   pcels8021Headers                         O     IANA-ASSIGNED-OID.1.x
   pcels8021HdrSourceMACAddress             A     IANA-ASSIGNED-OID.2.x
   pcels8021HdrSourceMACMask                A     IANA-ASSIGNED-OID.2.x
   pcels8021HdrDestMACAddress               A     IANA-ASSIGNED-OID.2.x
   pcels8021HdrDestMACMask                  A     IANA-ASSIGNED-OID.2.x
   pcels8021HdrProtocolID                   A     IANA-ASSIGNED-OID.2.x
   pcels8021HdrPriority                     A     IANA-ASSIGNED-OID.2.x
   pcels8021HdrVLANID                       A     IANA-ASSIGNED-OID.2.x
   pcelsFilterListAuxClass                  O     IANA-ASSIGNED-OID.1.x
   pcelsFilterListName                      A     IANA-ASSIGNED-OID.2.x
   pcelsFilterDirection                     A     IANA-ASSIGNED-OID.2.x
   pcelsFilterEntryList                     A     IANA-ASSIGNED-OID.2.x
   pcelsVendorVariableAuxClass              O     IANA-ASSIGNED-OID.1.x
   pcelsVendorVariableData                  A     IANA-ASSIGNED-OID.2.x
   pcelsVendorVariableEncoding              A     IANA-ASSIGNED-OID.2.x
   pcelsVendorValueAuxClass                 O     IANA-ASSIGNED-OID.1.x
   pcelsVendorValueData                     A     IANA-ASSIGNED-OID.2.x
   pcelsVendorValueEncoding                 A     IANA-ASSIGNED-OID.2.x

   where Type A is Attribute, Type O is ObjectClass



Pana, et al.               Expires: July 2004                 [page 57]

INTERNET-DRAFT                  PCELS                      January 2004



8. Normative References

[CIM]      Distributed Management Task Force, Inc., "Common Information
           Model (CIM) Specification", Version 2.2, June 14, 1999. This
           document is available on the following DMTF web page:
           http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf

[CIM_LDAP] Distributed Management Task Force, Inc., "DMTF LDAP Schema
           for the CIM v2.5 Core Information Model", April 15, 2002.
           This document is available on the following DMTF web page:
           http://www.dmtf.org/standards/documents/DEN/DSP0123.pdf

[PCIM]     B. Moore, E. Ellesson, J. Strassner, "Policy Core Information
           Model -- Version 1 Specification", RFC 3060, May 2000.

[PCIM_EXT] B. Moore et al., "Policy Core Information Model (PCIM)
           Extensions", RFC 3460, January 2003.

[PCLS]     J. Strassner, E. Ellesson, B. Moore, R. Moats, "Policy Core
           LDAP Schema", Internet Draft, work in progress,
           draft-ietf-policy-core-schema-16.txt.

[LDAP]     Hodges, J., and Morgan R., "Lightweight Directory Access
           Protocol (v3): Technical Specification", RFC 3377,
           September 2002.

[LDAP_SYNTAX] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight
           Directory Access Protocol(v3): Attribute Syntax Definitions",
           RFC 2252, December 1997.

[LDAP_SCHEMA] M. Wahl, "A Summary of the X.500(96) User Schema for use
           with LDAPv3", RFC 2256, December 1997.

[LDAP_MATCH] K. Zeilenga, ed., "LDAP: Additional Matching Rules",
           draft-zeilenga-ldap-user-schema-mr-00.txt, June 2003.

[X.501]    The Directory: Models. ITU-T Recommendation X.501, 2001.

[X.520]    The Directory: Selected Attribute Types. ITU-T Recommendation
           X.520, 2001.


9. Informative References

[KEYWORDS] S. Bradner, "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119, March 1997.

[PROCESS]  R. Hovey, S. Bradner, "The Organizations Involved in
           the IETF Standards Process", BCP 11, RFC 2028, October 1996.




Pana, et al.               Expires: July 2004                 [page 58]

INTERNET-DRAFT                  PCELS                      January 2004


[LDAP-IANA] K. Zeilenga, "Internet Assigned Numbers Authority (IANA)
           Considerations for the Lightweight Directory Access Protocol
           (LDAP)", BCP 64, RFC 3383, September 2002.


10. Authors' Addresses

   Angelica Reyes
   University Veracruzana
   Spain
   xalitta@yahoo.com

   Antoni Barba, David Moron
   Technical University of Catalonia
   Jordi-Girona 1-3
   08034 Barcelona
   Spain
   [telabm|dmoron]@mat.upc.es

   Marcus Brunner
   NEC Europe Ltd.
   Kurfuersten Anlage 34
   D-69115 Heidelberg
   Germany
   brunner@ccrle.nec.de

   Mircea Pana
   MetaSolv Software Inc.
   360 Legget Drive
   Ottawa, Ontario, Canada
   K2K 3N1
   mpana@metasolv.com


11. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.




Pana, et al.               Expires: July 2004                 [page 59]

INTERNET-DRAFT                  PCELS                      January 2004


   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.


12. Full Copyright Statement

  Copyright (C) The Internet Society (2003). All Rights Reserved.

  This document and translations of it may be copied and furnished to
  others, and derivative works that comment on or otherwise explain it
  or assist in its implementation may be prepared, copied, published
  and distributed, in whole or in part, without restriction of any
  kind, provided that the above copyright notice and this paragraph are
  included on all such copies and derivative works. However, this
  document itself may not be modified in any way, such as by removing
  the copyright notice or references to the Internet Society or other
  Internet organizations, except as needed for the purpose of
  developing Internet standards in which case the procedures for
  copyrights defined in the Internet Standards process must be
  followed, or as required to translate it into languages other than
  English.

  The limited permissions granted above are perpetual and will not be
  revoked by the Internet Society or its successors or assigns.

  This document and the information contained herein is provided on an
  "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
  TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDIN
  BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
  HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
  MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Notes to the RFC Editor

   This note is to be removed before publication.
   "zzzz" in "RFC zzzz" is to be replaced with the RFC number assigned
   to [PCLS].
   "xxxx" in "RFC xxxx" is to be replaced with the RFC number assigned
   to this document.
   Section "PLEASE NOTE:" is to be removed upon assignment OID
   assignment by IANA.


Appendix A: Changes in this revision

   1. This revision does not deprecate schema items defined in PCLS.
   The "Abstract" of this document has been modified accordingly.



Pana, et al.               Expires: July 2004                 [page 60]

INTERNET-DRAFT                  PCELS                      January 2004


   2. To make them easily distinguishable from the object classes and
   attributes defined in PCLS, the schema items defined in this document
   are now prefixed "pcels" instead of "pcim".

   3. In previous versions of this document the pcimPolicyGroup object
   class (initially defined by PCLS) was redefined as a subclass of
   pcimPolicySet (now pcelsPolicySet). This modification has been
   abandoned.

   4. Added note on PolicyGroup representation as pcelsRule or
   pcelsPolicySet.

   5. Abandoned deprecation of pcimRepository and modified
   pcelsReusableContainer to subclass pcimRepository.

   6. Added general considerations in the opening of the schema
   definitions (section 5).

   7. Added text to clarify which attributes defined in PCLS are also
   used in object classes defined here.

   8. Instead of deprecating pcimRuleConditionAssociation and replacing
   it with pcelsConditionAssociation, the latter object class has been
   modified, so that is now a subclass of pcimRuleConditionAssociation
   which is no longer deprecated.

   9. Instead of deprecating pcimRuleActionAssociation and replacing it
   with pcelsActionAssociation, the latter object class has been
   modified, so that is now a subclass of pcimRuleActionAssociation
   which is no longer deprecated.

   10. The class pcimRule and its subclasses defined by PCLS are no
   longer deprecated. A note has been added to clarify the issue
   regarding the functionality replacement for compatibility with
   PCIM_EXT.

   11. The pcimGroupContainmentAuxClass and pcimRuleContainmentAuxClass
   object classes defined by PCLS are no longer deprecated. A note has
   been added to clarify the issue regarding the functionality
   replacement for compatibility with PCIM_EXT.

   12. Added text to explicitly describe the use of
   pcelsPolicySetAssociation for the realization of the
   PolicySetInSystem association. This was unclear in previous
   revisions.

   13. Revised "Summary of changes since PCLS" in accordance with the
   changes listed above.

   14. Revised security considerations.




Pana, et al.               Expires: July 2004                 [page 61]

INTERNET-DRAFT                  PCELS                      January 2004


   15. Updated normative and informative references.

   16. Added section to explain impact on PCLS implementations.

   17. Added note on OID assignment status. (before section 1).

   18. For compliance with NITS, the abstract does not use citations.

   19. Added text to indicate valid and default attribute values where
   applicable.


Appendix B: Open Issues

   1. Should RFC 2119 be cited as normative reference? PCIM_EXT, PCLS
   and other documents refer to RFC 2119 as an informative reference.

   2. The object classes pcelsVendorVariable and pcelsVendorValue
   defined in this document are not mapped from PCIM_EXT.
   Pro: It is estimated that non-standard submodels and their LDAP
   schema implementations will need to define a considerable number of
   new PolicyVariable and PolicyValue subtypes. In order to avoid an
   explosion of LDAP class definitions, the pcelsVendorVariable and
   pcelsVendorValue classes introduce a value based extension mechanism
   for handling new data types. These classes do not introduce a new
   concept but rather a new extension mechanism for an existing concept.
   A similar mechanism is defined by PCIM and implemented by PCLS for
   creating vendor specific PolicyCondition and PolicyAction entries.
   Con: Since PCIM_EXT does not define such classes this document should
   not do it either. The purpose of this document this document is to
   map the PCIM_EXT model to an LDAP schema, therefore such
   functionality is outside its scope.

   3. PolicyGroup is not explicitly mapped to an LDAP object class.
   Pro: Since the PolicyRule has now the capability to aggregate other
   PolicyRule instances, this class includes the functionality of the
   PolicyGroup. Therefore, an explicitly implementation of the
   PolicyGroup class is unnecessary.
   Con: The PolicyRule and the PolicyGroup have different semantics so
   they should be defined using different classes.

   4. pcelsReusableContainer is defined as a subclass of pcimRepository.
   Therefore the new class is an extension to the old one, not an
   alternative to it.
   Pro: As a subclass of pcimRepository, pcelsReusableContainer
   is compatible with older implementations that expect containers of
   reusable policy elements to be implemented as pcimRepository
   entries. The new class extends the functionality of the
   pcimRepository class by implementing the ContainedDomain aggregation.
   Con: pcelsReusableContainer as subclass of pcimRepository has
   potentially detrimental implications on Object Oriented models.



Pana, et al.               Expires: July 2004                 [page 62]

INTERNET-DRAFT                  PCELS                      January 2004


   5. pcelsConditionAssociation is defined as a subclass of
   pcimRuleConditionAssociation. It extends the applicability of
   the old class to the aggregation of PolicyContition instances as
   components of CompoundPolicyContitions.
   Pro: The Condition aggregation mechanism can be reused in both Rule
   and CompoundCondition, therefore making it possible to optimize
   their implementation.
   Con: Mapping of the PCIM_EXT aggregations is implicit therefore more
   difficult for some implementations to detect.













































Pana, et al.               Expires: July 2004                 [page 63]


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/