draft-ietf-policy-pcim-ext-02.txt   draft-ietf-policy-pcim-ext-03.txt 
skipping to change at page 1, line 18 skipping to change at page 1, line 18
A. Westerinen A. Westerinen
Cisco Systems Cisco Systems
R. Chadha R. Chadha
Telcordia Technologies Telcordia Technologies
M. Brunner M. Brunner
NEC NEC
R. Cohen R. Cohen
Ntear LLC Ntear LLC
J. Strassner J. Strassner
INTELLLIDEN, Inc. INTELLLIDEN, Inc.
August 2001
Policy Core Information Model Extensions Policy Core Information Model Extensions
<draft-ietf-policy-pcim-ext-02.txt> <draft-ietf-policy-pcim-ext-03.txt>
Friday, July 20, 2001, 10:53 AM Monday, August 20, 2001, 1:31 PM
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026. provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts. may also distribute working documents as Internet-Drafts.
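Review bot: the affiliation line for J. Strassner reads "INTELLLIDEN, Inc." with three L's in both -02 and -03, which looks like a typo carried over unchanged. Correct the spelling while the header is being touched for the new date.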
skipping to change at page 2, line 55 skipping to change at page 2, line 55
4.8.4. SimplePolicyActions.......................................31 4.8.4. SimplePolicyActions.......................................31
4.8.5. Policy Variables..........................................32 4.8.5. Policy Variables..........................................32
4.8.6. Explicitly Bound Policy Variables.........................33 4.8.6. Explicitly Bound Policy Variables.........................33
4.8.7. Implicitly Bound Policy Variables.........................34 4.8.7. Implicitly Bound Policy Variables.........................34
4.8.8. Structure and Usage of Pre-Defined Variables..............34 4.8.8. Structure and Usage of Pre-Defined Variables..............34
4.8.9. Rationale for Modeling Implicit Variables as Classes......35 4.8.9. Rationale for Modeling Implicit Variables as Classes......35
4.8.10. Policy Values............................................36 4.8.10. Policy Values............................................36
4.9. Packet Filtering............................................37 4.9. Packet Filtering............................................37
4.9.1. Domain-Level Packet Filters...............................37 4.9.1. Domain-Level Packet Filters...............................37
4.9.2. Device-Level Packet Filters...............................39 4.9.2. Device-Level Packet Filters...............................39
5. Class Definitions................................................39 4.10. Conformance to PCIM and PCIMe..............................39
5.1. The Abstract Class "PolicySet"..............................39 5. Class Definitions................................................40
5.2. Update PCIM's Class "PolicyGroup"...........................40 5.1. The Abstract Class "PolicySet"..............................40
5.3. Update PCIM's Class "PolicyRule"............................40 5.2. Update PCIM's Class "PolicyGroup"...........................41
5.4. The Class "SimplePolicyCondition"...........................41 5.3. Update PCIM's Class "PolicyRule"............................41
5.4. The Class "SimplePolicyCondition"...........................42
5.5. The Class "CompoundPolicyCondition".........................42 5.5. The Class "CompoundPolicyCondition".........................42
5.6. The Class "CompoundFilterCondition".........................42 5.6. The Class "CompoundFilterCondition".........................43
5.7. The Class "SimplePolicyAction"..............................43 5.7. The Class "SimplePolicyAction"..............................43
5.8. The Class "CompoundPolicyAction"............................43 5.8. The Class "CompoundPolicyAction"............................44
5.9. The Abstract Class "PolicyVariable".........................45 5.9. The Abstract Class "PolicyVariable".........................45
5.10. The Class "PolicyExplicitVariable".........................45 5.10. The Class "PolicyExplicitVariable".........................46
5.10.1. The Single-Valued Property "ModelClass"..................45 5.10.1. The Single-Valued Property "ModelClass"..................46
5.10.2. The Single-Valued Property ModelProperty.................46 5.10.2. The Single-Valued Property ModelProperty.................46
5.11. The Abstract Class "PolicyImplicitVariable"................46 5.11. The Abstract Class "PolicyImplicitVariable"................47
5.11.1. The Multi-Valued Property "ValueTypes"...................46 5.11.1. The Multi-Valued Property "ValueTypes"...................47
5.12. Subclasses of "PolicyImplicitVariable" Specified in PCIMe..47 5.12. Subclasses of "PolicyImplicitVariable" Specified in PCIMe..47
5.12.1. The Class "PolicySourceIPv4Variable".....................47 5.12.1. The Class "PolicySourceIPv4Variable".....................47
5.12.2. The Class "PolicySourceIPv6Variable".....................47 5.12.2. The Class "PolicySourceIPv6Variable".....................48
5.12.3. The Class "PolicyDestinationIPv4Variable"................47 5.12.3. The Class "PolicyDestinationIPv4Variable"................48
5.12.4. The Class "PolicyDestinationIPv6Variable"................47 5.12.4. The Class "PolicyDestinationIPv6Variable"................48
5.12.5. The Class "PolicySourcePortVariable".....................48 5.12.5. The Class "PolicySourcePortVariable".....................49
5.12.6. The Class "PolicyDestinationPortVariable"................48 5.12.6. The Class "PolicyDestinationPortVariable"................49
5.12.7. The Class "PolicyIPProtocolVariable".....................49 5.12.7. The Class "PolicyIPProtocolVariable".....................49
5.12.8. The Class "PolicyIPVersionVariable"......................49 5.12.8. The Class "PolicyIPVersionVariable"......................50
5.12.9. The Class "PolicyIPToSVariable"..........................49 5.12.9. The Class "PolicyIPToSVariable"..........................50
5.12.10. The Class "PolicyDSCPVariable"..........................49 5.12.10. The Class "PolicyDSCPVariable"..........................50
5.12.11. The Class "PolicyFlowIdVariable"........................50 5.12.11. The Class "PolicyFlowIdVariable"........................50
5.12.12. The Class "PolicySourceMACVariable".....................50 5.12.12. The Class "PolicySourceMACVariable".....................51
5.12.13. The Class "PolicyDestinationMACVariable"................50 5.12.13. The Class "PolicyDestinationMACVariable"................51
5.12.14. The Class "PolicyVLANVariable"..........................50 5.12.14. The Class "PolicyVLANVariable"..........................51
5.12.15. The Class "PolicyCoSVariable"...........................51 5.12.15. The Class "PolicyCoSVariable"...........................51
5.12.16. The Class "PolicyEthertypeVariable".....................51 5.12.16. The Class "PolicyEthertypeVariable".....................52
5.12.17. The Class "PolicySourceSAPVariable".....................51 5.12.17. The Class "PolicySourceSAPVariable".....................52
5.12.18. The Class "PolicyDestinationSAPVariable"................51 5.12.18. The Class "PolicyDestinationSAPVariable"................52
5.12.19. The Class "PolicySNAPVariable"..........................52 5.12.19. The Class "PolicySNAPVariable"..........................52
5.12.20. The Class "PolicyFlowDirectionVariable".................52 5.12.20. The Class "PolicyFlowDirectionVariable".................53
5.13. The Abstract Class "PolicyValue"...........................52 5.13. The Abstract Class "PolicyValue"...........................53
5.14. Subclasses of "PolicyValue" Specified in PCIMe.............53 5.14. Subclasses of "PolicyValue" Specified in PCIMe.............53
5.14.1. The Class "PolicyIPv4AddrValue"..........................53 5.14.1. The Class "PolicyIPv4AddrValue"..........................53
5.14.2. The Class "PolicyIPv6AddrValue...........................54 5.14.2. The Class "PolicyIPv6AddrValue...........................55
5.14.3. The Class "PolicyMACAddrValue"...........................55 5.14.3. The Class "PolicyMACAddrValue"...........................56
5.14.4. The Class "PolicyStringValue"............................55 5.14.4. The Class "PolicyStringValue"............................56
5.14.5. The Class "PolicyBitStringValue".........................56 5.14.5. The Class "PolicyBitStringValue".........................57
5.14.6. The Class "PolicyIntegerValue"...........................57 5.14.6. The Class "PolicyIntegerValue"...........................57
5.14.7. The Class "PolicyBooleanValue"...........................58 5.14.7. The Class "PolicyBooleanValue"...........................58
5.15. The Class "PolicyRoleCollection"...........................58 5.15. The Class "PolicyRoleCollection"...........................59
5.15.1. The Single-Valued Property "PolicyRole"..................58 5.15.1. The Single-Valued Property "PolicyRole"..................59
5.16. The Class "ReusablePolicyContainer"........................58 5.16. The Class "ReusablePolicyContainer"........................59
5.17. Deprecate PCIM's Class "PolicyRepository"..................59 5.17. Deprecate PCIM's Class "PolicyRepository"..................59
5.18. The Abstract Class "FilterEntryBase".......................59 5.18. The Abstract Class "FilterEntryBase".......................60
5.19. The Class "IPHeaderFilter".................................59 5.19. The Class "IpHeadersFilter"................................60
5.19.1. The Property IpVersion...................................60 5.19.1. The Property HdrIpVersion................................61
5.19.2. The Property SrcAddress..................................60 5.19.2. The Property HdrSrcAddress...............................61
5.19.3. The Property SrcMask.....................................60 5.19.3. The Property HdrSrcMask..................................61
5.19.4. The Property DestAddress.................................60 5.19.4. The Property HdrDestAddress..............................61
5.19.5. The Property DestMask....................................61 5.19.5. The Property HdrDestMask.................................62
5.19.6. The Property ProtocolID..................................61 5.19.6. The Property HdrProtocolID...............................62
5.19.7. The Property SrcPortStart................................61 5.19.7. The Property HdrSrcPortStart.............................62
5.19.8. The Property SrcPortEnd..................................61 5.19.8. The Property HdrSrcPortEnd...............................62
5.19.9. The Property DestPortStart...............................61 5.19.9. The Property HdrDestPortStart............................63
5.19.10. The Property DestPortEnd................................61 5.19.10. The Property HdrDestPortEnd.............................63
5.19.11. The Property DSCP.......................................62 5.19.11. The Property HdrDSCP....................................63
5.19.12. The Property FlowLabel..................................62 5.19.12. The Property HdrFlowLabel...............................64
5.20. The Class "8021Filter".....................................62 5.20. The Class "8021Filter".....................................64
5.20.1. The Property SrcMACAddr..................................62 5.20.1. The Property 8021HdrSrcMACAddr...........................64
5.20.2. The Property SrcMACMask..................................63 5.20.2. The Property 8021HdrSrcMACMask...........................64
5.20.3. The Property DestMACAddr.................................63 5.20.3. The Property 8021HdrDestMACAddr..........................65
5.20.4. The Property DestMACMask.................................63 5.20.4. The Property 8021HdrDestMACMask..........................65
5.20.5. The Property ProtocolID..................................63 5.20.5. The Property 8021HdrProtocolID...........................65
5.20.6. The Property PriorityValue...............................63 5.20.6. The Property 8021HdrPriorityValue........................65
5.20.7. The Property VLANID......................................63 5.20.7. The Property 8021HdrVLANID...............................65
5.21. The Class FilterList.......................................63 5.21. The Class FilterList.......................................66
5.21.1. The Property Direction...................................64 5.21.1. The Property Direction...................................66
6. Association and Aggregation Definitions..........................64 6. Association and Aggregation Definitions..........................67
6.1. The Aggregation "PolicySetComponent"........................64 6.1. The Aggregation "PolicySetComponent"........................67
6.2. Deprecate PCIM's Aggregation "PolicyGroupInPolicyGroup".....65 6.2. Deprecate PCIM's Aggregation "PolicyGroupInPolicyGroup".....67
6.3. Deprecate PCIM's Aggregation "PolicyRuleInPolicyGroup"......65 6.3. Deprecate PCIM's Aggregation "PolicyRuleInPolicyGroup"......68
6.4. The Abstract Association "PolicySetInSystem"................66 6.4. The Abstract Association "PolicySetInSystem"................68
6.5. Update PCIM's Weak Association "PolicyGroupInSystem"........66 6.5. Update PCIM's Weak Association "PolicyGroupInSystem"........69
6.6. Update PCIM's Weak Association "PolicyRuleInSystem".........67 6.6. Update PCIM's Weak Association "PolicyRuleInSystem".........69
6.7. The Abstract Aggregation "PolicyConditionStructure".........67 6.7. The Abstract Aggregation "PolicyConditionStructure".........70
6.8. Update PCIM's Aggregation "PolicyConditionInPolicyRule".....68 6.8. Update PCIM's Aggregation "PolicyConditionInPolicyRule".....70
6.9. The Aggregation "PolicyConditionInPolicyCondition"..........68 6.9. The Aggregation "PolicyConditionInPolicyCondition"..........70
6.10. The Abstract Aggregation "PolicyActionStructure"...........68 6.10. The Abstract Aggregation "PolicyActionStructure"...........71
6.11. Update PCIM's Aggregation "PolicyActionInPolicyRule".......68 6.11. Update PCIM's Aggregation "PolicyActionInPolicyRule".......71
6.12. The Aggregation "PolicyActionInPolicyAction"...............69 6.12. The Aggregation "PolicyActionInPolicyAction"...............71
6.13. The Aggregation "PolicyVariableInSimplePolicyCondition"....69 6.13. The Aggregation "PolicyVariableInSimplePolicyCondition"....71
6.14. The Aggregation "PolicyValueInSimplePolicyCondition".......70 6.14. The Aggregation "PolicyValueInSimplePolicyCondition".......72
6.15. The Aggregation "PolicyVariableInSimplePolicyAction".......70 6.15. The Aggregation "PolicyVariableInSimplePolicyAction".......73
6.16. The Aggregation "PolicyValueInSimplePolicyAction"..........71 6.16. The Aggregation "PolicyValueInSimplePolicyAction"..........73
6.17. The Association "ReusablePolicy"...........................72 6.17. The Association "ReusablePolicy"...........................74
6.18. Deprecate PCIM's "PolicyConditionInPolicyRepository".......72 6.18. Deprecate PCIM's "PolicyConditionInPolicyRepository".......74
6.19. Deprecate PCIM's "PolicyActionInPolicyRepository"..........72 6.19. Deprecate PCIM's "PolicyActionInPolicyRepository"..........75
6.20. The Association ExpectedPolicyValuesForVariable............72 6.20. The Association ExpectedPolicyValuesForVariable............75
6.21. The Aggregation "PolicyContainerInPolicyContainer".........73 6.21. The Aggregation "PolicyContainerInPolicyContainer".........76
6.22. Deprecate PCIM's "PolicyRepositoryInPolicyRepository"......74 6.22. Deprecate PCIM's "PolicyRepositoryInPolicyRepository"......76
6.23. The Aggregation "EntriesInFilterList"......................74 6.23. The Aggregation "EntriesInFilterList"......................76
6.23.1. The Reference GroupComponent.............................74 6.23.1. The Reference GroupComponent.............................77
6.23.2. The Reference PartComponent..............................74 6.23.2. The Reference PartComponent..............................77
6.23.3. The Property EntrySequence...............................75 6.23.3. The Property EntrySequence...............................77
6.24. The Aggregation "ElementInPolicyRoleCollection"............75 6.24. The Aggregation "ElementInPolicyRoleCollection"............77
6.25. The Weak Association "PolicyRoleCollectionInSystem"........75 6.25. The Weak Association "PolicyRoleCollectionInSystem"........77
7. Intellectual Property............................................76 7. Intellectual Property............................................78
8. Acknowledgements.................................................76 8. Acknowledgements.................................................79
9. Security Considerations..........................................76 9. Security Considerations..........................................79
10. References......................................................77 10. References......................................................79
11. Authors' Addresses..............................................78 11. Authors' Addresses..............................................80
12. Full Copyright Statement........................................79 12. Full Copyright Statement........................................81
13. Appendix A: Closed Issues.......................................80 13. Appendix A: Closed Issues.......................................82
1. Introduction 1. Introduction
This document (PCIM Extensions, abbreviated here to PCIMe) proposes a This document (PCIM Extensions, abbreviated here to PCIMe) proposes a
number of changes to the Policy Core Information Model (PCIM, RFC 3060 number of changes to the Policy Core Information Model (PCIM, RFC 3060
[3]). These changes include both extensions of PCIM into areas that it [3]). These changes include both extensions of PCIM into areas that it
did not previously cover, and changes to the existing PCIM classes and did not previously cover, and changes to the existing PCIM classes and
associations. Both sets of changes are done in a way that, to the extent associations. Both sets of changes are done in a way that, to the extent
possible, preserves interoperability with implementations of the original possible, preserves interoperability with implementations of the original
PCIM model. PCIM model.
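Review bot: the property renames in the 5.19 and 5.20 entries use two different prefix schemes. IpHeadersFilter properties become "Hdr..." (HdrSrcAddress), 8021Filter properties become "8021Hdr..." (8021HdrSrcMACAddr), and the FilterList property Direction in 5.21.1 is left unprefixed. Pick one scheme, or state the reason for the difference in the class definitions. In the same table of contents, entry 5.14.2 is still missing the closing quote after PolicyIPv6AddrValue in both versions, and 5.10.2 and 5.21 leave ModelProperty and FilterList unquoted where sibling entries quote the name.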
skipping to change at page 6, line 9 skipping to change at page 6, line 9
then be "pulled up" into the new classes. The net effect is that then be "pulled up" into the new classes. The net effect is that
the existing classes have exactly the same properties they had the existing classes have exactly the same properties they had
before, but the properties are inherited rather than defined before, but the properties are inherited rather than defined
explicitly in the classes. explicitly in the classes.
o New subclasses may be defined below existing classes. o New subclasses may be defined below existing classes.
2.2. List of Changes to the Model 2.2. List of Changes to the Model
The following subsections provide a very brief overview of the changes to The following subsections provide a very brief overview of the changes to
PCIM defined in PCIMe. In several cases, the origin of the change is PCIM defined in PCIMe. In several cases, the origin of the change is
noted, as QPIM [5], ICIM [6], or QDDIM [14]. noted, as QPIM [5], ICPM [6], or QDDIM [14].
2.2.1. Changes to PolicyRepository 2.2.1. Changes to PolicyRepository
Because of the potential for confusion with the Policy Framework Because of the potential for confusion with the Policy Framework
component Policy Repository (from the four-box picture: Policy Management component Policy Repository (from the four-box picture: Policy Management
Tool, Policy Repository, PDP, PEP), "PolicyRepository" is a bad name for Tool, Policy Repository, PDP, PEP), "PolicyRepository" is a bad name for
the PCIM class representing a container of reusable policy elements. the PCIM class representing a container of reusable policy elements.
Thus the class PolicyRepository is being replaced with the class Thus the class PolicyRepository is being replaced with the class
ReusablePolicyContainer. To accomplish this change, it is necessary to ReusablePolicyContainer. To accomplish this change, it is necessary to
deprecate the PCIM class PolicyRepository and its three associations, and deprecate the PCIM class PolicyRepository and its three associations, and
skipping to change at page 6, line 43 skipping to change at page 6, line 43
aggregations, as well as PCIM'e two aggregations PolicyGroupInPolicyGroup aggregations, as well as PCIM'e two aggregations PolicyGroupInPolicyGroup
and PolicyRuleInPolicyGroup, are all being combined into a single and PolicyRuleInPolicyGroup, are all being combined into a single
aggregation PolicySetComponent.) These aggregations make it possible to aggregation PolicySetComponent.) These aggregations make it possible to
define larger "chunks" of reusable policy to place in a define larger "chunks" of reusable policy to place in a
ReusablePolicyContainer. These aggregations also introduce new semantics ReusablePolicyContainer. These aggregations also introduce new semantics
representing the contextual implications of having one PolicyRule representing the contextual implications of having one PolicyRule
executing within the scope of another PolicyRule. executing within the scope of another PolicyRule.
2.2.3. Priorities and Decision Strategies 2.2.3. Priorities and Decision Strategies
Drawing from both QPIM and ICIM, the Priority property has been Drawing from both QPIM and ICPM, the Priority property has been
deprecated in PolicyRule, and placed instead on the aggregation deprecated in PolicyRule, and placed instead on the aggregation
PolicySetComponent. The QPIM rules for resolving relative priorities PolicySetComponent. The QPIM rules for resolving relative priorities
across nested PolicyGroups and PolicyRules have been incorporated into across nested PolicyGroups and PolicyRules have been incorporated into
PCIMe as well. With the removal of the Priority property from PCIMe as well. With the removal of the Priority property from
PolicyRule, a new modeling dependency is introduced. In order to PolicyRule, a new modeling dependency is introduced. In order to
prioritize a PolicyRule/PolicyGroup relative to other prioritize a PolicyRule/PolicyGroup relative to other
PolicyRules/PolicyGroups, the elements being prioritized must all reside PolicyRules/PolicyGroups, the elements being prioritized must all reside
in one of three places: in a common PolicyGroup, in a common PolicyRule, in one of three places: in a common PolicyGroup, in a common PolicyRule,
or in a common System. or in a common System.
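Review bot: the first line of this hunk still reads "PCIM'e two aggregations" in -03, the same as in -02; it should be "PCIMe's two aggregations". The ICIM to ICPM correction in 2.2.3 was made in this pass, so this typo in 2.2.2 can be fixed alongside it.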
skipping to change at page 8, line 41 skipping to change at page 8, line 41
classes: classes:
o They support specification of filters for all of the fields in a o They support specification of filters for all of the fields in a
particular protocol header in a single object instance. With the particular protocol header in a single object instance. With the
domain-level classes, separate instances are needed for each domain-level classes, separate instances are needed for each
header field. header field.
o They provide native representations for the filter values, as o They provide native representations for the filter values, as
opposed to the string representation used by the domain-level opposed to the string representation used by the domain-level
classes. classes.
Device-level filter classes for the IP and 802 MAC headers are defined, Device-level filter classes for the IP-related headers (IP, UDP, and TCP)
respectively, in sections 5.19 and 5.20. and the 802 MAC headers are defined, respectively, in sections 5.19 and
5.20.
3. The Updated Class and Association Class Hierarchies 3. The Updated Class and Association Class Hierarchies
The following figure shows the class inheritance hierarchy for PCIMe. The following figure shows the class inheritance hierarchy for PCIMe.
Changes from the PCIM hierarchy are noted parenthetically. Changes from the PCIM hierarchy are noted parenthetically.
ManagedElement (abstract) ManagedElement (abstract)
| |
+--Policy (abstract) +--Policy (abstract)
| | | |
skipping to change at page 10, line 21 skipping to change at page 10, line 21
+--System (abstract) +--System (abstract)
| | | |
| +--AdminDomain (abstract) | +--AdminDomain (abstract)
| | | |
| +---ReusablePolicyContainer (new - 4.2) | +---ReusablePolicyContainer (new - 4.2)
| | | |
| +---PolicyRepository (deprecated - 4.2) | +---PolicyRepository (deprecated - 4.2)
| |
+--FilterEntryBase (abstract -- new - 5.18) +--FilterEntryBase (abstract -- new - 5.18)
| | | |
| +--IPHeaderFilter (new - 5.19) | +--IpHeadersFilter (new - 5.19)
| | | |
| +--8021Filter (new - 5.20) | +--8021Filter (new - 5.20)
| |
+--FilterList (new - 5.21) +--FilterList (new - 5.21)
Figure 1. Class Inheritance Hierarchy for PCIMe Figure 1. Class Inheritance Hierarchy for PCIMe
The following figure shows the association class hierarchy for PCIMe. As The following figure shows the association class hierarchy for PCIMe. As
before, changes from PCIM are noted parenthetically. before, changes from PCIM are noted parenthetically.
[unrooted] [unrooted]
skipping to change at page 14, line 25 skipping to change at page 14, line 25
different functional scopes, but there is no requirement to do so. different functional scopes, but there is no requirement to do so.
4.2. Reusable Policy Elements 4.2. Reusable Policy Elements
In PCIM, a distinction was drawn between reusable PolicyConditions and In PCIM, a distinction was drawn between reusable PolicyConditions and
PolicyActions and rule-specific ones. The PolicyRepository class was PolicyActions and rule-specific ones. The PolicyRepository class was
also defined, to serve as a container for these reusable elements. The also defined, to serve as a container for these reusable elements. The
name "PolicyRepository" has proven to be an unfortunate choice for the name "PolicyRepository" has proven to be an unfortunate choice for the
class that serves as a container for reusable policy elements. This term class that serves as a container for reusable policy elements. This term
is already used in documents like the Policy Framework, to denote the is already used in documents like the Policy Framework, to denote the
location from which the PEP retrieves all policy specifications, and into location from which the PDP retrieves all policy specifications, and into
which the Policy Management Tool places all policy specifications. which the Policy Management Tool places all policy specifications.
Consequently, the PolicyRepository class is being deprecated, in favor of Consequently, the PolicyRepository class is being deprecated, in favor of
a new class ReusablePolicyContainer. a new class ReusablePolicyContainer.
When a class is deprecated, any associations that refer to it must also When a class is deprecated, any associations that refer to it must also
be deprecated. So replacements are needed for the two associations be deprecated. So replacements are needed for the two associations
PolicyConditionInPolicyRepository and PolicyActionInPolicyRepository, as PolicyConditionInPolicyRepository and PolicyActionInPolicyRepository, as
well as for the aggregation PolicyRepositoryInPolicyRepository. In well as for the aggregation PolicyRepositoryInPolicyRepository. In
addition to renaming the PolicyRepository class to addition to renaming the PolicyRepository class to
ReusablePolicyContainer, however, PCIMe is also broadening the types of ReusablePolicyContainer, however, PCIMe is also broadening the types of
skipping to change at page 18, line 29 skipping to change at page 18, line 29
An implementation of the rule engine need not provide the action An implementation of the rule engine need not provide the action
sequencing but the actions MUST be sequenced by the PEP or PDP on its sequencing but the actions MUST be sequenced by the PEP or PDP on its
behalf. So, for example, the rule engine may provide an ordered list of behalf. So, for example, the rule engine may provide an ordered list of
actions to be executed by the PEP and any required serialization is then actions to be executed by the PEP and any required serialization is then
provided by the service configured by the rule engine. See section 4.5.2 provided by the service configured by the rule engine. See section 4.5.2
for a discussion of side effects. for a discussion of side effects.
4.5.1. Structuring Decision Strategies 4.5.1. Structuring Decision Strategies
When policy sets are nested, as shown in Figure 3. , the decision As discussed in Sections 4.3 and 4.4, PolicySet instances may be nested
strategies may be nested arbitrarily. In this example, the relative arbitrarily. For a FirstMatching decision strategy on a PolicySet, any
priorities for the nested rules, high to low, are 1A, 1B1, 1X2, 1B3, 1C, contained PolicySet that matches satisfies the termination criteria for
1C1, 1X2 and 1C3. (Note that PolicyRule 1X2 is included in both the FirstMatching strategy. A PolicySet is considered to match if it is
PolicyGroup 1B and PolicyRule 1C, but with different priorities.) Of a PolicyRule and its conditions evaluate to True, or if the PolicySet is
course, which rules are enforced is also dependent on which rules, if a PolicyGroup and at least one of its contained PolicyGroups or
any, match. PolicyRules match. The priority associated with contained PolicySets,
then, determines when to terminate rule evaluation in the structured set
of rules.
In the example shown in Figure 3, the relative priorities for the nested
rules, high to low, are 1A, 1B1, 1X2, 1B3, 1C, 1C1, 1X2 and 1C3. (Note
that PolicyRule 1X2 is included in both PolicyGroup 1B and PolicyRule 1C,
but with different priorities.) Of course, which rules are enforced is
also dependent on which rules, if any, match.
PolicyGroup 1: FirstMatching PolicyGroup 1: FirstMatching
| |
+-- Pri=6 -- PolicyRule 1A +-- Pri=6 -- PolicyRule 1A
| |
+-- Pri=5 -- PolicyGroup 1B: AllMatching +-- Pri=5 -- PolicyGroup 1B: AllMatching
| | | |
| +-- Pri=5 -- PolicyGroup 1B1: AllMatching | +-- Pri=5 -- PolicyGroup 1B1: AllMatching
| | | | | |
| | +---- etc. | | +---- etc.
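Review bot: the new definition of "match" in 4.5.1 covers a PolicyRule only through its own conditions and a PolicyGroup only through its contained PolicyGroups and PolicyRules, yet the example paragraph that follows has PolicyRule 1X2 included in PolicyRule 1C. State explicitly whether a PolicyRule that contains nested rules matches on its own conditions alone or also depends on the nested rules, because that decides when a FirstMatching parent stops evaluating. A smaller point in the same sentence: "at least one of its contained PolicyGroups or PolicyRules match" should read "matches".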
skipping to change at page 39, line 18 skipping to change at page 39, line 18
o FlowDirection "In" / FlowDirection "Out" o FlowDirection "In" / FlowDirection "Out"
o Source IP address / Destination IP address o Source IP address / Destination IP address
o Source port / Destination port o Source port / Destination port
o Source MAC address / Destination MAC address o Source MAC address / Destination MAC address
o Source [layer-2] SAP / Destination [layer-2] SAP. o Source [layer-2] SAP / Destination [layer-2] SAP.
4.9.2. Device-Level Packet Filters 4.9.2. Device-Level Packet Filters
At the device level, packet header filters are represented by two At the device level, packet header filters are represented by two
subclasses of the abstract class FilterEntryBase: IPHeaderFilter and subclasses of the abstract class FilterEntryBase: IpHeadersFilter and
8021Filter. Submodels of PCIMe may define other subclasses of 8021Filter. Submodels of PCIMe may define other subclasses of
FilterEntryBase in addition to these two; ICIM [6], for example, defines FilterEntryBase in addition to these two; ICPM [6], for example, defines
subclasses for IPsec-specific filters. subclasses for IPsec-specific filters.
Instances of the subclasses of FilterEntryBase are not used directly as Instances of the subclasses of FilterEntryBase are not used directly as
filters. They are always aggregated into a FilterList, by the filters. They are always aggregated into a FilterList, by the
aggregation EntriesInFilterList. For PCIMe and its submodels, the aggregation EntriesInFilterList. For PCIMe and its submodels, the
EntrySequence property in this aggregation always takes its default value EntrySequence property in this aggregation always takes its default value
'0', indicating that the aggregated filter entries are ANDed together. '0', indicating that the aggregated filter entries are ANDed together.
The FilterList class includes an enumeration property Direction, The FilterList class includes an enumeration property Direction,
representing the direction of the traffic flow to which the FilterList is representing the direction of the traffic flow to which the FilterList is
to be applied. The value Mirrored(4) for Direction represents exactly to be applied. The value Mirrored(4) for Direction represents exactly
the same thing as the IsMirrored boolean does in CompoundFilterCondition. the same thing as the IsMirrored boolean does in CompoundFilterCondition.
See Section 4.9.1 for details. See Section 4.9.1 for details.
4.10. Conformance to PCIM and PCIMe
Because PCIM and PCIMe provide the core classes for modeling policies,
they are not in general sufficient by themselves for representing actual
policy rules. Submodels, such as QPIM and ICPM, provide the means for
expressing policy rules, by defining subclasses of the classes defined in
PCIM and PCIMe, and/or by indicating how the PolicyVariables and
PolicyValues defined in PCIMe can be used to express conditions and
actions applicable to the submodel.
A particular submodel will not, in general, need to use every element
defined in PCIM and PCIMe. For the elements it does not use, a submodel
SHOULD remain silent on whether its implementations must support the
element, must not support the element, should support the element, etc.
For the elements it does use, a submodel SHOULD indicate which elements
its implementations must support, which elements they should support, and
which elements they may support.
PCIM and PCIMe themselves simply define elements that may be of use to
submodels. These documents remain silent on whether implementations are
required to support an element, should support it, etc.
This model (and derived submodels) defines conditions and actions that
are used by policy rules. While the conditions and actions defined
herein are straightforward and may be presumed to be widely supported, as
submodels are developed it is likely that situations will arise in which
specific conditions or actions are not supported by some part of the
policy execution system. Similarly, situations may also occur where
rules contain syntactic or semantic errors.
It should be understood that the behavior and effect of undefined or
incorrectly defined conditions or actions is not prescribed by this
information model. While it would be helpful if it were prescribed, the
variations in implementation restrict the ability for this information
model to control the effect. For example, if an implementation only
detected that a PEP could not enforce a given action on that PEP, it
would be very difficult to declare that such a failure should affect
other PEPs, or the PDP process. On the other hand, if the PDP determines
that it cannot properly evaluate a condition, that failure may well
affect all applications of the containing rules.
5. Class Definitions 5. Class Definitions
The following definitions supplement those in PCIM itself. PCIM The following definitions supplement those in PCIM itself. PCIM
definitions that are not DEPRECATED here are still current parts of the definitions that are not DEPRECATED here are still current parts of the
overall Policy Core Information Model. overall Policy Core Information Model.
5.1. The Abstract Class "PolicySet" 5.1. The Abstract Class "PolicySet"
PolicySet is an abstract class that may group policies into a structured PolicySet is an abstract class that may group policies into a structured
set of policies. set of policies.
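Review bot: The last paragraph of the new Section 4.10 says the effect of undefined or incorrectly defined conditions or actions "is not prescribed by this information model", which leaves it to each implementation whether a rule that cannot be evaluated or enforced is skipped, partly applied, or treated as a failure of the whole rule set. The same section already tells submodels what they SHOULD state about element support, so consider adding that a submodel SHOULD also state the expected behavior when a PEP cannot enforce an action or a PDP cannot evaluate a condition; otherwise two conforming implementations can apply different traffic handling from the same policy. A smaller wording point in the second paragraph: "SHOULD remain silent" attaches a requirement keyword to saying nothing, which is hard to check for conformance; plain prose would read better there.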
skipping to change at page 59, line 50 skipping to change at page 60, line 35
NAME FilterEntryBase NAME FilterEntryBase
DESCRIPTION An abstract class representing a single DESCRIPTION An abstract class representing a single
filter that is aggregated into a filter that is aggregated into a
FilterList via the aggregation FilterList via the aggregation
EntriesInFilterList. EntriesInFilterList.
DERIVED FROM LogicalElement DERIVED FROM LogicalElement
TYPE Abstract TYPE Abstract
PROPERTIES IsNegated PROPERTIES IsNegated
5.19. The Class "IPHeaderFilter" 5.19. The Class "IpHeadersFilter"
This concrete class contains the most commonly required properties for
performing filtering on IP, TCP or UDP headers. Properties not present
in an instance of IPHeadersFilter are treated as 'all values'. A
property HdrIpVersion identifies whether the IP addresses in an instance
are IPv4 or IPv6 addresses. Since the source and destination IP
addresses come from the same packet header, they will always be of the
same type.
This concrete class makes it possible to represent an entire IP header
filter in a single object. A property IpVersion identifies whether the
IP addresses in an instance are IPv4 or IPv6 addresses. (Since the
source and destination IP addresses come from the same packet header,
they will always be of the same type.)
The class definition is as follows: The class definition is as follows:
NAME IPHeaderFilter NAME IpHeadersFilter
DESCRIPTION A class representing an entire IP DESCRIPTION A class representing an entire IP
header filter, or any subset of one. header filter, or any subset of one.
DERIVED FROM FilterEntryBase DERIVED FROM FilterEntryBase
TYPE Concrete TYPE Concrete
PROPERTIES IpVersion, SrcAddress, SrcMask, PROPERTIES HdrIpVersion, HdrSrcAddress, HdrSrcMask,
DestAddress, DestMask, ProtocolID, HdrDestAddress, HdrDestMask, HdrProtocolID,
SrcPortStart, SrcPortEnd, HdrSrcPortStart, HdrSrcPortEnd,
DestPortStart, DestPortEnd, DSCP, HdrDestPortStart, HdrDestPortEnd, HdrDSCP,
FlowLabel HdrFlowLabel
5.19.1. The Property IpVersion 5.19.1. The Property HdrIpVersion
This property is an 8-bit unsigned integer, identifying the version of This property is an 8-bit unsigned integer, identifying the version of
the IP addresses to be filtered on. IP versions are identified as they the IP addresses to be filtered on. IP versions are identified as they
are in the Version field of the IP packet header - IPv4 = 4, IPv6 = 6. are in the Version field of the IP packet header - IPv4 = 4, IPv6 = 6.
These two values are the only ones defined for this property. These two values are the only ones defined for this property.
The value of this property determines the sizes of the OctetStrings in The value of this property determines the sizes of the OctetStrings in
the four properties SrcAddress, SrcMask, DestAddress, and DestMask, as the four properties HdrSrcAddress, HdrSrcMask, HdrDestAddress, and
follows: HdrDestMask, as follows:
o IPv4: OctetString(SIZE (4)) o IPv4: OctetString(SIZE (4))
o IPv6: OctetString(SIZE (16|20)), depending on whether a scope o IPv6: OctetString(SIZE (16|20)), depending on whether a scope
identifier is present identifier is present
5.19.2. The Property SrcAddress If a value for this property is not provided, then the filter does not
consider IP version in selecting matching packets, i.e., IP version
matches for all values. In this case, the HdrSrcAddress, HdrSrcMask,
HdrDestAddress, and HdrDestMask must also not be present.
5.19.2. The Property HdrSrcAddress
This property is an OctetString, of a size determined by the value of the This property is an OctetString, of a size determined by the value of the
IpVersion property, representing a source IP address. This value is HdrIpVersion property, representing a source IP address. This value is
compared to the source address in the IP header, subject to the mask compared to the source address in the IP header, subject to the mask
represented in the SrcMask property. represented in the HdrSrcMask property.
5.19.3. The Property SrcMask If a value for this property is not provided, then the filter does not
consider HdrSrcAddress in selecting matching packets, i.e., HdrSrcAddress
matches for all values.
5.19.3. The Property HdrSrcMask
This property is an OctetString, of a size determined by the value of the This property is an OctetString, of a size determined by the value of the
IpVersion property, representing a mask to be used in comparing the HdrIpVersion property, representing a mask to be used in comparing the
source address in the IP header with the value represented in the source address in the IP header with the value represented in the
SrcAddress property. HdrSrcAddress property.
5.19.4. The Property DestAddress If a value for this property is not provided, then the filter does not
consider HdrSrcMask in selecting matching packets, i.e., the value of
HdrSrcAddress must match the source address in the packet exactly.
5.19.4. The Property HdrDestAddress
This property is an OctetString, of a size determined by the value of the This property is an OctetString, of a size determined by the value of the
IpVersion property, representing a destination IP address. This value is HdrIpVersion property, representing a destination IP address. This value
compared to the destination address in the IP header, subject to the mask is compared to the destination address in the IP header, subject to the
represented in the DestMask property. mask represented in the HdrDestMask property.
5.19.5. The Property DestMask If a value for this property is not provided, then the filter does not
consider HdrDestAddress in selecting matching packets, i.e.,
HdrDestAddress matches for all values.
5.19.5. The Property HdrDestMask
This property is an OctetString, of a size determined by the value of the This property is an OctetString, of a size determined by the value of the
IpVersion property, representing a mask to be used in comparing the HdrIpVersion property, representing a mask to be used in comparing the
destination address in the IP header with the value represented in the destination address in the IP header with the value represented in the
DestAddress property. HdrDestAddress property.
5.19.6. The Property ProtocolID If a value for this property is not provided, then the filter does not
consider HdrDestMask in selecting matching packets, i.e., the value of
HdrDestAddress must match the destination address in the packet exactly.
5.19.6. The Property HdrProtocolID
This property is an 8-bit unsigned integer, representing an IP protocol This property is an 8-bit unsigned integer, representing an IP protocol
type. This value is compared to the Protocol field in the IP header. type. This value is compared to the Protocol field in the IP header.
5.19.7. The Property SrcPortStart If a value for this property is not provided, then the filter does not
consider HdrProtocolID in selecting matching packets, i.e., HdrProtocolID
matches for all values.
5.19.7. The Property HdrSrcPortStart
This property is a 16-bit unsigned integer, representing the lower end of This property is a 16-bit unsigned integer, representing the lower end of
a range of UDP or TCP source ports. The upper end of the range is a range of UDP or TCP source ports. The upper end of the range is
represented by the SrcPortEnd property. The value of SrcPortStart MUST represented by the HdrSrcPortEnd property. The value of HdrSrcPortStart
be no greater than the value of SrcPortEnd. A single port is indicated MUST be no greater than the value of HdrSrcPortEnd. A single port is
by equal values for SrcPortStart and SrcPortEnd. indicated by equal values for HdrSrcPortStart and HdrSrcPortEnd.
A source port filter is evaluated by testing whether the source port A source port filter is evaluated by testing whether the source port
identified in the IP header falls within the range of values between identified in the IP header falls within the range of values between
SrcPortStart and SrcPortEnd, including these two end points. HdrSrcPortStart and HdrSrcPortEnd, including these two end points.
5.19.8. The Property SrcPortEnd If a value for this property is not provided, then the filter does not
consider HdrSrcPortStart in selecting matching packets, i.e., there is no
lower bound in matching source port values.
5.19.8. The Property HdrSrcPortEnd
This property is a 16-bit unsigned integer, representing the upper end of This property is a 16-bit unsigned integer, representing the upper end of
a range of UDP or TCP source ports. The lower end of the range is a range of UDP or TCP source ports. The lower end of the range is
represented by the SrcPortStart property. The value of SrcPortEnd MUST represented by the HdrSrcPortStart property. The value of HdrSrcPortEnd
be no less than the value of SrcPortStart. A single port is indicated by MUST be no less than the value of HdrSrcPortStart. A single port is
equal values for SrcPortStart and SrcPortEnd. indicated by equal values for HdrSrcPortStart and HdrSrcPortEnd.
A source port filter is evaluated by testing whether the source port A source port filter is evaluated by testing whether the source port
identified in the IP header falls within the range of values between identified in the IP header falls within the range of values between
SrcPortStart and SrcPortEnd, including these two end points. HdrSrcPortStart and HdrSrcPortEnd, including these two end points.
5.19.9. The Property DestPortStart If a value for this property is not provided, then the filter does not
consider HdrSrcPortEnd in selecting matching packets, i.e., there is no
upper bound in matching source port values.
5.19.9. The Property HdrDestPortStart
This property is a 16-bit unsigned integer, representing the lower end of This property is a 16-bit unsigned integer, representing the lower end of
a range of UDP or TCP destination ports. The upper end of the range is a range of UDP or TCP destination ports. The upper end of the range is
represented by the DestPortEnd property. The value of DestPortStart MUST represented by the HdrDestPortEnd property. The value of
be no greater than the value of DestPortEnd. A single port is indicated HdrDestPortStart MUST be no greater than the value of HdrDestPortEnd. A
by equal values for DestPortStart and DestPortEnd. single port is indicated by equal values for HdrDestPortStart and
HdrDestPortEnd.
A destination port filter is evaluated by testing whether the destination A destination port filter is evaluated by testing whether the destination
port identified in the IP header falls within the range of values between port identified in the IP header falls within the range of values between
DestPortStart and DestPortEnd, including these two end points. HdrDestPortStart and HdrDestPortEnd, including these two end points.
5.19.10. The Property DestPortEnd If a value for this property is not provided, then the filter does not
consider HdrDestPortStart in selecting matching packets, i.e., there is
no lower bound in matching destination port values.
5.19.10. The Property HdrDestPortEnd
This property is a 16-bit unsigned integer, representing the upper end of This property is a 16-bit unsigned integer, representing the upper end of
a range of UDP or TCP destination ports. The lower end of the range is a range of UDP or TCP destination ports. The lower end of the range is
represented by the DestPortStart property. The value of DestPortEnd MUST represented by the HdrDestPortStart property. The value of
be no less than the value of DestPortStart. A single port is indicated HdrDestPortEnd MUST be no less than the value of HdrDestPortStart. A
by equal values for DestPortStart and DestPortEnd. single port is indicated by equal values for HdrDestPortStart and
HdrDestPortEnd.
A destination port filter is evaluated by testing whether the destination A destination port filter is evaluated by testing whether the destination
port identified in the IP header falls within the range of values between port identified in the IP header falls within the range of values between
DestPortStart and DestPortEnd, including these two end points. HdrDestPortStart and HdrDestPortEnd, including these two end points.
5.19.11. The Property DSCP If a value for this property is not provided, then the filter does not
consider HdrDestPortEnd in selecting matching packets, i.e., there is no
upper bound in matching destination port values.
The property DSCP is defined as a uint8, restricted to the range 0..63. 5.19.11. The Property HdrDSCP
Since DSCPs are defined as discrete code points, with no inherent
The property HdrDSCP is defined as a uint8, restricted to the range
0..63. Since DSCPs are defined as discrete code points, with no inherent
structure, there is no semantically significant relationship between structure, there is no semantically significant relationship between
different DSCPs. Consequently, there is no provision for specifying a different DSCPs. Consequently, there is no provision for specifying a
range of DSCPs in this property. range of DSCPs in this property.
5.19.12. The Property FlowLabel If a value for this property is not provided, then the filter does not
consider HdrDSCP in selecting matching packets, i.e., HdrDSCP matches for
all values.
5.19.12. The Property HdrFlowLabel
The 20-bit Flow Label field in the IPv6 header may be used by a source to The 20-bit Flow Label field in the IPv6 header may be used by a source to
label sequences of packets for which it requests special handling by IPv6 label sequences of packets for which it requests special handling by IPv6
devices, such as non-default quality of service or 'real-time' service. devices, such as non-default quality of service or 'real-time' service.
This property is an octet string of size 3 (that is, 24 bits), in which This property is an octet string of size 3 (that is, 24 bits), in which
the 20-bit Flow Label appears in the rightmost 20 bits, padded on the the 20-bit Flow Label appears in the rightmost 20 bits, padded on the
left with b'0000'. left with b'0000'.
If a value for this property is not provided, then the filter does not
consider HdrFlowLabel in selecting matching packets, i.e., HdrFlowLabel
matches for all values.
5.20. The Class "8021Filter" 5.20. The Class "8021Filter"
This concrete class allows 802.1.source and destination MAC addresses, as This concrete class allows 802.1.source and destination MAC addresses, as
well as the 802.1 protocol ID, priority, and VLAN identifier fields, to well as the 802.1 protocol ID, priority, and VLAN identifier fields, to
be expressed in a single object be expressed in a single object
The class definition is as follows: The class definition is as follows:
NAME 8021Filter NAME 8021Filter
DESCRIPTION A class that allows 802.1 source DESCRIPTION A class that allows 802.1 source
and destination MAC address and and destination MAC address and
protocol ID, priority, and VLAN protocol ID, priority, and VLAN
identifier filters to be identifier filters to be
expressed in a single object. expressed in a single object.
DERIVED FROM FilterEntryBase DERIVED FROM FilterEntryBase
TYPE Concrete TYPE Concrete
PROPERTIES SrcMACAddr, SrcMACMask, DestMACAddr, PROPERTIES 8021HdrSrcMACAddr, 8021HdrSrcMACMask,
DestMACMask, ProtocolID, PriorityValue, 8021HdrDestMACAddr, 8021HdrDestMACMask,
VLANID 8021HdrProtocolID, 8021HdrPriorityValue,
8021HDRVLANID
5.20.1. The Property SrcMACAddr 5.20.1. The Property 8021HdrSrcMACAddr
This property is an OctetString of size 6, representing a 48-bit source This property is an OctetString of size 6, representing a 48-bit source
MAC address in canonical format. This value is compared to the MAC address in canonical format. This value is compared to the
SourceAddress field in the MAC header, subject to the mask represented in SourceAddress field in the MAC header, subject to the mask represented in
the SrcMACMask property. the 8021HdrSrcMACMask property.
5.20.2. The Property SrcMACMask If a value for this property is not provided, then the filter does not
consider 8021HdrSrcMACAddr in selecting matching packets, i.e.,
8021HdrSrcMACAddr matches for all values.
5.20.2. The Property 8021HdrSrcMACMask
This property is an OctetString of size 6, representing a 48-bit mask to This property is an OctetString of size 6, representing a 48-bit mask to
be used in comparing the SourceAddress field in the MAC header with the be used in comparing the SourceAddress field in the MAC header with the
value represented in the SrcMACAddr property. value represented in the 8021HdrSrcMACAddr property.
5.20.3. The Property DestMACAddr If a value for this property is not provided, then the filter does not
consider 8021HdrSrcMACMask in selecting matching packets, i.e., the value
of 8021HdrSrcMACAddr must match the source MAC address in the packet
exactly.
5.20.3. The Property 8021HdrDestMACAddr
This property is an OctetString of size 6, representing a 48-bit This property is an OctetString of size 6, representing a 48-bit
destination MAC address in canonical format. This value is compared to destination MAC address in canonical format. This value is compared to
the DestinationAddress field in the MAC header, subject to the mask the DestinationAddress field in the MAC header, subject to the mask
represented in the DestMACMask property. represented in the 8021HdrDestMACMask property.
5.20.4. The Property DestMACMask If a value for this property is not provided, then the filter does not
consider 8021HdrDestMACAddr in selecting matching packets, i.e.,
8021HdrDestMACAddr matches for all values.
5.20.4. The Property 8021HdrDestMACMask
This property is an OctetString of size 6, representing a 48-bit mask to This property is an OctetString of size 6, representing a 48-bit mask to
be used in comparing the DestinationAddress field in the MAC header with be used in comparing the DestinationAddress field in the MAC header with
the value represented in the DestMACAddr property. the value represented in the 8021HdrDestMACAddr property.
5.20.5. The Property ProtocolID If a value for this property is not provided, then the filter does not
consider 8021HdrDestMACMask in selecting matching packets, i.e., the
value of 8021HdrDestMACAddr must match the destination MAC address in the
packet exactly.
5.20.5. The Property 8021HdrProtocolID
This property is a 16-bit unsigned integer, representing an Ethernet This property is a 16-bit unsigned integer, representing an Ethernet
protocol type. This value is compared to the Ethernet Type field in the protocol type. This value is compared to the Ethernet Type field in the
802.3 MAC header. 802.3 MAC header.
5.20.6. The Property PriorityValue If a value for this property is not provided, then the filter does not
consider 8021HdrProtocolID in selecting matching packets, i.e.,
8021HdrProtocolID matches for all values.
5.20.6. The Property 8021HdrPriorityValue
This property is an 8-bit unsigned integer, representing an 802.1Q This property is an 8-bit unsigned integer, representing an 802.1Q
priority. This value is compared to the Priority field in the 802.1Q priority. This value is compared to the Priority field in the 802.1Q
header. Since the 802.1Q Priority field consists of 3 bits, the values header. Since the 802.1Q Priority field consists of 3 bits, the values
for this property are limited to the range 0..7. for this property are limited to the range 0..7.
5.20.7. The Property VLANID If a value for this property is not provided, then the filter does not
consider 8021HdrPriorityValue in selecting matching packets, i.e.,
8021HdrPriorityValue matches for all values.
5.20.7. The Property 8021HdrVLANID
This property is a 32-bit unsigned integer, representing an 802.1Q VLAN This property is a 32-bit unsigned integer, representing an 802.1Q VLAN
Identifier. This value is compared to the VLAN ID field in the 802.1Q Identifier. This value is compared to the VLAN ID field in the 802.1Q
header. Since the 802.1Q VLAN ID field consists of 12 bits, the values header. Since the 802.1Q VLAN ID field consists of 12 bits, the values
for this property are limited to the range 0..4095. for this property are limited to the range 0..4095.
If a value for this property is not provided, then the filter does not
consider 8021HdrVLANID in selecting matching packets, i.e., 8021HdrVLANID
matches for all values.
5.21. The Class FilterList 5.21. The Class FilterList
This is a concrete class that aggregates instances of (subclasses of) This is a concrete class that aggregates instances of (subclasses of)
FilterEntryBase via the aggregation EntriesInFilterList. It is possible FilterEntryBase via the aggregation EntriesInFilterList. It is possible
to aggregate different types of filters into a single FilterList - for to aggregate different types of filters into a single FilterList - for
example, packet header filters (represented by the IPHeaderFilter class) example, packet header filters (represented by the IpHeadersFilter class)
and security filters (represented by subclasses of FilterEntryBase and security filters (represented by subclasses of FilterEntryBase
defined by IPsec). defined by IPsec).
The aggregation property EntriesInFilterList.EntrySequence serves to The aggregation property EntriesInFilterList.EntrySequence serves to
order the filter entries in a FilterList. This is necessary when order the filter entries in a FilterList. This is necessary when
algorithms such as "Match First" are used to identify traffic based on an algorithms such as "Match First" are used to identify traffic based on an
aggregated set of FilterEntries. In modeling QoS classifiers, however, aggregated set of FilterEntries. In modeling QoS classifiers, however,
this property is always set to 0, to indicate that the aggregated filter this property is always set to 0, to indicate that the aggregated filter
entries are ANDed together to form a selector for a class of traffic. entries are ANDed together to form a selector for a class of traffic.
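Review bot: The new "If a value for this property is not provided" paragraphs in 5.19 and 5.20 define each property's absence on its own, but several combinations remain undefined: a mask (HdrSrcMask, HdrDestMask, 8021HdrSrcMACMask, 8021HdrDestMACMask) present while its address property is absent; a port range present while HdrProtocolID is absent, given that the ports are described as "UDP or TCP" ports yet an absent HdrProtocolID "matches for all values"; and HdrFlowLabel present while HdrIpVersion is 4, although the text ties the Flow Label to the IPv6 header. Two implementations could select different packets from the same filter instance, so please state for each combination whether the instance is invalid or how it is evaluated. 5.19.1 already does this for one case ("must also not be present"), but with a lowercase "must" where the port sections use MUST. Naming also needs a pass: the new introduction to 5.19 spells the class "IPHeadersFilter" while the heading and NAME line use "IpHeadersFilter", and the 8021Filter PROPERTIES list has "8021HDRVLANID" while 5.20.7 is headed "8021HdrVLANID".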
 End of changes. 72 change blocks. 
179 lines changed or deleted 316 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/