draft-ietf-rap-frameworkpib-00.txt   draft-ietf-rap-frameworkpib-01.txt 
Network Working Group M. Fine Network Working Group M. Fine
Internet Draft K. McCloghrie Internet Draft K. McCloghrie
Expires September 2000 Cisco Systems Expires January 2001 Cisco Systems
J. Seligson J. Seligson
K. Chan K. Chan
Nortel Networks Nortel Networks
S. Hahn S. Hahn
R. Sahita
Intel Intel
A. Smith A. Smith
Extreme Networks No Affiliation
Francis Reichmeyer Francis Reichmeyer
IPHighway IPHighway
March 10, 2000 July 14, 2000
Framework Policy Information Base Framework Policy Information Base
draft-ietf-rap-frameworkpib-00.txt draft-ietf-rap-frameworkpib-01.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with
provisions of Section 10 of RFC2026. Internet-Drafts are working all provisions of Section 10 of RFC2026. Internet-Drafts are
documents of the Internet Engineering Task Force (IETF), its areas, and working documents of the Internet Engineering Task Force (IETF), its
its working groups. Note that other groups may also distribute working areas, and its working groups. Note that other groups may also
documents as Internet-Drafts. distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six
and may be updated, replaced, or obsoleted by other documents at any months and may be updated, replaced, or obsoleted by other documents
time. It is inappropriate to use Internet-Drafts as reference material at any time. It is inappropriate to use Internet-Drafts as
or to cite them other than as ``work in progress.'' reference material or to cite them other than as ''work in
progress''.
To view the current status of any Internet-Draft, please check the To view the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in an Internet-Drafts Shadow ''1id-abstracts.txt'' listing contained in an Internet-Drafts Shadow
Directory, see http://www.ietf.org/shadow.html. Directory, see http://www.ietf.org/shadow.html.
Framework Policy Information Base March 2000 Framework Policy Information Base July 2000
1. Glossary 1. Glossary
PRC Policy Rule Class. A type of policy data. PRC Policy Rule Class. A type of policy data.
PRI Policy Rule Instance. An instance of a PRC. PRI Policy Rule Instance. An instance of a PRC.
PIB Policy Information Base. The database of policy information. PIB Policy Information Base. The database of policy information.
PDP Policy Decision Point. See [RAP-FRAMEWORK]. PDP Policy Decision Point. See [RAP-FRAMEWORK].
PEP Policy Enforcement Point. See [RAP-FRAMEWORK]. PEP Policy Enforcement Point. See [RAP-FRAMEWORK].
PRID Policy Rule Instance Identifier. Uniquely identifies an PRID Policy Rule Instance Identifier. Uniquely identifies an
instance of a a PRC. instance of a PRC.
2. Introduction 2. Introduction
[SPPI] describes a structure for specifying policy information that can [SPPI] describes a structure for specifying policy information that
then be transmitted to a network device for the purpose of configuring can then be transmitted to a network device for the purpose of
policy at that device. The model underlying this structure is one of configuring policy at that device. The model underlying this
well defined policy rule classes and instances of these classes residing structure is one of well-defined policy rule classes and instances
in a virtual information store called the Policy Information Base (PIB). of these classes residing in a virtual information store called the
Policy Information Base (PIB).
One way to provision policy is by means of the COPS protocol [COPS] with One way to provision policy is by means of the COPS protocol [COPS]
the extensions for provisioning [COPS-PR]. This protocol supports with the extensions for provisioning [COPS-PR]. This protocol
multiple clients, each of which may provision policy for a specific supports multiple clients, each of which may provision policy for a
policy domain such as QoS, virtual private networks, or security. specific policy domain such as QoS, virtual private networks, or
security.
As described in [COPS-PR], each client supports a non-overlapping and As described in [COPS-PR], each client supports a non-overlapping
independent PIB. However, some policy rule classes are common to all and independent set of PIB modules. However, some policy rule
client types and replicated in each. This document presents the PIB classes are common to all subject categories (client-types) and need
classes that are common to all clients that provision policy using COPS to be present in each. This document presents a set of PRCs that
for Provisioning. are common to all clients that provision policy using COPS for
Provisioning.
3. General PIB Concepts 3. General PIB Concepts
3.1. Roles 3.1. Roles
The policy to apply to an interface may depend on many factors such as The policy to apply to an interface may depend on many factors such
immutable characteristics of the interface (e.g., ethernet or frame as immutable characteristics of the interface (e.g., ethernet or
relay), the status of the interface (e.g., half or full duplex), or user frame relay), the status of the interface (e.g., half or full
configuration (e.g., branch office or headquarters interface). Rather duplex), or user configuration (e.g., branch office or headquarters
than specifying policies explicitly for each interface of all devices in interface). Rather than specifying policies explicitly for each
the network, policies are specified in terms of interface functionality. interface of all devices in the network, policies are specified in
terms of interface functionality.
To describe these functionalities of an interface we use the concept of To describe these functionalities of an interface we use the concept
"roles". A role is simply a string that is associated with an of "roles". A role is simply a string that is associated with an
interface. A given interface may have any number of roles interface. A given interface may have any number of roles
simultaneously. Policy rule classes have an attribute called a "role- simultaneously. Policy rule classes have an attribute called a
"role-combination" which is a lexicographically ordered set of
Framework Policy Information Base March 2000 roles. Instances of a given policy rule class are applied to an
interface if and only if the set of roles in the role combination
matches the set of the roles of the interface.
combination" which is an unordered set of roles. Instances of a given Framework Policy Information Base July 2000
policy rule class are applied to an interface if and only if the set of
roles in the role combination is identical to the set of the roles of
the interface.
Thus, roles provide a way to bind policy to interfaces without having to Thus, roles provide a way to bind policy to interfaces without
explicitly identify interfaces in a consistent manner across all network having to explicitly identify interfaces in a consistent manner
devices. (The SNMP experience with ifIndex has proved this to be a across all network devices. (The SNMP experience with ifIndex has
difficult task.) That is, roles provide a level of indirection to the proved this to be a difficult task.) That is, roles provide a level
application of a set of policies to specific interfaces. Furthermore, of indirection to the application of a set of policies to specific
if the same policy is being applied to several interfaces, that policy interfaces. Furthermore, if the same policy is being applied to
need be pushed to the device only once, rather than once per interface, several interfaces, that policy need be pushed to the device only
as long as the interfaces are configured with the same role combination. once, rather than once per interface, as long as the interfaces are
configured with the same role combination.
We point out that, in the event that the administrator needs to have We point out that, in the event that the administrator needs to have
unique policy for each interface, this can be achieved by configuring unique policy for each interface, this can be achieved by
each interface with a unique role. configuring each interface with a unique role.
The PEP reports all its role combinations to the PDP at connect time or The PEP reports all its role combinations to the PDP in the initial
whenever they change. COPS request (REQ) message and in subsequent request messages
generated in response to COPS state synchronization (SSQ) requests
and local configuration changes.
The comparing of roles (or role combinations) is case sensitive. The comparing of roles (or role combinations) is case sensitive.
The concept and usage of roles in this document is consistent with that By convention, when formatting the role-combination for exchange
specified in [POLICY]. Roles are currently under discussion in the within a protocol message, within a PIB/MIB object's value, or as a
IETF's Policy WG; as and when that discussion reaches a conclusion, this printed value, the set is formatted in lexicographical order of the
PIB will be updated in accordance with that conclusion. role's ASCII values; that is, the role that is first is formatted
first. For example, "a+b" and "b+a" are NOT different role-
combinations; rather, they are different formatting of the same
role-combination, and hence for this example:
- "a+b" is the valid formatting of that role-combination,
- "b+a" is an invalid formatting of that role-combination.
The role-combination of interfaces to which no roles have been
assigned is known as the "null" role-combination. (Note the
deliberate use of lower-case letters for "null" so that it avoids
confusion with the ASCII NULL character that has a value of zero but
a length of one.)
In an "install" or an "install-notify" class, the wildcard role-
combination "*" can be used. In addition to providing for interface-
specific roles, it also allows for other optimizations in reducing
the number of role-combinations for which a policy has to be
specified. For example:
Suppose we have three interfaces:
Roles A, B and R1 are assigned to interface I1
Roles A, B and R2 are assigned to interface I2
Roles A, B and R3 are assigned to interface I3
Framework Policy Information Base July 2000
Then, a PRI of the qosIfDscpAssignTable class which has the values:
qosIfDscpAssignPrid = 1
qosIfDscpAssignRoles = "*+A+B"
qosIfDscpAssignName = "4queues"
qosIfDscpAssignDscpMap = 1
will apply to all three interfaces, because "*" matches with R1, R2
and R3.
Formally,
- The wildcard role is denoted by "*",
- The "*" role is not allowed to be defined as part of the role-
combination of an interface as notified by the PEP to the PDP; it
is only allowed in policies installed/deleted via COPS-PR from
the PDP to the PEP.
- For a policy to apply to an interface when the policy's role-
combination is "*+a+b", then the interface's role-combination:
- Must include "a" and "b", and
- Can include zero or more other roles.
- The wildcard character "*" is listed before the other roles as
"*" is lexicographically before "a"; however, the wildcard matches
any zero or more roles, irrespective of lexicographical order.
For example: "*+b+e+g" would match "a+b+c+e+f+g"
The concept and usage of roles in this document is consistent with
that specified in [POLICY]. Roles are currently under discussion in
the IETF's Policy WG; as and when that discussion reaches a
conclusion, this PIB will be updated in accordance with that
conclusion.
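Review bot: In the new wildcard rules of section 3.1, the statement that "*" is listed first because it is lexicographically before "a" holds only for role names whose first character sorts after "*" in ASCII, and the text puts no restriction on the characters a role may contain. Because a role-combination is formatted with "+" between roles and compared case-sensitively in ASCII order, the draft should state which characters a role may use (at least excluding "+" and "*"), and either require "*" to be first regardless of ordering or say how it sorts against other roles. It should also say whether a policy whose role-combination is just "*" applies to an interface with the "null" role-combination, and the opening paragraph's "matches the set of the roles of the interface" should distinguish the exact match from the wildcard match, since -00 said "identical".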
3.1.1. An Example 3.1.1. An Example
The functioning of roles might be best understood by an example. The functioning of roles might be best understood by an example.
Suppose I have a device with three interfaces, with roles as follows: Suppose I have a device with three interfaces, with roles as
follows:
IF1: "finance" IF1: "finance"
IF2: "finance" IF2: "finance"
IF3: "manager" IF3: "manager"
Suppose, I also have a PDP with two policies: Suppose, I also have a PDP with two policies:
P1: Packets from finance department (role "finance") get PHB 5 P1: Packets from finance department (role "finance") get DSCP 5
P2: Packets from managers (role "manager") get PHB 6 P2: Packets from managers (role "manager") get DSCP 6
To obtain policy, the PEP reports to the PDP that it has some interfaces
with role combination "finance" and some with role combination
Framework Policy Information Base March 2000 To obtain policy, the PEP reports to the PDP that it has some
interfaces with role combination "finance" and some with role
combination "manager". In response, the PDP downloads policy P1
associated with role combination "finance" and downloads a second
policy P2 associated with role combination "manager".
"manager". In response, the PDP downloads policy P1 associated with Framework Policy Information Base July 2000
role combination "finance" and downloads a second policy P2 associated
with role combination "manager".
Now suppose the finance person attached to IF2 is promoted to manager Now suppose the finance person attached to IF2 is promoted to
and so the system administrator adds the role "manager" to IF2. The PEP manager and so the system administrator adds the role "manager" to
now reports to the PDP that it has three role combinations: some IF2. The PEP now reports to the PDP that it has three role
interfaces with role combination "finance", some with role combination combinations: some interfaces with role combination "finance", some
"manager" and some with role combination "finance+manager". In with role combination "manager" and some with role combination
response, the PDP downloads an additional third policy associated with "finance+manager". In response, the PDP downloads an additional
the new role combination "finance+manager". third policy associated with the new role combination
"finance+manager".
How the PDP determines the policy for this new role combination is How the PDP determines the policy for this new role combination is
entirely the responsibility of the PDP. It could do so algorithmically entirely the responsibility of the PDP. It could do so
or by rule. For example, there might be a rule that specifies that algorithmically or by rule. For example, there might be a rule that
manager policy takes preference over depertment policy. Or there might specifies that manager policy takes preference over department
be a third policy installed in the PDP as follows: policy. Or there might be a third policy installed in the PDP as
follows:
P3: Packets from finance managers (role "finance" and role P3: Packets from finance managers (role "finance" and role
"manager") get PHB 7 "manager") get DSCP 7
The point here is that the PDP is required to determine what policy The point here is that the PDP is required to determine what policy
applies to this new role combination and to download a third policy to applies to this new role combination and to download a third policy
the PEP for the role combination "finance+manager" even if that policy to the PEP for the role combination "finance+manager" even if that
is the same as one already downloaded. The PEP is not required (or policy is the same as one already downloaded. The PEP is not
allowed) to construct policy for new role combinations from existing required (or allowed) to construct policy for new role combinations
policy. from existing policy.
3.2. Multiple PIB Instances 3.2. Multiple PIB Instances
Similar to SNMP contexts, [COPS-PR] supports multiple, disjoint, [COPS-PR] supports multiple, disjoint, independent instances of the
independent instances of the PIB to represent multiple instances of PIB to represent multiple instances of configured policy. The
configured policy. The intent is to allow for the pre-provisioning of intent is to allow for the pre-provisioning of policy that can then
policy which can then be made active by a single, short decision from be made active by a single, short decision from the PDP.
the PDP.
With the COPS-PR protocol, each of these instances is identified by a A COPS context can be defined as an independent COPS request state
unique client handle. The creation and deletion of these PIB instances for a particular subject category (client-type).
is controlled by the PDP as described in [COPS-PR]. The intent is to
allow for the pre-provisioning of policy which can then be made active
by a single, short decision from the PDP.
Although many PIB instances may be configured on a device (the maximum With the COPS-PR protocol, each of these states are identified by a
unique client handle. The creation and deletion of these PIB
instances is controlled by the PDP as described in [COPS-PR].
Framework Policy Information Base March 2000 Although many PIB instances may be configured on a device (the
maximum number of these instances being determined by the device
itself) only one of them can be active at any given time, the active
one being selected by the PDP. To facilitate this selection, the
Framework PIB supports an attribute to make a PIB instance the
active one and, similarly, to report the active PIB instance to the
PDP in a COPS request message. This attribute is in the Incarnation
Table described below.
number of these instances being determined by the device itself) only Setting the attribute FrwkPibIncarnationActive to 'true' in one PIB
one of them can be active at any given time, the active one being instance MUST ensure that the attribute is 'false' in all other
selected by the PDP. To facilitate this selection, the Framework PIB contexts.
supports an attribute to make a PIB instance the active one and,
similarly, to report the active PIB instance to the PDP at connect time.
This attribute is in the Incarnation Table described below.
Setting the attribute policyPibIncarnationActive to 'true' in one PIB Framework Policy Information Base July 2000
instance automatically ensures that the attribute is 'false' in all
other contexts.
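Review bot: The new sentence in section 3.2, "Setting the attribute FrwkPibIncarnationActive to 'true' in one PIB instance MUST ensure that the attribute is 'false' in all other contexts", has no subject for the MUST. With "automatically ensures" replaced by a requirement, the text should name the party (PEP or PDP) that has to clear the attribute in the other contexts. The attribute name is capitalised here, unlike the frwk-prefixed names used in the module, and the section uses "PIB instance", "context" and "state" for what reads as one thing; pick one term and define it once. "each of these states are identified" should be "each of these states is identified".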
3.3. Reporting of Device Capabilities 3.3. Reporting of Device Capabilities
Each network device providing policy-based services has its own inherent Each network device providing policy-based services has its own
capabilities. These capabilities can be hardware specific, e.g., an inherent capabilities. These capabilities can be hardware specific,
ethernet interface supporting input classification, or can be statically e.g., an ethernet interface supporting input classification, or can
configured, e.g., supported queuing disciplines. These capabilities are be statically configured, e.g., supported queuing disciplines.
communicated to the PDP when initial policy is requested by the PEP. These capabilities are communicated to the PDP when initial policy
Knowing device capabilities, the PDP can send the policy rule instances is requested by the PEP. Knowing device capabilities, the PDP can
(PRIs) relevant to the specific device, rather than sending the entire send the policy rule instances (PRIs) relevant to the specific
PIB. device, rather than sending the entire PIB.
The PIB indicates which capabilities the PEP must report to the PDP by The PIB indicates which capabilities the PEP must report to the PDP
means of the POLICY-ACCESS clause as described in [SPPI]. by means of the PIB-ACCESS clause as described in [SPPI].
3.4. Reporting of Device Limitations 3.4. Reporting of Device Limitations
To facilitate efficient policy installation, it is important to To facilitate efficient policy installation, it is important to
understand a device's limitations in relation to the advertised device understand a device's limitations in relation to the advertised
capabilities. Limitations may be class-based, e.g., an "install" class device capabilities. Limitations may be class-based, e.g., an
is supported as a "notify" or only a limited number of class instances "install" class is supported as a "notify" or only a limited number
may be created, or attribute-based. Attribute limitations, such as of class instances may be created, or attribute-based. Attribute
supporting a restricted set of enumerations or requiring related limitations, such as supporting a restricted set of enumerations or
attributes to have certain values, detail implementation limitations at requiring related attributes to have certain values, detail
a fine level of granularity. implementation limitations at a fine level of granularity.
A PDP can avoid certain installation issues in a proactive fashion by
taking into account a device's limitations prior to policy installation
rather than in a reactive mode during installation. As with device
capabilities, device limitations are communicated to the PDP when
initial policy is requested.
Framework Policy Information Base March 2000 A PDP can avoid certain installation issues in a proactive fashion
by taking into account a device's limitations prior to policy
installation rather than in a reactive mode during installation. As
with device capabilities, device limitations are communicated to the
PDP when initial policy is requested.
Reported device limitations may be accompanied by guidance values that Reported device limitations may be accompanied by guidance values
can be used by a PDP to determine acceptable values for the identified that can be used by a PDP to determine acceptable values for the
attributes. The format of the guidance information must be specified identified attributes.
where the errors used to signal implementation limitations are defined.
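Review bot: The last paragraph of section 3.4 in -01 drops the -00 sentence "The format of the guidance information must be specified where the errors used to signal implementation limitations are defined", so nothing in this section now says where the format of the guidance values comes from. Either keep the requirement or replace it with a pointer to the place that defines the format, for example the Attribute Limitations Table summarised in section 4 if that is where the values are carried.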
4. Summary of the Framework PIB 4. Summary of the Framework PIB
The Framework PIB comprises four PRCs intended to describe the The Framework PIB comprises of three groups:
capabilities of the device and its current configuration.
The PRC Support Table 1. Base PIB classes Group
As the technology evolves, we expect devices to be enhanced with
new PIBs, existing PIBs to add new PRCs and existing PRCs to be This contains PRCs intended to describe the classes supported
augmented with new attributes. Also, it is likely that some by the PEP, limitations and its current configuration.
existing PRCs or individual attributes of PRCs will be deprecated.
The PRC Support Table describes the PRCs that the device supports PRC Support Table
as well as the individual attributes of each PRC. Using this
information the PDP can potentially tailor the policy to more As the technology evolves, we expect devices to be enhanced
closely match the capabilities of the device. with new PIBs, existing PIBs to add new PRCs and existing PRCs
to be augmented or extended with new attributes. Also, it is
likely that some existing PRCs or individual attributes of PRCs
will be deprecated. The PRC Support Table describes the PRCs
that the device supports as well as the individual attributes
of each PRC. Using this information the PDP can potentially
Framework Policy Information Base July 2000
tailor the policy to more closely match the capabilities of the
device. The PRC Support Table instances are specific to the
particular Subject Category (Client-Type). That is, the PRC
Support Table for Subject Category 'A' will not include
instances for classes supported by the Subject Category 'B'.
PIB Incarnation Table PIB Incarnation Table
This table contains exactly one row (corresponding to one PRI). It
identifies the PDP that was the last to download policy into the
device and also contains an identifier to identify the version of
the policy currently downloaded. This identifier, both its syntax
and value, is meaningful only to the PDPs. It is intended to be a
mechanism whereby a PDP, on connecting to a PEP, can easily
identify a known incarnation of policy.
The incarnation PRC also includes an attribute to indicate which This table contains exactly one row (corresponding to one PRI)
context is the active one at any given time. per context. It identifies the PDP that was the last to
download policy into the device and also contains an identifier
to identify the version of the policy currently downloaded.
This identifier, both its syntax and value, is meaningful only
to the PDPs. It is intended to be a mechanism whereby a PDP,
on connecting to a PEP, can easily identify a known incarnation
of policy. The incarnation PRC also includes an attribute to
indicate which context is the active one at the present time.
Policy Attribute Limitations Table Attribute Limitations Table
Some devices may not be able to implement the full range of values
for all attributes. In principle, each PRC supports a set of
errors that the PEP can report to the PDP in the event that the
specified policy is not implementable. There are two problems with
this: it may be preferable for the PDP to be informed of the device
limitations before actually attempting to install policy, and while
the error can indicate that a particular attribute value is
unacceptable to the PEP, this does not help the PDP ascertain which
values would be acceptable.
Framework Policy Information Base March 2000 Some devices may not be able to implement the full range of
values for all attributes. In principle, each PRC supports a
set of errors that the PEP can report to the PDP in the event
that the specified policy is not implementable. There are two
problems with this: it may be preferable for the PDP to be
informed of the device limitations before actually attempting
to install policy, and while the error can indicate that a
particular attribute value is unacceptable to the PEP, this
does not help the PDP ascertain which values would be
acceptable. To alleviate these limitations, the PEP can report
some limitations of attribute values in the Attribute
Limitations Table.
To alleviate these limitations, the PEP can report some limitations Device Identification Table
of attribute values in the Attribute Limitations Table.
Policy Device Identification
This class contains a single policy rule instance that contains This class contains a single policy rule instance that contains
device-specific information that is used to facilitate efficient device-specific information that is used to facilitate
policy installation by a PDP. The instance of this class is efficient policy installation by a PDP. The instance of this
reported to the PDP at client connect time so that the PDP can take class is reported to the PDP in a COPS request message so that
into account certain device characteristics during policy the PDP can take into account certain device characteristics
installation. during policy installation.
5. PIB Operational Overview 2. Device Capabilities group
All PRCs in this Framework PIB have POLICY-ACCESS values of notify or This group contains the PRCs that contain the types of interfaces
install-notify. Consequently the entire contents of these tables are of the device and the Role Combinations assigned to them.
reported to the PDP as part of each REQ message.
6. The Policy Framework PIB Module Interface Capabilities Set Table
POLICY-FRAMEWORK-PIB PIB-DEFINITIONS ::= BEGIN The interface types the PEP supports are described by rows in
this table (frwkIfCapSetTable). Each row, or instance of this
class, describes the characteristics of an interface type. The
Framework Policy Information Base July 2000
PEP notifies the PDP of these interface types and then the PDP
configures the interfaces, per role combination.
Interface Capability and Role Combo Table
The Interface Cap Set Table describes the types of interfaces
the PEP supports by their capabilities. Configuration is done
in terms of these interface types and the role combinations
assigned to them; The PDP does not deal with individual
interfaces on the device. Each row of this class is a
<interface type, Role Combo> two-tuple.
3. Classifier group
This group contains the IP and IEEE 802 Classifier elements. The
set of tables consist of a Base Filter table that is extended to
form the IP Filter table and the 802 Filter table. The Filter
Group table forms sets of filters.
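Review bot: Section 4 of -01 removes the -00 section "PIB Operational Overview", and with it the only statement in this part of the draft on how the classes are reported ("the entire contents of these tables are reported to the PDP as part of each REQ message"). With three groups now in the PIB, including a Classifier group, the summary should say which access type (install, notify or install-notify) applies to each group and what the PEP sends in a REQ. "comprises of three groups" should read "comprises three groups", and the Incarnation Table text says one row "per context" while section 3.2 speaks of PIB instances; use the same term in both places.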
Framework Policy Information Base July 2000
5. The Framework PIB Module
FRAMEWORK-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
Unsigned32, Integer32, PolicyInstanceId, MODULE-IDENTITY, Unsigned32, Integer32, MODULE-IDENTITY,
MODULE-COMPLIANCE, OBJECT-TYPE, MODULE-COMPLIANCE, OBJECT-TYPE
FROM COPS-PR-SPPI FROM COPS-PR-SPPI
TruthValue, TEXTUAL-CONVENTION PolicyInstanceId, PolicyReferenceId, Prid,
PolicyTagId
FROM COPS-PR-SPPI-TC
InetAddress
FROM INET-ADDRESS-MIB
TruthValue, TEXTUAL-CONVENTION, PhysAddress
FROM SNMPv2-TC FROM SNMPv2-TC
Role, RoleCombination Role, RoleCombination
FROM POLICY-DEVICE-AUX-MIB FROM POLICY-DEVICE-AUX-MIB
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB FROM SNMP-FRAMEWORK-MIB
OBJECT-GROUP OBJECT-GROUP
FROM SNMPv2-CONF; FROM SNMPv2-CONF;
policyFrameworkPib MODULE-IDENTITY frameworkPib MODULE-IDENTITY
CLIENT-TYPE { all } SUBJECT-CATEGORY { all }
LAST-UPDATED "200003101800Z" LAST-UPDATED "200007141200Z"
ORGANIZATION "IETF RAP WG" ORGANIZATION "IETF RAP WG"
CONTACT-INFO " CONTACT-INFO "
Michael Fine Michael Fine
Cisco Systems, Inc. Cisco Systems, Inc.
Framework Policy Information Base March 2000
170 West Tasman Drive 170 West Tasman Drive
San Jose, CA 95134-1706 USA San Jose, CA 95134-1706 USA
Phone: +1 408 527 8218 Phone: +1 408 527 8218
Email: mfine@cisco.com Email: mfine@cisco.com
Keith McCloghrie Keith McCloghrie
Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive, 170 West Tasman Drive,
San Jose, CA 95134-1706 USA San Jose, CA 95134-1706 USA
Phone: +1 408 526 5260 Phone: +1 408 526 5260
skipping to change at page 8, line 32 skipping to change at page 10, line 5
Santa Clara, CA 95054 USA Santa Clara, CA 95054 USA
Phone: +1 408 495 2992 Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com" Email: jseligso@nortelnetworks.com"
DESCRIPTION DESCRIPTION
"A PIB module containing the base set of policy "A PIB module containing the base set of policy
rule classes that are required for support of rule classes that are required for support of
all policies." all policies."
::= { tbd } ::= { tbd }
Framework Policy Information Base July 2000
-- --
-- The root OID for PRCs in the Framework PIB -- The root OID for PRCs in the Framework PIB
-- --
policyBasePibClass frwkBasePibClasses
OBJECT IDENTIFIER ::= { policyFrameworkPib 1 } OBJECT IDENTIFIER ::= { frameworkPib 1 }
-- --
-- Textual Conventions -- Textual Conventions
-- --
-- --
-- PRC Support Table -- PRC Support Table
-- --
policyPrcSupportTable OBJECT-TYPE frwkPrcSupportTable OBJECT-TYPE
SYNTAX SEQUENCE OF PolicyPrcSupportEntry SYNTAX SEQUENCE OF FrwkPrcSupportEntry
POLICY-ACCESS notify PIB-ACCESS notify,5
Framework Policy Information Base March 2000
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Each instance of this class specifies a PRC that the device "Each instance of this class specifies a PRC that the device
supports and a bit string to indicate the attributes of the supports and a bit string to indicate the attributes of the
class that are supported. These PRIs are sent to the PDP to class that are supported. These PRIs are sent to the PDP to
indicate to the PDP which PRCs, and which attributes of these indicate to the PDP which PRCs, and which attributes of
PRCs, the device supports. This table can also be downloaded these PRCs, the device supports. This table can also be
by a network manager when static configuration is used. downloaded by a network manager when static configuration is
used.
All install and install-notify PRCs supported by the device All install and install-notify PRCs supported by the device
must be represented in this table." must be represented in this table. Notify PRCs may be
represented for informational purposes."
::= { policyBasePibClass 1 } ::= { frwkBasePibClasses 1 }
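Review bot: In frwkPrcSupportTable the clause changes from "POLICY-ACCESS notify" to "PIB-ACCESS notify,5", and neither the DESCRIPTION nor the section 3.3 text on the PIB-ACCESS clause says what the trailing number means. Add a sentence explaining it or a pointer to where [SPPI] defines it. The added sentence "Notify PRCs may be represented for informational purposes" also leaves it open whether the absence of a notify PRC from this table tells the PDP anything; state explicitly that absence of a notify PRC carries no meaning, if that is the intent.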
policyPrcSupportEntry OBJECT-TYPE frwkPrcSupportEntry OBJECT-TYPE
SYNTAX PolicyPrcSupportEntry SYNTAX FrwkPrcSupportEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of the policyPrcSupport class that identifies a "An instance of the frwkPrcSupport class that identifies a
specific policy class and associated attributes as supported specific PRC and associated attributes as supported
by the device." by the device."
INDEX { policyPrcSupportPrid } INDEX { frwkPrcSupportPrid }
UNIQUENESS { policyPrcSupportSupportedPrc } UNIQUENESS { frwkPrcSupportSupportedPrc }
::= { policyPrcSupportTable 1 } ::= { frwkPrcSupportTable 1 }
PolicyPrcSupportEntry ::= SEQUENCE { Framework Policy Information Base July 2000
policyPrcSupportPrid PolicyInstanceId,
policyPrcSupportSupportedPrc OBJECT IDENTIFIER, FrwkPrcSupportEntry ::= SEQUENCE {
policyPrcSupportSupportedAttrs OCTET STRING, frwkPrcSupportPrid PolicyInstanceId,
policyPrcSupportMaxPris Unsigned32 frwkPrcSupportSupportedPrc OBJECT IDENTIFIER,
frwkPrcSupportSupportedAttrs OCTET STRING,
frwkPrcSupportMaxPris Unsigned32
} }
policyPrcSupportPrid OBJECT-TYPE frwkPrcSupportPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies an "An arbitrary integer index that uniquely identifies an
instance of the policyPrcSupport class." instance of the frwkPrcSupport class."
::= { policyPrcSupportEntry 1 } ::= { frwkPrcSupportEntry 1 }
policyPrcSupportSupportedPrc OBJECT-TYPE frwkPrcSupportSupportedPrc OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER SYNTAX OBJECT IDENTIFIER
Framework Policy Information Base March 2000
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The object identifier of a supported PRC. There may not "The object identifier of a supported PRC. There may not
be more than one instance of the policyPrcSupport class with be more than one instance of the frwkPrcSupport class with
the same value of policyPrcSupportSupportedPrc." the same value of frwkPrcSupportSupportedPrc."
::= { policyPrcSupportEntry 2 } ::= { frwkPrcSupportEntry 2 }
policyPrcSupportSupportedAttrs OBJECT-TYPE frwkPrcSupportSupportedAttrs OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit string representing the supported attributes of the "A bit string representing the supported attributes of the
class that is identified by the policyPrcSupportSupportedPrc class that is identified by the frwkPrcSupportSupportedPrc
object. object.
Each bit of this bit mask corresponds to a class attribute, Each bit of this bit mask corresponds to a class attribute,
with the most significant bit of the i-th octet of this octet with the most significant bit of the i-th octet of this
string corresponding to the (8*i - 7)-th attribute, and the octet string corresponding to the (8*i - 7)-th attribute,
least significant bit of the i-th octet corresponding to the and the least significant bit of the i-th octet
(8*i)-th class attribute. Each bit of this bit mask specifies corresponding to the (8*i)-th class attribute. Each bit of
whether or not the corresponding class attribute is currently this bit mask specifies whether or not the corresponding
supported, with a '1' indicating support and a '0' indicating class attribute is currently supported, with a '1'
no support. If the value of this bit mask is N bits long and indicating support and a '0' indicating no support. If the
there are more than N class attributes then the bit mask is value of this bit mask is N bits long and there are more
logically extended with 0's to the required length." than N class attributes then the bit mask is logically
extended with 0's to the required length."
::= { policyPrcSupportEntry 3 } ::= { frwkPrcSupportEntry 3 }
policyPrcSupportMaxPris OBJECT-TYPE Framework Policy Information Base July 2000
frwkPrcSupportMaxPris OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A non-negative value indicating the maximum numbers of "A non-negative value indicating the maximum number of
policy rule instances that can be installed in the identified policy rule instances that can be installed in the
policy rule class. Note that actual number of PRIs that can identified policy rule class. Note that actual number of
be installed in a PRC at any given time may be less than PRIs that can be installed in a PRC at any given time may be
this value based on the current operational state (e.g., less than this value based on the current operational state
resources currently consumed) of the device." (e.g.,resources currently consumed) of the device."
::= { policyPrcSupportEntry 4 } ::= { frwkPrcSupportEntry 4 }
-- --
-- PIB Incarnation Table -- PIB Incarnation Table
-- --
Framework Policy Information Base March 2000 frwkPibIncarnationTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkPibIncarnationEntry
policyPibIncarnationTable OBJECT-TYPE PIB-ACCESS install-notify,7
SYNTAX SEQUENCE OF PolicyPibIncarnationEntry
POLICY-ACCESS install-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This class contains a single policy rule instance that "This class contains a single policy rule instance per
identifies the current incarnation of the PIB and the PDP installed context that identifies the current incarnation
or network manager that installed this incarnation. The of the PIB and the PDP or network manager that installed
instance of this class is reported to the PDP at client this incarnation. The instance of this class is reported to
connect time so that the PDP can (attempt to) ascertain the the PDP in the REQ message so that the PDP can (attempt to)
current state of the PIB. A network manager may use the ascertain the current state of the PIB and the active
instance to determine the state of the device with regard context. A network manager may use the instance to
to existing NMS interactions." determine the state of the device with regard to existing
NMS interactions."
::= { policyBasePibClass 2 } ::= { frwkBasePibClasses 2 }
policyPibIncarnationEntry OBJECT-TYPE frwkPibIncarnationEntry OBJECT-TYPE
SYNTAX PolicyPibIncarnationEntry SYNTAX FrwkPibIncarnationEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of the policyPibIncarnation class. Only "An instance of the frwkPibIncarnation class. Only
one instance of this policy class is ever instantiated." one instance of this policy class is ever instantiated.
per context"
INDEX { policyPibIncarnationPrid } INDEX { frwkPibIncarnationPrid }
UNIQUENESS { policyPibIncarnationName } UNIQUENESS { frwkPibIncarnationName }
::= { policyPibIncarnationTable 1 } ::= { frwkPibIncarnationTable 1 }
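Review bot: In the -01 DESCRIPTION of frwkPibIncarnationEntry the sentence is closed before its qualifier, so it reads "is ever instantiated." followed by "per context" on a line of its own. Move the period so the clause reads "Only one instance of this policy class is ever instantiated per context.", which also matches the table DESCRIPTION's "a single policy rule instance per installed context".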
PolicyPibIncarnationEntry ::= SEQUENCE { Framework Policy Information Base July 2000
policyPibIncarnationPrid PolicyInstanceId,
policyPibIncarnationName SnmpAdminString, FrwkPibIncarnationEntry ::= SEQUENCE {
policyPibIncarnationId OCTET STRING, frwkPibIncarnationPrid PolicyInstanceId,
policyPibIncarnationLongevity INTEGER, frwkPibIncarnationName SnmpAdminString,
policyPibIncarnationTtl Unsigned32, frwkPibIncarnationId OCTET STRING,
policyPibIncarnationActive TruthValue frwkPibIncarnationLongevity INTEGER,
frwkPibIncarnationTtl Unsigned32,
frwkPibIncarnationActive TruthValue
} }
policyPibIncarnationPrid OBJECT-TYPE frwkPibIncarnationPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An index to uniquely identify an instance of this "An index to uniquely identify an instance of this
policy class." policy class."
::= { policyPibIncarnationEntry 1 } ::= { frwkPibIncarnationEntry 1 }
Framework Policy Information Base March 2000
policyPibIncarnationName OBJECT-TYPE frwkPibIncarnationName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The name of the PDP that installed the current incarnation of "The name of the PDP that installed the current incarnation
the PIB into the device. By default, it is the zero length of the PIB into the device. By default, it is the zero
string." length string."
::= { policyPibIncarnationEntry 2 } ::= { frwkPibIncarnationEntry 2 }
policyPibIncarnationId OBJECT-TYPE frwkPibIncarnationId OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An ID to identify the current incarnation. It has meaning "An ID to identify the current incarnation. It has meaning
to the PDP/manager that installed the PIB and perhaps its to the PDP/manager that installed the PIB and perhaps its
standby PDPs/managers. By default, it is the zero-length standby PDPs/managers. By default, it is the zero-length
string." string."
::= { policyPibIncarnationEntry 3 } ::= { frwkPibIncarnationEntry 3 }
policyPibIncarnationLongevity OBJECT-TYPE Framework Policy Information Base July 2000
frwkPibIncarnationLongevity OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
expireNever(1), expireNever(1),
expireImmediate(2), expireImmediate(2),
expireOnTimeout(3) expireOnTimeout(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute controls what the PEP does with the "This attribute controls what the PEP does with the
downloaded policy on receipt of a Client Close message or a downloaded policy on a Client Close message or a loss of
loss of connection to the PDP. connection to the PDP.
If set to expireNever, the PEP continues to operate with the If set to expireNever, the PEP continues to operate with the
installed policy indefinitely. If set to expireImmediate, the installed policy indefinitely. If set to expireImmediate,
PEP immediately expires the policy obtained from the PDP and the PEP immediately expires the policy obtained from the PDP
installs policy from local configuration. If set to and installs policy from local configuration. If set to
expireOnTimeout, the PEP continues to operate with the expireOnTimeout, the PEP continues to operate with the
policy installed by the PDP for a period of time specified by policy installed by the PDP for a period of time specified
policyPibIncarnationTtl. After this time (and it has not by frwkPibIncarnationTtl. After this time (and it has not
reconnected to the original or new PDP) the PEP expires this reconnected to the original or new PDP) the PEP expires this
policy and reverts to local configuration. policy and reverts to local configuration.
For all cases, it is the responsibility of the PDP to check For all cases, it is the responsibility of the PDP to check
the incarnation and download new policy, if necessary, on a the incarnation and download new policy, if necessary, on a
Framework Policy Information Base March 2000
reconnect. reconnect.
Policy enforcement timing only applies to policies that have Policy enforcement timing only applies to policies that have
been installed dynamically (e.g., by a PDP via COPS)." been installed dynamically (e.g., by a PDP via COPS)."
::= { policyPibIncarnationEntry 3 } ::= { frwkPibIncarnationEntry 4 }
policyPibIncarnationTtl OBJECT-TYPE frwkPibIncarnationTtl OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of seconds after a Client Close or TCP timeout "The number of seconds after a Client Close or TCP timeout
for which the PEP continues to enforce the policy in the PIB. for which the PEP continues to enforce the policy in the
PIB.
After this interval, the PIB is considered expired and the After this interval, the PIB is considered expired and the
device no longer enforces the policy installed in the PIB. device no longer enforces the policy installed in the PIB.
This attribute is only meaningful if This attribute is only meaningful if
policyPibIncarnationLongevity is set to expireOnTimeout." frwkPibIncarnationLongevity is set to expireOnTimeout."
::= { policyPibIncarnationEntry 4 } ::= { frwkPibIncarnationEntry 5 }
policyPibIncarnationActive OBJECT-TYPE Framework Policy Information Base July 2000
frwkPibIncarnationActive OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If this attribute is set to TRUE, then the PIB instance "If this attribute is set to TRUE, then the PIB instance
to which this PRI belongs becomes the active PIB instance. to which this PRI belongs becomes the active PIB instance.
The previous active instance becomes inactive and the The previous active instance MUST become inactive and the
policyPibIncarnationActive attribute in that PIB instance is frwkPibIncarnationActive attribute in that PIB instance
automatically set to false." MUST be set to false."
::= { policyPibIncarnationEntry 5 } ::= { frwkPibIncarnationEntry 6 }
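Review bot: The renumbering of the incarnation attributes is not called out anywhere in these definitions. The -00 column assigns sub-identifier 3 to both policyPibIncarnationId and policyPibIncarnationLongevity; -01 resolves the collision by moving Longevity to 4, which shifts Ttl to 5 and Active to 6. Sub-identifier 4 therefore means Ttl in -00 and Longevity in -01, and 5 means Active in -00 and Ttl in -01. The revision should state this explicitly so that a PEP and a PDP built against different revisions do not silently read a TTL as a longevity setting or an Active flag as a TTL.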
-- --
-- Device Identification Table -- Device Identification Table
-- --
-- This table supports the ability to export general -- This table supports the ability to export general
-- purpose device information to facilitate efficient -- purpose device information to facilitate efficient
-- communication between the device and a PDP -- communication between the device and a PDP
policyDeviceIdentificationTable OBJECT-TYPE
SYNTAX SEQUENCE OF PolicyDeviceIdentificationEntry
POLICY-ACCESS notify
Framework Policy Information Base March 2000
frwkDeviceIdTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkDeviceIdEntry
PIB-ACCESS notify,5
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This class contains a single policy rule instance that "This class contains a single policy rule instance that
contains device-specific information that is used to contains device-specific information that is used to
facilitate efficient policy installation by a PDP. The facilitate efficient policy installation by a PDP. The
instance of this class is reported to the PDP at client instance of this class is reported to the PDP in a COPS
connect time so that the PDP can take into account certain request message so that the PDP can take into account
device characteristics during policy installation." certain device characteristics during policy installation."
::= { policyDeviceConfig 3 } ::= { frwkBasePibClasses 3 }
policyDeviceIdentificationEntry OBJECT-TYPE frwkDeviceIdEntry OBJECT-TYPE
SYNTAX PolicyDeviceIdentificationEntry SYNTAX FrwkDeviceIdEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of the policyDeviceIdentification class. Only "An instance of the frwkDeviceId class. Only one instance of
one instance of this policy class is ever instantiated." this policy class is ever instantiated."
INDEX { policyDeviceIdentificationPrid } INDEX { frwkDeviceIdPrid }
UNIQUENESS { policyDeviceIdentificationDescr, UNIQUENESS { frwkDeviceIdDescr }
policyDeviceIdentificationMaxMsg }
::= { policyDeviceIdentificationTable 1 }
PolicyDeviceIdentificationEntry ::= SEQUENCE { ::= { frwkDeviceIdTable 1 }
policyDeviceIdentificationPrid PolicyInstanceId,
policyDeviceIdentificationDescr SnmpAdminString, Framework Policy Information Base July 2000
policyDeviceIdentificationMaxMsg Unsigned32
FrwkDeviceIdEntry ::= SEQUENCE {
frwkDeviceIdPrid PolicyInstanceId,
frwkDeviceIdDescr SnmpAdminString,
frwkDeviceIdMaxMsg Unsigned32,
frwkDeviceIdMaxContexts Unsigned32
} }
policyDeviceIndentificationPrid OBJECT-TYPE frwkDeviceIdPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An index to uniquely identify an instance of this "An index to uniquely identify an instance of this
policy class." policy class."
::= { policyDeviceIdentificationEntry 1 } ::= { frwkDeviceIdEntry 1 }
policyDeviceIdentificationDescr OBJECT-TYPE frwkDeviceIdDescr OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..255)) SYNTAX SnmpAdminString (SIZE(0..255))
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A textual description of the PEP. This "A textual description of the PEP. This value should include
value should include the name and version the name and version identification of the PEP's hardware
identification of the PEP's hardware and and software."
Framework Policy Information Base March 2000
software."
::= { policyDeviceIdentificationEntry 2 } ::= { frwkDeviceIdEntry 2 }
policyDeviceIdentificationMaxMsg OBJECT-TYPE frwkDeviceIdMaxMsg OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The maximum message size, in octets, that the device "The maximum message size, in octets, that the device
is capable of processing. Received messages with a is capable of processing. Received messages with a
size in excess of this value must cause the PEP to return an size in excess of this value must cause the PEP to return an
error to the PDP containing the global error code error to the PDP containing the global error code
'maxMsgSizeExceeded'." 'maxMsgSizeExceeded'."
::= { policyDeviceIdentificationEntry 3 } ::= { frwkDeviceIdEntry 3 }
frwkDeviceIdMaxContexts OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"The maximum number of unique contexts supported by
the device."
::= { frwkDeviceIdEntry 4 }
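Review bot: The new frwkDeviceIdMaxContexts DESCRIPTION gives the limit but not the behaviour at the limit. frwkDeviceIdMaxMsg just above names the error the PEP must return ('maxMsgSizeExceeded'); this attribute should likewise say what the PEP does when a PDP tries to use more contexts than the advertised maximum.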
Framework Policy Information Base July 2000
-- --
-- Component Limitations Table
-- --
-- This table supports the ability to export information -- This table supports the ability to export information
-- detailing policy class/attribute implementation limitations -- detailing policy class/attribute implementation limitations
-- to the policy management system. -- to the policy management system.
policyCompLimitsTable OBJECT-TYPE frwkCompLimitsTable OBJECT-TYPE
SYNTAX SEQUENCE OF PolicyCompLimitsEntry SYNTAX SEQUENCE OF FrwkCompLimitsEntry
POLICY-ACCESS notify PIB-ACCESS notify,6
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Each instance of this class identifies a policy class or "Each instance of this class identifies a policy class or
attribute and a limitation related to the implementaion of attribute and a limitation related to the implementation of
the class/attribute in the device. Additional information the class/attribute in the device. Additional information
providing guidance related to the limitation may also be providing guidance related to the limitation may also be
present. These PRIs are sent to the PDP to indicate which present. These PRIs are sent to the PDP to indicate which
PRCs or PRC attributes the device supports in a restricted PRCs or PRC attributes the device supports in a restricted
manner." manner."
::= { policyDeviceConfig 4 } ::= { frwkBasePibClasses 4 }
policyCompLimitsEntry OBJECT-TYPE frwkCompLimitsEntry OBJECT-TYPE
SYNTAX PolicyCompLimitsEntry SYNTAX FrwkCompLimitsEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of the policyCompLimits class that identifies "An instance of the frwkCompLimits class that identifies
a PRC or PRC attribute and a limitation related to the PRC a PRC or PRC attribute and a limitation related to the PRC
Framework Policy Information Base March 2000
or PRC attribute implementation supported by the device. or PRC attribute implementation supported by the device.
All PRIs of this class represent errors that would be All PRIs of this class represent errors that would be
returned in relation to the identified component for policy returned in relation to the identified component for policy
installation requests that don't abide by the restrictions installation requests that don't abide by the restrictions
indicated by the error code and, possibly, a provided indicated by the limitation type (error code) and, possibly,
guidance value." a provided guidance value."
INDEX { policyCompLimitsPrid } INDEX { frwkCompLimitsPrid }
UNIQUENESS { policyCompLimitsComponent, UNIQUENESS { frwkCompLimitsComponent,
policyCompLimitsType, frwkCompLimitsType,
policyCompLimitsGuidance } frwkCompLimitsSubType,
frwkCompLimitsGuidance }
::= { policyCompLimitsTable 1 } ::= { frwkCompLimitsTable 1 }
PolicyCompLimitsEntry ::= SEQUENCE { FrwkCompLimitsEntry ::= SEQUENCE {
policyCompLimitsPrid PolicyInstanceId, frwkCompLimitsPrid PolicyInstanceId,
policyCompLimitsComponent OBJECT IDENTIFIER, frwkCompLimitsComponent OBJECT IDENTIFIER,
policyCompLimitsType Integer32, frwkCompLimitsType Integer32,
policyCompLimitsGuidance OCTET STRING frwkCompLimitsSubType INTEGER,
frwkCompLimitsGuidance OCTET STRING
} }
policyCompLimitsPrid OBJECT-TYPE Framework Policy Information Base July 2000
frwkCompLimitsPrid OBJECT-TYPE
SYNTAX PolicyInstanceId SYNTAX PolicyInstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies an "An arbitrary integer index that uniquely identifies an
instance of the policyCompLimits class." instance of the frwkCompLimits class."
::= { policyCompLimitsEntry 1 } ::= { frwkCompLimitsEntry 1 }
policyCompLimitsComponent OBJECT-TYPE frwkCompLimitsComponent OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER SYNTAX OBJECT IDENTIFIER
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The object identifier of a PRC or PRC attribute that "The object identifier of a PRC or PRC attribute that
is supported in some limited fashion with regard to it's is supported in some limited fashion with regard to it's
definition in the associated PIB module. The same PRC or definition in the associated PIB module. The same PRC or
PRC attribute identifier may appear in the table several PRC attribute identifier may appear in the table several
times, once for each implementation limitation times, once for each implementation limitation
acknowledged by the device." acknowledged by the device."
::= { policyCompLimitsEntry 2 } ::= { frwkCompLimitsEntry 2 }
policyCompLimitsType OBJECT-TYPE frwkCompLimitsType OBJECT-TYPE
SYNTAX Integer32 SYNTAX Integer32
Framework Policy Information Base March 2000
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A value describing an implementation limitation for the "A value describing an implementation limitation for the
device related to the PRC or PRC attribute identified by device related to the PRC or PRC attribute identified by
the policyCompLimitsComponent data in this class instance. the frwkCompLimitsComponent data in this class instance.
Values for this object are derived from the defined Values for this object are derived from the defined
error values associated with the PRC of the identified error values associated with the PRC of the identified
attribute or the PRC itself. All genericPrc and specificPrc attribute or the PRC itself. All genericPrc and specificPrc
(defined in a PRC INSTALL-ERRORS clause) error codes (defined in a PRC INSTALL-ERRORS clause) error codes
represent valid limitation type values. represent valid limitation type values. The enumeration
values for generic Class-Specific errors are listed in
[COPS-PR].
For example, an implementation of the qosIpAce class may For example, an implementation of the frwkIpFilter class may
be limited in several ways, such as address mask, protocol be limited in several ways, such as address mask, protocol
and Layer 4 port options. These limitations could be and Layer 4 port options. These limitations could be
exported using this table with the following instances: exported using this table with the following instances:
Prid Component Type Guidance Component Type
1 'qosIpAceDstAddrMask' 'valueSupLimited' 0xFFFFFFFF --------------------------------------------------
2 'qosIpAceSrcAddrMask' 'valueSupLimited' 0xFFFFFFFF 'frwkIpFilterDstAddrMask' 'attrValueSupLimited'
3 'qosIpAceProtocol' 'valueSupLimited' 0x06 -- TCP 'frwkIpFilterSrcAddrMask' 'attrValueSupLimited'
4 'qosIpAceProtocol' 'valueSupLimited' 0x17 -- UDP 'frwkIpFilterProtocol' 'attrValueSupLimited'
5 'qosIpAceDstL4PortMin' 'invalidDstL4PortData' 'frwkIpFilterProtocol' 'attrValueSupLimited'
6 'qosIpAceDstL4PortMax' 'invalidDstL4PortData' 'frwkIpFilterDstL4PortMin' 'invalidDstL4PortData'
7 'qosIpAcePermit' 'enumSupLimited' 'true' 'frwkIpFilterDstL4PortMax' 'invalidDstL4PortData'
'frwkBaseFilterPermit' 'attrEnumSupLimited'
Framework Policy Information Base July 2000
The above entries describe a number of limitations that The above entries describe a number of limitations that
may be in effect for the qosIpAce class on a given device. may be in effect for the frwkIpFilter class on a given
The limitations include restrictions on acceptable values device. The limitations include restrictions on acceptable
for certain attributes and indications of the relationship values for certain attributes and indications of the
between related attributes." relationship between related attributes.
::= { policyCompLimitsEntry 3 } Also, an implementation of a PRC may be limited in the ways
it can be accessed. For instance:
Component Type
--------------------------------------------------
'DscpMapEntry' 'priNotifyOnly'
policyCompLimitsGuidance OBJECT-TYPE If the errors defined in the INSTALL-ERRORS section are not
SYNTAX OCTET STRING (SIZE(0..64)) generic Class-Specific errors (in the example,
'invalidDstL4PortData') then the Error code sent should be
'priSpecificError'[COPS-PR] and the Sub-Error code should
contain the enumeration value from the INSTALL-ERRORS
section for the PRC (in the example, the enumeration value
for 'invalidDstL4PortData') [SPPI]."
::= { frwkCompLimitsEntry 3 }
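Review bot: In the -01 example table the two 'frwkIpFilterProtocol' 'attrValueSupLimited' rows are now identical, because the Prid and Guidance columns that distinguished them in -00 were dropped. Since the UNIQUENESS clause of frwkCompLimitsEntry includes frwkCompLimitsSubType and frwkCompLimitsGuidance, the example should show those two columns so the reader can see why both rows may exist. If the guidance values are restored, note that the -00 row labelled UDP carried 0x17, while UDP is IP protocol 17 decimal (0x11).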
frwkCompLimitsSubType OBJECT-TYPE
SYNTAX INTEGER {
none(1),
lengthMin(2),
lengthMax(3),
rangeMin(4),
rangeMax(5),
enumMin(6),
enumMax(7),
enumOnly(8),
valueOnly(9),
extendsOid(10)
}
STATUS current
DESCRIPTION
"This object indicates the type of guidance related
to the noted limitation (as indicated by the
frwkCompLimitsType attribute) that is provided
in the frwkCompLimitsGuidance attribute.
A value of 'none(1)' means that no additional
guidance is provided for the noted limitation type.
A value of 'lengthMin(2)' means that the guidance
attribute provides data related to the minimum
acceptable length for the value of the identified
component. A corresponding class instance
specifying the 'lengthMax(3)' value is required
in conjunction with this sub-type.
Framework Policy Information Base July 2000
A value of 'lengthMax(3)' means that the guidance
attribute provides data related to the maximum
acceptable length for the value of the identified
component. A corresponding class instance
specifying the 'lengthMin(2)' value is required
in conjunction with this sub-type.
A value of 'rangeMin(4)' means that the guidance
attribute provides data related to the lower bound
of the range for the value of the identified
component. A corresponding class instance
specifying the 'rangeMax(5)' value is required
in conjunction with this sub-type.
A value of 'rangeMax(5)' means that the guidance
attribute provides data related to the upper bound
of the range for the value of the identified
component. A corresponding class instance
specifying the 'rangeMin(4)' value is required
in conjunction with this sub-type.
A value of 'enumMin(6)' means that the guidance
attribute provides data related to the lowest
enumeration acceptable for the value of the
identified component. A corresponding
class instance specifying the 'enumMax(7)'
value is required in conjunction with this sub-type.
A value of 'enumMin(7)' means that the guidance
attribute provides data related to the largest
enumeration acceptable for the value of the
identified component. A corresponding
class instance specifying the 'enumMin(6)'
value is required in conjunction with this sub-type.
A value of 'enumOnly(8)' means that the guidance
attribute provides data related to a single
enumeration acceptable for the value of the
identified component.
A value of 'valueOnly(9)' means that the guidance
attribute provides data related to a single
value that is acceptable for the identified
component.
A value of 'extendsOid(10)' means that the guidance
attribute provides data related to a PRC that
AUGMENTS or EXTENDS the identified policy class."
::= { frwkCompLimitsEntry 4 }
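Review bot: The paragraph that describes the largest acceptable enumeration opens with "A value of 'enumMin(7)'", but the SYNTAX clause defines enumMin(6) and enumMax(7), and the preceding paragraph already covers 'enumMin(6)'. It should read 'enumMax(7)'; as written, the text defines enumMin twice with opposite meanings and never defines enumMax.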
Framework Policy Information Base July 2000
frwkCompLimitsGuidance OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A value used to convey additional information related "A value used to convey additional information related
to the implementation limitation noted by the to the implementation limitation noted by the
policyCompLimitsType attribute. The value of this frwkCompLimitsType and frwkCompLimitsSubType
attribute must interpreted in the context of the attribute. The value of this attribute must be
policyCompLimitsType value. Note that a guidance value interpreted in the context of the frwkCompLimitsType and
will not necessarily be provided for all exported frwkCompLimitsSubType values. Note that a guidance
limitations. value will not necessarily be provided for all exported
limitations. If a guidance value is not provided, the
value must be a zero-length string.
Framework Policy Information Base March 2000 The format of the guidance value, if one is present as
indicated by the frwkCompLimitsSubType attribute,
is described by the following table. Note that the
type of guidance value is dictated by the type of the
component whose limitation is being exported.
Well-known genericPrc error codes that are applicable Base Type Length Value
to all PRCs, such as 'attrValueSupLimited' and --------- ------ -----
'attrEnumSupLimited', have guidance value semantics INTEGER <none> 32-bit value
as follows: OCTET STRING 1 byte <length> octets of data
OID 1 byte <length> 32-bit OID components."
genericPrc Guidance Semantics ::= { frwkCompLimitsEntry 5 }
attrValueSupLimited Integer32 (4 octets) with supported
value
attrEnumSupLimited Integer32 (4 octets) with supported
enumeration
attrMaxLengthExceeded Integer32 (4 octets) with maximum
supported length for attribute
The specificPrc error codes have the semantics of the --
associated guidance value specified where the -- The device interface capabilities and role combo classes group
installation error is defined if appropriate. Errors --
for which the semantics of the guidance value are not
specified require this value to be treated in an
implementation dependent manner."
::= { policyCompLimitsEntry 4 } frwkDeviceCapClasses
OBJECT IDENTIFIER ::= { frameworkPib 2 }
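Review bot: The guidance format table in the -01 frwkCompLimitsGuidance DESCRIPTION leaves the encoding underspecified. It does not give the byte order of the "32-bit value" or of the "32-bit OID components", and it does not say what a receiver does when the 1-byte length disagrees with the actual size of the OCTET STRING (SIZE(0..255)). Suggest stating the byte order explicitly and requiring that a guidance value whose embedded length runs past the end of the octet string be rejected, so that PDP implementations parse these device-reported PRIs consistently.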
--
-- Interface Capability Set Table
--
frwkIfCapSetTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkIfCapSetEntry
PIB-ACCESS notify,4
STATUS current
DESCRIPTION
"Interface type definitions. This class describes the types
of interfaces that exist on the device. An interface type is
defined by its name. Associated with each interface type is
a set of capabilities. These capabilities are used by the
PDP to determine policy information to be associated with
interfaces of this type."
::= { frwkDeviceCapClasses 1 }
Framework Policy Information Base July 2000
frwkIfCapSetEntry OBJECT-TYPE
SYNTAX FrwkIfCapSetEntry
STATUS current
DESCRIPTION
"An instance of this class describes the characteristics
of a type of an interface."
INDEX { frwkIfCapSetPrid }
UNIQUENESS { frwkIfCapSetName,
frwkIfCapSetCapability }
::= { frwkIfCapSetTable 1 }
FrwkIfCapSetEntry ::= SEQUENCE {
frwkIfCapSetPrid PolicyInstanceId,
frwkIfCapSetName SnmpAdminString,
frwkIfCapSetCapability Prid
}
frwkIfCapSetPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An arbitrary integer index that uniquely identifies a
instance of the class."
::= { frwkIfCapSetEntry 1 }
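Review bot: Grammar in the frwkIfCapSetPrid DESCRIPTION: "uniquely identifies a instance of the class" should be "an instance". The same wording recurs in the frwkIfCapSetRoleComboPrid DESCRIPTION.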
frwkIfCapSetName OBJECT-TYPE
SYNTAX SnmpAdminString
STATUS current
DESCRIPTION
"The name for the capability set. The capability set name
is the unique identifier of an interface type."
::= { frwkIfCapSetEntry 2 }
frwkIfCapSetCapability OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"The complete OID specifying the PRC and the instance of the
PRC containing a set of capabilities of the interface."
::= { frwkIfCapSetEntry 3 }
Framework Policy Information Base July 2000
--
-- Interface Capabilities Set Name and Role Combination Table
--
frwkIfCapSetRoleComboTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkIfCapSetRoleComboEntry
PIB-ACCESS notify,4
STATUS current
DESCRIPTION
"Policy for an interface may depend not only on the type
of interface but also on its roles. This table specifies
all the <interface type, role combination> tuples currently
on the device."
::= { frwkDeviceCapClasses 2 }
frwkIfCapSetRoleComboEntry OBJECT-TYPE
SYNTAX FrwkIfCapSetRoleComboEntry
STATUS current
DESCRIPTION
"An instance of this class describes a combination of an
interface type and a role combination."
INDEX { frwkIfCapSetRoleComboPrid }
UNIQUENESS { frwkIfCapSetRoleComboName,
frwkIfCapSetRoleComboRoles }
::= { frwkIfCapSetRoleComboTable 1 }
FrwkIfCapSetRoleComboEntry ::= SEQUENCE {
frwkIfCapSetRoleComboPrid PolicyInstanceId,
frwkIfCapSetRoleComboName SnmpAdminString,
frwkIfCapSetRoleComboRoles RoleCombination
}
frwkIfCapSetRoleComboPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An arbitrary integer index that uniquely identifies a
instance of the class."
::= { frwkIfCapSetRoleComboEntry 1 }
Framework Policy Information Base July 2000
frwkIfCapSetRoleComboName OBJECT-TYPE
SYNTAX SnmpAdminString
STATUS current
DESCRIPTION
"The name of the interface type. This name must exist in
frwkIfCapSetTable."
::= { frwkIfCapSetRoleComboEntry 2 }
frwkIfCapSetRoleComboRoles OBJECT-TYPE
SYNTAX RoleCombination
STATUS current
DESCRIPTION
"A role combination. The PEP requires policy for interfaces
with this role combination and of type
frwkIfCapSetRoleComboName"
::= { frwkIfCapSetRoleComboEntry 3 }
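Review bot: frwkIfCapSetRoleComboName says "This name must exist in frwkIfCapSetTable", but the attribute is a plain SnmpAdminString and both tables are PIB-ACCESS notify, so the PEP is the one reporting the value and nothing here says what the PDP should do when the name is absent. State the expected PDP behaviour for a role-combination row whose name matches no capability set (ignore the row, or reject the request). The DESCRIPTION of frwkIfCapSetRoleComboRoles is also missing its closing period.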
--
-- The Classification classes group
--
frwkClassifierClasses
OBJECT IDENTIFIER ::= { frameworkPib 3 }
--
-- The Base Filter Table
--
frwkBaseFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkBaseFilterEntry
PIB-ACCESS install,3
STATUS current
DESCRIPTION
"The Base Filter class. A packet has to match all
fields in an Filter. Wildcards may be specified for those
fields that are not relevant."
::= { frwkClassifierClasses 1 }
frwkBaseFilterEntry OBJECT-TYPE
SYNTAX FrwkBaseFilterEntry
STATUS current
DESCRIPTION
"An instance of the frwkBaseFilter class."
INDEX { frwkBaseFilterPrid }
::= { frwkBaseFilterTable 1 }
Framework Policy Information Base July 2000
FrwkBaseFilterEntry ::= SEQUENCE {
frwkBaseFilterPrid PolicyInstanceId,
frwkBaseFilterPermit TruthValue
}
frwkBaseFilterPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify this Filter among all
the Filters."
::= { frwkBaseFilterEntry 1 }
frwkBaseFilterPermit OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"If the packet matches this filter and the value of this
attribute is true, then the matching process terminates
and the action associated with this filter (indirectly
through the filter group) is applied to the packet. If the
value of this attribute is false, then no more filters in
the filter group are compared to this packet and matching
continues with the first filter of the next filter group."
::= { frwkBaseFilterEntry 2 }
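Review bot: frwkBaseFilterPermit does not say what happens when the value is false and there is no next filter group, and the name invites reading false as "deny". As written, false only stops matching within the current group and moves on to "the first filter of the next filter group"; the packet is neither dropped nor acted on. Add a sentence covering the last-group case and stating that false is an exclusion from this group, not a discard, since a PDP author who assumes deny semantics will install filters that let traffic fall through to later groups. Minor: "all fields in an Filter" in the table DESCRIPTION should be "a Filter".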
--
-- The IP Filter Table
--
frwkIpFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkIpFilterEntry
PIB-ACCESS install,11
STATUS current
DESCRIPTION
"Filter definitions. A packet has to match all fields in a
filter. Wildcards may be specified for those fields that
are not relevant."
INSTALL-ERRORS {
invalidDstL4PortData(1),
invalidSrcL4PortData(2)
}
::= { frwkClassifierClasses 2 }
Framework Policy Information Base July 2000
frwkIpFilterEntry OBJECT-TYPE
SYNTAX FrwkIpFilterEntry
STATUS current
DESCRIPTION
"An instance of the frwkIpFilter class."
EXTENDS { frwkBaseFilterEntry }
UNIQUENESS { frwkIpFilterDstAddr,
frwkIpFilterDstAddrMask,
frwkIpFilterSrcAddr,
frwkIpFilterSrcAddrMask,
frwkIpFilterDscp,
frwkIpFilterProtocol,
frwkIpFilterDstL4PortMin,
frwkIpFilterDstL4PortMax,
frwkIpFilterSrcL4PortMin,
frwkIpFilterSrcL4PortMax }
::= { frwkIpFilterTable 1 }
FrwkIpFilterEntry ::= SEQUENCE {
frwkIpFilterDstAddr InetAddress,
frwkIpFilterDstAddrMask InetAddress,
frwkIpFilterSrcAddr InetAddress,
frwkIpFilterSrcAddrMask InetAddress,
frwkIpFilterDscp Integer32,
frwkIpFilterProtocol INTEGER,
frwkIpFilterDstL4PortMin INTEGER,
frwkIpFilterDstL4PortMax INTEGER,
frwkIpFilterSrcL4PortMin INTEGER,
frwkIpFilterSrcL4PortMax INTEGER
}
frwkIpFilterDstAddr OBJECT-TYPE
SYNTAX InetAddress
STATUS current
DESCRIPTION
"The IP address to match against the packet's destination IP
address."
::= { frwkIpFilterEntry 1 }
Framework Policy Information Base July 2000
frwkIpFilterDstAddrMask OBJECT-TYPE
SYNTAX InetAddress
STATUS current
DESCRIPTION
"A mask for the matching of the destination IP address.
A zero bit in the mask means that the corresponding bit in
the address always matches."
::= { frwkIpFilterEntry 2 }
frwkIpFilterSrcAddr OBJECT-TYPE
SYNTAX InetAddress
STATUS current
DESCRIPTION
"The IP address to match against the packet's source IP
address."
::= { frwkIpFilterEntry 3 }
frwkIpFilterSrcAddrMask OBJECT-TYPE
SYNTAX InetAddress
STATUS current
DESCRIPTION
"A mask for the matching of the source IP address."
::= { frwkIpFilterEntry 4 }
frwkIpFilterDscp OBJECT-TYPE
SYNTAX Integer32 (-1 | 0..63)
STATUS current
DESCRIPTION
"The value that the DSCP in the packet can have and
match this filter. A value of -1 indicates that a specific
DSCP value has not been defined and thus all DSCP values
are considered a match."
::= { frwkIpFilterEntry 5 }
frwkIpFilterProtocol OBJECT-TYPE
SYNTAX INTEGER (0..255)
STATUS current
DESCRIPTION
"The IP protocol to match against the packet's protocol.
A value of zero means match all."
::= { frwkIpFilterEntry 6 }
Framework Policy Information Base July 2000
frwkIpFilterDstL4PortMin OBJECT-TYPE
SYNTAX INTEGER (0..65535)
STATUS current
DESCRIPTION
"The minimum value that the packet's layer 4 destination
port number can have and match this filter."
::= { frwkIpFilterEntry 7 }
frwkIpFilterDstL4PortMax OBJECT-TYPE
SYNTAX INTEGER (0..65535)
STATUS current
DESCRIPTION
"The maximum value that the packet's layer 4 destination
port number can have and match this filter. This value must
be equal to or greater that the value specified for this
filter in frwkIpFilterDstL4PortMin."
::= { frwkIpFilterEntry 8 }
frwkIpFilterSrcL4PortMin OBJECT-TYPE
SYNTAX INTEGER (0..65535)
STATUS current
DESCRIPTION
"The minimum value that the packet's layer 4 source port
number can have and match this filter."
::= { frwkIpFilterEntry 9 }
frwkIpFilterSrcL4PortMax OBJECT-TYPE
SYNTAX INTEGER (0..65535)
STATUS current
DESCRIPTION
"The maximum value that the packet's layer 4 source port
number can have and match this filter. This value must be
equal to or greater that the value specified for this filter
in frwkIpFilterSrcL4PortMin."
::= { frwkIpFilterEntry 10 }
Framework Policy Information Base July 2000
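Review bot: frwkIpFilterProtocol uses 0 as "match all" even though 0 lies inside its own SYNTAX range (0..255), so a filter cannot select protocol number 0, whereas frwkIpFilterDscp reserves -1 outside its value range for the same purpose. Consider using -1 here as well, or state that protocol 0 cannot be matched. Related gaps in the same class: frwkIpFilterSrcAddrMask omits the "zero bit in the mask means the corresponding bit always matches" rule given for frwkIpFilterDstAddrMask; the four L4 port attributes document no wildcard and do not say which of invalidDstL4PortData(1) / invalidSrcL4PortData(2) is returned when Max is below Min; and "equal to or greater that" in both PortMax descriptions should be "greater than".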
--
-- The IEEE 802 Filter Table
--
-- The IEEE 802 Filter Table supports the specification of IEEE
-- 802-based (e.g., 802.3) information that is used to perform
-- traffic classification.
--
frwk802FilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF Frwk802FilterEntry
PIB-ACCESS install,9
STATUS current
DESCRIPTION
"IEEE 802-based filter definitions. A class that contains
attributes of IEEE 802 (e.g., 802.3) traffic that form
filters that are used to perform traffic classification."
::= { frwkClassifierClasses 3 }
frwk802FilterEntry OBJECT-TYPE
SYNTAX Frwk802FilterEntry
STATUS current
DESCRIPTION
"IEEE 802-based filter definitions. An entry specifies
(potentially) several distinct matching components. Each
component is tested against the data in a frame
individually. An overall match occurs when all of the
individual components match the data they are compared
against in the frame being processed. A failure of any
one test causes the overall match to fail.
Wildcards may be specified for those fields that are not
relevant."
EXTENDS { frwkBaseFilterEntry }
UNIQUENESS { frwk802FilterDstAddr,
frwk802FilterDstAddrMask,
frwk802FilterSrcAddr,
frwk802FilterSrcAddrMask,
frwk802FilterVlanId,
frwk802FilterVlanTagRequired,
frwk802FilterEtherType,
frwk802FilterUserPriority }
::= { frwk802FilterTable 1 }
Framework Policy Information Base July 2000
Frwk802FilterEntry ::= SEQUENCE {
frwk802FilterDstAddr PhysAddress,
frwk802FilterDstAddrMask PhysAddress,
frwk802FilterSrcAddr PhysAddress,
frwk802FilterSrcAddrMask PhysAddress,
frwk802FilterVlanId Integer32,
frwk802FilterVlanTagRequired INTEGER,
frwk802FilterEtherType Integer32,
frwk802FilterUserPriority BITS
}
frwk802FilterDstAddr OBJECT-TYPE
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"The 802 address against which the 802 DA of incoming
traffic streams will be compared. Frames whose 802 DA
matches the physical address specified by this object,
taking into account address wildcarding as specified by the
frwk802FilterDstAddrMask object, are potentially subject to
the processing guidelines that are associated with this
entry through the related action class."
::= { frwk802FilterEntry 1 }
frwk802FilterDstAddrMask OBJECT-TYPE
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"This object specifies the bits in a 802 destination address
that should be considered when performing a 802 DA
comparison against the address specified in the
frwk802FilterDstAddr object.
The value of this object represents a mask that is logically
and'ed with the 802 DA in received frames to derive the
value to be compared against the frwk802FilterDstAddr
address. A zero bit in the mask thus means that the
corresponding bit in the address always matches. The
frwk802FilterDstAddr value must also be masked using this
value prior to any comparisons.
The length of this object in octets must equal the length in
octets of the frwk802FilterDstAddr. Note that a mask with no
bits set (i.e., all zeroes) effectively wildcards the
frwk802FilterDstAddr object."
::= { frwk802FilterEntry 2 }
Framework Policy Information Base July 2000
frwk802FilterSrcAddr OBJECT-TYPE
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"The 802 MAC address against which the 802 MAC SA of
incoming traffic streams will be compared. Frames whose 802
MAC SA matches the physical address specified by this
object, taking into account address wildcarding as specified
by the frwk802FilterSrcAddrMask object, are potentially
subject to the processing guidelines that are associated
with this entry through the related action class."
::= { frwk802FilterEntry 3 }
frwk802FilterSrcAddrMask OBJECT-TYPE
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"This object specifies the bits in a 802 MAC source address
that should be considered when performing a 802 MAC SA
comparison against the address specified in the
frwk802FilterSrcAddr object.
The value of this object represents a mask that is logically
and'ed with the 802 MAC SA in received frames to derive the
value to be compared against the frwk802FilterSrcAddr
address. A zero bit in the mask thus means that the
corresponding bit in the address always matches. The
frwk802FilterSrcAddr value must also be masked using this
value prior to any comparisons.
The length of this object in octets must equal the length in
octets of the frwk802FilterSrcAddr. Note that a mask with no
bits set (i.e., all zeroes) effectively wildcards the
frwk802FilterSrcAddr object."
::= { frwk802FilterEntry 4 }
frwk802FilterVlanId OBJECT-TYPE
SYNTAX Integer32 (-1 | 1..4094)
STATUS current
DESCRIPTION
"The VLAN ID (VID) that uniquely identifies a VLAN
within the device. This VLAN may be known or unknown
(i.e., traffic associated with this VID has not yet
been seen by the device) at the time this entry
is instantiated.
Setting the frwk802FilterVlanId object to -1 indicates that
VLAN data should not be considered during traffic
classification."
::= { frwk802FilterEntry 5 }
Framework Policy Information Base July 2000
frwk802FilterVlanTagRequired OBJECT-TYPE
SYNTAX INTEGER {
taggedOnly(1),
priorityTaggedPlus(2),
untaggedOnly(3),
ignoreTag(4)
}
STATUS current
DESCRIPTION
"This object indicates whether the presence of an
IEEE 802.1Q VLAN tag in data link layer frames must
be considered when determining if a given frame
matches this 802 filter entry.
A value of 'taggedOnly(1)' means that only frames
containing a VLAN tag with a non-Null VID (i.e., a
VID in the range 1..4094) will be considered a match.
A value of 'priorityTaggedPlus(2)' means that only
frames containing a VLAN tag, regardless of the value
of the VID, will be considered a match.
A value of 'untaggedOnly(3)' indicates that only
untagged frames will match this filter component.
The presence of a VLAN tag is not taken into
consideration in terms of a match if the value is
'ignoreTag(4)'."
::= { frwk802FilterEntry 6 }
frwk802FilterEtherType OBJECT-TYPE
SYNTAX Integer32 (-1 | 0..'ffff'h)
STATUS current
DESCRIPTION
"This object specifies the value that will be compared
against the value contained in the EtherType field of an
IEEE 802 frame. Example settings would include 'IP'
(0x0800), 'ARP' (0x0806) and 'IPX' (0x8137).
Setting the frwk802FilterEtherTypeMin object to -1 indicates
that EtherType data should not be considered during traffic
classification.
Note that the position of the EtherType field depends on
the underlying frame format. For Ethernet-II encapsulation,
the EtherType field follows the 802 MAC source address. For
802.2 LLC/SNAP encapsulation, the EtherType value follows
the Organization Code field in the 802.2 SNAP header. The
value that is tested with regard to this filter component
therefore depends on the data link layer frame format being
Framework Policy Information Base July 2000
used. If this 802 filter component is active when there is
no EtherType field in a frame (e.g., 802.2 LLC), a match is
implied."
::= { frwk802FilterEntry 7 }
frwk802FilterUserPriority OBJECT-TYPE
SYNTAX BITS {
matchPriority0(0),
matchPriority1(1),
matchPriority2(2),
matchPriority3(3),
matchPriority4(4),
matchPriority5(5),
matchPriority6(6),
matchPriority7(7)
}
STATUS current
DESCRIPTION
"The set of values, representing the potential range
of user priority values, against which the value contained
in the user priority field of a tagged 802.1 frame is
compared. A test for equality is performed when determining
if a match exists between the data in a data link layer
frame and the value of this 802 filter component. Multiple
values may be set at one time such that potentially several
different user priority values may match this 802 filter
component.
Setting all of the bits that are associated with this
object causes all user priority values to match this
attribute. This essentially makes any comparisons
with regard to user priority values unnecessary. Untagged
frames are treated as an implicit match."
::= { frwk802FilterEntry 8 }
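Review bot: the DESCRIPTION of frwk802FilterEtherType refers to "the frwk802FilterEtherTypeMin object", which is not defined anywhere in Frwk802FilterEntry; the sentence should name frwk802FilterEtherType itself. Separately, two components match by default when the field they test is absent: EtherType when the frame has no EtherType field ("a match is implied") and frwk802FilterUserPriority for untagged frames ("an implicit match"). It is worth one sentence in the entry DESCRIPTION pointing out that a filter meant to select a specific EtherType or priority will therefore also match frames lacking that field unless frwk802FilterVlanTagRequired or another component excludes them.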
--
-- The Filter Group Definition Table
--
frwkFilterGroupDefnTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkFilterGroupDefnEntry
PIB-ACCESS install,5
STATUS current
DESCRIPTION
"A class that defines Filter Groups. Each Group being an
ordered list of filters. Each instance of this class
identifies one filter of a group and the precedence order of
that filter with respect to other filters in the same
group."
Framework Policy Information Base July 2000
INSTALL-ERRORS {
priPrecedenceConflict(1) -- precedence conflict detected
}
::= { frwkClassifierClasses 4 }
frwkFilterGroupDefnEntry OBJECT-TYPE
SYNTAX FrwkFilterGroupDefnEntry
STATUS current
DESCRIPTION
"An instance of the frwkFilterGroupDefn class."
INDEX { frwkFilterGroupDefnPrid }
UNIQUENESS { frwkFilterGroupDefnId,
frwkFilterGroupDefnFilterId }
::= { frwkFilterGroupDefnTable 1 }
FrwkFilterGroupDefnEntry ::= SEQUENCE {
frwkFilterGroupDefnPrid PolicyInstanceId,
frwkFilterGroupDefnId PolicyTagId,
frwkFilterGroupDefnFilterId PolicyReferenceId,
frwkFilterGroupDefnFilterPrecedence Unsigned32
}
frwkFilterGroupDefnPrid OBJECT-TYPE
SYNTAX PolicyInstanceId
STATUS current
DESCRIPTION
"Unique index of this policy rule instance."
::= { frwkFilterGroupDefnEntry 1 }
frwkFilterGroupDefnId OBJECT-TYPE
SYNTAX PolicyTagId
STATUS current
DESCRIPTION
"An ID for this Filter Group. There will be one instance of
the class frwkFilterGroupDefn with this ID for each
instance of the Base filter class in the Filter Group per
role combination.
Note that this identifier is used in instances of the
Class that associate a Filter Group with an interface
set and specific actions. An active Filter Group-Target
association prohibits the deletion of all of the
frwkFilterGroupDefn instances with a given
Framework Policy Information Base July 2000
frwkFilterGroupDefnId (i.e., at
least one entry for the specific frwkFilterGroupDefnId
must be present in this table) until the Filter Group-Target
association is terminated."
::= { frwkFilterGroupDefnEntry 2 }
frwkFilterGroupDefnFilterId OBJECT-TYPE
SYNTAX PolicyReferenceId
PIB-REFERENCES {frwkBaseFilterEntry}
STATUS current
DESCRIPTION
"This attribute specifies the filter in the
frwkBaseFilterTable that is in the Filter Group specified by
frwkFilterGroupDefnId at the position specified by the
FilterPrecedence attribute.
Attempting to specify an unknown class instance will result
in an appropriate error indication being returned to the
entity that is attempting to install the conflicting entry.
For example, a 'priUnknown(2)' error indication is returned
to the policy server in this situation."
::= { frwkFilterGroupDefnEntry 3 }
frwkFilterGroupDefnFilterPrecedence OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"The precedence order of this filter. The precedence order
determines the position of this filter in the Filter Group.
A filter with a given precedence order is positioned in the
Filter group before one with a higher-valued
precedence order.
Precedence values within a group must be unique otherwise
instance installation will be prohibited and an error
value will be returned."
::= { frwkFilterGroupDefnEntry 4 }
Framework Policy Information Base July 2000
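Review bot: frwkFilterGroupDefnFilterId cites a 'priUnknown(2)' error, but this table's INSTALL-ERRORS clause lists only priPrecedenceConflict(1), and the text calls an entry with an unknown reference "the conflicting entry". Say where priUnknown(2) is defined, or add it to INSTALL-ERRORS, and reword "conflicting" to "invalid". Likewise frwkFilterGroupDefnFilterPrecedence ends with "an error value will be returned" without naming priPrecedenceConflict(1); name it so the duplicate-precedence case maps to a specific code. The sentence fragment "Each Group being an ordered list of filters." in the table DESCRIPTION should be "Each Group is an ordered list of filters."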
-- --
-- Conformance Section -- Conformance Section
-- --
policyBasePibConformance frwkBasePibConformance
OBJECT IDENTIFIER ::= { policyFrameworkPib 2 } OBJECT IDENTIFIER ::= { frameworkPib 4 }
policyBasePibCompliances frwkBasePibCompliances
OBJECT IDENTIFIER ::= { policyBasePibConformance 1 } OBJECT IDENTIFIER ::= { frwkBasePibConformance 1 }
policyBasePibGroups
OBJECT IDENTIFIER ::= { policyBasePibConformance 2 }
policyBasePibCompliance MODULE-COMPLIANCE frwkBasePibGroups
OBJECT IDENTIFIER ::= { frwkBasePibConformance 2 }
frwkBasePibCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Describes the requirements for conformance to the "Describes the requirements for conformance to the
Policy Framework PIB." Framework PIB."
MODULE -- this module MODULE -- this module
MANDATORY-GROUPS { policyPrcSupportGroup, MANDATORY-GROUPS { frwkPrcSupportGroup,
policyDevicePibIncarnationGroup, frwkPibIncarnationGroup,
policyDeviceIdentificationGroup, frwkDeviceIdGroup,
policyCompLimitsGroup } frwkCompLimitsGroup,
frwkIfCapSetGroup,
Framework Policy Information Base March 2000 frwkIfCapSetRoleComboGroup }
OBJECT policyDevicePibIncarnationLongevity OBJECT frwkPibIncarnationLongevity
MIN-ACCESS notify PIB-MIN-ACCESS notify
DESCRIPTION "Install support is not required." DESCRIPTION "Install support is not required."
OBJECT policyDevicePibIncarnationTtl OBJECT frwkPibIncarnationTtl
MIN-ACCESS notify PIB-MIN-ACCESS notify
DESCRIPTION "Install support is not required." DESCRIPTION "Install support is not required."
OBJECT policyDevicePibIncarnationActiveContext OBJECT frwkPibIncarnationActive
MIN-ACCESS notify PIB-MIN-ACCESS notify
DESCRIPTION "Install support is not required." DESCRIPTION "Install support is not required."
::= { policyBasePibCompliances 1 } GROUP frwkBaseFilterGroup
DESCRIPTION
"The frwkBaseFilterGroup is mandatory if filtering
based on traffic components is supported."
policyPrcSupportGroup OBJECT-GROUP GROUP frwkIpFilterGroup
DESCRIPTION
"The frwkIpFilterGroup is mandatory if filtering
based on IP traffic components is supported."
Framework Policy Information Base July 2000
GROUP frwk802FilterGroup
DESCRIPTION
"The frwk802FilterGroup is mandatory if filtering
based on 802 traffic criteria is supported."
GROUP frwkFilterGroupDefnGroup
DESCRIPTION
"The frwkFilterGroupDefnGroup is mandatory if
filtering based on IP traffic components is
supported."
::= { frwkBasePibCompliances 1 }
frwkPrcSupportGroup OBJECT-GROUP
OBJECTS { OBJECTS {
policyPrcSupportSupportedPrc, frwkPrcSupportSupportedPrc,
policyPrcSupportSupportedAttrs, frwkPrcSupportSupportedAttrs,
policyPrcSupportMaxPris frwkPrcSupportMaxPris
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the policyPrcSupportTable." "Objects from the frwkPrcSupportTable."
::= { policyBasePibGroups 1 } ::= { frwkBasePibGroups 1 }
policyDevicePibIncarnationGroup OBJECT-GROUP frwkPibIncarnationGroup OBJECT-GROUP
OBJECTS { OBJECTS {
policyDevicePibIncarnationName, frwkPibIncarnationName,
policyDevicePibIncarnationId, frwkPibIncarnationId,
policyDevicePibIncarnationLongevity, frwkPibIncarnationLongevity,
policyDevicePibIncarnationTtl, frwkPibIncarnationTtl,
policyDevicePibIncarnationActiveContext frwkPibIncarnationActive
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the policyDevicePibIncarnationTable." "Objects from the frwkDevicePibIncarnationTable."
::= { policyBasePibGroups 2 } ::= { frwkBasePibGroups 2 }
policyDeviceIdentificationGroup OBJECT-GROUP frwkDeviceIdGroup OBJECT-GROUP
OBJECTS { OBJECTS {
policyDeviceIdentificationDescr, frwkDeviceIdDescr,
policyDeviceIdentificationMaxMsg frwkDeviceIdMaxMsg,
frwkDeviceIdMaxContexts }
STATUS current
DESCRIPTION
"Objects from the frwkDeviceIdTable."
::= { frwkBasePibGroups 3 }
Framework Policy Information Base July 2000
frwkCompLimitsGroup OBJECT-GROUP
OBJECTS {
frwkCompLimitsComponent,
frwkCompLimitsType,
frwkCompLimitsGuidance,
frwkCompLimitsSubType }
STATUS current
DESCRIPTION
"Objects from the frwkCompLimitsTable."
::= { frwkBasePibGroups 4 }
frwkIfCapSetGroup OBJECT-GROUP
OBJECTS {
frwkIfCapSetName,
frwkIfCapSetCapability
} }
STATUS current
DESCRIPTION
"Objects from the frwkIfCapSetTable."
Framework Policy Information Base March 2000 ::= { frwkBasePibGroups 5 }
frwkIfCapSetRoleComboGroup OBJECT-GROUP
OBJECTS {
frwkIfCapSetRoleComboName,
frwkIfCapSetRoleComboRoles
}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the policyDeviceIdentificationTable." "Objects from the frwkIfCapSetRoleComboTable."
::= { policyBasePibGroups 3 } ::= { frwkBasePibGroups 6 }
policyCompLimitsGroup OBJECT-GROUP frwkBaseFilterGroup OBJECT-GROUP
OBJECTS { OBJECTS {
policyCompLimitsComponent, frwkBaseFilterPermit
policyCompLimitsType,
policyCompLimitsGuidance
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the policyCompLimitsTable." "Objects from the frwkBaseFilterTable."
::= { policyBasePibGroups 4 } ::= { frwkBasePibGroups 7 }
Framework Policy Information Base July 2000
frwkIpFilterGroup OBJECT-GROUP
OBJECTS {
frwkIpFilterDstAddr,
frwkIpFilterDstAddrMask,
frwkIpFilterSrcAddr,
frwkIpFilterSrcAddrMask,
frwkIpFilterDscp,
frwkIpFilterProtocol,
frwkIpFilterDstL4PortMin,
frwkIpFilterDstL4PortMax,
frwkIpFilterSrcL4PortMin,
frwkIpFilterSrcL4PortMax
}
STATUS current
DESCRIPTION
"Objects from the frwkIpFilterTable."
::= { frwkBasePibGroups 8 }
frwk802FilterGroup OBJECT-GROUP
OBJECTS {
frwk802FilterDstAddr,
frwk802FilterDstAddrMask,
frwk802FilterSrcAddr,
frwk802FilterSrcAddrMask,
frwk802FilterVlanId,
frwk802FilterVlanTagRequired,
frwk802FilterEtherType,
frwk802FilterUserPriority
}
STATUS current
DESCRIPTION
"Objects from the frwk802FilterTable."
::= { frwkBasePibGroups 9 }
frwkFilterGroupDefnGroup OBJECT-GROUP
OBJECTS {
frwkFilterGroupDefnId,
frwkFilterGroupDefnFilterId,
frwkFilterGroupDefnFilterPrecedence
}
STATUS current
DESCRIPTION
"Objects from the frwkFilterGroupDefnTable."
::= { frwkBasePibGroups 10 }
END END
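Review bot: in the compliance statement, the GROUP clause for frwkFilterGroupDefnGroup says it is mandatory "if filtering based on IP traffic components is supported", which is the same condition given for frwkIpFilterGroup. frwkFilterGroupDefnFilterId references frwkBaseFilterEntry, so the group is needed for 802 filters as well; the condition should match the one on frwkBaseFilterGroup ("if filtering based on traffic components is supported"). Also check the DESCRIPTION of frwkPibIncarnationGroup: it says "Objects from the frwkDevicePibIncarnationTable" while every object in the group is named frwkPibIncarnation*, which suggests the old "Device" infix was left in during the rename.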
Framework Policy Information Base March 2000 Framework Policy Information Base July 2000
7. Security Considerations 6. Security Considerations
The information contained in a PIB when transported by the COPS protocol The information contained in a PIB when transported by the COPS
[COPS-PR] may be sensitive, and its function of provisioning a PEP protocol [COPS-PR] may be sensitive, and its function of
requires that only authorized communication take place. The use of provisioning a PEP requires that only authorized communication take
IPSEC between PDP and PEP, as described in [COPS], provides the place. The use of IPSEC between PDP and PEP, as described in
necessary protection against these threats. [COPS], provides the necessary protection against these threats.
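Review bot: the Security Considerations text is carried over unchanged apart from reflow, although this revision adds the install-access classifier classes (frwkBaseFilterTable, frwkIpFilterTable, frwk802FilterTable, frwkFilterGroupDefnTable). These decide which traffic a policy applies to, so an unauthorized or modified install changes classification on the PEP directly. Suggest naming those classes as the sensitive ones, and qualifying "provides the necessary protection" to say it holds only when IPSEC is actually in use between PDP and PEP, since the sentence reads as if the protection were unconditional.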
8. Intellectual Property Considerations 7. Intellectual Property Considerations
The IETF is being notified of intellectual property rights claimed in The IETF is being notified of intellectual property rights claimed
regard to some or all of the specification contained in this document. in regard to some or all of the specification contained in this
For more information consult the online list of claimed rights. document. For more information consult the online list of claimed
rights.
9. Authors' Addresses 8. Author Information and Acknowledgments
Michael Fine Michael Fine
Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive 170 West Tasman Drive
San Jose, CA 95134-1706 USA San Jose, CA 95134-1706 USA
Phone: +1 408 527 8218 Phone: +1 408 527 8218
Email: mfine@cisco.com Email: mfine@cisco.com
Keith McCloghrie Keith McCloghrie
Cisco Systems, Inc. Cisco Systems, Inc.
skipping to change at page 22, line 5 skipping to change at page 41, line 5
Phone: +1 408 495 2992 Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com Email: jseligso@nortelnetworks.com
Kwok Ho Chan Kwok Ho Chan
Nortel Networks, Inc. Nortel Networks, Inc.
600 Technology Park Drive 600 Technology Park Drive
Billerica, MA 01821 USA Billerica, MA 01821 USA
Phone: +1 978 288 8175 Phone: +1 978 288 8175
Email: khchan@nortelnetworks.com Email: khchan@nortelnetworks.com
Framework Policy Information Base March 2000 Framework Policy Information Base July 2000
Scott Hahn Scott Hahn
Intel Intel Corp.
2111 NE 25th Avenue 2111 NE 25th Avenue
Hillsboro, OR 97124 USA Hillsboro, OR 97124 USA
Phone: +1 503 264 8231 Phone: +1 503 264 8231
Email: scott.hahn@intel.com Email: scott.hahn@intel.com
Ravi Sahita
Intel Corp.
2111 NE 25th Avenue
Hillsboro, OR 97124 USA
Phone: +1 503 712 1554
Email: ravi.sahita@intel.com
Andrew Smith Andrew Smith
Extreme Networks Fax: +1 415 345 1827
10460 Bandley Drive Email: ah_smith@pacbell.net
Cupertino CA 95014 USA
Phone: +1 408 342 0999
Email: andrew@extremenetworks.com
Francis Reichmeyer Francis Reichmeyer
IPHighway Inc. IPHighway Inc.
Parker Plaza, 16th Floor Parker Plaza, 16th Floor
400 Kelby St. 400 Kelby St.
Fort-Lee, NJ 07024 Fort-Lee, NJ 07024
Phone: (201) 585-0800 Phone: (201) 585-0800
Email: FranR@iphighway.com Email: FranR@iphighway.com
10. References Special thanks to Carol Bell and David Durham for their many
significant comments.
[COPS] Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan, R., and 9. References
[COPS]
Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan, R., and
A. Sastry, "The COPS (Common Open Policy Service) Protocol" A. Sastry, "The COPS (Common Open Policy Service) Protocol"
RFC 2748, January 2000. RFC 2748, January 2000.
[COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, [COPS-PR]
F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie,
"COPS Usage for Policy Provisioning," F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage
draft-ietf-rap-cops-pr-02.txt, March 2000. for Policy Provisioning," draft-ietf-rap-pr-03.txt,
July 2000.
[SPPI] K. McCloghrie, et.al., "Structure of Policy Provisioning [SPPI]
Information," draft-ietf-rap-sppi-00.txt, march 2000. K. McCloghrie, et.al., "Structure of Policy Provisioning
Information," draft-ietf-rap-sppi-01.txt, July 2000.
[POLICY] M. Stevens, W. Weiss H. Mahon, B. Moore, J. Strassner, [POLICY]
M. Stevens, W. Weiss H. Mahon, B. Moore, J. Strassner,
G. Waters, A. Westerinen, J. Wheeler, "Policy Framework", G. Waters, A. Westerinen, J. Wheeler, "Policy Framework",
draft-ietf-policy-framework-00.txt, September 1999. draft-ietf-policy-framework-00.txt, September 1999.
[RAP-FRAMEWORK] R. Yavatkar, D. Pendarakis, "A Framework for Framework Policy Information Base July 2000
Policy-based Admission Control",
draft-ietf-rap-framework-03.txt, April 1999.
Framework Policy Information Base March 2000 [RAP-FRAMEWORK]
R. Yavatkar, D. Pendarakis, "A Framework for Policy-based
Admission Control", RFC 2753, January 2000.
[SNMP-SMI] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, [SNMP-SMI]
M. Rose and S. Waldbusser, "Structure of Management Information K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose
and S. Waldbusser, "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
Framework Policy Information Base March 2000 Framework Policy Information Base July 2000
Table of Contents Table of Contents
1 Glossary ........................................................ 2 Status of this Memo...............................................1
2 Introduction .................................................... 2 1. Glossary......................................................2
3 General PIB Concepts ............................................ 2 2. Introduction..................................................2
3.1 Roles ......................................................... 2 3. General PIB Concepts..........................................2
3.1.1 An Example .................................................. 3 3.1. Roles.......................................................2
3.2 Multiple PIB Instances ........................................ 4 3.1.1. An Example................................................4
3.3 Reporting of Device Capabilities .............................. 5 3.2. Multiple PIB Instances......................................5
3.4 Reporting of Device Limitations ............................... 5 3.3. Reporting of Device Capabilities............................6
4 Summary of the Framework PIB .................................... 6 3.4. Reporting of Device Limitations.............................6
5 PIB Operational Overview ........................................ 7 4. Summary of the Framework PIB..................................6
6 The Policy Framework PIB Module ................................. 7 5. The Framework PIB Module......................................9
7 Security Considerations ......................................... 21 6. Security Considerations......................................40
8 Intellectual Property Considerations ............................ 21 7. Intellectual Property Considerations.........................40
9 Authors' Addresses .............................................. 21 8. Author Information and Acknowledgments........................40
10 References ..................................................... 22 9. References...................................................41
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/