draft-ietf-rap-frameworkpib-07.txt   draft-ietf-rap-frameworkpib-08.txt 
Internet Draft M. Fine Internet Draft M. Fine
Expires July 2002 K. McCloghrie Expires November 30, 2002 Atheros Comm.
File: draft-ietf-rap-frameworkpib-07.txt Cisco Systems File: draft-ietf-rap-frameworkpib-08.txt K. McCloghrie
Cisco Systems
J. Seligson J. Seligson
K. Chan K. Chan
Nortel Networks Nortel Networks
R. Sahita, Ed.
S. Hahn S. Hahn
R. Sahita Intel Labs
Intel
A. Smith A. Smith
Allegro Networks Allegro Networks
F. Reichmeyer F. Reichmeyer
PFN PFN
January 28, 2002 May 30, 2002
Framework Policy Information Base Framework Policy Information Base
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are all provisions of Section 10 of RFC2026. Internet-Drafts are
working documents of the Internet Engineering Task Force (IETF), its working documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts. distribute working documents as Internet-Drafts.
skipping to change at page 2, line 5 skipping to change at page 2, line 5
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as ''work in reference material or to cite them other than as ''work in
progress''. progress''.
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
Abstract Abstract
[SPPI] describes a structure for specifying policy information that Structure of Policy Provisioning Information (SPPI) describes a
can then be transmitted to a network device for the purpose of structure for specifying policy information that can then be
configuring policy at that device. The model underlying this transmitted to a network device for the purpose of configuring
structure is one of well-defined provisioning classes and instances policy at that device. The model underlying this structure is one
of these classes residing in a virtual information store called the of well-defined PRovisioning Classes (PRCs) and instances of these
classes (PRIs) residing in a virtual information store called the
Policy Information Base (PIB). Policy Information Base (PIB).
One way to provision policy is by means of the COPS protocol [COPS] One way to provision policy is by means of the Common Open Policy
with the extensions for provisioning [COPS-PR]. This protocol Service (COPS) protocol with the extensions for provisioning. This
supports multiple clients, each of which may provision policy for a protocol supports multiple clients, each of which may provision
specific policy domain such as QoS, virtual private networks, or policy for a specific policy domain such as QoS, virtual private
security. networks, or security.
As described in [COPS-PR], each client supports a non-overlapping As described in COPS usage for Policy Provisioning (COPS-PR), each
and independent set of PIB modules. However, some provisioning client supports a non-overlapping and independent set of PIB
classes are common to all subject-categories (client-types) and need modules. However, some PRovisioning Classes are common to all
to be present in each. This document defines a set of PRCs and subject-categories (client-types) and need to be present in each.
textual conventions that are common to all clients that provision This document defines a set of PRCs and textual conventions that are
policy using COPS for Provisioning. common to all clients that provision policy using COPS for
Provisioning.
1. Glossary 1. Glossary
PRC Provisioning Class. A type of policy data. PRC PRovisioning Class. A type of policy data. See [POLTERM].
PRI Provisioning Instance. An instance of a PRC. PRI PRovisioning Instance. An instance of a PRC. See [POLTERM].
PIB Policy Information Base. The database of policy information. PIB Policy Information Base. The database of policy information.
See [POLTERM]
PDP Policy Decision Point. See [RAP-FRAMEWORK]. PDP Policy Decision Point. See [RAP-FRAMEWORK].
PEP Policy Enforcement Point. See [RAP-FRAMEWORK]. PEP Policy Enforcement Point. See [RAP-FRAMEWORK].
PRID Provisioning Instance Identifier. Uniquely identifies an
instance of a PRC.
2. General PIB Concepts 2. General PIB Concepts
2.1. Roles 2.1. Roles
The policy to apply to an interface may depend on many factors such The policy to apply to an interface may depend on many factors such
as immutable characteristics of the interface (e.g., Ethernet or as immutable characteristics of the interface (e.g., Ethernet or
frame relay), the status of the interface (e.g., half or full frame relay), the status of the interface (e.g., half or full
duplex), or user configuration (e.g., branch office or headquarters duplex), or user configuration (e.g., branch office or headquarters
interface). Rather than specifying policies explicitly for each interface). Rather than specifying policies explicitly for each
interface of all devices in the network, policies are specified in interface of all devices in the network, policies are specified in
terms of interface functionality. terms of interface functionality.
To describe these functionalities of an interface we use the concept To describe these functionalities of an interface we use the concept
of "Roles". A Role is simply a string that is associated with an of "Roles". A Role is simply a string that is associated with an
interface. A given interface may have any number of roles interface. A given interface may have any number of roles
simultaneously. Provisioning classes have an attribute called a simultaneously. Provisioning classes have an attribute called a
"RoleCombinationŲ which is a lexicographically ordered set of roles. "RoleCombination" which is a lexicographically ordered set of roles.
Instances of a given provisioning class are applied to an interface Instances of a given PRovisioning Class are applied to an interface
if and only if the set of roles in the role combination matches the if and only if the set of roles in the role combination matches the
set of the roles of the interface. set of the roles of the interface.
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
Thus, roles provide a way to bind policy to interfaces without Thus, roles provide a way to bind policy to interfaces without
having to explicitly identify interfaces in a consistent manner having to explicitly identify interfaces in a consistent manner
across all network devices. (The SNMP experience with ifIndex has across all network devices. That is, roles provide a level of
proved this to be a difficult task.) That is, roles provide a level indirection to the application of a set of policies to specific
of indirection to the application of a set of policies to specific interfaces. This separates the policy definition from device
interfaces. Furthermore, if the same policy is being applied to implementation specific interface identification. Furthermore, if
several interfaces, that policy need be pushed to the device only the same policy is being applied to several interfaces, that policy
once, rather than once per interface, as long as the interfaces are need be pushed to the device only once, rather than once per
configured with the same role combination. interface, as long as the interfaces are configured with the same
role combination.
We point out that, in the event that the administrator needs to have We point out that, in the event that the administrator needs to have
unique policy for each interface, this can be achieved by unique policy for each interface, this can be achieved by
configuring each interface with a unique role. configuring each interface with a unique role.
The PEP sends all its Capability Set Names, Role Combinations, The PEP sends all its Capability Set Names, Role Combinations,
Policy Controlled Interfaces, and their relationships to the PDP in Policy Controlled Interfaces, and their relationships to the PDP in
the first COPS request (REQ) message for a handle and whenever any the first COPS request (REQ) message for a handle and whenever any
updates or deletes occur. The PDP can install new instances or updates or deletes occur. The PDP can install new instances or
change existing instances of these PRIs. This operation can also change existing instances of these PRIs. This operation can also
occur in subsequent request messages generated in response to COPS occur in subsequent request messages generated in response to COPS
state synchronization (SSQ) requests and local configuration state synchronization (SSQ) requests and local configuration
changes. changes.
The comparing of roles (or role combinations) is case sensitive. The comparing of roles (or role combinations) is case sensitive.
By convention, when formatting the role-combination for exchange By convention, when formatting the role-combination for exchange
within a protocol message, within a PIB/MIB object's value, or as a within a protocol message, within a PIB object's value, or as a
printed value, the set is formatted in lexicographical order of the printed value, the set is formatted in lexicographical order of the
role's ASCII values; that is, the role that is first is formatted role's ASCII values; that is, the role that is first is formatted
first. For example, "a+b" and "b+a" are NOT different role- first. For example, "a+b" and "b+a" are NOT different role-
combinations; rather, they are different formatting of the same combinations; rather, they are different formatting of the same
role-combination, and hence for this example: role-combination, and hence for this example:
- "a+b" is the valid formatting of that role-combination, - "a+b" is the valid formatting of that role-combination,
- "b+a" is an invalid formatting of that role-combination. - "b+a" is an invalid formatting of that role-combination.
The role-combination of interfaces to which no roles have been The role-combination of interfaces to which no roles have been
assigned is known as the "null" role-combination. (Note the assigned is known as the "null" role-combination. (Note the
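Review bot: The new PRC capitalization is applied inconsistently in section 2.1. The sentence introducing the role combination still reads "Provisioning classes have an attribute called a "RoleCombination"", while the next sentence was changed to "Instances of a given PRovisioning Class". Use one form throughout, or simply "PRC", now that the abstract and glossary define it. In the glossary, the "See [POLTERM]" added under PIB lacks the closing period that the PRC and PRI entries have.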
skipping to change at page 4, line 5 skipping to change at page 4, line 5
combination "*" can be used. In addition to providing for interface- combination "*" can be used. In addition to providing for interface-
specific roles, it also allows for other optimizations in reducing specific roles, it also allows for other optimizations in reducing
the number of role-combinations for which a policy has to be the number of role-combinations for which a policy has to be
specified. For example: specified. For example:
Suppose we have three interfaces: Suppose we have three interfaces:
Roles A, B and R1 are assigned to interface I1 Roles A, B and R1 are assigned to interface I1
Roles A, B and R2 are assigned to interface I2 Roles A, B and R2 are assigned to interface I2
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
Roles A, B and R3 are assigned to interface I3 Roles A, B and R3 are assigned to interface I3
Then, a PRI of a fictional IfDscpAssignTable that has the following Then, a PRI of a fictional IfDscpAssignTable that has the following
values for its attributes: values for its attributes:
ifDscpAssignPrid = 1 ifDscpAssignPrid = 1
ifDscpAssignRoles = "*+A+B" ifDscpAssignRoles = "*+A+B"
ifDscpAssignName = "4queues" ifDscpAssignName = "4queues"
ifDscpAssignDscpMap = 1 ifDscpAssignDscpMap = 1
skipping to change at page 5, line 5 skipping to change at page 5, line 5
IF1: "finance" IF1: "finance"
IF2: "finance" IF2: "finance"
IF3: "manager" IF3: "manager"
Suppose, I also have a PDP with two policies: Suppose, I also have a PDP with two policies:
P1: Packets from finance department (role "finance") get DSCP 5 P1: Packets from finance department (role "finance") get DSCP 5
P2: Packets from managers (role "manager") get DSCP 6 P2: Packets from managers (role "manager") get DSCP 6
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
To obtain policy, the PEP reports to the PDP that it has some To obtain policy, the PEP reports to the PDP that it has some
interfaces with role combination "finance" and some with role interfaces with role combination "finance" and some with role
combination "manager". In response, the PDP downloads policy P1 combination "manager". In response, the PDP downloads policy P1
associated with role combination "finance" and downloads a second associated with role combination "finance" and downloads a second
policy P2 associated with role combination "manager". policy P2 associated with role combination "manager".
Now suppose the finance person attached to IF2 is promoted to Now suppose the finance person attached to IF2 is promoted to
manager and so the system administrator adds the role "manager" to manager and so the system administrator adds the role "manager" to
IF2. The PEP now reports to the PDP that it has three role IF2. The PEP now reports to the PDP that it has three role
skipping to change at page 5, line 42 skipping to change at page 5, line 42
The point here is that the PDP is required to determine what policy The point here is that the PDP is required to determine what policy
applies to this new role combination and to download a third policy applies to this new role combination and to download a third policy
to the PEP for the role combination "finance+manager" even if that to the PEP for the role combination "finance+manager" even if that
policy is the same as one already downloaded. The PEP is not policy is the same as one already downloaded. The PEP is not
required (or allowed) to construct policy for new role combinations required (or allowed) to construct policy for new role combinations
from existing policy. from existing policy.
2.2. Management of Role-Combinations from the PDP 2.2. Management of Role-Combinations from the PDP
The PEP notifies the PDP of the Role-Combination assigned to each The PEP notifies the PDP of the Role-Combination assigned to each
interface and ifCapSetName in a COPS configuration request interface and capability set name in a COPS configuration request
(instances of the frwkIfRoleComboTable). The first request sent to (instances of the frwkIfRoleComboTable). The first request sent to
the PDP must be a śfull state∆ request. A śfull state∆ request for a the PDP must be a 'full state' request. A 'full state' request for a
PEP includes all the notify and install-notify table PRIs for the PEP includes notify and install-notify table PRIs for the PEP which
PEP. must be interpreted as the complete state of the PEP and must not be
interpreted as updates to any previous set of PRIs sent in a
previous message. Any previous PRIs from the PEP should be discarded
when a 'full state' request is received for the particular request
handle. A request is specified as a 'full state' request by setting
the frwkPibIncarnationFullState attribute in the frwkPibIncarnation
PRI sent in the request.
All existing frwkIfRoleCombo instances must be sent to the PDP in All existing frwkIfRoleCombo instances must be sent to the PDP in
the first configuration request for a request handle. If the Role- the first configuration request for a request handle. If the Role-
Combinations are not assigned specific values, default ('null') Combinations are not assigned specific values, default ('null')
Role-Combinations must be sent to the PDP for all ifIndices active Role-Combinations must be sent to the PDP for all ifIndices active
on the PEP and updates must be sent every time the IfIndices are on the PEP and updates must be sent every time the IfIndices are
updated. The PEP may notify the PDP of the Interface Capability sets updated. The PEP may notify the PDP of the Capability sets (if any)
(if any) via the frwkIfCapSetTable. If the PEP does not need to via the frwkCapabilitySetTable. If the PEP does not need to notify
notify the PDP of capability sets, it must set the ifCapSetName in
Framework Policy Information Base May 30, 2002
the PDP of capability sets, it must set the capability set name in
the frwkIfRoleComboTable instances to a zero length string. the frwkIfRoleComboTable instances to a zero length string.
In response to this configuration request, if applicable, the PDP In response to this configuration request, if applicable, the PDP
may send policies for the PEP in a solicited decision or must send a may send policies for the PEP in a solicited decision or must send a
Framework Policy Information Base January 2002
null decision. The PEP must then send a solicited report message for null decision. The PEP must then send a solicited report message for
the decision. the decision.
At any later time, the PDP can update the Role-Combinations assigned At any later time, the PDP can update the Role-Combinations assigned
to a specific interface, identified by IfIndex, or for an aggregate, to a specific interface, identified by IfIndex, or for an aggregate,
identified by IfCapSetName, via an unsolicited decision to the PEP identified by the capability set name, via an unsolicited decision
on any open request handle. The PDP does this by sending updated to the PEP on any open request handle. The PDP does this by sending
PRIs for the frwkIfRoleComboTable. updated PRIs for the frwkIfRoleComboTable.
When the Interface Role Combination associations are updated by the When the Interface Role Combination associations are updated by the
PDP, the PEP SHOULD send updated śfull state∆ requests for all open PDP, the PEP SHOULD send updated 'full state' requests for all open
contexts (request handles). This is true even if the PEP's request contexts. A context is an instantiation of the PIB module(s)
state changes due to an internal event or if the state is changed by namespace identified by a unique COPS handle for a particular COPS
the PDP. If the role-combination updates were sent by the PDP, the client type. This is true even if the PEP's request state changes
PEP SHOULD send these updated requests only if it can process the due to an internal event or if the state is changed by the PDP. If
unsolicited decision containing the frwkIfRoleCombo PRIs the role-combination updates were sent by the PDP, the PEP SHOULD
successfully and it MUST do so after sending the success report for send these updated requests only if it can process the unsolicited
the unsolicited decision. If the PEP failed to process the decision decision containing the frwkIfRoleCombo PRIs successfully and it
(i.e., the frwkIfRoleCombo PRIs) it MUST only send a failure report MUST do so after sending the success report for the unsolicited
to the PDP. decision. If the PEP failed to process the decision (i.e., the
frwkIfRoleCombo PRIs) it MUST only send a failure report to the PDP.
On the other hand, the PDP must not expect to receive the updated On the other hand, the PDP must not expect to receive the updated
requests with the revised role-combination information until after requests with the revised role-combination information until after
it receives a success report for these updates from the PEP. If the it receives a success report for these updates from the PEP. If the
PDP does not receive updated requests on some request handles, the PDP does not receive updated requests on some request handles, the
PEP must not be sent decision updates for that frwkIfRoleCombo PEP must not be sent decision updates for that frwkIfRoleCombo
updates, i.e., the PDP must have the previous request state that it updates, i.e., the PDP must have the previous request state that it
maintained for that request handle. maintained for that request handle.
Note that, any unsolicited decisions received by the PEP in the time Note that, any unsolicited decisions received by the PEP in the time
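Review bot: The 'full state' text added to 2.2 sets a weaker requirement than 2.3.1 for the same event. It says previous PRIs "should be discarded when a 'full state' request is received", whereas 2.3.1 says the PDP "must clear the request information it maintains for this request handle". Change 2.2 to "must" so that a PDP cannot keep stale PRIs next to what the PEP has declared to be its complete state. The added sentences also use lowercase "must" and "should" while the rest of the section uses SHOULD and MUST; pick one convention. Replacing ifCapSetName with "capability set name" leaves unnamed the frwkIfRoleComboTable attribute that has to be set to a zero length string; name the attribute.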
skipping to change at page 6, line 54 skipping to change at page 7, line 4
sending policies if applicable or null decisions. The PEP must sending policies if applicable or null decisions. The PEP must
respond to these solicited decisions with solicited reports to respond to these solicited decisions with solicited reports to
complete the transaction. complete the transaction.
2.3. Updating a Request State 2.3. Updating a Request State
This section describes the messages exchanged between the PEP and This section describes the messages exchanged between the PEP and
PDP when the PEP is updating a previously sent request for a PDP when the PEP is updating a previously sent request for a
particular COPS handle. Note that a PEP can incrementally update a particular COPS handle. Note that a PEP can incrementally update a
request only if the frwkPibIncarnationFullState attribute is shown request only if the frwkPibIncarnationFullState attribute is shown
Framework Policy Information Base May 30, 2002
to be supported via the supported PRC table. If this attribute is to be supported via the supported PRC table. If this attribute is
not supported the PDP must treat all PEP requests as the full not supported the PDP must treat all PEP requests as the full
request state. request state.
2.3.1 Full Request State 2.3.1 Full Request State
Framework Policy Information Base January 2002
When the PEP wants to send the entire request state to the PDP (for When the PEP wants to send the entire request state to the PDP (for
example, in response to a Synchronize State Request from the PDP), example, in response to a Synchronize State Request from the PDP),
the PEP MUST send the incarnation instance with the the PEP MUST send the incarnation instance with the
frwkPibIncarnationFullState attribute set to TRUE. frwkPibIncarnationFullState attribute set to 'true'.
A PDP that receives an incarnation instance in the request message A PDP that receives an incarnation instance in the request message
with this attribute set to TRUE, must clear the request information with this attribute set to 'true', must clear the request
it maintains for this request handle and re-install the information information it maintains for this request handle and re-install the
received. information received.
If this attribute is set to FALSE or if the incarnation instance is If this attribute is set to 'false' or if the incarnation instance
missing in the request message, the request must be interpreted as is missing in the request message, the request must be interpreted
an incremental update to the previous request message. as an incremental update to the previous request message.
2.3.2 Installing PRIs in a Request 2.3.2 Installing PRIs in a Request
If the PEP wants to install additional PRIs for a request handle, If the PEP wants to install additional PRIs for a request handle,
the PEP MUST ensure that frwkPibIncarnationFullState attribute is the PEP MUST ensure that frwkPibIncarnationFullState attribute is
set to FALSE and the PEP MUST use new (unused in this context) set to 'false' and the PEP MUST use new (unused in this context)
InstanceIds [SPPI] for these PRIs. InstanceIds [SPPI] for these PRIs.
When a PDP receives instances with new InstanceIds for a request When a PDP receives instances with new InstanceIds for a request
with the frwkPibIncarnationFullState in the incarnation instance set with the frwkPibIncarnationFullState in the incarnation instance set
to FALSE or if the request has no incarnation information, it must to 'false' or if the request has no incarnation information, it must
interpret these PRIs as an incremental update to the request state interpret these PRIs as an incremental update to the request state
and add them to the request state it maintains for this handle. and add them to the request state it maintains for this handle.
2.3.3 Updating PRIs in a Request 2.3.3 Updating PRIs in a Request
If the PEP wants to update previously installed PRIs for a request If the PEP wants to update previously installed PRIs for a request
handle, the PEP MUST ensure that frwkPibIncarnationFullState handle, the PEP MUST ensure that frwkPibIncarnationFullState
attribute is set to FALSE for these PRIs. Note that the PEP must attribute is set to 'false' for these PRIs. Note that the PEP must
send the same InstanceIds for the PRIs being updated. If the PEP send the same InstanceIds for the PRIs being updated. If the PEP
uses new InstanceIds, the PDP must interpret them as Install's uses new InstanceIds, the PDP must interpret them as Install's
for this request state. for this request state.
When a PDP receives a request with instances having InstanceIds that When a PDP receives a request with instances having InstanceIds that
exist in its state for that handle with the exist in its state for that handle with the
frwkPibIncarnationFullState in the incarnation instance set to FALSE frwkPibIncarnationFullState in the incarnation instance set to
or if the request has no incarnation information, it must interpret 'false' or if the request has no incarnation information, it must
these PRIs as an update to the PRIs in the request state it interpret these PRIs as an update to the PRIs in the request state
maintains for this handle. it maintains for this handle.
2.3.4 Removing PRIs from a Request 2.3.4 Removing PRIs from a Request
If the PEP wants to remove previously installed PRIs for a request If the PEP wants to remove previously installed PRIs for a request
handle, the PEP MUST ensure that frwkPibIncarnationFullState handle, the PEP MUST ensure that frwkPibIncarnationFullState
attribute is set to FALSE and MUST send the PRI bindings with the attribute is set to 'false' and MUST send the PRI bindings with the
Framework Policy Information Base May 30, 2002
PRID set to the InstanceId of the PRI to be removed and the length PRID set to the InstanceId of the PRI to be removed and the length
field in the EPD object header set to the header length only, field in the EPD object header set to the header length only,
effectively setting the data length to zero. effectively setting the data length to zero.
Framework Policy Information Base January 2002
Note that the PEP must send the same InstanceIds for the PRIs being Note that the PEP must send the same InstanceIds for the PRIs being
removed. If the PEP sends new InstanceIds and the length field in removed. If the PEP sends new InstanceIds and the length field in
the EPD object header is set to the header length only (implying the the EPD object header is set to the header length only (implying the
data length is zero), the PEP is attempting to remove an data length is zero), the PEP is attempting to remove an
unknown/non-existent PRI. This SHOULD result in the PDP sending unknown/non-existent PRI. This SHOULD result in the PDP sending
error PRIs in the solicited decision (see section 2.3.6 for a error PRIs in the solicited decision (see section 2.3.6 for a
description of the frwkErrorTable). description of the frwkErrorTable).
If the PEP sends new InstanceIds and the length field in the EPD If the PEP sends new InstanceIds and the length field in the EPD
object header is greater than the header length only (implying the object header is greater than the header length only (implying the
EPD object has some attributes encoded in it), the PDP will EPD object has some attributes encoded in it), the PDP will
interpret this as an install of the PRI if it can decode the EPD interpret this as an install of the PRI if it can decode the EPD
successfully. successfully.
When a PDP receives a request with instances having InstanceIds that When a PDP receives a request with instances having InstanceIds that
exist in its state for that handle with the exist in its state for that handle with the
frwkPibIncarnationFullState in the incarnation instance set to FALSE frwkPibIncarnationFullState in the incarnation instance set to
or if the request has no incarnation information, and the length 'false' or if the request has no incarnation information, and the
field in the EPD object header is set to the header length only length field in the EPD object header is set to the header length
(implying the data length is zero), it must remove these PRIs from only (implying the data length is zero), it must remove these PRIs
the request state it maintains for this handle. from the request state it maintains for this handle.
2.3.5 Removing EXTENDED, AUGMENTED PRIs 2.3.5 Removing EXTENDED, AUGMENTED PRIs
The PEP should remove the extended/augmented PRIs when it removes The PEP should remove the extended/augmented PRIs when it removes
the base PRIs in the same COPS message. See [SPPI] for description the base PRIs in the same COPS message. See [SPPI] for description
of EXTENDED/AUGMENTED PRCs. A PDP that receives removes for a base of EXTENDED/AUGMENTED PRCs. A PDP that receives removes for a base
PRI must implicitly remove the extensions. PRI must implicitly remove the extensions.
2.3.6 Error Handling in Request updates 2.3.6 Error Handling in Request updates
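Review bot: Sections 2.3 and 2.3.1 give conflicting handling for a request that carries no incarnation instance, and the revision leaves this unresolved. Section 2.3 says that when frwkPibIncarnationFullState is not supported "the PDP must treat all PEP requests as the full request state", while 2.3.1 says that if "the incarnation instance is missing in the request message" the request must be interpreted as an incremental update. State which rule takes precedence. Also say what the PDP does when the first request on a handle, which 2.2 requires to be a 'full state' request, arrives without the instance. Otherwise two implementations can end up holding different request state for the same message sequence.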
skipping to change at page 8, line 56 skipping to change at page 9, line 4
the InstanceId of the error-causing PRI. The PEP may then examine the InstanceId of the error-causing PRI. The PEP may then examine
these error PRIs and resend the modified request. Note that, until these error PRIs and resend the modified request. Note that, until
the PEP resends the request updates/removes it will have the PEP resends the request updates/removes it will have
configuration information for the last successful request state it configuration information for the last successful request state it
sent to the PDP. sent to the PDP.
2.4. Multiple PIB Instances 2.4. Multiple PIB Instances
[COPS-PR] supports multiple, disjoint, independent instances of the [COPS-PR] supports multiple, disjoint, independent instances of the
PIB to represent multiple instances of configured policy. The PIB to represent multiple instances of configured policy. The
Framework Policy Information Base May 30, 2002
intent is to allow for the pre-provisioning of policy that can then intent is to allow for the pre-provisioning of policy that can then
be made active by a single, short decision from the PDP. be made active by a single, short decision from the PDP.
Framework Policy Information Base January 2002
A COPS context can be defined as an independent COPS request state A COPS context can be defined as an independent COPS request state
for a particular subject category (client-type). for a particular subject category (client-type). A context may be an
outsourcing context or a configuration context. A configuration
context is an instance of the PIB triggered and controlled by the
PDP, which contains device setup information. This device
configuration information dictates the device behavior as specified
by the PDP. An outsourcing context on the other hand is a PIB
instance that is triggered from the PEP side and is a request to the
PDP for action. The action requested will be interpreted in the
domain of the client-type. Configuration contexts belong to a set of
configuration contexts for a specific client type - out of which one
configuration context may be active. However, multiple outsourcing
contexts can be active simultaneously.
With the COPS-PR protocol, each of these states is identified by a With the COPS-PR protocol, each of these states is identified by a
unique client handle. The creation and deletion of these PIB unique client handle. The creation and deletion of these PIB
instances can be controlled by the PDP as described in [COPS-PR] or instances can be controlled by the PDP as described in [COPS-PR] or
can be triggered by an event by the PEP. A PEP must open at least can be triggered by an event by the PEP. A PEP must open at least
one "request-state" for configuration for a given subject-category one "request-state" for configuration for a given subject-category
(client type). Additional "request-states" at the PEP may be (client type). Additional "request-states" at the PEP may be
initiated by the PDP or asynchronously generated by the PEP for initiated by the PDP or asynchronously generated by the PEP for
outsourcing due to local events, which will be fully specified by outsourcing due to local events, which will be fully specified by
the PRID/EPD data carried in the request. the PRID/EPD data carried in the request.
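Review bot: The paragraph added to 2.4 in -08 defines a context three different ways: first as "an independent COPS request state", then (configuration context) as "an instance of the PIB", then (outsourcing context) as "a PIB instance that is triggered from the PEP side and is a request to the PDP for action". A context cannot be both stored state and a request message. Suggest defining it once, as a request state identified by a client handle and holding one PIB instance, and describing the outsourcing case as a context the PEP opens in order to request a decision. The same paragraph says one configuration context "may be active" while the text later in this section says "at the most one"; use "at most one" here as well, and settle on one spelling of "client-type" / "client type".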
skipping to change at page 9, line 35 skipping to change at page 9, line 49
set to 'true' belong to this set. Contexts that do not belong to set to 'true' belong to this set. Contexts that do not belong to
this set have the frwkPibIncarnationInCtxtSet set to 'false' and this set have the frwkPibIncarnationInCtxtSet set to 'false' and
belong to the set of 'outsourcing contexts'. Note that a PEP can belong to the set of 'outsourcing contexts'. Note that a PEP can
have these two sets of contexts only if the have these two sets of contexts only if the
frwkPibIncarnationInCtxtSet attribute is shown to be supported via frwkPibIncarnationInCtxtSet attribute is shown to be supported via
the supported PRC table. If the frwkPibIncarnationInCtxtSet is not the supported PRC table. If the frwkPibIncarnationInCtxtSet is not
supported a PEP must treat all contexts as belonging to the set of supported a PEP must treat all contexts as belonging to the set of
'configuration contexts' i.e., at the most one context can be active 'configuration contexts' i.e., at the most one context can be active
at any given time. at any given time.
Note that in the event that a PEP has an interface capability change Note that in the event that a PEP has an capability change such as a
such as a card hot swap or any other change in its notify card hot swap or any other change in its notify information that may
information that may warrant a policy refresh, a subsequent complete warrant a policy refresh, a subsequent complete or incremental
or incremental request must be issued to the PDP containing the request must be issued to the PDP containing the new/updated
new/updated capabilities for all the configuration contexts. A capabilities for all the configuration contexts. A request for re-
request for re-configuration is issued for all request state configuration is issued for all request state configuration
configuration contexts, both for the active configuration context as contexts, both for the active configuration context as well as any
well as any inactive configuration contexts. This is to ensure that inactive configuration contexts. This is to ensure that when an
when an inactive configuration context is activated, it has been inactive configuration context is activated, it has been pre-
pre-configured with policies compatible with the PEP's current configured with policies compatible with the PEP's current
capabilities. capabilities.
Framework Policy Information Base May 30, 2002
Although many PIB instances may be configured on a device (the Although many PIB instances may be configured on a device (the
maximum number of these instances being determined by the device maximum number of these instances being determined by the device
itself) only one of the contexts from the 'configuration contexts' itself) only one of the contexts from the 'configuration contexts'
set can be active at any given time, the active one being selected set can be active at any given time, the active one being selected
by the PDP. The Framework PIB supports the attribute by the PDP. The Framework PIB supports the attribute
frwkPibIncarnationActive in the frwkPibIncarnationTable to allow the frwkPibIncarnationActive in the frwkPibIncarnationTable to allow the
PDP to denote the PIB instance as being active in a COPS decision PDP to denote the PIB instance as being active in a COPS decision
message, and similarly, to report the active state (active or not) message, and similarly, to report the active state (active or not)
of the PIB instance to the PDP in a COPS request message. of the PIB instance to the PDP in a COPS request message.
When the PEP installs an attribute frwkPibIncarnationActive that is When the PEP installs an attribute frwkPibIncarnationActive that is
'true' in one PIB instance which belongs to the 'configuration 'true' in one PIB instance which belongs to the 'configuration
contexts' set, the PEP must ensure, re-setting the attribute if contexts' set, the PEP must ensure, re-setting the attribute if
Framework Policy Information Base January 2002
necessary, that the frwkPibIncarnationActive attribute is 'false' necessary, that the frwkPibIncarnationActive attribute is 'false'
in all other installed contexts that belong to this set. To switch in all other installed contexts that belong to this set. To switch
contexts, the PDP should set the frwkPibIncarnationActive attribute contexts, the PDP should set the frwkPibIncarnationActive attribute
to 'true' in the context it wants to make the active context. The to 'true' in the context it wants to make the active context. The
PDP should set this attribute in a context to 'false' only if it PDP should set this attribute in a context to 'false' only if it
wants to send an inactive context to the PEP or deactivate the wants to send an inactive context to the PEP or deactivate the
active context on the PEP. If an active context is made inactive active context on the PEP. If an active context is made inactive
without activating another context, the PEP must not have any without activating another context, the PEP must not have any
policies enforced from any configuration contexts installed. policies enforced from any configuration contexts installed.
2.5. Reporting and Configuring of Device Capabilities 2.5. Reporting and Configuring of Device Capabilities
Each network device providing policy-based services has its own Each network device providing policy-based services has its own
inherent capabilities. These capabilities can be hardware specific, inherent capabilities. These capabilities can be hardware specific,
e.g., an Ethernet interface supporting input classification, or can e.g., an Ethernet interface supporting input classification, or can
be statically configured, e.g., supported queuing disciplines. be statically configured, e.g., supported queuing disciplines.
These capabilities are organized into Interface Capability Sets, These capabilities are organized into Capability Sets, with each
with each Capability Set given a unique name (ifCapSetName) and Capability Set given a unique name (frwkCapabilitySetName) and
associated with a set of Role Combinations. Each Role Combination associated with a set of Role Combinations. Each Role Combination
may in that way be associated with a set of interfaces. . These may in that way be associated with a set of interfaces. These
capabilities are communicated to the PDP when policy is requested by capabilities are communicated to the PDP when policy is requested by
the PEP. Knowing device capabilities, the PDP can send the the PEP. Knowing device capabilities, the PDP can send the PRIs
provisioning instances (PRIs) relevant to the specific device, relevant to the specific device, rather than sending the entire PIB.
rather than sending the entire PIB.
Specific capability PRCs may be defined in other PIBs. These Specific capability PRCs may be defined in other PIBs. These
capability instances are grouped via the frwkIfCapSetTable. If the capability instances are grouped via the frwkCapabilitySetTable. If
PEP wishes to send capability information to the PDP, the PIB must the PEP wishes to send capability information to the PDP, the PIB
indicate which capabilities the PEP may send to the PDP by means of must indicate which capabilities the PEP may send to the PDP by
the 'notify' PIB-ACCESS clause as described in [SPPI]. If a PIB does means of the 'notify' PIB-ACCESS clause as described in [SPPI]. If a
not have any capabilities to communicate to the PDP, it must not PIB does not have any capabilities to communicate to the PDP, it
send any instances for the frwkIfCapSetTable. If in this case the must not send any instances for the frwkCapabilitySetTable. If in
frwkIfRoleCombo table is used to communicate role combinations this case the frwkIfRoleCombo table is used to communicate role
assigned to interfaces (via IfIndex), the ifCapSetName attribute in combinations assigned to interfaces (via IfIndex), the
the frwkIfRoleComboTable instances must be set to a zero length frwkRoleComboCapSetName attribute in the frwkIfRoleComboTable
string. instances must be set to a zero length string.
2.6. Reporting of Device Limitations 2.6. Reporting of Device Limitations
To facilitate efficient policy installation, it is important to To facilitate efficient policy installation, it is important to
understand a device's limitations in relation to the advertised understand a device's limitations in relation to the advertised
device capabilities. Limitations may be class-based, e.g., an device capabilities. Limitations may be class-based, e.g., an
Framework Policy Information Base May 30, 2002
"install" class is supported as a "notify" or only a limited number "install" class is supported as a "notify" or only a limited number
of class instances may be created, or attribute-based. Attribute of class instances may be created, or attribute-based. Attribute
limitations, such as supporting a restricted set of enumerations or limitations, such as supporting a restricted set of enumerations or
requiring related attributes to have certain values, detail requiring related attributes to have certain values, detail
implementation limitations at a fine level of granularity. implementation limitations at a fine level of granularity.
A PDP can avoid certain installation issues in a proactive fashion A PDP can avoid certain installation issues in a proactive fashion
by taking into account a device's limitations prior to policy by taking into account a device's limitations prior to policy
installation rather than in a reactive mode during installation. As installation rather than in a reactive mode during installation. As
with device capabilities, device limitations are communicated to the with device capabilities, device limitations are communicated to the
PDP when policy is requested. PDP when policy is requested.
Framework Policy Information Base January 2002
Reported device limitations may be accompanied by guidance values Reported device limitations may be accompanied by guidance values
that can be used by a PDP to determine acceptable values for the that can be used by a PDP to determine acceptable values for the
identified attributes. identified attributes.
Framework Policy Information Base May 30, 2002
3. The Framework TC PIB module 3. The Framework TC PIB module
FRAMEWORK-TC-PIB PIB-DEFINITIONS ::= BEGIN FRAMEWORK-TC-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS MODULE-IDENTITY, TEXTUAL-CONVENTION, pib FROM COPS-PR-SPPI; IMPORTS MODULE-IDENTITY, TEXTUAL-CONVENTION, pib FROM COPS-PR-SPPI;
frwkTcPib MODULE-IDENTITY frwkTcPib MODULE-IDENTITY
SUBJECT-CATEGORIES { all } SUBJECT-CATEGORIES { all }
LAST-UPDATED "200111130400Z" LAST-UPDATED "200205300000Z"
ORGANIZATION "IETF RAP WG" ORGANIZATION "IETF RAP WG"
CONTACT-INFO "Keith McCloghrie CONTACT-INFO "Keith McCloghrie
Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive, 170 West Tasman Drive,
San Jose, CA 95134-1706 USA San Jose, CA 95134-1706 USA
Phone: +1 408 526 5260 Phone: +1 408 526 5260
Email: kzm@cisco.com Email: kzm@cisco.com
John Seligson John Seligson
Nortel Networks, Inc. Nortel Networks, Inc.
4401 Great America Parkway 4401 Great America Parkway
Santa Clara, CA 95054 USA Santa Clara, CA 95054 USA
Phone: +1 408 495 2992 Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com" Email: jseligso@nortelnetworks.com
Ravi Sahita
Intel Labs.
2111 NE 25th Ave.
Hillsboro, OR 97124 USA
Phone: +1 503 712 1554
Email: ravi.sahita@intel.com
RAP WG Mailing list: rap@ops.ietf.org "
DESCRIPTION DESCRIPTION
"The PIB module containing the Role and "The PIB module containing the Role and RoleCombination
RoleCombination Textual Conventions and other Textual Conventions and other generic TCs."
generic TCs." REVISION "200205300000Z"
DESCRIPTION
"Initial version, published in RFC xxxx."
-- xxxx to be assigned by IANA
::= { pib tbd } -- tbd to be assigned by IANA ::= { pib tbd } -- tbd to be assigned by IANA
Role ::= TEXTUAL-CONVENTION Role ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A role represents a functionality characteristic or "A role represents a functionality characteristic or
capability of a resource to which policies are applied. capability of a resource to which policies are applied.
Examples of roles include Backbone interface, Examples of roles include Backbone_interface,
Frame_Relay_interface, BGP-capable-router, web-server, Frame_Relay_interface, BGP-capable-router, web-server,
firewall, etc. firewall, etc.
Valid characters are a-z, A-Z, 0-9, period, hyphen and The only valid character set is US-ASCII. Valid characters
underscore. A role must not start with an underscore." are a-z, A-Z, 0-9, period, hyphen and underscore. A role
SYNTAX OCTET STRING (SIZE (1..31)) must always start with a letter (a-z or A-Z). A role must
not contain the US-ASCII characters '*' or '+' since they
RoleCombination ::= TEXTUAL-CONVENTION Framework Policy Information Base May 30, 2002
Framework Policy Information Base January 2002 have special meaning associated with them, explained in the
RoleCombination TEXTUAL CONVENTION."
SYNTAX OCTET STRING (SIZE (1..31))
RoleCombination ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A Display string consisting of a set of roles concatenated "An octet string containing concatenated Roles. For the
with a '+' character where the roles are in lexicographic format specification of roles, refer to the 'Role' TEXTUAL-
order from minimum to maximum. CONVENTION. A valid Role Combination must be formed by a set
For example, a+b and b+a are NOT different of valid Roles, concatenated by the US-ASCII character '+',
where tThe roles are in lexicographic order from minimum to
maximum. For example, 'a+b' and 'b+a' are NOT different
role-combinations; rather, they are different formatting of role-combinations; rather, they are different formatting of
the same (one) role-combination. the same (one) role-combination.
Notice the roles within a role-combination are in Notice the roles within a role-combination are in
Lexicographic order from minimum to maximum, hence, we Lexicographic order from minimum to maximum, hence, we
declare: declare:
a+b is the valid formatting of the role-combination, 'a+b' is the valid formatting of the role-combination,
b+a is an invalid formatting of the role-combination. 'b+a' is an invalid formatting of the role-combination.
Notice the need of zero-length role-combination as the role- Notice the need of zero-length role-combination as the role-
combination of interfaces to which no roles have been combination of interfaces to which no roles have been
assigned. This role-combination is also known as the null assigned. This role-combination is also known as the 'null'
role-combination. (Note the deliberate use of lower case role-combination. (Note the deliberate use of lower case
letters to avoid confusion with the ASCII NULL character letters to avoid confusion with the US-ASCII NULL character
which has a value of zero but length of one.)" which has a value of zero but length of one.)
The US-ASCII character '*' is used to specify a wild carded
Role Combination. '*' must not be used to wildcard Roles.
Hence, we declare:
'*+a+b' is a valid wild carded Role Combination.
'eth*+a+b' is not a valid wild carded Role Combination.
Note that since Roles are lexicographically listed in a Role
Combination, the following is an invalid role combination,
since '*' is lexicographically before 'a': 'a+b+*'."
SYNTAX OCTET STRING (SIZE (0..255)) SYNTAX OCTET STRING (SIZE (0..255))
PrcIdentifier ::= TEXTUAL-CONVENTION PrcIdentifierOid ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An OID that identifies a PRC. The value MUST be an OID "An OID that identifies a PRC. The value MUST be an OID
assigned to a PRC's row definition. An attribute with this assigned to a PRC's entry definition. The Entry definition
syntax can have the value 0.0 (zeroDotZero) to indicate that of a PRC has an OID value XxxTable.1 where XxxTable is the
it currently does not identify a PRC." OID assigned to the PRC table object.
An attribute with this syntax MUST specify a PRC, which is
defined in the PIB module(s) registered in the context of
the client-type used.
An attribute with this syntax cannot have the value 0.0
(zeroDotZero). If the attribute using this syntax can be set
Framework Policy Information Base May 30, 2002
to 0.0 use the PrcIdentifierOidOrZero TEXTUAL-CONVENTION
which makes such use explicit."
SYNTAX OBJECT IDENTIFIER
PrcIdentifierOidOrZero ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An OID that identifies a PRC or zeroDotZero (0.0). The
value MUST be an OID assigned to a PRC's entry definition or
0.0 (zeroDotZero). The Entry definition of a PRC has an OID
value XxxTable.1 where XxxTable is the OID assigned to the
PRC table object.
An attribute with this syntax can have the value 0.0
(zeroDotZero) to indicate that it currently does not
identify a PRC."
SYNTAX OBJECT IDENTIFIER SYNTAX OBJECT IDENTIFIER
AttrIdentifier ::= TEXTUAL-CONVENTION AttrIdentifier ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A Unsigned32 value that identifies an attribute in a PRC. "A Unsigned32 value that identifies an attribute in a PRC by
its sub-id. The sub-id is the OID assigned to this attribute
in the PRC definition.
A AttrIdentifier value is always interpreted within the A AttrIdentifier value is always interpreted within the
context of a PrcIdentifier value. The PrcIdentifier object context of an attribute of type PrcIdentifierOid or
which defines the context must be registered immediately PrcIdentifierOidOrZero. The PrcIdentifierOid (or
before the object which uses the AttrIdentifier textual PrcIdentifierOidOrZero) object which defines the context
convention. must be registered immediately before the object which uses
the AttrIdentifier textual convention. If the context
defining attribute is of type PrcIdentifierOidOrZero and has
the value 0.0, then in that case this attribute value has no
meaning.
An attribute with this syntax can have the value 0 to An attribute with this syntax MUST specify a sub-id which
MUST be defined in the PRC identified (if any) in the
PrcIdentifierOid (or PrcIdentifierOidOrZero) attribute. The
PrcIdentifierOid (orZero) and the AttrIdentifier attributes
together identify a particular attribute in a particular
PRC.
An attribute with this syntax cannot have the value 0
(zero). If the attribute using this syntax can be set
to 0 use the AttrIdentifierOrZero TEXTUAL-CONVENTION which
makes that explicit."
SYNTAX Unsigned32 (1..4294967295)
AttrIdentifierOrZero ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A Unsigned32 value that identifies an attribute in a PRC by
its sub-id or has the value 0 (zero). The sub-id if non-
zero, is the OID assigned to this attribute in the PRC
Framework Policy Information Base May 30, 2002
definition.
An AttrIdentifierOrZero value is always interpreted within
the context of an attribute of type PrcIdentifierOid or
PrcIdentifierOidOrZero. The PrcIdentifierOid (or
PrcIdentifierOidOrZero) object that defines the context must
be registered immediately before the object which uses the
AttrIdentifierOrZero textual convention. If the context
defining attribute is of type PrcIdentifierOidOrZero and has
the value 0.0, then in that case this attribute value has no
meaning.
An attribute with this syntax can have the value 0 (zero) to
indicate that it currently does not identify a PRC indicate that it currently does not identify a PRC
attribute." attribute. If it has a non-zero value, the
PrcIdentifierOid (orZero) and the AttrIdentifierOrZero
attributes together identify a particular attribute in a
particular PRC."
SYNTAX Unsigned32 SYNTAX Unsigned32
AttrIdentifierOid ::= TEXTUAL-CONVENTION AttrIdentifierOid ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An OID that identifies an attribute in a PRC. The value "An OID that identifies an attribute in a PRC. The value
MUST be an OID assigned to a PRC's attribute definition. The MUST be an OID assigned to a PRC's attribute definition. The
last sub-id is the sub-id of the attribute as it is
defined in the PRC entry definition. The prefix OID (after
dropping the last sub-id) is the OID assigned to the Entry
1.0 object of a defined PRC. The Entry definition
of a PRC has
an OID value XxxTable.1 where XxxTable is the OID assigned
to the PRC Table object.
Framework Policy Information Base January 2002 An attribute with this syntax MUST not have the value 0.0
(zeroDotZero). If 0.0 is a valid value, the TEXTUAL
CONVENTION AttrIdentifierOidOrZero must be used which makes
such use explicit."
SYNTAX OBJECT IDENTIFIER
last sub-id is the position of the attribute as it is AttrIdentifierOidOrZero ::= TEXTUAL-CONVENTION
defined in the PRC entry definition. The prefix OID (after STATUS current
dropping the last sub-id) is the OID assigned to a defined DESCRIPTION
PRC. An attribute with this syntax can have the value 0.0 "An OID that identifies an attribute in a PRC or has a value
0.0 (zeroDotZero). The value MUST be an OID assigned to a
PRC's attribute definition or the value 0.0.
If not 0.0, the last sub-id MUST be the sub-id of the
attribute as it is defined in the PRC Entry object
definition. The prefix OID (after dropping the last sub-id)
is the OID assigned to the Entry object of a defined PRC.
The Entry definition of a PRC has an OID value XxxTable.1
Where, XxxTable is the OID assigned to the PRC Table
object.
Framework Policy Information Base May 30, 2002
An attribute with this syntax can have the value 0.0
(zeroDotZero) to indicate that it currently does not (zeroDotZero) to indicate that it currently does not
identify a PRC's attribute." identify a PRC's attribute."
SYNTAX OBJECT IDENTIFIER SYNTAX OBJECT IDENTIFIER
ClientType ::= TEXTUAL-CONVENTION ClientType ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An Unsigned32 value that identifies a COPS Client-type "An Unsigned32 value that identifies a COPS Client-type. An
[COPS]. An attribute with this syntax must be set to zero if attribute with this syntax must be set to zero if it does
it does not specify a COPS client-type." not specify a COPS client-type for the PRI."
REFERENCE "[COPS]."
SYNTAX Unsigned32 (0..65535) SYNTAX Unsigned32 (0..65535)
ClientHandle ::= TEXTUAL-CONVENTION ClientHandle ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string that identifies a COPS Client handle "An octet string that identifies a COPS Client handle. A
[COPS]." zero length value implies the attribute does not specify a
valid client handle."
REFERENCE "[COPS]."
SYNTAX OCTET STRING (SIZE(0..65535)) SYNTAX OCTET STRING (SIZE(0..65535))
END END
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
4. Summary of the Framework PIB 4. Summary of the Framework PIB
The Framework PIB comprises of three groups: The Framework PIB defines four groups of PRCs:
4.1. Base PIB classes Group 4.1. Base PIB classes Group
This contains PRCs intended to describe the PRCs supported This contains PRCs intended to describe the PRCs supported
by the PEP, PRC and/or attribute limitations and its current by the PEP, PRC and/or attribute limitations and its current
configuration. configuration.
PRC Support Table PRC Support Table
As the technology evolves, we expect devices to be enhanced As the technology evolves, we expect devices to be enhanced
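Review bot: The RoleCombination DESCRIPTION in -08 requires roles "in lexicographic order from minimum to maximum" and relies on '*' sorting before 'a', but never says which ordering is meant. Under US-ASCII octet comparison Frame_Relay_interface sorts before firewall, while a case-insensitive comparison puts firewall first. Because only one formatting of a combination is valid, a PEP and a PDP that compare differently will reject or fail to match each other's role combinations. Suggest stating that roles are compared octet by octet by US-ASCII value, and saying explicitly that '*' may appear only as the first element. Smaller points in the new column: "has an capability change" (2.4), "where tThe roles" (RoleCombination), "the Entry 1.0 object" (AttrIdentifierOid, where the "1.0" looks like leftover editing), and "MUST not" in AttrIdentifierOid should read "MUST NOT".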
skipping to change at page 14, line 43 skipping to change at page 17, line 43
CATEGORY number assigned for the area of policy being managed CATEGORY number assigned for the area of policy being managed
(e.g. QoS, Security etc). (e.g. QoS, Security etc).
The PEP MUST ignore the attributes that it reports as not The PEP MUST ignore the attributes that it reports as not
Supported in the decision from the PDP. The PEP SHOULD not send Supported in the decision from the PDP. The PEP SHOULD not send
duplicate PRC support instances in a COPS Request and the PDP duplicate PRC support instances in a COPS Request and the PDP
MUST ignore duplicate instances and MUST use the first instance MUST ignore duplicate instances and MUST use the first instance
received for a supported PRC in a COPS Request. received for a supported PRC in a COPS Request.
PIB Incarnation Table PIB Incarnation Table
This table contains exactly one row (corresponding to one PRI) This PRC contains exactly one row (corresponding to one PRI)
per context. It identifies the PDP that was the last to per context. It identifies the PDP that was the last to
download policy into the device and also contains an identifier download policy into the device and also contains an identifier
to identify the version of the policy currently downloaded. to identify the version of the policy currently downloaded.
This identifier, both its syntax and value, is meaningful only This identifier, both its syntax and value, is meaningful only
to the PDPs. It is intended to be a mechanism whereby a PDP, to the PDPs. It is intended to be a mechanism whereby a PDP,
on connecting to a PEP, can easily identify a known incarnation when accepting a connection from a PEP, can easily identify a
of policy. This PRC defines a flag via which the installed known incarnation of policy. This PRC defines a flag via which
contexts are divided into a set of contexts out of which only the installed contexts are divided into a set of contexts
one context is active ('configuration contexts') and a set of ('configuration contexts') out of which only one context is
'outsourcing contexts'. The incarnation PRC also active and a the remaining contexts form a set of 'outsourcing
defines an attribute to indicate which context is the contexts' which are all active. The incarnation PRC also
active one at the present time in the 'configuration contexts' defines an attribute to indicate which configuration context is
set. The incarnation instance is specific to the particular the active one at the present time in the 'configuration
Subject Category (Client-Type). contexts' set. The incarnation instance is specific to the
particular Subject Category (Client-Type).
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
Component Limitations Table Component Limitations Table
Some devices may not be able to implement the full range of Some devices may not be able to implement the full range of
values for all attributes. In principle, each PRC supports a values for all attributes. In principle, each PRC supports a
set of errors that the PEP can report to the PDP in the event set of errors that the PEP can report to the PDP in the event
that the specified policy is not implementable. It may be that the specified policy is not implementable. It may be
preferable for the PDP to be informed of the device limitations preferable for the PDP to be informed of the device limitations
before actually attempting to install policy, and while the before actually attempting to install policy, and while the
error can indicate that a particular attribute value is error can indicate that a particular attribute value is
unacceptable to the PEP, this does not help the PDP ascertain unacceptable to the PEP, this does not help the PDP ascertain
which values would be acceptable. To alleviate these which values would be acceptable. To alleviate these
limitations, the PEP can report some limitations of attribute limitations, the PEP can report some limitations of attribute
values and/or classes and possibly guidance values for the values and/or classes and possibly guidance values for the
attribute in the Component Limitations Table attribute in the Component Limitations Table
Device Identification Table Device Identification Table
This class contains a single provisioning instance that This PRC contains a single PRI that contains device-specific
contains device-specific information that is used to facilitate information that is used to facilitate efficient policy
efficient policy installation by a PDP. The instance of this installation by a PDP. The instance of this PRC is reported
class is reported to the PDP in a COPS request message so that to the PDP in a COPS request message so that the PDP can take
the PDP can take into account certain device characteristics into account certain device characteristics during policy
during policy installation. installation.
4.2. Device Capabilities group 4.2. Device Capabilities group
This group contains the PRCs that describe the characteristics of This group contains the PRCs that describe the characteristics of
interfaces of the device and the Role Combinations assigned to interfaces of the device and the Role Combinations assigned to
them. them.
Interface Capabilities Set Table Capabilities Set Table
The interfaces the PEP supports are described by rows in The capabilities the PEP supports are described by rows in
this table (frwkIfCapSetTable). Each row, or instance of this this PRC (frwkCapabilitySetTable). Each row, or instance of
class, associates a unique interface name with a set of this class, associates a unique capability name with a set of
capabilities that the interface supports. The unique name is capabilities that an entity on the PEP may support. The unique
used to form a set of capabilities that the name represents. name is used to form a set of capabilities that the name
The capability references can specify instances in relevant represents. The capability references can specify instances in
capability tables in any PIB. The PEP notifies the PDP of these relevant capability tables in any PIB. The PEP notifies the PDP
interface names and capabilities and then the PDP configures of these capability sets and then the PDP configures
the interfaces, per role combination. The unique name the interfaces, per role combination. The unique name
(IfCapSetName) is not to be confused with the IfType object in (frwkCapabilitySetName) is not to be confused with the IfType
MIB-II [STD17]. object in the Interfaces Group MIB [RFC2863].
Interface and Role Combination Table Interface and Role Combination Table
The Interface Capabilities Set Table (explained above) The Capabilities Set Table (explained above) describes the
describes the interfaces the PEP supports by their entities on the PEP (for example, interfaces) by their
capabilities, by assigning the capability sets a unique name capabilities, by assigning the capability sets a unique name
(ifCapSetName). It is possible to tailor the behavior of (frwkCapabilitySetName). It is possible to tailor the behavior
interfaces by assigning specific role-combinations to the of interfaces by assigning specific role-combinations to the
capability sets. This allows interfaces with the same capability sets. This allows interfaces with the same
capability sets to be assigned different policies, based on the capability sets to be assigned different policies, based on the
current roles assigned to them. At the PDP, configuration is
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
current roles assigned to them. At the PDP, configuration is
done in terms of these interface capability set names and the done in terms of these interface capability set names and the
role-combinations assigned to them. Thus, each row of this role-combinations assigned to them. Thus, each row of this
class is a <Interface Index, interface capability set name, class is a <Interface Index, interface capability set name,
Role Combo> tuple, that indicates the roles that have been Role Combo> tuple, that indicates the roles that have been
assigned to a particular capability set (as identified by assigned to a particular capability set (as identified by
IfCapSetName) and to a particular ifCapSetName. Note that the frwkRoleComboCapSetName) and to a particular interface. Note
uniqueness criteria for this table has all the attributes, thus that the uniqueness criteria for this PRC has all the
a ifCapSetName may have multiple role-combinations that it is attributes, thus a frwkRoleComboCapSetName may have
associated with. Via the IfIndex, this table answers the multiple role-combinations that it is associated with. Via the
questions of śwhich interfaces have a specific role IfIndex, this PRC answers the questions of 'which interfaces
combination?∆ and śwhat role combination a specific interface have a specific role combination?' and 'what role combination a
is a part of?∆. specific interface is a part of?'.
4.3. Classifier group 4.3. Classifier group
This group contains the IP, IEEE 802 and Internal Label This group contains the IP, IEEE 802 and Internal Label
Classifier elements. The set of tables consist of a Base Filter Classifier elements. The set of tables consist of a Base Filter
table that contains the Index InstanceId and the Negation flag table that contains the Index InstanceId and the Negation flag
for the filter. This frwkBaseFilterTable is extended to form the for the filter. This frwkBaseFilterTable is extended to form the
IP Filter table, the 802 Filter table [802] and the Internal IP Filter table, the 802 Filter table [802] and the Internal
Label table. Filters may also be defined outside this document Label table. Filters may also be defined outside this document
and used to extend the Base Filter table. and used to extend the Base Filter table.
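Review bot: In the Interface and Role Combination Table paragraph, the -08 column still says "interface capability set names" and "<Interface Index, interface capability set name, Role Combo>", although this revision renames the table to frwkCapabilitySetTable and redefines a capability set as belonging to "an entity on the PEP". Suggest "capability set name" in both places so the tuple matches frwkRoleComboCapSetName, and state whether "the PDP configures the interfaces, per role combination" is meant as one example of an entity or as a remaining interface-only restriction. The sentence "the uniqueness criteria for this PRC has all the attributes" would read better as "the uniqueness criteria for this PRC include all the attributes".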
skipping to change at page 17, line 5 skipping to change at page 20, line 5
This group contains the 802 marker and internal label marker This group contains the 802 marker and internal label marker
PRCs. The 802 marker may be applied to mark 802 packets with the PRCs. The 802 marker may be applied to mark 802 packets with the
required VLAN Id and/or priority value. The Internal Label marker required VLAN Id and/or priority value. The Internal Label marker
is applied to traffic in order to label it with a network device is applied to traffic in order to label it with a network device
specific label. Such a label is used to assist the specific label. Such a label is used to assist the
differentiation of an input flow after it has been aggregated differentiation of an input flow after it has been aggregated
with other flows. The label is implementation specific and may with other flows. The label is implementation specific and may
be used for other policy related functions like flow accounting be used for other policy related functions like flow accounting
purposes and/or other data path treatments. purposes and/or other data path treatments.
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
5. The Framework PIB Module 5. The Framework PIB Module
FRAMEWORK-PIB PIB-DEFINITIONS ::= BEGIN FRAMEWORK-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
Unsigned32, Integer32, MODULE-IDENTITY, Unsigned32, Integer32, MODULE-IDENTITY,
MODULE-COMPLIANCE, OBJECT-TYPE, OBJECT-GROUP, pib MODULE-COMPLIANCE, OBJECT-TYPE, OBJECT-GROUP, pib
FROM COPS-PR-SPPI FROM COPS-PR-SPPI
InstanceId, Prid InstanceId, Prid
FROM COPS-PR-SPPI-TC FROM COPS-PR-SPPI-TC
RoleCombination, PrcIdentifier, AttrIdentifier, RoleCombination, PrcIdentifierOid, AttrIdentifier,
ClientType, ClientHandle ClientType, ClientHandle
FROM FRAMEWORK-TC-PIB FROM FRAMEWORK-TC-PIB
InetAddress, InetAddressType, InetAddress, InetAddressType,
InetAddressPrefixLength, InetPortNumber InetAddressPrefixLength, InetPortNumber
FROM INET-ADDRESS-MIB FROM INET-ADDRESS-MIB
InterfaceIndex InterfaceIndex
FROM IF-MIB FROM IF-MIB
DscpOrAny DscpOrAny
FROM DIFFSERV-DSCP-TC FROM DIFFSERV-DSCP-TC
TruthValue, PhysAddress TruthValue, PhysAddress
FROM SNMPv2-TC FROM SNMPv2-TC
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB; FROM SNMP-FRAMEWORK-MIB;
frameworkPib MODULE-IDENTITY frameworkPib MODULE-IDENTITY
SUBJECT-CATEGORIES { all } SUBJECT-CATEGORIES { all }
LAST-UPDATED "200201280400Z" LAST-UPDATED "200205300000Z"
ORGANIZATION "IETF RAP WG" ORGANIZATION "IETF RAP WG"
CONTACT-INFO " CONTACT-INFO "
Michael Fine Michael Fine
Cisco Systems, Inc. Atheros Communications
170 West Tasman Drive 529 Almanor Ave
San Jose, CA 95134-1706 USA Sunnyvale, CA 94085 USA
Phone: +1 408 527 8218 Phone: +1 408 773 5324
Email: mfine@cisco.com Email: mfine@atheros.com
Keith McCloghrie Keith McCloghrie
Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive, 170 West Tasman Drive,
San Jose, CA 95134-1706 USA San Jose, CA 95134-1706 USA
Phone: +1 408 526 5260 Phone: +1 408 526 5260
Email: kzm@cisco.com Email: kzm@cisco.com
John Seligson John Seligson
Nortel Networks, Inc. Nortel Networks, Inc.
4401 Great America Parkway 4401 Great America Parkway
Santa Clara, CA 95054 USA Santa Clara, CA 95054 USA
Phone: +1 408 495 2992 Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com" Email: jseligso@nortelnetworks.com
DESCRIPTION Ravi Sahita
"A PIB module containing the base set of provisioning Intel Labs.
2111 NE 25th Ave.
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
classes that are required for support of policies for Hillsboro, OR 97124 USA
all subject-categories." Phone: +1 503 712 1554
Email: ravi.sahita@intel.com
RAP WG Mailing list: rap@ops.ietf.org"
DESCRIPTION
"A PIB module containing the base set of PRCs that
provide support for management of multiple PIB contexts,
association of roles to device capabilities and other
reusable PRCs. PEPs are required for to implement this
PIB if the above features are desired. This PIB defines
PRCs applicable to 'all' subject-categories."
REVISION "200205300000Z"
DESCRIPTION
"Initial version, published in RFC xxxx."
-- xxxx to be assigned by IANA
::= { pib tbd } -- tbd to be assigned by IANA ::= { pib tbd } -- tbd to be assigned by IANA
-- --
-- The root OID for PRCs in the Framework PIB -- The root OID for PRCs in the Framework PIB
-- --
frwkBasePibClasses frwkBasePibClasses
OBJECT IDENTIFIER ::= { frameworkPib 1 } OBJECT IDENTIFIER ::= { frameworkPib 1 }
-- --
-- Textual Conventions
--
--
-- PRC Support Table -- PRC Support Table
-- --
frwkPrcSupportTable OBJECT-TYPE frwkPrcSupportTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkPrcSupportEntry SYNTAX SEQUENCE OF FrwkPrcSupportEntry
PIB-ACCESS notify PIB-ACCESS notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Each instance of this class specifies a PRC that the device "Each instance of this PRC specifies a PRC that the device
supports and a bit string to indicate the attributes of the supports and a bit string to indicate the attributes of the
class that are supported. These PRIs are sent to the PDP to class that are supported. These PRIs are sent to the PDP to
indicate to the PDP which PRCs, and which attributes of indicate to the PDP which PRCs, and which attributes of
these PRCs, the device supports. This table can also be these PRCs, the device supports.
downloaded by a network manager when static configuration is
used.
All install and install-notify PRCs supported by the device All install and install-notify PRCs supported by the device
must be represented in this table. Notify PRCs may be must be represented in this PRC. Notify PRCs may be
represented for informational purposes." represented for informational purposes."
::= { frwkBasePibClasses 1 } ::= { frwkBasePibClasses 1 }
frwkPrcSupportEntry OBJECT-TYPE frwkPrcSupportEntry OBJECT-TYPE
SYNTAX FrwkPrcSupportEntry SYNTAX FrwkPrcSupportEntry
STATUS current STATUS current
Framework Policy Information Base May 30, 2002
DESCRIPTION DESCRIPTION
"An instance of the frwkPrcSupport class that identifies a "An instance of the frwkPrcSupport class that identifies a
specific PRC and associated attributes as supported specific PRC and associated attributes as supported
by the device." by the device."
PIB-INDEX { frwkPrcSupportPrid } PIB-INDEX { frwkPrcSupportPrid }
UNIQUENESS { frwkPrcSupportSupportedPrc } UNIQUENESS { frwkPrcSupportSupportedPrc }
::= { frwkPrcSupportTable 1 } ::= { frwkPrcSupportTable 1 }
Framework Policy Information Base January 2002
FrwkPrcSupportEntry ::= SEQUENCE { FrwkPrcSupportEntry ::= SEQUENCE {
frwkPrcSupportPrid InstanceId, frwkPrcSupportPrid InstanceId,
frwkPrcSupportSupportedPrc PrcIdentifier, frwkPrcSupportSupportedPrc PrcIdentifierOid,
frwkPrcSupportSupportedAttrs OCTET STRING frwkPrcSupportSupportedAttrs OCTET STRING
} }
frwkPrcSupportPrid OBJECT-TYPE frwkPrcSupportPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies an "An arbitrary integer index that uniquely identifies an
instance of the frwkPrcSupport class." instance of the frwkPrcSupport class."
::= { frwkPrcSupportEntry 1 } ::= { frwkPrcSupportEntry 1 }
frwkPrcSupportSupportedPrc OBJECT-TYPE frwkPrcSupportSupportedPrc OBJECT-TYPE
SYNTAX PrcIdentifier SYNTAX PrcIdentifierOid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The object identifier of a supported PRC. The value is the "The object identifier of a supported PRC. The value is the
OID of the table entry. There may not be more than one OID of the Entry object of the PRC definition. The Entry
instance of the frwkPrcSupport class with the same value of Object definition of a PRC has an OID with value XxxTable.1
Where, XxxTable is the OID assigned to the PRC Table
Object definition. There may not be more than one instance
of the frwkPrcSupport class with the same value of
frwkPrcSupportSupportedPrc." frwkPrcSupportSupportedPrc."
::= { frwkPrcSupportEntry 2 } ::= { frwkPrcSupportEntry 2 }
frwkPrcSupportSupportedAttrs OBJECT-TYPE frwkPrcSupportSupportedAttrs OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A bit string representing the supported attributes of the "A bit string representing the supported attributes of the
class that is identified by the frwkPrcSupportSupportedPrc class that is identified by the frwkPrcSupportSupportedPrc
object. object.
Each bit of this bit string corresponds to a class Each bit of this bit string corresponds to a class
attribute, with the most significant bit of the i-th octet attribute, with the most significant bit of the i-th octet
of this octet string corresponding to the (8*i - 7)-th of this octet string corresponding to the (8*i - 7)-th
attribute, and the least significant bit of the i-th octet attribute, and the least significant bit of the i-th octet
Framework Policy Information Base May 30, 2002
corresponding to the (8*i)-th class attribute. Each bit corresponding to the (8*i)-th class attribute. Each bit
specifies whether or not the corresponding class attribute specifies whether or not the corresponding class attribute
is currently supported, with a '1' indicating support and a is currently supported, with a '1' indicating support and a
'0' indicating no support. If the value of this bit string '0' indicating no support.
is N bits long and there are more than N class attributes
then the bit string is logically extended with 0's to the
required length."
::= { frwkPrcSupportEntry 3 } If the value of this bit string is N bits long and there are
more than N class attributes then the bit string is
logically extended with 0's to the required length.
On the other hand, If the PDP receives a bit string of
length N and there are less that N class attributes then the
PDP should ignore the extra bits in the bit string, i.e.,
assume those attributes are unsupported."
REFERENCE
"[COPS-PR] Section 2.2.1."
Framework Policy Information Base January 2002 ::= { frwkPrcSupportEntry 3 }
-- --
-- PIB Incarnation Table -- PIB Incarnation Table
-- --
frwkPibIncarnationTable OBJECT-TYPE frwkPibIncarnationTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkPibIncarnationEntry SYNTAX SEQUENCE OF FrwkPibIncarnationEntry
PIB-ACCESS install-notify PIB-ACCESS install-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This class contains a single provisioning instance per "This PRC contains a single PRovisioning Instance per
installed context that identifies the current incarnation installed context that identifies the current incarnation
of the PIB and the PDP or network manager that installed of the PIB and the PDP or network manager that installed
this incarnation. The instance of this class is reported to this incarnation. The instance of this PRC is reported to
the PDP in the REQ message so that the PDP can (attempt to) the PDP in the REQ message so that the PDP can (attempt to)
ascertain the current state of the PIB. A network manager ascertain the current state of the PIB. A network manager
may use the instance to determine the state of the device." may use the instance to determine the state of the device."
::= { frwkBasePibClasses 2 } ::= { frwkBasePibClasses 2 }
frwkPibIncarnationEntry OBJECT-TYPE frwkPibIncarnationEntry OBJECT-TYPE
SYNTAX FrwkPibIncarnationEntry SYNTAX FrwkPibIncarnationEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of the frwkPibIncarnation class. Only "An instance of the frwkPibIncarnation class. Only
one instance of this provisioning class is ever one instance of this PRC is ever instantiated per context"
instantiated per context"
PIB-INDEX { frwkPibIncarnationPrid } PIB-INDEX { frwkPibIncarnationPrid }
::= { frwkPibIncarnationTable 1 } ::= { frwkPibIncarnationTable 1 }
FrwkPibIncarnationEntry ::= SEQUENCE { FrwkPibIncarnationEntry ::= SEQUENCE {
frwkPibIncarnationPrid InstanceId, frwkPibIncarnationPrid InstanceId,
frwkPibIncarnationName SnmpAdminString, frwkPibIncarnationName SnmpAdminString,
frwkPibIncarnationId OCTET STRING, frwkPibIncarnationId OCTET STRING,
frwkPibIncarnationLongevity Unsigned32, frwkPibIncarnationLongevity INTEGER,
Framework Policy Information Base May 30, 2002
frwkPibIncarnationTtl Unsigned32, frwkPibIncarnationTtl Unsigned32,
frwkPibIncarnationInCtxtSet TruthValue, frwkPibIncarnationInCtxtSet TruthValue,
frwkPibIncarnationActive TruthValue, frwkPibIncarnationActive TruthValue,
frwkPibIncarnationFullState TruthValue frwkPibIncarnationFullState TruthValue
} }
frwkPibIncarnationPrid OBJECT-TYPE frwkPibIncarnationPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An index to uniquely identify an instance of this "An index to uniquely identify an instance of this PRC."
provisioning class."
::= { frwkPibIncarnationEntry 1 } ::= { frwkPibIncarnationEntry 1 }
Framework Policy Information Base January 2002
frwkPibIncarnationName OBJECT-TYPE frwkPibIncarnationName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString (SIZE (0..255))
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The name of the PDP that installed the current incarnation "The name of the PDP that installed the current incarnation
of the PIB into the device. By default, it is the zero of the PIB into the device. By default, it is the zero
length string." length string."
::= { frwkPibIncarnationEntry 2 } ::= { frwkPibIncarnationEntry 2 }
frwkPibIncarnationId OBJECT-TYPE frwkPibIncarnationId OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING (SIZE (0..255))
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An ID to identify the current incarnation. It has meaning "An ID to identify the current incarnation. It has meaning
to the PDP/manager that installed the PIB and perhaps its to the PDP/manager that installed the PIB and perhaps its
standby PDPs/managers. By default, it is the zero-length standby PDPs/managers. By default, it is the zero-length
string." string."
::= { frwkPibIncarnationEntry 3 } ::= { frwkPibIncarnationEntry 3 }
frwkPibIncarnationLongevity OBJECT-TYPE frwkPibIncarnationLongevity OBJECT-TYPE
SYNTAX Unsigned32 { SYNTAX INTEGER {
expireNever(1), expireNever(1),
expireImmediate(2), expireImmediate(2),
expireOnTimeout(3) expireOnTimeout(3)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute controls what the PEP does with the "This attribute controls what the PEP does with the
downloaded policy on a Client Close message or a loss of downloaded policy on a Client Close message or a loss of
connection to the PDP. connection to the PDP.
If set to expireNever, the PEP continues to operate with the If set to expireNever, the PEP continues to operate with the
installed policy indefinitely. If set to expireImmediate, installed policy indefinitely. If set to expireImmediate,
the PEP immediately expires the policy obtained from the PDP the PEP immediately expires the policy obtained from the PDP
and installs policy from local configuration. If set to and installs policy from local configuration. If set to
expireOnTimeout, the PEP continues to operate with the expireOnTimeout, the PEP continues to operate with the
policy installed by the PDP for a period of time specified policy installed by the PDP for a period of time specified
Framework Policy Information Base May 30, 2002
by frwkPibIncarnationTtl. After this time (and it has not by frwkPibIncarnationTtl. After this time (and it has not
reconnected to the original or new PDP) the PEP expires this reconnected to the original or new PDP) the PEP expires this
policy and reverts to local configuration. policy and reverts to local configuration.
For all cases, it is the responsibility of the PDP to check For all cases, it is the responsibility of the PDP to check
the incarnation and download new policy, if necessary, on a the incarnation and download new policy, if necessary, on a
reconnect. On receiving a Remove-State [COPS-PR] for the reconnect. On receiving a Remove-State for the active
active context, this attribute value MUST be ignored and the context, this attribute value MUST be ignored and the PEP
PEP should expire the policy in that active context should expire the policy in that active context immediately.
immediately.
Policy enforcement timing only applies to policies that have Policy enforcement timing only applies to policies that have
been installed dynamically (e.g., by a PDP via COPS)." been installed dynamically (e.g., by a PDP via COPS)."
REFERENCE
"COPS Usage for Policy Provisioning. [COPS-PR]."
::= { frwkPibIncarnationEntry 4 } ::= { frwkPibIncarnationEntry 4 }
Framework Policy Information Base January 2002
frwkPibIncarnationTtl OBJECT-TYPE frwkPibIncarnationTtl OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
UNITS "seconds" UNITS "seconds"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of seconds after a Client Close or TCP timeout "The number of seconds after a Client Close or TCP timeout
for which the PEP continues to enforce the policy in the for which the PEP continues to enforce the policy in the
PIB. After this interval, the PIB is considered expired and PIB. After this interval, the PIB is considered expired and
the device no longer enforces the policy installed in the the device no longer enforces the policy installed in the
PIB. PIB.
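Review bot: frwkPrcSupportSupportedAttrs remains an unbounded OCTET STRING, while this revision adds SIZE (0..255) to frwkPibIncarnationName and frwkPibIncarnationId. The PDP parses this PEP-supplied bit string, and the new paragraph already tells it to ignore surplus bits, so a SIZE clause here would make the accepted length explicit instead of leaving it to each PDP implementation. In the same new paragraph, "On the other hand, If" and "less that N" should be "if" and "fewer than N", and the lowercase "should ignore" needs to say whether a normative SHOULD is intended. In the module DESCRIPTION, "PEPs are required for to implement this PIB" has a stray "for". The comment "-- xxxx to be assigned by IANA" under REVISION is inaccurate, because RFC numbers are assigned by the RFC Editor.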
skipping to change at page 22, line 30 skipping to change at page 25, line 46
::= { frwkPibIncarnationEntry 5 } ::= { frwkPibIncarnationEntry 5 }
frwkPibIncarnationInCtxtSet OBJECT-TYPE frwkPibIncarnationInCtxtSet OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When the PDP installs a PRI with this flag set to 'true' it "When the PDP installs a PRI with this flag set to 'true' it
implies this context belongs to the set of contexts out of implies this context belongs to the set of contexts out of
which at the most one context can be active at a given time. which at the most one context can be active at a given time.
If this attribute is set to false this context is one of the If this attribute is set to 'false' this context is one of
outsourcing (simultaneous active) contexts on the PEP." the outsourcing (simultaneous active) contexts on the PEP.
This attribute is 'true' for all contexts belong to the set
of configuration contexts. Within the configuration context
set, one context can be active identified by the
frwkPibIncarnationActive attribute."
REFERENCE
"TruthValue TC [SNMPv2TC]."
::= { frwkPibIncarnationEntry 6 } ::= { frwkPibIncarnationEntry 6 }
frwkPibIncarnationActive OBJECT-TYPE frwkPibIncarnationActive OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
Framework Policy Information Base May 30, 2002
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"When the PDP installs a PRI on the PEP with this attribute "When the PDP installs a PRI on the PEP with this attribute
set to 'true', then the PIB instance to which this PRI set to 'true' and if this context belongs to the
belongs must become the active PIB instance if this context 'configuration contexts' set, i.e., the
belongs to the 'configuration contexts' set. In this case, frwkPibIncarnationInCtxtSet is set to 'true', then the PIB
the previous active instance from this set MUST become instance to which this PRI belongs must become the active
inactive and the frwkPibIncarnationActive attribute in that PIB instance. In this case, the previous active instance
PIB instance MUST be set to 'false'. from this set MUST become inactive and the
frwkPibIncarnationActive attribute in that PIB instance MUST
be set to 'false'.
When the PDP installs an attribute frwkPibIncarnationActive When the PDP installs an attribute frwkPibIncarnationActive
on the PEP that is 'true' in one PIB instance and if the on the PEP that is 'true' in one PIB instance and if the
context belongs to the 'configuration contexts' set, the PEP context belongs to the 'configuration contexts' set, the PEP
must ensure, re-setting the attribute if necessary, that the must ensure, re-setting the attribute if necessary, that the
frwkPibIncarnationActive attribute is 'false' in all other frwkPibIncarnationActive attribute is 'false' in all other
contexts which belong to the 'configuration contexts' set." contexts which belong to the 'configuration contexts' set."
::= { frwkPibIncarnationEntry 7 } ::= { frwkPibIncarnationEntry 7 }
Framework Policy Information Base January 2002
frwkPibIncarnationFullState OBJECT-TYPE frwkPibIncarnationFullState OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute is interpreted only when sent in a COPS "This attribute is interpreted only when sent in a COPS
request message from the PEP to the PDP. It does not have request message from the PEP to the PDP. It does not have
any meaning when sent from the PDP to the PDP. any meaning when sent from the PDP to the PEP.
If this attribute is set to TRUE by the PEP, then the If this attribute is set to 'true' by the PEP, then the
request that the PEP sends to the PDP must be interpreted as request that the PEP sends to the PDP must be interpreted as
the complete configuration request for the PEP. The PDP must the complete configuration request for the PEP. The PDP must
in this case refresh the request information for that in this case refresh the request information for the
handle. If this attribute is set to FALSE, then the request handle that the request containing this PRI was received on.
PRIs sent in the request must be interpreted as updates to If this attribute is set to 'false', then the
the previous request PRIs sent for that handle. See section request PRIs sent in the request must be interpreted as
3.3 for details on updating request state information." updates to the previous request PRIs sent using that handle.
See section 3.3 for details on updating request state
information."
REFERENCE
"RFC xxxx Section 2.3"
::= { frwkPibIncarnationEntry 8 } ::= { frwkPibIncarnationEntry 8 }
-- --
-- Device Identification Table -- Device Identification Table
-- --
-- This table supports the ability to export general
-- purpose device information to facilitate efficient
-- communication between the device and a PDP
frwkDeviceIdTable OBJECT-TYPE frwkDeviceIdTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkDeviceIdEntry SYNTAX SEQUENCE OF FrwkDeviceIdEntry
PIB-ACCESS notify PIB-ACCESS notify
STATUS current STATUS current
Framework Policy Information Base May 30, 2002
DESCRIPTION DESCRIPTION
"This class contains a single provisioning instance that "This PRC contains a single PRovisioning Instance that
contains device-specific information that is used to contains general purpose device-specific information that is
facilitate efficient policy installation by a PDP. The used to facilitate efficient policy communication by a PDP.
instance of this class is reported to the PDP in a COPS The instance of this PRC is reported to the PDP in a COPS
request message so that the PDP can take into account request message so that the PDP can take into account
certain device characteristics during policy installation." certain device characteristics during policy installation."
::= { frwkBasePibClasses 3 } ::= { frwkBasePibClasses 3 }
frwkDeviceIdEntry OBJECT-TYPE frwkDeviceIdEntry OBJECT-TYPE
SYNTAX FrwkDeviceIdEntry SYNTAX FrwkDeviceIdEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of the frwkDeviceId class. Only one instance of "An instance of the frwkDeviceId class. Only one instance of
this provisioning class is ever instantiated." this PRC is ever instantiated."
PIB-INDEX { frwkDeviceIdPrid } PIB-INDEX { frwkDeviceIdPrid }
::= { frwkDeviceIdTable 1 } ::= { frwkDeviceIdTable 1 }
Framework Policy Information Base January 2002
FrwkDeviceIdEntry ::= SEQUENCE { FrwkDeviceIdEntry ::= SEQUENCE {
frwkDeviceIdPrid InstanceId, frwkDeviceIdPrid InstanceId,
frwkDeviceIdDescr SnmpAdminString, frwkDeviceIdDescr SnmpAdminString,
frwkDeviceIdMaxMsg Unsigned32, frwkDeviceIdMaxMsg Unsigned32,
frwkDeviceIdMaxContexts Unsigned32 frwkDeviceIdMaxContexts Unsigned32
} }
frwkDeviceIdPrid OBJECT-TYPE frwkDeviceIdPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An index to uniquely identify an instance of this "An index to uniquely identify an instance of this PRC."
provisioning class."
::= { frwkDeviceIdEntry 1 } ::= { frwkDeviceIdEntry 1 }
frwkDeviceIdDescr OBJECT-TYPE frwkDeviceIdDescr OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString (SIZE (1..255))
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A textual description of the PEP. This value should include "A textual description of the PEP. This value should include
the name and version identification of the PEP's hardware the name and version identification of the PEP's hardware
and software." and software."
::= { frwkDeviceIdEntry 2 } ::= { frwkDeviceIdEntry 2 }
frwkDeviceIdMaxMsg OBJECT-TYPE frwkDeviceIdMaxMsg OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32 (64..4294967295)
UNITS "octets" UNITS "octets"
Framework Policy Information Base May 30, 2002
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The maximum message size, in octets, that the device "The maximum COPS-PR message size, in octets, that the
is capable of processing. Received messages with a device is capable of processing. Received messages with a
size in excess of this value must cause the PEP to return an size in excess of this value must cause the PEP to return an
error to the PDP containing the global error code error to the PDP containing the global error code
'maxMsgSizeExceeded'. This is an additional error-avoidance 'maxMsgSizeExceeded'. This is an additional error-avoidance
mechanism to allow the administrator to have the ability to mechanism to allow the administrator to know the maximum
control the message size of messages sent to the device. The message size supported so that they have the ability to
device should send the MAX value for Unsigned32 for control the message size of messages sent to the device.
this attribute if it not defined." This attribute must have a non-zero value. The device should
send the MAX value for Unsigned32 for this attribute if it
not defined."
DEFVAL { 4294967295 }
::= { frwkDeviceIdEntry 3 } ::= { frwkDeviceIdEntry 3 }
frwkDeviceIdMaxContexts OBJECT-TYPE frwkDeviceIdMaxContexts OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32 (1..4294967295)
UNITS "contexts" UNITS "contexts"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Framework Policy Information Base January 2002
"The maximum number of unique contexts supported by "The maximum number of unique contexts supported by
the device. This is an additional error-avoidance mechanism the device. This is an additional error-avoidance mechanism
to allow the administrators to have the ability to control to allow the administrators to have the ability to know the
the number of contexts installed on the device. The maximum number of contexts supported so that they can
device should send the MAX value for Unsigned32 for control the number of configuration contexts they install on
this attribute if it not defined." the device. This attribute must have a non-zero value. The
device should send the MAX value for Unsigned32 for this
attribute if it not defined."
DEFVAL { 4294967295 }
::= { frwkDeviceIdEntry 4 } ::= { frwkDeviceIdEntry 4 }
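Review bot: In frwkDeviceIdMaxMsg the new SYNTAX is "Unsigned32 (64..4294967295)", but the added description sentence only says "This attribute must have a non-zero value", which understates the constraint. The text should state the 64-octet minimum that the range enforces, or the sentence should be dropped since the SYNTAX already carries it. For frwkDeviceIdMaxContexts the range (1..4294967295) and the "non-zero" wording agree. Both descriptions keep "if it not defined" from -07, which is missing "is". With DEFVAL { 4294967295 } now added, it would help to say that the default means "no limit advertised", so that a PDP does not treat it as a real capacity figure. Earlier in this hunk, frwkPibIncarnationFullState says "See section 3.3" in the description but adds REFERENCE "RFC xxxx Section 2.3"; the two section numbers should be checked and made to agree.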
-- --
-- Component Limitations Table -- Component Limitations Table
-- --
-- This table supports the ability to export information
-- detailing provisioning class/attribute implementation limitations
-- to the policy management system. Instances of this PRC apply only
-- for PRCs with access type 'install' or 'install-notify'.
frwkCompLimitsTable OBJECT-TYPE frwkCompLimitsTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkCompLimitsEntry SYNTAX SEQUENCE OF FrwkCompLimitsEntry
PIB-ACCESS notify PIB-ACCESS notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Each instance of this class identifies a provisioning class "This PRC supports the ability to export information
detailing PRC/attribute implementation limitations to the
policy management system. Instances of this PRC apply only
for PRCs with access type 'install' or 'install-notify'.
Each instance of this PRC identifies a PRovisioning Class
or attribute and a limitation related to the implementation or attribute and a limitation related to the implementation
of the class/attribute in the device. Additional information of the class/attribute in the device. Additional information
providing guidance related to the limitation may also be providing guidance related to the limitation may also be
Framework Policy Information Base May 30, 2002
present. These PRIs are sent to the PDP to indicate which present. These PRIs are sent to the PDP to indicate which
PRCs or PRC attributes the device supports in a restricted PRCs or PRC attributes the device supports in a restricted
manner." manner."
::= { frwkBasePibClasses 4 } ::= { frwkBasePibClasses 4 }
frwkCompLimitsEntry OBJECT-TYPE frwkCompLimitsEntry OBJECT-TYPE
SYNTAX FrwkCompLimitsEntry SYNTAX FrwkCompLimitsEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of the frwkCompLimits class that identifies "An instance of the frwkCompLimits class that identifies
a PRC or PRC attribute and a limitation related to the PRC a PRC or PRC attribute and a limitation related to the PRC
or PRC attribute implementation supported by the device. or PRC attribute implementation supported by the device.
[COPS-PR] lists the error codes that MUST be returned (if COPS-PR lists the error codes that MUST be returned (if
applicable)for policy installation that don't abide by the applicable)for policy installation that don't abide by the
restrictions indicated by the limitations exported. [SPPI] restrictions indicated by the limitations exported. [SPPI]
defines an INSTALL-ERRORS clause that allows PIB designers defines an INSTALL-ERRORS clause that allows PIB designers
to define PRC specific error codes that can be returned for to define PRC specific error codes that can be returned for
policy installation. This allows efficient debugging of PIB policy installation. This allows efficient debugging of PIB
implementations." implementations."
REFERENCE
"COPS Usage for Policy Provisioning. [COPS-PR]."
PIB-INDEX { frwkCompLimitsPrid } PIB-INDEX { frwkCompLimitsPrid }
UNIQUENESS { frwkCompLimitsComponent, UNIQUENESS { frwkCompLimitsComponent,
frwkCompLimitsAttrPos, frwkCompLimitsAttrPos,
frwkCompLimitsNegation, frwkCompLimitsNegation,
frwkCompLimitsType, frwkCompLimitsType,
Framework Policy Information Base January 2002
frwkCompLimitsSubType, frwkCompLimitsSubType,
frwkCompLimitsGuidance } frwkCompLimitsGuidance }
::= { frwkCompLimitsTable 1 } ::= { frwkCompLimitsTable 1 }
FrwkCompLimitsEntry ::= SEQUENCE { FrwkCompLimitsEntry ::= SEQUENCE {
frwkCompLimitsPrid InstanceId, frwkCompLimitsPrid InstanceId,
frwkCompLimitsComponent PrcIdentifier, frwkCompLimitsComponent PrcIdentifierOid,
frwkCompLimitsAttrPos AttrIdentifier, frwkCompLimitsAttrPos AttrIdentifier,
frwkCompLimitsNegation TruthValue, frwkCompLimitsNegation TruthValue,
frwkCompLimitsType Unsigned32, frwkCompLimitsType INTEGER,
frwkCompLimitsSubType Unsigned32, frwkCompLimitsSubType INTEGER,
frwkCompLimitsGuidance OCTET STRING frwkCompLimitsGuidance OCTET STRING
} }
frwkCompLimitsPrid OBJECT-TYPE frwkCompLimitsPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies an "An arbitrary integer index that uniquely identifies an
instance of the frwkCompLimits class." instance of the frwkCompLimits class."
::= { frwkCompLimitsEntry 1 } ::= { frwkCompLimitsEntry 1 }
frwkCompLimitsComponent OBJECT-TYPE frwkCompLimitsComponent OBJECT-TYPE
SYNTAX PrcIdentifier
Framework Policy Information Base May 30, 2002
SYNTAX PrcIdentifierOid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value is the OID of a PRC (the table entry) which is "The value is the OID of a PRC (the table entry) which is
supported in some limited fashion or contains an attribute supported in some limited fashion or contains an attribute
that is supported in some limited fashion with regard to that is supported in some limited fashion with regard to
it's definition in the associated PIB module. The same OID it's definition in the associated PIB module. The same OID
may appear in the table several times, once for each may appear in the table several times, once for each
implementation limitation acknowledged by the device." implementation limitation acknowledged by the device."
::= { frwkCompLimitsEntry 2 } ::= { frwkCompLimitsEntry 2 }
frwkCompLimitsAttrPos OBJECT-TYPE frwkCompLimitsAttrPos OBJECT-TYPE
SYNTAX AttrIdentifier SYNTAX AttrIdentifier
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The relative position of the attribute within the PRC "The relative position of the attribute within the PRC
specified by the frwkCompLimitsComponent. A value of 1 would specified by the frwkCompLimitsComponent. A value of 1 would
represent the first columnar object in the PRC and a value represent the first columnar object in the PRC and a value
of N would represent the Nth columnar object in the PRC. A of N would represent the Nth columnar object in the PRC. A
NULL value indicates that the limit applies to the PRC value of zero (0) indicates that the limit applies to the
itself and not to a specific attribute." PRC itself and not to a specific attribute."
::= { frwkCompLimitsEntry 3 } ::= { frwkCompLimitsEntry 3 }
Framework Policy Information Base January 2002
frwkCompLimitsNegation OBJECT-TYPE frwkCompLimitsNegation OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A boolean value ,if TRUE, negates the component limit "A boolean value ,if 'true', negates the component limit
exported." exported."
::= { frwkCompLimitsEntry 4 } ::= { frwkCompLimitsEntry 4 }
frwkCompLimitsType OBJECT-TYPE frwkCompLimitsType OBJECT-TYPE
SYNTAX Unsigned32 { SYNTAX INTEGER {
priSpaceLimited(1), priSpaceLimited(1),
attrValueSupLimited(2), attrValueSupLimited(2),
attrEnumSupLimited(3), attrEnumSupLimited(3),
attrLengthLimited(4), attrLengthLimited(4),
prcLimitedNotify(5) prcLimitedNotify(5)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A value describing an implementation limitation for the "A value describing an implementation limitation for the
device related to the PRC or PRC attribute identified by device related to the PRC or PRC attribute identified by
the frwkCompLimitsComponent and the frwkCompLimitsAttrPos the frwkCompLimitsComponent and the frwkCompLimitsAttrPos
attributes in this class instance. attributes.
Values for this object are one of the following: Values for this object are one of the following:
Framework Policy Information Base May 30, 2002
priSpaceLimited(1) - No more instances than that specified priSpaceLimited(1) - No more instances than that specified
by the guidance value may be installed in the given class. by the guidance value may be installed in the given class.
The component identified MUST be a valid PRC. The SubType The component identified MUST be a valid PRC. The SubType
used MUST be valueOnly(9). used MUST be valueOnly(9).
attrValueSupLimited(2) - Limited values are acceptable for attrValueSupLimited(2) - Limited values are acceptable for
the identified component. The component identified MUST be a the identified component. The component identified MUST be a
valid PRC attribute. The guidance OCTET STRING will be valid PRC attribute. The guidance OCTET STRING will be
decoded according to the attribute type. decoded according to the attribute type.
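Review bot: The frwkCompLimitsNegation description was touched only to change TRUE to 'true' and still does not define what a negated limit means; "A boolean value ,if 'true', negates the component limit exported." leaves a PDP unable to tell how negation applies to sub-types such as rangeMin(4) and rangeMax(5) that are exported as separate instances. Define the semantics per sub-type, or state that negation applies to the pair as a whole. In frwkCompLimitsEntry, the -08 side removes the brackets from COPS-PR and adds a REFERENCE clause for it, but "[SPPI]" in the same DESCRIPTION is still a bracketed citation with no REFERENCE entry; cite both the same way. While these lines are open, fix "applicable)for" and "it's definition".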
skipping to change at page 28, line 5 skipping to change at page 31, line 32
value for the identified component is limited. The component value for the identified component is limited. The component
identified MUST be a valid PRC attribute of base-type OCTET identified MUST be a valid PRC attribute of base-type OCTET
STRING. STRING.
prcLimitedNotify (5) - The component is currently limited prcLimitedNotify (5) - The component is currently limited
for use by request or report messages prohibiting decision for use by request or report messages prohibiting decision
installation. The component identified must be a valid PRC." installation. The component identified must be a valid PRC."
::= { frwkCompLimitsEntry 5 } ::= { frwkCompLimitsEntry 5 }
Framework Policy Information Base January 2002
frwkCompLimitsSubType OBJECT-TYPE frwkCompLimitsSubType OBJECT-TYPE
SYNTAX Unsigned32 { SYNTAX INTEGER {
none(1), none(1),
lengthMin(2), lengthMin(2),
lengthMax(3), lengthMax(3),
rangeMin(4), rangeMin(4),
rangeMax(5), rangeMax(5),
enumMin(6), enumMin(6),
enumMax(7), enumMax(7),
enumOnly(8), enumOnly(8),
valueOnly(9), valueOnly(9),
bitMask(10) bitMask(10)
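Review bot: The prcLimitedNotify (5) entry ends with a lower-case requirement, "The component identified must be a valid PRC.", while the entry just above it in the same DESCRIPTION says the component "MUST be a valid PRC attribute of base-type OCTET STRING". Use MUST in both places so the requirement level is unambiguous, and drop the space in "prcLimitedNotify (5)" to match the other value labels.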
skipping to change at page 28, line 35 skipping to change at page 32, line 4
in the frwkCompLimitsGuidance attribute. in the frwkCompLimitsGuidance attribute.
A value of 'none(1)' means that no additional A value of 'none(1)' means that no additional
guidance is provided for the noted limitation type. guidance is provided for the noted limitation type.
A value of 'lengthMin(2)' means that the guidance A value of 'lengthMin(2)' means that the guidance
attribute provides data related to the minimum attribute provides data related to the minimum
acceptable length for the value of the identified acceptable length for the value of the identified
component. A corresponding class instance component. A corresponding class instance
specifying the 'lengthMax(3)' value is required specifying the 'lengthMax(3)' value is required
Framework Policy Information Base May 30, 2002
in conjunction with this sub-type. in conjunction with this sub-type.
A value of 'lengthMax(3)' means that the guidance A value of 'lengthMax(3)' means that the guidance
attribute provides data related to the maximum attribute provides data related to the maximum
acceptable length for the value of the identified acceptable length for the value of the identified
component. A corresponding class instance component. A corresponding class instance
specifying the 'lengthMin(2)' value is required specifying the 'lengthMin(2)' value is required
in conjunction with this sub-type. in conjunction with this sub-type.
A value of 'rangeMin(4)' means that the guidance A value of 'rangeMin(4)' means that the guidance
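Review bot: The lengthMin(2)/lengthMax(3) pairing is stated only as "A corresponding class instance specifying the 'lengthMax(3)' value is required", with no requirement keyword and no behaviour defined for a PDP that receives one half of the pair. State it as a MUST on the PEP and say how the PDP treats an unpaired instance (for example, ignore the limitation or treat the missing bound as unbounded), so that implementations do not diverge on malformed capability reports.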
skipping to change at page 29, line 4 skipping to change at page 32, line 32
A value of 'rangeMax(5)' means that the guidance A value of 'rangeMax(5)' means that the guidance
attribute provides data related to the upper bound attribute provides data related to the upper bound
of the range for the value of the identified of the range for the value of the identified
component. A corresponding class instance component. A corresponding class instance
specifying the 'rangeMin(4)' value is required specifying the 'rangeMin(4)' value is required
in conjunction with this sub-type. in conjunction with this sub-type.
A value of 'enumMin(6)' means that the guidance A value of 'enumMin(6)' means that the guidance
attribute provides data related to the lowest attribute provides data related to the lowest
Framework Policy Information Base January 2002
enumeration acceptable for the value of the enumeration acceptable for the value of the
identified component. A corresponding identified component. A corresponding
class instance specifying the 'enumMax(7)' class instance specifying the 'enumMax(7)'
value is required in conjunction with this sub-type. value is required in conjunction with this sub-type.
A value of 'enumMax(7)' means that the guidance A value of 'enumMax(7)' means that the guidance
attribute provides data related to the largest attribute provides data related to the largest
enumeration acceptable for the value of the enumeration acceptable for the value of the
identified component. A corresponding identified component. A corresponding
class instance specifying the 'enumMin(6)' class instance specifying the 'enumMin(6)'
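Review bot: The enumMin(6) text says "the lowest enumeration acceptable" and the enumMax(7) text says "the largest enumeration acceptable"; pick one pair of terms (lowest/highest or smallest/largest) so the two descriptions read as the two ends of one range.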
skipping to change at page 29, line 36 skipping to change at page 33, line 4
value that is acceptable for the identified value that is acceptable for the identified
component. component.
A value of 'bitMask(10)' means that the guidance A value of 'bitMask(10)' means that the guidance
attribute is a bit mask such that all the combinations of attribute is a bit mask such that all the combinations of
bits set in the bitmask are acceptable values for the bits set in the bitmask are acceptable values for the
identified component which should be an attribute of type identified component which should be an attribute of type
'BITS'. 'BITS'.
For example, an implementation of the frwkIpFilter class may For example, an implementation of the frwkIpFilter class may
Framework Policy Information Base May 30, 2002
be limited in several ways, such as address mask, protocol be limited in several ways, such as address mask, protocol
and Layer 4 port options. These limitations could be and Layer 4 port options. These limitations could be
exported using this table with the following instances: exported using this PRC with the following instances:
Component Type Sub-Type Guidance Component Type Sub-Type Guidance
------------------------------------------------------------ ------------------------------------------------------------
DstPrefixLength attrValueSupLimited valueOnly 24 DstPrefixLength attrValueSupLimited valueOnly 24
SrcPrefixLength attrValueSupLimited valueOnly 24 SrcPrefixLength attrValueSupLimited valueOnly 24
Protocol attrValueSupLimited rangeMin 10 Protocol attrValueSupLimited rangeMin 10
Protocol attrValueSupLimited rangeMax 20 Protocol attrValueSupLimited rangeMax 20
The above entries describe a number of limitations that The above entries describe a number of limitations that
may be in effect for the frwkIpFilter class on a given may be in effect for the frwkIpFilter class on a given
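Review bot: The frwkIpFilter example table lists only Component, Type, Sub-Type and Guidance, and puts attribute names such as DstPrefixLength in the Component column, but frwkCompLimitsComponent is defined as the OID of the PRC and the attribute is selected by frwkCompLimitsAttrPos. Add the AttrPos and Negation columns to the example, or add a sentence saying the Component column is shorthand for the (Component, AttrPos) pair. The bitMask(10) text also says the component "should be an attribute of type 'BITS'" where the other sub-types use MUST; make the requirement level consistent.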
skipping to change at page 30, line 5 skipping to change at page 33, line 31
values for certain attributes. values for certain attributes.
Also, an implementation of a PRC may be limited in the ways Also, an implementation of a PRC may be limited in the ways
it can be accessed. For instance, for a fictitious PRC it can be accessed. For instance, for a fictitious PRC
dscpMapEntry, which has a PIB-ACCESS of 'install-notify': dscpMapEntry, which has a PIB-ACCESS of 'install-notify':
Component Type SubType Guidance Component Type SubType Guidance
------------------------------------------------------------ ------------------------------------------------------------
dscpMapEntry prcLimitedNotify none zero-length string." dscpMapEntry prcLimitedNotify none zero-length string."
Framework Policy Information Base January 2002
::= { frwkCompLimitsEntry 6 } ::= { frwkCompLimitsEntry 6 }
frwkCompLimitsGuidance OBJECT-TYPE frwkCompLimitsGuidance OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A value used to convey additional information related "A value used to convey additional information related
to the implementation limitation. Note that a guidance to the implementation limitation. Note that a guidance
value will not necessarily be provided for all exported value will not necessarily be provided for all exported
limitations. If a guidance value is not provided, the limitations. If a guidance value is not provided, the
value must be a zero-length string. value must be a zero-length string.
The format of the guidance value, if one is present as The format of the guidance value, if one is present as
indicated by the frwkCompLimitsSubType attribute, indicated by the frwkCompLimitsSubType attribute,
is described by the following table. Note that the is described by the following table. Note that the
type of guidance value is dictated by the type of the format of guidance value is dictated by the base-type of
component whose limitation is being exported, interpreted the component whose limitation is being exported,
in the context of the frwkCompLimitsType and interpreted in the context of the frwkCompLimitsType and
frwkCompLimitsSubType values. frwkCompLimitsSubType values. Any other restrictions
(such as size/range/enumerated value) on the guidance
value MUST be complied with according to the definition
of the component for which guidance is being specified.
Note that numbers are encoded in network byte order. Note that numbers are encoded in network byte order.
Base Type Value Base Type Value
--------- ----- --------- -----
Unsigned32/Integer32 32-bit value. Unsigned32/Integer32/INTEGER 32-bit value.
Unsigned64/Integer64 64-bit Value. Unsigned64/Integer64 64-bit Value.
OCTET STRING octets of data. OCTET STRING octets of data.
Framework Policy Information Base May 30, 2002
OID 32-bit OID components. OID 32-bit OID components.
BITS Binary octets of length same as BITS Binary octets of length
Component specified." same as Component specified."
::= { frwkCompLimitsEntry 7 } ::= { frwkCompLimitsEntry 7 }
-- --
-- Complete Reference specification table -- Complete Reference specification table
-- --
frwkReferenceTable OBJECT-TYPE frwkReferenceTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkReferenceEntry SYNTAX SEQUENCE OF FrwkReferenceEntry
PIB-ACCESS install-notify PIB-ACCESS install-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Each instance of this class specifies a reference to a PRI "Each instance of this PRC specifies a reference to a PRI
in a specific PIB context (handle) for a specific client- in a specific PIB context (handle) for a specific client-
type." type. This table gives the PDP the ability to set up
policies that span installed contexts and the PEP the
ability to reference instances in another, perhaps
configured context. The PEP must send a
'attrReferenceUnknown' COPS-PR error to the PDP if it
encounters an invalid reference. "
REFERENCE "[COPS-PR] error codes section 4.5."
::= { frwkBasePibClasses 5 } ::= { frwkBasePibClasses 5 }
Framework Policy Information Base January 2002
frwkReferenceEntry OBJECT-TYPE frwkReferenceEntry OBJECT-TYPE
SYNTAX FrwkReferenceEntry SYNTAX FrwkReferenceEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Entry specification for the frwkReferenceTable." "Entry specification for the frwkReferenceTable."
PIB-INDEX { frwkReferencePrid } PIB-INDEX { frwkReferencePrid }
UNIQUENESS { } UNIQUENESS { }
::= { frwkReferenceTable 1 } ::= { frwkReferenceTable 1 }
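Review bot: The sentence added to the frwkReferenceTable DESCRIPTION, "The PEP must send a 'attrReferenceUnknown' COPS-PR error to the PDP if it encounters an invalid reference.", uses lower-case "must" for what reads as a protocol requirement, and does not say what makes a reference invalid (unknown client-type, unknown client-handle, or a missing PRI in an otherwise valid context). Use MUST and enumerate the cases, since this table lets one context point into another and the failure handling is the only guard described. Also change "a 'attrReferenceUnknown'" to "an", and remove the stray space before the closing quote.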
skipping to change at page 31, line 28 skipping to change at page 35, line 4
FrwkReferenceEntry ::= SEQUENCE { FrwkReferenceEntry ::= SEQUENCE {
frwkReferencePrid InstanceId, frwkReferencePrid InstanceId,
frwkReferenceClientType ClientType, frwkReferenceClientType ClientType,
frwkReferenceClientHandle ClientHandle, frwkReferenceClientHandle ClientHandle,
frwkReferenceInstance Prid frwkReferenceInstance Prid
} }
frwkReferencePrid OBJECT-TYPE frwkReferencePrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
Framework Policy Information Base May 30, 2002
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies an "An arbitrary integer index that uniquely identifies an
instance of the frwkReference class." instance of the frwkReference class."
::= { frwkReferenceEntry 1 } ::= { frwkReferenceEntry 1 }
frwkReferenceClientType OBJECT-TYPE frwkReferenceClientType OBJECT-TYPE
SYNTAX ClientType SYNTAX ClientType
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 32, line 5 skipping to change at page 35, line 33
frwkReferenceClientHandle OBJECT-TYPE frwkReferenceClientHandle OBJECT-TYPE
SYNTAX ClientHandle SYNTAX ClientHandle
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Must be set to specify a valid client-handle in the scope "Must be set to specify a valid client-handle in the scope
of the client-type specified." of the client-type specified."
::= { frwkReferenceEntry 3 } ::= { frwkReferenceEntry 3 }
Framework Policy Information Base January 2002
frwkReferenceInstance OBJECT-TYPE frwkReferenceInstance OBJECT-TYPE
SYNTAX Prid SYNTAX Prid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"References a PRI in the context identified by "References a PRI in the context identified by
frwkReferenceClientHandle for client-type identified by frwkReferenceClientHandle for client-type identified by
frwkReferenceClientType." frwkReferenceClientType."
::= { frwkReferenceEntry 4 } ::= { frwkReferenceEntry 4 }
-- --
-- Error specification table -- Error specification table
-- --
frwkErrorTable OBJECT-TYPE frwkErrorTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkErrorEntry SYNTAX SEQUENCE OF FrwkErrorEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Each instance of this class specifies a class specific "Each instance of this PRC specifies a class specific
error object. Instances of this table are transient." error object. Instances of this PRC are transient, i.e.,
instances received in a COPS decision message must not to be
maintained by the PEP in its copy of the PIB instances. This
Framework Policy Information Base May 30, 2002
PRC allows a PDP to send error information to the PEP if the
PDP cannot process updates to a Request successfully."
::= { frwkBasePibClasses 6 } ::= { frwkBasePibClasses 6 }
frwkErrorEntry OBJECT-TYPE frwkErrorEntry OBJECT-TYPE
SYNTAX FrwkErrorEntry SYNTAX FrwkErrorEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Entry specification for the frwkErrorTable." "Entry specification for the frwkErrorTable."
PIB-INDEX { frwkErrorPrid } PIB-INDEX { frwkErrorPrid }
UNIQUENESS { } UNIQUENESS {
frwkErrorCode,
frwkErrorSubCode,
frwkErrorPrc,
frwkErrorInstance
}
::= { frwkErrorTable 1 } ::= { frwkErrorTable 1 }
FrwkErrorEntry ::= SEQUENCE { FrwkErrorEntry ::= SEQUENCE {
frwkErrorPrid InstanceId, frwkErrorPrid InstanceId,
frwkErrorCode Unsigned32, frwkErrorCode Unsigned32,
frwkErrorSubCode Unsigned32, frwkErrorSubCode Unsigned32,
frwkErrorPrc PrcIdentifier, frwkErrorPrc PrcIdentifierOid,
frwkErrorInstance InstanceId frwkErrorInstance InstanceId
} }
frwkErrorPrid OBJECT-TYPE frwkErrorPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies an "An arbitrary integer index that uniquely identifies an
instance of the frwkError class." instance of the frwkError class."
::= { frwkErrorEntry 1 } ::= { frwkErrorEntry 1 }
Framework Policy Information Base January 2002
frwkErrorCode OBJECT-TYPE frwkErrorCode OBJECT-TYPE
SYNTAX Unsigned32 (0..65535) SYNTAX Unsigned32 (0..65535)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Error code defined in [COPS-PR] CPERR object." "Error code defined in COPS-PR CPERR object."
REFERENCE
"COPS Usage for Policy Provisioning. [COPS-PR]."
::= { frwkErrorEntry 2 } ::= { frwkErrorEntry 2 }
frwkErrorSubCode OBJECT-TYPE frwkErrorSubCode OBJECT-TYPE
SYNTAX Unsigned32 (0..65535) SYNTAX Unsigned32 (0..65535)
Framework Policy Information Base May 30, 2002
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The class-specific error object is used to communicate "The class-specific error object is used to communicate
errors relating to specific PRCs." errors relating to specific PRCs."
::= { frwkErrorEntry 3 } ::= { frwkErrorEntry 3 }
frwkErrorPrc OBJECT-TYPE frwkErrorPrc OBJECT-TYPE
SYNTAX PrcIdentifier SYNTAX PrcIdentifierOid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The PRC due to which the error specified by codes "The PRC due to which the error specified by codes
(frwkErrorCode , frwkErrorSubCode) occurred." (frwkErrorCode , frwkErrorSubCode) occurred."
::= { frwkErrorEntry 4 } ::= { frwkErrorEntry 4 }
frwkErrorInstance OBJECT-TYPE frwkErrorInstance OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The PRI of the identified PRC (frwkErrorPrc) due to which "The PRI of the identified PRC (frwkErrorPrc) due to which
the error specified by codes (frwkErrorCode , the error specified by codes (frwkErrorCode ,
frwkErrorSubCode) occurred. Must be set to zero if unused." frwkErrorSubCode) occurred. Must be set to zero if unused."
::= { frwkErrorEntry 5 } ::= { frwkErrorEntry 5 }
-- --
-- The device interface capabilities and role combo classes group -- The device capabilities and role combo classes group
-- --
frwkDeviceCapClasses frwkDeviceCapClasses
OBJECT IDENTIFIER ::= { frameworkPib 2 } OBJECT IDENTIFIER ::= { frameworkPib 2 }
Framework Policy Information Base January 2002
-- --
-- Interface Capability Set Table -- Capability Set Table
-- --
frwkIfCapSetTable OBJECT-TYPE frwkCapabilitySetTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkIfCapSetEntry SYNTAX SEQUENCE OF FrwkCapabilitySetEntry
PIB-ACCESS notify PIB-ACCESS notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This class describes the interfaces that exist on the "This PRC describes the capability sets that exist on the
device. Associated with each interface is a set of interfaces on the device. The capability set is given a
capabilities. The capability set is given a unique name that unique name that identifies a set. These capability set
identifies the interface type. These capabilities are used names are used by the PDP to determine policy information to
by the PDP to determine policy information to be associated
with interfaces of this type." Framework Policy Information Base May 30, 2002
be associated with interfaces that possess similar sets of
capabilities."
::= { frwkDeviceCapClasses 1 } ::= { frwkDeviceCapClasses 1 }
frwkIfCapSetEntry OBJECT-TYPE frwkCapabilitySetEntry OBJECT-TYPE
SYNTAX FrwkIfCapSetEntry SYNTAX FrwkCapabilitySetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of this class describes the characteristics "An instance of this PRC describes a particular set of
of a type of an interface." capabilities and associates a unique name with the set."
PIB-INDEX { frwkIfCapSetPrid } PIB-INDEX { frwkCapabilitySetPrid }
UNIQUENESS { frwkIfCapSetName, UNIQUENESS { frwkCapabilitySetName,
frwkIfCapSetCapability } frwkCapabilitySetCapability }
::= { frwkIfCapSetTable 1 } ::= { frwkCapabilitySetTable 1 }
FrwkIfCapSetEntry ::= SEQUENCE { FrwkCapabilitySetEntry ::= SEQUENCE {
frwkIfCapSetPrid InstanceId, frwkCapabilitySetPrid InstanceId,
frwkIfCapSetName SnmpAdminString, frwkCapabilitySetName SnmpAdminString,
frwkIfCapSetCapability Prid frwkCapabilitySetCapability Prid
} }
frwkIfCapSetPrid OBJECT-TYPE frwkCapabilitySetPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies a "An arbitrary integer index that uniquely identifies a
instance of the class." instance of the class."
::= { frwkIfCapSetEntry 1 } ::= { frwkCapabilitySetEntry 1 }
frwkIfCapSetName OBJECT-TYPE frwkCapabilitySetName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString (SIZE (1..255))
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The name for the capability set. This name is the unique
identifier of a set of capabilities. This attribute must not
be assigned a zero-length string."
Framework Policy Information Base January 2002 ::= { frwkCapabilitySetEntry 2 }
"The name for the capability set. The capability set name
is the unique identifier of an interface type."
::= { frwkIfCapSetEntry 2 }
frwkIfCapSetCapability OBJECT-TYPE frwkCapabilitySetCapability OBJECT-TYPE
SYNTAX Prid SYNTAX Prid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The complete PRC OID and instance identifier specifying the "The complete PRC OID and instance identifier specifying the
capability PRC instance for the interface." capability PRC instance for the interface. This attribute
references a specific instance of a capability table. The
capability table whose instance is referenced must be
::= { frwkIfCapSetEntry 3 } Framework Policy Information Base May 30, 2002
defined in the client type specific PIB that this PIB is
used with. The referenced capability instance becomes a part
of the set of capabilities associated with the specified
frwkCapabilitySetName."
::= { frwkCapabilitySetEntry 3 }
-- --
-- Interface and Role Combination Tables -- Interface and Role Combination Tables
-- --
frwkRoleComboTable OBJECT-TYPE frwkRoleComboTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkRoleComboEntry SYNTAX SEQUENCE OF FrwkRoleComboEntry
PIB-ACCESS install-notify PIB-ACCESS install-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
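Review bot: The new frwkErrorTable DESCRIPTION contains "must not to be maintained by the PEP in its copy of the PIB instances", which is ungrammatical and lower-case for a requirement on PEP state handling; write "MUST NOT be maintained". The frwkCapabilitySetName change states the non-empty rule twice, once as SIZE (1..255) and once in prose ("This attribute must not be assigned a zero-length string"); keep the SIZE constraint as the authoritative form and make the prose a note. The frwkCapabilitySetPrid description still reads "a instance of the class" on both sides and should be corrected and moved to the "PRC" wording used elsewhere in -08.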
skipping to change at page 35, line 42 skipping to change at page 39, line 35
assigned to any interface on a PEP. The identification of assigned to any interface on a PEP. The identification of
the interface is to be defined by its extensions or the interface is to be defined by its extensions or
referencing PRCs." referencing PRCs."
::= { frwkDeviceCapClasses 2 } ::= { frwkDeviceCapClasses 2 }
frwkRoleComboEntry OBJECT-TYPE frwkRoleComboEntry OBJECT-TYPE
SYNTAX FrwkRoleComboEntry SYNTAX FrwkRoleComboEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of this class describes one association of an "An instance of this PRC describes one association of an
interface to a role-combination and capability set name . interface to a role-combination and capability set name .
Note that an interface can have multiple associations. This Note that an interface can have multiple associations. This
constraint is controlled by the extending or referencing constraint is controlled by the extending or referencing
PRC's uniqueness clause." PRC's uniqueness clause."
PIB-INDEX { frwkRoleComboPrid } PIB-INDEX { frwkRoleComboPrid }
UNIQUENESS { } UNIQUENESS { }
::= { frwkRoleComboTable 1 } ::= { frwkRoleComboTable 1 }
FrwkRoleComboEntry ::= SEQUENCE { FrwkRoleComboEntry ::= SEQUENCE {
frwkRoleComboPrid InstanceId, frwkRoleComboPrid InstanceId,
Framework Policy Information Base January 2002
frwkRoleComboRoles RoleCombination, frwkRoleComboRoles RoleCombination,
frwkRoleComboCapSetName SnmpAdminString frwkRoleComboCapSetName SnmpAdminString
} }
frwkRoleComboPrid OBJECT-TYPE frwkRoleComboPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
Framework Policy Information Base May 30, 2002
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies an "An arbitrary integer index that uniquely identifies an
instance of the class." instance of the class."
::= { frwkRoleComboEntry 1 } ::= { frwkRoleComboEntry 1 }
frwkRoleComboRoles OBJECT-TYPE frwkRoleComboRoles OBJECT-TYPE
SYNTAX RoleCombination SYNTAX RoleCombination
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The role combination assigned to a specific interface." "The role combination assigned to a specific interface."
::= { frwkRoleComboEntry 2 } ::= { frwkRoleComboEntry 2 }
frwkRoleComboCapSetName OBJECT-TYPE frwkRoleComboCapSetName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString (SIZE (0..255))
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The name of the interface capability set associated with "The name of the capability set associated with
the Role Combination specified in frwkRoleComboRoles. the Role Combination specified in frwkRoleComboRoles. If
This name must exist in frwkIfCapSetTable." this is a zero length string it implies the PEP is not
exporting any capability set information for this
RoleCombination. The PDP must then use the RoleCombinations
provided as the only means of assigning policies
If a non-zero length string is specified, the name must
exist in frwkCapabilitySetTable."
::= { frwkRoleComboEntry 3 } ::= { frwkRoleComboEntry 3 }
-- --
-- Interface, Role Combinatrion association via IfIndex -- Interface, Role Combination association via IfIndex
-- --
frwkIfRoleComboTable OBJECT-TYPE frwkIfRoleComboTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkIfRoleComboEntry SYNTAX SEQUENCE OF FrwkIfRoleComboEntry
PIB-ACCESS install-notify PIB-ACCESS install-notify
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table enumerates the interface to role combination and "This PRC enumerates the interface to role combination and
IfCapSetName mapping for all policy managed interfaces of a frwkRoleComboCapSetName mapping for all policy managed
device. Policy for an interface depends not only on the interfaces of a device. Policy for an interface depends not
capability set of an interface but also on its roles. This only on the capability set of an interface but also on its
table specifies all the <interface index, interface roles. This table specifies all the <interface index,
capability set name, role combination> tuples currently on interface capability set name, role combination> tuples
the device" currently on the device"
::= { frwkDeviceCapClasses 3 } ::= { frwkDeviceCapClasses 3 }
Framework Policy Information Base January 2002
frwkIfRoleComboEntry OBJECT-TYPE frwkIfRoleComboEntry OBJECT-TYPE
SYNTAX FrwkIfRoleComboEntry SYNTAX FrwkIfRoleComboEntry
STATUS current STATUS current
Framework Policy Information Base May 30, 2002
DESCRIPTION DESCRIPTION
"An instance of this class describes the association of "An instance of this PRC describes the association of
a interface to an IfCapSetName and a role combination. a interface to an capability set name and a role
Note that a IfCapSetName can have multiple role combinations combination.
assigned to it, but an IfIndex can have only one role Note that a capability set name can have multiple role
combination associated." combinations assigned to it, but an IfIndex can have only
one role combination associated."
EXTENDS { frwkRoleComboEntry } EXTENDS { frwkRoleComboEntry }
UNIQUENESS { frwkIfRoleComboIfIndex, UNIQUENESS { frwkIfRoleComboIfIndex,
frwkRoleComboCapSetName } frwkRoleComboCapSetName }
::= { frwkIfRoleComboTable 1 } ::= { frwkIfRoleComboTable 1 }
FrwkIfRoleComboEntry ::= SEQUENCE { FrwkIfRoleComboEntry ::= SEQUENCE {
frwkIfRoleComboIfIndex InterfaceIndex frwkIfRoleComboIfIndex InterfaceIndex
} }
frwkIfRoleComboIfIndex OBJECT-TYPE frwkIfRoleComboIfIndex OBJECT-TYPE
SYNTAX InterfaceIndex SYNTAX InterfaceIndex
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The ifIndex value for which this conceptual row provides "The value of this attribute is the ifIndex which is
policy information via the use of role combination." associated with the specified RoleCombination and interface
capability set name."
::= { frwkIfRoleComboEntry 1 } ::= { frwkIfRoleComboEntry 1 }
-- --
-- The Classification classes group -- The Classification classes group
-- --
frwkClassifierClasses frwkClassifierClasses
OBJECT IDENTIFIER ::= { frameworkPib 3 } OBJECT IDENTIFIER ::= { frameworkPib 3 }
-- --
-- The Base Filter Table -- The Base Filter Table
-- --
frwkBaseFilterTable OBJECT-TYPE frwkBaseFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkBaseFilterEntry SYNTAX SEQUENCE OF FrwkBaseFilterEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Framework Policy Information Base January 2002
"The Base Filter class. A packet has to match all "The Base Filter class. A packet has to match all
fields in an Filter. Wildcards may be specified for those fields in an Filter. Wildcards may be specified for those
fields that are not relevant." fields that are not relevant."
Framework Policy Information Base May 30, 2002
::= { frwkClassifierClasses 1 } ::= { frwkClassifierClasses 1 }
frwkBaseFilterEntry OBJECT-TYPE frwkBaseFilterEntry OBJECT-TYPE
SYNTAX FrwkBaseFilterEntry SYNTAX FrwkBaseFilterEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of the frwkBaseFilter class." "An instance of the frwkBaseFilter class."
PIB-INDEX { frwkBaseFilterPrid } PIB-INDEX { frwkBaseFilterPrid }
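Review bot: The reworded frwkIfRoleComboEntry DESCRIPTION has its articles the wrong way round: "a interface to an capability set name" should read "an interface to a capability set name". The frwkIfRoleComboTable DESCRIPTION now opens with "This PRC enumerates" but two sentences later still says "This table specifies"; use one term throughout. The unchanged "fields in an Filter" in frwkBaseFilterTable could be corrected in the same pass.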
skipping to change at page 38, line 43 skipping to change at page 42, line 39
the Filters." the Filters."
::= { frwkBaseFilterEntry 1 } ::= { frwkBaseFilterEntry 1 }
frwkBaseFilterNegation OBJECT-TYPE frwkBaseFilterNegation OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute behaves like a logical NOT for the filter. "This attribute behaves like a logical NOT for the filter.
If the packet matches this filter and the value of this If the packet matches this filter and the value of this
attribute is true, the action associated with this filter attribute is 'true', the action associated with this filter
is not applied to the packet. If the value of this is not applied to the packet. If the value of this
attribute is false, then the action is applied to the attribute is 'false', then the action is applied to the
packet." packet."
::= { frwkBaseFilterEntry 2 } ::= { frwkBaseFilterEntry 2 }
-- --
-- The IP Filter Table -- The IP Filter Table
-- --
frwkIpFilterTable OBJECT-TYPE frwkIpFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkIpFilterEntry SYNTAX SEQUENCE OF FrwkIpFilterEntry
Framework Policy Information Base January 2002
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Filter definitions. A packet has to match all fields in a "Filter definitions. A packet has to match all fields in a
Framework Policy Information Base May 30, 2002
filter. Wildcards may be specified for those fields that filter. Wildcards may be specified for those fields that
are not relevant." are not relevant."
INSTALL-ERRORS { INSTALL-ERRORS {
invalidDstL4PortData(1), invalidDstL4PortData(1),
invalidSrcL4PortData(2) invalidSrcL4PortData(2)
} }
::= { frwkClassifierClasses 2 } ::= { frwkClassifierClasses 2 }
frwkIpFilterEntry OBJECT-TYPE frwkIpFilterEntry OBJECT-TYPE
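Review bot: The frwkBaseFilterNegation DESCRIPTION leaves one case undefined: it says the action is not applied when the packet matches and the value is 'true', but not what happens to a packet that does not match while the value is 'true'. A logical NOT implies such a packet is treated as a match, so the text should say so explicitly. Otherwise two PEPs can enforce the same negated filter differently. The sentence beginning "If the value of this attribute is 'false'" should also repeat the "packet matches this filter" condition.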
skipping to change at page 40, line 5 skipping to change at page 43, line 54
frwkIpFilterSrcPrefixLength InetAddressPrefixLength, frwkIpFilterSrcPrefixLength InetAddressPrefixLength,
frwkIpFilterDscp DscpOrAny, frwkIpFilterDscp DscpOrAny,
frwkIpFilterFlowId Unsigned32, frwkIpFilterFlowId Unsigned32,
frwkIpFilterProtocol Integer32, frwkIpFilterProtocol Integer32,
frwkIpFilterDstL4PortMin InetPortNumber, frwkIpFilterDstL4PortMin InetPortNumber,
frwkIpFilterDstL4PortMax InetPortNumber, frwkIpFilterDstL4PortMax InetPortNumber,
frwkIpFilterSrcL4PortMin InetPortNumber, frwkIpFilterSrcL4PortMin InetPortNumber,
frwkIpFilterSrcL4PortMax InetPortNumber frwkIpFilterSrcL4PortMax InetPortNumber
} }
Framework Policy Information Base January 2002
frwkIpFilterAddrType OBJECT-TYPE frwkIpFilterAddrType OBJECT-TYPE
SYNTAX InetAddressType SYNTAX InetAddressType
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The address type enumeration value [INETADDR] to specify
the type of the packet's IP address." Framework Policy Information Base May 30, 2002
"The address type enumeration value to specify the type of
the packet's IP address.
While other types of addresses are defined in the
InetAddressType textual convention, an IP filter can only
use IPv4 and IPv6 addresses directly to classify traffic.
All other InetAddressTypes require mapping to the
corresponding Ipv4 or IPv6 address before being used to
classify traffic. Therefore, this object as such is not
limited to IPv4 and IPv6 addresses, i.e., it can be assigned
any of the valid values defined in the InetAddressType TC,
but the mapping of the address values to IPv4 or IPv6
addresses for the address attributes (frwkIpFilterDstAddr
and frwkIpFilterSrcAddr) must be done by the PEP."
REFERENCE
"Textual Conventions for Internet Network Addresses.
[INETADDR]"
::= { frwkIpFilterEntry 1 } ::= { frwkIpFilterEntry 1 }
frwkIpFilterDstAddr OBJECT-TYPE frwkIpFilterDstAddr OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IP address [INETADDR] to match against the packet's "The IP address to match against the packet's
destination IP address. frwkIpFilterDstPrefixLength destination IP address. If the address type is 'ipv4',
indicates the number of bits that are relevant. " 'ipv6', 'ipv4z' or 'ipv6z' then, the attribute
frwkIpFilterDstPrefixLength indicates the number of bits
that are relevant. "
REFERENCE
"Textual Conventions for Internet Network Addresses.
[INETADDR]"
::= { frwkIpFilterEntry 2 } ::= { frwkIpFilterEntry 2 }
frwkIpFilterDstPrefixLength OBJECT-TYPE frwkIpFilterDstPrefixLength OBJECT-TYPE
SYNTAX InetAddressPrefixLength SYNTAX InetAddressPrefixLength
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The length of a mask for the matching of the destination "The length of a mask for the matching of the destination
IP address. Masks are constructed by setting bits in IP address. This attribute is interpreted only if the
sequence from the most-significant bit downwards for InetAddressType is 'ipv4', 'ipv4z', 'ipv6' or 'ipv6z'.
Masks are constructed by setting bits in sequence from the
most-significant bit downwards for
frwkIpFilterDstPrefixLength bits length. All other bits in frwkIpFilterDstPrefixLength bits length. All other bits in
the mask, up to the number needed to fill the length of the mask, up to the number needed to fill the length of
the address frwkIpFilterDstAddr are cleared to zero. A zero the address frwkIpFilterDstAddr are cleared to zero. A zero
bit in the mask then means that the corresponding bit in bit in the mask then means that the corresponding bit in
the address always matches." the address always matches.
In IPv4 addresses, a length of 0 indicates a match of any
address; a length of 32 indicates a match of a single host
Framework Policy Information Base May 30, 2002
address, and a length between 0 and 32 indicates the use of
a CIDR Prefix. IPv6 is similar, except that prefix lengths
range from 0..128."
REFERENCE
"Textual Conventions for Internet Network Addresses.
[INETADDR]"
DEFVAL { 0 }
::= { frwkIpFilterEntry 3 } ::= { frwkIpFilterEntry 3 }
frwkIpFilterSrcAddr OBJECT-TYPE frwkIpFilterSrcAddr OBJECT-TYPE
SYNTAX InetAddress SYNTAX InetAddress
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IP address to match against the packet's source IP "The IP address to match against the packet's source IP
address. frwkIpFilterSrcPrefixLength indicates the address. If the address type is 'ipv4', 'ipv6', 'ipv4z' or
number of bits that are relevant. " 'ipv6z' then, the attribute frwkIpFilterSrcPrefixLength
indicates the number of bits that are relevant."
REFERENCE
"Textual Conventions for Internet Network Addresses.
[INETADDR]"
::= { frwkIpFilterEntry 4 } ::= { frwkIpFilterEntry 4 }
frwkIpFilterSrcPrefixLength OBJECT-TYPE frwkIpFilterSrcPrefixLength OBJECT-TYPE
SYNTAX InetAddressPrefixLength SYNTAX InetAddressPrefixLength
UNITS "bits" UNITS "bits"
STATUS current STATUS current
Framework Policy Information Base January 2002
DESCRIPTION DESCRIPTION
"The length of a mask for the matching of the source IP "The length of a mask for the matching of the source IP
address. Masks are constructed by setting bits in sequence address. This attribute is interpreted only if the
from the most-significant bit downwards for InetAddressType is 'ipv4', 'ipv4z', 'ipv6' or 'ipv6z'.
Masks are constructed by setting bits in sequence from the
most-significant bit downwards for
frwkIpFilterSrcPrefixLength bits length. All other bits in frwkIpFilterSrcPrefixLength bits length. All other bits in
the mask, up to the number needed to fill the length of the mask, up to the number needed to fill the length of
the address frwkIpFilterSrcAddr are cleared to zero. A the address frwkIpFilterSrcAddr are cleared to zero. A
zero bit in the mask then means that the corresponding bit zero bit in the mask then means that the corresponding bit
in the address always matches." in the address always matches.
In IPv4 addresses, a length of 0 indicates a match of any
address; a length of 32 indicates a match of a single host
address, and a length between 0 and 32 indicates the use of
a CIDR Prefix. IPv6 is similar, except that prefix lengths
range from 0..128."
REFERENCE
"Textual Conventions for Internet Network Addresses.
[INETADDR]"
DEFVAL { 0 }
::= { frwkIpFilterEntry 5 } ::= { frwkIpFilterEntry 5 }
Framework Policy Information Base May 30, 2002
frwkIpFilterDscp OBJECT-TYPE frwkIpFilterDscp OBJECT-TYPE
SYNTAX DscpOrAny SYNTAX DscpOrAny
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value that the DSCP in the packet can have and "The value that the DSCP in the packet can have and
match this filter. A value of -1 indicates that a specific match this filter. A value of -1 indicates that a specific
DSCP value has not been defined and thus all DSCP values DSCP value has not been defined and thus all DSCP values
are considered a match." are considered a match."
REFERENCE
"[DS-MIB]."
DEFVAL { -1 }
::= { frwkIpFilterEntry 6 } ::= { frwkIpFilterEntry 6 }
frwkIpFilterFlowId OBJECT-TYPE frwkIpFilterFlowId OBJECT-TYPE
SYNTAX Unsigned32 (0..1048575) SYNTAX Unsigned32 (0..1048575)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The flow identifier in an IPv6 header." "The flow identifier in an IPv6 header."
::= { frwkIpFilterEntry 7 } ::= { frwkIpFilterEntry 7 }
frwkIpFilterProtocol OBJECT-TYPE frwkIpFilterProtocol OBJECT-TYPE
SYNTAX Integer32 (-1 | 0..255) SYNTAX Integer32 (-1 | 0..255)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IP protocol to match against the packet's protocol. "The layer-4 protocol Id to match against the IPv4 protocol
A value of -1 means match all." number or the IPv6 Next-Header number in the packet. A value
of -1 means match all. Note the protocol number of 255 is
reserved by IANA, and Next-Header number of 0 is used in
IPv6."
DEFVAL { -1 }
::= { frwkIpFilterEntry 8 } ::= { frwkIpFilterEntry 8 }
frwkIpFilterDstL4PortMin OBJECT-TYPE frwkIpFilterDstL4PortMin OBJECT-TYPE
SYNTAX InetPortNumber SYNTAX InetPortNumber
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The minimum value that the packet's layer 4 destination "The minimum value that the packet's layer 4 destination
port number can have and match this filter. This value must port number can have and match this filter. This value must
be equal to or lesser that the value specified for this be equal to or lesser that the value specified for this
filter in frwkIpFilterDstL4PortMax." filter in frwkIpFilterDstL4PortMax.
COPS-PR error code 'attrValueInvalid' must be returned if
the frwkIpFilterDstL4PortMin is greater than
frwkIpFilterDstL4PortMax"
REFERENCE "[COPS-PR] error codes section 4.5."
DEFVAL { 0 }
::= { frwkIpFilterEntry 9 } ::= { frwkIpFilterEntry 9 }
frwkIpFilterDstL4PortMax OBJECT-TYPE frwkIpFilterDstL4PortMax OBJECT-TYPE
SYNTAX InetPortNumber
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
SYNTAX InetPortNumber
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The maximum value that the packet's layer 4 destination "The maximum value that the packet's layer 4 destination
port number can have and match this filter. This value must port number can have and match this filter. This value must
be equal to or greater that the value specified for this be equal to or greater that the value specified for this
filter in frwkIpFilterDstL4PortMin." filter in frwkIpFilterDstL4PortMin.
COPS-PR error code 'attrValueInvalid' must be returned if
the frwkIpFilterDstL4PortMax is less than
frwkIpFilterDstL4PortMin"
REFERENCE "[COPS-PR] error codes section 4.5."
DEFVAL { 65535 }
::= { frwkIpFilterEntry 10 } ::= { frwkIpFilterEntry 10 }
frwkIpFilterSrcL4PortMin OBJECT-TYPE frwkIpFilterSrcL4PortMin OBJECT-TYPE
SYNTAX InetPortNumber SYNTAX InetPortNumber
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The minimum value that the packet's layer 4 source port "The minimum value that the packet's layer 4 source port
number can have and match this filter. This value must number can have and match this filter. This value must
be equal to or lesser that the value specified for this be equal to or lesser that the value specified for this
filter in frwkIpFilterSrcL4PortMax." filter in frwkIpFilterSrcL4PortMax.
COPS-PR error code 'attrValueInvalid' must be returned if
the frwkIpFilterSrcL4PortMin is greated than
frwkIpFilterSrcL4PortMax"
REFERENCE "[COPS-PR] error codes section 4.5."
DEFVAL { 0 }
::= { frwkIpFilterEntry 11 } ::= { frwkIpFilterEntry 11 }
frwkIpFilterSrcL4PortMax OBJECT-TYPE frwkIpFilterSrcL4PortMax OBJECT-TYPE
SYNTAX InetPortNumber SYNTAX InetPortNumber
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The maximum value that the packet's layer 4 source port "The maximum value that the packet's layer 4 source port
number can have and match this filter. This value must be number can have and match this filter. This value must be
equal to or greater that the value specified for this filter equal to or greater that the value specified for this filter
in frwkIpFilterSrcL4PortMin." in frwkIpFilterSrcL4PortMin.
COPS-PR error code 'attrValueInvalid' must be returned if
the frwkIpFilterSrcL4PortMax is less than
frwkIpFilterSrcL4PortMin"
REFERENCE "[COPS-PR] error codes section 4.5."
DEFVAL { 65535 }
::= { frwkIpFilterEntry 12 } ::= { frwkIpFilterEntry 12 }
Framework Policy Information Base May 30, 2002
-- --
-- The IEEE 802 Filter Table -- The IEEE 802 Filter Table
-- --
-- The IEEE 802 Filter Table supports the specification of IEEE
-- 802-based [802] (e.g., 802.3) information that is used to perform
-- traffic classification.
--
frwk802FilterTable OBJECT-TYPE frwk802FilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF Frwk802FilterEntry SYNTAX SEQUENCE OF Frwk802FilterEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"IEEE 802-based filter definitions. A class that contains "IEEE 802-based filter definitions. A class that contains
attributes of IEEE 802 (e.g., 802.3) traffic that form attributes of IEEE 802 (e.g., 802.3) traffic that form
filters that are used to perform traffic classification." filters that are used to perform traffic classification."
REFERENCE
Framework Policy Information Base January 2002 "IEEE Standards for Local and Metropolitan Area Networks.
[802]"
::= { frwkClassifierClasses 3 } ::= { frwkClassifierClasses 3 }
frwk802FilterEntry OBJECT-TYPE frwk802FilterEntry OBJECT-TYPE
SYNTAX Frwk802FilterEntry SYNTAX Frwk802FilterEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"IEEE 802-based filter definitions. An entry specifies "IEEE 802-based filter definitions. An entry specifies
(potentially) several distinct matching components. Each (potentially) several distinct matching components. Each
component is tested against the data in a frame component is tested against the data in a frame
individually. An overall match occurs when all of the individually. An overall match occurs when all of the
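Review bot: The four L4 port DESCRIPTIONs now require COPS-PR error code 'attrValueInvalid' when Min exceeds Max, yet frwkIpFilterTable still declares INSTALL-ERRORS invalidDstL4PortData(1) and invalidSrcL4PortData(2). The text should say which error a PEP returns for an inverted range, or drop the codes that are no longer used. In the same clauses, "greated than" in frwkIpFilterSrcL4PortMin is a typo, "lesser that" and "greater that" should be "less than" and "greater than", and the added sentences end without a period. frwkIpFilterDstPrefixLength also lacks the UNITS "bits" clause that frwkIpFilterSrcPrefixLength carries.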
skipping to change at page 43, line 40 skipping to change at page 49, line 4
frwk802FilterVlanId, frwk802FilterVlanId,
frwk802FilterVlanTagRequired, frwk802FilterVlanTagRequired,
frwk802FilterEtherType, frwk802FilterEtherType,
frwk802FilterUserPriority } frwk802FilterUserPriority }
::= { frwk802FilterTable 1 } ::= { frwk802FilterTable 1 }
Frwk802FilterEntry ::= SEQUENCE { Frwk802FilterEntry ::= SEQUENCE {
frwk802FilterDstAddr PhysAddress, frwk802FilterDstAddr PhysAddress,
frwk802FilterDstAddrMask PhysAddress, frwk802FilterDstAddrMask PhysAddress,
Framework Policy Information Base May 30, 2002
frwk802FilterSrcAddr PhysAddress, frwk802FilterSrcAddr PhysAddress,
frwk802FilterSrcAddrMask PhysAddress, frwk802FilterSrcAddrMask PhysAddress,
frwk802FilterVlanId Integer32, frwk802FilterVlanId Integer32,
frwk802FilterVlanTagRequired Unsigned32, frwk802FilterVlanTagRequired INTEGER,
frwk802FilterEtherType Integer32, frwk802FilterEtherType Integer32,
frwk802FilterUserPriority BITS frwk802FilterUserPriority BITS
} }
frwk802FilterDstAddr OBJECT-TYPE frwk802FilterDstAddr OBJECT-TYPE
SYNTAX PhysAddress SYNTAX PhysAddress
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The 802 address against which the 802 DA of incoming "The 802 address against which the 802 DA of incoming
traffic streams will be compared. Frames whose 802 DA traffic streams will be compared. Frames whose 802 DA
matches the physical address specified by this object, matches the physical address specified by this object,
taking into account address wildcarding as specified by the taking into account address wildcarding as specified by the
Framework Policy Information Base January 2002
frwk802FilterDstAddrMask object, are potentially subject to frwk802FilterDstAddrMask object, are potentially subject to
the processing guidelines that are associated with this the processing guidelines that are associated with this
entry through the related action class." entry through the related action class."
REFERENCE
"[SMNPv2TC]."
::= { frwk802FilterEntry 1 } ::= { frwk802FilterEntry 1 }
frwk802FilterDstAddrMask OBJECT-TYPE frwk802FilterDstAddrMask OBJECT-TYPE
SYNTAX PhysAddress SYNTAX PhysAddress
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object specifies the bits in a 802 destination address "This object specifies the bits in a 802 destination address
that should be considered when performing a 802 DA that should be considered when performing a 802 DA
comparison against the address specified in the comparison against the address specified in the
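Review bot: The REFERENCE added to frwk802FilterDstAddr cites "[SMNPv2TC]", which looks like a transposition of SNMPv2TC; check it against the tag used in the References section so the citation resolves.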
skipping to change at page 44, line 39 skipping to change at page 50, line 4
The length of this object in octets must equal the length in The length of this object in octets must equal the length in
octets of the frwk802FilterDstAddr. Note that a mask with no octets of the frwk802FilterDstAddr. Note that a mask with no
bits set (i.e., all zeroes) effectively wildcards the bits set (i.e., all zeroes) effectively wildcards the
frwk802FilterDstAddr object." frwk802FilterDstAddr object."
::= { frwk802FilterEntry 2 } ::= { frwk802FilterEntry 2 }
frwk802FilterSrcAddr OBJECT-TYPE frwk802FilterSrcAddr OBJECT-TYPE
SYNTAX PhysAddress SYNTAX PhysAddress
Framework Policy Information Base May 30, 2002
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The 802 MAC address against which the 802 MAC SA of "The 802 MAC address against which the 802 MAC SA of
incoming traffic streams will be compared. Frames whose 802 incoming traffic streams will be compared. Frames whose 802
MAC SA matches the physical address specified by this MAC SA matches the physical address specified by this
object, taking into account address wildcarding as specified object, taking into account address wildcarding as specified
by the frwk802FilterSrcAddrMask object, are potentially by the frwk802FilterSrcAddrMask object, are potentially
subject to the processing guidelines that are associated subject to the processing guidelines that are associated
with this entry through the related action class." with this entry through the related action class."
::= { frwk802FilterEntry 3 } ::= { frwk802FilterEntry 3 }
frwk802FilterSrcAddrMask OBJECT-TYPE frwk802FilterSrcAddrMask OBJECT-TYPE
SYNTAX PhysAddress SYNTAX PhysAddress
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object specifies the bits in a 802 MAC source address "This object specifies the bits in a 802 MAC source address
that should be considered when performing a 802 MAC SA that should be considered when performing a 802 MAC SA
comparison against the address specified in the comparison against the address specified in the
Framework Policy Information Base January 2002
frwk802FilterSrcAddr object. frwk802FilterSrcAddr object.
The value of this object represents a mask that is logically The value of this object represents a mask that is logically
and'ed with the 802 MAC SA in received frames to derive the and'ed with the 802 MAC SA in received frames to derive the
value to be compared against the frwk802FilterSrcAddr value to be compared against the frwk802FilterSrcAddr
address. A zero bit in the mask thus means that the address. A zero bit in the mask thus means that the
corresponding bit in the address always matches. The corresponding bit in the address always matches. The
frwk802FilterSrcAddr value must also be masked using this frwk802FilterSrcAddr value must also be masked using this
value prior to any comparisons. value prior to any comparisons.
skipping to change at page 45, line 41 skipping to change at page 50, line 60
been seen by the device) at the time this entry been seen by the device) at the time this entry
is instantiated. is instantiated.
Setting the frwk802FilterVlanId object to -1 indicates that Setting the frwk802FilterVlanId object to -1 indicates that
VLAN data should not be considered during traffic VLAN data should not be considered during traffic
classification." classification."
::= { frwk802FilterEntry 5 } ::= { frwk802FilterEntry 5 }
frwk802FilterVlanTagRequired OBJECT-TYPE frwk802FilterVlanTagRequired OBJECT-TYPE
SYNTAX Unsigned32 { SYNTAX INTEGER {
Framework Policy Information Base May 30, 2002
taggedOnly(1), taggedOnly(1),
priorityTaggedPlus(2), priorityTaggedPlus(2),
untaggedOnly(3), untaggedOnly(3),
ignoreTag(4) ignoreTag(4)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates whether the presence of an "This object indicates whether the presence of an
IEEE 802.1Q VLAN tag in data link layer frames must IEEE 802.1Q VLAN tag in data link layer frames must
be considered when determining if a given frame be considered when determining if a given frame
matches this 802 filter entry. matches this 802 filter entry.
A value of 'taggedOnly(1)' means that only frames A value of 'taggedOnly(1)' means that only frames
containing a VLAN tag with a non-Null VID (i.e., a containing a VLAN tag with a non-Null VID (i.e., a
VID in the range 1..4094) will be considered a match. VID in the range 1..4094) will be considered a match.
A value of 'priorityTaggedPlus(2)' means that only A value of 'priorityTaggedPlus(2)' means that only
frames containing a VLAN tag, regardless of the value frames containing a VLAN tag, regardless of the value
Framework Policy Information Base January 2002
of the VID, will be considered a match. of the VID, will be considered a match.
A value of 'untaggedOnly(3)' indicates that only A value of 'untaggedOnly(3)' indicates that only
untagged frames will match this filter component. untagged frames will match this filter component.
The presence of a VLAN tag is not taken into The presence of a VLAN tag is not taken into
consideration in terms of a match if the value is consideration in terms of a match if the value is
'ignoreTag(4)'." 'ignoreTag(4)'."
::= { frwk802FilterEntry 6 } ::= { frwk802FilterEntry 6 }
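Review bot: The interaction between frwk802FilterVlanId and frwk802FilterVlanTagRequired is left open. The text above says a frwk802FilterVlanId of -1 means "VLAN data should not be considered during traffic classification", but nothing states whether 'taggedOnly(1)' or 'untaggedOnly(3)' still constrains the match in that case. Suggest one sentence giving the precedence, so that every PEP classifies tagged and untagged frames the same way for the same installed filter.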
skipping to change at page 46, line 42 skipping to change at page 52, line 5
the underlying frame format. For Ethernet-II encapsulation, the underlying frame format. For Ethernet-II encapsulation,
the EtherType field follows the 802 MAC source address. For the EtherType field follows the 802 MAC source address. For
802.2 LLC/SNAP encapsulation, the EtherType value follows 802.2 LLC/SNAP encapsulation, the EtherType value follows
the Organization Code field in the 802.2 SNAP header. The the Organization Code field in the 802.2 SNAP header. The
value that is tested with regard to this filter component value that is tested with regard to this filter component
therefore depends on the data link layer frame format being therefore depends on the data link layer frame format being
used. If this 802 filter component is active when there is used. If this 802 filter component is active when there is
no EtherType field in a frame (e.g., 802.2 LLC), a match is no EtherType field in a frame (e.g., 802.2 LLC), a match is
implied." implied."
Framework Policy Information Base May 30, 2002
::= { frwk802FilterEntry 7 } ::= { frwk802FilterEntry 7 }
frwk802FilterUserPriority OBJECT-TYPE frwk802FilterUserPriority OBJECT-TYPE
SYNTAX BITS { SYNTAX BITS {
matchPriority0(0), matchPriority0(0),
matchPriority1(1), matchPriority1(1),
matchPriority2(2), matchPriority2(2),
matchPriority3(3), matchPriority3(3),
matchPriority4(4), matchPriority4(4),
matchPriority5(5), matchPriority5(5),
matchPriority6(6), matchPriority6(6),
matchPriority7(7) matchPriority7(7)
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The set of values, representing the potential range "The set of values, representing the potential range
Framework Policy Information Base January 2002
of user priority values, against which the value contained of user priority values, against which the value contained
in the user priority field of a tagged 802.1 frame is in the user priority field of a tagged 802.1 frame is
compared. A test for equality is performed when determining compared. A test for equality is performed when determining
if a match exists between the data in a data link layer if a match exists between the data in a data link layer
frame and the value of this 802 filter component. Multiple frame and the value of this 802 filter component. Multiple
values may be set at one time such that potentially several values may be set at one time such that potentially several
different user priority values may match this 802 filter different user priority values may match this 802 filter
component. component.
Setting all of the bits that are associated with this Setting all of the bits that are associated with this
skipping to change at page 47, line 44 skipping to change at page 53, line 4
classification based on the internal flow label set by the classification based on the internal flow label set by the
PEP possibly after ingress classification to avoid PEP possibly after ingress classification to avoid
re-classification at the egress interface on the same PEP." re-classification at the egress interface on the same PEP."
::= { frwkClassifierClasses 4 } ::= { frwkClassifierClasses 4 }
frwkILabelFilterEntry OBJECT-TYPE frwkILabelFilterEntry OBJECT-TYPE
SYNTAX FrwkILabelFilterEntry SYNTAX FrwkILabelFilterEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
Framework Policy Information Base May 30, 2002
"Internal label filter entry definition." "Internal label filter entry definition."
EXTENDS { frwkBaseFilterEntry } EXTENDS { frwkBaseFilterEntry }
UNIQUENESS { frwkBaseFilterNegation, UNIQUENESS { frwkBaseFilterNegation,
frwkILabelFilterILabel } frwkILabelFilterILabel }
::= { frwkILabelFilterTable 1 } ::= { frwkILabelFilterTable 1 }
FrwkILabelFilterEntry ::= SEQUENCE { FrwkILabelFilterEntry ::= SEQUENCE {
frwkILabelFilterILabel OCTET STRING frwkILabelFilterILabel OCTET STRING
} }
frwkILabelFilterILabel OBJECT-TYPE frwkILabelFilterILabel OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX OCTET STRING
STATUS current STATUS current
Framework Policy Information Base January 2002
DESCRIPTION DESCRIPTION
"The Label that this flow uses for differentiating traffic "The Label that this flow uses for differentiating traffic
flows. The flow labeling is meant for network device flows. The flow labeling is meant for network device
internal usage. A value of zero length string matches all internal usage. A value of zero length string matches all
internal labels." internal labels."
::= { frwkILabelFilterEntry 1 } ::= { frwkILabelFilterEntry 1 }
-- --
-- The Marker classes group -- The Marker classes group
-- --
skipping to change at page 48, line 40 skipping to change at page 54, line 5
specified VLAN id, priority level." specified VLAN id, priority level."
::= { frwkMarkerClasses 1 } ::= { frwkMarkerClasses 1 }
frwk802MarkerEntry OBJECT-TYPE frwk802MarkerEntry OBJECT-TYPE
SYNTAX Frwk802MarkerEntry SYNTAX Frwk802MarkerEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"frwk802Marker entry definition." "frwk802Marker entry definition."
Framework Policy Information Base May 30, 2002
PIB-INDEX { frwk802MarkerPrid } PIB-INDEX { frwk802MarkerPrid }
UNIQUENESS { frwk802MarkerVlanId, UNIQUENESS { frwk802MarkerVlanId,
frwk802MarkerPriority } frwk802MarkerPriority }
::= { frwk802MarkerTable 1 } ::= { frwk802MarkerTable 1 }
Frwk802MarkerEntry::= SEQUENCE { Frwk802MarkerEntry::= SEQUENCE {
frwk802MarkerPrid InstanceId, frwk802MarkerPrid InstanceId,
frwk802MarkerVlanId Unsigned32, frwk802MarkerVlanId Unsigned32,
frwk802MarkerPriority Unsigned32 frwk802MarkerPriority Unsigned32
} }
frwk802MarkerPrid OBJECT-TYPE frwk802MarkerPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
Framework Policy Information Base January 2002
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify this 802 Marker." "An integer index to uniquely identify this 802 Marker."
::= { frwk802MarkerEntry 1 } ::= { frwk802MarkerEntry 1 }
frwk802MarkerVlanId OBJECT-TYPE frwk802MarkerVlanId OBJECT-TYPE
SYNTAX Unsigned32 (1..4094) SYNTAX Unsigned32 (1..4094)
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 49, line 44 skipping to change at page 55, line 5
frwkILabelMarkerTable OBJECT-TYPE frwkILabelMarkerTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkILabelMarkerEntry SYNTAX SEQUENCE OF FrwkILabelMarkerEntry
PIB-ACCESS install PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The Internal Label Marker class. A flow in a PEP can be "The Internal Label Marker class. A flow in a PEP can be
marked with an internal label using this PRC." marked with an internal label using this PRC."
::= { frwkMarkerClasses 2 } ::= { frwkMarkerClasses 2 }
Framework Policy Information Base May 30, 2002
frwkILabelMarkerEntry OBJECT-TYPE frwkILabelMarkerEntry OBJECT-TYPE
SYNTAX FrwkILabelMarkerEntry SYNTAX FrwkILabelMarkerEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"frwkILabelkMarker entry definition." "frwkILabelkMarker entry definition."
PIB-INDEX { frwkILabelMarkerPrid } PIB-INDEX { frwkILabelMarkerPrid }
UNIQUENESS { frwkILabelMarkerILabel } UNIQUENESS { frwkILabelMarkerILabel }
::= { frwkILabelMarkerEntry 1 } ::= { frwkILabelMarkerTable 1 }
FrwkILabelMarkerEntry::= SEQUENCE { FrwkILabelMarkerEntry::= SEQUENCE {
Framework Policy Information Base January 2002
frwkILabelMarkerPrid InstanceId, frwkILabelMarkerPrid InstanceId,
frwkILabelMarkerILabel OCTET STRING frwkILabelMarkerILabel OCTET STRING
} }
frwkILabelMarkerPrid OBJECT-TYPE frwkILabelMarkerPrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An integer index to uniquely identify this Label Marker." "An integer index to uniquely identify this Label Marker."
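Review bot: The DESCRIPTION of frwkILabelMarkerEntry still reads "frwkILabelkMarker entry definition." on both sides of the diff; drop the stray "k" so the text matches the descriptor. The OID assignment fix from { frwkILabelMarkerEntry 1 } to { frwkILabelMarkerTable 1 } is correct: the -07 form registered the entry under itself, and the new form follows the same pattern as frwk802MarkerEntry's { frwk802MarkerTable 1 }.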
skipping to change at page 50, line 34 skipping to change at page 55, line 46
used for other policy related functions like flow used for other policy related functions like flow
accounting purposes and/or other data path treatments." accounting purposes and/or other data path treatments."
::= { frwkILabelMarkerEntry 2 } ::= { frwkILabelMarkerEntry 2 }
-- --
-- Conformance Section -- Conformance Section
-- --
frwkBasePibConformance frwkBasePibConformance
OBJECT IDENTIFIER ::= { frameworkPib 4 } OBJECT IDENTIFIER ::= { frameworkPib 5 }
frwkBasePibCompliances frwkBasePibCompliances
OBJECT IDENTIFIER ::= { frwkBasePibConformance 1 } OBJECT IDENTIFIER ::= { frwkBasePibConformance 1 }
frwkBasePibGroups frwkBasePibGroups
OBJECT IDENTIFIER ::= { frwkBasePibConformance 2 } OBJECT IDENTIFIER ::= { frwkBasePibConformance 2 }
Framework Policy Information Base May 30, 2002
frwkBasePibCompliance MODULE-COMPLIANCE frwkBasePibCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Describes the requirements for conformance to the "Describes the requirements for conformance to the
Framework PIB." Framework PIB."
MODULE -- this module MODULE -- this module
MANDATORY-GROUPS { frwkPrcSupportGroup, MANDATORY-GROUPS { frwkPrcSupportGroup,
frwkPibIncarnationGroup, frwkPibIncarnationGroup,
frwkDeviceIdGroup, frwkDeviceIdGroup,
frwkCompLimitsGroup, frwkCompLimitsGroup,
frwkIfCapSetGroup, frwkCapabilitySetGroup,
frwkRoleComboGroup, frwkRoleComboGroup,
Framework Policy Information Base January 2002
frwkIfRoleComboGroup } frwkIfRoleComboGroup }
OBJECT frwkPibIncarnationLongevity OBJECT frwkPibIncarnationLongevity
PIB-MIN-ACCESS notify PIB-MIN-ACCESS notify
DESCRIPTION "Install support is not required." DESCRIPTION
"Install support is required if policy expiration is to
be supported."
OBJECT frwkPibIncarnationTtl OBJECT frwkPibIncarnationTtl
PIB-MIN-ACCESS notify PIB-MIN-ACCESS notify
DESCRIPTION "Install support is not required." DESCRIPTION
"Install support is required if policy expiration is to
be supported."
OBJECT frwkPibIncarnationInCtxtSet OBJECT frwkPibIncarnationInCtxtSet
PIB-MIN-ACCESS notify PIB-MIN-ACCESS notify
DESCRIPTION "Install support is not required." DESCRIPTION
"Install support is required if configuration contexts
and outsourcing contexts are both to be supported."
OBJECT frwkPibIncarnationFullState OBJECT frwkPibIncarnationFullState
PIB-MIN-ACCESS notify PIB-MIN-ACCESS notify
DESCRIPTION "Install support is not required." DESCRIPTION
"Install support is required if incremental updates to
request states is to be supported."
GROUP frwkReferenceGroup GROUP frwkReferenceGroup
DESCRIPTION DESCRIPTION
"The frwkReferenceGroup is mandatory if referencing "The frwkReferenceGroup is mandatory if referencing
across PIB contexts for specific client-types is across PIB contexts for specific client-types is to be
supported." supported."
GROUP frwkErrorGroup GROUP frwkErrorGroup
DESCRIPTION DESCRIPTION
"The frwkErrorGroup is mandatory sending errors in "The frwkErrorGroup is mandatory sending errors in
decisions is required." decisions is to be supported."
GROUP frwkBaseFilterGroup GROUP frwkBaseFilterGroup
DESCRIPTION DESCRIPTION
"The frwkBaseFilterGroup is mandatory if filtering "The frwkBaseFilterGroup is mandatory if filtering
based on traffic components is supported." based on traffic components is to be supported."
Framework Policy Information Base May 30, 2002
GROUP frwkIpFilterGroup GROUP frwkIpFilterGroup
DESCRIPTION DESCRIPTION
"The frwkIpFilterGroup is mandatory if filtering "The frwkIpFilterGroup is mandatory if filtering
based on IP traffic components is supported." based on IP traffic components is to be supported."
GROUP frwk802FilterGroup GROUP frwk802FilterGroup
DESCRIPTION DESCRIPTION
"The frwk802FilterGroup is mandatory if filtering "The frwk802FilterGroup is mandatory if filtering
based on 802 traffic criteria is supported." based on 802 traffic criteria is to be supported."
GROUP frwkILabelFilterGroup GROUP frwkILabelFilterGroup
DESCRIPTION DESCRIPTION
"The frwkILabelFilterGroup is mandatory if filtering "The frwkILabelFilterGroup is mandatory if filtering
based on PEP internal label is supported." based on PEP internal label is to be supported."
GROUP frwk802MarkerGroup GROUP frwk802MarkerGroup
DESCRIPTION DESCRIPTION
"The frwk802MarkerGroup is mandatory if marking a packet "The frwk802MarkerGroup is mandatory if marking a packet
with 802 traffic criteria is to be supported."
Framework Policy Information Base January 2002
with 802 traffic criteria is supported."
GROUP frwkILabelMarkerGroup GROUP frwkILabelMarkerGroup
DESCRIPTION DESCRIPTION
"The frwkILabelMarkerGroup is mandatory if marking a "The frwkILabelMarkerGroup is mandatory if marking a
flow with internal labels is supported." flow with internal labels is to be supported."
::= { frwkBasePibCompliances 1 } ::= { frwkBasePibCompliances 1 }
frwkPrcSupportGroup OBJECT-GROUP frwkPrcSupportGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkPrcSupportSupportedPrc, frwkPrcSupportSupportedPrc,
frwkPrcSupportSupportedAttrs } frwkPrcSupportSupportedAttrs }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkPrcSupportTable." "Objects from the frwkPrcSupportTable."
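Review bot: The frwkErrorGroup DESCRIPTION still lacks "if" in -08 ("is mandatory sending errors in decisions is to be supported"), while every other GROUP clause in this compliance statement reads "is mandatory if ..."; the same pass should fix "incremental updates to request states is to be supported" to "are". Separately, moving frwkBasePibConformance from { frameworkPib 4 } to { frameworkPib 5 } renumbers every compliance and group OID beneath it, and the hunk does not show what now occupies 4, so the renumbering deserves an explicit mention in the change log. The four frwkPibIncarnation objects keep PIB-MIN-ACCESS notify while their DESCRIPTION now makes install support conditional on a feature; implementers would benefit from the text stating that notify-only remains conformant when that feature is absent.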
skipping to change at page 52, line 41 skipping to change at page 58, line 5
frwkPibIncarnationTtl, frwkPibIncarnationTtl,
frwkPibIncarnationActive, frwkPibIncarnationActive,
frwkPibIncarnationFullState frwkPibIncarnationFullState
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkDevicePibIncarnationTable." "Objects from the frwkDevicePibIncarnationTable."
::= { frwkBasePibGroups 2 } ::= { frwkBasePibGroups 2 }
Framework Policy Information Base May 30, 2002
frwkDeviceIdGroup OBJECT-GROUP frwkDeviceIdGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkDeviceIdDescr, frwkDeviceIdDescr,
frwkDeviceIdMaxMsg, frwkDeviceIdMaxMsg,
frwkDeviceIdMaxContexts } frwkDeviceIdMaxContexts }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkDeviceIdTable." "Objects from the frwkDeviceIdTable."
::= { frwkBasePibGroups 3 } ::= { frwkBasePibGroups 3 }
frwkCompLimitsGroup OBJECT-GROUP frwkCompLimitsGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkCompLimitsComponent, frwkCompLimitsComponent,
frwkCompLimitsAttrPos, frwkCompLimitsAttrPos,
frwkCompLimitsNegation, frwkCompLimitsNegation,
frwkCompLimitsType, frwkCompLimitsType,
frwkCompLimitsSubType, frwkCompLimitsSubType,
Framework Policy Information Base January 2002
frwkCompLimitsGuidance } frwkCompLimitsGuidance }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkCompLimitsTable." "Objects from the frwkCompLimitsTable."
::= { frwkBasePibGroups 4 } ::= { frwkBasePibGroups 4 }
frwkReferenceGroup OBJECT-GROUP frwkReferenceGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkReferenceClientType, frwkReferenceClientType,
frwkReferenceClientHandle, frwkReferenceClientHandle,
frwkReferencePrid, } frwkReferencePrid }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkReferenceTable." "Objects from the frwkReferenceTable."
::= { frwkBasePibGroups 5 } ::= { frwkBasePibGroups 5 }
frwkErrorGroup OBJECT-GROUP frwkErrorGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkErrorCode, frwkErrorCode,
frwkErrorSubCode, frwkErrorSubCode,
frwkErrorPrc, frwkErrorPrc,
frwkErrorInstance } frwkErrorInstance }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkErrorTable." "Objects from the frwkErrorTable."
::= { frwkBasePibGroups 6 } ::= { frwkBasePibGroups 6 }
frwkIfCapSetGroup OBJECT-GROUP frwkCapabilitySetGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkIfCapSetName, frwkCapabilitySetName,
frwkIfCapSetCapability } frwkCapabilitySetCapability }
STATUS current STATUS current
Framework Policy Information Base May 30, 2002
DESCRIPTION DESCRIPTION
"Objects from the frwkIfCapSetTable." "Objects from the frwkCapabilitySetTable."
::= { frwkBasePibGroups 7 } ::= { frwkBasePibGroups 7 }
frwkRoleComboGroup OBJECT-GROUP frwkRoleComboGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkRoleComboRoles, frwkRoleComboRoles,
frwkRoleComboCapSetName } frwkRoleComboCapSetName }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkRoleComboTable." "Objects from the frwkRoleComboTable."
::= { frwkBasePibGroups 8 } ::= { frwkBasePibGroups 8 }
Framework Policy Information Base January 2002
frwkIfRoleComboGroup OBJECT-GROUP frwkIfRoleComboGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkIfRoleComboIfIndex } frwkIfRoleComboIfIndex }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkIfRoleComboTable." "Objects from the frwkIfRoleComboTable."
::= { frwkBasePibGroups 9 } ::= { frwkBasePibGroups 9 }
frwkBaseFilterGroup OBJECT-GROUP frwkBaseFilterGroup OBJECT-GROUP
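Review bot: The DESCRIPTION at the top of this hunk says "Objects from the frwkDevicePibIncarnationTable." although every object listed is named frwkPibIncarnation*, and Section 6 of -08 calls the table frwkPibIncarnationTable; align the table name so readers can map the group to the PRC. The rename of frwkIfCapSetGroup to frwkCapabilitySetGroup is applied to the group, its two objects and the table reference, but frwkRoleComboCapSetName in the next group keeps the old "CapSet" abbreviation; confirm that is intentional. Removing the trailing comma in "frwkReferencePrid, }" is a needed syntax fix.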
skipping to change at page 54, line 33 skipping to change at page 59, line 48
::= { frwkBasePibGroups 10 } ::= { frwkBasePibGroups 10 }
frwkIpFilterGroup OBJECT-GROUP frwkIpFilterGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkIpFilterAddrType, frwkIpFilterAddrType,
frwkIpFilterDstAddr, frwkIpFilterDstAddr,
frwkIpFilterDstPrefixLength, frwkIpFilterDstPrefixLength,
frwkIpFilterSrcAddr, frwkIpFilterSrcAddr,
frwkIpFilterSrcPrefixLength, frwkIpFilterSrcPrefixLength,
frwkIpFilterDscp, frwkIpFilterDscp,
frwkIpFilterFlowId frwkIpFilterFlowId,
frwkIpFilterProtocol, frwkIpFilterProtocol,
frwkIpFilterDstL4PortMin, frwkIpFilterDstL4PortMin,
frwkIpFilterDstL4PortMax, frwkIpFilterDstL4PortMax,
frwkIpFilterSrcL4PortMin, frwkIpFilterSrcL4PortMin,
frwkIpFilterSrcL4PortMax } frwkIpFilterSrcL4PortMax }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkIpFilterTable." "Objects from the frwkIpFilterTable."
Framework Policy Information Base May 30, 2002
::= { frwkBasePibGroups 11 } ::= { frwkBasePibGroups 11 }
frwk802FilterGroup OBJECT-GROUP frwk802FilterGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwk802FilterDstAddr, frwk802FilterDstAddr,
frwk802FilterDstAddrMask, frwk802FilterDstAddrMask,
frwk802FilterSrcAddr, frwk802FilterSrcAddr,
frwk802FilterSrcAddrMask, frwk802FilterSrcAddrMask,
frwk802FilterVlanId, frwk802FilterVlanId,
frwk802FilterVlanTagRequired, frwk802FilterVlanTagRequired,
frwk802FilterEtherType, frwk802FilterEtherType,
frwk802FilterUserPriority } frwk802FilterUserPriority }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwk802FilterTable." "Objects from the frwk802FilterTable."
Framework Policy Information Base January 2002
::= { frwkBasePibGroups 12 } ::= { frwkBasePibGroups 12 }
frwkILabelFilterGroup OBJECT-GROUP frwkILabelFilterGroup OBJECT-GROUP
OBJECTS { OBJECTS { frwkILabelFilterILabel }
FrwkILabelFilterILabel }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkILabelFilterTable." "Objects from the frwkILabelFilterTable."
::= { frwkBasePibGroups 13 } ::= { frwkBasePibGroups 13 }
frwk802MarkerGroup OBJECT-GROUP frwk802MarkerGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwk802MarkerVlanId, frwk802MarkerVlanId,
frwk802MarkerPriority } frwk802MarkerPriority }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwk802MarkerTable." "Objects from the frwk802MarkerTable."
::= { frwkBasePibGroups 14 } ::= { frwkBasePibGroups 14 }
frwkILabelMarkerGroup OBJECT-GROUP frwkILabelMarkerGroup OBJECT-GROUP
OBJECTS { OBJECTS { frwkILabelMarkerILabel }
FrwkILabelMarkerILabel }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkILabelMarkerTable." "Objects from the frwkILabelMarkerTable."
::= { frwkBasePibGroups 15 } ::= { frwkBasePibGroups 15 }
END END
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
6. Security Considerations 6. Security Considerations
It is clear that this PIB is used for configuration using [COPS-PR], It is clear that this PIB is used for configuration using [COPS-PR],
and anything that can be configured can be misconfigured, with and anything that can be configured can be misconfigured, with
potentially disastrous effect. At this writing, no security holes potentially disastrous effect. At this writing, no security holes
have been identified beyond those that the COPS base protocol have been identified beyond those that the COPS base protocol
security is itself intended to address. These relate primarily to security is itself intended to address. These relate primarily to
controlled access to sensitive information and the ability to controlled access to sensitive information and the ability to
configure a device - or which might result from operator error, configure a device - or which might result from operator error,
which is beyond the scope of any security architecture. which is beyond the scope of any security architecture.
There are a number of provisioning classes defined in this PIB that There are a number of PRovisioning Classes defined in this PIB that
have a PIB-ACCESS clause of install and install-notify (read- have a PIB-ACCESS clause of install and install-notify (read-
create). Such objects may be considered sensitive or vulnerable in create). These are:
some network environments. The support for "Install" or "Install-
Notify" decisions sent over [COPS-PR] in a non-secure environment frwkPibIncarnationTable: Malicious access of this PRC can cause the
without proper protection can have a negative effect on network PEP to use an incorrect context of policies.
operations. There are a number of provisioning classes in this PIB frwkReferenceTable: Malicious access of this PRC can cause the PEP
that may contain information that may be sensitive from a business to interpret the installed policy in an incorrect manner.
frwkErrorTable: Malicious access of this PRC can cause the PEP to
incorrectly assume that the PDP could not process its messages.
FrwkCapabilitySetTable, frwkRoleComboTable and frwkIfRoleComboTable:
Malicious access of these PRCs can cause the PEP to apply policies
to the wrong interfaces.
FrwkBaseFilterTable, frwkIpFilterTable, frwk802FilterTable and
frwkILabelFilterTable: Malicious access of these PRCs can cause
unintended classification of traffic on the PEP potentially leading
to incorrect policies being applied.
frwk802MarkerTable, frwkILabelMarkerTable: Malicious access of these
PRCs can cause unintended marking of traffic on the PEP potentially
leading to incorrect policies being applied.
Such objects may be considered sensitive or vulnerable in some
network environments. The support for "Install" or "Install-Notify"
decisions sent over [COPS-PR] in a non-secure environment without
proper protection can have a negative effect on network operations.
There are a number of PRovisioning Classes in this PIB that may
contain information that may be sensitive from a business
perspective, in that they may represent a customer's service perspective, in that they may represent a customer's service
contract or the filters that the service provider chooses to apply contract or the filters that the service provider chooses to apply
to a customer's ingress or egress traffic. There are no PRCs that to a customer's ingress or egress traffic. There are no PRCs that
are sensitive in their own right, such as passwords or monetary are sensitive in their own right, such as passwords or monetary
amounts. It may be important to control even "Notify"(read-only) amounts. It may be important to control even "Notify"(read-only)
access to these PRCs and possibly to even encrypt the values of access to these PRCs and possibly to even encrypt the values of
these PRIs when sending them over the network via COPS-PR. The use these PRIs when sending them over the network via COPS-PR. The use
of IPSEC between the PDP and the PEP, as described in [COPS], of IPSEC between the PDP and the PEP, as described in [COPS],
provides the necessary protection against security threats. However, provides the necessary protection against security threats. However,
even if the network itself is secure, there is no control as to who even if the network itself is secure, there is no control as to who
on the secure network is allowed to "Install/Notify" on the secure network is allowed to "Install/Notify"
(read/change/create/delete) the PRIs in this PIB. (read/change/create/delete) the PRIs in this PIB.
Framework Policy Information Base May 30, 2002
It is then a customer/user responsibility to ensure that the PEP/PDP It is then a customer/user responsibility to ensure that the PEP/PDP
giving access to an instance of this PIB, is properly configured to giving access to an instance of this PIB, is properly configured to
give access to the PRIs only to those principals (users) that have give access to the PRIs only to those principals (users) that have
legitimate rights to indeed "Install" or "Notify" (change/create/ legitimate rights to indeed "Install" or "Notify" (change/create/
delete) them. delete) them.
7. RFC Editor Considerations 7. RFC Editor Considerations
This document references [INETADDR] which is in the IESG last call This document normatively references [INETADDR] and [DS-MIB] which
stage. This document references it as an Internet Draft. Please use are in the IESG last call stage. Please use the corresponding RFC
the corresponding RFC number prior to publishing of this document as numbers prior to publishing of this document as a RFC.
a RFC.
8. IANA Considerations 8. IANA Considerations
This document describes the frameworkPib and frwkTcPib Policy This document describes the frameworkPib and frwkTcPib Policy
Information Base (PIB) modules for standardization. An IANA assigned Information Base (PIB) modules for standardization under the "pib"
PIB number is requested for both [SPPI]. branch registered with IANA. An IANA assigned PIB number is
requested for both under the "pib" branch.
Framework Policy Information Base January 2002 Both these PIBs use "all" in the SUBJECT-CATEGORIES clause, i.e.,
they apply to all COPS client types. No new COPS client type is to
be registered for these two PIB modules.
9. Author Information and Acknowledgments 9. Author Information and Acknowledgments
Michael Fine Michael Fine
Cisco Systems, Inc. Atheros Communications
170 West Tasman Drive 529 Almanor Ave
San Jose, CA 95134-1706 USA Sunnyvale, CA 94085 USA
Phone: +1 408 527 8218 Phone: +1 408 773 5324
Email: mfine@cisco.com Email: mfine@atheros.com
Keith McCloghrie Keith McCloghrie
Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive 170 West Tasman Drive
San Jose, CA 95134-1706 USA San Jose, CA 95134-1706 USA
Phone: +1 408 526 5260 Phone: +1 408 526 5260
Email: kzm@cisco.com Email: kzm@cisco.com
John Seligson John Seligson
Nortel Networks, Inc. Nortel Networks, Inc.
4401 Great America Parkway 4401 Great America Parkway
Santa Clara, CA 95054 USA Santa Clara, CA 95054 USA
Phone: +1 408 495 2992 Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com Email: jseligso@nortelnetworks.com
Kwok Ho Chan Kwok Ho Chan
Nortel Networks, Inc. Nortel Networks, Inc.
600 Technology Park Drive 600 Technology Park Drive
Billerica, MA 01821 USA Billerica, MA 01821 USA
Framework Policy Information Base May 30, 2002
Phone: +1 978 288 8175 Phone: +1 978 288 8175
Email: khchan@nortelnetworks.com Email: khchan@nortelnetworks.com
Scott Hahn
Intel Corp.
2111 NE 25th Avenue
Hillsboro, OR 97124 USA
Phone: +1 503 264 8231
Email: scott.hahn@intel.com
Ravi Sahita Ravi Sahita
Intel Corp. Intel Labs.
2111 NE 25th Avenue 2111 NE 25th Avenue
Hillsboro, OR 97124 USA Hillsboro, OR 97124 USA
Phone: +1 503 712 1554 Phone: +1 503 712 1554
Email: ravi.sahita@intel.com Email: ravi.sahita@intel.com
Scott Hahn
Intel Labs.
2111 NE 25th Avenue
Hillsboro, OR 97124 USA
Phone: +1 503 264 8231
Email: scott.hahn@intel.com
Andrew Smith Andrew Smith
Allegro Networks Allegro Networks
6399 San Ignacio Ave. 6399 San Ignacio Ave.
San Jose San Jose
CA 95119 CA 95119
FAX: 415 345 1827 FAX: 415 345 1827
Email: andrew@allegronetworks.com Email: andrew@allegronetworks.com
Framework Policy Information Base January 2002
Francis Reichmeyer Francis Reichmeyer
PFN, Inc. PFN, Inc.
University Park at MIT University Park at MIT
26 Landsdowne Street 26 Landsdowne Street
Cambridge, MA 02139 Cambridge, MA 02139
Phone: +1 617 494 9980 Phone: +1 617 494 9980
Email: franr@pfn.com Email: franr@pfn.com
Special thanks to Carol Bell and David Durham for their many Special thanks to Carol Bell and David Durham for their many
significant comments. significant comments.
Framework Policy Information Base May 30, 2002
10. References 10. References
10.1 Normative References
[COPS] [COPS]
Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan, R., and Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan, R., and
A. Sastry, "The COPS (Common Open Policy Service) Protocol" A. Sastry, "The COPS (Common Open Policy Service) Protocol"
RFC 2748, January 2000. RFC 2748, January 2000.
[COPS-PR] [COPS-PR]
K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie,
F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage
for Policy Provisioning," RFC 3084, March 2001. for Policy Provisioning," RFC 3084, March 2001.
[SPPI] [SPPI]
K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Hahn, K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Hahn,
R. Sahita, A. Smith, F. Reichmeyer, "Structure of Policy R. Sahita, A. Smith, F. Reichmeyer, "Structure of Policy
Provisioning Information," RFC 3159, August 2001. Provisioning Information," RFC 3159, August 2001.
[RAP-FRAMEWORK]
R. Yavatkar, D. Pendarakis, "A Framework for Policy-based
Admission Control", RFC 2753, January 2000.
[SNMP-SMI] [SNMP-SMI]
K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose
and S. Waldbusser, "Structure of Management Information and S. Waldbusser, "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[INETADDR] [INETADDR]
M. Daniele, B. Haberman, S. Routhier and J. Schoenwaelder M. Daniele, B. Haberman, S. Routhier and J. Schoenwaelder
"Textual Conventions for Internet Network Addresses" "Textual Conventions for Internet Network Addresses"
draft-ietf-ops-rfc2851-update-06.txt, December 17, 2001 RFC3291, May 2002
[IFMIB]
K. McCloghrie, F. Kastenholz, "The Interface Group MIB using
SMIv2" RFC 2233, November 1977.
[802] [802]
IEEE Standards for Local and Metropolitan Area Networks: IEEE Standards for Local and Metropolitan Area Networks:
Overview and Architecture, ANSI/IEEE Std 802, 1990. Overview and Architecture, ANSI/IEEE Std 802, 1990.
Framework Policy Information Base January 2002
[SNMPFRWK] [SNMPFRWK]
Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
for Describing SNMP Management Frameworks", RFC 2571, for Describing SNMP Management Frameworks", RFC 2571,
May 1999 May 1999
[STD17] [RFC2863]
K. McCloghrie, M. Rose "Management Information Base for Network K. McCloghrie, F. Kastenholz, "The Interfaces Group MIB",
Management of TCP/IP-based internets: MIB-II" STD 17, RFC 1213, RFC 2863, June 2000
March 1991
[DS-MIB]
F. Baker, K. Chan, A. Smith, "Management Information Base for
the Differentiated Services Architecture",
draft-ietf-diffserv-mib-16.txt, November 2001
[SNMPv2TC]
K. McCloghrie, D. Perkins, J. Schoenwaelder, "Textual
Conventions for SMIv2", RFC 2579, STD 58, April 1999
Framework Policy Information Base May 30, 2002
[RFC2279]
F. Yergeau, "UTF-8, a transformation format of ISO 10646",
RFC 2279, January 1998
10.2 Informative References
[RAP-FRAMEWORK]
R. Yavatkar, D. Pendarakis, "A Framework for Policy-based
Admission Control", RFC 2753, January 2000.
[POLTERM]
A. Westerinen, J. Schnizlein, J. Strassner, M. Scherling, B.
Quinn, S. Herzog, A. Huynh, M. Carlson, J. Perry, S.
Waldbusser, "Terminology for Policy-Based Management", RFC
3198, November 2001.
11. Full Copyright 11. Full Copyright
Copyright (C) The Internet Society (2001). All Rights Reserved. This Copyright (C) The Internet Society (2001). All Rights Reserved. This
document and translations of it may be copied and furnished to document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this are included on all such copies and derivative works. However, this
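Review bot: In the rewritten Section 6, the PRC names "FrwkCapabilitySetTable" and "FrwkBaseFilterTable" start with an upper-case F, unlike the descriptors used everywhere else in the module (frwkRoleComboTable, frwkIpFilterTable and so on); since operators will use this list to decide which PRCs need restricted Install access, the names should match the module exactly. The per-PRC impact list is a clear improvement over the -07 text, but the section still ends by noting that nothing controls who on a secured network may Install/Notify these PRIs, so it would help to state that the listed PRCs are the ones to restrict first. Section 7 also says [INETADDR] and [DS-MIB] "are in the IESG last call stage" while the -08 reference entry already cites [INETADDR] as "RFC3291, May 2002"; one of the two needs updating. The copyright line remains "(2001)" in a draft dated May 30, 2002.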
skipping to change at page 60, line 5 skipping to change at page 66, line 5
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Framework Policy Information Base January 2002 Framework Policy Information Base May 30, 2002
Table of Contents Table of Contents
Status of this Memo...............................................1 Status of this Memo...............................................1
Abstract..........................................................2 Abstract..........................................................2
1. Glossary.......................................................2 1. Glossary.......................................................2
2. General PIB Concepts...........................................2 2. General PIB Concepts...........................................2
2.1. Roles........................................................2 2.1. Roles........................................................2
2.1.1. An Example.................................................4 2.1.1. An Example.................................................4
2.2. Management of Role-Combinations from the PDP.................5 2.2. Management of Role-Combinations from the PDP.................5
2.3. Updating a Request State.....................................6 2.3. Updating a Request State.....................................6
2.3.1 Full Request State..........................................6 2.3.1 Full Request State..........................................7
2.3.2 Installing PRIs in a Request................................7 2.3.2 Installing PRIs in a Request................................7
2.3.3 Updating PRIs in a Request..................................7 2.3.3 Updating PRIs in a Request..................................7
2.3.4 Removing PRIs from a Request................................7 2.3.4 Removing PRIs from a Request................................7
2.3.5 Removing EXTENDED, AUGMENTED PRIs...........................8 2.3.5 Removing EXTENDED, AUGMENTED PRIs...........................8
2.3.6 Error Handling in Request updates...........................8 2.3.6 Error Handling in Request updates...........................8
2.4. Multiple PIB Instances.......................................8 2.4. Multiple PIB Instances.......................................8
2.5. Reporting and Configuring of Device Capabilities............10 2.5. Reporting and Configuring of Device Capabilities............10
2.6. Reporting of Device Limitations.............................10 2.6. Reporting of Device Limitations.............................10
3. The Framework TC PIB module...................................11 3. The Framework TC PIB module...................................12
4. Summary of the Framework PIB..................................14 4. Summary of the Framework PIB..................................17
4.1. Base PIB classes Group......................................14 4.1. Base PIB classes Group......................................17
4.2. Device Capabilities group...................................15 4.2. Device Capabilities group...................................18
4.3. Classifier group............................................16 4.3. Classifier group............................................19
4.4. Marker group................................................16 4.4. Marker group................................................19
5. The Framework PIB Module......................................17 5. The Framework PIB Module......................................20
6. Security Considerations.......................................56 6. Security Considerations.......................................61
7. RFC Editor Considerations.....................................56 7. RFC Editor Considerations.....................................62
8. IANA Considerations...........................................56 8. IANA Considerations...........................................62
9. Author Information and Acknowledgments........................57 9. Author Information and Acknowledgments........................62
10. References...................................................58 10. References...................................................64
11. Full Copyright...............................................59 10.1 Normative References........................................64
10.2 Informative References......................................65
11. Full Copyright...............................................65
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/