draft-ietf-rap-frameworkpib-09.txt   rfc3318.txt 
Internet Draft M. Fine Network Working Group R. Sahita, Ed.
Expires December 2002 Atheros Comm. Request for Comments: 3318 S. Hahn
File: draft-ietf-rap-frameworkpib-09.txt K. McCloghrie Category: Informational Intel Labs
Cisco Systems K. Chan
J. Seligson Nortel Networks
K. Chan K. McCloghrie
Nortel Networks Cisco Systems
R. Sahita, Ed. March 2003
S. Hahn
Intel Labs
A. Smith
Harbour Networks
F. Reichmeyer
PFN
June 7, 2002
Framework Policy Information Base Framework Policy Information Base
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This memo provides information for the Internet community. It does
all provisions of Section 10 of RFC2026. Internet-Drafts are not specify an Internet standard of any kind. Distribution of this
working documents of the Internet Engineering Task Force (IETF), its memo is unlimited.
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as ''work in
progress''.
To view the current status of any Internet-Draft, please check the Copyright Notice
''1id-abstracts.txt'' listing contained in an Internet-Drafts Shadow
Directory, see http://www.ietf.org/shadow.html.
Framework Policy Information Base June 7, 2002 Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract Abstract
This document defines a set of PRovisioning Classes (PRCs) and
textual conventions that are common to all clients that provision
policy using Common Open Policy Service (COPS) protocol for
Provisioning.
Structure of Policy Provisioning Information (SPPI) describes a Structure of Policy Provisioning Information (SPPI) describes a
structure for specifying policy information that can then be structure for specifying policy information that can then be
transmitted to a network device for the purpose of configuring transmitted to a network device for the purpose of configuring policy
policy at that device. The model underlying this structure is one at that device. The model underlying this structure is one of well-
of well-defined PRovisioning Classes (PRCs) and instances of these defined (PRCs) and instances of these classes (PRIs) residing in a
classes (PRIs) residing in a virtual information store called the virtual information store called the Policy Information Base (PIB).
Policy Information Base (PIB).
One way to provision policy is by means of the Common Open Policy One way to provision policy is by means of the (COPS) protocol with
Service (COPS) protocol with the extensions for provisioning. This the extensions for provisioning. This protocol supports multiple
protocol supports multiple clients, each of which may provision clients, each of which may provision policy for a specific policy
policy for a specific policy domain such as QoS, virtual private domain such as QoS, virtual private networks, or security.
networks, or security.
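Review bot: In the right-hand (rfc3318.txt) column of the Abstract, removing the expansions leaves two dangling parentheticals: "one of well-defined (PRCs) and instances of these classes (PRIs)" and "by means of the (COPS) protocol". The paragraph that now opens the Abstract already expands both terms, so drop the parentheses here and write "one of well-defined PRCs and instances of these classes (PRIs)" and "by means of the COPS protocol".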
As described in COPS usage for Policy Provisioning (COPS-PR), each As described in COPS usage for Policy Provisioning (COPS-PR), each
client supports a non-overlapping and independent set of PIB client supports a non-overlapping and independent set of PIB modules.
modules. However, some PRovisioning Classes are common to all However, some PRovisioning Classes are common to all subject-
subject-categories (client-types) and need to be present in each. categories (client-types) and need to be present in each.
This document defines a set of PRCs and textual conventions that are
common to all clients that provision policy using COPS for Table of Contents
Provisioning.
Conventions used in this document.................................2
1. Glossary.......................................................2
2. General PIB Concepts...........................................3
2.1. Roles......................................................3
2.1.1. An Example.............................................5
2.2. Management of Role-Combinations from the PDP...............6
2.3. Updating a Request State...................................7
2.3.1 Full Request State......................................8
2.3.2 Installing PRIs in a Request............................8
2.3.3 Updating PRIs in a Request..............................8
2.3.4 Removing PRIs from a Request............................9
2.3.5 Removing EXTENDED, AUGMENTED PRIs.......................9
2.3.6 Error Handling in Request updates.......................9
2.4. Multiple PIB Instances....................................10
2.5. Reporting and Configuring of Device Capabilities..........11
2.6. Reporting of Device Limitations...........................12
3. The Framework TC PIB module...................................12
4. Summary of the Framework PIB..................................17
4.1. Base PIB classes Group....................................17
4.2. Device Capabilities group.................................19
4.3. Classifier group..........................................20
4.4. Marker group..............................................20
5. The Framework PIB Module......................................21
6. Security Considerations.......................................66
7. IANA Considerations...........................................67
8. References....................................................67
8.1 Normative References.......................................67
8.2 Informative References.....................................68
9. Acknowledgments...............................................68
10. Authors' Addresses...........................................69
11. Full Copyright Statement.....................................70
Conventions used in this document Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
this document are to be interpreted as described in [RFC-2119]. document are to be interpreted as described in [RFC2119].
1. Glossary 1. Glossary
PRC PRovisioning Class. A type of policy data. See [POLTERM]. PRC PRovisioning Class. A type of policy data. See [POLTERM].
PRI PRovisioning Instance. An instance of a PRC. See [POLTERM]. PRI PRovisioning Instance. An instance of a PRC. See [POLTERM].
PIB Policy Information Base. The database of policy information. PIB Policy Information Base. The database of policy information.
See [POLTERM] See [POLTERM]
PDP Policy Decision Point. See [RAP-FRAMEWORK]. PDP Policy Decision Point. See [RAP-FRAMEWORK].
PEP Policy Enforcement Point. See [RAP-FRAMEWORK]. PEP Policy Enforcement Point. See [RAP-FRAMEWORK].
2. General PIB Concepts 2. General PIB Concepts
2.1. Roles 2.1. Roles
The policy to apply to an interface may depend on many factors such The policy to apply to an interface may depend on many factors, such
as immutable characteristics of the interface (e.g., Ethernet or as immutable characteristics of the interface (e.g., Ethernet or
frame relay), the status of the interface (e.g., half or full frame relay), the status of the interface (e.g., half or full
duplex), or user configuration (e.g., branch office or headquarters duplex), or user configuration (e.g., branch office or headquarters
interface). Rather than specifying policies explicitly for each interface). Rather than specifying policies explicitly for each
interface of all devices in the network, policies are specified in interface of all devices in the network, policies are specified in
terms of interface functionality. terms of interface functionality.
To describe these functionalities of an interface we use the concept To describe these functionalities of an interface, we use the concept
of "Roles". A Role is simply a string that is associated with an of "Roles". A Role is simply a string that is associated with an
interface. A given interface may have any number of roles interface. A given interface may have any number of roles
simultaneously. Provisioning classes have an attribute called a
Framework Policy Information Base June 7, 2002
simultaneously. Provisioning classes have an attribute called a
"RoleCombination" which is a lexicographically ordered set of roles. "RoleCombination" which is a lexicographically ordered set of roles.
Instances of a given PRovisioning Class are applied to an interface Instances of a given PRovisioning Class are applied to an interface
if and only if the set of roles in the role combination matches the if and only if the set of roles in the role combination matches the
set of the roles of the interface. set of the roles of the interface.
Thus, roles provide a way to bind policy to interfaces without Thus, roles provide a way to bind policy to interfaces without having
having to explicitly identify interfaces in a consistent manner to explicitly identify interfaces in a consistent manner across all
across all network devices. That is, roles provide a level of network devices. That is, roles provide a level of indirection to
indirection to the application of a set of policies to specific the application of a set of policies to specific interfaces. This
interfaces. This separates the policy definition from device separates the policy definition from device implementation specific
implementation specific interface identification. Furthermore, if interface identification. Furthermore, if the same policy is being
the same policy is being applied to several interfaces, that policy applied to several interfaces, that policy needs to be pushed to the
need be pushed to the device only once, rather than once per device only once, rather than once per interface, as long as the
interface, as long as the interfaces are configured with the same interfaces are configured with the same role combination.
role combination.
We point out that, in the event that the administrator needs to have We point out that, in the event that the administrator needs to have
unique policy for each interface, this can be achieved by a unique policy for each interface, the administrator can configure
configuring each interface with a unique role. each interface with a unique role.
The PEP sends all its Capability Set Names, Role Combinations, The PEP sends all its Capability Set Names, Role Combinations, Policy
Policy Controlled Interfaces, and their relationships to the PDP in Controlled Interfaces, and their relationships to the PDP in the
the first COPS request (REQ) message for a handle and whenever any first COPS request (REQ) message for a handle, and whenever any
updates or deletes occur. The PDP can install new instances or updates or deletes occur. The PDP can install new instances or
change existing instances of these PRIs. This operation can also change existing instances of these PRIs. This operation can also
occur in subsequent request messages generated in response to COPS occur in subsequent request messages generated in response to COPS
state synchronization (SSQ) requests and local configuration state synchronization (SSQ) requests and local configuration changes.
changes.
The comparing of roles (or role combinations) is case sensitive. The comparing of roles (or role combinations) is case sensitive.
By convention, when formatting the role-combination for exchange By convention, when formatting the role-combination for exchange
within a protocol message, within a PIB object's value, or as a within a protocol message, within a PIB object's value, or as a
printed value, the set is formatted in lexicographical order of the printed value, the set is formatted in lexicographical order of the
role's ASCII values; that is, the role that is first is formatted role's ASCII values; that is, the role that is first is formatted
first. For example, "a+b" and "b+a" are NOT different role- first. For example, "a+b" and "b+a" are NOT different role-
combinations; rather, they are different formatting of the same combinations; rather, they are different formatting of the same
role-combination, and hence for this example: role-combination, and hence for this example:
- "a+b" is the valid formatting of that role-combination, - "a+b" is the valid formatting of that role-combination,
- "b+a" is an invalid formatting of that role-combination. - "b+a" is an invalid formatting of that role-combination.
The role-combination of interfaces to which no roles have been The role-combination of interfaces to which no roles have been
assigned is known as the "null" role-combination. (Note the assigned is known as the "null" role-combination. (Note the
deliberate use of lower-case letters for "null" so that it avoids deliberate use of lower-case letters for "null" so that it avoids
confusion with the ASCII NULL character that has a value of zero but confusion with the ASCII NULL character that has a value of zero but
a length of one.) a length of one.)
In an "install" or an "install-notify" class, the wildcard role- In an "install" or an "install-notify" class, the wildcard role-
skipping to change at page 3, line 56 skipping to change at page 4, line 23
- "a+b" is the valid formatting of that role-combination, - "a+b" is the valid formatting of that role-combination,
- "b+a" is an invalid formatting of that role-combination. - "b+a" is an invalid formatting of that role-combination.
The role-combination of interfaces to which no roles have been The role-combination of interfaces to which no roles have been
assigned is known as the "null" role-combination. (Note the assigned is known as the "null" role-combination. (Note the
deliberate use of lower-case letters for "null" so that it avoids deliberate use of lower-case letters for "null" so that it avoids
confusion with the ASCII NULL character that has a value of zero but confusion with the ASCII NULL character that has a value of zero but
a length of one.) a length of one.)
In an "install" or an "install-notify" class, the wildcard role- In an "install" or an "install-notify" class, the wildcard role-
combination "*" can be used. In addition to providing for interface- combination "*" can be used. In addition to providing for
specific roles, it also allows for other optimizations in reducing interface-specific roles, it also allows for other optimizations in
the number of role-combinations for which a policy has to be reducing the number of role-combinations for which a policy has to be
specified. For example: specified. For example:
Framework Policy Information Base June 7, 2002
Suppose we have three interfaces: Suppose we have three interfaces:
Roles A, B and R1 are assigned to interface I1 Roles A, B and R1 are assigned to interface I1
Roles A, B and R2 are assigned to interface I2 Roles A, B and R2 are assigned to interface I2
Roles A, B and R3 are assigned to interface I3 Roles A, B and R3 are assigned to interface I3
Then, a PRI of a fictional IfDscpAssignTable that has the following Then, a PRI of a fictional IfDscpAssignTable that has the following
values for its attributes: values for its attributes:
ifDscpAssignPrid = 1 ifDscpAssignPrid = 1
ifDscpAssignRoles = "*+A+B" ifDscpAssignRoles = "*+A+B"
ifDscpAssignName = "4queues" ifDscpAssignName = "4queues"
ifDscpAssignDscpMap = 1 ifDscpAssignDscpMap = 1
will apply to all three interfaces, because "*" matches with R1, R2 will apply to all three interfaces, because "*" matches with R1, R2
and R3. The policies can be assigned to an interface due to more and R3. The policies can be assigned to an interface due to more
than one wild-carded role combo matching a given interface's role than one wild-carded role combo matching a given interface's role
combo string. The PDP should attempt to resolve conflicts between combo string. The PDP should attempt to resolve conflicts between
policies before sending policies to the PEP. In the situation where policies before sending policies to the PEP. In the situation where
the PDP sends multiple policies to a PEP and they do conflict, the PDP sends multiple policies to a PEP and they do conflict, either
either because of an error by the PDP or because of a device- because of an error by the PDP or because of a device specific
specific conflict, then the PEP MUST reject the installation of the conflict, the PEP MUST reject the installation of the conflicting
conflicting policies and return an error. policies and return an error.
Formally, Formally,
- The wildcard Role is denoted by "*", - The wildcard Role is denoted by "*",
- The "*" Role is not allowed to be defined as part of the role- - The "*" Role is not allowed to be defined as part of the role-
combination of an interface as notified by the PEP to the PDP; it combination of an interface as notified by the PEP to the PDP; it
is only allowed in policies installed/deleted via COPS-PR from is only allowed in policies installed/deleted via COPS-PR from the
the PDP to the PEP. PDP to the PEP.
- For a policy to apply to an interface when the policy's role- - For a policy to apply to an interface when the policy's role-
combination is "*+a+b", then the interface's role-combination: combination is "*+a+b", the interface's role-combination:
- Must include "a" and "b", and - Must include "a" and "b", and
- Can include zero or more other roles. - Can include zero or more other roles.
- The wildcard character "*" is listed before the other roles as - The wildcard character "*" is listed before the other roles as "*"
"*" is lexicographically before "a"; however, the wildcard matches is lexicographically before "a"; however, the wildcard matches any
any zero or more roles, irrespective of lexicographical order. zero or more roles, irrespective of lexicographical order. For
For example: "*+b+e+g" would match "a+b+c+e+f+g" example: "*+b+e+g" would match "a+b+c+e+f+g".
Note that the characters "+" and "*" MUST not be used in an Note that the characters "+" and "*" MUST not be used in an
interface Role. The Framework Role PIB module in section 4 of this interface Role. The Framework Role PIB module in section 4 of this
document contains the Role and RoleCombination Textual Conventions. document contains the Role and RoleCombination Textual Conventions.
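Review bot: "MUST not" in the note on the "+" and "*" characters is unchanged in both columns, but the key word this document declares in its conventions section is "MUST NOT"; write it in full capitals so the prohibition reads as normative. This matters for implementations, because a "+" or "*" accepted inside an interface Role could not be told apart from the role separator or the wildcard when a role-combination is matched. The same sentence points to "section 4" for the Role and RoleCombination Textual Conventions, while the table of contents on this page lists "The Framework TC PIB module" as section 3, so the cross-reference should be checked.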
2.1.1. An Example 2.1.1. An Example
The functioning of roles might be best understood by an example. The functioning of roles might be best understood by an example.
Suppose I have a device with three interfaces, with roles as Suppose I have a device with three interfaces, with roles as follows:
follows:
IF1: "finance"
IF2: "finance"
IF3: "manager"
Framework Policy Information Base June 7, 2002 IF1: "finance"
IF2: "finance"
IF3: "manager"
Suppose, I also have a PDP with two policies: Suppose, I also have a PDP with two policies:
P1: Packets from finance department (role "finance") get DSCP 5 P1: Packets from finance department (role "finance") get DSCP 5
P2: Packets from managers (role "manager") get DSCP 6 P2: Packets from managers (role "manager") get DSCP 6
To obtain policy, the PEP reports to the PDP that it has some To obtain policy, the PEP reports to the PDP that it has some
interfaces with role combination "finance" and some with role interfaces with role combination "finance" and some with role
combination "manager". In response, the PDP downloads policy P1 combination "manager". In response, the PDP downloads policy P1
associated with role combination "finance" and downloads a second associated with role combination "finance" and downloads a second
policy P2 associated with role combination "manager". policy P2 associated with role combination "manager".
Now suppose the finance person attached to IF2 is promoted to Now suppose the finance person attached to IF2 is promoted to manager
manager and so the system administrator adds the role "manager" to and so the system administrator adds the role "manager" to IF2. The
IF2. The PEP now reports to the PDP that it has three role PEP now reports to the PDP that it has three role combinations: some
combinations: some interfaces with role combination "finance", some interfaces with role combination "finance", some with role
with role combination "manager" and some with role combination combination "manager" and some with role combination
"finance+manager". In response, the PDP downloads an additional "finance+manager". In response, the PDP downloads an additional
third policy associated with the new role combination third policy associated with the new role combination
"finance+manager". "finance+manager".
How the PDP determines the policy for this new role combination is How the PDP determines the policy for this new role combination is
entirely the responsibility of the PDP. It could do so entirely the responsibility of the PDP. It could do so
algorithmically or by rule. For example, there might be a rule that algorithmically or by rule. For example, there might be a rule that
specifies that manager policy takes preference over department specifies that manager policy takes preference over department
policy. Or there might be a third policy installed in the PDP as policy. Or there might be a third policy installed in the PDP as
follows: follows:
P3: Packets from finance managers (role "finance" and role P3: Packets from finance managers (role "finance" and role
"manager") get DSCP 7 "manager") get DSCP 7
The point here is that the PDP is required to determine what policy The point here is that the PDP is required to determine what policy
applies to this new role combination and to download a third policy applies to this new role combination and to download a third policy
to the PEP for the role combination "finance+manager" even if that to the PEP for the role combination "finance+manager", even if that
policy is the same as one already downloaded. The PEP is not policy is the same as one already downloaded. The PEP is not
required (or allowed) to construct policy for new role combinations required (or allowed) to construct policy for new role combinations
from existing policy. from existing policy.
2.2. Management of Role-Combinations from the PDP 2.2. Management of Role-Combinations from the PDP
The PEP notifies the PDP of the Role-Combination assigned to each The PEP notifies the PDP of the Role-Combination assigned to each
interface and capability set name in a COPS configuration request interface and capability set name in a COPS configuration request
(instances of the frwkIfRoleComboTable). The first request sent to (instances of the frwkIfRoleComboTable). The first request sent to
the PDP must be a 'full state' request. A 'full state' request for a the PDP must be a 'full state' request. A 'full state' request for a
PEP includes notify and install-notify table PRIs for the PEP which PEP includes notify and install-notify table PRIs for the PEP which
must be interpreted as the complete state of the PEP and must not be must be interpreted as the complete state of the PEP and must not be
interpreted as updates to any previous set of PRIs sent in a interpreted as updates to any previous set of PRIs sent in a previous
previous message. Any previous PRIs from the PEP should be discarded message. Any previous PRIs from the PEP should be discarded when a
when a 'full state' request is received for the particular request 'full state' request is received for the particular request handle.
handle. A request is specified as a 'full state' request by setting A request is specified as a 'full state' request by setting the
the frwkPibIncarnationFullState attribute in the frwkPibIncarnation frwkPibIncarnationFullState attribute in the frwkPibIncarnation PRI
PRI sent in the request. sent in the request.
All existing frwkIfRoleCombo instances must be sent to the PDP in All existing frwkIfRoleCombo instances must be sent to the PDP in the
the first configuration request for a request handle. If the Role- first configuration request for a request handle. If the Role-
Combinations are not assigned specific values, default ('null') Combinations are not assigned specific values, default ('null')
Role-Combinations must be sent to the PDP for all ifIndices active on
Framework Policy Information Base June 7, 2002 the PEP and updates must be sent every time the IfIndices are
updated. The PEP may notify the PDP of the Capability sets (if any)
Role-Combinations must be sent to the PDP for all ifIndices active via the frwkCapabilitySetTable. If the PEP does not need to notify
on the PEP and updates must be sent every time the IfIndices are
updated. The PEP may notify the PDP of the Capability sets (if any)
via the frwkCapabilitySetTable. If the PEP does not need to notify
the PDP of capability sets, it must set the capability set name in the PDP of capability sets, it must set the capability set name in
the frwkIfRoleComboTable instances to a zero length string. the frwkIfRoleComboTable instances to a zero length string.
In response to this configuration request, if applicable, the PDP In response to this configuration request, if applicable, the PDP may
may send policies for the PEP in a solicited decision or must send a send policies for the PEP in a solicited decision or must send a null
null decision. The PEP must then send a solicited report message for decision. The PEP must then send a solicited report message for the
the decision. decision.
At any later time, the PDP can update the Role-Combinations assigned At any later time, the PDP can update the Role-Combinations assigned
to a specific interface, identified by IfIndex, or for an aggregate, to a specific interface, identified by IfIndex, or for an aggregate,
identified by the capability set name, via an unsolicited decision identified by the capability set name, via an unsolicited decision to
to the PEP on any open request handle. The PDP does this by sending the PEP on any open request handle. The PDP does this by sending
updated PRIs for the frwkIfRoleComboTable. updated PRIs for the frwkIfRoleComboTable.
When the Interface Role Combination associations are updated by the When the Interface Role Combination associations are updated by the
PDP, the PEP SHOULD send updated 'full state' requests for all open PDP, the PEP SHOULD send updated 'full state' requests for all open
contexts. A context is an instantiation of the PIB module(s) contexts. A context is an instantiation of the PIB module(s)
namespace identified by a unique COPS handle for a particular COPS namespace identified by a unique COPS handle for a particular COPS
client type. This is true even if the PEP's request state changes client type. This is true even if the PEP's request state changes
due to an internal event or if the state is changed by the PDP. If due to an internal event or if the state is changed by the PDP. If
the role-combination updates were sent by the PDP, the PEP SHOULD the role-combination updates were sent by the PDP, the PEP SHOULD
send these updated requests only if it can process the unsolicited send these updated requests only if it can process the unsolicited
decision containing the frwkIfRoleCombo PRIs successfully and it decision containing the frwkIfRoleCombo PRIs successfully, and it
MUST do so after sending the success report for the unsolicited MUST do so after sending the success report for the unsolicited
decision. If the PEP failed to process the decision (i.e., the decision. If the PEP failed to process the decision (i.e., the
frwkIfRoleCombo PRIs) it MUST only send a failure report to the PDP. frwkIfRoleCombo PRIs), it MUST only send a failure report to the PDP.
On the other hand, the PDP must not expect to receive the updated On the other hand, the PDP must not expect to receive the updated
requests with the revised role-combination information until after requests with the revised role-combination information until after it
it receives a success report for these updates from the PEP. If the receives a success report for these updates from the PEP. If the PDP
PDP does not receive updated requests on some request handles, the does not receive updated requests on some request handles, the PEP
PEP must not be sent decision updates for that frwkIfRoleCombo must not be sent decision updates for that frwkIfRoleCombo updates,
updates, i.e., the PDP must have the previous request state that it i.e., the PDP must have the previous request state that it maintained
maintained for that request handle. for that request handle.
Note that, any unsolicited decisions received by the PEP in the time Note that, any unsolicited decisions received by the PEP in the time
period after it receives updates to its Role-Combination period after it receives updates to its Role-Combination associations
associations and before receiving solicited decisions for the and before receiving solicited decisions for the updated requests it
updated requests it sent for all context handles, must be ignored sent for all context handles, could possibly contain outdated
since they would contain outdated decisions sent by the PDP for the policies corresponding to the old Role-Combination associations as
old request information. notified by this PEP in a previous request state.
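Review bot: The right-hand column of this note removes "must be ignored" and says only that such unsolicited decisions "could possibly contain outdated policies", so the text no longer tells the PEP what to do with them. A PEP that installs them would be enforcing policy selected for Role-Combination associations it no longer has. State the expected handling explicitly, either by keeping the requirement to ignore these decisions or by describing how the PEP decides which of them still apply. The leading "Note that, any" also carries a stray comma in both columns.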
The PDP must respond to the updated requests by solicited decisions, The PDP must respond to the updated requests by solicited decisions,
sending policies if applicable or null decisions. The PEP must sending policies if applicable or null decisions. The PEP must
respond to these solicited decisions with solicited reports to respond to these solicited decisions with solicited reports to
complete the transaction. complete the transaction.
2.3. Updating a Request State 2.3. Updating a Request State
Framework Policy Information Base June 7, 2002
This section describes the messages exchanged between the PEP and This section describes the messages exchanged between the PEP and PDP
PDP when the PEP is updating a previously sent request for a when the PEP is updating a previously sent request for a particular
particular COPS handle. Note that a PEP can incrementally update a COPS handle. Note that a PEP can incrementally update a request only
request only if the frwkPibIncarnationFullState attribute is shown if the frwkPibIncarnationFullState attribute is shown to be supported
to be supported via the supported PRC table. If this attribute is via the supported PRC table. If this attribute is not supported, the
not supported the PDP must treat all PEP requests as the full PDP must treat all PEP requests as the full request state.
request state.
2.3.1 Full Request State 2.3.1 Full Request State
When the PEP wants to send the entire request state to the PDP (for When the PEP wants to send the entire request state to the PDP (for
example, in response to a Synchronize State Request from the PDP), example, in response to a Synchronize State Request from the PDP),
the PEP MUST send the incarnation instance with the the PEP MUST send the incarnation instance with the
frwkPibIncarnationFullState attribute set to 'true'. frwkPibIncarnationFullState attribute set to 'true'.
A PDP that receives an incarnation instance in the request message A PDP that receives an incarnation instance in the request message
with this attribute set to 'true', must clear the request with this attribute set to 'true', must clear the request information
information it maintains for this request handle and re-install the it maintains for this request handle and re-install the information
information received. received.
If this attribute is set to 'false' or if the incarnation instance If this attribute is set to 'false' or if the incarnation instance is
is missing in the request message, the request must be interpreted missing in the request message, the request must be interpreted as an
as an incremental update to the previous request message. incremental update to the previous request message.
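Review bot: the last paragraph of 2.3.1 tells the PDP to treat a request as an incremental update when frwkPibIncarnationFullState is 'false' or the incarnation instance is missing, but the section 2.3 introduction says that when the attribute is not supported "the PDP must treat all PEP requests as the full request state"; neither column restates that precondition here. Suggest qualifying the paragraph so it applies only when the attribute is shown as supported, so a PDP does not merge a request into stale state for a PEP that never advertised the attribute. The PDP-side requirements in this subsection are also lowercase "must" next to the PEP's "MUST send"; if they are normative, capitalize them.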
2.3.2 Installing PRIs in a Request 2.3.2 Installing PRIs in a Request
If the PEP wants to install additional PRIs for a request handle, If the PEP wants to install additional PRIs for a request handle, the
the PEP MUST ensure that frwkPibIncarnationFullState attribute is PEP MUST ensure that the frwkPibIncarnationFullState attribute is set
set to 'false' and the PEP MUST use new (unused in this context) to 'false', and the PEP MUST use new (unused in this context)
InstanceIds [SPPI] for these PRIs. InstanceIds [SPPI] for these PRIs.
When a PDP receives instances with new InstanceIds for a request When a PDP receives instances with new InstanceIds for a request with
with the frwkPibIncarnationFullState in the incarnation instance set the frwkPibIncarnationFullState in the incarnation instance set to
to 'false' or if the request has no incarnation information, it must 'false', or if the request has no incarnation information, it must
interpret these PRIs as an incremental update to the request state interpret these PRIs as an incremental update to the request state
and add them to the request state it maintains for this handle. and add them to the request state it maintains for this handle.
2.3.3 Updating PRIs in a Request 2.3.3 Updating PRIs in a Request
If the PEP wants to update previously installed PRIs for a request If the PEP wants to update previously installed PRIs for a request
handle, the PEP MUST ensure that frwkPibIncarnationFullState handle, the PEP MUST ensure that the frwkPibIncarnationFullState
attribute is set to 'false' for these PRIs. Note that the PEP must attribute is set to 'false' for these PRIs. Note that the PEP must
send the same InstanceIds for the PRIs being updated. If the PEP send the same InstanceIds for the PRIs being updated. If the PEP
uses new InstanceIds, the PDP must interpret them as Install's uses new InstanceIds, the PDP must interpret them as Install's for
for this request state. this request state.
When a PDP receives a request with instances having InstanceIds that When a PDP receives a request with instances having InstanceIds that
exist in its state for that handle with the exist in its state for that handle with the
frwkPibIncarnationFullState in the incarnation instance set to frwkPibIncarnationFullState in the incarnation instance set to
'false' or if the request has no incarnation information, it must 'false' or if the request has no incarnation information, it must
interpret these PRIs as an update to the PRIs in the request state interpret these PRIs as an update to the PRIs in the request state it
it maintains for this handle. maintains for this handle.
2.3.4 Removing PRIs from a Request 2.3.4 Removing PRIs from a Request
If the PEP wants to remove previously installed PRIs for a request If the PEP wants to remove previously installed PRIs for a request
handle, the PEP MUST ensure that frwkPibIncarnationFullState handle, the PEP MUST ensure that the frwkPibIncarnationFullState
attribute is set to 'false' and MUST send the PRI bindings with the attribute is set to 'false', and MUST send the PRI bindings with the
PRID set to the InstanceId of the PRI to be removed and the length PRID set to the InstanceId of the PRI to be removed, and the length
field in the EPD object header set to the header length only, field in the EPD object header set to the header length only,
effectively setting the data length to zero. effectively setting the data length to zero.
Note that the PEP must send the same InstanceIds for the PRIs being Note that the PEP must send the same InstanceIds for the PRIs being
removed. If the PEP sends new InstanceIds and the length field in removed. If the PEP sends new InstanceIds and the length field in
the EPD object header is set to the header length only (implying the the EPD object header is set to the header length only (implying the
data length is zero), the PEP is attempting to remove an data length is zero), the PEP is attempting to remove an
unknown/non-existent PRI. This SHOULD result in the PDP sending unknown/non-existent PRI. This SHOULD result in the PDP sending
error PRIs in the solicited decision (see section 2.3.6 for a error PRIs in the solicited decision (see section 2.3.6 for a
description of the frwkErrorTable). description of the frwkErrorTable).
If the PEP sends new InstanceIds and the length field in the EPD If the PEP sends new InstanceIds, and the length field in the EPD
object header is greater than the header length only (implying the object header is greater than the header length only (implying the
EPD object has some attributes encoded in it), the PDP will EPD object has some attributes encoded in it), the PDP will interpret
interpret this as an install of the PRI if it can decode the EPD this as an install of the PRI if it can decode the EPD successfully.
successfully.
When a PDP receives a request with instances having InstanceIds that When a PDP receives a request with instances having InstanceIds that
exist in its state for that handle with the exist in its state for that handle with the
frwkPibIncarnationFullState in the incarnation instance set to frwkPibIncarnationFullState in the incarnation instance set to
'false' or if the request has no incarnation information, and the 'false', or if the request has no incarnation information, and the
length field in the EPD object header is set to the header length length field in the EPD object header is set to the header length
only (implying the data length is zero), it must remove these PRIs only (implying the data length is zero), it must remove these PRIs
from the request state it maintains for this handle. from the request state it maintains for this handle.
2.3.5 Removing EXTENDED, AUGMENTED PRIs 2.3.5 Removing EXTENDED, AUGMENTED PRIs
The PEP should remove the extended/augmented PRIs when it removes The PEP should remove the extended/augmented PRIs when it removes the
the base PRIs in the same COPS message. See [SPPI] for description base PRIs in the same COPS message. See [SPPI] for a description of
of EXTENDED/AUGMENTED PRCs. A PDP that receives removes for a base EXTENDED/AUGMENTED PRCs. A PDP that receives removes for a base PRI
PRI must implicitly remove the extensions. must implicitly remove the extensions.
2.3.6 Error Handling in Request updates 2.3.6 Error Handling in Request updates
If the PDP cannot process all the request installs/updates/removes If the PDP cannot process all the request installs/updates/removes in
in the COPS request message successfully, it MUST rollback to its the COPS request message successfully, it MUST rollback to its
previous request state and it MUST send a solicited decision to the previous request state and it MUST send a solicited decision to the
PEP that contains frwkErrorTable instances. These instances contain PEP that contains frwkErrorTable instances. These instances contain
an error code and a sub-code as defined in the [COPS-PR] CPERR an error code and a sub-code as defined in the [COPS-PR] CPERR
object. For example if the PEP tries to remove an instance that does object. For example, if the PEP tries to remove an instance that
not exist, the 'priInstanceInvalid' error code must be sent to the does not exist, the 'priInstanceInvalid' error code must be sent to
PEP in a frwkError PRI. The frwkError PRIs also contain the PRC and the PEP in a frwkError PRI. The frwkError PRIs also contain the PRC
the InstanceId of the error-causing PRI. The PEP may then examine and the InstanceId of the error-causing PRI. The PEP may then
these error PRIs and resend the modified request. Note that, until examine these error PRIs and resend the modified request. Note that,
the PEP resends the request updates/removes it will have until the PEP resends the request updates/removes, it will have
configuration information for the last successful request state it configuration information for the last successful request state it
sent to the PDP. sent to the PDP.
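Review bot: 2.3.4 says a remove for an unknown InstanceId "SHOULD result in the PDP sending error PRIs", while 2.3.6 says the PDP "MUST rollback to its previous request state" and that the 'priInstanceInvalid' error code "must be sent" for that same case; the requirement levels disagree in both columns. Suggest aligning 2.3.4 with 2.3.6 so that a failed remove always produces the rollback and the frwkError PRI. Minor: "rollback" is used as a verb in 2.3.6 and should read "roll back".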
2.4. Multiple PIB Instances 2.4. Multiple PIB Instances
[COPS-PR] supports multiple, disjoint, independent instances of the [COPS-PR] supports multiple, disjoint, independent instances of the
PIB to represent multiple instances of configured policy. The PIB to represent multiple instances of configured policy. The intent
intent is to allow for the pre-provisioning of policy that can then is to allow for the pre-provisioning of policy that can then be made
be made active by a single, short decision from the PDP. active by a single, short decision from the PDP.
A COPS context can be defined as an independent COPS request state A COPS context can be defined as an independent COPS request state
for a particular subject category (client-type). A context may be an for a particular subject category (client-type). A context may be an
outsourcing context or a configuration context. A configuration outsourcing context or a configuration context. A configuration
context is an instance of the PIB triggered and controlled by the context is an instance of the PIB triggered and controlled by the
PDP, which contains device setup information. This device PDP, which contains device setup information. This device
configuration information dictates the device behavior as specified configuration information dictates the device behavior as specified
by the PDP. An outsourcing context on the other hand is a PIB by the PDP. An outsourcing context on the other hand, is a PIB
instance that is triggered from the PEP side and is a request to the instance that is triggered from the PEP side and is a request to the
PDP for action. The action requested will be interpreted in the PDP for action. The action requested will be interpreted in the
domain of the client-type. Configuration contexts belong to a set of domain of the client-type. Configuration contexts belong to a set of
configuration contexts for a specific client type - out of which one configuration contexts for a specific client type - out of which one
configuration context may be active. However, multiple outsourcing configuration context may be active. However, multiple outsourcing
contexts can be active simultaneously. contexts can be active simultaneously.
With the COPS-PR protocol, each of these states is identified by a With the [COPS-PR] protocol, each of these states is identified by a
unique client handle. The creation and deletion of these PIB unique client handle. The creation and deletion of these PIB
instances can be controlled by the PDP as described in [COPS-PR] or instances can be controlled by the PDP as described in [COPS-PR] or
can be triggered by an event by the PEP. A PEP must open at least can be triggered by an event by the PEP. A PEP must open at least
one "request-state" for configuration for a given subject-category one "request-state" for configuration for a given subject-category
(client type). Additional "request-states" at the PEP may be (client type). Additional "request-states" at the PEP may be
initiated by the PDP or asynchronously generated by the PEP for initiated by the PDP or asynchronously generated by the PEP for
outsourcing due to local events, which will be fully specified by outsourcing due to local events, which will be fully specified by the
the PRID/EPD data carried in the request. PRID/EPD data carried in the request.
The frwkPibIncarnationInCtxtSet flag defines a set of contexts out The frwkPibIncarnationInCtxtSet flag defines a set of contexts out of
of which only one context can be active at any given time. This set which only one context can be active at any given time. This set is
is called the 'configuration contexts' set. At the most one context called the 'configuration contexts' set. At most, one context may be
may be active from this 'configuration context' set at any given active from this 'configuration context' set at any given time.
time. Contexts that have the frwkPibIncarnationInCtxtSet attribute Contexts that have the frwkPibIncarnationInCtxtSet attribute set to
set to 'true' belong to this set. Contexts that do not belong to 'true' belong to this set. Contexts that do not belong to this set
this set have the frwkPibIncarnationInCtxtSet set to 'false' and have the frwkPibIncarnationInCtxtSet set to 'false' and belong to the
belong to the set of 'outsourcing contexts'. Note that a PEP can set of 'outsourcing contexts'. Note that a PEP can have these two
have these two sets of contexts only if the sets of contexts only if the frwkPibIncarnationInCtxtSet attribute is
frwkPibIncarnationInCtxtSet attribute is shown to be supported via shown to be supported via the supported PRC table. If the
the supported PRC table. If the frwkPibIncarnationInCtxtSet is not frwkPibIncarnationInCtxtSet is not supported, a PEP must treat all
supported a PEP must treat all contexts as belonging to the set of contexts as belonging to the set of 'configuration contexts' i.e., at
'configuration contexts' i.e., at the most one context can be active the most one context can be active at any given time.
at any given time.
Note that in the event that a PEP has an capability change such as a Note that in the event that a PEP has a capability change such as a
card hot swap or any other change in its notify information that may card hot swap or any other change in its notify information that may
warrant a policy refresh, a subsequent complete or incremental warrant a policy refresh, a subsequent complete or incremental
request must be issued to the PDP containing the new/updated request must be issued to the PDP containing the new/updated
capabilities for all the configuration contexts. A request for re- capabilities for all the configuration contexts. A request for re-
configuration is issued for all request state configuration configuration is issued for all request state configuration contexts,
contexts, both for the active configuration context as well as any both for the active configuration context as well as any inactive
inactive configuration contexts. This is to ensure that when an configuration contexts. This is to ensure that when an inactive
configuration context is activated, it has been pre-configured with
policies compatible with the PEP's current capabilities.
inactive configuration context is activated, it has been pre-
configured with policies compatible with the PEP's current
capabilities.
Although many PIB instances may be configured on a device (the Although many PIB instances may be configured on a device (the
maximum number of these instances being determined by the device maximum number of these instances being determined by the device
itself) only one of the contexts from the 'configuration contexts' itself), only one of the contexts from the 'configuration contexts'
set can be active at any given time, the active one being selected set can be active at any given time; the active one being selected by
by the PDP. The Framework PIB supports the attribute the PDP. The Framework PIB supports the attribute
frwkPibIncarnationActive in the frwkPibIncarnationTable to allow the frwkPibIncarnationActive in the frwkPibIncarnationTable to allow the
PDP to denote the PIB instance as being active in a COPS decision PDP to denote the PIB instance as being active in a COPS decision
message, and similarly, to report the active state (active or not) message, and similarly, to report the active state (active or not) of
of the PIB instance to the PDP in a COPS request message. the PIB instance to the PDP in a COPS request message.
When the PEP installs an attribute frwkPibIncarnationActive that is When the PEP installs an attribute frwkPibIncarnationActive that is
'true' in one PIB instance which belongs to the 'configuration 'true' in one PIB instance which belongs to the 'configuration
contexts' set, the PEP must ensure, re-setting the attribute if contexts' set, the PEP must ensure, re-setting the attribute if
necessary, that the frwkPibIncarnationActive attribute is 'false' necessary, that the frwkPibIncarnationActive attribute is 'false' in
in all other installed contexts that belong to this set. To switch all other installed contexts that belong to this set. To switch
contexts, the PDP should set the frwkPibIncarnationActive attribute contexts, the PDP should set the frwkPibIncarnationActive attribute
to 'true' in the context it wants to make the active context. The to 'true' in the context it wants to make the active context. The
PDP should set this attribute in a context to 'false' only if it PDP should set this attribute in a context to 'false' only if it
wants to send an inactive context to the PEP or deactivate the wants to send an inactive context to the PEP or deactivate the active
active context on the PEP. If an active context is made inactive context on the PEP. If an active context is made inactive without
without activating another context, the PEP must not have any activating another context, the PEP must not have any policies
policies enforced from any configuration contexts installed. enforced from any configuration contexts installed.
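Review bot: in the frwkPibIncarnationInCtxtSet paragraph the RFC column rewrites "At the most one context may be active" as "At most, one context may be active" but leaves "at the most one context can be active at any given time" a few lines later, and the same paragraph names the set both 'configuration contexts' and 'configuration context'. Suggest one wording and one set name throughout. The comma added in "An outsourcing context on the other hand, is a PIB instance" is unbalanced; either set off "on the other hand" with commas on both sides or drop the new one.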
2.5. Reporting and Configuring of Device Capabilities 2.5. Reporting and Configuring of Device Capabilities
Each network device providing policy-based services has its own Each network device providing policy-based services has its own
inherent capabilities. These capabilities can be hardware specific, inherent capabilities. These capabilities can be hardware specific,
e.g., an Ethernet interface supporting input classification, or can e.g., an Ethernet interface supporting input classification, or can
be statically configured, e.g., supported queuing disciplines. be statically configured, e.g., supported queuing disciplines. These
These capabilities are organized into Capability Sets, with each capabilities are organized into Capability Sets, with each Capability
Capability Set given a unique name (frwkCapabilitySetName) and Set given a unique name (frwkCapabilitySetName) and associated with a
associated with a set of Role Combinations. Each Role Combination set of Role Combinations. In that way, each Role Combination may be
may in that way be associated with a set of interfaces. These associated with a set of interfaces. These capabilities are
capabilities are communicated to the PDP when policy is requested by communicated to the PDP when policy is requested by the PEP. Knowing
the PEP. Knowing device capabilities, the PDP can send the PRIs device capabilities, the PDP can send the PRIs relevant to the
relevant to the specific device, rather than sending the entire PIB. specific device, rather than sending the entire PIB.
Specific capability PRCs may be defined in other PIBs. These Specific capability PRCs may be defined in other PIBs. These
capability instances are grouped via the frwkCapabilitySetTable. If capability instances are grouped via the frwkCapabilitySetTable. If
the PEP wishes to send capability information to the PDP, the PIB the PEP wishes to send capability information to the PDP, the PIB
must indicate which capabilities the PEP may send to the PDP by must indicate which capabilities the PEP may send to the PDP by means
means of the 'notify' PIB-ACCESS clause as described in [SPPI]. If a of the 'notify' PIB-ACCESS clause as described in [SPPI]. If a PIB
PIB does not have any capabilities to communicate to the PDP, it does not have any capabilities to communicate to the PDP, it must not
must not send any instances for the frwkCapabilitySetTable. If in send any instances for the frwkCapabilitySetTable. If in this case
this case the frwkIfRoleCombo table is used to communicate role the frwkIfRoleCombo table is used to communicate role combinations
combinations assigned to interfaces (via IfIndex), the assigned to interfaces (via IfIndex), the frwkRoleComboCapSetName
frwkRoleComboCapSetName attribute in the frwkIfRoleComboTable attribute in the frwkIfRoleComboTable instances must be set to a zero
instances must be set to a zero length string. length string.
2.6. Reporting of Device Limitations 2.6. Reporting of Device Limitations
To facilitate efficient policy installation, it is important to To facilitate efficient policy installation, it is important to
understand a device's limitations in relation to the advertised understand a device's limitations in relation to the advertised
device capabilities. Limitations may be class-based, e.g., an device capabilities. Limitations may be class-based, e.g., an
"install" class is supported as a "notify" or only a limited number "install" class is supported as a "notify" or only a limited number
of class instances may be created, or attribute-based. Attribute of class instances may be created, or attribute-based. Attribute
limitations, such as supporting a restricted set of enumerations or limitations, such as supporting a restricted set of enumerations or
requiring related attributes to have certain values, detail requiring related attributes to have certain values, detail
implementation limitations at a fine level of granularity. implementation limitations at a fine level of granularity.
A PDP can avoid certain installation issues in a proactive fashion A PDP can avoid certain installation issues in a proactive fashion by
by taking into account a device's limitations prior to policy taking into account a device's limitations prior to policy
installation rather than in a reactive mode during installation. As installation rather than in a reactive mode during installation. As
with device capabilities, device limitations are communicated to the with device capabilities, device limitations are communicated to the
PDP when policy is requested. PDP when policy is requested.
Reported device limitations may be accompanied by guidance values Reported device limitations may be accompanied by guidance values
that can be used by a PDP to determine acceptable values for the that can be used by a PDP to determine acceptable values for the
identified attributes. identified attributes.
3. The Framework TC PIB module 3. The Framework TC PIB module
FRAMEWORK-TC-PIB PIB-DEFINITIONS ::= BEGIN FRAMEWORK-TC-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS MODULE-IDENTITY, TEXTUAL-CONVENTION, pib FROM COPS-PR-SPPI;
frwkTcPib MODULE-IDENTITY
SUBJECT-CATEGORIES { all }
LAST-UPDATED "200206070000Z"
ORGANIZATION "IETF RAP WG"
CONTACT-INFO "Keith McCloghrie
Cisco Systems, Inc.
170 West Tasman Drive,
San Jose, CA 95134-1706 USA
Phone: +1 408 526 5260
Email: kzm@cisco.com
John Seligson
Nortel Networks, Inc.
4401 Great America Parkway
Santa Clara, CA 95054 USA
Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com
Ravi Sahita IMPORTS MODULE-IDENTITY, TEXTUAL-CONVENTION,
Intel Labs. Unsigned32, pib FROM COPS-PR-SPPI;
2111 NE 25th Ave.
Hillsboro, OR 97124 USA
Phone: +1 503 712 1554
Email: ravi.sahita@intel.com
RAP WG Mailing list: rap@ops.ietf.org " frwkTcPib MODULE-IDENTITY
DESCRIPTION SUBJECT-CATEGORIES { all }
"The PIB module containing the Role and RoleCombination LAST-UPDATED "200302130000Z" -- 13 Feb 2003
Textual Conventions and other generic TCs." ORGANIZATION "IETF RAP WG"
REVISION "200206070000Z" CONTACT-INFO "Keith McCloghrie
DESCRIPTION Cisco Systems, Inc.
"Initial version, published in RFC xxxx." 170 West Tasman Drive,
-- xxxx to be assigned by IANA San Jose, CA 95134-1706 USA
Phone: +1 408 526 5260
Email: kzm@cisco.com
::= { pib tbd } -- tbd to be assigned by IANA John Seligson
Nortel Networks, Inc.
4401 Great America Parkway
Santa Clara, CA 95054 USA
Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com
Role ::= TEXTUAL-CONVENTION Ravi Sahita
STATUS current Intel Labs.
DESCRIPTION 2111 NE 25th Ave.
"A role represents a functionality characteristic or Hillsboro, OR 97124 USA
capability of a resource to which policies are applied. Phone: +1 503 712 1554
Examples of roles include Backbone_interface, Email: ravi.sahita@intel.com
Frame_Relay_interface, BGP-capable-router, web-server,
firewall, etc.
The only valid character set is US-ASCII. Valid characters
are a-z, A-Z, 0-9, period, hyphen and underscore. A role
must always start with a letter (a-z or A-Z). A role must
not contain the US-ASCII characters '*' or '+' since they
RAP WG Mailing list: rap@ops.ietf.org "
DESCRIPTION
"The PIB module containing the Role and RoleCombination
Textual Conventions and other generic TCs.
have special meaning associated with them, explained in the Copyright (C) The Internet Society (2003). This version of
RoleCombination TEXTUAL CONVENTION." this PIB module is part of RFC 3318; see the RFC itself for
SYNTAX OCTET STRING (SIZE (1..31)) full legal notices."
RoleCombination ::= TEXTUAL-CONVENTION REVISION "200302130000Z" -- 13 Feb 2003
STATUS current DESCRIPTION "Initial version, published in RFC 3318."
DESCRIPTION ::= { pib 3 }
"An octet string containing concatenated Roles. For the
format specification of roles, refer to the 'Role' TEXTUAL-
CONVENTION. A valid Role Combination must be formed by a set
of valid Roles, concatenated by the US-ASCII character '+',
where tThe roles are in lexicographic order from minimum to
maximum. For example, 'a+b' and 'b+a' are NOT different
role-combinations; rather, they are different formatting of
the same (one) role-combination.
Notice the roles within a role-combination are in Role ::= TEXTUAL-CONVENTION
Lexicographic order from minimum to maximum, hence, we STATUS current
declare: DESCRIPTION
'a+b' is the valid formatting of the role-combination, "A role represents a functionality characteristic or
'b+a' is an invalid formatting of the role-combination. capability of a resource to which policies are applied.
Examples of roles include Backbone_interface,
Frame_Relay_interface, BGP-capable-router, web-server,
firewall, etc.
The only valid character set is US-ASCII. Valid characters
are a-z, A-Z, 0-9, period, hyphen and underscore. A role
must always start with a letter (a-z or A-Z). A role must
not contain the US-ASCII characters '*' or '+' since they
have special meaning associated with them, explained in the
RoleCombination TEXTUAL CONVENTION."
Notice the need of zero-length role-combination as the role- SYNTAX OCTET STRING (SIZE (1..31))
combination of interfaces to which no roles have been
assigned. This role-combination is also known as the 'null'
role-combination. (Note the deliberate use of lower case
letters to avoid confusion with the US-ASCII NULL character
which has a value of zero but length of one.)
The US-ASCII character '*' is used to specify a wild carded RoleCombination ::= TEXTUAL-CONVENTION
Role Combination. '*' must not be used to wildcard Roles. STATUS current
Hence, we declare: DESCRIPTION
'*+a+b' is a valid wild carded Role Combination. "An octet string containing concatenated Roles. For the
'eth*+a+b' is not a valid wild carded Role Combination. format specification of roles, refer to the 'Role' TEXTUAL-
CONVENTION. A valid Role Combination must be formed by a set
of valid Roles, concatenated by the US-ASCII character '+',
where the roles are in lexicographic order from minimum to
maximum. For example, 'a+b' and 'b+a' are NOT different
role-combinations; rather, they are different formatting of
the same (one) role-combination.
Note that since Roles are lexicographically listed in a Role Notice the roles within a role-combination are in
Combination, the following is an invalid role combination, Lexicographic order from minimum to maximum, hence, we
since '*' is lexicographically before 'a': 'a+b+*'." declare:
SYNTAX OCTET STRING (SIZE (0..255)) 'a+b' is the valid formatting of the role-combination,
'b+a' is an invalid formatting of the role-combination.
PrcIdentifierOid ::= TEXTUAL-CONVENTION Notice the need of zero-length role-combination as the role-
STATUS current combination of interfaces to which no roles have been
DESCRIPTION assigned. This role-combination is also known as the 'null'
"An OID that identifies a PRC. The value MUST be an OID role-combination. (Note the deliberate use of lower case
assigned to a PRC's entry definition. The Entry definition letters to avoid confusion with the US-ASCII NULL character
of a PRC has an OID value XxxTable.1 where XxxTable is the which has a value of zero but length of one.)
OID assigned to the PRC table object.
An attribute with this syntax MUST specify a PRC, which is The US-ASCII character '*' is used to specify a wild carded
defined in the PIB module(s) registered in the context of Role Combination. '*' must not be used to wildcard Roles.
the client-type used. Hence, we declare:
'*+a+b' is a valid wild carded Role Combination.
'eth*+a+b' is not a valid wild carded Role Combination.
Note that since Roles are lexicographically listed in a Role
Combination, the following is an invalid role combination,
since '*' is lexicographically before 'a': 'a+b+*'."
SYNTAX OCTET STRING (SIZE (0..255))
An attribute with this syntax cannot have the value 0.0 PrcIdentifierOid ::= TEXTUAL-CONVENTION
(zeroDotZero). If the attribute using this syntax can be set STATUS current
DESCRIPTION
"An OID that identifies a PRC. The value MUST be an OID
assigned to a PRC's entry definition. The Entry definition
of a PRC has an OID value XxxTable.1 where XxxTable is the
OID assigned to the PRC table object.
An attribute with this syntax MUST specify a PRC, which is
defined in the PIB module(s) registered in the context of
the client-type used.
to 0.0 use the PrcIdentifierOidOrZero TEXTUAL-CONVENTION An attribute with this syntax cannot have the value 0.0
(zeroDotZero). If the attribute using this syntax can be set
to 0.0 use the PrcIdentifierOidOrZero TEXTUAL-CONVENTION
which makes such use explicit." which makes such use explicit."
SYNTAX OBJECT IDENTIFIER SYNTAX OBJECT IDENTIFIER
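Review bot: the Role and RoleCombination rules (US-ASCII a-z, A-Z, 0-9, period, hyphen and underscore; a leading letter; roles joined by '+' in lexicographic order; '*' used only to wildcard a Role Combination, never a Role) exist only in the DESCRIPTION text, while the SYNTAX clauses constrain length alone, SIZE (1..31) and SIZE (0..255), in both columns. Suggest stating what a receiver does with a value that violates them, such as 'b+a' or 'eth*+a+b', since the text calls these invalid without giving the resulting behaviour. On the changes themselves: the RFC column adds Unsigned32 to IMPORTS, which the AttrIdentifier SYNTAX Unsigned32 (1..4294967295) needs, keeps LAST-UPDATED and REVISION in step at "200302130000Z", replaces { pib tbd } with { pib 3 }, and fixes the "tThe roles" typo in the draft's RoleCombination text.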
PrcIdentifierOidOrZero ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An OID that identifies a PRC or zeroDotZero (0.0). The
value MUST be an OID assigned to a PRC's entry definition or
0.0 (zeroDotZero). The Entry definition of a PRC has an OID
value XxxTable.1 where XxxTable is the OID assigned to the
PRC table object.
An attribute with this syntax can have the value 0.0
(zeroDotZero) to indicate that it currently does not
identify a PRC."
SYNTAX OBJECT IDENTIFIER
AttrIdentifier ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A Unsigned32 value that identifies an attribute in a PRC by
its sub-id. The sub-id is the OID assigned to this attribute
in the PRC definition.
A AttrIdentifier value is always interpreted within the
context of an attribute of type PrcIdentifierOid or
PrcIdentifierOidOrZero. The PrcIdentifierOid (or
PrcIdentifierOidOrZero) object which defines the context
must be registered immediately before the object which uses
the AttrIdentifier textual convention. If the context
defining attribute is of type PrcIdentifierOidOrZero and has
the value 0.0, then in that case this attribute value has no
meaning.
An attribute with this syntax MUST specify a sub-id which PrcIdentifierOidOrZero ::= TEXTUAL-CONVENTION
MUST be defined in the PRC identified (if any) in the STATUS current
PrcIdentifierOid (or PrcIdentifierOidOrZero) attribute. The DESCRIPTION
PrcIdentifierOid (orZero) and the AttrIdentifier attributes "An OID that identifies a PRC or zeroDotZero (0.0). The
together identify a particular attribute in a particular value MUST be an OID assigned to a PRC's entry definition or
PRC. 0.0 (zeroDotZero). The Entry definition of a PRC has an OID
value XxxTable.1 where XxxTable is the OID assigned to the
PRC table object.
An attribute with this syntax cannot have the value 0 An attribute with this syntax can have the value 0.0
(zero). If the attribute using this syntax can be set (zeroDotZero) to indicate that it currently does not
to 0 use the AttrIdentifierOrZero TEXTUAL-CONVENTION which identify a PRC."
makes that explicit." SYNTAX OBJECT IDENTIFIER
SYNTAX Unsigned32 (1..4294967295)
AttrIdentifierOrZero ::= TEXTUAL-CONVENTION AttrIdentifier ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A Unsigned32 value that identifies an attribute in a PRC by "A Unsigned32 value that identifies an attribute in a PRC by
its sub-id or has the value 0 (zero). The sub-id if non- its sub-id. The sub-id is the OID assigned to this attribute
zero, is the OID assigned to this attribute in the PRC in the PRC definition.
Framework Policy Information Base June 7, 2002 A AttrIdentifier value is always interpreted within the
context of an attribute of type PrcIdentifierOid or
PrcIdentifierOidOrZero. The PrcIdentifierOid (or
PrcIdentifierOidOrZero) object which defines the context
must be registered immediately before the object which uses
the AttrIdentifier textual convention. If the context
defining attribute is of type PrcIdentifierOidOrZero and has
the value 0.0, then in that case this attribute value has no
meaning.
definition. An attribute with this syntax MUST specify a sub-id which
MUST be defined in the PRC identified (if any) in the
PrcIdentifierOid (or PrcIdentifierOidOrZero) attribute. The
PrcIdentifierOid (orZero) and the AttrIdentifier attributes
together identify a particular attribute in a particular
PRC.
An AttrIdentifierOrZero value is always interpreted within An attribute with this syntax cannot have the value 0
the context of an attribute of type PrcIdentifierOid or (zero). If the attribute using this syntax can be set
PrcIdentifierOidOrZero. The PrcIdentifierOid (or to 0 use the AttrIdentifierOrZero TEXTUAL-CONVENTION which
PrcIdentifierOidOrZero) object that defines the context must makes that explicit."
be registered immediately before the object which uses the SYNTAX Unsigned32 (1..4294967295)
AttrIdentifierOrZero textual convention. If the context
defining attribute is of type PrcIdentifierOidOrZero and has
the value 0.0, then in that case this attribute value has no
meaning.
An attribute with this syntax can have the value 0 (zero) to AttrIdentifierOrZero ::= TEXTUAL-CONVENTION
indicate that it currently does not identify a PRC STATUS current
attribute. If it has a non-zero value, the DESCRIPTION
PrcIdentifierOid (orZero) and the AttrIdentifierOrZero "A Unsigned32 value that identifies an attribute in a PRC by
attributes together identify a particular attribute in a its sub-id or has the value 0 (zero). The sub-id if non-
particular PRC." zero, is the OID assigned to this attribute in the PRC
SYNTAX Unsigned32 definition.
AttrIdentifierOid ::= TEXTUAL-CONVENTION An AttrIdentifierOrZero value is always interpreted within
STATUS current the context of an attribute of type PrcIdentifierOid or
DESCRIPTION PrcIdentifierOidOrZero. The PrcIdentifierOid (or
"An OID that identifies an attribute in a PRC. The value PrcIdentifierOidOrZero) object that defines the context must
MUST be an OID assigned to a PRC's attribute definition. The be registered immediately before the object which uses the
last sub-id is the sub-id of the attribute as it is AttrIdentifierOrZero textual convention. If the context
defined in the PRC entry definition. The prefix OID (after defining attribute is of type PrcIdentifierOidOrZero and has
dropping the last sub-id) is the OID assigned to the Entry the value 0.0, then in that case this attribute value has no
object of a defined PRC. The Entry definition of a PRC has meaning.
an OID value XxxTable.1 where XxxTable is the OID assigned
to the PRC Table object.
An attribute with this syntax MUST not have the value 0.0 An attribute with this syntax can have the value 0 (zero) to
(zeroDotZero). If 0.0 is a valid value, the TEXTUAL indicate that it currently does not identify a PRC
CONVENTION AttrIdentifierOidOrZero must be used which makes attribute. If it has a non-zero value, the
such use explicit." PrcIdentifierOid (orZero) and the AttrIdentifierOrZero
SYNTAX OBJECT IDENTIFIER attributes together identify a particular attribute in a
particular PRC."
SYNTAX Unsigned32
AttrIdentifierOidOrZero ::= TEXTUAL-CONVENTION AttrIdentifierOid ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An OID that identifies an attribute in a PRC or has a value "An OID that identifies an attribute in a PRC. The value
0.0 (zeroDotZero). The value MUST be an OID assigned to a MUST be an OID assigned to a PRC's attribute definition. The
PRC's attribute definition or the value 0.0. last sub-id is the sub-id of the attribute as it is
defined in the PRC entry definition. The prefix OID (after
dropping the last sub-id) is the OID assigned to the Entry
object of a defined PRC. The Entry definition of a PRC has
an OID value XxxTable.1 where XxxTable is the OID assigned
to the PRC Table object.
If not 0.0, the last sub-id MUST be the sub-id of the An attribute with this syntax MUST not have the value 0.0
attribute as it is defined in the PRC Entry object (zeroDotZero). If 0.0 is a valid value, the TEXTUAL
definition. The prefix OID (after dropping the last sub-id) CONVENTION AttrIdentifierOidOrZero must be used which makes
is the OID assigned to the Entry object of a defined PRC. such use explicit."
The Entry definition of a PRC has an OID value XxxTable.1
Where, XxxTable is the OID assigned to the PRC Table
object.
Framework Policy Information Base June 7, 2002 SYNTAX OBJECT IDENTIFIER
An attribute with this syntax can have the value 0.0 AttrIdentifierOidOrZero ::= TEXTUAL-CONVENTION
(zeroDotZero) to indicate that it currently does not STATUS current
identify a PRC's attribute." DESCRIPTION
SYNTAX OBJECT IDENTIFIER "An OID that identifies an attribute in a PRC or has a value
0.0 (zeroDotZero). The value MUST be an OID assigned to a
PRC's attribute definition or the value 0.0.
ClientType ::= TEXTUAL-CONVENTION If not 0.0, the last sub-id MUST be the sub-id of the
STATUS current attribute as it is defined in the PRC Entry object
DESCRIPTION definition. The prefix OID (after dropping the last sub-id)
"An Unsigned32 value that identifies a COPS Client-type. An is the OID assigned to the Entry object of a defined PRC.
attribute with this syntax must be set to zero if it does The Entry definition of a PRC has an OID value XxxTable.1
not specify a COPS client-type for the PRI." Where, XxxTable is the OID assigned to the PRC Table
REFERENCE "[COPS]." object.
SYNTAX Unsigned32 (0..65535)
ClientHandle ::= TEXTUAL-CONVENTION An attribute with this syntax can have the value 0.0
STATUS current (zeroDotZero) to indicate that it currently does not
DESCRIPTION identify a PRC's attribute."
"An octet string that identifies a COPS Client handle. A SYNTAX OBJECT IDENTIFIER
zero length value implies the attribute does not specify a
valid client handle."
REFERENCE "[COPS]."
SYNTAX OCTET STRING (SIZE(0..65535))
END ClientType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An Unsigned32 value that identifies a COPS Client-type. An
attribute with this syntax must be set to zero if it does
not specify a COPS client-type for the PRI."
REFERENCE
"The COPS (Common Open Policy Service) Protocol, RFC 2748."
SYNTAX Unsigned32 (0..65535)
Framework Policy Information Base June 7, 2002 ClientHandle ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"An octet string that identifies a COPS Client handle. A
zero length value implies the attribute does not specify a
valid client handle."
REFERENCE
"The COPS (Common Open Policy Service) Protocol, RFC 2748."
SYNTAX OCTET STRING (SIZE(0..65535))
END
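Review bot: In AttrIdentifierOid the prohibition is written "MUST not have the value 0.0", and both columns carry it unchanged; write "MUST NOT", and capitalise the "must be used" that follows if it is meant as a requirement. Unlike AttrIdentifier, whose range Unsigned32 (1..4294967295) excludes zero in the SYNTAX clause, SYNTAX OBJECT IDENTIFIER cannot exclude 0.0, so this sentence is the only place the restriction is stated. The REFERENCE change from "[COPS]." to the full RFC 2748 title in ClientType and ClientHandle reads fine.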
4. Summary of the Framework PIB 4. Summary of the Framework PIB
The Framework PIB defines four groups of PRCs: The Framework PIB defines four groups of PRCs:
4.1. Base PIB classes Group 4.1. Base PIB classes Group
This contains PRCs intended to describe the PRCs supported This contains PRCs intended to describe the PRCs supported by the
by the PEP, PRC and/or attribute limitations and its current PEP, PRC and/or attribute limitations and its current configuration.
configuration.
PRC Support Table PRC Support Table
As the technology evolves, we expect devices to be enhanced As the technology evolves, we expect devices to be enhanced
with new PIBs, existing PIBs to add new PRCs and existing PRCs with new PIBs, existing PIBs to add new PRCs and existing PRCs
to be augmented or extended with new attributes. Also, it is to be augmented or extended with new attributes. Also, it is
likely that some existing PRCs or individual attributes of PRCs likely that some existing PRCs or individual attributes of PRCs
will be deprecated. The PRC Support Table describes the PRCs will be deprecated. The PRC Support Table describes the PRCs
that the device supports as well as the individual attributes that the device supports as well as the individual attributes
of each PRC. Using this information the PDP can potentially of each PRC. Using this information the PDP can potentially
tailor the policy to more closely match the capabilities of the tailor the policy to more closely match the capabilities of the
device. The PRC Support Table instances are specific to the device. The PRC Support Table instances are specific to the
particular Subject Category (Client-Type). That is, the PRC particular Subject Category (Client-Type). That is, the PRC
Support Table for Subject Category 'A' will not include Support Table for Subject Category 'A' will not include
instances for classes supported by the Subject Category 'B'. instances for classes supported by the Subject Category 'B'.
Note that the COPS client-type [COPS] used for Framework PIB Note that the COPS client-type [COPS] used for Framework PIB
PRIs sent/received over COPS-PR MUST be the unique SUBJECT- PRIs sent/received over COPS-PR MUST be the unique SUBJECT-
CATEGORY number assigned for the area of policy being managed CATEGORY number assigned for the area of policy being managed
(e.g. QoS, Security etc). (e.g., QoS, Security etc). The PEP MUST ignore the attributes
The PEP MUST ignore the attributes that it reports as not that it reports as not Supported in the decision from the PDP.
Supported in the decision from the PDP. The PEP SHOULD not send The PEP SHOULD not send duplicate PRC support instances in a
duplicate PRC support instances in a COPS Request and the PDP COPS Request and the PDP MUST ignore duplicate instances and
MUST ignore duplicate instances and MUST use the first instance MUST use the first instance received for a supported PRC in a
received for a supported PRC in a COPS Request. COPS Request.
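Review bot: "The PEP SHOULD not send duplicate PRC support instances" uses a lower-case "not" in both columns; write "SHOULD NOT" so it matches the capitalised MUST in the same sentence. The preceding sentence is also ambiguous about what "in the decision from the PDP" attaches to; something like "The PEP MUST ignore, in a decision from the PDP, any attribute that it has reported as not supported" removes the doubt. The rewrap and the "e.g." to "e.g.," change are editorial only.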
PIB Incarnation Table PIB Incarnation Table
This PRC contains exactly one row (corresponding to one PRI) This PRC contains exactly one row (corresponding to one PRI)
per context. It identifies the PDP that was the last to per context. It identifies the PDP that was the last to
download policy into the device and also contains an identifier download policy into the device and also contains an identifier
to identify the version of the policy currently downloaded. to identify the version of the policy currently downloaded.
This identifier, both its syntax and value, is meaningful only This identifier, both its syntax and value, is meaningful only
to the PDPs. It is intended to be a mechanism whereby a PDP, to the PDPs. It is intended to be a mechanism whereby a PDP,
when accepting a connection from a PEP, can easily identify a when accepting a connection from a PEP, can easily identify a
known incarnation of policy. This PRC defines a flag via which known incarnation of policy. This PRC defines a flag via which
the installed contexts are divided into a set of contexts the installed contexts are divided into a set of contexts
('configuration contexts') out of which only one context is ('configuration contexts') out of which only one context is
active and a the remaining contexts form a set of 'outsourcing active and a the remaining contexts form a set of 'outsourcing
contexts' which are all active. The incarnation PRC also contexts' which are all active. The incarnation PRC also
defines an attribute to indicate which configuration context is defines an attribute to indicate which configuration context is
the active one at the present time in the 'configuration the active one at the present time in the 'configuration
contexts' set. The incarnation instance is specific to the contexts' set. The incarnation instance is specific to the
particular Subject Category (Client-Type). particular Subject Category (Client-Type).
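Review bot: "active and a the remaining contexts" has a stray article that both columns carry; write "active and the remaining contexts". The paragraph also refers to "a flag" and "an attribute" without naming them; naming frwkPibIncarnationInCtxtSet and frwkPibIncarnationActive here would tie the summary to the module definitions.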
Component Limitations Table Component Limitations Table
Framework Policy Information Base June 7, 2002 Some devices may not be able to implement the full range of
values for all attributes. In principle, each PRC supports a
Some devices may not be able to implement the full range of set of errors that the PEP can report to the PDP in the event
values for all attributes. In principle, each PRC supports a that the specified policy is not implementable. It may be
set of errors that the PEP can report to the PDP in the event preferable for the PDP to be informed of the device limitations
that the specified policy is not implementable. It may be before actually attempting to install policy, and while the
preferable for the PDP to be informed of the device limitations error can indicate that a particular attribute value is
before actually attempting to install policy, and while the unacceptable to the PEP, this does not help the PDP ascertain
error can indicate that a particular attribute value is which values would be acceptable. To alleviate these
unacceptable to the PEP, this does not help the PDP ascertain limitations, the PEP can report some limitations of attribute
which values would be acceptable. To alleviate these values and/or classes and possibly guidance values for the
limitations, the PEP can report some limitations of attribute attribute in the Component Limitations Table
values and/or classes and possibly guidance values for the
attribute in the Component Limitations Table
Device Identification Table Device Identification Table
This PRC contains a single PRI that contains device-specific This PRC contains a single PRI that contains device-specific
information that is used to facilitate efficient policy information that is used to facilitate efficient policy
installation by a PDP. The instance of this PRC is reported installation by a PDP. The instance of this PRC is reported to
to the PDP in a COPS request message so that the PDP can take the PDP in a COPS request message so that the PDP can take into
into account certain device characteristics during policy account certain device characteristics during policy
installation. installation.
4.2. Device Capabilities group 4.2. Device Capabilities group
This group contains the PRCs that describe the characteristics of This group contains the PRCs that describe the characteristics of
interfaces of the device and the Role Combinations assigned to interfaces of the device and the Role Combinations assigned to them.
them.
Capabilities Set Table Capabilities Set Table
The capabilities the PEP supports are described by rows in The capabilities the PEP supports are described by rows in this
this PRC (frwkCapabilitySetTable). Each row, or instance of PRC (frwkCapabilitySetTable). Each row, or instance of this
this class, associates a unique capability name with a set of class, associates a unique capability name with a set of
capabilities that an entity on the PEP may support. The unique capabilities that an entity on the PEP may support. The unique
name is used to form a set of capabilities that the name name is used to form a set of capabilities that the name
represents. The capability references can specify instances in represents. The capability references can specify instances in
relevant capability tables in any PIB. The PEP notifies the PDP relevant capability tables in any PIB. The PEP notifies the
of these capability sets and then the PDP configures PDP of these capability sets and then the PDP configures the
the interfaces, per role combination. The unique name interfaces, per role combination. The unique name
(frwkCapabilitySetName) is not to be confused with the IfType (frwkCapabilitySetName) is not to be confused with the IfType
object in the Interfaces Group MIB [RFC2863]. object in the Interfaces Group MIB [RFC2863].
Interface and Role Combination Table Interface and Role Combination Table
The Capabilities Set Table (explained above) describes the The Capabilities Set Table (explained above) describes the
entities on the PEP (for example, interfaces) by their entities on the PEP (for example, interfaces) by their
capabilities, by assigning the capability sets a unique name capabilities, by assigning the capability sets a unique name
(frwkCapabilitySetName). It is possible to tailor the behavior (frwkCapabilitySetName). It is possible to tailor the behavior
of interfaces by assigning specific role-combinations to the of interfaces by assigning specific role-combinations to the
capability sets. This allows interfaces with the same capability sets. This allows interfaces with the same
capability sets to be assigned different policies, based on the capability sets to be assigned different policies, based on the
current roles assigned to them. At the PDP, configuration is current roles assigned to them. At the PDP, configuration is
done in terms of these interface capability set names and the done in terms of these interface capability set names and the
role-combinations assigned to them. Thus, each row of this
Framework Policy Information Base June 7, 2002 class is a <Interface Index, interface capability set name,
Role Combo> tuple, that indicates the roles that have been
role-combinations assigned to them. Thus, each row of this assigned to a particular capability set (as identified by
class is a <Interface Index, interface capability set name, frwkRoleComboCapSetName) and to a particular interface. Note
Role Combo> tuple, that indicates the roles that have been that the uniqueness criteria for this PRC has all the
assigned to a particular capability set (as identified by attributes, thus a frwkRoleComboCapSetName may have multiple
frwkRoleComboCapSetName) and to a particular interface. Note role-combinations that it is associated with. Via the IfIndex,
that the uniqueness criteria for this PRC has all the this PRC answers the questions of 'which interfaces have a
attributes, thus a frwkRoleComboCapSetName may have specific role combination?' and 'what role combination a
multiple role-combinations that it is associated with. Via the specific interface is a part of?'.
IfIndex, this PRC answers the questions of 'which interfaces
have a specific role combination?' and 'what role combination a
specific interface is a part of?'.
4.3. Classifier group 4.3. Classifier group
This group contains the IP, IEEE 802 and Internal Label This group contains the IP, IEEE 802 and Internal Label Classifier
Classifier elements. The set of tables consist of a Base Filter elements. The set of tables consist of a Base Filter table that
table that contains the Index InstanceId and the Negation flag contains the Index InstanceId and the Negation flag for the filter.
for the filter. This frwkBaseFilterTable is extended to form the This frwkBaseFilterTable is extended to form the IP Filter table, the
IP Filter table, the 802 Filter table [802] and the Internal 802 Filter table [802] and the Internal Label table. Filters may
Label table. Filters may also be defined outside this document also be defined outside this document and used to extend the Base
and used to extend the Base Filter table. Filter table.
The Extended classes do not have a separate Index value. The Extended classes do not have a separate Index value. Instances of
Instances of the extended classes have the same indices as their the extended classes have the same indices as their base class
base class instance. Inheritance is achieved using the EXTENDS instance. Inheritance is achieved using the EXTENDS keyword as
keyword as defined in [SPPI]. defined in [SPPI].
4.4. Marker group 4.4. Marker group
This group contains the 802 marker and internal label marker This group contains the 802 marker and internal label marker PRCs.
PRCs. The 802 marker may be applied to mark 802 packets with the The 802 marker may be applied to mark 802 packets with the required
required VLAN Id and/or priority value. The Internal Label marker VLAN Id and/or priority value. The Internal Label marker is applied
is applied to traffic in order to label it with a network device to traffic in order to label it with a network device specific label.
specific label. Such a label is used to assist the Such a label is used to assist the differentiation of an input flow
differentiation of an input flow after it has been aggregated after it has been aggregated with other flows. The label is
with other flows. The label is implementation specific and may implementation specific and may be used for other policy related
be used for other policy related functions like flow accounting functions like flow accounting purposes and/or other data path
purposes and/or other data path treatments. treatments.
Framework Policy Information Base June 7, 2002
5. The Framework PIB Module 5. The Framework PIB Module
FRAMEWORK-PIB PIB-DEFINITIONS ::= BEGIN FRAMEWORK-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS
Unsigned32, Integer32, MODULE-IDENTITY,
MODULE-COMPLIANCE, OBJECT-TYPE, OBJECT-GROUP, pib
FROM COPS-PR-SPPI
InstanceId, Prid
FROM COPS-PR-SPPI-TC
RoleCombination, PrcIdentifierOid, AttrIdentifier,
ClientType, ClientHandle
FROM FRAMEWORK-TC-PIB
InetAddress, InetAddressType,
InetAddressPrefixLength, InetPortNumber
FROM INET-ADDRESS-MIB
InterfaceIndex
FROM IF-MIB
DscpOrAny
FROM DIFFSERV-DSCP-TC
TruthValue, PhysAddress
FROM SNMPv2-TC
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB;
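Review bot: The import list changes from AttrIdentifier here to AttrIdentifierOrZero in the RFC-side IMPORTS further down, which widens the permitted values to include 0 ("does not identify a PRC attribute"). Check that every object that took the new syntax says in its DESCRIPTION what the receiver does with 0, and that no object in the module still uses AttrIdentifier, which is no longer imported.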
frameworkPib MODULE-IDENTITY
SUBJECT-CATEGORIES { all }
LAST-UPDATED "200206070000Z"
ORGANIZATION "IETF RAP WG"
CONTACT-INFO "
Michael Fine
Atheros Communications
529 Almanor Ave
Sunnyvale, CA 94085 USA
Phone: +1 408 773 5324
Email: mfine@atheros.com
Keith McCloghrie
Cisco Systems, Inc.
170 West Tasman Drive,
San Jose, CA 95134-1706 USA
Phone: +1 408 526 5260
Email: kzm@cisco.com
John Seligson
Nortel Networks, Inc.
4401 Great America Parkway
Santa Clara, CA 95054 USA
Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com
Ravi Sahita
Intel Labs.
2111 NE 25th Ave.
Framework Policy Information Base June 7, 2002
Hillsboro, OR 97124 USA
Phone: +1 503 712 1554
Email: ravi.sahita@intel.com
RAP WG Mailing list: rap@ops.ietf.org"
DESCRIPTION
"A PIB module containing the base set of PRCs that
provide support for management of multiple PIB contexts,
association of roles to device capabilities and other
reusable PRCs. PEPs are required for to implement this
PIB if the above features are desired. This PIB defines
PRCs applicable to 'all' subject-categories."
REVISION "200206070000Z"
DESCRIPTION
"Initial version, published in RFC xxxx."
-- xxxx to be assigned by IANA
::= { pib tbd } -- tbd to be assigned by IANA
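Review bot: The module DESCRIPTION says "PEPs are required for to implement this PIB"; drop the stray "for". The REVISION clause still carries "RFC xxxx" and the module OID is "{ pib tbd }", so both placeholders need to be resolved together with the LAST-UPDATED and REVISION timestamps at publication; the RFC-side MODULE-IDENTITY further down already shows LAST-UPDATED "200302130000Z".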
--
-- The root OID for PRCs in the Framework PIB
--
frwkBasePibClasses
OBJECT IDENTIFIER ::= { frameworkPib 1 }
--
-- PRC Support Table
--
frwkPrcSupportTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkPrcSupportEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
"Each instance of this PRC specifies a PRC that the device
supports and a bit string to indicate the attributes of the
class that are supported. These PRIs are sent to the PDP to
indicate to the PDP which PRCs, and which attributes of
these PRCs, the device supports.
All install and install-notify PRCs supported by the device
must be represented in this PRC. Notify PRCs may be
represented for informational purposes."
::= { frwkBasePibClasses 1 }
frwkPrcSupportEntry OBJECT-TYPE
SYNTAX FrwkPrcSupportEntry
STATUS current
Framework Policy Information Base June 7, 2002
DESCRIPTION
"An instance of the frwkPrcSupport class that identifies a
specific PRC and associated attributes as supported
by the device."
PIB-INDEX { frwkPrcSupportPrid }
UNIQUENESS { frwkPrcSupportSupportedPrc }
::= { frwkPrcSupportTable 1 }
FrwkPrcSupportEntry ::= SEQUENCE {
frwkPrcSupportPrid InstanceId,
frwkPrcSupportSupportedPrc PrcIdentifierOid,
frwkPrcSupportSupportedAttrs OCTET STRING
}
frwkPrcSupportPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An arbitrary integer index that uniquely identifies an
instance of the frwkPrcSupport class."
::= { frwkPrcSupportEntry 1 }
frwkPrcSupportSupportedPrc OBJECT-TYPE
SYNTAX PrcIdentifierOid
STATUS current
DESCRIPTION
"The object identifier of a supported PRC. The value is the
OID of the Entry object of the PRC definition. The Entry
Object definition of a PRC has an OID with value XxxTable.1
Where, XxxTable is the OID assigned to the PRC Table
Object definition. There may not be more than one instance
of the frwkPrcSupport class with the same value of
frwkPrcSupportSupportedPrc."
::= { frwkPrcSupportEntry 2 }
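Review bot: "There may not be more than one instance of the frwkPrcSupport class with the same value of frwkPrcSupportSupportedPrc", together with UNIQUENESS { frwkPrcSupportSupportedPrc } in the entry, is stricter than section 4.1, where the PEP only "SHOULD not send duplicate PRC support instances" and the PDP uses the first one received. Pick one strength and use it in both places; if duplicates are tolerated on receipt, say here that the PDP uses the first instance.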
frwkPrcSupportSupportedAttrs OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"A bit string representing the supported attributes of the
class that is identified by the frwkPrcSupportSupportedPrc
object.
Each bit of this bit string corresponds to a class
attribute, with the most significant bit of the i-th octet
of this octet string corresponding to the (8*i - 7)-th
attribute, and the least significant bit of the i-th octet
Framework Policy Information Base June 7, 2002
corresponding to the (8*i)-th class attribute. Each bit
specifies whether or not the corresponding class attribute
is currently supported, with a '1' indicating support and a
'0' indicating no support.
If the value of this bit string is N bits long and there are
more than N class attributes then the bit string is
logically extended with 0's to the required length.
On the other hand, If the PDP receives a bit string of
length N and there are less that N class attributes then the
PDP should ignore the extra bits in the bit string, i.e.,
assume those attributes are unsupported."
REFERENCE
"[COPS-PR] Section 2.2.1."
::= { frwkPrcSupportEntry 3 }
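Review bot: The over-length case is worded loosely: "On the other hand, If the PDP receives a bit string of length N and there are less that N class attributes" should read "if" and "fewer than N", and "should ignore" leaves the strength of the rule open. Since an OCTET STRING always carries a multiple of 8 bits, a PRC whose attribute count is not a multiple of 8 hits this case on every report, so it is worth stating that the PEP sets the unused low-order bits of the last octet to 0 and that the PDP ignores them.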
--
-- PIB Incarnation Table
--
frwkPibIncarnationTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkPibIncarnationEntry
PIB-ACCESS install-notify
STATUS current
DESCRIPTION
"This PRC contains a single PRovisioning Instance per
installed context that identifies the current incarnation
of the PIB and the PDP or network manager that installed
this incarnation. The instance of this PRC is reported to
the PDP in the REQ message so that the PDP can (attempt to)
ascertain the current state of the PIB. A network manager
may use the instance to determine the state of the device."
::= { frwkBasePibClasses 2 }
frwkPibIncarnationEntry OBJECT-TYPE
SYNTAX FrwkPibIncarnationEntry
STATUS current
DESCRIPTION
"An instance of the frwkPibIncarnation class. Only
one instance of this PRC is ever instantiated per context"
PIB-INDEX { frwkPibIncarnationPrid }
::= { frwkPibIncarnationTable 1 }
FrwkPibIncarnationEntry ::= SEQUENCE {
frwkPibIncarnationPrid InstanceId,
frwkPibIncarnationName SnmpAdminString,
frwkPibIncarnationId OCTET STRING,
frwkPibIncarnationLongevity INTEGER,
Framework Policy Information Base June 7, 2002
frwkPibIncarnationTtl Unsigned32,
frwkPibIncarnationInCtxtSet TruthValue,
frwkPibIncarnationActive TruthValue,
frwkPibIncarnationFullState TruthValue
}
frwkPibIncarnationPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this PRC."
::= { frwkPibIncarnationEntry 1 }
frwkPibIncarnationName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
STATUS current
DESCRIPTION
"The name of the PDP that installed the current incarnation
of the PIB into the device. A zero-length string value for
this type implies the PDP has not assigned this type any
value. By default, it is the zero length string."
::= { frwkPibIncarnationEntry 2 }
frwkPibIncarnationId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..255))
STATUS current
DESCRIPTION
"An ID to identify the current incarnation. It has meaning
to the PDP/manager that installed the PIB and perhaps its
standby PDPs/managers. A zero-length string value for
this type implies the PDP has not assigned this type any
value. By default, it is the zero-length string."
::= { frwkPibIncarnationEntry 3 }
frwkPibIncarnationLongevity OBJECT-TYPE
SYNTAX INTEGER {
expireNever(1),
expireImmediate(2),
expireOnTimeout(3)
}
STATUS current
DESCRIPTION
"This attribute controls what the PEP does with the
downloaded policy on a Client Close message or a loss of
connection to the PDP.
If set to expireNever, the PEP continues to operate with the
installed policy indefinitely. If set to expireImmediate,
the PEP immediately expires the policy obtained from the PDP
and installs policy from local configuration. If set to
Framework Policy Information Base June 7, 2002
expireOnTimeout, the PEP continues to operate with the
policy installed by the PDP for a period of time specified
by frwkPibIncarnationTtl. After this time (and it has not
reconnected to the original or new PDP) the PEP expires this
policy and reverts to local configuration.
For all cases, it is the responsibility of the PDP to check
the incarnation and download new policy, if necessary, on a
reconnect. On receiving a Remove-State for the active
context, this attribute value MUST be ignored and the PEP
should expire the policy in that active context immediately.
Policy enforcement timing only applies to policies that have
been installed dynamically (e.g., by a PDP via COPS)."
REFERENCE
"COPS Usage for Policy Provisioning. [COPS-PR]."
::= { frwkPibIncarnationEntry 4 }
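Review bot: No default is given for frwkPibIncarnationLongevity, although the neighbouring Name and Id attributes state theirs, so a PEP that loses its PDP without a value for this attribute has no specified behaviour; state the default in the DESCRIPTION. In the Remove-State sentence the value "MUST be ignored" but the PEP only "should expire the policy"; if immediate expiry is required, write "MUST expire". The parenthetical "(and it has not reconnected to the original or new PDP)" reads better as "if the PEP has not reconnected to the original or a new PDP".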
frwkPibIncarnationTtl OBJECT-TYPE
SYNTAX Unsigned32
UNITS "seconds"
STATUS current
DESCRIPTION
"The number of seconds after a Client Close or TCP timeout
for which the PEP continues to enforce the policy in the
PIB. After this interval, the PIB is considered expired and
the device no longer enforces the policy installed in the
PIB.
This attribute is only meaningful if
frwkPibIncarnationLongevity is set to expireOnTimeout."
::= { frwkPibIncarnationEntry 5 }
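Review bot: The timer trigger here is "a Client Close or TCP timeout", while frwkPibIncarnationLongevity speaks of "a Client Close message or a loss of connection to the PDP"; use one phrase in both so the start of the interval is unambiguous. The outcome is also described differently: this text says the device "no longer enforces the policy", Longevity says the PEP "reverts to local configuration". SYNTAX Unsigned32 allows 0, and a TTL of 0 with expireOnTimeout is not distinguished from expireImmediate; say whether the two are equivalent.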
frwkPibIncarnationInCtxtSet OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"When the PDP installs a PRI with this flag set to 'true' it
implies this context belongs to the set of contexts out of
which at the most one context can be active at a given time.
If this attribute is set to 'false' this context is one of
the outsourcing (simultaneous active) contexts on the
PEP.
This attribute is 'true' for all contexts belong to the set
of configuration contexts. Within the configuration context
set, one context can be active identified by the
frwkPibIncarnationActive attribute."
REFERENCE
"TruthValue TC [SNMPv2TC]."
::= { frwkPibIncarnationEntry 6 }
Framework Policy Information Base June 7, 2002
frwkPibIncarnationActive OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"When the PDP installs a PRI on the PEP with this attribute
set to 'true' and if this context belongs to the
'configuration contexts' set, i.e., the
frwkPibIncarnationInCtxtSet is set to 'true', then the PIB
instance to which this PRI belongs must become the active
PIB instance. In this case, the previous active instance
from this set MUST become inactive and the
frwkPibIncarnationActive attribute in that PIB instance MUST
be set to 'false'.
When the PDP installs an attribute frwkPibIncarnationActive
on the PEP that is 'true' in one PIB instance and if the
context belongs to the 'configuration contexts' set, the PEP
must ensure, re-setting the attribute if necessary, that the
frwkPibIncarnationActive attribute is 'false' in all other
contexts which belong to the 'configuration contexts' set."
::= { frwkPibIncarnationEntry 7 }
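Review bot: Both paragraphs define frwkPibIncarnationActive only for contexts in the 'configuration contexts' set; nothing says what the attribute means, or whether the PEP ignores it, when frwkPibIncarnationInCtxtSet is 'false', even though section 4.1 says the outsourcing contexts "are all active". Add a sentence covering that case. The two paragraphs also state the same rule twice with different keywords ("MUST become inactive" and "must ensure"); merge them and keep one strength.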
frwkPibIncarnationFullState OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"This attribute is interpreted only when sent in a COPS
request message from the PEP to the PDP. It does not have
any meaning when sent from the PDP to the PEP.
If this attribute is set to 'true' by the PEP, then the
request that the PEP sends to the PDP must be interpreted as
the complete configuration request for the PEP. The PDP must
in this case refresh the request information for the
handle that the request containing this PRI was received on.
If this attribute is set to 'false', then the
request PRIs sent in the request must be interpreted as
updates to the previous request PRIs sent using that handle.
See section 3.3 for details on updating request state
information."
REFERENCE
"RFC xxxx Section 2.3"
::= { frwkPibIncarnationEntry 8 } IMPORTS
Unsigned32, Integer32, MODULE-IDENTITY,
MODULE-COMPLIANCE, OBJECT-TYPE, OBJECT-GROUP, pib
FROM COPS-PR-SPPI
InstanceId, Prid
FROM COPS-PR-SPPI-TC
RoleCombination, PrcIdentifierOid, AttrIdentifierOrZero,
ClientType, ClientHandle
FROM FRAMEWORK-TC-PIB
InetAddress, InetAddressType,
InetAddressPrefixLength, InetPortNumber
FROM INET-ADDRESS-MIB
InterfaceIndex
FROM IF-MIB
DscpOrAny
FROM DIFFSERV-DSCP-TC
TruthValue, PhysAddress
FROM SNMPv2-TC
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB;
-- frameworkPib MODULE-IDENTITY
-- Device Identification Table SUBJECT-CATEGORIES { all }
-- LAST-UPDATED "200302130000Z" -- 13 Feb 2003
ORGANIZATION "IETF RAP WG"
CONTACT-INFO "
Keith McCloghrie
Cisco Systems, Inc.
170 West Tasman Drive,
San Jose, CA 95134-1706 USA
Phone: +1 408 526 5260
Email: kzm@cisco.com
frwkDeviceIdTable OBJECT-TYPE John Seligson
Nortel Networks, Inc.
4401 Great America Parkway
Santa Clara, CA 95054 USA
Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com
Ravi Sahita
Intel Labs.
2111 NE 25th Ave.
Framework Policy Information Base June 7, 2002 Hillsboro, OR 97124 USA
Phone: +1 503 712 1554
Email: ravi.sahita@intel.com
SYNTAX SEQUENCE OF FrwkDeviceIdEntry RAP WG Mailing list: rap@ops.ietf.org"
PIB-ACCESS notify
STATUS current
DESCRIPTION
"This PRC contains a single PRovisioning Instance that
contains general purpose device-specific information that is
used to facilitate efficient policy communication by a PDP.
The instance of this PRC is reported to the PDP in a COPS
request message so that the PDP can take into account
certain device characteristics during policy installation."
::= { frwkBasePibClasses 3 } DESCRIPTION
"A PIB module containing the base set of PRCs that
provide support for management of multiple PIB contexts,
association of roles to device capabilities and other
reusable PRCs. PEPs are required for to implement this
PIB if the above features are desired. This PIB defines
PRCs applicable to 'all' subject-categories.
frwkDeviceIdEntry OBJECT-TYPE Copyright (C) The Internet Society (2003). This version
SYNTAX FrwkDeviceIdEntry of this PIB module is part of RFC 3318; see the RFC
STATUS current itself for full legal notices."
DESCRIPTION REVISION "200302130000Z" -- 13 Feb 2003
"An instance of the frwkDeviceId class. Only one instance of DESCRIPTION
this PRC is ever instantiated." "Initial version, published in RFC 3318."
PIB-INDEX { frwkDeviceIdPrid } ::= { pib 2 }
::= { frwkDeviceIdTable 1 } --
-- The root OID for PRCs in the Framework PIB
--
FrwkDeviceIdEntry ::= SEQUENCE { frwkBasePibClasses
frwkDeviceIdPrid InstanceId, OBJECT IDENTIFIER ::= { frameworkPib 1 }
frwkDeviceIdDescr SnmpAdminString,
frwkDeviceIdMaxMsg Unsigned32,
frwkDeviceIdMaxContexts Unsigned32
}
frwkDeviceIdPrid OBJECT-TYPE --
SYNTAX InstanceId -- PRC Support Table
STATUS current --
DESCRIPTION frwkPrcSupportTable OBJECT-TYPE
"An index to uniquely identify an instance of this PRC." SYNTAX SEQUENCE OF FrwkPrcSupportEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
"Each instance of this PRC specifies a PRC that the device
supports and a bit string to indicate the attributes of the
class that are supported. These PRIs are sent to the PDP to
indicate to the PDP which PRCs, and which attributes of
these PRCs, the device supports.
::= { frwkDeviceIdEntry 1 } All install and install-notify PRCs supported by the device
must be represented in this PRC. Notify PRCs may be
represented for informational purposes."
frwkDeviceIdDescr OBJECT-TYPE ::= { frwkBasePibClasses 1 }
SYNTAX SnmpAdminString (SIZE (1..255))
STATUS current
DESCRIPTION
"A textual description of the PEP. This value should include
the name and version identification of the PEP's hardware
and software."
::= { frwkDeviceIdEntry 2 } frwkPrcSupportEntry OBJECT-TYPE
SYNTAX FrwkPrcSupportEntry
STATUS current
DESCRIPTION
"An instance of the frwkPrcSupport class that identifies a
specific PRC and associated attributes as supported
by the device."
Framework Policy Information Base June 7, 2002 PIB-INDEX { frwkPrcSupportPrid }
UNIQUENESS { frwkPrcSupportSupportedPrc }
frwkDeviceIdMaxMsg OBJECT-TYPE ::= { frwkPrcSupportTable 1 }
SYNTAX Unsigned32 (64..4294967295)
UNITS "octets"
STATUS current
DESCRIPTION
"The maximum COPS-PR message size, in octets, that the
device is capable of processing. Received messages with a
size in excess of this value must cause the PEP to return an
error to the PDP containing the global error code
'maxMsgSizeExceeded'. This is an additional error-avoidance
mechanism to allow the administrator to know the maximum
message size supported so that they have the ability to
control the message size of messages sent to the device.
This attribute must have a non-zero value. The device should
send the MAX value for Unsigned32 for this attribute if it
not defined."
DEFVAL { 4294967295 }
::= { frwkDeviceIdEntry 3 } FrwkPrcSupportEntry ::= SEQUENCE {
frwkPrcSupportPrid InstanceId,
frwkPrcSupportSupportedPrc PrcIdentifierOid,
frwkPrcSupportSupportedAttrs OCTET STRING
}
frwkDeviceIdMaxContexts OBJECT-TYPE frwkPrcSupportPrid OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX InstanceId
UNITS "contexts"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The maximum number of unique contexts supported by "An arbitrary integer index that uniquely identifies an
the device. This is an additional error-avoidance mechanism instance of the frwkPrcSupport class."
to allow the administrators to have the ability to know the
maximum number of contexts supported so that they can
control the number of configuration contexts they install on
the device. This attribute must have a non-zero value. The
device should send the MAX value for Unsigned32 for this
attribute if it not defined."
DEFVAL { 4294967295 }
::= { frwkDeviceIdEntry 4 }
-- ::= { frwkPrcSupportEntry 1 }
-- Component Limitations Table
--
frwkCompLimitsTable OBJECT-TYPE frwkPrcSupportSupportedPrc OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkCompLimitsEntry SYNTAX PrcIdentifierOid
PIB-ACCESS notify STATUS current
STATUS current DESCRIPTION
DESCRIPTION "The object identifier of a supported PRC. The value is the
"This PRC supports the ability to export information OID of the Entry object of the PRC definition. The Entry
detailing PRC/attribute implementation limitations to the Object definition of a PRC has an OID with value XxxTable.1
policy management system. Instances of this PRC apply only Where, XxxTable is the OID assigned to the PRC Table
for PRCs with access type 'install' or 'install-notify'. Object definition. There may not be more than one instance
of the frwkPrcSupport class with the same value of
frwkPrcSupportSupportedPrc."
Each instance of this PRC identifies a PRovisioning Class ::= { frwkPrcSupportEntry 2 }
Framework Policy Information Base June 7, 2002 frwkPrcSupportSupportedAttrs OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"A bit string representing the supported attributes of the
class that is identified by the frwkPrcSupportSupportedPrc
object.
or attribute and a limitation related to the implementation Each bit of this bit string corresponds to a class
of the class/attribute in the device. Additional information attribute, with the most significant bit of the i-th octet
providing guidance related to the limitation may also be of this octet string corresponding to the (8*i - 7)-th
present. These PRIs are sent to the PDP to indicate which attribute, and the least significant bit of the i-th octet
PRCs or PRC attributes the device supports in a restricted corresponding to the (8*i)-th class attribute. Each bit
manner." specifies whether or not the corresponding class attribute
is currently supported, with a '1' indicating support and a
'0' indicating no support.
::= { frwkBasePibClasses 4 } If the value of this bit string is N bits long and there are
more than N class attributes then the bit string is
logically extended with 0's to the required length.
On the other hand, If the PDP receives a bit string of
length N and there are less that N class attributes then the
PDP should ignore the extra bits in the bit string, i.e.,
assume those attributes are unsupported."
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084, section
2.2.1."
frwkCompLimitsEntry OBJECT-TYPE ::= { frwkPrcSupportEntry 3 }
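Review bot: frwkPrcSupportSupportedAttrs is declared as a bare "SYNTAX OCTET STRING" with no SIZE clause, and the only rule for surplus bits is the lowercase "the PDP should ignore the extra bits in the bit string". A PDP that maps bit positions onto attribute numbers therefore has no stated upper bound on what a PEP may send and no mandatory requirement to stop at the class's attribute count. Suggest adding a SIZE bound, as frwkPibIncarnationId does with "OCTET STRING (SIZE (0..255))", and making the ignore rule a "must". In the same paragraph, "On the other hand, If" should be lower-case "if", and "less that N class attributes" should read "fewer than N class attributes".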
SYNTAX FrwkCompLimitsEntry
STATUS current
DESCRIPTION
"An instance of the frwkCompLimits class that identifies
a PRC or PRC attribute and a limitation related to the PRC
or PRC attribute implementation supported by the device.
COPS-PR lists the error codes that MUST be returned (if
applicable)for policy installation that don't abide by the
restrictions indicated by the limitations exported. [SPPI]
defines an INSTALL-ERRORS clause that allows PIB designers
to define PRC specific error codes that can be returned for
policy installation. This allows efficient debugging of PIB
implementations."
REFERENCE
"COPS Usage for Policy Provisioning. [COPS-PR]."
PIB-INDEX { frwkCompLimitsPrid } --
UNIQUENESS { frwkCompLimitsComponent, -- PIB Incarnation Table
frwkCompLimitsAttrPos, --
frwkCompLimitsNegation, frwkPibIncarnationTable OBJECT-TYPE
frwkCompLimitsType, SYNTAX SEQUENCE OF FrwkPibIncarnationEntry
frwkCompLimitsSubType, PIB-ACCESS install-notify
frwkCompLimitsGuidance } STATUS current
DESCRIPTION
"This PRC contains a single PRovisioning Instance per
installed context that identifies the current incarnation
of the PIB and the PDP or network manager that installed
this incarnation. The instance of this PRC is reported to
the PDP in the REQ message so that the PDP can (attempt to)
ascertain the current state of the PIB. A network manager
may use the instance to determine the state of the device."
::= { frwkCompLimitsTable 1 } ::= { frwkBasePibClasses 2 }
FrwkCompLimitsEntry ::= SEQUENCE { frwkPibIncarnationEntry OBJECT-TYPE
frwkCompLimitsPrid InstanceId, SYNTAX FrwkPibIncarnationEntry
frwkCompLimitsComponent PrcIdentifierOid, STATUS current
frwkCompLimitsAttrPos AttrIdentifier, DESCRIPTION
frwkCompLimitsNegation TruthValue, "An instance of the frwkPibIncarnation class. Only
frwkCompLimitsType INTEGER, one instance of this PRC is ever instantiated per context"
frwkCompLimitsSubType INTEGER,
frwkCompLimitsGuidance OCTET STRING
}
frwkCompLimitsPrid OBJECT-TYPE PIB-INDEX { frwkPibIncarnationPrid }
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An arbitrary integer index that uniquely identifies an
instance of the frwkCompLimits class."
::= { frwkCompLimitsEntry 1 } ::= { frwkPibIncarnationTable 1 }
Framework Policy Information Base June 7, 2002 FrwkPibIncarnationEntry ::= SEQUENCE {
frwkPibIncarnationPrid InstanceId,
frwkPibIncarnationName SnmpAdminString,
frwkPibIncarnationId OCTET STRING,
frwkPibIncarnationLongevity INTEGER,
frwkPibIncarnationTtl Unsigned32,
frwkPibIncarnationInCtxtSet TruthValue,
frwkPibIncarnationActive TruthValue,
frwkPibIncarnationFullState TruthValue
}
frwkCompLimitsComponent OBJECT-TYPE frwkPibIncarnationPrid OBJECT-TYPE
SYNTAX PrcIdentifierOid SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value is the OID of a PRC (the table entry) which is "An index to uniquely identify an instance of this PRC."
supported in some limited fashion or contains an attribute
that is supported in some limited fashion with regard to
it's definition in the associated PIB module. The same OID
may appear in the table several times, once for each
implementation limitation acknowledged by the device."
::= { frwkCompLimitsEntry 2 } ::= { frwkPibIncarnationEntry 1 }
frwkCompLimitsAttrPos OBJECT-TYPE frwkPibIncarnationName OBJECT-TYPE
SYNTAX AttrIdentifier SYNTAX SnmpAdminString (SIZE (0..255))
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The relative position of the attribute within the PRC "The name of the PDP that installed the current incarnation
specified by the frwkCompLimitsComponent. A value of 1 would of the PIB into the device. A zero-length string value for
represent the first columnar object in the PRC and a value this type implies the PDP has not assigned this type any
of N would represent the Nth columnar object in the PRC. A value. By default, it is the zero length string."
value of zero (0) indicates that the limit applies to the
PRC itself and not to a specific attribute."
::= { frwkCompLimitsEntry 3 } ::= { frwkPibIncarnationEntry 2 }
frwkCompLimitsNegation OBJECT-TYPE frwkPibIncarnationId OBJECT-TYPE
SYNTAX TruthValue SYNTAX OCTET STRING (SIZE (0..255))
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A boolean value ,if 'true', negates the component limit "An ID to identify the current incarnation. It has meaning
exported." to the PDP/manager that installed the PIB and perhaps its
standby PDPs/managers. A zero-length string value for
this type implies the PDP has not assigned this type any
value. By default, it is the zero-length string."
::= { frwkCompLimitsEntry 4 } ::= { frwkPibIncarnationEntry 3 }
frwkCompLimitsType OBJECT-TYPE frwkPibIncarnationLongevity OBJECT-TYPE
SYNTAX INTEGER { SYNTAX INTEGER {
priSpaceLimited(1), expireNever(1),
attrValueSupLimited(2), expireImmediate(2),
attrEnumSupLimited(3), expireOnTimeout(3)
attrLengthLimited(4), }
prcLimitedNotify(5) STATUS current
} DESCRIPTION
STATUS current "This attribute controls what the PEP does with the
DESCRIPTION downloaded policy on a Client Close message or a loss of
"A value describing an implementation limitation for the connection to the PDP.
device related to the PRC or PRC attribute identified by
the frwkCompLimitsComponent and the frwkCompLimitsAttrPos
attributes.
Framework Policy Information Base June 7, 2002 If set to expireNever, the PEP continues to operate with the
installed policy indefinitely. If set to expireImmediate,
the PEP immediately expires the policy obtained from the PDP
and installs policy from local configuration. If set to
expireOnTimeout, the PEP continues to operate with the
policy installed by the PDP for a period of time specified
by frwkPibIncarnationTtl. After this time (and it has not
reconnected to the original or new PDP) the PEP expires this
policy and reverts to local configuration.
Values for this object are one of the following: For all cases, it is the responsibility of the PDP to check
the incarnation and download new policy, if necessary, on a
reconnect. On receiving a Remove-State for the active
context, this attribute value MUST be ignored and the PEP
should expire the policy in that active context immediately.
Policy enforcement timing only applies to policies that have
been installed dynamically (e.g., by a PDP via COPS)."
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084."
priSpaceLimited(1) - No more instances than that specified ::= { frwkPibIncarnationEntry 4 }
by the guidance value may be installed in the given class.
The component identified MUST be a valid PRC. The SubType
used MUST be valueOnly(9).
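Review bot: in the frwkPibIncarnationLongevity DESCRIPTION, the Remove-State sentence mixes requirement levels: "this attribute value MUST be ignored and the PEP should expire the policy in that active context immediately". If ignoring the attribute is mandatory, the expiry that follows from it should be stated at the same level; otherwise a PEP can ignore the attribute and still keep the policy. The expireNever case also deserves a sentence: the text says the PEP "continues to operate with the installed policy indefinitely" and leaves re-validation to the PDP "on a reconnect", so a PEP that never reconnects enforces the last downloaded policy without bound.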
attrValueSupLimited(2) - Limited values are acceptable for frwkPibIncarnationTtl OBJECT-TYPE
the identified component. The component identified MUST be a SYNTAX Unsigned32
valid PRC attribute. The guidance OCTET STRING will be UNITS "seconds"
decoded according to the attribute type. STATUS current
DESCRIPTION
"The number of seconds after a Client Close or TCP timeout
for which the PEP continues to enforce the policy in the
PIB. After this interval, the PIB is considered expired and
the device no longer enforces the policy installed in the
PIB.
attrEnumSupLimited(3) - Limited enumeration values are legal This attribute is only meaningful if
for the identified component. The attribute identified MUST frwkPibIncarnationLongevity is set to expireOnTimeout."
be a valid enum type.
attrLengthLimited(4) - The length of the specified ::= { frwkPibIncarnationEntry 5 }
value for the identified component is limited. The component
identified MUST be a valid PRC attribute of base-type OCTET
STRING.
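Review bot: frwkPibIncarnationTtl is "SYNTAX Unsigned32" with UNITS "seconds" but carries no range and no DEFVAL, while frwkDeviceIdMaxMsg and frwkDeviceIdMaxContexts in this module both state one. The DESCRIPTION does not say what a value of 0 means when frwkPibIncarnationLongevity is expireOnTimeout, nor that the PEP must disregard the value for the other two longevity settings; "only meaningful if" leaves that to the implementer. Suggest stating the zero case and adding a DEFVAL.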
prcLimitedNotify (5) - The component is currently limited frwkPibIncarnationInCtxtSet OBJECT-TYPE
for use by request or report messages prohibiting decision SYNTAX TruthValue
installation. The component identified must be a valid PRC." STATUS current
DESCRIPTION
"When the PDP installs a PRI with this flag set to 'true' it
implies this context belongs to the set of contexts out of
which at the most one context can be active at a given time.
If this attribute is set to 'false' this context is one of
the outsourcing (simultaneous active) contexts on the PEP.
::= { frwkCompLimitsEntry 5 } This attribute is 'true' for all contexts belong to the set
of configuration contexts. Within the configuration context
set, one context can be active identified by the
frwkPibIncarnationActive attribute."
REFERENCE
"TruthValue Textual Convention, defined in RFC 2579."
::= { frwkPibIncarnationEntry 6 }
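Review bot: the two paragraphs of the frwkPibIncarnationInCtxtSet DESCRIPTION do not agree on cardinality. The first says "at the most one context can be active at a given time", the second says "Within the configuration context set, one context can be active", which leaves open whether a PEP may have zero active configuration contexts. Suggest using "at most one" in both places. The second paragraph also needs a grammar pass: "for all contexts belong to the set" should be "for all contexts belonging to the set", and "one context can be active identified by" needs a comma or "as identified by".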
frwkCompLimitsSubType OBJECT-TYPE frwkPibIncarnationActive OBJECT-TYPE
SYNTAX INTEGER { SYNTAX TruthValue
none(1), STATUS current
lengthMin(2), DESCRIPTION
lengthMax(3), "When the PDP installs a PRI on the PEP with this attribute
rangeMin(4), set to 'true' and if this context belongs to the
rangeMax(5), 'configuration contexts' set, i.e., the
enumMin(6), frwkPibIncarnationInCtxtSet is set to 'true', then the PIB
enumMax(7), instance to which this PRI belongs must become the active
enumOnly(8), PIB instance. In this case, the previous active instance
valueOnly(9), from this set MUST become inactive and the
bitMask(10) frwkPibIncarnationActive attribute in that PIB instance MUST
} be set to 'false'.
STATUS current
DESCRIPTION
"This object indicates the type of guidance related
to the noted limitation (as indicated by the
frwkCompLimitsType attribute) that is provided
in the frwkCompLimitsGuidance attribute.
A value of 'none(1)' means that no additional When the PDP installs an attribute frwkPibIncarnationActive
guidance is provided for the noted limitation type. on the PEP that is 'true' in one PIB instance and if the
context belongs to the 'configuration contexts' set, the PEP
must ensure, re-setting the attribute if necessary, that the
frwkPibIncarnationActive attribute is 'false' in all other
contexts which belong to the 'configuration contexts' set."
A value of 'lengthMin(2)' means that the guidance ::= { frwkPibIncarnationEntry 7 }
attribute provides data related to the minimum
Framework Policy Information Base June 7, 2002 frwkPibIncarnationFullState OBJECT-TYPE
SYNTAX TruthValue
STATUS current
DESCRIPTION
"This attribute is interpreted only when sent in a COPS
request message from the PEP to the PDP. It does not have
any meaning when sent from the PDP to the PEP.
acceptable length for the value of the identified If this attribute is set to 'true' by the PEP, then the
component. A corresponding class instance request that the PEP sends to the PDP must be interpreted as
specifying the 'lengthMax(3)' value is required the complete configuration request for the PEP. The PDP must
in conjunction with this sub-type. in this case refresh the request information for the
handle that the request containing this PRI was received on.
If this attribute is set to 'false', then the
request PRIs sent in the request must be interpreted as
updates to the previous request PRIs sent using that handle.
See section 3.3 for details on updating request state
information."
REFERENCE
"RFC 3318 Section 2.3"
A value of 'lengthMax(3)' means that the guidance ::= { frwkPibIncarnationEntry 8 }
attribute provides data related to the maximum
acceptable length for the value of the identified
component. A corresponding class instance
specifying the 'lengthMin(2)' value is required
in conjunction with this sub-type.
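Review bot: in frwkPibIncarnationFullState the DESCRIPTION ends with "See section 3.3 for details on updating request state information" while the REFERENCE clause points to "RFC 3318 Section 2.3". The placeholder "RFC xxxx" was filled in, but the two section numbers still disagree, so one of them is stale. Separately, the attribute "does not have any meaning when sent from the PDP to the PEP", yet frwkPibIncarnationTable is "PIB-ACCESS install-notify", so a PDP can install it; the text should say that the PEP ignores the installed value.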
A value of 'rangeMin(4)' means that the guidance --
attribute provides data related to the lower bound -- Device Identification Table
of the range for the value of the identified --
component. A corresponding class instance
specifying the 'rangeMax(5)' value is required
in conjunction with this sub-type.
A value of 'rangeMax(5)' means that the guidance frwkDeviceIdTable OBJECT-TYPE
attribute provides data related to the upper bound
of the range for the value of the identified
component. A corresponding class instance
specifying the 'rangeMin(4)' value is required
in conjunction with this sub-type.
A value of 'enumMin(6)' means that the guidance SYNTAX SEQUENCE OF FrwkDeviceIdEntry
attribute provides data related to the lowest PIB-ACCESS notify
enumeration acceptable for the value of the STATUS current
identified component. A corresponding DESCRIPTION
class instance specifying the 'enumMax(7)' "This PRC contains a single PRovisioning Instance that
value is required in conjunction with this sub-type. contains general purpose device-specific information that is
used to facilitate efficient policy communication by a PDP.
The instance of this PRC is reported to the PDP in a COPS
request message so that the PDP can take into account
certain device characteristics during policy installation."
A value of 'enumMax(7)' means that the guidance ::= { frwkBasePibClasses 3 }
attribute provides data related to the largest
enumeration acceptable for the value of the
identified component. A corresponding
class instance specifying the 'enumMin(6)'
value is required in conjunction with this sub-type.
A value of 'enumOnly(8)' means that the guidance frwkDeviceIdEntry OBJECT-TYPE
attribute provides data related to a single SYNTAX FrwkDeviceIdEntry
enumeration acceptable for the value of the STATUS current
identified component. DESCRIPTION
"An instance of the frwkDeviceId class. Only one instance of
this PRC is ever instantiated."
A value of 'valueOnly(9)' means that the guidance PIB-INDEX { frwkDeviceIdPrid }
attribute provides data related to a single
value that is acceptable for the identified
component.
A value of 'bitMask(10)' means that the guidance ::= { frwkDeviceIdTable 1 }
attribute is a bit mask such that all the combinations of
bits set in the bitmask are acceptable values for the
identified component which should be an attribute of type
Framework Policy Information Base June 7, 2002 FrwkDeviceIdEntry ::= SEQUENCE {
frwkDeviceIdPrid InstanceId,
frwkDeviceIdDescr SnmpAdminString,
frwkDeviceIdMaxMsg Unsigned32,
frwkDeviceIdMaxContexts Unsigned32
}
'BITS'. frwkDeviceIdPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this PRC."
For example, an implementation of the frwkIpFilter class may ::= { frwkDeviceIdEntry 1 }
be limited in several ways, such as address mask, protocol
and Layer 4 port options. These limitations could be
exported using this PRC with the following instances:
Component Type Sub-Type Guidance frwkDeviceIdDescr OBJECT-TYPE
------------------------------------------------------------ SYNTAX SnmpAdminString (SIZE (1..255))
DstPrefixLength attrValueSupLimited valueOnly 24 STATUS current
SrcPrefixLength attrValueSupLimited valueOnly 24 DESCRIPTION
Protocol attrValueSupLimited rangeMin 10 "A textual description of the PEP. This value should include
Protocol attrValueSupLimited rangeMax 20 the name and version identification of the PEP's hardware
and software."
The above entries describe a number of limitations that ::= { frwkDeviceIdEntry 2 }
may be in effect for the frwkIpFilter class on a given
device. The limitations include restrictions on acceptable
values for certain attributes.
Also, an implementation of a PRC may be limited in the ways frwkDeviceIdMaxMsg OBJECT-TYPE
it can be accessed. For instance, for a fictitious PRC SYNTAX Unsigned32 (64..4294967295)
dscpMapEntry, which has a PIB-ACCESS of 'install-notify': UNITS "octets"
STATUS current
DESCRIPTION
"The maximum COPS-PR message size, in octets, that the
device is capable of processing. Received messages with a
size in excess of this value must cause the PEP to return an
error to the PDP containing the global error code
'maxMsgSizeExceeded'. This is an additional error-avoidance
mechanism to allow the administrator to know the maximum
message size supported so that they have the ability to
control the message size of messages sent to the device.
This attribute must have a non-zero value. The device should
send the MAX value for Unsigned32 for this attribute if it
not defined."
DEFVAL { 4294967295 }
Component Type SubType Guidance ::= { frwkDeviceIdEntry 3 }
------------------------------------------------------------
dscpMapEntry prcLimitedNotify none zero-length string."
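Review bot: in frwkDeviceIdMaxMsg the sentence "This attribute must have a non-zero value" is redundant with "SYNTAX Unsigned32 (64..4294967295)", which already excludes everything below 64; drop it or restate it as the 64-octet minimum. "if it not defined" is missing "is". The "DEFVAL { 4294967295 }" also means a PEP that leaves this unset advertises no practical limit, so the 'maxMsgSizeExceeded' check described above it never fires for that device; the DESCRIPTION should recommend reporting the real limit where one exists. The same wording appears in frwkDeviceIdMaxContexts.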
::= { frwkCompLimitsEntry 6 } frwkDeviceIdMaxContexts OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
UNITS "contexts"
STATUS current
DESCRIPTION
"The maximum number of unique contexts supported by
the device. This is an additional error-avoidance mechanism
to allow the administrators to have the ability to know the
maximum number of contexts supported so that they can
control the number of configuration contexts they install on
the device. This attribute must have a non-zero value. The
device should send the MAX value for Unsigned32 for this
attribute if it not defined."
DEFVAL { 4294967295 }
frwkCompLimitsGuidance OBJECT-TYPE ::= { frwkDeviceIdEntry 4 }
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"A value used to convey additional information related
to the implementation limitation. Note that a guidance
value will not necessarily be provided for all exported
limitations. If a guidance value is not provided, the
value must be a zero-length string.
The format of the guidance value, if one is present as --
indicated by the frwkCompLimitsSubType attribute, -- Component Limitations Table
is described by the following table. Note that the --
format of guidance value is dictated by the base-type of
the component whose limitation is being exported,
interpreted in the context of the frwkCompLimitsType and
frwkCompLimitsSubType values. Any other restrictions
(such as size/range/enumerated value) on the guidance
value MUST be complied with according to the definition
of the component for which guidance is being specified.
Note that numbers are encoded in network byte order. frwkCompLimitsTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkCompLimitsEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
"This PRC supports the ability to export information
detailing PRC/attribute implementation limitations to the
policy management system. Instances of this PRC apply only
for PRCs with access type 'install' or 'install-notify'.
Base Type Value Each instance of this PRC identifies a PRovisioning Class
--------- ----- or attribute and a limitation related to the implementation
of the class/attribute in the device. Additional information
providing guidance related to the limitation may also be
present. These PRIs are sent to the PDP to indicate which
PRCs or PRC attributes the device supports in a restricted
manner."
Framework Policy Information Base June 7, 2002 ::= { frwkBasePibClasses 4 }
Unsigned32/Integer32/INTEGER 32-bit value. frwkCompLimitsEntry OBJECT-TYPE
Unsigned64/Integer64 64-bit Value. SYNTAX FrwkCompLimitsEntry
OCTET STRING octets of data. STATUS current
OID 32-bit OID components. DESCRIPTION
BITS Binary octets of length "An instance of the frwkCompLimits class that identifies
same as Component specified." a PRC or PRC attribute and a limitation related to the PRC
or PRC attribute implementation supported by the device.
COPS-PR lists the error codes that MUST be returned (if
applicable)for policy installation that don't abide by the
restrictions indicated by the limitations exported. [SPPI]
defines an INSTALL-ERRORS clause that allows PIB designers
to define PRC specific error codes that can be returned for
policy installation. This allows efficient debugging of PIB
implementations."
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084."
::= { frwkCompLimitsEntry 7 } PIB-INDEX { frwkCompLimitsPrid }
UNIQUENESS { frwkCompLimitsComponent,
frwkCompLimitsAttrPos,
frwkCompLimitsNegation,
frwkCompLimitsType,
frwkCompLimitsSubType,
frwkCompLimitsGuidance }
-- ::= { frwkCompLimitsTable 1 }
-- Complete Reference specification table
--
frwkReferenceTable OBJECT-TYPE FrwkCompLimitsEntry ::= SEQUENCE {
SYNTAX SEQUENCE OF FrwkReferenceEntry frwkCompLimitsPrid InstanceId,
PIB-ACCESS install-notify frwkCompLimitsComponent PrcIdentifierOid,
STATUS current frwkCompLimitsAttrPos AttrIdentifierOrZero,
DESCRIPTION frwkCompLimitsNegation TruthValue,
"Each instance of this PRC specifies a reference to a PRI frwkCompLimitsType INTEGER,
in a specific PIB context (handle) for a specific client- frwkCompLimitsSubType INTEGER,
type. This table gives the PDP the ability to set up frwkCompLimitsGuidance OCTET STRING
policies that span installed contexts and the PEP the }
ability to reference instances in another, perhaps
configured context. The PEP must send a
'attrReferenceUnknown' COPS-PR error to the PDP if it
encounters an invalid reference. "
REFERENCE "[COPS-PR] error codes section 4.5."
::= { frwkBasePibClasses 5 } frwkCompLimitsPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An arbitrary integer index that uniquely identifies an
instance of the frwkCompLimits class."
frwkReferenceEntry OBJECT-TYPE ::= { frwkCompLimitsEntry 1 }
SYNTAX FrwkReferenceEntry
STATUS current
DESCRIPTION
"Entry specification for the frwkReferenceTable."
PIB-INDEX { frwkReferencePrid } frwkCompLimitsComponent OBJECT-TYPE
UNIQUENESS { } SYNTAX PrcIdentifierOid
STATUS current
DESCRIPTION
"The value is the OID of a PRC (the table entry) which is
supported in some limited fashion or contains an attribute
that is supported in some limited fashion with regard to
it's definition in the associated PIB module. The same OID
may appear in the table several times, once for each
implementation limitation acknowledged by the device."
::= { frwkReferenceTable 1 } ::= { frwkCompLimitsEntry 2 }
FrwkReferenceEntry ::= SEQUENCE { frwkCompLimitsAttrPos OBJECT-TYPE
frwkReferencePrid InstanceId, SYNTAX AttrIdentifierOrZero
frwkReferenceClientType ClientType, STATUS current
frwkReferenceClientHandle ClientHandle, DESCRIPTION
frwkReferenceInstance Prid "The relative position of the attribute within the PRC
} specified by the frwkCompLimitsComponent. A value of 1 would
represent the first columnar object in the PRC and a value
of N would represent the Nth columnar object in the PRC. A
value of zero (0) indicates that the limit applies to the
PRC itself and not to a specific attribute."
Framework Policy Information Base June 7, 2002 ::= { frwkCompLimitsEntry 3 }
frwkReferencePrid OBJECT-TYPE frwkCompLimitsNegation OBJECT-TYPE
SYNTAX InstanceId SYNTAX TruthValue
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies an "A boolean value ,if 'true', negates the component limit
instance of the frwkReference class." exported."
::= { frwkReferenceEntry 1 } ::= { frwkCompLimitsEntry 4 }
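Review bot: the frwkCompLimitsNegation DESCRIPTION, "A boolean value ,if 'true', negates the component limit exported.", does not define what negation means for each frwkCompLimitsType and frwkCompLimitsSubType. It is unclear how a PDP should read a negated priSpaceLimited row, or a negated rangeMin without its paired rangeMax, and because the attribute is part of the UNIQUENESS clause two rows that differ only in negation are both legal. Suggest spelling out the negated meaning per type, or restricting the types it applies to, and fixing the misplaced space in "value ,if".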
frwkReferenceClientType OBJECT-TYPE frwkCompLimitsType OBJECT-TYPE
SYNTAX ClientType SYNTAX INTEGER {
STATUS current priSpaceLimited(1),
DESCRIPTION attrValueSupLimited(2),
"Is unused if set to zero else specifies a client-type for attrEnumSupLimited(3),
which the reference is to be interpreted. This non-zero attrLengthLimited(4),
client-type must be activated explicitly via a separate prcLimitedNotify(5)
COPS client-open else this attribute is not valid." }
STATUS current
DESCRIPTION
"A value describing an implementation limitation for the
device related to the PRC or PRC attribute identified by
the frwkCompLimitsComponent and the frwkCompLimitsAttrPos
attributes.
::= { frwkReferenceEntry 2 } Values for this object are one of the following:
frwkReferenceClientHandle OBJECT-TYPE priSpaceLimited(1) - No more instances than that specified
SYNTAX ClientHandle by the guidance value may be installed in the given class.
STATUS current The component identified MUST be a valid PRC. The SubType
DESCRIPTION used MUST be valueOnly(9).
"Must be set to specify a valid client-handle in the scope
of the client-type specified."
::= { frwkReferenceEntry 3 } attrValueSupLimited(2) - Limited values are acceptable for
the identified component. The component identified MUST be a
valid PRC attribute. The guidance OCTET STRING will be
decoded according to the attribute type.
frwkReferenceInstance OBJECT-TYPE attrEnumSupLimited(3) - Limited enumeration values are legal
SYNTAX Prid for the identified component. The attribute identified MUST
STATUS current be a valid enum type.
DESCRIPTION
"References a PRI in the context identified by
frwkReferenceClientHandle for client-type identified by
frwkReferenceClientType."
::= { frwkReferenceEntry 4 } attrLengthLimited(4) - The length of the specified
value for the identified component is limited. The component
identified MUST be a valid PRC attribute of base-type OCTET
STRING.
-- prcLimitedNotify (5) - The component is currently limited
-- Error specification table for use by request or report messages prohibiting decision
-- installation. The component identified must be a valid PRC."
frwkErrorTable OBJECT-TYPE ::= { frwkCompLimitsEntry 5 }
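Review bot: in the frwkCompLimitsType DESCRIPTION, the prcLimitedNotify(5) clause says "The component identified must be a valid PRC" with a lowercase "must", while the clauses for priSpaceLimited(1) through attrLengthLimited(4) use "MUST"; the requirement level should be the same across all five. Only priSpaceLimited(1) names the SubType it requires ("The SubType used MUST be valueOnly(9)"). The other four values leave the permitted frwkCompLimitsSubType values unstated, so a PDP has no basis for rejecting a mismatched Type/SubType pair. Suggest listing the allowed SubTypes for each Type here.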
SYNTAX SEQUENCE OF FrwkErrorEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Each instance of this PRC specifies a class specific
Framework Policy Information Base June 7, 2002 frwkCompLimitsSubType OBJECT-TYPE
SYNTAX INTEGER {
none(1),
lengthMin(2),
lengthMax(3),
rangeMin(4),
rangeMax(5),
enumMin(6),
enumMax(7),
enumOnly(8),
valueOnly(9),
bitMask(10)
}
STATUS current
DESCRIPTION
"This object indicates the type of guidance related
to the noted limitation (as indicated by the
frwkCompLimitsType attribute) that is provided
in the frwkCompLimitsGuidance attribute.
error object. Instances of this PRC are transient, i.e., A value of 'none(1)' means that no additional
instances received in a COPS decision message must not to be guidance is provided for the noted limitation type.
maintained by the PEP in its copy of the PIB instances. This
PRC allows a PDP to send error information to the PEP if the
PDP cannot process updates to a Request successfully."
::= { frwkBasePibClasses 6 } A value of 'lengthMin(2)' means that the guidance
attribute provides data related to the minimum
acceptable length for the value of the identified
component. A corresponding class instance
specifying the 'lengthMax(3)' value is required
in conjunction with this sub-type.
frwkErrorEntry OBJECT-TYPE A value of 'lengthMax(3)' means that the guidance
SYNTAX FrwkErrorEntry attribute provides data related to the maximum
STATUS current acceptable length for the value of the identified
DESCRIPTION component. A corresponding class instance
"Entry specification for the frwkErrorTable." specifying the 'lengthMin(2)' value is required
in conjunction with this sub-type.
PIB-INDEX { frwkErrorPrid } A value of 'rangeMin(4)' means that the guidance
UNIQUENESS { attribute provides data related to the lower bound
frwkErrorCode, of the range for the value of the identified
frwkErrorSubCode, component. A corresponding class instance
frwkErrorPrc, specifying the 'rangeMax(5)' value is required
frwkErrorInstance in conjunction with this sub-type.
}
::= { frwkErrorTable 1 } A value of 'rangeMax(5)' means that the guidance
attribute provides data related to the upper bound
of the range for the value of the identified
component. A corresponding class instance
specifying the 'rangeMin(4)' value is required
in conjunction with this sub-type.
FrwkErrorEntry ::= SEQUENCE { A value of 'enumMin(6)' means that the guidance
frwkErrorPrid InstanceId, attribute provides data related to the lowest
frwkErrorCode Unsigned32, enumeration acceptable for the value of the
frwkErrorSubCode Unsigned32, identified component. A corresponding
frwkErrorPrc PrcIdentifierOid, class instance specifying the 'enumMax(7)'
frwkErrorInstance InstanceId value is required in conjunction with this sub-type.
}
frwkErrorPrid OBJECT-TYPE A value of 'enumMax(7)' means that the guidance
SYNTAX InstanceId attribute provides data related to the largest
STATUS current enumeration acceptable for the value of the
DESCRIPTION identified component. A corresponding
"An arbitrary integer index that uniquely identifies an class instance specifying the 'enumMin(6)'
instance of the frwkError class." value is required in conjunction with this sub-type.
::= { frwkErrorEntry 1 } A value of 'enumOnly(8)' means that the guidance
attribute provides data related to a single
enumeration acceptable for the value of the
identified component.
frwkErrorCode OBJECT-TYPE A value of 'valueOnly(9)' means that the guidance
SYNTAX Unsigned32 (0..65535) attribute provides data related to a single
STATUS current value that is acceptable for the identified
DESCRIPTION component.
"Error code defined in COPS-PR CPERR object."
REFERENCE
"COPS Usage for Policy Provisioning. [COPS-PR]."
::= { frwkErrorEntry 2 } A value of 'bitMask(10)' means that the guidance
attribute is a bit mask such that all the combinations of
bits set in the bitmask are acceptable values for the
identified component which should be an attribute of type
Framework Policy Information Base June 7, 2002 'BITS'.
frwkErrorSubCode OBJECT-TYPE For example, an implementation of the frwkIpFilter class may
SYNTAX Unsigned32 (0..65535) be limited in several ways, such as address mask, protocol
STATUS current and Layer 4 port options. These limitations could be
DESCRIPTION exported using this PRC with the following instances:
"The class-specific error object is used to communicate
errors relating to specific PRCs."
::= { frwkErrorEntry 3 } Component Type Sub-Type Guidance
------------------------------------------------------------
DstPrefixLength attrValueSupLimited valueOnly 24
SrcPrefixLength attrValueSupLimited valueOnly 24
Protocol attrValueSupLimited rangeMin 10
Protocol attrValueSupLimited rangeMax 20
The above entries describe a number of limitations that
may be in effect for the frwkIpFilter class on a given
device. The limitations include restrictions on acceptable
values for certain attributes.
frwkErrorPrc OBJECT-TYPE Also, an implementation of a PRC may be limited in the ways
SYNTAX PrcIdentifierOid it can be accessed. For instance, for a fictitious PRC
STATUS current dscpMapEntry, which has a PIB-ACCESS of 'install-notify':
DESCRIPTION
"The PRC due to which the error specified by codes
(frwkErrorCode , frwkErrorSubCode) occurred."
::= { frwkErrorEntry 4 } Component Type SubType Guidance
------------------------------------------------------------
dscpMapEntry prcLimitedNotify none zero-length string."
frwkErrorInstance OBJECT-TYPE ::= { frwkCompLimitsEntry 6 }
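Review bot: the paired sub-types in the frwkCompLimitsSubType DESCRIPTION (lengthMin/lengthMax, rangeMin/rangeMax, enumMin/enumMax) each say the counterpart instance "is required in conjunction with this sub-type", but nothing says how a PDP treats an instance whose counterpart is missing, or a pair whose minimum exceeds its maximum. Suggest stating the expected handling, for example ignoring the limitation or treating the report as an error, so that implementations do not diverge on malformed capability reports. The bitMask(10) clause also says the component "should be an attribute of type 'BITS'" where the frwkCompLimitsType clauses use MUST for the equivalent constraint.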
SYNTAX InstanceId
STATUS current
DESCRIPTION
"The PRI of the identified PRC (frwkErrorPrc) due to which
the error specified by codes (frwkErrorCode ,
frwkErrorSubCode) occurred. Must be set to zero if unused."
::= { frwkErrorEntry 5 } frwkCompLimitsGuidance OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"A value used to convey additional information related
to the implementation limitation. Note that a guidance
value will not necessarily be provided for all exported
limitations. If a guidance value is not provided, the
value must be a zero-length string.
-- The format of the guidance value, if one is present as
-- The device capabilities and role combo classes group indicated by the frwkCompLimitsSubType attribute,
-- is described by the following table. Note that the
format of guidance value is dictated by the base-type of
the component whose limitation is being exported,
interpreted in the context of the frwkCompLimitsType and
frwkCompLimitsSubType values. Any other restrictions
(such as size/range/enumerated value) on the guidance
value MUST be complied with according to the definition
of the component for which guidance is being specified.
frwkDeviceCapClasses Note that numbers are encoded in network byte order.
OBJECT IDENTIFIER ::= { frameworkPib 2 }
-- Base Type Value
-- Capability Set Table --------- -----
-- Unsigned32/Integer32/INTEGER 32-bit value.
Unsigned64/Integer64 64-bit Value.
OCTET STRING octets of data.
OID 32-bit OID components.
BITS Binary octets of length
same as Component specified."
frwkCapabilitySetTable OBJECT-TYPE ::= { frwkCompLimitsEntry 7 }
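Review bot: frwkCompLimitsGuidance is declared as a bare "SYNTAX OCTET STRING" with no SIZE clause, and the expected width comes only from the base-type table in the DESCRIPTION ("32-bit value", "64-bit Value", "32-bit OID components"). Because the value is decoded by the component's base type rather than being self-describing, the text should say what a receiver does when the octet count does not match that width, such as a 3-octet value for an Unsigned32 component or an OID guidance whose length is not a multiple of four. Suggest one sentence requiring the receiver to check the length against the base type before decoding and to discard the instance on mismatch.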
SYNTAX SEQUENCE OF FrwkCapabilitySetEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
Framework Policy Information Base June 7, 2002 --
-- Complete Reference specification table
--
"This PRC describes the capability sets that exist on the frwkReferenceTable OBJECT-TYPE
interfaces on the device. The capability set is given a SYNTAX SEQUENCE OF FrwkReferenceEntry
unique name that identifies a set. These capability set PIB-ACCESS install-notify
names are used by the PDP to determine policy information to STATUS current
be associated with interfaces that possess similar sets of DESCRIPTION
capabilities." "Each instance of this PRC specifies a reference to a PRI
in a specific PIB context (handle) for a specific client-
type. This table gives the PDP the ability to set up
policies that span installed contexts and the PEP the
ability to reference instances in another, perhaps
configured context. The PEP must send a
'attrReferenceUnknown' COPS-PR error to the PDP if it
encounters an invalid reference. "
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084, error
codes section 4.5."
::= { frwkDeviceCapClasses 1 } ::= { frwkBasePibClasses 5 }
frwkCapabilitySetEntry OBJECT-TYPE frwkReferenceEntry OBJECT-TYPE
SYNTAX FrwkCapabilitySetEntry SYNTAX FrwkReferenceEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of this PRC describes a particular set of "Entry specification for the frwkReferenceTable."
capabilities and associates a unique name with the set."
PIB-INDEX { frwkCapabilitySetPrid } PIB-INDEX { frwkReferencePrid }
UNIQUENESS { frwkCapabilitySetName, UNIQUENESS { }
frwkCapabilitySetCapability }
::= { frwkCapabilitySetTable 1 } ::= { frwkReferenceTable 1 }
FrwkCapabilitySetEntry ::= SEQUENCE { FrwkReferenceEntry ::= SEQUENCE {
frwkCapabilitySetPrid InstanceId, frwkReferencePrid InstanceId,
frwkCapabilitySetName SnmpAdminString, frwkReferenceClientType ClientType,
frwkCapabilitySetCapability Prid frwkReferenceClientHandle ClientHandle,
} frwkReferenceInstance Prid
}
frwkCapabilitySetPrid OBJECT-TYPE frwkReferencePrid OBJECT-TYPE
SYNTAX InstanceId SYNTAX InstanceId
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer index that uniquely identifies a "An arbitrary integer index that uniquely identifies an
instance of the class." instance of the frwkReference class."
::= { frwkCapabilitySetEntry 1 } ::= { frwkReferenceEntry 1 }
frwkCapabilitySetName OBJECT-TYPE frwkReferenceClientType OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (1..255)) SYNTAX ClientType
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The name for the capability set. This name is the unique "Is unused if set to zero else specifies a client-type for
identifier of a set of capabilities. This attribute must not which the reference is to be interpreted. This non-zero
be assigned a zero-length string." client-type must be activated explicitly via a separate
COPS client-open else this attribute is not valid."
::= { frwkCapabilitySetEntry 2 } ::= { frwkReferenceEntry 2 }
frwkCapabilitySetCapability OBJECT-TYPE frwkReferenceClientHandle OBJECT-TYPE
SYNTAX Prid SYNTAX ClientHandle
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Must be set to specify a valid client-handle in the scope
of the client-type specified."
Framework Policy Information Base June 7, 2002 ::= { frwkReferenceEntry 3 }
"The complete PRC OID and instance identifier specifying the frwkReferenceInstance OBJECT-TYPE
capability PRC instance for the interface. This attribute SYNTAX Prid
references a specific instance of a capability table. The STATUS current
capability table whose instance is referenced must be DESCRIPTION
defined in the client type specific PIB that this PIB is "References a PRI in the context identified by
used with. The referenced capability instance becomes a part frwkReferenceClientHandle for client-type identified by
of the set of capabilities associated with the specified frwkReferenceClientType."
frwkCapabilitySetName."
::= { frwkCapabilitySetEntry 3 } ::= { frwkReferenceEntry 4 }
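Review bot: in the right-hand frwkReference definitions, frwkReferenceClientType "Is unused if set to zero", yet frwkReferenceClientHandle "Must be set to specify a valid client-handle in the scope of the client-type specified", which leaves the handle's scope undefined when the client-type is zero. Suggest stating which client-type scopes the handle in that case. The frwkReferenceTable DESCRIPTION requires an 'attrReferenceUnknown' error on "an invalid reference" without defining invalid; it would help to say whether a client-type that has not been activated via client-open, or an unknown handle, falls under that error. The entry also carries "UNIQUENESS { }", so two instances may point at the same PRI; confirm that is intended.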
-- --
-- Interface and Role Combination Tables -- Error specification table
-- --
frwkRoleComboTable OBJECT-TYPE frwkErrorTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkRoleComboEntry SYNTAX SEQUENCE OF FrwkErrorEntry
PIB-ACCESS install-notify PIB-ACCESS install
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This is an abstract PRC that may be extended or referenced "Each instance of this PRC specifies a class specific
to enumerate the role combinations, capability set names error object. Instances of this PRC are transient, i.e.,
assigned to any interface on a PEP. The identification of instances received in a COPS decision message must not be
the interface is to be defined by its extensions or maintained by the PEP in its copy of the PIB instances. This
referencing PRCs." PRC allows a PDP to send error information to the PEP if the
PDP cannot process updates to a Request successfully."
::= { frwkDeviceCapClasses 2 } ::= { frwkBasePibClasses 6 }
frwkRoleComboEntry OBJECT-TYPE frwkErrorEntry OBJECT-TYPE
SYNTAX FrwkRoleComboEntry SYNTAX FrwkErrorEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of this PRC describes one association of an "Entry specification for the frwkErrorTable."
interface to a role-combination and capability set name .
Note that an interface can have multiple associations. This
constraint is controlled by the extending or referencing
PRC's uniqueness clause."
PIB-INDEX { frwkRoleComboPrid } PIB-INDEX { frwkErrorPrid }
UNIQUENESS { } UNIQUENESS {
frwkErrorCode,
frwkErrorSubCode,
frwkErrorPrc,
frwkErrorInstance
}
::= { frwkRoleComboTable 1 } ::= { frwkErrorTable 1 }
FrwkRoleComboEntry ::= SEQUENCE { FrwkErrorEntry ::= SEQUENCE {
frwkRoleComboPrid InstanceId, frwkErrorPrid InstanceId,
frwkRoleComboRoles RoleCombination, frwkErrorCode Unsigned32,
frwkRoleComboCapSetName SnmpAdminString frwkErrorSubCode Unsigned32,
} frwkErrorPrc PrcIdentifierOid,
frwkErrorInstance InstanceId
}
Framework Policy Information Base June 7, 2002 frwkErrorPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An arbitrary integer index that uniquely identifies an
instance of the frwkError class."
frwkRoleComboPrid OBJECT-TYPE ::= { frwkErrorEntry 1 }
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An arbitrary integer index that uniquely identifies an
instance of the class."
::= { frwkRoleComboEntry 1 } frwkErrorCode OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
STATUS current
DESCRIPTION
"Error code defined in COPS-PR CPERR object."
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084."
frwkRoleComboRoles OBJECT-TYPE ::= { frwkErrorEntry 2 }
SYNTAX RoleCombination
STATUS current
DESCRIPTION
"The role combination assigned to a specific interface."
::= { frwkRoleComboEntry 2 } frwkErrorSubCode OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
STATUS current
DESCRIPTION
"The class-specific error object is used to communicate
errors relating to specific PRCs."
frwkRoleComboCapSetName OBJECT-TYPE ::= { frwkErrorEntry 3 }
SYNTAX SnmpAdminString (SIZE (0..255))
STATUS current
DESCRIPTION
"The name of the capability set associated with
the Role Combination specified in frwkRoleComboRoles. If
this is a zero length string it implies the PEP is not
exporting any capability set information for this
RoleCombination. The PDP must then use the RoleCombinations
provided as the only means of assigning policies
If a non-zero length string is specified, the name must
exist in frwkCapabilitySetTable."
::= { frwkRoleComboEntry 3 } frwkErrorPrc OBJECT-TYPE
SYNTAX PrcIdentifierOid
STATUS current
DESCRIPTION
"The PRC due to which the error specified by codes
(frwkErrorCode , frwkErrorSubCode) occurred."
-- ::= { frwkErrorEntry 4 }
-- Interface, Role Combination association via IfIndex
--
frwkIfRoleComboTable OBJECT-TYPE frwkErrorInstance OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkIfRoleComboEntry SYNTAX InstanceId
PIB-ACCESS install-notify STATUS current
STATUS current DESCRIPTION
DESCRIPTION "The PRI of the identified PRC (frwkErrorPrc) due to which
"This PRC enumerates the interface to role combination and the error specified by codes (frwkErrorCode ,
frwkRoleComboCapSetName mapping for all policy managed frwkErrorSubCode) occurred. Must be set to zero if unused."
interfaces of a device. Policy for an interface depends not
only on the capability set of an interface but also on its
roles. This table specifies all the <interface index,
interface capability set name, role combination> tuples
currently on the device"
::= { frwkDeviceCapClasses 3 } ::= { frwkErrorEntry 5 }
Framework Policy Information Base June 7, 2002 --
-- The device capabilities and role combo classes group
--
frwkIfRoleComboEntry OBJECT-TYPE frwkDeviceCapClasses
SYNTAX FrwkIfRoleComboEntry OBJECT IDENTIFIER ::= { frameworkPib 2 }
STATUS current --
DESCRIPTION -- Capability Set Table
"An instance of this PRC describes the association of --
a interface to an capability set name and a role
combination.
Note that a capability set name can have multiple role
combinations assigned to it, but an IfIndex can have only
one role combination associated."
EXTENDS { frwkRoleComboEntry } frwkCapabilitySetTable OBJECT-TYPE
UNIQUENESS { frwkIfRoleComboIfIndex, SYNTAX SEQUENCE OF FrwkCapabilitySetEntry
frwkRoleComboCapSetName } PIB-ACCESS notify
STATUS current
DESCRIPTION
::= { frwkIfRoleComboTable 1 } "This PRC describes the capability sets that exist on the
interfaces on the device. The capability set is given a
unique name that identifies a set. These capability set
names are used by the PDP to determine policy information to
be associated with interfaces that possess similar sets of
capabilities."
FrwkIfRoleComboEntry ::= SEQUENCE { ::= { frwkDeviceCapClasses 1 }
frwkIfRoleComboIfIndex InterfaceIndex
}
frwkIfRoleComboIfIndex OBJECT-TYPE frwkCapabilitySetEntry OBJECT-TYPE
SYNTAX InterfaceIndex SYNTAX FrwkCapabilitySetEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of this attribute is the ifIndex which is "An instance of this PRC describes a particular set of
associated with the specified RoleCombination and interface capabilities and associates a unique name with the set."
capability set name."
::= { frwkIfRoleComboEntry 1 } PIB-INDEX { frwkCapabilitySetPrid }
UNIQUENESS { frwkCapabilitySetName,
frwkCapabilitySetCapability }
-- ::= { frwkCapabilitySetTable 1 }
-- The Classification classes group
--
frwkClassifierClasses FrwkCapabilitySetEntry ::= SEQUENCE {
OBJECT IDENTIFIER ::= { frameworkPib 3 } frwkCapabilitySetPrid InstanceId,
-- frwkCapabilitySetName SnmpAdminString,
-- The Base Filter Table frwkCapabilitySetCapability Prid
-- }
frwkBaseFilterTable OBJECT-TYPE frwkCapabilitySetPrid OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkBaseFilterEntry SYNTAX InstanceId
PIB-ACCESS install STATUS current
STATUS current DESCRIPTION
"An arbitrary integer index that uniquely identifies a
instance of the class."
Framework Policy Information Base June 7, 2002 ::= { frwkCapabilitySetEntry 1 }
DESCRIPTION frwkCapabilitySetName OBJECT-TYPE
"The Base Filter class. A packet has to match all SYNTAX SnmpAdminString (SIZE (1..255))
fields in an Filter. Wildcards may be specified for those STATUS current
fields that are not relevant." DESCRIPTION
"The name for the capability set. This name is the unique
identifier of a set of capabilities. This attribute must not
be assigned a zero-length string."
::= { frwkClassifierClasses 1 } ::= { frwkCapabilitySetEntry 2 }
frwkBaseFilterEntry OBJECT-TYPE frwkCapabilitySetCapability OBJECT-TYPE
SYNTAX FrwkBaseFilterEntry SYNTAX Prid
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An instance of the frwkBaseFilter class."
PIB-INDEX { frwkBaseFilterPrid } "The complete PRC OID and instance identifier specifying the
capability PRC instance for the interface. This attribute
references a specific instance of a capability table. The
capability table whose instance is referenced must be
defined in the client type specific PIB that this PIB is
used with. The referenced capability instance becomes a part
of the set of capabilities associated with the specified
frwkCapabilitySetName."
::= { frwkBaseFilterTable 1 } ::= { frwkCapabilitySetEntry 3 }
FrwkBaseFilterEntry ::= SEQUENCE { --
frwkBaseFilterPrid InstanceId, -- Interface and Role Combination Tables
frwkBaseFilterNegation TruthValue --
}
frwkBaseFilterPrid OBJECT-TYPE frwkRoleComboTable OBJECT-TYPE
SYNTAX InstanceId SYNTAX SEQUENCE OF FrwkRoleComboEntry
STATUS current PIB-ACCESS install-notify
DESCRIPTION STATUS current
"An integer index to uniquely identify this Filter among all DESCRIPTION
the Filters." "This is an abstract PRC that may be extended or referenced
to enumerate the role combinations, capability set names
assigned to any interface on a PEP. The identification of
the interface is to be defined by its extensions or
referencing PRCs."
::= { frwkBaseFilterEntry 1 } ::= { frwkDeviceCapClasses 2 }
frwkBaseFilterNegation OBJECT-TYPE frwkRoleComboEntry OBJECT-TYPE
SYNTAX TruthValue SYNTAX FrwkRoleComboEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This attribute behaves like a logical NOT for the filter. "An instance of this PRC describes one association of an
If the packet matches this filter and the value of this interface to a role-combination and capability set name .
attribute is 'true', the action associated with this filter Note that an interface can have multiple associations. This
is not applied to the packet. If the value of this constraint is controlled by the extending or referencing
attribute is 'false', then the action is applied to the PRC's uniqueness clause."
packet."
::= { frwkBaseFilterEntry 2 } PIB-INDEX { frwkRoleComboPrid }
UNIQUENESS { }
-- ::= { frwkRoleComboTable 1 }
-- The IP Filter Table
--
frwkIpFilterTable OBJECT-TYPE FrwkRoleComboEntry ::= SEQUENCE {
SYNTAX SEQUENCE OF FrwkIpFilterEntry frwkRoleComboPrid InstanceId,
frwkRoleComboRoles RoleCombination,
frwkRoleComboCapSetName SnmpAdminString
}
Framework Policy Information Base June 7, 2002 frwkRoleComboPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An arbitrary integer index that uniquely identifies an
instance of the class."
PIB-ACCESS install ::= { frwkRoleComboEntry 1 }
STATUS current
DESCRIPTION
"Filter definitions. A packet has to match all fields in a
filter. Wildcards may be specified for those fields that
are not relevant."
INSTALL-ERRORS { frwkRoleComboRoles OBJECT-TYPE
invalidDstL4PortData(1), SYNTAX RoleCombination
invalidSrcL4PortData(2) STATUS current
} DESCRIPTION
::= { frwkClassifierClasses 2 } "The role combination assigned to a specific interface."
frwkIpFilterEntry OBJECT-TYPE ::= { frwkRoleComboEntry 2 }
SYNTAX FrwkIpFilterEntry
STATUS current
DESCRIPTION
"An instance of the frwkIpFilter class."
EXTENDS { frwkBaseFilterEntry } frwkRoleComboCapSetName OBJECT-TYPE
UNIQUENESS { frwkBaseFilterNegation, SYNTAX SnmpAdminString (SIZE (0..255))
frwkIpFilterAddrType, STATUS current
frwkIpFilterDstAddr, DESCRIPTION
frwkIpFilterDstPrefixLength, "The name of the capability set associated with
frwkIpFilterSrcAddr, the Role Combination specified in frwkRoleComboRoles. If
frwkIpFilterSrcPrefixLength, this is a zero length string it implies the PEP is not
frwkIpFilterDscp, exporting any capability set information for this
frwkIpFilterFlowId, RoleCombination. The PDP must then use the RoleCombinations
frwkIpFilterProtocol, provided as the only means of assigning policies
frwkIpFilterDstL4PortMin, If a non-zero length string is specified, the name must
frwkIpFilterDstL4PortMax, exist in frwkCapabilitySetTable."
frwkIpFilterSrcL4PortMin,
frwkIpFilterSrcL4PortMax }
::= { frwkIpFilterTable 1 } ::= { frwkRoleComboEntry 3 }
FrwkIpFilterEntry ::= SEQUENCE { --
frwkIpFilterAddrType InetAddressType, -- Interface, Role Combination association via IfIndex
frwkIpFilterDstAddr InetAddress, --
frwkIpFilterDstPrefixLength InetAddressPrefixLength,
frwkIpFilterSrcAddr InetAddress,
frwkIpFilterSrcPrefixLength InetAddressPrefixLength,
frwkIpFilterDscp DscpOrAny,
frwkIpFilterFlowId Unsigned32,
frwkIpFilterProtocol Unsigned32,
frwkIpFilterDstL4PortMin InetPortNumber,
frwkIpFilterDstL4PortMax InetPortNumber,
frwkIpFilterSrcL4PortMin InetPortNumber,
frwkIpFilterSrcL4PortMax InetPortNumber
}
frwkIpFilterAddrType OBJECT-TYPE frwkIfRoleComboTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkIfRoleComboEntry
PIB-ACCESS install-notify
STATUS current
DESCRIPTION
"This PRC enumerates the interface to role combination and
frwkRoleComboCapSetName mapping for all policy managed
interfaces of a device. Policy for an interface depends not
only on the capability set of an interface but also on its
roles. This table specifies all the <interface index,
interface capability set name, role combination> tuples
currently on the device"
Framework Policy Information Base June 7, 2002 ::= { frwkDeviceCapClasses 3 }
SYNTAX InetAddressType frwkIfRoleComboEntry OBJECT-TYPE
STATUS current SYNTAX FrwkIfRoleComboEntry
DESCRIPTION STATUS current
"The address type enumeration value to specify the type of DESCRIPTION
the packet's IP address. "An instance of this PRC describes the association of
a interface to an capability set name and a role
combination.
Note that a capability set name can have multiple role
combinations assigned to it, but an IfIndex can have only
one role combination associated."
While other types of addresses are defined in the EXTENDS { frwkRoleComboEntry }
InetAddressType textual convention, an IP filter can only UNIQUENESS { frwkIfRoleComboIfIndex,
use IPv4 and IPv6 addresses directly to classify traffic. frwkRoleComboCapSetName }
All other InetAddressTypes require mapping to the
corresponding Ipv4 or IPv6 address before being used to
classify traffic. Therefore, this object as such is not
limited to IPv4 and IPv6 addresses, i.e., it can be assigned
any of the valid values defined in the InetAddressType TC,
but the mapping of the address values to IPv4 or IPv6
addresses for the address attributes (frwkIpFilterDstAddr
and frwkIpFilterSrcAddr) must be done by the PEP. For
example when dns (16) is used, the PEP must resolve
the address to IPv4 or IPv6 at install time."
REFERENCE
"Textual Conventions for Internet Network Addresses.
[INETADDR]"
::= { frwkIpFilterEntry 1 } ::= { frwkIfRoleComboTable 1 }
frwkIpFilterDstAddr OBJECT-TYPE FrwkIfRoleComboEntry ::= SEQUENCE {
frwkIfRoleComboIfIndex InterfaceIndex
}
SYNTAX InetAddress frwkIfRoleComboIfIndex OBJECT-TYPE
STATUS current SYNTAX InterfaceIndex
DESCRIPTION STATUS current
"The IP address to match against the packet's DESCRIPTION
destination IP address. If the address type is 'ipv4', "The value of this attribute is the ifIndex which is
'ipv6', 'ipv4z' or 'ipv6z' then, the attribute associated with the specified RoleCombination and interface
frwkIpFilterDstPrefixLength indicates the number of bits capability set name."
that are relevant. "
REFERENCE
"Textual Conventions for Internet Network Addresses.
[INETADDR]"
::= { frwkIpFilterEntry 2 } ::= { frwkIfRoleComboEntry 1 }
frwkIpFilterDstPrefixLength OBJECT-TYPE --
SYNTAX InetAddressPrefixLength -- The Classification classes group
STATUS current --
DESCRIPTION
"The length of a mask for the matching of the destination
IP address. This attribute is interpreted only if the
InetAddressType is 'ipv4', 'ipv4z', 'ipv6' or 'ipv6z'.
Masks are constructed by setting bits in sequence from the
most-significant bit downwards for
frwkIpFilterDstPrefixLength bits length. All other bits in
the mask, up to the number needed to fill the length of
Framework Policy Information Base June 7, 2002 frwkClassifierClasses
OBJECT IDENTIFIER ::= { frameworkPib 3 }
--
-- The Base Filter Table
--
the address frwkIpFilterDstAddr are cleared to zero. A zero frwkBaseFilterTable OBJECT-TYPE
bit in the mask then means that the corresponding bit in SYNTAX SEQUENCE OF FrwkBaseFilterEntry
the address always matches. PIB-ACCESS install
STATUS current
DESCRIPTION
"The Base Filter class. A packet has to match all
fields in an Filter. Wildcards may be specified for those
fields that are not relevant."
In IPv4 addresses, a length of 0 indicates a match of any ::= { frwkClassifierClasses 1 }
address; a length of 32 indicates a match of a single host
address, and a length between 0 and 32 indicates the use of
a CIDR Prefix. IPv6 is similar, except that prefix lengths
range from 0..128."
REFERENCE
"Textual Conventions for Internet Network Addresses.
[INETADDR]"
DEFVAL { 0 }
::= { frwkIpFilterEntry 3 } frwkBaseFilterEntry OBJECT-TYPE
SYNTAX FrwkBaseFilterEntry
STATUS current
DESCRIPTION
"An instance of the frwkBaseFilter class."
frwkIpFilterSrcAddr OBJECT-TYPE PIB-INDEX { frwkBaseFilterPrid }
SYNTAX InetAddress
STATUS current
DESCRIPTION
"The IP address to match against the packet's source IP
address. If the address type is 'ipv4', 'ipv6', 'ipv4z' or
'ipv6z' then, the attribute frwkIpFilterSrcPrefixLength
indicates the number of bits that are relevant."
REFERENCE
"Textual Conventions for Internet Network Addresses.
[INETADDR]"
::= { frwkIpFilterEntry 4 } ::= { frwkBaseFilterTable 1 }
frwkIpFilterSrcPrefixLength OBJECT-TYPE FrwkBaseFilterEntry ::= SEQUENCE {
SYNTAX InetAddressPrefixLength frwkBaseFilterPrid InstanceId,
UNITS "bits" frwkBaseFilterNegation TruthValue
STATUS current }
DESCRIPTION
"The length of a mask for the matching of the source IP
address. This attribute is interpreted only if the
InetAddressType is 'ipv4', 'ipv4z', 'ipv6' or 'ipv6z'.
Masks are constructed by setting bits in sequence from the
most-significant bit downwards for
frwkIpFilterSrcPrefixLength bits length. All other bits in
the mask, up to the number needed to fill the length of
the address frwkIpFilterSrcAddr are cleared to zero. A
zero bit in the mask then means that the corresponding bit
in the address always matches.
In IPv4 addresses, a length of 0 indicates a match of any frwkBaseFilterPrid OBJECT-TYPE
address; a length of 32 indicates a match of a single host SYNTAX InstanceId
address, and a length between 0 and 32 indicates the use of STATUS current
a CIDR Prefix. IPv6 is similar, except that prefix lengths DESCRIPTION
range from 0..128." "An integer index to uniquely identify this Filter among all
REFERENCE the Filters."
Framework Policy Information Base June 7, 2002 ::= { frwkBaseFilterEntry 1 }
"Textual Conventions for Internet Network Addresses. frwkBaseFilterNegation OBJECT-TYPE
[INETADDR]" SYNTAX TruthValue
DEFVAL { 0 } STATUS current
DESCRIPTION
"This attribute behaves like a logical NOT for the filter.
If the packet matches this filter and the value of this
attribute is 'true', the action associated with this filter
is not applied to the packet. If the value of this
attribute is 'false', then the action is applied to the
packet."
::= { frwkIpFilterEntry 5 } ::= { frwkBaseFilterEntry 2 }
frwkIpFilterDscp OBJECT-TYPE --
SYNTAX DscpOrAny -- The IP Filter Table
STATUS current --
DESCRIPTION frwkIpFilterTable OBJECT-TYPE
"The value that the DSCP in the packet can have and SYNTAX SEQUENCE OF FrwkIpFilterEntry
match this filter. A value of -1 indicates that a specific PIB-ACCESS install
DSCP value has not been defined and thus all DSCP values STATUS current
are considered a match." DESCRIPTION
REFERENCE "Filter definitions. A packet has to match all fields in a
"[DS-MIB]." filter. Wildcards may be specified for those fields that
DEFVAL { -1 } are not relevant."
::= { frwkIpFilterEntry 6 } INSTALL-ERRORS {
invalidDstL4PortData(1),
invalidSrcL4PortData(2)
}
::= { frwkClassifierClasses 2 }
frwkIpFilterFlowId OBJECT-TYPE frwkIpFilterEntry OBJECT-TYPE
SYNTAX Unsigned32 (0..1048575) SYNTAX FrwkIpFilterEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The flow identifier in an IPv6 header." "An instance of the frwkIpFilter class."
::= { frwkIpFilterEntry 7 }
frwkIpFilterProtocol OBJECT-TYPE EXTENDS { frwkBaseFilterEntry }
SYNTAX Unsigned32 (0..255) UNIQUENESS { frwkBaseFilterNegation,
STATUS current frwkIpFilterAddrType,
DESCRIPTION frwkIpFilterDstAddr,
"The layer-4 protocol Id to match against the IPv4 protocol frwkIpFilterDstPrefixLength,
number or the IPv6 Next-Header number in the packet. A value frwkIpFilterSrcAddr,
of 255 means match all. Note the protocol number of 255 is frwkIpFilterSrcPrefixLength,
reserved by IANA, and Next-Header number of 0 is used in frwkIpFilterDscp,
IPv6." frwkIpFilterFlowId,
DEFVAL { 255 } frwkIpFilterProtocol,
frwkIpFilterDstL4PortMin,
frwkIpFilterDstL4PortMax,
frwkIpFilterSrcL4PortMin,
frwkIpFilterSrcL4PortMax }
::= { frwkIpFilterEntry 8 } ::= { frwkIpFilterTable 1 }
frwkIpFilterDstL4PortMin OBJECT-TYPE FrwkIpFilterEntry ::= SEQUENCE {
SYNTAX InetPortNumber frwkIpFilterAddrType InetAddressType,
STATUS current frwkIpFilterDstAddr InetAddress,
DESCRIPTION frwkIpFilterDstPrefixLength InetAddressPrefixLength,
"The minimum value that the packet's layer 4 destination frwkIpFilterSrcAddr InetAddress,
port number can have and match this filter. This value must frwkIpFilterSrcPrefixLength InetAddressPrefixLength,
be equal to or lesser that the value specified for this frwkIpFilterDscp DscpOrAny,
filter in frwkIpFilterDstL4PortMax. frwkIpFilterFlowId Integer32,
frwkIpFilterProtocol Unsigned32,
frwkIpFilterDstL4PortMin InetPortNumber,
frwkIpFilterDstL4PortMax InetPortNumber,
frwkIpFilterSrcL4PortMin InetPortNumber,
frwkIpFilterSrcL4PortMax InetPortNumber
}
COPS-PR error code 'attrValueInvalid' must be returned if frwkIpFilterAddrType OBJECT-TYPE
the frwkIpFilterDstL4PortMin is greater than
frwkIpFilterDstL4PortMax"
REFERENCE "[COPS-PR] error codes section 4.5."
DEFVAL { 0 }
Framework Policy Information Base June 7, 2002 SYNTAX InetAddressType
STATUS current
DESCRIPTION
"The address type enumeration value to specify the type of
the packet's IP address.
::= { frwkIpFilterEntry 9 } While other types of addresses are defined in the
InetAddressType textual convention, an IP filter can only
use IPv4 and IPv6 addresses directly to classify traffic.
All other InetAddressTypes require mapping to the
corresponding Ipv4 or IPv6 address before being used to
classify traffic. Therefore, this object as such is not
limited to IPv4 and IPv6 addresses, i.e., it can be assigned
any of the valid values defined in the InetAddressType TC,
but the mapping of the address values to IPv4 or IPv6
addresses for the address attributes (frwkIpFilterDstAddr
and frwkIpFilterSrcAddr) must be done by the PEP. For
example when dns (16) is used, the PEP must resolve
the address to IPv4 or IPv6 at install time."
REFERENCE
"Textual Conventions for Internet Network Addresses.
RFC 3291."
frwkIpFilterDstL4PortMax OBJECT-TYPE ::= { frwkIpFilterEntry 1 }
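Review bot: The sentence added to the frwkIpFilterAddrType DESCRIPTION in the RFC 3318 column ("when dns (16) is used, the PEP must resolve the address to IPv4 or IPv6 at install time") does not say what the PEP reports when resolution fails or returns more than one address. The INSTALL-ERRORS list for frwkIpFilterTable has only invalidDstL4PortData(1) and invalidSrcL4PortData(2), so neither case has an error to map to. Suggest naming the error to return and stating whether a filter with an unresolved address is rejected rather than installed.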
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The maximum value that the packet's layer 4 destination
port number can have and match this filter. This value must
be equal to or greater that the value specified for this
filter in frwkIpFilterDstL4PortMin.
COPS-PR error code 'attrValueInvalid' must be returned if frwkIpFilterDstAddr OBJECT-TYPE
the frwkIpFilterDstL4PortMax is less than
frwkIpFilterDstL4PortMin"
REFERENCE "[COPS-PR] error codes section 4.5."
DEFVAL { 65535 }
::= { frwkIpFilterEntry 10 } SYNTAX InetAddress
STATUS current
DESCRIPTION
"The IP address to match against the packet's
destination IP address. If the address type is 'ipv4',
'ipv6', 'ipv4z' or 'ipv6z' then, the attribute
frwkIpFilterDstPrefixLength indicates the number of bits
that are relevant. "
REFERENCE
"Textual Conventions for Internet Network Addresses.
RFC 3291."
frwkIpFilterSrcL4PortMin OBJECT-TYPE ::= { frwkIpFilterEntry 2 }
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The minimum value that the packet's layer 4 source port
number can have and match this filter. This value must
be equal to or lesser that the value specified for this
filter in frwkIpFilterSrcL4PortMax.
COPS-PR error code 'attrValueInvalid' must be returned if frwkIpFilterDstPrefixLength OBJECT-TYPE
the frwkIpFilterSrcL4PortMin is greated than SYNTAX InetAddressPrefixLength
frwkIpFilterSrcL4PortMax" STATUS current
REFERENCE "[COPS-PR] error codes section 4.5." DESCRIPTION
DEFVAL { 0 } "The length of a mask for the matching of the destination
IP address. This attribute is interpreted only if the
InetAddressType is 'ipv4', 'ipv4z', 'ipv6' or 'ipv6z'.
Masks are constructed by setting bits in sequence from the
most-significant bit downwards for
frwkIpFilterDstPrefixLength bits length. All other bits in
the mask, up to the number needed to fill the length of
the address frwkIpFilterDstAddr are cleared to zero. A zero
bit in the mask then means that the corresponding bit in
the address always matches.
::= { frwkIpFilterEntry 11 } In IPv4 addresses, a length of 0 indicates a match of any
address; a length of 32 indicates a match of a single host
address, and a length between 0 and 32 indicates the use of
a CIDR Prefix. IPv6 is similar, except that prefix lengths
range from 0..128."
REFERENCE
"Textual Conventions for Internet Network Addresses.
RFC 3291."
DEFVAL { 0 }
frwkIpFilterSrcL4PortMax OBJECT-TYPE ::= { frwkIpFilterEntry 3 }
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The maximum value that the packet's layer 4 source port
number can have and match this filter. This value must be
equal to or greater that the value specified for this filter
in frwkIpFilterSrcL4PortMin.
COPS-PR error code 'attrValueInvalid' must be returned if frwkIpFilterSrcAddr OBJECT-TYPE
the frwkIpFilterSrcL4PortMax is less than SYNTAX InetAddress
STATUS current
DESCRIPTION
"The IP address to match against the packet's source IP
address. If the address type is 'ipv4', 'ipv6', 'ipv4z' or
'ipv6z' then, the attribute frwkIpFilterSrcPrefixLength
indicates the number of bits that are relevant."
REFERENCE
"Textual Conventions for Internet Network Addresses.
RFC 3291."
Framework Policy Information Base June 7, 2002 ::= { frwkIpFilterEntry 4 }
frwkIpFilterSrcL4PortMin" frwkIpFilterSrcPrefixLength OBJECT-TYPE
REFERENCE "[COPS-PR] error codes section 4.5." SYNTAX InetAddressPrefixLength
DEFVAL { 65535 } UNITS "bits"
STATUS current
DESCRIPTION
"The length of a mask for the matching of the source IP
address. This attribute is interpreted only if the
InetAddressType is 'ipv4', 'ipv4z', 'ipv6' or 'ipv6z'.
Masks are constructed by setting bits in sequence from the
most-significant bit downwards for
frwkIpFilterSrcPrefixLength bits length. All other bits in
the mask, up to the number needed to fill the length of
the address frwkIpFilterSrcAddr are cleared to zero. A
zero bit in the mask then means that the corresponding bit
in the address always matches.
::= { frwkIpFilterEntry 12 } In IPv4 addresses, a length of 0 indicates a match of any
address; a length of 32 indicates a match of a single host
address, and a length between 0 and 32 indicates the use of
a CIDR Prefix. IPv6 is similar, except that prefix lengths
range from 0..128."
REFERENCE
"Textual Conventions for Internet Network Addresses.
RFC 3291."
DEFVAL { 0 }
-- ::= { frwkIpFilterEntry 5 }
-- The IEEE 802 Filter Table
--
frwk802FilterTable OBJECT-TYPE frwkIpFilterDscp OBJECT-TYPE
SYNTAX SEQUENCE OF Frwk802FilterEntry SYNTAX DscpOrAny
PIB-ACCESS install STATUS current
STATUS current DESCRIPTION
DESCRIPTION "The value that the DSCP in the packet can have and
"IEEE 802-based filter definitions. A class that contains match this filter. A value of -1 indicates that a specific
attributes of IEEE 802 (e.g., 802.3) traffic that form DSCP value has not been defined and thus all DSCP values
filters that are used to perform traffic classification." are considered a match."
REFERENCE REFERENCE
"IEEE Standards for Local and Metropolitan Area Networks. "Management Information Base for the Differentiated Services
[802]" Architecture. RFC 3289."
::= { frwkClassifierClasses 3 } DEFVAL { -1 }
frwk802FilterEntry OBJECT-TYPE ::= { frwkIpFilterEntry 6 }
SYNTAX Frwk802FilterEntry
STATUS current
DESCRIPTION
"IEEE 802-based filter definitions. An entry specifies
(potentially) several distinct matching components. Each
component is tested against the data in a frame
individually. An overall match occurs when all of the
individual components match the data they are compared
against in the frame being processed. A failure of any
one test causes the overall match to fail.
Wildcards may be specified for those fields that are not frwkIpFilterFlowId OBJECT-TYPE
relevant." SYNTAX Integer32 (-1 | 0..1048575)
STATUS current
DESCRIPTION
"The flow label or flow identifier in an IPv6 header
that may be used to discriminate traffic flows.
The value of -1 for this attribute MUST imply that
any flow label value in the IPv6 header will match,
resulting in the flow label field of the IPv6 header
being ignored for matching this filter entry."
EXTENDS { frwkBaseFilterEntry } ::= { frwkIpFilterEntry 7 }
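Review bot: frwkIpFilterFlowId in the RFC 3318 column gains the -1 wildcard ("any flow label value in the IPv6 header will match") but no DEFVAL clause, while the neighbouring wildcard-capable attributes carry one: frwkIpFilterDscp has DEFVAL { -1 } and frwkIpFilterProtocol has DEFVAL { 255 }. Suggest adding DEFVAL { -1 }, or stating why this attribute has no default.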
UNIQUENESS { frwkBaseFilterNegation,
frwk802FilterDstAddr,
frwk802FilterDstAddrMask,
frwk802FilterSrcAddr,
frwk802FilterSrcAddrMask,
frwk802FilterVlanId,
frwk802FilterVlanTagRequired,
frwk802FilterEtherType,
frwk802FilterUserPriority }
::= { frwk802FilterTable 1 } frwkIpFilterProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..255)
STATUS current
DESCRIPTION
"The layer-4 protocol Id to match against the IPv4 protocol
number or the IPv6 Next-Header number in the packet. A value
of 255 means match all. Note the protocol number of 255 is
reserved by IANA, and Next-Header number of 0 is used in
IPv6."
DEFVAL { 255 }
Framework Policy Information Base June 7, 2002 ::= { frwkIpFilterEntry 8 }
Frwk802FilterEntry ::= SEQUENCE { frwkIpFilterDstL4PortMin OBJECT-TYPE
frwk802FilterDstAddr PhysAddress, SYNTAX InetPortNumber
frwk802FilterDstAddrMask PhysAddress, STATUS current
frwk802FilterSrcAddr PhysAddress, DESCRIPTION
frwk802FilterSrcAddrMask PhysAddress, "The minimum value that the packet's layer 4 destination
frwk802FilterVlanId Integer32, port number can have and match this filter. This value must
frwk802FilterVlanTagRequired INTEGER, be equal to or lesser that the value specified for this
frwk802FilterEtherType Integer32, filter in frwkIpFilterDstL4PortMax.
frwk802FilterUserPriority BITS
}
frwk802FilterDstAddr OBJECT-TYPE COPS-PR error code 'attrValueInvalid' must be returned if
SYNTAX PhysAddress the frwkIpFilterSrcL4PortMin is greater than
STATUS current frwkIpFilterSrcL4PortMax"
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084, error
codes section 4.5."
DEFVAL { 0 }
DESCRIPTION ::= { frwkIpFilterEntry 9 }
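Review bot: The error clause in the frwkIpFilterDstL4PortMin DESCRIPTION of the RFC 3318 column names the wrong attributes: it reads "must be returned if the frwkIpFilterSrcL4PortMin is greater than frwkIpFilterSrcL4PortMax", where the draft column had frwkIpFilterDstL4PortMin and frwkIpFilterDstL4PortMax. As written, the destination-port object no longer says which error code applies to an inverted destination range. Suggest restoring the Dst names in this clause.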
"The 802 address against which the 802 DA of incoming
traffic streams will be compared. Frames whose 802 DA
matches the physical address specified by this object,
taking into account address wildcarding as specified by the
frwk802FilterDstAddrMask object, are potentially subject to
the processing guidelines that are associated with this
entry through the related action class."
REFERENCE
"[SMNPv2TC]."
::= { frwk802FilterEntry 1 } frwkIpFilterDstL4PortMax OBJECT-TYPE
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The maximum value that the packet's layer 4 destination
port number can have and match this filter. This value must
be equal to or greater that the value specified for this
filter in frwkIpFilterDstL4PortMin.
frwk802FilterDstAddrMask OBJECT-TYPE COPS-PR error code 'attrValueInvalid' must be returned if
SYNTAX PhysAddress the frwkIpFilterDstL4PortMax is less than
STATUS current frwkIpFilterDstL4PortMin"
DESCRIPTION REFERENCE
"This object specifies the bits in a 802 destination address "COPS Usage for Policy Provisioning. RFC 3084, error
that should be considered when performing a 802 DA codes section 4.5."
comparison against the address specified in the
frwk802FilterDstAddr object.
The value of this object represents a mask that is logically DEFVAL { 65535 }
and'ed with the 802 DA in received frames to derive the
value to be compared against the frwk802FilterDstAddr
address. A zero bit in the mask thus means that the
corresponding bit in the address always matches. The
frwk802FilterDstAddr value must also be masked using this
value prior to any comparisons.
The length of this object in octets must equal the length in ::= { frwkIpFilterEntry 10 }
octets of the frwk802FilterDstAddr. Note that a mask with no
bits set (i.e., all zeroes) effectively wildcards the
frwk802FilterDstAddr object."
Framework Policy Information Base June 7, 2002 frwkIpFilterSrcL4PortMin OBJECT-TYPE
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The minimum value that the packet's layer 4 source port
number can have and match this filter. This value must
be equal to or lesser that the value specified for this
filter in frwkIpFilterSrcL4PortMax.
::= { frwk802FilterEntry 2 } COPS-PR error code 'attrValueInvalid' must be returned if
the frwkIpFilterSrcL4PortMin is greated than
frwkIpFilterSrcL4PortMax"
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084, error
codes section 4.5."
DEFVAL { 0 }
frwk802FilterSrcAddr OBJECT-TYPE ::= { frwkIpFilterEntry 11 }
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"The 802 MAC address against which the 802 MAC SA of
incoming traffic streams will be compared. Frames whose 802
MAC SA matches the physical address specified by this
object, taking into account address wildcarding as specified
by the frwk802FilterSrcAddrMask object, are potentially
subject to the processing guidelines that are associated
with this entry through the related action class."
::= { frwk802FilterEntry 3 } frwkIpFilterSrcL4PortMax OBJECT-TYPE
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The maximum value that the packet's layer 4 source port
number can have and match this filter. This value must be
equal to or greater that the value specified for this filter
in frwkIpFilterSrcL4PortMin.
frwk802FilterSrcAddrMask OBJECT-TYPE COPS-PR error code 'attrValueInvalid' must be returned if
SYNTAX PhysAddress the frwkIpFilterSrcL4PortMax is less than
STATUS current frwkIpFilterSrcL4PortMin"
DESCRIPTION REFERENCE
"This object specifies the bits in a 802 MAC source address "COPS Usage for Policy Provisioning. RFC error codes
that should be considered when performing a 802 MAC SA section 4.5."
comparison against the address specified in the DEFVAL { 65535 }
frwk802FilterSrcAddr object.
The value of this object represents a mask that is logically ::= { frwkIpFilterEntry 12 }
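Review bot: The REFERENCE clause of frwkIpFilterSrcL4PortMax in the RFC 3318 column reads "COPS Usage for Policy Provisioning. RFC error codes section 4.5." and has lost the RFC number. The other three port-range objects cite "RFC 3084, error codes section 4.5."; suggest the same wording here.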
and'ed with the 802 MAC SA in received frames to derive the
value to be compared against the frwk802FilterSrcAddr
address. A zero bit in the mask thus means that the
corresponding bit in the address always matches. The
frwk802FilterSrcAddr value must also be masked using this
value prior to any comparisons.
The length of this object in octets must equal the length in --
octets of the frwk802FilterSrcAddr. Note that a mask with no -- The IEEE 802 Filter Table
bits set (i.e., all zeroes) effectively wildcards the --
frwk802FilterSrcAddr object."
::= { frwk802FilterEntry 4 } frwk802FilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF Frwk802FilterEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"IEEE 802-based filter definitions. A class that contains
attributes of IEEE 802 (e.g., 802.3) traffic that form
filters that are used to perform traffic classification."
REFERENCE
"IEEE Standards for Local and Metropolitan Area Networks.
Overview and Architecture, ANSI/IEEE Std 802, 1990."
::= { frwkClassifierClasses 3 }
frwk802FilterVlanId OBJECT-TYPE frwk802FilterEntry OBJECT-TYPE
SYNTAX Integer32 (-1 | 1..4094) SYNTAX Frwk802FilterEntry
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The VLAN ID (VID) that uniquely identifies a VLAN "IEEE 802-based filter definitions. An entry specifies
within the device. This VLAN may be known or unknown (potentially) several distinct matching components. Each
(i.e., traffic associated with this VID has not yet component is tested against the data in a frame
been seen by the device) at the time this entry individually. An overall match occurs when all of the
is instantiated. individual components match the data they are compared
against in the frame being processed. A failure of any
one test causes the overall match to fail.
Setting the frwk802FilterVlanId object to -1 indicates that Wildcards may be specified for those fields that are not
VLAN data should not be considered during traffic relevant."
Framework Policy Information Base June 7, 2002 EXTENDS { frwkBaseFilterEntry }
UNIQUENESS { frwkBaseFilterNegation,
frwk802FilterDstAddr,
frwk802FilterDstAddrMask,
frwk802FilterSrcAddr,
frwk802FilterSrcAddrMask,
frwk802FilterVlanId,
frwk802FilterVlanTagRequired,
frwk802FilterEtherType,
frwk802FilterUserPriority }
classification." ::= { frwk802FilterTable 1 }
::= { frwk802FilterEntry 5 } Frwk802FilterEntry ::= SEQUENCE {
frwk802FilterDstAddr PhysAddress,
frwk802FilterDstAddrMask PhysAddress,
frwk802FilterSrcAddr PhysAddress,
frwk802FilterSrcAddrMask PhysAddress,
frwk802FilterVlanId Integer32,
frwk802FilterVlanTagRequired INTEGER,
frwk802FilterEtherType Integer32,
frwk802FilterUserPriority BITS
frwk802FilterVlanTagRequired OBJECT-TYPE }
SYNTAX INTEGER {
taggedOnly(1),
priorityTaggedPlus(2),
untaggedOnly(3),
ignoreTag(4)
}
STATUS current
DESCRIPTION
"This object indicates whether the presence of an
IEEE 802.1Q VLAN tag in data link layer frames must
be considered when determining if a given frame
matches this 802 filter entry.
A value of 'taggedOnly(1)' means that only frames frwk802FilterDstAddr OBJECT-TYPE
containing a VLAN tag with a non-Null VID (i.e., a SYNTAX PhysAddress
VID in the range 1..4094) will be considered a match. STATUS current
DESCRIPTION
"The 802 address against which the 802 DA of incoming
traffic streams will be compared. Frames whose 802 DA
matches the physical address specified by this object,
taking into account address wildcarding as specified by the
frwk802FilterDstAddrMask object, are potentially subject to
the processing guidelines that are associated with this
entry through the related action class."
REFERENCE
"Textual Conventions for SMIv2, RFC 2579."
A value of 'priorityTaggedPlus(2)' means that only ::= { frwk802FilterEntry 1 }
frames containing a VLAN tag, regardless of the value
of the VID, will be considered a match.
A value of 'untaggedOnly(3)' indicates that only frwk802FilterDstAddrMask OBJECT-TYPE
untagged frames will match this filter component. SYNTAX PhysAddress
STATUS current
DESCRIPTION
"This object specifies the bits in a 802 destination address
that should be considered when performing a 802 DA
comparison against the address specified in the
frwk802FilterDstAddr object.
The presence of a VLAN tag is not taken into The value of this object represents a mask that is logically
consideration in terms of a match if the value is and'ed with the 802 DA in received frames to derive the
'ignoreTag(4)'." value to be compared against the frwk802FilterDstAddr
address. A zero bit in the mask thus means that the
corresponding bit in the address always matches. The
frwk802FilterDstAddr value must also be masked using this
value prior to any comparisons.
::= { frwk802FilterEntry 6 } The length of this object in octets must equal the length in
octets of the frwk802FilterDstAddr. Note that a mask with no
bits set (i.e., all zeroes) effectively wildcards the
frwk802FilterDstAddr object."
frwk802FilterEtherType OBJECT-TYPE ::= { frwk802FilterEntry 2 }
SYNTAX Integer32 (-1 | 0..'ffff'h)
STATUS current
DESCRIPTION
"This object specifies the value that will be compared
against the value contained in the EtherType field of an
IEEE 802 frame. Example settings would include 'IP'
(0x0800), 'ARP' (0x0806) and 'IPX' (0x8137).
Setting the frwk802FilterEtherTypeMin object to -1 indicates frwk802FilterSrcAddr OBJECT-TYPE
that EtherType data should not be considered during traffic SYNTAX PhysAddress
classification. STATUS current
DESCRIPTION
"The 802 MAC address against which the 802 MAC SA of
incoming traffic streams will be compared. Frames whose 802
MAC SA matches the physical address specified by this
object, taking into account address wildcarding as specified
by the frwk802FilterSrcAddrMask object, are potentially
subject to the processing guidelines that are associated
with this entry through the related action class."
Note that the position of the EtherType field depends on ::= { frwk802FilterEntry 3 }
the underlying frame format. For Ethernet-II encapsulation,
the EtherType field follows the 802 MAC source address. For
802.2 LLC/SNAP encapsulation, the EtherType value follows
the Organization Code field in the 802.2 SNAP header. The
Framework Policy Information Base June 7, 2002 frwk802FilterSrcAddrMask OBJECT-TYPE
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"This object specifies the bits in a 802 MAC source address
that should be considered when performing a 802 MAC SA
comparison against the address specified in the
frwk802FilterSrcAddr object.
value that is tested with regard to this filter component The value of this object represents a mask that is logically
therefore depends on the data link layer frame format being and'ed with the 802 MAC SA in received frames to derive the
used. If this 802 filter component is active when there is value to be compared against the frwk802FilterSrcAddr
no EtherType field in a frame (e.g., 802.2 LLC), a match is address. A zero bit in the mask thus means that the
implied." corresponding bit in the address always matches. The
frwk802FilterSrcAddr value must also be masked using this
value prior to any comparisons.
::= { frwk802FilterEntry 7 } The length of this object in octets must equal the length in
octets of the frwk802FilterSrcAddr. Note that a mask with no
bits set (i.e., all zeroes) effectively wildcards the
frwk802FilterSrcAddr object."
frwk802FilterUserPriority OBJECT-TYPE ::= { frwk802FilterEntry 4 }
SYNTAX BITS {
matchPriority0(0),
matchPriority1(1),
matchPriority2(2),
matchPriority3(3),
matchPriority4(4),
matchPriority5(5),
matchPriority6(6),
matchPriority7(7)
}
STATUS current
DESCRIPTION
"The set of values, representing the potential range
of user priority values, against which the value contained
in the user priority field of a tagged 802.1 frame is
compared. A test for equality is performed when determining
if a match exists between the data in a data link layer
frame and the value of this 802 filter component. Multiple
values may be set at one time such that potentially several
different user priority values may match this 802 filter
component.
Setting all of the bits that are associated with this frwk802FilterVlanId OBJECT-TYPE
object causes all user priority values to match this SYNTAX Integer32 (-1 | 1..4094)
attribute. This essentially makes any comparisons STATUS current
with regard to user priority values unnecessary. Untagged DESCRIPTION
frames are treated as an implicit match." "The VLAN ID (VID) that uniquely identifies a VLAN
within the device. This VLAN may be known or unknown
(i.e., traffic associated with this VID has not yet
been seen by the device) at the time this entry
is instantiated.
::= { frwk802FilterEntry 8 } Setting the frwk802FilterVlanId object to -1 indicates that
VLAN data should not be considered during traffic
classification."
-- ::= { frwk802FilterEntry 5 }
-- The Internal label filter extension
--
frwkILabelFilterTable OBJECT-TYPE frwk802FilterVlanTagRequired OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkILabelFilterEntry SYNTAX INTEGER {
PIB-ACCESS install taggedOnly(1),
STATUS current priorityTaggedPlus(2),
DESCRIPTION untaggedOnly(3),
"Internal label filter Table. This PRC is used to achieve ignoreTag(4)
classification based on the internal flow label set by the }
PEP possibly after ingress classification to avoid STATUS current
re-classification at the egress interface on the same PEP." DESCRIPTION
"This object indicates whether the presence of an
IEEE 802.1Q VLAN tag in data link layer frames must
be considered when determining if a given frame
matches this 802 filter entry.
Framework Policy Information Base June 7, 2002 A value of 'taggedOnly(1)' means that only frames
containing a VLAN tag with a non-Null VID (i.e., a
VID in the range 1..4094) will be considered a match.
::= { frwkClassifierClasses 4 } A value of 'priorityTaggedPlus(2)' means that only
frames containing a VLAN tag, regardless of the value
of the VID, will be considered a match.
frwkILabelFilterEntry OBJECT-TYPE A value of 'untaggedOnly(3)' indicates that only
SYNTAX FrwkILabelFilterEntry untagged frames will match this filter component.
STATUS current
DESCRIPTION
"Internal label filter entry definition."
EXTENDS { frwkBaseFilterEntry } The presence of a VLAN tag is not taken into
UNIQUENESS { frwkBaseFilterNegation, consideration in terms of a match if the value is
frwkILabelFilterILabel } 'ignoreTag(4)'."
::= { frwkILabelFilterTable 1 } ::= { frwk802FilterEntry 6 }
FrwkILabelFilterEntry ::= SEQUENCE { frwk802FilterEtherType OBJECT-TYPE
frwkILabelFilterILabel OCTET STRING SYNTAX Integer32 (-1 | 0..'ffff'h)
} STATUS current
DESCRIPTION
"This object specifies the value that will be compared
against the value contained in the EtherType field of an
IEEE 802 frame. Example settings would include 'IP'
(0x0800), 'ARP' (0x0806) and 'IPX' (0x8137).
frwkILabelFilterILabel OBJECT-TYPE Setting the frwk802FilterEtherTypeMin object to -1 indicates
SYNTAX OCTET STRING that EtherType data should not be considered during traffic
STATUS current classification.
DESCRIPTION
"The Label that this flow uses for differentiating traffic
flows. The flow labeling is meant for network device
internal usage. A value of zero length string matches all
internal labels."
::= { frwkILabelFilterEntry 1 }
-- Note that the position of the EtherType field depends on
-- The Marker classes group the underlying frame format. For Ethernet-II encapsulation,
-- the EtherType field follows the 802 MAC source address. For
802.2 LLC/SNAP encapsulation, the EtherType value follows
the Organization Code field in the 802.2 SNAP header. The
value that is tested with regard to this filter component
therefore depends on the data link layer frame format being
used. If this 802 filter component is active when there is
no EtherType field in a frame (e.g., 802.2 LLC), a match is
implied."
frwkMarkerClasses ::= { frwk802FilterEntry 7 }
OBJECT IDENTIFIER ::= { frameworkPib 4 }
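Review bot: The frwk802FilterEtherType DESCRIPTION, identical in both columns, still says "Setting the frwk802FilterEtherTypeMin object to -1", but the Frwk802FilterEntry SEQUENCE lists only frwk802FilterEtherType and no object with the Min suffix. Suggest using the object's own name in that sentence so the wildcard rule clearly attaches to this attribute.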
--
-- The 802 Marker Table
--
frwk802MarkerTable OBJECT-TYPE frwk802FilterUserPriority OBJECT-TYPE
SYNTAX SEQUENCE OF Frwk802MarkerEntry SYNTAX BITS {
PIB-ACCESS install matchPriority0(0),
STATUS current matchPriority1(1),
DESCRIPTION matchPriority2(2),
"The 802 Marker class. An 802 packet can be marked with the matchPriority3(3),
specified VLAN id, priority level." matchPriority4(4),
matchPriority5(5),
matchPriority6(6),
matchPriority7(7)
}
STATUS current
DESCRIPTION
"The set of values, representing the potential range
of user priority values, against which the value contained
in the user priority field of a tagged 802.1 frame is
compared. A test for equality is performed when determining
if a match exists between the data in a data link layer
frame and the value of this 802 filter component. Multiple
values may be set at one time such that potentially several
different user priority values may match this 802 filter
component.
::= { frwkMarkerClasses 1 } Setting all of the bits that are associated with this
object causes all user priority values to match this
attribute. This essentially makes any comparisons
with regard to user priority values unnecessary. Untagged
frames are treated as an implicit match."
Framework Policy Information Base June 7, 2002 ::= { frwk802FilterEntry 8 }
frwk802MarkerEntry OBJECT-TYPE --
SYNTAX Frwk802MarkerEntry -- The Internal label filter extension
STATUS current --
DESCRIPTION
"frwk802Marker entry definition."
PIB-INDEX { frwk802MarkerPrid } frwkILabelFilterTable OBJECT-TYPE
UNIQUENESS { frwk802MarkerVlanId, SYNTAX SEQUENCE OF FrwkILabelFilterEntry
frwk802MarkerPriority } PIB-ACCESS install
STATUS current
DESCRIPTION
"Internal label filter Table. This PRC is used to achieve
classification based on the internal flow label set by the
PEP possibly after ingress classification to avoid
re-classification at the egress interface on the same PEP."
::= { frwk802MarkerTable 1 } ::= { frwkClassifierClasses 4 }
Frwk802MarkerEntry::= SEQUENCE { frwkILabelFilterEntry OBJECT-TYPE
frwk802MarkerPrid InstanceId, SYNTAX FrwkILabelFilterEntry
frwk802MarkerVlanId Unsigned32, STATUS current
frwk802MarkerPriority Unsigned32 DESCRIPTION
} "Internal label filter entry definition."
frwk802MarkerPrid OBJECT-TYPE EXTENDS { frwkBaseFilterEntry }
SYNTAX InstanceId UNIQUENESS { frwkBaseFilterNegation,
STATUS current frwkILabelFilterILabel }
DESCRIPTION
"An integer index to uniquely identify this 802 Marker."
::= { frwk802MarkerEntry 1 } ::= { frwkILabelFilterTable 1 }
frwk802MarkerVlanId OBJECT-TYPE FrwkILabelFilterEntry ::= SEQUENCE {
SYNTAX Unsigned32 (1..4094) frwkILabelFilterILabel OCTET STRING
STATUS current }
DESCRIPTION
"The VLAN ID (VID) that uniquely identifies a VLAN within
the device."
::= { frwk802MarkerEntry 2 } frwkILabelFilterILabel OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"The Label that this flow uses for differentiating traffic
flows. The flow labeling is meant for network device
internal usage. A value of zero length string matches all
internal labels."
::= { frwkILabelFilterEntry 1 }
frwk802MarkerPriority OBJECT-TYPE --
SYNTAX Unsigned32 (0..7) -- The Marker classes group
STATUS current --
DESCRIPTION
"The user priority field of a tagged 802.1 frame."
::= { frwk802MarkerEntry 3 } frwkMarkerClasses
OBJECT IDENTIFIER ::= { frameworkPib 4 }
--
-- The 802 Marker Table
--
-- frwk802MarkerTable OBJECT-TYPE
-- The Internal Label Marker Table SYNTAX SEQUENCE OF Frwk802MarkerEntry
-- PIB-ACCESS install
STATUS current
DESCRIPTION
"The 802 Marker class. An 802 packet can be marked with the
specified VLAN id, priority level."
frwkILabelMarkerTable OBJECT-TYPE ::= { frwkMarkerClasses 1 }
SYNTAX SEQUENCE OF FrwkILabelMarkerEntry
PIB-ACCESS install
Framework Policy Information Base June 7, 2002 frwk802MarkerEntry OBJECT-TYPE
SYNTAX Frwk802MarkerEntry
STATUS current
DESCRIPTION
"frwk802Marker entry definition."
STATUS current PIB-INDEX { frwk802MarkerPrid }
DESCRIPTION UNIQUENESS { frwk802MarkerVlanId,
"The Internal Label Marker class. A flow in a PEP can be frwk802MarkerPriority }
marked with an internal label using this PRC."
::= { frwkMarkerClasses 2 } ::= { frwk802MarkerTable 1 }
frwkILabelMarkerEntry OBJECT-TYPE Frwk802MarkerEntry::= SEQUENCE {
SYNTAX FrwkILabelMarkerEntry frwk802MarkerPrid InstanceId,
STATUS current frwk802MarkerVlanId Unsigned32,
DESCRIPTION frwk802MarkerPriority Unsigned32
"frwkILabelkMarker entry definition." }
PIB-INDEX { frwkILabelMarkerPrid } frwk802MarkerPrid OBJECT-TYPE
UNIQUENESS { frwkILabelMarkerILabel } SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify this 802 Marker."
::= { frwkILabelMarkerTable 1 } ::= { frwk802MarkerEntry 1 }
FrwkILabelMarkerEntry::= SEQUENCE { frwk802MarkerVlanId OBJECT-TYPE
frwkILabelMarkerPrid InstanceId, SYNTAX Unsigned32 (1..4094)
frwkILabelMarkerILabel OCTET STRING STATUS current
} DESCRIPTION
"The VLAN ID (VID) that uniquely identifies a VLAN within
the device."
frwkILabelMarkerPrid OBJECT-TYPE ::= { frwk802MarkerEntry 2 }
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify this Label Marker."
::= { frwkILabelMarkerEntry 1 } frwk802MarkerPriority OBJECT-TYPE
SYNTAX Unsigned32 (0..7)
STATUS current
DESCRIPTION
"The user priority field of a tagged 802.1 frame."
frwkILabelMarkerILabel OBJECT-TYPE ::= { frwk802MarkerEntry 3 }
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This internal label is implementation specific and may be
used for other policy related functions like flow
accounting purposes and/or other data path treatments."
::= { frwkILabelMarkerEntry 2 } --
-- The Internal Label Marker Table
--
-- frwkILabelMarkerTable OBJECT-TYPE
-- Conformance Section SYNTAX SEQUENCE OF FrwkILabelMarkerEntry
-- PIB-ACCESS install
STATUS current
DESCRIPTION
"The Internal Label Marker class. A flow in a PEP can be
marked with an internal label using this PRC."
frwkBasePibConformance ::= { frwkMarkerClasses 2 }
OBJECT IDENTIFIER ::= { frameworkPib 5 }
frwkBasePibCompliances frwkILabelMarkerEntry OBJECT-TYPE
SYNTAX FrwkILabelMarkerEntry
STATUS current
DESCRIPTION
"frwkILabelkMarker entry definition."
PIB-INDEX { frwkILabelMarkerPrid }
UNIQUENESS { frwkILabelMarkerILabel }
OBJECT IDENTIFIER ::= { frwkBasePibConformance 1 } ::= { frwkILabelMarkerTable 1 }
frwkBasePibGroups FrwkILabelMarkerEntry::= SEQUENCE {
OBJECT IDENTIFIER ::= { frwkBasePibConformance 2 } frwkILabelMarkerPrid InstanceId,
frwkILabelMarkerILabel OCTET STRING
}
frwkBasePibCompliance MODULE-COMPLIANCE frwkILabelMarkerPrid OBJECT-TYPE
STATUS current SYNTAX InstanceId
DESCRIPTION STATUS current
"Describes the requirements for conformance to the DESCRIPTION
Framework PIB." "An integer index to uniquely identify this Label Marker."
MODULE -- this module ::= { frwkILabelMarkerEntry 1 }
MANDATORY-GROUPS { frwkPrcSupportGroup,
frwkPibIncarnationGroup,
frwkDeviceIdGroup,
frwkCompLimitsGroup,
frwkCapabilitySetGroup,
frwkRoleComboGroup,
frwkIfRoleComboGroup }
OBJECT frwkPibIncarnationLongevity frwkILabelMarkerILabel OBJECT-TYPE
PIB-MIN-ACCESS notify SYNTAX OCTET STRING
DESCRIPTION STATUS current
"Install support is required if policy expiration is to DESCRIPTION
be supported." "This internal label is implementation specific and may be
used for other policy related functions like flow
accounting purposes and/or other data path treatments."
OBJECT frwkPibIncarnationTtl ::= { frwkILabelMarkerEntry 2 }
PIB-MIN-ACCESS notify
DESCRIPTION
"Install support is required if policy expiration is to
be supported."
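Review bot: the DESCRIPTION of frwkILabelMarkerEntry reads "frwkILabelkMarker entry definition." in both the draft and the RFC text, with a stray "k" that matches no descriptor in the module; it should read "frwkILabelMarker entry definition." to line up with frwkILabelMarkerTable and FrwkILabelMarkerEntry. Separately, frwkILabelMarkerILabel is an unbounded OCTET STRING described only as implementation specific, whereas frwk802MarkerVlanId and frwk802MarkerPriority carry explicit ranges (1..4094) and (0..7); a SIZE constraint, or a sentence on how a PEP treats a label it cannot accept, would give implementers something to validate against.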
OBJECT frwkPibIncarnationInCtxtSet --
PIB-MIN-ACCESS notify -- Conformance Section
DESCRIPTION --
"Install support is required if configuration contexts
and outsourcing contexts are both to be supported."
OBJECT frwkPibIncarnationFullState frwkBasePibConformance
PIB-MIN-ACCESS notify OBJECT IDENTIFIER ::= { frameworkPib 5 }
DESCRIPTION
"Install support is required if incremental updates to
request states is to be supported."
GROUP frwkReferenceGroup frwkBasePibCompliances
DESCRIPTION OBJECT IDENTIFIER ::= { frwkBasePibConformance 1 }
"The frwkReferenceGroup is mandatory if referencing
across PIB contexts for specific client-types is to be
supported."
GROUP frwkErrorGroup frwkBasePibGroups
DESCRIPTION OBJECT IDENTIFIER ::= { frwkBasePibConformance 2 }
"The frwkErrorGroup is mandatory sending errors in
frwkBasePibCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Describes the requirements for conformance to the
Framework PIB."
decisions is to be supported." MODULE -- this module
MANDATORY-GROUPS { frwkPrcSupportGroup,
frwkPibIncarnationGroup,
frwkDeviceIdGroup,
frwkCompLimitsGroup,
frwkCapabilitySetGroup,
frwkRoleComboGroup,
frwkIfRoleComboGroup }
GROUP frwkBaseFilterGroup OBJECT frwkPibIncarnationLongevity
DESCRIPTION PIB-MIN-ACCESS notify
"The frwkBaseFilterGroup is mandatory if filtering DESCRIPTION
based on traffic components is to be supported." "Install support is required if policy expiration is to
be supported."
GROUP frwkIpFilterGroup OBJECT frwkPibIncarnationTtl
DESCRIPTION PIB-MIN-ACCESS notify
"The frwkIpFilterGroup is mandatory if filtering DESCRIPTION
based on IP traffic components is to be supported." "Install support is required if policy expiration is to
be supported."
GROUP frwk802FilterGroup OBJECT frwkPibIncarnationInCtxtSet
DESCRIPTION PIB-MIN-ACCESS notify
"The frwk802FilterGroup is mandatory if filtering DESCRIPTION
based on 802 traffic criteria is to be supported." "Install support is required if configuration contexts
and outsourcing contexts are both to be supported."
GROUP frwkILabelFilterGroup OBJECT frwkPibIncarnationFullState
DESCRIPTION PIB-MIN-ACCESS notify
"The frwkILabelFilterGroup is mandatory if filtering DESCRIPTION
based on PEP internal label is to be supported." "Install support is required if incremental updates to
request states is to be supported."
GROUP frwk802MarkerGroup GROUP frwkReferenceGroup
DESCRIPTION DESCRIPTION
"The frwk802MarkerGroup is mandatory if marking a packet "The frwkReferenceGroup is mandatory if referencing
with 802 traffic criteria is to be supported." across PIB contexts for specific client-types is to be
supported."
GROUP frwkILabelMarkerGroup GROUP frwkErrorGroup
DESCRIPTION DESCRIPTION
"The frwkILabelMarkerGroup is mandatory if marking a "The frwkErrorGroup is mandatory sending errors in
flow with internal labels is to be supported." decisions is to be supported."
::= { frwkBasePibCompliances 1 } GROUP frwkBaseFilterGroup
DESCRIPTION
"The frwkBaseFilterGroup is mandatory if filtering
based on traffic components is to be supported."
frwkPrcSupportGroup OBJECT-GROUP GROUP frwkIpFilterGroup
OBJECTS { DESCRIPTION
frwkPrcSupportSupportedPrc, "The frwkIpFilterGroup is mandatory if filtering
frwkPrcSupportSupportedAttrs } based on IP traffic components is to be supported."
STATUS current
DESCRIPTION
"Objects from the frwkPrcSupportTable."
::= { frwkBasePibGroups 1 } GROUP frwk802FilterGroup
DESCRIPTION
"The frwk802FilterGroup is mandatory if filtering
based on 802 traffic criteria is to be supported."
frwkPibIncarnationGroup OBJECT-GROUP GROUP frwkILabelFilterGroup
OBJECTS { DESCRIPTION
frwkPibIncarnationName, "The frwkILabelFilterGroup is mandatory if filtering
frwkPibIncarnationId, based on PEP internal label is to be supported."
frwkPibIncarnationLongevity,
frwkPibIncarnationTtl,
frwkPibIncarnationActive,
frwkPibIncarnationFullState
}
GROUP frwk802MarkerGroup
DESCRIPTION
"The frwk802MarkerGroup is mandatory if marking a packet
with 802 traffic criteria is to be supported."
STATUS current GROUP frwkILabelMarkerGroup
DESCRIPTION DESCRIPTION
"Objects from the frwkDevicePibIncarnationTable." "The frwkILabelMarkerGroup is mandatory if marking a
flow with internal labels is to be supported."
::= { frwkBasePibGroups 2 } ::= { frwkBasePibCompliances 1 }
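Review bot: two descriptions inside frwkBasePibCompliance carry grammar slips through the revision unchanged. "The frwkErrorGroup is mandatory sending errors in decisions is to be supported." is missing "if" after "mandatory", and "incremental updates to request states is to be supported" should use "are". These clauses state when a group or install access must be implemented, so they are worth tightening, e.g. "The frwkErrorGroup is mandatory if sending errors in decisions is to be supported."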
frwkDeviceIdGroup OBJECT-GROUP frwkPrcSupportGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkDeviceIdDescr, frwkPrcSupportPrid,
frwkDeviceIdMaxMsg, frwkPrcSupportSupportedPrc,
frwkDeviceIdMaxContexts } frwkPrcSupportSupportedAttrs }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Objects from the frwkDeviceIdTable." "Objects from the frwkPrcSupportTable."
::= { frwkBasePibGroups 3 } ::= { frwkBasePibGroups 1 }
frwkCompLimitsGroup OBJECT-GROUP frwkPibIncarnationGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkCompLimitsComponent, frwkPibIncarnationPrid,
frwkCompLimitsAttrPos, frwkPibIncarnationName,
frwkCompLimitsNegation, frwkPibIncarnationId,
frwkCompLimitsType, frwkPibIncarnationLongevity,
frwkCompLimitsSubType, frwkPibIncarnationTtl,
frwkCompLimitsGuidance } frwkPibIncarnationInCtxtSet,
STATUS current frwkPibIncarnationActive,
DESCRIPTION frwkPibIncarnationFullState
"Objects from the frwkCompLimitsTable." }
STATUS current
DESCRIPTION
"Objects from the frwkDevicePibIncarnationTable."
::= { frwkBasePibGroups 4 } ::= { frwkBasePibGroups 2 }
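Review bot: the DESCRIPTION of frwkPibIncarnationGroup says "Objects from the frwkDevicePibIncarnationTable.", a name that appears nowhere else in the visible text; the Security Considerations call the PRC frwkPibIncarnationTable, and the other group descriptions use the table descriptor that matches the group name. Since the OBJECTS list is already being touched to add frwkPibIncarnationPrid and frwkPibIncarnationInCtxtSet, correct the description to "Objects from the frwkPibIncarnationTable." in the same change.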
frwkReferenceGroup OBJECT-GROUP frwkDeviceIdGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkReferenceClientType, frwkDeviceIdPrid,
frwkReferenceClientHandle, frwkDeviceIdDescr,
frwkReferencePrid } frwkDeviceIdMaxMsg,
STATUS current frwkDeviceIdMaxContexts }
DESCRIPTION STATUS current
"Objects from the frwkReferenceTable." DESCRIPTION
"Objects from the frwkDeviceIdTable."
::= { frwkBasePibGroups 5 } ::= { frwkBasePibGroups 3 }
frwkErrorGroup OBJECT-GROUP frwkCompLimitsGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwkErrorCode, frwkCompLimitsPrid,
frwkErrorSubCode, frwkCompLimitsComponent,
frwkErrorPrc, frwkCompLimitsAttrPos,
frwkErrorInstance } frwkCompLimitsNegation,
STATUS current frwkCompLimitsType,
DESCRIPTION frwkCompLimitsSubType,
"Objects from the frwkErrorTable." frwkCompLimitsGuidance }
STATUS current
DESCRIPTION
"Objects from the frwkCompLimitsTable."
::= { frwkBasePibGroups 6 } ::= { frwkBasePibGroups 4 }
frwkReferenceGroup OBJECT-GROUP
OBJECTS {
frwkReferencePrid,
frwkReferenceClientType,
frwkReferenceClientHandle,
frwkReferenceInstance }
STATUS current
DESCRIPTION
"Objects from the frwkReferenceTable."
frwkCapabilitySetGroup OBJECT-GROUP ::= { frwkBasePibGroups 5 }
OBJECTS {
frwkCapabilitySetName,
frwkCapabilitySetCapability }
STATUS current
DESCRIPTION
"Objects from the frwkCapabilitySetTable."
::= { frwkBasePibGroups 7 } frwkErrorGroup OBJECT-GROUP
OBJECTS {
frwkErrorPrid,
frwkErrorCode,
frwkErrorSubCode,
frwkErrorPrc,
frwkErrorInstance }
STATUS current
DESCRIPTION
"Objects from the frwkErrorTable."
frwkRoleComboGroup OBJECT-GROUP ::= { frwkBasePibGroups 6 }
OBJECTS {
frwkRoleComboRoles,
frwkRoleComboCapSetName }
STATUS current
DESCRIPTION
"Objects from the frwkRoleComboTable."
::= { frwkBasePibGroups 8 } frwkCapabilitySetGroup OBJECT-GROUP
OBJECTS {
frwkCapabilitySetPrid,
frwkCapabilitySetName,
frwkCapabilitySetCapability }
STATUS current
DESCRIPTION
"Objects from the frwkCapabilitySetTable."
frwkIfRoleComboGroup OBJECT-GROUP ::= { frwkBasePibGroups 7 }
OBJECTS {
frwkIfRoleComboIfIndex }
STATUS current
DESCRIPTION
"Objects from the frwkIfRoleComboTable."
::= { frwkBasePibGroups 9 } frwkRoleComboGroup OBJECT-GROUP
OBJECTS {
frwkRoleComboPrid,
frwkRoleComboRoles,
frwkRoleComboCapSetName }
frwkBaseFilterGroup OBJECT-GROUP STATUS current
OBJECTS { DESCRIPTION
frwkBaseFilterNegation } "Objects from the frwkRoleComboTable."
STATUS current
DESCRIPTION
"Objects from the frwkBaseFilterTable."
::= { frwkBasePibGroups 10 } ::= { frwkBasePibGroups 8 }
frwkIpFilterGroup OBJECT-GROUP frwkIfRoleComboGroup OBJECT-GROUP
OBJECTS { OBJECTS { frwkIfRoleComboIfIndex }
frwkIpFilterAddrType, STATUS current
frwkIpFilterDstAddr, DESCRIPTION
frwkIpFilterDstPrefixLength, "Objects from the frwkIfRoleComboTable."
frwkIpFilterSrcAddr,
frwkIpFilterSrcPrefixLength,
frwkIpFilterDscp,
frwkIpFilterFlowId,
frwkIpFilterProtocol,
frwkIpFilterDstL4PortMin,
::= { frwkBasePibGroups 9 }
frwkIpFilterDstL4PortMax, frwkBaseFilterGroup OBJECT-GROUP
frwkIpFilterSrcL4PortMin, OBJECTS {
frwkIpFilterSrcL4PortMax } frwkBaseFilterPrid,
STATUS current frwkBaseFilterNegation }
DESCRIPTION STATUS current
"Objects from the frwkIpFilterTable." DESCRIPTION
"Objects from the frwkBaseFilterTable."
::= { frwkBasePibGroups 11 } ::= { frwkBasePibGroups 10 }
frwk802FilterGroup OBJECT-GROUP frwkIpFilterGroup OBJECT-GROUP
OBJECTS { OBJECTS {
frwk802FilterDstAddr, frwkIpFilterAddrType,
frwk802FilterDstAddrMask, frwkIpFilterDstAddr,
frwk802FilterSrcAddr, frwkIpFilterDstPrefixLength,
frwk802FilterSrcAddrMask, frwkIpFilterSrcAddr,
frwk802FilterVlanId, frwkIpFilterSrcPrefixLength,
frwk802FilterVlanTagRequired, frwkIpFilterDscp,
frwk802FilterEtherType, frwkIpFilterFlowId,
frwk802FilterUserPriority } frwkIpFilterProtocol,
STATUS current frwkIpFilterDstL4PortMin,
DESCRIPTION frwkIpFilterDstL4PortMax,
"Objects from the frwk802FilterTable." frwkIpFilterSrcL4PortMin,
frwkIpFilterSrcL4PortMax }
STATUS current
DESCRIPTION
"Objects from the frwkIpFilterTable."
::= { frwkBasePibGroups 12 } ::= { frwkBasePibGroups 11 }
frwkILabelFilterGroup OBJECT-GROUP frwk802FilterGroup OBJECT-GROUP
OBJECTS { frwkILabelFilterILabel } OBJECTS {
STATUS current frwk802FilterDstAddr,
DESCRIPTION frwk802FilterDstAddrMask,
"Objects from the frwkILabelFilterTable." frwk802FilterSrcAddr,
frwk802FilterSrcAddrMask,
frwk802FilterVlanId,
frwk802FilterVlanTagRequired,
frwk802FilterEtherType,
frwk802FilterUserPriority }
STATUS current
DESCRIPTION
"Objects from the frwk802FilterTable."
::= { frwkBasePibGroups 13 } ::= { frwkBasePibGroups 12 }
frwk802MarkerGroup OBJECT-GROUP frwkILabelFilterGroup OBJECT-GROUP
OBJECTS { OBJECTS { frwkILabelFilterILabel }
frwk802MarkerVlanId, STATUS current
frwk802MarkerPriority } DESCRIPTION
STATUS current "Objects from the frwkILabelFilterTable."
DESCRIPTION
"Objects from the frwk802MarkerTable."
::= { frwkBasePibGroups 14 } ::= { frwkBasePibGroups 13 }
frwkILabelMarkerGroup OBJECT-GROUP frwk802MarkerGroup OBJECT-GROUP
OBJECTS { frwkILabelMarkerILabel } OBJECTS {
STATUS current frwk802MarkerPrid,
DESCRIPTION frwk802MarkerVlanId,
"Objects from the frwkILabelMarkerTable." frwk802MarkerPriority }
STATUS current
DESCRIPTION
"Objects from the frwk802MarkerTable."
::= { frwkBasePibGroups 15 } ::= { frwkBasePibGroups 14 }
END frwkILabelMarkerGroup OBJECT-GROUP
OBJECTS {
frwkILabelMarkerPrid,
frwkILabelMarkerILabel }
STATUS current
DESCRIPTION
"Objects from the frwkILabelMarkerTable."
::= { frwkBasePibGroups 15 }
END
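Review bot: the revised OBJECT-GROUP definitions add the Prid attribute to most OBJECTS lists (frwkPrcSupportPrid, frwkDeviceIdPrid, frwkBaseFilterPrid, frwk802MarkerPrid and so on), but frwkIfRoleComboGroup, frwkIpFilterGroup, frwk802FilterGroup and frwkILabelFilterGroup are left without one and nothing here says why. If those PRCs have no Prid attribute of their own, a one-line ASN.1 comment on each group would save a reader from checking the entry definitions; if they do, the lists are incomplete. The frwkReferenceGroup list also changes its last member to frwkReferenceInstance and moves frwkReferencePrid to the front, which deserves a mention in the change log.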
6. Security Considerations 6. Security Considerations
It is clear that this PIB is used for configuration using [COPS-PR], It is clear that this PIB is used for configuration using [COPS-PR],
and anything that can be configured can be misconfigured, with and anything that can be configured can be misconfigured, with a
potentially disastrous effect. At this writing, no security holes potentially disastrous effect. At this writing, no security holes
have been identified beyond those that the COPS base protocol have been identified beyond those that the COPS base protocol
security is itself intended to address. These relate primarily to security is itself intended to address. These relate primarily to
controlled access to sensitive information and the ability to controlled access to sensitive information and the ability to
configure a device - or which might result from operator error, configure a device - or which might result from operator error, which
which is beyond the scope of any security architecture. is beyond the scope of any security architecture.
There are a number of PRovisioning Classes defined in this PIB that There are a number of PRovisioning Classes defined in this PIB that
have a PIB-ACCESS clause of install and install-notify (read- have a PIB-ACCESS clause of install and install-notify (read-create).
create). These are: These are:
frwkPibIncarnationTable: Malicious access of this PRC can cause the frwkPibIncarnationTable: Malicious access of this PRC can cause the
PEP to use an incorrect context of policies. PEP to use an incorrect context of policies.
frwkReferenceTable: Malicious access of this PRC can cause the PEP
to interpret the installed policy in an incorrect manner. frwkReferenceTable: Malicious access of this PRC can cause the PEP to
interpret the installed policy in an incorrect manner.
frwkErrorTable: Malicious access of this PRC can cause the PEP to frwkErrorTable: Malicious access of this PRC can cause the PEP to
incorrectly assume that the PDP could not process its messages. incorrectly assume that the PDP could not process its messages.
FrwkCapabilitySetTable, frwkRoleComboTable and frwkIfRoleComboTable: FrwkCapabilitySetTable, frwkRoleComboTable and frwkIfRoleComboTable:
Malicious access of these PRCs can cause the PEP to apply policies Malicious access of these PRCs can cause the PEP to apply policies to
to the wrong interfaces. the wrong interfaces.
FrwkBaseFilterTable, frwkIpFilterTable, frwk802FilterTable and FrwkBaseFilterTable, frwkIpFilterTable, frwk802FilterTable and
frwkILabelFilterTable: Malicious access of these PRCs can cause frwkILabelFilterTable: Malicious access of these PRCs can cause
unintended classification of traffic on the PEP potentially leading unintended classification of traffic on the PEP potentially leading
to incorrect policies being applied. to incorrect policies being applied.
frwk802MarkerTable, frwkILabelMarkerTable: Malicious access of these frwk802MarkerTable, frwkILabelMarkerTable: Malicious access of these
PRCs can cause unintended marking of traffic on the PEP potentially PRCs can cause unintended marking of traffic on the PEP potentially
leading to incorrect policies being applied. leading to incorrect policies being applied.
Such objects may be considered sensitive or vulnerable in some Such objects may be considered sensitive or vulnerable in some
network environments. The support for "Install" or "Install-Notify" network environments. The support for "Install" or "Install-Notify"
decisions sent over [COPS-PR] in a non-secure environment without decisions sent over [COPS-PR] in a non-secure environment without
proper protection can have a negative effect on network operations. proper protection can have a negative effect on network operations.
There are a number of PRovisioning Classes in this PIB that may There are a number of PRovisioning Classes in this PIB that may
contain information that may be sensitive from a business contain information that may be sensitive from a business
perspective, in that they may represent a customer's service perspective, in that they may represent a customer's service contract
contract or the filters that the service provider chooses to apply or the filters that the service provider chooses to apply to a
to a customer's ingress or egress traffic. There are no PRCs that customer's ingress or egress traffic. There are no PRCs that are
are sensitive in their own right, such as passwords or monetary sensitive in their own right, such as passwords or monetary amounts.
amounts. It may be important to control even "Notify"(read-only) It may be important to control even "Notify"(read-only) access to
access to these PRCs and possibly to even encrypt the values of these PRCs and possibly to even encrypt the values of these PRIs when
these PRIs when sending them over the network via COPS-PR. The use sending them over the network via COPS-PR. The use of IPSEC between
of IPSEC between the PDP and the PEP, as described in [COPS], the PDP and the PEP, as described in [COPS], provides the necessary
provides the necessary protection against security threats. However, protection against security threats. However, even if the network
even if the network itself is secure, there is no control as to who itself is secure, there is no control as to who on the secure network
on the secure network is allowed to "Install/Notify" is allowed to "Install/Notify" (read/change/create/delete) the PRIs
(read/change/create/delete) the PRIs in this PIB. in this PIB.
It is then a customer/user responsibility to ensure that the PEP/PDP It is then a customer/user responsibility to ensure that the PEP/PDP
giving access to an instance of this PIB, is properly configured to giving access to an instance of this PIB, is properly configured to
give access to only the PRIs and principals (users) that have
give access to the PRIs only to those principals (users) that have
legitimate rights to indeed "Install" or "Notify" (change/create/ legitimate rights to indeed "Install" or "Notify" (change/create/
delete) them. delete) them.
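Review bot: the access glosses in the closing paragraphs disagree with each other: "Notify" is glossed as (read-only), "Install/Notify" as (read/change/create/delete), and the final sentence as "Install" or "Notify" (change/create/delete), which drops read even though the preceding paragraph argues that read access to these PRCs may itself need controlling. The rewording to "give access to the PRIs only to those principals (users)" is clearer than the draft text, but the gloss should be made consistent in the same pass, e.g. (read/change/create/delete) in the last sentence. Also, FrwkCapabilitySetTable and FrwkBaseFilterTable in the PRC list are capitalised unlike the descriptors frwkCapabilitySetTable and frwkBaseFilterTable used in the group descriptions.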
7. RFC Editor Considerations 7. IANA Considerations
This document normatively references [DS-MIB] which is in the IESG
last call stage. Please use the corresponding RFC number prior to
publishing of this document as a RFC.
8. IANA Considerations
This document describes the frameworkPib and frwkTcPib Policy This document describes the frameworkPib and frwkTcPib Policy
Information Base (PIB) modules for standardization under the "pib" Information Base (PIB) modules for registration under the "pib"
branch registered with IANA. An IANA assigned PIB number is branch registered with IANA. The IANA has assigned PIB numbers 2 and
requested for both under the "pib" branch. 3, respectively.
Both these PIBs use "all" in the SUBJECT-CATEGORIES clause, i.e., Both these PIBs use "all" in the SUBJECT-CATEGORIES clause, i.e.,
they apply to all COPS client types. No new COPS client type is to they apply to all COPS client types. No new COPS client type is to
be registered for these two PIB modules. be registered for these two PIB modules.
9. Author Information and Acknowledgments 8. References
Michael Fine
Atheros Communications
529 Almanor Ave
Sunnyvale, CA 94085 USA
Phone: +1 408 773 5324
Email: mfine@atheros.com
Keith McCloghrie 8.1 Normative References
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
Phone: +1 408 526 5260
Email: kzm@cisco.com
John Seligson [COPS] Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan,
Nortel Networks, Inc. R. and A. Sastry, "The COPS (Common Open Policy
4401 Great America Parkway Service) Protocol", RFC 2748, January 2000.
Santa Clara, CA 95054 USA
Phone: +1 408 495 2992
Email: jseligso@nortelnetworks.com
Kwok Ho Chan [COPS-PR] Chan, K., Durham, D., Gai, S., Herzog, S.,
Nortel Networks, Inc. McCloghrie, K., Reichmeyer, Seligson, J., Smith, A.
600 Technology Park Drive and R. Yavatkar, "COPS Usage for Policy
Billerica, MA 01821 USA Provisioning", RFC 3084, March 2001.
Phone: +1 978 288 8175
Email: khchan@nortelnetworks.com
[SPPI] McCloghrie, K., Fine, M., Seligson, J., Chan, K.,
Hahn, S., Sahita, R., Smith, A. and F. Reichmeyer,
"Structure of Policy Provisioning Information", RFC
3159, August 2001.
Ravi Sahita [SNMP-SMI] McCloghrie, K., Perkins, D., Schoenwaelder, J.,
Intel Labs. Case, J., Rose, M. and S. Waldbusser, "Structure of
2111 NE 25th Avenue Management Information Version 2 (SMIv2)", STD 58,
Hillsboro, OR 97124 USA RFC 2578, April 1999.
Phone: +1 503 712 1554
Email: ravi.sahita@intel.com
Scott Hahn [INETADDR] Daniele, M., Haberman, B., Routhier, S. and J.
Intel Labs. Schoenwaelder, "Textual Conventions for Internet
2111 NE 25th Avenue Network Addresses", RFC 3291, May 2002.
Hillsboro, OR 97124 USA
Phone: +1 503 264 8231
Email: scott.hahn@intel.com
Andrew Smith [802] IEEE Standards for Local and Metropolitan Area
Harbour Networks Networks: Overview and Architecture, ANSI/IEEE Std
Jiuling Building 802, 1990.
21 North Xisanhuan Ave.
Beijing, 100089, PRC
EMail: ah_smith@acm.org
Francis Reichmeyer [SNMPFRWK] Harrington, D., Presuhn, R. and B. Wijnen, "An
PFN, Inc. Architecture for Describing Simple Network
University Park at MIT Management Protocol (SNMP) Management Frameworks",
26 Landsdowne Street STD 62, RFC 3411, December 2002.
Cambridge, MA 02139
Phone: +1 617 494 9980
Email: franr@pfn.com
Special thanks to Carol Bell and David Durham for their many