draft-ietf-rap-pr-05.txt   rfc3084.txt 
Internet Draft Kwok Ho Chan Network Working Group K. Chan
Expiration: March 2001 Nortel Networks Request for Comments: 3084 J. Seligson
File: draft-ietf-rap-pr-05.txt David Durham Category: Standards Track Nortel Networks
Intel D. Durham
Silvano Gai Intel
Cisco S. Gai
Shai Herzog K. McCloghrie
IPHighway Cisco
Keith McCloghrie S. Herzog
Cisco IPHighway
Francis Reichmeyer F. Reichmeyer
PFN PFN
John Seligson R. Yavatkar
Nortel Networks Intel
Andrew Smith A. Smith
No Affiliation Allegro Networks
Raj Yavatkar March 2001
Intel
COPS Usage for Policy Provisioning (COPS-PR) COPS Usage for Policy Provisioning (COPS-PR)
October 30, 2000
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document specifies an Internet standards track protocol for the
all provisions of Section 10 of RFC2026. Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Internet-Drafts are working documents of the Internet Engineering Official Protocol Standards" (STD 1) for the standardization state
Task Force (IETF), its areas, and its working groups. Note that and status of this protocol. Distribution of this memo is unlimited.
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Distribution of this memo is unlimited.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
Abstract Abstract
This document describes the use of the COPS protocol [COPS] for This document describes the use of the Common Open Policy Service
support of policy provisioning (COPS-PR). This specification is (COPS) protocol for support of policy provisioning (COPS-PR). This
independent of the type of policy being provisioned (QoS, Security, specification is independent of the type of policy being provisioned
etc.) but focuses on the mechanisms and conventions used to (QoS, Security, etc.) but focuses on the mechanisms and conventions
communicate provisioned information between PDPs and PEPs. The used to communicate provisioned information between PDPs and PEPs.
protocol extensions described in this document do not make any The protocol extensions described in this document do not make any
assumptions about the policy data model being communicated, but assumptions about the policy data model being communicated, but
describe the message formats and objects that carry the modeled describe the message formats and objects that carry the modeled
policy data. policy data.
Conventions used in this document Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in [RFC-2119].
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC-2119].
Table of Contents Table of Contents
Abstract............................................................2 Glossary........................................................... 3
Conventions used in this document...................................2 1. Introduction.................................................... 3
Table of Contents...................................................3 1.1. Why COPS for Provisioning?.................................... 5
Glossary............................................................4 1.2. Interaction between the PEP and PDP........................... 5
1. Introduction.....................................................4 2. Policy Information Base (PIB)................................... 6
1.1. Why COPS for Provisioning?.....................................5 2.1. Rules for Modifying and Extending PIBs........................ 7
1.2. Interaction between the PEP and PDP............................6 2.2. Adding PRCs to, or deprecating from, a PIB.................... 7
2. Policy Information Base (PIB)....................................7 2.2.1. Adding or Deprecating Attributes of a BER Encoded PRC....... 8
2.1. Rules for Modifying and Extending PIBs.........................8 2.3. COPS Operations Supported for a Provisioning Instance......... 8
2.2. Adding PRCs to, or deprecating from, a PIB.....................8 3. Message Content................................................. 9
2.2.1. Adding or Deprecating Attributes of a BER Encoded PRC........9 3.1. Request (REQ) PEP -> PDP..................................... 9
2.3. COPS Operations Supported for a Provisioning Instance..........9 3.2. Decision (DEC) PDP -> PEP....................................10
3. Message Content.................................................10 3.3. Report State (RPT) PEP -> PDP................................12
3.1. Request (REQ) PEP -> PDP.....................................10 4. COPS-PR Protocol Objects........................................13
3.2. Decision (DEC) PDP -> PEP....................................11 4.1. Complete Provisioning Instance Identifier (PRID)..............14
3.3. Report State (RPT) PEP -> PDP................................13 4.2. Prefix PRID (PPRID)...........................................15
4. COPS-PR Protocol Objects........................................14 4.3. Encoded Provisioning Instance Data (EPD)......................16
4.1. Complete Provisioning Instance Identifier (PRID)..............15 4.4. Global Provisioning Error Object (GPERR)......................21
4.2. Prefix PRID (PPRID)...........................................15 4.5. PRC Class Provisioning Error Object (CPERR)...................22
4.3. Encoded Provisioning Instance Data (EPD)......................16 4.6. Error PRID Object (ErrorPRID).................................23
4.4. Global Provisioning Error Object (GPERR)......................21 5. COPS-PR Client-Specific Data Formats............................23
4.5. PRC Class Provisioning Error Object (CPERR)...................22 5.1. Named Decision Data...........................................23
4.6. Error PRID Object (ErrorPRID).................................23 5.2. ClientSI Request Data.........................................24
5. COPS-PR Client-Specific Data Formats............................23 5.3. Policy Provisioning Report Data...............................24
5.1. Named Decision Data...........................................23 5.3.1. Success and Failure Report-Type Data Format.................24
5.2. ClientSI Request Data.........................................24 5.3.2. Accounting Report-Type Data Format..........................25
5.3. Policy Provisioning Report Data...............................24 6. Common Operation................................................26
5.3.1. Success and Failure Report-Type Data Format.................24 7. Fault Tolerance.................................................28
5.3.2. Accounting Report-Type Data Format..........................25 8. Security Considerations.........................................29
6. Common Operation................................................26 9. IANA Considerations.............................................29
7. Fault Tolerance.................................................28 10. Acknowledgements...............................................30
8. Security Considerations.........................................29 11. References.....................................................30
9. IANA Considerations.............................................29 12. Authors' Addresses.............................................32
10. Acknowledgements...............................................29 13. Full Copyright Statement.......................................34
11. References.....................................................30
12. Author Information.............................................31
13. Full Copyright Notice..........................................32
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
Glossary Glossary
PRC Provisioning Class. A type of policy data. PRC Provisioning Class. A type of policy data.
PRI Provisioning Instance. An instance of a PRC. PRI Provisioning Instance. An instance of a PRC.
PIB Policy Information Base. The database of policy PIB Policy Information Base. The database of policy
information. information.
PDP Policy Decision Point. See [RAP]. PDP Policy Decision Point. See [RAP].
PEP Policy Enforcement Point. See [RAP]. PEP Policy Enforcement Point. See [RAP].
PRID Provisioning Instance Identifier. Uniquely identifies an PRID Provisioning Instance Identifier. Uniquely identifies an
instance of a PRC. instance of a PRC.
1. Introduction 1. Introduction
The IETF Resource Allocation Protocol (RAP) WG has defined the The IETF Resource Allocation Protocol (RAP) WG has defined the COPS
COPS (Common Open Policy Service) protocol [COPS] as a scalable (Common Open Policy Service) protocol [COPS] as a scalable protocol
protocol that allows policy servers (PDPs) to communicate policy that allows policy servers (PDPs) to communicate policy decisions to
decisions to network devices (PEPs). COPS was designed to support network devices (PEPs). COPS was designed to support multiple types
multiple types of policy clients. of policy clients.
COPS is a query/response protocol that supports two common models COPS is a query/response protocol that supports two common models for
for policy control: Outsourcing and Configuration. policy control: Outsourcing and Configuration.
The Outsourcing model addresses the kind of events at the PEP that The Outsourcing model addresses the kind of events at the PEP that
require an instantaneous policy decision (authorization). In the require an instantaneous policy decision (authorization). In the
outsourcing scenario, the PEP delegates responsibility to an outsourcing scenario, the PEP delegates responsibility to an external
external policy server (PDP) to make decisions on its behalf. For policy server (PDP) to make decisions on its behalf. For example, in
example, in COPS Usage for RSVP [COPRSVP] when a RSVP reservation COPS Usage for RSVP [COPRSVP] when a RSVP reservation message
message arrives, the PEP must decide whether to admit or reject arrives, the PEP must decide whether to admit or reject the request.
the request. It can outsource this decision by sending a specific It can outsource this decision by sending a specific query to its
query to its PDP, waiting for its decision before admitting the PDP, waiting for its decision before admitting the outstanding
outstanding reservation. reservation.
The COPS Configuration model (herein described as the Provisioning The COPS Configuration model (herein described as the Provisioning
model), on the other hand, makes no assumptions of such direct 1:1 model), on the other hand, makes no assumptions of such direct 1:1
correlation between PEP events and PDP decisions. The PDP may correlation between PEP events and PDP decisions. The PDP may
proactively provision the PEP reacting to external events (such as proactively provision the PEP reacting to external events (such as
user input), PEP events, and any combination thereof (N:M user input), PEP events, and any combination thereof (N:M
correlation). Provisioning may be performed in bulk (e.g., entire correlation). Provisioning may be performed in bulk (e.g., entire
router QoS configuration) or in portions (e.g., updating a router QoS configuration) or in portions (e.g., updating a DiffServ
DiffServ marking filter). marking filter).
Network resources are often provisioned based on relatively static Network resources are often provisioned based on relatively static
SLAs (Service Level Agreements) at network boundaries. While the SLAs (Service Level Agreements) at network boundaries. While the
Outsourcing model is dynamically paced by the PEP in real-time, Outsourcing model is dynamically paced by the PEP in real-time, the
the Provisioning model is paced by the PDP in somewhat flexible Provisioning model is paced by the PDP in somewhat flexible timing
timing over a wide range of configurable aspects of the PEP. over a wide range of configurable aspects of the PEP.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
Edge Device Policy Server Edge Device Policy Server
+--------------+ +-----------+ +-----------+ +--------------+ +-----------+ +-----------+
| | | | | External | | | | | | External |
| | COPS | | | Events | | | COPS | | | Events |
| +-----+ | REQ() | +-----+ | +---+-------+ | +-----+ | REQ() | +-----+ | +---+-------+
| | |----|----------|->| | | | | | |----|----------|->| | | |
| | PEP | | | | PDP |<-|---------+ | | PEP | | | | PDP |<-|---------+
| | |<---|----------|--| | | | | |<---|----------|--| | |
| +-----+ | COPS | +-----+ | | +-----+ | COPS | +-----+ |
| | DEC() | | | | DEC() | |
+--------------+ +-----------+ +--------------+ +-----------+
Figure 1: COPS Provisioning Model Figure 1: COPS Provisioning Model
In COPS-PR, policy requests describe the PEP and its configurable In COPS-PR, policy requests describe the PEP and its configurable
parameters (rather than an operational event). If a change occurs parameters (rather than an operational event). If a change occurs
in these basic parameters, an updated request is sent. Hence, in these basic parameters, an updated request is sent. Hence,
requests are issued quite infrequently. Decisions are not requests are issued quite infrequently. Decisions are not
necessarily mapped directly to requests, and are issued mostly necessarily mapped directly to requests, and are issued mostly
when the PDP responds to external events or PDP events (policy/SLA when the PDP responds to external events or PDP events (policy/SLA
updates). updates).
This draft describes the use of the COPS protocol [COPS] for This document describes the use of the COPS protocol [COPS] for
support of policy provisioning. This specification is independent support of policy provisioning. This specification is independent
of the type of policy being provisioned (QoS, Security, etc.). of the type of policy being provisioned (QoS, Security, etc.).
Rather, it focuses on the mechanisms and conventions used to Rather, it focuses on the mechanisms and conventions used to
communicate provisioned information between PDPs and PEPs. The communicate provisioned information between PDPs and PEPs. The
data model assumed in this document is based on the concept of data model assumed in this document is based on the concept of
Policy Information Bases (PIBs) that define the policy data. There Policy Information Bases (PIBs) that define the policy data. There
may be one or more PIBs for given area of policy and different may be one or more PIBs for given area of policy and different
areas of policy may have different sets of PIBs. areas of policy may have different sets of PIBs.
In order to support a model that includes multiple PDPs In order to support a model that includes multiple PDPs
controlling non-overlapping areas of policy on a single PEP, the controlling non-overlapping areas of policy on a single PEP, the
client-type specified by the PEP to the PDP is unique for the area client-type specified by the PEP to the PDP is unique for the area
of policy being managed. A single client-type for a given area of of policy being managed. A single client-type for a given area of
policy (eg. QoS) will be used for all PIBs that exist in that policy (e.g., QoS) will be used for all PIBs that exist in that
area. The client should treat all the COPS-PR client-types it area. The client should treat all the COPS-PR client-types it
supports as non-overlapping and independent namespaces where supports as non-overlapping and independent namespaces where
instances MUST NOT be shared. instances MUST NOT be shared.
The examples used in this document are biased toward QoS Policy The examples used in this document are biased toward QoS Policy
Provisioning in a Differentiated Services (DiffServ) environment. Provisioning in a Differentiated Services (DiffServ) environment.
However, COPS-PR can be used for other types of provisioning However, COPS-PR can be used for other types of provisioning
policies under the same framework. policies under the same framework.
1.1. Why COPS for Provisioning? 1.1. Why COPS for Provisioning?
COPS-PR has been designed within a framework that is optimized for COPS-PR has been designed within a framework that is optimized for
efficiently provisioning policies across devices, based on the efficiently provisioning policies across devices, based on the
requirements defined in [RAP]. First, COPS-PR allows for efficient
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
requirements defined in [RAP]. First, COPS-PR allows for efficient
transport of attributes, large atomic transactions of data, and transport of attributes, large atomic transactions of data, and
efficient and flexible error reporting. Second, as it has a single efficient and flexible error reporting. Second, as it has a single
connection between the policy client and server per area of policy connection between the policy client and server per area of policy
control identified by a COPS Client-Type, it guarantees only one control identified by a COPS Client-Type, it guarantees only one
server updates a particular policy configuration at any given server updates a particular policy configuration at any given
time. Such a policy configuration is effectively locked, even from time. Such a policy configuration is effectively locked, even from
local console configuration, while the PEP is connected to a PDP local console configuration, while the PEP is connected to a PDP
via COPS. COPS uses reliable TCP transport and, thus, uses a state via COPS. COPS uses reliable TCP transport and, thus, uses a state
sharing/synchronization mechanism and exchanges differential sharing/synchronization mechanism and exchanges differential
updates only. If either the server or client are rebooted (or updates only. If either the server or client are rebooted (or
restarted) the other would know about it quickly. Last, it is restarted) the other would know about it quickly. Last, it is
defined as a real-time event-driven communications mechanism, defined as a real-time event-driven communications mechanism,
never requiring polling between the PEP and PDP. never requiring polling between the PEP and PDP.
Additionally, the COPS protocol is already used for policy control 1.2. Interaction between the PEP and PDP
by outsourcing signaling protocols such as RSVP. It is highly
desirable to use a single policy control protocol for Quality of
Service (QoS) mechanisms, rather than invent a new one for each
type of policy problem.
At the same time, useful mechanisms from SNMP were adopted. COPS-
PR uses a named Policy Information Base (PIB), which can be
described using the SPPI [SPPI], an extension of the SMI [V2SMI],
and encoded using BER [BER] data encoding. This allows reuse of
experience, knowledge, tools, data models, and some code from the
SNMP community. In particular, this document describes the
mechanisms used to transport data modeled with the underlying SMI
over COPS-PR.
1.2. Interaction between the PEP and PDP
When a device boots, it opens a COPS connection to its Primary When a device boots, it opens a COPS connection to its Primary
PDP. When the connection is established, the PEP sends information PDP. When the connection is established, the PEP sends information
about itself to the PDP in the form of a configuration request. about itself to the PDP in the form of a configuration request.
This information includes client specific information (e.g., This information includes client specific information (e.g.,
hardware type, software release, configuration information). hardware type, software release, configuration information).
During this phase the client may also specify the maximum COPS-PR During this phase the client may also specify the maximum COPS-PR
message size supported. message size supported.
In response, the PDP downloads all provisioned policies that are In response, the PDP downloads all provisioned policies that are
currently relevant to that device. On receiving the provisioned currently relevant to that device. On receiving the provisioned
policies, the device maps them into its local QoS mechanisms, and policies, the device maps them into its local QoS mechanisms, and
installs them. If conditions change at the PDP such that the PDP installs them. If conditions change at the PDP such that the PDP
detects that changes are required in the provisioned policies detects that changes are required in the provisioned policies
currently in effect, then the PDP sends the changes (installs, currently in effect, then the PDP sends the changes (installs,
updates, and/or deletes) in policy to the PEP, and the PEP updates updates, and/or deletes) in policy to the PEP, and the PEP updates
its local configuration appropriately. its local configuration appropriately.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
If, subsequently, the configuration of the device changes (board If, subsequently, the configuration of the device changes (board
removed, board added, new software installed, etc.) in ways not removed, board added, new software installed, etc.) in ways not
covered by policies already known to the PEP, then the PEP covered by policies already known to the PEP, then the PEP
asynchronously sends this unsolicited new information to the PDP asynchronously sends this unsolicited new information to the PDP
in an updated configuration request. On receiving this new in an updated configuration request. On receiving this new
information, the PDP sends to the PEP any additional provisioned information, the PDP sends to the PEP any additional provisioned
policies now needed by the PEP, or removes those policies that are policies now needed by the PEP, or removes those policies that are
no longer required. no longer required.
2. Policy Information Base (PIB) 2. Policy Information Base (PIB)
The data carried by COPS-PR is a set of policy data. The protocol The data carried by COPS-PR is a set of policy data. The protocol
assumes a named data structure, known as a Policy Information Base assumes a named data structure, known as a Policy Information Base
(PIB), to identify the type and purpose of unsolicited policy (PIB), to identify the type and purpose of unsolicited policy
information that is "pushed" from the PDP to the PEP for information that is "pushed" from the PDP to the PEP for
provisioning policy or sent to the PDP from the PEP as a provisioning policy or sent to the PDP from the PEP as a
notification. The PIB name space is common to both the PEP and the notification. The PIB name space is common to both the PEP and the
PDP and data instances within this space are unique within the PDP and data instances within this space are unique within the
scope of a given Client-Type and Request-State per TCP connection scope of a given Client-Type and Request-State per TCP connection
between a PEP and PDP. Note that given a device might implement between a PEP and PDP. Note that given a device might implement
multiple COPS Client-Types, a unique instance space is to be multiple COPS Client-Types, a unique instance space is to be
provided for each separate Client-Type. There is no sharing of provided for each separate Client-Type. There is no sharing of
instance data across the Client-Types implemented by a PEP, even instance data across the Client-Types implemented by a PEP, even
if the classes being instantiated are of the same type and share if the classes being instantiated are of the same type and share
the same instance identifier. the same instance identifier.
The PIB can be described as a conceptual tree namespace where the The PIB can be described as a conceptual tree namespace where the
branches of the tree represent structures of data or Provisioning branches of the tree represent structures of data or Provisioning
Classes (PRCs), while the leaves represent various instantiations Classes (PRCs), while the leaves represent various instantiations
of Provisioning Instances (PRIs). There may be multiple data of Provisioning Instances (PRIs). There may be multiple data
instances (PRIs) for any given data structure (PRC). For example, instances (PRIs) for any given data structure (PRC). For example,
if one wanted to install multiple access control filters, the PRC if one wanted to install multiple access control filters, the PRC
might represent a generic access control filter type and each PRI might represent a generic access control filter type and each PRI
might represent an individual access control filter to be applied. might represent an individual access control filter to be applied.
The tree might be represented as follows: The tree might be represented as follows:
-------+-------+----------+---PRC--+--PRI -------+-------+----------+---PRC--+--PRI
| | | +--PRI | | | +--PRI
| | | | | |
| | +---PRC-----PRI | | +---PRC-----PRI
| | | |
| +---PRC--+--PRI | +---PRC--+--PRI
| +--PRI | +--PRI
| +--PRI | +--PRI
| +--PRI | +--PRI
| +--PRI | +--PRI
| |
+---PRC---PRI +---PRC---PRI
Figure 2: The PIB Tree Figure 2: The PIB Tree
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
Instances of the policy classes (PRIs) are each identified by a Instances of the policy classes (PRIs) are each identified by a
Provisioning Instance Identifier (PRID). A PRID is a name, carried Provisioning Instance Identifier (PRID). A PRID is a name, carried
in a COPS <Named ClientSI> or <Named Decision Data> object, which in a COPS <Named ClientSI> or <Named Decision Data> object, which
identifies a particular instance of a class. identifies a particular instance of a class.
2.1. Rules for Modifying and Extending PIBs 2.1. Rules for Modifying and Extending PIBs
As experience is gained with policy based management, and as new As experience is gained with policy based management, and as new
requirements arise, it will be necessary to make changes to PIBs. requirements arise, it will be necessary to make changes to PIBs.
Changes to an existing PIB can be made in several ways. Changes to an existing PIB can be made in several ways.
(1) Additional PRCs can be added to a PIB or an existing one (1) Additional PRCs can be added to a PIB or an existing one
deprecated. deprecated.
(2) Attributes can be added to, or deprecated from, an existing (2) Attributes can be added to, or deprecated from, an existing
PRC. PRC.
(3) An existing PRC can be extended or augmented with a new PRC (3) An existing PRC can be extended or augmented with a new PRC
defined in another (perhaps enterprise specific) PIB. defined in another (perhaps enterprise specific) PIB.
The rules for each of these extension mechanisms is described in The rules for each of these extension mechanisms is described in this
this sub-section. All of these mechanisms for modifying a PIB sub-section. All of these mechanisms for modifying a PIB allow for
allow for interoperability between PDPs and PEPs even when one interoperability between PDPs and PEPs even when one party is using a
party is using a new version of the PIB while the other is using new version of the PIB while the other is using an old version.
an old version.
Note that the SPPI [SPPI] provides the authoritative rules for Note that the SPPI [SPPI] provides the authoritative rules for
updating BER encoded PIBs. It is the purpose of the following updating BER encoded PIBs. It is the purpose of the following
section to explain how such changes affect senders and receivers section to explain how such changes affect senders and receivers of
of COPS messages. COPS messages.
2.2. Adding PRCs to, or deprecating from, a PIB
A published PIB can be extended with new PRCs by simply revising 2.2. Adding PRCs to, or deprecating from, a PIB
the document and adding additional PRCs. These additional PRCs
are easily identified with new PRIDs under the module's PRID
Prefix.
In the event that a PEP implementing the new PIB is being A published PIB can be extended with new PRCs by simply revising the
configured by a PDP implementing the old PIB, the PEP will simply document and adding additional PRCs. These additional PRCs are
not receive any instances of the new PRC. In the event that the easily identified with new PRIDs under the module's PRID Prefix.
PEP is implementing the old PIB and the PDP the new one, the PEP
may receive PRIs for the new PRC. Under such conditions, the PEP
MUST return an error to the PDP, and rollback to its previous
(good) state.
Similarly, existing PRCs can be deprecated from a PIB. In this In the event that a PEP implementing the new PIB is being configured
case, the PEP ignores any PRIs sent to it by a PDP implementing by a PDP implementing the old PIB, the PEP will simply not receive
the old (non-deprecated) version of the PIB. A PDP implementing any instances of the new PRC. In the event that the PEP is
implementing the old PIB and the PDP the new one, the PEP may receive
PRIs for the new PRC. Under such conditions, the PEP MUST return an
error to the PDP, and rollback to its previous (good) state.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 Similarly, existing PRCs can be deprecated from a PIB. In this case,
the new version of the PIB simply does not send any instances of the PEP ignores any PRIs sent to it by a PDP implementing the old
the deprecated class. (non-deprecated) version of the PIB. A PDP implementing the new
version of the PIB simply does not send any instances of the
deprecated class.
2.2.1. Adding or Deprecating Attributes of a BER Encoded PRC 2.2.1. Adding or Deprecating Attributes of a BER Encoded PRC
A PIB can be modified to deprecate existing attributes of a PRC or A PIB can be modified to deprecate existing attributes of a PRC or
add new ones. add new ones.
When deprecating the attributes of a PRC, it must be remembered When deprecating the attributes of a PRC, it must be remembered that,
that, with the COPS-PR protocol, the attributes of the PRC are with the COPS-PR protocol, the attributes of the PRC are identified
identified by their order in the sequence rather than an explicit by their order in the sequence rather than an explicit label (or
label (or attribute OID). Consequently, an ASN.1 value MUST be attribute OID). Consequently, an ASN.1 value MUST be sent even for
sent even for deprecated attributes so that a PDP and PEP deprecated attributes so that a PDP and PEP implementing different
implementing different versions of the PIB are inter-operable. versions of the PIB are inter-operable.
For a deprecated attribute, if the PDP is using a BER encoded PIB, For a deprecated attribute, if the PDP is using a BER encoded PIB,
the PDP MUST send either an ASN.1 value of the correct type, or it the PDP MUST send either an ASN.1 value of the correct type, or it
may send an ASN.1 NULL value. A PEP that receives an ASN.1 NULL may send an ASN.1 NULL value. A PEP that receives an ASN.1 NULL for
for an attribute that is not deprecated SHOULD substitute a an attribute that is not deprecated SHOULD substitute a default
default value. If it has no default value to substitute it MUST value. If it has no default value to substitute it MUST return an
return an error to the PDP. error to the PDP.
When adding new attributes to a PIB, these new attributes must be When adding new attributes to a PIB, these new attributes must be
added in sequence after the existing ones. A PEP that receives a added in sequence after the existing ones. A PEP that receives a PRI
PRI with more attributes than it is expecting MUST ignore the with more attributes than it is expecting MUST ignore the additional
additional attributes and send a warning back to the PDP. attributes and send a warning back to the PDP.
A PEP that receives a PRI with fewer attributes than it is A PEP that receives a PRI with fewer attributes than it is expecting
expecting SHOULD assume default values for the missing attributes. SHOULD assume default values for the missing attributes. It MAY send
It MAY send a warning back to the PDP. If the missing attributes a warning back to the PDP. If the missing attributes are required
are required and there is no suitable default, the PEP MUST send and there is no suitable default, the PEP MUST send an error back to
an error back to the PDP. In all cases the missing attributes are the PDP. In all cases the missing attributes are assumed to
assumed to correspond to the last attributes of the PRC. correspond to the last attributes of the PRC.
2.3. COPS Operations Supported for a Provisioning Instance 2.3. COPS Operations Supported for a Provisioning Instance
A Provisioning Instance (PRI) typically contains a value for each A Provisioning Instance (PRI) typically contains a value for each
attribute defined for the PRC of which it is an instance and is attribute defined for the PRC of which it is an instance and is
identified uniquely, within the scope of a given COPS Client-Type identified uniquely, within the scope of a given COPS Client-Type and
and Request-State on a PEP, by a Provisioning Instance Identifier Request-State on a PEP, by a Provisioning Instance Identifier (PRID).
(PRID). The following COPS operations are supported on a PRI: The following COPS operations are supported on a PRI:
o Install - This operation creates or updates a named instance of o Install - This operation creates or updates a named instance of a
a PRC. It includes two parameters: a PRID object to name the PRI PRC. It includes two parameters: a PRID object to name the PRI and
and an Encoded Provisioning Instance Data (EPD) object with the an Encoded Provisioning Instance Data (EPD) object with the
new/updated values. The PRID value MUST uniquely identify a new/updated values. The PRID value MUST uniquely identify a single
single PRI (i.e. PRID prefix or PRC values are illegal). Updates PRI (i.e., PRID prefix or PRC values are illegal). Updates to an
to an existing PRI are achieved by simply reinstalling the same existing PRI are achieved by simply reinstalling the same PRID with
PRID with the updated EPD data. the updated EPD data.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 o Remove - This operation is used to delete an instance of a PRC. It
o Remove - This operation is used to delete an instance of a PRC. includes one parameter, a PRID object, which names either the
It includes one parameter, a PRID object, which names either the
individual PRI to be deleted or a PRID prefix naming one or more individual PRI to be deleted or a PRID prefix naming one or more
complete classes of PRIs. Prefix-based deletion supports complete classes of PRIs. Prefix-based deletion supports efficient
efficient bulk policy removal. The removal of an unknown/non- bulk policy removal. The removal of an unknown/non-existent PRID
existent PRID SHOULD result in a warning to the PDP (no error). SHOULD result in a warning to the PDP (no error).
3. Message Content 3. Message Content
The COPS protocol provides for different COPS clients to define The COPS protocol provides for different COPS clients to define their
their own "named", i.e. client-specific, information for various own "named", i.e., client-specific, information for various messages.
messages. This section describes the messages exchanged between a This section describes the messages exchanged between a COPS server
COPS server (PDP) and COPS Policy Provisioning clients (PEP) that (PDP) and COPS Policy Provisioning clients (PEP) that carry client-
carry client-specific data objects. All the COPS messages used by specific data objects. All the COPS messages used by COPS-PR conform
COPS-PR conform to the message specifications defined in the COPS to the message specifications defined in the COPS base protocol
base protocol [COPS]. [COPS].
Note: The use of the '*' character represented throughout this Note: The use of the '*' character represented throughout this
document is consistent with the ABNF [RFC2234] and means 0 or more document is consistent with the ABNF [RFC2234] and means 0 or more of
of the following entities. the following entities.
3.1. Request (REQ) PEP -> PDP 3.1. Request (REQ) PEP -> PDP
The REQ message is sent by policy provisioning clients to issue a The REQ message is sent by policy provisioning clients to issue a
'configuration request' to the PDP as specified in the COPS 'configuration request' to the PDP as specified in the COPS Context
Context Object. The Client Handle associated with the REQ message Object. The Client Handle associated with the REQ message originated
originated by a provisioning client MUST be unique for that by a provisioning client MUST be unique for that client. The Client
client. The Client Handle is used to identify a specific request Handle is used to identify a specific request state. Thus, one
state. Thus, one client can potentially open several configuration client can potentially open several configuration request states,
request states, each uniquely identified by its handle. Different each uniquely identified by its handle. Different request states are
request states are used to isolate similarly named configuration used to isolate similarly named configuration information into non-
information into non-overlapping contexts (or logically isolated overlapping contexts (or logically isolated namespaces). Thus, an
namespaces). Thus, an instance of named information is unique instance of named information is unique relative to a particular
relative to a particular client-type and is unique relative to a client-type and is unique relative to a particular request state for
particular request state for that client-type, even if the that client-type, even if the information was similarly identified in
information was similarly identified in other request states (i.e. other request states (i.e., uses the same PRID). Thus, the Client
uses the same PRID). Thus, the Client Handle is also part of the Handle is also part of the instance identification of the
instance identification of the communicated configuration communicated configuration information.
information.
The configuration request message serves as a request from the PEP
to the PDP for provisioning policy data that the PDP may have for
the PEP, such as access control lists, etc. This includes policy
the PDP may have at the time the REQ is received as well as any
future policy data or updates to this data.
The configuration request message should include provisioning The configuration request message serves as a request from the PEP to
client information to provide the PDP with client-specific the PDP for provisioning policy data that the PDP may have for the
configuration or capability information about the PEP. The PEP, such as access control lists, etc. This includes policy the PDP
information provided by the PEP should include client resources may have at the time the REQ is received as well as any future policy
data or updates to this data.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 The configuration request message should include provisioning client
(e.g. queuing capabilities) and default policy configuration (e.g. information to provide the PDP with client-specific configuration or
default role combinations) information as well as incarnation data capability information about the PEP. The information provided by
on existing policy. This information typically does not include the PEP should include client resources (e.g., queuing capabilities)
all the information previously installed by a PDP but rather and default policy configuration (e.g., default role combinations)
should include checksums or shortened references to previously information as well as incarnation data on existing policy. This
installed information for synchronization purposes. This information typically does not include all the information previously
information from the client assists the server in deciding what installed by a PDP but rather should include checksums or shortened
types of policy the PEP can install and enforce. The format of the references to previously installed information for synchronization
information encapsulated in one or more of the COPS Named ClientSI purposes. This information from the client assists the server in
objects is described in section 5. Note that the configuration deciding what types of policy the PEP can install and enforce. The
request message(s) is generated and sent to the PDP in response to format of the information encapsulated in one or more of the COPS
the receipt of a Synchronize State Request (SSQ) message from the Named ClientSI objects is described in section 5. Note that the
PDP. Likewise, an updated configuration request message (using the configuration request message(s) is generated and sent to the PDP in
same Client Handle value as the original request now being response to the receipt of a Synchronize State Request (SSQ) message
updated) may also be generated by the PEP and sent to the PDP at from the PDP. Likewise, an updated configuration request message
any time due to local modifications of the PEP's internal state. (using the same Client Handle value as the original request now being
In this way, the PDP will be synchronized with the PEP's relevant updated) may also be generated by the PEP and sent to the PDP at any
internal state at all times. time due to local modifications of the PEP's internal state. In this
way, the PDP will be synchronized with the PEP's relevant internal
state at all times.
The policy information supplied by the PDP MUST be consistent with The policy information supplied by the PDP MUST be consistent with
the named decision data defined for the policy provisioning the named decision data defined for the policy provisioning client.
client. The PDP responds to the configuration request with a DEC The PDP responds to the configuration request with a DEC message
message containing any available provisioning policy data. containing any available provisioning policy data.
The REQ message has the following format: The REQ message has the following format:
<Request> ::= <Common Header> <Request> ::= <Common Header>
<Client Handle> <Client Handle>
<Context = config request> <Context = config request>
*(<Named ClientSI>) *(<Named ClientSI>)
[<Integrity>] [<Integrity>]
Note that the COPS objects IN-Int, OUT-Int and LPDPDecisions are Note that the COPS objects IN-Int, OUT-Int and LPDPDecisions are not
not included in a COPS-PR Request. included in a COPS-PR Request.
3.2. Decision (DEC) PDP -> PEP 3.2. Decision (DEC) PDP -> PEP
The DEC message is sent from the PDP to a policy provisioning The DEC message is sent from the PDP to a policy provisioning client
client in response to the REQ message received from the PEP. The in response to the REQ message received from the PEP. The Client
Client Handle MUST be the same Handle that was received in the Handle MUST be the same Handle that was received in the corresponding
corresponding REQ message. REQ message.
The DEC message is sent as an immediate response to a The DEC message is sent as an immediate response to a configuration
configuration request with the solicited message flag set in the request with the solicited message flag set in the COPS message
COPS message header. Subsequent DEC messages may also be sent at header. Subsequent DEC messages may also be sent at any time after
any time after the original DEC message to supply the PEP with the original DEC message to supply the PEP with additional/updated
additional/updated policy information without the solicited policy information without the solicited message flag set in the COPS
message flag set in the COPS message header (as they are message header (as they are unsolicited decisions).
unsolicited decisions).
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 Each DEC message may contain multiple decisions. This means a single
Each DEC message may contain multiple decisions. This means a message can install some policies and delete others. In general a
single message can install some policies and delete others. In single COPS-PR DEC message MUST contain any required remove decisions
general a single COPS-PR DEC message MUST contain any required first, followed by any required install decisions. This is used to
remove decisions first, followed by any required install solve a precedence issue, not a timing issue: the remove decision
decisions. This is used to solve a precedence issue, not a timing deletes what it specifies, except those items that are installed in
issue: the remove decision deletes what it specifies, except those the same message.
items that are installed in the same message.
The DEC message can also be used by the PDP to command the PEP to The DEC message can also be used by the PDP to command the PEP to
open a new Request State or Delete an existing Request-State as open a new Request State or Delete an existing Request-State as
identified by the Client-Handle. To accomplish this, COPS-PR identified by the Client-Handle. To accomplish this, COPS-PR defines
defines a new flag for the COPS Decision Flags object. The flag a new flag for the COPS Decision Flags object. The flag 0x02 is to
0x02 is to be used by COPS-PR client-types and is hereafter be used by COPS-PR client-types and is hereafter referred to as the
referred to as the "Request-State" flag. An Install decision "Request-State" flag. An Install decision (Decision Flags: Command-
(Decision Flags: Command-Code=Install) with the Request-State flag Code=Install) with the Request-State flag set in the COPS Decision
set in the COPS Decision Flags object will cause the PEP to issue Flags object will cause the PEP to issue a new Request with a new
a new Request with a new Client Handle or else specify the Client Handle or else specify the appropriate error in a COPS Report
appropriate error in a COPS Report message. A Remove decision message. A Remove decision (Decision Flags: Command-Code=Remove)
(Decision Flags: Command-Code=Remove) with the Request-State flag with the Request-State flag set in the COPS Decision Flags object
set in the COPS Decision Flags object will cause the PEP to send a will cause the PEP to send a COPS Delete Request State (DRQ) message
COPS Delete Request State (DRQ) message for the Request-State for the Request-State identified by the Client Handle in the DEC
identified by the Client Handle in the DEC message. Whenever the message. Whenever the Request-State flag is set in the COPS Decision
Request-State flag is set in the COPS Decision Flags object in the Flags object in the DEC message, no COPS Named Decision Data object
DEC message, no COPS Named Decision Data object can be included in can be included in the corresponding decision (as it serves no
the corresponding decision (as it serves no purpose for this purpose for this decision flag). Note that only one decision with
decision flag). Note that only one decision with the Request-State the Request-State flag can be present per DEC message, and, if
flag can be present per DEC message, and, if present, this MUST be present, this MUST be the only decision in that message. As
the only decision in that message. described below, the PEP MUST respond to each and every DEC with a
corresponding solicited RPT.
A COPS-PR DEC message MUST be treated as a single "transaction", A COPS-PR DEC message MUST be treated as a single "transaction",
i.e. either all the decisions in a DEC message succeed or they all i.e., either all the decisions in a DEC message succeed or they all
fail. If they fail, the PEP will rollback to its previous good fail. If they fail, the PEP will rollback to its previous good
state, which is the last successful DEC transaction, if any. This state, which is the last successful DEC transaction, if any. This
allows the PDP to delete some policies only if other policies can allows the PDP to delete some policies only if other policies can be
be installed in their place. The DEC message has the following installed in their place. The DEC message has the following format:
format:
<Decision Message> ::= <Common Header> <Decision Message> ::= <Common Header>
<Client Handle> <Client Handle>
*(<Decision>) | <Error> *(<Decision>) | <Error>
[<Integrity>] [<Integrity>]
<Decision> ::= <Context> <Decision> ::= <Context>
<Decision: Flags> <Decision: Flags>
[<Named Decision Data: Provisioning >] [<Named Decision Data: Provisioning >]
Note that the Named Decision Data (Provisioning) object is Note that the Named Decision Data (Provisioning) object is included
included in a COPS-PR Decision when it is an Install or Remove in a COPS-PR Decision when it is an Install or Remove decision with
decision with no Decision Flags set. Other types of COPS decision no Decision Flags set. Other types of COPS decision data objects
data objects (e.g. Stateless, Replacement) are not supported by (e.g., Stateless, Replacement) are not supported by COPS-PR client-
types. The Named Decision Data object MUST NOT be included in the
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 decision if the Decision Flags object Command-Code is NULL (meaning
COPS-PR client-types. The Named Decision Data object MUST NOT be there is no configuration information to install at this time) or if
included in the decision if the Decision Flags object Command-Code the Request-State flag is set in the Decision Flags object.
is NULL (meaning there is no configuration information to install
at this time) or if the Request-State flag is set in the Decision
Flags object.
For each decision in the DEC message, the PEP performs the For each decision in the DEC message, the PEP performs the operation
operation specified in the Command-Code and Flags field in the specified in the Command-Code and Flags field in the Decision Flags
Decision Flags object on the Named Decision Data. For the policy object on the Named Decision Data. For the policy provisioning
provisioning clients, the format for this data is defined in the clients, the format for this data is defined in the context of the
context of the Policy Information Base (see section 5). In Policy Information Base (see section 5). In response to a DEC
response to a DEC message, the policy provisioning client MUST message, the policy provisioning client MUST send a RPT message, with
send a RPT message, with the solicited message flag set, back to the solicited message flag set, back to the PDP to inform the PDP of
the PDP to inform the PDP of the action taken. the action taken.
3.3. Report State (RPT) PEP -> PDP 3.3. Report State (RPT) PEP -> PDP
The RPT message is sent from the policy provisioning clients to The RPT message is sent from the policy provisioning clients to the
the PDP to report accounting information associated with the PDP to report accounting information associated with the provisioned
provisioned policy, or to notify the PDP of changes in the PEP policy, or to notify the PDP of changes in the PEP (Report-Type = '
(Report-Type = 'Accounting') related to the provisioning client. Accounting') related to the provisioning client.
RPT is also used as a mechanism to inform the PDP about the action RPT is also used as a mechanism to inform the PDP about the action
taken at the PEP in response to a DEC message. For example, in taken at the PEP in response to a DEC message. For example, in
response to an 'Install' decision, the PEP informs the PDP if the response to an 'Install' decision, the PEP informs the PDP if the
policy data is installed (Report-Type = 'Success') or not (Report- policy data is installed (Report-Type = 'Success') or not (Report-
Type = 'Failure'). Reports that are in response to a DEC message Type = 'Failure'). Reports that are in response to a DEC message
MUST set the solicited message flag in their COPS message header. MUST set the solicited message flag in their COPS message header.
Each solicited RTP MUST be sent for its corresponding DEC in the Each solicited RTP MUST be sent for its corresponding DEC in the
order the DEC messages were received. In case of a solicited order the DEC messages were received. In case of a solicited
failure, the PEP is expected to rollback to its previous (good) failure, the PEP is expected to rollback to its previous (good) state
state as if the erroneous DEC transaction did not occur. The PEP as if the erroneous DEC transaction did not occur. The PEP MUST
MUST always respond to a DEC with a solicited RPT even in response always respond to a DEC with a solicited RPT even in response to a
to a NULL DEC, in which case the Report-Type will be 'Success'. NULL DEC, in which case the Report-Type will be 'Success'.
Reports can also be unsolicited and all unsolicited Reports MUST
NOT set the solicited message flag in their COPS message header.
Examples of unsolicited reports include 'Accounting' Report-Types,
which were not triggered by a specific DEC messages, or 'Failure'
Report-Types, which indicate a failure in a previously
successfully installed configuration (note that, in the case of
such unsolicited failures, the PEP cannot rollback to a previous
"good" state as it becomes ambiguous under these asynchronous
conditions what the correct state might be).
The RPT message may contain provisioning client information such Reports can also be unsolicited and all unsolicited Reports MUST NOT
as accounting parameters or errors/warnings related to a decision. set the solicited message flag in their COPS message header. Examples
The data format for this information is defined in the context of of unsolicited reports include 'Accounting' Report-Types, which were
the policy information base (see section 5). The RPT message has not triggered by a specific DEC messages, or 'Failure' Report-Types,
the following format: which indicate a failure in a previously successfully installed
configuration (note that, in the case of such unsolicited failures,
the PEP cannot rollback to a previous "good" state as it becomes
ambiguous under these asynchronous conditions what the correct state
might be).
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 The RPT message may contain provisioning client information such as
accounting parameters or errors/warnings related to a decision. The
data format for this information is defined in the context of the
policy information base (see section 5). The RPT message has the
following format:
<Report State> ::= <Common Header> <Report State> ::= <Common Header>
<Client Handle> <Client Handle>
<Report Type> <Report Type>
*(<Named ClientSI>) *(<Named ClientSI>)
[<Integrity>] [<Integrity>]
4. COPS-PR Protocol Objects 4. COPS-PR Protocol Objects
The COPS Policy Provisioning clients encapsulate several new The COPS Policy Provisioning clients encapsulate several new objects
objects within the existing COPS Named Client-specific information within the existing COPS Named Client-specific information object and
object and Named Decision Data object. This section defines the Named Decision Data object. This section defines the format of these
format of these new objects. new objects.
COPS-PR classifies policy data according to "bindings", where a COPS-PR classifies policy data according to "bindings", where a
binding consists of a Provisioning Instance Identifier and the binding consists of a Provisioning Instance Identifier and the
Provisioning Instance data, encoded within the context of the Provisioning Instance data, encoded within the context of the
provisioning policy information base (see section 5). provisioning policy information base (see section 5).
The format for these new objects is as follows: The format for these new objects is as follows:
0 1 2 3 0 1 2 3
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| Length | S-Num | S-Type | | Length | S-Num | S-Type |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| 32 bit unsigned integer | | 32 bit unsigned integer |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
S-Num and S-Type are similar to the C-Num and C-Type used in the S-Num and S-Type are similar to the C-Num and C-Type used in the base
base COPS objects. The difference is that S-Num and S-Type are COPS objects. The difference is that S-Num and S-Type are used only
used only for COPS-PR clients and are encapsulated within the for COPS-PR clients and are encapsulated within the existing COPS
existing COPS Named ClientSI or Named Decision Data objects. The Named ClientSI or Named Decision Data objects. The S-Num identifies
S-Num identifies the general purpose of the object, and the S-Type the general purpose of the object, and the S-Type describes the
describes the specific encoding used for the object. All the specific encoding used for the object. All the object descriptions
object descriptions and examples in this document use the Basic and examples in this document use the Basic Encoding Rules as the
Encoding Rules as the encoding type (S-Type = 1). Additional encoding type (S-Type = 1). Additional encodings can be defined for
encodings can be defined for the remaining S-Types in the future the remaining S-Types in the future (for example, an additional S-
(for example, an additional S-Type could be used to carry XML Type could be used to carry XML string based encodings [XML] as an
string based encodings [XML] as an EPD of PRI instance data, where EPD of PRI instance data, where URNs identify PRCs [URN] and
URNs identify PRCs [URN] and XPointers would be used for PRIDs). XPointers would be used for PRIDs).
Length is a two-octet value that describes the number of octets Length is a two-octet value that describes the number of octets
(including the header) that compose the object. If the length in (including the header) that compose the object. If the length in
octets does not fall on a 32-bit word boundary, padding MUST be octets does not fall on a 32-bit word boundary, padding MUST be added
added to the end of the object so that it is aligned to the next to the end of the object so that it is aligned to the next 32-bit
32-bit boundary before the object can be sent on the wire. On the boundary before the object can be sent on the wire. On the receiving
receiving side, a subsequent object boundary can be found by side, a subsequent object boundary can be found by simply rounding up
simply rounding up the stated object length of the current object the stated object length of the current object to the next 32-bit
to the next 32-bit boundary. The values for the padding MUST be boundary. The values for the padding MUST be all zeros.
all zeros.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
4.1. Complete Provisioning Instance Identifier (PRID) 4.1. Complete Provisioning Instance Identifier (PRID)
S-Num = 1 (Complete PRID), S-Type = 1 (BER), Length = variable. S-Num = 1 (Complete PRID), S-Type = 1 (BER), Length = variable.
This object is used to carry the identifier, or PRID, of a This object is used to carry the identifier, or PRID, of a
Provisioning Instance. The identifier is encoded following the Provisioning Instance. The identifier is encoded following the rules
rules that have been defined for encoding SNMP Object Identifier that have been defined for encoding SNMP Object Identifier (OID)
(OID) values. Specifically, PRID values are encoded using the values. Specifically, PRID values are encoded using the
Type/Length/Value (TLV) format and initial sub-identifier packing Type/Length/Value (TLV) format and initial sub-identifier packing
that is specified by the binary encoding rules [BER] used for that is specified by the binary encoding rules [BER] used for Object
Object Identifiers in an SNMP PDU. Identifiers in an SNMP PDU.
0 1 2 3 0 1 2 3
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| Length | S-Num = PRID | S-Type = BER | | Length | S-Num = PRID | S-Type = BER |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
... ...
| Instance Identifier | | Instance Identifier |
... ...
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
For example, a (fictitious) PRID equal to 1.3.6.1.2.2.8.1 would be For example, a (fictitious) PRID equal to 1.3.6.1.2.2.8.1 would be
encoded as follows (values in hex): encoded as follows (values in hex):
06 07 2B 06 01 02 02 08 01 06 07 2B 06 01 02 02 08 01
The entire PRID object would be encoded as follows: The entire PRID object would be encoded as follows:
00 0D - Length 00 0D - Length
01 - S-Num 01 - S-Num
01 - S-Type (Complete PRID) 01 - S-Type (Complete PRID)
06 07 2B 06 01 02 02 08 01 - Encoded PRID 06 07 2B 06 01 02 02 08 01 - Encoded PRID
00 00 00 - Padding 00 00 00 - Padding
NOTE: When encoding an xxxTable's xxxEntry Object-Type as defined NOTE: When encoding an xxxTable's xxxEntry Object-Type as defined by
by the SMI [V2SMI] and SPPI [SPPI], the OID will contain all the the SMI [V2SMI] and SPPI [SPPI], the OID will contain all the sub-
sub-identifiers up to and including the xxxEntry OID but not the identifiers up to and including the xxxEntry OID but not the columnar
columnar identifiers for the attributes within the xxxEntry's identifiers for the attributes within the xxxEntry's SEQUENCE. The
SEQUENCE. The last (suffix) identifier is the INDEX of an instance last (suffix) identifier is the INDEX of an instance of an entire
of an entire xxxEntry including its SEQUENCE of attributes encoded xxxEntry including its SEQUENCE of attributes encoded in the EPD
in the EPD (defined below). This constitutes an instance (PRI) of (defined below). This constitutes an instance (PRI) of a class (PRC)
a class (PRC) in terms of the SMI. in terms of the SMI.
A PRID for a scalar (non-columnar) value's OID is encoded directly
as the PRC where the instance identifier suffix is always zero as
there will be only one instance of a scalar value. The EPD will
then be used to convey the scalar value.
4.2. Prefix PRID (PPRID) A PRID for a scalar (non-columnar) value's OID is encoded directly as
the PRC where the instance identifier suffix is always zero as there
will be only one instance of a scalar value. The EPD will then be
used to convey the scalar value.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 4.2. Prefix PRID (PPRID)
Certain operations, such as decision removal, can be optimized by Certain operations, such as decision removal, can be optimized by
specifying a PRID prefix with the intent that the requested specifying a PRID prefix with the intent that the requested operation
operation be applied to all PRIs matching the prefix (for example, be applied to all PRIs matching the prefix (for example, all
all instances of the same PRC). PRID prefix objects MUST only be instances of the same PRC). PRID prefix objects MUST only be used in
used in the COPS protocol <Remove Decision> operation where it may the COPS protocol <Remove Decision> operation where it may be more
be more optimal to perform bulk decision removal using class optimal to perform bulk decision removal using class prefixes instead
prefixes instead of a sequence of individual <Remove Decision> of a sequence of individual <Remove Decision> operations. Other COPS
operations. Other COPS operations, e.g. <Install Decision> operations, e.g., <Install Decision> operations always require
operations always require individual PRID specification. individual PRID specification.
S-Num = 2 (Prefix PRID), S-Type = 1 (BER), Length = variable. S-Num = 2 (Prefix PRID), S-Type = 1 (BER), Length = variable.
0 1 2 3 0 1 2 3
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| Length | S-Num = PPRID | S-Type = BER | | Length | S-Num = PPRID | S-Type = BER |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
... ... ... ...
| Prefix PRID | | Prefix PRID |
... ... ... ...
skipping to change at page 16, line 41 skipping to change at page 16, line 5
06 05 2B 06 01 02 02 06 05 2B 06 01 02 02
The entire PPRID object would be encoded as follows: The entire PPRID object would be encoded as follows:
00 0B - Length 00 0B - Length
02 - S-Num = Prefix PRID 02 - S-Num = Prefix PRID
01 - S-Type = BER 01 - S-Type = BER
06 05 2B 06 01 02 02 - Encoded Prefix PRID 06 05 2B 06 01 02 02 - Encoded Prefix PRID
00 - Padding 00 - Padding
4.3. Encoded Provisioning Instance Data (EPD) 4.3. Encoded Provisioning Instance Data (EPD)
S-Num = 3 (EPD), S-Type = 1 (BER), Length = variable. S-Num = 3 (EPD), S-Type = 1 (BER), Length = variable.
This object is used to carry the encoded value of a Provisioning This object is used to carry the encoded value of a Provisioning
Instance. The PRI value, which contains all of the individual values Instance. The PRI value, which contains all of the individual values
of the attributes that comprise the class (which corresponds to the of the attributes that comprise the class (which corresponds to the
SMI's xxxEntry Object-Type defining the SEQUENCE of attributes SMI's xxxEntry Object-Type defining the SEQUENCE of attributes
comprising a table [V2SMI][SPPI]), is encoded as a series of TLV comprising a table [V2SMI][SPPI]), is encoded as a series of TLV
sub-components. Each sub-component represents the value of a single sub-components. Each sub-component represents the value of a single
attribute and is encoded following the BER. Note that the ordering attribute and is encoded following the BER. Note that the ordering
of non-scalar (multiple) attributes within the EPD is dictated by of non-scalar (multiple) attributes within the EPD is dictated by
their respective columnar OID suffix when defined in [V2SMI]. Thus, their respective columnar OID suffix when defined in [V2SMI]. Thus,
the attribute with the smallest columnar OID suffix will appear the attribute with the smallest columnar OID suffix will appear first
and the attribute with the highest number columnar OID suffix will be
last.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
first and the attribute with the highest number columnar OID suffix
will be last.
0 1 2 3 0 1 2 3
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| Length | S-Num = EPD | S-Type = BER | | Length | S-Num = EPD | S-Type = BER |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
... ...
| BER Encoded PRI Value | | BER Encoded PRI Value |
... ...
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
As an example, a fictional definition of an IPv4 packet filter class As an example, a fictional definition of an IPv4 packet filter class
could be described using the SMI as follows: could be described using the SMI as follows:
ipv4FilterIpFilter OBJECT IDENTIFIER ::= { someExampleOID 1 } ipv4FilterIpFilter OBJECT IDENTIFIER ::= { someExampleOID 1 }
-- The IP Filter Table -- The IP Filter Table
ipv4FilterTable OBJECT-TYPE ipv4FilterTable OBJECT-TYPE
skipping to change at page 18, line 4 skipping to change at page 17, line 18
Ipv4FilterEntry ::= SEQUENCE { Ipv4FilterEntry ::= SEQUENCE {
ipv4FilterIndex Unsigned32, ipv4FilterIndex Unsigned32,
ipv4FilterDstAddr IpAddress, ipv4FilterDstAddr IpAddress,
ipv4FilterDstAddrMask IpAddress, ipv4FilterDstAddrMask IpAddress,
ipv4FilterSrcAddr IpAddress, ipv4FilterSrcAddr IpAddress,
ipv4FilterSrcAddrMask IpAddress, ipv4FilterSrcAddrMask IpAddress,
ipv4FilterDscp Integer32, ipv4FilterDscp Integer32,
ipv4FilterProtocol Integer32, ipv4FilterProtocol Integer32,
ipv4FilterDstL4PortMin Integer32, ipv4FilterDstL4PortMin Integer32,
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
ipv4FilterDstL4PortMax Integer32, ipv4FilterDstL4PortMax Integer32,
ipv4FilterSrcL4PortMin Integer32, ipv4FilterSrcL4PortMin Integer32,
ipv4FilterSrcL4PortMax Integer32, ipv4FilterSrcL4PortMax Integer32,
ipv4FilterPermit TruthValue ipv4FilterPermit TruthValue
} }
ipv4FilterIndex OBJECT-TYPE ipv4FilterIndex OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
skipping to change at page 19, line 4 skipping to change at page 18, line 20
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The IP address to match against the packet's source IP "The IP address to match against the packet's source IP
address." address."
::= { ipv4FilterEntry 4 } ::= { ipv4FilterEntry 4 }
ipv4FilterSrcAddrMask OBJECT-TYPE ipv4FilterSrcAddrMask OBJECT-TYPE
SYNTAX IpAddress SYNTAX IpAddress
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A mask for the matching of the source IP address." "A mask for the matching of the source IP address."
::= { ipv4FilterEntry 5 } ::= { ipv4FilterEntry 5 }
ipv4FilterDscp OBJECT-TYPE ipv4FilterDscp OBJECT-TYPE
SYNTAX Integer32 (-1 | 0..63) SYNTAX Integer32 (-1 | 0..63)
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value that the DSCP in the packet can have and "The value that the DSCP in the packet can have and
match. A value of -1 indicates that a specific match. A value of -1 indicates that a specific
DSCP value has not been defined and thus all DSCP values DSCP value has not been defined and thus all DSCP values
are considered a match." are considered a match."
::= { ipv4FilterEntry 6 } ::= { ipv4FilterEntry 6 }
ipv4FilterProtocol OBJECT-TYPE ipv4FilterProtocol OBJECT-TYPE
SYNTAX Integer32 (0..255) SYNTAX Integer32 (0..255)
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 20, line 4 skipping to change at page 19, line 22
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The maximum value that the packet's layer 4 destination "The maximum value that the packet's layer 4 destination
port number can have and match this filter." port number can have and match this filter."
::= { ipv4FilterEntry 9 } ::= { ipv4FilterEntry 9 }
ipv4FilterSrcL4PortMin OBJECT-TYPE ipv4FilterSrcL4PortMin OBJECT-TYPE
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
SYNTAX Integer32 (0..65535) SYNTAX Integer32 (0..65535)
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The minimum value that the packet's layer 4 source port "The minimum value that the packet's layer 4 source port
number can have and match this filter." number can have and match this filter."
::= { ipv4FilterEntry 10 } ::= { ipv4FilterEntry 10 }
ipv4FilterSrcL4PortMax OBJECT-TYPE ipv4FilterSrcL4PortMax OBJECT-TYPE
skipping to change at page 20, line 30 skipping to change at page 19, line 46
"The maximum value that the packet's layer 4 source port "The maximum value that the packet's layer 4 source port
number can have and match this filter." number can have and match this filter."
::= { ipv4FilterEntry 11 } ::= { ipv4FilterEntry 11 }
ipv4FilterPermit OBJECT-TYPE ipv4FilterPermit OBJECT-TYPE
SYNTAX TruthValue SYNTAX TruthValue
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"If false, the evaluation is negated. That is, a "If false, the evaluation is negated. That is, a
valid match will be evaluated as not a match and vice valid match will be evaluated as not a match and vice
versa." versa."
::= { ipv4FilterEntry 12 } ::= { ipv4FilterEntry 12 }
A fictional instance of the filter class defined above might then A fictional instance of the filter class defined above might then
be encoded as follows: be encoded as follows:
02 01 08 :ipv4FilterIndex/Unsigned32/Value = 8 02 01 08 :ipv4FilterIndex/Unsigned32/Value = 8
40 04 C0 39 01 05 :ipv4FilterDstAddr/IpAddress/Value = 192.57.1.5 40 04 C0 39 01 05 :ipv4FilterDstAddr/IpAddress/Value = 192.57.1.5
skipping to change at page 21, line 5 skipping to change at page 20, line 24
02 01 06 :ipv4FilterProtocol/Integer32/Value = 6 (TCP) 02 01 06 :ipv4FilterProtocol/Integer32/Value = 6 (TCP)
05 00 :ipv4FilterDstL4PortMin/NULL/not supported 05 00 :ipv4FilterDstL4PortMin/NULL/not supported
05 00 :ipv4FilterDstL4PortMax/NULL/not supported 05 00 :ipv4FilterDstL4PortMax/NULL/not supported
05 00 :ipv4FilterSrcL4PortMin/NULL/not supported 05 00 :ipv4FilterSrcL4PortMin/NULL/not supported
05 00 :ipv4FilterSrcL4PortMax/NULL/not supported 05 00 :ipv4FilterSrcL4PortMax/NULL/not supported
02 01 01 :ipv4FilterPermit/TruthValue/Value = 1 (true) 02 01 01 :ipv4FilterPermit/TruthValue/Value = 1 (true)
The entire EPD object for this instance would then be encoded as The entire EPD object for this instance would then be encoded as
follows: follows:
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
00 30 - Length 00 30 - Length
03 - S-Num = EPD 03 - S-Num = EPD
01 - S-Type = BER 01 - S-Type = BER
02 01 08 - ipv4FilterIndex 02 01 08 - ipv4FilterIndex
40 04 C0 39 01 05 - ipv4FilterDstAddr 40 04 C0 39 01 05 - ipv4FilterDstAddr
40 04 FF FF FF FF - ipv4FilterDstMask 40 04 FF FF FF FF - ipv4FilterDstMask
40 04 00 00 00 00 - ipv4FilterSrcAddr 40 04 00 00 00 00 - ipv4FilterSrcAddr
40 04 00 00 00 00 - ipv4FilterSrcMask 40 04 00 00 00 00 - ipv4FilterSrcMask
02 01 FF - ipv4FilterDscp 02 01 FF - ipv4FilterDscp
02 01 06 - ipv4FilterProtocol 02 01 06 - ipv4FilterProtocol
05 00 - ipv4FilterDstL4PortMin 05 00 - ipv4FilterDstL4PortMin
05 00 - ipv4FilterDstL4PortMax 05 00 - ipv4FilterDstL4PortMax
05 00 - ipv4FilterSrcL4PortMin 05 00 - ipv4FilterSrcL4PortMin
05 00 - ipv4FilterSrcL4PortMax 05 00 - ipv4FilterSrcL4PortMax
02 01 01 - ipv4FilterPermit 02 01 01 - ipv4FilterPermit
Note that attributes not supported within a class are still returned Note that attributes not supported within a class are still returned
in the EPD for a PRI. By convention, a NULL value is returned for in the EPD for a PRI. By convention, a NULL value is returned for
attributes that are not supported. In the previous example, source attributes that are not supported. In the previous example, source
and destination port number attributes are not supported. and destination port number attributes are not supported.
4.4. Global Provisioning Error Object (GPERR) 4.4. Global Provisioning Error Object (GPERR)
S-Num = 4 (GPERR), S-Type = 1 (for BER), Length = 8. S-Num = 4 (GPERR), S-Type = 1 (for BER), Length = 8.
0 1 2 3 0 1 2 3
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| Length | S-Num = GPERR | S-Type = BER | | Length | S-Num = GPERR | S-Type = BER |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| Error-Code | Error Sub-code | | Error-Code | Error Sub-code |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
The global provisioning error object has the same format as the The global provisioning error object has the same format as the Error
Error object in COPS [COPS], except with C-Num and C-Type replaced object in COPS [COPS], except with C-Num and C-Type replaced by the
by the S-Num and S-Type values shown. The global provision error S-Num and S-Type values shown. The global provision error object is
object is used to communicate general errors that do not map to a used to communicate general errors that do not map to a specific PRC.
specific PRC.
The following global error codes are defined: The following global error codes are defined:
availMemLow(1) availMemLow(1)
availMemExhausted(2) availMemExhausted(2)
unknownASN.1Tag(3) - The erroneous tag type SHOULD be unknownASN.1Tag(3) - The erroneous tag type SHOULD be
specified in the Error Sub-Code field. specified in the Error Sub-Code field.
maxMsgSizeExceeded(4) - COPS message (transaction) was too big. maxMsgSizeExceeded(4) - COPS message (transaction) was too big.
unknownError(5) unknownError(5)
maxRequestStatesOpen(6)- No more Request-States can be created maxRequestStatesOpen(6)- No more Request-States can be created
by the PEP (in response to a DEC by the PEP (in response to a DEC
message attempting to open a new message attempting to open a new
Request-State). Request-State).
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
invalidASN.1Length(7) - An ASN.1 object length was incorrect. invalidASN.1Length(7) - An ASN.1 object length was incorrect.
invalidObjectPad(8) - Object was not properly padded. invalidObjectPad(8) - Object was not properly padded.
unknownPIBData(9) - Some of the data supplied by the PDP is unknownPIBData(9) - Some of the data supplied by the PDP is
unknown/unsupported by the PEP (but unknown/unsupported by the PEP (but
otherwise formatted correctly). PRC otherwise formatted correctly). PRC
specific error codes are to be used to specific error codes are to be used to
provide more information. provide more information.
unknownCOPSPRObject(10)- Sub-code (octet 2) contains unknown unknownCOPSPRObject(10)- Sub-code (octet 2) contains unknown
object's S-Num and (octet 3) contains object's S-Num and (octet 3) contains
unknown object's S-Type. unknown object's S-Type.
malformedDecision(11) - Decision could not be parsed. malformedDecision(11) - Decision could not be parsed.
4.5. PRC Class Provisioning Error Object (CPERR) 4.5. PRC Class Provisioning Error Object (CPERR)
S-Num = 5 (CPERR), S-Type = 1 (for BER), Length = 8. S-Num = 5 (CPERR), S-Type = 1 (for BER), Length = 8.
0 1 2 3 0 1 2 3
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| Length | S-Num = CPERR | S-Type = BER | | Length | S-Num = CPERR | S-Type = BER |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| Error-Code | Error Sub-code | | Error-Code | Error Sub-code |
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
The class-specific provisioning error object has the same format The class-specific provisioning error object has the same format as
as the Error object in COPS [COPS], except with C-Num and C-Type the Error object in COPS [COPS], except with C-Num and C-Type
replaced by the S-Num and S-Type values shown. The class-specific replaced by the S-Num and S-Type values shown. The class-specific
error object is used to communicate errors relating to specific error object is used to communicate errors relating to specific PRCs
PRCs and MUST have an associated Error PRID Object. and MUST have an associated Error PRID Object.
The following Generic Class-Specific errors are defined: The following Generic Class-Specific errors are defined:
priSpaceExhausted(1) - no more instances may currently be priSpaceExhausted(1) - no more instances may currently be
installed in the given class. installed in the given class.
priInstanceInvalid(2) - the specified class instance is priInstanceInvalid(2) - the specified class instance is
currently invalid prohibiting currently invalid prohibiting
installation or removal. installation or removal.
attrValueInvalid(3) - the specified value for identified attrValueInvalid(3) - the specified value for identified
attribute is illegal. attribute is illegal.
attrValueSupLimited(4) - the specified value for the identified attrValueSupLimited(4) - the specified value for the identified
attribute is legal but not currently attribute is legal but not currently
supported by the device. supported by the device.
attrEnumSupLimited(5) - the specified enumeration for the attrEnumSupLimited(5) - the specified enumeration for the
identified attribute is legal but not identified attribute is legal but not
currently supported by the device. currently supported by the device.
attrMaxLengthExceeded(6) - the overall length of the specified attrMaxLengthExceeded(6) - the overall length of the specified
value for the identified attribute value for the identified attribute
exceeds device limitations. exceeds device limitations.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
attrReferenceUnknown(7) - the class instance specified by the attrReferenceUnknown(7) - the class instance specified by the
policy instance identifier does not policy instance identifier does not
exist. exist.
priNotifyOnly(8) - the class is currently only supported priNotifyOnly(8) - the class is currently only supported
for use by request or report messages for use by request or report messages
prohibiting decision installation. prohibiting decision installation.
unknownPrc(9) - attempt to install a PRI of a class not unknownPrc(9) - attempt to install a PRI of a class not
supported by PEP. supported by PEP.
tooFewAttrs(10) - recvd PRI has fewer attributes than tooFewAttrs(10) - recvd PRI has fewer attributes than
required. required.
skipping to change at page 23, line 18 skipping to change at page 23, line 4
exist. exist.
priNotifyOnly(8) - the class is currently only supported priNotifyOnly(8) - the class is currently only supported
for use by request or report messages for use by request or report messages
prohibiting decision installation. prohibiting decision installation.
unknownPrc(9) - attempt to install a PRI of a class not unknownPrc(9) - attempt to install a PRI of a class not
supported by PEP. supported by PEP.
tooFewAttrs(10) - recvd PRI has fewer attributes than tooFewAttrs(10) - recvd PRI has fewer attributes than
required. required.
invalidAttrType(11) - recvd PRI has an attribute of the wrong invalidAttrType(11) - recvd PRI has an attribute of the wrong
type. type.
deletedInRef(12) - deleted PRI is still referenced by deletedInRef(12) - deleted PRI is still referenced by
other (non) deleted PRIs other (non) deleted PRIs
priSpecificError(13) - the Error Sub-code field contains the priSpecificError(13) - the Error Sub-code field contains the
PRC specific error code PRC specific error code
Where appropriate (errors 3, 4, 5, 6, 7 above) the error sub-code Where appropriate (errors 3, 4, 5, 6, 7 above) the error sub-code
SHOULD identify the OID sub-identifier of the attribute SHOULD identify the OID sub-identifier of the attribute
associated with the error. associated with the error.
4.6. Error PRID Object (ErrorPRID) 4.6. Error PRID Object (ErrorPRID)
S-Num = 6 (ErrorPRID), S-Type = 1 (BER), Length = variable. S-Num = 6 (ErrorPRID), S-Type = 1 (BER), Length = variable.
This object is used to carry the identifier, or PRID, of a This object is used to carry the identifier, or PRID, of a
Provisioning Instance that caused an installation error or could Provisioning Instance that caused an installation error or could not
not be installed or removed. The identifier is encoded and be installed or removed. The identifier is encoded and formatted
formatted exactly as in the PRID object as described in section exactly as in the PRID object as described in section 4.1.
4.1.
5. COPS-PR Client-Specific Data Formats 5. COPS-PR Client-Specific Data Formats
This section describes the format of the named client specific This section describes the format of the named client specific
information for the COPS policy provisioning client. ClientSI information for the COPS policy provisioning client. ClientSI
formats are defined for Decision message's Named Decision Data formats are defined for Decision message's Named Decision Data
object, the Request message's Named ClientSI object and Report object, the Request message's Named ClientSI object and Report
message's Named ClientSI object. The actual content of the data is message's Named ClientSI object. The actual content of the data is
defined by the policy information base for a specific provisioning defined by the policy information base for a specific provisioning
client-type (see below). client-type (see below).
5.1. Named Decision Data 5.1. Named Decision Data
The formats encapsulated by the Named Decision Data object for the The formats encapsulated by the Named Decision Data object for the
policy provisioning client-types depends on the type of decision. policy provisioning client-types depends on the type of decision.
Install and Remove are the two types of decisions that dictate the Install and Remove are the two types of decisions that dictate the
internal format of the COPS Named Decision Data object and require internal format of the COPS Named Decision Data object and require
its presence. Install and Remove refer to the 'Install' and its presence. Install and Remove refer to the 'Install' and 'Remove'
'Remove' Command-Code, respectively, specified in the COPS Command-Code, respectively, specified in the COPS Decision Flags
Object when no Decision Flags are set. The data, in general, is
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 composed of one or more bindings. Each binding associates a PRID
Decision Flags Object when no Decision Flags are set. The data, in object and a EPD object. The PRID object is always present in both
general, is composed of one or more bindings. Each binding install and remove decisions, the EPD object MUST be present in the
associates a PRID object and a EPD object. The PRID object is case of an install decision and MUST NOT be present in the case of a
always present in both install and remove decisions, the EPD remove decision.
object MUST be present in the case of an install decision and MUST
NOT be present in the case of a remove decision.
The format for this data is encapsulated within the COPS Named The format for this data is encapsulated within the COPS Named
Decision Data object as follows: Decision Data object as follows:
<Named Decision Data> ::= <<Install Decision> | <Named Decision Data> ::= <<Install Decision> |
<Remove Decision>> <Remove Decision>>
<Install Decision> ::= *(<PRID> <EPD>) <Install Decision> ::= *(<PRID> <EPD>)
<Remove Decision> ::= *(<PRID>|<PPRID>) <Remove Decision> ::= *(<PRID>|<PPRID>)
Note that PRID objects in a Remove Decision may specify PRID Note that PRID objects in a Remove Decision may specify PRID prefix
prefix values. Explicit and implicit deletion of installed values. Explicit and implicit deletion of installed policies is
policies is supported by a client. Install Decision data MUST be supported by a client. Install Decision data MUST be explicit (i.e.,
explicit (i.e., PRID prefix values are illegal and MUST be PRID prefix values are illegal and MUST be rejected by a client).
rejected by a client).
5.2. ClientSI Request Data 5.2. ClientSI Request Data
The provisioning client request data will use same bindings as The provisioning client request data will use same bindings as
described above. The format for this data is encapsulated in the described above. The format for this data is encapsulated in the
COPS Named ClientSI object as follows: COPS Named ClientSI object as follows:
<Named ClientSI: Request> ::= <*(<PRID> <EPD>)> <Named ClientSI: Request> ::= <*(<PRID> <EPD>)>
5.3. Policy Provisioning Report Data 5.3. Policy Provisioning Report Data
The COPS Named ClientSI object is used in the RPT message in The COPS Named ClientSI object is used in the RPT message in
conjunction with the accompanying COPS Report Type object to conjunction with the accompanying COPS Report Type object to
encapsulate COPS-PR report information from the PEP to the PDP. encapsulate COPS-PR report information from the PEP to the PDP.
Report types can be 'Success' or 'Failure', indicating to the PDP Report types can be 'Success' or 'Failure', indicating to the PDP
that a particular set of provisioning policies has been either that a particular set of provisioning policies has been either
successfully or unsuccessfully installed/removed on the PEP, or successfully or unsuccessfully installed/removed on the PEP, or
'Accounting'. 'Accounting'.
5.3.1. Success and Failure Report-Type Data Format 5.3.1. Success and Failure Report-Type Data Format
Report-types can be 'Success' or 'Failure' indicating to the PDP
that a particular set of provisioning policies has been either
successfully or unsuccessfully installed/removed on the PEP. The
provisioning report data consists of the bindings described above
and global and specific error/warning information.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 Report-types can be 'Success' or 'Failure' indicating to the PDP that
Specific errors are associated with a particular instance. For a a particular set of provisioning policies has been either
'Success' Report-Type, a specific error is an indication of a successfully or unsuccessfully installed/removed on the PEP. The
warning related to a specific policy that has been installed, but provisioning report data consists of the bindings described above and
that is not fully implemented (e.g., its parameters have been global and specific error/warning information. Specific errors are
approximated) as identified by the ErrorPRID object. For a associated with a particular instance. For a 'Success' Report-Type,
'Failure' Report-Type, this is an error code specific to a a specific error is an indication of a warning related to a specific
binding, again, identified by the ErrorPRID object. Specific policy that has been installed, but that is not fully implemented
errors may also include regular <PRID><EPD> bindings to carry (e.g., its parameters have been approximated) as identified by the
additional information in a generic manner so that the specific ErrorPRID object. For a 'Failure' Report-Type, this is an error code
errors/warnings may be more verbosely described and associated specific to a binding, again, identified by the ErrorPRID object.
with the erroneous ErrorPRID object. Specific errors may also include regular <PRID><EPD> bindings to
carry additional information in a generic manner so that the specific
errors/warnings may be more verbosely described and associated with
the erroneous ErrorPRID object.
Global errors are not tied to a specific ErrorPRID. In a 'Success' Global errors are not tied to a specific ErrorPRID. In a 'Success'
RPT message, a global error is an indication of a general warning RPT message, a global error is an indication of a general warning at
at the PEP level (e.g., memory low). In a 'Failure' RPT message, the PEP level (e.g., memory low). In a 'Failure' RPT message, this
this is an indication of a general error at the PEP level (e.g., is an indication of a general error at the PEP level (e.g., memory
memory exhausted). exhausted).
In the case of a 'Failure' Report-Type the PEP MUST report at In the case of a 'Failure' Report-Type the PEP MUST report at least
least the first error and SHOULD report as many errors as the first error and SHOULD report as many errors as possible. In
possible. In this case the PEP MUST roll-back its configuration to this case the PEP MUST roll-back its configuration to the last good
the last good transaction before the erroneous Decision message transaction before the erroneous Decision message was received.
was received.
The format for this data is encapsulated in the COPS Named The format for this data is encapsulated in the COPS Named ClientSI
ClientSI object as follows: object as follows:
<Named ClientSI: Report> ::= <[<GPERR>] *(<report>)> <Named ClientSI: Report> ::= <[<GPERR>] *(<report>)>
<report> ::= <ErrorPRID> <CPERR> *(<PRID><EPD>) <report> ::= <ErrorPRID> <CPERR> *(<PRID><EPD>)
5.3.2. Accounting Report-Type Data Format 5.3.2. Accounting Report-Type Data Format
Additionally, reports can be used to carry accounting information Additionally, reports can be used to carry accounting information
when specifying the 'Accounting' Report-Type. This accounting report when specifying the 'Accounting' Report-Type. This accounting report
message will typically carry statistical or event information message will typically carry statistical or event information related
related to the installed configuration for use at the PDP. This to the installed configuration for use at the PDP. This information
information is encoded as one or more <PRID><EPD> bindings that is encoded as one or more <PRID><EPD> bindings that generally
generally describe the accounting information being reported from describe the accounting information being reported from the PEP to
the PEP to the PDP. the PDP.
The format for this data is encapsulated in the COPS Named ClientSI The format for this data is encapsulated in the COPS Named ClientSI
object as follows: object as follows:
<Named ClientSI: Report> ::= <*(<PRID><EPD>)> <Named ClientSI: Report> ::= <*(<PRID><EPD>)>
NOTE: RFC 2748 defines an optional Accounting-Timer (AcctTimer) NOTE: RFC 2748 defines an optional Accounting-Timer (AcctTimer)
object for use in the COPS Client-Accept message. Periodic object for use in the COPS Client-Accept message. Periodic
accounting reports for COPS-PR clients are also obligated to be accounting reports for COPS-PR clients are also obligated to be paced
paced by this timer. Periodic accounting reports SHOULD NOT be by this timer. Periodic accounting reports SHOULD NOT be generated
by the PEP more frequently than the period specified by the COPS
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 AcctTimer. Thus, the period between new accounting reports SHOULD be
generated by the PEP more frequently than the period specified by greater-than or equal-to the period specified (if specified) in the
the COPS AcctTimer. Thus, the period between new accounting AcctTimer. If no AcctTimer object is specified by the PDP, then
reports SHOULD be greater-than or equal-to the period specified there are no constraints imposed on the PEP's accounting interval.
(if specified) in the AcctTimer. If no AcctTimer object is
specified by the PDP, then there are no constraints imposed on the
PEP's accounting interval.
6. Common Operation 6. Common Operation
This section describes, in general, typical exchanges between a This section describes, in general, typical exchanges between a PDP
PDP and Policy Provisioning COPS client. and Policy Provisioning COPS client.
First, a TCP connection is established between the client and First, a TCP connection is established between the client and server
server and the PEP sends a Client-Open message specifying a COPS- and the PEP sends a Client-Open message specifying a COPS- PR
PR client-type (use of the ClientSI object within the Client-Open client-type (use of the ClientSI object within the Client-Open
message is currently undefined for COPS-PR clients). If the PDP message is currently undefined for COPS-PR clients). If the PDP
supports the specified provisioning client-type, the PDP responds supports the specified provisioning client-type, the PDP responds
with a Client-Accept (CAT) message. If the client-type is not with a Client-Accept (CAT) message. If the client-type is not
supported, a Client-Close (CC) message is returned by the PDP to supported, a Client-Close (CC) message is returned by the PDP to the
the PEP, possibly identifying an alternate server that is known to PEP, possibly identifying an alternate server that is known to
support the policy for the provisioning client-type specified. support the policy for the provisioning client-type specified.
After receiving the CAT message, the PEP can send requests to the After receiving the CAT message, the PEP can send requests to the
server. The REQ from a policy provisioning client contains a COPS server. The REQ from a policy provisioning client contains a COPS
'Configuration Request' context object and, optionally, any 'Configuration Request' context object and, optionally, any relevant
relevant named client specific information from the PEP. The named client specific information from the PEP. The information
information provided by the PEP should include available client provided by the PEP should include available client resources (e.g.,
resources (e.g., supported classes/attributes) and default policy supported classes/attributes) and default policy configuration
configuration information as well as incarnation data on existing information as well as incarnation data on existing policy. The
policy. The configuration request message from a provisioning configuration request message from a provisioning client serves two
client serves two purposes. First, it is a request to the PDP for purposes. First, it is a request to the PDP for any provisioning
any provisioning configuration data which the PDP may currently configuration data which the PDP may currently have that is suitable
have that is suitable for the PEP, such as access control filters, for the PEP, such as access control filters, etc., given the
etc., given the information the PEP specified in its REQ. Also, information the PEP specified in its REQ. Also, the configuration
the configuration request effectively opens a channel that will request effectively opens a channel that will allow the PDP to
allow the PDP to asynchronously send policy data to the PEP, as asynchronously send policy data to the PEP, as the PDP decides is
the PDP decides is necessary, as long as the PEP keeps its request necessary, as long as the PEP keeps its request state open (i.e., as
state open (ie. As long as the PEP does not send a DRQ with the long as the PEP does not send a DRQ with the request state's Client
request state's Client Handle). This asynchronous data may be new Handle). This asynchronous data may be new policy data or an update
policy data or an update to policy data sent previously. Any to policy data sent previously. Any relevant changes to the PEP's
relevant changes to the PEP's internal state can be communicated internal state can be communicated to the PDP by the PEP sending an
to the PDP by the PEP sending an updated REQ message. The PEP is updated REQ message. The PEP is free to send such updated REQ
free to send such updated REQ messages at any time after a CAT messages at any time after a CAT message to communicate changes in
message to communicate changes in its local state. its local state.
After the PEP sends a REQ, if the PDP has Policy Provisioning
policy configuration information for the client, that information
is returned to the client in a DEC message containing the Policy
Provisioning client policy data within the COPS Named Decision
Data object and specifying an "Install" Command-Code in the
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 After the PEP sends a REQ, if the PDP has Policy Provisioning policy
Decision Flags object. If no filters are defined, the DEC message configuration information for the client, that information is
will simply specify that there are no filters using the "NULL returned to the client in a DEC message containing the Policy
Decision" Command-Code in the Decision Flags object. As the PEP Provisioning client policy data within the COPS Named Decision Data
MUST specify a Client Handle in the request message, the PDP MUST object and specifying an "Install" Command-Code in the Decision Flags
process the Client Handle and copy it in the corresponding object. If no filters are defined, the DEC message will simply
decision message. A DEC message MUST be issued by the PDP with the specify that there are no filters using the "NULL Decision" Command-
Solicited Message Flag set in the COPS message header, regardless Code in the Decision Flags object. As the PEP MUST specify a Client
of whether or not the PDP has any configuration information for Handle in the request message, the PDP MUST process the Client Handle
the PEP at the time of the request. This is to prevent the PEP and copy it in the corresponding decision message. A DEC message
from timing out the REQ and deleting the Client Handle. MUST be issued by the PDP with the Solicited Message Flag set in the
COPS message header, regardless of whether or not the PDP has any
configuration information for the PEP at the time of the request.
This is to prevent the PEP from timing out the REQ and deleting the
Client Handle.
The PDP can then add new policy data or update/delete existing The PDP can then add new policy data or update/delete existing
configurations by sending subsequent unsolicited DEC message(s) to configurations by sending subsequent unsolicited DEC message(s) to
the PEP, with the same Client Handle. Previous configurations the PEP, with the same Client Handle. Previous configurations
installed on the PEP are updated by the PDP by simply re- installed on the PEP are updated by the PDP by simply re-installing
installing the same instance of configuration information again the same instance of configuration information again (effectively
(effectively overwriting the old data). The PEP is responsible for overwriting the old data). The PEP is responsible for removing the
removing the Client handle when it is no longer needed, for Client handle when it is no longer needed, for example when an
example when an interface goes down, and informing the PDP that interface goes down, and informing the PDP that the Client Handle is
the Client Handle is to be deleted via the COPS DRQ message. to be deleted via the COPS DRQ message.
For Policy Provisioning purposes, access state, and access
requests to the policy server can be initiated by other sources
besides the PEP. Examples of other sources include attached users
requesting network services via a web interface into a central
management application, or H.323 servers requesting resources on
behalf of a user for a video conferencing application. When such a
request is accepted, the edge device affected by the decision (the
point where the flow is to enter the network) needs to be informed
of the decision. Since the PEP in the edge device did not initiate
the request, the specifics of the request, e.g. flowspec, packet
filter, and PHB to apply, needs to be communicated to the PEP by
the PDP. This information is sent to the PEP using the Decision
message containing Policy Provisioning Named Decision Data objects
in the COPS Decision object as specified. Any updates to the state
information, for example in the case of a policy change or call
tear down, is communicated to the PEP by subsequent unsolicited
DEC messages containing the same Client Handle and the updated
Policy Provisioning request state. Updates can specify that policy
data is to be installed, deleted, or updated (re-installed).
PDPs may also command the PEP to open a new Request State or For Policy Provisioning purposes, access state, and access requests
delete an exiting one by issuing a decision with the Decision to the policy server can be initiated by other sources besides the
Flags object's Request-State flag set. If the command-code is PEP. Examples of other sources include attached users requesting
"install", then the PDP is commanding the PEP to create a new network services via a web interface into a central management
Request State, and therefore issue a new REQ message specifying a application, or H.323 servers requesting resources on behalf of a
new Client Handle or otherwise issue a "Failure" RPT specifying user for a video conferencing application. When such a request is
the appropriate error condition. Each request state represents an accepted, the edge device affected by the decision (the point where
independent and logically non-overlapping namespace, identified by the flow is to enter the network) needs to be informed of the
the Client Handle, on which transactions (a.k.a. configuration decision. Since the PEP in the edge device did not initiate the
request, the specifics of the request, e.g., flowspec, packet filter,
and PHB to apply, needs to be communicated to the PEP by the PDP.
This information is sent to the PEP using the Decision message
containing Policy Provisioning Named Decision Data objects in the
COPS Decision object as specified. Any updates to the state
information, for example in the case of a policy change or call tear
down, is communicated to the PEP by subsequent unsolicited DEC
messages containing the same Client Handle and the updated Policy
Provisioning request state. Updates can specify that policy data is
to be installed, deleted, or updated (re-installed).
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 PDPs may also command the PEP to open a new Request State or delete
installations, deletions, updates) may be performed. Other an exiting one by issuing a decision with the Decision Flags object's
existing Request States will be unaffected by the new request Request-State flag set. If the command-code is "install", then the
state as they are independent (thus, no instances of configuration PDP is commanding the PEP to create a new Request State, and
data within one Request State can be affected by DECs for another therefore issue a new REQ message specifying a new Client Handle or
Request State as identified by the Client Handle). If the command- otherwise issue a "Failure" RPT specifying the appropriate error
code is "Remove", then the PDP is commanding the PEP to delete the condition. Each request state represents an independent and
existing Request-State specified by the DEC message's Client logically non-overlapping namespace, identified by the Client Handle,
Handle, thereby causing the PEP to issue a DRQ message for this on which transactions (a.k.a., configuration installations,
Handle. deletions, updates) may be performed. Other existing Request States
will be unaffected by the new request state as they are independent
(thus, no instances of configuration data within one Request State
can be affected by DECs for another Request State as identified by
the Client Handle). If the command-code is "Remove", then the PDP is
commanding the PEP to delete the existing Request-State specified by
the DEC message's Client Handle, thereby causing the PEP to issue a
DRQ message for this Handle.
The PEP MUST acknowledge a DEC message and specify what action was The PEP MUST acknowledge a DEC message and specify what action was
taken by sending a RPT message with a "Success" or "Failure" taken by sending a RPT message with a "Success" or "Failure" Report-
Report-Type object with the Solicited Message Flag set in the COPS Type object with the Solicited Message Flag set in the COPS message
message header. This serves as an indication to the PDP that the header. This serves as an indication to the PDP that the requestor
requestor (e.g. H.323 server) can be notified whether the request (e.g., H.323 server) can be notified whether the request has been
has been accepted by the network or not. If the PEP needs to accepted by the network or not. If the PEP needs to reject the DEC
reject the DEC operation for any reason, a RPT message is sent operation for any reason, a RPT message is sent with a Report-Type
with a Report-Type with the value "Failure" and optionally a with the value "Failure" and optionally a Client Specific Information
Client Specific Information object specifying the policy data that object specifying the policy data that was rejected. Under such
was rejected. Under such solicited report failure conditions, the solicited report failure conditions, the PEP MUST always rollback to
PEP MUST always rollback to its previously installed (good) state its previously installed (good) state as if the DEC never occurred.
as if the DEC never occurred. The PDP is then free to modify its The PDP is then free to modify its decision and try again.
decision and try again.
The PEP can report to the PDP the current status of any installed The PEP can report to the PDP the current status of any installed
request state when appropriate. This information is sent in a request state when appropriate. This information is sent in a
Report-State (RPT) message with the "Accounting" flag set. The Report-State (RPT) message with the "Accounting" flag set. The
request state that is being reported is identified via the request state that is being reported is identified via the associated
associated Client Handle in the report message. Client Handle in the report message.
Finally, Client-Close (CC) messages are used to cancel the Finally, Client-Close (CC) messages are used to cancel the
corresponding Client-Open message. The CC message informs the corresponding Client-Open message. The CC message informs the other
other side that the client-type specified is no longer supported. side that the client-type specified is no longer supported.
7. Fault Tolerance 7. Fault Tolerance
When communication is lost between PEP and PDP, the PEP attempts When communication is lost between PEP and PDP, the PEP attempts to
to re-establish the TCP connection with the PDP it was last re-establish the TCP connection with the PDP it was last connected
connected to. If that server cannot be reached, then the PEP to. If that server cannot be reached, then the PEP attempts to
attempts to connect to a secondary PDP, assumed to be manually connect to a secondary PDP, assumed to be manually configured (or
configured (or otherwise known) at the PEP. otherwise known) at the PEP.
When a connection is finally re-established with a PDP, the PEP
sends a OPN message with a <LastPDPAddr> object providing the
address of the most recent PDP for which it is still caching
decisions. If no decisions are being cached on the PEP (due to
reboot or TTL timeout of state) the PEP MUST NOT include the last
PDP address information. Based on this object, the PDP may request
the PEP to re-synch its current state information (by issuing a
COPS SSQ message). If, after re-connecting, the PDP does not
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 When a connection is finally re-established with a PDP, the PEP sends
request synchronization, the client can assume the server a OPN message with a <LastPDPAddr> object providing the address of
recognizes it and the current state at the PEP is correct, so a the most recent PDP for which it is still caching decisions. If no
REQ message need not be sent. Still, any state changes which decisions are being cached on the PEP (due to reboot or TTL timeout
occurred at the PEP that the PEP could not communicate to the PDP of state) the PEP MUST NOT include the last PDP address information.
due to communication having been lost, MUST be reported to the PDP Based on this object, the PDP may request the PEP to re-synch its
via the PEP sending an updated REQ message. Whenever re- current state information (by issuing a COPS SSQ message). If, after
synchronization is requested, the PEP MUST reissue any REQ re-connecting, the PDP does not request synchronization, the client
messages for all known Request-States and the PDP MUST issue DEC can assume the server recognizes it and the current state at the PEP
messages to delete either individual PRIDs or prefixes as is correct, so a REQ message need not be sent. Still, any state
appropriate to ensure a consistent known state at the PEP. changes which occurred at the PEP that the PEP could not communicate
to the PDP due to communication having been lost, MUST be reported to
the PDP via the PEP sending an updated REQ message. Whenever re-
synchronization is requested, the PEP MUST reissue any REQ messages
for all known Request-States and the PDP MUST issue DEC messages to
delete either individual PRIDs or prefixes as appropriate to ensure a
consistent known state at the PEP.
While the PEP is disconnected from the PDP, the active request- While the PEP is disconnected from the PDP, the active request-state
state at the PEP is to be used for policy decisions. If the PEP at the PEP is to be used for policy decisions. If the PEP cannot
cannot re-connect in some pre-specified period of time, all re-connect in some pre-specified period of time, all installed
installed Request-States are to be deleted and their associated Request-States are to be deleted and their associated Handles
Handles removed. The same holds true for the PDP; upon detecting a removed. The same holds true for the PDP; upon detecting a failed
failed TCP connection, the time-out timer is started for all TCP connection, the time-out timer is started for all Request-States
Request-States associated with the PEP and these states are associated with the PEP and these states are removed after the
removed after the administratively specified period without a administratively specified period without a connection.
connection.
8. Security Considerations 8. Security Considerations
The use of COPS for Policy Provisioning introduces no new security The COPS protocol [COPS], from which this document derives, describes
issues over the base COPS protocol [COPS]. The security mechanisms the mandatory security mechanisms that MUST be supported by all COPS
described in that document will also be deployed in a COPS-PR implementations. These mandatory security mechanisms are used by the
environment. COPS protocol to transfer opaque information from PEP to PDP and vice
versa in an authenticated and secure manner. COPS for Policy
Provisioning simply defines a structure for this opaque information
already carried by the COPS protocol. As such, the security
mechanisms described for the COPS protocol will also be deployed in a
COPS-PR environment, thereby ensuring the integrity of the COPS-PR
information being communicated. Furthermore, in order to fully
describe a practical set of structured data for use with COPS-PR, a
PIB (Policy Information Base) will likely be written in a separate
document. The authors of such a PIB document need to be aware of the
security concerns associated with the specific data they have
defined. These concerns MUST be fully specified in the security
considerations section of the PIB document along with the required
security mechanisms for transporting this newly defined data.
9. IANA Considerations 9. IANA Considerations
COPS for Policy Provisioning follows the same IANA considerations COPS for Policy Provisioning follows the same IANA considerations for
for COPS objects as the base COPS protocol [COPS]. COPS-PR has COPS objects as the base COPS protocol [COPS]. COPS-PR has defined
defined one additional Decision Flag value of 0x02, extending the one additional Decision Flag value of 0x02, extending the COPS base
COPS base protocol only by this one value. protocol only by this one value. No new COPS Client- Types are
defined by this document.
COPS-PR also introduces a new encapsulated object number space in COPS-PR also introduces a new object number space with each object
its S-Num and S-Type. Additional S-Num and S-Types can only be being identified by its S-Num and S-Type value pair. These objects
added using the IETF Consensus rule as defined in [IANA]. This are encapsulated within the existing COPS Named ClientSI or Named
document defines the S-Num values 1-6 and S-Type = 1 (note that Decision Data objects [COPS] and, therefore, do not conflict with any
the S-Type value of 2 is reserved for transport of XML encoded assigned numbers in the COPS base protocol. Additional S-Num and S-
data). Likewise, additional Global Provisioning error codes for Type pairs can only be added to COPS-PR using the IETF Consensus rule
COPS-PR can only be added with IETF Consensus. as defined in [IANA]. These two numbers are always to be treated as
a pair, with one or more S-Types defined per each S-Num. This
document defines the S-Num values 1-6 and the S-Type 1 for each of
these six values (note that the S-Type value of 2 is reserved for
transport of XML encoded data). A listing of all the S-Num and S-
Type pairs defined by this document can be found in sections 4.1-4.6.
Likewise, additional Global Provisioning error codes and Class-
Specific Provisioning error codes defined for COPS-PR can only be
added with IETF Consensus. This document defines the Global
Provisioning error code values 1-11 in section 4.4 for the Global
Provisioning Error Object (GPERR). This document also defines the
Class-Specific error code values 1-13 in section 4.5 for the Class
Provisioning Error Object (CPERR).
10. Acknowledgements 10. Acknowledgements
This document has been developed with active involvement from a This document has been developed with active involvement from a
number of sources. The authors would specifically like to number of sources. The authors would specifically like to
acknowledge the valuable input given by Michael Fine, Scott Hahn, acknowledge the valuable input given by Michael Fine, Scott Hahn, and
and Carol Bell. Carol Bell.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
11. References 11. References
[COPS] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R., [COPS] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R. and
Sastry, A., "The COPS (Common Open Policy Service) A. Sastry, "The COPS (Common Open Policy Service)
Protocol", IETF RFC 2748, Proposed Standard, January 2000. Protocol", RFC 2748, January 2000.
[RAP] Yavatkar, R., et al., "A Framework for Policy Based [RAP] Yavatkar, R., Pendarakis, D. and R. Guerin, "A Framework
Admission Control", IETF RFC 2753, January 2000. for Policy Based Admission Control", RFC 2753, January
2000.
[COPRSVP] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R., [COPRSVP] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R. and
Sastry, A., "COPS usage for RSVP", IETF RFC 2749, Proposed A. Sastry, "COPS usage for RSVP", RFC 2749, January 2000.
Standard, January 2000.
[ASN1] Information processing systems - Open Systems [ASN1] Information processing systems - Open Systems
Interconnection, "Specification of Abstract Syntax Notation Interconnection, "Specification of Abstract Syntax Notation
One (ASN.1)", International Organization for One (ASN.1)", International Organization for
Standardization, International Standard 8824, December Standardization, International Standard 8824, December
1987. 1987.
[BER] Information processing systems - Open Systems [BER] Information processing systems - Open Systems
Interconnection - Specification of Basic Encoding Rules for Interconnection - Specification of Basic Encoding Rules for
Abstract Syntax Notation One (ASN.1), International Abstract Syntax Notation One (ASN.1), International
Organization for Standardization. International Standard Organization for Standardization. International Standard
8825, (December, 1987). 8825, (December, 1987).
[RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z. and
Weiss, W., "An Architecture for Differentiated Service," W. Weiss, "An Architecture for Differentiated Service," RFC
RFC 2475, December 1998. 2475, December 1998.
[SPPI] McCloghrie, K., Fine, M., Seligson, J., Chan, K., Hahn, S., [SPPI] McCloghrie, K., Fine, M., Seligson, J., Chan, K., Hahn, S.,
Sahita, R., Smith, A., Reichmeyer, F., "Structure of Policy Sahita, R., Smith, A. and F. Reichmeyer, "Structure of
Provisioning Information SPPI", Internet Draft, September Policy Provisioning Information SPPI", Work in Progress.
2000.
[V2SMI] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., [V2SMI] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M. and Waldbusser, S., "Structure of Management Rose, M. and S. Waldbusser, "Structure of Management
Information Version 2(SMIv2)", STD 58, RFC 2578, April Information Version 2(SMIv2)", STD 58, RFC 2578, April
1999. 1999.
[RFC2234] Crocker, D., Overell, P., " Augmented BNF for Syntax [RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997. Specifications: ABNF", RFC 2234, November 1997.
[IANA] Alvestrand, H. and Narten, T., "Guidelines for writing an [IANA] Alvestrand, H. and T. Narten, "Guidelines for writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434, IANA Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998. October 1998.
[URN] Moats, R., "Uniform Resource Names (URN) Syntax", RFC 2141, [URN] Moats, R., "Uniform Resource Names (URN) Syntax", RFC 2141,
May 1997. May 1997.
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00 [XML] World Wide Web Consortium (W3C), "Extensible Markup
[XML] World Wide Web Consortium (W3C), "Extensible Markup Language (XML)," W3C Recommendation, February, 1998,
Language (XML)," W3C Recommendation, February, 1998, http://www.w3.org/TR/1998/REC-xml-19980210.
http://www.w3.org/TR/1998/REC-xml-19980210.
12. Author Information 12. Authors' Addresses
Shai Herzog IPHighway Inc. Kwok Ho Chan
Phone: (201) 585-0800 Parker Plaza, 16th Floor Nortel Networks, Inc.
Email: Herzog@iphighway.com 400 Kelby St. 600 Technology Park Drive
Fort-Lee, NJ 07024 Billerica, MA 01821
Francis Reichmeyer PFN, Inc. Phone: (978) 288-8175
(617) 494 9980 University Park at MIT EMail: khchan@nortelnetworks.com
franr@pfn.com 26 Landsdowne Street
Cambridge, MA 02139
Kwok Ho Chan Nortel Networks, Inc. David Durham
Phone: (978) 288-8175 600 Technology Park Drive Intel
EMail: khchan@nortelnetworks.com Billerica, MA 01821 2111 NE 25th Avenue
Hillsboro, OR 97124
David Durham Intel Phone: (503) 264-6232
Phone: (503) 264-6232 2111 NE 25th Avenue Email: david.durham@intel.com
Email: david.durham@intel.com Hillsboro, OR 97124
Raj Yavatkar Silvano Gai
Phone: (503) 264-9077 Cisco Systems, Inc.
Email: raj.yavatkar@intel.com 170 Tasman Dr.
San Jose, CA 95134-1706
Silvano Gai Cisco Systems, Inc. Phone: (408) 527-2690
Phone: (408) 527-2690 170 Tasman Dr. EMail: sgai@cisco.com
Email: sgai@cisco.com San Jose, CA 95134-1706
Keith McCloghrie Shai Herzog
Phone: (408) 526-5260 IPHighway Inc.
Email: kzm@cisco.com 69 Milk Street, Suite 304
Westborough, MA 01581
Andrew Smith Phone: (914) 654-4810
415 345 1827 fax EMail: Herzog@iphighway.com
ah_smith@pacbell.net
John Seligson Nortel Networks, Inc. Keith McCloghrie
Phone: (408) 495-2992 4401 Great America Parkway
Email:jseligso@nortelnetworks.com Santa Clara, CA 95054
Internet Draft COPS Usage for Policy Provisioning 30-Oct-00
13. Full Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved. Phone: (408) 526-5260
EMail: kzm@cisco.com
Francis Reichmeyer
PFN, Inc.
University Park at MIT
26 Landsdowne Street
Cambridge, MA 02139
This document and translations of it may be copied and furnished to Phone: (617) 494 9980
others, and derivative works that comment on or otherwise explain it EMail: franr@pfn.com
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be John Seligson
revoked by the Internet Society or its successors or assigns. Nortel Networks, Inc.
4401 Great America Parkway
Santa Clara, CA 95054
This document and the information contained herein is provided on an Phone: (408) 495-2992
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING Email: jseligso@nortelnetworks.com
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION Raj Yavatkar
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Phone: (503) 264-9077
EMail: raj.yavatkar@intel.com
Andrew Smith
Allegro Networks
6399 San Ignacio Ave.
San Jose, CA 95119, USA
EMail: andrew@allegronetworks.com
13. Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
 End of changes. 177 change blocks. 
810 lines changed or deleted 720 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/