Network Working Group B. Moore Request for Comments: 3060 IBM Category: Standards Track E. Ellesson LongBoard, Inc. J. Strassner A. Westerinen Cisco Systems February 2001 Policy Core Information Model -- Version 1 Specification Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved.Abstract
This document presents the object-oriented information model for representing policy information developed jointly in the IETF Policy Framework WG and as extensions to the Common Information Model (CIM) activity in the Distributed Management Task Force (DMTF). This model defines two hierarchies of object classes: structural classes representing policy information and control of policies, and association classes that indicate how instances of the structural classes are related to each other. Subsequent documents will define mappings of this information model to various concrete implementations, for example, to a directory that uses LDAPv3 as its access protocol.Table of Contents
1. Introduction.................................................... 4 2. Modeling Policies............................................... 5 2.1. Policy Scope............................................... 8 2.2. Declarative versus Procedural Model........................ 8 3. Overview of the Policy Core Information Model.................. 10 4. Inheritance Hierarchies for the Policy Core Information Model.. 13 4.1. Implications of CIM Inheritance........................... 15 5. Details of the Model........................................... 15
5.1. Reusable versus Rule-Specific Conditions and Actions...... 15 5.2. Roles..................................................... 17 5.2.1. Roles and Role Combinations............................. 17 5.2.2. The PolicyRoles Property................................ 21 5.3. Local Time and UTC Time in PolicyTimePeriodConditions..... 21 5.4. CIM Data Types............................................ 23 5.5. Comparison between CIM and LDAP Class Specifications...... 24 6. Class Definitions.............................................. 25 6.1. The Abstract Class "Policy"............................... 25 6.1.1. The Property "CommonName (CN)".......................... 26 6.1.2. The Multi-valued Property "PolicyKeywords".............. 26 6.1.3. The Property "Caption" (Inherited from ManagedElement).. 27 6.1.4. The Property "Description" (Inherited from ManagedElement)......................................... 27 6.2. The Class "PolicyGroup"................................... 27 6.3. The Class "PolicyRule".................................... 29 6.3.1. The Property "Enabled".................................. 31 6.3.2. The Property "ConditionListType"........................ 31 6.3.3. The Property "RuleUsage"................................ 31 6.3.4. The Property "Priority"................................. 32 6.3.5. The Property "Mandatory"................................ 32 6.3.6. The Property "SequencedActions"......................... 33 6.3.7. The Multi-valued Property "PolicyRoles"................. 33 6.4. The Abstract Class "PolicyCondition"...................... 34 6.5. The Class "PolicyTimePeriodCondition"..................... 36 6.5.1. The Property "TimePeriod"............................... 38 6.5.2. The Property "MonthOfYearMask".......................... 39 6.5.3. The Property "DayOfMonthMask"........................... 39 6.5.4. The Property "DayOfWeekMask"............................ 40 6.5.5. The Property "TimeOfDayMask"............................ 41 6.5.6. The Property "LocalOrUtcTime"........................... 42 6.6. The Class "VendorPolicyCondition"......................... 42 6.6.1. The Multi-valued Property "Constraint".................. 43 6.6.2. The Property "ConstraintEncoding"....................... 43 6.7. The Abstract Class "PolicyAction"......................... 44 6.8. The Class "VendorPolicyAction"............................ 45 6.8.1. The Multi-valued Property "ActionData".................. 45 6.8.2. The Property "ActionEncoding"........................... 46 6.9. The Class "PolicyRepository".............................. 46 7. Association and Aggregation Definitions........................ 46 7.1. Associations.............................................. 47 7.2. Aggregations.............................................. 47 7.3. The Abstract Aggregation "PolicyComponent................. 47 7.4. The Aggregation "PolicyGroupInPolicyGroup"................ 47 7.4.1. The Reference "GroupComponent".......................... 48 7.4.2. The Reference "PartComponent"........................... 48 7.5. The Aggregation "PolicyRuleInPolicyGroup"................. 48 7.5.1. The Reference "GroupComponent".......................... 49
7.5.2. The Reference "PartComponent"........................... 49 7.6. The Aggregation "PolicyConditionInPolicyRule"............. 49 7.6.1. The Reference "GroupComponent".......................... 50 7.6.2. The Reference "PartComponent"........................... 50 7.6.3. The Property "GroupNumber".............................. 50 7.6.4. The Property "ConditionNegated"......................... 51 7.7. The Aggregation "PolicyRuleValidityPeriod"................ 51 7.7.1. The Reference "GroupComponent".......................... 52 7.7.2. The Reference "PartComponent"........................... 52 7.8. The Aggregation "PolicyActionInPolicyRule"................ 52 7.8.1. The Reference "GroupComponent".......................... 53 7.8.2. The Reference "PartComponent"........................... 53 7.8.3. The Property "ActionOrder".............................. 53 7.9. The Abstract Association "PolicyInSystem"................. 54 7.10. The Weak Association "PolicyGroupInSystem"............... 55 7.10.1. The Reference "Antecedent"............................. 55 7.10.2. The Reference "Dependent".............................. 55 7.11. The Weak Association "PolicyRuleInSystem"................ 56 7.11.1. The Reference "Antecedent"............................. 56 7.11.2. The Reference "Dependent".............................. 56 7.12. The Association "PolicyConditionInPolicyRepository"...... 56 7.12.1. The Reference "Antecedent"............................. 57 7.12.2. The Reference "Dependent".............................. 57 7.13. The Association "PolicyActionInPolicyRepository"......... 57 7.13.1. The Reference "Antecedent"............................. 58 7.13.2. The Reference "Dependent".............................. 58 7.14. The Aggregation "PolicyRepositoryInPolicyRepository"..... 58 7.14.1. The Reference "GroupComponent"......................... 58 7.14.2. The Reference "PartComponent".......................... 59 8. Intellectual Property.......................................... 59 9. Acknowledgements............................................... 59 10. Security Considerations....................................... 60 11. References.................................................... 62 12. Authors' Addresses............................................ 64 13. Appendix A: Class Identification in a Native CIM Implementation................................................ 65 13.1. Naming Instances of PolicyGroup and PolicyRule........... 65 13.1.1. PolicyGroup's CIM Keys................................. 65 13.1.2. PolicyRule's CIM Keys.................................. 66 13.2. Naming Instances of PolicyCondition and Its Subclasses... 67 13.2.1. PolicyCondition's CIM Keys............................. 69 13.3. Naming Instances of PolicyAction and Its Subclasses...... 71 13.4. Naming Instances of PolicyRepository..................... 72 13.5. Role of the CreationClassName Property in Naming......... 73 13.6. Object References........................................ 73 14. Appendix B: The Core Policy MOF.............................. 75 15. Full Copyright Statement..................................... 100
1. Introduction
This document presents the object-oriented information model for representing policy information currently under joint development in the IETF Policy Framework WG and as extensions to the Common Information Model (CIM) activity in the Distributed Management Task Force (DMTF). This model defines two hierarchies of object classes: structural classes representing policy information and control of policies, and association classes that indicate how instances of the structural classes are related to each other. Subsequent documents will define mappings of this information model to various concrete implementations, for example, to a directory that uses LDAPv3 as its access protocol. The components of the CIM schema are available via the following URL: http://www.dmtf.org/spec/cims.html [1]. The policy classes and associations defined in this model are sufficiently generic to allow them to represent policies related to anything. However, it is expected that their initial application in the IETF will be for representing policies related to QoS (DiffServ and IntServ) and to IPSec. Policy models for application-specific areas such as these may extend the Core Model in several ways. The preferred way is to use the PolicyGroup, PolicyRule, and PolicyTimePeriodCondition classes directly, as a foundation for representing and communicating policy information. Then, specific subclasses derived from PolicyCondition and PolicyAction can capture application-specific definitions of conditions and actions of policies. Two subclasses, VendorPolicyCondition and VendorPolicyAction, are also included in this document, to provide a standard extension mechanism for vendor-specific extensions to the Policy Core Information Model. This document fits into the overall framework for representing, deploying, and managing policies being developed by the Policy Framework Working Group. It traces its origins to work that was originally done for the Directory-enabled Networks (DEN) specification, reference [5]. Work on the DEN specification by the DEN Ad-Hoc Working Group itself has been completed. Further work to standardize the models contained in it will be the responsibility of selected working groups of the CIM effort in the Distributed Management Task Force (DMTF). DMTF standardization of the core policy model is the responsibility of the SLA Policy working group in the DMTF.
This document is organized in the following manner: o Section 2 provides a general overview of policies and how they are modeled. o Section 3 presents a high-level overview of the classes and associations comprising the Policy Core Information Model. o The remainder of the document presents the detailed specifications for each of the classes and associations. o Appendix A overviews naming for native CIM implementations. Other mappings, such as LDAPv3, will have their own naming mechanisms. o Appendix B reproduces the DMTF's Core Policy MOF specification. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119, reference [3].2. Modeling Policies
The classes comprising the Policy Core Information Model are intended to serve as an extensible class hierarchy (through specialization) for defining policy objects that enable application developers, network administrators, and policy administrators to represent policies of different types. One way to think of a policy-controlled network is to first model the network as a state machine and then use policy to control which state a policy-controlled device should be in or is allowed to be in at any given time. Given this approach, policy is applied using a set of policy rules. Each policy rule consists of a set of conditions and a set of actions. Policy rules may be aggregated into policy groups. These groups may be nested, to represent a hierarchy of policies. The set of conditions associated with a policy rule specifies when the policy rule is applicable. The set of conditions can be expressed as either an ORed set of ANDed sets of condition statements or an ANDed set of ORed sets of statements. Individual condition statements can also be negated. These combinations are termed, respectively, Disjunctive Normal Form (DNF) and Conjunctive Normal Form (CNF) for the conditions. If the set of conditions associated with a policy rule evaluates to TRUE, then a set of actions that either maintain the current state of the object or transition the object to a new state may be executed.
For the set of actions associated with a policy rule, it is possible to specify an order of execution, as well as an indication of whether the order is required or merely recommended. It is also possible to indicate that the order in which the actions are executed does not matter. Policy rules themselves can be prioritized. One common reason for doing this is to express an overall policy that has a general case with a few specific exceptions. For example, a general QoS policy rule might specify that traffic originating from members of the engineering group is to get Bronze Service. A second policy rule might express an exception: traffic originating from John, a specific member of the engineering group, is to get Gold Service. Since traffic originating from John satisfies the conditions of both policy rules, and since the actions associated with the two rules are incompatible, a priority needs to be established. By giving the second rule (the exception) a higher priority than the first rule (the general case), a policy administrator can get the desired effect: traffic originating from John gets Gold Service, and traffic originating from all the other members of the engineering group gets Bronze Service. Policies can either be used in a stand-alone fashion or aggregated into policy groups to perform more elaborate functions. Stand-alone policies are called policy rules. Policy groups are aggregations of policy rules, or aggregations of policy groups, but not both. Policy groups can model intricate interactions between objects that have complex interdependencies. Examples of this include a sophisticated user logon policy that sets up application access, security, and reconfigures network connections based on a combination of user identity, network location, logon method and time of day. A policy group represents a unit of reusability and manageability in that its management is handled by an identifiable group of administrators and its policy rules would be consistently applied Stand-alone policies are those that can be expressed in a simple statement. They can be represented effectively in schemata or MIBs. Examples of this are VLAN assignments, simple YES/NO QoS requests, and IP address allocations. A specific design goal of this model is to support both stand-alone and aggregated policies. Policy groups and rules can be classified by their purpose and intent. This classification is useful in querying or grouping policy rules. It indicates whether the policy is used to motivate when or how an action occurs, or to characterize services (that can then be used, for example, to bind clients to network services). Describing each of these concepts in more detail,
o Motivational Policies are solely targeted at whether or how a policy's goal is accomplished. Configuration and Usage Policies are specific kinds of Motivational Policies. Another example is the scheduling of file backup based on disk write activity from 8am to 3pm, M-F. o Configuration Policies define the default (or generic) setup of a managed entity (for example, a network service). Examples of Configuration Policies are the setup of a network forwarding service or a network-hosted print queue. o Installation Policies define what can and cannot be put on a system or component, as well as the configuration of the mechanisms that perform the install. Installation policies typically represent specific administrative permissions, and can also represent dependencies between different components (e.g., to complete the installation of component A, components B and C must be previously successfully installed or uninstalled). o Error and Event Policies. For example, if a device fails between 8am and 9pm, call the system administrator, otherwise call the Help Desk. o Usage Policies control the selection and configuration of entities based on specific "usage" data. Configuration Policies can be modified or simply re-applied by Usage Policies. Examples of Usage Policies include upgrading network forwarding services after a user is verified to be a member of a "gold" service group, or reconfiguring a printer to be able to handle the next job in its queue. o Security Policies deal with verifying that the client is actually who the client purports to be, permitting or denying access to resources, selecting and applying appropriate authentication mechanisms, and performing accounting and auditing of resources. o Service Policies characterize network and other services (not use them). For example, all wide-area backbone interfaces shall use a specific type of queuing. Service policies describe services available in the network. Usage policies describe the particular binding of a client of the network to services available in the network. These categories are represented in the Policy Core Information Model by special values defined for the PolicyKeywords property of the abstract class Policy.
2.1. Policy Scope
Policies represent business goals and objectives. A translation must be made between these goals and objectives and their realization in the network. An example of this could be a Service Level Agreement (SLA), and its objectives and metrics (Service Level Objectives, or SLOs), that are used to specify services that the network will provide for a given client. The SLA will usually be written in high-level business terminology. SLOs address more specific metrics in support of the SLA. These high-level descriptions of network services and metrics must be translated into lower-level, but also vendor-and device-independent specifications. The Policy Core Information Model classes are intended to serve as the foundation for these lower-level, vendor- and device-independent specifications. It is envisioned that the definition of the Policy Core Informational Model in this document is generic in nature and is applicable to Quality of Service (QoS), to non-QoS networking applications (e.g., DHCP and IPSec), and to non-networking applications (e.g., backup policies, auditing access, etc.).2.2. Declarative versus Procedural Model
The design of the Policy Core Information Model is influenced by a declarative, not procedural, approach. More formally, a declarative language is used to describe relational and functional languages. Declarative languages describe relationships between variables in terms of functions or inference rules, to which the interpreter or compiler can apply a fixed algorithm in order to produce a result. An imperative (or procedural) language specifies an explicit sequence of steps to follow in order to produce a result. It is important to note that this information model does not rule out the use of procedural languages. Rather, it recognizes that both declarative as well as procedural languages can be used to implement policy. This information model is better viewed as being declarative because the sequence of steps for doing the processing of declarative statements tends to be left to the implementer. However, we have provided the option of expressing the desired order of action execution in this policy information model, and for expressing whether the order is mandatory or not. In addition, rather than trying to define algorithms or sets of instructions or steps that must be followed by a policy rule, we instead define a set of modular building blocks and relationships that can be used in a declarative or procedural fashion to define policies.
Compare this to a strictly procedural model. Taking such an approach would require that we specify the condition testing sequence, and the action execution sequence, in the policy repository itself. This would, indeed, constrain the implementer. This is why the policy model is characterized as a declarative one. That is, the information model defines a set of attributes, and a set of entities that contain these attributes. However, it does NOT define either the algorithm to produce a result using the attributes or an explicit sequence of steps to produce a result. There are several design considerations and trade-offs to make in this respect. 1. On the one hand, we would like a policy definition language to be reasonably human-friendly for ease of definitions and diagnostics. On the other hand, given the diversity of devices (in terms of their processing capabilities) which could act as policy decision points, we would like to keep the language somewhat machine- friendly. That is, it should be relatively simple to automate the parsing and processing of the language in network elements. The approach taken is to provide a set of classes and attributes that can be combined in either a declarative or procedural approach to express policies that manage network elements and services. The key point is to avoid trying to standardize rules or sets of steps to be followed in defining a policy. These must be left up to an implementation. Interoperability is achieved by standardizing the building blocks that are used to represent policy data and information. 2. An important decision to make is the semantic style of the representation of the information. The declarative approach that we are describing falls short of being a "true" declarative model. Such a model would also specify the algorithms used to combine the information and policy rules to achieve particular behavior. We avoid specifying algorithms for the same reason that we avoid specifying sets of steps to be followed in a policy rule. However, the design of the information model more closely follows that of a declarative language, and may be easier to understand if such a conceptual model is used. This leads to our third point, acknowledging a lack of "completeness" and instead relying on presenting information that the policy processing entity will work with. 3. It is important to control the complexity of the specification, trading off richness of expression of data in the core information model for ease of implementation and use. It is important to acknowledge the collective lack of experience in the field
regarding policies to control and manage network services and hence avoid the temptation of aiming for "completeness". We should instead strive to facilitate definition of a set of common policies that customers require today (e.g., VPN and QoS) and allow migration paths towards supporting complex policies as customer needs and our understanding of these policies evolve with experience. Specifically, in the context of the declarative style language discussed above, it is important to avoid having full blown predicate calculus as the language, as it would render many important problems such as consistency checking and policy decision point algorithms intractable. It is useful to consider a reasonably constrained language from these perspectives. The Policy Core Information Model strikes a balance between complexity and lack of power by using the well understood logical concepts of Disjunctive Normal Form and Conjunctive Normal Form for combining simple policy conditions into more complex ones.