RFC 3318
Framework Policy Information Base
Pages: 70
Historic
Historic
Part 3 of 3 – Pages 50 to 70
frwkIpFilterProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..255)
STATUS current
DESCRIPTION
"The layer-4 protocol Id to match against the IPv4 protocol
number or the IPv6 Next-Header number in the packet. A value
of 255 means match all. Note the protocol number of 255 is
reserved by IANA, and Next-Header number of 0 is used in
IPv6."
DEFVAL { 255 }
::= { frwkIpFilterEntry 8 }
frwkIpFilterDstL4PortMin OBJECT-TYPE
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The minimum value that the packet's layer 4 destination
port number can have and match this filter. This value must
be equal to or lesser that the value specified for this
filter in frwkIpFilterDstL4PortMax.
COPS-PR error code 'attrValueInvalid' must be returned if
the frwkIpFilterSrcL4PortMin is greater than
frwkIpFilterSrcL4PortMax"
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084, error
codes section 4.5."
DEFVAL { 0 }
::= { frwkIpFilterEntry 9 }
frwkIpFilterDstL4PortMax OBJECT-TYPE
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The maximum value that the packet's layer 4 destination
port number can have and match this filter. This value must
be equal to or greater that the value specified for this
filter in frwkIpFilterDstL4PortMin.
COPS-PR error code 'attrValueInvalid' must be returned if
the frwkIpFilterDstL4PortMax is less than
frwkIpFilterDstL4PortMin"
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084, error
codes section 4.5."
DEFVAL { 65535 }
::= { frwkIpFilterEntry 10 }
frwkIpFilterSrcL4PortMin OBJECT-TYPE
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The minimum value that the packet's layer 4 source port
number can have and match this filter. This value must
be equal to or lesser that the value specified for this
filter in frwkIpFilterSrcL4PortMax.
COPS-PR error code 'attrValueInvalid' must be returned if
the frwkIpFilterSrcL4PortMin is greated than
frwkIpFilterSrcL4PortMax"
REFERENCE
"COPS Usage for Policy Provisioning. RFC 3084, error
codes section 4.5."
DEFVAL { 0 }
::= { frwkIpFilterEntry 11 }
frwkIpFilterSrcL4PortMax OBJECT-TYPE
SYNTAX InetPortNumber
STATUS current
DESCRIPTION
"The maximum value that the packet's layer 4 source port
number can have and match this filter. This value must be
equal to or greater that the value specified for this filter
in frwkIpFilterSrcL4PortMin.
COPS-PR error code 'attrValueInvalid' must be returned if
the frwkIpFilterSrcL4PortMax is less than
frwkIpFilterSrcL4PortMin"
REFERENCE
"COPS Usage for Policy Provisioning. RFC error codes
section 4.5."
DEFVAL { 65535 }
::= { frwkIpFilterEntry 12 }
--
-- The IEEE 802 Filter Table
--
frwk802FilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF Frwk802FilterEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"IEEE 802-based filter definitions. A class that contains
attributes of IEEE 802 (e.g., 802.3) traffic that form
filters that are used to perform traffic classification."
REFERENCE
"IEEE Standards for Local and Metropolitan Area Networks.
Overview and Architecture, ANSI/IEEE Std 802, 1990."
::= { frwkClassifierClasses 3 }
frwk802FilterEntry OBJECT-TYPE
SYNTAX Frwk802FilterEntry
STATUS current
DESCRIPTION
"IEEE 802-based filter definitions. An entry specifies
(potentially) several distinct matching components. Each
component is tested against the data in a frame
individually. An overall match occurs when all of the
individual components match the data they are compared
against in the frame being processed. A failure of any
one test causes the overall match to fail.
Wildcards may be specified for those fields that are not
relevant."
EXTENDS { frwkBaseFilterEntry }
UNIQUENESS { frwkBaseFilterNegation,
frwk802FilterDstAddr,
frwk802FilterDstAddrMask,
frwk802FilterSrcAddr,
frwk802FilterSrcAddrMask,
frwk802FilterVlanId,
frwk802FilterVlanTagRequired,
frwk802FilterEtherType,
frwk802FilterUserPriority }
::= { frwk802FilterTable 1 }
Frwk802FilterEntry ::= SEQUENCE {
frwk802FilterDstAddr PhysAddress,
frwk802FilterDstAddrMask PhysAddress,
frwk802FilterSrcAddr PhysAddress,
frwk802FilterSrcAddrMask PhysAddress,
frwk802FilterVlanId Integer32,
frwk802FilterVlanTagRequired INTEGER,
frwk802FilterEtherType Integer32,
frwk802FilterUserPriority BITS
}
frwk802FilterDstAddr OBJECT-TYPE
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"The 802 address against which the 802 DA of incoming
traffic streams will be compared. Frames whose 802 DA
matches the physical address specified by this object,
taking into account address wildcarding as specified by the
frwk802FilterDstAddrMask object, are potentially subject to
the processing guidelines that are associated with this
entry through the related action class."
REFERENCE
"Textual Conventions for SMIv2, RFC 2579."
::= { frwk802FilterEntry 1 }
frwk802FilterDstAddrMask OBJECT-TYPE
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"This object specifies the bits in a 802 destination address
that should be considered when performing a 802 DA
comparison against the address specified in the
frwk802FilterDstAddr object.
The value of this object represents a mask that is logically
and'ed with the 802 DA in received frames to derive the
value to be compared against the frwk802FilterDstAddr
address. A zero bit in the mask thus means that the
corresponding bit in the address always matches. The
frwk802FilterDstAddr value must also be masked using this
value prior to any comparisons.
The length of this object in octets must equal the length in
octets of the frwk802FilterDstAddr. Note that a mask with no
bits set (i.e., all zeroes) effectively wildcards the
frwk802FilterDstAddr object."
::= { frwk802FilterEntry 2 }
frwk802FilterSrcAddr OBJECT-TYPE
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"The 802 MAC address against which the 802 MAC SA of
incoming traffic streams will be compared. Frames whose 802
MAC SA matches the physical address specified by this
object, taking into account address wildcarding as specified
by the frwk802FilterSrcAddrMask object, are potentially
subject to the processing guidelines that are associated
with this entry through the related action class."
::= { frwk802FilterEntry 3 }
frwk802FilterSrcAddrMask OBJECT-TYPE
SYNTAX PhysAddress
STATUS current
DESCRIPTION
"This object specifies the bits in a 802 MAC source address
that should be considered when performing a 802 MAC SA
comparison against the address specified in the
frwk802FilterSrcAddr object.
The value of this object represents a mask that is logically
and'ed with the 802 MAC SA in received frames to derive the
value to be compared against the frwk802FilterSrcAddr
address. A zero bit in the mask thus means that the
corresponding bit in the address always matches. The
frwk802FilterSrcAddr value must also be masked using this
value prior to any comparisons.
The length of this object in octets must equal the length in
octets of the frwk802FilterSrcAddr. Note that a mask with no
bits set (i.e., all zeroes) effectively wildcards the
frwk802FilterSrcAddr object."
::= { frwk802FilterEntry 4 }
frwk802FilterVlanId OBJECT-TYPE
SYNTAX Integer32 (-1 | 1..4094)
STATUS current
DESCRIPTION
"The VLAN ID (VID) that uniquely identifies a VLAN
within the device. This VLAN may be known or unknown
(i.e., traffic associated with this VID has not yet
been seen by the device) at the time this entry
is instantiated.
Setting the frwk802FilterVlanId object to -1 indicates that
VLAN data should not be considered during traffic
classification."
::= { frwk802FilterEntry 5 }
frwk802FilterVlanTagRequired OBJECT-TYPE
SYNTAX INTEGER {
taggedOnly(1),
priorityTaggedPlus(2),
untaggedOnly(3),
ignoreTag(4)
}
STATUS current
DESCRIPTION
"This object indicates whether the presence of an
IEEE 802.1Q VLAN tag in data link layer frames must
be considered when determining if a given frame
matches this 802 filter entry.
A value of 'taggedOnly(1)' means that only frames
containing a VLAN tag with a non-Null VID (i.e., a
VID in the range 1..4094) will be considered a match.
A value of 'priorityTaggedPlus(2)' means that only
frames containing a VLAN tag, regardless of the value
of the VID, will be considered a match.
A value of 'untaggedOnly(3)' indicates that only
untagged frames will match this filter component.
The presence of a VLAN tag is not taken into
consideration in terms of a match if the value is
'ignoreTag(4)'."
::= { frwk802FilterEntry 6 }
frwk802FilterEtherType OBJECT-TYPE
SYNTAX Integer32 (-1 | 0..'ffff'h)
STATUS current
DESCRIPTION
"This object specifies the value that will be compared
against the value contained in the EtherType field of an
IEEE 802 frame. Example settings would include 'IP'
(0x0800), 'ARP' (0x0806) and 'IPX' (0x8137).
Setting the frwk802FilterEtherTypeMin object to -1 indicates
that EtherType data should not be considered during traffic
classification.
Note that the position of the EtherType field depends on
the underlying frame format. For Ethernet-II encapsulation,
the EtherType field follows the 802 MAC source address. For
802.2 LLC/SNAP encapsulation, the EtherType value follows
the Organization Code field in the 802.2 SNAP header. The
value that is tested with regard to this filter component
therefore depends on the data link layer frame format being
used. If this 802 filter component is active when there is
no EtherType field in a frame (e.g., 802.2 LLC), a match is
implied."
::= { frwk802FilterEntry 7 }
frwk802FilterUserPriority OBJECT-TYPE
SYNTAX BITS {
matchPriority0(0),
matchPriority1(1),
matchPriority2(2),
matchPriority3(3),
matchPriority4(4),
matchPriority5(5),
matchPriority6(6),
matchPriority7(7)
}
STATUS current
DESCRIPTION
"The set of values, representing the potential range
of user priority values, against which the value contained
in the user priority field of a tagged 802.1 frame is
compared. A test for equality is performed when determining
if a match exists between the data in a data link layer
frame and the value of this 802 filter component. Multiple
values may be set at one time such that potentially several
different user priority values may match this 802 filter
component.
Setting all of the bits that are associated with this
object causes all user priority values to match this
attribute. This essentially makes any comparisons
with regard to user priority values unnecessary. Untagged
frames are treated as an implicit match."
::= { frwk802FilterEntry 8 }
--
-- The Internal label filter extension
--
frwkILabelFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkILabelFilterEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"Internal label filter Table. This PRC is used to achieve
classification based on the internal flow label set by the
PEP possibly after ingress classification to avoid
re-classification at the egress interface on the same PEP."
::= { frwkClassifierClasses 4 }
frwkILabelFilterEntry OBJECT-TYPE
SYNTAX FrwkILabelFilterEntry
STATUS current
DESCRIPTION
"Internal label filter entry definition."
EXTENDS { frwkBaseFilterEntry }
UNIQUENESS { frwkBaseFilterNegation,
frwkILabelFilterILabel }
::= { frwkILabelFilterTable 1 }
FrwkILabelFilterEntry ::= SEQUENCE {
frwkILabelFilterILabel OCTET STRING
}
frwkILabelFilterILabel OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"The Label that this flow uses for differentiating traffic
flows. The flow labeling is meant for network device
internal usage. A value of zero length string matches all
internal labels."
::= { frwkILabelFilterEntry 1 }
--
-- The Marker classes group
--
frwkMarkerClasses
OBJECT IDENTIFIER ::= { frameworkPib 4 }
--
-- The 802 Marker Table
--
frwk802MarkerTable OBJECT-TYPE
SYNTAX SEQUENCE OF Frwk802MarkerEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"The 802 Marker class. An 802 packet can be marked with the
specified VLAN id, priority level."
::= { frwkMarkerClasses 1 }
frwk802MarkerEntry OBJECT-TYPE
SYNTAX Frwk802MarkerEntry
STATUS current
DESCRIPTION
"frwk802Marker entry definition."
PIB-INDEX { frwk802MarkerPrid }
UNIQUENESS { frwk802MarkerVlanId,
frwk802MarkerPriority }
::= { frwk802MarkerTable 1 }
Frwk802MarkerEntry::= SEQUENCE {
frwk802MarkerPrid InstanceId,
frwk802MarkerVlanId Unsigned32,
frwk802MarkerPriority Unsigned32
}
frwk802MarkerPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify this 802 Marker."
::= { frwk802MarkerEntry 1 }
frwk802MarkerVlanId OBJECT-TYPE
SYNTAX Unsigned32 (1..4094)
STATUS current
DESCRIPTION
"The VLAN ID (VID) that uniquely identifies a VLAN within
the device."
::= { frwk802MarkerEntry 2 }
frwk802MarkerPriority OBJECT-TYPE
SYNTAX Unsigned32 (0..7)
STATUS current
DESCRIPTION
"The user priority field of a tagged 802.1 frame."
::= { frwk802MarkerEntry 3 }
--
-- The Internal Label Marker Table
--
frwkILabelMarkerTable OBJECT-TYPE
SYNTAX SEQUENCE OF FrwkILabelMarkerEntry
PIB-ACCESS install
STATUS current
DESCRIPTION
"The Internal Label Marker class. A flow in a PEP can be
marked with an internal label using this PRC."
::= { frwkMarkerClasses 2 }
frwkILabelMarkerEntry OBJECT-TYPE
SYNTAX FrwkILabelMarkerEntry
STATUS current
DESCRIPTION
"frwkILabelkMarker entry definition."
PIB-INDEX { frwkILabelMarkerPrid }
UNIQUENESS { frwkILabelMarkerILabel }
::= { frwkILabelMarkerTable 1 }
FrwkILabelMarkerEntry::= SEQUENCE {
frwkILabelMarkerPrid InstanceId,
frwkILabelMarkerILabel OCTET STRING
}
frwkILabelMarkerPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An integer index to uniquely identify this Label Marker."
::= { frwkILabelMarkerEntry 1 }
frwkILabelMarkerILabel OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This internal label is implementation specific and may be
used for other policy related functions like flow
accounting purposes and/or other data path treatments."
::= { frwkILabelMarkerEntry 2 }
--
-- Conformance Section
--
frwkBasePibConformance
OBJECT IDENTIFIER ::= { frameworkPib 5 }
frwkBasePibCompliances
OBJECT IDENTIFIER ::= { frwkBasePibConformance 1 }
frwkBasePibGroups
OBJECT IDENTIFIER ::= { frwkBasePibConformance 2 }
frwkBasePibCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Describes the requirements for conformance to the
Framework PIB."
MODULE -- this module
MANDATORY-GROUPS { frwkPrcSupportGroup,
frwkPibIncarnationGroup,
frwkDeviceIdGroup,
frwkCompLimitsGroup,
frwkCapabilitySetGroup,
frwkRoleComboGroup,
frwkIfRoleComboGroup }
OBJECT frwkPibIncarnationLongevity
PIB-MIN-ACCESS notify
DESCRIPTION
"Install support is required if policy expiration is to
be supported."
OBJECT frwkPibIncarnationTtl
PIB-MIN-ACCESS notify
DESCRIPTION
"Install support is required if policy expiration is to
be supported."
OBJECT frwkPibIncarnationInCtxtSet
PIB-MIN-ACCESS notify
DESCRIPTION
"Install support is required if configuration contexts
and outsourcing contexts are both to be supported."
OBJECT frwkPibIncarnationFullState
PIB-MIN-ACCESS notify
DESCRIPTION
"Install support is required if incremental updates to
request states is to be supported."
GROUP frwkReferenceGroup
DESCRIPTION
"The frwkReferenceGroup is mandatory if referencing
across PIB contexts for specific client-types is to be
supported."
GROUP frwkErrorGroup
DESCRIPTION
"The frwkErrorGroup is mandatory sending errors in
decisions is to be supported."
GROUP frwkBaseFilterGroup
DESCRIPTION
"The frwkBaseFilterGroup is mandatory if filtering
based on traffic components is to be supported."
GROUP frwkIpFilterGroup
DESCRIPTION
"The frwkIpFilterGroup is mandatory if filtering
based on IP traffic components is to be supported."
GROUP frwk802FilterGroup
DESCRIPTION
"The frwk802FilterGroup is mandatory if filtering
based on 802 traffic criteria is to be supported."
GROUP frwkILabelFilterGroup
DESCRIPTION
"The frwkILabelFilterGroup is mandatory if filtering
based on PEP internal label is to be supported."
GROUP frwk802MarkerGroup
DESCRIPTION
"The frwk802MarkerGroup is mandatory if marking a packet
with 802 traffic criteria is to be supported."
GROUP frwkILabelMarkerGroup
DESCRIPTION
"The frwkILabelMarkerGroup is mandatory if marking a
flow with internal labels is to be supported."
::= { frwkBasePibCompliances 1 }
frwkPrcSupportGroup OBJECT-GROUP
OBJECTS {
frwkPrcSupportPrid,
frwkPrcSupportSupportedPrc,
frwkPrcSupportSupportedAttrs }
STATUS current
DESCRIPTION
"Objects from the frwkPrcSupportTable."
::= { frwkBasePibGroups 1 }
frwkPibIncarnationGroup OBJECT-GROUP
OBJECTS {
frwkPibIncarnationPrid,
frwkPibIncarnationName,
frwkPibIncarnationId,
frwkPibIncarnationLongevity,
frwkPibIncarnationTtl,
frwkPibIncarnationInCtxtSet,
frwkPibIncarnationActive,
frwkPibIncarnationFullState
}
STATUS current
DESCRIPTION
"Objects from the frwkDevicePibIncarnationTable."
::= { frwkBasePibGroups 2 }
frwkDeviceIdGroup OBJECT-GROUP
OBJECTS {
frwkDeviceIdPrid,
frwkDeviceIdDescr,
frwkDeviceIdMaxMsg,
frwkDeviceIdMaxContexts }
STATUS current
DESCRIPTION
"Objects from the frwkDeviceIdTable."
::= { frwkBasePibGroups 3 }
frwkCompLimitsGroup OBJECT-GROUP
OBJECTS {
frwkCompLimitsPrid,
frwkCompLimitsComponent,
frwkCompLimitsAttrPos,
frwkCompLimitsNegation,
frwkCompLimitsType,
frwkCompLimitsSubType,
frwkCompLimitsGuidance }
STATUS current
DESCRIPTION
"Objects from the frwkCompLimitsTable."
::= { frwkBasePibGroups 4 }
frwkReferenceGroup OBJECT-GROUP
OBJECTS {
frwkReferencePrid,
frwkReferenceClientType,
frwkReferenceClientHandle,
frwkReferenceInstance }
STATUS current
DESCRIPTION
"Objects from the frwkReferenceTable."
::= { frwkBasePibGroups 5 }
frwkErrorGroup OBJECT-GROUP
OBJECTS {
frwkErrorPrid,
frwkErrorCode,
frwkErrorSubCode,
frwkErrorPrc,
frwkErrorInstance }
STATUS current
DESCRIPTION
"Objects from the frwkErrorTable."
::= { frwkBasePibGroups 6 }
frwkCapabilitySetGroup OBJECT-GROUP
OBJECTS {
frwkCapabilitySetPrid,
frwkCapabilitySetName,
frwkCapabilitySetCapability }
STATUS current
DESCRIPTION
"Objects from the frwkCapabilitySetTable."
::= { frwkBasePibGroups 7 }
frwkRoleComboGroup OBJECT-GROUP
OBJECTS {
frwkRoleComboPrid,
frwkRoleComboRoles,
frwkRoleComboCapSetName }
STATUS current
DESCRIPTION
"Objects from the frwkRoleComboTable."
::= { frwkBasePibGroups 8 }
frwkIfRoleComboGroup OBJECT-GROUP
OBJECTS { frwkIfRoleComboIfIndex }
STATUS current
DESCRIPTION
"Objects from the frwkIfRoleComboTable."
::= { frwkBasePibGroups 9 }
frwkBaseFilterGroup OBJECT-GROUP
OBJECTS {
frwkBaseFilterPrid,
frwkBaseFilterNegation }
STATUS current
DESCRIPTION
"Objects from the frwkBaseFilterTable."
::= { frwkBasePibGroups 10 }
frwkIpFilterGroup OBJECT-GROUP
OBJECTS {
frwkIpFilterAddrType,
frwkIpFilterDstAddr,
frwkIpFilterDstPrefixLength,
frwkIpFilterSrcAddr,
frwkIpFilterSrcPrefixLength,
frwkIpFilterDscp,
frwkIpFilterFlowId,
frwkIpFilterProtocol,
frwkIpFilterDstL4PortMin,
frwkIpFilterDstL4PortMax,
frwkIpFilterSrcL4PortMin,
frwkIpFilterSrcL4PortMax }
STATUS current
DESCRIPTION
"Objects from the frwkIpFilterTable."
::= { frwkBasePibGroups 11 }
frwk802FilterGroup OBJECT-GROUP
OBJECTS {
frwk802FilterDstAddr,
frwk802FilterDstAddrMask,
frwk802FilterSrcAddr,
frwk802FilterSrcAddrMask,
frwk802FilterVlanId,
frwk802FilterVlanTagRequired,
frwk802FilterEtherType,
frwk802FilterUserPriority }
STATUS current
DESCRIPTION
"Objects from the frwk802FilterTable."
::= { frwkBasePibGroups 12 }
frwkILabelFilterGroup OBJECT-GROUP
OBJECTS { frwkILabelFilterILabel }
STATUS current
DESCRIPTION
"Objects from the frwkILabelFilterTable."
::= { frwkBasePibGroups 13 }
frwk802MarkerGroup OBJECT-GROUP
OBJECTS {
frwk802MarkerPrid,
frwk802MarkerVlanId,
frwk802MarkerPriority }
STATUS current
DESCRIPTION
"Objects from the frwk802MarkerTable."
::= { frwkBasePibGroups 14 }
frwkILabelMarkerGroup OBJECT-GROUP
OBJECTS {
frwkILabelMarkerPrid,
frwkILabelMarkerILabel }
STATUS current
DESCRIPTION
"Objects from the frwkILabelMarkerTable."
::= { frwkBasePibGroups 15 }
END
6. Security Considerations
It is clear that this PIB is used for configuration using [COPS-PR], and anything that can be configured can be misconfigured, with a potentially disastrous effect. At this writing, no security holes have been identified beyond those that the COPS base protocol security is itself intended to address. These relate primarily to controlled access to sensitive information and the ability to configure a device - or which might result from operator error, which is beyond the scope of any security architecture. There are a number of PRovisioning Classes defined in this PIB that have a PIB-ACCESS clause of install and install-notify (read-create). These are: frwkPibIncarnationTable: Malicious access of this PRC can cause the PEP to use an incorrect context of policies. frwkReferenceTable: Malicious access of this PRC can cause the PEP to interpret the installed policy in an incorrect manner. frwkErrorTable: Malicious access of this PRC can cause the PEP to incorrectly assume that the PDP could not process its messages. FrwkCapabilitySetTable, frwkRoleComboTable and frwkIfRoleComboTable: Malicious access of these PRCs can cause the PEP to apply policies to the wrong interfaces. FrwkBaseFilterTable, frwkIpFilterTable, frwk802FilterTable and frwkILabelFilterTable: Malicious access of these PRCs can cause unintended classification of traffic on the PEP potentially leading to incorrect policies being applied. frwk802MarkerTable, frwkILabelMarkerTable: Malicious access of these PRCs can cause unintended marking of traffic on the PEP potentially leading to incorrect policies being applied. Such objects may be considered sensitive or vulnerable in some network environments. The support for "Install" or "Install-Notify" decisions sent over [COPS-PR] in a non-secure environment without proper protection can have a negative effect on network operations. There are a number of PRovisioning Classes in this PIB that may contain information that may be sensitive from a business perspective, in that they may represent a customer's service contract or the filters that the service provider chooses to apply to a customer's ingress or egress traffic. There are no PRCs that are sensitive in their own right, such as passwords or monetary amounts. It may be important to control even "Notify"(read-only) access to
these PRCs and possibly to even encrypt the values of these PRIs when sending them over the network via COPS-PR. The use of IPSEC between the PDP and the PEP, as described in [COPS], provides the necessary protection against security threats. However, even if the network itself is secure, there is no control as to who on the secure network is allowed to "Install/Notify" (read/change/create/delete) the PRIs in this PIB. It is then a customer/user responsibility to ensure that the PEP/PDP giving access to an instance of this PIB, is properly configured to give access to only the PRIs and principals (users) that have legitimate rights to indeed "Install" or "Notify" (change/create/ delete) them.7. IANA Considerations
This document describes the frameworkPib and frwkTcPib Policy Information Base (PIB) modules for registration under the "pib" branch registered with IANA. The IANA has assigned PIB numbers 2 and 3, respectively. Both these PIBs use "all" in the SUBJECT-CATEGORIES clause, i.e., they apply to all COPS client types. No new COPS client type is to be registered for these two PIB modules.8. References
8.1 Normative References
[COPS] Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan, R. and A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000. [COPS-PR] Chan, K., Durham, D., Gai, S., Herzog, S., McCloghrie, K., Reichmeyer, Seligson, J., Smith, A. and R. Yavatkar, "COPS Usage for Policy Provisioning", RFC 3084, March 2001. [SPPI] McCloghrie, K., Fine, M., Seligson, J., Chan, K., Hahn, S., Sahita, R., Smith, A. and F. Reichmeyer, "Structure of Policy Provisioning Information", RFC 3159, August 2001. [SNMP-SMI] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[INETADDR] Daniele, M., Haberman, B., Routhier, S. and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 3291, May 2002. [802] IEEE Standards for Local and Metropolitan Area Networks: Overview and Architecture, ANSI/IEEE Std 802, 1990. [SNMPFRWK] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002. [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000. [DS-MIB] Baker, F., Chan, K. and A. Smith, "Management Information Base for the Differentiated Services Architecture", RFC 3289, May 2002. [SNMPv2TC] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2279] Yergeau, F. "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998. [RFC2119] Bradner, S., "Key words to use in the RFCs", BCP 14, RFC 2119, March 1997.8.2 Informative References
[RAP-FRAMEWORK] Yavatkar, R and D. Pendarakis, "A Framework for Policy-based Admission Control", RFC 2753, January 2000. [POLTERM] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J. and S. Waldbusser, "Terminology for Policy-Based Management", RFC 3198, November 2001.9. Acknowledgments
Early versions of this specification were also co-authored by Michael Fine, Francis Reichmeyer, John Seligson and Andrew Smith.
Special thanks to Carol Bell, David Durham and Bert Wijnen for their many significant comments. Additional useful comments have been made by Diana Rawlins, Martin Bokaemper, Tina Iliff, Pedro Da Silva, Juergen Schoenwaelder, Noisette Yoann and Man Li.10. Authors' Addresses
Ravi Sahita Intel Labs. 2111 NE 25th Avenue Hillsboro, OR 97124 USA Phone: +1 503 712 1554 EMail: ravi.sahita@intel.com Scott Hahn Intel Corp. 2111 NE 25th Avenue Hillsboro, OR 97124 USA Phone: +1 503 264 8231 EMail: scott.hahn@intel.com Kwok Ho Chan Nortel Networks, Inc. 600 Technology Park Drive Billerica, MA 01821 USA Phone: +1 978 288 8175 EMail: khchan@nortelnetworks.com Keith McCloghrie Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA Phone: +1 408 526 5260 EMail: kzm@cisco.com
11. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.