
RFC 3460

Policy Core Information Model (PCIM) Extensions

Pages: 93
Proposed Standard
Updates:  3060
Part 3 of 4 – Pages 44 to 75

RFC3460 - Page 44

6. Class Definitions

The following definitions supplement those in PCIM itself. PCIM definitions that are not DEPRECATED here are still current parts of the overall Policy Core Information Model.

6.1. The Abstract Class "PolicySet"

   PolicySet is an abstract class that may group policies into a
   structured set of policies.

   NAME             PolicySet
   DESCRIPTION      An abstract class that represents a set of policies
                    that form a coherent set.  The set of contained
                    policies has a common decision strategy and a common
                    set of policy roles.  Subclasses include PolicyGroup
                    and PolicyRule.
   DERIVED FROM     Policy
   ABSTRACT         TRUE
   PROPERTIES       PolicyDecisionStrategy
                    PolicyRoles

   The PolicyDecisionStrategy property specifies the evaluation method
   for policy groups and rules contained within the policy set.

   NAME             PolicyDecisionStrategy
   DESCRIPTION      The evaluation method used for policies contained in
                    the PolicySet.  FirstMatching enforces the actions of
                    the first rule that evaluates to TRUE; AllMatching
                    enforces the actions of all rules that evaluate to
                    TRUE.
   SYNTAX           uint16
   VALUES           1 [FirstMatching], 2 [AllMatching]
   DEFAULT VALUE    1 [FirstMatching]

   The definition of PolicyRoles is unchanged from PCIM.  It is, however,
   moved from the class Policy up to the superclass PolicySet.
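As an added illustration (not code from the RFC), the following Python evaluates one set of rules under both PolicyDecisionStrategy values so the difference between FirstMatching and AllMatching is visible; the rules, flow fields and action names are constructed for the example and are not PCIMe classes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# PolicyDecisionStrategy values from the PolicySet definition
FIRST_MATCHING = 1
ALL_MATCHING = 2


@dataclass
class PolicyRule:
    name: str
    condition: Callable[[Dict[str, object]], bool]  # TRUE when the rule applies to the flow
    actions: List[str]                               # actions enforced when it does
    enabled: bool = True                             # PolicyRule.Enabled


@dataclass
class PolicySet:
    decision_strategy: int = FIRST_MATCHING          # DEFAULT VALUE 1 [FirstMatching]
    rules: List[PolicyRule] = field(default_factory=list)


def evaluate_policy_set(pset: PolicySet, flow: Dict[str, object]) -> List[str]:
    """Return the actions enforced for `flow` under the set's decision strategy.

    FirstMatching (1): only the first enabled rule whose condition is TRUE
    contributes its actions.  AllMatching (2): every enabled rule whose
    condition is TRUE contributes, in the order the rules appear.
    """
    if pset.decision_strategy not in (FIRST_MATCHING, ALL_MATCHING):
        raise ValueError(f"unknown PolicyDecisionStrategy {pset.decision_strategy}")
    enforced: List[str] = []
    for rule in pset.rules:
        if not rule.enabled or not rule.condition(flow):
            continue
        enforced.extend(rule.actions)
        if pset.decision_strategy == FIRST_MATCHING:
            break
    return enforced


def sample_rules() -> List[PolicyRule]:
    # Constructed sample rules; the action names are placeholders, not PCIMe classes.
    return [
        PolicyRule("deny-telnet", lambda f: f["dst_port"] == 23, ["discard"]),
        PolicyRule("mark-internal", lambda f: str(f["src"]).startswith("10."), ["set-dscp-10"]),
        PolicyRule("disabled-audit", lambda f: True, ["audit"], enabled=False),  # never applies
        PolicyRule("default", lambda f: True, ["forward"]),
    ]


def decisions_for(flow: Dict[str, object]) -> Dict[str, List[str]]:
    """Evaluate the same rules under both strategies so the difference is visible."""
    return {
        "FirstMatching": evaluate_policy_set(PolicySet(FIRST_MATCHING, sample_rules()), flow),
        "AllMatching": evaluate_policy_set(PolicySet(ALL_MATCHING, sample_rules()), flow),
    }
```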

6.2. Update PCIM's Class "PolicyGroup"

   The PolicyGroup class is moved, so that it is now derived from
   PolicySet.

   NAME             PolicyGroup
   DESCRIPTION      A container for a set of related PolicyRules and
                    PolicyGroups.
   DERIVED FROM     PolicySet
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.3. Update PCIM's Class "PolicyRule"

   The PolicyRule class is moved, so that it is now derived from
   PolicySet.  The Priority property is also deprecated in PolicyRule,
   and PolicyRoles is now inherited from the parent class PolicySet.
   Finally, a new property ExecutionStrategy is introduced, paralleling
   the property of the same name in the class CompoundPolicyAction.

   NAME             PolicyRule
   DESCRIPTION      The central class for representing the "If Condition
                    then Action" semantics associated with a policy rule.
   DERIVED FROM     PolicySet
   ABSTRACT         FALSE
   PROPERTIES       Enabled
                    ConditionListType
                    RuleUsage
                    Priority DEPRECATED FOR PolicySetComponent.Priority
                       AND FOR PolicySetInSystem.Priority
                    Mandatory
                    SequencedActions
                    ExecutionStrategy

   The property ExecutionStrategy defines the execution strategy to be
   used upon the sequenced actions aggregated by this PolicyRule.  (An
   equivalent ExecutionStrategy property is also defined for the
   CompoundPolicyAction class, to provide the same indication for the
   sequenced actions aggregated by a CompoundPolicyAction.)  This
   document defines three execution strategies:

   Do Until Success - execute actions according to predefined order,
                      until successful execution of a single action.
   Do All -           execute ALL actions which are part of the modeled
                      set, according to their predefined order.
                      Continue doing this, even if one or more of the
                      actions fails.
   Do Until Failure - execute actions according to predefined order,
                      until the first failure in execution of a single
                      sub-action.

   The property definition is as follows:

   NAME             ExecutionStrategy
   DESCRIPTION      An enumeration indicating how to interpret the
                    action ordering for the actions aggregated by this
                    PolicyRule.
   SYNTAX           uint16 (ENUM, {1=Do Until Success, 2=Do All, 3=Do
                    Until Failure} )
   DEFAULT VALUE    Do All (2)

6.4. The Class "SimplePolicyCondition"

   A simple policy condition is composed of an ordered triplet:

                      <Variable> MATCH <Value>

   No formal modeling of the MATCH operator is provided.  The 'match'
   relationship is implied.  Such simple conditions are evaluated by
   answering the question:

                      Does <variable> match <value>?

   The 'match' relationship is to be interpreted by analyzing the
   variable and value instances associated with the simple condition.
   Simple conditions are building blocks for more complex Boolean
   Conditions, modeled by the CompoundPolicyCondition class.

   The SimplePolicyCondition class is derived from the PolicyCondition
   class defined in PCIM.  A variable and a value must be associated
   with a simple condition to make it a meaningful condition, using,
   respectively, the aggregations PolicyVariableInSimplePolicyCondition
   and PolicyValueInSimplePolicyCondition.

   The class definition is as follows:

   NAME             SimplePolicyCondition
   DERIVED FROM     PolicyCondition
   ABSTRACT         False
   PROPERTIES       (none)

6.5. The Class "CompoundPolicyCondition"

   This class represents a compound policy condition, formed by
   aggregation of simpler policy conditions.

   NAME             CompoundPolicyCondition
   DESCRIPTION      A subclass of PolicyCondition that introduces the
                    ConditionListType property, used for assigning DNF /
                    CNF semantics to subordinate policy conditions.
   DERIVED FROM     PolicyCondition
   ABSTRACT         FALSE
   PROPERTIES       ConditionListType

   The ConditionListType property is used to specify whether the list of
   policy conditions associated with this compound policy condition is
   in disjunctive normal form (DNF) or conjunctive normal form (CNF).
   If this property is not present, the list type defaults to DNF.

   The property definition is as follows:

   NAME             ConditionListType
   DESCRIPTION      Indicates whether the list of policy conditions
                    associated with this policy rule is in disjunctive
                    normal form (DNF) or conjunctive normal form (CNF).
   SYNTAX           uint16
   VALUES           DNF(1), CNF(2)
   DEFAULT VALUE    DNF(1)

6.6. The Class "CompoundFilterCondition"

   This subclass of CompoundPolicyCondition introduces one additional
   property, the boolean IsMirrored.  This property turns on or off the
   "flipping" of corresponding source and destination fields in a filter
   specification.

   NAME             CompoundFilterCondition
   DESCRIPTION      A subclass of CompoundPolicyCondition that introduces
                    the IsMirrored property.
   DERIVED FROM     CompoundPolicyCondition
   ABSTRACT         FALSE
   PROPERTIES       IsMirrored

   The IsMirrored property indicates whether packets that "mirror" a
   compound filter condition should be treated as matching the filter.

   The property definition is as follows:
   NAME             IsMirrored
   DESCRIPTION      Indicates whether packets that mirror the specified
                    filter are to be treated as matching the filter.
   SYNTAX           boolean
   DEFAULT VALUE    FALSE

6.7. The Class "SimplePolicyAction"

   The SimplePolicyAction class models the elementary set operation,
   "SET <variable> TO <value>".  The set operator MUST overwrite an old
   value of the variable.

   Two aggregations are used in order to create the pair <variable>
   <value>.  The aggregation PolicyVariableInSimplePolicyAction relates
   a SimplePolicyAction to a single variable instance.  Similarly, the
   aggregation PolicyValueInSimplePolicyAction relates a
   SimplePolicyAction to a single value instance.  Both aggregations are
   defined in this document.

   NAME             SimplePolicyAction
   DESCRIPTION      A subclass of PolicyAction that introduces the notion
                    of "SET variable TO value".
   DERIVED FROM     PolicyAction
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.8. The Class "CompoundPolicyAction"

   The CompoundPolicyAction class is used to represent an expression
   consisting of an ordered sequence of action terms.  Each action term
   is represented as a subclass of the PolicyAction class, defined in
   [PCIM].  Compound actions are constructed by associating dependent
   action terms together using the PolicyActionInPolicyAction
   aggregation.

   The class definition is as follows:

   NAME             CompoundPolicyAction
   DESCRIPTION      A class for representing sequenced action terms.
                    Each action term is defined to be a subclass of the
                    PolicyAction class.
   DERIVED FROM     PolicyAction
   ABSTRACT         FALSE
   PROPERTIES       SequencedActions
                    ExecutionStrategy

   This is a concrete class, and is therefore directly instantiable.
   The Property SequencedActions is identical to the SequencedActions
   property defined in PCIM for the class PolicyRule.

   The property ExecutionStrategy defines the execution strategy to be
   used upon the sequenced actions associated with this compound action.
   (An equivalent ExecutionStrategy property is also defined for the
   PolicyRule class, to provide the same indication for the sequenced
   actions associated with a PolicyRule.)  This document defines three
   execution strategies:

   Do Until Success - execute actions according to predefined order,
                      until successful execution of a single sub-action.
   Do All -           execute ALL actions which are part of the modeled
                      set, according to their predefined order.
                      Continue doing this, even if one or more of the
                      sub-actions fails.
   Do Until Failure - execute actions according to predefined order,
                      until the first failure in execution of a single
                      sub-action.

   Since a CompoundPolicyAction may itself be aggregated either by a
   PolicyRule or by another CompoundPolicyAction, its success or failure
   will be an input to the aggregating entity's execution strategy.
   Consequently, the following rules are specified, for determining
   whether a CompoundPolicyAction succeeds or fails:

   If the CompoundPolicyAction's ExecutionStrategy is Do Until Success,
   then:

      o  If one component action succeeds, then the CompoundPolicyAction
         succeeds.
      o  If all component actions fail, then the CompoundPolicyAction
         fails.

   If the CompoundPolicyAction's ExecutionStrategy is Do All, then:

      o  If all component actions succeed, then the CompoundPolicyAction
         succeeds.
      o  If at least one component action fails, then the
         CompoundPolicyAction fails.

   If the CompoundPolicyAction's ExecutionStrategy is Do Until Failure,
   then:

      o  If all component actions succeed, then the CompoundPolicyAction
         succeeds.
      o  If at least one component action fails, then the
         CompoundPolicyAction fails.
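To make the success/failure rules above concrete, here is an added Python evaluator (not code from the RFC) that executes nested compound actions under each ExecutionStrategy and reports the aggregate result; the action names and their outcomes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple, Union

# ExecutionStrategy values from the property definition
DO_UNTIL_SUCCESS = 1
DO_ALL = 2
DO_UNTIL_FAILURE = 3


@dataclass
class SimpleAction:
    name: str
    run: Callable[[], bool]  # returns True when the action succeeds


@dataclass
class CompoundAction:
    name: str
    strategy: int = DO_ALL   # DEFAULT VALUE Do All (2)
    actions: List[Union[SimpleAction, "CompoundAction"]] = field(default_factory=list)


Action = Union[SimpleAction, CompoundAction]


def execute(action: Action, trace: List[Tuple[str, bool]]) -> bool:
    """Execute `action`; return True on success, False on failure.

    A CompoundAction's result follows the rules in the text, so it can feed the
    strategy of whatever aggregates it (a PolicyRule or another compound):
      Do Until Success: stop at the first success; succeeds iff one component did.
      Do All:           run every component; succeeds iff all did.
      Do Until Failure: stop at the first failure; succeeds iff all did.
    `trace` records (name, result) for every simple action actually run.
    """
    if isinstance(action, SimpleAction):
        ok = action.run()
        trace.append((action.name, ok))
        return ok
    if action.strategy == DO_UNTIL_SUCCESS:
        return any(execute(sub, trace) for sub in action.actions)   # stops at first success
    if action.strategy == DO_ALL:
        ok = True
        for sub in action.actions:
            ok = execute(sub, trace) and ok      # execute() runs first, so nothing is skipped
        return ok
    if action.strategy == DO_UNTIL_FAILURE:
        return all(execute(sub, trace) for sub in action.actions)   # stops at first failure
    raise ValueError(f"unknown ExecutionStrategy {action.strategy} in {action.name}")


def always(result: bool) -> Callable[[], bool]:
    return lambda: result


def build_sample(rule_strategy: int) -> CompoundAction:
    # Constructed sample: the rule's sequenced actions contain a Do Until Success
    # chain that tries marking options in order of preference.
    marking = CompoundAction("choose-marking", DO_UNTIL_SUCCESS, [
        SimpleAction("set-dscp-ef", always(False)),   # unsupported here: fails
        SimpleAction("set-dscp-af41", always(True)),  # succeeds, so the chain stops
        SimpleAction("set-dscp-be", always(True)),    # never reached
    ])
    return CompoundAction("rule-actions", rule_strategy, [
        SimpleAction("log", always(True)),
        marking,
        SimpleAction("rate-limit", always(False)),    # fails
        SimpleAction("count", always(True)),          # runs only under Do All
    ])


def run_sample(rule_strategy: int) -> Tuple[bool, List[str]]:
    """Return (overall result, names of the simple actions that ran, in order)."""
    trace: List[Tuple[str, bool]] = []
    result = execute(build_sample(rule_strategy), trace)
    return result, [name for name, _ in trace]
```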
   The definition of the ExecutionStrategy property is as follows:

   NAME             ExecutionStrategy
   DESCRIPTION      An enumeration indicating how to interpret the
                    action ordering for the actions aggregated by this
                    CompoundPolicyAction.
   SYNTAX           uint16 (ENUM, {1=Do Until Success, 2=Do All, 3=Do
                    Until Failure} )
   DEFAULT VALUE    Do All (2)

6.9. The Abstract Class "PolicyVariable"

   Variables are used for building individual conditions.  The variable
   specifies the property of a flow or an event that should be matched
   when evaluating the condition.  However, not every combination of a
   variable and a value creates a meaningful condition.  For example, a
   source IP address variable cannot be matched against a value that
   specifies a port number.  A given variable selects the set of
   matchable value types.

   A variable can have constraints that limit the set of values within a
   particular value type that can be matched against it in a condition.
   For example, a source-port variable limits the set of values to
   represent integers to the range of 0-65535.  Integers outside this
   range cannot be matched to the source-port variable, even though they
   are of the correct data type.  Constraints for a given variable are
   indicated through the ExpectedPolicyValuesForVariable association.

   The PolicyVariable is an abstract class.  Implicit and explicit
   context variable classes are defined as subclasses of the
   PolicyVariable class.  A set of implicit variables is defined in this
   document as well.

   The class definition is as follows:

   NAME             PolicyVariable
   DERIVED FROM     Policy
   ABSTRACT         TRUE
   PROPERTIES       (none)

6.10. The Class "PolicyExplicitVariable"

   Explicitly defined policy variables are evaluated within the context
   of the CIM Schema and its modeling constructs.  The
   PolicyExplicitVariable class indicates the exact model property to be
   evaluated or manipulated.  See Section 5.8.6 for a complete
   discussion of what happens when the values of the ModelClass and
   ModelProperty properties in an instance of this class do not
   correspond to the characteristics of the model construct being
   evaluated or updated.

   The class definition is as follows:

   NAME             PolicyExplicitVariable
   DERIVED FROM     PolicyVariable
   ABSTRACT         False
   PROPERTIES       ModelClass, ModelProperty

6.10.1. The Single-Valued Property "ModelClass"

   This property is a string specifying the class name whose property is
   evaluated or set as a PolicyVariable.

   The property is defined as follows:

   NAME             ModelClass
   SYNTAX           String

6.10.2. The Single-Valued Property "ModelProperty"

   This property is a string specifying the property name, within the
   ModelClass, which is evaluated or set as a PolicyVariable.

   The property is defined as follows:

   NAME             ModelProperty
   SYNTAX           String

6.11. The Abstract Class "PolicyImplicitVariable"

   Implicitly defined policy variables are evaluated outside of the
   context of the CIM Schema and its modeling constructs.  Subclasses
   specify the data type and semantics of the PolicyVariables.

   Interpretation and evaluation of a PolicyImplicitVariable can vary,
   depending on the particular context in which it is used.  For
   example, a "SourceIP" address may denote the source address field of
   an IP packet header, or the sender address delivered by an RSVP PATH
   message.

   The class definition is as follows:

   NAME             PolicyImplicitVariable
   DERIVED FROM     PolicyVariable
   ABSTRACT         True
   PROPERTIES       ValueTypes[ ]

6.11.1. The Multi-Valued Property "ValueTypes"

   This property is a set of strings specifying an unordered list of
   possible value/data types that can be used in simple conditions and
   actions, with this variable.  The value types are specified by their
   class names (subclasses of PolicyValue such as PolicyStringValue).
   The list of class names enables an application to search on a
   specific name, as well as to ensure that the data type of the
   variable is of the correct type.  The list of default ValueTypes for
   each subclass of PolicyImplicitVariable is specified within that
   variable's definition.

   The property is defined as follows:

   NAME             ValueTypes
   SYNTAX           String

6.12. Subclasses of "PolicyImplicitVariable" Specified in PCIMe

The following subclasses of PolicyImplicitVariable are defined in PCIMe.

6.12.1. The Class "PolicySourceIPv4Variable"

   NAME             PolicySourceIPv4Variable
   DESCRIPTION      The source IPv4 address of the outermost IP packet
                    header.  "Outermost" here refers to the IP packet
                    as it flows on the wire, before any headers have
                    been stripped from it.
                    ALLOWED VALUE TYPES:
                      - PolicyIPv4AddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.2. The Class "PolicySourceIPv6Variable"

   NAME             PolicySourceIPv6Variable
   DESCRIPTION      The source IPv6 address of the outermost IP packet
                    header.  "Outermost" here refers to the IP packet
                    as it flows on the wire, before any headers have
                    been stripped from it.
                    ALLOWED VALUE TYPES:
                      - PolicyIPv6AddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.3. The Class "PolicyDestinationIPv4Variable"

   NAME             PolicyDestinationIPv4Variable
   DESCRIPTION      The destination IPv4 address of the outermost IP
                    packet header.  "Outermost" here refers to the IP
                    packet as it flows on the wire, before any headers
                    have been stripped from it.
                    ALLOWED VALUE TYPES:
                      - PolicyIPv4AddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.4. The Class "PolicyDestinationIPv6Variable"

   NAME             PolicyDestinationIPv6Variable
   DESCRIPTION      The destination IPv6 address of the outermost IP
                    packet header.  "Outermost" here refers to the IP
                    packet as it flows on the wire, before any headers
                    have been stripped from it.
                    ALLOWED VALUE TYPES:
                      - PolicyIPv6AddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.5. The Class "PolicySourcePortVariable"

   NAME             PolicySourcePortVariable
   DESCRIPTION      Ports are defined as the abstraction that transport
                    protocols use to distinguish among multiple
                    destinations within a given host computer.  For TCP
                    and UDP flows, the PolicySourcePortVariable is
                    logically bound to the source port field of the
                    outermost UDP or TCP packet header.  "Outermost"
                    here refers to the IP packet as it flows on the
                    wire, before any headers have been stripped from it.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..65535)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.6. The Class "PolicyDestinationPortVariable"

   NAME             PolicyDestinationPortVariable
   DESCRIPTION      Ports are defined as the abstraction that transport
                    protocols use to distinguish among multiple
                    destinations within a given host computer.  For TCP
                    and UDP flows, the PolicyDestinationPortVariable is
                    logically bound to the destination port field of the
                    outermost UDP or TCP packet header.  "Outermost"
                    here refers to the IP packet as it flows on the
                    wire, before any headers have been stripped from it.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..65535)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.7. The Class "PolicyIPProtocolVariable"

   NAME             PolicyIPProtocolVariable
   DESCRIPTION      The IP protocol number.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..255)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.8. The Class "PolicyIPVersionVariable"

   NAME             PolicyIPVersionVariable
   DESCRIPTION      The IP version number.  The well-known values are 4
                    and 6.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..15)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.9. The Class "PolicyIPToSVariable"

   NAME             PolicyIPToSVariable
   DESCRIPTION      The IP TOS octet.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..255)
                      - PolicyBitStringValue (8 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.10. The Class "PolicyDSCPVariable"

   NAME             PolicyDSCPVariable
   DESCRIPTION      The 6 bit Differentiated Service Code Point.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..63)
                      - PolicyBitStringValue (6 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.11. The Class "PolicyFlowIdVariable"

   NAME             PolicyFlowIdVariable
   DESCRIPTION      The flow identifier of the outermost IPv6 packet
                    header.  "Outermost" here refers to the IP packet
                    as it flows on the wire, before any headers have
                    been stripped from it.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..1048575)
                      - PolicyBitStringValue (20 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.12. The Class "PolicySourceMACVariable"

   NAME             PolicySourceMACVariable
   DESCRIPTION      The source MAC address.
                    ALLOWED VALUE TYPES:
                      - PolicyMACAddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.13. The Class "PolicyDestinationMACVariable"

   NAME             PolicyDestinationMACVariable
   DESCRIPTION      The destination MAC address.
                    ALLOWED VALUE TYPES:
                      - PolicyMACAddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.14. The Class "PolicyVLANVariable"

   NAME             PolicyVLANVariable
   DESCRIPTION      The virtual Bridged Local Area Network Identifier, a
                    12-bit field as defined in the IEEE 802.1q standard.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..4095)
                      - PolicyBitStringValue (12 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.15. The Class "PolicyCoSVariable"

   NAME             PolicyCoSVariable
   DESCRIPTION      Class of Service, a 3-bit field, used in the layer 2
                    header to select the forwarding treatment.  Bound to
                    the IEEE 802.1q user-priority field.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..7)
                      - PolicyBitStringValue (3 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.16. The Class "PolicyEthertypeVariable"

   NAME             PolicyEthertypeVariable
   DESCRIPTION      The Ethertype protocol number of Ethernet frames.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..65535)
                      - PolicyBitStringValue (16 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.17. The Class "PolicySourceSAPVariable"

   NAME             PolicySourceSAPVariable
   DESCRIPTION      The Source Service Access Point (SAP) number of the
                    IEEE 802.2 LLC header.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..255)
                      - PolicyBitStringValue (8 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.18. The Class "PolicyDestinationSAPVariable"

   NAME             PolicyDestinationSAPVariable
   DESCRIPTION      The Destination Service Access Point (SAP) number of
                    the IEEE 802.2 LLC header.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..255)
                      - PolicyBitStringValue (8 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.19. The Class "PolicySNAPOUIVariable"

   NAME             PolicySNAPOUIVariable
   DESCRIPTION      The value of the first three octets of the
                    Sub-Network Access Protocol (SNAP) Protocol
                    Identifier field for 802.2 SNAP encapsulation,
                    containing an Organizationally Unique Identifier
                    (OUI).  The value 00-00-00 indicates the
                    encapsulation of Ethernet frames (RFC 1042).  OUI
                    value 00-00-F8 indicates the special encapsulation
                    of Ethernet frames by certain types of bridges (IEEE
                    802.1H).  Other values are supported, but are not
                    further defined here.  These OUI values are to be
                    interpreted according to the endian-notation
                    conventions of IEEE 802.  For either of the two
                    Ethernet encapsulations, the remainder of the
                    Protocol Identifier field is represented by the
                    PolicySNAPTypeVariable.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..16777215)
                      - PolicyBitStringValue (24 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.20. The Class "PolicySNAPTypeVariable"

   NAME             PolicySNAPTypeVariable
   DESCRIPTION      The value of the 4th and 5th octets of the
                    Sub-Network Access Protocol (SNAP) Protocol
                    Identifier field for IEEE 802 SNAP encapsulation
                    when the PolicySNAPOUIVariable indicates one of the
                    two Encapsulated Ethernet frame formats.  This value
                    is undefined for other values of
                    PolicySNAPOUIVariable.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..65535)
                      - PolicyBitStringValue (16 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.21. The Class "PolicyFlowDirectionVariable"

   NAME             PolicyFlowDirectionVariable
   DESCRIPTION      The direction of a flow relative to a network
                    element.  Direction may be "IN" and/or "OUT".
                    ALLOWED VALUE TYPES:
                      - PolicyStringValue ("IN", "OUT")

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

   To match on both inbound and outbound flows, the associated
   PolicyStringValue object has two entries in its StringList property:
   "IN" and "OUT".

6.13. The Abstract Class "PolicyValue"

   This is an abstract class that serves as the base class for all
   subclasses that are used to define value objects in the PCIMe.  It is
   used for defining values and constants used in policy conditions.

   The class definition is as follows:

   NAME             PolicyValue
   DERIVED FROM     Policy
   ABSTRACT         True
   PROPERTIES       (none)

6.14. Subclasses of "PolicyValue" Specified in PCIMe

The following subsections contain the PolicyValue subclasses defined in PCIMe. Additional subclasses may be defined in models derived from PCIMe.

6.14.1. The Class "PolicyIPv4AddrValue"

   This class is used to provide a list of IPv4Addresses, hostnames and
   address range values to be matched against in a policy condition.

   The class definition is as follows:

   NAME             PolicyIPv4AddrValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       IPv4AddrList[ ]

   The IPv4AddrList property provides an unordered list of strings, each
   specifying a single IPv4 address, a hostname, or a range of IPv4
   addresses, according to the ABNF definition [6] of an IPv4 address,
   as specified below:

   IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
   IPv4prefix = IPv4address "/" 1*2DIGIT
   IPv4range = IPv4address"-"IPv4address
   IPv4maskedaddress = IPv4address","IPv4address
   Hostname (as defined in [4])

   In the above definition, each string entry is either:

   1. A single IPv4address in dot notation, as defined above.  Example:
      121.1.1.2

   2. An IPv4prefix address range, as defined above, specified by an
      address and a prefix length, separated by "/".  Example:
      2.3.128.0/15

   3. An IPv4range address range defined above, specified by a starting
      address in dot notation and an ending address in dot notation,
      separated by "-".  The range includes all addresses between the
      range's starting and ending addresses, including these two
      addresses.  Example: 1.1.22.1-1.1.22.5

   4. An IPv4maskedaddress address range, as defined above, specified by
      an address and mask.  The address and mask are represented in dot
      notation, separated by a comma ",".  The masked address appears
      before the comma, and the mask appears after the comma.  Example:
      2.3.128.0,255.255.248.0.

   5. A single Hostname.  The Hostname format follows the guidelines and
      restrictions specified in [4].  Example: www.bigcompany.com.

   Conditions matching IPv4AddrValues evaluate to true according to the
   generic matching rules.  Additionally, a hostname is matched against
   another valid IPv4address representation by resolving the hostname
   into an IPv4 address first, and then comparing the addresses
   afterwards.  Matching hostnames against each other is done using a
   string comparison of the two names.

   The property definition is as follows:

   NAME             IPv4AddrList
   SYNTAX           String
   FORMAT           IPv4address | IPv4prefix | IPv4range |
                    IPv4maskedaddress | hostname
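As an added example (not code from the RFC), the following Python classifies IPv4AddrList entries into the five forms above and applies the matching rules, including hostname resolution before an address comparison and string comparison between two hostnames. The hostname syntax check is a simplification (an assumption, since the page only cites [4]), and the name table standing in for DNS is constructed so the example runs offline.

```python
import ipaddress
import re
from typing import Callable, Optional, Tuple

# ABNF from the text: IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
_OCTETS = r"\d{1,3}(?:\.\d{1,3}){3}"
_RE_ADDR = re.compile(rf"^{_OCTETS}$")
_RE_PREFIX = re.compile(rf"^({_OCTETS})/(\d{{1,2}})$")    # IPv4prefix
_RE_RANGE = re.compile(rf"^({_OCTETS})-({_OCTETS})$")     # IPv4range
_RE_MASKED = re.compile(rf"^({_OCTETS}),({_OCTETS})$")    # IPv4maskedaddress
# Simplified hostname syntax (assumption); the page cites [4] for the full rules.
_RE_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                      r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")
Resolver = Optional[Callable[[str], Optional[str]]]


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))   # rejects octets above 255


def parse_entry(entry: str) -> Tuple[str, object]:
    """Classify one IPv4AddrList string as (kind, payload): 'address' -> int,
    'prefix'/'masked' -> (base, mask), 'range' -> (lo, hi), 'hostname' -> str.
    Raises ValueError for anything that is none of the five forms."""
    entry = entry.strip()
    if _RE_ADDR.match(entry):        # before hostname: dotted digits would match both
        return "address", _addr(entry)
    m = _RE_PREFIX.match(entry)
    if m:
        plen = int(m.group(2))
        if plen > 32:
            raise ValueError(f"prefix length above 32: {entry!r}")
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        return "prefix", (_addr(m.group(1)) & mask, mask)
    m = _RE_RANGE.match(entry)
    if m:
        lo, hi = _addr(m.group(1)), _addr(m.group(2))
        if lo > hi:
            raise ValueError(f"range start after end: {entry!r}")
        return "range", (lo, hi)
    m = _RE_MASKED.match(entry)
    if m:                            # the mask need not be contiguous: plain integer arithmetic
        mask = _addr(m.group(2))
        return "masked", (_addr(m.group(1)) & mask, mask)
    if _RE_HOST.match(entry):
        return "hostname", entry
    raise ValueError(f"not a valid IPv4AddrList entry: {entry!r}")


def entry_matches(entry: str, candidate: str, resolve: Resolver = None) -> bool:
    """Does `candidate` (a single IPv4 address or hostname) match `entry`?"""
    kind, payload = parse_entry(entry)
    ckind, cpayload = parse_entry(candidate)
    if ckind not in ("address", "hostname"):
        raise ValueError("candidate must be a single IPv4 address or hostname")
    if kind == "hostname" and ckind == "hostname":
        return payload == cpayload                    # string comparison of the two names
    if kind == "hostname":                            # hostname vs. address: resolve first
        resolved = resolve(payload) if resolve else None
        if resolved is None:
            return False
        kind, payload = "address", _addr(resolved)
    if ckind == "hostname":
        resolved = resolve(cpayload) if resolve else None
        if resolved is None:
            return False
        cpayload = _addr(resolved)
    if kind == "address":
        return cpayload == payload
    if kind in ("prefix", "masked"):
        base, mask = payload
        return (cpayload & mask) == base
    lo, hi = payload                                  # range, inclusive at both ends
    return lo <= cpayload <= hi


def list_matches(addr_list, candidate: str, resolve: Resolver = None) -> bool:
    """The list is unordered: it matches when any entry matches."""
    return any(entry_matches(e, candidate, resolve) for e in addr_list)


def is_valid_entry(entry: str) -> bool:
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


# Constructed static name table standing in for DNS, so the example runs offline.
SAMPLE_NAMES = {"www.bigcompany.com": "121.1.1.2"}


def sample_resolve(name: str) -> Optional[str]:
    return SAMPLE_NAMES.get(name)
```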

6.14.2. The Class "PolicyIPv6AddrValue"

   This class is used to define a list of IPv6 addresses, hostnames, and
   address range values.

   The class definition is as follows:

   NAME             PolicyIPv6AddrValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       IPv6AddrList[ ]

   The property IPv6AddrList provides an unordered list of strings, each
   specifying an IPv6 address, a hostname, or a range of IPv6 addresses.
   IPv6 address format definition uses the standard address format
   defined in [7].  The ABNF definition [6] as specified in [7] is:

   IPv6address = hexpart [ ":" IPv4address ]
   IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
   IPv6prefix = hexpart "/" 1*2DIGIT
   hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
   hexseq = hex4 *( ":" hex4)
   hex4 = 1*4HEXDIG
   IPv6range = IPv6address"-"IPv6address
   IPv6maskedaddress = IPv6address","IPv6address
   Hostname (as defined in [4])

   Each string entry is either:

   1. A single IPv6address as defined above.

   2. A single Hostname.  Hostname format follows guidelines and
      restrictions specified in [4].
   3. An IPv6range address range, specified by a starting address in dot
      notation and an ending address in dot notation, separated by "-".
      The range includes all addresses between the range's starting and
      ending addresses, including these two addresses.

   4. An IPv6maskedaddress address range, as defined above, specified by
      an address and mask.  The address and mask are represented in dot
      notation, separated by a comma ",".

   5. A single IPv6prefix as defined above.

   Conditions matching IPv6AddrValues evaluate to true according to the
   generic matching rules.  Additionally, a hostname is matched against
   another valid IPv6address representation by resolving the hostname
   into an IPv6 address first, and then comparing the addresses
   afterwards.  Matching hostnames against each other is done using a
   string comparison of the two names.

6.14.3. The Class "PolicyMACAddrValue"

   This class is used to define a list of MAC addresses and MAC address
   range values.

   The class definition is as follows:

   NAME             PolicyMACAddrValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       MACAddrList[ ]

   The property MACAddrList provides an unordered list of strings, each
   specifying a MAC address or a range of MAC addresses.  The 802 MAC
   address canonical format is used.  The ABNF definition [6] is:

   MACaddress = 1*4HEXDIG ":" 1*4HEXDIG ":" 1*4HEXDIG
   MACmaskedaddress = MACaddress","MACaddress

   Each string entry is either:

   1. A single MAC address.  Example: 0000:00A5:0000

   2. A MACmaskedaddress address range, as defined above, specified by
      an address and mask.  The mask specifies the relevant bits in the
      address.  Example: 0000:00A5:0000,FFFF:FFFF:0000 defines a range
      of MAC addresses in which the first four octets are equal to
      0000:00A5.
   The property definition is as follows:

   NAME             MACAddrList
   SYNTAX           String
   FORMAT           MACaddress | MACmaskedaddress

6.14.4. The Class "PolicyStringValue"

   This class is used to represent a single string value, or a set of
   string values.  Each value can have wildcards.

   The class definition is as follows:

   NAME             PolicyStringValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       StringList[ ]

   The property StringList provides an unordered list of strings, each
   representing a single string with wildcards.  The asterisk character
   "*" is used as a wildcard, and represents an arbitrary substring
   replacement.  For example, the value "abc*def" matches the string
   "abcxyzdef", and the value "abc*def*" matches the string
   "abcxxxdefyyyzzz".  The syntax definition is identical to the
   substring assertion syntax defined in [5].  If the asterisk character
   is required as part of the string value itself, it MUST be quoted as
   described in Section 4.3 of [5].

   The property definition is as follows:

   NAME             StringList
   SYNTAX           String

6.14.5. The Class "PolicyBitStringValue"

   This class is used to represent a single bit string value, or a set
   of bit string values.

   The class definition is as follows:

   NAME             PolicyBitStringValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       BitStringList[ ]

   The property BitStringList provides an unordered list of strings,
   each representing a single bit string or a set of bit strings.  The
   number of bits specified SHOULD equal the number of bits of the
   expected variable.  For example, for a one-octet variable, 8 bits
   should be specified.  If the variable does not have a fixed length,
   the bit string should be matched against the variable's most
   significant bit string.  The formal definition of a bit string is:

   binary-digit = "0" / "1"
   bitString = 1*binary-digit
   maskedBitString = bitString","bitString

   Each string entry is either:

   1. A single bit string. Example: 00111010

   2. A range of bit strings specified using a bit string and a bit
      mask.  The bit string and mask fields have the same number of bits
      specified.  The mask bit string specifies the significant bits in
      the bit string value.  For example, 110110, 100110 and 110111
      would match the maskedBitString 100110,101110 but 100100 would
      not.

   The property definition is as follows:

   NAME             BitStringList
   SYNTAX           String
   FORMAT           bitString | maskedBitString
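The masked forms of BitStringList (6.14.5) and MACAddrList (6.14.3) share one rule: the mask's 1 bits are the significant bits. As an added example (not code from the RFC), the Python below implements both matchers on top of a single helper, reproduces the 100110,101110 example from the text, and applies the most-significant-bits rule for a variable without a fixed length.

```python
import re
from typing import Callable, List, Optional, Tuple

# ABNF from the text:
#   bitString        = 1*binary-digit        maskedBitString = bitString","bitString
#   MACaddress       = 1*4HEXDIG ":" 1*4HEXDIG ":" 1*4HEXDIG
#   MACmaskedaddress = MACaddress","MACaddress
_RE_BITS = re.compile(r"^[01]+$")
_RE_MAC = re.compile(r"^[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}$")


def _split_masked(entry: str, syntax: re.Pattern, what: str) -> Tuple[str, Optional[str]]:
    """Split 'value' or 'value,mask' and check each half against `syntax`."""
    parts = entry.split(",")
    if len(parts) > 2 or not all(syntax.match(p) for p in parts):
        raise ValueError(f"not a valid {what} entry: {entry!r}")
    return parts[0], (parts[1] if len(parts) == 2 else None)


def bitstring_entry_matches(entry: str, value: str) -> bool:
    """Match a variable's bit string `value` against one BitStringList entry.

    A bare bit string must be equal bit for bit; 'bits,mask' matches when every
    bit the mask marks with 1 is equal.  If the entry is shorter than the value
    (a variable without fixed length), it is compared against the value's most
    significant bits, as the text describes.
    """
    bits, mask = _split_masked(entry, _RE_BITS, "BitStringList")
    if not _RE_BITS.match(value):
        raise ValueError(f"not a bit string: {value!r}")
    if mask is not None and len(mask) != len(bits):
        raise ValueError(f"bit string and mask must have the same length: {entry!r}")
    if len(bits) > len(value):
        return False                      # entry is wider than the variable
    head = value[: len(bits)]             # most significant bits of the variable
    if mask is None:
        return head == bits
    return all(m == "0" or v == b for v, b, m in zip(head, bits, mask))


def _mac_int(mac: str) -> int:
    """Canonical 802 MAC written as three 16-bit groups -> 48-bit integer."""
    return int("".join(group.zfill(4) for group in mac.split(":")), 16)


def mac_entry_matches(entry: str, value: str) -> bool:
    """Match a MAC address against one MACAddrList entry; the mask's 1 bits are
    the relevant bits, exactly as for masked bit strings."""
    addr, mask = _split_masked(entry, _RE_MAC, "MACAddrList")
    if not _RE_MAC.match(value):
        raise ValueError(f"not a MAC address: {value!r}")
    relevant = 0xFFFFFFFFFFFF if mask is None else _mac_int(mask)
    return (_mac_int(addr) & relevant) == (_mac_int(value) & relevant)


def list_matches(entries: List[str], value: str,
                 entry_matches: Callable[[str, str], bool]) -> bool:
    """An unordered list matches when any of its entries does."""
    return any(entry_matches(e, value) for e in entries)
```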

6.14.6. The Class "PolicyIntegerValue"

   This class provides a list of integer and integer range values.
   Integers of arbitrary sizes can be represented.

   The class definition is as follows:

   NAME             PolicyIntegerValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       IntegerList[ ]

   The property IntegerList provides an unordered list of integers and
   integer range values, represented as strings.  The format of this
   property takes one of the following forms:

   1. An integer value.

   2. A range of integers.  The range is specified by a starting integer
      and an ending integer, separated by '..'.  The starting integer
      MUST be less than or equal to the ending integer.  The range
      includes all integers between the starting and ending integers,
      including these two integers.
Top   ToC   RFC3460 - Page 65
   To represent a range of integers that is not bounded, the reserved
   words -INFINITY and/or INFINITY can be used in place of the starting
   and ending integers.  In addition to ordinary integer matches,
   INFINITY matches INFINITY and -INFINITY matches -INFINITY.

   The ABNF definition [6] is:

   integer = [-]1*DIGIT | "INFINITY" | "-INFINITY"
   integerrange = integer".."integer

   Using ranges, the operators greater-than, greater-than-or-equal-to,
   less-than, and less-than-or-equal-to can be expressed.  For example,
   "X is-greater-than 5" (where X is an integer) can be translated to
   "X matches 6-INFINITY".  This enables the match condition semantics
   of the operator for the SimplePolicyCondition class to be kept simple
   (i.e., just the value "match").

   The property definition is as follows:

   NAME             IntegerList
   SYNTAX           String
   FORMAT           integer | integerrange
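   As an added example that is not part of RFC 3460, the following Python parses IntegerList entries under the ABNF above (with INFINITY and -INFINITY as unbounded end points), checks the start-not-greater-than-end rule, and translates the relational operators into ranges as the text describes; the function names are this example's own, and the range for "greater than 5" is written "6..INFINITY" in the ABNF's '..' notation.

```python
import math
import re

# ABNF from RFC 3460 section 6.14.6:
#   integer      = [-]1*DIGIT | "INFINITY" | "-INFINITY"
#   integerrange = integer ".." integer
_INT = re.compile(r"^-?\d+$")


def parse_integer(token: str):
    """Parse an 'integer' token. INFINITY and -INFINITY become math.inf and
    -math.inf; Python compares ints against those exactly, so integers of
    arbitrary size are handled without loss."""
    if token == "INFINITY":
        return math.inf
    if token == "-INFINITY":
        return -math.inf
    if not _INT.match(token):
        raise ValueError(f"not an integer: {token!r}")
    return int(token)


def parse_integer_entry(entry: str):
    """Return (low, high) for one IntegerList entry. A single integer is the
    degenerate range (n, n). The start MUST NOT exceed the end."""
    parts = entry.split("..")
    if len(parts) == 1:
        low = high = parse_integer(parts[0])
    elif len(parts) == 2:
        low, high = parse_integer(parts[0]), parse_integer(parts[1])
    else:
        raise ValueError(f"malformed entry: {entry!r}")
    if low > high:
        raise ValueError(f"range start exceeds end: {entry!r}")
    return low, high


def integer_list_matches(integer_list: list[str], x) -> bool:
    """TRUE when x falls inside any entry; ranges are inclusive at both ends,
    and INFINITY matches INFINITY (math.inf <= math.inf holds)."""
    return any(low <= x <= high
               for low, high in map(parse_integer_entry, integer_list))


def comparison_as_range(op: str, n: int) -> str:
    """Express a relational operator as an integerrange entry so that the
    SimplePolicyCondition operator can stay the single value 'match'.
    RFC example: 'X is-greater-than 5' becomes '6..INFINITY'."""
    return {
        ">":  f"{n + 1}..INFINITY",
        ">=": f"{n}..INFINITY",
        "<":  f"-INFINITY..{n - 1}",
        "<=": f"-INFINITY..{n}",
    }[op]
```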

6.14.7. The Class "PolicyBooleanValue"

   This class is used to represent a Boolean (TRUE/FALSE) value.  The class definition is as follows:

   NAME             PolicyBooleanValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       BooleanValue

   The property definition is as follows:

   NAME             BooleanValue
   SYNTAX           boolean

6.15. The Class "PolicyRoleCollection"

   This class represents a collection of managed elements that share a common role.  The PolicyRoleCollection always exists in the context of a system, specified using the PolicyRoleCollectionInSystem association.  The value of the PolicyRole property in this class specifies the role, and can be matched with the value(s) in the PolicyRoles array in PolicyRules and PolicyGroups.  ManagedElements that share the role defined in this collection are aggregated into the collection via the association ElementInPolicyRoleCollection.

   NAME             PolicyRoleCollection
   DESCRIPTION      A subclass of the CIM Collection class used to group
                    together managed elements that share a role.
   DERIVED FROM     Collection
   ABSTRACT         FALSE

   PROPERTIES       PolicyRole

6.15.1. The Single-Valued Property "PolicyRole"

   This property represents the role associated with a PolicyRoleCollection.  The property definition is as follows:

   NAME             PolicyRole
   DESCRIPTION      A string representing the role associated with a PolicyRoleCollection.
   SYNTAX           string

6.16. The Class "ReusablePolicyContainer"

   The new class ReusablePolicyContainer is defined as follows:

   NAME             ReusablePolicyContainer
   DESCRIPTION      A class representing an administratively defined container for reusable policy-related information.  This class does not introduce any additional properties beyond those in its superclass AdminDomain.  It does, however, participate in a number of unique associations.
   DERIVED FROM     AdminDomain
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.17. Deprecate PCIM's Class "PolicyRepository"

   The class definition of PolicyRepository (from PCIM) is updated as follows, with an indication that the class has been deprecated.  Note that when an element of the model is deprecated, its replacement element is identified explicitly.

   NAME             PolicyRepository
   DEPRECATED FOR   ReusablePolicyContainer
   DESCRIPTION      A class representing an administratively defined container for reusable policy-related information.  This class does not introduce any additional properties beyond those in its superclass AdminDomain.  It does, however, participate in a number of unique associations.
   DERIVED FROM     AdminDomain
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.18. The Abstract Class "FilterEntryBase"

   FilterEntryBase is the abstract base class from which all filter entry classes are derived.  It serves as the endpoint for the EntriesInFilterList aggregation, which groups filter entries into filter lists.  Its properties include CIM naming attributes and an IsNegated boolean property (to easily "NOT" the match information specified in an instance of one of its subclasses).  The class definition is as follows:

   NAME             FilterEntryBase
   DESCRIPTION      An abstract class representing a single filter that is aggregated into a FilterList via the aggregation EntriesInFilterList.
   DERIVED FROM     LogicalElement
   TYPE             Abstract
   PROPERTIES       IsNegated

6.19. The Class "IpHeadersFilter"

   This concrete class contains the most commonly required properties for performing filtering on IP, TCP or UDP headers.  Properties not present in an instance of IpHeadersFilter are treated as 'all values'.  A property HdrIpVersion identifies whether the IP addresses in an instance are IPv4 or IPv6 addresses.  Since the source and destination IP addresses come from the same packet header, they will always be of the same type.  The class definition is as follows:

   NAME             IpHeadersFilter
   DESCRIPTION      A class representing an entire IP header filter, or any subset of one.
   DERIVED FROM     FilterEntryBase
   TYPE             Concrete
   PROPERTIES       HdrIpVersion, HdrSrcAddress, HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange, HdrDestMask, HdrProtocolID, HdrSrcPortStart, HdrSrcPortEnd, HdrDestPortStart, HdrDestPortEnd, HdrDSCP[ ], HdrFlowLabel

6.19.1. The Property HdrIpVersion

   This property is an 8-bit unsigned integer, identifying the version of the IP addresses to be filtered on.  IP versions are identified as they are in the Version field of the IP packet header - IPv4 = 4, IPv6 = 6.  These two values are the only ones defined for this property.

   The value of this property determines the sizes of the OctetStrings in the six properties HdrSrcAddress, HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange, and HdrDestMask, as follows:

   o  IPv4: OctetString(SIZE (4))

   o  IPv6: OctetString(SIZE (16|20)), depending on whether a scope identifier is present

   If a value for this property is not provided, then the filter does not consider IP version in selecting matching packets, i.e., IP version matches for all values.  In this case, the HdrSrcAddress, HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange, and HdrDestMask must also not be present.

6.19.2. The Property HdrSrcAddress

   This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing a source IP address.  When there is no HdrSrcAddressEndOfRange value, this value is compared to the source address in the IP header, subject to the mask represented in the HdrSrcMask property.  (Note that the mask is ANDed with the address.)  When there is a HdrSrcAddressEndOfRange value, this value is the start of the specified range (i.e., the HdrSrcAddress is lower than the HdrSrcAddressEndOfRange) that is compared to the source address in the IP header and matches on any value in the range.

   If a value for this property is not provided, then the filter does not consider HdrSrcAddress in selecting matching packets, i.e., HdrSrcAddress matches for all values.

6.19.3. The Property HdrSrcAddressEndOfRange

   This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing the end of a range of source IP addresses (inclusive), where the start of the range is the HdrSrcAddress property value.

   If a value for HdrSrcAddress is not provided, then this property also MUST NOT be provided.  If a value for this property is provided, then HdrSrcMask MUST NOT be provided.

6.19.4. The Property HdrSrcMask

   This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing a mask to be used in comparing the source address in the IP header with the value represented in the HdrSrcAddress property.

   If a value for this property is not provided, then the filter does not consider HdrSrcMask in selecting matching packets, i.e., the value of HdrSrcAddress or the source address range must match the source address in the packet exactly.  If a value for this property is provided, then HdrSrcAddressEndOfRange MUST NOT be provided.

6.19.5. The Property HdrDestAddress

   This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing a destination IP address.  When there is no HdrDestAddressEndOfRange value, this value is compared to the destination address in the IP header, subject to the mask represented in the HdrDestMask property.  (Note that the mask is ANDed with the address.)  When there is a HdrDestAddressEndOfRange value, this value is the start of the specified range (i.e., the HdrDestAddress is lower than the HdrDestAddressEndOfRange) that is compared to the destination address in the IP header and matches on any value in the range.

   If a value for this property is not provided, then the filter does not consider HdrDestAddress in selecting matching packets, i.e., HdrDestAddress matches for all values.

6.19.6. The Property HdrDestAddressEndOfRange

   This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing the end of a range of destination IP addresses (inclusive), where the start of the range is the HdrDestAddress property value.

   If a value for HdrDestAddress is not provided, then this property also MUST NOT be provided.  If a value for this property is provided, then HdrDestMask MUST NOT be provided.

6.19.7. The Property HdrDestMask

   This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing a mask to be used in comparing the destination address in the IP header with the value represented in the HdrDestAddress property.

   If a value for this property is not provided, then the filter does not consider HdrDestMask in selecting matching packets, i.e., the value of HdrDestAddress or the destination address range must match the destination address in the packet exactly.  If a value for this property is provided, then HdrDestAddressEndOfRange MUST NOT be provided.

6.19.8. The Property HdrProtocolID

This property is an 8-bit unsigned integer, representing an IP protocol type. This value is compared to the Protocol field in the IP header. If a value for this property is not provided, then the filter does not consider HdrProtocolID in selecting matching packets, i.e., HdrProtocolID matches for all values.

6.19.9. The Property HdrSrcPortStart

   This property is a 16-bit unsigned integer, representing the lower end of a range of UDP or TCP source ports.  The upper end of the range is represented by the HdrSrcPortEnd property.  The value of HdrSrcPortStart MUST be no greater than the value of HdrSrcPortEnd.  A single port is indicated by equal values for HdrSrcPortStart and HdrSrcPortEnd.

   A source port filter is evaluated by testing whether the source port identified in the IP header falls within the range of values between HdrSrcPortStart and HdrSrcPortEnd, including these two end points.

   If a value for this property is not provided, then the filter does not consider HdrSrcPortStart in selecting matching packets, i.e., there is no lower bound in matching source port values.

6.19.10. The Property HdrSrcPortEnd

   This property is a 16-bit unsigned integer, representing the upper end of a range of UDP or TCP source ports.  The lower end of the range is represented by the HdrSrcPortStart property.  The value of HdrSrcPortEnd MUST be no less than the value of HdrSrcPortStart.  A single port is indicated by equal values for HdrSrcPortStart and HdrSrcPortEnd.

   A source port filter is evaluated by testing whether the source port
   identified in the IP header falls within the range of values between
   HdrSrcPortStart and HdrSrcPortEnd, including these two end points.

   If a value for this property is not provided, then the filter does
   not consider HdrSrcPortEnd in selecting matching packets, i.e., there
   is no upper bound in matching source port values.

6.19.11. The Property HdrDestPortStart

   This property is a 16-bit unsigned integer, representing the lower end of a range of UDP or TCP destination ports.  The upper end of the range is represented by the HdrDestPortEnd property.  The value of HdrDestPortStart MUST be no greater than the value of HdrDestPortEnd.  A single port is indicated by equal values for HdrDestPortStart and HdrDestPortEnd.

   A destination port filter is evaluated by testing whether the destination port identified in the IP header falls within the range of values between HdrDestPortStart and HdrDestPortEnd, including these two end points.

   If a value for this property is not provided, then the filter does not consider HdrDestPortStart in selecting matching packets, i.e., there is no lower bound in matching destination port values.

6.19.12. The Property HdrDestPortEnd

   This property is a 16-bit unsigned integer, representing the upper end of a range of UDP or TCP destination ports.  The lower end of the range is represented by the HdrDestPortStart property.  The value of HdrDestPortEnd MUST be no less than the value of HdrDestPortStart.  A single port is indicated by equal values for HdrDestPortStart and HdrDestPortEnd.

   A destination port filter is evaluated by testing whether the destination port identified in the IP header falls within the range of values between HdrDestPortStart and HdrDestPortEnd, including these two end points.

   If a value for this property is not provided, then the filter does not consider HdrDestPortEnd in selecting matching packets, i.e., there is no upper bound in matching destination port values.

6.19.13. The Property HdrDSCP

The property HdrDSCP is defined as an array of uint8's, restricted to the range 0..63. Since DSCPs are defined as discrete code points, with no inherent structure, there is no semantically significant relationship between different DSCPs. Consequently, there is no provision for specifying a range of DSCPs in this property. However, a list of individual DSCPs, which are ORed together to form a filter, is supported by the array syntax. If a value for this property is not provided, then the filter does not consider HdrDSCP in selecting matching packets, i.e., HdrDSCP matches for all values.

6.19.14. The Property HdrFlowLabel

The 20-bit Flow Label field in the IPv6 header may be used by a source to label sequences of packets for which it requests special handling by IPv6 devices, such as non-default quality of service or 'real-time' service. This property is an octet string of size 3 (that is, 24 bits), in which the 20-bit Flow Label appears in the rightmost 20 bits, padded on the left with b'0000'. If a value for this property is not provided, then the filter does not consider HdrFlowLabel in selecting matching packets, i.e., HdrFlowLabel matches for all values.

6.20. The Class "8021Filter"

   This concrete class allows 802.1 source and destination MAC addresses, as well as the 802.1 protocol ID, priority, and VLAN identifier fields, to be expressed in a single object.  The class definition is as follows:

   NAME             8021Filter
   DESCRIPTION      A class that allows 802.1 source and destination MAC address and protocol ID, priority, and VLAN identifier filters to be expressed in a single object.
   DERIVED FROM     FilterEntryBase
   TYPE             Concrete
   PROPERTIES       8021HdrSrcMACAddr, 8021HdrSrcMACMask, 8021HdrDestMACAddr, 8021HdrDestMACMask, 8021HdrProtocolID, 8021HdrPriorityValue, 8021HdrVLANID

6.20.1. The Property 8021HdrSrcMACAddr

This property is an OctetString of size 6, representing a 48-bit source MAC address in canonical format. This value is compared to the SourceAddress field in the MAC header, subject to the mask represented in the 8021HdrSrcMACMask property. If a value for this property is not provided, then the filter does not consider 8021HdrSrcMACAddr in selecting matching packets, i.e., 8021HdrSrcMACAddr matches for all values.

6.20.2. The Property 8021HdrSrcMACMask

This property is an OctetString of size 6, representing a 48-bit mask to be used in comparing the SourceAddress field in the MAC header with the value represented in the 8021HdrSrcMACAddr property. If a value for this property is not provided, then the filter does not consider 8021HdrSrcMACMask in selecting matching packets, i.e., the value of 8021HdrSrcMACAddr must match the source MAC address in the packet exactly.

6.20.3. The Property 8021HdrDestMACAddr

This property is an OctetString of size 6, representing a 48-bit destination MAC address in canonical format. This value is compared to the DestinationAddress field in the MAC header, subject to the mask represented in the 8021HdrDestMACMask property. If a value for this property is not provided, then the filter does not consider 8021HdrDestMACAddr in selecting matching packets, i.e., 8021HdrDestMACAddr matches for all values.

6.20.4. The Property 8021HdrDestMACMask

   This property is an OctetString of size 6, representing a 48-bit mask to be used in comparing the DestinationAddress field in the MAC header with the value represented in the 8021HdrDestMACAddr property.  If a value for this property is not provided, then the filter does not consider 8021HdrDestMACMask in selecting matching packets, i.e., the value of 8021HdrDestMACAddr must match the destination MAC address in the packet exactly.

6.20.5. The Property 8021HdrProtocolID

This property is a 16-bit unsigned integer, representing an Ethernet protocol type. This value is compared to the Ethernet Type field in the 802.3 MAC header. If a value for this property is not provided, then the filter does not consider 8021HdrProtocolID in selecting matching packets, i.e., 8021HdrProtocolID matches for all values.

6.20.6. The Property 8021HdrPriorityValue

This property is an 8-bit unsigned integer, representing an 802.1Q priority. This value is compared to the Priority field in the 802.1Q header. Since the 802.1Q Priority field consists of 3 bits, the values for this property are limited to the range 0..7. If a value for this property is not provided, then the filter does not consider 8021HdrPriorityValue in selecting matching packets, i.e., 8021HdrPriorityValue matches for all values.

6.20.7. The Property 8021HdrVLANID

This property is a 32-bit unsigned integer, representing an 802.1Q VLAN Identifier. This value is compared to the VLAN ID field in the 802.1Q header. Since the 802.1Q VLAN ID field consists of 12 bits, the values for this property are limited to the range 0..4095. If a value for this property is not provided, then the filter does not consider 8021HdrVLANID in selecting matching packets, i.e., 8021HdrVLANID matches for all values.

6.21. The Class FilterList

   This is a concrete class that aggregates instances of (subclasses of) FilterEntryBase via the aggregation EntriesInFilterList.  It is possible to aggregate different types of filters into a single FilterList - for example, packet header filters (represented by the IpHeadersFilter class) and security filters (represented by subclasses of FilterEntryBase defined by IPsec).  The aggregation property EntriesInFilterList.EntrySequence is always set to 0, to indicate that the aggregated filter entries are ANDed together to form a selector for a class of traffic.

   The class definition is as follows:

   NAME                FilterList
   DESCRIPTION         A concrete class representing
                       the aggregation of multiple filters.
   DERIVED FROM        LogicalElement
   TYPE                Concrete
   PROPERTIES          Direction

6.21.1. The Property Direction

   This property is a 16-bit unsigned integer enumeration, representing the direction of the traffic flow to which the FilterList is to be applied.  Defined enumeration values are

   o  NotApplicable(0)

   o  Input(1)

   o  Output(2)

   o  Both(3) - This value is used to indicate that the direction is immaterial, e.g., to filter on a source subnet regardless of whether the flow is inbound or outbound

   o  Mirrored(4) - This value is also applicable to both inbound and outbound flow processing, but it indicates that the filter criteria are applied asymmetrically to traffic in both directions and, thus, specifies the reversal of source and destination criteria (as opposed to the equality of these criteria as indicated by "Both").  The match conditions in the aggregated FilterEntryBase subclass instances are defined from the perspective of outbound flows and applied to inbound flows as well by reversing the source and destination criteria.  So, for example, consider a FilterList with 3 filter entries indicating destination port = 80, and source and destination addresses of a and b, respectively.  Then, for the outbound direction, the filter entries match as specified and the 'mirror' (for the inbound direction) matches on source port = 80 and source and destination addresses of b and a, respectively.
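   As an added example that is not part of RFC 3460, the following Python models the IpHeadersFilter matching rules of section 6.19 (absent property = all values, mask ANDed with the address, inclusive address and port ranges, EndOfRange and Mask mutually exclusive, IsNegated inverting an entry) together with the FilterList Direction values above, so that the RFC's three-entry Mirrored example can be evaluated for both flow directions.  The class and function names, the packet-summary dictionary and the treatment of NotApplicable(0) as matching neither direction are this example's own assumptions; the addresses and packets are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of RFC 3460 IpHeadersFilter (6.19) and FilterList Direction
# (6.21.1). A property left as None is absent and matches all values. Addresses
# are raw OctetStrings sized by HdrIpVersion (4 octets IPv4, 16 octets IPv6).
@dataclass(frozen=True)
class IpHeadersFilter:
    IsNegated: bool = False
    HdrIpVersion: Optional[int] = None
    HdrSrcAddress: Optional[bytes] = None
    HdrSrcAddressEndOfRange: Optional[bytes] = None
    HdrSrcMask: Optional[bytes] = None
    HdrDestAddress: Optional[bytes] = None
    HdrDestAddressEndOfRange: Optional[bytes] = None
    HdrDestMask: Optional[bytes] = None
    HdrProtocolID: Optional[int] = None
    HdrSrcPortStart: Optional[int] = None
    HdrSrcPortEnd: Optional[int] = None
    HdrDestPortStart: Optional[int] = None
    HdrDestPortEnd: Optional[int] = None

def _addr_ok(pkt: bytes, addr, end, mask) -> bool:
    """Absent address: any. With EndOfRange: inclusive range (no mask allowed).
    Otherwise: compare under the mask (ANDed with both sides), or exactly."""
    if addr is None:
        return True
    if end is not None:
        if mask is not None:
            raise ValueError("EndOfRange and Mask MUST NOT both be present")
        return addr <= pkt <= end  # equal-length bytes compare numerically
    if mask is None:
        return pkt == addr
    return all(p & m == a & m for p, a, m in zip(pkt, addr, mask))

def _port_ok(port: int, start, end) -> bool:
    """Inclusive port range; an absent end point leaves that side unbounded."""
    return (start is None or port >= start) and (end is None or port <= end)

def matches(f: IpHeadersFilter, pkt: dict) -> bool:
    """One entry against a constructed packet summary (keys: version, src, dst,
    proto, sport, dport). IsNegated from FilterEntryBase inverts the result."""
    hit = (
        (f.HdrIpVersion is None or f.HdrIpVersion == pkt["version"])
        and (f.HdrProtocolID is None or f.HdrProtocolID == pkt["proto"])
        and _addr_ok(pkt["src"], f.HdrSrcAddress, f.HdrSrcAddressEndOfRange, f.HdrSrcMask)
        and _addr_ok(pkt["dst"], f.HdrDestAddress, f.HdrDestAddressEndOfRange, f.HdrDestMask)
        and _port_ok(pkt["sport"], f.HdrSrcPortStart, f.HdrSrcPortEnd)
        and _port_ok(pkt["dport"], f.HdrDestPortStart, f.HdrDestPortEnd)
    )
    return hit != f.IsNegated

def mirror(f: IpHeadersFilter) -> IpHeadersFilter:
    """Reverse source and destination criteria (what Mirrored(4) applies inbound)."""
    swapped = {}
    for suffix in ("Address", "AddressEndOfRange", "Mask", "PortStart", "PortEnd"):
        swapped["HdrSrc" + suffix] = getattr(f, "HdrDest" + suffix)
        swapped["HdrDest" + suffix] = getattr(f, "HdrSrc" + suffix)
    return replace(f, **swapped)

def filter_list_matches(entries, direction: int, pkt: dict, inbound: bool) -> bool:
    """Entries are ANDed (EntrySequence is always 0). Direction: 1 Input, 2 Output,
    3 Both, 4 Mirrored; NotApplicable(0) is assumed here to match neither way."""
    if direction == 0 or (direction == 1 and not inbound) or (direction == 2 and inbound):
        return False
    if direction == 4 and inbound:
        entries = [mirror(e) for e in entries]
    return all(matches(e, pkt) for e in entries)
```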

