Network Working Group                                       B. Moore, Ed.
Request for Comments: 3460                                            IBM
Updates: 3060                                                January 2003
Category: Standards Track

           Policy Core Information Model (PCIM) Extensions

Status of this Memo

   This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract
   This document specifies a number of changes to the Policy Core Information Model (PCIM, RFC 3060). Two types of changes are included. First, several completely new elements are introduced, for example, classes for header filtering, that extend PCIM into areas that it did not previously cover. Second, there are cases where elements of PCIM (for example, policy rule priorities) are deprecated, and replacement elements are defined (in this case, priorities tied to associations that refer to policy rules). Both types of changes are done in such a way that, to the extent possible, interoperability with implementations of the original PCIM model is preserved. This document updates RFC 3060.

Table of Contents
   1. Introduction
   2. Changes since RFC 3060
   3. Overview of the Changes
      3.1. How to Change an Information Model
      3.2. List of Changes to the Model
           3.2.1. Changes to PolicyRepository
           3.2.2. Additional Associations and Additional Reusable Elements
           3.2.3. Priorities and Decision Strategies
           3.2.4. Policy Roles
           3.2.5. CompoundPolicyConditions and CompoundPolicyActions
           3.2.6. Variables and Values
           3.2.7. Domain-Level Packet Filtering
           3.2.8. Device-Level Packet Filtering
   4. The Updated Class and Association Class Hierarchies
   5. Areas of Extension to PCIM
      5.1. Policy Scope
           5.1.1. Levels of Abstraction: Domain- and Device-Level Policies
           5.1.2. Administrative and Functional Scopes
      5.2. Reusable Policy Elements
      5.3. Policy Sets
      5.4. Nested Policy Rules
           5.4.1. Usage Rules for Nested Rules
           5.4.2. Motivation
      5.5. Priorities and Decision Strategies
           5.5.1. Structuring Decision Strategies
           5.5.2. Side Effects
           5.5.3. Multiple PolicySet Trees For a Resource
           5.5.4. Deterministic Decisions
      5.6. Policy Roles
           5.6.1. Comparison of Roles in PCIM with Roles in snmpconf
           5.6.2. Addition of PolicyRoleCollection to PCIMe
           5.6.3. Roles for PolicyGroups
      5.7. Compound Policy Conditions and Compound Policy Actions
           5.7.1. Compound Policy Conditions
           5.7.2. Compound Policy Actions
      5.8. Variables and Values
           5.8.1. Simple Policy Conditions
           5.8.2. Using Simple Policy Conditions
           5.8.3. The Simple Condition Operator
           5.8.4. SimplePolicyActions
           5.8.5. Policy Variables
           5.8.6. Explicitly Bound Policy Variables
           5.8.7. Implicitly Bound Policy Variables
           5.8.8. Structure and Usage of Pre-Defined Variables
           5.8.9. Rationale for Modeling Implicit Variables as Classes
           5.8.10. Policy Values
      5.9. Packet Filtering
           5.9.1. Domain-Level Packet Filters
           5.9.2. Device-Level Packet Filters
      5.10. Conformance to PCIM and PCIMe
   6. Class Definitions
      6.1. The Abstract Class "PolicySet"
      6.2. Update PCIM's Class "PolicyGroup"
      6.3. Update PCIM's Class "PolicyRule"
      6.4. The Class "SimplePolicyCondition"
      6.5. The Class "CompoundPolicyCondition"
      6.6. The Class "CompoundFilterCondition"
      6.7. The Class "SimplePolicyAction"
      6.8. The Class "CompoundPolicyAction"
      6.9. The Abstract Class "PolicyVariable"
      6.10. The Class "PolicyExplicitVariable"
           6.10.1. The Single-Valued Property "ModelClass"
           6.10.2. The Single-Valued Property "ModelProperty"
      6.11. The Abstract Class "PolicyImplicitVariable"
           6.11.1. The Multi-Valued Property "ValueTypes"
      6.12. Subclasses of "PolicyImplicitVariable" Specified in PCIMe
           6.12.1. The Class "PolicySourceIPv4Variable"
           6.12.2. The Class "PolicySourceIPv6Variable"
           6.12.3. The Class "PolicyDestinationIPv4Variable"
           6.12.4. The Class "PolicyDestinationIPv6Variable"
           6.12.5. The Class "PolicySourcePortVariable"
           6.12.6. The Class "PolicyDestinationPortVariable"
           6.12.7. The Class "PolicyIPProtocolVariable"
           6.12.8. The Class "PolicyIPVersionVariable"
           6.12.9. The Class "PolicyIPToSVariable"
           6.12.10. The Class "PolicyDSCPVariable"
           6.12.11. The Class "PolicyFlowIdVariable"
           6.12.12. The Class "PolicySourceMACVariable"
           6.12.13. The Class "PolicyDestinationMACVariable"
           6.12.14. The Class "PolicyVLANVariable"
           6.12.15. The Class "PolicyCoSVariable"
           6.12.16. The Class "PolicyEthertypeVariable"
           6.12.17. The Class "PolicySourceSAPVariable"
           6.12.18. The Class "PolicyDestinationSAPVariable"
           6.12.19. The Class "PolicySNAPOUIVariable"
           6.12.20. The Class "PolicySNAPTypeVariable"
           6.12.21. The Class "PolicyFlowDirectionVariable"
      6.13. The Abstract Class "PolicyValue"
      6.14. Subclasses of "PolicyValue" Specified in PCIMe
           6.14.1. The Class "PolicyIPv4AddrValue"
           6.14.2. The Class "PolicyIPv6AddrValue"
           6.14.3. The Class "PolicyMACAddrValue"
           6.14.4. The Class "PolicyStringValue"
           6.14.5. The Class "PolicyBitStringValue"
           6.14.6. The Class "PolicyIntegerValue"
           6.14.7. The Class "PolicyBooleanValue"
      6.15. The Class "PolicyRoleCollection"
           6.15.1. The Single-Valued Property "PolicyRole"
      6.16. The Class "ReusablePolicyContainer"
      6.17. Deprecate PCIM's Class "PolicyRepository"
      6.18. The Abstract Class "FilterEntryBase"
      6.19. The Class "IpHeadersFilter"
           6.19.1. The Property HdrIpVersion
           6.19.2. The Property HdrSrcAddress
           6.19.3. The Property HdrSrcAddressEndOfRange
           6.19.4. The Property HdrSrcMask
           6.19.5. The Property HdrDestAddress
           6.19.6. The Property HdrDestAddressEndOfRange
           6.19.7. The Property HdrDestMask
           6.19.8. The Property HdrProtocolID
           6.19.9. The Property HdrSrcPortStart
           6.19.10. The Property HdrSrcPortEnd
           6.19.11. The Property HdrDestPortStart
           6.19.12. The Property HdrDestPortEnd
           6.19.13. The Property HdrDSCP
           6.19.14. The Property HdrFlowLabel
      6.20. The Class "8021Filter"
           6.20.1. The Property 8021HdrSrcMACAddr
           6.20.2. The Property 8021HdrSrcMACMask
           6.20.3. The Property 8021HdrDestMACAddr
           6.20.4. The Property 8021HdrDestMACMask
           6.20.5. The Property 8021HdrProtocolID
           6.20.6. The Property 8021HdrPriorityValue
           6.20.7. The Property 8021HdrVLANID
      6.21. The Class FilterList
           6.21.1. The Property Direction
   7. Association and Aggregation Definitions
      7.1. The Aggregation "PolicySetComponent"
      7.2. Deprecate PCIM's Aggregation "PolicyGroupInPolicyGroup"
      7.3. Deprecate PCIM's Aggregation "PolicyRuleInPolicyGroup"
      7.4. The Abstract Association "PolicySetInSystem"
      7.5. Update PCIM's Weak Association "PolicyGroupInSystem"
      7.6. Update PCIM's Weak Association "PolicyRuleInSystem"
      7.7. The Abstract Aggregation "PolicyConditionStructure"
      7.8. Update PCIM's Aggregation "PolicyConditionInPolicyRule"
      7.9. The Aggregation "PolicyConditionInPolicyCondition"
      7.10. The Abstract Aggregation "PolicyActionStructure"
      7.11. Update PCIM's Aggregation "PolicyActionInPolicyRule"
      7.12. The Aggregation "PolicyActionInPolicyAction"
      7.13. The Aggregation "PolicyVariableInSimplePolicyCondition"
      7.14. The Aggregation "PolicyValueInSimplePolicyCondition"
      7.15. The Aggregation "PolicyVariableInSimplePolicyAction"
      7.16. The Aggregation "PolicyValueInSimplePolicyAction"
      7.17. The Association "ReusablePolicy"
      7.18. Deprecate PCIM's "PolicyConditionInPolicyRepository"
      7.19. Deprecate PCIM's "PolicyActionInPolicyRepository"
      7.20. The Association ExpectedPolicyValuesForVariable
      7.21. The Aggregation "ContainedDomain"
      7.22. Deprecate PCIM's "PolicyRepositoryInPolicyRepository"
      7.23. The Aggregation "EntriesInFilterList"
           7.23.1. The Reference GroupComponent
           7.23.2. The Reference PartComponent
           7.23.3. The Property EntrySequence
      7.24. The Aggregation "ElementInPolicyRoleCollection"
      7.25. The Weak Association "PolicyRoleCollectionInSystem"
   8. Intellectual Property
   9. Acknowledgements
   10. Contributors
   11. Security Considerations
   12. Normative References
   13. Informative References
   Author's Address
   Full Copyright Statement

1. Introduction
   This document specifies a number of changes to the Policy Core Information Model (PCIM), RFC 3060 [1]. Two types of changes are included. First, several completely new elements are introduced, for example, classes for header filtering, that extend PCIM into areas that it did not previously cover. Second, there are cases where elements of PCIM (for example, policy rule priorities) are deprecated, and replacement elements are defined (in this case, priorities tied to associations that refer to policy rules). Both types of changes are done in such a way that, to the extent possible, interoperability with implementations of the original PCIM model is preserved.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [8].

2. Changes since RFC 3060
   Section 3.2 contains a short discussion of the changes that this document makes to the RFC 3060 information model. Here is a very brief list of the changes:

   1. Deprecate and replace PolicyRepository and its associations.
   2. Clarify and expand the ways that PolicyRules and PolicyGroups are aggregated.
   3. Change how prioritization for PolicyRules is represented, and introduce administrator-specified decision strategies for rule evaluation.
   4. Expand the role of PolicyRoles, and introduce a means of associating a PolicyRole with a resource.
   5. Introduce compound policy conditions and compound policy actions into the model.
   6. Introduce variables and values into the model.
   7. Introduce variable and value subclasses for packet-header filtering.
   8. Introduce classes for device-level packet-header filtering.

3. Overview of the Changes
3.1. How to Change an Information Model
   The Policy Core Information Model is closely aligned with the DMTF's CIM Core Policy model. Since there is no separately documented set of rules for specifying IETF information models such as PCIM, it is reasonable to look to the CIM specifications for guidance on how to modify and extend the model. Among the CIM rules for changing an information model are the following. Note that everything said here about "classes" applies to association classes (including aggregations) as well as to non-association classes.

   o  Properties may be added to existing classes.

   o  Classes, and individual properties, may be marked as DEPRECATED. If there is a replacement feature for the deprecated class or property, it is identified explicitly. Otherwise the notation "No value" is used. In this document, the notation "DEPRECATED FOR <feature-name>" is used to indicate that a feature has been deprecated, and to identify its replacement feature.

   o  Classes may be inserted into the inheritance hierarchy above existing classes, and properties from the existing classes may then be "pulled up" into the new classes. The net effect is that the existing classes have exactly the same properties they had before, but the properties are inherited rather than defined explicitly in the classes.

   o  New subclasses may be defined below existing classes.

3.2. List of Changes to the Model
   The following subsections provide a very brief overview of the changes to PCIM defined in PCIMe. In several cases, the origin of the change is noted, as QPIM [11], ICPM [12], or QDDIM [15].

3.2.1. Changes to PolicyRepository
Because of the potential for confusion with the Policy Framework component Policy Repository (from the four-box picture: Policy Management Tool, Policy Repository, PDP, PEP), "PolicyRepository" is a bad name for the PCIM class representing a container of reusable policy elements. Thus the class PolicyRepository is being replaced with the class ReusablePolicyContainer. To accomplish this change, it is necessary to deprecate the PCIM class PolicyRepository and its
three associations, and replace them with a new class ReusablePolicyContainer and new associations. As a separate change, the associations for ReusablePolicyContainer are being broadened, to allow a ReusablePolicyContainer to contain any reusable policy elements. In PCIM, the only associations defined for a PolicyRepository were for it to contain reusable policy conditions and policy actions.

3.2.2. Additional Associations and Additional Reusable Elements
   The PolicyRuleInPolicyRule and PolicyGroupInPolicyRule aggregations have, in effect, been imported from QPIM. ("In effect" because these two aggregations, as well as PCIM's two aggregations PolicyGroupInPolicyGroup and PolicyRuleInPolicyGroup, are all being combined into a single aggregation PolicySetComponent.) These aggregations make it possible to define larger "chunks" of reusable policy to place in a ReusablePolicyContainer. These aggregations also introduce new semantics representing the contextual implications of having one PolicyRule executing within the scope of another PolicyRule.

3.2.3. Priorities and Decision Strategies
   Drawing from both QPIM and ICPM, the Priority property has been deprecated in PolicyRule, and placed instead on the aggregation PolicySetComponent. The QPIM rules for resolving relative priorities across nested PolicyGroups and PolicyRules have been incorporated into PCIMe as well.

   With the removal of the Priority property from PolicyRule, a new modeling dependency is introduced. In order to prioritize a PolicyRule/PolicyGroup relative to other PolicyRules/PolicyGroups, the elements being prioritized must all reside in one of three places: in a common PolicyGroup, in a common PolicyRule, or in a common System.

   In the absence of any clear, general criterion for detecting policy conflicts, the PCIM restriction stating that priorities are relevant only in the case of conflicts is being removed. In its place, a PolicyDecisionStrategy property has been added to the PolicyGroup and PolicyRule classes. This property allows a policy administrator to select one of two behaviors with respect to rule evaluation: either perform the actions for all PolicyRules whose conditions evaluate to TRUE, or perform the actions only for the highest-priority PolicyRule whose conditions evaluate to TRUE. (This is accomplished by placing the PolicyDecisionStrategy property in an abstract class PolicySet, from which PolicyGroup and PolicyRule are derived.) The QPIM rules for applying decision strategies to a nested set of PolicyGroups and PolicyRules have also been imported.

3.2.4. Policy Roles
   The concept of policy roles is added to PolicyGroups (being present already in the PolicyRule class). This is accomplished via a new superclass for both PolicyRules and PolicyGroups - PolicySet. For nested PolicyRules and PolicyGroups, any roles associated with the outer rule or group are automatically "inherited" by the nested one. Additional roles may be added at the level of a nested rule or group.

   It was also observed that there is no mechanism in PCIM for assigning roles to resources. For example, while it is possible in PCIM to associate a PolicyRule with the role "FrameRelay&&WAN", there is no way to indicate which interfaces match this criterion. A new PolicyRoleCollection class has been defined in PCIMe, representing the collection of resources associated with a particular role. The linkage between a PolicyRule or PolicyGroup and a set of resources is then represented by an instance of PolicyRoleCollection. Equivalent values should be defined in the PolicyRoles property of PolicyRules and PolicyGroups, and in the PolicyRole property in PolicyRoleCollection.

3.2.5. CompoundPolicyConditions and CompoundPolicyActions
The concept of a CompoundPolicyCondition has also been imported into PCIMe from QPIM, and broadened to include a parallel CompoundPolicyAction. In both cases the idea is to create reusable "chunks" of policy that can exist as named elements in a ReusablePolicyContainer. The "Compound" classes and their associations incorporate the condition and action semantics that PCIM defined at the PolicyRule level: DNF/CNF for conditions, and ordering for actions. Compound conditions and actions are defined to work with any component conditions and actions. In other words, while the components may be instances, respectively, of SimplePolicyCondition and SimplePolicyAction (discussed immediately below), they need not be.
3.2.6. Variables and Values
   The SimplePolicyCondition / PolicyVariable / PolicyValue structure has been imported into PCIMe from QPIM. A list of PCIMe-level variables is defined, as well as a list of PCIMe-level values. Other variables and values may, if necessary, be defined in submodels of PCIMe. For example, QPIM defines a set of implicit variables corresponding to fields in RSVP flows.

   A corresponding SimplePolicyAction / PolicyVariable / PolicyValue structure is also defined. While the semantics of a SimplePolicyCondition are "variable matches value", a SimplePolicyAction has the semantics "set variable to value".

3.2.7. Domain-Level Packet Filtering
   For packet filtering specified at the domain level, a set of PolicyVariables and PolicyValues are defined, corresponding to the fields in an IP packet header plus the most common Layer 2 frame header fields. It is expected that domain-level policy conditions that filter on these header fields will be expressed in terms of CompoundPolicyConditions built up from SimplePolicyConditions that use these variables and values. An additional PolicyVariable, PacketDirection, is also defined, to indicate whether a packet being filtered is traveling inbound or outbound on an interface.

3.2.8. Device-Level Packet Filtering
   For packet filtering expressed at the device level, including the packet classifier filters modeled in QDDIM, the variables and values discussed in Section 3.2.7 need not be used. Filter classes derived from the CIM FilterEntryBase class hierarchy are available for use in these contexts. These latter classes have two important differences from the domain-level classes:

   o  They support specification of filters for all of the fields in a particular protocol header in a single object instance. With the domain-level classes, separate instances are needed for each header field.

   o  They provide native representations for the filter values, as opposed to the string representation used by the domain-level classes.

   Device-level filter classes for the IP-related headers (IP, UDP, and TCP) and the 802 MAC headers are defined, respectively, in Sections 6.19 and 6.20.
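   The two ways of expressing one filter, from Sections 3.2.7 and 3.2.8, side by side: this is an added example, not code from RFC 3460 or from any PCIM implementation. It assumes the string encodings for address, protocol and port values ("a.b.c.d/n", "6", "lo-hi"), the DNF layout of the compound condition, the packet dictionary and the filter itself, all of which are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Domain level (3.2.7): one SimplePolicyCondition per header field, values
# carried as strings, combined by a CompoundPolicyCondition.  The mapping
# from PCIMe variable class to packet field is constructed for this example.
VARIABLE_TO_FIELD = {
    "PolicyDestinationIPv4Variable": "dst",
    "PolicyIPProtocolVariable": "proto",
    "PolicyDestinationPortVariable": "dport",
}


@dataclass
class SimplePolicyCondition:
    """Semantics 'variable matches value'; a value list matches if any does."""
    variable: str
    values: List[str]          # string encodings: "a.b.c.d[/n]", "n", "lo-hi"

    def evaluate(self, packet: dict) -> bool:
        actual = packet[VARIABLE_TO_FIELD[self.variable]]
        return any(self._one(v, actual) for v in self.values)

    def _one(self, value: str, actual) -> bool:
        if self.variable.endswith("IPv4Variable"):    # address or prefix
            net = ipaddress.ip_network(value, strict=False)
            return ipaddress.ip_address(actual) in net
        if "-" in value:                              # port range "lo-hi"
            lo, hi = (int(x) for x in value.split("-"))
            return lo <= actual <= hi
        return int(value) == actual                   # exact integer match


@dataclass
class CompoundPolicyCondition:
    """DNF: OR over groups, AND within a group (PCIM's rule-level DNF form)."""
    groups: List[List[SimplePolicyCondition]]

    def evaluate(self, packet: dict) -> bool:
        return any(all(c.evaluate(packet) for c in g) for g in self.groups)


# Device level (3.2.8): the IP header fields in one object, native values
# (packed address bytes, integers); a None field means "don't care".
@dataclass
class IpHeadersFilter:
    hdr_dest_address: Optional[bytes] = None
    hdr_dest_mask: Optional[bytes] = None
    hdr_protocol_id: Optional[int] = None
    hdr_dest_port_start: Optional[int] = None
    hdr_dest_port_end: Optional[int] = None

    def matches(self, packet: dict) -> bool:
        if self.hdr_dest_address is not None:
            dst = ipaddress.ip_address(packet["dst"]).packed
            mask = self.hdr_dest_mask or b"\xff" * len(dst)
            if any((a & m) != (w & m)
                   for a, w, m in zip(dst, self.hdr_dest_address, mask)):
                return False
        if self.hdr_protocol_id is not None and packet["proto"] != self.hdr_protocol_id:
            return False
        if self.hdr_dest_port_start is not None and not (
                self.hdr_dest_port_start <= packet["dport"] <= self.hdr_dest_port_end):
            return False
        return True


def build_filters():
    """Constructed filter: TCP to 10.0.0.0/8 with destination port 8000-8080.
    Three domain-level instances versus a single device-level instance."""
    domain = CompoundPolicyCondition(groups=[[
        SimplePolicyCondition("PolicyDestinationIPv4Variable", ["10.0.0.0/8"]),
        SimplePolicyCondition("PolicyIPProtocolVariable", ["6"]),
        SimplePolicyCondition("PolicyDestinationPortVariable", ["8000-8080"]),
    ]])
    device = IpHeadersFilter(hdr_dest_address=bytes([10, 0, 0, 0]),
                             hdr_dest_mask=bytes([255, 0, 0, 0]),
                             hdr_protocol_id=6,
                             hdr_dest_port_start=8000, hdr_dest_port_end=8080)
    return domain, device


def verdicts(packet: dict):
    """Evaluate one constructed packet both ways; the verdicts must agree."""
    domain, device = build_filters()
    return domain.evaluate(packet), device.matches(packet)
```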
4. The Updated Class and Association Class Hierarchies
   The following figure shows the class inheritance hierarchy for PCIMe. Changes from the PCIM hierarchy are noted parenthetically.

   ManagedElement (abstract)
    |
    +--Policy (abstract)
    |  |
    |  +---PolicySet (abstract -- new - 5.3)
    |  |  |
    |  |  +---PolicyGroup (moved - 5.3)
    |  |  |
    |  |  +---PolicyRule (moved - 5.3)
    |  |
    |  +---PolicyCondition (abstract)
    |  |  |
    |  |  +---PolicyTimePeriodCondition
    |  |  |
    |  |  +---VendorPolicyCondition
    |  |  |
    |  |  +---SimplePolicyCondition (new - 5.8.1)
    |  |  |
    |  |  +---CompoundPolicyCondition (new - 5.7.1)
    |  |     |
    |  |     +---CompoundFilterCondition (new - 5.9)
    |  |
    |  +---PolicyAction (abstract)
    |  |  |
    |  |  +---VendorPolicyAction
    |  |  |
    |  |  +---SimplePolicyAction (new - 5.8.4)
    |  |  |
    |  |  +---CompoundPolicyAction (new - 5.7.2)
    |  |
    |  +---PolicyVariable (abstract -- new - 5.8.5)
    |  |  |
    |  |  +---PolicyExplicitVariable (new - 5.8.6)
    |  |  |
    |  |  +---PolicyImplicitVariable (abstract -- new - 5.8.7)
    |  |     |
    |  |     +---(subtree of more specific classes -- new - 6.12)
    |  |
    |  +---PolicyValue (abstract -- new - 5.8.10)
    |     |
    |     +---(subtree of more specific classes -- new - 6.14)
    |
    +--Collection (abstract -- newly referenced)
       |
       +--PolicyRoleCollection (new - 5.6.2)

   ManagedElement (abstract)
    |
    +--ManagedSystemElement (abstract)
       |
       +--LogicalElement (abstract)
          |
          +--System (abstract)
          |  |
          |  +--AdminDomain (abstract)
          |     |
          |     +---ReusablePolicyContainer (new - 5.2)
          |     |
          |     +---PolicyRepository (deprecated - 5.2)
          |
          +--FilterEntryBase (abstract -- new - 6.18)
          |  |
          |  +--IpHeadersFilter (new - 6.19)
          |  |
          |  +--8021Filter (new - 6.20)
          |
          +--FilterList (new - 6.21)

               Figure 1. Class Inheritance Hierarchy for PCIMe
   The following figure shows the association class hierarchy for PCIMe. As before, changes from PCIM are noted parenthetically.

   [unrooted]
    |
    +---PolicyComponent (abstract)
    |  |
    |  +---PolicySetComponent (new - 5.3)
    |  |
    |  +---PolicyGroupInPolicyGroup (deprecated - 5.3)
    |  |
    |  +---PolicyRuleInPolicyGroup (deprecated - 5.3)
    |  |
    |  +---PolicyConditionStructure (abstract -- new - 5.7.1)
    |  |  |
    |  |  +---PolicyConditionInPolicyRule (moved - 5.7.1)
    |  |  |
    |  |  +---PolicyConditionInPolicyCondition (new - 5.7.1)
    |  |
    |  +---PolicyRuleValidityPeriod
    |  |
    |  +---PolicyActionStructure (abstract -- new - 5.7.2)
    |  |  |
    |  |  +---PolicyActionInPolicyRule (moved - 5.7.2)
    |  |  |
    |  |  +---PolicyActionInPolicyAction (new - 5.7.2)
    |  |
    |  +---PolicyVariableInSimplePolicyCondition (new - 5.8.2)
    |  |
    |  +---PolicyValueInSimplePolicyCondition (new - 5.8.2)
    |  |
    |  +---PolicyVariableInSimplePolicyAction (new - 5.8.4)
    |  |
    |  +---PolicyValueInSimplePolicyAction (new - 5.8.4)

   [unrooted]
    |
    +---Dependency (abstract)
    |  |
    |  +---PolicyInSystem (abstract)
    |  |  |
    |  |  +---PolicySetInSystem (abstract, new - 5.3)
    |  |  |  |
    |  |  |  +---PolicyGroupInSystem
    |  |  |  |
    |  |  |  +---PolicyRuleInSystem
    |  |  |
    |  |  +---ReusablePolicy (new - 5.2)
    |  |  |
    |  |  +---PolicyConditionInPolicyRepository (deprecated - 5.2)
    |  |  |
    |  |  +---PolicyActionInPolicyRepository (deprecated - 5.2)
    |  |
    |  +---ExpectedPolicyValuesForVariable (new - 5.8)
    |  |
    |  +---PolicyRoleCollectionInSystem (new - 5.6.2)
    |
    +---Component (abstract)
    |  |
    |  +---SystemComponent
    |  |  |
    |  |  +---ContainedDomain (new - 5.2)
    |  |  |
    |  |  +---PolicyRepositoryInPolicyRepository (deprecated - 5.2)
    |  |
    |  +---EntriesInFilterList (new - 7.23)
    |
    +---MemberOfCollection (newly referenced)
       |
       +---ElementInPolicyRoleCollection (new - 5.6.2)

          Figure 2. Association Class Inheritance Hierarchy for PCIMe

   In addition to these changes that show up at the class and association class level, there are other changes from PCIM involving individual class properties. In some cases new properties are introduced into existing classes, and in other cases existing properties are deprecated (without deprecating the classes that contain them).
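   The PolicySet / PolicyGroup / PolicyRule part of Figure 1, together with the PolicySetComponent priority and the PolicyDecisionStrategy of Section 3.2.3, worked through as an added example that is not code from RFC 3460 or from any PCIM implementation. It assumes the strategy names FirstMatching and AllMatching, that a larger priority value ranks first, that a PolicyGroup counts as matched when any of its members matches, and that an enclosing PolicyRule's actions run before its nested PolicySets (a simplification of the QPIM rules the section only refers to); the policy and packets are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

FIRST_MATCHING = "FirstMatching"   # act only on the highest-priority match
ALL_MATCHING = "AllMatching"       # act on every match, in priority order


@dataclass
class PolicySet:
    """Abstract PolicySet: carries the decision strategy and the prioritized
    PolicySetComponent aggregation (priority lives here, not on the rule)."""
    name: str
    decision_strategy: str = FIRST_MATCHING
    components: List[Tuple[int, "PolicySet"]] = field(default_factory=list)

    def add(self, priority: int, member: "PolicySet") -> "PolicySet":
        self.components.append((priority, member))
        return self


@dataclass
class PolicyGroup(PolicySet):
    pass


@dataclass
class PolicyRule(PolicySet):
    condition: Callable[[dict], bool] = lambda packet: True
    actions: List[str] = field(default_factory=list)


def evaluate(policy_set: PolicySet, packet: dict) -> Tuple[bool, List[str]]:
    """Return (matched, actions performed in execution order)."""
    performed: List[str] = []
    if isinstance(policy_set, PolicyRule):
        if not policy_set.condition(packet):
            return False, performed
        performed.extend(policy_set.actions)   # enclosing rule acts first
    any_match = False
    # Priorities are only comparable among members of this one PolicySet.
    for _priority, member in sorted(policy_set.components, key=lambda c: -c[0]):
        matched, actions = evaluate(member, packet)
        if not matched:
            continue
        any_match = True
        performed.extend(actions)
        if policy_set.decision_strategy == FIRST_MATCHING:
            break                              # ignore lower-priority matches
    if isinstance(policy_set, PolicyRule):
        return True, performed
    return any_match, performed


def build_sample_policy(strategy: str = FIRST_MATCHING) -> PolicyGroup:
    """Constructed policy: a 'deny telnet' rule outranks a nested QoS group
    that marks TCP and counts everything (the nested group is AllMatching)."""
    qos = PolicyGroup("qos", decision_strategy=ALL_MATCHING)
    qos.add(5, PolicyRule("mark-tcp", condition=lambda p: p["proto"] == 6,
                          actions=["set-dscp"]))
    qos.add(1, PolicyRule("count-all", actions=["count"]))
    edge = PolicyGroup("edge", decision_strategy=strategy)
    edge.add(20, PolicyRule("deny-telnet", condition=lambda p: p["dport"] == 23,
                            actions=["drop"]))
    edge.add(10, qos)
    return edge


# Constructed packets: IP protocol number and destination port only.
TELNET = {"proto": 6, "dport": 23}
HTTP = {"proto": 6, "dport": 80}
DNS = {"proto": 17, "dport": 53}

if __name__ == "__main__":
    for strategy in (FIRST_MATCHING, ALL_MATCHING):
        for pkt in (TELNET, HTTP, DNS):
            print(strategy, pkt, evaluate(build_sample_policy(strategy), pkt))
```

   Under FirstMatching the telnet packet is only dropped, while under AllMatching the same packet is dropped, marked and counted, which is the whole difference the PolicyDecisionStrategy property encodes.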