RFC 4011
Policy Based Management MIB
Pages: 121
Proposed Standard
Proposed Standard
Part 4 of 4 – Pages 90 to 121
pmRoleEntry OBJECT-TYPE
SYNTAX PmRoleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A role string entry associates a role string with an
individual element.
Note that some combinations of index values may result in an
instance name that exceeds a length of 128 sub-identifiers,
which exceeds the maximum for the SNMP
protocol. Implementations should take care to avoid such
combinations."
INDEX { pmRoleElement, pmRoleContextName,
pmRoleContextEngineID, pmRoleString }
::= { pmRoleTable 1 }
PmRoleEntry ::= SEQUENCE {
pmRoleElement RowPointer,
pmRoleContextName SnmpAdminString,
pmRoleContextEngineID OCTET STRING,
pmRoleString PmUTF8String,
pmRoleStatus RowStatus
}
pmRoleElement OBJECT-TYPE
SYNTAX RowPointer
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The element with which this role string is associated.
For example, if the element is interface 3, then this object
will contain the OID for 'ifIndex.3'.
If the agent assigns new indexes in the MIB table to
represent the same underlying element (re-indexing), the
agent will modify this value to contain the new index for the
underlying element.
As this object is used in the index for the pmRoleTable,
users of this table should be careful not to create entries
that would result in instance names with more than 128
sub-identifiers."
::= { pmRoleEntry 1 }
pmRoleContextName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"If the associated element is not in the default SNMP context
for the target system, this object is used to identify the
context. If the element is in the default context, this object
is equal to the empty string."
::= { pmRoleEntry 2 }
pmRoleContextEngineID OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0 | 5..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"If the associated element is on a remote system, this object
is used to identify the remote system. This object contains
the contextEngineID of the system for which this role string
assignment is valid. If the element is on the local system
this object will be the empty string."
::= { pmRoleEntry 3 }
pmRoleString OBJECT-TYPE
SYNTAX PmUTF8String (SIZE (0..64))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The role string that is associated with an element through
this table. All role strings must have been successfully
transformed by Stringprep RFC 3454. Management stations
must perform this translation and must only set this object
to string values that have been transformed.
A role string is an administratively specified characteristic
of a managed element (for example, an interface). It is a
selector for policy rules, that determines the applicability of
the rule to a particular managed element."
::= { pmRoleEntry 4 }
pmRoleStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this role string.
If the value of this object is active, no object in this row
may be modified."
::= { pmRoleEntry 5 }
-- Capabilities table
pmCapabilitiesTable OBJECT-TYPE
SYNTAX SEQUENCE OF PmCapabilitiesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The pmCapabilitiesTable contains a description of
the inherent capabilities of the system so that
management stations can learn of an agent's capabilities and
differentially install policies based on the capabilities.
Capabilities are expressed at the system level. There can be
variation in how capabilities are realized from one vendor or
model to the next. Management systems should consider these
differences before selecting which policy to install in a
system."
::= { pmMib 5 }
pmCapabilitiesEntry OBJECT-TYPE
SYNTAX PmCapabilitiesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A capabilities entry holds an OID indicating support for a
particular capability. Capabilities may include hardware and
software functions and the implementation of MIB
Modules. The semantics of the OID are defined in the
description of pmCapabilitiesType.
Entries appear in this table if any element in the system has
a specific capability. A capability should appear in this
table only once, regardless of the number of elements in the
system with that capability. An entry is removed from this
table when the last element in the system that has the
capability is removed. In some cases, capabilities are
dynamic and exist only in software. This table should have an
entry for the capability even if there are no current
instances. Examples include systems with database or WEB
services. While the system has the ability to create new
databases or WEB services, the entry should exist. In these
cases, the ability to create these services could come from
other processes that are running in the system, even though
there are no currently open databases or WEB servers running.
Capabilities may include the implementation of MIB Modules
but need not be limited to those that represent MIB Modules
with one or more configurable objects. It may also be
valuable to include entries for capabilities that do not
include configuration objects, as that information, in
combination with other entries in this table, might be used
by the management software to determine whether to
install a policy.
Vendor software may also add entries in this table to express
capabilities from their private branch.
Note that some values of this table's index may result in an
instance name that exceeds a length of 128 sub-identifiers,
which exceeds the maximum for the SNMP
protocol. Implementations should take care to avoid such
values."
INDEX { pmCapabilitiesType }
::= { pmCapabilitiesTable 1 }
PmCapabilitiesEntry ::= SEQUENCE {
pmCapabilitiesType OBJECT IDENTIFIER
}
pmCapabilitiesType OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"There are three types of OIDs that may be present in the
pmCapabilitiesType object:
1) The OID of a MODULE-COMPLIANCE macro that represents the
highest level of compliance realized by the agent for that
MIB Module. For example, an agent that implements the OSPF
MIB Module at the highest level of compliance would have the
value of '1.3.6.1.2.1.14.15.2' in the pmCapabilitiesType
object. For software that realizes standard MIB
Modules that do not have compliance statements, the base OID
of the MIB Module should be used instead. If the OSPF MIB
Module had not been created with a compliance statement, then
the correct value of the pmCapabilitiesType would be
'1.3.6.1.2.1.14'. In the cases where multiple compliance
statements in a MIB Module are supported by the agent, and
where one compliance statement does not by definition include
the other, each of the compliance OIDs would have entries in
this table.
MIB Documents can contain more than one MIB Module. In the
case of OSPF, there is a second MIB Module
that describes notifications for the OSPF Version 2 Protocol.
If the agent also realizes these functions, an entry will
also exist for those capabilities in this table.
2) Vendors should install OIDs in this table that represent
vendor-specific capabilities. These capabilities can be
expressed just as those described above for MIB Modules on
the standards track. In addition, vendors may install any
OID they desire from their registered branch. The OIDs may be
at any level of granularity, from the root of their entire
branch to an instance of a single OID. There is no
restriction on the number of registrations they may make,
though care should be taken to avoid unnecessary entries.
3) OIDs that represent one capability or a collection of
capabilities that could be any collection of MIB Objects or
hardware or software functions may be created in working
groups and registered in a MIB Module. Other entities (e.g.,
vendors) may also make registrations. Software will register
these standard capability OIDs, as well as vendor specific
OIDs.
If the OID for a known capability is not present in the
table, then it should be assumed that the capability is not
implemented.
As this object is used in the index for the
pmCapabilitiesTable, users of this table should be careful
not to create entries that would result in instance names
with more than 128 sub-identifiers."
::= { pmCapabilitiesEntry 1 }
-- Capabilities override table
pmCapabilitiesOverrideTable OBJECT-TYPE
SYNTAX SEQUENCE OF PmCapabilitiesOverrideEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The pmCapabilitiesOverrideTable allows management stations
to override pmCapabilitiesTable entries that have been
registered by the agent. This facility can be used to avoid
situations in which managers in the network send policies to
a system that has advertised a capability in the
pmCapabilitiesTable but that should not be installed on this
particular system. One example could be newly deployed
equipment that is still in a trial state in a trial state or
resources reserved for some other administrative reason.
This table can also be used to override entries in the
pmCapabilitiesTable through the use of the
pmCapabilitiesOverrideState object. Capabilities can also be
declared available in this table that were not registered in
the pmCapabilitiesTable. A management application can make
an entry in this table for any valid OID and declare the
capability available by setting the
pmCapabilitiesOverrideState for that row to valid(1)."
::= { pmMib 6 }
pmCapabilitiesOverrideEntry OBJECT-TYPE
SYNTAX PmCapabilitiesOverrideEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in this table indicates whether a particular
capability is valid or invalid.
Note that some values of this table's index may result in an
instance name that exceeds a length of 128 sub-identifiers,
which exceeds the maximum for the SNMP
protocol. Implementations should take care to avoid such
values."
INDEX { pmCapabilitiesOverrideType }
::= { pmCapabilitiesOverrideTable 1 }
PmCapabilitiesOverrideEntry ::= SEQUENCE {
pmCapabilitiesOverrideType OBJECT IDENTIFIER,
pmCapabilitiesOverrideState INTEGER,
pmCapabilitiesOverrideRowStatus RowStatus
}
pmCapabilitiesOverrideType OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This is the OID of the capability that is declared valid or
invalid by the pmCapabilitiesOverrideState value for this
row. Any valid OID, as described in the pmCapabilitiesTable,
is permitted in the pmCapabilitiesOverrideType object. This
means that capabilities can be expressed at any level, from a
specific instance of an object to a table or entire module.
There are no restrictions on whether these objects are from
standards track MIB documents or in the private branch of the
MIB.
If an entry exists in this table for which there is a
corresponding entry in the pmCapabilitiesTable, then this entry
shall have precedence over the entry in the
pmCapabilitiesTable. All entries in this table must be
preserved across reboots.
As this object is used in the index for the
pmCapabilitiesOverrideTable, users of this table should be
careful not to create entries that would result in instance
names with more than 128 sub-identifiers."
::= { pmCapabilitiesOverrideEntry 1 }
pmCapabilitiesOverrideState OBJECT-TYPE
SYNTAX INTEGER {
invalid(1),
valid(2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A pmCapabilitiesOverrideState of invalid indicates that
management software should not send policies to this system
for the capability identified in the
pmCapabilitiesOverrideType for this row of the table. This
behavior is the same whether the capability represented by
the pmCapabilitiesOverrideType exists only in this table
(that is, it was installed by an external management
application) or exists in this table as well as the
pmCapabilitiesTable. This would be the case when a manager
wanted to disable a capability that the native management
system found and registered in the pmCapabilitiesTable.
An entry in this table that has a pmCapabilitiesOverrideState
of valid should be treated as though it appeared in the
pmCapabilitiesTable. If the entry also exists in the
pmCapabilitiesTable in the pmCapabilitiesType object, and if
the value of this object is valid, then the system shall
operate as though this entry did not exist and policy
installations and executions will continue in a normal
fashion."
::= { pmCapabilitiesOverrideEntry 2 }
pmCapabilitiesOverrideRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The row status of this pmCapabilitiesOverrideEntry.
If the value of this object is active, no object in this row
may be modified."
::= { pmCapabilitiesOverrideEntry 3 }
-- The Schedule Group
pmSchedLocalTime OBJECT-TYPE
SYNTAX DateAndTime (SIZE (11))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local time used by the scheduler. Schedules that
refer to calendar time will use the local time indicated
by this object. An implementation MUST return all 11 bytes
of the DateAndTime textual-convention so that a manager
may retrieve the offset from GMT time."
::= { pmMib 7 }
--
-- The schedule table that controls the scheduler.
--
pmSchedTable OBJECT-TYPE
SYNTAX SEQUENCE OF PmSchedEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table defines schedules for policies."
::= { pmMib 8 }
pmSchedEntry OBJECT-TYPE
SYNTAX PmSchedEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry describing a particular schedule.
Unless noted otherwise, writable objects of this row can be
modified independently of the current value of pmSchedRowStatus,
pmSchedAdminStatus and pmSchedOperStatus. In particular, it
is legal to modify pmSchedWeekDay, pmSchedMonth, and
pmSchedDay when pmSchedRowStatus is active."
INDEX { pmSchedIndex }
::= { pmSchedTable 1 }
PmSchedEntry ::= SEQUENCE {
pmSchedIndex Unsigned32,
pmSchedGroupIndex Unsigned32,
pmSchedDescr PmUTF8String,
pmSchedTimePeriod PmUTF8String,
pmSchedMonth BITS,
pmSchedDay BITS,
pmSchedWeekDay BITS,
pmSchedTimeOfDay PmUTF8String,
pmSchedLocalOrUtc INTEGER,
pmSchedStorageType StorageType,
pmSchedRowStatus RowStatus
}
pmSchedIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The locally unique, administratively assigned index for this
scheduling entry."
::= { pmSchedEntry 1 }
pmSchedGroupIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The locally unique, administratively assigned index for the
schedule group this scheduling entry belongs to.
To assign multiple schedule entries to the same group, the
pmSchedGroupIndex of each entry in the group will be set to
the same value. This pmSchedGroupIndex value must be equal to
the pmSchedIndex of one of the entries in the group. If the
entry whose pmSchedIndex equals the pmSchedGroupIndex
for the group is deleted, the agent will assign a new
pmSchedGroupIndex to all remaining members of the group.
If an entry is not a member of a group, its pmSchedGroupIndex
must be assigned to the value of its pmSchedIndex.
Policies that are controlled by a group of schedule entries
are active when any schedule in the group is active."
::= { pmSchedEntry 2 }
pmSchedDescr OBJECT-TYPE
SYNTAX PmUTF8String
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The human-readable description of the purpose of this
scheduling entry."
DEFVAL { ''H }
::= { pmSchedEntry 3 }
pmSchedTimePeriod OBJECT-TYPE
SYNTAX PmUTF8String (SIZE (0..31))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The overall range of calendar dates and times over which this
schedule is active. It is stored in a slightly extended version
of the format for a 'period-explicit' defined in RFC 2445.
This format is expressed as a string representing the
starting date and time, in which the character 'T' indicates
the beginning of the time portion, followed by the solidus
character, '/', followed by a similar string representing an
end date and time. The start of the period MUST be before the
end of the period. Date-Time values are expressed as
substrings of the form 'yyyymmddThhmmss'. For example:
20000101T080000/20000131T130000
January 1, 2000, 0800 through January 31, 2000, 1PM
The 'Date with UTC time' format defined in RFC 2445 in which
the Date-Time string ends with the character 'Z' is not
allowed.
This 'period-explicit' format is also extended to allow two
special cases in which one of the Date-Time strings is
replaced with a special string defined in RFC 2445:
1. If the first Date-Time value is replaced with the string
'THISANDPRIOR', then the value indicates that the schedule
is active at any time prior to the Date-Time that appears
after the '/'.
2. If the second Date-Time is replaced with the string
'THISANDFUTURE', then the value indicates that the schedule
is active at any time after the Date-Time that appears
before the '/'.
Note that although RFC 2445 defines these two strings, they are
not specified for use in the 'period-explicit' format. The use
of these strings represents an extension to the
'period-explicit' format."
::= { pmSchedEntry 4 }
pmSchedMonth OBJECT-TYPE
SYNTAX BITS {
january(0),
february(1),
march(2),
april(3),
may(4),
june(5),
july(6),
august(7),
september(8),
october(9),
november(10),
december(11)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Within the overall time period specified in the
pmSchedTimePeriod object, the value of this object specifies
the specific months within that time period when the schedule
is active. Setting all bits will cause the schedule to act
independently of the month."
DEFVAL { { january, february, march, april, may, june, july,
august, september, october, november, december } }
::= { pmSchedEntry 5 }
pmSchedDay OBJECT-TYPE
SYNTAX BITS {
d1(0), d2(1), d3(2), d4(3), d5(4),
d6(5), d7(6), d8(7), d9(8), d10(9),
d11(10), d12(11), d13(12), d14(13), d15(14),
d16(15), d17(16), d18(17), d19(18), d20(19),
d21(20), d22(21), d23(22), d24(23), d25(24),
d26(25), d27(26), d28(27), d29(28), d30(29),
d31(30),
r1(31), r2(32), r3(33), r4(34), r5(35),
r6(36), r7(37), r8(38), r9(39), r10(40),
r11(41), r12(42), r13(43), r14(44), r15(45),
r16(46), r17(47), r18(48), r19(49), r20(50),
r21(51), r22(52), r23(53), r24(54), r25(55),
r26(56), r27(57), r28(58), r29(59), r30(60),
r31(61)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Within the overall time period specified in the
pmSchedTimePeriod object, the value of this object specifies
the specific days of the month within that time period when
the schedule is active.
There are two sets of bits one can use to define the day
within a month:
Enumerations starting with the letter 'd' indicate a
day in a month relative to the first day of a month.
The first day of the month can therefore be specified
by setting the bit d1(0), and d31(30) means the last
day of a month with 31 days.
Enumerations starting with the letter 'r' indicate a
day in a month in reverse order, relative to the last
day of a month. The last day in the month can therefore
be specified by setting the bit r1(31), and r31(61) means
the first day of a month with 31 days.
Setting multiple bits will include several days in the set
of possible days for this schedule. Setting all bits starting
with the letter 'd' or all bits starting with the letter 'r'
will cause the schedule to act independently of the day of the
month."
DEFVAL { { d1, d2, d3, d4, d5, d6, d7, d8, d9, d10,
d11, d12, d13, d14, d15, d16, d17, d18, d19, d20,
d21, d22, d23, d24, d25, d26, d27, d28, d29, d30,
d31, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10,
r11, r12, r13, r14, r15, r16, r17, r18, r19, r20,
r21, r22, r23, r24, r25, r26, r27, r28, r29, r30,
r31 } }
::= { pmSchedEntry 6 }
pmSchedWeekDay OBJECT-TYPE
SYNTAX BITS {
sunday(0),
monday(1),
tuesday(2),
wednesday(3),
thursday(4),
friday(5),
saturday(6)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Within the overall time period specified in the
pmSchedTimePeriod object, the value of this object specifies
the specific days of the week within that time period when
the schedule is active. Setting all bits will cause the
schedule to act independently of the day of the week."
DEFVAL { { sunday, monday, tuesday, wednesday, thursday,
friday, saturday } }
::= { pmSchedEntry 7 }
pmSchedTimeOfDay OBJECT-TYPE
SYNTAX PmUTF8String (SIZE (0..15))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Within the overall time period specified in the
pmSchedTimePeriod object, the value of this object specifies
the range of times in a day when the schedule is active.
This value is stored in a format based on the RFC 2445 format
for 'time': The character 'T' followed by a 'time' string,
followed by the solidus character, '/', followed by the
character 'T', followed by a second time string. The first time
indicates the beginning of the range, and the second time
indicates the end. Thus, this value takes the following
form:
'Thhmmss/Thhmmss'.
The second substring always identifies a later time than the
first substring. To allow for ranges that span midnight,
however, the value of the second string may be smaller than
the value of the first substring. Thus, 'T080000/T210000'
identifies the range from 0800 until 2100, whereas
'T210000/T080000' identifies the range from 2100 until 0800 of
the following day.
When a range spans midnight, by definition it includes parts
of two successive days. When one of these days is also
selected by either the MonthOfYearMask, DayOfMonthMask, and/or
DayOfWeekMask, but the other day is not, then the policy is
active only during the portion of the range that falls on the
selected day. For example, if the range extends from 2100
until 0800, and the day of week mask selects Monday and
Tuesday, then the policy is active during the following three
intervals:
From midnight Sunday until 0800 Monday
From 2100 Monday until 0800 Tuesday
From 2100 Tuesday until 23:59:59 Tuesday
Setting this value to 'T000000/T235959' will cause the
schedule to act independently of the time of day."
DEFVAL { '543030303030302F54323335393539'H } -- T000000/T235959
::= { pmSchedEntry 8 }
pmSchedLocalOrUtc OBJECT-TYPE
SYNTAX INTEGER {
localTime(1),
utcTime(2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates whether the times represented in the
TimePeriod object and in the various Mask objects represent
local times or UTC times."
DEFVAL { utcTime }
::= { pmSchedEntry 9 }
pmSchedStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object defines whether this schedule entry is kept
in volatile storage and lost upon reboot or
backed up by non-volatile or permanent storage.
Conceptual rows having the value 'permanent' must allow write
access to the columnar objects pmSchedDescr, pmSchedWeekDay,
pmSchedMonth, and pmSchedDay.
If the value of this object is 'permanent', no values in the
associated row have to be writable."
DEFVAL { volatile }
::= { pmSchedEntry 10 }
pmSchedRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this schedule entry.
If the value of this object is active, no object in this row
may be modified."
::= { pmSchedEntry 11 }
-- Policy Tracking
-- The "policy to element" (PE) table and the "element to policy" (EP)
-- table track the status of execution contexts grouped by policy and
-- element respectively.
pmTrackingPETable OBJECT-TYPE
SYNTAX SEQUENCE OF PmTrackingPEEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The pmTrackingPETable describes what elements
are active (under control of) a policy. This table is indexed
in order to optimize retrieval of the entire status for a
given policy."
::= { pmMib 9 }
pmTrackingPEEntry OBJECT-TYPE
SYNTAX PmTrackingPEEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the pmTrackingPETable. The pmPolicyIndex in
the index specifies the policy tracked by this entry.
Note that some combinations of index values may result in an
instance name that exceeds a length of 128 sub-identifiers,
which exceeds the maximum for the SNMP
protocol. Implementations should take care to avoid such
combinations."
INDEX { pmPolicyIndex, pmTrackingPEElement,
pmTrackingPEContextName, pmTrackingPEContextEngineID }
::= { pmTrackingPETable 1 }
PmTrackingPEEntry ::= SEQUENCE {
pmTrackingPEElement RowPointer,
pmTrackingPEContextName SnmpAdminString,
pmTrackingPEContextEngineID OCTET STRING,
pmTrackingPEInfo BITS
}
pmTrackingPEElement OBJECT-TYPE
SYNTAX RowPointer
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The element that is acted upon by the associated policy.
As this object is used in the index for the
pmTrackingPETable, users of this table should be careful not
to create entries that would result in instance names with
more than 128 sub-identifiers."
::= { pmTrackingPEEntry 1 }
pmTrackingPEContextName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"If the associated element is not in the default SNMP context
for the target system, this object is used to identify the
context. If the element is in the default context, this object
is equal to the empty string."
::= { pmTrackingPEEntry 2 }
pmTrackingPEContextEngineID OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0 | 5..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"If the associated element is on a remote system, this object
is used to identify the remote system. This object contains
the contextEngineID of the system on which the associated
element resides. If the element is on the local system,
this object will be the empty string."
::= { pmTrackingPEEntry 3 }
pmTrackingPEInfo OBJECT-TYPE
SYNTAX BITS {
actionSkippedDueToPrecedence(0),
conditionRunTimeException(1),
conditionUserSignal(2),
actionRunTimeException(3),
actionUserSignal(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This object returns information about the previous policy
script executions.
If the actionSkippedDueToPrecedence(1) bit is set, the last
execution of the associated policy condition returned non-zero,
but the action is not active, because it was trumped by a
matching policy condition in the same precedence group with a
higher precedence value.
If the conditionRunTimeException(2) bit is set, the last
execution of the associated policy condition encountered a
run-time exception and aborted.
If the conditionUserSignal(3) bit is set, the last
execution of the associated policy condition called the
signalError() function.
If the actionRunTimeException(4) bit is set, the last
execution of the associated policy action encountered a
run-time exception and aborted.
If the actionUserSignal(5) bit is set, the last
execution of the associated policy action called the
signalError() function.
Entries will only exist in this table of one or more bits are
set. In particular, if an entry does not exist for a
particular policy/element combination, it can be assumed that
the policy's condition did not match 'this element'."
::= { pmTrackingPEEntry 4 }
-- Element to Policy Table
pmTrackingEPTable OBJECT-TYPE
SYNTAX SEQUENCE OF PmTrackingEPEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The pmTrackingEPTable describes what policies
are controlling an element. This table is indexed in
order to optimize retrieval of the status of all policies
active for a given element."
::= { pmMib 10 }
pmTrackingEPEntry OBJECT-TYPE
SYNTAX PmTrackingEPEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the pmTrackingEPTable. Entries exist for all
element/policy combinations for which the policy's condition
matches and only if the schedule for the policy is active.
The pmPolicyIndex in the index specifies the policy
tracked by this entry.
Note that some combinations of index values may result in an
instance name that exceeds a length of 128 sub-identifiers,
which exceeds the maximum for the SNMP protocol.
Implementations should take care to avoid such combinations."
INDEX { pmTrackingEPElement, pmTrackingEPContextName,
pmTrackingEPContextEngineID, pmPolicyIndex }
::= { pmTrackingEPTable 1 }
PmTrackingEPEntry ::= SEQUENCE {
pmTrackingEPElement RowPointer,
pmTrackingEPContextName SnmpAdminString,
pmTrackingEPContextEngineID OCTET STRING,
pmTrackingEPStatus INTEGER
}
pmTrackingEPElement OBJECT-TYPE
SYNTAX RowPointer
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The element acted upon by the associated policy.
As this object is used in the index for the
pmTrackingEPTable, users of this table should be careful
not to create entries that would result in instance names
with more than 128 sub-identifiers."
::= { pmTrackingEPEntry 1 }
pmTrackingEPContextName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"If the associated element is not in the default SNMP context
for the target system, this object is used to identify the
context. If the element is in the default context, this object
is equal to the empty string."
::= { pmTrackingEPEntry 2 }
pmTrackingEPContextEngineID OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0 | 5..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"If the associated element is on a remote system, this object
is used to identify the remote system. This object contains
the contextEngineID of the system on which the associated
element resides. If the element is on the local system,
this object will be the empty string."
::= { pmTrackingEPEntry 3 }
pmTrackingEPStatus OBJECT-TYPE
SYNTAX INTEGER {
on(1),
forceOff(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This entry will only exist if the calendar for the policy is
active and if the associated policyCondition returned 1 for
'this element'.
A policy can be forcibly disabled on a particular element
by setting this value to forceOff(2). The agent should then
act as though the policyCondition failed for 'this element'.
The forceOff(2) state will persist (even across reboots) until
this value is set to on(1) by a management request. The
forceOff(2) state may be set even if the entry does not
previously exist so that future policy invocations can be
avoided.
Unless forcibly disabled, if this entry exists, its value
will be on(1)."
::= { pmTrackingEPEntry 4 }
-- Policy Debugging Table
pmDebuggingTable OBJECT-TYPE
SYNTAX SEQUENCE OF PmDebuggingEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Policies that have debugging turned on will generate a log
entry in the policy debugging table for every runtime
exception that occurs in either the condition or action
code.
The pmDebuggingTable logs debugging messages when
policies experience run-time exceptions in either the condition
or action code and the associated pmPolicyDebugging object
has been turned on.
The maximum number of debugging entries that will be stored
and the maximum length of time an entry will be kept are an
implementation-dependent manner. If entries must
be discarded to make room for new entries, the oldest entries
must be discarded first.
If the system restarts, all debugging entries may be deleted."
::= { pmMib 11 }
pmDebuggingEntry OBJECT-TYPE
SYNTAX PmDebuggingEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the pmDebuggingTable. The pmPolicyIndex in the
index specifies the policy that encountered the exception
that led to this log entry.
Note that some combinations of index values may result in an
instance name that exceeds a length of 128 sub-identifiers,
which exceeds the maximum for the SNMP protocol.
Implementations should take care to avoid such combinations."
INDEX { pmPolicyIndex, pmDebuggingElement,
pmDebuggingContextName, pmDebuggingContextEngineID,
pmDebuggingLogIndex }
::= { pmDebuggingTable 1 }
PmDebuggingEntry ::= SEQUENCE {
pmDebuggingElement RowPointer,
pmDebuggingContextName SnmpAdminString,
pmDebuggingContextEngineID OCTET STRING,
pmDebuggingLogIndex Unsigned32,
pmDebuggingMessage PmUTF8String
}
pmDebuggingElement OBJECT-TYPE
SYNTAX RowPointer
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The element the policy was executing on when it encountered
the error that led to this log entry.
For example, if the element is interface 3, then this object
will contain the OID for 'ifIndex.3'.
As this object is used in the index for the
pmDebuggingTable, users of this table should be careful
not to create entries that would result in instance names
with more than 128 sub-identifiers."
::= { pmDebuggingEntry 1 }
pmDebuggingContextName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"If the associated element is not in the default SNMP context
for the target system, this object is used to identify the
context. If the element is in the default context, this object
is equal to the empty string."
::= { pmDebuggingEntry 2 }
pmDebuggingContextEngineID OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0 | 5..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"If the associated element is on a remote system, this object
is used to identify the remote system. This object contains
the contextEngineID of the system on which the associated
element resides. If the element is on the local system,
this object will be the empty string."
::= { pmDebuggingEntry 3 }
pmDebuggingLogIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A unique index for this log entry among other log entries
for this policy/element combination."
::= { pmDebuggingEntry 4 }
pmDebuggingMessage OBJECT-TYPE
SYNTAX PmUTF8String (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An error message generated by the policy execution
environment. It is recommended that this message include the
time of day when the message was generated, if known."
::= { pmDebuggingEntry 5 }
-- Notifications
pmNotifications OBJECT IDENTIFIER ::= { pmMib 0 }
pmNewRoleNotification NOTIFICATION-TYPE
OBJECTS { pmRoleStatus }
STATUS current
DESCRIPTION
"The pmNewRoleNotification is sent when an agent is configured
with its first instance of a previously unused role string
(not every time a new element is given a particular role).
An instance of the pmRoleStatus object is sent containing
the new roleString in its index. In the event that two or
more elements are given the same role simultaneously, it is an
implementation-dependent matter as to which pmRoleTable
instance will be included in the notification."
::= { pmNotifications 1 }
pmNewCapabilityNotification NOTIFICATION-TYPE
OBJECTS { pmCapabilitiesType }
STATUS current
DESCRIPTION
"The pmNewCapabilityNotification is sent when an agent
gains a new capability that did not previously exist in any
element on the system (not every time an element gains a
particular capability).
An instance of the pmCapabilitiesType object is sent containing
the identity of the new capability. In the event that two or
more elements gain the same capability simultaneously, it is an
implementation-dependent matter as to which pmCapabilitiesType
instance will be included in the notification."
::= { pmNotifications 2 }
pmAbnormalTermNotification NOTIFICATION-TYPE
OBJECTS { pmTrackingPEInfo }
STATUS current
DESCRIPTION
"The pmAbnormalTermNotification is sent when a policy's
pmPolicyAbnormalTerminations gauge value changes from zero to
any value greater than zero and no such notification has been
sent for that policy in the last 5 minutes.
The notification contains an instance of the pmTrackingPEInfo
object where the pmPolicyIndex component of the index
identifies the associated policy and the rest of the index
identifies an element on which the policy failed."
::= { pmNotifications 3 }
-- Compliance Statements
pmConformance OBJECT IDENTIFIER ::= { pmMib 12 }
pmCompliances OBJECT IDENTIFIER ::= { pmConformance 1 }
pmGroups OBJECT IDENTIFIER ::= { pmConformance 2 }
pmCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Describes the requirements for conformance to
the Policy-Based Management MIB"
MODULE -- this module
MANDATORY-GROUPS { pmPolicyManagementGroup, pmSchedGroup,
pmNotificationGroup }
::= { pmCompliances 1 }
pmPolicyManagementGroup OBJECT-GROUP
OBJECTS { pmPolicyPrecedenceGroup, pmPolicyPrecedence,
pmPolicySchedule, pmPolicyElementTypeFilter,
pmPolicyConditionScriptIndex, pmPolicyActionScriptIndex,
pmPolicyParameters,
pmPolicyConditionMaxLatency, pmPolicyActionMaxLatency,
pmPolicyMaxIterations,
pmPolicyDescription, pmPolicyMatches,
pmPolicyAbnormalTerminations,
pmPolicyExecutionErrors, pmPolicyDebugging,
pmPolicyStorageType, pmPolicyAdminStatus,
pmPolicyRowStatus, pmPolicyCodeText, pmPolicyCodeStatus,
pmElementTypeRegMaxLatency, pmElementTypeRegDescription,
pmElementTypeRegStorageType, pmElementTypeRegRowStatus,
pmRoleStatus,
pmCapabilitiesType, pmCapabilitiesOverrideState,
pmCapabilitiesOverrideRowStatus,
pmTrackingPEInfo,
pmTrackingEPStatus,
pmDebuggingMessage }
STATUS current
DESCRIPTION
"Objects that allow for the creation and management of
configuration policies."
::= { pmGroups 1 }
pmSchedGroup OBJECT-GROUP
OBJECTS { pmSchedLocalTime, pmSchedGroupIndex,
pmSchedDescr, pmSchedTimePeriod,
pmSchedMonth, pmSchedDay, pmSchedWeekDay,
pmSchedTimeOfDay, pmSchedLocalOrUtc, pmSchedStorageType,
pmSchedRowStatus
}
STATUS current
DESCRIPTION
"Objects that allow for the scheduling of policies."
::= { pmGroups 2 }
pmNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS { pmNewRoleNotification,
pmNewCapabilityNotification,
pmAbnormalTermNotification }
STATUS current
DESCRIPTION
"Notifications sent by an Policy MIB agent."
::= { pmGroups 3 }
pmBaseFunctionLibrary OBJECT IDENTIFIER ::= { pmGroups 4 }
END
12. Relationship to Other MIB Modules
When policy-based management is used specifically for (policy-based)
configuration, the "Configuring Networks and Devices With SNMP" RFC
3512 [19] document describes configuration management practices,
terminology, and an example of a MIB Module that may be helpful to
those developing and using this technology.
The Policy MIB accesses system instrumentation for the purposes of
policy evaluation, control, notification, monitoring, and error
reporting. This information is available to managers in the form of
MIB objects. Information about system configuration is modified by
the Policy MIB through MIB objects defined in other MIB Modules.
Details about the operational or configuration details of a system
are retrieved by the manager via access to the specific MIB objects
available in a network element. As such, the Policy MIB can use any
standard or vendor-defined object that exists on a managed system. In particular, the Policy MIB may access standard or vendor specific objects that are instance-specific such as BGP timeout parameters and specific interface counters.13. Security Considerations
This MIB contains no objects for which read access would disclose sensitive information. There are a number of management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. With the exception of pmPolicyDescription, pmPolicyDebugging, pmElementTypeRegDescription, and pmSchedDescr, EVERY read-create and read-write object in this MIB should be considered sensitive because if an unauthorized user could manipulate these objects, s/he could cause the Policy MIB system to use the stored credentials of an authorized user to perform unauthorized and potentially harmful operations. There are no read-only objects in this MIB that contain sensitive information. SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPSec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module. It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [16], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy). Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.
An implementation must ensure that access control rules are applied when SNMP operations are performed in policy scripts. To ensure this, an implementation must record and maintain the security credentials of the last entity to modify each policy's pmPolicyAdminStatus object. The credentials to store are the securityModel, securityName, and securityLevel and will be used as input parameters for isAccessAllowed from the Architecture for Describing SNMP Management Frameworks [1]. This mechanism was first introduced in the DISMAN-SCHEDULE-MIB [12]. SNMP requests made when secModel, secName, and secLevel are specified use credentials stored in the local configuration datastore. Access to these credentials depends on the security credentials of the last entity to modify the policy's pmPolicyAdminStatus object. To determine whether the credentials can be accessed, the isAccessAllowed abstract service interface defined in RFC 3411 [1] is called: statusInformation = -- success or errorIndication isAccessAllowed( IN securityModel -- Security Model used IN securityName -- principal who wants to access IN securityLevel -- Level of Security used IN viewType -- write IN contextName -- context containing variableName IN variableName -- OID for an object in the proper -- LCD entry ) The securityModel, securityName, and securityLevel parameters are set to the values that were recorded when the policy was modified. The viewType is set to write, and the contextName and variableName are set to select any read-create object in the appropriate LCD entry. Proper configuration of VACM requires that write access to an LCD entry not be given to entities that aren't authorized to use the credentials therein. Access control for SNMP requests made to the local system where secModel, secName, and secLevel aren't specified depends on the security credentials of the last entity to modify the policy's pmPolicyAdminStatus object. To determine whether the operation should succeed, the isAccessAllowed abstract service interface defined in RFC 3411 [1] is called:
statusInformation = -- success or errorIndication
isAccessAllowed(
IN securityModel -- Security Model in use
IN securityName -- principal who wants to access
IN securityLevel -- Level of Security
IN viewType -- read, write, or notify view
IN contextName -- context as specified
IN variableName -- OID for the managed object
)
The securityModel, securityName, and securityLevel parameters are
set to the values that were recorded when the policy was modified.
The viewType, contextName, and variableName parameters are set as
appropriate for the requested SNMP operation.
Unless all users who have write access to the pmPolicyTable and
pmPolicyCodeTable have equivalent access to the managed system,
policy scripts could be used by a user to gain the privileges of
another user. Therefore, when policy users have different access,
access control should be applied so that a user's policies cannot be
modified by another user. To make this more convenient, a user can
place all of his or her policies in the same pmPolicyAdminGroup so
that a single access control view can apply to all of them.
Some policies may be designed to ensure the security of a network.
If these policies have not been installed pending the appearance of a
role or capability, some delay will occur in their activation
policies when the role or capability appears because a responsible
manager must notice the change and install the policy. This delay
may expose the device or the network to unacceptable security
vulnerabilities during this delay. If the role or capability appears
during a time of network stress or when the management station is
unavailable, this delay could be extensive, further increasing the
exposure. It is recommended that management stations install any
security-related policies that might ever be needed on a particular
managed device, even if a nonexistent role or capability suggests
that it is not needed at a given time.
This MIB allows the delegation of access rights so that a user
("Joe") can instruct a Policy MIB agent to execute remote operations
on his behalf that are authorized by keys stored by "Joe" into the
usmUserTable. Care needs to be taken to ensure that unauthorized
users are unable to configure their policies to use Joe's keys.
Although there are theoretically many ways to configure SNMP
security, users are advised to follow the most straightforward way
outlined below to minimize complexity and the resulting opportunity
for errors.
Assume that Joe has credentials that give him authority to manage
agents A, B, and C, as well as the Policy MIB agent "P". Joe will
store credentials for Joe@A, Joe@B, and Joe@C in the usmUserTable
of the Policy MIB agent. Then the following VACM configuration
will be used:
VACM securityToGroupTable
A single entry mapping user Joe@P to group JoesGroup
VACM accessTable
A single entry mapping group JoesGroup to write view JoesView
VACM viewTreeFamilyTable
ViewName Subtree Type
JoesView points to Joe@A in usmUserTable included
JoesView points to Joe@B in usmUserTable included
JoesView points to Joe@C in usmUserTable included
In the preceding examples, the notation Joe@A represents the entry
indexed by usmUserEngineID and usmUserName, where the SnmpEngineID
is that of system A and the usmUserName is "Joe".
14. IANA Considerations
This is a profile of stringprep. It has been registered by the IANA
in the stringprep profile registry located at:
http://www.iana.org/assignments/stringprep-profiles
Name of this profile:
Policy MIB Stringprep.
RFC in which the profile is defined:
This document.
Indicator whether this is the newest version of the profile:
This is the first version of Policy MIB Stringprep.
15. Acknowledgements
The authors gratefully acknowledge the significant contributions to this work made by Jeff Case, Patrik Falstrom, Joel Halpern, Pablo Halpern, Bob Moore, Steve Moulton, David Partain, and Walter Weiss. This MIB uses a security delegation mechanism that was first introduced in the DISMAN-SCHEDULE-MIB [12]. The Schedule table of this MIB borrows heavily from the PolicyTimePeriodCondition of the Policy Core Information Model (PCIM) [18] and from the DISMAN- SCHEDULE-MIB [12].16. References
16.1. Normative References
[1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002. [2] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [3] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [4] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [5] Presuhn, R., "Transport Mappings for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3417, December 2002. [6] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. [7] Presuhn, R., "Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3416, December 2002. [8] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence between Version 1, Version 2, and Version 3 of the Internet- standard Network Management Framework", BCP 74, RFC 3584, August 2003.
[9] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002. [10] International Standards Organization, "Information Technology - Programming Languages - C++", ISO/IEC 14882-1998 [11] Daniele, M. and J. Schoenwaelder, "Textual Conventions for Transport Addresses", RFC 3419, December 2002. [12] Levi, D. and J. Schoenwaelder, "Definitions of Managed Objects for Scheduling Management Operations", RFC 3231, January 2002. [13] Hoffman, P. and M. Blanchet, "Preparation of Internationalized Strings ("stringprep")", RFC 3454, December 2002. [14] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003. [15] Dawson, F. and D. Stenerson, "Internet Calendaring and Scheduling Core Object Specification (iCalendar)", RFC 2445, November 1998.16.2. Informative References
[16] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002. [17] ECMA, "ECMAScript Language Specification", ECMA-262, December 1999 [18] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001. [19] MacFaden, M., Partain, D., Saperia, J., and W. Tackabury, "Configuring Networks and Devices with Simple Network Management Protocol (SNMP)", RFC 3512, April 2003.
Author's Addresses
Steve Waldbusser Phone: +1-650-948-6500 Fax: +1-650-745-0671 EMail: waldbusser@nextbeacon.com Jon Saperia (WG Co-chair) JDS Consulting, Inc. 84 Kettell Plain Road. Stow MA 01775 USA Phone: +1-978-461--0249 Fax: +1-617-249-0874 EMail: saperia@jdscons.com Thippanna Hongal Riverstone Networks, Inc. 5200 Great America Parkway Santa Clara, CA, 95054 USA Phone: +1-408-878-6562 Fax: +1-408-878-6501 EMail: hongal@riverstonenet.com
Full Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.