Network Working Group                                       M. Pana, Ed.
Request for Comments: 4104                                      MetaSolv
Updates: 3703                                                   A. Reyes
Category: Standards Track                     Computer Architecture, UPC
                                                                A. Barba
                                                                D. Moron
                                       Technical University of Catalonia
                                                              M. Brunner
                                                                     NEC
                                                               June 2005

     Policy Core Extension Lightweight Directory Access Protocol Schema
                                 (PCELS)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract
   This document defines a number of changes and extensions to the
   Policy Core Lightweight Directory Access Protocol (LDAP) Schema
   (RFC 3703) based on the model extensions defined by the Policy Core
   Information Model (PCIM) Extensions (RFC 3460).  These changes and
   extensions consist of new LDAP object classes and attribute types.
   Some of the schema items defined in this document re-implement
   existing concepts in accordance with their new semantics introduced
   by RFC 3460.  The other schema items implement new concepts, not
   covered by RFC 3703.  This document updates RFC 3703.

Table of Contents
   1.  Introduction
       1.1.  Specification of Requirements
   2.  Relationship to Other Policy Framework Documents
   3.  Inheritance Hierarchy for PCELS
   4.  General Discussion of Mapping the Policy Core Information Model
       4.1.  Summary of Class Mappings
       4.2.  Summary of Association Mappings
       4.3.  Summary of Changes since PCLS
       4.4.  Relationship to PCLS Classes
       4.5.  Impact on Existing Implementations of the Policy Core LDAP
             Schema
       4.6.  The Association of PolicyVariable and PolicyValues
       4.7.  The Aggregation of PolicyRules and PolicyGroups in
             PolicySets
       4.8.  The Aggregation of Actions/Conditions in PolicyRules and
             CompoundActions/CompoundConditions
   5.  Class Definitions
       5.1.  The Abstract Class pcelsPolicySet
       5.2.  The Structural Class pcelsPolicySetAssociation
       5.3.  The Three Policy Group Classes
       5.4.  The Three Policy Rule Classes
       5.5.  The Structural Class pcelsConditionAssociation
       5.6.  The Structural Class pcelsActionAssociation
       5.7.  The Auxiliary Class pcelsSimpleConditionAuxClass
       5.8.  The Auxiliary Class pcelsCompoundConditionAuxClass
       5.9.  The Auxiliary Class pcelsCompoundFilterConditionAuxClass
       5.10. The Auxiliary Class pcelsSimpleActionAuxClass
       5.11. The Auxiliary Class pcelsCompoundActionAuxClass
       5.12. The Abstract Class pcelsVariable
       5.13. The Auxiliary Class pcelsExplicitVariableAuxClass
       5.14. The Auxiliary Class pcelsImplicitVariableAuxClass
       5.15. The Subclasses of pcelsImplicitVariableAuxClass
       5.16. The Auxiliary Class pcelsValueAuxClass
       5.17. The Subclasses of pcelsValueAuxClass
       5.18. The Three Reusable Policy Container Classes
       5.19. The Structural Class pcelsRoleCollection
       5.20. The Abstract Class pcelsFilterEntryBase
       5.21. The Structural Class pcelsIPHeadersFilter
       5.22. The Structural Class pcels8021Filter
       5.23. The Auxiliary Class pcelsFilterListAuxClass
       5.24. The Auxiliary Class pcelsVendorVariableAuxClass
       5.25. The Auxiliary Class pcelsVendorValueAuxClass
   6.  Security Considerations
   7.  IANA Considerations
       7.1.  Object Identifiers
       7.2.  Object Identifier Descriptors
   8.  Acknowledgements
   9.  Normative References
   10. Informative References
1. Introduction
   This document defines a number of changes and extensions to the
   Policy Core Lightweight Directory Access Protocol (LDAP) Schema
   [PCLS] based on the model extensions defined by the Policy Core
   Information Model (PCIM) Extensions [PCIM_EXT].  These changes and
   extensions consist of new LDAP object classes and attribute types
   [LDAP].  Some of the schema items defined in this document
   re-implement existing concepts in accordance with their new
   semantics introduced by [PCIM_EXT].  The other schema items
   implement new concepts, not covered by [PCLS].  This document
   updates RFC 3703 [PCLS].

   In addition to the concepts defined by [PCIM_EXT], this document
   introduces two new classes: pcelsVendorVariableAuxClass and
   pcelsVendorValueAuxClass.  These classes provide a standard
   extension mechanism for vendor-specific policy variables and policy
   values that have not been specifically modeled.

   Within the context of this document, the term "PCELS" (Policy Core
   Extension LDAP Schema) is used to refer to the LDAP object class,
   attribute type definitions and the associated recommendations
   contained in this document.

1.1. Specification of Requirements
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [KEYWORDS].

2. Relationship to Other Policy Framework Documents
This document contains an LDAP schema mapping for the classes defined in the "Policy Core Information Model (PCIM) Extensions" [PCIM_EXT]. The LDAP schema defined in this document is an extension to the "Policy Core Lightweight Directory Access Protocol (LDAP) Schema" [PCLS], which defines the mapping of the "Policy Core Information Model -- Version 1 Specification" [PCIM] to an LDAP schema. These three documents ([PCIM], [PCIM_EXT] and [PCLS]) are prerequisites for reading and understanding this document. Other documents may subsequently be produced with mappings of the same model to other storage or transport technologies.
3. Inheritance Hierarchy for PCELS
   The object class and attribute type names defined in this document
   are prefixed 'pcels'.  The diagram below illustrates the combined
   class hierarchy for the LDAP object classes defined in the following
   documents:

   - The class names prefixed 'pcels' are defined in this document.
   - The class names prefixed 'pcim' are defined in [PCLS].
   - The class names prefixed 'dlm1' are defined in [CIM_LDAP].
   - The class named 'top' is defined in [LDAP_SCHEMA].

   All the new object classes, except for pcelsVendorVariableAuxClass
   and pcelsVendorValueAuxClass, are mapped from concepts defined or
   modified by [PCIM_EXT].  The pcelsVendorVariableAuxClass and
   pcelsVendorValueAuxClass classes are not mapped from [PCIM_EXT].
   They represent concepts introduced in this document.

   top
    |
    +---dlm1ManagedElement (abstract)
    |    |
    |    +---pcimPolicy (abstract)
    |    |    |
    |    |    +---pcelsPolicySet (abstract new)
    |    |    |    |
    |    |    |    +---pcelsGroup (abstract new)
    |    |    |    |    |
    |    |    |    |    +---pcelsGroupAuxClass (auxiliary new)
    |    |    |    |    |
    |    |    |    |    +---pcelsGroupInstance (structural new)
    |    |    |    |
    |    |    |    +---pcelsRule (abstract new)
    |    |    |         |
    |    |    |         +---pcelsRuleAuxClass (auxiliary new)
    |    |    |         |
    |    |    |         +---pcelsRuleInstance (structural new)
    |    |    |
    |    |    +---pcimGroup (abstract)
    |    |    |    |
    |    |    |    +---pcimGroupAuxClass (auxiliary)
    |    |    |    |
    |    |    |    +---pcimGroupInstance (structural)
    |    |    |
    |    |    +---pcimRule (abstract)
    |    |    |    |
    |    |    |    +---pcimRuleAuxClass (auxiliary)
    |    |    |    |
    |    |    |    +---pcimRuleInstance (structural)
    |    |    |
    |    |    +---pcimRuleConditionAssociation (structural)
    |    |    |    |
    |    |    |    +---pcelsConditionAssociation (structural new)
    |    |    |
    |    |    +---pcimRuleValidityAssociation (structural)
    |    |    |
    |    |    +---pcimRuleActionAssociation (structural)
    |    |    |    |
    |    |    |    +---pcelsActionAssociation (structural new)
    |    |    |
    |    |    +---pcelsPolicySetAssociation (structural new)
    |    |    |
    |    |    +---pcimPolicyInstance (structural)
    |    |    |
    |    |    +---pcimElementAuxClass (auxiliary)
    |    |    |
    |    |    +---pcelsRoleCollection (structural new)
    |    |    |
    |    |    +---pcelsFilterEntryBase (abstract new)
    |    |         |
    |    |         +---pcelsIPHeadersFilter (structural new)
    |    |         |
    |    |         +---pcels8021Filter (structural new)
    |    |
    |    +---dlm1ManagedSystemElement (abstract)
    |         |
    |         +---dlm1LogicalElement (abstract)
    |              |
    |              +---dlm1System (abstract)
    |                   |
    |                   +---dlm1AdminDomain (abstract)
    |                        |
    |                        +---pcimRepository (abstract)
    |                             |
    |                             +---pcimRepositoryAuxClass (auxiliary)
    |                             |
    |                             +---pcimRepositoryInstance (structural)
    |                             |
    |                             +---pcelsReusableContainer (abstract new)
    |                                  |
    |                                  +---pcelsReusableContainerAuxClass
    |                                  |        (auxiliary new)
    |                                  |
    |                                  +---pcelsReusableContainerInstance
    |                                           (structural new)
    |
    +---pcimConditionAuxClass (auxiliary)
    |    |
    |    +---pcimTPCAuxClass (auxiliary)
    |    |
    |    +---pcimConditionVendorAuxClass (auxiliary)
    |    |
    |    +---pcelsSimpleConditionAuxClass (auxiliary new)
    |    |
    |    +---pcelsCompoundConditionAuxClass (auxiliary new)
    |    |    |
    |    |    +---pcelsCompoundFilterConditionAuxClass (auxiliary new)
    |    |
    |    +---pcelsFilterListAuxClass (auxiliary new)
    |
    +---pcimActionAuxClass (auxiliary)
    |    |
    |    +---pcimActionVendorAuxClass (auxiliary)
    |    |
    |    +---pcelsSimpleActionAuxClass (auxiliary new)
    |    |
    |    +---pcelsCompoundActionAuxClass (auxiliary new)
    |
    +---pcelsVariable (abstract new)
    |    |
    |    +---pcelsVendorVariableAuxClass (auxiliary new)
    |    |
    |    +---pcelsExplicitVariableAuxClass (auxiliary new)
    |    |
    |    +---pcelsImplicitVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsSourceIPv4VariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsSourceIPv6VariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsDestinationIPv4VariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsDestinationIPv6VariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsSourcePortVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsDestinationPortVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsIPProtocolVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsIPVersionVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsIPToSVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsDSCPVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsFlowIdVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsSourceMACVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsDestinationMACVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsVLANVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsCoSVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsEthertypeVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsSourceSAPVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsDestinationSAPVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsSNAPOUIVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsSNAPTypeVariableAuxClass (auxiliary new)
    |         |
    |         +---pcelsFlowDirectionVariableAuxClass (auxiliary new)
    |
    +---pcelsValueAuxClass (auxiliary new)
    |    |
    |    +---pcelsVendorValueAuxClass (auxiliary new)
    |    |
    |    +---pcelsIPv4AddrValueAuxClass (auxiliary new)
    |    |
    |    +---pcelsIPv6AddrValueAuxClass (auxiliary new)
    |    |
    |    +---pcelsMACAddrValueAuxClass (auxiliary new)
    |    |
    |    +---pcelsStringValueAuxClass (auxiliary new)
    |    |
    |    +---pcelsBitStringValueAuxClass (auxiliary new)
    |    |
    |    +---pcelsIntegerValueAuxClass (auxiliary new)
    |    |
    |    +---pcelsBooleanValueAuxClass (auxiliary new)
    |
    +---pcimSubtreesPtrAuxClass (auxiliary)
    |
    +---pcimGroupContainmentAuxClass (auxiliary)
    |
    +---pcimRuleContainmentAuxClass (auxiliary)

                Figure 1. LDAP Class Inheritance Hierarchy for PCELS
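   The hierarchy in Figure 1 only holds if every class kind is allowed under its superclass's kind (an auxiliary class must not derive from a structural one, and so on). The following is an added example, not part of RFC 4104 or any PCELS implementation: it parses objectClass definitions written in the RFC 4512 syntax used by Section 5, walks each SUP chain up to 'top', and flags kind violations. The OIDs are placeholders (the real values are assigned in Section 7) and 'badAuxClass' is a constructed invalid entry.

```python
import re

# Constructed sample in RFC 4512 objectClass syntax, mirroring one branch
# of Figure 1.  OIDs are placeholders; 'badAuxClass' is a deliberately
# invalid entry (an auxiliary class derived from a structural one).
SAMPLE_SCHEMA = """
( 2.5.6.0 NAME 'top' ABSTRACT )
( OID-PLACEHOLDER.1 NAME 'dlm1ManagedElement' SUP top ABSTRACT )
( OID-PLACEHOLDER.2 NAME 'pcimPolicy' SUP dlm1ManagedElement ABSTRACT )
( OID-PLACEHOLDER.3 NAME 'pcelsPolicySet' SUP pcimPolicy ABSTRACT )
( OID-PLACEHOLDER.4 NAME 'pcelsRule' SUP pcelsPolicySet ABSTRACT )
( OID-PLACEHOLDER.5 NAME 'pcelsRuleAuxClass' SUP pcelsRule AUXILIARY )
( OID-PLACEHOLDER.6 NAME 'pcelsRuleInstance' SUP pcelsRule STRUCTURAL )
( OID-PLACEHOLDER.7 NAME 'badAuxClass' SUP pcelsRuleInstance AUXILIARY )
"""

_DEF_RE = re.compile(
    r"\(\s*(?P<oid>\S+)\s+NAME\s+'(?P<name>[^']+)'"
    r"(?:\s+SUP\s+(?P<sup>\S+))?\s+(?P<kind>ABSTRACT|STRUCTURAL|AUXILIARY)")

# Superclass kinds each kind may derive from (RFC 4512, Section 2.4).
ALLOWED_SUP = {
    "ABSTRACT": {"ABSTRACT"},
    "STRUCTURAL": {"ABSTRACT", "STRUCTURAL"},
    "AUXILIARY": {"ABSTRACT", "AUXILIARY"},
}


def parse_object_classes(text):
    """Map each class name to (superclass name or None, kind)."""
    return {m.group("name"): (m.group("sup"), m.group("kind"))
            for m in _DEF_RE.finditer(text)}


def superclass_chain(classes, name):
    """Follow SUP links from name up to the root, e.g. pcelsRuleInstance -> top."""
    chain = []
    while name is not None:
        if name not in classes or name in chain:
            raise ValueError("unknown or cyclic superclass: %s" % name)
        chain.append(name)
        name = classes[name][0]
    return chain


def check_kind_rules(classes):
    """Return names of classes whose kind is not permitted under their SUP's kind."""
    bad = []
    for name, (sup, kind) in classes.items():
        if sup is None:
            continue
        sup_kind = classes.get(sup, (None, "MISSING"))[1]
        if sup_kind not in ALLOWED_SUP[kind]:
            bad.append(name)
    return bad
```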