tech-invite   World Map     

3GPP     Specs     Glossaries     Architecture     IMS     UICC       IETF     RFCs     Groups     SIP     ABNFs       Search

RFC 3060

Proposed STD
Pages: 100
Top     in Index     Prev     Next
in Group Index     No Prev: Lowest Number in Group     Next in Group     Group: POLICY

Policy Core Information Model -- Version 1 Specification

Part 1 of 5, p. 1 to 10
None       Next RFC Part

Updated by:    3460


Top       ToC       Page 1 
Network Working Group                                           B. Moore
Request for Comments: 3060                                           IBM
Category: Standards Track                                    E. Ellesson
                                                         LongBoard, Inc.
                                                            J. Strassner
                                                           A. Westerinen
                                                           Cisco Systems
                                                           February 2001


        Policy Core Information Model -- Version 1 Specification

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This document presents the object-oriented information model for
   representing policy information developed jointly in the IETF Policy
   Framework WG and as extensions to the Common Information Model (CIM)
   activity in the Distributed Management Task Force (DMTF).  This model
   defines two hierarchies of object classes:  structural classes
   representing policy information and control of policies, and
   association classes that indicate how instances of the structural
   classes are related to each other. Subsequent documents will define
   mappings of this information model to various concrete
   implementations, for example, to a directory that uses LDAPv3 as its
   access protocol.

Table of Contents

   1. Introduction.................................................... 4
   2. Modeling Policies............................................... 5
      2.1. Policy Scope............................................... 8
      2.2. Declarative versus Procedural Model........................ 8
   3. Overview of the Policy Core Information Model.................. 10
   4. Inheritance Hierarchies for the Policy Core Information Model.. 13
      4.1. Implications of CIM Inheritance........................... 15
   5. Details of the Model........................................... 15

Top      ToC       Page 2 
      5.1. Reusable versus Rule-Specific Conditions and Actions...... 15
      5.2. Roles..................................................... 17
      5.2.1. Roles and Role Combinations............................. 17
      5.2.2. The PolicyRoles Property................................ 21
      5.3. Local Time and UTC Time in PolicyTimePeriodConditions..... 21
      5.4. CIM Data Types............................................ 23
      5.5. Comparison between CIM and LDAP Class Specifications...... 24
   6. Class Definitions.............................................. 25
      6.1. The Abstract Class "Policy"............................... 25
      6.1.1. The Property "CommonName (CN)".......................... 26
      6.1.2. The Multi-valued Property "PolicyKeywords".............. 26
      6.1.3. The Property "Caption" (Inherited from ManagedElement).. 27
      6.1.4. The Property "Description" (Inherited from
             ManagedElement)......................................... 27
      6.2. The Class "PolicyGroup"................................... 27
      6.3. The Class "PolicyRule".................................... 29
      6.3.1. The Property "Enabled".................................. 31
      6.3.2. The Property "ConditionListType"........................ 31
      6.3.3. The Property "RuleUsage"................................ 31
      6.3.4. The Property "Priority"................................. 32
      6.3.5. The Property "Mandatory"................................ 32
      6.3.6. The Property "SequencedActions"......................... 33
      6.3.7. The Multi-valued Property "PolicyRoles"................. 33
      6.4. The Abstract Class "PolicyCondition"...................... 34
      6.5. The Class "PolicyTimePeriodCondition"..................... 36
      6.5.1. The Property "TimePeriod"............................... 38
      6.5.2. The Property "MonthOfYearMask".......................... 39
      6.5.3. The Property "DayOfMonthMask"........................... 39
      6.5.4. The Property "DayOfWeekMask"............................ 40
      6.5.5. The Property "TimeOfDayMask"............................ 41
      6.5.6. The Property "LocalOrUtcTime"........................... 42
      6.6. The Class "VendorPolicyCondition"......................... 42
      6.6.1. The Multi-valued Property "Constraint".................. 43
      6.6.2. The Property "ConstraintEncoding"....................... 43
      6.7. The Abstract Class "PolicyAction"......................... 44
      6.8. The Class "VendorPolicyAction"............................ 45
      6.8.1. The Multi-valued Property "ActionData".................. 45
      6.8.2. The Property "ActionEncoding"........................... 46
      6.9. The Class "PolicyRepository".............................. 46
   7. Association and Aggregation Definitions........................ 46
      7.1. Associations.............................................. 47
      7.2. Aggregations.............................................. 47
      7.3. The Abstract Aggregation "PolicyComponent................. 47
      7.4. The Aggregation "PolicyGroupInPolicyGroup"................ 47
      7.4.1. The Reference "GroupComponent".......................... 48
      7.4.2. The Reference "PartComponent"........................... 48
      7.5. The Aggregation "PolicyRuleInPolicyGroup"................. 48
      7.5.1. The Reference "GroupComponent".......................... 49

Top      ToC       Page 3 
      7.5.2. The Reference "PartComponent"........................... 49
      7.6. The Aggregation "PolicyConditionInPolicyRule"............. 49
      7.6.1. The Reference "GroupComponent".......................... 50
      7.6.2. The Reference "PartComponent"........................... 50
      7.6.3. The Property "GroupNumber".............................. 50
      7.6.4. The Property "ConditionNegated"......................... 51
      7.7. The Aggregation "PolicyRuleValidityPeriod"................ 51
      7.7.1. The Reference "GroupComponent".......................... 52
      7.7.2. The Reference "PartComponent"........................... 52
      7.8. The Aggregation "PolicyActionInPolicyRule"................ 52
      7.8.1. The Reference "GroupComponent".......................... 53
      7.8.2. The Reference "PartComponent"........................... 53
      7.8.3. The Property "ActionOrder".............................. 53
      7.9. The Abstract Association "PolicyInSystem"................. 54
      7.10. The Weak Association "PolicyGroupInSystem"............... 55
      7.10.1. The Reference "Antecedent"............................. 55
      7.10.2. The Reference "Dependent".............................. 55
      7.11. The Weak Association "PolicyRuleInSystem"................ 56
      7.11.1. The Reference "Antecedent"............................. 56
      7.11.2. The Reference "Dependent".............................. 56
      7.12. The Association "PolicyConditionInPolicyRepository"...... 56
      7.12.1. The Reference "Antecedent"............................. 57
      7.12.2. The Reference "Dependent".............................. 57
      7.13. The Association "PolicyActionInPolicyRepository"......... 57
      7.13.1. The Reference "Antecedent"............................. 58
      7.13.2. The Reference "Dependent".............................. 58
      7.14. The Aggregation "PolicyRepositoryInPolicyRepository"..... 58
      7.14.1. The Reference "GroupComponent"......................... 58
      7.14.2. The Reference "PartComponent".......................... 59
   8. Intellectual Property.......................................... 59
   9. Acknowledgements............................................... 59
   10. Security Considerations....................................... 60
   11. References.................................................... 62
   12. Authors' Addresses............................................ 64
   13. Appendix A:  Class Identification in a Native CIM
       Implementation................................................ 65
      13.1. Naming Instances of PolicyGroup and PolicyRule........... 65
      13.1.1. PolicyGroup's CIM Keys................................. 65
      13.1.2. PolicyRule's CIM Keys.................................. 66
      13.2. Naming Instances of PolicyCondition and Its Subclasses... 67
      13.2.1. PolicyCondition's CIM Keys............................. 69
      13.3. Naming Instances of PolicyAction and Its Subclasses...... 71
      13.4. Naming Instances of PolicyRepository..................... 72
      13.5. Role of the CreationClassName Property in Naming......... 73
      13.6. Object References........................................ 73
   14. Appendix B:  The Core Policy MOF.............................. 75
   15. Full Copyright Statement..................................... 100

Top      ToC       Page 4 
1. Introduction

   This document presents the object-oriented information model for
   representing policy information currently under joint development in
   the IETF Policy Framework WG and as extensions to the Common
   Information Model (CIM) activity in the Distributed Management Task
   Force (DMTF).  This model defines two hierarchies of object classes:
   structural classes representing policy information and control of
   policies, and association classes that indicate how instances of the
   structural classes are related to each other.  Subsequent documents
   will define mappings of this information model to various concrete
   implementations, for example, to a directory that uses LDAPv3 as its
   access protocol.  The components of the CIM schema are available via
   the following URL: http://www.dmtf.org/spec/cims.html [1].

   The policy classes and associations defined in this model are
   sufficiently generic to allow them to represent policies related to
   anything.  However, it is expected that their initial application in
   the IETF will be for representing policies related to QoS (DiffServ
   and IntServ) and to IPSec.  Policy models for application-specific
   areas such as these may extend the Core Model in several ways.  The
   preferred way is to use the PolicyGroup, PolicyRule, and
   PolicyTimePeriodCondition classes directly, as a foundation for
   representing and communicating policy information.  Then, specific
   subclasses derived from PolicyCondition and PolicyAction can capture
   application-specific definitions of conditions and actions of
   policies.

   Two subclasses, VendorPolicyCondition and VendorPolicyAction, are
   also included in this document, to provide a standard extension
   mechanism for vendor-specific extensions to the Policy Core
   Information Model.

   This document fits into the overall framework for representing,
   deploying, and managing policies being developed by the Policy
   Framework Working Group.  It traces its origins to work that was
   originally done for the Directory-enabled Networks (DEN)
   specification, reference [5].  Work on the DEN specification by the
   DEN Ad-Hoc Working Group itself has been completed.  Further work to
   standardize the models contained in it will be the responsibility of
   selected working groups of the CIM effort in the Distributed
   Management Task Force (DMTF).  DMTF standardization of the core
   policy model is the responsibility of the SLA Policy working group in
   the DMTF.

Top      ToC       Page 5 
   This document is organized in the following manner:

   o  Section 2 provides a general overview of policies and how they are
      modeled.

   o  Section 3 presents a high-level overview of the classes and
      associations comprising the Policy Core Information Model.

   o  The remainder of the document presents the detailed specifications
      for each of the classes and associations.

   o  Appendix A overviews naming for native CIM implementations.  Other
      mappings, such as LDAPv3, will have their own naming mechanisms.

   o  Appendix B reproduces the DMTF's Core Policy MOF specification.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119, reference
   [3].

2. Modeling Policies

   The classes comprising the Policy Core Information Model are intended
   to serve as an extensible class hierarchy (through specialization)
   for defining policy objects that enable application developers,
   network administrators, and policy administrators to represent
   policies of different types.

   One way to think of a policy-controlled network is to first model the
   network as a state machine and then use policy to control which state
   a policy-controlled device should be in or is allowed to be in at any
   given time.  Given this approach, policy is applied using a set of
   policy rules.  Each policy rule consists of a set of conditions and a
   set of actions.  Policy rules may be aggregated into policy groups.
   These groups may be nested, to represent a hierarchy of policies.

   The set of conditions associated with a policy rule specifies when
   the policy rule is applicable.  The set of conditions can be
   expressed as either an ORed set of ANDed sets of condition statements
   or an ANDed set of ORed sets of statements.  Individual condition
   statements can also be negated.  These combinations are termed,
   respectively, Disjunctive Normal Form (DNF) and Conjunctive Normal
   Form (CNF) for the conditions.

   If the set of conditions associated with a policy rule evaluates to
   TRUE, then a set of actions that either maintain the current state of
   the object or transition the object to a new state may be executed.

Top      ToC       Page 6 
   For the set of actions associated with a policy rule, it is possible
   to specify an order of execution, as well as an indication of whether
   the order is required or merely recommended.  It is also possible to
   indicate that the order in which the actions are executed does not
   matter.

   Policy rules themselves can be prioritized.  One common reason for
   doing this is to express an overall policy that has a general case
   with a few specific exceptions.

   For example, a general QoS policy rule might specify that traffic
   originating from members of the engineering group is to get Bronze
   Service.  A second policy rule might express an exception: traffic
   originating from John, a specific member of the engineering group, is
   to get Gold Service.  Since traffic originating from John satisfies
   the conditions of both policy rules, and since the actions associated
   with the two rules are incompatible, a priority needs to be
   established.  By giving the second rule (the exception) a higher
   priority than the first rule (the general case), a policy
   administrator can get the desired effect: traffic originating from
   John gets Gold Service, and traffic originating from all the other
   members of the engineering group gets Bronze Service.

   Policies can either be used in a stand-alone fashion or aggregated
   into policy groups to perform more elaborate functions.  Stand-alone
   policies are called policy rules.  Policy groups are aggregations of
   policy rules, or aggregations of policy groups, but not both.  Policy
   groups can model intricate interactions between objects that have
   complex interdependencies.  Examples of this include a sophisticated
   user logon policy that sets up application access, security, and
   reconfigures network connections based on a combination of user
   identity, network location, logon method and time of day.  A policy
   group represents a unit of reusability and manageability in that its
   management is handled by an identifiable group of administrators and
   its policy rules would be consistently applied

   Stand-alone policies are those that can be expressed in a simple
   statement.  They can be represented effectively in schemata or MIBs.
   Examples of this are VLAN assignments, simple YES/NO QoS requests,
   and IP address allocations.  A specific design goal of this model is
   to support both stand-alone and aggregated policies.

   Policy groups and rules can be classified by their purpose and
   intent.  This classification is useful in querying or grouping policy
   rules.  It indicates whether the policy is used to motivate when or
   how an action occurs, or to characterize services (that can then be
   used, for example, to bind clients to network services).  Describing
   each of these concepts in more detail,

Top      ToC       Page 7 
   o  Motivational Policies are solely targeted at whether or how a
      policy's goal is accomplished.  Configuration and Usage Policies
      are specific kinds of Motivational Policies.  Another example is
      the scheduling of file backup based on disk write activity from
      8am to 3pm, M-F.

   o  Configuration Policies define the default (or generic) setup of a
      managed entity (for example, a network service).  Examples of
      Configuration Policies are the setup of a network forwarding
      service or a network-hosted print queue.

   o  Installation Policies define what can and cannot be put on a
      system or component, as well as the configuration of the
      mechanisms that perform the install.  Installation policies
      typically represent specific administrative permissions, and can
      also represent dependencies between different components (e.g., to
      complete the installation of component A, components B and C must
      be previously successfully installed or uninstalled).

   o  Error and Event Policies.  For example, if a device fails between
      8am and 9pm, call the system administrator, otherwise call the
      Help Desk.

   o  Usage Policies control the selection and configuration of entities
      based on specific "usage" data.  Configuration Policies can be
      modified or simply re-applied by Usage Policies.  Examples of
      Usage Policies include upgrading network forwarding services after
      a user is verified to be a member of a "gold" service group, or
      reconfiguring a printer to be able to handle the next job in its
      queue.

   o  Security Policies deal with verifying that the client is actually
      who the client purports to be, permitting or denying access to
      resources, selecting and applying appropriate authentication
      mechanisms, and performing accounting and auditing of resources.

   o  Service Policies characterize network and other services (not use
      them).  For example, all wide-area backbone interfaces shall use a
      specific type of queuing.

      Service policies describe services available in the network.
      Usage policies describe the particular binding of a client of the
      network to services available in the network.

   These categories are represented in the Policy Core Information Model
   by special values defined for the PolicyKeywords property of the
   abstract class Policy.

Top      ToC       Page 8 
2.1. Policy Scope

   Policies represent business goals and objectives.  A translation must
   be made between these goals and objectives and their realization in
   the network.  An example of this could be a Service Level Agreement
   (SLA), and its objectives and metrics (Service Level Objectives, or
   SLOs), that are used to specify services that the network will
   provide for a given client.  The SLA will usually be written in
   high-level business terminology.  SLOs address more specific metrics
   in support of the SLA.  These high-level descriptions of network
   services and metrics must be translated into lower-level, but also
   vendor-and device-independent specifications.  The Policy Core
   Information Model classes are intended to serve as the foundation for
   these lower-level, vendor- and device-independent specifications.

   It is envisioned that the definition of the Policy Core Informational
   Model in this document is generic in nature and is applicable to
   Quality of Service (QoS), to non-QoS networking applications (e.g.,
   DHCP and IPSec), and to non-networking applications (e.g., backup
   policies, auditing access, etc.).

2.2. Declarative versus Procedural Model

   The design of the Policy Core Information Model is influenced by a
   declarative, not procedural, approach.  More formally, a declarative
   language is used to describe relational and functional languages.
   Declarative languages describe relationships between variables in
   terms of functions or inference rules, to which the interpreter or
   compiler can apply a fixed algorithm in order to produce a result.
   An imperative (or procedural) language specifies an explicit sequence
   of steps to follow in order to produce a result.

   It is important to note that this information model does not rule out
   the use of procedural languages.  Rather, it recognizes that both
   declarative as well as procedural languages can be used to implement
   policy.  This information model is better viewed as being declarative
   because the sequence of steps for doing the processing of declarative
   statements tends to be left to the implementer.  However, we have
   provided the option of expressing the desired order of action
   execution in this policy information model, and for expressing
   whether the order is mandatory or not.  In addition, rather than
   trying to define algorithms or sets of instructions or steps that
   must be followed by a policy rule, we instead define a set of modular
   building blocks and relationships that can be used in a declarative
   or procedural fashion to define policies.

Top      ToC       Page 9 
   Compare this to a strictly procedural model.  Taking such an approach
   would require that we specify the condition testing sequence, and the
   action execution sequence, in the policy repository itself.  This
   would, indeed, constrain the implementer.  This is why the policy
   model is characterized as a declarative one.  That is, the
   information model defines a set of attributes, and a set of entities
   that contain these attributes.  However, it does NOT define either
   the algorithm to produce a result using the attributes or an explicit
   sequence of steps to produce a result.

   There are several design considerations and trade-offs to make in
   this respect.

   1. On the one hand, we would like a policy definition language to be
      reasonably human-friendly for ease of definitions and diagnostics.
      On the other hand, given the diversity of devices (in terms of
      their processing capabilities) which could act as policy decision
      points, we would like to keep the language somewhat machine-
      friendly.  That is, it should be relatively simple to automate the
      parsing and processing of the language in network elements.  The
      approach taken is to provide a set of classes and attributes that
      can be combined in either a declarative or procedural approach to
      express policies that manage network elements and services.  The
      key point is to avoid trying to standardize rules or sets of steps
      to be followed in defining a policy.  These must be left up to an
      implementation.  Interoperability is achieved by standardizing the
      building blocks that are used to represent policy data and
      information.

   2. An important decision to make is the semantic style of the
      representation of the information.

      The declarative approach that we are describing falls short of
      being a "true" declarative model.  Such a model would also specify
      the algorithms used to combine the information and policy rules to
      achieve particular behavior.  We avoid specifying algorithms for
      the same reason that we avoid specifying sets of steps to be
      followed in a policy rule.  However, the design of the information
      model more closely follows that of a declarative language, and may
      be easier to understand if such a conceptual model is used.  This
      leads to our third point, acknowledging a lack of "completeness"
      and instead relying on presenting information that the policy
      processing entity will work with.

   3. It is important to control the complexity of the specification,
      trading off richness of expression of data in the core information
      model for ease of implementation and use.  It is important to
      acknowledge the collective lack of experience in the field

Top      ToC       Page 10 
      regarding policies to control and manage network services and
      hence avoid the temptation of aiming for "completeness".  We
      should instead strive to facilitate definition of a set of common
      policies that customers require today (e.g., VPN and QoS) and
      allow migration paths towards supporting complex policies as
      customer needs and our understanding of these policies evolve with
      experience.  Specifically, in the context of the declarative style
      language discussed above, it is important to avoid having full
      blown predicate calculus as the language, as it would render many
      important problems such as consistency checking and policy
      decision point algorithms intractable.  It is useful to consider a
      reasonably constrained language from these perspectives.

   The Policy Core Information Model strikes a balance between
   complexity and lack of power by using the well understood logical
   concepts of Disjunctive Normal Form and Conjunctive Normal Form for
   combining simple policy conditions into more complex ones.



(page 10 continued on part 2)

Next RFC Part