
RFC 3318

 
 
 

Framework Policy Information Base

Part 3 of 3, p. 50 to 70
  frwkIpFilterProtocol OBJECT-TYPE
      SYNTAX         Unsigned32 (0..255)
      STATUS         current
      DESCRIPTION
          "The layer-4 protocol Id to match against the IPv4 protocol
          number or the IPv6 Next-Header number in the packet. A value
          of 255 means match all. Note the protocol number of 255 is
          reserved by IANA, and Next-Header number of 0 is used in
          IPv6."
      DEFVAL { 255 }

      ::= { frwkIpFilterEntry 8 }

  frwkIpFilterDstL4PortMin OBJECT-TYPE
      SYNTAX         InetPortNumber
      STATUS         current
      DESCRIPTION
          "The minimum value that the packet's layer 4 destination
          port number can have and match this filter. This value must
          be equal to or less than the value specified for this
          filter in frwkIpFilterDstL4PortMax.

          COPS-PR error code 'attrValueInvalid' must be returned if
          the frwkIpFilterSrcL4PortMin is greater than
          frwkIpFilterSrcL4PortMax"
      REFERENCE
          "COPS Usage for Policy Provisioning.  RFC 3084, error
          codes section 4.5."
      DEFVAL { 0 }

     ::= { frwkIpFilterEntry 9 }

  frwkIpFilterDstL4PortMax OBJECT-TYPE
      SYNTAX         InetPortNumber
      STATUS         current
      DESCRIPTION
          "The maximum value that the packet's layer 4 destination
          port number can have and match this filter. This value must
          be equal to or greater than the value specified for this
          filter in frwkIpFilterDstL4PortMin.

          COPS-PR error code 'attrValueInvalid' must be returned if
          the frwkIpFilterDstL4PortMax is less than
          frwkIpFilterDstL4PortMin"
      REFERENCE
          "COPS Usage for Policy Provisioning.  RFC 3084, error
          codes section 4.5."

      DEFVAL { 65535 }

      ::= { frwkIpFilterEntry 10 }

  frwkIpFilterSrcL4PortMin OBJECT-TYPE
      SYNTAX         InetPortNumber
      STATUS         current
      DESCRIPTION
          "The minimum value that the packet's layer 4 source port
          number can have and match this filter. This value must
          be equal to or less than the value specified for this
          filter in frwkIpFilterSrcL4PortMax.

          COPS-PR error code 'attrValueInvalid' must be returned if
          the frwkIpFilterSrcL4PortMin is greater than
          frwkIpFilterSrcL4PortMax"
      REFERENCE
          "COPS Usage for Policy Provisioning.  RFC 3084, error
          codes section 4.5."
      DEFVAL { 0 }

      ::= { frwkIpFilterEntry 11 }

  frwkIpFilterSrcL4PortMax OBJECT-TYPE
      SYNTAX         InetPortNumber
      STATUS         current
      DESCRIPTION
          "The maximum value that the packet's layer 4 source port
          number can have and match this filter.  This value must be
          equal to or greater than the value specified for this filter
          in frwkIpFilterSrcL4PortMin.

          COPS-PR error code 'attrValueInvalid' must be returned if
          the frwkIpFilterSrcL4PortMax is less than
          frwkIpFilterSrcL4PortMin"
      REFERENCE
          "COPS Usage for Policy Provisioning.  RFC 3084, error
          codes section 4.5."
      DEFVAL { 65535 }

      ::= { frwkIpFilterEntry 12 }

  --
  -- The IEEE 802 Filter Table
  --

  frwk802FilterTable OBJECT-TYPE
      SYNTAX         SEQUENCE OF Frwk802FilterEntry

      PIB-ACCESS     install
      STATUS         current
      DESCRIPTION
          "IEEE 802-based filter definitions. A class that contains
          attributes of IEEE 802 (e.g., 802.3) traffic that form
          filters that are used to perform traffic classification."
      REFERENCE
          "IEEE Standards for Local and Metropolitan Area Networks.
          Overview and Architecture, ANSI/IEEE Std 802, 1990."
      ::= { frwkClassifierClasses 3 }

  frwk802FilterEntry OBJECT-TYPE
      SYNTAX         Frwk802FilterEntry
      STATUS         current
      DESCRIPTION
          "IEEE 802-based filter definitions.  An entry specifies
          (potentially) several distinct matching components. Each
          component is tested against the data in a frame
          individually. An overall match occurs when all of the
          individual components match the data they are compared
          against in the frame being processed. A failure of any
          one test causes the overall match to fail.

          Wildcards may be specified for those fields that are not
          relevant."

      EXTENDS { frwkBaseFilterEntry }
      UNIQUENESS { frwkBaseFilterNegation,
                   frwk802FilterDstAddr,
                   frwk802FilterDstAddrMask,
                   frwk802FilterSrcAddr,
                   frwk802FilterSrcAddrMask,
                   frwk802FilterVlanId,
                   frwk802FilterVlanTagRequired,
                   frwk802FilterEtherType,
                   frwk802FilterUserPriority }

      ::= { frwk802FilterTable 1 }

  Frwk802FilterEntry ::= SEQUENCE {
          frwk802FilterDstAddr         PhysAddress,
          frwk802FilterDstAddrMask     PhysAddress,
          frwk802FilterSrcAddr         PhysAddress,
          frwk802FilterSrcAddrMask     PhysAddress,
          frwk802FilterVlanId          Integer32,
          frwk802FilterVlanTagRequired INTEGER,
          frwk802FilterEtherType       Integer32,
          frwk802FilterUserPriority    BITS

  }

  frwk802FilterDstAddr OBJECT-TYPE
      SYNTAX         PhysAddress
      STATUS         current
      DESCRIPTION
          "The 802 address against which the 802 DA of incoming
          traffic streams will be compared. Frames whose 802 DA
          matches the physical address specified by this object,
          taking into account address wildcarding as specified by the
          frwk802FilterDstAddrMask object, are potentially subject to
          the processing guidelines that are associated with this
          entry through the related action class."
      REFERENCE
          "Textual Conventions for SMIv2, RFC 2579."

      ::= { frwk802FilterEntry 1 }

  frwk802FilterDstAddrMask OBJECT-TYPE
      SYNTAX         PhysAddress
      STATUS         current
      DESCRIPTION
          "This object specifies the bits in an 802 destination address
          that should be considered when performing an 802 DA
          comparison against the address specified in the
          frwk802FilterDstAddr object.

          The value of this object represents a mask that is logically
          and'ed with the 802 DA in received frames to derive the
          value to be compared against the frwk802FilterDstAddr
          address. A zero bit in the mask thus means that the
          corresponding bit in the address always matches. The
          frwk802FilterDstAddr value must also be masked using this
          value prior to any comparisons.

          The length of this object in octets must equal the length in
          octets of the frwk802FilterDstAddr. Note that a mask with no
          bits set (i.e., all zeroes) effectively wildcards the
          frwk802FilterDstAddr object."

      ::= { frwk802FilterEntry 2 }

  frwk802FilterSrcAddr OBJECT-TYPE
      SYNTAX         PhysAddress
      STATUS         current
      DESCRIPTION
          "The 802 MAC address against which the 802 MAC SA of
          incoming traffic streams will be compared. Frames whose 802

          MAC SA matches the physical address specified by this
          object, taking into account address wildcarding as specified
          by the frwk802FilterSrcAddrMask object, are potentially
          subject to the processing guidelines that are associated
          with this entry through the related action class."

      ::= { frwk802FilterEntry 3 }

  frwk802FilterSrcAddrMask OBJECT-TYPE
      SYNTAX         PhysAddress
      STATUS         current
      DESCRIPTION
          "This object specifies the bits in an 802 MAC source address
          that should be considered when performing an 802 MAC SA
          comparison against the address specified in the
          frwk802FilterSrcAddr object.

          The value of this object represents a mask that is logically
          and'ed with the 802 MAC SA in received frames to derive the
          value to be compared against the frwk802FilterSrcAddr
          address. A zero bit in the mask thus means that the
          corresponding bit in the address always matches. The
          frwk802FilterSrcAddr value must also be masked using this
          value prior to any comparisons.

          The length of this object in octets must equal the length in
          octets of the frwk802FilterSrcAddr. Note that a mask with no
          bits set (i.e., all zeroes) effectively wildcards the
          frwk802FilterSrcAddr object."

      ::= { frwk802FilterEntry 4 }

  frwk802FilterVlanId OBJECT-TYPE
      SYNTAX         Integer32 (-1 | 1..4094)
      STATUS         current
      DESCRIPTION
          "The VLAN ID (VID) that uniquely identifies a VLAN
          within the device. This VLAN may be known or unknown
          (i.e., traffic associated with this VID has not yet
          been seen by the device) at the time this entry
          is instantiated.

          Setting the frwk802FilterVlanId object to -1 indicates that
          VLAN data should not be considered during traffic
          classification."

      ::= { frwk802FilterEntry 5 }

  frwk802FilterVlanTagRequired OBJECT-TYPE
      SYNTAX         INTEGER {
                         taggedOnly(1),
                         priorityTaggedPlus(2),
                         untaggedOnly(3),
                         ignoreTag(4)
                     }
      STATUS         current
      DESCRIPTION
          "This object indicates whether the presence of an
          IEEE 802.1Q VLAN tag in data link layer frames must
          be considered when determining if a given frame
          matches this 802 filter entry.

          A value of 'taggedOnly(1)' means that only frames
          containing a VLAN tag with a non-Null VID (i.e., a
          VID in the range 1..4094) will be considered a match.

          A value of 'priorityTaggedPlus(2)' means that only
          frames containing a VLAN tag, regardless of the value
          of the VID, will be considered a match.

          A value of 'untaggedOnly(3)' indicates that only
          untagged frames will match this filter component.

          The presence of a VLAN tag is not taken into
          consideration in terms of a match if the value is
          'ignoreTag(4)'."

      ::= { frwk802FilterEntry 6 }

  frwk802FilterEtherType OBJECT-TYPE
      SYNTAX         Integer32 (-1 | 0..'ffff'h)
      STATUS         current
      DESCRIPTION
          "This object specifies the value that will be compared
          against the value contained in the EtherType field of an
          IEEE 802 frame. Example settings would include 'IP'
          (0x0800), 'ARP' (0x0806) and 'IPX' (0x8137).

          Setting the frwk802FilterEtherTypeMin object to -1 indicates
          that EtherType data should not be considered during traffic
          classification.

          Note that the position of the EtherType field depends on
          the underlying frame format. For Ethernet-II encapsulation,
          the EtherType field follows the 802 MAC source address. For
          802.2 LLC/SNAP encapsulation, the EtherType value follows

          the Organization Code field in the 802.2 SNAP header. The
          value that is tested with regard to this filter component
          therefore depends on the data link layer frame format being
          used. If this 802 filter component is active when there is
          no EtherType field in a frame (e.g., 802.2 LLC), a match is
          implied."

      ::= { frwk802FilterEntry 7 }

frwk802FilterUserPriority OBJECT-TYPE
    SYNTAX         BITS {
                        matchPriority0(0),
                        matchPriority1(1),
                        matchPriority2(2),
                        matchPriority3(3),
                        matchPriority4(4),
                        matchPriority5(5),
                        matchPriority6(6),
                        matchPriority7(7)
                   }
    STATUS         current
    DESCRIPTION
        "The set of values, representing the potential range
        of user priority values, against which the value contained
        in the user priority field of a tagged 802.1 frame is
        compared. A test for equality is performed when determining
        if a match exists between the data in a data link layer
        frame and the value of this 802 filter component. Multiple
        values may be set at one time such that potentially several
        different user priority values may match this 802 filter
        component.

        Setting all of the bits that are associated with this
        object causes all user priority values to match this
        attribute. This essentially makes any comparisons
        with regard to user priority values unnecessary. Untagged
        frames are treated as an implicit match."

    ::= { frwk802FilterEntry 8 }

--
-- The Internal label filter extension
--

frwkILabelFilterTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF FrwkILabelFilterEntry
    PIB-ACCESS     install
    STATUS         current

    DESCRIPTION
        "Internal label filter Table. This PRC is used to achieve
         classification based on the internal flow label set by the
         PEP possibly after ingress classification to avoid
         re-classification at the egress interface on the same PEP."

    ::= { frwkClassifierClasses 4 }

frwkILabelFilterEntry OBJECT-TYPE
    SYNTAX         FrwkILabelFilterEntry
    STATUS         current
    DESCRIPTION
        "Internal label filter entry definition."

    EXTENDS { frwkBaseFilterEntry }
    UNIQUENESS { frwkBaseFilterNegation,
                 frwkILabelFilterILabel }

    ::= { frwkILabelFilterTable 1 }

FrwkILabelFilterEntry ::= SEQUENCE {
   frwkILabelFilterILabel      OCTET STRING
}

frwkILabelFilterILabel      OBJECT-TYPE
    SYNTAX       OCTET STRING
    STATUS       current
    DESCRIPTION
       "The Label that this flow uses for differentiating traffic
        flows.  The flow labeling is meant for network device
        internal usage. A value of zero length string matches all
        internal labels."
    ::= { frwkILabelFilterEntry 1 }

--
-- The Marker classes group
--

frwkMarkerClasses
           OBJECT IDENTIFIER ::= { frameworkPib 4 }
--
-- The 802 Marker Table
--

frwk802MarkerTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF Frwk802MarkerEntry
    PIB-ACCESS     install
    STATUS         current

    DESCRIPTION
        "The 802 Marker class. An 802 packet can be marked with the
         specified VLAN id, priority level."

    ::= { frwkMarkerClasses 1 }

frwk802MarkerEntry OBJECT-TYPE
    SYNTAX         Frwk802MarkerEntry
    STATUS         current
    DESCRIPTION
        "frwk802Marker entry definition."

    PIB-INDEX { frwk802MarkerPrid }
    UNIQUENESS { frwk802MarkerVlanId,
                 frwk802MarkerPriority }

    ::= { frwk802MarkerTable 1 }

Frwk802MarkerEntry::= SEQUENCE {
        frwk802MarkerPrid          InstanceId,
        frwk802MarkerVlanId        Unsigned32,
        frwk802MarkerPriority      Unsigned32
}

frwk802MarkerPrid  OBJECT-TYPE
    SYNTAX         InstanceId
    STATUS         current
    DESCRIPTION
        "An integer index to uniquely identify this 802 Marker."

    ::= { frwk802MarkerEntry 1 }

frwk802MarkerVlanId  OBJECT-TYPE
    SYNTAX         Unsigned32 (1..4094)
    STATUS         current
    DESCRIPTION
        "The VLAN ID (VID) that uniquely identifies a VLAN within
         the device."

    ::= { frwk802MarkerEntry 2 }

frwk802MarkerPriority  OBJECT-TYPE
    SYNTAX         Unsigned32 (0..7)
    STATUS         current
    DESCRIPTION
        "The user priority field of a tagged 802.1 frame."

    ::= { frwk802MarkerEntry 3 }

--
-- The Internal Label Marker Table
--

frwkILabelMarkerTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF FrwkILabelMarkerEntry
    PIB-ACCESS     install
    STATUS         current
    DESCRIPTION
        "The Internal Label Marker class. A flow in a PEP can be
        marked with an internal label using this PRC."

    ::= { frwkMarkerClasses 2 }

frwkILabelMarkerEntry OBJECT-TYPE
    SYNTAX         FrwkILabelMarkerEntry
    STATUS         current
    DESCRIPTION
        "frwkILabelMarker entry definition."

    PIB-INDEX { frwkILabelMarkerPrid }
    UNIQUENESS { frwkILabelMarkerILabel }

    ::= { frwkILabelMarkerTable 1 }

FrwkILabelMarkerEntry::= SEQUENCE {
        frwkILabelMarkerPrid          InstanceId,
        frwkILabelMarkerILabel        OCTET STRING
}

frwkILabelMarkerPrid  OBJECT-TYPE
    SYNTAX         InstanceId
    STATUS         current
    DESCRIPTION
        "An integer index to uniquely identify this Label Marker."

    ::= { frwkILabelMarkerEntry 1 }

frwkILabelMarkerILabel  OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
        "This internal label is implementation specific and may be
         used for other policy related functions like flow
         accounting purposes and/or other data path treatments."

    ::= { frwkILabelMarkerEntry 2 }

--
-- Conformance Section
--

frwkBasePibConformance
                OBJECT IDENTIFIER ::= { frameworkPib 5 }

frwkBasePibCompliances
                OBJECT IDENTIFIER ::= { frwkBasePibConformance 1 }

frwkBasePibGroups
                OBJECT IDENTIFIER ::= { frwkBasePibConformance 2 }

frwkBasePibCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
            "Describes the requirements for conformance to the
            Framework PIB."

    MODULE  -- this module
        MANDATORY-GROUPS { frwkPrcSupportGroup,
                           frwkPibIncarnationGroup,
                           frwkDeviceIdGroup,
                           frwkCompLimitsGroup,
                           frwkCapabilitySetGroup,
                           frwkRoleComboGroup,
                           frwkIfRoleComboGroup }

        OBJECT          frwkPibIncarnationLongevity
        PIB-MIN-ACCESS  notify
        DESCRIPTION
           "Install support is required if policy expiration is to
           be supported."

        OBJECT          frwkPibIncarnationTtl
        PIB-MIN-ACCESS  notify
        DESCRIPTION
           "Install support is required if policy expiration is to
           be supported."

        OBJECT          frwkPibIncarnationInCtxtSet
        PIB-MIN-ACCESS  notify
        DESCRIPTION
           "Install support is required if configuration contexts
           and outsourcing contexts are both to be supported."

        OBJECT          frwkPibIncarnationFullState

        PIB-MIN-ACCESS  notify
        DESCRIPTION
            "Install support is required if incremental updates to
            request states are to be supported."

    GROUP   frwkReferenceGroup
        DESCRIPTION
            "The frwkReferenceGroup is mandatory if referencing
            across PIB contexts for specific client-types is to be
            supported."

    GROUP   frwkErrorGroup
        DESCRIPTION
            "The frwkErrorGroup is mandatory if sending errors in
             decisions is to be supported."

    GROUP   frwkBaseFilterGroup
        DESCRIPTION
            "The frwkBaseFilterGroup is mandatory if filtering
             based on traffic components is to be supported."

    GROUP   frwkIpFilterGroup
        DESCRIPTION
            "The frwkIpFilterGroup is mandatory if filtering
             based on IP traffic components is to be supported."

    GROUP   frwk802FilterGroup
        DESCRIPTION
            "The frwk802FilterGroup is mandatory if filtering
            based on 802 traffic criteria is to be supported."

    GROUP   frwkILabelFilterGroup
        DESCRIPTION
            "The frwkILabelFilterGroup is mandatory if filtering
            based on PEP internal label is to be supported."

    GROUP   frwk802MarkerGroup
        DESCRIPTION
            "The frwk802MarkerGroup is mandatory if marking a packet
            with 802 traffic criteria is to be supported."

    GROUP   frwkILabelMarkerGroup
        DESCRIPTION
            "The frwkILabelMarkerGroup is mandatory if marking a
            flow with internal labels is to be supported."

    ::= { frwkBasePibCompliances 1 }

frwkPrcSupportGroup OBJECT-GROUP
    OBJECTS {
             frwkPrcSupportPrid,
             frwkPrcSupportSupportedPrc,
             frwkPrcSupportSupportedAttrs }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkPrcSupportTable."

    ::= { frwkBasePibGroups 1 }

frwkPibIncarnationGroup OBJECT-GROUP
    OBJECTS {
             frwkPibIncarnationPrid,
             frwkPibIncarnationName,
             frwkPibIncarnationId,
             frwkPibIncarnationLongevity,
             frwkPibIncarnationTtl,
             frwkPibIncarnationInCtxtSet,
             frwkPibIncarnationActive,
             frwkPibIncarnationFullState
            }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkDevicePibIncarnationTable."

    ::= { frwkBasePibGroups 2 }

frwkDeviceIdGroup OBJECT-GROUP
    OBJECTS {
             frwkDeviceIdPrid,
             frwkDeviceIdDescr,
             frwkDeviceIdMaxMsg,
             frwkDeviceIdMaxContexts }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkDeviceIdTable."

    ::= { frwkBasePibGroups 3 }

frwkCompLimitsGroup OBJECT-GROUP
    OBJECTS {
             frwkCompLimitsPrid,
             frwkCompLimitsComponent,
             frwkCompLimitsAttrPos,
             frwkCompLimitsNegation,
             frwkCompLimitsType,
             frwkCompLimitsSubType,

             frwkCompLimitsGuidance }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkCompLimitsTable."

    ::= { frwkBasePibGroups 4 }

frwkReferenceGroup OBJECT-GROUP
    OBJECTS {
             frwkReferencePrid,
             frwkReferenceClientType,
             frwkReferenceClientHandle,
             frwkReferenceInstance }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkReferenceTable."

    ::= { frwkBasePibGroups 5 }

frwkErrorGroup OBJECT-GROUP
    OBJECTS {
             frwkErrorPrid,
             frwkErrorCode,
             frwkErrorSubCode,
             frwkErrorPrc,
             frwkErrorInstance }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkErrorTable."

    ::= { frwkBasePibGroups 6 }

frwkCapabilitySetGroup OBJECT-GROUP
    OBJECTS {
             frwkCapabilitySetPrid,
             frwkCapabilitySetName,
             frwkCapabilitySetCapability }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkCapabilitySetTable."

    ::= { frwkBasePibGroups 7 }

frwkRoleComboGroup OBJECT-GROUP
    OBJECTS {
             frwkRoleComboPrid,
             frwkRoleComboRoles,
             frwkRoleComboCapSetName }

    STATUS  current
    DESCRIPTION
            "Objects from the frwkRoleComboTable."

    ::= { frwkBasePibGroups 8 }

frwkIfRoleComboGroup OBJECT-GROUP
    OBJECTS { frwkIfRoleComboIfIndex }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkIfRoleComboTable."

    ::= { frwkBasePibGroups 9 }

frwkBaseFilterGroup OBJECT-GROUP
    OBJECTS {
             frwkBaseFilterPrid,
             frwkBaseFilterNegation }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkBaseFilterTable."

    ::= { frwkBasePibGroups 10 }

frwkIpFilterGroup OBJECT-GROUP
    OBJECTS {
             frwkIpFilterAddrType,
             frwkIpFilterDstAddr,
             frwkIpFilterDstPrefixLength,
             frwkIpFilterSrcAddr,
             frwkIpFilterSrcPrefixLength,
             frwkIpFilterDscp,
             frwkIpFilterFlowId,
             frwkIpFilterProtocol,
             frwkIpFilterDstL4PortMin,
             frwkIpFilterDstL4PortMax,
             frwkIpFilterSrcL4PortMin,
             frwkIpFilterSrcL4PortMax }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkIpFilterTable."

    ::= { frwkBasePibGroups 11 }

frwk802FilterGroup OBJECT-GROUP
    OBJECTS {
             frwk802FilterDstAddr,
             frwk802FilterDstAddrMask,

             frwk802FilterSrcAddr,
             frwk802FilterSrcAddrMask,
             frwk802FilterVlanId,
             frwk802FilterVlanTagRequired,
             frwk802FilterEtherType,
             frwk802FilterUserPriority }
    STATUS  current
    DESCRIPTION
            "Objects from the frwk802FilterTable."

    ::= { frwkBasePibGroups 12 }

frwkILabelFilterGroup OBJECT-GROUP
    OBJECTS { frwkILabelFilterILabel }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkILabelFilterTable."

    ::= { frwkBasePibGroups 13 }

frwk802MarkerGroup OBJECT-GROUP
    OBJECTS {
             frwk802MarkerPrid,
             frwk802MarkerVlanId,
             frwk802MarkerPriority }
    STATUS  current
    DESCRIPTION
            "Objects from the frwk802MarkerTable."

    ::= { frwkBasePibGroups 14 }

frwkILabelMarkerGroup OBJECT-GROUP
    OBJECTS {
             frwkILabelMarkerPrid,
             frwkILabelMarkerILabel }
    STATUS  current
    DESCRIPTION
            "Objects from the frwkILabelMarkerTable."

    ::= { frwkBasePibGroups 15 }

END
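
The frwk802FilterEntry matching rules above (masked address comparison, VLAN tag handling, the EtherType and user priority wildcards) can be followed in this added example, which is not part of the RFC. The Frame and Filter802 containers, the function names and the sample frames are hypothetical, and treating an untagged frame as a non-match for a specific frwk802FilterVlanId is an assumption the PIB text does not settle.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# frwk802FilterVlanTagRequired enumeration values from the PIB.
TAGGED_ONLY, PRIORITY_TAGGED_PLUS, UNTAGGED_ONLY, IGNORE_TAG = 1, 2, 3, 4


@dataclass(frozen=True)
class Frame:
    """Fields a PEP would parse from a frame (hypothetical container)."""
    dst: bytes
    src: bytes
    vid: Optional[int] = None        # None: no 802.1Q tag; 0: priority-tagged
    priority: Optional[int] = None   # user priority from the tag, if tagged
    ethertype: Optional[int] = None  # None: no EtherType field (802.2 LLC)


@dataclass(frozen=True)
class Filter802:
    """One frwk802FilterEntry; the defaults here wildcard every component."""
    dst_addr: bytes = bytes(6)
    dst_mask: bytes = bytes(6)       # all-zero mask wildcards the address
    src_addr: bytes = bytes(6)
    src_mask: bytes = bytes(6)
    vlan_id: int = -1                # -1: VLAN data not considered
    vlan_tag_required: int = IGNORE_TAG
    ethertype: int = -1              # -1: EtherType not considered
    user_priority: FrozenSet[int] = frozenset(range(8))  # BITS 0..7


def addr_ok(value: bytes, addr: bytes, mask: bytes) -> bool:
    """AND the mask into both the frame address and the filter address."""
    if len(mask) != len(addr):
        raise ValueError("mask length must equal address length")
    return len(value) == len(addr) and all(
        (v & m) == (a & m) for v, a, m in zip(value, addr, mask))


def tag_ok(mode: int, vid: Optional[int]) -> bool:
    if mode == TAGGED_ONLY:            # tag present and VID in 1..4094
        return vid is not None and 1 <= vid <= 4094
    if mode == PRIORITY_TAGGED_PLUS:   # any tag, whatever the VID
        return vid is not None
    if mode == UNTAGGED_ONLY:
        return vid is None
    if mode == IGNORE_TAG:
        return True
    raise ValueError(f"unknown frwk802FilterVlanTagRequired value {mode}")


def first_mismatch(flt: Filter802, frame: Frame) -> Optional[str]:
    """Return the first component that fails, or None on an overall match."""
    tagged = frame.vid is not None
    checks = (
        ("frwk802FilterDstAddr",
         addr_ok(frame.dst, flt.dst_addr, flt.dst_mask)),
        ("frwk802FilterSrcAddr",
         addr_ok(frame.src, flt.src_addr, flt.src_mask)),
        # Assumption: an untagged frame never equals a specific VLAN ID.
        ("frwk802FilterVlanId",
         flt.vlan_id == -1 or frame.vid == flt.vlan_id),
        ("frwk802FilterVlanTagRequired",
         tag_ok(flt.vlan_tag_required, frame.vid)),
        # No EtherType field in the frame: a match is implied.
        ("frwk802FilterEtherType",
         flt.ethertype == -1 or frame.ethertype is None
         or frame.ethertype == flt.ethertype),
        # Untagged frames are an implicit match for user priority.
        ("frwk802FilterUserPriority",
         not tagged or frame.priority in flt.user_priority),
    )
    for name, ok in checks:
        if not ok:
            return name
    return None


# Constructed sample data (not from the RFC).
MAC = bytes.fromhex
HOST = MAC("001122aabbcc")
OTHER = MAC("0a0000000001")
UNTAGGED_IP = Frame(dst=HOST, src=OTHER, ethertype=0x0800)
PRIO_TAGGED = Frame(dst=HOST, src=OTHER, vid=0, priority=5, ethertype=0x0800)
LLC_FRAME = Frame(dst=HOST, src=OTHER)  # no EtherType field
# Filter address has host bits set; they are masked off before comparing.
OUI_FILTER = Filter802(dst_addr=MAC("001122ffffff"),
                       dst_mask=MAC("ffffff000000"))

if __name__ == "__main__":
    for flt in (OUI_FILTER, Filter802(vlan_tag_required=TAGGED_ONLY),
                Filter802(ethertype=0x0806)):
        for frame in (UNTAGGED_IP, PRIO_TAGGED, LLC_FRAME):
            print(first_mismatch(flt, frame) or "match")
```

The implied matches (no EtherType field, untagged frame against a user priority set) widen what a filter accepts, so a filter meant to isolate one EtherType or priority should also constrain frwk802FilterVlanTagRequired.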

6. Security Considerations

   It is clear that this PIB is used for configuration using [COPS-PR],
   and anything that can be configured can be misconfigured, with a
   potentially disastrous effect.  At this writing, no security holes
   have been identified beyond those that the COPS base protocol
   security is itself intended to address.  These relate primarily to
   controlled access to sensitive information and the ability to
   configure a device - or which might result from operator error, which
   is beyond the scope of any security architecture.

   There are a number of PRovisioning Classes defined in this PIB that
   have a PIB-ACCESS clause of install and install-notify (read-create).
   These are:

   frwkPibIncarnationTable: Malicious access of this PRC can cause the
   PEP to use an incorrect context of policies.

   frwkReferenceTable: Malicious access of this PRC can cause the PEP to
   interpret the installed policy in an incorrect manner.

   frwkErrorTable: Malicious access of this PRC can cause the PEP to
   incorrectly assume that the PDP could not process its messages.

   frwkCapabilitySetTable, frwkRoleComboTable and frwkIfRoleComboTable:
   Malicious access of these PRCs can cause the PEP to apply policies to
   the wrong interfaces.

   frwkBaseFilterTable, frwkIpFilterTable, frwk802FilterTable and
   frwkILabelFilterTable: Malicious access of these PRCs can cause
   unintended classification of traffic on the PEP potentially leading
   to incorrect policies being applied.

   frwk802MarkerTable, frwkILabelMarkerTable: Malicious access of these
   PRCs can cause unintended marking of traffic on the PEP potentially
   leading to incorrect policies being applied.

   Such objects may be considered sensitive or vulnerable in some
   network environments.  The support for "Install" or "Install-Notify"
   decisions sent over [COPS-PR] in a non-secure environment without
   proper protection can have a negative effect on network operations.
   There are a number of PRovisioning Classes in this PIB that may
   contain information that may be sensitive from a business
   perspective, in that they may represent a customer's service contract
   or the filters that the service provider chooses to apply to a
   customer's ingress or egress traffic.  There are no PRCs that are
   sensitive in their own right, such as passwords or monetary amounts.
   It may be important to control even "Notify"(read-only) access to

   these PRCs and possibly to even encrypt the values of these PRIs when
   sending them over the network via COPS-PR.  The use of IPSEC between
   the PDP and the PEP, as described in [COPS], provides the necessary
   protection against security threats.  However, even if the network
   itself is secure, there is no control as to who on the secure network
   is allowed to "Install/Notify" (read/change/create/delete) the PRIs
   in this PIB.

   It is then a customer/user responsibility to ensure that the PEP/PDP
   giving access to an instance of this PIB, is properly configured to
   give access to only the PRIs and principals (users) that have
   legitimate rights to indeed "Install" or "Notify" (change/create/
   delete) them.
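
   One way to catch filter misconfiguration before it changes
   classification on the PEP is to check the layer-4 attributes of
   each frwkIpFilterTable instance in an Install decision. The sketch
   below is an added example, not part of the RFC: it applies the
   min/max rule and the 'attrValueInvalid' error named in the
   frwkIpFilter*L4Port* descriptions and flags filters left at their
   DEFVALs. The class, function names and the sample decision are
   hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

MATCH_ALL_PROTOCOL = 255      # frwkIpFilterProtocol: 255 means match all
PORT_MAX = 65535              # upper bound of InetPortNumber
ATTR_VALUE_INVALID = "attrValueInvalid"   # COPS-PR error named by the PIB


@dataclass(frozen=True)
class IpFilterL4:
    """Layer-4 attributes of one frwkIpFilterEntry, with the PIB DEFVALs."""
    protocol: int = 255
    dst_port_min: int = 0
    dst_port_max: int = 65535
    src_port_min: int = 0
    src_port_max: int = 65535


def install_errors(f: IpFilterL4) -> List[Tuple[str, str]]:
    """Return (violated rule, error) pairs for inverted port ranges."""
    # Values outside the declared SYNTAX are a caller bug in this sketch;
    # the PIB text shown here names an error only for min > max.
    if not 0 <= f.protocol <= 255:
        raise ValueError("protocol outside Unsigned32 (0..255)")
    for name in ("dst_port_min", "dst_port_max",
                 "src_port_min", "src_port_max"):
        if not 0 <= getattr(f, name) <= PORT_MAX:
            raise ValueError(f"{name} outside the InetPortNumber range")
    errors = []
    if f.dst_port_min > f.dst_port_max:
        errors.append(("frwkIpFilterDstL4PortMin > frwkIpFilterDstL4PortMax",
                       ATTR_VALUE_INVALID))
    if f.src_port_min > f.src_port_max:
        errors.append(("frwkIpFilterSrcL4PortMin > frwkIpFilterSrcL4PortMax",
                       ATTR_VALUE_INVALID))
    return errors


def l4_matches(f: IpFilterL4, protocol: int,
               src_port: int, dst_port: int) -> bool:
    """Data-path test: protocol (255 = any) and both inclusive port ranges."""
    if install_errors(f):
        raise ValueError("filter would have been rejected at install time")
    return ((f.protocol == MATCH_ALL_PROTOCOL or f.protocol == protocol)
            and f.dst_port_min <= dst_port <= f.dst_port_max
            and f.src_port_min <= src_port <= f.src_port_max)


def audit(decision: Dict[int, IpFilterL4]) -> Dict[int, str]:
    """Map each problematic instance id to a finding for operator review."""
    findings = {}
    for prid, f in sorted(decision.items()):
        errors = install_errors(f)
        if errors:
            findings[prid] = "; ".join(f"{err}: {rule}" for rule, err in errors)
        elif f == IpFilterL4():
            # Every L4 attribute is at its DEFVAL, so only the address,
            # DSCP and flow attributes of the entry can narrow the match.
            findings[prid] = "layer-4 attributes match all traffic"
    return findings


# Constructed sample Install decision, keyed by instance id.
SAMPLE_DECISION = {
    1: IpFilterL4(protocol=6, dst_port_min=443, dst_port_max=443),
    2: IpFilterL4(protocol=17, dst_port_min=5060, dst_port_max=5000),
    3: IpFilterL4(),
}

if __name__ == "__main__":
    for prid, finding in audit(SAMPLE_DECISION).items():
        print(prid, finding)
```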

7. IANA Considerations

   This document describes the frameworkPib and frwkTcPib Policy
   Information Base (PIB) modules for registration under the "pib"
   branch registered with IANA.  The IANA has assigned PIB numbers 2 and
   3, respectively.

   Both these PIBs use "all" in the SUBJECT-CATEGORIES clause, i.e.,
   they apply to all COPS client types.  No new COPS client type is to
   be registered for these two PIB modules.

8. References

8.1 Normative References

   [COPS]           Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan,
                    R. and A. Sastry, "The COPS (Common Open Policy
                    Service) Protocol", RFC 2748, January 2000.

   [COPS-PR]        Chan, K., Durham, D., Gai, S., Herzog, S.,
                    McCloghrie, K., Reichmeyer, F., Seligson, J., Smith, A.
                    and R. Yavatkar, "COPS Usage for Policy
                    Provisioning", RFC 3084, March 2001.

   [SPPI]           McCloghrie, K., Fine, M., Seligson, J., Chan, K.,
                    Hahn, S., Sahita, R., Smith, A. and F. Reichmeyer,
                    "Structure of Policy Provisioning Information", RFC
                    3159, August 2001.

   [SNMP-SMI]       McCloghrie, K., Perkins, D., Schoenwaelder, J.,
                    Case, J., Rose, M. and S. Waldbusser, "Structure of
                    Management Information Version 2 (SMIv2)", STD 58,
                    RFC 2578, April 1999.

   [INETADDR]       Daniele, M., Haberman, B., Routhier, S. and J.
                    Schoenwaelder, "Textual Conventions for Internet
                    Network Addresses", RFC 3291, May 2002.

   [802]            IEEE Standards for Local and Metropolitan Area
                    Networks: Overview and Architecture, ANSI/IEEE Std
                    802, 1990.

   [SNMPFRWK]       Harrington, D., Presuhn, R. and B. Wijnen, "An
                    Architecture for Describing Simple Network
                    Management Protocol (SNMP) Management Frameworks",
                    STD 62, RFC 3411, December 2002.

   [RFC2863]        McCloghrie, K. and F. Kastenholz, "The Interfaces
                    Group MIB", RFC 2863, June 2000.

   [DS-MIB]         Baker, F., Chan, K. and  A. Smith, "Management
                    Information Base for the Differentiated Services
                    Architecture", RFC 3289, May 2002.

   [SNMPv2TC]       McCloghrie, K., Perkins, D., and J. Schoenwaelder,
                    "Textual Conventions for SMIv2", STD 58, RFC 2579,
                    April 1999.

   [RFC2279]        Yergeau, F., "UTF-8, a transformation format of ISO
                    10646", RFC 2279, January 1998.

   [RFC2119]        Bradner, S., "Key words to use in the RFCs", BCP 14,
                    RFC 2119, March 1997.

8.2 Informative References

   [RAP-FRAMEWORK]  Yavatkar, R. and D. Pendarakis, "A Framework for
                    Policy-based Admission Control", RFC 2753, January
                    2000.

   [POLTERM]        Westerinen, A., Schnizlein, J., Strassner, J.,
                    Scherling, M., Quinn, B., Herzog, S., Huynh, A.,
                    Carlson, M., Perry, J. and S. Waldbusser,
                    "Terminology for Policy-Based Management", RFC 3198,
                    November 2001.

9. Acknowledgments

   Early versions of this specification were also co-authored by Michael
   Fine, Francis Reichmeyer, John Seligson and Andrew Smith.

   Special thanks to Carol Bell, David Durham and Bert Wijnen for their
   many significant comments.

   Additional useful comments have been made by Diana Rawlins, Martin
   Bokaemper, Tina Iliff, Pedro Da Silva, Juergen Schoenwaelder,
   Noisette Yoann and Man Li.

10. Authors' Addresses

   Ravi Sahita
   Intel Labs.
   2111 NE 25th Avenue
   Hillsboro, OR 97124 USA

   Phone: +1 503 712 1554
   EMail: ravi.sahita@intel.com


   Scott Hahn
   Intel Corp.
   2111 NE 25th Avenue
   Hillsboro, OR 97124 USA

   Phone: +1 503 264 8231
   EMail: scott.hahn@intel.com


   Kwok Ho Chan
   Nortel Networks, Inc.
   600 Technology Park Drive
   Billerica, MA 01821 USA

   Phone: +1 978 288 8175
   EMail: khchan@nortelnetworks.com


   Keith McCloghrie
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA  95134-1706 USA

   Phone: +1 408 526 5260
   EMail: kzm@cisco.com

11.  Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.