tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search

RFC 3460

 
 
 

Policy Core Information Model (PCIM) Extensions

Part 3 of 4, p. 44 to 75
Prev RFC Part       Next RFC Part

 


prevText      Top      Up      ToC       Page 44 
6. Class Definitions

   The following definitions supplement those in PCIM itself.  PCIM
   definitions that are not DEPRECATED here are still current parts of
   the overall Policy Core Information Model.

6.1. The Abstract Class "PolicySet"

   PolicySet is an abstract class that may group policies into a
   structured set of policies.

   NAME             PolicySet
   DESCRIPTION      An abstract class that represents a set of policies
                    that form a coherent set.  The set of contained
                    policies has a common decision strategy and a
                    common set of policy roles.  Subclasses include
                    PolicyGroup and PolicyRule.
   DERIVED FROM     Policy
   ABSTRACT         TRUE
   PROPERTIES       PolicyDecisionStrategy
                    PolicyRoles

   The PolicyDecisionStrategy property specifies the evaluation method
   for policy groups and rules contained within the policy set.

   NAME             PolicyDecisionStrategy
   DESCRIPTION      The evaluation method used for policies contained in
                    the PolicySet.  FirstMatching enforces the actions
                    of the first rule that evaluates to TRUE;
                    All Matching enforces the actions of all rules
                    that evaluate to TRUE.
   SYNTAX           uint16
   VALUES           1 [FirstMatching], 2 [AllMatching]
   DEFAULT VALUE    1 [FirstMatching]

   The definition of PolicyRoles is unchanged from PCIM.  It is,
   however, moved from the class Policy up to the superclass PolicySet.

Top      Up      ToC       Page 45 
6.2. Update PCIM's Class "PolicyGroup"

   The PolicyGroup class is moved, so that it is now derived from
   PolicySet.

   NAME             PolicyGroup
   DESCRIPTION      A container for a set of related PolicyRules and
                    PolicyGroups.
   DERIVED FROM     PolicySet
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.3. Update PCIM's Class "PolicyRule"

   The PolicyRule class is moved, so that it is now derived from
   PolicySet.  The Priority property is also deprecated in PolicyRule,
   and PolicyRoles is now inherited from the parent class PolicySet.
   Finally, a new property ExecutionStrategy is introduced, paralleling
   the property of the same name in the class CompoundPolicyAction.

   NAME             PolicyRule
   DESCRIPTION      The central class for representing the "If Condition
                    then Action" semantics associated with a policy
                    rule.
   DERIVED FROM     PolicySet
   ABSTRACT         FALSE
   PROPERTIES       Enabled
                    ConditionListType
                    RuleUsage
                    Priority DEPRECATED FOR PolicySetComponent.Priority
                                  AND FOR PolicySetInSystem.Priority
                    Mandatory
                    SequencedActions
                    ExecutionStrategy

   The property ExecutionStrategy defines the execution strategy to be
   used upon the sequenced actions aggregated by this PolicyRule. (An
   equivalent ExecutionStrategy property is also defined for the
   CompoundPolicyAction class, to provide the same indication for the
   sequenced actions aggregated by a CompoundPolicyAction.)  This
   document defines three execution strategies:

   Do Until Success - execute actions according to predefined order,
                      until successful execution of a single action.
   Do All -           execute ALL actions which are part of the modeled
                      set, according to their predefined order.
                      Continue doing this, even if one or more of the
                      actions fails.

Top      Up      ToC       Page 46 
   Do Until Failure - execute actions according to predefined order,
                      until the first failure in execution of a single
                      sub-action.

   The property definition is as follows:

   NAME             ExecutionStrategy
   DESCRIPTION      An enumeration indicating how to interpret the
                    action ordering for the actions aggregated by this
                    PolicyRule.
   SYNTAX           uint16 (ENUM, {1=Do Until Success, 2=Do All, 3=Do
                    Until Failure} )
   DEFAULT VALUE    Do All (2)

6.4. The Class "SimplePolicyCondition"

   A simple policy condition is composed of an ordered triplet:

      <Variable>  MATCH  <Value>

   No formal modeling of the MATCH operator is provided.  The 'match'
   relationship is implied.  Such simple conditions are evaluated by
   answering the question:

      Does <variable> match <value>?

   The 'match' relationship is to be interpreted by analyzing the
   variable and value instances associated with the simple condition.

   Simple conditions are building blocks for more complex Boolean
   Conditions, modeled by the CompoundPolicyCondition class.

   The SimplePolicyCondition class is derived from the PolicyCondition
   class defined in PCIM.

   A variable and a value must be associated with a simple condition to
   make it a meaningful condition, using, respectively, the aggregations
   PolicyVariableInSimplePolicyCondition and
   PolicyValueInSimplePolicyCondition.

   The class definition is as follows:

   NAME             SimplePolicyCondition
   DERIVED FROM     PolicyCondition
   ABSTRACT         False
   PROPERTIES       (none)

Top      Up      ToC       Page 47 
6.5. The Class "CompoundPolicyCondition"

   This class represents a compound policy condition, formed by
   aggregation of simpler policy conditions.

   NAME             CompoundPolicyCondition
   DESCRIPTION      A subclass of PolicyCondition that introduces the
                    ConditionListType property, used for assigning DNF /
                    CNF semantics to subordinate policy conditions.
   DERIVED FROM     PolicyCondition
   ABSTRACT         FALSE
   PROPERTIES       ConditionListType

   The ConditionListType property is used to specify whether the list of
   policy conditions associated with this compound policy condition is
   in disjunctive normal form (DNF) or conjunctive normal form (CNF).
   If this property is not present, the list type defaults to DNF.  The
   property definition is as follows:

   NAME             ConditionListType
   DESCRIPTION      Indicates whether the list of policy conditions
                    associated with this policy rule is in disjunctive
                    normal form (DNF) or conjunctive normal form (CNF).
   SYNTAX           uint16
   VALUES           DNF(1), CNF(2)
   DEFAULT VALUE    DNF(1)

6.6. The Class "CompoundFilterCondition"

   This subclass of CompoundPolicyCondition introduces one additional
   property, the boolean IsMirrored.  This property turns on or off the
   "flipping" of corresponding source and destination fields in a filter
   specification.

   NAME             CompoundFilterCondition
   DESCRIPTION      A subclass of CompoundPolicyCondition that
                    introduces the IsMirrored property.
   DERIVED FROM     CompoundPolicyCondition
   ABSTRACT         FALSE
   PROPERTIES       IsMirrored

   The IsMirrored property indicates whether packets that "mirror" a
   compound filter condition should be treated as matching the filter.
   The property definition is as follows:

Top      Up      ToC       Page 48 
   NAME             IsMirrored
   DESCRIPTION      Indicates whether packets that mirror the specified
                    filter are to be treated as matching the filter.
   SYNTAX           boolean
   DEFAULT VALUE    FALSE

6.7. The Class "SimplePolicyAction"

   The SimplePolicyAction class models the elementary set operation.
   "SET <variable> TO <value>".  The set operator MUST overwrite an old
   value of the variable.

   Two aggregations are used in order to create the pair <variable>
   <value>.  The aggregation PolicyVariableInSimplePolicyAction relates
   a SimplePolicyAction to a single variable instance.  Similarly, the
   aggregation PolicyValueInSimplePolicyAction relates a
   SimplePolicyAction to a single value instance.  Both aggregations are
   defined in this document.

   NAME             SimplePolicyAction
   DESCRIPTION      A subclass of PolicyAction that introduces the
                    notion of "SET variable TO value".
   DERIVED FROM     PolicyAction
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.8. The Class "CompoundPolicyAction"

   The CompoundPolicyAction class is used to represent an expression
   consisting of an ordered sequence of action terms.  Each action term
   is represented as a subclass of the PolicyAction class, defined in
   [PCIM].  Compound actions are constructed by associating dependent
   action terms together using the PolicyActionInPolicyAction
   aggregation.

   The class definition is as follows:

   NAME             CompoundPolicyAction
   DESCRIPTION      A class for representing sequenced action terms.
                    Each action term is defined to be a subclass of the
                    PolicyAction class.
   DERIVED FROM     PolicyAction
   ABSTRACT         FALSE
   PROPERTIES       SequencedActions
                    ExecutionStrategy

   This is a concrete class, and is therefore directly instantiable.

Top      Up      ToC       Page 49 
   The Property SequencedActions is identical to the SequencedActions
   property defined in PCIM for the class PolicyRule.

   The property ExecutionStrategy defines the execution strategy to be
   used upon the sequenced actions associated with this compound action.
   (An equivalent ExecutionStrategy property is also defined for the
   PolicyRule class, to provide the same indication for the sequenced
   actions associated with a PolicyRule.)  This document defines three
   execution strategies:

   Do Until Success - execute actions according to predefined order,
                      until successful execution of a single sub-action.
   Do All -           execute ALL actions which are part of the modeled
                      set, according to their predefined order.
                      Continue doing this, even if one or more of the
                      sub-actions fails.
   Do Until Failure - execute actions according to predefined order,
                      until the first failure in execution of a single
                      sub-action.

   Since a CompoundPolicyAction may itself be aggregated either by a
   PolicyRule or by another CompoundPolicyAction, its success or failure
   will be an input to the aggregating entity's execution strategy.
   Consequently, the following rules are specified, for determining
   whether a CompoundPolicyAction succeeds or fails:

   If the CompoundPolicyAction's ExecutionStrategy is Do Until Success,
   then:

      o  If one component action succeeds, then the CompoundPolicyAction
         succeeds.
      o  If all component actions fail, then the CompoundPolicyAction
         fails.

   If the CompoundPolicyAction's ExecutionStrategy is Do All, then:

      o  If all component actions succeed, then the CompoundPolicyAction
         succeeds.
      o  If at least one component action fails, then the
         CompoundPolicyAction fails.

   If the CompoundPolicyAction's ExecutionStrategy is Do Until Failure,
   then:

      o  If all component actions succeed, then the CompoundPolicyAction
         succeeds.
      o  If at least one component action fails, then the
         CompoundPolicyAction fails.

Top      Up      ToC       Page 50 
   The definition of the ExecutionStrategy property is as follows:

   NAME             ExecutionStrategy
   DESCRIPTION      An enumeration indicating how to interpret the
                    action ordering for the actions aggregated by this
                    CompoundPolicyAction.
   SYNTAX           uint16 (ENUM, {1=Do Until Success, 2=Do All, 3=Do
                    Until Failure} )
   DEFAULT VALUE    Do All (2)

6.9. The Abstract Class "PolicyVariable"

   Variables are used for building individual conditions.  The variable
   specifies the property of a flow or an event that should be matched
   when evaluating the condition.  However, not every combination of a
   variable and a value creates a meaningful condition.  For example, a
   source IP address variable can not be matched against a value that
   specifies a port number.  A given variable selects the set of
   matchable value types.

   A variable can have constraints that limit the set of values within a
   particular value type that can be matched against it in a condition.
   For example, a source-port variable limits the set of values to
   represent integers to the range of 0-65535.  Integers outside this
   range cannot be matched to the source-port variable, even though they
   are of the correct data type.  Constraints for a given variable are
   indicated through the ExpectedPolicyValuesForVariable association.

   The PolicyVariable is an abstract class.  Implicit and explicit
   context variable classes are defined as sub classes of the
   PolicyVariable class.  A set of implicit variables is defined in this
   document as well.

   The class definition is as follows:

   NAME             PolicyVariable
   DERIVED FROM     Policy
   ABSTRACT         TRUE
   PROPERTIES       (none)

6.10. The Class "PolicyExplicitVariable"

   Explicitly defined policy variables are evaluated within the context
   of the CIM Schema and its modeling constructs.  The
   PolicyExplicitVariable class indicates the exact model property to be
   evaluated or manipulated.  See Section 5.8.6 for a complete
   discussion of what happens when the values of the ModelClass and

Top      Up      ToC       Page 51 
   ModelProperty properties in an instance of this class do not
   correspond to the characteristics of the model construct being
   evaluated or updated.

   The class definition is as follows:

   NAME             PolicyExplicitVariable
   DERIVED FROM     PolicyVariable
   ABSTRACT         False
   PROPERTIES       ModelClass, ModelProperty

6.10.1. The Single-Valued Property "ModelClass"

   This property is a string specifying the class name whose property is
   evaluated or set as a PolicyVariable.

   The property is defined as follows:

   NAME             ModelClass
   SYNTAX           String

6.10.2. The Single-Valued Property ModelProperty

   This property is a string specifying the property name, within the
   ModelClass, which is evaluated or set as a PolicyVariable.  The
   property is defined as follows:

   NAME             ModelProperty
   SYNTAX           String

6.11. The Abstract Class "PolicyImplicitVariable"

   Implicitly defined policy variables are evaluated outside of the
   context of the CIM Schema and its modeling constructs.  Subclasses
   specify the data type and semantics of the PolicyVariables.

   Interpretation and evaluation of a PolicyImplicitVariable can vary,
   depending on the particular context in which it is used.  For
   example, a "SourceIP" address may denote the source address field of
   an IP packet header, or the sender address delivered by an RSVP PATH
   message.

   The class definition is as follows:

   NAME             PolicyImplicitVariable
   DERIVED FROM     PolicyVariable
   ABSTRACT         True
   PROPERTIES       ValueTypes[ ]

Top      Up      ToC       Page 52 
6.11.1. The Multi-Valued Property "ValueTypes"

   This property is a set of strings specifying an unordered list of
   possible value/data types that can be used in simple conditions and
   actions, with this variable.  The value types are specified by their
   class names (subclasses of PolicyValue such as PolicyStringValue).
   The list of class names enables an application to search on a
   specific name, as well as to ensure that the data type of the
   variable is of the correct type.

   The list of default ValueTypes for each subclass of
   PolicyImplicitVariable is specified within that variable's
   definition.

   The property is defined as follows:

   NAME             ValueTypes
   SYNTAX           String

6.12. Subclasses of "PolicyImplicitVariable" Specified in PCIMe

   The following subclasses of PolicyImplicitVariable are defined in
   PCIMe.

6.12.1. The Class "PolicySourceIPv4Variable"

   NAME             PolicySourceIPv4Variable
   DESCRIPTION      The source IPv4 address. of the outermost IP packet
                    header.  "Outermost" here refers to the IP packet as
                    it flows on the wire, before any headers have been
                    stripped from it.

                    ALLOWED VALUE TYPES:
                      - PolicyIPv4AddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.2. The Class "PolicySourceIPv6Variable"

   NAME             PolicySourceIPv6Variable
   DESCRIPTION      The source IPv6 address of the outermost IP packet
                    header.  "Outermost" here refers to the IP packet as
                    it flows on the wire, before any headers have been
                    stripped from it.

Top      Up      ToC       Page 53 
                    ALLOWED VALUE TYPES:
                      - PolicyIPv6AddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.3. The Class "PolicyDestinationIPv4Variable"

   NAME             PolicyDestinationIPv4Variable
   DESCRIPTION      The destination IPv4 address of the outermost IP
                    packet header.  "Outermost" here refers to the IP
                    packet as it flows on the wire, before any headers
                    have been stripped from it.

                    ALLOWED VALUE TYPES:
                      - PolicyIPv4AddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.4. The Class "PolicyDestinationIPv6Variable"

   NAME             PolicyDestinationIPv6Variable
   DESCRIPTION      The destination IPv6 address of the outermost IP
                    packet header.  "Outermost" here refers to the IP
                    packet as it flows on the wire, before any headers
                    have been stripped from it.

                    ALLOWED VALUE TYPES:
                    - PolicyIPv6AddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

Top      Up      ToC       Page 54 
6.12.5. The Class "PolicySourcePortVariable"

   NAME             PolicySourcePortVariable
   DESCRIPTION      Ports are defined as the abstraction that transport
                    protocols use to distinguish among multiple
                    destinations within a given host computer.  For TCP
                    and UDP flows, the PolicySourcePortVariable is
                    logically bound to the source port field of the
                    outermost UDP or TCP packet header.  "Outermost"
                    here refers to the IP packet as it flows on the
                    wire, before any headers have been stripped from
                    it.
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..65535)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.6. The Class "PolicyDestinationPortVariable"

   NAME             PolicyDestinationPortVariable
   DESCRIPTION      Ports are defined as the abstraction that transport
                    protocols use to distinguish among multiple
                    destinations within a given host computer.  For TCP
                    and UDP flows, the PolicyDestinationPortVariable is
                    logically bound to the destination port field of the
                    outermost UDP or TCP packet header.  "Outermost"
                    here refers to the IP packet as it flows on the
                    wire, before any headers have been stripped from it.

                   ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..65535)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.7. The Class "PolicyIPProtocolVariable"

   NAME             PolicyIPProtocolVariable
   DESCRIPTION      The IP protocol number.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..255)

Top      Up      ToC       Page 55 
   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.8. The Class "PolicyIPVersionVariable"

   NAME             PolicyIPVersionVariable
   DESCRIPTION      The IP version number.  The well-known values are 4
                    and 6.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..15)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.9. The Class "PolicyIPToSVariable"

   NAME             PolicyIPToSVariable
   DESCRIPTION      The IP TOS octet.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..255)
                      - PolicyBitStringValue (8 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.10. The Class "PolicyDSCPVariable"

   NAME             PolicyDSCPVariable
   DESCRIPTION      The 6 bit Differentiated Service Code Point.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..63)
                      - PolicyBitStringValue (6 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

Top      Up      ToC       Page 56 
6.12.11. The Class "PolicyFlowIdVariable"

   NAME             PolicyFlowIdVariable
   DESCRIPTION      The flow identifier of the outermost IPv6 packet
                    header.  "Outermost" here refers to the IP packet as
                    it flows on the wire, before any headers have been
                    stripped from it.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..1048575
                      - PolicyBitStringValue (20 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.12. The Class "PolicySourceMACVariable"

   NAME             PolicySourceMACVariable
   DESCRIPTION      The source MAC address.

                    ALLOWED VALUE TYPES:
                      - PolicyMACAddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.13. The Class "PolicyDestinationMACVariable"

   NAME             PolicyDestinationMACVariable
   DESCRIPTION      The destination MAC address.

                    ALLOWED VALUE TYPES:
                      - PolicyMACAddrValue

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.14. The Class "PolicyVLANVariable"

   NAME             PolicyVLANVariable
   DESCRIPTION      The virtual Bridged Local Area Network Identifier, a
                    12-bit field as defined in the IEEE 802.1q standard.

Top      Up      ToC       Page 57 
                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..4095)
                      - PolicyBitStringValue (12 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.15. The Class "PolicyCoSVariable"

   NAME             PolicyCoSVariable
   DESCRIPTION      Class of Service, a 3-bit field, used in the layer 2
                    header to select the forwarding treatment.  Bound to
                    the IEEE 802.1q user-priority field.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..7)
                      - PolicyBitStringValue (3 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.16. The Class "PolicyEthertypeVariable"

   NAME             PolicyEthertypeVariable
   DESCRIPTION      The Ethertype protocol number of Ethernet frames.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..65535)
                      - PolicyBitStringValue (16 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.17. The Class "PolicySourceSAPVariable"

   NAME             PolicySourceSAPVariable
   DESCRIPTION      The Source Service Access Point (SAP) number of the
                    IEEE 802.2 LLC header.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..255)
                      - PolicyBitStringValue (8 bits)

Top      Up      ToC       Page 58 
   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.18. The Class "PolicyDestinationSAPVariable"

   NAME             PolicyDestinationSAPVariable
   DESCRIPTION      The Destination Service Access Point (SAP) number of
                    the IEEE 802.2 LLC header.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..255)
                      - PolicyBitStringValue (8 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.19. The Class "PolicySNAPOUIVariable"

   NAME PolicySNAPOUIVariable
   DESCRIPTION      The value of the first three octets of the Sub-
                    Network Access Protocol (SNAP) Protocol Identifier
                    field for 802.2 SNAP encapsulation, containing an
                    Organizationally Unique Identifier (OUI).  The value
                    00-00-00 indicates the encapsulation of Ethernet
                    frames (RFC 1042).  OUI value 00-00-F8 indicates the
                    special encapsulation of Ethernet frames by certain
                    types of bridges (IEEE 802.1H).  Other values are
                    supported, but are not further defined here.  These
                    OUI values are to be interpreted according to the
                    endian-notation conventions of IEEE 802.  For either
                    of the two Ethernet encapsulations, the remainder of
                    the Protocol Identifier field is represented by the
                    PolicySNAPTypeVariable.

                    ALLOWED VALUE TYPES:
                    - PolicyIntegerValue (0..16777215)
                    - PolicyBitStringValue (24 bits)

   DERIVED          FROM PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

Top      Up      ToC       Page 59 
6.12.20. The Class "PolicySNAPTypeVariable"

   NAME             PolicySNAPTypeVariable
   DESCRIPTION      The value of the 4th and 5th octets of the Sub-
                    Network Access Protocol (SNAP) Protocol Identifier
                    field for IEEE 802 SNAP encapsulation when the
                    PolicySNAPOUIVariable indicates one of the two
                    Encapsulated Ethernet frame formats.  This value is
                    undefined for other values of PolicySNAPOUIVariable.

                    ALLOWED VALUE TYPES:
                      - PolicyIntegerValue (0..65535)
                      - PolicyBitStringValue (16 bits)

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.12.21. The Class "PolicyFlowDirectionVariable"

   NAME             PolicyFlowDirectionVariable
   DESCRIPTION      The direction of a flow relative to a network
                    element.  Direction may be "IN" and/or "OUT".

                    ALLOWED VALUE TYPES:
                      - PolicyStringValue ('IN", "OUT")

   DERIVED FROM     PolicyImplicitVariable
   ABSTRACT         FALSE
   PROPERTIES       (none)

   To match on both inbound and outbound flows, the associated
   PolicyStringValue object has two entries in its StringList property:
   "IN" and "OUT".

6.13. The Abstract Class "PolicyValue"

   This is an abstract class that serves as the base class for all
   subclasses that are used to define value objects in the PCIMe.  It is
   used for defining values and constants used in policy conditions.
   The class definition is as follows:

   NAME             PolicyValue
   DERIVED FROM     Policy
   ABSTRACT         True
   PROPERTIES       (none)

Top      Up      ToC       Page 60 
6.14. Subclasses of "PolicyValue" Specified in PCIMe

   The following subsections contain the PolicyValue subclasses defined
   in PCIMe.  Additional subclasses may be defined in models derived
   from PCIMe.

6.14.1. The Class "PolicyIPv4AddrValue"

   This class is used to provide a list of IPv4Addresses, hostnames and
   address range values to be matched against in a policy condition.
   The class definition is as follows:

   NAME             PolicyIPv4AddrValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       IPv4AddrList[ ]

   The IPv4AddrList property provides an unordered list of strings, each
   specifying a single IPv4 address, a hostname, or a range of IPv4
   addresses, according to the ABNF definition [6] of an IPv4 address,
   as specified below:

   IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
   IPv4prefix  = IPv4address "/" 1*2DIGIT
   IPv4range = IPv4address"-"IPv4address
   IPv4maskedaddress = IPv4address","IPv4address
   Hostname (as defined in [4])

   In the above definition, each string entry is either:

   1. A single IPv4address in dot notation, as defined above.  Example:
      121.1.1.2

   2. An IPv4prefix address range, as defined above, specified by an
      address and a prefix length, separated by "/".  Example:
      2.3.128.0/15

   3. An IPv4range address range defined above, specified by a starting
      address in dot notation and an ending address in dot notation,
      separated by "-".  The range includes all addresses between the
      range's starting and ending addresses, including these two
      addresses.  Example: 1.1.22.1-1.1.22.5

   4. An IPv4maskedaddress address range, as defined above, specified by
      an address and mask.  The address and mask are represented in dot
      notation, separated by a comma ",".  The masked address appears
      before the comma, and the mask appears after the comma.  Example:
      2.3.128.0,255.255.248.0.

Top      Up      ToC       Page 61 
   5. A single Hostname.  The Hostname format follows the guidelines and
      restrictions specified in [4].  Example: www.bigcompany.com.

   Conditions matching IPv4AddrValues evaluate to true according to the
   generic matching rules.  Additionally, a hostname is matched against
   another valid IPv4address representation by resolving the hostname
   into an IPv4 address first, and then comparing the addresses
   afterwards.  Matching hostnames against each other is done using a
   string comparison of the two names.

   The property definition is as follows:

   NAME             IPv4AddrList
   SYNTAX           String
   FORMAT           IPv4address | IPv4prefix | IPv4range |
                    IPv4maskedaddress | hostname

6.14.2. The Class "PolicyIPv6AddrValue

   This class is used to define a list of IPv6 addresses, hostnames, and
   address range values.  The class definition is as follows:

   NAME             PolicyIPv6AddrValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       IPv6AddrList[ ]

   The property IPv6AddrList provides an unordered list of strings, each
   specifying an IPv6 address, a hostname, or a range of IPv6 addresses.
   IPv6 address format definition uses the standard address format
   defined in [7].  The ABNF definition [6] as specified in [7] is:

   IPv6address = hexpart [ ":" IPv4address ]
   IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
   IPv6prefix  = hexpart "/" 1*2DIGIT
   hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
   hexseq  = hex4 *( ":" hex4)
   hex4    = 1*4HEXDIG
   IPv6range = IPv6address"-"IPv6address
   IPv6maskedaddress = IPv6address","IPv6address
   Hostname (as defines in [NAMES])

   Each string entry is either:

   1. A single IPv6address as defined above.

   2. A single Hostname.  Hostname format follows guidelines and
      restrictions specified in [4].

Top      Up      ToC       Page 62 
   3. An IPv6range address range, specified by a starting address in dot
      notation and an ending address in dot notation, separated by "-".
      The range includes all addresses between the range's starting and
      ending addresses, including these two addresses.

   4. An IPv4maskedaddress address range defined above specified by an
      address and mask.  The address and mask are represented in dot
      notation separated by a comma ",".

   5. A single IPv6prefix as defined above.

   Conditions matching IPv6AddrValues evaluate to true according to the
   generic matching rules.  Additionally, a hostname is matched against
   another valid IPv6address representation by resolving the hostname
   into an IPv6 address first, and then comparing the addresses
   afterwards.  Matching hostnames against each other is done using a
   string comparison of the two names.

6.14.3. The Class "PolicyMACAddrValue"

   This class is used to define a list of MAC addresses and MAC address
   range values.  The class definition is as follows:

   NAME             PolicyMACAddrValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       MACAddrList[ ]

   The property MACAddrList provides an unordered list of strings, each
   specifying a MAC address or a range of MAC addresses.  The 802 MAC
   address canonical format is used.  The ABNF definition [6] is:

   MACaddress  = 1*4HEXDIG ":" 1*4HEXDIG ":" 1*4HEXDIG
   MACmaskedaddress = MACaddress","MACaddress

   Each string entry is either:

   1. A single MAC address.  Example: 0000:00A5:0000

   2. A MACmaskedaddress address range defined specified by an address
      and mask.  The mask specifies the relevant bits in the address.
      Example: 0000:00A5:0000,FFFF:FFFF:0000 defines a range of MAC
      addresses in which the first four octets are equal to 0000:00A5.

Top      Up      ToC       Page 63 
   The property definition is as follows:

   NAME             MACAddrList
   SYNTAX           String
   FORMAT           MACaddress | MACmaskedaddress

6.14.4. The Class "PolicyStringValue"

   This class is used to represent a single string value, or a set of
   string values.  Each value can have wildcards.  The class definition
   is as follows:

   NAME             PolicyStringValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       StringList[ ]

   The property StringList provides an unordered list of strings, each
   representing a single string with wildcards.  The asterisk character
   "*" is used as a wildcard, and represents an arbitrary substring
   replacement.  For example, the value "abc*def" matches the string
   "abcxyzdef", and the value "abc*def*" matches the string
   "abcxxxdefyyyzzz".  The syntax definition is identical to the
   substring assertion syntax defined in [5].  If the asterisk character
   is required as part of the string value itself, it MUST be quoted as
   described in Section 4.3 of [5].

   The property definition is as follows:

   NAME                 StringList
   SYNTAX               String

6.14.5. The Class "PolicyBitStringValue"

   This class is used to represent a single bit string value, or a set
   of bit string values.  The class definition is as follows:

   NAME             PolicyBitStringValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       BitStringList[ ]

   The property BitStringList provides an unordered list of strings,
   each representing a single bit string or a set of bit strings.  The
   number of bits specified SHOULD equal the number of bits of the
   expected variable.  For example, for a one-octet variable, 8 bits

Top      Up      ToC       Page 64 
   should be specified.  If the variable does not have a fixed length,
   the bit string should be matched against the variable's most
   significant bit string.  The formal definition of a bit string is:

   binary-digit = "0" / "1"
   bitString = 1*binary-digit
   maskedBitString = bitString","bitString

   Each string entry is either:

   1. A single bit string. Example: 00111010

   2. A range of bit strings specified using a bit string and a bit
      mask.  The bit string and mask fields have the same number of bits
      specified.  The mask bit string specifies the significant bits in
      the bit string value.  For example, 110110, 100110 and 110111
      would match the maskedBitString 100110,101110 but 100100 would
      not.

   The property definition is as follows:

   NAME             BitStringList
   SYNTAX           String
   FORMAT           bitString | maskedBitString

6.14.6. The Class "PolicyIntegerValue"

   This class provides a list of integer and integer range values.
   Integers of arbitrary sizes can be represented.  The class definition
   is as follows:

   NAME             PolicyIntegerValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       IntegerList[ ]

   The property IntegerList provides an unordered list of integers and
   integer range values, represented as strings.  The format of this
   property takes one of the following forms:

   1. An integer value.

   2. A range of integers. The range is specified by a starting integer
      and an ending integer, separated by '..'.  The starting integer
      MUST be less than or equal to the ending integer.  The range
      includes all integers between the starting and ending integers,
      including these two integers.

Top      Up      ToC       Page 65 
   To represent a range of integers that is not bounded, the reserved
   words -INFINITY and/or INFINITY can be used in place of the starting
   and ending integers.  In addition to ordinary integer matches,
   INFINITY matches INFINITY and -INFINITY matches -INFINITY.

   The ABNF definition [6] is:

   integer = [-]1*DIGIT | "INFINITY" | "-INFINITY"
   integerrange = integer".."integer

   Using ranges, the operators greater-than, greater-than-or-equal-to,
   less- than, and less-than-or-equal-to can be expressed.  For example,
   "X is- greater-than 5" (where X is an integer) can be translated to
   "X matches 6-INFINITY".  This enables the match condition semantics
   of the operator for the SimplePolicyCondition class to be kept simple
   (i.e., just the value "match").

   The property definition is as follows:

   NAME             IntegerList
   SYNTAX           String
   FORMAT           integer | integerrange

6.14.7. The Class "PolicyBooleanValue"

   This class is used to represent a Boolean (TRUE/FALSE) value.  The
   class definition is as follows:

   NAME             PolicyBooleanValue
   DERIVED FROM     PolicyValue
   ABSTRACT         False
   PROPERTIES       BooleanValue

   The property definition is as follows:

   NAME             BooleanValue
   SYNTAX           boolean

6.15. The Class "PolicyRoleCollection"

   This class represents a collection of managed elements that share a
   common role.  The PolicyRoleCollection always exists in the context
   of a system, specified using the PolicyRoleCollectionInSystem
   association.  The value of the PolicyRole property in this class
   specifies the role, and can be matched with the value(s) in the
   PolicyRoles array in PolicyRules and PolicyGroups.  ManagedElements
   that share the role defined in this collection are aggregated into
   the collection via the association ElementInPolicyRoleCollection.

Top      Up      ToC       Page 66 
   NAME             PolicyRoleCollection
   DESCRIPTION      A subclass of the CIM Collection class used to group
                    together managed elements that share a role.
   DERIVED FROM     Collection
   ABSTRACT         FALSE

   PROPERTIES       PolicyRole

6.15.1. The Single-Valued Property "PolicyRole"

   This property represents the role associated with a
   PolicyRoleCollection.  The property definition is as follows:

   NAME             PolicyRole
   DESCRIPTION      A string representing the role associated with a
                    PolicyRoleCollection.
   SYNTAX           string

6.16. The Class "ReusablePolicyContainer"

   The new class ReusablePolicyContainer is defined as follows:

   NAME             ReusablePolicyContainer
   DESCRIPTION      A class representing an administratively defined
                    container for reusable policy-related information.
                    This class does not introduce any additional
                    properties beyond those in its superclass
                    AdminDomain.  It does, however, participate in
                    a number of unique associations.
   DERIVED FROM     AdminDomain
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.17. Deprecate PCIM's Class "PolicyRepository"

   The class definition of PolicyRepository (from PCIM) is updated as
   follows, with an indication that the class has been deprecated.  Note
   that when an element of the model is deprecated, its replacement
   element is identified explicitly.

   NAME             PolicyRepository
   DEPRECATED FOR   ReusablePolicyContainer
   DESCRIPTION      A class representing an administratively defined
                    container for reusable policy-related information.
                    This class does not introduce any additional
                    properties beyond those in its superclass
                    AdminDomain.  It does, however, participate in a
                    number of unique associations.

Top      Up      ToC       Page 67 
   DERIVED FROM     AdminDomain
   ABSTRACT         FALSE
   PROPERTIES       (none)

6.18. The Abstract Class "FilterEntryBase"

   FilterEntryBase is the abstract base class from which all filter
   entry classes are derived.  It serves as the endpoint for the
   EntriesInFilterList aggregation, which groups filter entries into
   filter lists.  Its properties include CIM naming attributes and an
   IsNegated boolean property (to easily "NOT" the match information
   specified in an instance of one of its subclasses).

   The class definition is as follows:

   NAME                FilterEntryBase
   DESCRIPTION         An abstract class representing a single
                       filter that is aggregated into a
                       FilterList via the aggregation
                       EntriesInFilterList.
   DERIVED FROM        LogicalElement
   TYPE                Abstract
   PROPERTIES          IsNegated

6.19. The Class "IpHeadersFilter"

   This concrete class contains the most commonly required properties
   for performing filtering on IP, TCP or UDP headers.  Properties not
   present in an instance of IPHeadersFilter are treated as 'all
   values'.  A property HdrIpVersion identifies whether the IP addresses
   in an instance are IPv4 or IPv6 addresses.  Since the source and
   destination IP addresses come from the same packet header, they will
   always be of the same type.

   The class definition is as follows:

   NAME                IpHeadersFilter
   DESCRIPTION         A class representing an entire IP
                       header filter, or any subset of one.
   DERIVED FROM        FilterEntryBase
   TYPE                Concrete
   PROPERTIES          HdrIpVersion, HdrSrcAddress,
                       HdrSrcAddressEndOfRange, HdrSrcMask,
                       HdrDestAddress, HdrDestAddressEndOfRange,
                       HdrDestMask, HdrProtocolID,
                       HdrSrcPortStart, HdrSrcPortEnd,
                       HdrDestPortStart, HdrDestPortEnd, HdrDSCP[ ],
                       HdrFlowLabel

Top      Up      ToC       Page 68 
6.19.1. The Property HdrIpVersion

   This property is an 8-bit unsigned integer, identifying the version
   of the IP addresses to be filtered on.  IP versions are identified as
   they are in the Version field of the IP packet header - IPv4 = 4,
   IPv6 = 6.  These two values are the only ones defined for this
   property.

   The value of this property determines the sizes of the OctetStrings
   in the six properties HdrSrcAddress, HdrSrcAddressEndOfRange,
   HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange, and
   HdrDestMask, as follows:

   o  IPv4:  OctetString(SIZE (4))

   o  IPv6:  OctetString(SIZE (16|20)), depending on whether a scope
      identifier is present

   If a value for this property is not provided, then the filter does
   not consider IP version in selecting matching packets, i.e., IP
   version matches for all values.  In this case, the HdrSrcAddress,
   HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress,
   HdrDestAddressEndOfRange, and HdrDestMask must also not be present.

6.19.2. The Property HdrSrcAddress

   This property is an OctetString, of a size determined by the value of
   the HdrIpVersion property, representing a source IP address.  When
   there is no HdrSrcAddressEndOfRange value, this value is compared to
   the source address in the IP header, subject to the mask represented
   in the HdrSrcMask property.  (Note that the mask is ANDed with the
   address.)  When there is a HdrSrcAddressEndOfRange value, this value
   is the start of the specified range (i.e., the HdrSrcAddress is lower
   than the HdrSrcAddressEndOfRange) that is compared to the source
   address in the IP header and matches on any value in the range.

   If a value for this property is not provided, then the filter does
   not consider HdrSrcAddress in selecting matching packets, i.e.,
   HdrSrcAddress matches for all values.

6.19.3. The Property HdrSrcAddressEndOfRange

   This property is an OctetString, of a size determined by the value of
   the HdrIpVersion property, representing the end of a range of source
   IP addresses (inclusive), where the start of the range is the
   HdrSrcAddress property value.

Top      Up      ToC       Page 69 
   If a value for HdrSrcAddress is not provided, then this property also
   MUST NOT be provided.  If a value for this property is provided, then
   HdrSrcMask MUST NOT be provided.

6.19.4. The Property HdrSrcMask

   This property is an OctetString, of a size determined by the value of
   the HdrIpVersion property, representing a mask to be used in
   comparing the source address in the IP header with the value
   represented in the HdrSrcAddress property.

   If a value for this property is not provided, then the filter does
   not consider HdrSrcMask in selecting matching packets, i.e., the
   value of HdrSrcAddress or the source address range must match the
   source address in the packet exactly.  If a value for this property
   is provided, then HdrSrcAddressEndOfRange MUST NOT be provided.

6.19.5. The Property HdrDestAddress

   This property is an OctetString, of a size determined by the value of
   the HdrIpVersion property, representing a destination IP address.
   When there is no HdrDestAddressEndOfRange value, this value is
   compared to the destination address in the IP header, subject to the
   mask represented in the HdrDestMask property.  (Note that the mask is
   ANDed with the address.)  When there is a HdrDestAddressEndOfRange
   value, this value is the start of the specified range (i.e., the
   HdrDestAddress is lower than the HdrDestAddressEndOfRange) that is
   compared to the destination address in the IP header and matches on
   any value in the range.

   If a value for this property is not provided, then the filter does
   not consider HdrDestAddress in selecting matching packets, i.e.,
   HdrDestAddress matches for all values.

6.19.6. The Property HdrDestAddressEndOfRange

   This property is an OctetString, of a size determined by the value of
   the HdrIpVersion property, representing the end of a range of
   destination IP addresses (inclusive), where the start of the range is
   the HdrDestAddress property value.

   If a value for HdrDestAddress is not provided, then this property
   also MUST NOT be provided.  If a value for this property is provided,
   then HdrDestMask MUST NOT be provided.

Top      Up      ToC       Page 70 
6.19.7. The Property HdrDestMask

   This property is an OctetString, of a size determined by the value of
   the HdrIpVersion property, representing a mask to be used in
   comparing the destination address in the IP header with the value
   represented in the HdrDestAddress property.

   If a value for this property is not provided, then the filter does
   not consider HdrDestMask in selecting matching packets, i.e., the
   value of HdrDestAddress or the destination address range must match
   the destination address in the packet exactly.  If a value for this
   property is provided, then HdrDestAddressEndOfRange MUST NOT be
   provided.

6.19.8. The Property HdrProtocolID

   This property is an 8-bit unsigned integer, representing an IP
   protocol type.  This value is compared to the Protocol field in the
   IP header.

   If a value for this property is not provided, then the filter does
   not consider HdrProtocolID in selecting matching packets, i.e.,
   HdrProtocolID matches for all values.

6.19.9. The Property HdrSrcPortStart

   This property is a 16-bit unsigned integer, representing the lower
   end of a range of UDP or TCP source ports.  The upper end of the
   range is represented by the HdrSrcPortEnd property.  The value of
   HdrSrcPortStart MUST be no greater than the value of HdrSrcPortEnd.
   A single port is indicated by equal values for HdrSrcPortStart and
   HdrSrcPortEnd.

   A source port filter is evaluated by testing whether the source port
   identified in the IP header falls within the range of values between
   HdrSrcPortStart and HdrSrcPortEnd, including these two end points.

   If a value for this property is not provided, then the filter does
   not consider HdrSrcPortStart in selecting matching packets, i.e.,
   there is no lower bound in matching source port values.

6.19.10. The Property HdrSrcPortEnd

   This property is a 16-bit unsigned integer, representing the upper
   end of a range of UDP or TCP source ports.  The lower end of the
   range is represented by the HdrSrcPortStart property.  The value of

Top      Up      ToC       Page 71 
   HdrSrcPortEnd MUST be no less than the value of HdrSrcPortStart.  A
   single port is indicated by equal values for HdrSrcPortStart and
   HdrSrcPortEnd.

   A source port filter is evaluated by testing whether the source port
   identified in the IP header falls within the range of values between
   HdrSrcPortStart and HdrSrcPortEnd, including these two end points.

   If a value for this property is not provided, then the filter does
   not consider HdrSrcPortEnd in selecting matching packets, i.e., there
   is no upper bound in matching source port values.

6.19.11. The Property HdrDestPortStart

   This property is a 16-bit unsigned integer, representing the lower
   end of a range of UDP or TCP destination ports.  The upper end of the
   range is represented by the HdrDestPortEnd property.  The value of
   HdrDestPortStart MUST be no greater than the value of HdrDestPortEnd.
   A single port is indicated by equal values for HdrDestPortStart and
   HdrDestPortEnd.

   A destination port filter is evaluated by testing whether the
   destination port identified in the IP header falls within the range
   of values between HdrDestPortStart and HdrDestPortEnd, including
   these two end points.

   If a value for this property is not provided, then the filter does
   not consider HdrDestPortStart in selecting matching packets, i.e.,
   there is no lower bound in matching destination port values.

6.19.12. The Property HdrDestPortEnd

   This property is a 16-bit unsigned integer, representing the upper
   end of a range of UDP or TCP destination ports.  The lower end of the
   range is represented by the HdrDestPortStart property.  The value of
   HdrDestPortEnd MUST be no less than the value of HdrDestPortStart.  A
   single port is indicated by equal values for HdrDestPortStart and
   HdrDestPortEnd.

   A destination port filter is evaluated by testing whether the
   destination port identified in the IP header falls within the range
   of values between HdrDestPortStart and HdrDestPortEnd, including
   these two end points.

   If a value for this property is not provided, then the filter does
   not consider HdrDestPortEnd in selecting matching packets, i.e.,
   there is no upper bound in matching destination port values.

Top      Up      ToC       Page 72 
6.19.13. The Property HdrDSCP

   The property HdrDSCP is defined as an array of uint8's, restricted to
   the range 0..63.  Since DSCPs are defined as discrete code points,
   with no inherent structure, there is no semantically significant
   relationship between different DSCPs.  Consequently, there is no
   provision for specifying a range of DSCPs in this property.  However,
   a list of individual DSCPs, which are ORed together to form a filter,
   is supported by the array syntax.

   If a value for this property is not provided, then the filter does
   not consider HdrDSCP in selecting matching packets, i.e., HdrDSCP
   matches for all values.

6.19.14. The Property HdrFlowLabel

   The 20-bit Flow Label field in the IPv6 header may be used by a
   source to label sequences of packets for which it requests special
   handling by IPv6 devices, such as non-default quality of service or
   'real-time' service.  This property is an octet string of size 3
   (that is, 24 bits), in which the 20-bit Flow Label appears in the
   rightmost 20 bits, padded on the left with b'0000'.

   If a value for this property is not provided, then the filter does
   not consider HdrFlowLabel in selecting matching packets, i.e.,
   HdrFlowLabel matches for all values.

6.20. The Class "8021Filter"

   This concrete class allows 802.1.source and destination MAC
   addresses, as well as the 802.1 protocol ID, priority, and VLAN
   identifier fields, to be expressed in a single object

   The class definition is as follows:

   NAME                8021Filter
   DESCRIPTION         A class that allows 802.1 source
                       and destination MAC address and
                       protocol ID, priority, and VLAN
                       identifier filters to be
                       expressed in a single object.
   DERIVED FROM        FilterEntryBase
   TYPE                Concrete
   PROPERTIES          8021HdrSrcMACAddr, 8021HdrSrcMACMask,
                       8021HdrDestMACAddr, 8021HdrDestMACMask,
                       8021HdrProtocolID, 8021HdrPriorityValue,
                       8021HDRVLANID

Top      Up      ToC       Page 73 
6.20.1. The Property 8021HdrSrcMACAddr

   This property is an OctetString of size 6, representing a 48-bit
   source MAC address in canonical format.  This value is compared to
   the SourceAddress field in the MAC header, subject to the mask
   represented in the 8021HdrSrcMACMask property.

   If a value for this property is not provided, then the filter does
   not consider 8021HdrSrcMACAddr in selecting matching packets, i.e.,
   8021HdrSrcMACAddr matches for all values.

6.20.2. The Property 8021HdrSrcMACMask

   This property is an OctetString of size 6, representing a 48-bit mask
   to be used in comparing the SourceAddress field in the MAC header
   with the value represented in the 8021HdrSrcMACAddr property.

   If a value for this property is not provided, then the filter does
   not consider 8021HdrSrcMACMask in selecting matching packets, i.e.,
   the value of 8021HdrSrcMACAddr must match the source MAC address in
   the packet exactly.

6.20.3. The Property 8021HdrDestMACAddr

   This property is an OctetString of size 6, representing a 48-bit
   destination MAC address in canonical format.  This value is compared
   to the DestinationAddress field in the MAC header, subject to the
   mask represented in the 8021HdrDestMACMask property.

   If a value for this property is not provided, then the filter does
   not consider 8021HdrDestMACAddr in selecting matching packets, i.e.,
   8021HdrDestMACAddr matches for all values.

6.20.4. The Property 8021HdrDestMACMask

   This property is an OctetString of size 6, representing a 48-bit mask
   to be used in comparing the DestinationAddress field in the MAC
   header with the value represented in the 8021HdrDestMACAddr property.

   If a value for this property is not provided, then the filter does
   not consider 8021HdrDestMACMask in selecting matching packets, i.e.,
   the value of 8021HdrDestMACAddr must match the destination MAC
   address in the packet exactly.

Top      Up      ToC       Page 74 
6.20.5. The Property 8021HdrProtocolID

   This property is a 16-bit unsigned integer, representing an Ethernet
   protocol type.  This value is compared to the Ethernet Type field in
   the 802.3 MAC header.

   If a value for this property is not provided, then the filter does
   not consider 8021HdrProtocolID in selecting matching packets, i.e.,
   8021HdrProtocolID matches for all values.

6.20.6. The Property 8021HdrPriorityValue

   This property is an 8-bit unsigned integer, representing an 802.1Q
   priority.  This value is compared to the Priority field in the 802.1Q
   header.  Since the 802.1Q Priority field consists of 3 bits, the
   values for this property are limited to the range 0..7.

   If a value for this property is not provided, then the filter does
   not consider 8021HdrPriorityValue in selecting matching packets,
   i.e., 8021HdrPriorityValue matches for all values.

6.20.7. The Property 8021HdrVLANID

   This property is a 32-bit unsigned integer, representing an 802.1Q
   VLAN Identifier.  This value is compared to the VLAN ID field in the
   802.1Q header.  Since the 802.1Q VLAN ID field consists of 12 bits,
   the values for this property are limited to the range 0..4095.

   If a value for this property is not provided, then the filter does
   not consider 8021HdrVLANID in selecting matching packets, i.e.,
   8021HdrVLANID matches for all values.

6.21. The Class FilterList

   This is a concrete class that aggregates instances of (subclasses of)
   FilterEntryBase via the aggregation EntriesInFilterList.  It is
   possible to aggregate different types of filters into a single
   FilterList - for example, packet header filters (represented by the
   IpHeadersFilter class) and security filters (represented by
   subclasses of FilterEntryBase defined by IPsec).

   The aggregation property EntriesInFilterList.EntrySequence is always
   set to 0, to indicate that the aggregated filter entries are ANDed
   together to form a selector for a class of traffic.

Top      Up      ToC       Page 75 
   The class definition is as follows:

   NAME                FilterList
   DESCRIPTION         A concrete class representing
                       the aggregation of multiple filters.
   DERIVED FROM        LogicalElement
   TYPE                Concrete
   PROPERTIES          Direction

6.21.1. The Property Direction

   This property is a 16-bit unsigned integer enumeration, representing
   the direction of the traffic flow to which the FilterList is to be
   applied.  Defined enumeration values are

   o  NotApplicable(0)
   o  Input(1)
   o  Output(2)
   o  Both(3) - This value is used to indicate that the direction is
      immaterial, e.g., to filter on a source subnet regardless of
      whether the flow is inbound or outbound
   o  Mirrored(4) - This value is also applicable to both inbound and
      outbound flow processing, but it indicates that the filter
      criteria are applied asymmetrically to traffic in both directions
      and, thus, specifies the reversal of source and destination
      criteria (as opposed to the equality of these criteria as
      indicated by "Both").  The match conditions in the aggregated
      FilterEntryBase subclass instances are defined from the
      perspective of outbound flows and applied to inbound flows as well
      by reversing the source and destination criteria.  So, for
      example, consider a FilterList with 3 filter entries indicating
      destination port = 80, and source and destination addresses of a
      and b, respectively.  Then, for the outbound direction, the filter
      entries match as specified and the 'mirror' (for the inbound
      direction) matches on source port = 80 and source and destination
      addresses of b and a, respectively.



(page 75 continued on part 4)

Next RFC Part