POLICY-FRAMEWORK-PIB DEFINITIONS ::= BEGIN

IMPORTS
    Unsigned32, Integer32, MODULE-IDENTITY, OBJECT-TYPE
            FROM SNMPv2-SMI
    MODULE-COMPLIANCE, OBJECT-GROUP
            FROM SNMPv2-CONF
    TruthValue, TEXTUAL-CONVENTION
            FROM SNMPv2-TC
    SnmpAdminString
            FROM SNMP-FRAMEWORK-MIB
    policy
            FROM SYNOPTICS-ROOT-MIB;

policyFrameworkPib MODULE-IDENTITY
    LAST-UPDATED "200407200000Z"
    ORGANIZATION "IETF RAP WG"
    CONTACT-INFO "
                  Michael Fine
                  Cisco Systems, Inc.
                  170 West Tasman Drive
                  San Jose, CA 95134-1706 USA
                  Phone: +1 408 527 8218
                  Email: mfine@cisco.com

                  Keith McCloghrie
                  Cisco Systems, Inc.
                  170 West Tasman Drive,
                  San Jose, CA 95134-1706 USA
                  Phone: +1 408 526 5260
                  Email: kzm@cisco.com

                  John Seligson
                  Nortel Networks, Inc.
                  4401 Great America Parkway
                  Santa Clara, CA 95054 USA
                  Phone: +1 408 495 2992
                  Email: jseligso@nortelnetworks.com"
    DESCRIPTION
            "A PIB module containing the base set of policy rule
            classes that are required for support of all policies."
    REVISION "200407200000Z" -- 20 July 2004
    DESCRIPTION
            "Version 3: Added version info"
    ::= { policy 1 }

policyBasePibClass OBJECT IDENTIFIER ::= { policyFrameworkPib 1 }

--
-- Textual Conventions
--

--
-- Interface Role and Role Combination
--

Role ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
            "A role represents a functionality characteristic or
            capability of a resource to which policies are applied.
            The only valid character set is US-ASCII. Valid characters
            are a-z, A-Z, 0-9, period, hyphen and underscore. A role
            must always start with a letter (a-z or A-Z)."
    SYNTAX       OCTET STRING (SIZE (1..32))

RoleCombination ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
            "An octet string containing concatenated Roles. For the
            format specification of roles, refer to the 'Role'
            TEXTUAL-CONVENTION. A valid Role Combination must be
            formed by a set of valid Roles, concatenated by the
            US-ASCII character '+', where the roles are in
            lexicographic order from minimum to maximum.

            For example, 'a+b' and 'b+a' are NOT different
            role-combinations; rather, they are different formatting
            of the same (one) role-combination.

            Notice the roles within a role-combination are in
            Lexicographic order from minimum to maximum, hence, we
            declare:
            'a+b' is the valid formatting of the role-combination,
            'b+a' is an invalid formatting of the role-combination.

            Notice the need of zero-length role-combination as the
            role-combination of interfaces to which no roles have
            been assigned. This role-combination is also known as
            the 'null' role-combination. (Note the deliberate use of
            lower case letters to avoid confusion with the US-ASCII
            NULL character which has a value of zero but length of
            one)."
    SYNTAX       OCTET STRING (SIZE (0..255))

--
-- Policy Instance Index (from RAP SPPI)
--

PolicyInstanceId ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
            "The textual convention for use by an attribute which is
            used as the instance-identifying index of a PRC, i.e., an
            attribute named in an INDEX clause. The value of an
            attribute with this syntax is always greater than zero.
            PRIs of the same PRC need not have contiguous values for
            their instance-identifying attribute."
    SYNTAX       Unsigned32 (1..4294967295)

--
-- PRC Support Table
--

policyPrcSupportTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF PolicyPrcSupportEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "Each instance of this class specifies a PRC that the
            device supports and a bit string to indicate the
            attributes of the class that are supported. These PRIs
            are sent to the PDP to indicate to the PDP which PRCs,
            and which attributes of these PRCs, the device supports.
            This table can also be downloaded by a network manager
            when static configuration is used.

            All install and install-notify PRCs supported by the
            device must be represented in this table."
    ::= { policyBasePibClass 1 }

policyPrcSupportEntry OBJECT-TYPE
    SYNTAX       PolicyPrcSupportEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "An instance of the policyPrcSupport class that
            identifies a specific policy class and associated
            attributes as supported by the device."
    INDEX { policyPrcSupportPrid }
    ::= { policyPrcSupportTable 1 }

PolicyPrcSupportEntry ::= SEQUENCE {
        policyPrcSupportPrid           PolicyInstanceId,
        policyPrcSupportSupportedPrc   OBJECT IDENTIFIER,
        policyPrcSupportSupportedAttrs OCTET STRING,
        policyPrcSupportMaxPris        Unsigned32
}

policyPrcSupportPrid OBJECT-TYPE
    SYNTAX       PolicyInstanceId
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "An arbitrary integer index that uniquely identifies an
            instance of the policyPrcSupport class."
    ::= { policyPrcSupportEntry 1 }

policyPrcSupportSupportedPrc OBJECT-TYPE
    SYNTAX       OBJECT IDENTIFIER
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "The object identifier of a supported PRC. There may not
            be more than one instance of the policyPrcSupport class
            with the same value of policyPrcSupportSupportedPrc."
    ::= { policyPrcSupportEntry 2 }

policyPrcSupportSupportedAttrs OBJECT-TYPE
    SYNTAX       OCTET STRING
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "A bit string representing the supported attributes of the
            class that is identified by the
            policyPrcSupportSupportedPrc object.

            Each bit of this bit mask corresponds to a class
            attribute, with the most significant bit of the i-th
            octet of this octet string corresponding to the
            (8*i - 7)-th attribute, and the least significant bit of
            the i-th octet corresponding to the (8*i)-th class
            attribute. Each bit of this bit mask specifies whether or
            not the corresponding class attribute is currently
            supported, with a '1' indicating support and a '0'
            indicating no support. If the value of this bit mask is
            N bits long and there are more than N class attributes
            then the bit mask is logically extended with 0's to the
            required length."
    ::= { policyPrcSupportEntry 3 }

policyPrcSupportMaxPris OBJECT-TYPE
    SYNTAX       Unsigned32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "A non-negative value indicating the maximum number of
            policy rule instances that can be installed in the
            identified policy rule class. Note that the actual number
            of PRIs that can be installed in a PRC at any given time
            may be less than this value based on the current
            operational state (e.g., resources currently consumed) of
            the device."
    ::= { policyPrcSupportEntry 4 }

--
-- PIB Incarnation Table
--

policyPibIncarnationTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF PolicyPibIncarnationEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "This class contains a single policy rule instance that
            identifies the current incarnation of the PIB and the PDP
            or network manager that installed this incarnation. The
            instance of this class is reported to the PDP at client
            connect time so that the PDP can (attempt to) ascertain
            the current state of the PIB. A network manager may use
            the instance to determine the state of the device with
            regard to existing NMS interactions."
    ::= { policyBasePibClass 2 }

policyPibIncarnationEntry OBJECT-TYPE
    SYNTAX       PolicyPibIncarnationEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "An instance of the policyPibIncarnation class. Only
            one instance of this policy class is ever instantiated."
    INDEX { policyPibIncarnationPrid }
    ::= { policyPibIncarnationTable 1 }

PolicyPibIncarnationEntry ::= SEQUENCE {
        policyPibIncarnationPrid      PolicyInstanceId,
        policyPibIncarnationName      SnmpAdminString,
        policyPibIncarnationId        OCTET STRING,
        policyPibIncarnationLongevity INTEGER,
        policyPibIncarnationTtl       Unsigned32,
        policyPibIncarnationActive    TruthValue
}

policyPibIncarnationPrid OBJECT-TYPE
    SYNTAX       PolicyInstanceId
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "An index to uniquely identify an instance of this
            policy class."
    ::= { policyPibIncarnationEntry 1 }

policyPibIncarnationName OBJECT-TYPE
    SYNTAX       SnmpAdminString
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
            "The name of the entity that installed the current
            incarnation of the PIB into the device. The name may
            reference a PDP when dynamic configuration is being used
            or a network manager when static configuration is being
            used. By default, it is the zero length string."
    ::= { policyPibIncarnationEntry 2 }

policyPibIncarnationId OBJECT-TYPE
    SYNTAX       OCTET STRING
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
            "An ID to identify the current incarnation. It has
            meaning to the PDP/manager that installed the PIB and
            perhaps its standby PDPs/managers. By default, it is the
            zero-length string."
    ::= { policyPibIncarnationEntry 3 }

policyPibIncarnationLongevity OBJECT-TYPE
    SYNTAX       INTEGER {
                     expireNever(1),
                     expireImmediate(2),
                     expireOnTimeout(3)
                 }
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
            "This attribute controls what the PEP does with the
            downloaded policy on receipt of a Client Close message or
            a loss of connection to the PDP.

            If set to expireNever, the PEP continues to operate with
            the installed policy indefinitely. If set to
            expireImmediate, the PEP immediately expires the policy
            obtained from the PDP and installs policy from local
            configuration. If set to expireOnTimeout, the PEP
            continues to operate with the policy installed by the PDP
            for a period of time specified by
            policyPibIncarnationTtl. After this time (and it has not
            reconnected to the original or new PDP) the PEP expires
            this policy and reverts to local configuration.

            For all cases, it is the responsibility of the PDP to
            check the incarnation and download new policy, if
            necessary, on a reconnect. Policy enforcement timing only
            applies to policies that have been installed dynamically
            (e.g., by a PDP via COPS)."
    ::= { policyPibIncarnationEntry 4 }

policyPibIncarnationTtl OBJECT-TYPE
    SYNTAX       Unsigned32
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
            "The number of seconds after a Client Close or TCP
            timeout for which the PEP continues to enforce the policy
            in the PIB. After this interval, the PIB is considered
            expired and the device no longer enforces the policy
            installed in the PIB. This attribute is only meaningful
            if policyPibIncarnationLongevity is set to
            expireOnTimeout."
    ::= { policyPibIncarnationEntry 5 }

policyPibIncarnationActive OBJECT-TYPE
    SYNTAX       TruthValue
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
            "If this attribute is set to TRUE, then the PIB instance
            to which this PRI belongs becomes the active PIB
            instance. The previous active instance becomes inactive
            and the policyPibIncarnationActive attribute in that PIB
            instance is automatically set to false."
    ::= { policyPibIncarnationEntry 6 }

--
-- Device Identification Table
--
-- This table supports the ability to export general
-- purpose device information to facilitate efficient
-- communication between the device and a PDP
--

policyDeviceIdentificationTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF PolicyDeviceIdentificationEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "This class contains a single policy rule instance that
            contains device-specific information that is used to
            facilitate efficient policy installation by a PDP. The
            instance of this class is reported to the PDP at client
            connect time so that the PDP can take into account
            certain device characteristics during policy
            installation."
    ::= { policyBasePibClass 3 }

policyDeviceIdentificationEntry OBJECT-TYPE
    SYNTAX       PolicyDeviceIdentificationEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "An instance of the policyDeviceIdentification class.
            Only one instance of this policy class is ever
            instantiated."
    INDEX { policyDeviceIdentificationPrid }
    ::= { policyDeviceIdentificationTable 1 }

PolicyDeviceIdentificationEntry ::= SEQUENCE {
        policyDeviceIdentificationPrid   PolicyInstanceId,
        policyDeviceIdentificationDescr  SnmpAdminString,
        policyDeviceIdentificationMaxMsg Unsigned32
}

policyDeviceIdentificationPrid OBJECT-TYPE
    SYNTAX       PolicyInstanceId
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "An index to uniquely identify an instance of this
            policy class."
    ::= { policyDeviceIdentificationEntry 1 }

policyDeviceIdentificationDescr OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..255))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "A textual description of the PEP. This value should
            include the name and version identification of the PEP's
            hardware and software."
    ::= { policyDeviceIdentificationEntry 2 }

policyDeviceIdentificationMaxMsg OBJECT-TYPE
    SYNTAX       Unsigned32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "The maximum message size, in octets, that the device is
            capable of processing. Received messages with a size in
            excess of this value must cause the PEP to return an
            error to the PDP containing the global error code
            'maxMsgSizeExceeded'."
    ::= { policyDeviceIdentificationEntry 3 }

--
-- Policy Component Limitations Table
--
-- This table supports the ability to export information
-- detailing policy class/attribute implementation limitations
-- to the policy management system.
--

policyCompLimitsTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF PolicyCompLimitsEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "Each instance of this class identifies a policy class or
            attribute and a limitation related to the implementation
            of the class/attribute in the device. Additional
            information providing guidance related to the limitation
            may also be present. These PRIs are sent to the PDP to
            indicate which PRCs or PRC attributes the device supports
            in a restricted manner."
    ::= { policyBasePibClass 4 }

policyCompLimitsEntry OBJECT-TYPE
    SYNTAX       PolicyCompLimitsEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "An instance of the policyCompLimits class that
            identifies a PRC or PRC attribute and a limitation
            related to the PRC or PRC attribute implementation
            supported by the device.

            All PRIs of this class represent errors that would be
            returned in relation to the identified component for
            policy installation requests that don't abide by the
            restrictions indicated by the error code and, possibly, a
            provided guidance value."
    INDEX { policyCompLimitsPrid }
    ::= { policyCompLimitsTable 1 }

PolicyCompLimitsEntry ::= SEQUENCE {
        policyCompLimitsPrid      PolicyInstanceId,
        policyCompLimitsComponent OBJECT IDENTIFIER,
        policyCompLimitsType      Integer32,
        policyCompLimitsGuidance  OCTET STRING
}

policyCompLimitsPrid OBJECT-TYPE
    SYNTAX       PolicyInstanceId
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "An arbitrary integer index that uniquely identifies an
            instance of the policyCompLimits class."
    ::= { policyCompLimitsEntry 1 }

policyCompLimitsComponent OBJECT-TYPE
    SYNTAX       OBJECT IDENTIFIER
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "The object identifier of a PRC or PRC attribute that is
            supported in some limited fashion with regard to its
            definition in the associated PIB module. The same PRC or
            PRC attribute identifier may appear in the table several
            times, once for each implementation limitation
            acknowledged by the device."
    ::= { policyCompLimitsEntry 2 }

policyCompLimitsType OBJECT-TYPE
    SYNTAX       Integer32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "A value describing an implementation limitation for the
            device related to the PRC or PRC attribute identified by
            the policyCompLimitsComponent data in this class
            instance.

            Values for this object are derived from the defined error
            values associated with the PRC of the identified
            attribute or the PRC itself.
            All genericPrc and specificPrc (defined in a PRC
            INSTALL-ERRORS clause) error codes represent valid
            limitation type values.

            For example, an implementation of the qosIpAce class may
            be limited in several ways, such as address mask,
            protocol and Layer 4 port options. These limitations
            could be exported using this table with the following
            instances:

            Prid Component              Type                   Guidance
             1   'qosIpAceDstAddrMask'  'valueSupLimited'      0xFFFFFFFF
             2   'qosIpAceSrcAddrMask'  'valueSupLimited'      0xFFFFFFFF
             3   'qosIpAceProtocol'     'valueSupLimited'      0x06 -- TCP
             4   'qosIpAceProtocol'     'valueSupLimited'      0x17 -- UDP
             5   'qosIpAceDstL4PortMin' 'invalidDstL4PortData'
             6   'qosIpAceDstL4PortMax' 'invalidDstL4PortData'
             7   'qosIpAcePermit'       'enumSupLimited'       'true'

            The above entries describe a number of limitations that
            may be in effect for the qosIpAce class on a given
            device. The limitations include restrictions on
            acceptable values for certain attributes and indications
            of the relationship between related attributes."
    ::= { policyCompLimitsEntry 3 }

policyCompLimitsGuidance OBJECT-TYPE
    SYNTAX       OCTET STRING (SIZE(0..64))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "A value used to convey additional information related to
            the implementation limitation noted by the
            policyCompLimitsType attribute. The value of this
            attribute must be interpreted in the context of the
            policyCompLimitsType value. Note that a guidance value
            will not necessarily be provided for all exported
            limitations.
            Well-known genericPrc error codes that are applicable to
            all PRCs, such as 'attrValueSupLimited' and
            'attrEnumSupLimited', have guidance value semantics as
            follows:

            genericPrc             Guidance Semantics

            attrValueSupLimited    Integer32 (4 octets) with
                                   supported value
            attrEnumSupLimited     Integer32 (4 octets) with
                                   supported enumeration
            attrMaxLengthExceeded  Integer32 (4 octets) with maximum
                                   supported length for attribute

            The specificPrc error codes have the semantics of the
            associated guidance value specified where the
            installation error is defined if appropriate. Errors for
            which the semantics of the guidance value are not
            specified require this value to be treated in an
            implementation dependent manner."
    ::= { policyCompLimitsEntry 4 }

--
-- Conformance Section
--

policyBasePibConformance
             OBJECT IDENTIFIER ::= { policyFrameworkPib 2 }

policyBasePibCompliances
             OBJECT IDENTIFIER ::= { policyBasePibConformance 1 }

policyBasePibGroups
             OBJECT IDENTIFIER ::= { policyBasePibConformance 2 }

policyBasePibCompliance MODULE-COMPLIANCE
    STATUS       current
    DESCRIPTION
            "Describes the requirements for conformance to the
            Policy Framework PIB."
    MODULE -- this module
        MANDATORY-GROUPS { policyPrcSupportGroup,
                           policyPibIncarnationGroup,
                           policyDeviceIdentificationGroup,
                           policyCompLimitsGroup }

        OBJECT       policyPibIncarnationLongevity
        MIN-ACCESS   read-only
        DESCRIPTION
                "Install support is not required."

        OBJECT       policyPibIncarnationTtl
        MIN-ACCESS   read-only
        DESCRIPTION
                "Install support is not required."

        OBJECT       policyPibIncarnationActive
        MIN-ACCESS   read-only
        DESCRIPTION
                "Install support is not required."
    ::= { policyBasePibCompliances 1 }

policyPrcSupportGroup OBJECT-GROUP
    OBJECTS { policyPrcSupportSupportedPrc,
              policyPrcSupportSupportedAttrs,
              policyPrcSupportMaxPris }
    STATUS       current
    DESCRIPTION
            "Objects from the policyPrcSupportTable."
    ::= { policyBasePibGroups 1 }

policyPibIncarnationGroup OBJECT-GROUP
    OBJECTS { policyPibIncarnationName,
              policyPibIncarnationId,
              policyPibIncarnationLongevity,
              policyPibIncarnationTtl,
              policyPibIncarnationActive }
    STATUS       current
    DESCRIPTION
            "Objects from the policyPibIncarnationTable."
    ::= { policyBasePibGroups 2 }

policyDeviceIdentificationGroup OBJECT-GROUP
    OBJECTS { policyDeviceIdentificationDescr,
              policyDeviceIdentificationMaxMsg }
    STATUS       current
    DESCRIPTION
            "Objects from the policyDeviceIdentificationTable."
    ::= { policyBasePibGroups 3 }

policyCompLimitsGroup OBJECT-GROUP
    OBJECTS { policyCompLimitsComponent,
              policyCompLimitsType,
              policyCompLimitsGuidance }
    STATUS       current
    DESCRIPTION
            "Objects from the policyCompLimitsTable."
    ::= { policyBasePibGroups 4 }

END
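
The following Python sketch is an added example, not part of the PIB module or of any vendor implementation. It shows how a PDP or management tool could enforce the Role and RoleCombination formatting rules and decode the MSB-first policyPrcSupportSupportedAttrs bit mask described above. All function names are hypothetical, and treating a repeated role as invalid is an assumption drawn from the word "set" in the RoleCombination description.

```python
import re

# Role: 1..32 octets of a-z A-Z 0-9 . - _ and the first character is a letter.
ROLE_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,31}")
MAX_ROLE_COMBINATION = 255  # RoleCombination SIZE (0..255)


def is_valid_role(role):
    # fullmatch avoids the trailing-newline acceptance that '$' would allow.
    return ROLE_RE.fullmatch(role) is not None


def canonical_role_combination(roles):
    """Build the one valid formatting for a set of roles ('' for no roles)."""
    unique = set(roles)
    bad = sorted(r for r in unique if not is_valid_role(r))
    if bad:
        raise ValueError(f"invalid role(s): {bad}")
    # ASCII-only strings sort by code point, i.e. octet-wise lexicographic order.
    combined = "+".join(sorted(unique))
    if len(combined) > MAX_ROLE_COMBINATION:
        raise ValueError("role-combination exceeds 255 octets")
    return combined


def is_canonical_role_combination(value):
    """Accept only the valid formatting; 'b+a' is rejected, not reordered."""
    if value == "":
        return True  # the 'null' role-combination
    if len(value) > MAX_ROLE_COMBINATION:
        return False
    parts = value.split("+")
    if not all(is_valid_role(p) for p in parts):
        return False
    # Assumption: "set" means no repeats, so order must be strictly increasing.
    return all(a < b for a, b in zip(parts, parts[1:]))


def supported_attributes(mask, attr_count):
    """Return the 1-based attribute numbers flagged as supported in the mask."""
    supported = []
    for n in range(1, attr_count + 1):
        octet, bit = divmod(n - 1, 8)
        # MSB of octet i (1-based) is attribute 8*i - 7; octets past the end
        # of the mask count as 0 (the logical extension in the description).
        if octet < len(mask) and mask[octet] & (0x80 >> bit):
            supported.append(n)
    return supported


if __name__ == "__main__":
    # Constructed sample values, not taken from any device.
    print(canonical_role_combination(["edge", "Core", "edge"]))
    print(is_canonical_role_combination("b+a"))
    print(supported_attributes(bytes([0xA0, 0x80]), 12))
```

Comparing received role-combinations byte for byte against the canonical form keeps 'a+b' and 'b+a' from being treated as two distinct policy targets.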