Internet Engineering Task Force Authors INTERNET DRAFT R. Rajan/J. C. Martin IBM/Sun Microsystems S. Kamat/M. See/ R. Chaudhury IBM/Xylan/ Telstra D. Verma/ G. Powers/ R. Yavatkar IBM/ Packeteer/ Intel 23/ October/1998 Schema for Differentiated Services and Integrated Services in Networks draft-rajan-policy-qosschema-00.txt Status of Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). Abstract This document describes the structure of a directory schema to enable and support administration of differentiated services and/or integrated services within and among Internet domains, intranets, and extranets. This draft replaces draft-ellesson-sla-schema-00.txt. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page i] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 1. Overview Integrated services with RSVP [2] signaling approach seeks to provide per-flow QoS assurances with dynamic resource reservation. A flow is defined by the 5-tuple (source address, destination address, protocol, source port, destination port). In this context, there is a need to provide policy control of individual flows, and regulate their ability to reserve network resources. (See [8] for a discussion of policy based admission control framework and sample policies). Differentiated services[6], on the other hand, are aimed at traffic aggregates that may not correspond to fine grained flows. This approach may rely more on administrative control of bandwidth, delay or dropping preferences, rather than per-flow signaling protocols to communicate the service level information to network elements. For such services we wish to enable flexible definition of class-based packet handling behaviors and class-based policy control. (See [6] for a discussion of DiffServ framework and sample behavior/service descriptions). In either of these environments, network administrators need the ability to define and administer different types of services for customers. Administrative policies tend to change infrequently, and can be conveniently stored in a directory based repository which may be distributed across multiple physical servers, but is administered as a single entity by the network administrator. Furthermore, this information must be propagated to network elements such as hosts, proxies and routers, that actually implement the policies and preferences by classifying traffic to identify its level of service, and apportioning resources according to defined resource regulation policies. This document describes a common language for describing administrative policies for integrated services and differentiated services in terms of an LDAP schema. Currently, LDAP [4] is a widely deployed industry standard for accessing directory information, and hence LDAP based administration of these customer service level preferences and the associated resource regulation policies seems a natural approach. We envision that policies embodied as LDAP schema will be stored on directories and downloaded to devices such as hosts, routers, policy servers, proxies, etc., that implement the policies. The use of LDAP assures a standard, widely deployed and simple protocol for directory access. The details of the architecture within which this schema will be deployed, is presented in a seperate draft (citation TBDs). This architecture for network resource control involves a management tool, a policy repository, a policy decision point and a policy enforcement entity. The network administrator uses the management tool to rajan, martin, kamat, see Expires 23/ April/ 1999 [Page ii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 populate the policy repository with a number of policy rules that regulate access/use of network resources. These rules could specify for instance, the service category to be employed for a particular application, how much bandwidth is allocated to a particular flow or TOS category, the maximum number of flows to be supported between two subnets, etc. In any case, the administrator-specified rules are stored in the policy repository in a well understood format or schema. The decision entity downloads the policy rules. The enforcement entity is the host or router which encounters (data or signaling) packet flowing across the network. It queries the decision entity for specific actions that are to be applied in conditioning the packet stream. The next section describes the scope of the schema, following which we discuss policy rule matching and present the detailed schema. The draft concludes with a section on examples. For an explanation of terminology employed to describe network policy and services in this document, please refer to [13]. 1.1. Objectives and Scope This document aims to support QoS policies for differentiated and integrated services networks that fall within the following three scenarios: - Integrated services secured through the use of RSVP signaling, within or across domains. The use of policy in such an environment allows enterprises to be able to police QoS requests on a per-flow, per-user or per-application basis. Directory schema are meant to be used in conjunction with the use of the policy elements in RSVP signaling messages, to enable routers to identify users and applications to which policy must be applied. - Differentiated services secured through provisioning within a domain, and, in an inter-domain scenario, bilateral agreements across peer network boundaries. In such cases, policies are used to map across the two domain specific semantics, and enforce access control restrictions, such as ensuring that the amount of in-profile traffic is within the specified contractual limits. - Integrated services secured within a domain, being mapped onto differentiated services across domains. In such cases, policies are needed at the domain boundary to translate between Integrated and Differentiated service semantics, to enforce traffic monitoring and to provide access control to network resources. Two important scenarios, not explicitly supported by the schema in this draft, but which may be covered by extensions to it are: rajan, martin, kamat, see Expires 23/ April/ 1999 [Page iii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 - RSVP aggregation, i.e., the mapping of several RSVP flows into pre-configured RSVP tunnels, - Support of differentiated services using RSVP tunnels. We have the following objectives in defining this schema. 1. The directory provides a convenient repository of the resource regulation policies, which may be used by a wide variety of clients that actually enforce the resource regulation rules. As illustrated before, there are at least three such potential clients for the near term: 1) an edge device that marks/drops/buffers/schedules certain packets to enforce a service differentiation policy, 2) an RSVP capable router that accepts/denies resource reservation requests based on allowed policies, and 3) hosts capable of packet marking and traffic conditioning. We would like the schema definition to be generic enough to support a wide range of resource control environments including the clients mentioned above. 2. When viewed in the context of resource control policies, the associated schema can be considered to provide a ``language'' for defining these policies. From this perspective, we desire that the schema should facilitate definition of a wide range of policies varying in their complexity. Simple policies (the common case) should be easy to specify, and there should be sufficient hooks to define sophisticated policies within the schema. Using the language analogy, an administrator's ability to define sophisticated resource regulation policies should not be limited by the structure of the schema, although it may be limited by the available implementation of the policy enforcement environment. 3. The schema should facilitate simple addition and deletion of new rules, automated checks for rule ambiguities, and allow for diverse methods (varying in efficiency and ease of implementation) to be employed in the policy decision entity to search through rules. 2. Class Hierarchy In this section, we describe the inheritance hierarchy and the relationship between various classes. We define a structural LDAP object class called Policy as the container for policy rules. An object of this class will ``piece together'' several policy components relating to differentiated services, RSVP and IPSec based VPNs [10]. In this section we largely focus on the rajan, martin, kamat, see Expires 23/ April/ 1999 [Page iv] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 PolicyRules object class itself and not on where it is placed in the organization's existing directory tree. However, the Policy class described here is best understaod within the Common Information Model [11] of the Directory Management Task Force or the directory structure proposed by the Directory Enabled Networks specification [9]. The class hierarchy in the schema is given below. Top |----Policy | |----PolicyCondition | | | |--IPPolicyCondition | |-----UserIDCondition | |----PolicyValidityPeriod | |----PolicyAction | |----RSVPAction | |----DiffServAction | |----TCPAction | |----ISAKMPAction | |----IPSecSecurityAction | |----DiffServResourceGroup |----RSVPResourceGroup |----IPSecProposal |----ISAKMPProposal |----IPSecTransform |----IPSecPrivateDiffieHellmanGroup | |----PolicyContainmentAuxClass The schema described above closely follows the policy class hierarchy described in the document ``Information Model and Base Schema'' version 3.0r5 released by the Directory Enabled Network AdHoc Group. The schema described in this document expands on the DEN specification but differs in a few significant details. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page v] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 3. Policy Rules The Policy object class is instantiated by LDAP entries, where each entry encodes a policy rule that specifies the resources and services that are allowed (or denied) to a stream of packets. An entry is composed of several attributes. Each attribute is of a certain type, and has one or more values. The two principal components of a policy rule are objects of the type PolicyCondition and and PolicyAction. These two objects describe a rule through the relation if then . A PolicyCondition object is defined by the values of a collection of certain attributes that are typically used to determine when a policy rule applies. A typical condition is, for instance, a range of source addresses (or a source address and mask) to which the policy applies. An action is defined by a collection of attributes that detail permissions or additional behaviours that the policy enforcement entity should perform for the given condition. For instance, the value of attribute PolicyConditionRef could be the distinguished name of an object that places restrictions on the source address range of IP packets, while PolicyActionRef could be the distinguished name of a DiffServAction object that fully describes the treatment of a flow with respect to TOS marking and QoS requirements. Conditions and actions may each be of different types. For instance, a PolicyCondition object may place restrictions on, or otherwise refer to information contained in IP header fields such as source addresses, or to information contained inside signalling packets as with RSVP PATH or RESV messages, or may refer to information regarding the layer 2 protocol such as restrictions on MAC addresses. In this draft we take a simple, first cut approach to such issues, covering the most common policy cases, but allowing for future extensions to this draft or to policy standards. We allow the class PolicyCondition to be expanded through an auxillary class IPPolicyAuxCondition which allows for conditions based on IP header fields, or through the class UserIDPolicyAuxCondition which allows for conditions based on user IDs. Similarly, the class PolicyAction is subclassed into a number of protocol or service specific actions -- DiffServAction, RSVPAction, IPSecSecurityAction and IPSecISAKMPAction. Both the PolicyCondition class and the PolicyAction class may be easily extended in future. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page vi] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 4. Ascertaining Applicability of Policy Rules Typically, the policy decision entity needs to ascertain which actions to apply to a particular (data or signalling) packet based on the rules that it has downloaded from the repository. In doing so, it must combine logical information that has been organized through the schema structure where policy rules are made up of condition and action attributes, and these attributes may assume one or more values. We now explain the process of ascertaining whether a packet meets a condition. Consider a PolicyCondition object composed of several attributes attribute1, attribute2, ..., each potentially assuming one or more values (value1-1, value1-2,...), (value2-1,value2-2,...),..., respectively. The packet header has several fields (field1, field2,...). We say that the packet meets the condition if field1 belongs to any of the sets value1-1, value1-2 AND if field2 belongs to any of the sets value 2-1, value2-2, AND so on. Thus, the check of if packet matches condition can be written as if (((field1 belongs to value1-1) OR (field1 belongs to value1-2) OR ...) AND ((field2 belongs to value2-1) OR (field2 belongs to value2-2) OR ...) AND ... ) Most attributes are NOT multi-valued, and exceptions such as Interface (denoting the incoming and outgoing interfaces on which the rule is applicable) or TimeOfDay (denoting the time of day when the rule is applicable) have been introduced only where unavoidable. As an example, consider a packet with source address 8.2.3.1, source port 50, destination address 7.2.3.1, destination port 51, protocol 22 arriving at a router on the interface 3, departing on interface 5 being matched against the following condition. Attribute Values SourceAddressRange 8.0.0.0 : 8.255.255.255 SourcePortRange 50 : 51 DestinationAddressRange 7.2.0.0 : 7.2.255.255 DestinationPortRange 50 : 51 Protocol 0 : 100000 (May be omitted) Interface 1 : 5 (format - incoming:outgoing) 2 : 5 3 : 5 rajan, martin, kamat, see Expires 23/ April/ 1999 [Page vii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 It is easy to check that the packet meets the condition, but another packet destined to the address 9.2.19.250 would not. Now, the policy decision point successively evaluates multiple rules and in order to choose the one that matches. Thus, it checks RULE 1: if (packet meets condition1) then perform (action1-1, action1-2, ...) RULE 2: if (packet meets condition2) then perform (action2-1, action2-1, ...) etc. Here the logical operator that is used to combine the rules is an AND, i.e., RULE 1 AND RULE 2 If the rules are mutually exclusive, i.e., no packet can ever meet both conditions, then the actions corresponding to the one that applies are performed. What does the decision entity do if both conditions are applicable? In some cases, action 1 could be compatible with action 2, i.e., it may be possible to perform both actions. As an example, if action1 is a directive to encapsulate the packet, and action2 indicates the QoS stream the packet belongs to, then the packet is encapsulated and then given the right QoS. On the other hand, if the actions are incompatible, then the operation of the decision entity could be undefined. Rule consistency is desirable whenever possible. However, for purposes of administrative convenience, it is often useful to introduce temporary rules that override others, without having to remove the overriden rule -- for example, special rules for New Year's day. We allow for this by optionally attaching priorities to rules. Potential ambiguities are thus resolved by assigning a higher priority to the overriding rule. In the earlier example, for instance, if rule 2 has higher priority, then the decision point performs all the actions specified in rule 2, and all the compatible actions specified in rule 1. Hence, the right interpretation of the rule set is: if (packet meets condition2) then perform (action2-1, ...) AND if (packet meets condition1) then if (action1-1) is compatible then perform it if (action1-2) is compatible then perform it ... It is very simple to check for compatibility. Actions correspond a few basic scopes -- RSVP, DiffServ, IPSec, and so on. We need to collect no more than one action of a particular scope. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page viii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 5. The class Policy The Policy object class is the container class for the policy rules. It contains a number of entries, each entry encodes a policy rule that specifies the resources and services that are allowed (or denied) to a stream of packets. An overview of the class Policy is presented below, followed by the detailed sytax and semantics of various attributes. NAME Policy TYPE Structural DERIVED FROM Top MUST CommonName, PolicyScope, PolicyConditionRef, PolicyActionRef, PolicyVersion MAY PolicyRulePriority, PolicyKeyword, PolicyType, PolicyName, PolicyEnabled The syntax and semantics of the attributes of the class Policy are as follows: NAME CommonName DESC The common name for objects of this class. Used as relative distinguished name to identify object within a branch of directory tree. SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED NAME PolicyScope DESC Lists the services that are controlled through this policy SYNTAX IA5String EQUALITY caseExactIA5Match MULTI-VALUED FORMAT The currently defined values for this attribute are: DiffServ RSVP IPSec ISAKMP SEMANTICS This attribute is used by the appropriate directory clients to fetch only those policy rules that are relevant for their rajan, martin, kamat, see Expires 23/ April/ 1999 [Page ix] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 functionality. The value DiffServ' means the policy rule specifies DiffServ packet classification and traffic treatment. The value `RSVP' means specifes an RSVP policy decision point. The value `IPSec' means the policy refers to an IPSec action rule. The value `ISAKMP' means the policy refers to an ISAKMP action rule. Note that this is a multi- valued attribute, and the same rule may regulate multiple services for a packet stream. NAME PolicyConditionRef DESC Absolute Distinguished name of LDAP entry of the objectclass PolicyCondition, that identify the packets that the policy rule applies to. SYNTAX DN EQUALITY distinguishedNameMatch SINGLE-VALUED The following reference attributes specify the treatment of packets that match the condition specified in the policy rule. The value of a reference attribute is the distinguished name of an LDAP entry which is an object corresponding to a prespecified class. For instance, if the value of the attribute PolicyActionRef is the distinguished name of an entry in the class RSVPAction, then the policy rule specifies the policy relating to the handling of RSVP signalling messages. NAME PolicyActionRef DESC Absolute Distinguished name(s) of LDAP entry, of the objectclass PolicyAction, that specifies permissions and restrictions that apply to the packets identified by the policy condition SYNTAX DN EQUALITY distinguishedNameMatch MULTI-VALUED SEMANTICS Multiple values are understood as logical AND; that is, all the actions must be performed NAME PolicyVersion DESC The version of the policy schema embodied by this policy. SYNTAX IA5String EQUALITY caseExactIA5Match FORMAT The current draft specifies version ``1.0'' SINGLE-VALUED NAME PolicyKeyword DESC List of keywords that assist in locating this policy SYNTAX IA5String rajan, martin, kamat, see Expires 23/ April/ 1999 [Page x] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 EQUALITY caseExactIA5Match MULTI-VALUED DEFAULT No Keywords NAME PolicyType DESC Describes the types of a policy SYNTAX IA5String EQUALITY caseExactIA5Match MULTI-VALUED FORMAT The following values are allowed: ISAKMPPhase1 ISAKMPPhase2 IPSecDataLocal IPSecDataRemote RSVPSignalling RSVP-DiffServ DiffServ SEMANTICS ISAKMPPhase1 denotes an ISAKMP Phase 1 policy ISAKMPPhase2 denotes an ISAKMP Phase 2 or Quick Mode policy IPSecDataLocal denotes a policy for securing locally originating data by IPSec. Local means either originating from the same host or from an host for which this host acts as a proxy IPSecDataRemote denotes a policy for securing remotely originating data by IPSec. Remote is the opposite of Local as defined before. RSVPSignalling denotes an RSVP signalling policy RSVP-DiffServ denotes a policy for mapping an RSVP traffic into a DiffServ pipe DiffServ denotes a DiffServ policy DEFAULT Unnamed Type NAME PolicyName DESC A user friendly name of this policy class SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED DEFAULT No Name The following attribute defines relationships among multiple related rules within the policy repository. NAME PolicyRulePriority DESC Priority level for this rule. Used to resolve ambiguity in condition matching when the ranges specified in the Policy conditions overlap. Higher values of this attribute imply higher priority of the rule. SYNTAX INTEGER rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xi] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 EQUALITY integerMatch SINGLE-VALUED DEFAULT The default value is 0 (lowest priority) SEMANTICS Whenever a packet matches two rules of different priority, the rule with the higher value of PolicyRulePriority is applied. NAME PolicyEnabled DESC A flag describing whether the policy is currently enabled or disabled SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED FORMAT The currently defined values for this attribute are: Enabled Disabled DEFAULT Enabled 5.1. PolicyContainmentAuxClass Policy rules may need to be grouped together for a number of different purposes -- organizational, security, ease of administration, or ease of retrieval by a policy decision point. We reproduce the PolicyContainmentAuxClass from the DEN specification [9] that serves the useful purpose of grouping policies together. This auxillary class definition is as follows: NAME PolicyContainmentAuxClass TYPE Auxillary DERIVED FROM Top AUXILIARY CLASS None POSSIBLE SUPERIORS Organization, OrganizationalUnit, Group, GroupOfDevices MUST PoliciesContainedRef MAY The syntax and semantics of its sole attribute are as follows: NAME PoliciesContainedRef DESC Absolute distinguished names of policies grouped together for some (context-dependent) purpose. SYNTAX DN EQUALITY distinguishedNameMatch MULTI-VALUED rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 6. Policy Conditions In this section we define the abstract class PolicyCondition, its subclass IPPolicyCondition, and the class UserIDCondition. These classes list the conditions that must be statisfied by a stream of packets in order for the referring rule to apply to that packet stream. The reason for subclassing PolicyCondition is to allow extensibility to other networking protocols through sub-classes such as ATMPolicyCondition (for instance). NAME PolicyCondition TYPE Abstract DERIVED FROM Top AUXILIARY CLASS None MUST CommonName MAY PolicyConditionName PolicyValidityPeriodRef The detailed syntax and semantics of the attributes is as below: NAME CommonName DESC The common name of the policy condition object. Unique within a limited scope and used to identify the object within the directory tree. SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED NAME PolicyConditionName DESC The user friendly name of this entry.The Name related attributes are only for ease of user administration. EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE-VALUED The next attribute is a reference to PolicyValdityPeriod object that identifies the entry that limits the temporal scope of the policy to specified periods of time. NAME PolicyValidityPeriodRef DESC Absolute distinguished name(s) of an PolicyValidityPeriod object that specifies the times that the policy is active. SYNTAX DN EQUALITY distinguishedNameMatch MULTI-VALUED DEFAULT Policy applies at all times rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xiii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 6.1. The class IPPolicyCondition The class PolicyCondition is now specialized to deal with IPv4 packet headers in the class IPPolicyCondition. NAME IPPolicyCondition TYPE Structural DERIVED FROM PolicyCondition AUXILIARY CLASSES none MAY Interface, SourceIPAddressRange, DestinationIPAddressRange, SourcePortRange, DestinationPortRange, IPProtocolNumberRange, ReceivedTOSByteCheck HostUserIDRef The first attribute limits the spatial scope of the policy rule by identifying specific router interfaces where the policy is to be applied. NAME Interface DESC An attribute that limits the scope of the policy to packets on specified interface(s) and the direction(s) of traffic on these. SYNTAX IA5String EQUALITY caseExactIA5Match MULTI-VALUED FORMAT Three colon seperated strings. The left-most string is a numeral denoting the type of the specification, followed by the incoming and outgoing interface identifiers. Currently defined type/value formats are 1:: 2:: The IP addresses are in dotted decimal notation. The interface IDs are integers unique to the host device. The first address string specifies a restriction of the rule to traffic inbound on the interface, and the rightmost string specifies a corresponding restriction of the rule to traffic outbound from that interface. An unspecified interface(s) defaults to all interfaces on the device that this rule applies to. DEFAULTS Defaults to traffic inbound on all interfaces, outbound on all interfaces. EXAMPLE 1:9.3.1.52:9.2.1.54 (Applies to traffic inbound on 9.3.1.52 and outbound on 9.3.1.54) rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xiv] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 1:9.3.1.32: (Applies to traffic inbound on 9.3.1.52 outgoing from any interface) 2::3 (Applies to traffic outbound on interface 3 arriving on any interface) NAME SourceIPAddressRange DESC Source IP addresses to which the policy applies SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED FORMAT SourceIPAddressRange is of the following form: three colon (':') separated strings denoting a range of IP addresses. The formats currently defined are: 1:: The IP v4 address is in dotted decimal format. The CIDRPrefixLength is the number of unmasked leading bits. A packet matches the condition if the unmasked bits on the packet are identical to the unmasked bits on the condition. 2:: IP addresses in dotted decimal format. The second address must be no smaller than the first. The first denotes the start of the range, and the second denotes the end of the range. A packet matches the condition if its source address is no smaller than the first IP address in the condition, and no larger than the second. 3 Indicates policy applies to locally generated packets. DEFAULT Defaults to the entire address range, i.e., every packet matches the source address range condition. EXAMPLE 1:83.23.23.1:24 A packet with source address 83.23.23.5 matches. A packet with source address 83.23.24.1 does not. 2:83.23.23.0:83.28.28.0 A packet with source address 83.23.23.5 matches. A packet with source address 83.29.24.1 does not. NAME DestinationIPAddressRange DESC Destination IP addresses to which policy applies SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED FORMAT Identical to that of SourceIPAddressRange above. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xv] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 The value of ``3''indicates a locally destined packet. DEFAULT Defaults to the entire address range, i.e., every packet matches the destination address range condition. NAME SourcePortRange DESC Source Ports to which policy applies SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED FORMAT String consisting of two colon separated positive integers, the second no smaller than the first, or one positive integer. DEFAULT Defaults to the entire port range 0 to 65535, i.e., every packet matches the destination address range condition. EXAMPLE 8000:8080 (ports 8000 to 8080), 8000 (only port 8000) NAME DestinationPortRange DESC Destination Ports to which policy applies SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED FORMAT String consisting of two colon separated positive integers, the second no smaller than the first, or one positive integer. DEFAULT Defaults to the entire port range 0 to 65535, i.e., every packet matches the source address range condition. NAME IPProtocolNumberRange DESC Protocol numbers to which policy applies SYNTAX INTEGER EQUALITY integerMatch SINGLE-VALUED FORMAT String consisting of two colon separated positive integers, the second no smaller than the first, or one positive integer. DEFAULT Defaults to the entire protocol range 0 to 255, i.e., every packet matches the ip protocol range condition. EXAMPLE 50:51 (protocol 50 to 51), 50 (only protocol 50) NAME ReceivedTOSByteCheck DESC A condition attribute used to select traffic based on the contents of the TOS byte of the received packet's IP header SYNTAX IA5String EQUALITY caseExactIA5Match rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xvi] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 SINGLE-VALUED FORMAT String of the form xxxxxxxx:xxxxxxxx, where each of the x's is either 0 or 1. SEMANTICS Each of the substrings is treated as specifying an 8-bit field. The left substring is termed Mask and the right substring Match. The TOS byte of the received packet's IP header is ANDed with Mask and the result is compared against Match. The combination of Mask and Match allows definition of TOS byte based conditions where certain bits in the TOS byte may be ignored for the purpose of comparison. EXAMPLE An incoming packet with TOS byte 11001010 matches the condition specified by a value of 00111100:00001000 for ReceivedTOSByte. NAME UserIDConditionRef DESC Absolute Distinguished name(s) of LDAP entry or entries, of an UserIDCondition object that identify the user or host whose packets that the policy rule applies to. SYNTAX DN EQUALITY distinguishedNameMatch MULTI-VALUED 6.2. The Class UserIDCondition In many scenarios, for instance an end host IPSec, policy needs to be specified for a user or a host ID instead of an IP address. A standard example is a corporate worker connecting from home via an ISP. The policy would be specified by Host FQDN, UserFQDN, X500 DN etc. To accomodate this source and destination ids are required. NAME HostUserID TYPE Structural DERIVED FROM Top AUXILIARY CLASS None MUST CommonName MAY SourceID, DestinationID, NAME SourceID DESC Source Host Identifier SYNTAX IA5String EQUALITY caseExact1A5Match MULTI-VALUED FORMAT Two strings , colon (`:') seperated, the first describing the rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xvii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 ID type and the second the ID value. The valid IdTypes and their corresponding values are defined in [Piper98]. These include: Host-FQDN: User-FQDN: X500-DN: X500-GN: Key-Id: DEFAULT Any ID is considered valid. NAME DestinationID DESC Destination Host Identifier SYNTAX IA5String EQUALITY caseExact1A5Match MULTI-VALUED DEFAULT Any ID is considered valid. FORMAT Same as Source ID. 7. The class PolicyValidityPeriod Objects of this class describe conditions that restrict the validity period of the policy rule. The class definition is as follows: NAME PolicyValidityPeriod TYPE Structural DERIVED FROM Top AUXILIARY CLASSES NONE MUST CommonName MAY PolicyValidityPeriodName, PolicyValidityTime, PolicyValidityMonthMask, PolicyValidityDayOfWeekMask, PolicyValidityTimeOfDayRange The syntax and semantics of various attributes are as given below NAME PolicyValidityPeriodName DESC The user friendly name of this entry. SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED NAME PolicyValidityTime DESC When this policy is valid SYNTAX IA5String EQUALITY caseExactIA5Match MULTI-VALUED rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xviii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 FORMAT String(s) of the form yyyymmddhhmmss:yyyymmddhhmmss: SEMANTICS The first two substrings must be valid times, (year-month-date-hour-minute- second) the second larger than the first. The last substring is optional and describes the time zone. DEFAULT If the time zone is omitted then the time is local time at the policy decision point. If the attribute itself is absent then the policy is always valid. EXAMPLE 19980121060000:19991231133000:GMT (meaning Policy in effect from 6:00 AM on January 21, 1998 to 1:30 PM on December 31, 1999, Greenwich Mean Time). NAME PolicyValidityMonthMask DESC Months during which policy is valid SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED FORMAT String denoting a mask of 12 0s and 1s. SEMANTICS 1's corresponding to months in the January to December range when the policy is valid. EXAMPLE 000111111100 (Valid from April until October) DEFAULT 111111111111, i.e., valid always NAME PolicyValidityDayOfWeekMask DESC days during which policy is valid SYNTAX IA5String EQUALITY caseExactIA5Match SINGLE-VALUED FORMAT String representing a mask of 7 0s and 1s. SEMANTICS 1's correspond to days in the Monday to Sunday range when the policy is valid. EXAMPLE 1111100 (Valid weekdays) DEFAULT 1111111, i.e., valid always NAME PolicyValidityTimeOfDayRange DESC Time(s) of day during which policy is valid SYNTAX IA5String EQUALITY caseExactIA5Match MULTI-VALUED FORMAT String(s) of the form hhmmss:hhmmss SEMANTICS Substrings on either side of the colon must be be valid time of day values. If the second string is not larger than the first, then a wrap around midnight is assumed. DEFAULT 000000:235959 EXAMPLE 090000:170000 (Policy valid from 9 AM to 5 PM) rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xix] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 7.1. The class DiffServAction Each object of type DiffServAction describes a component per-hop behaviour (PHB) in force at a network device. The DiffServAction class does not seek to describe in detail resource reservations, packet treatment and configuration of every possible network device. Instead, it provides a high-level description of QoS services through a simple model that uses the following three descriptors -- traffic descriptors, packet marking descriptors and resource group descriptors. The traffic descriptor assumes a leaky bucket model with three attributes -- a mean rate, a peak rate and a bucket size -- to specify the characteristics of what is to be considered in-profile traffic, with the understanding that the rest is out-of-profile or excess traffic. The traffic descriptor makes sense only with the assumption that a policing device is present at the policy enforcement point; if not the attributes may be omitted or will be ignored. The packet marking descriptor provides an edge device with the ability to mark the DS byte for simple QoS classification at downstream network devices. We allow for differential marking of in and out of profile traffic (which makes sense if policing is present); as well as for the enforcement point to mask certain bits while modifying others. The resource group descriptor describes the treatment expected by packets within a common service group. It is not a description of how the service is to be provided, but simply a high-level view of the service to be accorded to the in-profile traffic, its delay and loss requirements, for instance, as well as the treatment of excess traffic, whether this is to be tolerated, reshaped or dropped. It is important to note that TrafficDescriptor and ResourceGroupDescriptor objects refer to states created in the network device. To understand this better, consider two policy rules, as follows. Rule1: If PolicyCondition1 then PolicyDSAction1 Rule2: If PolicyCondition2 then PolicyDSAction1 PolicyDSAction1: TrafficDescriptor1 PacketMarkingDescriptor1 ResourceGroupDescriptor1 rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xx] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 Now, all packets described either by PolicyCondition1 or by PolicyCondition2 will be policed together, and share the same rate resource reservations. This is different from the case where we have Rule1: If PolicyCondition1 then PolicyDSAction1 Rule2: If PolicyCondition2 then PolicyDSAction2 PolicyDSAction1: TrafficDescriptor1 PacketMarkingDescriptor1 ResourceGroupDescriptor1 PolicyDSAction2: TrafficDescriptor2 PacketMarkingDescriptor2 ResourceGroupDescriptor2 Even if the two traffic descriptors are identical, the two streams will not be policed together by the same policer -- they will be policed by identical policers. Similarly, they will not share the same buffer or bandwidth resources. In fact, the resource requirements for the second example will be twice those of the first (ignoring multiplexing gains). The class description of DiffServAction is as follows: NAME DiffServAction TYPE Structural DERIVED FROM PolicyAction AUXILIARY CLASSES NONE MUST CommonName DiffServPermission MAY DiffServInProfileRate, DiffServInProfilePeakRate, DiffServInProfileTokenBucket, DiffServInProfileTransmittedTOSByte DiffServOutProfileTransmittedTOSByte DiffServResourceGroupRef DiffServActionName The first three MAY attributes describe the traffic, the next two specify the marking, and next is a reference to the resource group. The following set of attributes are currently defined for the DiffServ Policy Directory Clients, namely hosts, edge devices, and routers that do traffic conditioning (packet marking, dropping, shaping, etc). rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxi] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 NAME DiffServPermission DESC Allow/drop data packets matching the profile EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE-VALUED FORMAT The currently defined values for this attribute are: Accept Deny With the permission attribute set to ``Accept'', and no other attribute present, the packets matching the PolicyCondition are given the ``Best Effort'' service. NAME DiffServActionName DESC The user friendly name of this entry. EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE-VALUED DEFAULT No name NAME DiffServInProfileRate DESC Specifies the token rate for the in-profile traffic descriptor in kbps EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUED SEMANTICS All packets in the behavior aggregate are measured against a leaky bucket with this token rate. Traffic that passes the leaky bucket check is considered in-profile. DEFAULT All packets considered in-profile, i.e., infinity NAME DiffServInProfilePeakRate DESC Specifies the peak rate for the in-profile traffic descriptor in kbps EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUED SEMANTICS All packets in the behaviour aggregate are measured against a leaky bucket with this peak rate. DEFAULT Same value as DiffServInProfileRate NAME DiffServInProfileTokenBucket DESC Specifies the token bucket size for in-profile traffic descriptor kilobits EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUED rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 SEMANTICS All packets in the behaviour aggregate are measured against a leaky bucket with this token bucket size. DEFAULT Defaults to the maximum IP packet size. NAME DiffServInProfileTransmittedTOSByte DESC Specifies the outgoing TOS byte for in profile packet marking descriptor EQUALITY caseExactIA5Match SYNTAX IA5String FORMAT String(s) of the form xxxxxxxx:xxxxxxxx, where each of the `x's is either 0 or 1. SINGLE-VALUED SEMANTICS Each of the two substrings is treated as specifying an 8-bit field. The left substring is termed Mask and the right substring Modify. 0's in the Mask specify the bit locations in the TOS byte that must not be changed and 1's specify those that must be changed to match the corresponding ones in the Modify field. The operation involved is: newTOSByte = (Mask' & oldTOSbyte) | (Mask & Modify), where Mask' is the bitwise complement of Mask and '&' and '|' denote the bit-wise AND and OR operations respectively. EXAMPLE Consider a policy rule that specifies 11100000:11001010 as the value for this attribute. The Mask of 11100000 means that when this rule is applied, the 5 least significant bits in the TOS byte must be left unchanged but the 3 most significant bits must be changed to make them identical to the corresponding ones in the Modify field. Thus, if this rule were to be applicable to a packet whose TOS byte is 10101010, then the TOS byte will be changed to 11001010 before transmission. DEFAULT Dont modify any bit, i.e., Mask 00000000 Modify 00000000 NAME DiffServOutProfileTransmittedTOSByte DESC Specifies the outgoing TOS byte for out-of-profile packet marking descriptor EQUALITY caseExactIA5Match SYNTAX IA5String FORMAT same as `DiffServInProfileTransmittedTOSByte' attribute SINGLE-VALUED SEMANTICS same as `DiffServInProfileTransmittedTOSByte' attribute DEFAULT same as `DiffServInProfileTransmittedTOSByte' attribute NAME DiffServResourceGroupRef DESC Absolute distinguished name of LDAP entry, from the objectclass DiffServResourceGroup, that identifies the service category and rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxiii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 resource group descriptors that apply to the traffic. EQUALITY distinguishedNameMatch SINGLE-VALUED SYNTAX DN DEFAULT Best Effort Service 7.1.1. The class DiffServResourceGroup Objects of this class fully specify the treatment accorded to in-profile and out-of-profile traffic, in terms of their access to QoS resources. NAME DiffServResourceGroup TYPE Structural DERIVED FROM Top AUXILIARY CLASSES NONE MUST CommonName MAY DiffServLossParameter, DiffServDelayParameter, DiffServBandwidthShare, DiffServExcessTrafficTreatment DiffServAutoStart DiffServResourceGroupName NAME DiffServResourceGroupName DESC The user friendly name of this entry. EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE-VALUED DEFAULT No name NAME DiffServLossParameter DESC Packet loss paremeters for in-profile traffic for this class of service EQUALITY caseExactIA5Match SYNTAX IA5String FORMAT Colon seperate numeric strings, A:B, where at most A packets may be dropped for every B packets received. SINGLE-VALUED EXAMPLE 2:1000 implies a maximum loss rate of .002. DEFAULT Best Effort NAME DiffServDelayParameters DESC Packet delay paremeters for out-of-profile traffic for this class of service rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxiv] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 EQUALITY caseExactIA5Match SYNTAX IA5String FORMAT Colon seperated integer:string pair. Currently defined 1: where the absolute delay is expressed in msec 2: where the relative delay is expressed as a priority (1 means best effort) SINGLE-VALUED DEFAULT Best Effort NAME DiffServBandwidthShare DESC Bandwidth share for this class of service EQUALITY caseExactIA5Match SYNTAX IA5String FORMAT Colon seperated integer:string pair. Currently defined 1: where the absolute bw is expressed in kilobits/sec 2: where the bandwidth percent is a number between 0 and 100 expressing the share of the bandwidth allowed to this class SINGLE-VALUED SEMANTICS The bandwidth weight is converted into a bandwidth share at the enforcement entity by adding the weights of all DiffServ classes and then taking the appropriate ratios. The second case is provided for instances where the policy rule is unaware of the link capacity at the enforcement entity. EXAMPLES 1:200 -- This class is allocated a 200kbps 2:40 -- This class is allocated 40% of the link bandwidth DEFAULT 0, i.e., No reserved share NAME DiffServExcessTrafficTreatment DESC Describes how excess traffic is to be treated. EQUALITY caseExactIA5Match SYNTAX IA5String FORMAT The following values are defined `Drop' -- Allow no excess traffic `Best Effort' -- Treat excess traffic as best effort `Reshape'--Reshape excess traffic SINGLE-VALUED SEMANTICS: This field specifes the actions that must be taken if an incoming packet cannot be placed within the reserved buffer allocation of the stream. DEFAULT Best Effort NAME DiffServAutoStart DESC Indicates if the resource allocation for this service should be done at time of enforcement entity startup, or should be packet driven. This attribute is for guidance only, and its rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxv] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 interpretation is implementation specific. EQUALITY caseExactIA5Match SYNTAX IA5String FORMAT The following strings are defined `AutoStart' --- Allocate resources at device startup `NoAutoStart' --- Allocate resources when packets for flow are seen. SINGLE-VALUED DEFAULT Autostart 7.2. The Class RSVPAction The class RSVPAction contains policies to be applied to RSVP signalling packets, i.e., PATH messages and RESV messages, satisfying the conditions specified in the policy conditions. In this draft of the schema we allow for simple forms of policy based control, where administrative restrictions may be placed on the amount of resources that a single RSVP flow, or group of flows, may consume. We also allow for an RSVP reservation to be supported through a mapping into a DiffServ service category. As RSVP policy evolves to support the signalling of richer classes of policy information such as user ids, we may extend schema to provide for restrictions based on this information as well. Currently, there are two kinds of restrictions that we may place on resource usage by RSVP flows -- individual restrictions and group restrictions. NAME RSVPAction TYPE Structural DERIVED FROM PolicyAction AUXILIARY CLASSES NONE MUST CommonName RSVPFlowServiceType, RSVPPermission MAY RSVPActionName RSVPMaxRatePerFlow, RSVPMaxTokenBucketPerFlow, RSVPMinDelay, RSVPMaxFlowDuration, RSVPResourceGroupRef, DiffServActionRef The syntax and semantics of the attributes of an `RSVPAction' entry are described below. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxvi] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 NAME RSVPFlowServiceType DESC IntServ service type that a flow can request EQUALITY caseExactIA5Match SYNTAX IA5String FORMAT: String with allowed values ControlledLoad GuaranteedService MULTI-VALUED Name RSVPPermission DESC Allow/Dissallow RSVP flows EQUALITY caseExactIA5Match SYNTAX IA5String FORMAT: String with allowed values Accept Deny SEMANTICS Accept or deny RSVP sessions of the specified Service Type(s). The remaining attributes make sense only in the case of `Accept' SINGLE-VALUED NAME RSVPActionName DESC The user friendly name of this entry. EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE-VALUED DEFAULT No Name NAME RSVPMaxRatePerFlow DESC The maximum token rate for any individual flow in kilobits per second EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUED SEMANTICS Reservation requests for higher per-flow bandwidth are denied. DEFAULT No limit NAME RSVPMaxPeakRatePerFlow DESC The maximum peak rate for any individual flow in kilobits per second EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUED SEMANTICS Reservation requests for higher per-flow peak rate are denied. DEFAULT Assigned the same value as RSVPMaxRatePerFlow. NAME RSVPMaxTokenBucketPerFlow DESC The maximum token bucket size for any individual flow in kilobits EQUALITY integerMatch rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxvii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 SYNTAX INTEGER SINGLE-VALUED SEMANTICS: Reservation requests for higher per-flow token bucket size are denied. DEFAULT Implementation Specific. NAME RSVPMinDelay DESC The minimum delay value an individual flow may request in millisec EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUED DEFAULT No limit NAME RSVPMaxFlowDuration DESC Maximum time (in seconds) an RSVP flow matching the profile may last SYNTAX INTEGER EQUALITY integerMatch SINGLE-VALUED DEFAULT No limit NAME RSVPUserAuthPolicy DESC Manner of authentication to be performed to authenticate user EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE-VALUED FORMAT: String, currently defined values are Plain (Plain text password) Kerberos (Kerberos ticket authentication) Public-Key (Public Key authentication) None (for no authentication) Default None All the policy attributes hitherto described for RSVPAction refer to an individual flow for which a reservation is sought to be made. Often an adminstrator might wish to place group restrictions on flows described as an aggregation of multiple policy condition objects. For instance, the administrator might wish to restrict the total number of active RSVP reservations. To facilitate such group restrictions, we allow the reference attribute RSVPResourceGroupRef. The reason for making this a reference is not difficult to see. The group that the adminstrator wishes to control may not be describable through a single profile, or a single profile might belong to different groups in terms of resource control. In such cases, multiple policy rules ``point'' to the same group. Note that policies described through group rules require that the enforcement rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxviii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 entity maintain some state; in the example suggested above, the enforcement entity would have to track the number of active flows in order to enforce the policy. NAME RSVPResourceGroupRef DESC Absolute distinguished name(s) of LDAP entry, from the objectclass RSVPResourceGroup, which specifies constraints on a group of RSVP flows. EQUALITY distinguishedNameMatch MULTI-VALUED SYNTAX DN DEFAULT No Resource Group The next attribute allows the enforcement entity to map RSVP flows onto DiffServ resource groups. NAME DiffServActionRef DESC Absolute distinguished name of an LDAP entry, from the objectclass DiffServAction, which specifies the class of service that the RSVP flow must be mapped into. EQUALITY distinguishedNameMatch SINGLE-VALUED SYNTAX DN DEFAULT No RSVP to DiffServ Translation 7.2.1. The Class RSVPResourceGroup NAME RSVPResourceGroup TYPE Structural DERIVED FROM Top AUXILIARY CLASSES NONE MUST CommonName MAY RSVPMaxFlows RSVPMaxAggregateRate RSVPMaxAggregateTokenBucket RSVPResourceGroupName NAME RSVPResourceGroupName DESC The user friendly name of this entry. EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE-VALUED DEFAULT No Name NAME RSVPMaxFlows DESC The maximum allowed number of reserved flows belonging to the rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxix] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 group EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUED DEFAULT No limit NAME RSVPMaxAggregateRate DESC The aggregate maximum token rate for all flows in the group EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUED SEMANTICS: Reservation requests that result in a higher aggregate bandwidth reservation are denied. Default No limit NAME RSVPMaxAggregateTokenBucket DESC The maximum token bucket size for the aggregate traffic matching the profile in kilobits EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUED DEFAULT No limit 7.3. The class TCPAction End hosts and firewalls often control the number and nature of active TCP connections. Each object of type TCPaction describes policies used to control TCP behaviour. The class description of TCPAction is as follows: NAME TCPAction TYPE Structural DERIVED FROM PolicyAction AUXILIARY CLASSES NONE MUST CommonName, TCPPermission MAY TCPFlag, MaxTCPSessions, MaxRatePerTCPSession NAME TCPPermission DESC Allow/drop data packets matching the profile EQUALITY caseExactIA5Match SYNTAX IA5String rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxx] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 SINGLE-VALUED FORMAT The currently defined values for this attribute are: Accept Deny NAME TCPFlag DESC The types of TCP packets to which the policy action applies. EQUALITY caseExactIA5Match SYNTAX IA5String MULTI-VALUED FORMAT The following strings are recognized: ``SYN'' ``ACK'' ``FIN'' ``All'' DEFAULT ``All'' NAME TCPActionName DESC The user friendly name of this entry. EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE-VALUED DEFAULT No name NAME MaxTCPSessions DESC The maximum number of simultaneously open TCP sessions. EQUALITY integerMatch SYNTAX integer SINGLE-VALUED DEFAULT No limit NAME MaxRatePerTCPSession DESC The maximum rate in kilobits/sec that is allowed. EQUALITY integerMatch SYNTAX integer SINGLE-VALUED DEFAULT No limit 8. QoS Schema Usage Examples In this section we describe some usage scenarios for QoS using LDIF notation. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxxi] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 8.1. DiffServ PHB The requirements are: - All web traffic originating from two server clusters S1 (1.1.1.0 mask 255.255.255.0) and S2 (2.2.2.0 mask 255.255.255.0) traversing a router must be assigned a low delay, low loss service with a shared reservation of 40Mbps. - This traffic must be marked with the TOS bits set to 10100000. The following rules achieves the above objective dn: cn=S1-Web-Rule, o=XYZ, c=US Objectclass: Policy PolicyScope: DiffServ PolicyType: DiffServ PolicyConditionRef: cn=S1-Web-Condition,o=XYZ, c=US, PolicyActionRef: cn=DSGoldService, o=XYZ, c=US dn: cn=S2-Web-Rule, o=XYZ, c=US Objectclass: Policy PolicyScope: DiffServ PolicyType: DiffServ PolicyConditionRef: cn=S2-Web-Condition,o=XYZ, c=US, PolicyActionRef: cn=DSGoldService, o=XYZ, c=US The conditions and actions referred to in the above rules are: dn: cn=S1-Web-Condition, o=XYZ, c=US Objectclass: IPPolicyCondition SourceAddressRange: 1:1.1.0:24 SourcePortRange: 8000:8080 IPProtocolRange: 4 (TCP) dn: cn=S2-Web-Condition, o=XYZ, c=US Objectclass: IPPolicyCondition SourceAddressRange: 1:2.2.2.0:24 SourcePortRange: 8000:8080 IPProtocolRange: 4 (TCP) dn: cn=DSGoldService, o=XYZ, c=US Objectclass: DiffServAction DiffServPermission: Permit DiffServInProfileTransmittedTOSByte: 11111111:1010000 DiffServResourceGroupRef: cn=S1-S2-WebDSResourceGroup, o=XYZ, c=US rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxxii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 dn: cn=S1-S2-WebDSResourceGroup, o=XYZ, c=US ObjectClass: DiffServResourceGroup DiffServQueuePriority: 1 (implementation specific) DiffServLossParameter: 1:1000000 DiffServDelayParameter: 1:1 DiffServBandwidthShare: 40000 (kbps) DiffServAutoStart: AutoStart 8.2. DiffServ Policing Now, consider a policy rule that allows for no more than an aggregate of 5000 kilobits/second of best effort traffic from sources in subnet S3 (range 139.24.2.12 to 139.24.2.255.) dn: cn=S3-Policing-Rule, o=XYZ, c=US Objectclass: Policy PolicyScope: DiffServ PolicyType: DiffServ PolicyConditionRef: cn=S3-Condition,o=XYZ, c=US, PolicyActionRef: cn=S3-DS-Action, o=XYZ, c=US dn: cn=S3-Condition,o=XYZ, c=US, Objectclass: PolicyCondition SourceAddressRange: 2:139.24.2.12:139.24.2.255 dn: cn=S3-DS-Action, o=XYZ, c=US Objectclass: PolicyAction DiffServInProfileRate: 5000 DiffServInProfileTokenBucket: 1024 DiffServResourceGroupRef: cn=BestEffortPolicing, o=XYZ, c=US dn: cn=BestEffortPolicing, o=XYZ, c=US DiffServQueuePriority: 1 DiffServExcessTrafficTreatment: drop DiffServAutoStart: NoAutoStart Here, we have allocated a nominal token bucket to take care of the maximum packet size. 8.3. Forbidding RSVP Sessions Suppose that non-RSVP datatraffic from a subnet S1 is to be denied access to the network during the working day (9 am to 5 pm). We have the following entry to express this policy. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxxiii] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 dn: cn=S1-RSVP-Rule, o=XYZ, c=US Objectclass: Policy PolicyScope: RSVP PolicyType: RSVP PolicyConditionRef: cn=S1-RSVP-Condition,o=XYZ, c=US, PolicyActionRef: cn=S1-RSVP-Action, o=XYZ, c=US dn: cn=S1-RSVP-Condition,o=XYZ, c=US Objectclass: IPPolicyCondition SourceAddressRange: 1:1.1.0:4 PolicyValidityPeriodRef: cn=workinghrs, o=XYZ, c=US dn: cn=workinghrs, o=XYZ, c=US Objectclass: PolicyValidityPeriod PolicyValidityTimeOfDayRange: 090000:170000 dn: cn=S1-RSVP-Action, o=XYZ, c=US Objectclass: RSVPAction RSVPFlowServiceType: ControlledLoad RSVPFlowServiceType: GuaranteedService (multi-valued) RSVPPermission: Deny 8.4. Controlling RSVP Reservations Consider a policy that specifies that during after hours (5 pm to 9am) each RSVP controlled load reservation for outgoing traffic from subnet S1 have a token rate of no more than 1 Mbps, that there be no more than 100 such reservations active at any time, and that the aggregate reservable amount from that subnet total to no more than 10 Mbps. dn: cn=S1-CL-nw-Rule, o=XYZ, c=US Objectclass: Policy PolicyScope: RSVP PolicyType: RSVP PolicyConditionRef: cn=S1-CL-nw-Condition,o=XYZ, c=US, PolicyActionRef: cn=S1-CL-nw-Action, o=XYZ, c=US dn: cn=S1-CL-Condition,o=XYZ, c=US Objectclass: IPPolicyCondition SourceAddressRange: 1:1.1.0:4 PolicyValidityPeriodRef: cn=non-workinghrs, o=XYZ, c=US dn: cn=non-workinghrs, o=XYZ, c=US Objectclass: PolicyValidityPeriod PolicyValidityTimeOfDayRange: 170000: 090000 rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxxiv] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 dn: cn=S1-RSVP-Action, o=XYZ, c=US Objectclass: RSVPAction RSVPFlowServiceType: ControlledLoad RSVPPermission: Permit RSVPMaxRatePerFlow: 1000 RSVPResourceGroupReference: cn=S1-RSVPGroup, o=XYZ, c=US dn: cn=S1-RSVPGroup, o=XYZ, c=US RSVPMaxFlows: 100 RSVPMaxAggregateRate: 10000 9. Security Considerations There are two potential security considerations, both of which may be addressed through standards compliant mechanisms. The first is the unauthorized access to read or change policy rules and related objects in the directory repository. The schema in this document SHOULD be used in conjunction with an LDAP access control mechanisms, see for instance [12]. The second exposure for violation of security lies in the communication between policy decision point and the directory repository. Such communication SHOULD be secured, with both ends mutually authenticated using SSL/TLS or IPSec. Acknowledgments Thanks to Partha Bhattacharya, Ed Ellesson, Tim Moore, Roch Guerin, Dimitrios Pendarakis and Ellen Stokes for useful discussion and suggestions in this problem space. In addition, we also thank numerous others who have read and commented on this draft in various forms. References [1] L. Wells and R. Bartky, Data Link Switching, Switch to Switch Protocol: AIW DLSW RIG, AIW Closed Pages, DLSW Standard 1.0, RFC1795, April 1995. [2] R. Braden, L. Zhang, S. Berson, S. Herzog, and S. Jamin, Resource ReSerVation Protocol (RSVP) Version 1 Functional Specification. RFC2205, Sept. 1997. [3] S. Herzog, A. Sastry, R. Rajan, R. Cohen, J. Boyle, and D. Durham, The COPS (Common Open Policy Service) Protocol Internet-Draft, draft-ietf-rap-cops-00.txt, Jan. 1998. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxxv] Internet Draft draft-rajan-policy-qosschema-00.txt 23/ October/1998 [4] W. Yeong, T. Howes and S. Kille, Lightweight Directory Access Protocol, RFC1777, Mar. 1995. [5] R. Droms, Dynamic Host Configuration Protocol, RFC1541, Oct. 1993. [6] K. Nichols and S. Blake, Differentiated Services Operational Model and Definitions, Internet-Draft, draft-nichols-dsopdef-00.txt, Feb. 1998. [7] M. Wahl, A. Coulbeck, T. Howes and S. Kille, Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions Internet Draft draft-ietf-asid-ldapv3-attributes-07.txt, August 1997. [8] R. Yavatkar, R. Guerin and D. Pendarakis, A Framework for Policy-based Admission Control Internet Draft, draft-ietf-rap-framework-00.txt, Nov. 1997. [9] S. Judd and J. Strassner, Directory Enabled Networks - Information Model and Base Schema - Draft v3.0c5 DEN Specifications, Sep. 1998. [10] P. Bhattacharya et. al., An LDAP Schema for Configuration and Administration of IPSec-based Virtual Private Networks, Internet Draft, draft-ietf-ipsec-policy-ldapschema-00.txt, Oct. 1998. [11] Desktop Management Task Force, Common Information Model (CIM) Specification, Version 2.0, Mar. 1998. [12] E. Stokes, D. Byrne, B. Blakeley and P. Behera, Access Control Requirements for LDAP, Internet Draft, Sep. 1998. [13] J. Strassner and E. Ellesson, Terminology for describing network policy and services Internet draft, draft-strassner-policy-terms-00.txt, Aug. 1998. rajan, martin, kamat, see Expires 23/ April/ 1999 [Page xxxvi]