idnits 2.17.1

draft-ietf-snmpconf-pm-03.txt:
  ** The Abstract section seems to be numbered

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack an Authors' Addresses Section.

  ** The document seems to lack separate sections for Informative/Normative
     References. All references will be assumed normative when checking for
     downward references.

  ** There are 6 instances of too long lines in the document, the longest one
     being 3 characters in excess of 72.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 1261: '...SIZE restriction MUST be specified so
     ...'

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 824 has weird spacing: '...ions on multi...'

  == Line 2199 has weird spacing: '...imed to perta...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 11, 2000) is 8597 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: 'RFC2279' on line 1226

  -- Looks like a reference, but probably isn't: 'RFC1905' on line 1264

  == Unused Reference: '16' is defined on line 2175, but no explicit
     reference was found in the text

  == Unused Reference: '17' is defined on line 2180, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2571 (ref. '1') (Obsoleted by RFC 3411)

  ** Downref: Normative reference to an Informational RFC: RFC 1215 (ref. '4')

  ** Downref: Normative reference to an Historic RFC: RFC 1157 (ref. '8')

  ** Downref: Normative reference to an Historic RFC: RFC 1901 (ref. '9')

  ** Obsolete normative reference: RFC 1906 (ref. '10') (Obsoleted by RFC 3417)

  ** Obsolete normative reference: RFC 2572 (ref. '11') (Obsoleted by RFC 3412)

  ** Obsolete normative reference: RFC 2574 (ref. '12') (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 1905 (ref. '13') (Obsoleted by RFC 3416)

  ** Obsolete normative reference: RFC 2573 (ref. '14') (Obsoleted by RFC 3413)

  ** Obsolete normative reference: RFC 2575 (ref. '15') (Obsoleted by RFC 3415)

  ** Obsolete normative reference: RFC 2233 (ref. '17') (Obsoleted by RFC 2863)

  ** Obsolete normative reference: RFC 2570 (ref. '18') (Obsoleted by RFC 3410)

  -- Possible downref: Non-RFC (?) normative reference: ref. '19'

  ** Obsolete normative reference: RFC 2591 (ref. '20') (Obsoleted by RFC 3231)

     Summary: 20 errors (**), 0 flaws (~~), 6 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

  2  Internet Draft     Policy-Based Management MIB     October 11, 2000

  4  Policy Based Management MIB
  5  draft-ietf-snmpconf-pm-03.txt
  6  October 11, 2000

  8  Steve Waldbusser
  9  Jon Saperia
 10  Thippanna Hongal

 12  Status of this Memo

 14  This document is an Internet-Draft and is in full conformance
 15  with all provisions of Section 10 of RFC2026.

 17  Internet-Drafts are working documents of the Internet
 18  Engineering Task Force (IETF), its areas, and its working
 19  groups. Note that other groups may also distribute working
 20  documents as Internet-Drafts.

 22  Internet-Drafts are draft documents valid for a maximum of six
 23  months and may be updated, replaced, or obsoleted by other
 24  documents at any time. It is inappropriate to use Internet-
 25  Drafts as reference material or to cite them other than as
 26  "work in progress."

 28  The list of current Internet-Drafts can be accessed at
 29  http://www.ietf.org/ietf/1id-abstracts.txt

 31  The list of Internet-Draft Shadow Directories can be accessed
 32  at http://www.ietf.org/shadow.html.

 34  Copyright Notice

 36  Copyright (C) The Internet Society (2000). All Rights Reserved.

 38  1. Abstract

 40  This memo defines a portion of the Management Information Base
 41  (MIB) for use with network management protocols in TCP/IP-
 42  based internets. In particular, this MIB defines objects that
 43  enable policy-based configuration management of SNMP
 44  infrastructures.

 46  2. The SNMP Management Framework

 48  The SNMP Management Framework presently consists of five
 49  major components:

 51  o  An overall architecture, described in RFC 2571 [1].

 53  o  Mechanisms for describing and naming objects and
 54     events for the purpose of management. The first
 55     version of this Structure of Management Information
 56     (SMI) is called SMIv1 and described in STD 16, RFC
 57     1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The
 58     second version, called SMIv2, is described in STD 58,
 59     RFC 2578 [5], RFC 2579 [6] and RFC 2580 [7].

 61  o  Message protocols for transferring management
 62     information. The first version of the SNMP message
 63     protocol is called SNMPv1 and described in STD 15, RFC
 64     1157 [8]. A second version of the SNMP message
 65     protocol, which is not an Internet standards track
 66     protocol, is called SNMPv2c and described in RFC 1901
 67     [9] and RFC 1906 [10]. The third version of the
 68     message protocol is called SNMPv3 and described in RFC
 69     1906 [10], RFC 2572 [11] and RFC 2574 [12].

 71  o  Protocol operations for accessing management
 72     information. The first set of protocol operations and
 73     associated PDU formats is described in STD 15, RFC
 74     1157 [8]. A second set of protocol operations and
 75     associated PDU formats is described in RFC 1905 [13].

 77  o  A set of fundamental applications described in RFC
 78     2573 [14] and the view-based access control mechanism
 79     described in RFC 2575 [15].

 81  A more detailed introduction to the current SNMP Management
 82  Framework can be found in RFC 2570 [18].

 84  Managed objects are accessed via a virtual information
 85  store, termed the Management Information Base or MIB.
 86  Objects in the MIB are defined using the mechanisms defined
 87  in the SMI.

 89  This memo specifies a MIB module that is compliant to the
 90  SMIv2. A MIB conforming to the SMIv1 can be produced
 91  through the appropriate translations. The resulting
 92  translated MIB must be semantically equivalent, except
 93  where objects or events are omitted because no translation
 94  is possible (use of Counter64). Some machine readable
 95  information in SMIv2 will be converted into textual
 96  descriptions in SMIv1 during the translation process.
 97  However, this loss of machine readable information is not
 98  considered to change the semantics of the MIB.

100  3. Overview

102  Large IT organizations have developed management strategies to cope
103  with the extraordinarily large scale inherent in large networks. In
104  particular, they try to configure the network as a whole by describing
105  and implementing high-level business policies, rather than managing
106  device by device, where orders of magnitude more decisions (and
107  mistakes) may be made.

109  Following this management practice results in the following benefits:
110  - Reduced training needs (fewer details to learn)
111  - Reduced documentation costs (fewer details to document)
112  - Reduced impact of turnover (less ad-hoc knowledge goes out the door)
113  - Greater testability (a greater percentage of fielded
114    configurations may be tested in the lab)
115  - Higher reliability (combination of factors above)
116  - Lower cost of changes (changes can be simpler and operate over a
117    wider extent)
118  - Lower cost of corporate mergers (less knowledge to transfer; fewer
119    policies to integrate)
120  - Lower cost of ownership (combination of factors above)

122  To illustrate the concept of "business policies", some examples are:
123  - All routers will run code version 6.2
124  - On-site contractors will all have special security restrictions on
125    their ports
126  - All voice over cable ports in California must provide free local
127    calling
128  - Apply special forwarding to all ports whose customers have paid
129    for premium service.

131  Each of these policies could represent an action applied to hundreds
132  of thousands of configuration variables.

134  In order to automate this practice, customers need software tools that
135  will implement business policies across their network, as well as
136  a standard protocol that will ensure that it can be applied to all of
137  their devices, regardless of the vendor.

139  This practice is called Policy-Based Network Management. This document
140  defines standard managed objects for the Simple Network Management
141  Protocol that are used to distribute policies in a standard form
142  throughout the network.

144  4. Policy-Based Management Architecture

146  Policy-based network management is the practice of applying management
147  operations globally on all managed objects that share certain
148  attributes.

150  Policies always express a notion of:
151      if (an object has certain characteristics) then (apply operation to
152      that object)

154  Policies take the following normal form:

156      if (policyFilter) then (policyAction)

158  A policyFilter is an expression which results in a boolean
159  to determine whether or not an object is a member of a set of
160  objects upon which an action is to be performed.

162  A policyAction is an operation performed on a set of objects.

164  These policies are executed on or near managed devices, where the
165  objects live (and thus their characteristics may be easily inspected),
166  and where operations on those objects will be performed.

168  A management station is responsible for distributing an organization's
169  policies to all of the managed devices in the infrastructure. The
170  pmPolicyTable provides managed objects for sending a policy to a
171  managed device.

173  In this architecture, the objects that policies act on are called
174  elements. An element is a group of related MIB variables such as all
175  the variables for interface #7. This enables policies to be expressed
176  more efficiently and concisely. Elements can also model circuits,
177  CPUs, queues, processes, systems, etc.

179  The execution model for policies on a managed device is:

181      foreach element for which policyFilter returns true
182          execute policyAction on that element

184  For example:

186      If (interface is fast ethernet) then (apply full-duplex mode)
187      If (interface is access) then (apply security filters)
188      If (gold service paid for on circuit) then (apply special queueing)

190  PolicyFilters have the capability of performing comparison operations
191  on SNMP variables, logical expressions, and other functions. Many
192  device characteristics are already defined in MIBs and are
193  easy to include in policyFilter expressions (ifType == ethernet,
194  frCircuitCommittedBurst < 128K, etc). However, there are
195  important characteristics that aren't currently in MIB objects, and
196  worse, it is not current practice to store this information on managed
197  devices. Therefore, this document defines MIB objects for this
198  information. To meet today's needs there are three missing areas:
199  roles, capabilities and time.

201  Roles

203  A role is an administratively specified characteristic of a managed
204  element (for example, an interface). It is a selector for
205  policy rules, to determine the applicability of the rule to
206  a particular managed element.

208  Some examples of roles are political, financial, legal,
209  geographical, or architectural characteristics, typically not directly
210  derivable from information stored on the managed system. For example,
211  "paid for premium service" or "is plugged into a UPS" are examples of
212  roles, whereas the percent utilization of a link would not be.

214  The types of information one would put into a role are:

216  political - describes the role of a person or group of people, or of
217              a service that a group of people use. Examples:
218              executive, sales, outside-contractor, customer.
219      If (attached user is executive) then (apply higher bandwidth)
220      If (attached user is outside-contractor) then (restrict access)

222  financial/legal - describes what financial consideration was
223              received. Could also include contractual or legal
224              considerations. Examples:
225              paid, gold, free, trial, demo, lifeline
226              (The lifeline example is supposed to model the
227              RBOC's legal obligation to provide dial tone to
228              elderly/poor).
229      If (gold service paid for) then (apply special queueing)

231  geographical - describes the location of an element. Examples:
232              California, Headquarters, insecure conduit.
233      If (interface leaves the building) then (apply special security)

235  architectural - describes the network architect's "intent" for an
236              element. For example: backup, trunk.
237      If (interface is backup) then (set ifAdminStatus = down)

239  Collectively, these 4 classes of characteristics are called
240  roles. Roles are human defined strings that can be referenced by
241  a policyFilter. Multiple roles may be assigned to each element.

243  Capabilities

245  Some actions are inappropriate for certain elements or are simply
246  unsupported. PolicyFilters must be able to be defined so that a
247  policy can be applied only to elements that have the proper
248  capability. The capabilities table provides MIB objects that
249  describe the capabilities of the system.

251  Time

253  Managers may wish to define policies that are true for certain
254  periods of time. This might mean that a policy is downloaded and is
255  dormant for a period of time, becomes active, and then later becomes
256  inactive. Sometimes these time periods will be regular (M-F 9-5) and
257  sometimes ad-hoc. This MIB provides MIB objects that allow
258  policies to be dependent on time.

260  5. Policy Based Management Execution Environment

262  There are several steps performed in order to execute policies
263  in this environment:

265  - Element Discovery
266  - Element Filtering
267  - Policy Enforcement

269  5.1. Element Discovery

271  An element is a uniquely addressable entity on a managed
272  device. Examples of elements include interfaces, circuits,
273  queues, CPUs, and processes. Sometimes various attributes of
274  an entity will be described through tables in several standard
275  and proprietary MIBs - as long as the indexing is consistent
276  between these tables, the entity can be modeled as 1 element.
277  For example, the ifTable and the dot3Stats table both contain
278  attributes of interfaces and share the same index (ifIndex),
279  therefore they can be modeled as one element type.

281  The Element Type Registration table is used for the manager to
282  learn what element types are being managed by the system and
283  to register new types if necessary. An element type is
284  registered by providing the OID of an SNMP object (i.e.,
285  without the instance). Each SNMP instance that exists under
286  that object is a distinct element. The address of the element
287  is the index part of the discovered OID. This address will be
288  supplied to policy filters and actions so that these
289  expressions can inspect and configure the element.

291  For each element that is discovered, the policy filter is
292  called with the element address as an argument to see if the
293  element is a member of the set that the policy acts upon.

295  5.1.1. Implementation Notes

297  Note that while the external behavior of this registration
298  process is defined in terms of the walking of MIB tables,
299  implementation strategies may differ. For example, commonly-
300  used element types (like interface) may have purpose-built
301  element discovery capability built-in and advertised to
302  managers through an entry in the pmElementTypeRegTable.

304  Before registering an element type, it is the responsibility
305  of a manager to inspect the table and see if it is already
306  registered (by the agent or another manager). Note that
307  entries that differ only in the last OID (which specifies
308  which object in an entry) are effectively duplicates and
309  should be treated as such by the manager.

311  The system which implements the Policy-Based Management MIB
312  may not have knowledge of the format of object identifiers in
313  other MIBs. Therefore it is inappropriate for it to check
314  these OIDs for errors. It is the responsibility of the
315  management station to register well-formed object-identifiers.
316  For example, if an extra sub-identifier is supplied when
317  registering the ifTable, no elements will be discovered.
318  Similarly, if a sub-identifier is missing, every element will
319  be discovered numerous times (once per column) and none of the
320  element addresses will be well-formed.

322  5.2. Element Filtering

324  The first step in executing a policy is to see which elements
325  match the policy filter. To evaluate a policy, the policy
326  filter is called once for each element and runs to completion.
327  The element address is the only state that is passed to the
328  expression for each invocation (in particular, no state is
329  remembered from the previous invocation of this element nor
330  from the previous invocation of the policy filter). If any
331  syntax or processing error occurs, the expression will
332  terminate immediately for this element. If the expression
333  returns non-zero, the corresponding policy action will be
334  executed for this element.

336  5.2.1. Implementation Notes

338  It is an implementation-dependent matter as to how policy
339  filters are scheduled. Each filter/element combination is
340  conceptually its own process and can be scheduled sequentially
341  or one or more could be run simultaneously.

343  Policy filters have no side-effects. Policy filter
344  interpreters are encouraged to stop processing a filter as
345  soon as its return value is known.

347  5.3. Policy Enforcement

349  For each element that has returned non-zero from the policy
350  filter, the corresponding policy action is called. The element
351  address is the only state that is passed to the expression for
352  each invocation (in particular, no state is remembered from
353  the policy filter evaluation, nor from the previous
354  filter/action invocation of this element nor from the previous
355  invocation of the policy filter or action). If any syntax or
356  processing error occurs, the expression will terminate
357  immediately for this element.

359  5.3.1. Implementation Notes

361  It is an implementation-dependent matter as to how policy
362  actions are scheduled. Each filter/element combination is
363  conceptually its own process and can be scheduled sequentially
364  or one or more could be run simultaneously.

366  6. Policy Based Management Expression Language

368  Policy filters and policy actions are expressed with the
369  policy expression language. This expression language provides
370  the power to make parenthesized logical and arithmetic
371  comparisons and to call a number of pre-defined functions.

373  The policy expression language is a subset of the C language.
374  Some examples of the features that have been removed are:
375  function definitions, pointers (except for constant pointers
376  used for strings), array, structures, floating point and pre-
377  processor functions.

379  This language is formally defined as a subset of ANSI C [19].
380  The policy expression language is defined in this standard by
381  reference to ANSI C, but only allows those constructs that may
382  be expressed in the BNF documented here. This is done because
383  while BNF doesn't fully specify syntactical rules (it allows
384  constructs that are invalid) and doesn't specify semantic
385  rules, it can successfully be used to define the subset of
386  ANSI C that is required for conformance to this standard.

388  The use of comments and newlines is allowed and encouraged
389  where they will promote readability of expressions.

391  6.1. Formal Definition

393  The policy expression language follows the syntax and
394  semantics of ANSI C [19], but expressions are limited to those
395  that can be expressed in the following EBNF form:

397      identifier      : letter ( letter | digit )*

399      string          : '"' char* '"'

401      block           : ( declaration )* const_exp ( ';' const_exp )*

403      var_or_array    : identifier ( '[' integer ']' )?

405      declaration     : 'unsigned'? type var_or_array
406                        ( ',' var_or_array )* ';'

408      type            : 'int' | 'short' | 'long' | 'char'
409      const_exp       : compound_exp | conditional_exp | assignment
410                      | 'for' '(' const_exp? ';' const_exp? ';'
411                        const_exp? ')'
412                        ( const_exp? | '{' block '}' )
413                      | 'while' '(' const_exp? ')'
414                        ( const_exp? | '{' block '}' )

416      assignment      : identifier '=' const_exp

418      conditional_exp : const_exp '?' const_exp ':' const_exp

420      binary_operator : '*' | '/' | '%' | '+' | '-' | '<<' | '>>'
421                      | '<' | '>' | '<=' | '>=' | '==' | '!='
422                      | '&' | '^' | '|' | '&&' | '||'

424      compound_exp    : unary_exp (binary_operator unary_exp)*

426      unary_exp       : integer | char_const | string | identifier
427                      | functioncall
428                      | '(' const_exp ')'
429                      | unary_operator unary_exp
430                      | '++' identifier | '--' identifier
431                      | identifier '++' | identifier '--'

433      unary_operator  : '+' | '-' | '~' | '!'

435      functioncall    : identifier '(' arg_exp_list? ')'

437      arg_exp_list    : ( '&' )? const_exp ( ',' ( '&' )? const_exp )*

439      -- For reference
440      letter          : Any lower or upper case letter or underscore

442      char            : Any character

444      digit           : '0' | '1' | '2' | '3' | '4' |
445                        '5' | '6' | '7' | '8' | '9'

447      hexdigit        : digit | 'A' | 'B' | 'C' | 'D' | 'E' | 'F' |
448                        'a' | 'b' | 'c' | 'd' | 'e' | 'f'

450      decimal         : digit+

452      integer         : decimal | ( '0' 'x' hexdigit+ )
453      char_const      : ( ''' char ''' ) |
454                        ( ''' '\' decimal ''' )

456  7. Accessor Functions

458  Accessor functions are built-in functions available primarily
459  to provide access to information on the local system or to
460  more efficiently manipulate this information. A group of
461  functions is organized into a library, the unit of conformance
462  for function implementation. In order to claim conformance to
463  a library, an implementation must implement all functions in a
464  library.

466  In order for a management station or a script to understand if
467  a certain library of functions is implemented, each library
468  will have a registration OID that it registers in this MIB's
469  capabilities table. Thus, conformance to a library can be
470  tested with the capMatch library function (in the base
471  library) or by inspecting the pmCapabilitiesType objects in
472  the pmCapabilitiesTable.

474  8. Base Accessor Function Library

476  A standard base library of accessor functions is available to
477  all systems that implement this specification. This library is
478  known by the capability OID of:

480      pmBaseFunctionLibrary ::= { policyMgt pmConformance pmGroups 2 }

482  This library contains three types of functions:

484  - SNMP Access functions
485  - Policy Configuration Access functions
486  - Utility functions
487  - Library Functions

489  8.1. SNMP Access Functions

491  Two sets of SNMP Access functions are available with different
492  situations in mind:

494  - Convenience SNMP Functions
495    In an effort to keep simple things simple, these functions are
496    easy to use and promote easy to understand code. These functions
497    will suffice for the majority of situations where a single
498    variable is referenced and the desired error recovery is to simply
499    (and immediately) give up (and move to the next policy-element
500    combination). In more complex cases, the General SNMP Functions
501    can be used at the cost of several times the code complexity.

503    The convenience SNMP functions are getint, getvar, exists,
504    setint, setvar, setRowStatus, and searchcolumn.

506  - General SNMP Functions

508    The General SNMP functions allow nearly any legal SNMP Message to
509    be generated, including those with multiple varbinds, getNext
510    operations, notifications, and messages with explicit addressing
511    or security specifications.

513    The general SNMP functions are writeVarbind, readVarbind,
514    snmpsend, and trapsend.

516  Many of the accessor functions use a character string encoding
517  of a value that may be one of many SMI data types as input or
518  output parameters. The actual type is not encoded in the
519  value, but rather is specified elsewhere, possibly by nature
520  of the context in which it is used. The encodings are:

522  Any Integer value
523    (INTEGER, Integer32, Counter32, Counter64, Gauge32, Unsigned32,
524    TimeTicks, Counter64):

526    Ascii-encoded integer in ascii,
527    range: -2147483648 .. 18446744073709551615

529    Note that getint and setint encode integers as C integer values
530    and do not use this character string encoding.

532  Octet String
533    The character string contains the unencoded value of the octet
534    string.

536    When an accessor function is encoding this value it often won't
537    know if it is a null-terminated display string so it will
538    null-terminate the string AND return the length of the string,
539    allowing the expression to treat it as a null-terminated string
540    only if appropriate. This is not an issue for utility accessor
541    functions like itoa, where the type is known.

543    [note: Is the above text understandable? I'm
544    open to suggestions as to wording. What we want to allow is:

546        if (!strcmp("eth0", getvar("ifDescr.1", ...)))
547            ... -- we know it's a null terminated string

549    even though for other contexts we can't depend on null termination:

551        getvar("ifPhysAddr.1", physAddr, physAddrLen);
552        if (!memcmp(physAddr, " 08 00 89", 3))
553            ...

555    Also remember that the policy agent doesn't have a MIB compiler so it
556    doesn't know if the OCTET STRING varbind is a DisplayString.
557    ]

559  Object Identifier
560    A decimal ascii encoded object identifier stored in a
561    null-terminated string.

563        subid: decimal
564        oid: subid | subid '.' oid

566    Note that ascii descriptors (e.g. "ifIndex") are never used in these
567    encodings "over the wire". They are never returned from accessor
568    functions nor are they ever accepted by them. NMS user
569    interfaces are encouraged to allow humans to view object
570    identifiers with ascii descriptors, but they must translate those
571    descriptors to dotted-decimal format before sending them in MIB
572    objects to policy agents.

574  8.1.1. Convenience SNMP Functions

576  8.1.1.1. getint()

578  The getint() function is used to retrieve the value of an SNMP
579  MIB instance when it is known to be of a 32 bit integer type.

581      int getint(char *oid)
582  Oid is a NULL terminated string containing an
583  ASCII dotted-decimal representation of an object identifier
584  (e.g. "1.3.6.1.2.1.1.1.0").

586  The 2-character token "$n" ('$' followed by an integer) can be
587  used in place of any decimal sub-identifier. This token is
588  expanded by the agent at execution time to contain the n'th
589  subid of the index for the current element. For example,
590  if the element is interface #7, and the objectIdentifier is
591  "1.3.6.1.2.1.2.2.1.3.$1", it will be expanded to
592  "1.3.6.1.2.1.2.2.1.3.7".

594  The agent will retrieve the instance in the same SNMP context
595  in which the element resides. Note that no actual SNMP PDU
596  needs to be generated and parsed when the policy MIB module
597  resides on the same system as the managed elements.

599  If the queried object identifier value does not exist or is
600  not a 32-bit integer-valued object, execution of the
601  containing expression on the current element will immediately
602  terminate and the associated policyAction will not be executed
603  on the current element.

605  This function returns the value of the integer-valued MIB
606  instance.

608  It is recommended that NMS user interfaces display and allow
609  input of MIB object names by their descriptor values followed
610  by the index in dotted-decimal form (e.g., "ifType.7").

612  8.1.1.2. getvar()

614  The getvar() function is used to retrieve the value of an SNMP
615  MIB instance.

617      u_char * getvar(char *oid, u_char *value, u_char *length)
618  Oid is a NULL terminated string containing an
619  ASCII dotted-decimal representation of an object identifier
620  (e.g. "1.3.6.1.2.1.1.1.0").

622  The 2-character token "$n" ('$' followed by an integer) can be
623  used in place of any decimal sub-identifier. This token is
624  expanded by the agent at execution time to contain the n'th
625  subid of the index for the current element. For example,
626  if the element is interface #7, and the objectIdentifier is
627  "1.3.6.1.2.1.2.2.1.3.$1", it will be expanded to
628  "1.3.6.1.2.1.2.2.1.3.7".

630  The agent will retrieve the instance in the same SNMP context
631  in which the element resides. Note that no actual SNMP PDU
632  needs to be generated and parsed when the policy MIB module
633  resides on the same system as the managed elements.

635  If the queried object identifier value does not exist,
636  execution of the containing expression on the current
637  element will immediately terminate and the associated
638  policyAction will not be executed on the current element.
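
The registration failure modes from Section 5.1.1 and the "$n" expansion rule shared by the accessor functions can be checked mechanically. The C sketch below is an added example, not code from the draft: `parse_oid`, `discover`, `expand_oid` and the four-instance `SAMPLE_MIB` are hypothetical names and constructed data, and accepting a multi-digit n is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBIDS 32

/* Parse a dotted-decimal OID (oid: subid | subid '.' oid) into subids.
 * Returns the subid count, or -1 for anything else: a descriptor such as
 * "ifIndex", an empty subid, a trailing dot, or a subid wider than 32 bits. */
int parse_oid(const char *s, unsigned long *out, int max)
{
    int n = 0;
    do {
        char *end;
        if (*s < '0' || *s > '9' || n == max) return -1;
        errno = 0;
        unsigned long v = strtoul(s, &end, 10);
        if (errno || v > 0xFFFFFFFFUL) return -1;
        out[n++] = v;
        if (*end != '.' && *end != '\0') return -1;
        s = (*end == '.') ? end + 1 : end;
        if (*end == '.' && *s == '\0') return -1;    /* trailing dot */
    } while (*s);
    return n;
}

/* Constructed sample agent contents: two ifTable columns, two rows each. */
static const char *SAMPLE_MIB[] = {
    "1.3.6.1.2.1.2.2.1.2.1", "1.3.6.1.2.1.2.2.1.2.2",   /* ifDescr.1, ifDescr.2 */
    "1.3.6.1.2.1.2.2.1.3.1", "1.3.6.1.2.1.2.2.1.3.2",   /* ifType.1, ifType.2 */
};
#define SAMPLE_MIB_LEN (sizeof SAMPLE_MIB / sizeof SAMPLE_MIB[0])

/* Walk the sample MIB under a registered object OID. Every instance strictly
 * beneath it is one element whose address is the index part of its OID.
 * Returns the element count (-1 if reg_oid is not dotted-decimal) and stores
 * the address length of the last element found in *addr_len. */
int discover(const char *reg_oid, int *addr_len)
{
    unsigned long reg[MAX_SUBIDS], inst[MAX_SUBIDS];
    int nreg = parse_oid(reg_oid, reg, MAX_SUBIDS), found = 0;
    *addr_len = 0;
    if (nreg < 0) return -1;
    for (size_t i = 0; i < SAMPLE_MIB_LEN; i++) {
        int ninst = parse_oid(SAMPLE_MIB[i], inst, MAX_SUBIDS);
        if (ninst > nreg && memcmp(reg, inst, nreg * sizeof reg[0]) == 0) {
            found++;
            *addr_len = ninst - nreg;
        }
    }
    return found;
}

/* Expand "$n" tokens with the n'th (1-based) subid of the element address.
 * A token must replace a whole sub-identifier. Returns 0 on success, -1 on a
 * misplaced token, n outside the address, truncation, or a non-OID result. */
int expand_oid(const char *tmpl, const unsigned long *addr, int naddr,
               char *out, size_t outlen)
{
    unsigned long check[MAX_SUBIDS];
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (const char *p = tmpl; *p; ) {
        int w;
        if (*p == '$') {
            char *end;
            if ((p != tmpl && p[-1] != '.') || p[1] < '1' || p[1] > '9') return -1;
            unsigned long n = strtoul(p + 1, &end, 10);
            if (n > (unsigned long)naddr || (*end != '.' && *end != '\0')) return -1;
            w = snprintf(out + used, outlen - used, "%lu", addr[n - 1]);
            p = end;
        } else {
            w = snprintf(out + used, outlen - used, "%c", *p++);
        }
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
    }
    return parse_oid(out, check, MAX_SUBIDS) > 0 ? 0 : -1;
}

int main(void)
{
    const char *regs[] = { "1.3.6.1.2.1.2.2.1.3",       /* well-formed (ifType)   */
                           "1.3.6.1.2.1.2.2.1.3.9",     /* extra sub-identifier   */
                           "1.3.6.1.2.1.2.2.1" };       /* missing sub-identifier */
    const unsigned long if7[] = { 7 };                  /* address of interface #7 */
    char oid[64];
    for (int i = 0; i < 3; i++) {
        int alen, n = discover(regs[i], &alen);
        printf("%-22s -> %d elements, address length %d\n", regs[i], n, alen);
    }
    if (expand_oid("1.3.6.1.2.1.2.2.1.3.$1", if7, 1, oid, sizeof oid) == 0)
        printf("expanded: %s\n", oid);
    return 0;
}
```

A management station can run the same well-formedness and address-length checks before writing a registration, since the agent itself is not expected to validate the OID.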
640 This function returns a string containing the returned value, 641 encoded according to the returned type. 643 The optional arguments value and length will be filled in with 644 the returned type and length if supplied. If the variable 645 being retrieved is not a null-terminated type, it will be 646 necessary to retrieve the length argument. 648 It is recommended that NMS user interfaces display and allow 649 input of MIB object names by their descriptor values followed 650 by the index in dotted-decimal form (e.g., "ifType.7). 652 8.1.1.3. exists() 654 The exists() function is used to verify the existence of an 655 SNMP MIB instance. 657 int exists(char *oid) 659 oid is a NULL terminated string containing an 660 ASCII dotted-decimal representation of an object identifier 661 (e.g. "1.3.6.1.2.1.1.1.0"). 663 The 2-character token "$n" ('$' followed by an integer) can be 664 used in place of any decimal sub-identifier. This token is 665 expanded by the agent at execution time to contain the n'th 666 subid of the index for the current element. For example, 667 if the element is interface #7, and the objectIdentifier is 668 "1.3.6.1.2.1.2.2.1.3.$1", it will be expanded to 669 "1.3.6.1.2.1.2.2.1.3.7". 671 The agent will retrieve the instance in the same SNMP context 672 in which the element resides. Note that no actual SNMP PDU 673 needs to be generated and parsed when the policy MIB module 674 resides on the same system as the managed elements. 676 This function returns the value 1 if the SNMP instance exists 677 and 0 if it doesn't exist. 679 It is recommended that NMS user interfaces display and allow 680 input of MIB object names by their descriptor values followed 681 by the index in dotted-decimal form (e.g., "ifType.7). 683 8.1.1.4. setint() 685 The setint() function is used to set a MIB instance to a 686 certain integer value. The setint() function is only valid in 687 policyActions. 
If, when executing a policyFilter, the agent encounters a call to
the setint() function, execution of the policyFilter for the current
element will immediately terminate and the associated policyAction
will not be executed on the current element.

   int setint(char *oid, int value)

oid is a NULL terminated string containing an ASCII dotted-decimal
representation of an object identifier (e.g. "1.3.6.1.2.1.1.1.0").

The 2-character token "$n" ('$' followed by an integer) can be used
in place of any decimal sub-identifier. This token is expanded by
the agent at execution time to contain the n'th subid of the index
for the current element. For example, if the element is interface
#7, and the objectIdentifier is "1.3.6.1.2.1.2.2.1.3.$1", it will be
expanded to "1.3.6.1.2.1.2.2.1.3.7".

The agent will set the variable specified by oid to the integer
value specified by value.

The agent will set the instance in the same SNMP context in which
the element resides. Note that no actual SNMP PDU needs to be
generated and parsed when the policy MIB module resides on the same
system as the managed elements.

If the set encounters any error, 0 is returned. If successful, 1 is
returned.

It is recommended that NMS user interfaces display and allow input
of MIB object names by their descriptor values followed by the index
in dotted-decimal form (e.g., "ifType.7").

8.1.1.5. setvar()

The setvar() function is used to set a MIB instance to a certain
value. The setvar() function is only valid in policyActions. If,
when executing a policyFilter, the agent encounters a call to the
setvar() function, execution of the policyFilter for the current
element will immediately terminate and the associated policyAction
will not be executed on the current element.
   int setvar(char *oid, u_char *value, int length, int type)

oid is a NULL terminated string containing an ASCII dotted-decimal
representation of an object identifier (e.g. "1.3.6.1.2.1.1.1.0").

The 2-character token "$n" ('$' followed by an integer) can be used
in place of any decimal sub-identifier. This token is expanded by
the agent at execution time to contain the n'th subid of the index
for the current element. For example, if the element is interface
#7, and the objectIdentifier is "1.3.6.1.2.1.2.2.1.3.$1", it will be
expanded to "1.3.6.1.2.1.2.2.1.3.7".

value is a string encoded in the format appropriate to the type
parameter. The agent will set the variable specified by oid to the
value specified by value.

length is the length in octets of the value parameter.

type is the type of the value parameter and will be one of the
DataType Constants.

The agent will set the instance in the same SNMP context in which
the element resides. Note that no actual SNMP PDU needs to be
generated and parsed when the policy MIB module resides on the same
system as the managed elements.

If the set encounters any error, 0 is returned. If successful, 1 is
returned.

It is recommended that NMS user interfaces display and allow input
of MIB object names by their descriptor values followed by the index
in dotted-decimal form (e.g., "ifType.7").

8.1.1.6. searchcolumn()

   char *searchcolumn(char *columnoid, char *startoid,
                      u_char *value, int type)

searchcolumn performs an SNMP walk on a portion of the MIB,
searching for objects whose values match value.

columnoid constrains the search to only those variables that are
beneath it in the tree.

startoid is the first OID to send in the search.

value is the value to be searched for. When a value is found that
matches exactly, searchcolumn returns with the oid of the variable.
type describes the type of the value to be matched.

For example:
To find an ethernet:
   searchcolumn("ifType", "ifType", 6, TYPE_INTEGER);

This sends a getnext request for ifType and continues to walk the
tree until a value matching 6 is found or a variable returns that is
not in the 'ifType' subtree.

To find the next ethernet, assuming interface #3 was discovered to
be the first:
   searchcolumn("ifType", "ifType.3", 6, TYPE_INTEGER);

8.1.1.7. setRowStatus()

   int setRowStatus(char *oid, int maxTries)

setRowStatus is used to automate the process of finding an unused
row in a read-create table that uses RowStatus.

oid is a NULL terminated string containing an ASCII dotted-decimal
representation of an object identifier, with one of the subids
replaced with a '*' character (e.g. "1.3.6.1.3.1.99.1.2.1.9.*"). The
oid must reference an 'instance' of the RowStatus object and the '*'
must replace any integer index item that may be set to some random
value.

setRowStatus will come up with a random number for the selected
index item and will attempt to create the instance with the
createAndWait state. If the attempt fails, it will retry with a
different random index value. It will attempt this no more than
maxTries times.

setRowStatus returns the successful integer value for the index. If
unsuccessful after maxTries, -1 will be returned.

8.1.2. General SNMP Functions

It is desirable for a general SNMP interface to have the ability to
perform SNMP operations on multiple variables at once and for it to
allow multiple varbind lists to be active at once. The readVarbind
and writeVarbind functions exist in order to provide these
facilities in a language without pointers, arrays and memory
allocators.

readVarbind and writeVarbind access a data store of variable length
varbindlists.
The index of the varbindlist and the index of the variable within
that varbindlist are specified in every readVarbind and writeVarbind
operation. Once a varbindlist has been fully specified by one or
more calls to writeVarbind, it is passed to snmpsend by referencing
the varbindlist index and the number of varbinds to be included in
the operation. The results are stored in the same varbindlist (i.e.
the same varbindlist index is used) and may be read by one or more
calls to readVarbind.

Varbinds in this data store are created automatically whenever they
are written or read by any writeVarbind, readVarbind, snmpsend, or
trapsend operation. It is not a runtime error to read a varbind that
has not been previously written; however, the values read will be
unpredictable.

For example:
   writeVarbind(0, 0, "sysDescr.0", ...);
   writeVarbind(0, 1, "sysOID.0", ...);
   writeVarbind(0, 2, "ifNumber.0", ...);
   snmpsend(0, 3, GET, ...);
   readVarbind(0, 0, iKnowItsSysDescr, iKnowItsaString, len, value);
   readVarbind(0, 1, ...)
   readVarbind(0, 2, ...)
   ...

or,
   writeVarbind(0, 0, "ifIndex", ...);
   writeVarbind(0, 1, "ifType", ...);
   while(!done){
     snmpsend(0, 2, GETNEXT, ...);
     readVarbind(0, 0, oid1, ...);
     readVarbind(0, 1, oid2, ...);
     /* leave OIDs alone, now varbindlist #0 is set up for next step
        in table walk. */
     if (!oid_in(oid1, "ifIndex"))
       done = 1;   /* walked out of the ifIndex column: stop */
     ...
   }

To be conformant to this specification, implementations must support
at least 5 varbindlists with at least 60 varbinds per list.

Implementations may, but are not required to, initialize the varbind
database when a new expression begins executing. An expression
invocation can only depend on the state it has written into this
datastore.

8.1.2.1. writeVarbind()

   void writeVarbind(int varbindListIndex, int varBindIndex,
        char *oid, int *type, u_char *value, int length)

writeVarbind will store the oid, the value and its type and length
in the specified varbind.

varbindListIndex is a non-negative integer that identifies the
varbindList modified by this call.

varbindIndex is a non-negative integer that identifies the varbind
within the varbindList modified by this call.

oid is a NULL terminated string containing an ASCII dotted-decimal
representation of an object identifier (e.g. "1.3.6.1.2.1.1.1.0").

The 2-character token "$n" ('$' followed by an integer) can be used
in place of any decimal sub-identifier. This token is expanded by
the agent at execution time to contain the n'th subid of the index
for the current element. For example, if the element is interface
#7, and the objectIdentifier is "1.3.6.1.2.1.2.2.1.3.$1", it will be
expanded to "1.3.6.1.2.1.2.2.1.3.7".

type is the type of the value parameter and should be set to one of
the values for DataType Constants.

value is a string encoded in the format appropriate to the type
parameter.

length is the length in octets of the value parameter.

8.1.2.2. readVarbind()

   void readVarbind(int varbindListIndex, int varBindIndex,
        char *oid, int *type, u_char *value, int *length)

readVarbind will retrieve the oid, the value and its type and length
from the specified varbind.

varbindListIndex is a non-negative integer that identifies the
varbindList read by this call.

varbindIndex is a non-negative integer that identifies the varbind
within the varbindList read by this call.

oid is a NULL terminated string containing an ASCII dotted-decimal
representation of an object identifier (e.g. "1.3.6.1.2.1.1.1.0").
The object identifier value of the referenced varbind will be copied
into this string.
type is the type of the value parameter and will be set to one of
the values for DataType Constants.

value is a string encoded in the format appropriate to the type
parameter.

length is the length in octets of the value parameter.

8.1.2.3. snmpsend()

   int snmpsend(int varbindListIndex, int numVarbinds, int opcode)

snmpsend will perform an SNMP operation using the specified
varbindlist. Note that no actual SNMP PDU needs to be generated and
parsed when the policy MIB module resides on the same system as the
managed elements.

The results of the operation will be placed in the same varbindList
unless an error occurred, in which case no varbinds are modified.

This function returns zero unless an error occurs, in which case it
returns the proper SNMP Error Constant.

varbindListIndex is a non-negative integer that identifies the
varbindList used by this operation.

numVarbinds is an integer greater than zero that specifies which
varbinds in the varbindList will be used in this operation. The
first N varbinds in the varbindList are used.

opcode is the type of SNMP operation to perform and must be one of
the values for SNMP Operation Constants.

8.2. Constants

The following constants are defined for use in all SNMP Access
Functions. Expressions will be executed in an environment where the
following definitions are active. (Note that neither these
definitions nor the macro replacements they dictate will be visible
in the policyFilter or policyAction MIB objects.)
-- Datatype Constants

#define TYPE_INTEGER               1
#define TYPE_OCTET_STRING          2
#define TYPE_OBJECT_IDENTIFIER     3
#define TYPE_INTEGER32             4
#define TYPE_IPADDRESS             5
#define TYPE_COUNTER32             6
#define TYPE_GAUGE32               7
#define TYPE_UNSIGNED32            8
#define TYPE_TIMETICKS             9
#define TYPE_OPAQUE                10
#define TYPE_COUNTER64             11

-- SNMP Error Constants

#define ERROR_NOSUCHOBJECT         12
#define ERROR_NOSUCHINSTANCE       13
#define ERROR_ENDOFMIBVIEW         14
#define ERROR_NOERROR              15
#define ERROR_TOOBIG               16
#define ERROR_NOSUCHNAME           17
#define ERROR_BADVALUE             18
#define ERROR_READONLY             19
#define ERROR_GENERR               20
#define ERROR_NOACCESS             21
#define ERROR_WRONGTYPE            22
#define ERROR_WRONGLENGTH          23
#define ERROR_WRONGENCODING        24
#define ERROR_WRONGVALUE           25
#define ERROR_NOCREATION           26
#define ERROR_INCONSISTENTVALUE    27
#define ERROR_RESOURCEUNAVAILABLE  28
#define ERROR_COMMITFAILED         29
#define ERROR_UNDOFAILED           30
#define ERROR_AUTHORIZATIONERROR   31
#define ERROR_NOTWRITABLE          32

#define ERROR_BADPARAMETER         33
#define ERROR_TOOLONG              34
#define ERROR_PARSEERROR           35
#define ERROR_AUTHFAILURE          36
#define ERROR_TIMEOUT              37

-- SNMP Operation Constants

#define OP_GET                     0
#define OP_GETNEXT                 1
#define OP_SET                     3
#define OP_TRAP                    4
#define OP_INFORM                  6
#define OP_V2TRAP                  7

8.3. Policy Configuration Access Functions

Policy Configuration Access Functions provide access to information
specifically related to the execution of policies.

8.3.1. roleMatch()

The roleMatch() function is used to check to see if the current
element has been assigned a particular role.

   int roleMatch(u_char *roleString)

Argument roleString is a NULL terminated string. If this exactly
matches (content and length) any role assigned to the current
element, the function returns 1.
If no roles match, the function returns 0.

8.3.2. capMatch()

The capMatch() function is used to check to see if the current
element has a certain capability.

   int capMatch(char *capString)

Argument capString is a NULL terminated string containing an ASCII
dotted-decimal representation of an object identifier that describes
a capability as would be found in the pmCapabilitiesTable.

If the current element has the capability described by capString,
this function returns 1, otherwise it returns 0.

8.3.3. elementName()

The elementName() function is used to determine what the current
element is and can be used to provide information about the type of
element as well as how it is indexed.

   char * elementName(void)

elementName returns a NULL terminated string containing an ASCII
dotted-decimal representation of an object identifier
(e.g. 1.3.6.1.2.1.1.1.0). This object identifier identifies an
instance of a MIB object that is an attribute of this element.

8.3.4. setScratchpad()

   setScratchpad(int varIndex, char *value, int length)

Every maxLatency time period, every policy runs once for each
element. The setScratchpad function allows values to be stored that
will live beyond the end of this policy execution so that they can
be retrieved by subsequent invocations of this policy on "this
element".

varIndex is a positive integer used to allow variables to be stored
in one policy/element context.

value is the value to be stored.

length is the length of the value.

8.3.5. getScratchpad()

   int getScratchpad(int varIndex, char *value, int *length)

The getScratchpad function allows retrieval of values that were
stored in previous executions of this policy on this element.

varIndex is a positive integer used to allow variables to be stored
in one policy/element context.
On successful return, value will be set to the value that was
previously stored and length will be set to its length.

8.4. Utility Accessor Functions

Utility Accessor Functions are provided to enable more efficient use
of the other accessor functions.

8.4.1. oidlength()

   int oidlen(char *oid)

oidlen returns the number of subidentifiers in oid. oid is a NULL
terminated string containing an ASCII dotted-decimal representation
of an object identifier (e.g. "1.3.6.1.2.1.1.1.0").

8.4.2. oidncmp()

   int oidncmp(char *oid1, char *oid2)

Arguments oid1 and oid2 are NULL terminated strings containing ASCII
dotted-decimal representations of object identifiers
(e.g. "1.3.6.1.2.1.1.1.0").

Compares the first n subidentifiers of oid1 and oid2 and returns -1
if oid1 is less than oid2, 0 if they are equal, and 1 if oid1 is
greater than oid2.

8.4.3. subid()

   int subid(char *oid, int n)

subid returns the value of the n'th (starting at zero) subidentifier
of oid. oid is a NULL terminated string containing an ASCII
dotted-decimal representation of an object identifier
(e.g. "1.3.6.1.2.1.1.1.0").

If n specifies a subidentifier beyond the length of oid, a value of
-1 is returned.

8.4.4. oidsplice()

   char *oidsplice(char *oid1, int m, char *oid2, int n)

oidsplice replaces n subidentifiers in oid1 with those from oid2,
starting at the m'th subidentifier in oid1. The resulting oid is
returned.

8.5. Library Accessor Functions

The following standard library accessor functions are provided:

   strncmp()
   strncasecmp()
   strncat()
   strlen()
   strncpy()
   atoi()
   random()
   memcmp()
   memmove()

9. Definitions

POLICY-MANAGEMENT-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE,
    Counter32, Integer32, Gauge32, Unsigned32,
    experimental                              FROM SNMPv2-SMI
    RowStatus, RowPointer, TEXTUAL-CONVENTION FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP           FROM SNMPv2-CONF;

--  Policy-Based Management MIB

policyMgt MODULE-IDENTITY
    LAST-UPDATED "200010111500Z"    -- October 11, 2000
    ORGANIZATION "IETF SNMP Configuration Working Group"
    CONTACT-INFO
        "Steve Waldbusser

        Phone: +1-650-948-6500
        Fax:   +1-650-745-0671
        Email: waldbusser@nextbeacon.com

        Jon Saperia
        JDS Consulting, Inc.
        174 Chapman St.
        Watertown MA 02472-3063
        USA
        Phone: +1-617-744-1079
        Fax:   +1-617-249-0874
        Email: saperia@jdscons.com

        Thippanna Hongal
        Riverstone Networks, Inc.
        5200 Great America Parkway
        Santa Clara, CA, 95054
        USA

        Phone: +1-408-878-6562
        Fax:   +1-408-878-6501
        Email: hongal@riverstonenet.com"
    DESCRIPTION
        "The MIB module for rule-based configuration of SNMP
        infrastructures."

    REVISION "200010111500Z"    -- October 11, 2000
    DESCRIPTION
        "The original version of this MIB, published as RFCXXXX."
    ::= { experimental 107 }

UTF8String ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "255a"
    STATUS       current
    DESCRIPTION
        "An octet string containing information typically in
        human-readable form.

        To facilitate internationalization, this
        information is represented using the ISO/IEC
        IS 10646-1 character set, encoded as an octet
        string using the UTF-8 transformation format
        described in [RFC2279].

        Since additional code points are added by
        amendments to the 10646 standard from time
        to time, implementations must be prepared to
        encounter any code point from 0x00000000 to
        0x7fffffff.
        Byte sequences that do not
        correspond to the valid UTF-8 encoding of a
        code point or are outside this range are
        prohibited.

        The use of control codes should be avoided.

        When it is necessary to represent a newline,
        the control code sequence CR LF should be used.

        For code points not directly supported by user
        interface hardware or software, an alternative
        means of entry and display, such as hexadecimal,
        may be provided.

        For information encoded in 7-bit US-ASCII,
        the UTF-8 encoding is identical to the
        US-ASCII encoding.

        UTF-8 may require multiple bytes to represent a
        single character / code point; thus the length
        of this object in octets may be different from
        the number of characters encoded. Similarly,
        size constraints refer to the number of encoded
        octets, not the number of characters represented
        by an encoding.

        Note that when this TC is used for an object that
        is used or envisioned to be used as an index, then
        a SIZE restriction MUST be specified so that the
        number of sub-identifiers for any object instance
        does not exceed the limit of 128, as defined by
        [RFC1905].

        Note that the size of an UTF8String object is
        measured in octets, not characters."
    SYNTAX       OCTET STRING

-- The policy group

pmPolicyTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PmPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The policy table. A policy is a pairing of a
        policyFilter and a policyAction which is used to apply the
        action to a selected set of elements."
    ::= { policyMgt 1 }

pmPolicyEntry OBJECT-TYPE
    SYNTAX      PmPolicyEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry in the policy table."
    INDEX { pmPolicyIndex }
    ::= { pmPolicyTable 1 }

PmPolicyEntry ::= SEQUENCE {
    pmPolicyIndex               Unsigned32,
    pmPolicyFilter              UTF8String,
    pmPolicyCalendar            RowPointer,
    pmPolicyAction              UTF8String,
    pmPolicyFilterMaxLatency    Unsigned32,
    pmPolicyActionMaxLatency    Unsigned32,
    pmPolicyPrecedence          Unsigned32,
    pmPolicyGroup               UTF8String,
    pmPolicyDescription         UTF8String,
    pmPolicyMatches             Gauge32,
    pmPolicyExecutionErrors     Counter32,
    pmPolicyDebugging           INTEGER,
    pmPolicyStatus              RowStatus
}

pmPolicyIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A unique index for this policy entry."
    ::= { pmPolicyEntry 1 }

pmPolicyFilter OBJECT-TYPE
    SYNTAX      UTF8String
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A policyFilter is an expression which results in a boolean
        value which represents whether or not an element is a member
        of a set of elements upon which an action is to be
        performed.

        The format of this expression is the policy expression
        language. Filter evaluation stops immediately when any error
        is detected without executing the policyAction.

        The policyFilter is evaluated for various elements. Any
        element for which the policyFilter returns any nonzero value
        will match the filter and will have the associated
        policyAction executed on that element."
    ::= { pmPolicyEntry 2 }

pmPolicyCalendar OBJECT-TYPE
    SYNTAX      RowPointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A pointer to an entry in the schedTable of the Scheduling
        MIB [20]. This policy is active when specified by the
        associated schedule entry.

        If the value of this object is 0.0, this policy is always
        active."
    ::= { pmPolicyEntry 3 }

pmPolicyAction OBJECT-TYPE
    SYNTAX      UTF8String
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A pmPolicyAction is an operation performed on a set of
        elements. The format of this expression is the policy
        expression language.

        Action evaluation stops immediately when any error is
        detected."
    ::= { pmPolicyEntry 4 }

pmPolicyFilterMaxLatency OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "milliseconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Every element under the control of this agent is
        re-checked periodically to see if it is under control of this
        policy by re-running the filter expression for this policy.
        This object lets the manager control the maximum amount of
        time that may pass before an element is re-checked.

        In other words, in any given interval of this duration, all
        elements must be re-checked. Note that it is an
        implementation-dependent matter as to how the policy agent
        schedules the checking of various elements within this
        interval."
    ::= { pmPolicyEntry 5 }

pmPolicyActionMaxLatency OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "milliseconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Every element that matches this policy's filter and is
        therefore under control of this policy will have this policy's
        action executed periodically to ensure that the element
        remains in the state dictated by the policy.
        This object lets the manager control the maximum amount of
        time that may pass before an element has the action run on
        it.

        In other words, in any given interval of this duration, all
        elements under control of this policy must have the action run
        on them. Note that it is an implementation-dependent matter as
        to how the policy agent schedules the policy action on various
        elements within this interval."
    ::= { pmPolicyEntry 6 }

pmPolicyPrecedence OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The order in which policies on the local system are
        evaluated. A policy with a higher precedence value will
        be evaluated after a policy with a lower precedence. For
        example, a policy with a precedence value of 999 will be
        evaluated after a policy with a precedence value of 998.
        These values must be unique on the local policy system
        that realizes this module. The value for a particular
        policy should be the same across an administrative
        domain, though that is not mandatory.

        When the local policy system performs the evaluation in the
        pmPolicyFilter for the policy identified by this row it will
        also read the pmTrackingElementToPolicyStatus object for each
        object returned as a result of the policy evaluation. If that
        object is set to modified(3), then the pmPolicyAction shall
        not be taken on that element.

        The value of precedence(4), of pmTrackingElementToPolicyStatus
        is an indication that when an evaluation was performed by
        another policy, the pmTrackingElementToPolicyStatus was found
        to have a value of on(1) and that policy had a higher
        precedence value than the policy that initially set the value
        of the pmTrackingElementToPolicyStatus to on(1). In this
        event, the pmTrackingElementToPolicyPrecedence object shall
        have the value of the pmPolicyIndex for the policy with the
        higher precedence value entered. If the policy identified by
        this row of the pmPolicyTable has a higher precedence value
        than the value found in pmTrackingElementToPolicyPrecedence
        then the pmPolicyAction should be performed on the element and
        the pmTrackingElementToPolicyPrecedence object updated with
        the value of the pmPolicyIndex for this policy.
        The only exception to these rules is when the policy that
        has the higher precedence value is not currently running,
        i.e., the schedule is off."
    ::= { pmPolicyEntry 7 }

pmPolicyGroup OBJECT-TYPE
    SYNTAX      UTF8String (SIZE (0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An administratively assigned string that is used to group
        policies. Any combination is legal; the pmPolicyGroup object
        does not constrain precedence. That is, precedence is
        evaluated independent of grouping, though administrators
        might group related policies together for clarity."
    ::= { pmPolicyEntry 8 }

pmPolicyDescription OBJECT-TYPE
    SYNTAX      UTF8String (SIZE (0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A description of this rule and its significance, typically
        provided by a human."
    ::= { pmPolicyEntry 9 }

pmPolicyMatches OBJECT-TYPE
    SYNTAX      Gauge32
    UNITS       "elements"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The number of elements that are currently matched by the
        associated pmPolicyFilter."
    ::= { pmPolicyEntry 10 }

pmPolicyExecutionErrors OBJECT-TYPE
    SYNTAX      Counter32
    UNITS       "errors"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of times execution of this policy has been
        terminated due to run-time errors."
    ::= { pmPolicyEntry 11 }

pmPolicyDebugging OBJECT-TYPE
    SYNTAX      INTEGER {
                    off(0),
                    on(1)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of debugging for this policy. If this is turned
        on(1), log entries will be created in the pmDebuggingTable
        for each run-time error that is experienced by this policy."
    DEFVAL { off }
    ::= { pmPolicyEntry 12 }

pmPolicyStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this pmPolicyEntry."
    ::= { pmPolicyEntry 13 }

-- Element Type Registration Table

-- The Element Type Registration table is used for the manager to
-- learn what element types are being managed by the system and to
-- register new types if necessary. An element type is registered by
-- providing the OID of an SNMP object (i.e., without the
-- instance). Each SNMP instance that exists under that object is a
-- distinct element. The address of the element is the index part of
-- the discovered OID. This address will be supplied to policy filters
-- and actions so that these expressions can inspect and configure the
-- element.
--
-- Before registering an element type, it is the responsibility of a
-- manager to inspect the table and see if it is already registered
-- (by the agent or another manager). Note that entries that differ
-- only in the last OID (which specifies which object in an entry) are
-- effectively duplicates and should be treated as such by the
-- manager.

pmElementTypeRegTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PmElementTypeRegEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A registration table for element types managed by this
        system."
    ::= { policyMgt 2 }

pmElementTypeRegEntry OBJECT-TYPE
    SYNTAX      PmElementTypeRegEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A registration of an element type."
    INDEX { pmElementTypeRegIndex }
    ::= { pmElementTypeRegTable 1 }

PmElementTypeRegEntry ::= SEQUENCE {
    pmElementTypeRegIndex       Unsigned32,
    pmElementTypeRegOIDPrefix   OBJECT IDENTIFIER,
    pmElementTypeRegName        UTF8String,
    pmElementTypeRegRowStatus   RowStatus
}

pmElementTypeRegIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A unique index for this entry."
    ::= { pmElementTypeRegEntry 1 }

pmElementTypeRegOIDPrefix OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An OBJECT IDENTIFIER subtree under which all instances of
        this element type may be found.

        This OBJECT IDENTIFIER should be specified up to, but not
        including, any index objects. The agent will discover all
        instances in the system that are members of the specified
        subtree. It will then execute policy filters (and potentially
        policy actions) for each instance discovered.

        Each invocation of the policy filter will be supplied with a
        parameter. This is derived by taking the last N
        sub-identifiers from the discovered instance, where N is:

          X = number of sub-identifiers in pmElementTypeRegOIDPrefix
          Y = number of sub-identifiers in discovered instance

          N = Y - X
        "
    ::= { pmElementTypeRegEntry 2 }

pmElementTypeRegName OBJECT-TYPE
    SYNTAX      UTF8String (SIZE (0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A descriptive label for this registered type."
    ::= { pmElementTypeRegEntry 3 }

pmElementTypeRegRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this registration entry."
    ::= { pmElementTypeRegEntry 4 }

-- roleTable

-- The Role Table associates role strings to elements.
-- It is the responsibility of the agent to keep track of any
-- re-indexing of the underlying SNMP variables and to continue to
-- associate role strings with the element with which they were
-- initially configured.
--
-- The agent must store role string associations in NVRAM.
--
-- The Role String table is visible through 2 SNMP tables. The
-- pmRoleESTable is a read-create table that organizes role strings
-- sorted by element. This table is used to create and modify role
-- strings and their associations.
-- The pmRoleSETable is a read-only table that organizes role strings
-- sorted by string. This table is read-only.

pmRoleESTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PmRoleESEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The role string table with element as the major index."
    ::= { policyMgt 3 }

pmRoleESEntry OBJECT-TYPE
    SYNTAX      PmRoleESEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A role string entry associates a role string with an
        individual element."
    INDEX { pmRoleESElement, pmRoleESString }
    ::= { pmRoleESTable 1 }

PmRoleESEntry ::= SEQUENCE {
    pmRoleESElement     RowPointer,
    pmRoleESString      UTF8String,
    pmRoleESStatus      RowStatus
}

pmRoleESElement OBJECT-TYPE
    SYNTAX      RowPointer
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The element to which this role string is associated.

        If the agent assigns new indexes in the MIB table to
        represent the same underlying element (re-indexing), the
        agent will modify this value to contain the new index for the
        underlying element."
    ::= { pmRoleESEntry 1 }

pmRoleESString OBJECT-TYPE
    SYNTAX      UTF8String (SIZE (0..64))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The role string that is associated with an element through
        this table.

1661           A role string is an administratively specified characteristic
1662           of a managed element (for example, an interface). It is a
1663           selector for policy rules, to determine the applicability of
1664           the rule to a particular managed element."
1665      ::= { pmRoleESEntry 2 }

1667  pmRoleESStatus OBJECT-TYPE
1668      SYNTAX RowStatus
1669      MAX-ACCESS read-create
1670      STATUS current
1671      DESCRIPTION
1672          "The status of this role string."
1673      ::= { pmRoleESEntry 3 }

1675  pmRoleSETable OBJECT-TYPE
1676      SYNTAX SEQUENCE OF PmRoleSEEntry
1677      MAX-ACCESS not-accessible
1678      STATUS current
1679      DESCRIPTION
1680          "A read-only version of the role string table with
1681           roleString as the major index. The purpose of this
1682           table is to make it easy to retrieve all elements that
1683           share a common string."
1684      ::= { policyMgt 4 }

1686  pmRoleSEEntry OBJECT-TYPE
1687      SYNTAX PmRoleSEEntry
1688      MAX-ACCESS not-accessible
1689      STATUS current
1690      DESCRIPTION
1691          "A role string entry associates a role string with an
1692           individual element."
1693      INDEX { pmRoleSEString, pmRoleSEElement }
1694      ::= { pmRoleSETable 1 }

1696  PmRoleSEEntry ::= SEQUENCE {
1697      pmRoleSEString UTF8String,
1698      pmRoleSEElement RowPointer
1699  }

1701  pmRoleSEString OBJECT-TYPE
1702      SYNTAX UTF8String (SIZE (0..64))
1703      MAX-ACCESS not-accessible
1704      STATUS current
1705      DESCRIPTION
1706          "The role string that is associated with an element through
1707           this table.

1709           A role string is an administratively specified characteristic
1710           of a managed element (for example, an interface). It is a
1711           selector for policy rules, to determine the applicability of
1712           the rule to a particular managed element."
1713      ::= { pmRoleSEEntry 1 }

1715  pmRoleSEElement OBJECT-TYPE
1716      SYNTAX RowPointer
1717      MAX-ACCESS read-only
1718      STATUS current
1719      DESCRIPTION
1720          "The element to which this role string is associated.

1722           If the agent assigns new indexes in the MIB table to
1723           represent the same underlying element (re-indexing), the
1724           agent will modify this value to contain the new index for the
1725           underlying element."
1726      ::= { pmRoleSEEntry 2 }

1728  -- Capabilities table

1730  -- Note that with this table it is not necessary to list all OIDs that
1731  -- a mechanism specific MIB Module supports, just the base OID if
1732  -- the implementation is a fully compliant one. If the implementation
1733  -- is not, then additional rows will exist in the table that list
1734  -- the limitations or enhancements.

1736  pmCapabilitiesTable OBJECT-TYPE
1737      SYNTAX SEQUENCE OF PmCapabilitiesEntry
1738      MAX-ACCESS not-accessible
1739      STATUS current
1740      DESCRIPTION
1741          "The pmCapabilitiesTable contains a description of
1742           the inherent capabilities of the system."
1743      ::= { policyMgt 5 }

1745  pmCapabilitiesEntry OBJECT-TYPE
1746      SYNTAX PmCapabilitiesEntry
1747      MAX-ACCESS not-accessible
1748      STATUS current
1749      DESCRIPTION
1750          "The description of a capability or limitation of a
1751           capability of the system. An entry will exist for each
1752           domain and mechanism specific ability the system has. In
1753           the case of a domain specific capability with no mechanism
1754           specific parameters, the pmCapabilitiesSubType and all other
1755           columns may be null. Entries will exist that contain
1756           values for the pmCapabilitiesRestrictOID,
1757           pmCapabilitiesRestrictType, pmCapabilitiesRestrictValue
1758           and pmCapabilitiesRestrictString objects only when
1759           an implementation is reporting a mechanism specific
1760           restriction. Multiple entries are possible when more
1761           than one restriction for a type or subtype are needed."
1762      INDEX { pmCapabilitiesIndex }
1763      ::= { pmCapabilitiesTable 1 }

1765  PmCapabilitiesEntry ::= SEQUENCE {
1766      pmCapabilitiesIndex Unsigned32,
1767      pmCapabilitiesType OBJECT IDENTIFIER,
1768      pmCapabilitiesSubType OBJECT IDENTIFIER,
1769      pmCapabilitiesModificationOID OBJECT IDENTIFIER,
1770      pmCapabilitiesModificationType INTEGER,
1771      pmCapabilitiesModificationValue Integer32,
1772      pmCapabilitiesModificationString OCTET STRING
1773  }

1775  pmCapabilitiesIndex OBJECT-TYPE
1776      SYNTAX Unsigned32
1777      MAX-ACCESS not-accessible
1778      STATUS current
1779      DESCRIPTION
1780          "A unique index for this entry."
1781      ::= { pmCapabilitiesEntry 1 }

1783  pmCapabilitiesType OBJECT-TYPE
1784      SYNTAX OBJECT IDENTIFIER
1785      MAX-ACCESS read-only
1786      STATUS current
1787      DESCRIPTION
1788          "The type of the capability represented by this entry.
1789           The IANA will publish the list of identifiers that are valid
1790           values for this object."
1791      ::= { pmCapabilitiesEntry 2 }

1793  pmCapabilitiesSubType OBJECT-TYPE
1794      SYNTAX OBJECT IDENTIFIER
1795      MAX-ACCESS read-only
1796      STATUS current
1797      DESCRIPTION
1798          "The sub type of capability is a pointer to a mechanism specific
1799           set of capabilities supporting a base technology. In the case of
1800           DIFFSERV, the OID value here would be the base OID of the
1801           Differentiated Services Policy MIB Module."
1802      ::= { pmCapabilitiesEntry 3 }

1804  pmCapabilitiesModificationOID OBJECT-TYPE
1805      SYNTAX OBJECT IDENTIFIER
1806      MAX-ACCESS read-only
1807      STATUS current
1808      DESCRIPTION
1809          "The OID of the object that is either not supported, supported
1810           with one or more limitations, or expanded by an implementation
1811           specific module. If this columnar object is other than null then
1812           there must be at least an entry in pmCapabilitiesModificationType.
1813           Note that this need not be a leaf node or scalar object. If
1814           an entire table is not supported, this value can be the base OID
1815           for the table."
1816      ::= { pmCapabilitiesEntry 4 }

1818  pmCapabilitiesModificationType OBJECT-TYPE
1819      SYNTAX INTEGER {
1820          unsupported(0),
1821          restricted(1),
1822          additional(2),
1823          addvalue(3),
1824          maxlimit(4),
1825          minlimit(5)
1826      }
1827      MAX-ACCESS read-only
1828      STATUS current
1829      DESCRIPTION
1830          "An unsupported value indicates that the OID in
1831           pmCapabilitiesModificationOID is not supported on
1832           this system. A value of 1 indicates that the OID
1833           is supported but with restricted values
1834           These constraints are described in the
1835           pmCapabilitiesModificationValue and
1836           pmCapabilitiesModificationString objects. A value of
1837           2 indicates a vendor specific extension to a standard.
1838           The OID of the new object is pmCapabilitiesModificationOID.
1839           For some implementations, additional functions may be
1840           provided. addvalue indicates that this row of the table
1841           describes an additional value that the object can take.
1842           The specific value is in the pmCapabilitiesModificationValue.
1843           The values of 4 and 5 indicate restrictions or the removal
1844           of restrictions for the object identified."
1845      ::= { pmCapabilitiesEntry 5 }

1847  pmCapabilitiesModificationValue OBJECT-TYPE
1848      SYNTAX Integer32 (0..2147483647)
1849      MAX-ACCESS read-only
1850      STATUS current
1851      DESCRIPTION
1852          "If the value of pmCapabilitiesModificationType is 0, this
1853           object will be null since 0 indicates no support for the
1854           object at all. A value of 1 in the
1855           pmCapabilitiesModificationType will be further modified by a
1856           single integer value in this object that corresponds to
1857           enumerated integer values that are not supported by the
1858           system for the object that is identified in this row. This
1859           value can also represent the limit values in the
1860           pmCapabilitiesModificationType object."
1861      ::= { pmCapabilitiesEntry 6 }

1863  pmCapabilitiesModificationString OBJECT-TYPE
1864      SYNTAX OCTET STRING
1865      MAX-ACCESS read-only
1866      STATUS current
1867      DESCRIPTION
1868          "Any additional details or description or parameters needed."
1869      ::= { pmCapabilitiesEntry 7 }

1871  -- Policy Tracking

1873  pmTrackingPolicyToElementTable OBJECT-TYPE
1874      SYNTAX SEQUENCE OF PmTrackingPolicyToElementEntry
1875      MAX-ACCESS not-accessible
1876      STATUS current
1877      DESCRIPTION
1878          "The pmTrackingPolicyToElementTable describes what elements
1879           are under control of a policy."
1880      ::= { policyMgt 6 }

1882  pmTrackingPolicyToElementEntry OBJECT-TYPE
1883      SYNTAX PmTrackingPolicyToElementEntry
1884      MAX-ACCESS not-accessible
1885      STATUS current
1886      DESCRIPTION
1887          "An entry in the pmTrackingPolicyToElementTable. The
1888           pmPolicyIndex in the index specifies the policy tracked by
1889           this entry."
1890      INDEX { pmPolicyIndex, pmTrackingPolicyToElementElement }
1891      ::= { pmTrackingPolicyToElementTable 1 }

1893  PmTrackingPolicyToElementEntry ::= SEQUENCE {
1894      pmTrackingPolicyToElementElement RowPointer,
1895      pmTrackingPolicyToElementStatus INTEGER
1896  }

1898  pmTrackingPolicyToElementElement OBJECT-TYPE
1899      SYNTAX RowPointer
1900      MAX-ACCESS not-accessible
1901      STATUS current
1902      DESCRIPTION
1903          "The element this policy is configuring."
1904      ::= { pmTrackingPolicyToElementEntry 1 }

1906  pmTrackingPolicyToElementStatus OBJECT-TYPE
1907      SYNTAX INTEGER {
1908          off(0),
1909          on(1)
1910      }
1911      MAX-ACCESS read-only
1912      STATUS current
1913      DESCRIPTION
1914          "The status of this policy-element relationship. This value
1915           will be 1 if the associated policyFilter returned 1 for this
1916           element and if the calendar for the policy is active.

1918           Entries will only exist in this table if their status is
1919           on(1). Thus, on(1) is the only value of this object that can
1920           be retrieved. This object exists so that it can serve as the
1921           'payload' in the varbind instead of the
1922           pmTrackingPolicyToElementElement object which is much longer
1923           and is already in the index (it would otherwise be
1924           duplicated)."
1925      ::= { pmTrackingPolicyToElementEntry 2 }

1927  -- Element to Policy Table

1929  pmTrackingElementToPolicyTable OBJECT-TYPE
1930      SYNTAX SEQUENCE OF PmTrackingElementToPolicyEntry
1931      MAX-ACCESS not-accessible
1932      STATUS current
1933      DESCRIPTION
1934          "The pmTrackingElementToPolicyTable describes what policies
1935           are controlling an element."
1936      ::= { policyMgt 7 }

1938  pmTrackingElementToPolicyEntry OBJECT-TYPE
1939      SYNTAX PmTrackingElementToPolicyEntry
1940      MAX-ACCESS not-accessible
1941      STATUS current
1942      DESCRIPTION
1943          "An entry in the pmTrackingElementToPolicyTable. The
1944           pmPolicyIndex in the index specifies the policy tracked by
1945           this entry."
1946      INDEX { pmTrackingElementToPolicyElement, pmPolicyIndex }
1947      ::= { pmTrackingElementToPolicyTable 1 }

1949  PmTrackingElementToPolicyEntry ::= SEQUENCE {
1950      pmTrackingElementToPolicyElement RowPointer,
1951      pmTrackingElementToPolicyStatus INTEGER
1952  }

1954  pmTrackingElementToPolicyElement OBJECT-TYPE
1955      SYNTAX RowPointer
1956      MAX-ACCESS not-accessible
1957      STATUS current
1958      DESCRIPTION
1959          "The element this policy is configuring."
1960      ::= { pmTrackingElementToPolicyEntry 1 }

1962  pmTrackingElementToPolicyStatus OBJECT-TYPE
1963      SYNTAX INTEGER {
1964          off(0),
1965          on(1),
1966          forceOff(2)
1967      }
1968      MAX-ACCESS read-write
1969      STATUS current
1970      DESCRIPTION
1971          "The status of this policy-element relationship. This value
1972           will be 1 if the associated policyFilter returned 1 for this
1973           element and if the calendar for the policy is active.

1975           Entries will not exist in this table if their status would be
1976           off(0).

1978           A policy can be forcibly disabled on a particular element
1979           by setting this value to forceOff(2). The agent should then
1980           act as if the policyFilter failed for this element. The
1981           forceOff(2) state will persist (even across reboots) until
1982           this value is set to on(1) by a management request. Even if
1983           the policyFilter later fails for this element, this value
1984           will stay in the forceOff(2) state."
1985      ::= { pmTrackingElementToPolicyEntry 2 }

1987  -- Policy Debugging Table

1989  -- Policies that have debugging turned on will generate a log entry in
1990  -- the policy debugging table for every runtime error that occurs in
1991  -- either the filter or action expression.

1993  pmDebuggingTable OBJECT-TYPE
1994      SYNTAX SEQUENCE OF PmDebuggingEntry
1995      MAX-ACCESS not-accessible
1996      STATUS current
1997      DESCRIPTION
1998          "The pmDebuggingPolicyTable logs debugging messages when
1999           policies experience runtime errors."
2000      ::= { policyMgt 8 }

2002  pmDebuggingEntry OBJECT-TYPE
2003      SYNTAX PmDebuggingEntry
2004      MAX-ACCESS not-accessible
2005      STATUS current
2006      DESCRIPTION
2007          "An entry in the pmDebuggingTable. The pmPolicyIndex in the
2008           index specifies the policy that encountered the error that
2009           led to this log entry."
2010      INDEX { pmPolicyIndex, pmDebuggingElement,
2011              pmDebuggingLogIndex }
2012      ::= { pmDebuggingTable 1 }

2014  PmDebuggingEntry ::= SEQUENCE {
2015      pmDebuggingElement RowPointer,
2016      pmDebuggingLogIndex Unsigned32,
2017      pmDebuggingMessage UTF8String
2018  }

2020  pmDebuggingElement OBJECT-TYPE
2021      SYNTAX RowPointer
2022      MAX-ACCESS read-only
2023      STATUS current
2024      DESCRIPTION
2025          "The element the policy was executing on when it encountered
2026           the error that led to this log entry."
2027      ::= { pmDebuggingEntry 1 }

2029  pmDebuggingLogIndex OBJECT-TYPE
2030      SYNTAX Unsigned32
2031      MAX-ACCESS read-only
2032      STATUS current
2033      DESCRIPTION
2034          "A unique index for this log entry amongst other log entries
2035           for this policy/element combination."
2036      ::= { pmDebuggingEntry 2 }

2038  pmDebuggingMessage OBJECT-TYPE
2039      SYNTAX UTF8String (SIZE (0..128))
2040      MAX-ACCESS read-only
2041      STATUS current
2042      DESCRIPTION
2043          "An error message generated by the expression runtime system."
2044      ::= { pmDebuggingEntry 3 }

2046  -- Compliance Statements

2048  pmConformance OBJECT IDENTIFIER ::= { policyMgt 20 }
2049  pmCompliances OBJECT IDENTIFIER ::= { pmConformance 1 }
2050  pmGroups OBJECT IDENTIFIER ::= { pmConformance 2 }

2052  pmCompliance MODULE-COMPLIANCE
2053      STATUS current
2054      DESCRIPTION
2055          "Describes the requirements for conformance to
2056           the Policy-Based Management MIB"
2057      MODULE -- this module
2058          MANDATORY-GROUPS { pmPolicyManagementGroup }
2059      ::= { pmCompliances 1 }

2061  pmPolicyManagementGroup OBJECT-GROUP
2062      OBJECTS { pmPolicyFilter, pmPolicyCalendar, pmPolicyAction,
2063                pmPolicyFilterMaxLatency, pmPolicyActionMaxLatency,
2064                pmPolicyPrecedence, pmPolicyGroup,
2065                pmPolicyDescription, pmPolicyMatches,
2066                pmPolicyExecutionErrors, pmPolicyDebugging,
2067                pmPolicyStatus,
2068                pmElementTypeRegOIDPrefix,
2069                pmElementTypeRegName, pmElementTypeRegRowStatus,
2070                pmRoleESStatus, pmRoleSEElement, pmCapabilitiesType,
2071                pmCapabilitiesSubType, pmCapabilitiesModificationOID,
2072                pmCapabilitiesModificationType,
2073                pmCapabilitiesModificationValue,
2074                pmCapabilitiesModificationString,
2075                pmTrackingPolicyToElementStatus,
2076                pmTrackingElementToPolicyStatus,
2077                pmDebuggingElement, pmDebuggingLogIndex,
2078                pmDebuggingMessage }
2079      STATUS current
2080      DESCRIPTION
2081          "Objects that allow for the creation and management of
2082           configuration policies."
2083      ::= { pmGroups 1 }

2085  pmBaseFunctionLibrary OBJECT IDENTIFIER ::= { pmGroups 2 }

2087  END
2088  10. Security Considerations

2090     There are a number of management objects defined in this MIB
2091     that have a MAX-ACCESS clause of read-write and/or read-
2092     create. Such objects may be considered sensitive or
2093     vulnerable in some network environments. The support for SET
2094     operations in a non-secure environment without proper
2095     protection can have a negative effect on network operations.

2097     SNMPv1 by itself is not a secure environment. Even if the
2098     network itself is secure (for example by using IPSec), even
2099     then, there is no control as to who on the secure network is
2100     allowed to access and GET/SET (read/change/create/delete) the
2101     objects in this MIB.

2103     It is recommended that the implementors consider the security
2104     features as provided by the SNMPv3 framework. Specifically,
2105     the use of the User-based Security Model RFC 2574 [12] and the
2106     View-based Access Control Model RFC 2575 [15] is recommended.

2108     It is then a customer/user responsibility to ensure that the
2109     SNMP entity giving access to an instance of this MIB, is
2110     properly configured to give access to the objects only to
2111     those principals (users) that have legitimate rights to indeed
2112     GET or SET (change/create/delete) them.

2114  11. References

2116  [1]  Harrington, D., Presuhn, R., and B. Wijnen, "An
2117       Architecture for Describing SNMP Management Frameworks",
2118       RFC 2571, April 1999.

2120  [2]  Rose, M., and K. McCloghrie, "Structure and
2121       Identification of Management Information for TCP/IP-based
2122       Internets", STD 16, RFC 1155, May 1990.

2124  [3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions",
2125       STD 16, RFC 1212, March 1991.

2127  [4]  Rose, M., "A Convention for Defining Traps for use with
2128       the SNMP", RFC 1215, March 1991.

2130  [5]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
2131       Rose, M., and S. Waldbusser, "Structure of Management
2132       Information Version 2 (SMIv2)", STD 58, RFC 2578, April
2133       1999.

2135  [6]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
2136       Rose, M., and S. Waldbusser, "Textual Conventions for
2137       SMIv2", STD 58, RFC 2579, April 1999.

2139  [7]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
2140       Rose, M., and S. Waldbusser, "Conformance Statements for
2141       SMIv2", STD 58, RFC 2580, April 1999.

2143  [8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin,
2144       "Simple Network Management Protocol", STD 15, RFC 1157,
2145       May 1990.

2147  [9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
2148       "Introduction to Community-based SNMPv2", RFC 1901,
2149       January 1996.

2151  [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
2152       "Transport Mappings for Version 2 of the Simple Network
2153       Management Protocol (SNMPv2)", RFC 1906, January 1996.

2155  [11] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
2156       "Message Processing and Dispatching for the Simple
2157       Network Management Protocol (SNMP)", RFC 2572, April
2158       1999.

2160  [12] Blumenthal, U., and B. Wijnen, "User-based Security Model
2161       (USM) for version 3 of the Simple Network Management
2162       Protocol (SNMPv3)", RFC 2574, April 1999.

2164  [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
2165       "Protocol Operations for Version 2 of the Simple Network
2166       Management Protocol (SNMPv2)", RFC 1905, January 1996.

2168  [14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3
2169       Applications", RFC 2573, April 1999.

2171  [15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
2172       Access Control Model (VACM) for the Simple Network
2173       Management Protocol (SNMP)", RFC 2575, April 1999.

2175  [16] McCloghrie, K. and M. Rose, Editors, "Management
2176       Information Base for Network Management of TCP/IP-based
2177       internets: MIB-II", STD 17, RFC 1213, Hughes LAN Systems,
2178       Performance Systems International, March 1991.

2180  [17] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
2181       MIB using SMIv2", RFC 2233, Cisco Systems, FTP Software,
2182       November 1997.

2184  [18] Case, J., Mundy, R., Partain, D., and B. Stewart,
2185       "Introduction to Version 3 of the Internet-standard
2186       Network Management Framework", RFC 2570, April 1999.

2188  [19] American National Standards Institute, "C Language
2189       Specification"

2191  [20] Levi, D. and J. Schoenwaelder, "Definitions of Managed
2192       Objects for Scheduling Management Operations", RFC 2591,
2193       May 1999.

2195  12. Intellectual Property

2197     The IETF takes no position regarding the validity or scope of
2198     any intellectual property or other rights that might be
2199     claimed to pertain to the implementation or use of the
2200     technology described in this document or the extent to which
2201     any license under such rights might or might not be available;
2202     neither does it represent that it has made any effort to
2203     identify any such rights. Information on the IETF's
2204     procedures with respect to rights in standards-track and
2205     standards-related documentation can be found in BCP-11.
2206     Copies of claims of rights made available for publication and
2207     any assurances of licenses to be made available, or the result
2208     of an attempt made to obtain a general license or permission
2209     for the use of such proprietary rights by implementors or
2210     users of this specification can be obtained from the IETF
2211     Secretariat.

2213     The IETF invites any interested party to bring to its
2214     attention any copyrights, patents or patent applications, or
2215     other proprietary rights which may cover technology that may
2216     be required to practice this standard. Please address the
2217     information to the IETF Executive Director.

2219  13. Full Copyright Statement

2221     Copyright (C) The Internet Society (2000). All Rights Reserved.

2223     This document and translations of it may be copied and
2224     furnished to others, and derivative works that comment on or
2225     otherwise explain it or assist in its implementation may be
2226     prepared, copied, published and distributed, in whole or in
2227     part, without restriction of any kind, provided that the above
2228     copyright notice and this paragraph are included on all such
2229     copies and derivative works. However, this document itself
2230     may not be modified in any way, such as by removing the
2231     copyright notice or references to the Internet Society or
2232     other Internet organizations, except as needed for the
2233     purpose of developing Internet standards in which case the
2234     procedures for copyrights defined in the Internet Standards
2235     process must be followed, or as required to translate it into
2236     languages other than English.

2238     The limited permissions granted above are perpetual and will
2239     not be revoked by the Internet Society or its successors or
2240     assigns.

2242     This document and the information contained herein is provided
2243     on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
2244     ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
2245     IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE
2246     USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
2247     ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
2248     PARTICULAR PURPOSE.

2250  Table of Contents

2252  1 Abstract
2253  2 The SNMP Management Framework
2254  3 Overview
2255  4 Policy-Based Management Architecture
2256  5 Policy Based Management Execution Environment
2257  5.1 Element Discovery
2258  5.1.1 Implementation Notes
2259  5.2 Element Filtering
2260  5.2.1 Implementation Notes
2261  5.3 Policy Enforcement
2262  5.3.1 Implementation Notes
2263  6 Policy Based Management Expression Language
2264  6.1 Formal Definition
2265  7 Accessor Functions
2266  8 Base Accessor Function Library
2267  8.1 SNMP Access Functions
2268  8.1.1 Convenience SNMP Functions
2269  8.1.1.1 getint()
2270  8.1.1.2 getvar()
2271  8.1.1.3 exists()
2272  8.1.1.4 setint()
2273  8.1.1.5 setvar()
2274  8.1.1.6 searchcolumn()
2275  8.1.1.7 setRowStatus()
2276  8.1.2 General SNMP Functions
2277  8.1.2.1 writeVarbind()
2278  8.1.2.2 readVarbind()
2279  8.1.2.3 snmpsend()
2280  8.2 Constants
2281  8.3 Policy Configuration Access Functions
2282  8.3.1 roleMatch()
2283  8.3.2 capMatch()
2284  8.3.3 elementName()
2285  8.3.4 setScratchpad()
2286  8.3.5 getScratchpad()
2287  8.4 Utility Accessor Functions
2288  8.4.1 oidlength()
2289  8.4.2 oidncmp()
2290  8.4.3 subid()
2291  8.4.4 oidsplice()
2292  8.5 Library Accessor Functions
2293  9 Definitions
2294  10 Security Considerations
2295  11 References
2296  12 Intellectual Property
2297  13 Full Copyright Statement
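
The parameter derivation in the pmElementTypeRegOIDPrefix DESCRIPTION (N = Y - X), worked as an added example that is not part of the draft. The function names, the sample walk and the choice of the ifTable ifIndex column as the registered prefix are assumptions made for illustration; the point is that subtree membership has to be decided per sub-identifier, because a textual prefix test would run policy against instances of a different object.

```python
# Added example, not code from the draft. All OIDs below are constructed
# sample input based on the standard ifTable (ifIndex = ...2.2.1.1,
# ifInOctets = ...2.2.1.10).
MAX_SUBID = 2**32 - 1

REG_PREFIX = "1.3.6.1.2.1.2.2.1.1"        # assumed pmElementTypeRegOIDPrefix
WALKED = [                                 # constructed discovery result
    "1.3.6.1.2.1.2.2.1.1.1",
    "1.3.6.1.2.1.2.2.1.1.2",
    "1.3.6.1.2.1.2.2.1.1.12",
    "1.3.6.1.2.1.2.2.1.10.1",              # ifInOctets.1: different subtree
    "1.3.6.1.2.1.2.2.1.1",                 # the prefix itself: no instance part
]


def parse_oid(text):
    """Turn dotted text into a tuple of sub-identifiers, rejecting junk."""
    parts = text.strip().lstrip(".").split(".")
    if any(not (p.isascii() and p.isdigit()) for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    oid = tuple(int(p) for p in parts)
    if any(sub > MAX_SUBID for sub in oid):
        raise ValueError(f"sub-identifier out of range in {text!r}")
    return oid


def instance_parameter(prefix, instance):
    """Return the last N = Y - X sub-identifiers of a discovered instance.

    None means the instance is not a member of the registered subtree.
    """
    x, y = len(prefix), len(instance)
    n = y - x
    if n <= 0 or instance[:x] != prefix:
        return None
    return instance[-n:]


def discover(prefix_text, walked_oids):
    """Map each member instance to the parameter its filter would receive."""
    prefix = parse_oid(prefix_text)
    found = {}
    for text in walked_oids:
        param = instance_parameter(prefix, parse_oid(text))
        if param is not None:
            found[text] = ".".join(str(sub) for sub in param)
    return found


def naive_members(prefix_text, walked_oids):
    """The textual-prefix test, shown only to contrast with discover()."""
    return [text for text in walked_oids if text.startswith(prefix_text)]


if __name__ == "__main__":
    for oid, param in discover(REG_PREFIX, WALKED).items():
        print(f"{oid} -> parameter {param}")
    extra = set(naive_members(REG_PREFIX, WALKED)) - set(discover(REG_PREFIX, WALKED))
    print("wrongly matched by a string prefix test:", sorted(extra))
```
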
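
Section 10 points at the objects whose MAX-ACCESS is read-write or read-create; the following added example (not part of the draft) extracts them from SMIv2 text so they can be checked against a VACM write view. The sample is abridged from the module above and marked as constructed, the parser handles only the OBJECT-TYPE layout used on this page, and OIDs are reported relative to policyMgt, whose own assignment lies outside this excerpt.

```python
import re

# Constructed sample: OBJECT-TYPE definitions abridged from the module on
# this page (SYNTAX and most DESCRIPTION clauses dropped).
SAMPLE_MIB = '''
-- The pmRoleSETable is a read-only table that organizes role strings
pmRoleESTable OBJECT-TYPE
    MAX-ACCESS not-accessible
    DESCRIPTION "The role string table with element as the major index."
    ::= { policyMgt 3 }
pmRoleESEntry OBJECT-TYPE
    MAX-ACCESS not-accessible
    INDEX { pmRoleESElement, pmRoleESString }
    ::= { pmRoleESTable 1 }
pmRoleESStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    ::= { pmRoleESEntry 3 }
pmRoleSETable OBJECT-TYPE
    MAX-ACCESS not-accessible
    DESCRIPTION "A read-only version of the role string table."
    ::= { policyMgt 4 }
pmRoleSEEntry OBJECT-TYPE
    MAX-ACCESS not-accessible
    ::= { pmRoleSETable 1 }
pmRoleSEElement OBJECT-TYPE
    MAX-ACCESS read-only
    ::= { pmRoleSEEntry 2 }
pmTrackingElementToPolicyTable OBJECT-TYPE
    MAX-ACCESS not-accessible
    ::= { policyMgt 7 }
pmTrackingElementToPolicyEntry OBJECT-TYPE
    MAX-ACCESS not-accessible
    ::= { pmTrackingElementToPolicyTable 1 }
pmTrackingElementToPolicyStatus OBJECT-TYPE
    SYNTAX INTEGER { off(0), on(1), forceOff(2) }
    MAX-ACCESS read-write
    ::= { pmTrackingElementToPolicyEntry 2 }
'''

SETTABLE = {"read-write", "read-create"}
# Quoted DESCRIPTION text and "--" comments may mention access keywords,
# so both are blanked before any clause is matched.
_NOISE = re.compile(r'"[^"]*"|--[^\n]*')
_OBJECT = re.compile(
    r'\b([a-z][A-Za-z0-9-]*)\s+OBJECT-TYPE\b(.*?)'
    r'::=\s*\{\s*([A-Za-z][A-Za-z0-9-]*)\s+(\d+)\s*\}',
    re.DOTALL)
_ACCESS = re.compile(r'\bMAX-ACCESS\s+([a-z-]+)')


def parse_objects(mib_text):
    """Map object name -> (max_access, parent_name, sub_identifier)."""
    code = _NOISE.sub(" ", mib_text)
    objects = {}
    for name, body, parent, subid in _OBJECT.findall(code):
        access = _ACCESS.search(body)
        objects[name] = (access.group(1) if access else None, parent, int(subid))
    return objects


def relative_oid(objects, name):
    """Follow parent links up to the first name not defined in the text."""
    path, seen = [], set()
    while name in objects:
        if name in seen:
            raise ValueError("cyclic OID assignment at " + name)
        seen.add(name)
        _, parent, subid = objects[name]
        path.append(str(subid))
        name = parent
    return name + "." + ".".join(reversed(path))


def settable_objects(mib_text):
    """Sorted (relative OID, name, access) for every SET-capable object."""
    objects = parse_objects(mib_text)
    return sorted((relative_oid(objects, name), name, access)
                  for name, (access, _, _) in objects.items()
                  if access in SETTABLE)


if __name__ == "__main__":
    for oid, name, access in settable_objects(SAMPLE_MIB):
        print(f"{access:12} {oid:18} {name}")
```

Every row this reports is an object a principal with write access can change or, for read-create, use to create and delete rows, so each should be covered deliberately by the write view rather than by a blanket include.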