Network Working Group                                      B. Moore, Ed.
Request for Comments: 3460                                           IBM
Updates: 3060                                               January 2003
Category: Standards Track
Policy Core Information Model (PCIM) Extensions
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document specifies a number of changes to the Policy Core Information Model (PCIM, RFC 3060). Two types of changes are included. First, several completely new elements are introduced, for example, classes for header filtering, that extend PCIM into areas that it did not previously cover. Second, there are cases where elements of PCIM (for example, policy rule priorities) are deprecated, and replacement elements are defined (in this case, priorities tied to associations that refer to policy rules). Both types of changes are done in such a way that, to the extent possible, interoperability with implementations of the original PCIM model is preserved. This document updates RFC 3060.
Table of Contents
1. Introduction
2. Changes since RFC 3060
3. Overview of the Changes
   3.1. How to Change an Information Model
   3.2. List of Changes to the Model
      3.2.1. Changes to PolicyRepository
      3.2.2. Additional Associations and Additional Reusable Elements
      3.2.3. Priorities and Decision Strategies
      3.2.4. Policy Roles
      3.2.5. CompoundPolicyConditions and CompoundPolicyActions
      3.2.6. Variables and Values
      3.2.7. Domain-Level Packet Filtering
      3.2.8. Device-Level Packet Filtering
4. The Updated Class and Association Class Hierarchies
5. Areas of Extension to PCIM
   5.1. Policy Scope
      5.1.1. Levels of Abstraction: Domain- and Device-Level Policies
      5.1.2. Administrative and Functional Scopes
   5.2. Reusable Policy Elements
   5.3. Policy Sets
   5.4. Nested Policy Rules
      5.4.1. Usage Rules for Nested Rules
      5.4.2. Motivation
   5.5. Priorities and Decision Strategies
      5.5.1. Structuring Decision Strategies
      5.5.2. Side Effects
      5.5.3. Multiple PolicySet Trees For a Resource
      5.5.4. Deterministic Decisions
   5.6. Policy Roles
      5.6.1. Comparison of Roles in PCIM with Roles in snmpconf
      5.6.2. Addition of PolicyRoleCollection to PCIMe
      5.6.3. Roles for PolicyGroups
   5.7. Compound Policy Conditions and Compound Policy Actions
      5.7.1. Compound Policy Conditions
      5.7.2. Compound Policy Actions
   5.8. Variables and Values
      5.8.1. Simple Policy Conditions
      5.8.2. Using Simple Policy Conditions
      5.8.3. The Simple Condition Operator
      5.8.4. SimplePolicyActions
      5.8.5. Policy Variables
      5.8.6. Explicitly Bound Policy Variables
      5.8.7. Implicitly Bound Policy Variables
      5.8.8. Structure and Usage of Pre-Defined Variables
      5.8.9. Rationale for Modeling Implicit Variables as Classes
      5.8.10. Policy Values
   5.9. Packet Filtering
      5.9.1. Domain-Level Packet Filters
      5.9.2. Device-Level Packet Filters
   5.10. Conformance to PCIM and PCIMe
6. Class Definitions
   6.1. The Abstract Class "PolicySet"
   6.2. Update PCIM's Class "PolicyGroup"
   6.3. Update PCIM's Class "PolicyRule"
   6.4. The Class "SimplePolicyCondition"
   6.5. The Class "CompoundPolicyCondition"
   6.6. The Class "CompoundFilterCondition"
   6.7. The Class "SimplePolicyAction"
   6.8. The Class "CompoundPolicyAction"
   6.9. The Abstract Class "PolicyVariable"
   6.10. The Class "PolicyExplicitVariable"
      6.10.1. The Single-Valued Property "ModelClass"
      6.10.2. The Single-Valued Property ModelProperty
   6.11. The Abstract Class "PolicyImplicitVariable"
      6.11.1. The Multi-Valued Property "ValueTypes"
   6.12. Subclasses of "PolicyImplicitVariable" Specified in PCIMe
      6.12.1. The Class "PolicySourceIPv4Variable"
      6.12.2. The Class "PolicySourceIPv6Variable"
      6.12.3. The Class "PolicyDestinationIPv4Variable"
      6.12.4. The Class "PolicyDestinationIPv6Variable"
      6.12.5. The Class "PolicySourcePortVariable"
      6.12.6. The Class "PolicyDestinationPortVariable"
      6.12.7. The Class "PolicyIPProtocolVariable"
      6.12.8. The Class "PolicyIPVersionVariable"
      6.12.9. The Class "PolicyIPToSVariable"
      6.12.10. The Class "PolicyDSCPVariable"
      6.12.11. The Class "PolicyFlowIdVariable"
      6.12.12. The Class "PolicySourceMACVariable"
      6.12.13. The Class "PolicyDestinationMACVariable"
      6.12.14. The Class "PolicyVLANVariable"
      6.12.15. The Class "PolicyCoSVariable"
      6.12.16. The Class "PolicyEthertypeVariable"
      6.12.17. The Class "PolicySourceSAPVariable"
      6.12.18. The Class "PolicyDestinationSAPVariable"
      6.12.19. The Class "PolicySNAPOUIVariable"
      6.12.20. The Class "PolicySNAPTypeVariable"
      6.12.21. The Class "PolicyFlowDirectionVariable"
   6.13. The Abstract Class "PolicyValue"
   6.14. Subclasses of "PolicyValue" Specified in PCIMe
      6.14.1. The Class "PolicyIPv4AddrValue"
      6.14.2. The Class "PolicyIPv6AddrValue"
      6.14.3. The Class "PolicyMACAddrValue"
      6.14.4. The Class "PolicyStringValue"
      6.14.5. The Class "PolicyBitStringValue"
      6.14.6. The Class "PolicyIntegerValue"
      6.14.7. The Class "PolicyBooleanValue"
   6.15. The Class "PolicyRoleCollection"
      6.15.1. The Single-Valued Property "PolicyRole"
   6.16. The Class "ReusablePolicyContainer"
   6.17. Deprecate PCIM's Class "PolicyRepository"
   6.18. The Abstract Class "FilterEntryBase"
   6.19. The Class "IpHeadersFilter"
      6.19.1. The Property HdrIpVersion
      6.19.2. The Property HdrSrcAddress
      6.19.3. The Property HdrSrcAddressEndOfRange
      6.19.4. The Property HdrSrcMask
      6.19.5. The Property HdrDestAddress
      6.19.6. The Property HdrDestAddressEndOfRange
      6.19.7. The Property HdrDestMask
      6.19.8. The Property HdrProtocolID
      6.19.9. The Property HdrSrcPortStart
      6.19.10. The Property HdrSrcPortEnd
      6.19.11. The Property HdrDestPortStart
      6.19.12. The Property HdrDestPortEnd
      6.19.13. The Property HdrDSCP
      6.19.14. The Property HdrFlowLabel
   6.20. The Class "8021Filter"
      6.20.1. The Property 8021HdrSrcMACAddr
      6.20.2. The Property 8021HdrSrcMACMask
      6.20.3. The Property 8021HdrDestMACAddr
      6.20.4. The Property 8021HdrDestMACMask
      6.20.5. The Property 8021HdrProtocolID
      6.20.6. The Property 8021HdrPriorityValue
      6.20.7. The Property 8021HdrVLANID
   6.21. The Class FilterList
      6.21.1. The Property Direction
7. Association and Aggregation Definitions
   7.1. The Aggregation "PolicySetComponent"
   7.2. Deprecate PCIM's Aggregation "PolicyGroupInPolicyGroup"
   7.3. Deprecate PCIM's Aggregation "PolicyRuleInPolicyGroup"
   7.4. The Abstract Association "PolicySetInSystem"
   7.5. Update PCIM's Weak Association "PolicyGroupInSystem"
   7.6. Update PCIM's Weak Association "PolicyRuleInSystem"
   7.7. The Abstract Aggregation "PolicyConditionStructure"
   7.8. Update PCIM's Aggregation "PolicyConditionInPolicyRule"
   7.9. The Aggregation "PolicyConditionInPolicyCondition"
   7.10. The Abstract Aggregation "PolicyActionStructure"
   7.11. Update PCIM's Aggregation "PolicyActionInPolicyRule"
   7.12. The Aggregation "PolicyActionInPolicyAction"
   7.13. The Aggregation "PolicyVariableInSimplePolicyCondition"
   7.14. The Aggregation "PolicyValueInSimplePolicyCondition"
   7.15. The Aggregation "PolicyVariableInSimplePolicyAction"
   7.16. The Aggregation "PolicyValueInSimplePolicyAction"
   7.17. The Association "ReusablePolicy"
   7.18. Deprecate PCIM's "PolicyConditionInPolicyRepository"
   7.19. Deprecate PCIM's "PolicyActionInPolicyRepository"
   7.20. The Association ExpectedPolicyValuesForVariable
   7.21. The Aggregation "ContainedDomain"
   7.22. Deprecate PCIM's "PolicyRepositoryInPolicyRepository"
   7.23. The Aggregation "EntriesInFilterList"
      7.23.1. The Reference GroupComponent
      7.23.2. The Reference PartComponent
      7.23.3. The Property EntrySequence
   7.24. The Aggregation "ElementInPolicyRoleCollection"
   7.25. The Weak Association "PolicyRoleCollectionInSystem"
8. Intellectual Property
9. Acknowledgements
10. Contributors
11. Security Considerations
12. Normative References
13. Informative References
Author's Address
Full Copyright Statement
1. Introduction
This document specifies a number of changes to the Policy Core Information Model (PCIM), RFC 3060 [1]. Two types of changes are included. First, several completely new elements are introduced, for example, classes for header filtering, that extend PCIM into areas that it did not previously cover. Second, there are cases where elements of PCIM (for example, policy rule priorities) are deprecated, and replacement elements are defined (in this case, priorities tied to associations that refer to policy rules). Both types of changes are done in such a way that, to the extent possible, interoperability with implementations of the original PCIM model is preserved.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [8].
2. Changes since RFC 3060
Section 3.2 contains a short discussion of the changes that this document makes to the RFC 3060 information model. Here is a very brief list of the changes:
1. Deprecate and replace PolicyRepository and its associations.
2. Clarify and expand the ways that PolicyRules and PolicyGroups are aggregated.
3. Change how prioritization for PolicyRules is represented, and introduce administrator-specified decision strategies for rule evaluation.
4. Expand the role of PolicyRoles, and introduce a means of associating a PolicyRole with a resource.
5. Introduce compound policy conditions and compound policy actions into the model.
6. Introduce variables and values into the model.
7. Introduce variable and value subclasses for packet-header filtering.
8. Introduce classes for device-level packet-header filtering.
3. Overview of the Changes
3.1. How to Change an Information Model
The Policy Core Information Model is closely aligned with the DMTF's CIM Core Policy model. Since there is no separately documented set of rules for specifying IETF information models such as PCIM, it is reasonable to look to the CIM specifications for guidance on how to modify and extend the model. Among the CIM rules for changing an information model are the following. Note that everything said here about "classes" applies to association classes (including aggregations) as well as to non-association classes.
o Properties may be added to existing classes.
o Classes, and individual properties, may be marked as DEPRECATED. If there is a replacement feature for the deprecated class or property, it is identified explicitly. Otherwise the notation "No value" is used. In this document, the notation "DEPRECATED FOR <feature-name>" is used to indicate that a feature has been deprecated, and to identify its replacement feature.
o Classes may be inserted into the inheritance hierarchy above existing classes, and properties from the existing classes may then be "pulled up" into the new classes. The net effect is that the existing classes have exactly the same properties they had before, but the properties are inherited rather than defined explicitly in the classes.
o New subclasses may be defined below existing classes.
3.2. List of Changes to the Model
The following subsections provide a very brief overview of the changes to PCIM defined in PCIMe. In several cases, the origin of the change is noted, as QPIM [11], ICPM [12], or QDDIM [15].
3.2.1. Changes to PolicyRepository
Because of the potential for confusion with the Policy Framework component Policy Repository (from the four-box picture: Policy Management Tool, Policy Repository, PDP, PEP), "PolicyRepository" is a bad name for the PCIM class representing a container of reusable policy elements. Thus the class PolicyRepository is being replaced with the class ReusablePolicyContainer. To accomplish this change, it is necessary to deprecate the PCIM class PolicyRepository and its three associations, and replace them with a new class ReusablePolicyContainer and new associations. As a separate change, the associations for ReusablePolicyContainer are being broadened, to allow a ReusablePolicyContainer to contain any reusable policy elements. In PCIM, the only associations defined for a PolicyRepository were for it to contain reusable policy conditions and policy actions.
3.2.2. Additional Associations and Additional Reusable Elements
The PolicyRuleInPolicyRule and PolicyGroupInPolicyRule aggregations have, in effect, been imported from QPIM. ("In effect" because these two aggregations, as well as PCIM's two aggregations PolicyGroupInPolicyGroup and PolicyRuleInPolicyGroup, are all being combined into a single aggregation PolicySetComponent.) These aggregations make it possible to define larger "chunks" of reusable policy to place in a ReusablePolicyContainer. These aggregations also introduce new semantics representing the contextual implications of having one PolicyRule executing within the scope of another PolicyRule.
3.2.3. Priorities and Decision Strategies
Drawing from both QPIM and ICPM, the Priority property has been deprecated in PolicyRule, and placed instead on the aggregation PolicySetComponent. The QPIM rules for resolving relative priorities across nested PolicyGroups and PolicyRules have been incorporated into PCIMe as well. With the removal of the Priority property from PolicyRule, a new modeling dependency is introduced. In order to prioritize a PolicyRule/PolicyGroup relative to other PolicyRules/PolicyGroups, the elements being prioritized must all reside in one of three places: in a common PolicyGroup, in a common PolicyRule, or in a common System.
In the absence of any clear, general criterion for detecting policy conflicts, the PCIM restriction stating that priorities are relevant only in the case of conflicts is being removed. In its place, a PolicyDecisionStrategy property has been added to the PolicyGroup and PolicyRule classes. This property allows a policy administrator to select one of two behaviors with respect to rule evaluation: either perform the actions for all PolicyRules whose conditions evaluate to TRUE, or perform the actions only for the highest-priority PolicyRule whose conditions evaluate to TRUE. (This is accomplished by placing the PolicyDecisionStrategy property in an abstract class PolicySet, from which PolicyGroup and PolicyRule are derived.) The QPIM rules for applying decision strategies to a nested set of PolicyGroups and PolicyRules have also been imported.
3.2.4. Policy Roles
The concept of policy roles is added to PolicyGroups (being present already in the PolicyRule class). This is accomplished via a new superclass for both PolicyRules and PolicyGroups - PolicySet. For nested PolicyRules and PolicyGroups, any roles associated with the outer rule or group are automatically "inherited" by the nested one. Additional roles may be added at the level of a nested rule or group.
It was also observed that there is no mechanism in PCIM for assigning roles to resources. For example, while it is possible in PCIM to associate a PolicyRule with the role "FrameRelay&&WAN", there is no way to indicate which interfaces match this criterion. A new PolicyRoleCollection class has been defined in PCIMe, representing the collection of resources associated with a particular role. The linkage between a PolicyRule or PolicyGroup and a set of resources is then represented by an instance of PolicyRoleCollection. Equivalent values should be defined in the PolicyRoles property of PolicyRules and PolicyGroups, and in the PolicyRole property in PolicyRoleCollection.
The concept of a CompoundPolicyCondition has also been imported into PCIMe from QPIM, and broadened to include a parallel CompoundPolicyAction. In both cases the idea is to create reusable "chunks" of policy that can exist as named elements in a ReusablePolicyContainer. The "Compound" classes and their associations incorporate the condition and action semantics that PCIM defined at the PolicyRule level: DNF/CNF for conditions, and ordering for actions.
Compound conditions and actions are defined to work with any component conditions and actions. In other words, while the components may be instances, respectively, of SimplePolicyCondition and SimplePolicyAction (discussed immediately below), they need not be.
The SimplePolicyCondition / PolicyVariable / PolicyValue structure has been imported into PCIMe from QPIM. A list of PCIMe-level variables is defined, as well as a list of PCIMe-level values. Other variables and values may, if necessary, be defined in submodels of PCIMe. For example, QPIM defines a set of implicit variables corresponding to fields in RSVP flows.
A corresponding SimplePolicyAction / PolicyVariable / PolicyValue structure is also defined. While the semantics of a SimplePolicyCondition are "variable matches value", a SimplePolicyAction has the semantics "set variable to value".
For packet filtering specified at the domain level, a set of PolicyVariables and PolicyValues are defined, corresponding to the fields in an IP packet header plus the most common Layer 2 frame header fields. It is expected that domain-level policy conditions that filter on these header fields will be expressed in terms of CompoundPolicyConditions built up from SimplePolicyConditions that use these variables and values. An additional PolicyVariable, PacketDirection, is also defined, to indicate whether a packet being filtered is traveling inbound or outbound on an interface.
For packet filtering expressed at the device level, including the packet classifier filters modeled in QDDIM, the variables and values discussed in Section 3.2.7 need not be used. Filter classes derived from the CIM FilterEntryBase class hierarchy are available for use in these contexts. These latter classes have two important differences from the domain-level classes:
o They support specification of filters for all of the fields in a particular protocol header in a single object instance. With the domain-level classes, separate instances are needed for each header field.
o They provide native representations for the filter values, as opposed to the string representation used by the domain-level classes.
Device-level filter classes for the IP-related headers (IP, UDP, and TCP) and the 802 MAC headers are defined, respectively, in Sections 6.19 and 6.20.
The following figure shows the class inheritance hierarchy for PCIMe. Changes from the PCIM hierarchy are noted parenthetically.
   ManagedElement (abstract)
      |
      +--Policy (abstract)
      |  |
      |  +---PolicySet (abstract -- new - 5.3)
      |  |     |
      |  |     +---PolicyGroup (moved - 5.3)
      |  |     |
      |  |     +---PolicyRule (moved - 5.3)
      |  |
      |  +---PolicyCondition (abstract)
      |  |     |
      |  |     +---PolicyTimePeriodCondition
      |  |     |
      |  |     +---VendorPolicyCondition
      |  |     |
      |  |     +---SimplePolicyCondition (new - 5.8.1)
      |  |     |
      |  |     +---CompoundPolicyCondition (new - 5.7.1)
      |  |           |
      |  |           +---CompoundFilterCondition (new - 5.9)
      |  |
      |  +---PolicyAction (abstract)
      |  |     |
      |  |     +---VendorPolicyAction
      |  |     |
      |  |     +---SimplePolicyAction (new - 5.8.4)
      |  |     |
      |  |     +---CompoundPolicyAction (new - 5.7.2)
      |  |
      |  +---PolicyVariable (abstract -- new - 5.8.5)
      |  |     |
      |  |     +---PolicyExplicitVariable (new - 5.8.6)
      |  |     |
      |  |     +---PolicyImplicitVariable (abstract -- new - 5.8.7)
      |  |           |
      |  |           +---(subtree of more specific classes -- new - 6.12)
      |  |
      |  +---PolicyValue (abstract -- new - 5.8.10)
      |        |
      |        +---(subtree of more specific classes -- new - 6.14)
      |
      +--Collection (abstract -- newly referenced)
      |  |
      |  +--PolicyRoleCollection (new - 5.6.2)

   ManagedElement(abstract)
      |
      +--ManagedSystemElement (abstract)
           |
           +--LogicalElement (abstract)
                |
                +--System (abstract)
                |  |
                |  +--AdminDomain (abstract)
                |       |
                |       +---ReusablePolicyContainer (new - 5.2)
                |       |
                |       +---PolicyRepository (deprecated - 5.2)
                |
                +--FilterEntryBase (abstract -- new - 6.18)
                |  |
                |  +--IpHeadersFilter (new - 6.19)
                |  |
                |  +--8021Filter (new - 6.20)
                |
                +--FilterList (new - 6.21)
Figure 1. Class Inheritance Hierarchy for PCIMe
The following figure shows the association class hierarchy for PCIMe. As before, changes from PCIM are noted parenthetically.
   [unrooted]
      |
      +---PolicyComponent (abstract)
      |   |
      |   +---PolicySetComponent (new - 5.3)
      |   |
      |   +---PolicyGroupInPolicyGroup (deprecated - 5.3)
      |   |
      |   +---PolicyRuleInPolicyGroup (deprecated - 5.3)
      |   |
      |   +---PolicyConditionStructure (abstract -- new - 5.7.1)
      |   |   |
      |   |   +---PolicyConditionInPolicyRule (moved - 5.7.1)
      |   |   |
      |   |   +---PolicyConditionInPolicyCondition (new - 5.7.1)
      |   |
      |   +---PolicyRuleValidityPeriod
      |   |
      |   +---PolicyActionStructure (abstract -- new - 5.7.2)
      |   |   |
      |   |   +---PolicyActionInPolicyRule (moved - 5.7.2)
      |   |   |
      |   |   +---PolicyActionInPolicyAction (new - 5.7.2)
      |   |
      |   +---PolicyVariableInSimplePolicyCondition (new - 5.8.2)
      |   |
      |   +---PolicyValueInSimplePolicyCondition (new - 5.8.2)
      |   |
      |   +---PolicyVariableInSimplePolicyAction (new - 5.8.4)
      |   |
      |   +---PolicyValueInSimplePolicyAction (new - 5.8.4)

   [unrooted]
      |
      +---Dependency (abstract)
      |   |
      |   +---PolicyInSystem (abstract)
      |   |   |
      |   |   +---PolicySetInSystem (abstract, new - 5.3)
      |   |   |   |
      |   |   |   +---PolicyGroupInSystem
      |   |   |   |
      |   |   |   +---PolicyRuleInSystem
      |   |   |
      |   |   +---ReusablePolicy (new - 5.2)
      |   |   |
      |   |   +---PolicyConditionInPolicyRepository (deprecated - 5.2)
      |   |   |
      |   |   +---PolicyActionInPolicyRepository (deprecated - 5.2)
      |   |
      |   +---ExpectedPolicyValuesForVariable (new - 5.8)
      |   |
      |   +---PolicyRoleCollectionInSystem (new - 5.6.2)
      |
      +---Component (abstract)
      |   |
      |   +---SystemComponent
      |   |   |
      |   |   +---ContainedDomain (new - 5.2)
      |   |   |
      |   |   +---PolicyRepositoryInPolicyRepository (deprecated - 5.2)
      |   |
      |   +---EntriesInFilterList (new - 7.23)
      |
      +---MemberOfCollection (newly referenced)
          |
          +--- ElementInPolicyRoleCollection (new - 5.6.2)
Figure 2. Association Class Inheritance Hierarchy for PCIMe
In addition to these changes that show up at the class and association class level, there are other changes from PCIM involving individual class properties. In some cases new properties are introduced into existing classes, and in other cases existing properties are deprecated (without deprecating the classes that contain them).
The following subsections describe each of the areas for which PCIM extensions are being defined.
Policy scopes may be thought of in two dimensions: 1) the level of abstraction of the policy specification and 2) the applicability of policies to a set of managed resources.
Policies vary in level of abstraction, from the business-level expression of service level agreements (SLAs) to the specification of a set of rules that apply to devices in a network. Those latter policies can, themselves, be classified into at least two groups: those policies consumed by a Policy Decision Point (PDP) that specify the rules for an administrative and functional domain, and those policies consumed by a Policy Enforcement Point (PEP) that specify the device-specific rules for a functional domain. The higher-level rules consumed by a PDP, called domain-level policies, may have late binding variables unspecified, or specified by a classification, whereas the device-level rules are likely to have fewer unresolved bindings.
There is a relationship between these levels of policy specification that is out of scope for this standards effort, but that is necessary in the development and deployment of a usable policy-based configuration system. An SLA-level policy transformation to the domain-level policy may be thought of as analogous to a visual builder that takes human input and develops a programmatic rule specification. The relationship between the domain-level policy and the device-level policy may be thought of as analogous to that of a compiler and linkage editor that translates the rules into specific instructions that can be executed on a specific type of platform.
PCIM and PCIMe may be used to specify rules at any and all of these levels of abstraction. However, at different levels of abstraction, different mechanisms may be more or less appropriate.
Administrative scopes for policy are represented in PCIM and in these extensions to PCIM as System subclass instances. Typically, a domain-level policy would be scoped by an AdminDomain instance (or by a hierarchy of AdminDomain instances) whereas a device-level policy might be scoped by a System instance that represents the PEP (e.g., an instance of ComputerSystem, see CIM [2]). In addition to collecting policies into an administrative domain, these System classes may also aggregate the resources to which the policies apply.
Functional scopes (sometimes referred to as functional domains) are generally defined by the submodels derived from PCIM and PCIMe, and correspond to the service or services to which the policies apply. So, for example, Quality of Service may be thought of as a functional scope, or Diffserv and Intserv may each be thought of as functional scopes. These scoping decisions are represented by the structure of the submodels derived from PCIM and PCIMe, and may be reflected in the number and types of PEP policy client(s), services, and the interaction between policies. Policies in different functional scopes are organized into disjoint sets of policy rules. Different functional domains may share some roles, some conditions, and even some actions. The rules from different functional domains may even be enforced at the same managed resource, but for the purposes of policy evaluation they are separate. See section 5.5.3 for more information.
The functional scopes MAY be reflected in administrative scopes. That is, deployments of policy may have different administrative scopes for different functional scopes, but there is no requirement to do so.
In PCIM, a distinction was drawn between reusable PolicyConditions and PolicyActions and rule-specific ones. The PolicyRepository class was also defined, to serve as a container for these reusable elements. The name "PolicyRepository" has proven to be an unfortunate choice for the class that serves as a container for reusable policy elements. This term is already used in documents like the Policy Framework, to denote the location from which the PDP retrieves all policy specifications, and into which the Policy Management Tool places all policy specifications. Consequently, the PolicyRepository class is being deprecated, in favor of a new class ReusablePolicyContainer.
When a class is deprecated, any associations that refer to it must also be deprecated. So replacements are needed for the two associations PolicyConditionInPolicyRepository and PolicyActionInPolicyRepository, as well as for the aggregation PolicyRepositoryInPolicyRepository. In addition to renaming the PolicyRepository class to ReusablePolicyContainer, however, PCIMe is also broadening the types of policy elements that can be reusable. Consequently, rather than providing one-for-one replacements for the two associations, a single higher-level association ReusablePolicy is defined. This new association allows any policy element (that is, an instance of any subclass of the abstract class Policy) to be placed in a ReusablePolicyContainer.
Summarizing, the following changes in Sections 6 and 7 are the result of this item:
o The class ReusablePolicyContainer is defined.
o PCIM's PolicyRepository class is deprecated.
o The association ReusablePolicy is defined.
o PCIM's PolicyConditionInPolicyRepository association is deprecated.
o PCIM's PolicyActionInPolicyRepository association is deprecated.
o The aggregation ContainedDomain is defined.
o PCIM's PolicyRepositoryInPolicyRepository aggregation is deprecated.
A "policy" can be thought of as a coherent set of rules to administer, manage, and control access to network resources ("Policy Terminology", reference [10]). The structuring of these coherent sets of rules into subsets is enhanced in this document. In Section 5.4, we discuss the new options for the nesting of policy rules.
A new abstract class, PolicySet, is introduced to provide an abstraction for a set of rules. It is derived from Policy, and it is inserted into the inheritance hierarchy above both PolicyGroup and PolicyRule. This reflects the additional structural flexibility and semantic capability of both subclasses.
Two properties are defined in PolicySet: PolicyDecisionStrategy and PolicyRoles. The PolicyDecisionStrategy property is included in PolicySet to define the evaluation relationship among the rules in the policy set. See Section 5.5 for more information. The PolicyRoles property is included in PolicySet to characterize the resources to which the PolicySet applies. See Section 5.6 for more information.
Along with the definition of the PolicySet class, a new concrete aggregation class is defined that will also be discussed in the following sections. PolicySetComponent is defined as a subclass of PolicyComponent; it provides the containment relationship for a PolicySet in a PolicySet. PolicySetComponent replaces the two PCIM aggregations PolicyGroupInPolicyGroup and PolicyRuleInPolicyGroup, so these two aggregations are deprecated.
A PolicySet's relationship to an AdminDomain or other administrative scoping system (for example, a ComputerSystem) is represented by the PolicySetInSystem abstract association. This new association is derived from PolicyInSystem, and the PolicyGroupInSystem and PolicyRuleInSystem associations are now derived from PolicySetInSystem instead of directly from PolicyInSystem. The PolicySetInSystem.Priority property is discussed in Section 5.5.3.
As previously discussed, policy is described by a set of policy rules that may be grouped into subsets. In this section we introduce the notion of nested rules, or the ability to define rules within rules. Nested rules are also called sub-rules, and we use both terms in this document interchangeably. The aggregation PolicySetComponent is used to represent the nesting of a policy rule in another policy rule.
The relationship between rules and sub-rules is defined as follows:
o The parent rule's condition clause is a condition for evaluation of all nested rules; that is, the conditions of the parent are logically ANDed to the conditions of the sub-rules. If the parent rule's condition clause evaluates to FALSE, sub-rules MAY be skipped since they also evaluate to FALSE.
o If the parent rule's condition evaluates to TRUE, the set of sub-rules SHALL BE evaluated according to the decision strategy and priorities as discussed in Section 5.5.
o If the parent rule's condition evaluates to TRUE, the parent rule's set of actions is executed BEFORE execution of the sub-rules actions. The parent rule's actions are not to be confused with default actions. A default action is one that is to be executed only if none of the more specific sub-rules are executed. If a default action needs to be specified, it needs to be defined as an action that is part of a catchall sub-rule associated with the parent rule. The association linking the default action(s) in this special sub-rule should have the lowest priority relative to all other sub-rule associations:
   if parent-condition then parent rule's action
      if condA then actA
      if condB then ActB
      if True then default action
Such a default action functions as a default when FirstMatching decision strategies are in effect (see section 5.5). If AllMatching applies, the "default" action is always performed.
o Policy rules have a context in which they are executed. The rule engine evaluates and applies the policy rules in the context of the managed resource(s) that are identified by the policy roles (or by an explicit association). Submodels MAY add additional context to policy rules based on rule structure; any such additional context is defined by the semantics of the action classes of the submodel.
Rule nesting enhances Policy readability, expressiveness and reusability. The ability to nest policy rules and form sub-rules is important for manageability and scalability, as it enables complex policy rules to be constructed from multiple simpler policy rules.
These enhancements ease the policy management tools' task, allowing policy rules to be expressed in a way closer to how humans think.
Although rule nesting can be used to suggest optimizations in the way policy rules are evaluated, as discussed in section 5.5.2 "Side Effects," nesting does not specify nor does it require any particular order of evaluation of conditions. Optimization of rule evaluation can be done in the PDP or in the PEP by dedicated code. This is similar to the relation between a high level programming language like C and machine code. An optimizer can create a more efficient machine code than any optimization done by the programmer within the source code. Nevertheless, if the PEP or PDP does not do optimization, the administrator writing the policy may be able to influence the evaluation of the policy rules for execution using rule nesting.
Nested rules are not designed for policy repository retrieval optimization. It is assumed that all rules and groups that are assigned to a role are retrieved by the PDP or PEP from the policy repository and enforced. Optimizing the number of rules retrieved should be done by clever selection of roles.
A "decision strategy" is used to specify the evaluation method for the policies in a PolicySet. Two decision strategies are defined: "FirstMatching" and "AllMatching." The FirstMatching strategy is used to cause the evaluation of the rules in a set such that the only actions enforced on a given examination of the PolicySet are those for the first rule (that is, the rule with the highest priority) that has its conditions evaluate to TRUE. The AllMatching strategy is used to cause the evaluation of all rules in a set; for all of the rules whose conditions evaluate to TRUE, the actions are enforced. Implementations MUST support the FirstMatching decision strategy; implementations MAY support the AllMatching decision strategy.
As previously discussed, the PolicySet subclasses are PolicyGroup and PolicyRule: either subclass may contain PolicySets of either subclass. Loops, including the degenerate case of a PolicySet that contains itself, are not allowed when PolicySets contain other PolicySets. The containment relationship is specified using the PolicySetComponent aggregation.
The relative priority within a PolicySet is established by the Priority property of the PolicySetComponent aggregation of the contained PolicyGroup and PolicyRule instances. The use of PCIM's PolicyRule.Priority property is deprecated in favor of this new property. The separation of the priority property from the rule has two advantages. First, it generalizes the concept of priority, so that it can be used for both groups and rules. Second, it places the priority on the relationship between the parent policy set and the subordinate policy group or rule. The assignment of a priority value then becomes much easier, in that the value is used only in relationship to other priorities in the same set.
Together, the PolicySet.PolicyDecisionStrategy and PolicySetComponent.Priority determine the processing for the rules contained in a PolicySet. As before, the larger priority value represents the higher priority. Unlike the earlier definition, PolicySetComponent.Priority MUST have a unique value when compared with others defined for the same aggregating PolicySet. Thus, the evaluation of rules within a set is deterministically specified.
For a FirstMatching decision strategy, the first rule (that is, the one with the highest priority) in the set that evaluates to True, is the only rule whose actions are enforced for a particular evaluation pass through the PolicySet.
For an AllMatching decision strategy, all of the matching rules are enforced. The relative priority of the rules is used to determine the order in which the actions are to be executed by the enforcement point: the actions of the higher priority rules are executed first. Since the actions of higher priority rules are executed first, lower priority rules that also match may get the "last word," and thus produce a counter-intuitive result. So, for example, if two rules both evaluate to True, and the higher priority rule sets the DSCP to 3 and the lower priority rule sets the DSCP to 4, the action of the lower priority rule will be executed later and, therefore, will "win," in this example, setting the DSCP to 4. Thus, conflicts between rules are resolved by this execution order.
An implementation of the rule engine need not provide the action sequencing but the actions MUST be sequenced by the PEP or PDP on its behalf. So, for example, the rule engine may provide an ordered list of actions to be executed by the PEP and any required serialization is then provided by the service configured by the rule engine. See Section 5.5.2 for a discussion of side effects.
As discussed in Sections 5.3 and 5.4, PolicySet instances may be nested arbitrarily. For a FirstMatching decision strategy on a PolicySet, any contained PolicySet that matches satisfies the termination criteria for the FirstMatching strategy. A PolicySet is considered to match if it is a PolicyRule and its conditions evaluate to True, or if the PolicySet is a PolicyGroup and at least one of its contained PolicyGroups or PolicyRules match. The priority associated with contained PolicySets, then, determines when to terminate rule evaluation in the structured set of rules.
In the example shown in Figure 3, the relative priorities for the nested rules, high to low, are 1A, 1B1, 1X2, 1B3, 1C, 1C1, 1X2 and 1C3. (Note that PolicyRule 1X2 is included in both PolicyGroup 1B and PolicyRule 1C, but with different priorities.) Of course, which rules are enforced is also dependent on which rules, if any, match.
   PolicyGroup 1: FirstMatching
      |
      +-- Pri=6 -- PolicyRule 1A
      |
      +-- Pri=5 -- PolicyGroup 1B: AllMatching
      |            |
      |            +-- Pri=5 -- PolicyGroup 1B1: AllMatching
      |            |            |
      |            |            +---- etc.
      |            |
      |            +-- Pri=4 -- PolicyRule 1X2
      |            |
      |            +-- Pri=3 -- PolicyRule 1B3: FirstMatching
      |                         |
      |                         +---- etc.
      |
      +-- Pri=4 -- PolicyRule 1C: FirstMatching
                   |
                   +-- Pri=4 -- PolicyRule 1C1
                   |
                   +-- Pri=3 -- PolicyRule 1X2
                   |
                   +-- Pri=2 -- PolicyRule 1C3
Figure 3. Nested PolicySets with Different Decision Strategies
o Because PolicyGroup 1 has a FirstMatching decision strategy, if the conditions of PolicyRule 1A match, its actions are enforced and the evaluation stops.
o If it does not match, PolicyGroup 1B is evaluated using an AllMatching strategy. Since PolicyGroup 1B1 also has an AllMatching strategy, all of the rules and groups of rules contained in PolicyGroup 1B1 are evaluated and enforced as appropriate. PolicyRule 1X2 and PolicyRule 1B3 are also evaluated and enforced as appropriate. If any of the sub-rules in the subtrees of PolicyGroup 1B evaluate to True, then PolicyRule 1C is not evaluated because the FirstMatching strategy of PolicyGroup 1 has been satisfied.
o If neither PolicyRule 1A nor PolicyGroup 1B yields a match, then PolicyRule 1C is evaluated. Since it is first matching, rules 1C1, 1X2, and 1C3 are evaluated until the first match, if any.
Although evaluation of conditions is sometimes discussed as an ordered set of operations, the rule engine need not be implemented as a procedural language interpreter. Any side effects of condition evaluation or the execution of actions MUST NOT affect the result of the evaluation of other conditions evaluated by the rule engine in the same evaluation pass. That is, an implementation of a rule engine MAY evaluate all conditions in any order before applying the priority and determining which actions are to be executed.
So, regardless of how a rule engine is implemented, it MUST NOT include any side effects of condition evaluation in the evaluation of conditions for either of the decision strategies. For both the AllMatching decision strategy and for the nesting of rules within rules (either directly or indirectly) where the actions of more than one rule may be enforced, any side effects of the enforcement of actions MUST NOT be included in condition evaluation on the same evaluation pass.
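The nested evaluation of Figure 3, as an added Python sketch that is not part of the RFC: every condition is evaluated once against a read-only snapshot before priorities and decision strategies are applied, so no condition can influence another in the same pass, and the result is the ordered action list handed to the PEP. The condition keys (proto, dst_port, src_net, dscp), the rule 1B1a standing in for "etc.", the helper names, and the assumption that nested rules are considered only when their parent rule's conditions are True are all constructed for this example.

```python
from dataclasses import dataclass, field
from types import MappingProxyType
from typing import Callable, Dict, List, Mapping, Optional, Tuple

FIRST_MATCHING, ALL_MATCHING = "FirstMatching", "AllMatching"
Condition = Callable[[Mapping], bool]


@dataclass
class PolicySet:
    """A PolicyGroup (condition is None) or a PolicyRule (condition set)."""
    name: str
    strategy: str = FIRST_MATCHING
    condition: Optional[Condition] = None
    # PolicySetComponent aggregations as (Priority, contained PolicySet).
    children: List[Tuple[int, "PolicySet"]] = field(default_factory=list)

    def add(self, priority: int, child: "PolicySet") -> "PolicySet":
        # Priority values must be unique within the containing PolicySet.
        if any(p == priority for p, _ in self.children):
            raise ValueError(f"duplicate priority {priority} in {self.name}")
        self.children.append((priority, child))
        return self


def _collect_rules(ps: PolicySet, found: Dict[str, PolicySet]) -> Dict[str, PolicySet]:
    if ps.condition is not None:
        found[ps.name] = ps
    for _, child in ps.children:
        _collect_rules(child, found)
    return found


def _select(ps: PolicySet, truth: Dict[str, bool], actions: List[str]) -> bool:
    """Apply priorities and strategies to already-computed condition results."""
    is_rule = ps.condition is not None
    if is_rule:
        if not truth[ps.name]:
            return False  # assumption: nested rules need a matching parent rule
        actions.append(ps.name)
    matched = is_rule
    for _, child in sorted(ps.children, key=lambda pc: pc[0], reverse=True):
        if _select(child, truth, actions):
            matched = True
            if ps.strategy == FIRST_MATCHING:
                break  # termination criterion of FirstMatching is satisfied
    return matched


def decide(root: PolicySet, context: dict) -> List[str]:
    """Return, in order, the rules whose actions the PEP should enforce."""
    snapshot = MappingProxyType(dict(context))  # read-only view for conditions
    # Phase 1: evaluate every condition once, in no particular order.
    truth = {name: bool(rule.condition(snapshot))
             for name, rule in _collect_rules(root, {}).items()}
    # Phase 2: only now apply priorities and decision strategies.
    actions: List[str] = []
    _select(root, truth, actions)
    return actions


def when(key: str, value) -> Condition:
    """Constructed condition: the context field equals the given value."""
    return lambda ctx: ctx.get(key) == value


def figure3() -> PolicySet:
    """Figure 3 with constructed conditions; rule 1B1a stands in for 'etc.'."""
    x2 = PolicySet("1X2", condition=when("src_net", "10.1"))
    g1b1 = PolicySet("1B1", ALL_MATCHING).add(
        1, PolicySet("1B1a", condition=when("dst_port", 443)))
    g1b = (PolicySet("1B", ALL_MATCHING)
           .add(5, g1b1)
           .add(4, x2)
           .add(3, PolicySet("1B3", condition=when("dscp", 46))))
    r1c = (PolicySet("1C", FIRST_MATCHING, when("proto", "tcp"))
           .add(4, PolicySet("1C1", condition=when("dst_port", 22)))
           .add(3, x2)
           .add(2, PolicySet("1C3", condition=lambda ctx: True)))
    return (PolicySet("1", FIRST_MATCHING)
            .add(6, PolicySet("1A", condition=when("proto", "icmp")))
            .add(5, g1b)
            .add(4, r1c))
```

A condition that tries to write to the snapshot raises TypeError, which makes a violation of the side-effect rule visible instead of silently changing the outcome.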
As shown in the example in Figure 3, PolicySet trees are defined by the PolicySet subclass instances and the PolicySetComponent aggregation instances between them. Each PolicySet tree has a defined set of decision strategies and evaluation priorities. In Section 5.6 we discuss some improvements in the use of PolicyRoles that cause the parent PolicySet.PolicyRoles to be applied to all contained PolicySet instances. However, a given resource may still have multiple, disjoint PolicySet trees regardless of how they are collected. These top-level PolicySet instances are called "unrooted" relative to the given resource.
So, a PolicySet instance is defined to be rooted or unrooted in the context of a particular managed element; the relationship to the managed element is usually established by the policy roles of the PolicySet instance and of the managed element (see 5.6 "Policy Roles"). A PolicySet instance is unrooted in that context if and only if there is no PolicySetComponent association to a parent PolicySet that is also related to the same managed element. These PolicySetComponent aggregations are traversed up the tree without regard to how a PolicySet instance came to be related with the ManagedElement. Figure 4 shows an example where instance A has role A, instance B has role B and so on. In this example, in the context of interface X, instances B and C are unrooted and instances D, E, and F are all rooted. In the context of interface Y, instance A is unrooted and instances B, C, D, E and F are all rooted.
          +---+     +-----------+     +-----------+
          | A |     |   I/F X   |     |   I/F Y   |
          +---+     | has roles |     | has roles |
           / \      |   B & C   |     |   A & B   |
          /   \     +-----------+     +-----------+
     +---+     +---+
     | B |     | C |
     +---+     +---+
      / \         \
     /   \         \
  +---+ +---+     +---+
  | D | | E |     | F |
  +---+ +---+     +---+
Figure 4. Unrooted PolicySet Instances
For those cases where there are multiple unrooted PolicySet instances that apply to the same managed resource (i.e., not in a common PolicySetComponent tree), the decision strategy among these disjoint PolicySet instances is the FirstMatching strategy. The priority used with this FirstMatching strategy is defined in the PolicySetInSystem association. The PolicySetInSystem subclass instances are present for all PolicySet instances (it is a required association) but the priority is only used as a default for unrooted PolicySet instances in a given ManagedElement context.
The FirstMatching strategy is used among all unrooted PolicySet instances that apply to a given resource for a given functional domain. So, for example, the PolicySet instances that are used for QoS policy and the instances that are used for IKE policy, although they are disjoint, are not joined in a FirstMatching decision strategy. Instead, they are evaluated independently of one another.
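The rooted/unrooted classification of Figure 4 and the per-domain FirstMatching order among unrooted instances, as an added Python sketch that is not part of the RFC. It assumes that an instance is related to a managed element when its own role, or a role inherited from a parent PolicySet, is one of the element's roles (plain set intersection, a simplification of role matching); instance G, the functional-domain labels and the PolicySetInSystem.Priority values are constructed.

```python
from typing import Dict, List, Set

# PolicySetComponent parents as drawn in Figure 4; G is a constructed extra tree.
PARENTS: Dict[str, List[str]] = {
    "A": [], "B": ["A"], "C": ["A"], "D": ["B"], "E": ["B"], "F": ["C"], "G": [],
}
# Instance A has role A, and so on; G (constructed) also carries role B.
ROLES: Dict[str, Set[str]] = {
    "A": {"A"}, "B": {"B"}, "C": {"C"}, "D": {"D"},
    "E": {"E"}, "F": {"F"}, "G": {"B"},
}
# Constructed functional domains and PolicySetInSystem.Priority values
# (the priorities are unique for the System, as the model requires).
DOMAIN = {"A": "QoS", "B": "QoS", "C": "QoS", "D": "QoS",
          "E": "QoS", "F": "QoS", "G": "IKE"}
SYSTEM_PRIORITY = {"A": 70, "B": 60, "C": 50, "D": 40, "E": 30, "F": 20, "G": 10}
# Roles of the two interfaces in Figure 4.
INTERFACES = {"X": {"B", "C"}, "Y": {"A", "B"}}


def related(ps: str, element_roles: Set[str]) -> bool:
    """True if ps applies to the element through its own or an inherited role."""
    if ROLES[ps] & element_roles:
        return True
    return any(related(parent, element_roles) for parent in PARENTS[ps])


def is_unrooted(ps: str, element_roles: Set[str]) -> bool:
    """Related to the element, with no parent PolicySet that is also related."""
    return related(ps, element_roles) and not any(
        related(parent, element_roles) for parent in PARENTS[ps])


def rooted(element_roles: Set[str]) -> List[str]:
    """PolicySets related to the element that have a related parent."""
    return sorted(ps for ps in PARENTS
                  if related(ps, element_roles)
                  and not is_unrooted(ps, element_roles))


def first_matching_order(element_roles: Set[str]) -> Dict[str, List[str]]:
    """Per functional domain, unrooted PolicySets from highest priority down."""
    order: Dict[str, List[str]] = {}
    for ps in sorted(PARENTS, key=lambda p: SYSTEM_PRIORITY[p], reverse=True):
        if is_unrooted(ps, element_roles):
            order.setdefault(DOMAIN[ps], []).append(ps)
    return order
```

Each list in the result is one independent FirstMatching chain; the QoS and IKE chains are never merged.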
As previously discussed, PolicySetComponent.Priority values MUST be unique within a containing PolicySet and PolicySetInSystem.Priority values MUST be unique for an associated System. Each PolicySet, then, has a deterministic behavior based upon the decision strategy and uniquely defined priority.
There are certainly cases where rules need not have a unique priority value (i.e., where evaluation and execution priority is not important). However, it is believed that the flexibility gained by this capability is not sufficiently beneficial to justify the possible variations in implementation behavior and the resulting confusion that might occur.
A policy role is defined in [10] as "an administratively specified characteristic of a managed element (for example, an interface). It is a selector for policy rules and PRovisioning Classes (PRCs), to determine the applicability of the rule/PRC to a particular managed element."
In PCIMe, PolicyRoles is defined as a property of PolicySet, which is inherited by both PolicyRules and PolicyGroups. In this document, we also add PolicyRole as the identifying name of a collection of resources (PolicyRoleCollection), where each element in the collection has the specified role characteristic.
In the Configuration Management with SNMP (snmpconf) working group's Policy Based Management MIB [14], policy rules are of the form
if <policyFilter> then <policyAction>
where <policyFilter> is a set of conditions that are used to determine whether or not the policy applies to an object instance. The policy filter can perform comparison operations on SNMP variables already defined in MIBs (e.g., "ifType == ethernet").
The policy management MIB defined in [14] defines a Role table that enables one to associate Roles with elements, where roles have the same semantics as in PCIM. Then, since the policyFilter in a policy allows one to define conditions based on the comparison of the values of SNMP variables, one can filter elements based on their roles as defined in the Role group.
This approach differs from that adopted in PCIM in the following ways. First, in PCIM, a set of role(s) is associated with a policy rule as the values of the PolicyRoles property of a policy rule. The semantics of role(s) are then expected to be implemented by the PDP (i.e., policies are applied to the elements with the appropriate roles). In [14], however, no special processing is required for realizing the semantics of roles; roles are treated just as any other SNMP variables and comparisons of role values can be included in the policy filter of a policy rule.
Secondly, in PCIM, there is no formally defined way of associating a role with an object instance, whereas in [14] this is done via the use of the Role tables (pmRoleESTable and pmRoleSETable). The Role tables associate Role values with elements.
In order to remedy the latter shortcoming in PCIM (the lack of a way of associating a role with an object instance), PCIMe has a new class PolicyRoleCollection derived from the CIM Collection class. Resources that share a common role are aggregated by a PolicyRoleCollection instance, via the ElementInPolicyRoleCollection aggregation. The role is specified in the PolicyRole property of the aggregating PolicyRoleCollection instance.
A PolicyRoleCollection always exists in the context of a system. As was done in PCIM for PolicyRules and PolicyGroups, an association, PolicyRoleCollectionInSystem, captures this relationship. Remember that in CIM, System is a base class for describing network devices and administrative domains.
The association between a PolicyRoleCollection and a system should be consistent with the associations that scope the policy rules/groups that are applied to the resources in that collection. Specifically, a PolicyRoleCollection should be associated with the same System as the applicable PolicyRules and/or PolicyGroups, or to a System higher in the tree formed by the SystemComponent association. When a PEP belongs to multiple Systems (i.e., AdminDomains), and scoping by a single domain is impractical, two alternatives exist. One is to arbitrarily limit domain membership to one System/AdminDomain. The other option is to define a more global AdminDomain that simply includes the others, and/or that spans the business or enterprise.
As an example, suppose that there are 20 traffic trunks in a network, and that an administrator would like to assign three of them to provide "gold" service. Also, the administrator has defined several policy rules which specify how the "gold" service is delivered. For these rules, the PolicyRoles property (inherited from PolicySet) is set to "Gold Service".
In order to associate three traffic trunks with "gold" service, an instance of the PolicyRoleCollection class is created and its PolicyRole property is also set to "Gold Service". Following this, the administrator associates three traffic trunks with the new instance of PolicyRoleCollection via the ElementInPolicyRoleCollection aggregation. This enables a PDP to determine that the "Gold Service" policy rules apply to the three aggregated traffic trunks.
Note that roles are used to optimize policy retrieval. It is not mandatory to implement roles or, if they have been implemented, to group elements in a PolicyRoleCollection. However, if roles are used, then either the collection approach should be implemented, or elements should be capable of reporting their "pre-programmed" roles (as is done in COPS).
In PCIM, role(s) are only associated with policy rules. However, it may be desirable to associate role(s) with groups of policy rules. For example, a network administrator may want to define a group of rules that apply only to Ethernet interfaces. A policy group can be defined with a role-combination="Ethernet", and all the relevant policy rules can be placed in this policy group. (Note that in PCIMe, role(s) are made available to PolicyGroups as well as to PolicyRules by moving PCIM's PolicyRoles property up from PolicyRule to the new abstract class PolicySet. The property is then inherited by both PolicyGroup and PolicyRule.) Then every policy rule in this policy group implicitly inherits this role-combination from the containing policy group. A similar implicit inheritance applies to nested policy groups.
There is no explicit copying of role(s) from container to contained entity. Obviously, this implicit inheritance of role(s) leads to the possibility of defining inconsistent role(s) (as explained in the example below); the handling of such inconsistencies is beyond the scope of PCIMe.
As an example, suppose that there is a PolicyGroup PG1 that contains three PolicyRules, PR1, PR2, and PR3. Assume that PG1 has the roles "Ethernet" and "Fast". Also, assume that the contained policy rules have the role(s) shown below:
         +------------------------------+
         | PolicyGroup PG1              |
         | PolicyRoles = Ethernet, Fast |
         +------------------------------+
            |
            |        +------------------------+
            |        | PolicyRule PR1         |
            |--------| PolicyRoles = Ethernet |
            |        +------------------------+
            |
            |        +--------------------------+
            |        | PolicyRule PR2           |
            |--------| PolicyRoles = <undefined>|
            |        +--------------------------+
            |
            |        +------------------------+
            |        | PolicyRule PR3         |
            |--------| PolicyRoles = Slow     |
                     +------------------------+
Figure 5. Inheritance of Roles
In this example, the PolicyRoles property value for PR1 is consistent with the value in PG1, and in fact, did not need to be redefined. The value of PolicyRoles for PR2 is undefined. Its roles are implicitly inherited from PG1. Lastly, the value of PolicyRoles for PR3 is "Slow". This appears to be in conflict with the role, "Fast," defined in PG1. However, whether these roles are actually in conflict is not clear. In one scenario, the policy administrator may have wanted only "Fast"-"Ethernet" rules in the policy group. In another scenario, the administrator may be indicating that PR3 applies to all "Ethernet" interfaces regardless of whether they are "Fast" or "Slow." Only in the former scenario (only "Fast"-"Ethernet" rules in the policy group) is there a role conflict.
Note that it is possible to override implicitly inherited roles via appropriate conditions on a PolicyRule. For example, suppose that PR3 above had defined the following conditions:
(interface is not "Fast") and (interface is "Slow")
This results in unambiguous semantics for PR3.
Compound policy conditions and compound policy actions are introduced to provide additional reusable "chunks" of policy.
A CompoundPolicyCondition is a PolicyCondition representing a Boolean combination of simpler conditions. The conditions being combined may be SimplePolicyConditions (discussed below in Section 6.4), but the utility of reusable combinations of policy conditions is not necessarily limited to the case where the component conditions are simple ones.
The PCIM extensions to introduce compound policy conditions are relatively straightforward. Since the purpose of the extension is to apply the DNF / CNF logic from PCIM's PolicyConditionInPolicyRule aggregation to a compound condition that aggregates simpler conditions, the following changes are required:
o Create a new aggregation PolicyConditionInPolicyCondition, with the same GroupNumber and ConditionNegated properties as PolicyConditionInPolicyRule. The cleanest way to do this is to move the properties up to a new abstract aggregation superclass PolicyConditionStructure, from which the existing aggregation PolicyConditionInPolicyRule and a new aggregation PolicyConditionInPolicyCondition are derived. For now there is no need to re-document the properties themselves, since they are already documented in PCIM as part of the definition of the PolicyConditionInPolicyRule aggregation.
o It is also necessary to define a concrete subclass CompoundPolicyCondition of PolicyCondition, to introduce the ConditionListType property. This property has the same function, and works in exactly the same way, as the corresponding property currently defined in PCIM for the PolicyRule class.
The class and property definitions for representing compound policy conditions are below, in Section 6.
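How GroupNumber, ConditionNegated and ConditionListType combine when a compound condition aggregates simpler ones, including a compound nested inside another, as an added Python sketch that is not part of the RFC. MATCH is reduced to equality, the variables SourceZone and Protocol and all sample values are constructed, and rejecting an empty compound condition (so that an empty CNF list cannot evaluate to True) is a choice made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Tuple


@dataclass
class SimplePolicyCondition:
    """(<variable>, <value>) pair; MATCH is reduced to equality in this sketch."""
    variable: str
    value: object

    def evaluate(self, ctx: Mapping) -> bool:
        return ctx.get(self.variable) == self.value


@dataclass
class CompoundPolicyCondition:
    """Boolean combination of conditions, themselves simple or compound."""
    condition_list_type: str  # "DNF" or "CNF", playing the role of ConditionListType
    # PolicyConditionInPolicyCondition: (GroupNumber, ConditionNegated, condition)
    members: List[Tuple[int, bool, object]] = field(default_factory=list)

    def add(self, group_number: int, condition, negated: bool = False):
        self.members.append((group_number, negated, condition))
        return self

    def evaluate(self, ctx: Mapping) -> bool:
        if not self.members:
            # Example choice: fail closed instead of letting an empty CNF be True.
            raise ValueError("compound condition aggregates no conditions")
        groups: Dict[int, List[bool]] = {}
        for group_number, negated, condition in self.members:
            # ConditionNegated inverts the aggregated condition's result.
            result = condition.evaluate(ctx) != negated
            groups.setdefault(group_number, []).append(result)
        if self.condition_list_type == "DNF":
            # OR across groups, AND within each group.
            return any(all(terms) for terms in groups.values())
        if self.condition_list_type == "CNF":
            # AND across groups, OR within each group.
            return all(any(terms) for terms in groups.values())
        raise ValueError(f"unknown list type {self.condition_list_type!r}")


def build_rule_condition() -> CompoundPolicyCondition:
    """(web traffic not from the internal zone) AND (tcp OR sctp)."""
    internal = SimplePolicyCondition("SourceZone", "internal")
    # Reusable compound: (port 80 AND NOT internal) OR (port 8080 AND NOT internal)
    web_from_outside = (CompoundPolicyCondition("DNF")
                        .add(1, SimplePolicyCondition("DestinationPort", 80))
                        .add(1, internal, negated=True)
                        .add(2, SimplePolicyCondition("DestinationPort", 8080))
                        .add(2, internal, negated=True))
    # The reusable compound is aggregated like any other condition.
    return (CompoundPolicyCondition("CNF")
            .add(1, web_from_outside)
            .add(2, SimplePolicyCondition("Protocol", "tcp"))
            .add(2, SimplePolicyCondition("Protocol", "sctp")))
```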
A compound action is a convenient construct to represent a sequence of actions to be applied as a single atomic action within a policy rule. In many cases, actions are related to each other and should be looked upon as sub-actions of one "logical" action. An example of such a logical action is "shape & mark" (i.e., shape a certain stream to a set of predefined bandwidth characteristics and then mark these packets with a certain DSCP value). This logical action is actually composed of two different QoS actions, which should be performed in a well-defined order and as a complete set.
The CompoundPolicyAction construct allows one to create a logical relationship between a number of actions, and to define the activation logic associated with this logical action.
The CompoundPolicyAction construct allows the reusability of these complex actions, by storing them in a ReusablePolicyContainer and reusing them in different policy rules. Note that a compound action may also be aggregated by another compound action.
As was the case with CompoundPolicyCondition, the PCIM extensions to introduce compound policy actions are relatively straightforward. This time the goal is to apply the property ActionOrder from PCIM's PolicyActionInPolicyRule aggregation to a compound action that aggregates simpler actions. The following changes are required:
o Create a new aggregation PolicyActionInPolicyAction, with the same ActionOrder property as PolicyActionInPolicyRule. The cleanest way to do this is to move the property up to a new abstract aggregation superclass PolicyActionStructure, from which the existing aggregation PolicyActionInPolicyRule and a new aggregation PolicyActionInPolicyAction are derived.
o It is also necessary to define a concrete subclass CompoundPolicyAction of PolicyAction, to introduce the SequencedActions property. This property has the same function, and works in exactly the same way, as the corresponding property currently defined in PCIM for the PolicyRule class.
o Finally, a new property ExecutionStrategy is needed for both the PCIM class PolicyRule and the new class CompoundPolicyAction. This property allows the policy administrator to specify how the PEP should behave in the case where there are multiple actions aggregated by a PolicyRule or by a CompoundPolicyAction.
The class and property definitions for representing compound policy actions are below, in Section 6.
The following subsections introduce several related concepts, including PolicyVariables and PolicyValues (and their numerous subclasses), SimplePolicyConditions, and SimplePolicyActions.
The SimplePolicyCondition class models elementary Boolean expressions of the form: "(<variable> MATCH <value>)". The relationship 'MATCH', which is implicit in the model, is interpreted based on the variable and the value. Section 5.8.3 explains the semantics of the 'MATCH' operator. Arbitrarily complex Boolean expressions can be formed by chaining together any number of simple conditions using relational operators. Individual simple conditions can be negated as well. Arbitrarily complex Boolean expressions are modeled by the class CompoundPolicyCondition (described in Section 5.7.1).
For example, the expression "SourcePort == 80" can be modeled by a simple condition. In this example, 'SourcePort' is a variable, '==' is the relational operator denoting the equality relationship (which is generalized by PCIMe to a "MATCH" relationship), and '80' is an integer value. The complete interpretation of a simple condition depends on the binding of the variable. Section 5.8.5 describes variables and their binding rules.
The SimplePolicyCondition class refines the basic structure of the PolicyCondition class defined in PCIM by using the pair (<variable>, <value>) to form the condition. Note that the operator between the variable and the value is always implied in PCIMe: it is not a part of the formal notation.
The variable specifies the attribute of an object that should be matched when evaluating the condition. For example, for a QoS model, this object could represent the flow that is being conditioned. A set of predefined variables that cover network attributes commonly used for filtering is introduced in PCIMe, to encourage interoperability. This list covers layer 3 IP attributes such as IP network addresses, protocols and ports, as well as a set of layer 2 attributes (e.g., MAC addresses).
The bound variable is matched against a value to produce the Boolean result. For example, in the condition "The source IP address of the flow belongs to the 10.1.x.x subnet", a source IP address variable is matched against a 10.1.x.x subnet value.
Simple conditions can be used in policy rules directly, or as building blocks for creating compound policy conditions.
Simple condition composition MUST enforce the following data-type conformance rule: The ValueTypes property of the variable must be compatible with the type of the value class used. The simplest (and friendliest, from a user point-of-view) way to do this is to equate the type of the value class with the name of the class. By ensuring that the ValueTypes property of the variable matches the name of the value class used, we know that the variable and value instance values are compatible with each other.
Composing a simple condition requires that an instance of the class SimplePolicyCondition be created, and that instances of the variable and value classes that it uses also exist. Note that the variable and/or value instances may already exist as reusable objects in an appropriate ReusablePolicyContainer.
Two aggregations are used in order to create the pair (<variable>, <value>). The aggregation PolicyVariableInSimplePolicyCondition relates a SimplePolicyCondition to a single variable instance. Similarly, the aggregation PolicyValueInSimplePolicyCondition relates a SimplePolicyCondition to a single value instance. Both aggregations are defined in this document.
Figure 6 depicts a SimplePolicyCondition with its associated variable and value. Also shown are two PolicyValue instances that identify the values that the variable can assume.
                   +-----------------------+
                   | SimplePolicyCondition |
                   +-----------------------+
                          *         @
                          *         @
     +------------------+ *         @ +---------------+
     | (PolicyVariable) |***        @@@| (PolicyValue) |
     +------------------+              +---------------+
             #       #
             #  ooo  #
             #       #
    +---------------+     +---------------+
    | (PolicyValue) | ooo | (PolicyValue) |
    +---------------+     +---------------+

    Aggregation Legend:
      ****  PolicyVariableInSimplePolicyCondition
      @@@@  PolicyValueInSimplePolicyCondition
      ####  ExpectedPolicyValuesForVariable
Figure 6. SimplePolicyCondition
Note: The class names in parentheses denote subclasses. The classes named in the figure are abstract, and thus cannot themselves be instantiated.
A simple condition models an elementary Boolean expression of the form "variable MATCHes value". However, the formal notation of the SimplePolicyCondition, together with its associations, models only a pair, (<variable>, <value>). The 'MATCH' operator is not directly modeled -- it is implied. Furthermore, this implied 'MATCH' operator carries overloaded semantics.
For example, in the simple condition "DestinationPort MATCH '80'", the interpretation of the 'MATCH' operator is equality (the 'equal' operator). Clearly, a different interpretation is needed in the following cases:
o "DestinationPort MATCH {'80', '8080'}" -- operator is 'IS SET MEMBER'
o "DestinationPort MATCH {'1 to 255'}" -- operator is 'IN INTEGER RANGE'
o "SourceIPAddress MATCH 'MyCompany.com'" -- operator is 'IP ADDRESS AS RESOLVED BY DNS'
The examples above illustrate the implicit, context-dependent nature of the 'MATCH' operator. The interpretation depends on the actual variable and value instances in the simple condition. The interpretation is always derived from the bound variable and the value instance associated with the simple condition. Text accompanying the value class and implicit variable definition is used for interpreting the semantics of the 'MATCH' relationship. In the following list, we define generic (type-independent) matching.
PolicyValues may be multi-fielded, where each field may contain a range of values. The same holds for PolicyVariables. Basically, we have to deal with single values (singleton), ranges ([lower bound .. upper bound]), and sets (a,b,c). So, independent of the variable and value type, the following set of generic matching rules for the 'MATCH' operator is defined.
o singleton matches singleton -> the matching rule is defined in the type
o singleton matches range [lower bound .. upper bound] -> the matching evaluates to true, if the singleton matches the lower bound or the upper bound or a value in between
o singleton matches set -> the matching evaluates to true, if the value of the singleton matches one of the components in the set, where a component may be a singleton or range again
o range [A..B] matches singleton -> is true if A matches B matches singleton
o range [A..B] matches range [X..Y] -> the matching evaluates to true, if all values of the range [A..B] are also in the range [X..Y]. For instance, [3..5] match [1..6] evaluates to true, whereas [3..5] match [4..6] evaluates to false.
o range [A..B] matches set (a,b,c, ...) -> the matching evaluates to true, if all values in the range [A..B] are part of the set. For instance, range [2..3] match set ([1..2],3) evaluates to true, as well as range [2..3] match set (2,3), and range [2..3] match set ([1..2],[3..5]).
o set (a,b,c, ...) match singleton -> is true if a match b match c match ... match singleton
o set match range -> the matching evaluates to true, if all values in the set are part of the range. For example, set (2,3) match range [1..4] evaluates to true.
o set (a,b,c,...) match set (x,y,z,...) -> the matching evaluates to true, if all values in the set (a,b,c,...) are part of the set (x,y,z,...). For example, set (1,2,3) match set (1,2,3,4) evaluates to true. Set (1,2,3) match set (1,2) evaluates to false.
Variables may contain various types (Section 6.11.1). When not stated otherwise, the type of the value bound to the variable at condition evaluation time and the value type of the PolicyValue instance need to be of the same type. If they differ, then the condition evaluates to FALSE.
The ExpectedPolicyValuesForVariable association specifies an expected set of values that can be matched with a variable within a simple condition. Using this association, a source or destination port can be limited to the range 0-200, a source or destination IP address can be limited to a specified list of IPv4 address values, etc.
                          +-----------------------+
                          | SimplePolicyCondition |
                          +-----------------------+
                              *             @
                              *             @
                              *             @
+-----------------------------------+   +--------------------------+
| Name=SmallSourcePorts             |   | Name=Port300             |
| Class=PolicySourcePortVariable    |   | Class=PolicyIntegerValue |
| ValueTypes=[PolicyIntegerValue]   |   | IntegerList = [300]      |
+-----------------------------------+   +--------------------------+
            #
            #
            #
  +-------------------------+
  |Name=SmallPortsValues    |
  |Class=PolicyIntegerValue |
  |IntegerList=[1..200]     |
  +-------------------------+

Aggregation Legend:
  ****  PolicyVariableInSimplePolicyCondition
  @@@@  PolicyValueInSimplePolicyCondition
  ####  ExpectedPolicyValuesForVariable

Figure 7. An Invalid SimplePolicyCondition
The ability to express these limitations appears in the model to support validation of a SimplePolicyCondition prior to its deployment to an enforcement point. A Policy Management Tool, for example, SHOULD NOT accept the SimplePolicyCondition shown in Figure 7. If, however, a policy rule containing this condition does appear at an enforcement point, the expected values play no role in the determination of whether the condition evaluates to True or False. Thus in this example, the SimplePolicyCondition evaluates to True if the source port for the packet under consideration is 300, and it evaluates to False otherwise.
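The generic matching rules and the Figure 7 validation case, worked for integer values as an added example (not code from the RFC). For integers the nine rules reduce to one containment test, which is this example's reading of the list; the class and function names below are assumptions that mirror the model's terms.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

Component = Union[int, Tuple[int, int]]   # singleton, or inclusive range (lo, hi)
Interval = Tuple[int, int]


def normalize(components: Iterable[Component]) -> List[Interval]:
    """Reduce singletons and ranges to sorted, merged inclusive intervals."""
    spans: List[Interval] = []
    for c in components:
        lo, hi = (c, c) if isinstance(c, int) else c
        if lo > hi:
            raise ValueError(f"lower bound exceeds upper bound: {c!r}")
        spans.append((lo, hi))
    merged: List[Interval] = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:      # overlapping or adjacent integers
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def match(lhs: Iterable[Component], rhs: Iterable[Component]) -> bool:
    """Generic MATCH for integers: true iff every value in lhs is also in rhs."""
    left, right = normalize(lhs), normalize(rhs)
    if not left:
        return False                                 # nothing bound: fail closed
    return all(any(rlo <= lo and hi <= rhi for rlo, rhi in right)
               for lo, hi in left)


@dataclass
class IntegerValue:                                  # models PolicyIntegerValue
    name: str
    integer_list: List[Component]
    value_class: str = "PolicyIntegerValue"


@dataclass
class Variable:                                      # models a PolicyImplicitVariable
    name: str
    value_types: List[str]                           # ValueTypes property
    expected: Optional[IntegerValue] = None          # ExpectedPolicyValuesForVariable


@dataclass
class SimplePolicyCondition:
    variable: Variable
    value: IntegerValue


def validate(cond: SimplePolicyCondition) -> List[str]:
    """Management-tool check before deployment; returns a list of problems."""
    problems = []
    var, val = cond.variable, cond.value
    if val.value_class not in var.value_types:
        problems.append(f"{val.value_class} not in ValueTypes of {var.name}")
    if var.expected and not match(val.integer_list, var.expected.integer_list):
        problems.append(f"{val.name} outside expected values {var.expected.name}")
    return problems


def evaluate(cond: SimplePolicyCondition, bound: IntegerValue) -> bool:
    """Enforcement-point evaluation: expected values play no role here."""
    if bound.value_class != cond.value.value_class:
        return False                                 # differing types evaluate to FALSE
    return match(bound.integer_list, cond.value.integer_list)


# Figure 7, rebuilt from the names shown in the figure.
FIGURE_7 = SimplePolicyCondition(
    Variable("SmallSourcePorts", ["PolicyIntegerValue"],
             IntegerValue("SmallPortsValues", [(1, 200)])),
    IntegerValue("Port300", [300]),
)
```

validate(FIGURE_7) reports the condition as invalid, while evaluate() on a packet whose source port is 300 still returns True, which is why the check belongs in the management tool before deployment.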
The SimplePolicyAction class models the elementary set operation, "SET <variable> TO <value>". The set operator MUST overwrite an old value of the variable. In the case where the variable to be updated is multi-valued, the only update operation defined is a complete replacement of all previous values with a new set. In other words, there are no Add or Remove [to/from the set of values] operations defined for SimplePolicyActions.
For example, the action "set DSCP to EF" can be modeled by a simple action. In this example, 'DSCP' is an implicit variable referring to the IP packet header DSCP field. 'EF' is an integer or bit string value (6 bits). The complete interpretation of a simple action depends on the binding of the variable.
The SimplePolicyAction class refines the basic structure of the PolicyAction class defined in PCIM, by specifying the contents of the action using the (<variable>, <value>) pair to form the action. The variable specifies the attribute of an object. The value of this attribute is set to the value specified in <value>. Selection of the object is a function of the type of variable involved. See Sections 5.8.6 and 5.8.7, respectively, for details on object selection for explicitly bound and implicitly bound policy variables.
SimplePolicyActions can be used in policy rules directly, or as building blocks for creating CompoundPolicyActions.
The set operation is only valid if the list of types of the variable (ValueTypes property of PolicyImplicitVariable) includes the specified type of the value. Conversion of values from one representation into another is not defined. For example, a variable of IPv4Address type may not be set to a string containing a DNS name. Conversions are part of an implementation-specific mapping of the model.
As was the case with SimplePolicyConditions, the role of expected values for the variables that appear in SimplePolicyActions is for validation, prior to the time when an action is executed. Expected values play no role in action execution.
Composing a simple action requires that an instance of the class SimplePolicyAction be created, and that instances of the variable and value classes that it uses also exist. Note that the variable and/or value instances may already exist as reusable objects in an appropriate ReusablePolicyContainer.
Two aggregations are used in order to create the pair (<variable>, <value>). The aggregation PolicyVariableInSimplePolicyAction relates a SimplePolicyAction to a single variable instance. Similarly, the aggregation PolicyValueInSimplePolicyAction relates a SimplePolicyAction to a single value instance. Both aggregations are defined in this document.
Figure 8 depicts a SimplePolicyAction with its associated variable and value.
                    +-----------------------+
                    | SimplePolicyAction    |
                    |                       |
                    +-----------------------+
                           *         @
                           *         @
     +------------------+  *         @  +---------------+
     | (PolicyVariable) |***         @@@| (PolicyValue) |
     +------------------+               +---------------+
        #              #
        #     ooo      #
        #              #
+---------------+     +---------------+
| (PolicyValue) | ooo | (PolicyValue) |
+---------------+     +---------------+

Aggregation Legend:
  ****  PolicyVariableInSimplePolicyAction
  @@@@  PolicyValueInSimplePolicyAction
  ####  ExpectedPolicyValuesForVariable

Figure 8. SimplePolicyAction
A variable generically represents information that changes (or "varies"), and that is set or evaluated by software. In policy, conditions and actions can abstract information as "policy variables" to be evaluated in logical expressions, or set by actions.
PCIMe defines two types of PolicyVariables, PolicyImplicitVariables and PolicyExplicitVariables. The semantic difference between these classes is based on modeling context. Explicit variables are bound to exact model constructs, while implicit variables are defined and evaluated outside of a model. For example, one can imagine a PolicyCondition testing whether a CIM ManagedSystemElement's Status property has the value "Error." The Status property is an explicitly defined PolicyVariable (i.e., it is defined in the context of the CIM Schema, and evaluated in the context of a specific instance). On the other hand, network packets are not explicitly modeled or instantiated, since there is no perceived value (at this time) in managing at the packet level. Therefore, a PolicyCondition can make no explicit reference to a model construct that represents a network packet's source address. In this case, an implicit PolicyVariable is defined, to allow evaluation or modification of a packet's source address.
Explicitly bound policy variables indicate the class and property names of the model construct to be evaluated or set. The CIM Schema defines and constrains "appropriate" values for the variable (i.e., model property) using data types and other information such as class/property qualifiers.
A PolicyExplicitVariable is "explicit" because its model semantics are exactly defined. It is NOT explicit due to an exact binding to a particular object instance. If PolicyExplicitVariables were tied to instances (either via associations or by an object identification property in the class itself), then we would be forcing element-specific rules. On the other hand, if we only specify the object's model context (class and property name), but leave the binding to the policy framework (for example, using policy roles), then greater flexibility results for either general or element-specific rules.
For example, an element-specific rule is obtained by a condition ((<variable>, <value>) pair) that defines CIM LogicalDevice DeviceID="12345". Alternately, if a PolicyRule's PolicyRoles is "edge device" and the condition ((<variable>, <value>) pair) is Status="Error", then a general rule results for all edge devices in error.
Currently, the only binding for a PolicyExplicitVariable defined in PCIMe is to the instances selected by policy roles. For each such instance, a SimplePolicyCondition that aggregates the PolicyExplicitVariable evaluates to True if and only if ALL of the following are true:
o The instance selected is of the class identified by the variable's ModelClass property, or of a subclass of this class.
o The instance selected has the property identified by the variable's ModelProperty property.
o The value of this property in the instance matches the value specified in the PolicyValue aggregated by the condition.
In all other cases, the SimplePolicyCondition evaluates to False.
For the case where a SimplePolicyAction aggregates a PolicyExplicitVariable, the indicated property in the selected instance is set to the value represented by the PolicyValue that the SimplePolicyAction also aggregates. However, if the selected instance is not of the class identified by the variable's ModelClass property, or of a subclass of this class, then the action is not performed. In this case the SimplePolicyAction is not treated either as a successfully executed action (for the execution strategy Do Until Success) or as a failed action (for the execution strategy Do Until Failure). Instead, the remaining actions for the policy rule, if any, are executed as if this SimplePolicyAction were not present at all in the list of actions aggregated by the rule.
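The binding rules for explicit variables, as an added example (not code from the RFC): the three-part condition test, and an action list in which an action bound to the wrong class counts as neither success nor failure. The class hierarchy, instance data and function names are constructed for illustration; plain equality stands in for MATCH, and every action that is performed is assumed to succeed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, simplified class hierarchy (child -> parent); not the CIM Schema.
PARENT: Dict[str, Optional[str]] = {
    "ManagedSystemElement": None,
    "LogicalDevice": "ManagedSystemElement",
    "NetworkPort": "LogicalDevice",
    "Service": "ManagedSystemElement",
}


@dataclass
class Instance:                       # an instance selected by policy roles
    cls: str
    props: Dict[str, object]


@dataclass(frozen=True)
class ExplicitVariable:               # models PolicyExplicitVariable
    model_class: str                  # ModelClass
    model_property: str               # ModelProperty


def is_a(cls: Optional[str], ancestor: str) -> bool:
    """True if cls is ancestor or one of its subclasses."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = PARENT.get(cls)
    return False


def condition(var: ExplicitVariable, value: object, inst: Instance) -> bool:
    """True only if the class, the property and the value all line up."""
    return (is_a(inst.cls, var.model_class)
            and var.model_property in inst.props
            and inst.props[var.model_property] == value)


def run_actions(actions: List[Tuple[ExplicitVariable, object]],
                inst: Instance, strategy: str) -> List[str]:
    """Apply SET actions in order and return the outcome of each one reached."""
    outcomes = []
    for var, value in actions:
        if not is_a(inst.cls, var.model_class):
            outcomes.append("skipped")        # as if absent from the list
            continue
        inst.props[var.model_property] = value
        outcomes.append("done")
        if strategy == "Do Until Success":
            break                             # first performed action ends the run
    return outcomes                           # "Do Until Failure": nothing fails here


def sample_port() -> Instance:
    """Constructed instance used by the checks."""
    return Instance("NetworkPort", {"Status": "Error", "Speed": 100})


ACTIONS = [
    (ExplicitVariable("Service", "Started"), True),       # wrong class for a port
    (ExplicitVariable("LogicalDevice", "Status"), "OK"),
    (ExplicitVariable("LogicalDevice", "Speed"), 10),
]
```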
Explicit variables would be more powerful if they could reach beyond the instances selected by policy roles, to related instances. However, to represent a policy rule involving such variables in any kind of general way requires something that starts to resemble very much a complete policy language. Clearly such a language is outside the scope of PCIMe, although it might be the subject of a future document.
By restricting much of the generality, it would be possible for explicit variables in PCIMe to reach slightly beyond a selected instance. For example, if a selected instance were related to exactly one instance of another class via a particular association class, and if the goal of the policy rule were both to test a property of this related instance and to set a property of that same instance, then it would be possible to represent the condition and action of the rule using PolicyExplicitVariables. Rather than handling this one specific case with explicit variables, though, it was decided to lump them with the more general case, and deal with them if and when a policy language is defined.
Refer to Section 6.10 for the formal definition of the class PolicyExplicitVariable.
Implicitly bound policy variables define the data type and semantics of a variable. This determines how the variable is bound to a value in a condition or an action. Further instructions are provided for specifying data type and/or value constraints for implicitly bound variables.
PCIMe introduces an abstract class, PolicyImplicitVariable, to model implicitly bound variables. This class is derived from the abstract class PolicyVariable also defined in PCIMe. Each of the implicitly bound variables introduced by PCIMe (and those that are introduced by domain-specific sub-models) MUST be derived from the PolicyImplicitVariable class. The rationale for using this mechanism for modeling is explained below in Section 5.8.9.
A domain-specific policy information model that extends PCIMe may define additional implicitly bound variables either by deriving them directly from the class PolicyImplicitVariable, or by further refining an existing variable class such as SourcePort. When refining a class such as SourcePort, existing binding rules, type or value constraints may be narrowed.
A class derived from PolicyImplicitVariable to model a particular implicitly bound variable SHOULD be constructed so that its name depicts the meaning of the variable. For example, a class defined to model the source port of a TCP/UDP flow SHOULD have 'SourcePort' in its name.
PCIMe defines one association and one general-purpose mechanism that together characterize each of the implicitly bound variables that it introduces:
1. The ExpectedPolicyValuesForVariable association defines the set of value classes that could be matched to this variable.
2. The list of constraints on the values that the PolicyVariable can hold (i.e., values that the variable must match) is defined by the appropriate properties of an associated PolicyValue class.
In the example presented above, a PolicyImplicitVariable represents the SourcePort of incoming traffic. The ValueTypes property of an instance of this class will hold the class name PolicyIntegerValue. This by itself constrains the data type of the SourcePort instance to be an integer. However, we can further constrain the particular values that the SourcePort variable can hold by entering valid ranges in the IntegerList property of the PolicyIntegerValue instance (0 - 65535 in this document).
The combination of the VariableName and the ExpectedPolicyValuesForVariable association provides a consistent and extensible set of metadata that defines the semantics of variables that are used to form policy conditions. Since the ExpectedPolicyValuesForVariable association points to a PolicyValue instance, any of the values expressible in the PolicyValue class can be used to constrain values that the PolicyImplicitVariable can hold. For example:
o The ValueTypes property can be used to ensure that only proper classes are used in the expression. For example, the SourcePort variable will not be allowed to ever be of type PolicyIPv4AddrValue, since source ports have different semantics than IP addresses and may not be matched. However, integer value types are allowed as the property ValueTypes holds the string "PolicyIntegerValue", which is the class name for integer values.
o The ExpectedPolicyValuesForVariable association also ensures that variable-specific semantics are enforced (e.g., the SourcePort variable may include a constraint association to a value object defining a specific integer range that should be matched).
An implicitly bound variable can be modeled in one of several ways, including a single class with an enumerator for each individual implicitly bound variable and an abstract class extended for each individual variable. The reasons for using a class inheritance mechanism for specifying individual implicitly bound variables are these:
1. It is easy to extend. A domain-specific information model can easily extend the PolicyImplicitVariable class or its subclasses to define domain-specific and context-specific variables. For example, a domain-specific QoS policy information model may introduce an implicitly bound variable class to model applications by deriving a qosApplicationVariable class from the PolicyImplicitVariable abstract class.
2. Introduction of a single structural class for implicitly bound variables would have to include an enumerator property that contains all possible individual implicitly bound variables. This means that a domain-specific information model wishing to introduce an implicitly bound variable must extend the enumerator itself. This results in multiple definitions of the same class, differing in the values available in the enumerator class. One definition, in this document, would include the common implicitly bound variables' names, while a second definition, in the domain-specific information model document, may include additional values ('qosApplicationVariable' in the example above). It wouldn't even be obvious to the application developer that multiple class definitions existed. It would be harder still for the application developer to actually find the correct class to use.
3. In addition, an enumerator-based definition would require each additional value to be registered with IANA to ascertain adherence to standards. This would make the process cumbersome.
4. A possible argument against the inheritance mechanism would cite the fact that this approach results in an explosion of class definitions compared to an enumerator class, which only introduces a single class. While, by itself, this is not a strike against the approach, it may be argued that data models derived from this information model may be more difficult to optimize for applications. This argument is rejected on the grounds that application optimization is of lesser value for an information model than clarity and ease of extension. In addition, it is hard to claim that the inheritance model places an absolute burden on the optimization. For example, a data model may still use enumeration to denote instances of pre-defined variables and claim PCIMe compliance, as long as the data model can be mapped correctly to the definitions specified in this document.
The abstract class PolicyValue is used for modeling values and constants used in policy conditions. Different value types are derived from this class, to represent the various attributes required. Extensions of the abstract class PolicyValue, defined in this document, provide a list of values for basic network attributes. Values can be used to represent constants as named values. Named values can be kept in a reusable policy container to be reused by multiple conditions. Examples of constants include well-known ports, well-known protocols, server addresses, and other similar concepts.
The PolicyValue subclasses define three basic types of values: scalars, ranges and sets. For example, a well-known port number could be defined using the PolicyIntegerValue class, defining a single value (80 for HTTP), a range (80-88), or a set (80, 82, 8080) of ports, respectively. For details, please see the class definition for each value type in Section 6.14 of this document.
PCIMe defines the following subclasses of the abstract class PolicyValue:
Classes for general use:
- PolicyStringValue,
- PolicyIntegerValue,
- PolicyBitStringValue,
- PolicyBooleanValue.
Classes for layer 3 Network values:
- PolicyIPv4AddrValue,
- PolicyIPv6AddrValue.
Classes for layer 2 Network values:
- PolicyMACAddrValue.
For details, please see the class definition section of each class in Section 6.14 of this document.
PCIMe contains two mechanisms for representing packet filters. The more general of these, termed here the domain-level model, expresses packet filters in terms of policy variables and policy values. The other mechanism, termed here the device-level model, expresses packet filters in a way that maps more directly to the packet fields to which the filters are being applied. While it is possible to map between these two representations of packet filters, no mapping is provided in PCIMe itself.
In addition to filling in the holes in the overall Policy infrastructure, PCIMe proposes a single mechanism for expressing domain-level packet filters in policy conditions. This is being done in response to concerns that even though the initial "wave" of submodels derived from PCIM were all filtering on IP packets, each was doing it in a slightly different way. PCIMe proposes a common way to express IP packet filters. The following figure illustrates how packet-filtering conditions are expressed in PCIMe.
         +---------------------------------+
         | CompoundFilterCondition         |
         |  - IsMirrored boolean           |
         |  - ConditionListType (DNF|CNF)  |
         +---------------------------------+
          +               +               +
          +               +               +
          +               +               +
       SimplePC        SimplePC        SimplePC
      *        @       *      @        *      @
      *        @       *      @        *      @
      *        @       *      @        *      @
FlowDirection "In"   SrcIP <addr1>   DstIP <addr2>

Aggregation Legend:
  ++++  PolicyConditionInPolicyCondition
  ****  PolicyVariableInSimplePolicyCondition
  @@@@  PolicyValueInSimplePolicyCondition

Figure 9. Packet Filtering in Policy Conditions
In Figure 9, each SimplePolicyCondition represents a single field to be filtered on: Source IP address, Destination IP address, Source port, etc. An additional SimplePolicyCondition indicates the direction that a packet is traveling on an interface: inbound or outbound. Because of the FlowDirection condition, care must be taken in aggregating a set of SimplePolicyConditions into a CompoundFilterCondition. Otherwise, the resulting CompoundPolicyCondition may match all inbound packets, or all outbound packets, when this is probably not what was intended.
Individual SimplePolicyConditions may be negated when they are aggregated by a CompoundFilterCondition.
CompoundFilterCondition is a subclass of CompoundPolicyCondition. It introduces one additional property, the Boolean property IsMirrored. The purpose of this property is to allow a single CompoundFilterCondition to match packets traveling in both directions on a higher-level connection such as a TCP session. When this property is TRUE, additional packets match a filter, beyond those that would ordinarily match it. An example will illustrate how this property works.
Suppose we have a CompoundFilterCondition that aggregates the following three filters, which are ANDed together:
o FlowDirection = "In"
o Source IP = 9.1.1.1
o Source Port = 80
Regardless of whether IsMirrored is TRUE or FALSE, inbound packets will match this CompoundFilterCondition if their Source IP address = 9.1.1.1 and their Source port = 80. If IsMirrored is TRUE, however, an outbound packet will also match the CompoundFilterCondition if its Destination IP address = 9.1.1.1 and its Destination port = 80.
IsMirrored "flips" the following Source/Destination packet header fields:
o FlowDirection "In" / FlowDirection "Out"
o Source IP address / Destination IP address
o Source port / Destination port
o Source MAC address / Destination MAC address
o Source [layer-2] SAP / Destination [layer-2] SAP.
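The IsMirrored behaviour described above, as an added Python example that is not part of RFC 3460: the three-filter condition from the text is evaluated against constructed packets with IsMirrored FALSE and TRUE, and a direction-only filter shows the over-matching the text warns about. The packet dictionaries, the short field names (SrcIP, DstPort, ...) and modelling MATCH as plain equality are assumptions of this example.

```python
from dataclasses import dataclass

# Source/destination pairs that IsMirrored flips, per the list above.
# The short field names are assumptions made for this example.
FLIPPED_FIELD = {
    "SrcIP": "DstIP", "DstIP": "SrcIP",
    "SrcPort": "DstPort", "DstPort": "SrcPort",
    "SrcMAC": "DstMAC", "DstMAC": "SrcMAC",
    "SrcSAP": "DstSAP", "DstSAP": "SrcSAP",
}
FLIPPED_DIRECTION = {"In": "Out", "Out": "In"}


@dataclass(frozen=True)
class SimpleCondition:
    """One <Variable> MATCH <Value> pair; MATCH is modelled as equality."""
    variable: str
    value: object

    def mirrored(self):
        """Return the condition with its source/destination role flipped."""
        if self.variable == "FlowDirection":
            return SimpleCondition("FlowDirection", FLIPPED_DIRECTION[self.value])
        # Fields without a source/destination counterpart stay unchanged.
        flipped = FLIPPED_FIELD.get(self.variable, self.variable)
        return SimpleCondition(flipped, self.value)

    def matches(self, packet):
        return packet.get(self.variable) == self.value


@dataclass
class CompoundFilterCondition:
    """A flat list of SimpleConditions that are ANDed together."""
    conditions: list
    is_mirrored: bool = False  # DEFAULT VALUE FALSE

    def matches(self, packet):
        if all(c.matches(packet) for c in self.conditions):
            return True
        if self.is_mirrored:
            # The mirror image must match as a whole: every condition flipped.
            return all(c.mirrored().matches(packet) for c in self.conditions)
        return False


def web_server_filter(is_mirrored):
    """The three ANDed filters from the text."""
    return CompoundFilterCondition(
        [SimpleCondition("FlowDirection", "In"),
         SimpleCondition("SrcIP", "9.1.1.1"),
         SimpleCondition("SrcPort", 80)],
        is_mirrored=is_mirrored,
    )


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "inbound_from_server": {"FlowDirection": "In", "SrcIP": "9.1.1.1", "SrcPort": 80,
                            "DstIP": "10.0.0.5", "DstPort": 40000},
    "outbound_to_server": {"FlowDirection": "Out", "SrcIP": "10.0.0.5", "SrcPort": 40000,
                           "DstIP": "9.1.1.1", "DstPort": 80},
    "outbound_from_server_addr": {"FlowDirection": "Out", "SrcIP": "9.1.1.1", "SrcPort": 80,
                                  "DstIP": "10.0.0.5", "DstPort": 40000},
    "unrelated_inbound": {"FlowDirection": "In", "SrcIP": "192.0.2.7", "SrcPort": 53,
                          "DstIP": "10.0.0.5", "DstPort": 5353},
}


def evaluate(condition, packets):
    """Map each packet name to whether the condition matches it."""
    return {name: condition.matches(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print("IsMirrored=FALSE:", evaluate(web_server_filter(False), SAMPLES))
    print("IsMirrored=TRUE: ", evaluate(web_server_filter(True), SAMPLES))
    # A condition that carries only FlowDirection matches every inbound
    # packet; with IsMirrored TRUE it matches traffic in both directions.
    direction_only = CompoundFilterCondition(
        [SimpleCondition("FlowDirection", "In")], is_mirrored=True)
    print("direction only, mirrored:", evaluate(direction_only, SAMPLES))
```

Note that the mirror image is applied to the whole ANDed set at once, so an outbound packet whose source (rather than destination) is 9.1.1.1:80 still does not match.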
At the device level, packet header filters are represented by two subclasses of the abstract class FilterEntryBase: IpHeadersFilter and 8021Filter. Submodels of PCIMe may define other subclasses of FilterEntryBase in addition to these two; ICPM [12], for example, defines subclasses for IPsec-specific filters.
Instances of the subclasses of FilterEntryBase are not used directly as filters. They are always aggregated into a FilterList, by the aggregation EntriesInFilterList. For PCIMe and its submodels, the EntrySequence property in this aggregation always takes its default value '0', indicating that the aggregated filter entries are ANDed together.
The FilterList class includes an enumeration property Direction, representing the direction of the traffic flow to which the FilterList is to be applied. The value Mirrored(4) for Direction represents exactly the same thing as the IsMirrored boolean does in CompoundFilterCondition. See Section 5.9.1 for details.
Because PCIM and PCIMe provide the core classes for modeling policies, they are not in general sufficient by themselves for representing actual policy rules. Submodels, such as QPIM and ICPM, provide the means for expressing policy rules, by defining subclasses of the classes defined in PCIM and PCIMe, and/or by indicating how the PolicyVariables and PolicyValues defined in PCIMe can be used to express conditions and actions applicable to the submodel.
A particular submodel will not, in general, need to use every element defined in PCIM and PCIMe. For the elements it does not use, a submodel SHOULD remain silent on whether its implementations must support the element, must not support the element, should support the element, etc. For the elements it does use, a submodel SHOULD indicate which elements its implementations must support, which elements they should support, and which elements they may support.
PCIM and PCIMe themselves simply define elements that may be of use to submodels. These documents remain silent on whether implementations are required to support an element, should support it, etc.
This model (and derived submodels) defines conditions and actions that are used by policy rules. While the conditions and actions defined herein are straightforward and may be presumed to be widely supported, as submodels are developed it is likely that situations will arise in which specific conditions or actions are not supported by some part of the policy execution system. Similarly, situations may also occur where rules contain syntactic or semantic errors.
It should be understood that the behavior and effect of undefined or incorrectly defined conditions or actions is not prescribed by this information model. While it would be helpful if it were prescribed, the variations in implementation restrict the ability for this information model to control the effect. For example, if an implementation only detected that a PEP could not enforce a given action on that PEP, it would be very difficult to declare that such a failure should affect other PEPs, or the PDP process. On the other hand, if the PDP determines that it cannot properly evaluate a condition, that failure may well affect all applications of the containing rules.
The following definitions supplement those in PCIM itself. PCIM definitions that are not DEPRECATED here are still current parts of the overall Policy Core Information Model.
PolicySet is an abstract class that may group policies into a structured set of policies.
NAME             PolicySet
DESCRIPTION      An abstract class that represents a set of policies that form a coherent set. The set of contained policies has a common decision strategy and a common set of policy roles. Subclasses include PolicyGroup and PolicyRule.
DERIVED FROM     Policy
ABSTRACT         TRUE
PROPERTIES       PolicyDecisionStrategy
                 PolicyRoles
The PolicyDecisionStrategy property specifies the evaluation method for policy groups and rules contained within the policy set.
NAME             PolicyDecisionStrategy
DESCRIPTION      The evaluation method used for policies contained in the PolicySet. FirstMatching enforces the actions of the first rule that evaluates to TRUE; AllMatching enforces the actions of all rules that evaluate to TRUE.
SYNTAX           uint16
VALUES           1 [FirstMatching], 2 [AllMatching]
DEFAULT VALUE    1 [FirstMatching]
The definition of PolicyRoles is unchanged from PCIM. It is, however, moved from the class Policy up to the superclass PolicySet.
The PolicyGroup class is moved, so that it is now derived from PolicySet.
NAME             PolicyGroup
DESCRIPTION      A container for a set of related PolicyRules and PolicyGroups.
DERIVED FROM     PolicySet
ABSTRACT         FALSE
PROPERTIES       (none)
The PolicyRule class is moved, so that it is now derived from PolicySet. The Priority property is also deprecated in PolicyRule, and PolicyRoles is now inherited from the parent class PolicySet. Finally, a new property ExecutionStrategy is introduced, paralleling the property of the same name in the class CompoundPolicyAction.
NAME             PolicyRule
DESCRIPTION      The central class for representing the "If Condition then Action" semantics associated with a policy rule.
DERIVED FROM     PolicySet
ABSTRACT         FALSE
PROPERTIES       Enabled
                 ConditionListType
                 RuleUsage
                 Priority DEPRECATED FOR PolicySetComponent.Priority
                          AND FOR PolicySetInSystem.Priority
                 Mandatory
                 SequencedActions
                 ExecutionStrategy
The property ExecutionStrategy defines the execution strategy to be used upon the sequenced actions aggregated by this PolicyRule. (An equivalent ExecutionStrategy property is also defined for the CompoundPolicyAction class, to provide the same indication for the sequenced actions aggregated by a CompoundPolicyAction.) This document defines three execution strategies:
Do Until Success - execute actions according to predefined order, until successful execution of a single action.
Do All - execute ALL actions which are part of the modeled set, according to their predefined order. Continue doing this, even if one or more of the actions fails.
Do Until Failure - execute actions according to predefined order, until the first failure in execution of a single sub-action.
The property definition is as follows:
NAME             ExecutionStrategy
DESCRIPTION      An enumeration indicating how to interpret the action ordering for the actions aggregated by this PolicyRule.
SYNTAX           uint16 (ENUM, {1=Do Until Success, 2=Do All, 3=Do Until Failure} )
DEFAULT VALUE    Do All (2)
A simple policy condition is composed of an ordered triplet:
<Variable> MATCH <Value>
No formal modeling of the MATCH operator is provided. The 'match' relationship is implied. Such simple conditions are evaluated by answering the question:
Does <variable> match <value>?
The 'match' relationship is to be interpreted by analyzing the variable and value instances associated with the simple condition.
Simple conditions are building blocks for more complex Boolean Conditions, modeled by the CompoundPolicyCondition class.
The SimplePolicyCondition class is derived from the PolicyCondition class defined in PCIM.
A variable and a value must be associated with a simple condition to make it a meaningful condition, using, respectively, the aggregations PolicyVariableInSimplePolicyCondition and PolicyValueInSimplePolicyCondition.
The class definition is as follows:
NAME             SimplePolicyCondition
DERIVED FROM     PolicyCondition
ABSTRACT         False
PROPERTIES       (none)
This class represents a compound policy condition, formed by aggregation of simpler policy conditions.
NAME             CompoundPolicyCondition
DESCRIPTION      A subclass of PolicyCondition that introduces the ConditionListType property, used for assigning DNF / CNF semantics to subordinate policy conditions.
DERIVED FROM     PolicyCondition
ABSTRACT         FALSE
PROPERTIES       ConditionListType
The ConditionListType property is used to specify whether the list of policy conditions associated with this compound policy condition is in disjunctive normal form (DNF) or conjunctive normal form (CNF). If this property is not present, the list type defaults to DNF. The property definition is as follows:
NAME             ConditionListType
DESCRIPTION      Indicates whether the list of policy conditions associated with this policy rule is in disjunctive normal form (DNF) or conjunctive normal form (CNF).
SYNTAX           uint16
VALUES           DNF(1), CNF(2)
DEFAULT VALUE    DNF(1)
This subclass of CompoundPolicyCondition introduces one additional property, the boolean IsMirrored. This property turns on or off the "flipping" of corresponding source and destination fields in a filter specification.
NAME             CompoundFilterCondition
DESCRIPTION      A subclass of CompoundPolicyCondition that introduces the IsMirrored property.
DERIVED FROM     CompoundPolicyCondition
ABSTRACT         FALSE
PROPERTIES       IsMirrored
The IsMirrored property indicates whether packets that "mirror" a compound filter condition should be treated as matching the filter. The property definition is as follows:
NAME             IsMirrored
DESCRIPTION      Indicates whether packets that mirror the specified filter are to be treated as matching the filter.
SYNTAX           boolean
DEFAULT VALUE    FALSE
The SimplePolicyAction class models the elementary set operation "SET <variable> TO <value>". The set operator MUST overwrite an old value of the variable.
Two aggregations are used in order to create the pair <variable> <value>. The aggregation PolicyVariableInSimplePolicyAction relates a SimplePolicyAction to a single variable instance. Similarly, the aggregation PolicyValueInSimplePolicyAction relates a SimplePolicyAction to a single value instance. Both aggregations are defined in this document.
NAME             SimplePolicyAction
DESCRIPTION      A subclass of PolicyAction that introduces the notion of "SET variable TO value".
DERIVED FROM     PolicyAction
ABSTRACT         FALSE
PROPERTIES       (none)
The CompoundPolicyAction class is used to represent an expression consisting of an ordered sequence of action terms. Each action term is represented as a subclass of the PolicyAction class, defined in [PCIM]. Compound actions are constructed by associating dependent action terms together using the PolicyActionInPolicyAction aggregation.
The class definition is as follows:
NAME             CompoundPolicyAction
DESCRIPTION      A class for representing sequenced action terms. Each action term is defined to be a subclass of the PolicyAction class.
DERIVED FROM     PolicyAction
ABSTRACT         FALSE
PROPERTIES       SequencedActions
                 ExecutionStrategy
This is a concrete class, and is therefore directly instantiable.
The property SequencedActions is identical to the SequencedActions property defined in PCIM for the class PolicyRule.
The property ExecutionStrategy defines the execution strategy to be used upon the sequenced actions associated with this compound action. (An equivalent ExecutionStrategy property is also defined for the PolicyRule class, to provide the same indication for the sequenced actions associated with a PolicyRule.) This document defines three execution strategies:
Do Until Success - execute actions according to predefined order, until successful execution of a single sub-action.
Do All - execute ALL actions which are part of the modeled set, according to their predefined order. Continue doing this, even if one or more of the sub-actions fails.
Do Until Failure - execute actions according to predefined order, until the first failure in execution of a single sub-action.
Since a CompoundPolicyAction may itself be aggregated either by a PolicyRule or by another CompoundPolicyAction, its success or failure will be an input to the aggregating entity's execution strategy. Consequently, the following rules are specified, for determining whether a CompoundPolicyAction succeeds or fails:
If the CompoundPolicyAction's ExecutionStrategy is Do Until Success, then:
o If one component action succeeds, then the CompoundPolicyAction succeeds.
o If all component actions fail, then the CompoundPolicyAction fails.
If the CompoundPolicyAction's ExecutionStrategy is Do All, then:
o If all component actions succeed, then the CompoundPolicyAction succeeds.
o If at least one component action fails, then the CompoundPolicyAction fails.
If the CompoundPolicyAction's ExecutionStrategy is Do Until Failure, then:
o If all component actions succeed, then the CompoundPolicyAction succeeds.
o If at least one component action fails, then the CompoundPolicyAction fails.
The definition of the ExecutionStrategy property is as follows:
NAME             ExecutionStrategy
DESCRIPTION      An enumeration indicating how to interpret the action ordering for the actions aggregated by this CompoundPolicyAction.
SYNTAX           uint16 (ENUM, {1=Do Until Success, 2=Do All, 3=Do Until Failure} )
DEFAULT VALUE    Do All (2)
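The three execution strategies and the success/failure rules above, as an added Python example that is not part of RFC 3460: nested CompoundPolicyActions are executed and each one reports its own result to the aggregating entity. List order standing in for the predefined action order, actions modelled as callables returning True on success, and an exception counting as a failure are assumptions of this example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, List, Union


class ExecutionStrategy(IntEnum):
    DO_UNTIL_SUCCESS = 1
    DO_ALL = 2            # DEFAULT VALUE Do All (2)
    DO_UNTIL_FAILURE = 3


@dataclass
class Action:
    """A leaf action; run() returns True on success (assumed interface)."""
    name: str
    run: Callable[[], bool]


@dataclass
class CompoundPolicyAction:
    """An ordered list of actions; list order stands in for the predefined order."""
    name: str
    actions: List[Union[Action, "CompoundPolicyAction"]]
    strategy: ExecutionStrategy = ExecutionStrategy.DO_ALL


def execute(node, trace):
    """Execute node, append (name, succeeded) to trace, return the result."""
    if isinstance(node, Action):
        try:
            ok = bool(node.run())
        except Exception:
            ok = False  # assumption: an action that raises has failed
        trace.append((node.name, ok))
        return ok

    strategy = ExecutionStrategy(node.strategy)
    results = []
    for child in node.actions:
        ok = execute(child, trace)
        results.append(ok)
        if strategy == ExecutionStrategy.DO_UNTIL_SUCCESS and ok:
            break  # stop at the first success
        if strategy == ExecutionStrategy.DO_UNTIL_FAILURE and not ok:
            break  # stop at the first failure
        # DO_ALL keeps going even after a failure

    if strategy == ExecutionStrategy.DO_UNTIL_SUCCESS:
        succeeded = any(results)   # one success is enough
    else:
        succeeded = all(results)   # Do All / Do Until Failure: any failure fails
    trace.append((node.name, succeeded))
    return succeeded


def demo():
    """Constructed scenario: a Do All parent aggregating two nested compounds."""
    marking = CompoundPolicyAction(
        "marking",
        [Action("mark-primary", lambda: False),
         Action("mark-fallback", lambda: True),
         Action("mark-unused", lambda: True)],
        ExecutionStrategy.DO_UNTIL_SUCCESS,
    )
    pipeline = CompoundPolicyAction(
        "pipeline",
        [Action("step-a", lambda: True),
         Action("step-b", lambda: False),
         Action("step-c", lambda: True)],
        ExecutionStrategy.DO_UNTIL_FAILURE,
    )
    rule = CompoundPolicyAction(
        "rule", [Action("log", lambda: True), marking, pipeline])  # Do All
    trace = []
    return execute(rule, trace), trace


if __name__ == "__main__":
    outcome, steps = demo()
    for name, ok in steps:
        print(f"{name:14s} {'succeeded' if ok else 'failed'}")
    print("rule outcome:", outcome)
```

The trace shows that Do All and Do Until Failure report the same success or failure but differ in which actions actually ran, which matters when auditing what a device applied after a partial failure.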
Variables are used for building individual conditions. The variable specifies the property of a flow or an event that should be matched when evaluating the condition. However, not every combination of a variable and a value creates a meaningful condition. For example, a source IP address variable cannot be matched against a value that specifies a port number. A given variable selects the set of matchable value types.
A variable can have constraints that limit the set of values within a particular value type that can be matched against it in a condition. For example, a source-port variable limits the set of values to represent integers to the range of 0-65535. Integers outside this range cannot be matched to the source-port variable, even though they are of the correct data type. Constraints for a given variable are indicated through the ExpectedPolicyValuesForVariable association.
The PolicyVariable is an abstract class. Implicit and explicit context variable classes are defined as subclasses of the PolicyVariable class. A set of implicit variables is defined in this document as well.
The class definition is as follows:
NAME             PolicyVariable
DERIVED FROM     Policy
ABSTRACT         TRUE
PROPERTIES       (none)
Explicitly defined policy variables are evaluated within the context of the CIM Schema and its modeling constructs. The PolicyExplicitVariable class indicates the exact model property to be evaluated or manipulated. See Section 5.8.6 for a complete discussion of what happens when the values of the ModelClass and ModelProperty properties in an instance of this class do not correspond to the characteristics of the model construct being evaluated or updated.
The class definition is as follows:
NAME             PolicyExplicitVariable
DERIVED FROM     PolicyVariable
ABSTRACT         False
PROPERTIES       ModelClass, ModelProperty
This property is a string specifying the class name whose property is evaluated or set as a PolicyVariable.
The property is defined as follows:
NAME             ModelClass
SYNTAX           String
This property is a string specifying the property name, within the ModelClass, which is evaluated or set as a PolicyVariable. The property is defined as follows:
NAME             ModelProperty
SYNTAX           String
Implicitly defined policy variables are evaluated outside of the context of the CIM Schema and its modeling constructs. Subclasses specify the data type and semantics of the PolicyVariables.
Interpretation and evaluation of a PolicyImplicitVariable can vary, depending on the particular context in which it is used. For example, a "SourceIP" address may denote the source address field of an IP packet header, or the sender address delivered by an RSVP PATH message.
The class definition is as follows:
NAME             PolicyImplicitVariable
DERIVED FROM     PolicyVariable
ABSTRACT         True
PROPERTIES       ValueTypes[ ]
This property is a set of strings specifying an unordered list of possible value/data types that can be used in simple conditions and actions, with this variable. The value types are specified by their class names (subclasses of PolicyValue such as PolicyStringValue). The list of class names enables an application to search on a specific name, as well as to ensure that the data type of the variable is of the correct type.
The list of default ValueTypes for each subclass of PolicyImplicitVariable is specified within that variable's definition.
The property is defined as follows:
NAME             ValueTypes
SYNTAX           String
The following subclasses of PolicyImplicitVariable are defined in PCIMe.
NAME             PolicySourceIPv4Variable
DESCRIPTION      The source IPv4 address of the outermost IP packet header. "Outermost" here refers to the IP packet as it flows on the wire, before any headers have been stripped from it.
ALLOWED VALUE TYPES:
  - PolicyIPv4AddrValue
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicySourceIPv6Variable
DESCRIPTION      The source IPv6 address of the outermost IP packet header. "Outermost" here refers to the IP packet as it flows on the wire, before any headers have been stripped from it.
ALLOWED VALUE TYPES:
  - PolicyIPv6AddrValue
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyDestinationIPv4Variable
DESCRIPTION      The destination IPv4 address of the outermost IP packet header. "Outermost" here refers to the IP packet as it flows on the wire, before any headers have been stripped from it.
ALLOWED VALUE TYPES:
  - PolicyIPv4AddrValue
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyDestinationIPv6Variable
DESCRIPTION      The destination IPv6 address of the outermost IP packet header. "Outermost" here refers to the IP packet as it flows on the wire, before any headers have been stripped from it.
ALLOWED VALUE TYPES:
  - PolicyIPv6AddrValue
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicySourcePortVariable
DESCRIPTION      Ports are defined as the abstraction that transport protocols use to distinguish among multiple destinations within a given host computer. For TCP and UDP flows, the PolicySourcePortVariable is logically bound to the source port field of the outermost UDP or TCP packet header. "Outermost" here refers to the IP packet as it flows on the wire, before any headers have been stripped from it.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..65535)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyDestinationPortVariable
DESCRIPTION      Ports are defined as the abstraction that transport protocols use to distinguish among multiple destinations within a given host computer. For TCP and UDP flows, the PolicyDestinationPortVariable is logically bound to the destination port field of the outermost UDP or TCP packet header. "Outermost" here refers to the IP packet as it flows on the wire, before any headers have been stripped from it.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..65535)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyIPProtocolVariable
DESCRIPTION      The IP protocol number.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..255)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyIPVersionVariable
DESCRIPTION      The IP version number. The well-known values are 4 and 6.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..15)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyIPToSVariable
DESCRIPTION      The IP TOS octet.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..255)
  - PolicyBitStringValue (8 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyDSCPVariable
DESCRIPTION      The 6 bit Differentiated Service Code Point.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..63)
  - PolicyBitStringValue (6 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyFlowIdVariable
DESCRIPTION      The flow identifier of the outermost IPv6 packet header. "Outermost" here refers to the IP packet as it flows on the wire, before any headers have been stripped from it.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..1048575)
  - PolicyBitStringValue (20 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicySourceMACVariable
DESCRIPTION      The source MAC address.
ALLOWED VALUE TYPES:
  - PolicyMACAddrValue
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyDestinationMACVariable
DESCRIPTION      The destination MAC address.
ALLOWED VALUE TYPES:
  - PolicyMACAddrValue
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyVLANVariable
DESCRIPTION      The virtual Bridged Local Area Network Identifier, a 12-bit field as defined in the IEEE 802.1q standard.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..4095)
  - PolicyBitStringValue (12 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyCoSVariable
DESCRIPTION      Class of Service, a 3-bit field, used in the layer 2 header to select the forwarding treatment. Bound to the IEEE 802.1q user-priority field.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..7)
  - PolicyBitStringValue (3 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyEthertypeVariable
DESCRIPTION      The Ethertype protocol number of Ethernet frames.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..65535)
  - PolicyBitStringValue (16 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicySourceSAPVariable
DESCRIPTION      The Source Service Access Point (SAP) number of the IEEE 802.2 LLC header.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..255)
  - PolicyBitStringValue (8 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyDestinationSAPVariable
DESCRIPTION      The Destination Service Access Point (SAP) number of the IEEE 802.2 LLC header.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..255)
  - PolicyBitStringValue (8 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicySNAPOUIVariable
DESCRIPTION      The value of the first three octets of the Sub-Network Access Protocol (SNAP) Protocol Identifier field for 802.2 SNAP encapsulation, containing an Organizationally Unique Identifier (OUI). The value 00-00-00 indicates the encapsulation of Ethernet frames (RFC 1042). OUI value 00-00-F8 indicates the special encapsulation of Ethernet frames by certain types of bridges (IEEE 802.1H). Other values are supported, but are not further defined here. These OUI values are to be interpreted according to the endian-notation conventions of IEEE 802. For either of the two Ethernet encapsulations, the remainder of the Protocol Identifier field is represented by the PolicySNAPTypeVariable.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..16777215)
  - PolicyBitStringValue (24 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicySNAPTypeVariable
DESCRIPTION      The value of the 4th and 5th octets of the Sub-Network Access Protocol (SNAP) Protocol Identifier field for IEEE 802 SNAP encapsulation when the PolicySNAPOUIVariable indicates one of the two Encapsulated Ethernet frame formats. This value is undefined for other values of PolicySNAPOUIVariable.
ALLOWED VALUE TYPES:
  - PolicyIntegerValue (0..65535)
  - PolicyBitStringValue (16 bits)
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
NAME             PolicyFlowDirectionVariable
DESCRIPTION      The direction of a flow relative to a network element. Direction may be "IN" and/or "OUT".
ALLOWED VALUE TYPES:
  - PolicyStringValue ("IN", "OUT")
DERIVED FROM     PolicyImplicitVariable
ABSTRACT         FALSE
PROPERTIES       (none)
To match on both inbound and outbound flows, the associated PolicyStringValue object has two entries in its StringList property: "IN" and "OUT".
This is an abstract class that serves as the base class for all subclasses that are used to define value objects in the PCIMe. It is used for defining values and constants used in policy conditions. The class definition is as follows:
NAME             PolicyValue
DERIVED FROM     Policy
ABSTRACT         True
PROPERTIES       (none)
The following subsections contain the PolicyValue subclasses defined in PCIMe. Additional subclasses may be defined in models derived from PCIMe.
This class is used to provide a list of IPv4Addresses, hostnames and address range values to be matched against in a policy condition. The class definition is as follows:
NAME             PolicyIPv4AddrValue
DERIVED FROM     PolicyValue
ABSTRACT         False
PROPERTIES       IPv4AddrList[ ]
The IPv4AddrList property provides an unordered list of strings, each specifying a single IPv4 address, a hostname, or a range of IPv4 addresses, according to the ABNF definition [6] of an IPv4 address, as specified below:
IPv4address       = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
IPv4prefix        = IPv4address "/" 1*2DIGIT
IPv4range         = IPv4address"-"IPv4address
IPv4maskedaddress = IPv4address","IPv4address
Hostname (as defined in [4])
In the above definition, each string entry is either:
1. A single IPv4address in dot notation, as defined above. Example: 121.1.1.2
2. An IPv4prefix address range, as defined above, specified by an address and a prefix length, separated by "/". Example: 2.3.128.0/15
3. An IPv4range address range defined above, specified by a starting address in dot notation and an ending address in dot notation, separated by "-". The range includes all addresses between the range's starting and ending addresses, including these two addresses. Example: 1.1.22.1-1.1.22.5
4. An IPv4maskedaddress address range, as defined above, specified by an address and mask. The address and mask are represented in dot notation, separated by a comma ",". The masked address appears before the comma, and the mask appears after the comma. Example: 2.3.128.0,255.255.248.0.
5. A single Hostname. The Hostname format follows the guidelines and restrictions specified in [4]. Example: www.bigcompany.com.
Conditions matching IPv4AddrValues evaluate to true according to the generic matching rules. Additionally, a hostname is matched against another valid IPv4address representation by resolving the hostname into an IPv4 address first, and then comparing the addresses afterwards. Matching hostnames against each other is done using a string comparison of the two names.
The property definition is as follows:
NAME             IPv4AddrList
SYNTAX           String
FORMAT           IPv4address | IPv4prefix | IPv4range | IPv4maskedaddress | hostname
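The ABNF above is looser than a valid address: it admits strings such as 999.1.1.1 or a prefix length of 99. The following parser and matcher for IPv4AddrList entries is an added example, not part of RFC 3460. The function names, the `resolve` callback, the LDH hostname pattern standing in for reference [4], and the rejection of reversed ranges are assumptions of this sketch.

```python
import re

ADDR_SHAPE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")        # IPv4address per the ABNF
# Assumption: LDH labels stand in for the hostname rules of reference [4].
HOSTNAME = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")
ALL_ONES = 0xFFFFFFFF


def addr_to_int(text):
    """Dotted quad to 32-bit int. The ABNF admits 999.1.1.1, so bound each octet."""
    if not ADDR_SHAPE.fullmatch(text):
        raise ValueError(f"not an IPv4address: {text!r}")
    octets = [int(part) for part in text.split(".")]    # leading zeros read as decimal
    if max(octets) > 255:
        raise ValueError(f"octet above 255: {text!r}")
    return int.from_bytes(bytes(octets), "big")


def parse_entry(entry):
    """Return ("masked", value, mask), ("range", low, high) or ("hostname", name, None).

    Single addresses and prefixes are normalised to the masked form.
    """
    if "/" in entry:                                     # IPv4prefix
        addr, _, length = entry.partition("/")
        if not re.fullmatch(r"\d{1,2}", length) or int(length) > 32:
            raise ValueError(f"bad prefix length: {entry!r}")
        mask = (ALL_ONES << (32 - int(length))) & ALL_ONES
        return ("masked", addr_to_int(addr) & mask, mask)
    if "," in entry:                                     # IPv4maskedaddress
        addr, _, mask_text = entry.partition(",")
        mask = addr_to_int(mask_text)
        return ("masked", addr_to_int(addr) & mask, mask)
    low_text, dash, high_text = entry.partition("-")
    if dash and ADDR_SHAPE.fullmatch(low_text) and ADDR_SHAPE.fullmatch(high_text):
        low, high = addr_to_int(low_text), addr_to_int(high_text)   # IPv4range
        if low > high:                                   # would match nothing: reject
            raise ValueError(f"range start above range end: {entry!r}")
        return ("range", low, high)
    if ADDR_SHAPE.fullmatch(entry):                      # single IPv4address
        return ("masked", addr_to_int(entry), ALL_ONES)
    if HOSTNAME.fullmatch(entry):
        return ("hostname", entry, None)
    raise ValueError(f"not a valid IPv4AddrList entry: {entry!r}")


def entry_matches(entry, packet_addr, resolve=None):
    """True if packet_addr (dotted quad) is covered by one IPv4AddrList entry.

    resolve is a hypothetical callback mapping a hostname to a list of dotted
    quads; hostnames are resolved first and then compared as addresses.
    """
    kind, first, second = parse_entry(entry)
    target = addr_to_int(packet_addr)
    if kind == "masked":
        return (target & second) == first
    if kind == "range":
        return first <= target <= second                 # both end points included
    if resolve is None:
        raise LookupError(f"no resolver supplied for hostname {entry!r}")
    return any(addr_to_int(a) == target for a in resolve(entry))
```

Note that the RFC's own prefix example, 2.3.128.0/15, has bits set beyond the prefix length; after masking it covers 2.2.0.0 through 2.3.255.255.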
This class is used to define a list of IPv6 addresses, hostnames, and address range values. The class definition is as follows:
NAME             PolicyIPv6AddrValue
DERIVED FROM     PolicyValue
ABSTRACT         False
PROPERTIES       IPv6AddrList[ ]
The property IPv6AddrList provides an unordered list of strings, each specifying an IPv6 address, a hostname, or a range of IPv6 addresses. IPv6 address format definition uses the standard address format defined in [7]. The ABNF definition [6] as specified in [7] is:
IPv6address       = hexpart [ ":" IPv4address ]
IPv4address       = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
IPv6prefix        = hexpart "/" 1*2DIGIT
hexpart           = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
hexseq            = hex4 *( ":" hex4)
hex4              = 1*4HEXDIG
IPv6range         = IPv6address"-"IPv6address
IPv6maskedaddress = IPv6address","IPv6address
Hostname (as defined in [NAMES])
Each string entry is either:
1. A single IPv6address as defined above.
2. A single Hostname. Hostname format follows guidelines and restrictions specified in [4].
3. An IPv6range address range, specified by a starting address in dot notation and an ending address in dot notation, separated by "-". The range includes all addresses between the range's starting and ending addresses, including these two addresses.
4. An IPv4maskedaddress address range defined above specified by an address and mask. The address and mask are represented in dot notation separated by a comma ",".
5. A single IPv6prefix as defined above.
Conditions matching IPv6AddrValues evaluate to true according to the generic matching rules. Additionally, a hostname is matched against another valid IPv6address representation by resolving the hostname into an IPv6 address first, and then comparing the addresses afterwards. Matching hostnames against each other is done using a string comparison of the two names.
This class is used to define a list of MAC addresses and MAC address range values. The class definition is as follows:
NAME             PolicyMACAddrValue
DERIVED FROM     PolicyValue
ABSTRACT         False
PROPERTIES       MACAddrList[ ]
The property MACAddrList provides an unordered list of strings, each specifying a MAC address or a range of MAC addresses. The 802 MAC address canonical format is used. The ABNF definition [6] is:
MACaddress       = 1*4HEXDIG ":" 1*4HEXDIG ":" 1*4HEXDIG
MACmaskedaddress = MACaddress","MACaddress
Each string entry is either:
1. A single MAC address. Example: 0000:00A5:0000
2. A MACmaskedaddress address range specified by an address and mask. The mask specifies the relevant bits in the address. Example: 0000:00A5:0000,FFFF:FFFF:0000 defines a range of MAC addresses in which the first four octets are equal to 0000:00A5.
The property definition is as follows:
NAME             MACAddrList
SYNTAX           String
FORMAT           MACaddress | MACmaskedaddress
This class is used to represent a single string value, or a set of string values. Each value can have wildcards. The class definition is as follows:
NAME             PolicyStringValue
DERIVED FROM     PolicyValue
ABSTRACT         False
PROPERTIES       StringList[ ]
The property StringList provides an unordered list of strings, each representing a single string with wildcards. The asterisk character "*" is used as a wildcard, and represents an arbitrary substring replacement. For example, the value "abc*def" matches the string "abcxyzdef", and the value "abc*def*" matches the string "abcxxxdefyyyzzz". The syntax definition is identical to the substring assertion syntax defined in [5]. If the asterisk character is required as part of the string value itself, it MUST be quoted as described in Section 4.3 of [5].
The property definition is as follows:
NAME             StringList
SYNTAX           String
This class is used to represent a single bit string value, or a set of bit string values. The class definition is as follows:
NAME             PolicyBitStringValue
DERIVED FROM     PolicyValue
ABSTRACT         False
PROPERTIES       BitStringList[ ]
The property BitStringList provides an unordered list of strings, each representing a single bit string or a set of bit strings. The number of bits specified SHOULD equal the number of bits of the expected variable. For example, for a one-octet variable, 8 bits should be specified. If the variable does not have a fixed length, the bit string should be matched against the variable's most significant bit string. The formal definition of a bit string is:
binary-digit    = "0" / "1"
bitString       = 1*binary-digit
maskedBitString = bitString","bitString
Each string entry is either:
1. A single bit string. Example: 00111010
2. A range of bit strings specified using a bit string and a bit mask. The bit string and mask fields have the same number of bits specified. The mask bit string specifies the significant bits in the bit string value. For example, 110110, 100110 and 110111 would match the maskedBitString 100110,101110 but 100100 would not.
The property definition is as follows:
NAME             BitStringList
SYNTAX           String
FORMAT           bitString | maskedBitString
This class provides a list of integer and integer range values. Integers of arbitrary sizes can be represented. The class definition is as follows:
NAME             PolicyIntegerValue
DERIVED FROM     PolicyValue
ABSTRACT         False
PROPERTIES       IntegerList[ ]
The property IntegerList provides an unordered list of integers and integer range values, represented as strings. The format of this property takes one of the following forms:
1. An integer value.
2. A range of integers. The range is specified by a starting integer and an ending integer, separated by '..'. The starting integer MUST be less than or equal to the ending integer. The range includes all integers between the starting and ending integers, including these two integers.
To represent a range of integers that is not bounded, the reserved words -INFINITY and/or INFINITY can be used in place of the starting and ending integers. In addition to ordinary integer matches, INFINITY matches INFINITY and -INFINITY matches -INFINITY.
The ABNF definition [6] is:
integer      = [-]1*DIGIT | "INFINITY" | "-INFINITY"
integerrange = integer".."integer
Using ranges, the operators greater-than, greater-than-or-equal-to, less-than, and less-than-or-equal-to can be expressed. For example, "X is-greater-than 5" (where X is an integer) can be translated to "X matches 6-INFINITY". This enables the match condition semantics of the operator for the SimplePolicyCondition class to be kept simple (i.e., just the value "match").
The property definition is as follows:
NAME             IntegerList
SYNTAX           String
FORMAT           integer | integerrange
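The BitStringList and IntegerList matching rules described above can be checked against the document's own examples. The following matchers are an added example, not part of RFC 3460. The function names are hypothetical, ranges use the ".." separator from the integerrange ABNF, and comparing a bit string against the leading bits of a longer variable follows the "most significant bit string" rule in the text.

```python
import re

POS_INF, NEG_INF = float("inf"), float("-inf")


def bitstring_matches(entry, variable_bits):
    """Match a '0'/'1' string against one bitString or maskedBitString entry."""
    pattern, comma, mask = entry.partition(",")
    if not comma:
        mask = "1" * len(pattern)                  # plain bitString: every bit counts
    if not all(re.fullmatch(r"[01]+", f) for f in (pattern, mask, variable_bits)):
        raise ValueError("bit strings may contain only the digits 0 and 1")
    if len(mask) != len(pattern):
        raise ValueError("bit string and mask must have the same number of bits")
    head = variable_bits[:len(pattern)]            # most significant bits of the variable
    if len(head) < len(pattern):
        return False                               # variable shorter than the pattern
    significant = int(mask, 2)
    return (int(head, 2) & significant) == (int(pattern, 2) & significant)


def parse_bound(text):
    """One 'integer' token of the ABNF, with the two reserved words."""
    if text == "INFINITY":
        return POS_INF
    if text == "-INFINITY":
        return NEG_INF
    if not re.fullmatch(r"-?\d+", text):
        raise ValueError(f"not an integer: {text!r}")
    return int(text)                               # arbitrary size, as the class allows


def parse_integer_entry(entry):
    """Return the inclusive (low, high) pair for an integer or integerrange."""
    low_text, dots, high_text = entry.partition("..")
    low = parse_bound(low_text)
    high = parse_bound(high_text) if dots else low
    if low > high:
        raise ValueError("starting integer MUST be less than or equal to ending integer")
    return low, high


def integer_list_matches(entries, value):
    """True if value falls in any IntegerList entry (the list is unordered, ORed)."""
    return any(low <= value <= high for low, high in map(parse_integer_entry, entries))
```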
This class is used to represent a Boolean (TRUE/FALSE) value. The class definition is as follows:
NAME             PolicyBooleanValue
DERIVED FROM     PolicyValue
ABSTRACT         False
PROPERTIES       BooleanValue
The property definition is as follows:
NAME             BooleanValue
SYNTAX           boolean
This class represents a collection of managed elements that share a common role. The PolicyRoleCollection always exists in the context of a system, specified using the PolicyRoleCollectionInSystem association. The value of the PolicyRole property in this class specifies the role, and can be matched with the value(s) in the PolicyRoles array in PolicyRules and PolicyGroups. ManagedElements that share the role defined in this collection are aggregated into the collection via the association ElementInPolicyRoleCollection.
NAME             PolicyRoleCollection
DESCRIPTION      A subclass of the CIM Collection class used to group together managed elements that share a role.
DERIVED FROM     Collection
ABSTRACT         FALSE
PROPERTIES       PolicyRole
This property represents the role associated with a PolicyRoleCollection. The property definition is as follows:
NAME             PolicyRole
DESCRIPTION      A string representing the role associated with a PolicyRoleCollection.
SYNTAX           string
The new class ReusablePolicyContainer is defined as follows:
NAME             ReusablePolicyContainer
DESCRIPTION      A class representing an administratively defined container for reusable policy-related information. This class does not introduce any additional properties beyond those in its superclass AdminDomain. It does, however, participate in a number of unique associations.
DERIVED FROM     AdminDomain
ABSTRACT         FALSE
PROPERTIES       (none)
The class definition of PolicyRepository (from PCIM) is updated as follows, with an indication that the class has been deprecated. Note that when an element of the model is deprecated, its replacement element is identified explicitly.
NAME             PolicyRepository
DEPRECATED FOR   ReusablePolicyContainer
DESCRIPTION      A class representing an administratively defined container for reusable policy-related information. This class does not introduce any additional properties beyond those in its superclass AdminDomain. It does, however, participate in a number of unique associations.
DERIVED FROM     AdminDomain
ABSTRACT         FALSE
PROPERTIES       (none)
FilterEntryBase is the abstract base class from which all filter entry classes are derived. It serves as the endpoint for the EntriesInFilterList aggregation, which groups filter entries into filter lists. Its properties include CIM naming attributes and an IsNegated boolean property (to easily "NOT" the match information specified in an instance of one of its subclasses).
The class definition is as follows:
NAME             FilterEntryBase
DESCRIPTION      An abstract class representing a single filter that is aggregated into a FilterList via the aggregation EntriesInFilterList.
DERIVED FROM     LogicalElement
TYPE             Abstract
PROPERTIES       IsNegated
This concrete class contains the most commonly required properties for performing filtering on IP, TCP or UDP headers. Properties not present in an instance of IPHeadersFilter are treated as 'all values'. A property HdrIpVersion identifies whether the IP addresses in an instance are IPv4 or IPv6 addresses. Since the source and destination IP addresses come from the same packet header, they will always be of the same type.
The class definition is as follows:
NAME             IpHeadersFilter
DESCRIPTION      A class representing an entire IP header filter, or any subset of one.
DERIVED FROM     FilterEntryBase
TYPE             Concrete
PROPERTIES       HdrIpVersion, HdrSrcAddress, HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange, HdrDestMask, HdrProtocolID, HdrSrcPortStart, HdrSrcPortEnd, HdrDestPortStart, HdrDestPortEnd, HdrDSCP[ ], HdrFlowLabel
This property is an 8-bit unsigned integer, identifying the version of the IP addresses to be filtered on. IP versions are identified as they are in the Version field of the IP packet header - IPv4 = 4, IPv6 = 6. These two values are the only ones defined for this property.
The value of this property determines the sizes of the OctetStrings in the six properties HdrSrcAddress, HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange, and HdrDestMask, as follows:
o IPv4: OctetString(SIZE (4))
o IPv6: OctetString(SIZE (16|20)), depending on whether a scope identifier is present
If a value for this property is not provided, then the filter does not consider IP version in selecting matching packets, i.e., IP version matches for all values. In this case, the HdrSrcAddress, HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange, and HdrDestMask must also not be present.
This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing a source IP address. When there is no HdrSrcAddressEndOfRange value, this value is compared to the source address in the IP header, subject to the mask represented in the HdrSrcMask property. (Note that the mask is ANDed with the address.) When there is a HdrSrcAddressEndOfRange value, this value is the start of the specified range (i.e., the HdrSrcAddress is lower than the HdrSrcAddressEndOfRange) that is compared to the source address in the IP header and matches on any value in the range.
If a value for this property is not provided, then the filter does not consider HdrSrcAddress in selecting matching packets, i.e., HdrSrcAddress matches for all values.
This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing the end of a range of source IP addresses (inclusive), where the start of the range is the HdrSrcAddress property value.
If a value for HdrSrcAddress is not provided, then this property also MUST NOT be provided. If a value for this property is provided, then HdrSrcMask MUST NOT be provided.
This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing a mask to be used in comparing the source address in the IP header with the value represented in the HdrSrcAddress property.
If a value for this property is not provided, then the filter does not consider HdrSrcMask in selecting matching packets, i.e., the value of HdrSrcAddress or the source address range must match the source address in the packet exactly. If a value for this property is provided, then HdrSrcAddressEndOfRange MUST NOT be provided.
This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing a destination IP address. When there is no HdrDestAddressEndOfRange value, this value is compared to the destination address in the IP header, subject to the mask represented in the HdrDestMask property. (Note that the mask is ANDed with the address.) When there is a HdrDestAddressEndOfRange value, this value is the start of the specified range (i.e., the HdrDestAddress is lower than the HdrDestAddressEndOfRange) that is compared to the destination address in the IP header and matches on any value in the range.
If a value for this property is not provided, then the filter does not consider HdrDestAddress in selecting matching packets, i.e., HdrDestAddress matches for all values.
This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing the end of a range of destination IP addresses (inclusive), where the start of the range is the HdrDestAddress property value.
If a value for HdrDestAddress is not provided, then this property also MUST NOT be provided. If a value for this property is provided, then HdrDestMask MUST NOT be provided.
This property is an OctetString, of a size determined by the value of the HdrIpVersion property, representing a mask to be used in comparing the destination address in the IP header with the value represented in the HdrDestAddress property.
If a value for this property is not provided, then the filter does not consider HdrDestMask in selecting matching packets, i.e., the value of HdrDestAddress or the destination address range must match the destination address in the packet exactly. If a value for this property is provided, then HdrDestAddressEndOfRange MUST NOT be provided.
This property is an 8-bit unsigned integer, representing an IP protocol type. This value is compared to the Protocol field in the IP header.
If a value for this property is not provided, then the filter does not consider HdrProtocolID in selecting matching packets, i.e., HdrProtocolID matches for all values.
This property is a 16-bit unsigned integer, representing the lower end of a range of UDP or TCP source ports. The upper end of the range is represented by the HdrSrcPortEnd property. The value of HdrSrcPortStart MUST be no greater than the value of HdrSrcPortEnd. A single port is indicated by equal values for HdrSrcPortStart and HdrSrcPortEnd.
A source port filter is evaluated by testing whether the source port identified in the IP header falls within the range of values between HdrSrcPortStart and HdrSrcPortEnd, including these two end points.
If a value for this property is not provided, then the filter does not consider HdrSrcPortStart in selecting matching packets, i.e., there is no lower bound in matching source port values.
This property is a 16-bit unsigned integer, representing the upper end of a range of UDP or TCP source ports. The lower end of the range is represented by the HdrSrcPortStart property. The value of HdrSrcPortEnd MUST be no less than the value of HdrSrcPortStart. A single port is indicated by equal values for HdrSrcPortStart and HdrSrcPortEnd.
A source port filter is evaluated by testing whether the source port identified in the IP header falls within the range of values between HdrSrcPortStart and HdrSrcPortEnd, including these two end points.
If a value for this property is not provided, then the filter does not consider HdrSrcPortEnd in selecting matching packets, i.e., there is no upper bound in matching source port values.
This property is a 16-bit unsigned integer, representing the lower end of a range of UDP or TCP destination ports. The upper end of the range is represented by the HdrDestPortEnd property. The value of HdrDestPortStart MUST be no greater than the value of HdrDestPortEnd. A single port is indicated by equal values for HdrDestPortStart and HdrDestPortEnd.
A destination port filter is evaluated by testing whether the destination port identified in the IP header falls within the range of values between HdrDestPortStart and HdrDestPortEnd, including these two end points.
If a value for this property is not provided, then the filter does not consider HdrDestPortStart in selecting matching packets, i.e., there is no lower bound in matching destination port values.
This property is a 16-bit unsigned integer, representing the upper end of a range of UDP or TCP destination ports. The lower end of the range is represented by the HdrDestPortStart property. The value of HdrDestPortEnd MUST be no less than the value of HdrDestPortStart. A single port is indicated by equal values for HdrDestPortStart and HdrDestPortEnd.
A destination port filter is evaluated by testing whether the destination port identified in the IP header falls within the range of values between HdrDestPortStart and HdrDestPortEnd, including these two end points.
If a value for this property is not provided, then the filter does not consider HdrDestPortEnd in selecting matching packets, i.e., there is no upper bound in matching destination port values.
The property HdrDSCP is defined as an array of uint8's, restricted to the range 0..63. Since DSCPs are defined as discrete code points, with no inherent structure, there is no semantically significant relationship between different DSCPs. Consequently, there is no provision for specifying a range of DSCPs in this property. However, a list of individual DSCPs, which are ORed together to form a filter, is supported by the array syntax.
If a value for this property is not provided, then the filter does not consider HdrDSCP in selecting matching packets, i.e., HdrDSCP matches for all values.
The 20-bit Flow Label field in the IPv6 header may be used by a source to label sequences of packets for which it requests special handling by IPv6 devices, such as non-default quality of service or 'real-time' service. This property is an octet string of size 3 (that is, 24 bits), in which the 20-bit Flow Label appears in the rightmost 20 bits, padded on the left with b'0000'.
If a value for this property is not provided, then the filter does not consider HdrFlowLabel in selecting matching packets, i.e., HdrFlowLabel matches for all values.
This concrete class allows 802.1 source and destination MAC addresses, as well as the 802.1 protocol ID, priority, and VLAN identifier fields, to be expressed in a single object.
The class definition is as follows:
NAME            8021Filter
DESCRIPTION     A class that allows 802.1 source and destination MAC address and protocol ID, priority, and VLAN identifier filters to be expressed in a single object.
DERIVED FROM    FilterEntryBase
TYPE            Concrete
PROPERTIES      8021HdrSrcMACAddr, 8021HdrSrcMACMask, 8021HdrDestMACAddr, 8021HdrDestMACMask, 8021HdrProtocolID, 8021HdrPriorityValue, 8021HDRVLANID
This property is an OctetString of size 6, representing a 48-bit source MAC address in canonical format. This value is compared to the SourceAddress field in the MAC header, subject to the mask represented in the 8021HdrSrcMACMask property.
If a value for this property is not provided, then the filter does not consider 8021HdrSrcMACAddr in selecting matching packets, i.e., 8021HdrSrcMACAddr matches for all values.
This property is an OctetString of size 6, representing a 48-bit mask to be used in comparing the SourceAddress field in the MAC header with the value represented in the 8021HdrSrcMACAddr property.
If a value for this property is not provided, then the filter does not consider 8021HdrSrcMACMask in selecting matching packets, i.e., the value of 8021HdrSrcMACAddr must match the source MAC address in the packet exactly.
This property is an OctetString of size 6, representing a 48-bit destination MAC address in canonical format. This value is compared to the DestinationAddress field in the MAC header, subject to the mask represented in the 8021HdrDestMACMask property.
If a value for this property is not provided, then the filter does not consider 8021HdrDestMACAddr in selecting matching packets, i.e., 8021HdrDestMACAddr matches for all values.
This property is an OctetString of size 6, representing a 48-bit mask to be used in comparing the DestinationAddress field in the MAC header with the value represented in the 8021HdrDestMACAddr property.
If a value for this property is not provided, then the filter does not consider 8021HdrDestMACMask in selecting matching packets, i.e., the value of 8021HdrDestMACAddr must match the destination MAC address in the packet exactly.
This property is a 16-bit unsigned integer, representing an Ethernet protocol type. This value is compared to the Ethernet Type field in the 802.3 MAC header.
If a value for this property is not provided, then the filter does not consider 8021HdrProtocolID in selecting matching packets, i.e., 8021HdrProtocolID matches for all values.
This property is an 8-bit unsigned integer, representing an 802.1Q priority. This value is compared to the Priority field in the 802.1Q header. Since the 802.1Q Priority field consists of 3 bits, the values for this property are limited to the range 0..7.
If a value for this property is not provided, then the filter does not consider 8021HdrPriorityValue in selecting matching packets, i.e., 8021HdrPriorityValue matches for all values.
This property is a 32-bit unsigned integer, representing an 802.1Q VLAN Identifier. This value is compared to the VLAN ID field in the 802.1Q header. Since the 802.1Q VLAN ID field consists of 12 bits, the values for this property are limited to the range 0..4095.
If a value for this property is not provided, then the filter does not consider 8021HdrVLANID in selecting matching packets, i.e., 8021HdrVLANID matches for all values.
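The 8021Filter matching rules above, as an added Python example that is not text or code from the RFC. The class name Dot1Filter, its field names, the sample frame, the reading of mask bits (a 1 bit means "compare this bit"), and the choice that an untagged frame never matches a filter that sets a priority or VLAN ID are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    priority: Optional[int]  # None when the frame carries no 802.1Q tag
    vlan_id: Optional[int]


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet header with at most one 802.1Q tag (TPID 0x8100)."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack_from("!H", raw, 12)
    priority = vlan_id = None
    if etype == 0x8100:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack_from("!HH", raw, 14)
        priority, vlan_id = tci >> 13, tci & 0x0FFF  # 3-bit priority, 12-bit VLAN ID
    return Frame(dst, src, etype, priority, vlan_id)


def _mac_matches(addr: Optional[bytes], mask: Optional[bytes], actual: bytes) -> bool:
    if addr is None:
        return True                # address not provided: matches all values
    if mask is None:
        return addr == actual      # mask not provided: exact match required
    # Assumption: a 1 bit in the mask means "compare this bit".
    return all((a & m) == (x & m) for a, m, x in zip(addr, mask, actual))


@dataclass(frozen=True)
class Dot1Filter:
    """Models 8021Filter; None means the property was not provided."""
    src_mac: Optional[bytes] = None      # 8021HdrSrcMACAddr
    src_mask: Optional[bytes] = None     # 8021HdrSrcMACMask
    dst_mac: Optional[bytes] = None      # 8021HdrDestMACAddr
    dst_mask: Optional[bytes] = None     # 8021HdrDestMACMask
    protocol_id: Optional[int] = None    # 8021HdrProtocolID
    priority: Optional[int] = None       # 8021HdrPriorityValue
    vlan_id: Optional[int] = None        # 8021HdrVLANID

    def __post_init__(self):
        for name in ("src_mac", "src_mask", "dst_mac", "dst_mask"):
            value = getattr(self, name)
            if value is not None and len(value) != 6:
                raise ValueError(f"{name} must be an octet string of size 6")
        limits = (("protocol_id", 0xFFFF), ("priority", 7), ("vlan_id", 4095))
        for name, top in limits:
            value = getattr(self, name)
            if value is not None and not 0 <= value <= top:
                raise ValueError(f"{name} must be in 0..{top}")

    def matches(self, f: Frame) -> bool:
        # Assumption: an untagged frame has no Priority or VLAN ID field, so
        # it cannot satisfy a filter that specifies either (None != value).
        return (
            _mac_matches(self.src_mac, self.src_mask, f.src)
            and _mac_matches(self.dst_mac, self.dst_mask, f.dst)
            and (self.protocol_id is None or self.protocol_id == f.ethertype)
            and (self.priority is None or self.priority == f.priority)
            and (self.vlan_id is None or self.vlan_id == f.vlan_id)
        )


# Constructed frame header: dst, src, 802.1Q tag (priority 5, VLAN 100), IPv4.
SAMPLE = bytes.fromhex("020000000001" "02005e10002a" "8100" "a064" "0800")
TAGGED = parse_frame(SAMPLE)
UNTAGGED = parse_frame(SAMPLE[:12] + SAMPLE[16:])
# Source address plus mask: only the first three octets are compared.
OUI_FILTER = Dot1Filter(src_mac=bytes.fromhex("02005e000000"),
                        src_mask=bytes.fromhex("ffffff000000"))
```

Dropping src_mask from OUI_FILTER turns the same address into an exact-match criterion, which the sample frame no longer satisfies.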
This is a concrete class that aggregates instances of (subclasses of) FilterEntryBase via the aggregation EntriesInFilterList. It is possible to aggregate different types of filters into a single FilterList - for example, packet header filters (represented by the IpHeadersFilter class) and security filters (represented by subclasses of FilterEntryBase defined by IPsec).
The aggregation property EntriesInFilterList.EntrySequence is always set to 0, to indicate that the aggregated filter entries are ANDed together to form a selector for a class of traffic.
The class definition is as follows:
NAME            FilterList
DESCRIPTION     A concrete class representing the aggregation of multiple filters.
DERIVED FROM    LogicalElement
TYPE            Concrete
PROPERTIES      Direction
This property is a 16-bit unsigned integer enumeration, representing the direction of the traffic flow to which the FilterList is to be applied. Defined enumeration values are
o NotApplicable(0)
o Input(1)
o Output(2)
o Both(3) - This value is used to indicate that the direction is immaterial, e.g., to filter on a source subnet regardless of whether the flow is inbound or outbound
o Mirrored(4) - This value is also applicable to both inbound and outbound flow processing, but it indicates that the filter criteria are applied asymmetrically to traffic in both directions and, thus, specifies the reversal of source and destination criteria (as opposed to the equality of these criteria as indicated by "Both"). The match conditions in the aggregated FilterEntryBase subclass instances are defined from the perspective of outbound flows and applied to inbound flows as well by reversing the source and destination criteria. So, for example, consider a FilterList with 3 filter entries indicating destination port = 80, and source and destination addresses of a and b, respectively. Then, for the outbound direction, the filter entries match as specified and the 'mirror' (for the inbound direction) matches on source port = 80 and source and destination addresses of b and a, respectively.
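The FilterList semantics above (entries ANDed, properties that are not provided matching all values, inclusive port ranges, ORed DSCP lists, the 3-octet flow label, and the Mirrored direction), as an added Python example that is not part of the RFC. The Python field names, exact-match addresses without masks, the sample addresses, and treating NotApplicable like Both are assumptions of this example.

```python
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional, Tuple


class Direction(IntEnum):
    NOT_APPLICABLE = 0
    INPUT = 1
    OUTPUT = 2
    BOTH = 3
    MIRRORED = 4


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for already-parsed header fields."""
    src: str
    dst: str
    sport: int
    dport: int
    dscp: int = 0
    flow_label: int = 0


def flow_label_octets(label: int) -> bytes:
    """Encode a 20-bit Flow Label as 3 octets, left-padded with b'0000'."""
    if not 0 <= label < 1 << 20:
        raise ValueError("Flow Label is a 20-bit field")
    return label.to_bytes(3, "big")


def _in_range(value: int, lo: Optional[int], hi: Optional[int]) -> bool:
    # A missing Start or End leaves that side of the range unbounded.
    return (lo is None or value >= lo) and (hi is None or value <= hi)


@dataclass(frozen=True)
class HeaderFilter:
    """One filter entry. None means 'value not provided', i.e. match all."""
    src_addr: Optional[str] = None
    dst_addr: Optional[str] = None
    src_port: Tuple[Optional[int], Optional[int]] = (None, None)  # (Start, End)
    dst_port: Tuple[Optional[int], Optional[int]] = (None, None)
    dscp: Optional[Tuple[int, ...]] = None   # individual code points, ORed
    flow_label: Optional[bytes] = None       # 3 octets

    def __post_init__(self):
        for lo, hi in (self.src_port, self.dst_port):
            if any(p is not None and not 0 <= p <= 0xFFFF for p in (lo, hi)):
                raise ValueError("ports are 16-bit unsigned integers")
            if lo is not None and hi is not None and hi < lo:
                raise ValueError("End MUST be no less than Start")
        if self.dscp is not None and any(not 0 <= d <= 63 for d in self.dscp):
            raise ValueError("DSCP values are restricted to 0..63")
        if self.flow_label is not None and (
            len(self.flow_label) != 3 or self.flow_label[0] >> 4
        ):
            raise ValueError("flow label: 3 octets with the top 4 bits zero")

    def mirrored(self) -> "HeaderFilter":
        """Swap source and destination criteria (Direction = Mirrored)."""
        return replace(self, src_addr=self.dst_addr, dst_addr=self.src_addr,
                       src_port=self.dst_port, dst_port=self.src_port)

    def matches(self, p: Packet) -> bool:
        return (
            (self.src_addr is None or self.src_addr == p.src)
            and (self.dst_addr is None or self.dst_addr == p.dst)
            and _in_range(p.sport, *self.src_port)
            and _in_range(p.dport, *self.dst_port)
            and (self.dscp is None or p.dscp in self.dscp)
            and (self.flow_label is None
                 or int.from_bytes(self.flow_label, "big") == p.flow_label)
        )


@dataclass(frozen=True)
class FilterList:
    entries: Tuple[HeaderFilter, ...]
    direction: Direction = Direction.BOTH

    def matches(self, p: Packet, inbound: bool) -> bool:
        if self.direction == Direction.INPUT and not inbound:
            return False
        if self.direction == Direction.OUTPUT and inbound:
            return False
        flip = self.direction == Direction.MIRRORED and inbound
        # Entries are ANDed: every one must match for the list to select p.
        return all((e.mirrored() if flip else e).matches(p) for e in self.entries)


# The example from the text: destination port 80, source a, destination b.
A, B = "192.0.2.10", "198.51.100.20"   # constructed documentation addresses
ENTRIES = (HeaderFilter(dst_port=(80, 80)), HeaderFilter(src_addr=A),
           HeaderFilter(dst_addr=B))
OUTBOUND = Packet(src=A, dst=B, sport=49152, dport=80)
REPLY = Packet(src=B, dst=A, sport=80, dport=49152)
```

With Direction set to Mirrored the list selects both OUTBOUND and the inbound REPLY; with Both, REPLY is not selected because the criteria are applied unreversed.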
The following definitions supplement those in PCIM itself. PCIM definitions that are not DEPRECATED here are still current parts of the overall Policy Core Information Model.
PolicySetComponent is a new aggregation class that collects instances of PolicySet subclasses (PolicyGroups and PolicyRules) into coherent sets of policies.
NAME            PolicySetComponent
DESCRIPTION     A concrete class representing the components of a policy set that have the same decision strategy, and are prioritized within the set.
DERIVED FROM    PolicyComponent
ABSTRACT        FALSE
PROPERTIES      GroupComponent[ref PolicySet[0..n]]
                PartComponent[ref PolicySet[0..n]]
                Priority
The definition of the Priority property is unchanged from its previous definition in [PCIM].
NAME            Priority
DESCRIPTION     A non-negative integer for prioritizing this PolicySet component relative to other components of the same PolicySet. A larger value indicates a higher priority.
SYNTAX          uint16
DEFAULT VALUE   0
The new aggregation PolicySetComponent is used directly to represent aggregation of PolicyGroups by a higher-level PolicyGroup. Thus the aggregation PolicyGroupInPolicyGroup is no longer needed, and can be deprecated.
NAME            PolicyGroupInPolicyGroup
DEPRECATED FOR  PolicySetComponent
DESCRIPTION     A class representing the aggregation of PolicyGroups by a higher-level PolicyGroup.
DERIVED FROM    PolicyComponent
ABSTRACT        FALSE
PROPERTIES      GroupComponent[ref PolicyGroup[0..n]]
                PartComponent[ref PolicyGroup[0..n]]
The new aggregation PolicySetComponent is used directly to represent aggregation of PolicyRules by a PolicyGroup. Thus the aggregation PolicyRuleInPolicyGroup is no longer needed, and can be deprecated.
NAME            PolicyRuleInPolicyGroup
DEPRECATED FOR  PolicySetComponent
DESCRIPTION     A class representing the aggregation of PolicyRules by a PolicyGroup.
DERIVED FROM    PolicyComponent
ABSTRACT        FALSE
PROPERTIES      GroupComponent[ref PolicyGroup[0..n]]
                PartComponent[ref PolicyRule[0..n]]
PolicySetInSystem is a new association that defines a relationship between a System and a PolicySet used in the administrative scope of that system (e.g., AdminDomain, ComputerSystem). The Priority property is used to assign a relative priority to a PolicySet within the administrative scope in contexts where it is not a component of another PolicySet.
NAME            PolicySetInSystem
DESCRIPTION     An abstract class representing the relationship between a System and a PolicySet that is used in the administrative scope of the System.
DERIVED FROM    PolicyInSystem
ABSTRACT        TRUE
PROPERTIES      Antecedent[ref System[0..1]]
                Dependent [ref PolicySet[0..n]]
                Priority
The Priority property is used to specify the relative priority of the referenced PolicySet when more than one PolicySet instance is applied to a managed resource and those instances are not PolicySetComponents and, therefore, have no other relative priority defined.
NAME            Priority
DESCRIPTION     A non-negative integer for prioritizing the referenced PolicySet among other PolicySet instances that are not components of a common PolicySet. A larger value indicates a higher priority.
SYNTAX          uint16
DEFAULT VALUE   0
Regardless of whether it is a component of another PolicySet, a PolicyGroup is itself defined within the scope of a System. This association links a PolicyGroup to the System in whose scope the PolicyGroup is defined. It is a subclass of the abstract PolicySetInSystem association. The class definition for the association is as follows:
NAME            PolicyGroupInSystem
DESCRIPTION     A class representing the fact that a PolicyGroup is defined within the scope of a System.
DERIVED FROM    PolicySetInSystem
ABSTRACT        FALSE
PROPERTIES      Antecedent[ref System[1..1]]
                Dependent [ref PolicyGroup[weak]]
The Reference "Antecedent" is inherited from PolicySetInSystem, and overridden to restrict its cardinality to [1..1]. It serves as an object reference to a System that provides a scope for one or more PolicyGroups. Since this is a weak association, the cardinality for this object reference is always 1, that is, a PolicyGroup is always defined within the scope of exactly one System.
The Reference "Dependent" is inherited from PolicySetInSystem, and overridden to become an object reference to a PolicyGroup defined within the scope of a System. Note that for any single instance of the association class PolicyGroupInSystem, this property (like all reference properties) is single-valued. The [0..n] cardinality indicates that a given System may have 0, 1, or more than one PolicyGroups defined within its scope.
Regardless of whether it is a component of another PolicySet, a PolicyRule is itself defined within the scope of a System. This association links a PolicyRule to the System in whose scope the PolicyRule is defined. It is a subclass of the abstract PolicySetInSystem association. The class definition for the association is as follows:
NAME            PolicyRuleInSystem
DESCRIPTION     A class representing the fact that a PolicyRule is defined within the scope of a System.
DERIVED FROM    PolicySetInSystem
ABSTRACT        FALSE
PROPERTIES      Antecedent[ref System[1..1]]
                Dependent[ref PolicyRule[weak]]
The Reference "Antecedent" is inherited from PolicySetInSystem, and overridden to restrict its cardinality to [1..1]. It serves as an object reference to a System that provides a scope for one or more PolicyRules. Since this is a weak association, the cardinality for this object reference is always 1, that is, a PolicyRule is always defined within the scope of exactly one System.
The Reference "Dependent" is inherited from PolicySetInSystem, and overridden to become an object reference to a PolicyRule defined within the scope of a System. Note that for any single instance of the association class PolicyRuleInSystem, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given System may have 0, 1, or more than one PolicyRules defined within its scope.
NAME            PolicyConditionStructure
DESCRIPTION     A class representing the aggregation of PolicyConditions by an aggregating instance.
DERIVED FROM    PolicyComponent
ABSTRACT        TRUE
PROPERTIES      PartComponent[ref PolicyCondition[0..n]]
                GroupNumber
                ConditionNegated

7.8. Update PCIM's Aggregation "PolicyConditionInPolicyRule"
The PCIM aggregation "PolicyConditionInPolicyRule" is updated, to make it a subclass of the new abstract aggregation PolicyConditionStructure. The properties GroupNumber and ConditionNegated are now inherited, rather than specified explicitly as they were in PCIM.
NAME            PolicyConditionInPolicyRule
DESCRIPTION     A class representing the aggregation of PolicyConditions by a PolicyRule.
DERIVED FROM    PolicyConditionStructure
ABSTRACT        FALSE
PROPERTIES      GroupComponent[ref PolicyRule[0..n]]
A second subclass of PolicyConditionStructure is defined, representing the compounding of policy conditions into a higher-level policy condition.
NAME            PolicyConditionInPolicyCondition
DESCRIPTION     A class representing the aggregation of PolicyConditions by another PolicyCondition.
DERIVED FROM    PolicyConditionStructure
ABSTRACT        FALSE
PROPERTIES      GroupComponent[ref CompoundPolicyCondition[0..n]]
NAME            PolicyActionStructure
DESCRIPTION     A class representing the aggregation of PolicyActions by an aggregating instance.
DERIVED FROM    PolicyComponent
ABSTRACT        TRUE
PROPERTIES      PartComponent[ref PolicyAction[0..n]]
                ActionOrder
The definition of the ActionOrder property appears in Section 7.8.3 of PCIM [1].
The PCIM aggregation "PolicyActionInPolicyRule" is updated, to make it a subclass of the new abstract aggregation PolicyActionStructure. The property ActionOrder is now inherited, rather than specified explicitly as it was in PCIM.
NAME            PolicyActionInPolicyRule
DESCRIPTION     A class representing the aggregation of PolicyActions by a PolicyRule.
DERIVED FROM    PolicyActionStructure
ABSTRACT        FALSE
PROPERTIES      GroupComponent[ref PolicyRule[0..n]]
A second subclass of PolicyActionStructure is defined, representing the compounding of policy actions into a higher-level policy action.
NAME            PolicyActionInPolicyAction
DESCRIPTION     A class representing the aggregation of PolicyActions by another PolicyAction.
DERIVED FROM    PolicyActionStructure
ABSTRACT        FALSE
PROPERTIES      GroupComponent[ref CompoundPolicyAction[0..n]]
A simple policy condition is represented as an ordered triplet {variable, operator, value}. This aggregation provides the linkage between a SimplePolicyCondition instance and a single PolicyVariable. The aggregation PolicyValueInSimplePolicyCondition links the SimplePolicyCondition to a single PolicyValue. The Operator property of SimplePolicyCondition represents the third element of the triplet, the operator.
The class definition for this aggregation is as follows:
NAME            PolicyVariableInSimplePolicyCondition
DERIVED FROM    PolicyComponent
ABSTRACT        False
PROPERTIES      GroupComponent[ref SimplePolicyCondition[0..n]]
                PartComponent[ref PolicyVariable[1..1]]
The reference property "GroupComponent" is inherited from PolicyComponent, and overridden to become an object reference to a SimplePolicyCondition that contains exactly one PolicyVariable. Note that for any single instance of the aggregation class PolicyVariableInSimplePolicyCondition, this property is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more SimplePolicyCondition objects that contain any given policy variable object.
The reference property "PartComponent" is inherited from PolicyComponent, and overridden to become an object reference to a PolicyVariable that is defined within the scope of a SimplePolicyCondition. Note that for any single instance of the association class PolicyVariableInSimplePolicyCondition, this property (like all reference properties) is single-valued. The [1..1] cardinality indicates that a SimplePolicyCondition must have exactly one policy variable defined within its scope in order to be meaningful.
A simple policy condition is represented as an ordered triplet {variable, operator, value}. This aggregation provides the linkage between a SimplePolicyCondition instance and a single PolicyValue. The aggregation PolicyVariableInSimplePolicyCondition links the SimplePolicyCondition to a single PolicyVariable. The Operator property of SimplePolicyCondition represents the third element of the triplet, the operator.
The class definition for this aggregation is as follows:
NAME            PolicyValueInSimplePolicyCondition
DERIVED FROM    PolicyComponent
ABSTRACT        False
PROPERTIES      GroupComponent[ref SimplePolicyCondition[0..n]]
                PartComponent[ref PolicyValue[1..1]]
The reference property "GroupComponent" is inherited from PolicyComponent, and overridden to become an object reference to a SimplePolicyCondition that contains exactly one PolicyValue. Note that for any single instance of the aggregation class PolicyValueInSimplePolicyCondition, this property is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more SimplePolicyCondition objects that contain any given policy value object.
The reference property "PartComponent" is inherited from PolicyComponent, and overridden to become an object reference to a PolicyValue that is defined within the scope of a SimplePolicyCondition. Note that for any single instance of the association class PolicyValueInSimplePolicyCondition, this property (like all reference properties) is single-valued. The [1..1] cardinality indicates that a SimplePolicyCondition must have exactly one policy value defined within its scope in order to be meaningful.
A simple policy action is represented as a pair {variable, value}. This aggregation provides the linkage between a SimplePolicyAction instance and a single PolicyVariable. The aggregation PolicyValueInSimplePolicyAction links the SimplePolicyAction to a single PolicyValue.
The class definition for this aggregation is as follows:
NAME            PolicyVariableInSimplePolicyAction
DERIVED FROM    PolicyComponent
ABSTRACT        False
PROPERTIES      GroupComponent[ref SimplePolicyAction[0..n]]
                PartComponent[ref PolicyVariable[1..1]]
The reference property "GroupComponent" is inherited from PolicyComponent, and overridden to become an object reference to a SimplePolicyAction that contains exactly one PolicyVariable. Note that for any single instance of the aggregation class PolicyVariableInSimplePolicyAction, this property is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more SimplePolicyAction objects that contain any given policy variable object.
The reference property "PartComponent" is inherited from PolicyComponent, and overridden to become an object reference to a PolicyVariable that is defined within the scope of a SimplePolicyAction. Note that for any single instance of the association class PolicyVariableInSimplePolicyAction, this property (like all reference properties) is single-valued. The [1..1] cardinality indicates that a SimplePolicyAction must have exactly one policy variable defined within its scope in order to be meaningful.
A simple policy action is represented as a pair {variable, value}. This aggregation provides the linkage between a SimplePolicyAction instance and a single PolicyValue. The aggregation PolicyVariableInSimplePolicyAction links the SimplePolicyAction to a single PolicyVariable.
The class definition for this aggregation is as follows:
NAME            PolicyValueInSimplePolicyAction
DERIVED FROM    PolicyComponent
ABSTRACT        False
PROPERTIES      GroupComponent[ref SimplePolicyAction[0..n]]
                PartComponent[ref PolicyValue[1..1]]
The reference property "GroupComponent" is inherited from PolicyComponent, and overridden to become an object reference to a SimplePolicyAction that contains exactly one PolicyValue. Note that for any single instance of the aggregation class PolicyValueInSimplePolicyAction, this property is single-valued. The [0..n] cardinality indicates that there may be 0, 1, or more SimplePolicyAction objects that contain any given policy value object.
The reference property "PartComponent" is inherited from PolicyComponent, and overridden to become an object reference to a PolicyValue that is defined within the scope of a SimplePolicyAction. Note that for any single instance of the association class PolicyValueInSimplePolicyAction, this property (like all reference properties) is single-valued. The [1..1] cardinality indicates that a SimplePolicyAction must have exactly one policy value defined within its scope in order to be meaningful.
The association ReusablePolicy makes it possible to include any subclass of the abstract class "Policy" in a ReusablePolicyContainer.
NAME            ReusablePolicy
DESCRIPTION     A class representing the inclusion of a reusable policy element in a ReusablePolicyContainer. Reusable elements may be PolicyGroups, PolicyRules, PolicyConditions, PolicyActions, PolicyVariables, PolicyValues, or instances of any other subclasses of the abstract class Policy.
DERIVED FROM    PolicyInSystem
ABSTRACT        FALSE
PROPERTIES      Antecedent[ref ReusablePolicyContainer[0..1]]
NAME            PolicyConditionInPolicyRepository
DEPRECATED FOR  ReusablePolicy
DESCRIPTION     A class representing the inclusion of a reusable PolicyCondition in a PolicyRepository.
DERIVED FROM    PolicyInSystem
ABSTRACT        FALSE
PROPERTIES      Antecedent[ref PolicyRepository[0..1]]
                Dependent[ref PolicyCondition[0..n]]
NAME            PolicyActionInPolicyRepository
DEPRECATED FOR  ReusablePolicy
DESCRIPTION     A class representing the inclusion of a reusable PolicyAction in a PolicyRepository.
DERIVED FROM    PolicyInSystem
ABSTRACT        FALSE
PROPERTIES      Antecedent[ref PolicyRepository[0..1]]
                Dependent[ref PolicyAction[0..n]]
This association links a PolicyValue object to a PolicyVariable object, modeling the set of expected values for that PolicyVariable. Using this association, a variable (instance) may be constrained to be bound-to/assigned only a set of allowed values. For example, to model an enumerated source port variable, one creates an instance of the PolicySourcePortVariable class and associates with it the set of values (integers) representing the allowed enumeration, using the appropriate number of instances of the ExpectedPolicyValuesForVariable association.
Note that a single variable instance may be constrained by any number of values, and a single value may be used to constrain any number of variables. These relationships are manifested by the n-to-m cardinality of the association.
The purpose of this association is to support validation of simple policy conditions and simple policy actions, prior to their deployment to an enforcement point. This association, and the PolicyValue object that it refers to, plays no role when a PDP or a PEP is evaluating a simple policy condition, or executing a simple policy action. See Section 5.8.3 for more details on this point.
The class definition for the association is as follows:
NAME             ExpectedPolicyValuesForVariable
DESCRIPTION      A class representing the association of a set of
                 expected values to a variable object.
DERIVED FROM     Dependency
ABSTRACT         FALSE
PROPERTIES       Antecedent [ref PolicyVariable[0..n]]
                 Dependent [ref PolicyValue [0..n]]
The reference property Antecedent is inherited from Dependency. Its type and cardinality are overridden to provide the semantics of a variable optionally having value constraints. The [0..n] cardinality indicates that any number of variables may be constrained by a given value.
The reference property "Dependent" is inherited from Dependency, and overridden to become an object reference to a PolicyValue representing the values that a particular PolicyVariable can have. The [0..n] cardinality indicates that a given policy variable may have 0, 1 or more than one PolicyValues defined to model the set(s) of values that the policy variable can take.
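An added example (not part of the RFC) of the pre-deployment validation this association supports: a small Python model of the n-to-m links, with a check that a candidate value falls inside the expected values of the variable it is bound to. The helper names, the range encoding, and the port numbers are assumptions constructed for illustration; only the PCIMe class names come from the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyVariable:
    name: str

@dataclass(frozen=True)
class PolicyValue:
    name: str
    ranges: tuple  # inclusive (low, high) integer pairs; encoding assumed for this example

    def contains(self, n):
        return any(lo <= n <= hi for lo, hi in self.ranges)

class ExpectedPolicyValuesForVariable:
    """n-to-m association: Antecedent is a PolicyVariable, Dependent a PolicyValue."""

    def __init__(self):
        self._links = set()  # each (variable, value) pair is one association instance

    def associate(self, variable, value):
        self._links.add((variable, value))

    def values_for(self, variable):
        return sorted((val for var, val in self._links if var == variable),
                      key=lambda v: v.name)

def validate_binding(assoc, variable, candidate):
    """Design-time check only: a PDP or PEP never consults these links.

    A variable with no associated PolicyValue is unconstrained ([0..n] allows 0);
    otherwise the candidate must fall in at least one expected value set.
    """
    expected = assoc.values_for(variable)
    if not expected:
        return True, "unconstrained"
    for value in expected:
        if value.contains(candidate):
            return True, f"allowed by {value.name}"
    return False, f"{candidate} not in expected values for {variable.name}"

def build_sample():
    """Constructed sample: two port variables sharing one value set, one unconstrained."""
    src = PolicyVariable("PolicySourcePortVariable")
    dst = PolicyVariable("PolicyDestinationPortVariable")
    free = PolicyVariable("unconstrained-variable")
    web = PolicyValue("web-ports", ((80, 80), (443, 443)))
    high = PolicyValue("ephemeral", ((1024, 65535),))
    assoc = ExpectedPolicyValuesForVariable()
    assoc.associate(src, web)    # one variable constrained by several values ...
    assoc.associate(src, high)
    assoc.associate(dst, web)    # ... and one value constraining several variables
    return assoc, src, dst, free

if __name__ == "__main__":
    assoc, src, dst, free = build_sample()
    for var, port in [(src, 443), (src, 22), (dst, 2048), (free, 22)]:
        print(var.name, port, validate_binding(assoc, var, port))
```

Rejecting a binding here, before the condition is deployed, keeps an out-of-range value from ever reaching an enforcement point.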
The aggregation ContainedDomain provides a means of nesting of one ReusablePolicyContainer inside another one. The aggregation is defined at the level of ReusablePolicyContainer's superclass, AdminDomain, to give it applicability to areas other than Core Policy.
NAME             ContainedDomain
DESCRIPTION      A class representing the aggregation of lower
                 level administrative domains by a higher-level
                 AdminDomain.
DERIVED FROM     SystemComponent
ABSTRACT         FALSE
PROPERTIES       GroupComponent[ref AdminDomain [0..n]]
                 PartComponent[ref AdminDomain [0..n]]
NAME             PolicyRepositoryInPolicyRepository
DEPRECATED FOR   ContainedDomain
DESCRIPTION      A class representing the aggregation of
                 PolicyRepositories by a higher-level
                 PolicyRepository.
DERIVED FROM     SystemComponent
ABSTRACT         FALSE
PROPERTIES       GroupComponent[ref PolicyRepository[0..n]]
                 PartComponent[ref PolicyRepository[0..n]]
This aggregation is a specialization of the Component aggregation; it is used to define a set of filter entries (subclasses of FilterEntryBase) that are aggregated by a FilterList.
The cardinalities of the aggregation itself are 0..1 on the FilterList end, and 0..n on the FilterEntryBase end. Thus in the general case, a filter entry can exist without being aggregated into any FilterList. However, the only way a filter entry can figure in the PCIMe model is by being aggregated into a FilterList by this aggregation.
The class definition for the aggregation is as follows:
NAME             EntriesInFilterList
DESCRIPTION      An aggregation used to define a set of filter
                 entries (subclasses of FilterEntryBase) that are
                 aggregated by a particular FilterList.
DERIVED FROM     Component
ABSTRACT         False
PROPERTIES       GroupComponent[ref FilterList[0..1]],
                 PartComponent[ref FilterEntryBase[0..n]],
                 EntrySequence
The GroupComponent property is overridden in this aggregation to represent an object reference to a FilterList object (instead of to the more generic ManagedSystemElement object defined in its superclass). It also restricts the cardinality of the aggregate to 0..1 (instead of the more generic 0-or-more), representing the fact that a filter entry always exists within the context of at most one FilterList.
The PartComponent property is overridden in this aggregation to represent an object reference to a FilterEntryBase object (instead of to the more generic ManagedSystemElement object defined in its superclass). This object represents a single filter entry, which may be aggregated with other filter entries to form the FilterList.
EntrySequence is an unsigned 16-bit integer indicating the order of the filter entry relative to all others in the FilterList. The default value '0' indicates that order is not significant, because the entries in this FilterList are ANDed together.
The following aggregation is used to associate ManagedElements with a PolicyRoleCollection object that represents a role played by these ManagedElements.
NAME             ElementInPolicyRoleCollection
DESCRIPTION      A class representing the inclusion of a
                 ManagedElement in a collection, specified as
                 having a given role. All the managed elements
                 in the collection share the same role.
DERIVED FROM     MemberOfCollection
ABSTRACT         FALSE
PROPERTIES       Collection[ref PolicyRoleCollection [0..n]]
                 Member[ref ManagedElement [0..n]]
A PolicyRoleCollection is defined within the scope of a System. This association links a PolicyRoleCollection to the System in whose scope it is defined.
When associating a PolicyRoleCollection with a System, this should be done consistently with the system that scopes the policy rules/groups that are applied to the resources in that collection. A PolicyRoleCollection is associated with the same system as the applicable PolicyRules and/or PolicyGroups, or to a System higher in the tree formed by the SystemComponent association.
The class definition for the association is as follows:
NAME             PolicyRoleCollectionInSystem
DESCRIPTION      A class representing the fact that a
                 PolicyRoleCollection is defined within the scope
                 of a System.
DERIVED FROM     Dependency
ABSTRACT         FALSE
PROPERTIES       Antecedent[ref System[1..1]]
                 Dependent[ref PolicyRoleCollection[weak]]
The reference property Antecedent is inherited from Dependency, and overridden to become an object reference to a System, and to restrict its cardinality to [1..1]. It serves as an object reference to a System that provides a scope for one or more PolicyRoleCollections. Since this is a weak association, the cardinality for this object reference is always 1, that is, a PolicyRoleCollection is always defined within the scope of exactly one System.
The reference property Dependent is inherited from Dependency, and overridden to become an object reference to a PolicyRoleCollection defined within the scope of a System. Note that for any single instance of the association class PolicyRoleCollectionInSystem, this property (like all Reference properties) is single-valued. The [0..n] cardinality indicates that a given System may have 0, 1, or more than one PolicyRoleCollections defined within its scope.
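An added example (not part of the RFC) of auditing the scoping rule above: each PolicyRoleCollection must be scoped by exactly one System, and that System must be the same as, or higher in the SystemComponent tree than, the System scoping the rules or groups applied to the collection. All system and collection names, the input layout, and the finding labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. PARENT_OF encodes SystemComponent as part -> group.
PARENT_OF = {"site-a": "corp", "site-b": "corp", "edge-a1": "site-a"}
# PolicyRoleCollectionInSystem instances: (Antecedent System, Dependent collection).
COLLECTION_IN_SYSTEM = [("site-a", "EdgeRouters"), ("site-b", "CoreRouters"),
                        ("corp", "Shared"), ("site-a", "Shared")]
# Systems that scope the PolicyRules/PolicyGroups applied to each collection.
RULE_SCOPE = {"EdgeRouters": ["edge-a1", "site-a"], "CoreRouters": ["site-a"]}

def ancestors(system, parent_of):
    """Yield `system` and every System above it in the SystemComponent tree."""
    seen = set()
    while system is not None and system not in seen:  # stop on a malformed cycle
        seen.add(system)
        yield system
        system = parent_of.get(system)

def audit(collection_in_system, rule_scope, parent_of):
    """Return (collection, finding, detail) tuples for scoping violations."""
    systems = defaultdict(set)
    for system, collection in collection_in_system:
        systems[collection].add(system)
    findings = []
    for collection in sorted(systems):
        scoped_by = systems[collection]
        if len(scoped_by) != 1:  # Antecedent cardinality is [1..1]
            findings.append((collection, "multiple-systems", sorted(scoped_by)))
            continue
        (system,) = scoped_by
        # The collection's System must equal, or sit above, each rule's System.
        uncovered = [s for s in rule_scope.get(collection, [])
                     if system not in ancestors(s, parent_of)]
        if uncovered:
            findings.append((collection, "out-of-scope-rules", uncovered))
    return findings

if __name__ == "__main__":
    for finding in audit(COLLECTION_IN_SYSTEM, RULE_SCOPE, PARENT_OF):
        print(finding)
```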
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11.
Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
The starting point for this document was PCIM itself [1], and the first three submodels derived from it [11], [12], [13]. The authors of these documents created the extensions to PCIM, and asked the questions about PCIM, that are reflected in PCIMe.
This document includes text written by a number of authors (including the editor), that was subsequently merged by the editor. The following people contributed text to this document:
Lee Rafalow
IBM Corporation, BRQA/501
4205 S. Miami Blvd.
Research Triangle Park, NC 27709

Phone: +1 919-254-4455
Fax: +1 919-254-6243
EMail: rafalow@us.ibm.com
Yoram Ramberg
Cisco Systems
4 Maskit Street
Herzliya Pituach, Israel 46766

Phone: +972-9-970-0081
Fax: +972-9-970-0219
EMail: yramberg@cisco.com
Yoram Snir
Cisco Systems
4 Maskit Street
Herzliya Pituach, Israel 46766

Phone: +972-9-970-0085
Fax: +972-9-970-0366
EMail: ysnir@cisco.com
Andrea Westerinen
Cisco Systems
Building 20
725 Alder Drive
Milpitas, CA 95035

Phone: +1-408-853-8294
Fax: +1-408-527-6351
EMail: andreaw@cisco.com
Ritu Chadha
Telcordia Technologies
MCC 1J-218R
445 South Street
Morristown NJ 07960.

Phone: +1-973-829-4869
Fax: +1-973-829-5889
EMail: chadha@research.telcordia.com
Marcus Brunner
NEC Europe Ltd.
C&C Research Laboratories
Adenauerplatz 6
D-69115 Heidelberg, Germany

Phone: +49 (0)6221 9051129
Fax: +49 (0)6221 9051155
EMail: brunner@ccrle.nec.de
Ron Cohen
Ntear LLC

EMail: ronc@ntear.com
John Strassner
INTELLIDEN, Inc.
90 South Cascade Avenue
Colorado Springs, CO 80903

Phone: +1-719-785-0648
EMail: john.strassner@intelliden.com
The Policy Core Information Model (PCIM) [1] describes the general security considerations related to the general core policy model. The extensions defined in this document do not introduce any additional considerations related to security.
[1] Moore, B., Ellesson, E., Strassner, J. and A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.
[2] Distributed Management Task Force, Inc., "DMTF Technologies: CIM Standards CIM Schema: Version 2.5", available at http://www.dmtf.org/standards/cim_schema_v25.php.
[3] Distributed Management Task Force, Inc., "Common Information Model (CIM) Specification: Version 2.2", June 14, 1999, available at http://www.dmtf.org/standards/documents/CIM/DSP0004.pdf.
[4] Mockapetris, P., "Domain Names - implementation and specification", STD 13, RFC 1035, November 1987.
[5] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.
[6] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997.
[7] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 2373, July 1998.
[8] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[9] Hovey, R. and S. Bradner, "The Organizations Involved in the IETF Standards Process", BCP 11, RFC 2028, October 1996.
[10] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J. and Waldbusser, "Terminology for Policy-Based Management", RFC 3198, November 2001.
[11] Snir, Y., and Y. Ramberg, J. Strassner, R. Cohen, "Policy QoS Information Model", Work in Progress.
[12] Jason, J., and L. Rafalow, E. Vyncke, "IPsec Configuration Policy Model", Work in Progress.
[13] Chadha, R., and M. Brunner, M. Yoshida, J. Quittek, G. Mykoniatis, A. Poylisher, R. Vaidyanathan, A. Kind, F. Reichmeyer, "Policy Framework MPLS Information Model for QoS and TE", Work in Progress.
[14] S. Waldbusser, and J. Saperia, T. Hongal, "Policy Based Management MIB", Work in Progress.
[15] B. Moore, and D. Durham, J. Halpern, J. Strassner, A. Westerinen, W. Weiss, "Information Model for Describing Network Device QoS Datapath Mechanisms", Work in Progress.
Author's Address
Bob Moore
IBM Corporation, BRQA/501
4205 S. Miami Blvd.
Research Triangle Park, NC 27709

Phone: +1 919-254-4436
Fax: +1 919-254-6243
EMail: remoore@us.ibm.com
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.