COPS Usage for Differentiated Services                     December 1998
      
      
      
      Network Working Group                             Francis Reichmeyer
      Internet Draft                                    Kwok Chan
      draft-ietf-rap-cops-ds-01.txt                     Bay Networks, Inc.
      Expiration Date: May 1999                         David Durham
                                                        Raj Yavatkar
                                                        Intel
                                                        Silvano Gai
                                                        Keith McCloghrie
                                                        Cisco Systems, Inc.
                                                        Shai Herzog
                                                        IPHighway
                                                        December 1998
      
      
                        COPS Usage for Differentiated Services
      
      
      
      Status of this Memo
      
        This document is an Internet-Draft. Internet-Drafts are working
        documents of the Internet Engineering Task Force (IETF), its areas,
        and its working groups. Note that other groups may also distribute
        working documents as Internet-Drafts.
      
        Internet-Drafts are draft documents valid for a maximum of six months
        and may be updated, replaced, or obsoleted by other documents at any
        time. It is inappropriate to use Internet-Drafts as reference
        material or to cite them other than as "work in progress."
      
        To learn the current status of any Internet-Draft, please check the
        "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
        Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
        munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
        ftp.isi.edu (US West Coast).
      
      
      Abstract
      
        There is a clear need for relatively simple and coarse methods of
        providing differentiated classes of service for Internet traffic, to
        support various types of services, and specific business
        requirements. The IETF has chartered the Differentiated Service WG to
        define the differentiated services architecture and a common language
        for differentiated services.
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 1]


      COPS Usage for Differentiated Services                     December 1998
      
      
        In parallel, the IETF RSVP Admission Policy (RAP) WG has defined the
        COPS (Common Open Policy Service) protocol [COPS].
      
        This document describes enhancements to the Common Open Policy
        Service (COPS) protocol to support policy services in a
        Differentiated Services (DiffServ) environment. Further modifications
        to COPS for DiffServ may be proposed in the future, but what is
        presented here is thought to be the minimum necessary additions.
      
      
      Table of contents
      
        1. Terminology ......................................................3
        2. Introduction .....................................................4
           2.1 Basic Model...................................................6
           2.2 Interaction between the PDP and the PEP.......................8
        3. The definition of the Policy Tree ................................8
           3.1 Description of the Policy Tree................................9
           3.2 Operations Supported On a PRI................................10
           3.3 PIB general information......................................10
           3.4 An example of a PIB..........................................10
        4. COPS DiffServ Client Data .......................................13
           4.1 Policy Identifier (PRID).....................................13
           4.2 BER encoded Policy instance Data (BPD).......................14
           4.3 DiffServ Decision Data.......................................14
           4.4 DiffServ Request Data........................................15
           4.5 DiffServ Report Data.........................................15
             4.5.1 Successfully Installed/Removed Data .....................15
             4.5.2 Unsuccessfully Installed/Removed Data ...................15
             4.5.3 Accounting Data .........................................16
        5. Message Content .................................................16
           5.1 Request (REQ)   PEP -> PDP...................................16
           5.2 Decision (DEC)   PDP -> PEP..................................17
           5.3 Report State (RPT)   PEP -> PDP..............................18
        6. Common Operation ................................................18
        7. Fault Tolerance .................................................20
        8. Security ........................................................21
        9. References ......................................................21
        10. Author Information .............................................22
      
      
      
      
      
      
      
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 2]


      COPS Usage for Differentiated Services                     December 1998
      
      
      1. Terminology
      
        o  ACL: Access Control List.
      
        o  ClientSI: Client Specific Information Object.
      
        o  COPS (Common Open Policy Service): client/server model for
           supporting policy control [COPS];
      
        o  Object: this term is used in the same sense as in COPS
           specification. An object is identified by its C-num and C-type.
      
        o  PDP (Policy Decision Point): a network entity where policy
           decisions are made.
      
        o  PEP (Policy Enforcement Point): network device where policy
           decisions are enforced.
      
        o  Policy Rule: policy information specified by the PDP to be enforced
           at the PEP.
      
        o  PRC (Policy Rule Class): a type of policy rule data item. In object
           oriented terminology this is equivalent to a class. It inherits
           from PRC. A PRC defines a vector of attributes. Each attribute has
           a syntax type that is either primitive or refined. It also
           overrides the READ and WRITE methods and defines new error sub-
           codes.
      
        o  PRI (Policy Rule Instance): an instance of a PRC. Potentially there
           are multiple instances of the same PRC. The value of a PRI consist
           of a vector of values, one value for each attribute in the PRC's
           vector of attributes.
      
        o  PII (Policy Instance Identifier): one or more of the PRC attributes
           the values of which are used as part of the identification of a
           PRI.
      
        o  PIB (Policy Information Base): policy objects are accessed via a
           virtual information store, termed the Policy Information Base or
           PIB.  Objects in the PIB are defined using a subset of Abstract
           Syntax Notation One (ASN.1) [ASN1].
      
        o  PRID (Policy Rule IDentifier): the name which identifies a
           particular PRI or PRC. It has a hierarchical structure of the form
           1.3.4.2.7, where the first part identifies the PRC (i.e., 1.3.4)
           and the last part is the value of the PII (Policy Instance
           Identifier), which identifies the instance (i.e. 2.7). The PII is
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 3]


      COPS Usage for Differentiated Services                     December 1998
      
      
           null in the case of a PRC. PRIDs are represented as a BER encoded
           oids (Object Identifiers).
      
        o  BPD: BER (ASN.1 [ASN1] Basic Encoding Rule [BER]) encoded Policy
           Instance Data.
      
      
      2. Introduction
      
         The Common Open Policy Service (COPS) protocol is a query response
         protocol used to exchange policy information between a network policy
         server and a set of clients [COPS]. COPS is being developed within
         the RSVP Admission Policy Working Group (RAP WG) of the IETF,
         primarily for use as a mechanism for providing policy-based admission
         control over requests for network resources [RAP].
      
         The underlying assumption in the RAP framework is that applications
         or end systems use the RSVP [RSVP] signaling protocol to communicate
         Integrated Services (IntServ) reservation requests to the network
         nodes along the path of a flow. These reservation requests carry
         necessary flow specifications and requests for a flow to receive one
         of the defined Integrated Services, Controlled Load or Guaranteed. In
         the IntServ model, the RSVP messages themselves contain all the
         necessary information needed at the networking device to classify and
         service the flow [RSVP]. This information includes the session
         identifier (source and destination addresses, port numbers, and
         transmission protocol), flowspec token bucket parameters, and
         requested service.
      
      
                          Edge Device            Policy Server
                       +--------------+          +-----------+
                       |              |          |           |
                       |              |  COPS    |           |
                       |   +-----+    |  REQ()   |  +-----+  |
                RSVP   |   |     |----|----------|->|     |  |
               --------|-->| PEP |    |          |  | PDP |  |
                       |   |     |<---|----------|--|     |  |
                       |   +-----+    |   COPS   |  +-----+  |
                       |              |   DEC()  |           |
                       +--------------+          +-----------+
      
                           Figure 1: COPS with RSVP/IntServ
      
      
         As shown in Figure 1, the network device contacts a Policy Decision
         Point (PDP) to make the policy-based admission control decision. The
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 4]


      COPS Usage for Differentiated Services                     December 1998
      
      
         PDP is simply required to return a Decision, such as "accept" and the
         network device acts as a Policy Enforcement Point (PEP) and uses the
         session information and IntServ service parameters to classify and
         service the packets belonging to the flow.
      
         Providing policy services in a DiffServ environment requires some
         different assumptions about the admission control mechanisms used in
         the network. First, there might be no explicit dynamic signaling from
         sources of traffic requesting a particular service, as in the case of
         an IntServ network. Network resources are provisioned based on static
         SLAs (Service Level Agreements) at network boundaries. Second, where
         requests for allocation of resources to differentiated services are
         used, they may arrive at the PDP from network entities other than the
         PEP. Examples of such sources include attached users requesting
         network services via a web interface into a central management
         application, or H.323 gatekeeper requesting resources on behalf of a
         user for a video conferencing application, as shown in Figure 2.
      
      
                                                          +----------+
                   Edge Device            Policy Server   |   H.323  |
                +--------------+          +-----------+   |Gatekeeper|
                |              |          |           |   |          |
                |              |          |           |   +----------+
                |    -----     |    COPS  |   -----   |        |
                |   |     |    |   DECs() |  |     |  |        |
                |   | PEP |<---|----------|--| PDP |<----------+
                |   |     |    |          |  |     |  |     Service
                |    -----     |          |   -----   |     Request
                |              |          |           |
                +--------------+          +-----------+
      
                         Figure 2: COPS Example with DiffServ
      
      
         Requests of this sort still require some policy decision to be made
         to ensure the requesting user/application has permission to use the
         requested services and that the resources are available. Once the
         decision is made, the PDP must configure one or more PEPs to allocate
         necessary resources for services requested. In addition, the PDP may
         also pass to the PEP provisioning decisions about resources related
         to flows of a more static nature, such as long-term SLAs established
         across boundaries of adjacent ISP networks.
      
         In summary, the interaction between the PDP and PEP is different in
         at least two respects from that in the case of the IntServ
         environment. First, the resource provisioning requests may originate
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 5]


      COPS Usage for Differentiated Services                     December 1998
      
      
         at places other than a PEP. Second, once the PDP makes a policy
         decision to allocate resources for a service class or a flow
         aggregate, it must pass sufficient information (such as packet
         classification filters, traffic shaper parameters) in the decision
         message to the PEPs so that PEPs can enforce policy decisions. This
         draft describes the usage of the COPS protocol for communicating this
         information between DiffServ clients (PEPs) and the policy servers
         (PDPs).
      
      
      2.1 Basic Model
      
         Figure 2 shows a sample network configuration for a DiffServ
         environment. Edge routers and boundary routers are located at the
         boundary of DiffServ domains as described in [Nichols]. The BB/PS is
         responsible for admission control functions and resource
         provisioning.
      
                      +-----+    +-----+
                      | BB/ |    | BB/ |
                      | PS  |    | PS  |
                      +-----+    +-----+
                         \          |
                         |         /
                         |        /
                 / Stub   \       /   Transit    \       /  Stub  \
                / Network  \     /    Network     \     /  Network \
         +---+ |        +---\   /---+          +---\   /---+        | +---+
         |Tx |-|        |ER1|---|BR1|          |BR2|---|ER2|        |-|Rx |
         +---+ |        +---/   \---+           ---/   \---+        | +---+
                \          /     \                /     \          /
                 \        /       \              /       \        /
      
      
                   Figure 3: Sample DiffServ Network Configuration
      
      
        In the COPS model, the PDP is part of the bandwidth broker/policy
        server that manages policy information and resources within a
        DiffServ domain. Both edge routers and boundary routers act as PEPs
        and communicate with BB/PS using COPS for exchange of policy
        information. The internal organization of the bandwidth broker
        functionality and policy functionality may vary and the policy server
        and BB may be separate entities. In that case, either the BB or the
        PS may communicate with the edge devices. The BB, upon receiving COPS
        messages from the PEP, would consult the policy server to make its
        final admission control decision. Similarly, if the PS receives COPS
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 6]


      COPS Usage for Differentiated Services                     December 1998
      
      
        messages directly from PEP, the PS would consult the BB to verify
        available resources before making a final admission control decision.
      
        To allow for use of COPS for DiffServ specific communication and to
        distinguish DiffServ usage from other uses of COPS, we have added a
        new client type to COPS  (client type = DiffServ client). It is
        possible for an edge device to contain both a COPS-DS and a COPS-RSVP
        client. Each COPS clients can communicate with different PDPs, or
        they can connect to the same PDP which supports both client types, as
        shown in Figure 4.
      
      
                             Edge Device
                       +-----------------+
                       |                 |                PS/BB
                       |   +---------+   |           +-------------+
                       |   |         |   |           |             |
                 RSVP  |   |COPS-RSVP|   | COPS-RSVP |   +-----+   |
               <-------|-->|  Client |<--|-----------|-->|     |   |
                       |   |         |   |           |   |     |   |
                       |   |---------|   |           |   | PDP |   |
                       |   |         |   |           |   |     |   |
                       |   |COPS-DS  |<--|-----------|-->|     |   |
                       |   | Client  |   |  COPS-DS  |   +-----+   |
                       |   |         |   |           |             |
                       |   +---------+   |           +-------------+
                       |                 |
                       +-----------------+
      
                Figure 4: COPS DS and RSVP Clients in Same Edge Device
      
      
        Allowing multiple COPS client types to co-exist in a single PEP means
        that the same PDP can coordinate policy decisions in an environment
        where, say, both RSVP/IntServ and DiffServ QoS mechanisms need to be
        managed. For example, in a stub network that uses IntServ with RSVP
        signaling internally and is connected to a DiffServ transit network
        externally. In this case, the edge device that connects the stub
        network to the transit network may require policy decisions from the
        same PDP for both RSVP requests as well as for policy rules to
        enforce on the egress (DiffServ is with respect to the ingress)
        interface.
      
        The two decisions may very well need to be coordinated to ensure
        proper provisioning and allocation of network resources. For example,
        the decision of whether to admit an RSVP flow, or not, would depend
        on the provisioning policy in place at the egress interface where the
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 7]


      COPS Usage for Differentiated Services                     December 1998
      
      
        flow is leaving the stub network, and vice versa. The issue of
        combining IntServ and DiffServ to provide an end-to-end QoS solution
        is discussed in the draft [E2E]. Also, the RSVP WG is currently
        planning on addressing the use of RSVP within the differentiated
        services QoS model.
      
      
      2.2 Interaction between the PDP and the PEP
      
        When a device boots, it opens a COPS connection to its Primary PDP.
        When the connection is established, the PEP sends information about
        itself to the PDP in the form of a configuration request. This
        information includes client specific information (hardware type,
        software release, configuration information). During this phase the
        client also specifies the maximum COPS-DS message size supported (see
        Section 3.3).
      
        In response, the PDP downloads all provisioned policies which are
        currently relevant to that device. On receiving the provisioned
        policies, the device maps them into its local QoS mechanisms, and
        installs them. If conditions change at the PDP such that the PDP
        detects that changes are required in the provisioned policies
        currently in effect at the PEP, then the PDP sends the changes
        (installs/deletes) in policy to the PEP, and the PEP updates its
        local QoS mechanisms appropriately.
      
        If, subsequently, the configuration of the device changes (board
        removed, board added, new software installed, etc.) in ways not
        covered by policies already known to the PEP, then the PEP sends this
        new information to the PDP. On receiving this new information, the
        PDP sends to the PEP any additional provisioned policies now needed
        by the PEP.
      
      
      3. The definition of the Policy Tree
      
        This section defines data format for the DiffServ client specific
        information carried in the Decision, Request ClientSI, and Report
        ClientSI objects. DiffServ client specific data may be defined for
        the other objects in the future. COPS-DS data is represented by a
        policy tree containing Policy Rule Classes (PRCs) and Instances of
        those classes (PRIs), as shown in Figure 5.
      
      
      
      
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 8]


      COPS Usage for Differentiated Services                     December 1998
      
      
      
      
                  -------+-------+----------+---PRC--+--PRI
                         |       |          |        +--PRI
                         |       |          +---PRC-----PRI
                         |       +---PRC--+--PRI
                         |       |        +--PRI
                         |       |        +--PRI
                         |       |        +--PRI
                         |       |        +--PRI
                         |       +---PRC-----PRI
                         +---PRC---PRI
      
      
                          Figure 5: Example of a Policy Tree
      
      
        The policy tree is based on SMI and MIBs. COPS for RSVP does not need
        a policy tree, since the information exchanged has a simple format
        and is defined by existing RSVP objects. COPS for DiffServ needs much
        more structure, since it needs to represent policies, mappings, ACLs,
        interfaces etc.
      
        PRIs (Policy Rule Instances) and PRCs (Policy Rule Classes) have
        names called PRIDs (Policy Rule IDentifiers). PRIDs have a
        hierarchical structure of the form 1.3.4.2.7, where the first part
        identifies the PRC (e.g., 1.3.4) and the last part identifies the
        instance (e.g. 2.7).
      
        The policy tree names all the policy rule classes and instances and
        this creates a common view of the policy organization between the
        client (PEP) and the server (PDP).  Therefore, when the PEP receives
        data from the PDP, the data itself specifies what a PEP is supposed
        to do with the data. The current granularity of access, i.e., the
        atomicity of replacement, is proposed as a vector of values.
      
        Note that the PRCs/PRIs in the above diagram are each a vector of
        values. This proposal is that the hierarchy of PRCs/PRIs is for
        benefit of human understanding, not for programmatic understanding,
        or inheritance.
      
      
      3.1 Description of the Policy Tree
      
        The Policy Tree is described using SMI and PIBs. SMI and PIBs are
        defined based on the ASN.1 data definition language [ASN1]. To
        simplify the implementation and re-use the SNMP encoding/decoding
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 9]


      COPS Usage for Differentiated Services                     December 1998
      
      
        code, the representation of the policy information on the wire must
        follow BER both for the PRID and for the BPD [BER].
      
      
      3.2 Operations Supported On a PRI
      
        The following operations are supported on a PRI:
      
        o  Install - creates a new instance of a PRC, i.e. a new PRI, or
           modifies an existing instance. The instance is automatically
           enabled. Parameters to this operation are a PRID (see Section 4.1)
           and an "BPD (BER encoded Policy instance Data)" containing the
           value to assign to the new PRI see (Section 4.2). The BPD specifies
           all the attributes of the new PRI.
      
        o  Delete - This operation is used to delete an instance of a PRC. The
           parameter is a PRID (see Section 4.1).
      
      
      3.3 PIB general information
      
        The PIB has a branch that contains general information. Examples of
        information stored in this branch are:
      
        o  TTL (Time To Live): a period of time in seconds. In the event the
           PEP looses the COPS-DS connection with the PDP, it tries to re-
           establish the connection with the primary and secondary PDPs. If
           this fails for a period of time greater than the TTL, the DS
           policies are discarded. The TTL specified in this branch is the
           default TTL and may be overridden by TTLs present in specific
           branches. A TTL = 0 means infinite.
      
        o  MCMS (Maximum COPS-DS Message Size): a message size in bytes. The
           COPS-DS Client-Open ClientSI MUST specify the MCMS supported by the
           client. This value must be in the range 4KB - 64KB.
      
        o  Interface to be provisioned.
      
        o  Capability information: This may include what filters the PEP
           supports, what kind of profiles or dispositions it can perform.
      
      
      3.4 An example of a PIB
      
        This section contains a simple example of a PIB describing a simple
        set of filters for IP packets. Each filter is able to match either
        the source IP address, the destination IP address or both. This
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 10]


      COPS Usage for Differentiated Services                     December 1998
      
      
        example is provided only for the benefit of understanding how a PIB
        is structured. It is not necessarily supposed to describe any actual
        policy data.
      
      
        policyFilterPIB OBJECT IDENTIFIER ::= { policyPIB 1 }
      
        ipHeaderFilterTable OBJECT-TYPE
            SYNTAX      SEQUENCE OF IpHeaderFilterEntry
            MAX-ACCESS  not-accessible
            STATUS      current
            DESCRIPTION "This table contains a simple ACL, i.e. one or
                         more IP filters."
      
        ::= {policyFilterPIB 1}
      
      
        ipHeaderFilterEntry OBJECT-TYPE
            SYNTAX      IpHeaderFilterEntry
            MAX-ACCESS  write-only
            STATUS      current
            DESCRIPTION "Each row of the table has four columns. The
            ipHeaderFilterIndex uniquely identifies a particular IP
            filter. The ipHeaderFilterMatchType specifies the type of
            match (source only, destination only, source and destination).
            The ipHeaderFilterSourceAddress and
            ipHeaderFilterDestinationAddress contain the source and
            destination IP addresses."
      
            INDEX {ipHeaderFilterIndex}
      
        ::= {ipHeaderFilterTable 1}
      
      
        IpHeaderFilterEntry ::= SEQUENCE {
            ipHeaderFilterIndex              INTEGER,
            ipHeaderFilterMatchType          BITS,
            ipHeaderFilterSourceAddress      IpAddress,
            ipHeaderFilterDestinationAddress IpAddress
        }
      
      
        ipHeaderFilterIndex OBJECT-TYPE
            SYNTAX      INTEGER
            MAX-ACCESS  not-accessible
            STATUS      current
            DESCRIPTION "The index of the table, used to identify each
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 11]


      COPS Usage for Differentiated Services                     December 1998
      
      
            individual IP filter"
      
        ::= {ipHeaderFilterEntry 1}
      
      
        ipHeaderFilterMatchType OBJECT-TYPE
            SYNTAX      BITS {
                            matchSource (0),
                            matchDestination (1)
                        }
            MAX-ACCESS  not-accessible
            STATUS      current
            DESCRIPTION "This field indicates which one or more of the
            addresses are required to match the corresponding addresses
            of the IP packet."
      
        ::= {ipHeaderFilterEntry 2}
      
      
        ipHeaderFilterSourceAddress OBJECT-TYPE
            SYNTAX      IpAddress
            MAX-ACCESS  not-accessible
            STATUS      current
            DESCRIPTION "IP source address to be matched against the
            packet in the event the ipHeaderFilterMatchType has the
            corresponding bit set.
      
        ::= {ipHeaderFilterEntry 3}
      
      
        ipHeaderFilterDestinationAddress OBJECT-TYPE
            SYNTAX      IpAddress
            MAX-ACCESS  not-accessible
            STATUS      current
            DESCRIPTION "IP destination address to be matched against the
            packet in the event the ipHeaderFilterMatchType has the
            corresponding bit set.
      
        ::= {ipHeaderFilterEntry 4}
      
      
      
      
      
      
      
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 12]


      COPS Usage for Differentiated Services                     December 1998
      
      
      4. COPS DiffServ Client Data
      
        The COPS-DS extensions define a new client type:
      
           Client Type = 2; DiffServ Client
      
        DiffServ specific information is sent in a COPS message containing a
        Common Header with the DiffServ Client type specified:
      
                      0                    1                      2
        3
        +----------------+----------------+----------------+----------------+
        | Version| ////  |     Op Code    |      Client Type = 0x02         |
        +----------------+----------------+----------------+----------------+
        |                          Message Length                           |
        +----------------+----------------+----------------+----------------+
      
        The COPS protocol specification defines several objects which may
        carry client specific information between PDP and PEP:
      
        o  Context Object (Context)
        o  Reason code Object (Reason code)
        o  Decision Object (Decision)
        o  Error Object (Error)
        o  Client Specific Info Object (ClientSI) which includes:
           o Request ClientSI
           o Report ClientSI
           o Client-Open ClientSI
      
      
      
      4.1 Policy Identifier (PRID)
      
        This object is used to carry the PRID of the Policy Rule Instance to
        be installed or deleted.
      
                0                1               2                 3
        +----------------+----------------+----------------+----------------+
        |              Length             |          Type = PRID            |
        +----------------+----------------+----------------+----------------+
        |                       Policy Rule Identifier                      |
        +----------------+----------------+----------------+----------------+
      
      
      
      
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 13]


      COPS Usage for Differentiated Services                     December 1998
      
      
      4.2 BER encoded Policy instance Data (BPD)
      
        This object is used to carry the value of a Policy Data Instance to
        be installed, It contains an BER coding of the Policy Data Instance
        [BER].
      
                0                1               2                 3
        +----------------+----------------+----------------+----------------+
        |              Length             |          Type = "BER type"      |
        +----------------+----------------+----------------+----------------+
        |                       BER Encoded PRI Value                       |
        +----------------+----------------+----------------+----------------+
      
      
      4.3 DiffServ Decision Data
      
        The DiffServ Named Decision Data (<Decision: Named Data>, see Section
        5.2) is composed of one or more bindings. Each binding associates a
        PRID object and an BPD object. The PRID object is always present, the
        BPD object MUST be present in the case of an install decision and
        MUST NOT be present in the case of a delete decision.
      
        The BPD object contains the value to be assigned to the PRI that is
        created or updated.
      
        The DiffServ specific decision data uses the following format:
      
        C-Num  = 7
        C-Type = 5
      
             <Decision: Named Data> ::= <Install Decision> |
                                        <Remove Decision>
      
        This depends from the <Decision: Flag>, see Section 5.2.
      
             <Install Decision>    :: = <Binding(s)>
      
             <Binding(s)>          ::= <Binding> <Binding(s)> |
                                       <Binding>
      
             <Binding>             ::= <PRID> <BPD>
      
             <Remove Decision>     ::= <PRID(s)>
      
             <PRID(s)>             ::= <PRID> <PRID(s)> |
                                       <PRID>
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 14]


      COPS Usage for Differentiated Services                     December 1998
      
      
        Please note that the delete has the capability of deleting an entire
        table with a single operation.
      
      
      4.4 DiffServ Request Data
      
        The diffServ Configuration request will utilize the COPS Named
        ClientSI (C-Num=10 C-Type=2) object to carry the same bindings as
        described above. The DiffServ request Named ClientSI data has the
        following format:
      
      
        <ClientSI: Named> ::= <DiffServ Request Data>
      
        <DiffServ Request Data (Named ClientSI)> ::= <Binding(s)>
      
      
      
      4.5 DiffServ Report Data
      
        DiffServ specific report data is used in the RPT message. The format
        of the report data is dependant on the value of the accompanying COPS
        Report Type object. Report types can be Installed/Removed or
        NotInstalled/NotRemoved indicating to the PDP that a particular set
        of policies has been either successfully or unsuccessfully
        installed/deleted on the PEP.
      
      
      4.5.1 Successfully Installed/Removed Data
      
        When used with the "Installed" or "Removed" report type, the DiffServ
        Named ClientSI  object in the Report Message has the following
        format:
      
        <ClientSI: Named> ::= <DiffServ Report Data>
      
        <DiffServ report data> ::=  [<PRID(s)>]
      
        where <PRID(s)> is the set of PRID successfully installed/deleted.
      
      
      4.5.2 Unsuccessfully Installed/Removed Data
      
        When used with the "Not Installed" or "Not Removed" report type, the
        DiffServ specific report data has the following format:
      
        <ClientSI: Named> ::= <DiffServ Report Data>
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 15]


      COPS Usage for Differentiated Services                     December 1998
      
      
      
        <DiffServ report data> ::= <no-comit(s)>
      
        <no-commit(s)> ::= <no-commit> | <no-commit(s)> <no-commit>
      
        <no-commit> ::= <PRID> <Error> [<Binding(s)>]
      
        where:
      
        <PRID> is the PRID of the unsuccessful install/delete, <Error> is the
        error code and <Binding(s)> are conflicting bindings that caused the
        error.
      
        The COPS-DS adds also the following two error codes:
        - 12 COPS Client Specific Error Code;
        - 13 Vendor Specific Error Code.
      
        In the case of "no commit" the PEP MUST report at least the first
        error and should report as many errors as possible.
      
      
      4.5.3 Accounting Data
        TBD
      
      
      5. Message Content
      
        This section describes the COPS messages exchanged between a PEP and
        PDP for use with DiffServ policy services.
      
      
      5.1 Request (REQ)   PEP -> PDP
      
        The REQ message is used by COPS DiffServ clients for issuing a config
        request to the PDP, as described in the COPS protocol. The Client
        Handle is associated with request state originated by the PEP and the
        PEP is responsible for notifying the PDP when the Handle is no longer
        in use and can be deleted.
      
        The DiffServ request data, defined above, may be included in the
        config request form PEP to PDP. Currently, the request data is
        defined for carrying configuration/feature negotiation information
        from the PEP. This provides the server with information on the types
        of policy that the interface can enforce and the types of policy data
        the PEP can install.
      
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 16]


      COPS Usage for Differentiated Services                     December 1998
      
      
        The config request message serves as a request from the PEP to the
        PDP for any DiffServ configuration data which the PDP may have pre-
        defined for the PEP device, such as access control lists, etc., and
        any future access data or updates. The pre-configured and any
        asynchronous DiffServ configuration data can then be sent to the PEP
        over time via decisions, as decided by the PDP. The configuration
        information supplied by the PDP is of the consistent client specific
        format defined above. The PDP responds to the config request with a
        DEC message containing any available configuration information.
      
           <Request> ::= <Common Header>
                         <Client Handle>
                         <Context = config request>
                         [ <interface> ]
                         <DiffServ request data>
      
      
      5.2 Decision (DEC)   PDP -> PEP
      
        The DEC message (<Decision Message>) is sent from the PDP to a
        DiffServ client  in response to a config REQ  received from the PEP.
        The Client Handle must be the same Handle that was received in the
        REQ message. The Client Specific Decision Data for DiffServ clients
        (<Decision: ClientSI Data>), to be used in the DEC message, is
        defined in Section 4.3.
      
        The DEC message is sent as an immediate response to a config request
        with the solicited decision flag set, used to carry pre-defined
        configuration information set in the PDP, to the PEP. Subsequent DEC
        messages may also be sent at any time after the original DEC message
        to continue supplying the PEP with additional/updated policy
        information. The state carried in the DEC message is correlated with
        an initial request state by the Client Handle and provides the
        appropriate PRID information.
      
        Each DEC message may contain multiple decisions. This allows with a
        single message to install some policies and delete some others. In
        general a COPS-DS decision message should contain at most one delete
        decision followed by at most one install decision. This is used to
        solve a precedence issue, not a timing issue: the delete decision
        deletes what it specifies, except those items that are installed in
        the same message.
      
        A COPS-DS decision message is also a "transaction", i.e. all the
        bindings in a message either succeed or fail. This allow to delete
        some policies only if other policies can be installed in their place.
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 17]


      COPS Usage for Differentiated Services                     December 1998
      
      
        For each decision (<Decision>), the PEP performs the operation
        specified in the Decision Flags object (<Decision: Flags>) on the
        decision data (<Decision: ClientSI Data>]).
      
        <Decision Message> ::= <Common Header>
                               <Client Handle>
                               <Decision(s)> | <Error>
      
        <Decision(s)> ::= <Decision> | <Decision(s)> <Decision>
      
        <Decision> ::= <Context>
                       <Decision: Flags>
                      [<Decision: Named Data>]
      
         If no configuration state is available when the config REQ is
         processed by the PDP, a DEC is sent with the "No Configuration Data"
         decision flag set.
      
         In response to a DEC message, the DiffServ client sends a RPT back to
         the PDP to inform the PDP of the actual action taken. For example, in
         response to a DEC with the "Install" flag (only) set, the PEP informs
         the PDP if the decision data can be installed, based on the other
         policy data on the device (are there conflicts, etc.).
      
      
      5.3 Report State (RPT)   PEP -> PDP
      
        The RPT message is sent from the DiffServ client to the PDP to report
        accounting information from PEP to PDP on request state installed at
        the PEP. It is also used as a mechanism to inform the PDP about the
        action taken at the PEP, in response to a DEC message. The DiffServ
        report data format, as defined above, depends on the Report Type
        included in the RPT message.
      
           <Report State> ::= <Common Header>
                        <Client Handle>
                        <Report Type>
                        [<DiffServ report data>]
      
      
      6. Common Operation
      
        This section describes, in general, typical exchanges between a PDP
        and DiffServ COPS client.
      
        First, a connection is established between the PEP and PDP and the
        PEP sends a Client-Open message with the Client-Type = 2, DiffServ
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 18]


      COPS Usage for Differentiated Services                     December 1998
      
      
        client. If the PDP supports the DiffServ client, the PDP responds
        with a Client-Accept (CAT) message. If the client type is not
        supported, a Client-Close (CC) message is returned by the PDP to the
        PEP, possibly identifying an alternate server that is known
        (believed?) to support the policy for the DiffServ client.
      
        Once the CAT message is received, the client can send requests to the
        server. The request a COPS DiffServ client sends to the server is for
        configuration information, that is a REQ with "Configuration Request"
        set in the context object that identifies a specific interface/module
        and any relevant client specific information (see also Section 3.3).
        The config request message serves two purposes in COPS-DS. First, it
        is a request from the PEP to the PDP for any DiffServ configuration
        data which the PDP may have pre-defined for the PEP device, such as
        acces control lists, etc. Also, the config request is a request to
        the PDP to send asynchronous DiffServ configuration data to the PEP,
        as it is received by the PDP. This asynchronous data may be new
        policy data or an update to policy data sent previously.
      
        If the PDP has DiffServ QoS policy configuration information for the
        client, that information is returned to the client in a DEC message
        containing the DiffServ client policy data within the COPS Decision
        object. If no filters are defined, the DEC message will simply
        specify that there are no filters using the "No Configuration"
        Decision Flags object. The PEP MUST specify a client handle (which
        can be zero) in the request message. The PDP MUST process the client
        handle and copy it in the decision message. This is to prevent the
        PEP from timing out the REQ and deleting the Client Handle.
      
        The PDP can then add new policy data or update existing state by
        sending subsequent DEC message(s) to the PEP, with the same Client
        Handle. The PEP is responsible for removing the Client handle when it
        is no longer needed, for example when the interface goes down, and
        informing the PDP that the handle is to be deleted.
      
        For DiffServ purposes, access state, and access requests to the
        policy server can be initiated by other sources besides the PEP.
        Examples of other sources include attached users requesting network
        services via a web interface into a central management application,
        or H.323 servers requesting resources on behalf of a user for a video
        conferencing application. When such a request is accepted, the edge
        device affected by the decision (the point where the flow is to enter
        the network) must be informed of the decision. Since the PEP in the
        edge device did not initiate the request, the specifics of the
        request, e.g. flowspec, packet filter, and PHB to apply, must be
        communicated to the PEP by the PDP. This information is sent to the
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 19]


      COPS Usage for Differentiated Services                     December 1998
      
      
        PEP using the Decision message containing DiffServ client specific
        data objects in the COPS Decision object as specified. Any updates to
        the state information, for example in the case of a policy change or
        call tear down, is communicated to the PEP by subsequent DEC messages
        containing the same Client Handle and the updated DiffServ request
        state. Updates can specify that policy data is to be deleted or
        installed.
      
        The PEP acknowledges the DEC message and action taken by sending a
        RPT message with a "Installed" or "Removed" Report-Type object. This
        serves as an indication to the PDP that the requestor (e.g. H.323
        server) can be notified that the request has been accepted by the
        network. If the PEP needs to reject the DEC operation for any reason,
        a RPT message is sent with a Report-Type of value "Not Installed" or
        "Not Removed" and optionally a Client Specific Information object
        specifying the policy data that was rejected. The PDP can then
        respond to the requestor accordingly.
      
        The PEP can report to the PDP the local status of any installed
        request state when appropriate. This information is sent in a Report-
        State (RPT) message with the "Accounting" flag set. The state being
        reported on is referenced by the Client Handle associated with the
        request state and the client specific data identifier.
        Finally, Client-Close (CC) messages are used to cancel the
        corresponding Client-Open message. The CC message informs the other
        side that the client type specified is no longer supported.
      
      
      7. Fault Tolerance
      
        When communication is lost between PEP and PDP, the PEP attempts to
        re-establish the TCP connection with the PDP it was last connected
        to. If that server cannot be reached, then the PEP attempts to
        connect to a secondary PDP, assumed at this time to be manually
        configured at the PEP.
      
        When a connection is finally re-established, either with the primary
        PDP or a secondary PDP, the PEP should provide the last PDP address
        of the PDP for which it is still caching decisions. Based on this
        information, the PDP may request the PEP to re-synch its current
        state information (SSQ message). If no decisions are being cached on
        the PEP (due to reboot or TTL timeout of state) the PEP must not
        included the last PDP address information. If after re-connecting,
        the PDP does not request the synchronization, the client can assume
        the server recognizes it and the current state at the PEP is correct.
        Any changes state changes which occurred at the PEP while connection
        was lost must be reported to the PDP in a RPT message. If re-
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 20]


      COPS Usage for Differentiated Services                     December 1998
      
      
        synchronization is requested, the PEP should reissue its
        configuration requests and the PDP should delete the appropriate PRCs
        on the PEP (thus, removing all previous decisions below the PRC,
        effectively resetting all state).
      
        While the PEP is disconnected from the PDP, the request state at the
        PEP is to be used for policy decisions. If the PEP cannot re-connect
        in some pre-specified period of time (some multiple of the keep-alive
        time? - TBD), the request state is to be deleted and the associated
        Handles removed. The same holds true for the PDP; upon detecting a
        failed TCP connection, the time-out timer is started for the request
        state associated with the PEP and the state is removed after the
        specified period without a connection.
      
      
      8. Security
      
        The use of COPS for DiffServ introduce no new security issues over
        the base COPS protocol. The use of IPSEC between PDP and PEP, as
        described in [COPS] is sufficient.
      
      
      9. References
      
        [COPS]    Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R.,
                  Sastry, A., "The COPS (Common Open Policy Service)
                  Protocol", IETF <draft-ietf-rap-cops-03.txt>, December
                  1998.
      
        [RAP]     Yavatkar, R., et al., "A Framework for Policy Based
                  Admission Control",IETF <draft-ietf-rap-framework-00.txt>,
                  November, 1997.
      
        [E2E]     Bernet, Y., Yavatka,r R., Ford, P., Baker, F., Nichols, K.,
                  Speer, M., "A Framework for End-to-End QoS Combining
                  RSVP/Intserv and Differentiated Services", IETF <draft-
                  ietf-DiffServ-rsvp-00.txt>, March 1998.
      
        [RSVP]    Braden, R., Zhang, L., Berson, S., Herzog, S., and Jamin,
                  S., "Resource Reservation Protocol (RSVP) Version 1
                  Functional Specification", IETF RFC 2205, Proposed
                  Standard, September 1997.
      
        [ASN1]    Information processing systems - Open Systems
                  Interconnection, "Specification of Abstract Syntax Notation
                  One (ASN.1)", International Organization for
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 21]


      COPS Usage for Differentiated Services                     December 1998
      
      
                  Standardization, International Standard 8824, December
                  1987.
      
        [BER]     Information processing systems - Open Systems
                  Interconnection - Specification of Basic Encoding Rules for
                  Abstract Syntax Notation One (ASN.1), International
                  Organization for Standardization. International Standard
                  8825, (December, 1987).
      
        [Nichols] K. Nichols, V. Jacobson, L. Zhang, " A Two-bit
                  Differentiated Services Architecture for the Internet,"
                  draft-nichols-diff-svc-arch-00.txt
      
      
      
      10. Author Information
      
        Francis Reichmeyer
        Bay Networks, Inc.
        3 Federal Street
        Billerica, MA 01821
        Phone: (978) 916-3352
        Email: freichmeyer@baynetworks.com
      
        Kwok Ho Chan
        Bay Networks, Inc.
        600 Technology Park
        Billerica, MA 01821
        Phone: (978) 916-8175
        Email: khchan@baynetworks.com
      
        David Durham
        Intel
        2111 NE 25th Avenue
        Hillsboro, OR 97124
        Phone: (503) 264-6232
        Email: david.durham@intel.com
      
        Raj Yavatkar
        Intel
        2111 NE 25th Avenue
        Hillsboro OR 97124
        Phone: (503) 264-9077
        Email: yavatkar@ibeam.intel.com
      
        Silvano Gai
        Cisco Systems, Inc.
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 22]


      COPS Usage for Differentiated Services                     December 1998
      
      
        170 Tasman Dr.
        San Jose, CA 95134-1706
        Phone: (408) 527-2690
        email: sgai@cisco.com
      
        Keith McCloghrie
        Cisco Systems, Inc.
        170 Tasman Dr.
        San Jose, CA 95134-1706
        Phone: (408) 526-5260
        email: kzm@cisco.com
      
        Shai Herzog
        IPHighway
        400 Kelby St., Suite 1500
        Parker Plaza
        Fort Lee, NJ 07024
        Phone: (201) 585-0800
        Email: herzog@iphighway.com
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
        Reichmeyer, Chan, Durham, Gai, McCloghrie                  [Page 23]