
snmpconf RE: Policy issues: definition of Roles



At 08:22 AM 02/08/2000, John C. Strassner wrote:
Hi Shai, comments inline.

regards,
John

At 11:48 PM 2/6/00 -0500, Shai Herzog wrote:
I think that one of the problems is that we're confusing the
various levels of "roles". Let me try to make the following
observations:

<js>
Levels of roles? If a role is indeed an attribute used as a selector, this translates to levels of attributes. My head is hurting. ;-) More to the point, I don't know what you mean by "levels" of roles...

Sorry, didn't mean to hurt anyone ;-)
I meant: Roles at PEP, Roles at PDP, Roles in the Schema, Roles in our
head, etc....


I humbly submit that you're making this too complicated. Instead, thinking of roles as a means to select from among a larger subset is appealing because it always means the same thing each time it is used.
</js>

I think the two of us have been discussing this for perhaps years ;-)
I believe that the input to the PDP (schema, GUI, whatever) isn't
necessarily mapped 1:1 with PEP configuration (In fact, it better
not be). This means that the PDP may have as input an E-2-E definition
w/o roles (this user gets gold service (low delay, drop)). The PDP
gets this non-role info and converts it into COPS commands to
configure the PEP based on roles:

Role=Edge, DS GOLD Service -> Mark DSCP AF11

So, the schema didn't have roles, but roles were used in configuring the
edge router.

So, the role isn't a selector in the schema (although simple schema may
use it); it is also not a selector at the PDP, but only a selector
for the PEP to advertise the kind of roles it has, and receive policy
for each one of its roles.
...

<js>
Seems to me that you want to differentiate between roles as used to influence device configuration on the PEP level vs. roles as used to build policy statements at the PDP level. Is this what you meant by "levels" of roles?

If so, then I suggest that we talk about PEP roles vs. PDP roles (as Keith suggested earlier) vs. roles as a selector (to make me happy ;-) )
</js>

YES YES YES, you hit it bull's eye! I was talking about PEP roles only
and was trying (clumsily) to express myself, thanks!

So, let's call it "PEP ROLES"

As for the other one, I believe PDP is merely an interpreter (in comes
abstract policy, out goes device policy) so it doesn't really have
roles. So, we should find another name for the second type that you
described, perhaps "Profile" (as in "user profile, application
profile, ...")? or "Usage Roles".

Shai




__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006