snmpconf RE: Policy issues: definition of Roles
At 08:22 AM 02/08/2000, John C. Strassner wrote:
Hi Shai, comments inline.
At 11:48 PM 2/6/00 -0500, Shai Herzog wrote:
I think that one of the problems is that we're
various levels of "roles". Let me try to make the
Levels of roles? If a role is indeed an attribute used as a selector,
this translates to levels of attributes. My head is hurting. ;-) More to
the point, I don't know what you mean by "levels" of
Sorry, didn't mean to hurt anyone ;-)
I meant: Roles at PEP, Roles at PDP, Roles in the Schema, Roles in
I humbly submit that you're making this too
complicated. Instead, thinking of roles as a means to select from among a
larger subset is appealing because it always means the same thing each
time it is used.
I think the two of us have been discussing this for perhaps years
I believe that the input to the PDP (schema, GUI, whatever) isn't
necessarily mapped 1:1 with PEP configuration (In fact, it better
not be). This means that the PDP may have as input an E-2-E
w/o roles ( this user gets gold service (low delay, drop) ) The PDP
gets this non-role info and converts it into COPS commands to
configure the PEP based on roles:
Role=Edge, DS GOLD Service -> Mark DSCP AF11
So, the schema didn't have roles, but roles were used in configuring
So, the role isn't a selector in the schema (although simple schema
use it) it is also not a selector at the PDP, but only a selector
for the PEP to advertise the kind of roles it has, and receive
for each one of its roles.
Seems to me that you want to differentiate between roles as used to
influence device configuration on the PEP level vs. roles as used to
build policy statements at the PDP level. Is this what you meant by
"levels" of roles?
If so, then I suggest that we talk about PEP roles vs. PDP roles (as
Keith suggested earlier) vs. roles as a selector (to make me happy ;-)
YES YES YES, you hit the bull's-eye! I was talking about PEP roles
and was trying (clumsily) to express myself, thanks!
So, let's call it "PEP ROLES".
As for the other one, I believe PDP is merely an interpreter (in
abstract policy, out goes device policy) so it doesn't really have
roles. So, we should find another name for the second type that you
described, perhaps "Profile" (as in "user profile,
profile,...)? or "Usage Roles".
Shai Herzog, Founder & CTO, IPHighway Inc.
Tel : (914) 654-4810
55 New York
Main: (508) 620-1141
Fax : (212) 656-1006
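Added example (editor's illustration, not code from the thread or from IPHighway): a toy PDP that does what Shai describes above, taking role-free abstract policy ("this user gets gold service") and compiling it into device rules keyed by PEP role ("Role=Edge, GOLD -> Mark DSCP AF11"), then handing each PEP only the rules for the roles it advertised. The service-to-treatment table, the sample policy, the PEP role names and the Rule type are all assumed for illustration; the only fact taken from outside the thread is the AF11 DSCP value (10) from RFC 2597.

```python
"""Toy PDP: abstract policy in, per-PEP-role device policy out.

Added example, not from the snmpconf thread. Every table and name below
is constructed for illustration.
"""
from dataclasses import dataclass

# DSCP code points. AF11 = 001010b = 10 (RFC 2597); BE = best effort.
DSCP = {"AF11": 10, "AF21": 18, "BE": 0}

# Abstract (schema-level) policy with no roles in it: constructed input.
ABSTRACT_POLICY = [
    {"user": "alice", "service": "gold"},
    {"user": "bob", "service": "bronze"},
]

# How each service class is realised on each kind of PEP role.
# This mapping is the PDP's own knowledge; assumed, not from the thread.
SERVICE_BY_ROLE = {
    "gold":   {"Edge": ("mark", "AF11"), "Core": ("queue", "AF11")},
    "bronze": {"Edge": ("mark", "BE"),   "Core": ("queue", "BE")},
}


@dataclass(frozen=True)
class Rule:
    """One device-level rule, selected by PEP role (hypothetical type)."""
    role: str
    match_user: str
    action: str
    dscp: int


def compile_policy(abstract, table=SERVICE_BY_ROLE, dscp=DSCP):
    """PDP step: the role-free abstract policy becomes role-keyed rules."""
    rules = {}
    for entry in abstract:
        for role, (action, codepoint) in table[entry["service"]].items():
            rules.setdefault(role, []).append(
                Rule(role, entry["user"], action, dscp[codepoint]))
    return rules


def config_for_pep(rules, advertised_roles):
    """PEP step: the PEP advertises its roles and receives only the rules
    for those roles. Roles the PDP has no rules for are reported back
    rather than silently dropped, so a misconfigured PEP is visible."""
    advertised = set(advertised_roles)
    config = {role: rules[role] for role in advertised if role in rules}
    unknown = sorted(advertised - set(rules))
    return config, unknown


def render(config):
    """Human-readable form of the rules a PEP would be sent."""
    return [f"Role={role}, user={r.match_user} -> {r.action} DSCP {r.dscp}"
            for role, role_rules in sorted(config.items())
            for r in role_rules]


if __name__ == "__main__":
    rules = compile_policy(ABSTRACT_POLICY)
    cfg, unknown = config_for_pep(rules, ["Edge", "Wireless"])
    print("\n".join(render(cfg)))
    print("roles with no policy:", unknown)
```

Run as a script it prints the two Edge rules (alice marked AF11/10, bob marked BE/0) and reports "Wireless" as an advertised role the PDP holds no rules for; the Core rules exist in the compiled output but are never sent to a PEP that did not advertise the Core role.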