At 03:07 PM 02/07/2000, Andrew Smith wrote:

In the worst case then, yes, you're right, the PDP has to multiply out the
role combinations and send them all to the PEP. But there will be many cases
where the PDP knows that a policy does not need to distinguish between "T1"
and "Ethernet": then, the PDP can download a policy for role-combination
"Edge". In that case, the ALL in your definition is not applicable. That is
what I was trying to explain in my response to Bob Natale last week (1/31).

I think I am beginning to understand what you mean... ;-)

with two Role Combinations "Edge+Ethernet" and "Edge+T1" the PDP
normally would send two different configurations such as

"Edge+T1":    Mark DSCP AF21
"Edge+Ether": Mark DSCP AF11

If it turns out that the instructions for these two are the same
(by chance) meaning (Policy1):

"Edge+T1":    Mark DSCP AF11
"Edge+Ether": Mark DSCP AF11

Then perhaps we'd want to have a wildcard that says (Policy2):

"Edge+*":     Mark DSCP AF11

BUT, Policy2 is merely a short hand for Policy1 but they mean the same.
The important distinction in my view is that the PDP cannot send
a policy "T1+*" and expect the PEP to merge the policy
in "Edge+*" with "T1+*" into "Edge+T1".

So, when receiving a policy for "Edge+*" the PEP interprets it

"Replace/override the policy for all role combinations with Edge
in them with the following"...

If a "T1+*" comes later, it will REPLACE (not merge) the configuration
installed on "Edge+T1".

This is why I insist on the "ALL" in the role combination: The PDP
must provide a policy that is clearly for a specific COMPLETE
role combination, and the PEP isn't expected to merge policy
for roles into role combination. BUT as you suggested a shorthand
representation may be made for the purpose of saving bits and overhead
but that has the same meaning as the "ALL".

I am not sure if my description is clear, but I hope ;-)


