snmpconf RE: Policy issues: definition of Roles

Well, we're getting very close here. Let me propose a summary to see if we can agree. Roles have three fundamentally different uses:

  1) to directly influence device configuration - let's
     call this PEP ROLES for now
  2) to translate from a high-level description of policy
     into one that configures the device either directly
     or indirectly - let's call this PDP ROLES for now
  3) to be used as a selector to retrieve a subset of
     applicable policies from a larger set of available
     policies - let's call this SELECTOR ROLES for now

Note that the second use is subtly different than the third. The second uses roles as a means to translate between expressing policy in general terms and in configuring the device to implement or support that policy. So in Shai's example, the PDP has two inputs. One input is the definition of the policy from the administrator's point-of-view, which probably cannot be used in its current form to configure devices. The other is from the devices that it controls. They announce their capabilities in terms of roles. The PDP then uses roles to translate policy from a business expression (Gold service, or don't allow more than 30% of my core bandwidth to be devoted to a certain type of traffic, or...) to a form that is used to ultimately configure the devices that it controls.

The third use is not focused on translation. Rather, it is a way of selecting policies and/or policy information to be retrieved for further processing.

The #1 is agreed upon, but I fail to see the #2 & #3 being separate
and I have a hard time with "PDP" roles given that PDP is a translation
machine and does not have its own definition or determination of policy
(or roles for that matter). It takes two types of input, one from above
(schema) and one from below (device). Those inputs may have roles in
them, but those are different "role types".

PEP Roles <-----------> PDP <---------------> Schema Roles

The job of the PDP is to bridge between PEPs and Schema, but it doesn't
have roles or policy per se.


