
snmpconf RE: Policy issues: definition of Roles



At 05:59 AM 02/09/2000, Jon Sjoberg wrote:
Shai,
 
Correct me if I'm wrong, but I read the below to say that the "ALL" in your definition means that all the roles in a role combination associated to a policy must be a proper subset of the roles on a PEP for the policy to be loaded.
 
So, for your example:
 
If I had a QoS policy P1 associated with the combination "Edge+Ethernet", and a PEP that supported the roles "Edge+Ethernet+TrustedInterface+Engineering", then P1 would be appropriate for that PEP.  Correct?
 
In this case, a security policy, P2, for all TrustedInterface PEPs would be merged with P1.  Correct?

This is too vague: what do you mean by "associated"? Do you mean that
it is sent to the PEP with the role "Edge+Ethernet", or do you
mean that it is associated in the policy DB? I must understand the
level you're talking about.

 What I'm also understanding that may be wrong is that this position further holds that the association between Edge+Ethernet and P1 is not stored in the schema but the PDP comes up with this out of some learned or intrinsic network knowledge (proprietary).  What is stored in the schema, and associated with a policy in the schema, is some set of identifiers as to the general functionality that a policy pertains to (Configuration, QoS, Security, etc.).
 
Am I close?
 
Jon
-----Original Message-----
From: policy-owner@raleigh.ibm.com [mailto:policy-owner@raleigh.ibm.com]On Behalf Of Shai Herzog
Sent: Tuesday, February 08, 2000 12:32 PM
To: Andrew Smith
Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'; rap@iphighway.com
Subject: RE: Policy issues: definition of Roles

At 03:07 PM 02/07/2000, Andrew Smith wrote:
Shai,

In the worst case then, yes, you're right, the PDP has to multiply out the
role combinations and send them all to the PEP. But there will be many cases
where the PDP knows that a policy does not need to distinguish between "T1"
and "Ethernet": then, the PDP can download a policy for role-combination
"Edge". In that case, the ALL in your definition is not applicable. That is
what I was trying to explain in my response to Bob Natale last week (1/31).

I think I am beginning to understand what you mean... ;-)

with two Role Combinations "Edge+Ethernet" and "Edge+T1" the PDP
normally would send two different configurations such as

"Edge+T1":    Mark DSCP AF21
"Edge+Ether": Mark DSCP AF11

If it turns out that the instructions for these two are the same
(by chance) meaning (Policy1):

"Edge+T1":    Mark DSCP AF11
"Edge+Ether": Mark DSCP AF11

Then perhaps we'd want to have a wildcard that says (Policy2):

"Edge+*":     Mark DSCP AF11

BUT, Policy2 is merely a short hand for Policy1 but they mean the same.
The important distinction in my view is that the PDP cannot send
a policy "T1+*" and expect the PEP to merge the policy
in "Edge+*" with "T1+*" into "Edge+T1".

So, when receiving a policy for "Edge+*" the PEP interprets it
as

"Replace/override the policy for all role combinations with Edge
in them with the following"...

If a "T1+*" comes later, it will REPLACE (not merge) the configuration
installed on "Edge+T1".

This is why I insist on the "ALL" in the role combination: The PDP
must provide a policy that is clearly for a specific COMPLETE
role combination, and the PEP isn't expected to merge policy
for roles into role combination. BUT as you suggested a shorthand
representation may be made for the purpose of saving bits and overhead
but that has the same meaning as the "ALL".

I am not sure if my description is clear, but I hope ;-)

Shai

__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006
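The replace-not-merge semantics Shai describes for role combinations, as an added illustration that is not code from the thread or from any IPHighway product: a toy PEP whose configuration is keyed by COMPLETE role combinations, where a wildcard like "Edge+*" is only shorthand that expands to every matching complete combination and overrides each one. The role combinations and DSCP markings are constructed for the example.

```python
# Added example (not from the thread): toy PEP policy table modelling
# "a wildcard is shorthand for complete role combinations; installs replace,
# they never merge". Role combinations and DSCP values are constructed.

from dataclasses import dataclass, field


@dataclass
class Pep:
    """A PEP with a fixed set of complete role combinations on its interfaces."""
    role_combinations: list[frozenset[str]]
    # installed configuration, keyed by the COMPLETE role combination
    config: dict[frozenset[str], str] = field(default_factory=dict)

    def install(self, target: str, action: str) -> list[frozenset[str]]:
        """Install `action` for the role combination named by `target`.

        `target` is either a complete combination ("Edge+T1") or shorthand with
        a wildcard ("Edge+*"). The wildcard expands to every complete
        combination on this PEP containing the named roles, and each of those
        is REPLACED wholesale; nothing is merged with what was there before.
        A partial combination without "*" (e.g. "Edge") matches nothing: the
        PDP must name the whole combination ("ALL" of the roles).
        Returns the combinations that were (re)configured.
        """
        roles = set(target.split("+"))
        wildcard = "*" in roles
        roles.discard("*")
        hits = []
        for combo in self.role_combinations:
            if (wildcard and roles <= combo) or (not wildcard and roles == combo):
                self.config[combo] = action   # override, never merge
                hits.append(combo)
        return hits


def demo() -> dict[str, str]:
    """Policy2 shorthand for Edge, then a later T1 policy that REPLACES Edge+T1."""
    pep = Pep([frozenset({"Edge", "Ethernet"}), frozenset({"Edge", "T1"}),
               frozenset({"Core", "T1"})])
    pep.install("Edge+*", "Mark DSCP AF11")   # configures Edge+Ethernet, Edge+T1
    pep.install("T1+*", "Mark DSCP AF21")     # overrides Edge+T1, configures Core+T1
    return {"+".join(sorted(c)): a for c, a in pep.config.items()}
```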