[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: snmpconf pm issue #23 - policy termination



Hi,

I am concerned that for policies which may affect the security of the
network, it may not be acceptable to wait until the next
regularly-scheduled policy evaluation; a more immediate determination of
the policy to apply may be necessary to ensure the viability of the
security environment.

OTOH, I also recognize that forcing a complete evaluation cycle to occur
every time a policy becomes inactive may be problematic. Is there any
way with the existing language and primitives to cause the evaluation to
be done immediately when selected policies become inactive?

dbh

Steve Moulton wrote:
> 
> I agree with the proposed text, but it raises a question.
> When a policy is no longer active on an element, is another
> policy evaluation done to ensure the proper policy
> is in force?  This may have been discussed; but I don't recall the
> resolution.
> 
> My immediate reaction is to say "no, it happens when it happens,
> lets not micromanage this thing".  Some cases:
> 
> 1  A policy goes out of schedule.  At this point, since a
>    "policy evaluation cycle" is taking place, the lower precedence
>    policy will be enforced.
> 
> 2  A policy is removed from service (via pmPolicyAdminStatus or
>    pmPolicyRowStatus).  Since these require positive action
>    by a manager, that manager should be responsible for
>    the state of the elements governed by that policy.
>    I'm not sure how this would be done, when it involves
>    forcing a lower precedence policy evaluation to take place.
>    Perhaps by temporarily changing the pmPolicyFilterMaxLatency
>    for a short period of time on a policy the manager thinks
>    should be in force.
> 
> 3  The element has changed state in such a way as to no longer
>    be managed by a given policy.   Should this just be caught
>    on the next policy evaluation?
> 
>         - Steve
> 
> On Monday, June 4 2001, Steve Waldbusser <waldbusser@nextbeacon.com> wrote:
> 
> >
> >
> >   Issue: Jon writes: "There have been extensive discussions about
> >   what to happen when a policy terminates. My recollection -
> >   with help from David - is that if one wants a policy reset
> >   after termination, a lower precedence policy should be in
> >   the group that will take over. I have no issue with this as
> >   the resolution, only that we need to document that this is
> >   how this behavior is achieved."
> >
> >
> > How's this text?
> >
> > "Note that if it is necessary to take certain actions after a policy is
> > no longer active on an element, these actions should be included in a
> > lower-precedence policy that is in the same policy group."
> >
> 
> ---
> Steve Moulton        SNMP Research, Inc            voice: +1 865 573 1434
> Sr Software Engineer 3001 Kimberlin Heights Rd.    fax: +1 865 573 9197
> moulton@snmp.com     Knoxville, TN 37920-9716 USA  http://www.snmp.com

-- 
---
David Harrington            Network Management Standards Architect
dbh@enterasys.com           Office of the CTO
+1 603 337 2614 - voice     Enterasys Networks
+1 603 332 1524 - fax       Rochester NH, USA