From majordomo@raleigh.ibm.com  Tue Feb  1 02:03:59 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA05238
	for <policy-archive@odin.ietf.org>; Tue, 1 Feb 2000 02:03:58 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id BAA16054;
	Tue, 1 Feb 2000 01:58:31 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id BAA28746;
	Tue, 1 Feb 2000 01:58:32 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA61252; Tue, 1 Feb 2000 01:34:55 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA40252; Tue, 1 Feb 2000 01:34:52 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id BAA35588
	for <policy@raleigh.ibm.com>; Tue, 1 Feb 2000 01:34:57 -0500
Received: from mumm.ibr.cs.tu-bs.de (root@mumm.ibr.cs.tu-bs.de [134.169.34.190])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id BAA07674
	for <policy@raleigh.ibm.com>; Tue, 1 Feb 2000 01:34:54 -0500
Received: from henkell.ibr.cs.tu-bs.de (schoenw@henkell [134.169.34.191])
	by mumm.ibr.cs.tu-bs.de (8.9.3/8.9.3) with ESMTP id HAA15635;
	Tue, 1 Feb 2000 07:34:22 +0100 (MET)
Received: from schoenw@localhost by henkell.ibr.cs.tu-bs.de (8.7.6/tubsibr) id HAA00525; Tue, 1 Feb 2000 07:34:05 +0100
Date: Tue, 1 Feb 2000 07:34:05 +0100
Message-Id: <200002010634.HAA00525@henkell.ibr.cs.tu-bs.de>
From: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>
To: FranR@iphighway.com
Cc: snmpconf@snmp.com, policy@raleigh.ibm.com, polterm@ops.ietf.org
In-Reply-To: <6399122981E1D211AB490090271E0AA33C9C66@BMAILNJ> (message from
	Francis Reichmeyer -NJ on Mon, 31 Jan 2000 23:21:13 -0500)
Subject: Re: snmpconf RE: Policy issues: definition of Roles
References:  <6399122981E1D211AB490090271E0AA33C9C66@BMAILNJ>
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>


>>>>> Francis Reichmeyer -NJ writes:

Francis> It may be too late for this thread, but I've copied the
Francis> polterm list. Future discussions of this sort might benefit
Francis> from including polterm as well.

Can we please do the opposite and use just one mailing list?

/js

-- 
Juergen Schoenwaelder      Technical University Braunschweig
<schoenw@ibr.cs.tu-bs.de>  Dept. Operating Systems & Computer Networks
Phone: +49 531 391 3289    Bueltenweg 74/75, 38106 Braunschweig, Germany
Fax:   +49 531 391 5936    <URL:http://www.ibr.cs.tu-bs.de/~schoenw/>




From majordomo@raleigh.ibm.com  Tue Feb  1 04:36:03 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA09084
	for <policy-archive@odin.ietf.org>; Tue, 1 Feb 2000 04:36:03 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id EAA20732;
	Tue, 1 Feb 2000 04:32:21 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id EAA33182;
	Tue, 1 Feb 2000 04:32:19 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA55516; Tue, 1 Feb 2000 04:09:15 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35966; Tue, 1 Feb 2000 03:39:51 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id DAA12546
	for <policy@raleigh.ibm.com>; Tue, 1 Feb 2000 03:39:53 -0500
Received: from foxhound.cisco.com (foxhound.cisco.com [171.69.192.161])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id DAA23816
	for <policy@raleigh.ibm.com>; Tue, 1 Feb 2000 03:39:51 -0500
Received: (from kzm@localhost)
	by foxhound.cisco.com (8.8.8/2.5.1/Cisco List Logging/8.8.8) id AAA02696;
	Tue, 1 Feb 2000 00:39:08 -0800 (PST)
From: Keith McCloghrie <kzm@cisco.com>
Message-Id: <200002010839.AAA02696@foxhound.cisco.com>
Subject: Re: Policy issues: definition of Roles
To: jstrassn@cisco.com
Date: Tue, 1 Feb 2000 00:39:07 -0800 (PST)
Cc: bnatale@acecomm.com (Bob Natale), policy@raleigh.ibm.com
In-Reply-To: <4.2.0.58.20000130125958.00bc02f0@omega.cisco.com> from "John C. Strassner" at Jan 30, 2000 01:04:08 PM
X-Mailer: ELM [version 2.5 PL1]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Keith McCloghrie <kzm@cisco.com>
Content-Transfer-Encoding: 7bit

> [js] A role-combination is a set of attributes that are used
>       to select one or more policies for a set of entities
>       and/or components from among a much larger set of
>       available policies. The selection process is equivalent
>       to a logical ANDing of each attribute, such that the
>       set of policies that are selected are defined by the
>       intersection of all roles in the role-combination.
> 
> Note that you and Glenn are questioning the use of the logical AND as the 
> selection process, and that in a previous message I've said that I'm ok in 
> defining other types of selection processes, but want to hear from Keith, 
> Michael and Shai (at least) first. If we did want to do that, then we 
> probably need at least an associated attribute that defines how the 
> selection process for the role combination is done.

I believe conflict detection is hard, and I believe that operator
input is required to resolve detected conflicts.  Therefore, conflicts
need to be detected as early as possible.

Consider four types of scenarios where roles are specified:

1. policies entered by an operator are associated with roles.

2. policies stored in a repository are associated with roles, and
   valid role-combinations are stored in a repository,

3. a PEP communicates with a PDP to obtain policies based on its
   role-combinations,

4. a device/entity needs to be configured with the roles that it has,
   and the roles that its components have.

Any or no use of role-combination in #4 is OK by me.

It's #3 where requiring the role-combination to be the logical AND of
all a component's roles provides the ability to detect conflicts prior
to downloading the policies into a PEP.  A PEP may not be able to
detect all conflicts, and those that it does detect are harder to get
resolved because they are detected at run-time when there's no
convenient operator around to supply the resolution.

We are not standardizing #1, and so anybody can do what they like there.

If Bob/Glenn are asking for more flexibility in how policies are
associated with roles in #2, that's fine with me providing the valid
role-combinations are also specified.  For example, suppose four roles
are defined: A, B, C and D, and three valid role-combinations are
defined: A+C, A+B+C and A+B+D; then I have no problem with a policy
being defined for A+B; thereby, that policy is not associated with A+C,
but is associated with A+B+C and A+B+D.  In this example, I don't
consider A+B to be a "role-combination", although perhaps that is what
Bob has been suggesting ??

Keith.
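Keith's A/B/C/D example and the PDP-side conflict check he argues for, carried through as an added Python model (this is illustration code, not code from the thread or from any Policy WG document). The policies' "settings" and the rule that two policies conflict when they set the same attribute differently are constructed; the second selection rule is the "any one of the roles" reading Glenn walks through later in this thread, and the valid-combination list plays the part of what Keith later calls "PEP role-combinations".

```python
"""Roles, role-combinations and policy selection: a model of the thread's
A/B/C/D example (added illustration; data and conflict rule are constructed)."""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Tuple

RoleCombination = FrozenSet[str]
Conflict = Tuple[str, str, str]  # (policy, policy, disputed attribute)


def rc(*roles: str) -> RoleCombination:
    """Build a role-combination, e.g. rc("A", "B", "C") for A+B+C."""
    return frozenset(roles)


class Policy:
    """A repository policy: the roles it is associated with plus what it
    configures. 'settings' is a constructed stand-in for the policy's actions."""

    def __init__(self, name: str, roles: RoleCombination, settings: Dict[str, object]):
        self.name = name
        self.roles = roles
        self.settings = dict(settings)


Selector = Callable[[List[Policy], RoleCombination], List[Policy]]


def select_and(policies: List[Policy], combo: RoleCombination) -> List[Policy]:
    """Logical-AND selection (Keith's reading): a policy is selected for a
    role-combination only if every role it is associated with is present."""
    return [p for p in policies if p.roles <= combo]


def select_any(policies: List[Policy], combo: RoleCombination) -> List[Policy]:
    """'Any one of the roles' selection from Glenn's walk-through: a policy is
    selected if it shares at least one role with the combination."""
    return [p for p in policies if p.roles & combo]


def applicable_combinations(policy: Policy, combos: List[RoleCombination],
                            select: Selector) -> set:
    """Which of the valid role-combinations a policy ends up associated with."""
    return {c for c in combos if policy in select([policy], c)}


def find_conflicts(selected: List[Policy]) -> List[Conflict]:
    """Constructed conflict rule: two selected policies conflict when they set
    the same attribute to different values."""
    found: List[Conflict] = []
    for a, b in combinations(selected, 2):
        for key in sorted(a.settings.keys() & b.settings.keys()):
            if a.settings[key] != b.settings[key]:
                found.append((a.name, b.name, key))
    return found


def pdp_precheck(policies: List[Policy], valid_combos: List[RoleCombination],
                 select: Selector) -> Dict[RoleCombination, List[Conflict]]:
    """PDP-side check over the repository's valid role-combinations, run before
    anything is downloaded to a PEP so an operator is there to resolve conflicts."""
    return {c: find_conflicts(select(policies, c)) for c in valid_combos}


def pep_apply(selected: List[Policy]) -> Dict[str, object]:
    """What a PEP can do at run-time: merge the received policies, and fail on
    a conflict because no operator is present to supply a resolution."""
    conflicts = find_conflicts(selected)
    if conflicts:
        raise RuntimeError(f"unresolved conflicts at run-time: {conflicts}")
    merged: Dict[str, object] = {}
    for p in selected:
        merged.update(p.settings)
    return merged


# Constructed repository following Keith's example: roles A, B, C, D; valid
# role-combinations A+C, A+B+C and A+B+D; one policy associated with A+B,
# which is a combination of roles but not one of the valid ones.
POLICIES = [
    Policy("P_AB", rc("A", "B"), {"queue": "gold"}),
    Policy("P_C", rc("C"), {"queue": "silver"}),
    Policy("P_A", rc("A"), {"mtu": 1500}),
    Policy("P_D", rc("D"), {"queue": "gold"}),
]
VALID_COMBINATIONS = [rc("A", "C"), rc("A", "B", "C"), rc("A", "B", "D")]


def names(policies: List[Policy]) -> List[str]:
    """Sorted policy names, for stable reporting."""
    return sorted(p.name for p in policies)


if __name__ == "__main__":
    for combo in VALID_COMBINATIONS:
        label = "+".join(sorted(combo))
        print(label, "AND:", names(select_and(POLICIES, combo)),
              "ANY:", names(select_any(POLICIES, combo)))
    report = pdp_precheck(POLICIES, VALID_COMBINATIONS, select_and)
    print("pre-download conflicts:", {"+".join(sorted(c)): v for c, v in report.items()})
```

Under the AND rule P_AB is selected for A+B+C and A+B+D but not for A+C, exactly as Keith describes, and the A+B+C conflict between P_AB and P_C surfaces at the PDP; under the "any role" rule P_AB is also pulled into A+C, so that combination conflicts too.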


From majordomo@raleigh.ibm.com  Tue Feb  1 05:51:00 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA10820
	for <policy-archive@odin.ietf.org>; Tue, 1 Feb 2000 05:50:59 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id FAA19950;
	Tue, 1 Feb 2000 05:44:59 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id FAA04242;
	Tue, 1 Feb 2000 05:44:41 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35250; Tue, 1 Feb 2000 05:23:05 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA59816; Tue, 1 Feb 2000 05:23:02 -0500
Received: from nlvm1.emea.ibm.com (nlvm1.emea.ibm.com [9.165.3.73])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id FAA30438
	for <policy@raleigh.ibm.com>; Tue, 1 Feb 2000 05:23:02 -0500
Message-Id: <200002011023.FAA30438@rtpmail03.raleigh.ibm.com>
Received: from UITVM1 by nlvm1.emea.ibm.com (IBM VM SMTP V2R4)
   with BSMTP id 3756; Tue, 01 Feb 00 11:23:05 CET
Date: Tue, 1 Feb 00 11:23:05 CET
From: "Bert Wijnen" <WIJNEN@vnet.ibm.com>
To: policy@raleigh.ibm.com
Subject: Re: Policy issues: definition of Roles
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Bert Wijnen" <WIJNEN@vnet.ibm.com>

Let me suggest a procedure so we do not get all these cross postings.
As you can see, I post to one list at a time, so that the REPLY
button that some people use does not automatically cross post too.

As you can see from the subject line, this topic (I think)
should be discussed on the POLICY wg mailing list and not be cross
posted to a set of other lists.

The issue there has to do with the definition of that term in
the core info model document that is currently in WG last call
in the Policy WG.

If you want to join the discussion, then you should subscribe and
post to the policy wg mailing list: policy@raleigh.ibm.com, normal
majordomo subscription mechanism I believe.

After the POLICY wg list has agreed on how they want to define the
term, then they might want to post their viewpoint to polterm
mailing list so that any other viewpoints that were not yet
considered can be discussed as well. After that, it may be a term
that the Polterm DT (Design Team) may include in their terminology
document.

Bert


From majordomo@raleigh.ibm.com  Tue Feb  1 09:17:08 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA18138
	for <policy-archive@odin.ietf.org>; Tue, 1 Feb 2000 09:17:07 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id JAA18402;
	Tue, 1 Feb 2000 09:10:57 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id JAA04448;
	Tue, 1 Feb 2000 09:10:56 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA53832; Tue, 1 Feb 2000 08:47:57 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA32832; Tue, 1 Feb 2000 08:47:54 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id IAA33810
	for <policy@raleigh.ibm.com>; Tue, 1 Feb 2000 08:47:55 -0500
Received: from relay1.acec.com ([38.249.211.2])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id IAA22094
	for <policy@raleigh.ibm.com>; Tue, 1 Feb 2000 08:47:53 -0500
Received: from bnatale (ppp9.acec.com [38.249.211.62])
	by relay1.acec.com (8.9.3/8.9.3) with ESMTP id IAA08748;
	Tue, 1 Feb 2000 08:46:33 -0500 (EST)
Message-Id: <4.2.2.20000201084640.00b0a308@plymouth.acec.com>
X-Sender: bnatale@plymouth.acec.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Tue, 01 Feb 2000 08:50:56 -0500
To: Keith McCloghrie <kzm@cisco.com>
From: Bob Natale <bnatale@acecomm.com>
Subject: Re: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com
In-Reply-To: <200002010839.AAA02696@foxhound.cisco.com>
References: <4.2.0.58.20000130125958.00bc02f0@omega.cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Bob Natale <bnatale@acecomm.com>

At 2/1/2000:03:39 AM, Keith McCloghrie wrote:

Hi Keith,

><...>
>If Bob/Glenn are asking for more flexibility in how policies are
>associated with roles in #2, that's fine with me providing the valid
>role-combinations are also specified.  For example, suppose four roles
>are defined: A, B, C and D, and three valid role-combinations are
>defined: A+C, A+B+C and A+B+D;

Note that you refer to them here as "three valid role-combinations".

>then I have no problem with a policy being defined for A+B;

Excellent...that is what I was trying to understand.

>thereby, that policy is not associated with A+C, but is associated
>with A+B+C and A+B+D.

Exactly.

>In this example, I don't consider A+B to be a "role-combination",

You did refer to it as such (above)...in any case, what term
would you use to refer to it then?

>although perhaps that is what Bob has been suggesting ??

Yes, precisely that.

Cordially,

BobN
------------ ISO 9001 Registered Quality Supplier -----------
Bob Natale         | ACE*COMM              | 301-721-3000 [v]
Dir, Net Mgmt Prod | 704 Quince Orchard Rd | 301-721-3001 [f]
bnatale@acecomm.com| Gaithersburg MD 20878 | www.acecomm.com
------------- Free downloads at www.winsnmp.com -------------



From majordomo@raleigh.ibm.com  Tue Feb  1 17:56:11 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA08779
	for <policy-archive@odin.ietf.org>; Tue, 1 Feb 2000 17:56:11 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id RAA17132;
	Tue, 1 Feb 2000 17:51:12 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id RAA26832;
	Tue, 1 Feb 2000 17:51:14 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA43524; Tue, 1 Feb 2000 17:29:55 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA43768; Tue, 1 Feb 2000 17:29:52 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id RAA34350
	for <policy@raleigh.ibm.com>; Tue, 1 Feb 2000 17:29:55 -0500
Received: from smtprch1.nortel.com (smtprch1.nortelnetworks.com [192.135.215.14])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id RAA25288
	for <policy@raleigh.ibm.com>; Tue, 1 Feb 2000 17:29:51 -0500
Received: from zcard00m.ca.nortel.com (actually zcard00m) 
          by smtprch1.nortel.com; Tue, 1 Feb 2000 16:28:44 -0600
Received: from zcard00b.ca.nortel.com ([47.128.208.105]) 
          by zcard00m.ca.nortel.com 
          with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) 
          id D0AWWQXG; Tue, 1 Feb 2000 17:28:35 -0500
Received: from netgww (141.251.80.117 [141.251.80.117]) 
          by zcard00b.ca.nortel.com 
          with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) 
          id CY2DLDFV; Tue, 1 Feb 2000 17:28:34 -0500
From: "Glenn Waters" <gww@nortelnetworks.com>
To: Keith McCloghrie <kzm@cisco.com>, jstrassn <jstrassn@cisco.com>
Cc: Bob Natale <bnatale@acecomm.com>, policy <policy@raleigh.ibm.com>
Subject: RE: Policy issues: definition of Roles
Date: Tue, 1 Feb 2000 17:30:36 -0500
Message-Id: <NBBBJBCFOENOGCNFEDFEKEJHDIAA.gww@nortelnetworks.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <200002010839.AAA02696@foxhound.cisco.com>
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6600
Importance: Normal
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Glenn Waters" <gww@nortelnetworks.com>
Content-Transfer-Encoding: 7bit

Keith, thanks for the reply. However I am still confused about the intent of
roles and role-combinations. First, let me say that at this point I am not
asking for more flexibility - I am still trying to understand the intent of
all this stuff.  Why don't I try an example or two and see if I can point
out where the confusions still lie.

Let's assume we have three policies, P1, P2, and P3 and that we have four
roles Ethernet, TokenRing, Engineering, and John (cause we all know that
John gets gold :) ).

I believe that I can associate one or more roles to a policy, so for
example:

	P1 <-- Ethernet, TokenRing;
	P2 <-- Engineering;
	P3 <-- John

So, first I am assuming that you associate roles with policies. Correct?
Second, I am assuming that you can associate more than one role with a
policy. Correct?
Third, none of the above examples has anything to do with role combinations
at this point. Correct?
Fourth, can you associate a role-combination with a policy? I don't know. I
have heard both yes and no on this thread.

Now, on the fourth point you (Keith) suggest that we should model the
role-combinations but not associate the role-combinations with a policy. You
say "2. policies stored in a repository are associated with roles, and
   valid role-combinations are stored in a repository,"  which implies to me
that role-combinations are only stored and are not associated with policies.

So far I have just shown what is in the repository. Now to continue on with
the example let's add a COPS-PR client and policy server to the picture.
Let's say the COPS-PR client connects to the server and reports the
following role-combinations:

	Ethernet+Engineering, TokenRing+Engineering, and Ethernet+John

One could say that for each role-combination you send any policy that
contains any one of the roles in the role-combination. So for example the
following would be sent for the three role-combinations:

	A+B sends P1, P2 since P1 contains A/B and P2 contains B
	B+C sends P1, P2 since P1 contains B  and P2 contains B/C
	A+D sends P1, P3 since P1 contains A and P3 contains D

Now, one problem with this (as Keith says, and I agree) is that conflict
detection is done in the policy server and an operator is not there to
correct a conflict when it occurs.  The advantage of the above approach is
that the administrator does not need to know a priori what all the role
combinations will be.

Further, to the above, Keith suggests that we model the role combinations in
the repository so that we can combine the policies and the administrator can
look for the conflicts before an attempt is made to send the combined
policies to the COPS-PR client.

Now I have seen on this list alternative interpretations of
role-combination. I don't think I have seen consensus.

So, what did I get right and what did I get wrong in this scenario?

Thanks in advance!

Cheers, /gww

---
Glenn Waters, Nortel Networks, Ottawa ON, Canada

-----Original Message-----
From: policy-owner@raleigh.ibm.com [mailto:policy-owner@raleigh.ibm.com]On
Behalf Of Keith McCloghrie
Sent: February 1, 2000 03:39
To: jstrassn@cisco.com
Cc: Bob Natale; policy@raleigh.ibm.com
Subject: Re: Policy issues: definition of Roles

> [js] A role-combination is a set of attributes that are used
>       to select one or more policies for a set of entities
>       and/or components from among a much larger set of
>       available policies. The selection process is equivalent
>       to a logical ANDing of each attribute, such that the
>       set of policies that are selected are defined by the
>       intersection of all roles in the role-combination.
>
> Note that you and Glenn are questioning the use of the logical AND as the
> selection process, and that in a previous message I've said that I'm ok in
> defining other types of selection processes, but want to hear from Keith,
> Michael and Shai (at least) first. If we did want to do that, then we
> probably need at least an associated attribute that defines how the
> selection process for the role combination is done.

I believe conflict detection is hard, and I believe that operator
input is required to resolve detected conflicts.  Therefore, conflicts
need to be detected as early as possible.

Consider four types of scenarios where roles are specified:

1. policies entered by an operator are associated with roles.

2. policies stored in a repository are associated with roles, and
   valid role-combinations are stored in a repository,

3. a PEP communicates with a PDP to obtain policies based on its
   role-combinations,

4. a device/entity needs to be configured with the roles that it has,
   and the roles that its components have.

Any or no use of role-combination in #4 is OK by me.

It's #3 where requiring the role-combination to be the logical AND of
all a component's roles provides the ability to detect conflicts prior
to downloading the policies into a PEP.  A PEP may not be able to
detect all conflicts, and those that it does detect are harder to get
resolved because they are detected at run-time when there's no
convenient operator around to supply the resolution.

We are not standardizing #1, and so anybody can do what they like there.

If Bob/Glenn are asking for more flexibility in how policies are
associated with roles in #2, that's fine with me providing the valid
role-combinations are also specified.  For example, suppose four roles
are defined: A, B, C and D, and three valid role-combinations are
defined: A+C, A+B+C and A+B+D; then I have no problem with a policy
being defined for A+B; thereby, that policy is not associated with A+C,
but is associated with A+B+C and A+B+D.  In this example, I don't
consider A+B to be a "role-combination", although perhaps that is what
Bob has been suggesting ??

Keith.



From majordomo@raleigh.ibm.com  Wed Feb  2 04:27:17 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA01970
	for <policy-archive@odin.ietf.org>; Wed, 2 Feb 2000 04:27:16 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id EAA23818;
	Wed, 2 Feb 2000 04:23:42 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id EAA27814;
	Wed, 2 Feb 2000 04:23:42 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA26356; Wed, 2 Feb 2000 04:03:19 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA38572; Wed, 2 Feb 2000 04:03:12 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id EAA27694
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 04:03:14 -0500
Received: from foxhound.cisco.com (foxhound.cisco.com [171.69.192.161])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id EAA23164
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 04:03:10 -0500
Received: (from kzm@localhost)
	by foxhound.cisco.com (8.8.8/2.5.1/Cisco List Logging/8.8.8) id BAA27872;
	Wed, 2 Feb 2000 01:01:44 -0800 (PST)
From: Keith McCloghrie <kzm@cisco.com>
Message-Id: <200002020901.BAA27872@foxhound.cisco.com>
Subject: Re: Policy issues: definition of Roles
To: gww@nortelnetworks.com (Glenn Waters)
Date: Wed, 2 Feb 2000 01:01:43 -0800 (PST)
Cc: kzm@cisco.com (Keith McCloghrie), jstrassn@cisco.com (jstrassn),
        bnatale@acecomm.com (Bob Natale), policy@raleigh.ibm.com (policy)
In-Reply-To: <NBBBJBCFOENOGCNFEDFEKEJHDIAA.gww@nortelnetworks.com> from "Glenn Waters" at Feb 01, 2000 05:30:36 PM
X-Mailer: ELM [version 2.5 PL1]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Keith McCloghrie <kzm@cisco.com>
Content-Transfer-Encoding: 7bit

Glenn,
 
> Keith, thanks for the reply. However I am still confused about the intent of
> roles and role-combinations. First, let me say that at this point I am not
> asking for more flexibility - I am still trying to understand the intent of
> all this stuff.  Why don't I try an example or two and see if I can point
> out where the confusions still lie.
> 
> Let's assume we have three policies, P1, P2, and P3 and that we have four
> roles Ethernet, TokenRing, Engineering, and John (cause we all know that
> John gets gold :) ).
> 
> I believe that I can associate one or more roles to a policy, so for
> example:
> 
> 	P1 <-- Ethernet, TokenRing;
> 	P2 <-- Engineering;
> 	P3 <-- John
> 
> So, first I am assuming that you associate roles with policies. Correct?

Right.

> Second, I am assuming that you can associate more than one role with a
> policy. Correct?

I'll agree with this.  (Note there is an alternate view of having multiple
identical policies, each of which is associated with a different role).

Also note that you can associate a role with more than one policy, and
so, given your statement ("associate more than one role with a policy"),
the relationship between role and policy is many-to-many, and thus, it
cannot be stated that "a policy contains a role", as you do later.

> Third, none of the above examples has anything to do with role combinations
> at this point. Correct?

Right.

> Fourth, can you associate a role-combination with a policy? I don't know. I
> have heard both yes and no on this thread.

In my view: not directly; only indirectly through the roles contained
within the role combination.

> Now, on the fourth point you (Keith) suggest that we should model the
> role-combinations but not associate the role-combinations with a policy. You
> say "2. policies stored in a repository are associated with roles, and
>    valid role-combinations are stored in a repository,"  which implies to me
> that role-combinations are only stored and are not associated with policies.

Not directly; only indirectly through the roles contained within the role
combination.

> So far I have just shown what is in the repository. Now to continue on with
> the example let's add a COPS-PR client and policy server to the picture.
> Let's say the COPS-PR client connects to the server and reports the
> following role-combinations:
> 
> 	Ethernet+Engineering, TokenRing+Engineering, and Ethernet+John
> 
> One could say that for each role-combination you send any policy that
> contains any one of the roles in the role-combination. So for example the
> following would be sent for the three role-combinations:
> 
> 	A+B sends P1, P2 since P1 contains A/B and P2 contains B
> 	B+C sends P1, P2 since P1 contains B  and P2 contains B/C
> 	A+D sends P1, P3 since P1 contains A and P3 contains D

While this looks OK, I cannot say for sure because I'm not certain how you
define A, B, C and D.

> Now, one problem with this (as Keith says, and I agree) is that conflict
> detection is done in the policy server and an operator is not there to

Do you mean "... in the policy server, rather than in the PEP where an
operator ..." ?

> correct a conflict when it occurs.  The advantage of the above approach is
> that the administrator does not need to know a priori what all the role
> combinations will be.
> 
> Further, to the above, Keith suggests that we model the role combinations in
> the repository so that we can combine the policies and the administrator can
> look for the conflicts before an attempt is made to send the combined
> policies to the COPS-PR client.
> 
> Now I have seen on this list alternative interpretations of
> role-combination. I don't think I have seen consensus.
> 
> So, what did I get right and what did I get wrong in this scenario?

Just about everything, in my view :-).

Keith.


From majordomo@raleigh.ibm.com  Wed Feb  2 04:58:01 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA02257
	for <policy-archive@odin.ietf.org>; Wed, 2 Feb 2000 04:57:58 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id EAA20276;
	Wed, 2 Feb 2000 04:54:36 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id EAA19372;
	Wed, 2 Feb 2000 04:54:35 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA22076; Wed, 2 Feb 2000 04:29:12 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA22268; Wed, 2 Feb 2000 04:29:06 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id EAA27768
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 04:29:09 -0500
Received: from foxhound.cisco.com (foxhound.cisco.com [171.69.192.161])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id EAA20304
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 04:29:05 -0500
Received: (from kzm@localhost)
	by foxhound.cisco.com (8.8.8/2.5.1/Cisco List Logging/8.8.8) id BAA28149;
	Wed, 2 Feb 2000 01:28:22 -0800 (PST)
From: Keith McCloghrie <kzm@cisco.com>
Message-Id: <200002020928.BAA28149@foxhound.cisco.com>
Subject: Re: Policy issues: definition of Roles
To: bnatale@acecomm.com (Bob Natale)
Date: Wed, 2 Feb 2000 01:28:22 -0800 (PST)
Cc: kzm@cisco.com (Keith McCloghrie), policy@raleigh.ibm.com
In-Reply-To: <4.2.2.20000201084640.00b0a308@plymouth.acec.com> from "Bob Natale" at Feb 01, 2000 08:50:56 AM
X-Mailer: ELM [version 2.5 PL1]
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Keith McCloghrie <kzm@cisco.com>
Content-Transfer-Encoding: 7bit

So, we agree on the concepts, but not on their names.

I agree that A+B is a combination of roles.  What you want to call
"role-combination" is a superset of my definition.  Perhaps, what I
call a role-combination could be called a "PEP role-combination",
whereas A+B is only a "PDP role-combination", where the set of "PDP
role-combinations" is a superset of the set of "PEP role-combinations".

Keith.

> >If Bob/Glenn are asking for more flexibility in how policies are
> >associated with roles in #2, that's fine with me providing the valid
> >role-combinations are also specified.  For example, suppose four roles
> >are defined: A, B, C and D, and three valid role-combinations are
> >defined: A+C, A+B+C and A+B+D;
> 
> Note that you refer to them here as "three valid role-combinations".
 
Yes, and note that A+B is not one of them.


> >then I have no problem with a policy being defined for A+B;
> 
> Excellent...that is what I was trying to understand.
> 
> >thereby, that policy is not associated with A+C, but is associated
> >with A+B+C and A+B+D.
> 
> Exactly.
> 
> >In this example, I don't consider A+B to be a "role-combination",
> 
> You did refer to it as such (above)...in any case, what term
> would you use to refer to it then?
> 
> >although perhaps that is what Bob has been suggesting ??
> 
> Yes, precisely that.
> 
> Cordially,
> 
> BobN
> ------------ ISO 9001 Registered Quality Supplier -----------
> Bob Natale         | ACE*COMM              | 301-721-3000 [v]
> Dir, Net Mgmt Prod | 704 Quince Orchard Rd | 301-721-3001 [f]
> bnatale@acecomm.com| Gaithersburg MD 20878 | www.acecomm.com
> ------------- Free downloads at www.winsnmp.com -------------
> 
> 
> 



From majordomo@raleigh.ibm.com  Wed Feb  2 07:37:00 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA04652
	for <policy-archive@odin.ietf.org>; Wed, 2 Feb 2000 07:37:00 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id HAA26228;
	Wed, 2 Feb 2000 07:31:58 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id HAA29506;
	Wed, 2 Feb 2000 07:31:58 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA38252; Wed, 2 Feb 2000 07:10:59 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA59236; Wed, 2 Feb 2000 07:10:56 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id HAA21984
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 07:10:57 -0500
Received: from mail.toplayer.com ([199.103.238.97])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id HAA24306
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 07:10:54 -0500
Received: from jsjobergnt (dyn146.TopLayer.com [199.103.238.146])
	by mail.toplayer.com (8.8.7/8.8.7) with SMTP id HAA30239;
	Wed, 2 Feb 2000 07:09:40 -0500
From: "Jon Sjoberg" <jsjoberg@TopLayer.com>
To: "Glenn Waters" <gww@nortelnetworks.com>,
        "Keith McCloghrie" <kzm@cisco.com>, "jstrassn" <jstrassn@cisco.com>
Cc: "Bob Natale" <bnatale@acecomm.com>, "policy" <policy@raleigh.ibm.com>
Subject: RE: Policy issues: definition of Roles
Date: Wed, 2 Feb 2000 07:07:28 -0500
Message-Id: <001101bf6d76$130868f0$92ee67c7@blazenet.com>
Mime-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2232.26
Importance: Normal
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
In-Reply-To: <NBBBJBCFOENOGCNFEDFEKEJHDIAA.gww@nortelnetworks.com>
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Jon Sjoberg" <jsjoberg@TopLayer.com>
Content-Transfer-Encoding: 7bit

Glenn,

> Let's say the COPS-PR client connects to the server and reports the
> following role-combinations:
>
LABELS:   A        B            C        B                A       D
> 	Ethernet+Engineering, TokenRing+Engineering, and Ethernet+John
>
> One could say that for each role-combination you send any policy that
> contains any one of the roles in the role-combination. So for example the
> following would be sent for the three role-combinations:
>
> 	A+B sends P1, P2 since P1 contains A/B and P2 contains B
> 	B+C sends P1, P2 since P1 contains B  and P2 contains B/C
> 	A+D sends P1, P3 since P1 contains A and P3 contains D
>

I think for a role combination, the way I understand it :), the policy goes
to only those policy targets for which the role combination is a proper
subset to the set of all roles that the target participates in.

So for the example above:
A+B sends to P1
B+C sends to P2
A+D sends to P3
A   sends to P1 and P3
B   sends to P1 and P2
C   sends to P2
D   sends to P3
A+C sends to nobody

This would be using the + as an AND symbol, as Andrew had suggested.

Am I way off base here?

If not:

The following definitions come to mind:
- A policy target is defined by a set of roles*.
- A role combination is a set of roles, which in combination, define the
policy target(s) for a policy rule.
- Each policy rule, therefore, must be associated to at least one role
combination.  (In the comments made by Bob and Andrew it seems like there is
wisdom in keeping this a one-to-one association for now and expanding as
needed).
- A policy target, T, is a target of a specific policy rule, P, iff the role
combination, C, associated with P has the following relationship with the
set of ALL roles supported by T, called Tr: C is a proper subset of Tr.

*What is a role then, that it defines a policy target?  Perhaps a
combination (in the discrete math sense) of any standard roles (Ethernet,
Diff-Serv_Interface, etc.) and customer specified roles (Engineering, Sales,
etc.).   So one can posit a set of standard roles that define general
functionality and a set of customer or vendor roles that define partitioning
of a network or vendor differentiator functionality.

This all seems well within the specification put forth by the PCIM draft.

Jon
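
The two readings of "+" that the quoted example and Jon's reply put side by side, as an added Python example (not code from the thread, the PCIM draft or any COPS-PR implementation): `applies_and` treats a role-combination C as a selector that matches a target T only if C is a subset of T's full role set Tr, and `applies_or` sends a rule to any target holding at least one of C's roles. Jon's "proper subset" is taken inclusively here, so a target whose role set equals the combination also matches. The rule names, role names and the targets' role sets are constructed for the example; `over_delivered` lists the deliveries the OR reading makes to targets that lack one of the rule's roles, which is where the conflicts discussed later in the thread come from.

```python
"""Two readings of '+' in a role-combination: AND (subset) versus OR (any role).

Added illustration, not code from the thread, the PCIM draft or any
COPS-PR implementation.  Rule names, role names and the targets' role
sets below are constructed for the example.
"""
from typing import Callable, Dict, FrozenSet, Set

RoleSet = FrozenSet[str]

# Constructed repository: each policy rule is associated with exactly one
# role-combination (the one-to-one association Jon suggests keeping for now).
POLICY_RULES: Dict[str, RoleSet] = {
    "P_eth": frozenset({"Ethernet"}),
    "P_eng": frozenset({"Engineering"}),
    "P_eth_eng": frozenset({"Ethernet", "Engineering"}),
    "P_john": frozenset({"John"}),
}

# Constructed policy targets (interfaces) with the full set of roles each
# one supports, i.e. Jon's "Tr".
TARGETS: Dict[str, RoleSet] = {
    "if1": frozenset({"Ethernet", "Engineering"}),
    "if2": frozenset({"TokenRing", "Engineering"}),
    "if3": frozenset({"Ethernet", "John"}),
    "if4": frozenset({"Ethernet", "Engineering", "John"}),
}

Matcher = Callable[[RoleSet, RoleSet], bool]


def applies_and(combination: RoleSet, target_roles: RoleSet) -> bool:
    """'+' as AND: every role in the combination must be held by the target,
    i.e. C is a subset of Tr.  The subset is taken inclusively here, so a
    target whose role set equals the combination matches too."""
    return combination <= target_roles


def applies_or(combination: RoleSet, target_roles: RoleSet) -> bool:
    """'+' as OR (the reading in the quoted example): the rule is sent
    whenever the target holds at least one role of the combination."""
    return bool(combination & target_roles)


def select_rules(rules: Dict[str, RoleSet], target_roles: RoleSet,
                 applies: Matcher) -> Set[str]:
    """Rules a PDP would send to one target under the chosen reading."""
    return {name for name, comb in rules.items() if applies(comb, target_roles)}


def targets_for(combination: RoleSet, targets: Dict[str, RoleSet],
                applies: Matcher) -> Set[str]:
    """Jon's table read the other way round: which targets a rule bound to
    this role-combination reaches ('A+C sends to nobody' style)."""
    return {name for name, roles in targets.items() if applies(combination, roles)}


def over_delivered(rules: Dict[str, RoleSet],
                   targets: Dict[str, RoleSet]) -> Dict[str, Set[str]]:
    """Rules the OR reading delivers to a target that lacks at least one of
    the rule's roles: deliveries the administrator who wrote the rule for
    the *combination* did not intend."""
    extra: Dict[str, Set[str]] = {}
    for name, roles in targets.items():
        diff = (select_rules(rules, roles, applies_or)
                - select_rules(rules, roles, applies_and))
        if diff:
            extra[name] = diff
    return extra


if __name__ == "__main__":
    for reading, matcher in (("AND", applies_and), ("OR", applies_or)):
        print(f"'+' as {reading}:")
        for target, roles in TARGETS.items():
            print(f"  {target} {sorted(roles)} <- "
                  f"{sorted(select_rules(POLICY_RULES, roles, matcher))}")
    print("over-delivered under OR:", over_delivered(POLICY_RULES, TARGETS))
```

Under the AND reading `if2` (TokenRing+Engineering) receives only `P_eng`; under the OR reading it also receives `P_eth_eng`, a rule written for interfaces that are both Ethernet and Engineering. The difference is the reason the thread wants the valid role-combinations stated explicitly rather than inferred from individual roles.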



From majordomo@raleigh.ibm.com  Wed Feb  2 08:10:17 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA06321
	for <policy-archive@odin.ietf.org>; Wed, 2 Feb 2000 08:10:17 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id IAA19778;
	Wed, 2 Feb 2000 08:06:34 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id IAA31882;
	Wed, 2 Feb 2000 08:06:34 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA56386; Wed, 2 Feb 2000 07:45:46 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA60470; Wed, 2 Feb 2000 07:45:43 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id HAA25786
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 07:45:45 -0500
Received: from relay1.acec.com ([38.249.211.2])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id HAA26880
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 07:45:42 -0500
Received: from bnatale (ppp10.acec.com [38.249.211.63])
	by relay1.acec.com (8.9.3/8.9.3) with ESMTP id HAA15400;
	Wed, 2 Feb 2000 07:43:55 -0500 (EST)
Message-Id: <4.2.2.20000202074455.00b125f8@plymouth.acec.com>
X-Sender: bnatale@plymouth.acec.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Wed, 02 Feb 2000 07:48:26 -0500
To: "Jon Sjoberg" <jsjoberg@TopLayer.com>
From: Bob Natale <bnatale@acecomm.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com
In-Reply-To: <001101bf6d76$130868f0$92ee67c7@blazenet.com>
References: <NBBBJBCFOENOGCNFEDFEKEJHDIAA.gww@nortelnetworks.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Bob Natale <bnatale@acecomm.com>

At 2/2/2000:07:07 AM, Jon Sjoberg wrote:

Hi John,

>I think for a role combination, the way I understand it :), the policy goes
>to only those policy targets for which the role combination is a proper
>subset to the set of all roles that the target participates in.

Yes, that's the way I have understood it too.

><...>
>Am I way off base here?
>
>If not:
>
>The following definitions come to mind:
>- A policy target is defined by a set of roles*.
>- A role combination is a set of roles, which in combination, define the
>policy target(s) for a policy rule.
>- Each policy rule, therefore, must be associated to at least one role
>combination.  (In the comments made by Bob and Andrew it seems like there is
>wisdom in keeping this a one-to-one association for now and expanding as
>needed).
>- A policy target, T, is a target of a specific policy rule, P, iff the role
>combination, C, associated with P has the following relationship with the
>set of ALL roles supported by T, called Tr: C is a proper subset of Tr.

I like that set of defs.

>*What is a role then, that it defines a policy target?

That's good.

>Perhaps a combination (in the discrete math sense) of any standard roles (Ethernet,
>Diff-Serv_Interface, etc.) and customer specified roles (Engineering, Sales,
>etc.).   So one can posit a set of standard roles that define general
>functionality and a set of customer or vendor roles that define partitioning
>of a network or vendor differentiator functionality.

Sounds promising.

>This all seems well within the specification put forth by the PCIM draft.

Excellent...I agree.

Cordially,

BobN
------------ ISO 9001 Registered Quality Supplier -----------
Bob Natale         | ACE*COMM              | 301-721-3000 [v]
Dir, Net Mgmt Prod | 704 Quince Orchard Rd | 301-721-3001 [f]
bnatale@acecomm.com| Gaithersburg MD 20878 | www.acecomm.com
------------- Free downloads at www.winsnmp.com -------------



From majordomo@raleigh.ibm.com  Wed Feb  2 08:26:31 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA07279
	for <policy-archive@odin.ietf.org>; Wed, 2 Feb 2000 08:26:31 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id IAA27146;
	Wed, 2 Feb 2000 08:22:05 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id IAA35654;
	Wed, 2 Feb 2000 08:22:03 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA38212; Wed, 2 Feb 2000 08:01:24 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA59196; Wed, 2 Feb 2000 08:01:21 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id IAA29016
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 08:01:22 -0500
Received: from relay1.acec.com ([38.249.211.2])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id IAA28310
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 08:01:19 -0500
Received: from bnatale (ppp10.acec.com [38.249.211.63])
	by relay1.acec.com (8.9.3/8.9.3) with ESMTP id HAA15454;
	Wed, 2 Feb 2000 07:59:54 -0500 (EST)
Message-Id: <4.2.2.20000202075136.00b19eb0@plymouth.acec.com>
X-Sender: bnatale@plymouth.acec.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 
Date: Wed, 02 Feb 2000 08:04:25 -0500
To: Keith McCloghrie <kzm@cisco.com>
From: Bob Natale <bnatale@acecomm.com>
Subject: Re: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com
In-Reply-To: <200002020928.BAA28149@foxhound.cisco.com>
References: <4.2.2.20000201084640.00b0a308@plymouth.acec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Bob Natale <bnatale@acecomm.com>

At 2/2/2000:04:28 AM, Keith McCloghrie wrote:

Hi Keith,

>So, we agree on the concepts, but not on their names.

The remaining (slight) "disagreement" here is not important,
from my view.

>I agree that A+B is a combination of roles.

Good.  But, yes, I should have gone with "A+C" in my earlier
response to your example...while any one such subset combination
establishes the point I was trying to make (namely, that a role-
combination may be a valid *subset* of all roles supported by a
policy target...e.g., "A+C" in your example), I also agree with
your point that some subsets might not make a valid role-
combination...e.g., "A+B" in your example).

>What you want to call "role-combination" is a superset of my
>definition.

I don't see any significant difference from my perspective...
I feel that that your explanations, plus the latest rounds
from Glenn, Andrew, John, and Jon, have made the point
quite clearly that a valid role-combination may be a subset
of the set of roles supported by a policy target.

>Perhaps, what I call a role-combination could be called a "PEP
>role-combination", whereas A+B is only a "PDP role-combination",
>where the set of "PDP role-combinations" is a superset of the
>set of "PEP role-combinations".

I am not asking that any new terms be introduced.

Thanks.

Cordially,

BobN
------------ ISO 9001 Registered Quality Supplier -----------
Bob Natale         | ACE*COMM              | 301-721-3000 [v]
Dir, Net Mgmt Prod | 704 Quince Orchard Rd | 301-721-3001 [f]
bnatale@acecomm.com| Gaithersburg MD 20878 | www.acecomm.com
------------- Free downloads at www.winsnmp.com -------------



From majordomo@raleigh.ibm.com  Wed Feb  2 12:04:40 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA15381
	for <policy-archive@odin.ietf.org>; Wed, 2 Feb 2000 12:04:40 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id LAA32912;
	Wed, 2 Feb 2000 11:58:36 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id LAA20210;
	Wed, 2 Feb 2000 11:58:37 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA61728; Wed, 2 Feb 2000 11:34:58 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA58134; Wed, 2 Feb 2000 11:34:52 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id LAA30286
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 11:34:55 -0500
Received: from smtprch1.nortel.com (smtprch1.nortelnetworks.com [192.135.215.14])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id LAA27482
	for <policy@raleigh.ibm.com>; Wed, 2 Feb 2000 11:34:51 -0500
Received: from zcard00n.ca.nortel.com (actually zcard00n) 
          by smtprch1.nortel.com; Wed, 2 Feb 2000 10:34:14 -0600
Received: from zcard00b.ca.nortel.com ([47.128.208.105]) 
          by zcard00n.ca.nortel.com 
          with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) 
          id 1DZKZ8GG; Wed, 2 Feb 2000 11:34:08 -0500
Received: from netgww (141.251.80.117 [141.251.80.117]) 
          by zcard00b.ca.nortel.com 
          with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0) 
          id CY2DLDWC; Wed, 2 Feb 2000 11:34:03 -0500
From: "Glenn Waters" <gww@nortelnetworks.com>
To: Keith McCloghrie <kzm@cisco.com>
Cc: policy <policy@raleigh.ibm.com>
Subject: RE: Policy issues: definition of Roles
Date: Wed, 2 Feb 2000 11:36:06 -0500
Message-Id: <NBBBJBCFOENOGCNFEDFEOEKADIAA.gww@nortelnetworks.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <200002020901.BAA27872@foxhound.cisco.com>
Importance: Normal
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Glenn Waters" <gww@nortelnetworks.com>
Content-Transfer-Encoding: 7bit

>     P1 <-- Ethernet, TokenRing;
> 	P2 <-- Engineering;
> 	P3 <-- John
> Fourth, can you associate a role-combination with a policy? I don't know. I
> have heard both yes and no on this thread.

In my view: not directly; only indirectly through the roles contained
within the role combination.
[gww] I'm not sure how to interpret the word indirectly, does it mean that
the way a role-combination is stored is by referencing a set of roles?

[...]
> So far I have just shown what is in the repository. Now to continue on with
> the example let's add a COPS-PR client and policy server to the picture.
> Let's say the COPS-PR client connects to the server and reports the
> following role-combinations:
>
>       Ethernet+Engineering, TokenRing+Engineering, and Ethernet+John
>
> One could say that for each role-combination you send any policy that
> contains any one of the roles in the role-combination. So for example the
> following would be sent for the three role-combinations:
>
>       A+B sends P1, P2 since P1 contains A/B and P2 contains B
>       B+C sends P1, P2 since P1 contains B  and P2 contains B/C
>       A+D sends P1, P3 since P1 contains A and P3 contains D

While this looks OK, I cannot say for sure because I'm not certain how you
define A, B, C and D.
[gww] Ooops. I changed labels at the last minute and missed these A, B...
They should be:
	A = Ethernet, B = TokenRing, C = Engineering, and D = John
Thus:
    Ethernet+Engineering sends P1, P2 since P1 contains Ethernet  and P2
contains Engineering
    TokenRing+Engineering sends P1, P2 since P1 contains TokenRing  and P2
contains Engineering
    Ethernet+John sends P1, P3 since P1 contains Ethernet and P3 contains
John

> Now, one problem with this (as Keith says, and I agree) is that conflict
> detection is done in the policy server and an operator is not there to

Do you mean "... in the policy server, rather than in the PEP where an
operator ..." ?
[gww] I am saying that, assuming that role-combinations are not stored in
the repository, then conflict detection cannot be performed when the policy
is entered into the repository since there is no notion of the
role-combinations at that point.
If the role-combinations were modeled/stored then an operator could look for
conflicts. If you model the role-combination then what should happen when a
role-combination is reported from a COPS-PR client that has not been
modeled. Two things could happen: you put together the policies in the way
described above and send them out or you could say that there are no
policies modeled against that requested role-combination.

> correct a conflict when it occurs.  The advantage of the above approach is
> that the administrator does not need to know a priori what all the role
> combinations will be.
>
> Further, to the above, Keith suggests that we model the role combinations in
> the repository so that we can combine the policies and the administrator can
> look for the conflicts before an attempt is made to send the combined
> policies to the COPS-PR client.
>
> Now I have seen on this list alternative interpretations of
> role-combination. I don't think I have seen consensus.
>
> So, what did I get right and what did I get wrong in this scenario.

Just about everything, in my view :-).
[gww] I guess I understand better than I thought if I got everything right
:)

Keith.
Thanks,  /gww



From majordomo@raleigh.ibm.com  Thu Feb  3 09:23:30 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA18748
	for <policy-archive@odin.ietf.org>; Thu, 3 Feb 2000 09:23:30 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id JAA23516;
	Thu, 3 Feb 2000 09:20:53 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id JAA33054;
	Thu, 3 Feb 2000 09:20:52 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA38216; Thu, 3 Feb 2000 09:01:59 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35900; Thu, 3 Feb 2000 09:01:57 -0500
Received: from southrelay02.raleigh.ibm.com (southrelay02.raleigh.ibm.com [9.37.3.209])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id JAA03518
	for <policy@raleigh.ibm.com>; Thu, 3 Feb 2000 09:01:59 -0500
From: remoore@us.ibm.com
Received: from d54mta04.raleigh.ibm.com (d54mta04.raleigh.ibm.com [9.67.228.36])
	by southrelay02.raleigh.ibm.com (8.8.8m2/NCO v2.06) with SMTP id JAA55348
	for <policy@raleigh.ibm.com>; Thu, 3 Feb 2000 09:01:57 -0500
Received: by d54mta04.raleigh.ibm.com(Lotus SMTP MTA v4.6.5  (863.2 5-20-1999))  id 8525687A.004D14CC ; Thu, 3 Feb 2000 09:01:55 -0500
X-Lotus-Fromdomain: IBMUS
To: policy@raleigh.ibm.com
Message-Id: <8525687A.004D0BA1.00@d54mta04.raleigh.ibm.com>
Date: Thu, 3 Feb 2000 08:58:30 -0500
Subject: RE: Policy issues: definition of Roles
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: remoore@us.ibm.com



It's occurred to me, as I've watched the *lengthy* series of notes
on this topic, that PolicyKeywords may be just a bit too lean to
capture all that we want to capture about roles and role
combinations.  Recall that PolicyKeywords is already doing two
(really, three) jobs in the PCIM:

  - returning architected values representing the policy
    categories listed in section 2 of the document;
  - returning the special architected value "POLICY" for the
    benefit of those implementations that don't return class
    information correctly - this is the third job I alluded to;
  - returning installation-specific keywords that an administrator
    might define to help get the right policies to the right PDPs.

For all of these uses, there are implicit OR semantics:  policies
are flagged with individual keywords, and a policy qualifies as
flagged so long as the flagging keyword appears somewhere in its
PolicyKeywords list.

Given these semantics, we're going to need something other than
PolicyKeywords to represent roles / role combinations *if* we
want role combinations to work the same way on the "hop" between
the Policy Repository and the PDP as they do on the "hop" between
the PDP and the PEP.  Here's a possible solution:

1. Define a new multivalued property PolicyRoles, either in the
   abstract class Policy, or in its subclass PolicyRule.

2. The semantics for this property would state that each value
   identifies a role combination, i.e., a set of one or more
   role names that are ANDed together to form a single selector.
   This could be accomplished with a string syntax of the form

     <RoleName>[&&<RoleName>]*

   where the individual role names must appear in alphabetical
   order (according to whatever collating sequence the IETF would
   like us to use) to make the string matches work correctly.

3. The multiple values for PolicyRoles would be logically ORed,
   to allow a policy to be associated with multiple independent
   roles / role combinations.

4. Individual role names would be installation-specific, i.e.,
   assigned by an administrator.  It's tempting to try to define
   a "starter set" of role names in the PCIM, but I think we'll
   always have to leave the door open for installation-specific
   ones as well.  Given that this is the case, it's simpler just
   to say that they're all installation-specific.

What do people think?  Since we're attaching so much significance
to them, I like the idea of moving roles out of the generic
PolicyKeywords bucket.  Does this sound like something we should
add to the PCIM?

Regards,
Bob

Bob Moore
IBM Networking Software
+1-919-254-4436
remoore@us.ibm.com
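
The PolicyRoles proposal above, worked as an added Python example (not code from the PCIM draft or any implementation): each value is parsed from the `<RoleName>[&&<RoleName>]*` syntax, put into the sorted canonical form so that string matches agree, ANDed within one value and ORed across values. It also shows the two ways a PDP can answer the question Glenn raised earlier about a role-combination reported by a COPS-PR client that nobody modeled: an exact match on the canonical string finds no policies, while subset matching assembles them from the rules for the combinations it contains. The rules, role names, the character class allowed in a role name and the reported combinations are constructed assumptions.

```python
"""PolicyRoles: one multivalued property holding role combinations.

Added illustration of the proposal in the note above, not code from the
PCIM draft or any implementation.  The '&&' separator, the sorted-name
canonical form and the AND-within / OR-across-values semantics follow
the note; the rules, role names, the role-name character class and the
reported combinations are constructed assumptions.
"""
import re
from typing import Dict, FrozenSet, List, Set

SEPARATOR = "&&"
# Assumption: a role name is a non-empty run of letters, digits, '_' or '-'
# (enough for "Diff-Serv_Interface"); the note leaves the name syntax open.
_ROLE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed repository: rule name -> list of PolicyRoles values.
RULES: Dict[str, List[str]] = {
    "P_eth": ["Ethernet"],
    "P_eng": ["Engineering"],
    "P_eth_eng": ["Engineering&&Ethernet"],   # one combination, two ANDed roles
    "P_john_or_sales": ["John", "Sales"],     # two values, ORed
}


def parse_role_combination(value: str) -> FrozenSet[str]:
    """Parse one '<RoleName>[&&<RoleName>]*' value into a set of role names.

    Rejects empty or malformed names ('Ethernet&&', '&&Engineering',
    'Eng neering'), so a mistyped value fails when it is entered instead
    of silently matching nothing."""
    roles: Set[str] = set()
    for name in value.split(SEPARATOR):
        if not _ROLE_NAME.match(name):
            raise ValueError(f"malformed role name {name!r} in PolicyRoles value {value!r}")
        roles.add(name)
    return frozenset(roles)


def is_valid_value(value: str) -> bool:
    """Entry-time check an administrator's tool would run on a new value."""
    try:
        parse_role_combination(value)
    except ValueError:
        return False
    return True


def canonical(value: str) -> str:
    """Canonical string form: role names sorted and re-joined with '&&'.

    Plain code-point order stands in for the collating sequence the note
    leaves to the IETF; whichever order is chosen, both sides must use it."""
    return SEPARATOR.join(sorted(parse_role_combination(value)))


def index_by_canonical(rules: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Exact-match index keyed on the canonical form of every value."""
    index: Dict[str, Set[str]] = {}
    for name, values in rules.items():
        for value in values:
            index.setdefault(canonical(value), set()).add(name)
    return index


def exact_lookup(index: Dict[str, Set[str]], reported: str) -> Set[str]:
    """Rules whose PolicyRoles value is exactly the reported combination.

    A combination nobody modeled in the repository finds nothing here."""
    return set(index.get(canonical(reported), set()))


def rule_applies(values: List[str], reported: FrozenSet[str]) -> bool:
    """Values are ORed; within a value the role names are ANDed, i.e. every
    name in the value must be among the roles the PEP reported."""
    return any(parse_role_combination(v) <= reported for v in values)


def select_rules(rules: Dict[str, List[str]], reported_value: str) -> Set[str]:
    """Subset matching: assemble the policies for a reported combination from
    every rule whose combination it contains, modeled or not."""
    reported = parse_role_combination(reported_value)
    return {name for name, values in rules.items() if rule_applies(values, reported)}


if __name__ == "__main__":
    index = index_by_canonical(RULES)
    for reported in ("Ethernet&&Engineering", "Engineering&&Ethernet&&John",
                     "TokenRing&&Engineering"):
        print(reported, "->", canonical(reported))
        print("  exact :", sorted(exact_lookup(index, reported)))
        print("  subset:", sorted(select_rules(RULES, reported)))
```

Without canonicalization, `Ethernet&&Engineering` and `Engineering&&Ethernet` are different strings and the exact match silently misses; with it, both map to `Engineering&&Ethernet`. Which of the two lookups a PDP should use is exactly the choice Glenn left open: exact matching reports that no policies are modeled for an unexpected combination, subset matching composes them and leaves any conflict between the composed rules to be detected at the PDP.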




From majordomo@raleigh.ibm.com  Thu Feb  3 23:37:43 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA07412
	for <policy-archive@odin.ietf.org>; Thu, 3 Feb 2000 23:37:43 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id XAA28600;
	Thu, 3 Feb 2000 23:34:16 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id XAA25864;
	Thu, 3 Feb 2000 23:34:16 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA22224; Thu, 3 Feb 2000 23:18:18 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA61358; Thu, 3 Feb 2000 23:18:09 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id XAA27804
	for <policy@raleigh.ibm.com>; Thu, 3 Feb 2000 23:18:09 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id XAA28026
	for <policy@raleigh.ibm.com>; Thu, 3 Feb 2000 23:18:00 -0500
Received: from jstrassn-lt ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id UAA17736;
	Thu, 3 Feb 2000 20:16:57 -0800 (PST)
Message-Id: <4.2.0.58.20000130222033.00a1e700@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Sun, 30 Jan 2000 23:21:59 -0800
To: John Schnizlein <jschnizl@cisco.com>, Ed_Ellesson@tivoli.com,
        policy@raleigh.ibm.com
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: Re: WG Last Call: draft-ietf-policy-core-info-model-03.txt
Cc: johns@cisco.com
In-Reply-To: <4.1.20000127143233.00b4be00@diablo.cisco.com>
References: <8625686C.0062EFE6.00@tivmta4.tivoli.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

Comments inline.

regards,
John

At 08:42 AM 1/28/00 -0500, John Schnizlein wrote:
>At 03:58 PM 01/20/2000 -0500, Ed_Ellesson@tivoli.com wrote:
> >
> >Unless there are strong objections, we would like to consider
> >this draft of the document to be the final one, before moving it
> >forward for proposed standard status.
>
>One problem is that this draft references an expired draft:
>draft-strassner-policy-terms-02.txt according to an IETF.org query.

<jcs> That's a goof, we'll remove it. </jcs>

>Page 4:
>    One way to think of a policy-controlled network is to first model the
>    network as a state machine and then use policy to control which state
>    a policy-controlled device should be in or is allowed to be in at any
>    given time.  Given this approach, policy is applied using a set of
>    policy rules.
>The state-machine model was repudiated when questions were asked
>as to how the information model relates to the state transition
>table. What is the relationship between the "policy rules" and
>the states and transitions of a state machine?

<jcs>
Please see my response to Ken and Walter. Since the state machine analogy 
caused confusion, I removed it in the proposed text.

>Pages 6 & 7:
>    Policies represent business goals and objectives.  A translation must
>    be made between these goals and objectives and their realization in
>    the network. An example of this could be a Service Level Agreement
>    (SLA), and its objectives and metrics (Service Level Objectives, or
>    SLOs), that are used to specify services that the network will provide
>    for a given client [8].  The SLA will usually be written in high-level
>    business terminology. SLOs address more specific metrics in support of
>    the SLA. These high-level descriptions of network services and metrics
>    must be translated into lower-level, but also vendor- and device-
>    independent specifications. The Policy Core Information Model classes
>    are intended to serve as the foundation for these vendor- and device-
>    independent specifications.
>This terminology does not reflect the distinction between SLA
>and SLS negotiated in the diffserv WG draft-ietf-diffserv-new-terms-01.txt.

<jcs>
I don't think it should. That terminology was negotiated specifically for 
DiffServ, and will undoubtedly be modified for IPSP and other groups that 
want to use the PFCIM. The PFCIM is, after all, supposed to be general and 
not tied directly to DiffServ.

So what I think is needed here is to keep these general definitions and 
then show how they can be related to the more specific usage by DiffServ 
and other groups.

Specifically, this document does not use the term SLS, it instead uses the 
term SLO. So the only conflict is between the definition of SLA. In 
DiffServ, SLA is defined as "...service contract... that specifies the 
forwarding service a customer should receive". The only difference is that 
this definition of SLA says "...usually be written in high-level business 
terminology." This does not conflict with the DiffServ definition. Thus, 
all we need to do is to reference the DiffServ definition and tie it into 
the above.
</jcs>

>More significantly, it is still not clear how policy specifications are
>translated into device configuration specifications or how the nature of
>the network devices or their interconnection interacts with policy in this
>translation.

<jcs>
This is a valid concern, but one that is not applicable to the PFCIM. This 
is because the purpose of the PFCIM is to define a general framework of 
classes that can be used to generically express the structure of a policy 
rule. The translation into specific device configurations is not the goal 
of the PFCIM, nor can it be expressed in the PFCIM, since this is by 
definition specific to a particular type of domain (e.g., DiffServ vs. 
DHCP). This is instead the goal of other drafts (e.g., the QoS drafts). 
Therefore, this concern should be addressed when (for example) the QoS 
drafts go to Last Call. In fact, it should be addressed any time the PFCIM 
is used in conjunction with other drafts to express policy for a particular 
domain.
</jcs>

>While the distinction between procedural and declarative forms are explored,
>compelling justification is not given for the "if (condition) then <action>"
>form of rules. Might we be better served by extending the style of rule
>already used in Steven Bellovin's Distributed Firewalls paper?
>http://www.research.att.com/%7Esmb/papers/distfw.html
>Rules like this might ease coordination with the Security Policy WG.
>Instead of either procedural or declarative program statements, a form more
>analogous to "invariant" statements would reflect the situation that the
>policy is intended to maintain. The tradition of invariant statements in
>program verification suggests that this form might help with the difficult
>task of verifying that a set of rules specifies what is intended.

<jcs>
The "if <condition> then <action>" form of rules has been accepted now for 
over a year, and it troubles me that we now seek a need to rethink this. 
That being said, what is important in the PFCIM is the set of building 
blocks, in the form of classes, attributes and relationships, that can be 
used to define the structure of a policy. Steve's examples can be 
represented by the constructs defined by the PFCIM. So perhaps what is 
called for is NOT to rewrite the PFCIM in terms of Steve's or another 
person's alternative representation, but rather to show how different 
representations are equivalent. This way everyone wins.
</jcs>

>Page 13:
>Why is over a page devoted to the distinction between "rule specific"
>and "reusable" policy conditions and actions despite the assertion that
>   "There is no inherent difference between a rule-specific condition or
>    action and a reusable one. "

<jcs>
I respectfully submit that this statement is being taken out of context. 
Earlier, the text says:

   It is important to understand that the difference between a rule-
   specific condition or action and a reusable one is based on the intent
   of the policy administrator for the condition or action, rather than
   on the current associations in which the condition or action
   participates.

The statement that you are referencing was intended to underscore the fact 
that a condition or action that is initially defined as reusable may be 
turned into a rule-specific condition or action, and vice-versa. The 
difference is not one of functionality, but how the rule is stored. This is 
why text was devoted to explaining this and other differences in using 
rule-specific vs. reusable conditions and actions.

So as a compromise, how about adding text to the problem statement 
identified above that states this? Would your concern be satisfied by doing 
this?
</jcs>

>Page 15: Roles
>    The concept of role is central to the design of the entire Policy
>    Framework.
>But, as was pointed out in the Policy Terms BOF in Washington, roles
>are associated with principals rather than with resources in much of
>the security policy discussion.

<jcs>
Roles can be associated with either, and the PFCIM is designed to handle 
either. I'm sorry, but I'm missing your point here.
</jcs>

>The isolation (indirect reference) of "roles" as arbitrary strings
>associated with resources (interfaces in many discussions) is presented
>as a virtue. But it seems that hiding the particular abilities of policy
>enforcement points makes it harder to determine if policy is in effect.
>Does this "role" really facilitate building a policy system?

<jcs>
Please see my earlier note in reply to Walter and Ken. Roles should not be 
viewed as "just attributes", but rather as a selector. Therefore, their 
purpose is not to hide or abstract anything. Rather, their purpose is to 
select a subset of applicable policies from a larger set of available 
policies. So in this sense, it very much facilitates building a policy system.

>An architectural diagram is included in this draft proposed for
>standards track despite the controversy that has delayed progress on a
>framework document. Would passing "last call" on this document imply
>approval of the architecture we have not agreed on in the framework?

<jcs>
I can only assume that you are referring to Figure 4, which everyone has 
agreed to already. However, we could insert words emphasizing that this is 
an example only, and is not meant as a standard architecture. Would that 
satisfy your concerns?
</jcs>

>As a related question, what happened to the apparent consensus of the
>room that we should agree on terms, policy use cases, and requirements
>before progressing a model that supposedly addresses them?

<jcs>
Granted, we rushed ahead on the role term. But what other terms does this 
document define that are controversial?

We did have agreement on the policy use cases; the cry was for more, and to 
separate the requirements from the use cases. No requirements were set 
against the PFCIM (I'm not sure how any specific requirements COULD be set 
against it, except to try to ensure its generality). So I'm not sure that 
we violated anything here...

Furthermore, it is the opinion of the co-chairs that we need to progress 
the core information model in order to put a stake in the ground. Having no 
stakes in any ground has been one of the reasons that have made it hard to 
nail things down. So I think that progressing this document is a Good Thing.
</jcs>

>Pages 20 - 59: CIM Data Types
>No justification is provided for the host of decisions made in CIM, and
>reflected in the detailed specification of its classes and attributes.
>In particular, why is a different representation of time periods used
>than in (standards track) RFC 2445?
>This begs the question if (which of) the attribute syntaxes correspond
>to syntax already specified as standard in the IETF.
>
>This line of questions leads to the more general concern that a lot of
>detailed specification is proposed for IETF standards track on little
>more than the indication that the CIM group of the DMTF developed it.
>It is still not clear if this facilitates or hinders mutual support
>policy configuration efforts across areas of IETF interest.

<jcs>
I honestly don't know how to respond to a rhetorical question like this. 
CIM represents a general object-oriented information model, and many people 
from many different standards bodies have spent a lot of time working on 
it. There are deployed systems using it.

If you look at the CIM models, you will see that CIM attributes reference 
IETF MIB variables when appropriate. It has a special qualifier that is 
used explicitly for this. CIM is not trying to provide an alternative 
standard, set of syntaxes, or any other "nefarious" contrivance. It is 
simply trying to describe a managed domain in an object-oriented way. When 
appropriate, it will reuse IETF and possibly other standard information to 
achieve this goal.

With respect to your question about 2445, this document uses RFC 2591 as a 
way to represent some of its data. We thought that that RFC was well suited 
to expressing what we wanted.

Finally, imho, the only way to develop mutual support of policy 
configuration efforts across different areas of the IETF is to put a stake 
in the ground and encourage people to use it. The PFWG has been trying to 
do this for over a year, and imho it's a little late to question the 
foundation of the class design after we've been working for over a year on it.
</jcs>


>John



From majordomo@raleigh.ibm.com  Thu Feb  3 23:42:19 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA07461
	for <policy-archive@odin.ietf.org>; Thu, 3 Feb 2000 23:41:56 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id XAA05046;
	Thu, 3 Feb 2000 23:34:16 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id XAA22442;
	Thu, 3 Feb 2000 23:34:15 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA61656; Thu, 3 Feb 2000 23:18:18 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA46002; Thu, 3 Feb 2000 23:18:09 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id XAA23200
	for <policy@raleigh.ibm.com>; Thu, 3 Feb 2000 23:18:09 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id XAA23460
	for <policy@raleigh.ibm.com>; Thu, 3 Feb 2000 23:18:05 -0500
Received: from jstrassn-lt ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id UAA17746;
	Thu, 3 Feb 2000 20:17:03 -0800 (PST)
Message-Id: <4.2.0.58.20000130153819.00bacbb0@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Sun, 30 Jan 2000 15:51:03 -0800
To: "Jon Sjoberg" <jsjoberg@TopLayer.com>, <policy@raleigh.ibm.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: Re: Policy Framework Core Information Model -- Version 1
In-Reply-To: <NDBBIAJPECLMAGIKKEJGEECFCAAA.jsjoberg@toplayer.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

Hi Jon, comments inline.

regards,
John

At 05:45 PM 1/25/00 -0800, Jon Sjoberg wrote:
>A few comments on the draft: "Policy Framework Core Information Model --
>Version 1 Specification".
>
>1.)
>The general view that I get from the draft is that policy (as currently
>being focused on by this WG, not in the most general sense) is being made to
>apply to the aggregation of a client and some network behavior.

<jcs>
Forgive me if I haven't had enough coffee yet ;-) but I fail to see how 
your examples listed below are different than, as you put it, aggregating a 
client and some network behavior. For example, if I look at the first 
example, I see a client (paying_customers), the traffic from that client 
(HTTP traffic ending up on landsend.com) and network behavior (priority 
treatment from special_servers).
</jcs>

>The following statement, from the draft, sums up the "feeling" that I get:
>"Service policies describe services available in the network. Usage policies
>describe the particular binding of a client of the network to services
>available in the network."
>
>Often the draft uses examples like "so-and-so gets gold service" or "use
>this scheme on this interface."  I appreciate these are only examples, but
>they also further my opinion that this draft focuses on a simple
>aggregation.

<jcs>
But that same page defines other types of policies (e.g., Configuration and 
Installation policies) that have nothing to do with aggregating clients.

So if I'm reading you right, you're objecting to the emphasis of examples 
that focus on binding a client (human or otherwise) to a network service. 
Is that correct? If so, I'd be happy to add additional examples to balance 
things out. If not, please explain again.
</jcs>

>What I'm looking at is policies such as:
>All HTTP traffic from paying_customers for landsend.com gets priority
>network treatment from special_servers.
>All HTTP traffic from browsing_customers for landsend.com gets priority
>network treatment from unwashed_masses_servers.
>All FTP retr traffic for landsend.com gets bulk-transfer network treatment
>from unwashed_masses_servers.
>All FTP stor traffic for landsend.com gets denied network treatment.

<jcs>
All of these seem to fit the mold of client binding to network service. As 
another example, in the last example, the FTP traffic is generated by some 
person or application operated on behalf of a person (e.g., a client) and 
the service is, in this case, being denied.
</jcs>

>Clearly these can be represented as condition/action policy rules.  What I'm
>not so clear on is all the other stuff that goes around these policy rules.
>What policy keywords or roles are appropriate for these policies?  Where
>does the definition of HTTP, paying_customers, FTP, etc. fit into the
>repository or do they (I think I remember one incarnation of this draft or
>the LDAP schema that sort of addressed this)?  Can some one enlighten me!
>Thanks.

<jcs>
The policy keywords, roles, etc. that are appropriate for these types of 
policies will necessarily be different for each application. The PFCIM 
designated a small set of keywords and roles to standardize common, 
high-level concepts. If you look at these (pg 22), you'll see that they 
correspond to the types of policies that are described on page 6 (with 
"unknown" being a general catch-all).

So, for the above example, if you treat a role as a selector, then you 
would want to define a set of policies that would select HTTP traffic and 
at least one other attribute (e.g., the set of IP addresses that map to 
landsend.com). Likewise, keywords are used to speed up searches, 
so you would define a set of keywords that would help you locate policy 
rules, conditions, actions, etc.
</jcs>

>2.)
>Usage of the CIM notation seems to add to the complexity of the problem
>domain and to the complexity of this draft.  A conservative estimate of 15
>percent of the document is devoted to describing CIM work-arounds, CIM
>attributes that add no direct value (my opinion) to the problem domain, and
>CIM "quarks".  Given that our intended protocol is LDAP, is there enough
>value to the CIM notation to use it instead of some other more robust OO
>representation (UML, Shlaer-Mellor, etc.)?  I'm not suggesting holding up
>last call over this (lest I get shot), but perhaps we could re-work the
>draft to track tighter to the essential complexity of the problem?

<jcs> Already covered in another email I sent. </jcs>


>Jon
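As an added example (not code from the PCIM draft or from anyone on this thread), the following models John's two points above: roles act as a selector that picks the subset of rules applying to a resource, and keywords index rules for search. It also shows the reusable-vs-rule-specific distinction from the earlier reply to Fran: a reusable condition is one object referenced by several rules, a rule-specific one is defined inline for a single rule. The rules are Jon's four landsend.com policies; the class names echo PCIM vocabulary, while the traffic-record fields, role names ("special_servers", "unwashed_masses_servers", "landsend_edge") and address sets are assumptions constructed for the example, and the keywords are values from the PolicyKeywords enumeration quoted later in this thread.

```python
"""PCIM-style policy store: roles as selectors, keywords as a search index.
Added example; class names echo PCIM vocabulary, everything else is
constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Traffic = Dict[str, object]

# Constructed sample data standing in for a directory lookup.
PAYING_CUSTOMERS = frozenset({"10.0.0.5", "10.0.0.6"})
LANDSEND_ADDRS = frozenset({"192.0.2.10", "192.0.2.11"})


@dataclass(frozen=True)
class PolicyCondition:
    name: str
    test: Callable[[Traffic], bool]


@dataclass(frozen=True)
class PolicyAction:
    name: str
    treatment: str  # constructed values: "priority", "bulk", "deny"


@dataclass(frozen=True)
class PolicyRule:
    name: str
    roles: FrozenSet[str]                    # role combination selecting the rule
    conditions: Tuple[PolicyCondition, ...]  # ANDed
    actions: Tuple[PolicyAction, ...]
    keywords: FrozenSet[str]                 # PolicyKeywords values, for search
    priority: int = 0


# Reusable conditions: one object referenced by several rules. Making one
# rule-specific is just inlining it into a single rule; the test it performs
# does not change, only where it is stored.
IS_HTTP = PolicyCondition("is_http", lambda t: t["proto"] == "tcp" and t["dport"] == 80)
IS_FTP_RETR = PolicyCondition("is_ftp_retr", lambda t: t["dport"] == 21 and t.get("ftp_cmd") == "RETR")
IS_FTP_STOR = PolicyCondition("is_ftp_stor", lambda t: t["dport"] == 21 and t.get("ftp_cmd") == "STOR")
TO_LANDSEND = PolicyCondition("to_landsend", lambda t: t["dst"] in LANDSEND_ADDRS)


class PolicyRepository:
    def __init__(self) -> None:
        self._rules: List[PolicyRule] = []

    def add(self, rule: PolicyRule) -> None:
        self._rules.append(rule)

    def select(self, resource_roles: FrozenSet[str]) -> List[PolicyRule]:
        """Role combination as a selector: a rule applies to a resource only
        when every role in the rule's combination is held by that resource."""
        return [r for r in self._rules if r.roles <= resource_roles]

    def search(self, keyword: str) -> List[str]:
        """Keyword index: locate rules without evaluating any condition."""
        return [r.name for r in self._rules if keyword in r.keywords]

    def referencing(self, cond: PolicyCondition) -> List[str]:
        """Rules that reference a reusable condition by identity."""
        return [r.name for r in self._rules if any(c is cond for c in r.conditions)]

    def decide(self, resource_roles: FrozenSet[str], traffic: Traffic) -> Optional[str]:
        """Treatment for one traffic record on a resource holding the given
        roles, or None when no selected rule has all its conditions true."""
        matches = [r for r in self.select(resource_roles)
                   if all(c.test(traffic) for c in r.conditions)]
        if not matches:
            return None
        return max(matches, key=lambda r: r.priority).actions[0].treatment


def build_repository() -> PolicyRepository:
    """Jon's four landsend.com policies as rules. Interfaces facing the two
    server pools carry 'special_servers' or 'unwashed_masses_servers' plus
    the shared role 'landsend_edge' (constructed role names)."""
    # Rule-specific condition: defined inline, used by this rule alone.
    from_paying = PolicyCondition("from_paying", lambda t: t["src"] in PAYING_CUSTOMERS)
    repo = PolicyRepository()
    repo.add(PolicyRule("paying_http_priority", frozenset({"special_servers"}),
                        (IS_HTTP, TO_LANDSEND, from_paying),
                        (PolicyAction("prio", "priority"),), frozenset({"USAGE"})))
    repo.add(PolicyRule("browsing_http_priority", frozenset({"unwashed_masses_servers"}),
                        (IS_HTTP, TO_LANDSEND),
                        (PolicyAction("prio", "priority"),), frozenset({"USAGE"})))
    repo.add(PolicyRule("ftp_retr_bulk", frozenset({"unwashed_masses_servers"}),
                        (IS_FTP_RETR, TO_LANDSEND),
                        (PolicyAction("bulk", "bulk"),), frozenset({"USAGE"})))
    # The deny rule is selected on every landsend_edge interface and outranks
    # the others, so a STOR never picks up a treatment from a USAGE rule.
    repo.add(PolicyRule("deny_ftp_stor", frozenset({"landsend_edge"}),
                        (IS_FTP_STOR, TO_LANDSEND),
                        (PolicyAction("deny", "deny"),), frozenset({"SECURITY"}), priority=100))
    return repo


# Role sets held by the two kinds of interface (constructed).
SPECIAL = frozenset({"landsend_edge", "special_servers"})
MASSES = frozenset({"landsend_edge", "unwashed_masses_servers"})
```

Note that the binding from a role name to the actual interfaces holding it is outside this store, which is exactly the point Walter raises further down the thread.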



From majordomo@raleigh.ibm.com  Sun Feb  6 20:04:52 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA14031
	for <policy-archive@odin.ietf.org>; Sun, 6 Feb 2000 20:04:48 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id UAA04922;
	Sun, 6 Feb 2000 20:01:14 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id UAA28730;
	Sun, 6 Feb 2000 20:01:16 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA34946; Sun, 6 Feb 2000 19:37:36 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA61562; Sun, 6 Feb 2000 19:37:33 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id TAA04236
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 19:37:35 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id TAA24940
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 19:37:31 -0500
Received: from jstrassn-lt ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id QAA16156;
	Sun, 6 Feb 2000 16:36:21 -0800 (PST)
Message-Id: <4.2.0.58.20000206162027.00bea3c0@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Sun, 06 Feb 2000 16:37:17 -0800
To: "Jon Sjoberg" <jsjoberg@TopLayer.com>,
        "John C. Strassner" <jstrassn@cisco.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy Framework Core Information Model -- Version 1
Cc: <policy@raleigh.ibm.com>
In-Reply-To: <NDBBIAJPECLMAGIKKEJGGECKCAAA.jsjoberg@toplayer.com>
References: <4.2.0.58.20000129221737.00a6d100@omega.cisco.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_170204821==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

--=====================_170204821==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

Comments inline, look for <js>...</js>

regards,
John

At 06:57 AM 1/31/00 -0800, Jon Sjoberg wrote:
>John,
>
> > So I personally would be happy to help rework the draft to "track
> > tighter",
> > as you put it, but in order to do that I need specific examples,
> > especially
> > concerning its not being compliant with UML. SO please supply
> > examples, and
> > I'll give it a shot.
>
>Here is a list of differences between CIM and UML.  If you need any help
>re-working this, let me know.
>
>1.) We don't use the inheritance of associations, so it is just more words
>that add little value to our problem.   Let's lop it out of the document.

<js> Respectfully, that is incorrect if you look at (especially) the latest 
release of the UML spec. Associations can be AssociationClasses, which have 
the combined semantics of associations and classes. From the spec:

    "The AssociationClass construct can be expressed in a few
           different ways in the metamodel (e.g., as a subclass of
           Class, as a subclass of Association, or as a subclass
          of Classifier)."

Furthermore, implementing an association as a class, as is done in both CIM 
and DEN, is an elegant way to maximize the use of object-oriented design. 
If you look at CIM or DEN, you'll see the association inheritance is 
critical in defining specialized associations in the model. Furthermore, 
since associations have properties and methods (which are essential to 
being viewed as classes) why wouldn't they also have inheritance?
</js>

>2.) Associations with attributes are not used in UML and seem unnecessary.

<js>
I beg to differ. I've seen it used in many applications besides CIM and 
DEN. Please refer back to the UML spec, where it says that associations can 
be implemented as classes.
</js>

>Standard information modeling says:
>     For one to many associations the key attribute(s) of the association go
>to the one.
>     For the one to one association the key attribute(s) can go to either.
>     For the many to many associations then there is an associating object
>that can hold the key attributes plus any other attributes of the
>association (the only case that is somewhat like the current "associations
>with attributes").
>
>This eliminates a whole nest of sections on associations and provides just
>secondary key attributes.  Note that where the association keys go is just
>an analysis tool and has NO relevance on the implementation.

<js>
That is implementation-dependent. Look at the CIM and DEN models, which 
provide precedent for this feature.
</js>

>3.) CreationClassName:  Do we need this?  I understand why CIM uses it, but
>UML uses the concept of categories to provide name scoping.  We have the
>category of the base PCIM.  All names within it are scoped to be unique
>(PCIM.PolicyGroup).  There is a whole paragraph plus a bunch of attribute
>descriptions for CreationClassName that are not part of the essential
>problem.  Perhaps the UML category idea would be lighter weight?  Besides,
>in all honesty, I don't quite get the whole "weak association" thing but
>what I do get leads me to believe it is not intrinsic in the policy problem.

<js>
It's always nice to know what type of class an instance is. So I think we 
need this regardless of implementation.

If we want backward compatibility to the CIM 2.2 model, we definitely need 
this. And note that PCIM uses CreationClassName as part of its scoping, so 
your argument is somewhat circular.

Finally, weak associations simply mean that the non-weak entity provides 
scoping for the weak entity. Think of a service running on a system. The 
service (e.g., BGP) can't simply exist in the ether ;-), it has to be 
hosted by some entity. In this case, it would be hosted by a router 
interface, which is part of a system. So, the BGP service is weak to the 
router system, which means that the keys used to define the service must 
include keys propagated from the system. Stated another way, the system 
helps determine the name of the service, so you can identify and 
distinguish between different instances of the same service.
</js>

>The above three deviations from UML add, what I would consider,
>non-essential complexity to the document.

<js> I disagree. There are no deviations from UML (except for the 
additional concept of a weak relationship). CreationClassName is simply an 
attribute that has been uniformly used to help distinguish an instance, 
which is, imho, a Good Thing.
</js>

><soap box>
>If, as Ed implied, we are using CIM to play nicely with others, then there
>is merit in that.  To minimize the impact on us, perhaps we could move some
>of the CIM specific text to appendices, just refer to the CIM modeling
>language document (if it is publicly available), or a combination of the
>two.

<js> The CIM meta-model and spec are publicly available. </js>

>If we are using CIM because it is the modeling tool best known by the
>authors, I would assert that it is not the best tool for the job.  UML would
>be better, Shlaer-Mellor would be best.

<js> CIM is not a modeling tool, it is an information model. </js>

>NON-SEQUITUR:  UML is not a bunch of boxes and arrows and therefore the use
>of boxes and arrows does not make it UML.  UML is an approach to system
>architecture, design, and even, to extremes, implementation.  CIM is NOT
>UML, or even very much like UML.  This does not mean CIM is evil, but on
>several occasions I have heard the statement the CIM is UML (or so similar
>as for there to be no distinction) as a defense.  This statement is
>inaccurate and should probably not be used.
></soap box>

<js>
Of course CIM isn't UML, I completely agree. However, I do assert that CIM 
uses portions of UML to document its information model.

You happen to be in the minority of people that really grok what UML is. 
Many people do misuse the term UML. I'll try and encourage a more correct 
usage of the term.
</js>


>Jon
>
>P.S.  Yes "quark" was supposed to be "quirk".  The spell checker was
>checking what I typed, not what I meant.

--=====================_170204821==_.ALT--



From majordomo@raleigh.ibm.com  Sun Feb  6 21:00:04 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA14239
	for <policy-archive@odin.ietf.org>; Sun, 6 Feb 2000 21:00:04 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id UAA19198;
	Sun, 6 Feb 2000 20:58:11 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id UAA28550;
	Sun, 6 Feb 2000 20:58:13 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA55860; Sun, 6 Feb 2000 20:37:04 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA33804; Sun, 6 Feb 2000 20:36:59 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id UAA22218
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 20:37:01 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id UAA31972
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 20:36:57 -0500
Received: from jstrassn-lt ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id RAA19016;
	Sun, 6 Feb 2000 17:36:16 -0800 (PST)
Message-Id: <4.2.0.58.20000206163947.00ca07f0@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Sun, 06 Feb 2000 17:36:51 -0800
To: "Weiss, Walter" <WWeiss@lucentctc.com>,
        "'Jon Sjoberg'" <jsjoberg@TopLayer.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com
In-Reply-To: <75ADD7496F0BD211ADC000104B8846CF0191156A@rerun.lucentctc.c
 om>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

<walter wrote:>
In the original posting, my main concern was that the policy rules, and more
precisely the attributes within policy rules, eventually have to be bound to
some physical attribute somewhere in order to effect changes in network
devices or services. Specifying keywords is not enough. We should also
document how an attribute actually maps to given instances of that attribute
in an interface, queue or whatever.
</walter>

I would humbly submit that this issue, though important, is orthogonal to 
roles. See my earlier posting. This is a binding issue, and affects not 
just roles (which are, after all, attributes) but other types of attributes 
as well.

regards,
John

At 01:36 PM 1/31/00 -0500, Weiss, Walter wrote:
>Jon,
>
>Since my posting, the intent of Roles (in the form of keywords and keyword
>combinations) has become clearer to me. With role combinations, I can create
>policies that cross domains. That said, I wanted to draw attention to the
>text because it was too vague for me to understand what the intent was.
>
>It seems that the definition of Roles that PCIM authors had in mind is a bit
>more high level than what I was thinking of. I don't have any problem with
>grouping policies together based on some keyword. These are fairly abstract
>concepts that I could easily see as useful for policy conflicts. However, I
>have not seen the rubber hit the road yet.
>
>In the original posting, my main concern was that the policy rules, and more
>precisely the attributes within policy rules, eventually have to be bound to
>some physical attribute somewhere in order to effect changes in network
>devices or services. Specifying keywords is not enough. We should also
>document how an attribute actually maps to given instances of that attribute
>in an interface, queue or whatever. We could use the role keyword as a way
>of indicating which set of interfaces or queues we would like the policy to
>apply to, but then we need a mechanism to bind the keyword to that set. If
>that is the approach taken, then we still have attribute qualifiers to deal
>with, but at least I know how I can use Role Keys beyond conflict detection.
>
>As a side note, we are spending a considerable amount of time focused on
>device interfaces. I would like to remind folks that the purpose of this
>working group is to come up with a framework that can not only be applied to
>QoS components in forwarding engines, but also other problem domains.
>Security policies, Address management policies, and Routing policies have
>little if anything to do with interfaces. While I am comfortable with
>focusing on QoS (as per our charter), I would like to make sure that we
>don't make assumptions about how and where policy will be used.
>
>regards,
>
>-Walter
>
> > -----Original Message-----
> > From: Jon Sjoberg [mailto:jsjoberg@TopLayer.com]
> > Sent: Sunday, January 30, 2000 9:08 AM
> > To: Weiss, Walter
> > Cc: policy@raleigh.ibm.com
> > Subject: RE: Policy issues: definition of Roles
> >
> >
> > Walter,
> >
> > > <PCIM>
> > > The Policy Framework is then responsible for configuring
> > > each of the resources associated with a role in such a way that it
> > > behaves according to the policies specified for that role.
> > > </PCIM>
> > >
> > > First, there is a reference to resources without any context.
> > > Second, I find
> > > policies that can only operate within the confines of a
> > > particular resource
> > > unnecessarily restrictive.
> > >
> > I don't understand where the second point is derived from.  I
> > guess I read
> > the text to say that policies are confined within a specific
> > role.  It seems
> > that policies, in the general sense, can operate across
> > resource and role
> > boundaries.  Each policy rule that enacts a policy must be restricted,
> > however, to a role.  It would be easier, from a PDP/PEP
> > implementation stand
> > point, to restrict each policy rule down to a resource (and
> > make the policy
> > management tool do all the REAL work).
> >
> > >
> > > <PCIM>
> > > Roles are represented in the Core Policy Schema by values of the
> > > PolicyKeywords property.
> > > </PCIM>
> > >
> > > I found this text to be even more confusing because it
> > supported a third
> > > concept not defined in either of the two concepts I described: an
> > > arbitrary
> > > grouping based on a keyword possibly bound to a technology
> > like QoS or
> > > security, or an organization like engineering, or something else???
> > >
> > Actually the possible current values are enumerated in 6.1.2,
> > and the values
> > fall into the "something else" category.  If I read
> > correctly, the standard
> > possible values are:
> > "UNKNOWN", "CONFIGURATION", "USAGE", "SECURITY", "SERVICE",
> > "MOTIVATIONAL",
> > "INSTALLATION", and "EVENT".  I am not sure I fully understand many of
> > these, though the document does explain them.  Anyway, it is
> > clearly another
> > definition of role not akin to your two or, best I can tell,
> > Shai's newest
> > proposal.
> >
> >
> >



From majordomo@raleigh.ibm.com  Sun Feb  6 21:12:57 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA14329
	for <policy-archive@odin.ietf.org>; Sun, 6 Feb 2000 21:12:57 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id VAA26322;
	Sun, 6 Feb 2000 21:10:57 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id VAA27608;
	Sun, 6 Feb 2000 21:10:58 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA61618; Sun, 6 Feb 2000 20:50:04 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA33962; Sun, 6 Feb 2000 20:50:01 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id UAA04182
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 20:50:02 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id UAA31464
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 20:49:59 -0500
Received: from jstrassn-lt ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id RAA19620;
	Sun, 6 Feb 2000 17:48:59 -0800 (PST)
Message-Id: <4.2.0.58.20000206174814.00c4a2a0@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Sun, 06 Feb 2000 17:49:56 -0800
To: Andrew Smith <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, "'snmpconf@snmp.com'" <snmpconf@snmp.com>
In-Reply-To: <808F64DDB492D3119D3C00508B5D8D733EC4B2@SOL>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

A role is just one of possibly many selectors that is used to download a 
subset of appropriate policies from a much larger set of available policies.

A role can be specified as part of a policy condition or action, both of 
which are components of a policy rule as defined in the Policy Core 
Information Model.

HTH,
John

At 05:23 PM 1/31/00 -0800, Andrew Smith wrote:
>e.g. "HTTP traffic gets AF treatment on all Ethernet and FDDI interfaces" is
>a policy rule that references two roles: "Ethernet interfaces" and "FDDI
>interfaces". You wouldn't bother sending that rule to token-ring devices.
>
>(I guess I'm really an assembler programmer so I don't understand these
>"class" and "subclass" things you talk about).
>
>Andrew
>
>P.S. Maybe we should drop the "policy framework" list from this thread since
>this appears to be purely a "device" thing. But I did think we were
>attempting the (maybe thankless) task of unifying the terminology between
>all the WGs.
>
>-----Original Message-----
>From: Ken Roberts [mailto:kjr@nortelnetworks.com]
>Sent: Monday, January 31, 2000 4:42 PM
>To: Andrew Smith; 'Bob Natale'
>Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'
>Subject: RE: Policy issues: definition of Roles
>
>
>Gents & others,
>I'm a little confused by Andrew's statement of a policy that has multiple
>roles. I understood a policy had rules. Rules may be crafted to include the
>notion of roles but are they separate rules or sub classes of one rule?
>When the statement "A policy that references roles W and X" is made does
>this imply there is a matrix relationship that can be established from one
>parent policy (/rule)? How is this managed? Why is this required? If
>policies have hierarchical structure can this not be done with containment
>or another relationship?
>I think I had better re-read the thread as maybe I've missed something.
>--------------------------------------------------------------------------
>Regards,
>Ken Roberts
>INM Product Architecture
>Nortel Networks
>ESN: 655-7844                        Direct: 408-565-7844
>Fax: 408-565-8226
>email: kjr@nortelnetworks.com
>
>This message may contain information proprietary to Nortel Networks
>Corporation so any
>unauthorised disclosure, copying or distribution of its contents is strictly
>prohibited.
>  -----Original Message-----
>From:   Andrew Smith [mailto:andrew@extremenetworks.com]
>Sent:   Monday, January 31, 2000 3:36 PM
>To:     'Bob Natale'
>Cc:     policy@raleigh.ibm.com; 'snmpconf@snmp.com'
>Subject:        RE: Policy issues: definition of Roles
>And, in particular, you only need to tell the device about those roles that
>are relevant to it - that is where the big savings are, I think. e.g.
>1. Device A has roles W, X and Y.
>2. Device B has roles W, X and Z.
>3. A policy that references roles W and X should be downloaded to both
>devices.
>4. A policy that references roles W and Y should be downloaded only to
>device A, not device B.
>The role combination concept in the PIB was introduced specifically in order
>to do this: you have to be able to list only those roles that are relevant
>to the policy, not necessarily ALL roles on the device, in a role
>combination.
>(Apologies if I'm repeating stuff here).
>Andrew
>
>
> > -----Original Message-----
> > From: Bob Natale [mailto:bnatale@acecomm.com]
> > Sent: Monday, January 31, 2000 3:27 PM
> > To: Andrew Smith
> > Cc: policy@raleigh.ibm.com
> > Subject: RE: Policy issues: definition of Roles
>...
> > That works fine for me.  All I care about on this thread is that a
> > "role combination" DOES NOT HAVE to include ALL of the roles supported
> > by a network entity/component (although there MAY well be a role
> > combination which does incorporate all roles supported by a network
> > entity/component).



From majordomo@raleigh.ibm.com  Mon Feb  7 00:14:10 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA17576
	for <policy-archive@odin.ietf.org>; Mon, 7 Feb 2000 00:14:09 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id AAA34416;
	Mon, 7 Feb 2000 00:11:19 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id AAA33336;
	Mon, 7 Feb 2000 00:11:18 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA47660; Sun, 6 Feb 2000 23:48:25 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA45348; Sun, 6 Feb 2000 23:48:22 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id XAA33432
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 23:48:21 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id XAA11156
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 23:48:19 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZS9PK; Sun, 6 Feb 2000 23:45:28 -0500
Message-Id: <4.2.0.58.20000206232138.02f037b0@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Sun, 06 Feb 2000 23:48:10 -0500
To: "John C. Strassner" <jstrassn@cisco.com>,
        Andrew Smith <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, "'snmpconf@snmp.com'" <snmpconf@snmp.com>,
        rap@iphighway.com
In-Reply-To: <4.2.0.58.20000206174814.00c4a2a0@omega.cisco.com>
References: <808F64DDB492D3119D3C00508B5D8D733EC4B2@SOL>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

I think that one of the problems is that we're confusing the
various levels of "roles". Let me try to make the following
observations:

1. Roles and Role Combinations have only meaning (in the
    definition sense) in the PEP.

2. PDPs and DEN Policy Schemas may or may not take advantage of PEP
    roles.

    For example:

    PEP Roles: Edge+Ethernet, Edge+T1
    PDP Policy: If User=Joe, Mark (Traffic Desc) DSCP=AF11.

    Here the PDP may actually track down the ingress router and
    mark on ALL of its interfaces, regardless of Roles. It will
    produce the following instructions:

    Role = Edge+Ethernet: Mark (Traffic Desc) DSCP AF11
    Role = Edge+T1      : Mark (Traffic Desc) DSCP AF11

    My point is that we should stop thinking that the policy is bound
    to roles 1:1.

3. PEPs are not expected to be able to merge policies for Roles in
    Role combination.

    Given the previous example, the PDP is not allowed to send the
    following to the PEP:

    Role=Edge    : Conf1
    Role=Ethernet: Conf2

    Since the PEP that has an interface with both roles in a role
    combination (Edge+Ethernet) is now required to merge Conf1+Conf2.
    This merge is a big NO NO, since the whole point about external
    policy processing is that the PEP doesn't understand policy
    implications and complications and needs to receive very specific
    instructions.

4. PDPs may be smart enough to merge roles (and therefore deal with
    individual roles within a role combination). This is actually
    an implication of observation (2) but I thought it needed to be
    clarified.

    For example, in the PDP, let's assume Ethernets get special
    treatment (higher precedence rule).

    Role=Edge    : If Service=Gold then Mark DSCP=xxx
    Role=Ethernet: If Service=Gold then Mark DSCP=yyy

    This will produce the following configuration (using COPS, or equiv):

    Role=Edge+Ethernet: Mark (Traffic Desc) DSCP=yyy
    Role=Edge+T1      : Mark (Traffic Desc) DSCP=xxx

So, going back to the definition I gave a while back, the reason for
the "ALL" comes from observation 3.

PDPs can process policy whatever the hell they wish (within reason)
but they have to respond to the PEP with specific policy for each
COMPLETE role combination, and cannot respond to partial role
combination or a specific role which is only a part of a role
combination.

Shai

At 05:49 PM 02/06/2000, John C. Strassner wrote:
>A role is just one of possibly many selectors that is used to download a 
>subset of appropriate policies from a much larger set of available policies.
>
>A role can be specified as part of a policy condition or action, both of 
>which are components of a policy rule as defined in the Policy Core 
>Information Model.
>
>HTH,
>John
>
>At 05:23 PM 1/31/00 -0800, Andrew Smith wrote:
>>e.g. "HTTP traffic gets AF treatment on all Ethernet and FDDI interfaces" is
>>a policy rule that references two roles: "Ethernet interfaces" and "FDDI
>>interfaces". You wouldn't bother sending that rule to token-ring devices.
>>
>>(I guess I'm really an assembler programmer so I don't understand these
>>"class" and "subclass" things you talk about).
>>
>>Andrew
>>
>>P.S. Maybe we should drop the "policy framework" list from this thread since
>>this appears to be purely a "device" thing. But I did think we were
>>attempting the (maybe thankless) task of unifying the terminology between
>>all the WGs.
>>
>>-----Original Message-----
>>From: Ken Roberts [mailto:kjr@nortelnetworks.com]
>>Sent: Monday, January 31, 2000 4:42 PM
>>To: Andrew Smith; 'Bob Natale'
>>Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'
>>Subject: RE: Policy issues: definition of Roles
>>
>>
>>Gents & others,
>>I'm a little confused by Andrew's statement of a policy that has multiple
>>roles. I understood a policy had rules. Rules may be crafted to include the
>>notion of roles but are they separate rules or sub classes of one rule?
>>When the statement "A policy that references roles W and X" is made does
>>this imply there is a matrix relationship that can be established from one
>>parent policy (/rule)? How is this managed? Why is this required? If
>>policies have hierarchical structure can this not be done with containment
>>or another relationship?
>>I think I had better re-read the thread as maybe I've missed something.
>>--------------------------------------------------------------------------
>>Regards,
>>Ken Roberts
>>INM Product Architecture
>>Nortel Networks
>>ESN: 655-7844                        Direct: 408-565-7844
>>Fax: 408-565-8226
>>email: kjr@nortelnetworks.com
>>
>>This message may contain information proprietary to Nortel Networks
>>Corporation so any
>>unauthorised disclosure, copying or distribution of its contents is strictly
>>prohibited.
>>  -----Original Message-----
>>From:   Andrew Smith [mailto:andrew@extremenetworks.com]
>>Sent:   Monday, January 31, 2000 3:36 PM
>>To:     'Bob Natale'
>>Cc:     policy@raleigh.ibm.com; 'snmpconf@snmp.com'
>>Subject:        RE: Policy issues: definition of Roles
>>And, in particular, you only need to tell the device about those roles that
>>are relevant to it - that is where the big savings are, I think. e.g.
>>1. Device A has roles W, X and Y.
>>2. Device B has roles W, X and Z.
>>3. A policy that references roles W and X should be downloaded to both
>>devices.
>>4. A policy that references roles W and Y should be downloaded only to
>>device A, not device B.
>>The role combination concept in the PIB was introduced specifically in order
>>to do this: you have to be able to list only those roles that are relevant
>>to the policy, not necessarily ALL roles on the device, in a role
>>combination.
>>(Apologies if I'm repeating stuff here).
>>Andrew
>>
>>
>> > -----Original Message-----
>> > From: Bob Natale [mailto:bnatale@acecomm.com]
>> > Sent: Monday, January 31, 2000 3:27 PM
>> > To: Andrew Smith
>> > Cc: policy@raleigh.ibm.com
>> > Subject: RE: Policy issues: definition of Roles
>>...
>> > That works fine for me.  All I care about on this thread is that a
>> > "role combination" DOES NOT HAVE to include ALL of the roles supported
>> > by a network entity/component (although there MAY well be a role
>> > combination which does incorporate all roles supported by a network
>> > entity/component).


__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006
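The two mechanics argued over in this thread (Andrew's "only download a rule to a device that has all the roles it references" and Shai's "the PDP merges per-role rules itself and answers the PEP only per complete role combination") can be shown as a small PDP-side resolver. The following is an added example written for this archive page; it is not code from any participant, from the PCIM draft or from the PIB. The Rule and Device shapes, the "highest precedence wins" merge, and every device, role and DSCP value below are constructed assumptions for illustration; the data mirrors the Edge/Ethernet/T1 and W/X/Y/Z examples quoted above.

```python
"""PDP-side role-combination resolution (added example, not thread code).

Assumed, not from the thread: a Rule names the roles it references, a
Device lists the COMPLETE role combination of each interface, a rule
applies to a combination when all its roles are in it, and among several
applicable rules the highest precedence wins.  All values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

RoleCombination = FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    roles: FrozenSet[str]  # roles referenced; a subset, not a full combination
    service: str           # condition: traffic of this service class
    dscp: str              # action: mark with this DSCP
    precedence: int        # higher wins when several rules match one combination


@dataclass
class Device:
    name: str
    interfaces: Dict[str, RoleCombination]  # ifname -> its COMPLETE role combination

    def roles(self) -> FrozenSet[str]:
        """Every role present anywhere on the device."""
        return frozenset().union(*self.interfaces.values())


def download_targets(rule: Rule, devices: List[Device]) -> List[str]:
    """Andrew's selection: send a rule to a device only if every role the
    rule references is present on that device."""
    return [d.name for d in devices if rule.roles <= d.roles()]


def resolve(combination: RoleCombination, rules: List[Rule],
            service: str) -> Optional[str]:
    """Shai's observation 4: the PDP, not the PEP, merges per-role rules.
    A rule applies when all of its roles are in the combination; among
    applicable rules whose condition matches, the highest precedence wins."""
    applicable = [r for r in rules
                  if r.roles <= combination and r.service == service]
    if not applicable:
        return None
    return max(applicable, key=lambda r: r.precedence).dscp


def install_decisions(device: Device, rules: List[Rule],
                      service: str) -> Dict[RoleCombination, str]:
    """What the PDP sends to the PEP: one decision per complete role
    combination present on the device, keyed by the whole combination."""
    decisions: Dict[RoleCombination, str] = {}
    for combo in set(device.interfaces.values()):
        dscp = resolve(combo, rules, service)
        if dscp is not None:
            decisions[combo] = dscp
    return decisions


def is_complete(device: Device, decisions: Dict[RoleCombination, str]) -> bool:
    """Shai's observation 3 as a pre-send check: every key must be a complete
    role combination the device really has.  A key such as {"Edge"} alone
    would force the PEP to merge, which it must not do."""
    return all(key in device.interfaces.values() for key in decisions)


# Constructed data mirroring the two examples quoted in the thread.
RULES = [
    Rule(frozenset({"Edge"}), "Gold", "AF11", precedence=10),      # Role=Edge: xxx
    Rule(frozenset({"Ethernet"}), "Gold", "AF21", precedence=20),  # Role=Ethernet: yyy
]
ROUTER = Device("ingress-1", {
    "eth0": frozenset({"Edge", "Ethernet"}),
    "s0": frozenset({"Edge", "T1"}),
})
DEV_A = Device("A", {"if1": frozenset({"W", "X"}), "if2": frozenset({"Y"})})
DEV_B = Device("B", {"if1": frozenset({"W", "X"}), "if2": frozenset({"Z"})})

if __name__ == "__main__":
    decided = install_decisions(ROUTER, RULES, "Gold")
    assert is_complete(ROUTER, decided)
    for combo, dscp in sorted(decided.items(), key=lambda kv: sorted(kv[0])):
        print("Role=" + "+".join(sorted(combo)) + ": Mark DSCP=" + dscp)
    wx = Rule(frozenset({"W", "X"}), "Gold", "AF11", 1)
    wy = Rule(frozenset({"W", "Y"}), "Gold", "AF11", 1)
    print("W+X ->", download_targets(wx, [DEV_A, DEV_B]))  # both devices
    print("W+Y ->", download_targets(wy, [DEV_A, DEV_B]))  # device A only
```

Run as a script it prints Edge+Ethernet marked AF21 and Edge+T1 marked AF11, i.e. the Ethernet rule won only on the interface whose complete combination contains Ethernet, and the W+Y rule is listed for device A alone. The `is_complete` check is the point Shai makes with "ALL": a PDP that emitted `Role=Edge` and `Role=Ethernet` as separate keys would pass the merge down to the PEP, and this function rejects exactly that shape.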




                              


From majordomo@raleigh.ibm.com  Mon Feb  7 00:18:40 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA17596
	for <policy-archive@odin.ietf.org>; Mon, 7 Feb 2000 00:18:39 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id AAA26724;
	Mon, 7 Feb 2000 00:12:34 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id AAA16278;
	Mon, 7 Feb 2000 00:12:30 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA50010; Sun, 6 Feb 2000 23:55:42 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35922; Sun, 6 Feb 2000 23:55:39 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id XAA13730
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 23:55:42 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id XAA32746
	for <policy@raleigh.ibm.com>; Sun, 6 Feb 2000 23:55:41 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZS9PN; Sun, 6 Feb 2000 23:52:51 -0500
Message-Id: <4.2.0.58.20000206234848.04de1008@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Sun, 06 Feb 2000 23:55:52 -0500
To: "John C. Strassner" <jstrassn@cisco.com>,
        Andrew Smith <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
From: Shai Herzog <herzog@iphighway.com>
Subject: Mailing lists
Cc: policy@raleigh.ibm.com, "'snmpconf@snmp.com'" <snmpconf@snmp.com>,
        rap@iphighway.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

We really need to create a multi-WG mailing list that combines
individuals from RAP, Policy and SNMPConf to prevent folks from
receiving triplicates.

Either that, or we just declare the policy wg mailing list as the
one where all multi-disciplinary (WG) discussions are on. In this
case we should notify the other mailing lists that anyone interested
in multi-WG discussions should subscribe to the policy mailing
list.

For example, this discussion is very relevant to the RAP mailing
list folks, but was only conducted on the policy and snmpconf
lists. Having three mailing lists on one thread is really too
much...

My 2c.

Shai


From majordomo@raleigh.ibm.com  Mon Feb  7 04:42:26 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA01348
	for <policy-archive@odin.ietf.org>; Mon, 7 Feb 2000 04:42:25 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id EAA20706;
	Mon, 7 Feb 2000 04:40:32 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id EAA26358;
	Mon, 7 Feb 2000 04:40:30 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA33176; Mon, 7 Feb 2000 04:15:57 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA36734; Mon, 7 Feb 2000 04:15:50 -0500
Received: from nlvm1.emea.ibm.com (nlvm1.emea.ibm.com [9.165.3.73])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id EAA32764
	for <policy@raleigh.ibm.com>; Mon, 7 Feb 2000 04:15:49 -0500
Message-Id: <200002070915.EAA32764@rtpmail03.raleigh.ibm.com>
Received: from UITVM1 by nlvm1.emea.ibm.com (IBM VM SMTP V2R4)
   with BSMTP id 4359; Mon, 07 Feb 00 10:15:52 CET
Date: Mon, 7 Feb 00 10:15:52 CET
From: "Bert Wijnen" <WIJNEN@vnet.ibm.com>
To: jstrassn@cisco.com
Cc: policy@raleigh.ibm.com
Subject: Policy Framework Core Information Model -- Version 1
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Bert Wijnen" <WIJNEN@vnet.ibm.com>

Ref:  Your note of Sun, 06 Feb 2000 16:37:17 -0800

Subject: Re:   Policy Framework Core Information Model -- Version 1

John, when you talk about "the latest release of the UML spec" can
you please tell us the exact release number and where we can get it in
case it came out recently?

Thanks,
Bert


From majordomo@raleigh.ibm.com  Mon Feb  7 06:10:19 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA01867
	for <policy-archive@odin.ietf.org>; Mon, 7 Feb 2000 06:10:18 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id GAA18886;
	Mon, 7 Feb 2000 06:08:20 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id GAA22546;
	Mon, 7 Feb 2000 06:08:19 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA38608; Mon, 7 Feb 2000 05:44:42 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA38584; Mon, 7 Feb 2000 05:44:36 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id FAA24764
	for <policy@raleigh.ibm.com>; Mon, 7 Feb 2000 05:44:35 -0500
Received: from mail.toplayer.com ([199.103.238.97])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id FAA23536
	for <policy@raleigh.ibm.com>; Mon, 7 Feb 2000 05:44:34 -0500
Received: from eh6mq5 ([10.100.1.6])
	by mail.toplayer.com (8.8.7/8.8.7) with SMTP id FAA27324;
	Mon, 7 Feb 2000 05:43:41 -0500
From: "Jon Sjoberg" <jsjoberg@TopLayer.com>
To: "John C. Strassner" <jstrassn@cisco.com>,
        "Jon Sjoberg" <jsjoberg@mail.toplayer.com>
Cc: <policy@raleigh.ibm.com>
Subject: RE: Policy Framework Core Information Model -- Version 1
Date: Mon, 7 Feb 2000 05:52:55 -0800
Message-Id: <NDBBIAJPECLMAGIKKEJGKEDMCAAA.jsjoberg@toplayer.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0004_01BF712F.944EFF70"
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <4.2.0.58.20000206162027.00bea3c0@omega.cisco.com>
Importance: Normal
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Jon Sjoberg" <jsjoberg@TopLayer.com>

This is a multi-part message in MIME format.

------=_NextPart_000_0004_01BF712F.944EFF70
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

John (Sorry I can't put the comments inline, but I'm having an Outlook
problem!),

1.)  The important point here is that we don't use the inheritance of
associations.  However associations CAN be modeled, this mechanism is not
used by us and so it is just more text in the document.  More text makes
things more difficult to understand.

2.)  There is nothing "implementation dependent" (in the sense of dictating
a design) about where you put the attribute in a relationship during
analysis.  There ARE certainly many ways to model a relationship, I am just
trying to think of one that would do what is needed with minimum excess
baggage.  This is an attempt to get the document to focus tightly on policy
issues and not modeling issues.

3.)  I'm not saying (nor did I say) that CreationClassName was useless or
can't be explained.  What I'm saying is there may be lighter-weight solutions
to the same problem that add less bulk to the document, making it easier to
understand.

If the intent is to say:  "the modeling we have chosen is valid", of course
I agree.  My intent was merely to trim the document down to make it easier
for us slow people to understand.

What also seems clear is I'm the only one who had a problem with this.  I
guess it doesn't make sense to make (or suggest) such large changes when the
vast majority seem to be content.

  -----Original Message-----
  From: John C. Strassner [mailto:jstrassn@cisco.com]
  Sent: Sunday, February 06, 2000 4:37 PM
  To: Jon Sjoberg; John C. Strassner
  Cc: policy@raleigh.ibm.com
  Subject: RE: Policy Framework Core Information Model -- Version 1


  Comments inline, look for <js>...</js>

  regards,
  John

  At 06:57 AM 1/31/00 -0800, Jon Sjoberg wrote:

    John,

    > So I personally would be happy to help rework the draft to "track
    > tighter",
    > as you put it, but in order to do that I need specific examples,
    > especially
    > concerning its not being compliant with UML. SO please supply
    > examples, and
    > I'll give it a shot.

    Here is a list of differences between CIM and UML.  If you need any help
    re-working this, let me know.

    1.) We don't use the inheritance of associations, so it is just more
    words that add little value to our problem.  Let's lop it out of the
    document.

  <js> Respectfully, that is incorrect if you look at (especially) the
  latest release of the UML spec. Associations can be AssociationClasses,
  which have the combined semantics of associations and classes. From the
  spec:

     "The AssociationClass construct can be expressed in a few
      different ways in the metamodel (e.g., as a subclass of
      Class, as a subclass of Association, or as a subclass
      of Classifier)."

  Furthermore, implementing an association as a class, as is done in both
  CIM and DEN, is an elegant way to maximize the use of object-oriented
  design. If you look at CIM or DEN, you'll see the association inheritance is
  critical in defining specialized associations in the model. Furthermore,
  since associations have properties and methods (which are essential to being
  viewed as classes) why wouldn't they also have inheritance?
  </js>


    2.) Associations with attributes are not used in UML and seem
    unnecessary.

  <js>
  I beg to differ. I've seen it used in many applications besides CIM and
DEN. Please refer back to the UML spec, where it says that associations can
be implemented as classes.
  </js>


    Standard information modeling says:
        For one-to-many associations the key attribute(s) of the association
        go to the one.
        For the one-to-one association the key attribute(s) can go to
        either.
        For the many-to-many associations there is an associating object
        that can hold the key attributes plus any other attributes of the
        association (the only case that is somewhat like the current
        "associations with attributes").

    This eliminates a whole nest of sections on associations and provides
    just secondary key attributes.  Note that where the association keys go
    is just an analysis tool and has NO relevance on the implementation.

  <js>
  That is implementation-dependent. Look at the CIM and DEN models, which
  provide precedent for this feature.
  </js>


    3.) CreationClassName:  Do we need this?  I understand why CIM uses it,
    but UML uses the concept of categories to provide name scoping.  We have
    the category of the base PCIM.  All names within it are scoped to be
    unique (PCIM.PolicyGroup).  There is a whole paragraph plus a bunch of
    attribute descriptions for CreationClassName that are not part of the
    essential problem.  Perhaps the UML category idea would be lighter
    weight?  Besides, in all honesty, I don't quite get the whole "weak
    association" thing but what I do get leads me to believe it is not
    intrinsic in the policy problem.

  <js>
  It's always nice to know what type of class an instance is. So I think we
need this regardless of implementation.

  If we want backward compatibility to the CIM 2.2 model, we definitely need
this. And note that PCIM uses CreationClassName as part of its scoping, so
your argument is somewhat circular.

  Finally, weak associations simply mean that the non-weak entity provides
scoping for the weak entity. Think of a service running on a system. The
service (e.g., BGP) can't simply exist in the ether ;-), it has to be hosted
by some entity. In this case, it would be hosted by a router interface,
which is part of a system. So, the BGP service is weak to the router system,
which means that the keys used to define the service must include keys
propagated from the system. Stated another way, the system helps determine
the name of the service, so you can identify and distinguish between
different instances of the same service.
  </js>


    The above three deviations from UML add, what I would consider,
    non-essential complexity to the document.

  <js> I disagree. There are no deviations from UML (except for the
additional concept of a weak relationship). CreationClassName is simply an
attribute that has been uniformly used to help distinguish an instance,
which is, imho, a Good Thing.
  </js>


    <soap box>
    If, as Ed implied, we are using CIM to play nicely with others, then
    there is merit in that.  To minimize the impact on us, perhaps we could
    move some of the CIM-specific text to appendices, just refer to the CIM
    modeling language document (if it is publicly available), or a
    combination of the two.

  <js> The CIM meta-model and spec are publicly available. </js>


    If we are using CIM because it is the modeling tool best known by the
    authors, I would assert that it is not the best tool for the job.  UML
    would be better, Shlaer-Mellor would be best.

  <js> CIM is not a modeling tool, it is an information model. </js>


    NON-SEQUITUR:  UML is not a bunch of boxes and arrows and therefore the
    use of boxes and arrows does not make it UML.  UML is an approach to
    system architecture, design, and even, to extremes, implementation.  CIM
    is NOT UML, or even very much like UML.  This does not mean CIM is evil,
    but on several occasions I have heard the statement that CIM is UML (or
    so similar as for there to be no distinction) as a defense.  This
    statement is inaccurate and should probably not be used.
    </soap box>

  <js>
  Of course CIM isn't UML, I completely agree. However, I do assert that CIM
uses portions of UML to document its information model.

  You happen to be in the minority of people that really grok what UML is.
Many people do misuse the term UML. I'll try and encourage a more correct
usage of the term.
  </js>



    Jon

    P.S.  Yes "quark" was supposed to be "quirk".  The spell checker was
    checking what I typed, not what I meant.




From majordomo@raleigh.ibm.com  Mon Feb  7 07:44:31 2000
From: "Yoram Snir" <ysnir@cisco.com>
To: "'Shai Herzog'" <herzog@iphighway.com>,
        "'John C. Strassner'" <jstrassn@cisco.com>,
        "'Andrew Smith'" <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
Cc: <policy@raleigh.ibm.com>, <snmpconf@snmp.com>, <rap@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Date: Mon, 7 Feb 2000 14:13:36 +0200
Message-Id: <001e01bf7164$c43773e0$c95dfe90@cisco.com>

Following this thread, I think that another problem is that there is a
confusion between a group of policies and the definition of role, which is
defined in the context of the PEP (Shai's first observation).
Policies, via policy groups, are associated with specific roles and role
combinations. For example, Policy Group P1 may be associated with Role R1,
policy group P2 may be associated with Role R2.
If a device reports R1 it will be the subject of the rules contained in P1;
if it reports R1+R2 (combination), it may be the subject of the combined
policy set constructed from the P1 & P2 policy rules, according to their
built-in priorities.
Mapping specific policy rules to specific roles directly is also possible,
and we may look at that as a policy group containing a single rule, but it
would create a problem when we look at the ability to conduct a consistent
decision process, i.e., synchronize the priorities of the policies for a
specific role combination.
Other than that I agree with all of Shai's observations.

Yoram Snir
Cisco Systems
Tel.   972-9-9700085
Mobile 972-54-970085

> -----Original Message-----
> From: policy-owner@raleigh.ibm.com
> [mailto:policy-owner@raleigh.ibm.com]On Behalf Of Shai Herzog
> Sent: Monday, February 07, 2000 6:48 AM
> To: John C. Strassner; Andrew Smith; 'Ken Roberts'
> Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'; rap@iphighway.com
> Subject: RE: Policy issues: definition of Roles
>
>
> I think that one of the problems is that we're confusing the
> various levels of "roles". Let me try to make the following
> observations:
>
> 1. Roles and Role Combinations have only meaning (in the
>     definition sense) in the PEP.
>
> 2. PDPs and DEN Policy Schemas may or may not take advantage of PEP
>     roles.
>
>     For example:
>
>     PEP Roles: Edge+Ethernet, Edge+T1
>     PDP Policy: If User=Joe, Mark (Traffic Desc) DSCP=AF11.
>
>     Here the PDP may actually track down the ingress router and
>     mark on ALL of its interfaces, regardless of Roles. It will
>     produce the following instructions:
>
>     Role = Edge+Ethernet: Mark (Traffic Desc) DSCP AF11
>     Role = Edge+T1      : Mark (Traffic Desc) DSCP AF11
>
>     My point is that we should stop thinking that the policy is bound
>     to roles 1:1.
>
> 3. PEPs are not expected to be able to merge policies for Roles in
>     Role combination.
>
>     Given the previous example, the PDP is not allowed to send the
>     following to the PEP:
>
>     Role=Edge    : Conf1
>     Role=Ethernet: Conf2
>
>     Since the PEP that has an interface with both roles in a role
>     combination (Edge+Ethernet) is now required to merge Conf1+Conf2.
>     This merge is a big NO NO, since the whole point about external
>     policy processing is that the PEP doesn't understand policy
>     implications and complications and needs to receive very specific
>     instructions.
>
> 4. PDPs may be smart enough to merge roles (and therefore deal with
>     individual roles within a role combination). This is actually
>     an implication of observation (2) but I thought it needs to be
>     clarified.
>
>     For example, in the PDP, let's assume Ethernets get special
>     treatment (higher precedence rule).
>
>     Role=Edge    : If Service=Gold then Mark DSCP=xxx
>     Role=Ethernet: If Service=Gold then Mark DSCP=yyy
>
>     This will produce the following configuration (using
> COPS, or equiv):
>
>     Role=Edge+Ethernet: Mark (Traffic Desc) DSCP=yyy
>     Role=Edge+T1      : Mark (Traffic Desc) DSCP=xxx
>
> So, going back to the definition I gave a while back, the reason for
> the "ALL" comes from observation 3.
>
> PDPs can process policy whatever the hell they wish (within reason)
> but they have to respond to the PEP with specific policy for each
> COMPLETE role combination, and cannot respond to partial role
> combination or a specific role which is only a part of a role
> combination.
>
> Shai
>
> At 05:49 PM 02/06/2000, John C. Strassner wrote:
> >A role is just one of possibly many selectors that is used to download a
> >subset of appropriate policies from a much larger set of available policies.
> >
> >A role can be specified as part of a policy condition or action, both of
> >which are components of a policy rule as defined in the Policy Core
> >Information Model.
> >
> >HTH,
> >John
> >
> >At 05:23 PM 1/31/00 -0800, Andrew Smith wrote:
> >>e.g. "HTTP traffic gets AF treatment on all Ethernet and FDDI interfaces" is
> >>a policy rule that references two roles: "Ethernet interfaces" and "FDDI
> >>interfaces". You wouldn't bother sending that rule to token-ring devices.
> >>
> >>(I guess I'm really an assembler programmer so I don't understand these
> >>"class" and "subclass" things you talk about).
> >>
> >>Andrew
> >>
> >>P.S. Maybe we should drop the "policy framework" list from this thread since
> >>this appears to be purely a "device" thing. But I did think we were
> >>attempting the (maybe thankless) task of unifying the terminology between
> >>all the WGs.
> >>
> >>-----Original Message-----
> >>From: Ken Roberts [mailto:kjr@nortelnetworks.com]
> >>Sent: Monday, January 31, 2000 4:42 PM
> >>To: Andrew Smith; 'Bob Natale'
> >>Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'
> >>Subject: RE: Policy issues: definition of Roles
> >>
> >>
> >>Gents & others,
> >>I'm a little confused by Andrew's statement of a policy that has multiple
> >>roles. I understood a policy had rules. Rules may be crafted to include the
> >>notion of roles but are they separate rules or sub classes of one rule?
> >>When the statement "A policy that references roles W and X" is made does
> >>this imply there is a matrix relationship that can be established from one
> >>parent policy (/rule)? How is this managed? Why is this required? If
> >>policies have hierarchical structure can this not be done with containment
> >>or another relationship?
> >>I think I had better re-read the thread as maybe I've missed something.
> >>--------------------------------------------------------------------------
> >>Regards,
> >>Ken Roberts
> >>INM Product Architecture
> >>Nortel Networks
> >>ESN   : 655-7844          Direct : 408-565-7844
> >>Fax   : 408-565-8226
> >>email : kjr@nortelnetworks.com
> >>
> >>This message may contain information proprietary to Nortel Networks
> >>Corporation so any unauthorised disclosure, copying or distribution of its
> >>contents is strictly prohibited.
> >>  -----Original Message-----
> >>From:   Andrew Smith [mailto:andrew@extremenetworks.com]
> >>Sent:   Monday, January 31, 2000 3:36 PM
> >>To:     'Bob Natale'
> >>Cc:     policy@raleigh.ibm.com; 'snmpconf@snmp.com'
> >>Subject:        RE: Policy issues: definition of Roles
> >>And, in particular, you only need to tell the device about those roles that
> >>are relevant to it - that is where the big savings are, I think. e.g.
> >>1. Device A has roles W, X and Y.
> >>2. Device B has roles W, X and Z.
> >>3. A policy that references roles W and X should be downloaded to both
> >>devices.
> >>4. A policy that references roles W and Y should be downloaded only to
> >>device A, not device B.
> >>The role combination concept in the PIB was introduced specifically in order
> >>to do this: you have to be able to list only those roles that are relevant
> >>to the policy, not necessarily ALL roles on the device, in a role
> >>combination.
> >>(Apologies if I'm repeating stuff here).
> >>Andrew
> >>
> >>
> >> > -----Original Message-----
> >> > From: Bob Natale [mailto:bnatale@acecomm.com]
> >> > Sent: Monday, January 31, 2000 3:27 PM
> >> > To: Andrew Smith
> >> > Cc: policy@raleigh.ibm.com
> >> > Subject: RE: Policy issues: definition of Roles
> >>...
> >> > That works fine for me.  All I care about on this thread is that a
> >> > "role combination" DOES NOT HAVE to include ALL of the roles supported
> >> > by a network entity/component (although there MAY well be a role
> >> > combination which does incorporate all roles supported by a network
> >> > entity/component).
>
>
> __________________________________________________________________
> Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
> 55 New York Avenue                            Main: (508) 620-1141
> Framingham, MA 01701                          Fax : (212) 656-1006
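The PDP-side resolution that Yoram and Shai describe above (policy groups bound to roles, merged by priority at the PDP into one specific configuration per COMPLETE role combination, so the PEP never merges), together with Andrew's rule that a group is only relevant to devices carrying all of its roles, as an added Python example that is not part of the thread. All role names, rules, priorities and DSCP values in it are constructed; the conflict check for equal priorities is this example's own addition.

```python
"""Added example (not from the thread): a tiny PDP-side role-combination resolver.

It models the points made on the list:
  * policy groups are bound to roles, and a PEP reports whole role combinations;
  * the PDP, not the PEP, merges the groups that apply to a combination,
    ordered by the rules' built-in priorities;
  * the decision sent to the PEP lists one configuration per COMPLETE role
    combination the PEP reported, never a partial one;
  * a group is only relevant to devices that carry all of its roles.
All role names, rules, priorities and DSCP values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    condition: str   # opaque condition text, e.g. "Service=Gold"
    action: str      # opaque action text, e.g. "Mark DSCP=yyy"
    priority: int    # higher value wins when two rules share a condition


@dataclass(frozen=True)
class PolicyGroup:
    name: str
    roles: FrozenSet[str]      # the group applies where ALL of these roles are present
    rules: Tuple[Rule, ...]


class PolicyConflict(Exception):
    """Two applicable rules share a condition and a priority: the priorities for
    this role combination were never synchronized, so no consistent decision exists."""


def applicable_groups(combination: FrozenSet[str],
                      groups: List[PolicyGroup]) -> List[PolicyGroup]:
    """Groups whose role set is contained in the reported role combination."""
    return [g for g in groups if g.roles <= combination]


def resolve_combination(combination: FrozenSet[str],
                        groups: List[PolicyGroup]) -> Dict[str, str]:
    """Merge every applicable group into one specific configuration
    (condition -> action) for this COMPLETE role combination."""
    winners: Dict[str, Rule] = {}
    for group in applicable_groups(combination, groups):
        for rule in group.rules:
            current = winners.get(rule.condition)
            if current is None or rule.priority > current.priority:
                winners[rule.condition] = rule
            elif rule.priority == current.priority and rule.action != current.action:
                raise PolicyConflict(
                    f"{sorted(combination)}: '{rule.condition}' has two actions "
                    f"at priority {rule.priority}: {current.action!r} vs {rule.action!r}")
    return {cond: rule.action for cond, rule in winners.items()}


def pdp_decision(reported: List[FrozenSet[str]],
                 groups: List[PolicyGroup]) -> Dict[FrozenSet[str], Dict[str, str]]:
    """The PDP's answer to a PEP: exactly one configuration per reported
    role combination. Merging happens here, so the PEP never has to."""
    return {combo: resolve_combination(combo, groups) for combo in reported}


def decision_is_complete(decision: Dict[FrozenSet[str], Dict[str, str]],
                         reported: List[FrozenSet[str]]) -> bool:
    """Guard for Shai's observation 3: the keys sent back must be exactly the
    complete combinations the PEP reported, never a partial one such as
    {Edge} alone when the PEP reported {Edge, Ethernet}."""
    return set(decision) == set(reported)


def devices_for_group(group: PolicyGroup,
                      device_roles: Dict[str, Set[str]]) -> List[str]:
    """Devices that need this group downloaded: those carrying all of its roles."""
    return sorted(d for d, roles in device_roles.items() if group.roles <= roles)


# Constructed sample mirroring Shai's observation 4: the Ethernet rule has
# higher precedence than the Edge rule for the same condition.
GROUPS = [
    PolicyGroup("P-Edge", frozenset({"Edge"}),
                (Rule("Service=Gold", "Mark DSCP=xxx", priority=10),)),
    PolicyGroup("P-Ethernet", frozenset({"Ethernet"}),
                (Rule("Service=Gold", "Mark DSCP=yyy", priority=20),)),
]
PEP_REPORTED = [frozenset({"Edge", "Ethernet"}), frozenset({"Edge", "T1"})]

# Constructed sample mirroring Andrew's device A / device B relevance example.
DEVICE_ROLES = {"A": {"W", "X", "Y"}, "B": {"W", "X", "Z"}}
GROUP_WX = PolicyGroup("P-WX", frozenset({"W", "X"}), ())
GROUP_WY = PolicyGroup("P-WY", frozenset({"W", "Y"}), ())

if __name__ == "__main__":
    decision = pdp_decision(PEP_REPORTED, GROUPS)
    for combo, config in decision.items():
        print("Role=" + "+".join(sorted(combo)) + ":", config)
    print("P-WX ->", devices_for_group(GROUP_WX, DEVICE_ROLES))
    print("P-WY ->", devices_for_group(GROUP_WY, DEVICE_ROLES))
```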



From majordomo@raleigh.ibm.com  Mon Feb  7 09:49:46 2000
Message-Id: <4.2.0.58.20000207091746.02e907a0@209.3.6.76>
Date: Mon, 07 Feb 2000 09:20:31 -0500
To: <ysnir@cisco.com>, "'John C. Strassner'" <jstrassn@cisco.com>,
        "'Andrew Smith'" <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: <policy@raleigh.ibm.com>, <snmpconf@snmp.com>, <rap@iphighway.com>
In-Reply-To: <001e01bf7164$c43773e0$c95dfe90@cisco.com>
References: <4.2.0.58.20000206232138.02f037b0@209.3.6.76>


At 02:13 PM 02/07/2000, Yoram Snir wrote:
>Following this thread, I think that another problem is that there is a
>confusion between a group of policies and the definition of role which is
>defined in the context of the PEP,  Shai's first observation.
>Policies, via policy groups, are associated to specific roles and role
>combination. For example, Policy Group P1 may be associated with Role R1,
>policy group P2 may be associated with Role 2.
>If a device reports R1 he will be the subject of the rules contained in P1,
>if he reports R1+R2 (combination), he may be the subject of the combined
>policy set constructed by P1 & P2 policy rules, according to their built-in
>priorities.

But you must agree that the PEP won't be the one to merge them, but
that it is the job of the PDP, right?

>Mapping specific policy rules to specific roles, directly, is also possible,
>and we may look at that as a policy group containing a single rule, but it
>would create a problem when we look at the ability to conduct a consistent
>decision process, i.e., synchronize the priorities of the policies for a
>specific role combination.

Exactly. Imagine how complicated that is to the PDP, and therefore
quite impossible for the PEP. What I think the early policy systems
would do is define policy for a COMPLETE role combination in the
PDP as well such that the PDP won't have to do merging either (humans
would be doing the merging). Only more advanced, later policy systems
may start putting logic to merge policies from individual roles into
a role combination policy.

>Other than that I agree with all of Shai's observations.

Great.


>Yoram Snir
>Cisco Systems
>Tel.   972-9-9700085
>Mobile 972-54-970085
>
> > -----Original Message-----
> > From: policy-owner@raleigh.ibm.com
> > [mailto:policy-owner@raleigh.ibm.com]On Behalf Of Shai Herzog
> > Sent: Monday, February 07, 2000 6:48 AM
> > To: John C. Strassner; Andrew Smith; 'Ken Roberts'
> > Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'; rap@iphighway.com
> > Subject: RE: Policy issues: definition of Roles
> >
> >
> > I think that one of the problems is that we're confusing the
> > various levels of "roles". Let me try to make the following
> > observations:
> >
> > 1. Roles and Role Combinations have only meaning (in the
> >     definition sense) in the PEP.
> >
> > 2. PDPs and DEN Policy Schemas may or may not take advantage of PEP
> >     roles.
> >
> >     For example:
> >
> >     PEP Roles: Edge+Ethernet, Edge+T1
> >     PDP Policy: If User=Joe, Mark (Traffic Desc) DSCP=AF11.
> >
> >     Here the PDP may actually track down the ingress router and
> >     mark on ALL of its interfaces, regardless of Roles. It will
> >     produce the following instructions:
> >
> >     Role = Edge+Ethernet: Mark (Traffic Desc) DSCP AF11
> >     Role = Edge+T1      : Mark (Traffic Desc) DSCP AF11
> >
> >     My point is that we should stop thinking that the policy is bound
> >     to roles 1:1.
> >
> > 3. PEPs are not expected to be able to merge policies for Roles in
> >     Role combination.
> >
> >     Given the previous example, the PDP is not allowed to send the
> >     following to the PEP:
> >
> >     Role=Edge    : Conf1
> >     Role=Ethernet: Conf2
> >
> >     Since the PEP that has an interface with both roles in a role
> >     combination (Edge+Ethernet) is now required to merge Conf1+Conf2.
> >     This merge is a big NO NO, since the whole point about external
> >     policy processing is that the PEP doesn't understand policy
> >     implications and complications and needs to receive very specific
> >     instructions.
> >
> > 4. PDPs may be smart enough to merge roles (and therefore deal with
> >     individual roles within a role combination). This is actually
> >     an implication of observation (2) but I though it needs to be
> >     clarified.
> >
> >     For example, in the PDP, lets assume Ethernets get special
> >     treatment (higher precedence rule).
> >
> >     Role=Edge    : If Service=Gold then Mark DSCP=xxx
> >     Role=Ethernet: If Service=Gold then Mark DSCP=yyy
> >
> >     This will produce the following configuration (using
> > COPS, or equiv):
> >
> >     Role=Edge+Ethernet: Mark (Traffic Desc) DSCP=yyy
> >     Role=Edge+T1      : Mark (Traffic Desc) DSCP=xxx
> >
> > So, going back to the definition I gave a while back, the reason for
> > the "ALL" comes from observation 3.
> >
> > PDPs can process policy whatever the hell they wish (within reason)
> > but they have to respond to the PEP with specific policy for each
> > COMPLETE role combination, and cannot respond to partial role
> > combination or a specific role which is only a part of a role
> > combination.
> >
> > Shai
> >
> > At 05:49 PM 02/06/2000, John C. Strassner wrote:
> > >A role is just one of possibly many selectors that is used
> > to download a
> > >subset of appropriate policies from a much larger set of
> > availale policies.
> > >
> > >A role can be specified as part of a policy condition or
> > action, both of
> > >which are components of a policy rule as defined in the Policy Core
> > >Information Model.
> > >
> > >HTH,
> > >John
> > >
> > >At 05:23 PM 1/31/00 -0800, Andrew Smith wrote:
> > >>e.g. "HTTP traffic gets AF treatment on all Ethernet and
> > FDDI interfaces" is
> > >>a policy rule that references two roles: "Ethernet
> > interfaces" and "FDDI
> > >>interfaces". You wouldn't bother sending that rule to
> > token-ring devices.
> > >>
> > >>(I guess I'm really an assembler programmer so I don't
> > understand these
> > >>"class" and "subclass" things you talk about).
> > >>
> > >>Andrew
> > >>
> > >>P.S. Maybe we should drop the "policy framework" list from
> > this thread since
> > >>this appears to be purely a "device" thing. But I did think we were
> > >>attempting the (maybe thankless) task of unifying the
> > terminology between
> > >>all the WGs.
> > >>
> > >>-----Original Message-----
> > >>From: Ken Roberts [mailto:kjr@nortelnetworks.com]
> > >>Sent: Monday, January 31, 2000 4:42 PM
> > >>To: Andrew Smith; 'Bob Natale'
> > >>Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'
> > >>Subject: RE: Policy issues: definition of Roles
> > >>
> > >>
> > >>Gents & others,
> > >>I'm a little confused by Andrew's statement of a policy that has multiple
> > >>roles. I understood a policy had rules. Rules may be crafted to include the
> > >>notion of roles but are they separate rules or sub classes of one rule?
> > >>When the statement "A policy that references roles W and X" is made does
> > >>this imply there is a matrix relationship that can be established from one
> > >>parent policy (/rule)? How is this managed? Why is this required? If
> > >>policies have hierarchical structure can this not be done with containment
> > >>or another relationship?
> > >>I think I had better re-read the thread as maybe I've missed something.
> > >>--------------------------------------------------------------------------
> > >>Regards,
> > >>Ken Roberts
> > >>INM Product Architecture
> > >>Nortel Networks
> > >>ESN   : 655-7844        Direct : 408-565-7844
> > >>Fax   : 408-565-8226
> > >>email : kjr@nortelnetworks.com
> > >>
> > >>This message may contain information proprietary to Nortel Networks
> > >>Corporation so any unauthorised disclosure, copying or distribution of its
> > >>contents is strictly prohibited.
> > >>  -----Original Message-----
> > >>From:   Andrew Smith [mailto:andrew@extremenetworks.com]
> > >>Sent:   Monday, January 31, 2000 3:36 PM
> > >>To:     'Bob Natale'
> > >>Cc:     policy@raleigh.ibm.com; 'snmpconf@snmp.com'
> > >>Subject:        RE: Policy issues: definition of Roles
> > >>And, in particular, you only need to tell the device about those roles that
> > >>are relevant to it - that is where the big savings are, I think. e.g.
> > >>1. Device A has roles W, X and Y.
> > >>2. Device B has roles W, X and Z.
> > >>3. A policy that references roles W and X should be downloaded to both
> > >>devices.
> > >>4. A policy that references roles W and Y should be downloaded only to
> > >>device A, not device B.
> > >>The role combination concept in the PIB was introduced specifically in order
> > >>to do this: you have to be able to list only those roles that are relevant
> > >>to the policy, not necessarily ALL roles on the device, in a role
> > >>combination.
> > >>(Apologies if I'm repeating stuff here).
> > >>Andrew
> > >>
> > >>
> > >> > -----Original Message-----
> > >> > From: Bob Natale [mailto:bnatale@acecomm.com]
> > >> > Sent: Monday, January 31, 2000 3:27 PM
> > >> > To: Andrew Smith
> > >> > Cc: policy@raleigh.ibm.com
> > >> > Subject: RE: Policy issues: definition of Roles
> > >>...
> > >> > That works fine for me.  All I care about on this thread is that a
> > >> > "role combination" DOES NOT HAVE to include ALL of the roles supported
> > >> > by a network entity/component (although there MAY well be a role
> > >> > combination which does incorporate all roles supported by a network
> > >> > entity/component).
> >
> >
> > __________________________________________________________________
> > Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
> > 55 New York Avenue                            Main: (508) 620-1141
> > Framingham, MA 01701                          Fax : (212) 656-1006

__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006




                              



From majordomo@raleigh.ibm.com  Mon Feb  7 10:34:17 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA12768
	for <policy-archive@odin.ietf.org>; Mon, 7 Feb 2000 10:34:15 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA20290;
	Mon, 7 Feb 2000 10:29:05 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id KAA33430;
	Mon, 7 Feb 2000 10:28:53 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA31550; Mon, 7 Feb 2000 10:01:46 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA38198; Mon, 7 Feb 2000 10:01:43 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id KAA28876
	for <policy@raleigh.ibm.com>; Mon, 7 Feb 2000 10:01:44 -0500
Received: from csi-admin1.cisco.com (csi-admin1.cisco.com [144.254.91.12])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA21850
	for <policy@raleigh.ibm.com>; Mon, 7 Feb 2000 10:01:32 -0500
Received: from ysnir8000 (telaviv3-dhcp73.cisco.com [144.254.93.201]) by csi-admin1.cisco.com (8.8.4-Cisco.1/8.6.5) with SMTP id RAA04098; Mon, 7 Feb 2000 17:03:57 +0200 (IST)
From: "Yoram Snir" <ysnir@cisco.com>
To: "'Shai Herzog'" <herzog@iphighway.com>,
        "'John C. Strassner'" <jstrassn@cisco.com>,
        "'Andrew Smith'" <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
Cc: <policy@raleigh.ibm.com>, <rap@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Date: Mon, 7 Feb 2000 16:58:00 +0200
Message-Id: <002f01bf717b$bab84da0$c95dfe90@cisco.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0030_01BF718C.7E411DA0"
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <4.2.0.58.20000207091746.02e907a0@209.3.6.76>
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
Importance: Normal
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Yoram Snir" <ysnir@cisco.com>

This is a multi-part message in MIME format.

------=_NextPart_000_0030_01BF718C.7E411DA0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

  -----Original Message-----
  From: Shai Herzog [mailto:herzog@iphighway.com]
  Sent: Monday, February 07, 2000 4:21 PM
  To: ysnir@cisco.com; 'John C. Strassner'; 'Andrew Smith'; 'Ken Roberts'
  Cc: policy@raleigh.ibm.com; snmpconf@snmp.com; rap@iphighway.com
  Subject: RE: Policy issues: definition of Roles


  At 02:13 PM 02/07/2000, Yoram Snir wrote:

    Following this thread, I think that another problem is that there is a
    confusion between a group of policies and the definition of role which is
    defined in the context of the PEP,  Shai's first observation.
    Policies, via policy groups, are associated to specific roles and role
    combination. For example, Policy Group P1 may be associated with Role R1,
    policy group P2 may be associated with Role 2.
    If a device reports R1 he will be the subject of the rules contained in P1,
    if he reports R1+R2 (combination), he may be the subject of the combined
    policy set constructed by P1 & P2 policy rules, according to their built-in
    priorities.

  But you must agree that the PEP won't be the one to merge them, but
  that it is the job of the PDP, right?
  [Yoram Snir] Yes, I agree with all of your observations, as I wrote below,
  with the addition of my comment.


    Mapping specific policy rules to specific roles, directly, is also possible,
    and we may look at that as a policy group containing a single rule, but it
    would create a problem when we look at the ability to conduct a consistent
    decision process, i.e., synchronize the priorities of the policies for a
    specific role combination.

  Exactly. Imagine how complicated that is to the PDP, and therefore
  quite impossible for the PEP. What I think the early policy systems
  would do is define policy for a COMPLETE role combination in the
  PDP as well such that the PDP won't have to do merging either (humans
  would be doing the merging). Only more advanced, later policy systems
  may start putting logic to merge policies from individual roles into
  a role combination policy.
  [Yoram Snir] The QoS policy draft extending the core policy draft deals
  with this problem, by defining the priorities between groups of policy rules
  (we call them named policy containers, classes that extend PolicyGroup) and
  defining the decision strategy to be used by PDPs. Explicitly defining these
  2 attributes creates a consistent and interoperable policy decision
  process, i.e., different PDPs would reach the same decision for the same
  role / role combination and policy DB.

    Other than that I agree with all of Shai's observations.

  Great.



    Yoram Snir
    Cisco Systems
    Tel.   972-9-9700085
    Mobile 972-54-970085

    > -----Original Message-----
    > From: policy-owner@raleigh.ibm.com
    > [mailto:policy-owner@raleigh.ibm.com]On Behalf Of Shai Herzog
    > Sent: Monday, February 07, 2000 6:48 AM
    > To: John C. Strassner; Andrew Smith; 'Ken Roberts'
    > Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'; rap@iphighway.com
    > Subject: RE: Policy issues: definition of Roles
    >
    >
    > I think that one of the problems is that we're confusing the
    > various levels of "roles". Let me try to make the following
    > observations:
    >
    > 1. Roles and Role Combinations have only meaning (in the
    >     definition sense) in the PEP.
    >
    > 2. PDPs and DEN Policy Schemas may or may not take advantage of PEP
    >     roles.
    >
    >     For example:
    >
    >     PEP Roles: Edge+Ethernet, Edge+T1
    >     PDP Policy: If User=Joe, Mark (Traffic Desc) DSCP=AF11.
    >
    >     Here the PDP may actually track down the ingress router and
    >     mark on ALL of its interfaces, regardless of Roles. It will
    >     produce the following instructions:
    >
    >     Role = Edge+Ethernet: Mark (Traffic Desc) DSCP AF11
    >     Role = Edge+T1      : Mark (Traffic Desc) DSCP AF11
    >
    >     My point is that we should stop thinking that the policy is bound
    >     to roles 1:1.
    >
    > 3. PEPs are not expected to be able to merge policies for Roles in
    >     Role combination.
    >
    >     Given the previous example, the PDP is not allowed to send the
    >     following to the PEP:
    >
    >     Role=Edge    : Conf1
    >     Role=Ethernet: Conf2
    >
    >     Since the PEP that has an interface with both roles in a role
    >     combination (Edge+Ethernet) is now required to merge Conf1+Conf2.
    >     This merge is a big NO NO, since the whole point about external
    >     policy processing is that the PEP doesn't understand policy
    >     implications and complications and needs to receive very specific
    >     instructions.
    >
    > 4. PDPs may be smart enough to merge roles (and therefore deal with
    >     individual roles within a role combination). This is actually
    >     an implication of observation (2) but I thought it needs to be
    >     clarified.
    >
    >     For example, in the PDP, let's assume Ethernets get special
    >     treatment (higher precedence rule).
    >
    >     Role=Edge    : If Service=Gold then Mark DSCP=xxx
    >     Role=Ethernet: If Service=Gold then Mark DSCP=yyy
    >
    >     This will produce the following configuration (using
    > COPS, or equiv):
    >
    >     Role=Edge+Ethernet: Mark (Traffic Desc) DSCP=yyy
    >     Role=Edge+T1      : Mark (Traffic Desc) DSCP=xxx
    >
    > So, going back to the definition I gave a while back, the reason for
    > the "ALL" comes from observation 3.
    >
    > PDPs can process policy whatever the hell they wish (within reason)
    > but they have to respond to the PEP with specific policy for each
    > COMPLETE role combination, and cannot respond to partial role
    > combination or a specific role which is only a part of a role
    > combination.
    >
    > Shai
    >
    > At 05:49 PM 02/06/2000, John C. Strassner wrote:
    > >A role is just one of possibly many selectors that is used to download a
    > >subset of appropriate policies from a much larger set of available policies.
    > >
    > >A role can be specified as part of a policy condition or action, both of
    > >which are components of a policy rule as defined in the Policy Core
    > >Information Model.
    > >
    > >HTH,
    > >John
    > >
    > >At 05:23 PM 1/31/00 -0800, Andrew Smith wrote:
    > >>e.g. "HTTP traffic gets AF treatment on all Ethernet and FDDI interfaces" is
    > >>a policy rule that references two roles: "Ethernet interfaces" and "FDDI
    > >>interfaces". You wouldn't bother sending that rule to token-ring devices.
    > >>
    > >>(I guess I'm really an assembler programmer so I don't understand these
    > >>"class" and "subclass" things you talk about).
    > >>
    > >>Andrew
    > >>
    > >>P.S. Maybe we should drop the "policy framework" list from this thread since
    > >>this appears to be purely a "device" thing. But I did think we were
    > >>attempting the (maybe thankless) task of unifying the terminology between
    > >>all the WGs.
    > >>
    > >>-----Original Message-----
    > >>From: Ken Roberts [mailto:kjr@nortelnetworks.com]
    > >>Sent: Monday, January 31, 2000 4:42 PM
    > >>To: Andrew Smith; 'Bob Natale'
    > >>Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'
    > >>Subject: RE: Policy issues: definition of Roles
    > >>
    > >>
    > >>Gents & others,
    > >>I'm a little confused by Andrew's statement of a policy that has multiple
    > >>roles. I understood a policy had rules. Rules may be crafted to include the
    > >>notion of roles but are they separate rules or sub classes of one rule?
    > >>When the statement "A policy that references roles W and X" is made does
    > >>this imply there is a matrix relationship that can be established from one
    > >>parent policy (/rule)? How is this managed? Why is this required? If
    > >>policies have hierarchical structure can this not be done with containment
    > >>or another relationship?
    > >>I think I had better re-read the thread as maybe I've missed something.
    > >>--------------------------------------------------------------------------
    > >>Regards,
    > >>Ken Roberts
    > >>INM Product Architecture
    > >>Nortel Networks
    > >>ESN   : 655-7844        Direct : 408-565-7844
    > >>Fax   : 408-565-8226
    > >>email : kjr@nortelnetworks.com
    > >>
    > >>This message may contain information proprietary to Nortel Networks
    > >>Corporation so any unauthorised disclosure, copying or distribution of its
    > >>contents is strictly prohibited.
    > >>  -----Original Message-----
    > >>From:   Andrew Smith [mailto:andrew@extremenetworks.com]
    > >>Sent:   Monday, January 31, 2000 3:36 PM
    > >>To:     'Bob Natale'
    > >>Cc:     policy@raleigh.ibm.com; 'snmpconf@snmp.com'
    > >>Subject:        RE: Policy issues: definition of Roles
    > >>And, in particular, you only need to tell the device about those roles that
    > >>are relevant to it - that is where the big savings are, I think. e.g.
    > >>1. Device A has roles W, X and Y.
    > >>2. Device B has roles W, X and Z.
    > >>3. A policy that references roles W and X should be downloaded to both
    > >>devices.
    > >>4. A policy that references roles W and Y should be downloaded only to
    > >>device A, not device B.
    > >>The role combination concept in the PIB was introduced specifically in order
    > >>to do this: you have to be able to list only those roles that are relevant
    > >>to the policy, not necessarily ALL roles on the device, in a role
    > >>combination.
    > >>(Apologies if I'm repeating stuff here).
    > >>(Apologies if I'm repeating stuff here).
    > >>Andrew
    > >>
    > >>
    > >> > -----Original Message-----
    > >> > From: Bob Natale [mailto:bnatale@acecomm.com]
    > >> > Sent: Monday, January 31, 2000 3:27 PM
    > >> > To: Andrew Smith
    > >> > Cc: policy@raleigh.ibm.com
    > >> > Subject: RE: Policy issues: definition of Roles
    > >>...
    > >> > That works fine for me.  All I care about on this thread is that a
    > >> > "role combination" DOES NOT HAVE to include ALL of the roles supported
    > >> > by a network entity/component (although there MAY well be a role
    > >> > combination which does incorporate all roles supported by a network
    > >> > entity/component).
    >
    >
    > __________________________________________________________________
    > Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
    > 55 New York Avenue                            Main: (508) 620-1141
    > Framingham, MA 01701                          Fax : (212) 656-1006
    >

  __________________________________________________________________
  Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
  55 New York Avenue                            Main: (508) 620-1141
  Framingham, MA 01701                          Fax : (212) 656-1006
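
The PDP-side resolution Shai describes in observations 2 to 4 (per-role rules merged into one instruction per COMPLETE role combination, Ethernet taking precedence), Andrew's rule for which devices a policy referencing roles W and X is downloaded to, and Yoram's point that explicit priorities let every PDP reach the same decision, worked through as an added Python example that is not part of this thread. The `Rule` class, the `pep_accepts` check and the sample rule set are constructed for illustration and are not PCIM or COPS definitions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One policy rule (constructed example, not a PCIM class).

    roles:    the roles the rule references; empty means the rule applies
              regardless of roles (Shai's "If User=Joe" example).
    priority: higher wins when two applicable rules share a condition
              (the explicit priorities Yoram describes).
    """
    roles: frozenset
    condition: str
    action: str
    priority: int


def rule_applies(rule, role_combination):
    """Andrew's selection rule: a rule referencing roles {W, X} is relevant to
    a device whose role combination contains both W and X; it need not list
    ALL roles on the device."""
    return rule.roles <= role_combination


def resolve(rules, role_combination):
    """PDP-side merge (Shai's observation 4) for ONE complete role combination:
    exactly one action per condition. Ties are broken deterministically
    (priority, then action text) so that independent PDPs reach the same
    decision for the same policy DB, the property Yoram asks for."""
    decision = {}
    for rule in sorted(rules, key=lambda r: (-r.priority, r.action)):
        if rule_applies(rule, role_combination) and rule.condition not in decision:
            decision[rule.condition] = rule.action
    return decision


def pdp_decisions(rules, reported_combinations):
    """What the PDP may send to the PEP: one fully merged configuration per
    COMPLETE role combination the PEP reported (observation 3), never one
    per individual role."""
    return {rc: resolve(rules, rc) for rc in reported_combinations}


def pep_accepts(decisions, reported_combinations):
    """PEP-side check (hypothetical): every key of the decision must be exactly
    one of the combinations this PEP reported. An instruction keyed by a
    partial combination (Role=Edge alone when the interface is Edge+Ethernet)
    would force the PEP to merge Conf1+Conf2, which the thread rules out."""
    reported = set(reported_combinations)
    return all(rc in reported for rc in decisions)


def devices_for_rule(rule, device_roles):
    """Which devices a rule must be downloaded to (Andrew's points 3 and 4)."""
    return sorted(name for name, roles in device_roles.items()
                  if rule_applies(rule, roles))


# Constructed sample data mirroring the examples in the thread.
RC_EDGE_ETH = frozenset({"Edge", "Ethernet"})
RC_EDGE_T1 = frozenset({"Edge", "T1"})
PEP_COMBINATIONS = [RC_EDGE_ETH, RC_EDGE_T1]

RULES = [
    # role-independent PDP policy: marks on ALL interfaces (observation 2)
    Rule(frozenset(), "User=Joe", "Mark DSCP=AF11", priority=1),
    # per-role rules; Ethernet has the higher precedence (observation 4)
    Rule(frozenset({"Edge"}), "Service=Gold", "Mark DSCP=xxx", priority=1),
    Rule(frozenset({"Ethernet"}), "Service=Gold", "Mark DSCP=yyy", priority=2),
]

DEVICE_ROLES = {
    "A": frozenset({"W", "X", "Y"}),
    "B": frozenset({"W", "X", "Z"}),
}

if __name__ == "__main__":
    decisions = pdp_decisions(RULES, PEP_COMBINATIONS)
    for rc, conf in decisions.items():
        print("Role=" + "+".join(sorted(rc)) + ":", conf)
    # Role=Edge+Ethernet gets DSCP=yyy, Role=Edge+T1 gets DSCP=xxx
    print("PEP accepts complete combinations:",
          pep_accepts(decisions, PEP_COMBINATIONS))
    partial = {frozenset({"Edge"}): {"Service=Gold": "Mark DSCP=xxx"}}
    print("PEP accepts partial role:", pep_accepts(partial, PEP_COMBINATIONS))
    wx = Rule(frozenset({"W", "X"}), "any", "any", priority=1)
    wy = Rule(frozenset({"W", "Y"}), "any", "any", priority=1)
    print("W+X goes to", devices_for_rule(wx, DEVICE_ROLES),
          "W+Y goes to", devices_for_rule(wy, DEVICE_ROLES))
```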







------=_NextPart_000_0030_01BF718C.7E411DA0--



From majordomo@raleigh.ibm.com  Mon Feb  7 11:42:24 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA14679
	for <policy-archive@odin.ietf.org>; Mon, 7 Feb 2000 11:42:23 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id LAA30272;
	Mon, 7 Feb 2000 11:38:37 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id LAA22308;
	Mon, 7 Feb 2000 11:38:36 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA34212; Mon, 7 Feb 2000 11:17:55 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA49812; Mon, 7 Feb 2000 11:17:51 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id LAA31590
	for <policy@raleigh.ibm.com>; Mon, 7 Feb 2000 11:17:53 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id LAA06936
	for <policy@raleigh.ibm.com>; Mon, 7 Feb 2000 11:17:48 -0500
Received: from jstrassn-lt (dhcp-171-71-229-172.cisco.com [171.71.229.172])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id IAA03525;
	Mon, 7 Feb 2000 08:13:25 -0800 (PST)
Message-Id: <4.2.0.58.20000207081400.00a94870@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Mon, 07 Feb 2000 08:14:24 -0800
To: "Bert Wijnen" <WIJNEN@vnet.ibm.com>, jstrassn@cisco.com
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: Re: Policy Framework Core Information Model -- Version 1
Cc: policy@raleigh.ibm.com
In-Reply-To: <200002070915.CAA211338@westrelay03.boulder.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

Sure, here it is: version 1.3. Here is the URL:

http://www.rational.com/uml/resources/documentation/index.jtmpl

regards,
John

At 10:15 AM 2/7/00 +0100, Bert Wijnen wrote:
>Ref:  Your note of Sun, 06 Feb 2000 16:37:17 -0800
>
>Subject: Re:   Policy Framework Core Information Model -- Version 1
>
>John, when you talk about "the latest release of the UML spec" can
>you pls tell us the exact release number and where we can get it in
>case it came out recently?
>
>Thanks,
>Bert



From majordomo@raleigh.ibm.com  Mon Feb  7 12:10:15 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA15580
	for <policy-archive@odin.ietf.org>; Mon, 7 Feb 2000 12:10:14 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id MAA07290;
	Mon, 7 Feb 2000 12:06:31 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id MAA22828;
	Mon, 7 Feb 2000 12:06:28 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA53554; Mon, 7 Feb 2000 11:48:36 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA36900; Mon, 7 Feb 2000 11:48:32 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id LAA32966
	for <policy@raleigh.ibm.com>; Mon, 7 Feb 2000 11:48:34 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id LAA28514
	for <policy@raleigh.ibm.com>; Mon, 7 Feb 2000 11:48:31 -0500
Received: from jstrassn-lt (dhcp-171-71-229-172.cisco.com [171.71.229.172])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id IAA07264;
	Mon, 7 Feb 2000 08:47:27 -0800 (PST)
Message-Id: <4.2.0.58.20000207083330.00a57880@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Mon, 07 Feb 2000 08:48:25 -0800
To: "Jon Sjoberg" <jsjoberg@TopLayer.com>,
        "John C. Strassner" <jstrassn@cisco.com>,
        "Jon Sjoberg" <jsjoberg@mail.toplayer.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy Framework Core Information Model -- Version 1
Cc: <policy@raleigh.ibm.com>
In-Reply-To: <NDBBIAJPECLMAGIKKEJGKEDMCAAA.jsjoberg@toplayer.com>
References: <4.2.0.58.20000206162027.00bea3c0@omega.cisco.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_4538145==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

--=====================_4538145==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hi Jon, comments inline. You did get the text to change to blue, if that's 
any encouragement ;-)

regards,
John

At 05:52 AM 2/7/00 -0800, Jon Sjoberg wrote:
>John (Sorry I can't put the comments inline, but I'm having an Outlook 
>problem!),
>
>1.)  The important point here is that we don't use the inheritance of 
>associations.  However associations CAN be modeled, this mechanism is not 
>used by us and so it is just more text in the document.  More text makes 
>things more difficult to understand.

I completely disagree. AssociationClass models an association not just as a 
connection, but as a class. Not using inheritance in this situation is 
exactly like not using inheritance for other classes. More to the point, it 
is used by the DMTF and by anyone using the DEN model.

>2.)  There is nothing "implementation dependent" (in the sense of 
>dictating a design) about where you put the attribute in a relationship 
>during analysis.  There ARE certainly many ways to model a relationship, I 
>am just trying to think of one that would do what is needed with minimum 
>excess baggage.  This is an attempt to get the document to focus tightly 
>on policy issues and not modeling issues.

Sorry, I'm not following. The point of implementing an association as a 
class is to enable us to define properties on the association class that 
are a property of a relationship, not a property of either class at the 
ends of the association. This is critical in the design of the policy 
information model.

>3.)  I'm not saying (nor did I say) that CreationClassName was useless or 
>can't be explained.  What I'm saying is there may be lighter-weight 
>solutions to the same problem that add less bulk to the document, making 
>it easier to understand.

But the problem is that this is already defined in CIM and DEN. Not using 
this property encourages a war between object models, which would be a Bad 
Thing.

>If the intent is to say:  "the modeling we have chosen is valid", of 
>course I agree.  My intent was merely to trim the document down to make it 
>easier for us slow people to understand.
>
>What also seems clear is I'm the only one who had a problem with this. I 
>guess it doesn't make sense to make (or suggest) such large changes when 
>the vast majority seem to be content.

I don't consider you slow at all. You appear, however, to be in the 
minority. This minority consists of people that want a pure model, and to 
use that foundation to build policy models.

DEN as well as PCIM have made some compromises to help unite the different 
communities in the modeling world with the networking world. It takes a bit 
of getting used to, that's all. ;-)

>  -----Original Message-----
>>From: John C. Strassner [mailto:jstrassn@cisco.com]
>>Sent: Sunday, February 06, 2000 4:37 PM
>>To: Jon Sjoberg; John C. Strassner
>>Cc: policy@raleigh.ibm.com
>>Subject: RE: Policy Framework Core Information Model -- Version 1
>>
>>Comments inline, look for <js>...</js>
>>
>>regards,
>>John
>>
>>At 06:57 AM 1/31/00 -0800, Jon Sjoberg wrote:
>>>John,
>>>
>>> > So I personally would be happy to help rework the draft to "track
>>> > tighter",
>>> > as you put it, but in order to do that I need specific examples,
>>> > especially
>>> > concerning its not being compliant with UML. SO please supply
>>> > examples, and
>>> > I'll give it a shot.
>>>
>>>Here is a list of differences between CIM and UML.  If you need any help
>>>re-working this, let me know.
>>>
>>>1.) We don't use the inheritance of associations, so it is just more words
>>>that add little value to our problem.   Let's lop it out of the document.
>>
>><js> Respectfully, that is incorrect if you look at (especially) the 
>>latest release of the UML spec. Associations can be AssociationClasses, 
>>which have the combined semantics of associations and classes. From the spec:
>>
>>    "The AssociationClass construct can be expressed in a few
>>           different ways in the metamodel (e.g., as a subclass of
>>           Class, as a subclass of Association, or as a subclass
>>          of Classifier)."
>>
>>Furthermore, implementing an association as a class, as is done in both 
>>CIM and DEN, is an elegant way to maximize the use of object-oriented 
>>design. If you look at CIM or DEN, you'll see the association inheritance 
>>is critical in defining specialized associations in the model. 
>>Furthermore, since associations have properties and methods (which are 
>>essential to being viewed as classes) why wouldn't they also have inheritance?
>></js>
>>
>>>2.) Associations with attributes are not used in UML and seem unnecessary.
>>
>><js>
>>I beg to differ. I've seen it used in many applications besides CIM and 
>>DEN. Please refer back to the UML spec, where it says that associations 
>>can be implemented as classes.
>></js>
>>
>>>Standard information modeling says:
>>>     For one to many associations the key attribute(s) of the association go
>>>to the one.
>>>     For the one to one association the key attribute(s) can go to either.
>>>     For the many to many associations then there is an associating object
>>>that can hold the key attributes plus any other attributes of the
>>>association (the only case that is somewhat like the current "associations
>>>with attributes").
>>>
>>>This eliminates a whole nest of sections on associations and provides just
>>>secondary key attributes.  Note that where the association keys go is just
>>>an analysis tool and has NO relevance on the implementation.
>>
>><js>
>>That is implementation-dependent. Look at the CIM and DEN models, which 
>>provide precedence for this feature.
>></js>
>>
>>>3.) CreationClassName:  Do we need this?  I understand why CIM uses it, but
>>>UML uses the concept of categories to provide name scoping.  We have the
>>>category of the base PCIM.  All names within it are scoped to be unique
>>>(PCIM.PolicyGroup).  There is a whole paragraph plus a bunch of attribute
>>>descriptions for CreationClassName that are not part of the essential
>>>problem.  Perhaps the UML category idea would be lighter weight?  Besides,
>>>in all honesty, I don't quite get the whole "weak association" thing but
>>>what I do get leads me to believe it is not intrinsic in the policy problem.
>>
>><js>
>>It's always nice to know what type of class an instance is. So I think we 
>>need this regardless of implementation.
>>
>>If we want backward compatibility to the CIM 2.2 model, we definitely 
>>need this. And note that PCIM uses CreationClassName as part of its 
>>scoping, so your argument is somewhat circular.
>>
>>Finally, weak associations simply mean that the non-weak entity provides 
>>scoping for the weak entity. Think of a service running on a system. The 
>>service (e.g., BGP) can't simply exist in the ether ;-), it has to be 
>>hosted by some entity. In this case, it would be hosted by a router 
>>interface, which is part of a system. So, the BGP service is weak to the 
>>router system, which means that the keys used to define the service must 
>>include keys propagated from the system. Stated another way, the system 
>>helps determine the name of the service, so you can identify and 
>>distinguish between different instances of the same service.
>></js>
>>
>>>The above three deviations from UML add, what I would consider,
>>>non-essential complexity to the document.
>>
>><js> I disagree. There are no deviations from UML (except for the 
>>additional concept of a weak relationship). CreationClassName is simply 
>>an attribute that has been uniformly used to help distinguish an 
>>instance, which is, imho, a Good Thing.
>></js>
>>
>>><soap box>
>>>If, as Ed implied, we are using CIM to play nicely with others, then there
>>>is merit in that.  To minimize the impact on us, perhaps we could move some
>>>of the CIM specific text to appendices, just refer to the CIM modeling
>>>language document (if it is publicly available), or a combination of the
>>>two.
>>
>><js> The CIM meta-model and spec are publicly available. </js>
>>
>>>If we are using CIM because it is the modeling tool best known by the
>>>authors, I would assert that it is not the best tool for the job.  UML would
>>>be better, Shlaer-Mellor would be best.
>>
>><js> CIM is not a modeling tool, it is an information model. </js>
>>
>>>NON-SEQUITUR:  UML is not a bunch of boxes and arrows and therefore the use
>>>of boxes and arrows does not make it UML.  UML is an approach to system
>>>architecture, design, and even, to extremes, implementation.  CIM is NOT
>>>UML, or even very much like UML.  This does not mean CIM is evil, but on
>>>several occasions I have heard the statement the CIM is UML (or so similar
>>>as for there to be no distinction) as a defense.  This statement is
>>>inaccurate and should probably not be used.
>>></soap box>
>>
>><js>
>>Of course CIM isn't UML, I completely agree. However, I do assert that 
>>CIM uses portions of UML to document its information model.
>>
>>You happen to be in the minority of people that really grok what UML is. 
>>Many people do misuse the term UML. I'll try and encourage a more correct 
>>usage of the term.
>></js>
>>
>>
>>>Jon
>>>
>>>P.S.  Yes "quark" was supposed to be "quirk".  The spell checker was
>>>checking what I typed, not what I meant.
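
As an added example (not code from the thread, from PCIM or from CIM), here are the two modelling points John defends expressed in Python: an association modelled as a class that carries a property of the relationship itself, and a weak entity whose identity is built from keys propagated from its scoping system. All class and attribute names are hypothetical, loosely following the CIM habit of CreationClassName/Name keys.

```python
"""Added example, not from the mailing list or any spec.

1. RuleInGroup is an association class: the priority of a rule belongs to
   the (group, rule) link, since the same rule may sit in two groups with
   different priorities, so it cannot live on PolicyRule or PolicyGroup.
2. Service is a weak entity: it cannot exist without a hosting System and
   its key includes the System's key, so two services with the same local
   name on different systems remain distinguishable.

Class and attribute names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    name: str


@dataclass(frozen=True)
class PolicyGroup:
    name: str


@dataclass(frozen=True)
class RuleInGroup:
    """Association class linking one rule to one group.

    `priority` is a property of the relationship, not of either endpoint.
    """
    group: PolicyGroup
    rule: PolicyRule
    priority: int


def ordered_rules(links, group):
    """Return the rule names of `group`, highest priority first."""
    members = [link for link in links if link.group == group]
    return [link.rule.name for link in sorted(members, key=lambda l: -l.priority)]


@dataclass(frozen=True)
class System:
    creation_class_name: str   # hypothetical, e.g. "Router"
    name: str                  # hypothetical, e.g. "edge-1"

    def key(self):
        return (self.creation_class_name, self.name)


@dataclass(frozen=True)
class Service:
    """Weak entity: scoped by, and keyed through, its hosting System."""
    system: System
    creation_class_name: str   # hypothetical, e.g. "BGPService"
    name: str                  # hypothetical, e.g. "bgp"

    def key(self):
        # Propagated keys from the scoping System come first, then our own.
        return self.system.key() + (self.creation_class_name, self.name)


class Repository:
    """Minimal instance store that rejects key collisions."""

    def __init__(self):
        self._objects = {}

    def add(self, obj):
        key = obj.key()
        if key in self._objects:
            raise KeyError(f"duplicate key {key}")
        self._objects[key] = obj
        return key

    def __len__(self):
        return len(self._objects)


def demo():
    """Constructed sample data; returns values a test can check."""
    gold, silver = PolicyGroup("Gold"), PolicyGroup("Silver")
    mark, police = PolicyRule("MarkAF11"), PolicyRule("PoliceRate")
    links = [
        RuleInGroup(gold, mark, priority=10),
        RuleInGroup(gold, police, priority=5),
        RuleInGroup(silver, mark, priority=1),    # same rule, other priority
        RuleInGroup(silver, police, priority=9),
    ]
    repo = Repository()
    edge1, edge2 = System("Router", "edge-1"), System("Router", "edge-2")
    # Same local name "bgp" on two routers: distinct thanks to key propagation.
    repo.add(Service(edge1, "BGPService", "bgp"))
    repo.add(Service(edge2, "BGPService", "bgp"))
    try:
        repo.add(Service(edge1, "BGPService", "bgp"))   # a true duplicate
        collided = False
    except KeyError:
        collided = True
    return ordered_rules(links, gold), ordered_rules(links, silver), len(repo), collided


if __name__ == "__main__":
    print(demo())
```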

--=====================_4538145==_.ALT--



From majordomo@raleigh.ibm.com  Tue Feb  8 11:49:47 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA01291
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 11:49:44 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id LAA06588;
	Tue, 8 Feb 2000 11:45:12 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id LAA29070;
	Tue, 8 Feb 2000 11:45:07 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA49528; Tue, 8 Feb 2000 11:23:07 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA45160; Tue, 8 Feb 2000 11:23:03 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id LAA29032
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 11:22:54 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id LAA33202
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 11:22:51 -0500
Received: from jstrassn-lt ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id IAA06229;
	Tue, 8 Feb 2000 08:21:36 -0800 (PST)
Message-Id: <4.2.0.58.20000208080450.00ad9a00@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Tue, 08 Feb 2000 08:22:33 -0800
To: Shai Herzog <herzog@iphighway.com>,
        "John C. Strassner" <jstrassn@cisco.com>,
        Andrew Smith <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, "'snmpconf@snmp.com'" <snmpconf@snmp.com>,
        rap@iphighway.com, ipsec-policy@vpnc.org
In-Reply-To: <4.2.0.58.20000206232138.02f037b0@209.3.6.76>
References: <4.2.0.58.20000206174814.00c4a2a0@omega.cisco.com>
 <808F64DDB492D3119D3C00508B5D8D733EC4B2@SOL>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_43600744==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

--=====================_43600744==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hi Shai, comments inline.

regards,
John

At 11:48 PM 2/6/00 -0500, Shai Herzog wrote:
>I think that one of the problems is that we're confusing the
>various levels of "roles". Let me try to make the following
>observations:

<js>
Levels of roles? If a role is indeed an attribute used as a selector, this 
translates to levels of attributes. My head is hurting. ;-) More to the 
point, I don't know what you mean by "levels" of roles...

I humbly submit that you're making this too complicated. Instead, thinking 
of roles as a means to select from among a larger subset is appealing 
because it always means the same thing each time it is used.
</js>

>1. Roles and Role Combinations have only meaning (in the
>    definition sense) in the PEP.

<js>
I disagree. Granted that for the cases we've considered so far, it has been 
tied specifically to device interfaces. But a "role" is an age-old concept, 
and can be used equally in other contexts as well - roles as a selector to 
the type of job that a person is performing, for example. Which can be tied 
back to networking (Shai's CTO role gets him on the Engineering subnet, 
whereas Shai's marketing role gets him onto the Marketing subnet).

I suspect that as IPSP gets kicked off, they will want to use a more 
general definition of roles than just to describe the capabilities of a 
device interface.
</js>

>2. PDPs and DEN Policy Schemas may or may not take advantage of PEP
>    roles.
>
>    For example:
>
>    PEP Roles: Edge+Ethernet, Edge+T1
>    PDP Policy: If User=Joe, Mark (Traffic Desc) DSCP=AF11.
>
>    Here the PDP may actually track down the ingress router and
>    mark on ALL of its interfaces, regardless of Roles. It will
>    produce the following instructions:
>
>    Role = Edge+Ethernet: Mark (Traffic Desc) DSCP AF11
>    Role = Edge+T1      : Mark (Traffic Desc) DSCP AF11
>
>    My point is that we should stop thinking that the policy is bound
>    to roles 1:1.

<js>
I certainly never said that. A policy can contain multiple roles, and a 
role can be used by multiple policies. In fact, if you think of a role as a 
selector, you couldn't draw that conclusion anyway. So at least we agree 
here. ;-)
</js>

>3. PEPs are not expected to be able to merge policies for Roles in
>    Role combination.
>
>    Given the previous example, the PDP is not allowed to send the
>    following to the PEP:
>
>    Role=Edge    : Conf1
>    Role=Ethernet: Conf2
>
>    Since the PEP that has an interface with both roles in a role
>    combination (Edge+Ethernet) is now required to merge Conf1+Conf2.
>    This merge is a big NO NO, since the whole point about external
>    policy processing is that the PEP doesn't understand policy
>    implications and complications and needs to receive very specific
>    instructions.

<js> Agreed </js>

>4. PDPs may be smart enough to merge roles (and therefore deal with
>    individual roles within a role combination). This is actually
>    an implication of observation (2) but I thought it needs to be
>    clarified.
>
>    For example, in the PDP, let's assume Ethernets get special
>    treatment (higher precedence rule).
>
>    Role=Edge    : If Service=Gold then Mark DSCP=xxx
>    Role=Ethernet: If Service=Gold then Mark DSCP=yyy
>
>    This will produce the following configuration (using COPS, or equiv):
>
>    Role=Edge+Ethernet: Mark (Traffic Desc) DSCP=yyy
>    Role=Edge+T1      : Mark (Traffic Desc) DSCP=xxx
>
>So, going back to the definition I gave a while back, the reason for
>the "ALL" comes from observation 3.
>
>PDPs can process policy whatever the hell they wish (within reason)
>but they have to respond to the PEP with specific policy for each
>COMPLETE role combination, and cannot respond to partial role
>combination or a specific role which is only a part of a role
>combination.

<js>
Seems to me that you want to differentiate between roles as used to 
influence device configuration on the PEP level vs. roles as used to build 
policy statements at the PDP level. Is this what you meant by "levels" of 
roles?

If so, then I suggest that we talk about PEP roles vs. PDP roles (as Keith 
suggested earlier) vs. roles as a selector (to make me happy ;-) )
</js>


>Shai
>
>At 05:49 PM 02/06/2000, John C. Strassner wrote:
>>A role is just one of possibly many selectors that is used to download a 
>>subset of appropriate policies from a much larger set of available policies.
>>
>>A role can be specified as part of a policy condition or action, both of 
>>which are components of a policy rule as defined in the Policy Core 
>>Information Model.
>>
>>HTH,
>>John
>>
>>At 05:23 PM 1/31/00 -0800, Andrew Smith wrote:
>>>e.g. "HTTP traffic gets AF treatment on all Ethernet and FDDI interfaces" is
>>>a policy rule that references two roles: "Ethernet interfaces" and "FDDI
>>>interfaces". You wouldn't bother sending that rule to token-ring devices.
>>>
>>>(I guess I'm really an assembler programmer so I don't understand these
>>>"class" and "subclass" things you talk about).
>>>
>>>Andrew
>>>
>>>P.S. Maybe we should drop the "policy framework" list from this thread since
>>>this appears to be purely a "device" thing. But I did think we were
>>>attempting the (maybe thankless) task of unifying the terminology between
>>>all the WGs.
>>>
>>>-----Original Message-----
>>>From: Ken Roberts [mailto:kjr@nortelnetworks.com]
>>>Sent: Monday, January 31, 2000 4:42 PM
>>>To: Andrew Smith; 'Bob Natale'
>>>Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'
>>>Subject: RE: Policy issues: definition of Roles
>>>
>>>
>>>Gents & others,
>>>I'm a little confused by Andrew's statement of a policy that has multiple
>>>roles. I understood a policy had rules. Rules may be crafted to include the
>>>notion of roles but are they separate rules or sub classes of one rule?
>>>When the statement "A policy that references roles W and X" is made does
>>>this imply there is a matrix relationship that can be established from one
>>>parent policy (/rule)? How is this managed? Why is this required? If
>>>policies have hierarchical structure can this not be done with containment
>>>or another relationship?
>>>I think I had better re-read the thread as maybe I've missed something.
>>>--------------------------------------------------------------------------
>>>Regards,
>>>Ken Roberts
>>>INM Product Architecture
>>>Nortel Networks
>>>?ESN   :        655-7844                        ?Direct  : 408-565-7844
>>>?  Fax    :        408-565-8226
>>>? email :      kjr@nortelnetworks.com
>>>
>>>This message may contain information proprietary to Nortel Networks
>>>Corporation so any
>>>unauthorised disclosure, copying or distribution of its contents is strictly
>>>prohibited.
>>>  -----Original Message-----
>>>From:   Andrew Smith [mailto:andrew@extremenetworks.com]
>>>Sent:   Monday, January 31, 2000 3:36 PM
>>>To:     'Bob Natale'
>>>Cc:     policy@raleigh.ibm.com; 'snmpconf@snmp.com'
>>>Subject:        RE: Policy issues: definition of Roles
>>>And, in particular, you only need to tell the device about those roles that
>>>are relevant to it - that is where the big savings are, I think. e.g.
>>>1. Device A has roles W, X and Y.
>>>2. Device B has roles W, X and Z.
>>>3. A policy that references roles W and X should be downloaded to both
>>>devices.
>>>4. A policy that references roles W and Y should be downloaded only to
>>>device A, not device B.
>>>The role combination concept in the PIB was introduced specifically in order
>>>to do this: you have to be able to list only those roles that are relevant
>>>to the policy, not necessarily ALL roles on the device, in a role
>>>combination.
>>>(Apologies if I'm repeating stuff here).
>>>Andrew
>>>
>>>
>>> > -----Original Message-----
>>> > From: Bob Natale [mailto:bnatale@acecomm.com]
>>> > Sent: Monday, January 31, 2000 3:27 PM
>>> > To: Andrew Smith
>>> > Cc: policy@raleigh.ibm.com
>>> > Subject: RE: Policy issues: definition of Roles
>>>...
>>> > That works fine for me.  All I care about on this thread is that a
>>> > "role combination" DOES NOT HAVE to include ALL of the roles supported
>>> > by a network entity/component (although there MAY well be a role
>>> > combination which does incorporate all roles supported by a network
>>> > entity/component).
>
>
>__________________________________________________________________
>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>55 New York Avenue                            Main: (508) 620-1141
>Framingham, MA 01701                          Fax : (212) 656-1006
>
>
>
>
>
>

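The following is an added worked example, not code from anyone in this thread: a toy PDP that resolves single-role rules into one instruction per COMPLETE role combination (Shai's observations 2 to 4) and applies Andrew's subset test for deciding which devices a rule is downloaded to. The Rule class, the function names and the sample rules and role combinations are constructed for illustration; DSCP values xxx/yyy are the placeholders from the thread.

```python
"""Toy PDP/PEP role-combination resolution (constructed example, not from the thread)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A policy rule as the PDP sees it (constructed format)."""
    roles: frozenset      # roles the rule references; empty means "all interfaces"
    condition: str        # e.g. "Service=Gold"
    action: str           # e.g. "Mark DSCP=xxx"
    precedence: int       # higher wins when several rules match one combination


def applies_to_device(rule_roles, device_roles):
    """Andrew's selection test: a rule is downloaded to a device only when every
    role it references is one of the device's roles (W+X goes to A and B,
    W+Y goes only to A)."""
    return frozenset(rule_roles) <= frozenset(device_roles)


def resolve(role_combinations, rules):
    """PDP side (observation 4): for each complete role combination and each
    condition, keep the highest-precedence rule whose roles are all contained in
    the combination. A rule with no roles (observation 2) matches every
    combination. The result is keyed by the FULL combination, never a part of it."""
    result = {}
    for combo in role_combinations:
        combo = frozenset(combo)
        per_condition = {}
        for rule in rules:
            if rule.roles <= combo:
                current = per_condition.get(rule.condition)
                if current is None or rule.precedence > current.precedence:
                    per_condition[rule.condition] = rule
        if per_condition:
            result[combo] = {cond: r.action for cond, r in per_condition.items()}
    return result


def check_complete_combinations(instructions, pep_combinations):
    """PEP-side guard (observation 3): every instruction must be keyed by one of
    the PEP's complete role combinations. A key such as {"Edge"} alone would
    force the PEP to merge Conf1+Conf2 itself, which it must not do.
    Returns the offending keys (empty list when the instructions are acceptable)."""
    known = {frozenset(c) for c in pep_combinations}
    return [key for key in instructions if frozenset(key) not in known]


# Constructed sample data mirroring the thread's example.
PEP_ROLE_COMBINATIONS = [{"Edge", "Ethernet"}, {"Edge", "T1"}]
RULES = [
    Rule(frozenset(), "User=Joe", "Mark DSCP=AF11", 0),           # observation 2
    Rule(frozenset({"Edge"}), "Service=Gold", "Mark DSCP=xxx", 1),
    Rule(frozenset({"Ethernet"}), "Service=Gold", "Mark DSCP=yyy", 2),  # higher precedence
]


if __name__ == "__main__":
    instructions = resolve(PEP_ROLE_COMBINATIONS, RULES)
    for combo, actions in instructions.items():
        print("Role=" + "+".join(sorted(combo)) + ":", actions)
    # Expected: Edge+Ethernet gets DSCP=yyy, Edge+T1 gets DSCP=xxx, both get AF11 for Joe.
    print("partial-role keys:", check_complete_combinations(instructions, PEP_ROLE_COMBINATIONS))
    forbidden = {frozenset({"Edge"}): "Conf1", frozenset({"Ethernet"}): "Conf2"}
    print("forbidden output rejected:", check_complete_combinations(forbidden, PEP_ROLE_COMBINATIONS))
    print("W+X -> device A:", applies_to_device({"W", "X"}, {"W", "X", "Y"}))
    print("W+Y -> device B:", applies_to_device({"W", "Y"}, {"W", "X", "Z"}))
```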
--=====================_43600744==_.ALT
Content-Type: text/html; charset="us-ascii"

<html>
Hi Shai, comments inline.<br>
<br>
regards,<br>
John<br>
<br>
At 11:48 PM 2/6/00 -0500, Shai Herzog wrote:<br>
<blockquote type=cite cite>I think that one of the problems is that we're
confusing the<br>
various levels of &quot;roles&quot;. Let me try to make the
following<br>
observations:</blockquote><br>
&lt;js&gt;<br>
Levels of roles? If a role is indeed an attribute used as a selector,
this translates to levels of attributes. My head is hurting. ;-) More to
the point, I don't know what you mean by &quot;levels&quot; of
roles...<br>
<br>
I humbly submit that you're making this too complicated. Instead,
thinking of roles as a means to select from among a larger subset is
appealing because it always means the same thing each time it is
used.<br>
&lt;/js&gt;<br>
<br>
<blockquote type=cite cite>1. Roles and Role Combinations have only
meaning (in the<br>
&nbsp;&nbsp; definition sense) in the PEP.</blockquote><br>
&lt;js&gt;<br>
I disagree. Granted that for the cases we've considered so far, it has
been tied specifically to device interfaces. But a &quot;role&quot; is an
age-old concept, and can be used equally in other contexts as well -
roles as a selector to the type of job that a person is performing, for
example. Which can be tied back to networking (Shai's CTO role gets him
on the Engineering subnet, whereas Shai's marketing role gets him onto
the Marketing subnet).<br>
<br>
I suspect that as IPSP gets kicked off, they will want to use a more
general definition of roles than just to describe the capabilities of a
device interface.<br>
&lt;/js&gt;<br>
<br>
<blockquote type=cite cite>2. PDPs and DEN Policy Schemas may or may not
take advantage of PEP<br>
&nbsp;&nbsp; roles.<br>
<br>
&nbsp;&nbsp; For example:<br>
<br>
&nbsp;&nbsp; PEP Roles: Edge+Ethernet, Edge+T1<br>
&nbsp;&nbsp; PDP Policy: If User=Joe, Mark (Traffic Desc) 
DSCP=AF11.<br>
<br>
&nbsp;&nbsp; Here the PDP may actually track down the ingress router
and<br>
&nbsp;&nbsp; mark on ALL of its interfaces, regardless of Roles. It
will<br>
&nbsp;&nbsp; produce the following instructions:<br>
<br>
&nbsp;&nbsp; Role = Edge+Ethernet: Mark (Traffic Desc) DSCP AF11<br>
&nbsp;&nbsp; Role = Edge+T1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Mark (Traffic
Desc) DSCP AF11<br>
<br>
&nbsp;&nbsp; My point is that we should stop thinking that the policy is
bound<br>
&nbsp;&nbsp; to roles 1:1.</blockquote><br>
&lt;js&gt;<br>
I certainly never said that. A policy can contain multiple roles, and a
role can be used by multiple policies. In fact, if you think of a role as
a selector, you couldn't draw that conclusion anyway. So at least we
agree here. ;-)<br>
&lt;/js&gt;<br>
<br>
<blockquote type=cite cite>3. PEPs are not expected to be able to merge
policies for Roles in<br>
&nbsp;&nbsp; Role combination.<br>
<br>
&nbsp;&nbsp; Given the previous example, the PDP is not allowed to send
the<br>
&nbsp;&nbsp; following to the PEP:<br>
<br>
&nbsp;&nbsp; Role=Edge&nbsp;&nbsp;&nbsp; : Conf1<br>
&nbsp;&nbsp; Role=Ethernet: Conf2<br>
<br>
&nbsp;&nbsp; Since the PEP that has an interface with both roles in a
role<br>
&nbsp;&nbsp; combination (Edge+Ethernet) is now required to merge
Conf1+Conf2.<br>
&nbsp;&nbsp; This merge is a big NO NO, since the whole point about
external<br>
&nbsp;&nbsp; policy processing is that the PEP doesn't understand
policy<br>
&nbsp;&nbsp; implications and complications and needs to receive very
specific<br>
&nbsp;&nbsp; instructions.</blockquote><br>
&lt;jcs&gt; Agreed &lt;/js&gt;<br>
<br>
<blockquote type=cite cite>4. PDPs may be smart enough to merge roles
(and therefore deal with<br>
&nbsp;&nbsp; individual roles within a role combination). This is
actually<br>
&nbsp;&nbsp; an implication of observation (2) but I though it needs to
be<br>
&nbsp;&nbsp; clarified.<br>
<br>
&nbsp;&nbsp; For example, in the PDP, lets assume Ethernets get
special<br>
&nbsp;&nbsp; treatment (higher precedence rule).<br>
<br>
&nbsp;&nbsp; Role=Edge&nbsp;&nbsp;&nbsp; : If Service=Gold then Mark
DSCP=xxx<br>
&nbsp;&nbsp; Role=Ethernet: If Service=Gold then Mark DSCP=yyy<br>
<br>
&nbsp;&nbsp; This will produce the following configuration (using COPS,
or equiv):<br>
<br>
&nbsp;&nbsp; Role=Edge+Ethernet: Mark (Traffic Desc) DSCP=yyy<br>
&nbsp;&nbsp; Role=Edge+T1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Mark (Traffic
Desc) DSCP=xxx<br>
<br>
So, going back to the definition I gave a while back, the reason 
for<br>
the &quot;ALL&quot; comes from observation 3.<br>
<br>
PDPs can process policy whatever the hell they wish (within reason)<br>
but they have to respond to the PEP with specific policy for each<br>
COMPLETE role combination, and cannot respond to partial role<br>
combination or a specific role which is only a part of a role<br>
combination.</blockquote><br>
&lt;js&gt;<br>
Seems to me that you want to differentiate between roles as used to
influence device configuration on the PEP level vs. roles as used to
build policy statements at the PDP level. Is this what you meant by
&quot;levels&quot; of roles?<br>
<br>
If so, then I suggest that we talk about PEP roles vs. PDP roles (as
Keith suggested earlier) vs. roles as a selector (to make me happy ;-)
)<br>
&lt;/js&gt;<br>
<br>
<br>
<blockquote type=cite cite>Shai<br>
<br>
At 05:49 PM 02/06/2000, John C. Strassner wrote:<br>
<blockquote type=cite cite>A role is just one of possibly many selectors
that is used to download a subset of appropriate policies from a much
larger set of availale policies.<br>
<br>
A role can be specified as part of a policy condition or action, both of
which are components of a policy rule as defined in the Policy Core
Information Model.<br>
<br>
HTH,<br>
John<br>
<br>
At 05:23 PM 1/31/00 -0800, Andrew Smith wrote:<br>
<blockquote type=cite cite>e.g. &quot;HTTP traffic gets AF treatment on
all Ethernet and FDDI interfaces&quot; is<br>
a policy rule that references two roles: &quot;Ethernet interfaces&quot;
and &quot;FDDI<br>
interfaces&quot;. You wouldn't bother sending that rule to token-ring
devices.<br>
<br>
(I guess I'm really an assembler programmer so I don't understand
these<br>
&quot;class&quot; and &quot;subclass&quot; things you talk about).<br>
<br>
Andrew<br>
<br>
P.S. Maybe we should drop the &quot;policy framework&quot; list from this
thread since<br>
this appears to be purely a &quot;device&quot; thing. But I did think we
were<br>
attempting the (maybe thankless) task of unifying the terminology
between<br>
all the WGs.<br>
<br>
-----Original Message-----<br>
From: Ken Roberts
[<a href="mailto:kjr@nortelnetworks.com" eudora="autourl">mailto:kjr@nortelnetworks.com</a>]<br>
Sent: Monday, January 31, 2000 4:42 PM<br>
To: Andrew Smith; 'Bob Natale'<br>
Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'<br>
Subject: RE: Policy issues: definition of Roles<br>
<br>
<br>
Gents &amp; others,<br>
I'm a little confused by Andrew's statement of a policy that has
multiple<br>
roles. I understood a policy had rules. Rules may be crafted to include
the<br>
notion of roles but are they separate rules or sub classes of one
rule?<br>
When the statement &quot;A policy that references roles W and X&quot; is
made does<br>
this imply there is a matrix relationship that can be established from
one<br>
parent policy (/rule)? How is this managed? Why is this required? 
If<br>
policies have hierarchical structure can this not be done with
containment<br>
or another relationship?<br>
I think I had better re-read the thread as maybe I've missed
something.<br>
--------------------------------------------------------------------------<br>
Regards,<br>
Ken Roberts<br>
INM Product Architecture<br>
Nortel Networks<br>
?ESN&nbsp;&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
655-7844&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
?Direct&nbsp; : 408-565-7844<br>
?&nbsp; Fax&nbsp;&nbsp;&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
408-565-8226<br>
? email :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; kjr@nortelnetworks.com<br>
<br>
This message may contain information proprietary to Nortel Networks<br>
Corporation so any<br>
unauthorised disclosure, copying or distribution of its contents is
strictly<br>
prohibited.<br>
&nbsp;-----Original Message-----<br>
From:&nbsp;&nbsp; Andrew Smith
[<a href="mailto:andrew@extremenetworks.com" eudora="autourl">mailto:andrew@extremenetworks.com</a>]<br>
Sent:&nbsp;&nbsp; Monday, January 31, 2000 3:36 PM<br>
To:&nbsp;&nbsp;&nbsp;&nbsp; 'Bob Natale'<br>
Cc:&nbsp;&nbsp;&nbsp;&nbsp; policy@raleigh.ibm.com;
'snmpconf@snmp.com'<br>
Subject:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RE: Policy issues:
definition of Roles<br>
And, in particular, you only need to tell the device about those roles
that<br>
are relevant to it - that is where the big savings are, I think.
e.g.<br>
1. Device A has roles W, X and Y.<br>
2. Device B has roles W, X and Z.<br>
3. A policy that references roles W and X should be downloaded to
both<br>
devices.<br>
4. A policy that references roles W and Y should be downloaded only
to<br>
device A, not device B.<br>
The role combination concept in the PIB was introduced specifically in
order<br>
<br>
to do this: you have to be able to list only those roles that are
relevant<br>
to the policy, not necessarily ALL roles on the device, in a role<br>
combination.<br>
(Apologies if I'm repeating stuff here).<br>
Andrew<br>
<br>
<br>
&gt; -----Original Message-----<br>
&gt; From: Bob Natale
[<a href="mailto:bnatale@acecomm.com" eudora="autourl">mailto:bnatale@acecomm.com</a>]<br>
&gt; Sent: Monday, January 31, 2000 3:27 PM<br>
&gt; To: Andrew Smith<br>
&gt; Cc: policy@raleigh.ibm.com<br>
&gt; Subject: RE: Policy issues: definition of Roles<br>
...<br>
&gt; That works fine for me.&nbsp; All I care about on this thread is
that a<br>
&gt; &quot;role combination&quot; DOES NOT HAVE to include ALL of the
roles supported<br>
&gt; by a network entity/component (although there MAY well be a
role<br>
&gt; combination which does incorporate all roles supported by a
network<br>
&gt; entity/component).</blockquote></blockquote><br>
<br>
__________________________________________________________________<br>
Shai Herzog, Founder &amp; CTO&nbsp;&nbsp; IPHighway Inc.&nbsp;&nbsp; Tel
: (914) 654-4810<br>
55 New York
Avenue&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Main: (508) 620-1141<br>
Framingham, MA
01701&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Fax : (212) 656-1006<br>
</blockquote></html>

--=====================_43600744==_.ALT--



From majordomo@raleigh.ibm.com  Tue Feb  8 12:31:38 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA03530
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 12:31:38 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id MAA32212;
	Tue, 8 Feb 2000 12:28:26 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id MAA28404;
	Tue, 8 Feb 2000 12:28:24 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA44482; Tue, 8 Feb 2000 12:11:50 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA45240; Tue, 8 Feb 2000 12:11:44 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id MAA32520
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 12:11:45 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id MAA06414
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 12:11:42 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZS0GR; Tue, 8 Feb 2000 12:08:46 -0500
Message-Id: <4.2.0.58.20000208113808.00ab6c60@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Tue, 08 Feb 2000 12:11:24 -0500
To: "John C. Strassner" <jstrassn@cisco.com>,
        "John C. Strassner" <jstrassn@cisco.com>,
        Andrew Smith <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, "'snmpconf@snmp.com'" <snmpconf@snmp.com>,
        rap@iphighway.com, ipsec-policy@vpnc.org
In-Reply-To: <4.2.0.58.20000208080450.00ad9a00@omega.cisco.com>
References: <4.2.0.58.20000206232138.02f037b0@209.3.6.76>
 <4.2.0.58.20000206174814.00c4a2a0@omega.cisco.com>
 <808F64DDB492D3119D3C00508B5D8D733EC4B2@SOL>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_344563736==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

--=====================_344563736==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 08:22 AM 02/08/2000, John C. Strassner wrote:
>Hi Shai, comments inline.
>
>regards,
>John
>
>At 11:48 PM 2/6/00 -0500, Shai Herzog wrote:
>>I think that one of the problems is that we're confusing the
>>various levels of "roles". Let me try to make the following
>>observations:
>
><js>
>Levels of roles? If a role is indeed an attribute used as a selector, this 
>translates to levels of attributes. My head is hurting. ;-) More to the 
>point, I don't know what you mean by "levels" of roles...

Sorry, didn't mean to hurt anyone ;-)
I meant: Roles at PEP, Roles at PDP, Roles in the Schema, Roles in our
head, etc....


>I humbly submit that you're making this too complicated. Instead, thinking 
>of roles as a means to select from among a larger subset is appealing 
>because it always means the same thing each time it is used.
></js>

I think the two of us have been discussing this for perhaps years ;-)
I believe that the input to the PDP (schema, GUI, whatever) isn't
necessarily mapped 1:1 with PEP configuration (In fact, it better
not be). This means that the PDP may have as input an E-2-E definition
w/o roles (this user gets gold service (low delay, drop)). The PDP
gets this non-role info and converts it into COPS commands to
configure the PEP based on roles:

Role=Edge, DS GOLD Service -> Mark DSCP AF11

So, the schema didn't have roles, but roles were used in configuring the
edge router.

So, the role isn't a selector in the schema (although simple schema may
use it); it is also not a selector at the PDP, but only a selector
for the PEP to advertise the kind of roles it has, and receive policy
for each one of its roles.
...

><js>
>Seems to me that you want to differentiate between roles as used to 
>influence device configuration on the PEP level vs. roles as used to build 
>policy statements at the PDP level. Is this what you meant by "levels" of 
>roles?
>
>If so, then I suggest that we talk about PEP roles vs. PDP roles (as Keith 
>suggested earlier) vs. roles as a selector (to make me happy ;-) )
></js>

YES YES YES, you hit it bull's-eye! I was talking about PEP roles only
and was trying (clumsily) to express myself, thanks!

So, let's call it "PEP ROLES"

As for the other one, I believe PDP is merely an interpreter (in comes
abstract policy, out goes device policy) so it doesn't really have
roles. So, we should find another name for the second type that you
described, perhaps "Profile" (as in "user profile, application
profile, ...")? or "Usage Roles".

Shai




__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006




                              
--=====================_344563736==_.ALT--



From majordomo@raleigh.ibm.com  Tue Feb  8 14:13:00 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA08093
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 14:12:59 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA19122;
	Tue, 8 Feb 2000 14:04:59 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id OAA30064;
	Tue, 8 Feb 2000 14:04:59 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA30856; Tue, 8 Feb 2000 13:46:32 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA24186; Tue, 8 Feb 2000 13:46:26 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id NAA22628
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 13:46:27 -0500
From: avri.doria@nokia.com
Received: from mgw-x2.nokia.com (mgw-x2.nokia.com [131.228.20.22])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id NAA27494
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 13:46:10 -0500
Received: from mgw-i2.ntc.nokia.com (mgw-i2.ntc.nokia.com [131.228.118.61])
	by mgw-x2.nokia.com (8.9.3/8.9.3/o) with ESMTP id UAA07790;
	Tue, 8 Feb 2000 20:45:25 +0200 (EET)
Received: from daebh01nok.americas.nokia.com (daebh01nok.americas.nokia.com [172.18.242.182])
	by mgw-i2.ntc.nokia.com (8.9.3/8.9.3) with ESMTP id UAA00950;
	Tue, 8 Feb 2000 20:45:21 +0200 (EET)
Received: by daebh01nok with Internet Mail Service (5.5.2448.0)
	id <1RM26K5L>; Tue, 8 Feb 2000 12:44:48 -0600
Message-Id: <B9CFA6CE8FFDD211A1FB0008C7894E46B5797B@bseis01nok>
To: herzog@iphighway.com, jstrassn@cisco.com, andrew@extremenetworks.com,
        kjr@nortelnetworks.com
Cc: policy@raleigh.ibm.com, snmpconf@snmp.com, rap@iphighway.com,
        ipsec-policy@vpnc.org
Subject: RE: Policy issues: definition of Roles
Date: Tue, 8 Feb 2000 12:44:22 -0600 
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: avri.doria@nokia.com



So, the role isn't a selector in the schema (although simple schema may
use it) it is also not a selector at the PDP, but only a selector
for the PEP to advertise the kind of roles it has, and receive policy
for each one of its roles.
...

<js>
Seems to me that you want to differentiate between roles as used to
influence device configuration on the PEP level vs. roles as used to build
policy statements at the PDP level. Is this what you meant by "levels" of
roles?

If so, then I suggest that we talk about PEP roles vs. PDP roles (as Keith
suggested earlier) vs. roles as a selector (to make me happy ;-) )
</js>



YES YES YES, you hit it bulls eye! I was talking about PEP roles only
and was trying (clumsily) to express myself, thanks!

So, lets call it "PEP ROLES"

As for the other one, I believe PDP is merely an interpreter (in comes
abstract policy, out goes device policy) so it doesn't really have
roles. So, we should find another name for the second type that you
described, perhaps "Profile" (as in "user profile, application 
profile,...)? or "Usage Roles".

Shai





__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006



From majordomo@raleigh.ibm.com  Tue Feb  8 14:41:19 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA09083
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 14:41:17 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA33702;
	Tue, 8 Feb 2000 14:35:34 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id OAA27474;
	Tue, 8 Feb 2000 14:35:35 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA41348; Tue, 8 Feb 2000 14:17:41 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA45924; Tue, 8 Feb 2000 14:00:50 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id OAA26026
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 14:00:52 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA23428
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 14:00:49 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZS02D; Tue, 8 Feb 2000 13:57:53 -0500
Message-Id: <4.2.0.58.20000208134959.01ac2500@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Tue, 08 Feb 2000 14:00:46 -0500
To: avri.doria@nokia.com, jstrassn@cisco.com, andrew@extremenetworks.com,
        kjr@nortelnetworks.com
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, snmpconf@snmp.com, rap@iphighway.com,
        ipsec-policy@vpnc.org
In-Reply-To: <B9CFA6CE8FFDD211A1FB0008C7894E46B5797B@bseis01nok>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

Yap.

It just dawned on me that roles are "logical interfaces" in the
router, as opposed to "physical interfaces".

So, in a router with physical interfaces S0..S4, rather than

SNMP:

"Configure interface S0 with ....."
"Configure interface S1 with ....."
"Configure interface S2 with ....."
"Configure interface S3 with ....."
"Configure interface S4 with ....."

The PDP says (using COPS or similar):

"Configure role "Edge+Serial" with ....."

And the PEP knows that it has 5 serial physical interfaces with this
role combination and configures S0..S4 with ....

Shai

P.S. A note regarding "user profiles" and other attributes
used in the schema, which may overload the term Roles but aren't
related to the PEP roles. I call it user profiles since this
is the terminology used in security, access policies, and many
other areas of networking.


At 12:44 PM 02/08/2000, avri.doria@nokia.com wrote:
>So, the role isn't a selector in the schema (although simple schema may
>use it) it is also not a selector at the PDP, but only a selector
>for the PEP to advertise the kind of roles it has, and receive policy
>for each one of its roles.
>...
>
>
>
>
>
>
>
><js>
>Seems to me that you want to differentiate between roles as used to
>influence device configuration on the PEP level vs. roles as used to build
>policy statements at the PDP level. Is this what you meant by "levels" of
>roles?
>
>If so, then I suggest that we talk about PEP roles vs. PDP roles (as Keith
>suggested earlier) vs. roles as a selector (to make me happy ;-) )
></js>
>
>
>
>YES YES YES, you hit it bulls eye! I was talking about PEP roles only
>and was trying (clumsily) to express myself, thanks!
>
>So, lets call it "PEP ROLES"
>
>As for the other one, I believe PDP is merely an interpreter (in comes
>abstract policy, out goes device policy) so it doesn't really have
>roles. So, we should find another name for the second type that you
>described, perhaps "Profile" (as in "user profile, application
>profile,...)? or "Usage Roles".
>
>Shai
>
>
>
>
>
>__________________________________________________________________
>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>55 New York Avenue                            Main: (508) 620-1141
>Framingham, MA 01701                          Fax : (212) 656-1006
>
>
>
>
>


__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006




                              


From majordomo@raleigh.ibm.com  Tue Feb  8 15:03:14 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09699
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 15:03:14 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA06418;
	Tue, 8 Feb 2000 14:55:55 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id OAA34150;
	Tue, 8 Feb 2000 14:55:53 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA45600; Tue, 8 Feb 2000 13:55:46 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA40728; Tue, 8 Feb 2000 13:55:43 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id NAA27494
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 13:55:46 -0500
From: avri.doria@nokia.com
Received: from mgw-x1.nokia.com (mgw-x1.nokia.com [131.228.20.21])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id NAA26880
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 13:55:42 -0500
Received: from mgw-i2.ntc.nokia.com (mgw-i2.ntc.nokia.com [131.228.118.61])
	by mgw-x1.nokia.com (8.9.3/8.9.3/o) with ESMTP id UAA21877;
	Tue, 8 Feb 2000 20:54:47 +0200 (EET)
Received: from daebh02nok.americas.nokia.com (daebh02nok.americas.nokia.com [172.18.242.183])
	by mgw-i2.ntc.nokia.com (8.9.3/8.9.3) with ESMTP id UAA03660;
	Tue, 8 Feb 2000 20:54:45 +0200 (EET)
Received: by daebh02nok with Internet Mail Service (5.5.2448.0)
	id <1RM3DDL3>; Tue, 8 Feb 2000 12:54:44 -0600
Message-Id: <B9CFA6CE8FFDD211A1FB0008C7894E46B5797C@bseis01nok>
To: policy@raleigh.ibm.com, snmpconf@snmp.com, rap@iphighway.com,
        ipsec-policy@vpnc.org
Subject: RE: Policy issues: definition of Roles
Date: Tue, 8 Feb 2000 12:52:30 -0600 
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: avri.doria@nokia.com

>So, the role isn't a selector in the schema (although simple schema may
>use it) it is also not a selector at the PDP, but only a selector
>for the PEP to advertise the kind of roles it has, and receive policy
>for each one of its roles.


I do not understand why roles are not used at the PDP.
I thought that roles were the way the PDP determined
which policies needed to be applied to the PEPs it was
dealing with.

In fact I was thinking that roles were the main link
between policies and the objects they affected, no matter
where in the architecture this occurs (e.g. at the PDP).

Regards,

a.
-----------------------------------
avri doria
Office: +1 781 993 4645
Mobile: +1 781 308 7680


From majordomo@raleigh.ibm.com  Tue Feb  8 15:08:29 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09792
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 15:08:28 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA23934;
	Tue, 8 Feb 2000 14:59:52 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id OAA29490;
	Tue, 8 Feb 2000 14:59:45 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA38748; Tue, 8 Feb 2000 14:45:54 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA39508; Tue, 8 Feb 2000 14:45:49 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id OAA33716
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 14:45:48 -0500
Received: from sol.extremenetworks.com (sol.extremenetworks.com [216.52.8.2])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA12362
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 14:45:45 -0500
Received: by SOL with Internet Mail Service (5.5.2650.21)
	id <1R66A4KS>; Tue, 8 Feb 2000 11:44:36 -0800
Message-Id: <808F64DDB492D3119D3C00508B5D8D733EC504@SOL>
From: Andrew Smith <andrew@extremenetworks.com>
To: "'Shai Herzog'" <herzog@iphighway.com>
Cc: policy@raleigh.ibm.com, "'snmpconf@snmp.com'" <snmpconf@snmp.com>,
        rap@iphighway.com
Subject: RE: Policy issues: definition of Roles
Date: Mon, 7 Feb 2000 15:07:55 -0800 
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Andrew Smith <andrew@extremenetworks.com>

Shai,

In the worst case then, yes, you're right, the PDP has to multiply out the
role combinations and send them all to the PEP. But there will be many cases
where the PDP knows that a policy does not need to distinguish between "T1"
and "Ethernet": then, the PDP can download a policy for role-combination
"Edge". In that case, the ALL in your definition is not applicable. That is
what I was trying to explain in my response to Bob Natale last week (1/31).

Andrew

> From: Shai Herzog [mailto:herzog@iphighway.com]
> Sent: Sunday, February 06, 2000 8:48 PM
> To: John C. Strassner; Andrew Smith; 'Ken Roberts'
> Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'; rap@iphighway.com
> Subject: RE: Policy issues: definition of Roles
> 
...
> 
> 4. PDPs may be smart enough to merge roles (and therefore deal with
>     individual roles within a role combination). This is actually
>     an implication of observation (2) but I thought it needs to be
>     clarified.
> 
>     For example, in the PDP, let's assume Ethernets get special
>     treatment (higher precedence rule).
> 
>     Role=Edge    : If Service=Gold then Mark DSCP=xxx
>     Role=Ethernet: If Service=Gold then Mark DSCP=yyy
> 
>     This will produce the following configuration (using 
> COPS, or equiv):
> 
>     Role=Edge+Ethernet: Mark (Traffic Desc) DSCP=yyy
>     Role=Edge+T1      : Mark (Traffic Desc) DSCP=xxx
> 
> So, going back to the definition I gave a while back, the reason for
> the "ALL" comes from observation 3.
> 
> PDPs can process policy whatever the hell they wish (within reason)
> but they have to respond to the PEP with specific policy for each
> COMPLETE role combination, and cannot respond to partial role
> combination or a specific role which is only a part of a role
> combination.
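The role matching in Andrew's W/X/Y/Z example, the Edge/Ethernet precedence merge in Shai's observation 4 quoted above, and a PEP mapping the single "Edge+Serial" role combination onto S0..S4 (Shai's earlier message), worked through as one added Python example. This is constructed code, not an implementation from any vendor, PIB or COPS work the thread discusses; the Rule and Pep classes, the precedence values, the service names and the interface names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

RoleCombination = FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """One policy rule held by the PDP (constructed for this example)."""
    roles: FrozenSet[str]   # roles the rule references; need not be ALL roles of a device
    service: str            # selector such as "Gold"
    action: str             # such as "Mark DSCP=xxx"
    precedence: int = 0     # higher wins when several rules match one combination


def rule_applies(rule: Rule, combination: RoleCombination) -> bool:
    """A rule referencing roles W and X applies to any interface whose complete
    role combination contains W and X (Andrew's devices A and B)."""
    return rule.roles <= combination


def rules_to_download(rules: List[Rule], combinations: Set[RoleCombination]) -> List[Rule]:
    """Only the rules that apply to at least one combination the PEP advertised,
    so a device never receives policy it can never use."""
    return [r for r in rules if any(rule_applies(r, c) for c in combinations)]


def resolve(rules: List[Rule], combination: RoleCombination, service: str) -> Optional[str]:
    """Merge per-role rules into one action for a COMPLETE role combination.
    Highest precedence wins; a tie between different actions is a policy
    conflict and is reported instead of being resolved by luck."""
    matching = [r for r in rules if r.service == service and rule_applies(r, combination)]
    if not matching:
        return None
    top = max(r.precedence for r in matching)
    actions = {r.action for r in matching if r.precedence == top}
    if len(actions) > 1:
        raise ValueError(f"conflicting rules for {sorted(combination)}: {sorted(actions)}")
    return actions.pop()


@dataclass
class Pep:
    """A PEP whose physical interfaces each carry one complete role combination."""
    name: str
    interfaces: Dict[str, RoleCombination]

    def advertised_combinations(self) -> Set[RoleCombination]:
        """The logical interfaces the PEP advertises: its distinct role combinations."""
        return set(self.interfaces.values())

    def apply(self, config: Dict[RoleCombination, Optional[str]]) -> Dict[str, Optional[str]]:
        """Map one action per role combination onto the physical interfaces.
        Configuration for a combination the PEP never advertised is rejected:
        the PDP may not configure roles the device does not have."""
        unknown = set(config) - self.advertised_combinations()
        if unknown:
            raise ValueError(f"{self.name}: config for unadvertised combination {unknown}")
        return {ifname: config.get(combo) for ifname, combo in self.interfaces.items()}


def pdp_response(rules: List[Rule], pep: Pep, service: str) -> Dict[RoleCombination, Optional[str]]:
    """Specific policy for each complete role combination the PEP advertised."""
    return {combo: resolve(rules, combo, service) for combo in pep.advertised_combinations()}


# Shai's observation 4: the Ethernet rule has higher precedence than the Edge rule.
SHAI_RULES = [
    Rule(frozenset({"Edge"}), "Gold", "Mark DSCP=xxx", precedence=1),
    Rule(frozenset({"Ethernet"}), "Gold", "Mark DSCP=yyy", precedence=2),
]

# Constructed PEP: one Ethernet edge port, one T1 edge port and serial ports
# S0..S4, which share the single logical interface "Edge+Serial".
EDGE_ROUTER = Pep("edge-router", {
    "E0": frozenset({"Edge", "Ethernet"}),
    "T1-0": frozenset({"Edge", "T1"}),
    **{f"S{i}": frozenset({"Edge", "Serial"}) for i in range(5)},
})

# Andrew's devices: A has roles W, X, Y; B has roles W, X, Z (single interface each).
DEVICE_A = Pep("A", {"if0": frozenset({"W", "X", "Y"})})
DEVICE_B = Pep("B", {"if0": frozenset({"W", "X", "Z"})})
ANDREW_RULES = [
    Rule(frozenset({"W", "X"}), "any", "policy-WX"),   # goes to both A and B
    Rule(frozenset({"W", "Y"}), "any", "policy-WY"),   # goes to A only
]

if __name__ == "__main__":
    for dev in (DEVICE_A, DEVICE_B):
        wanted = [r.action for r in rules_to_download(ANDREW_RULES, dev.advertised_combinations())]
        print(f"device {dev.name} receives {wanted}")
    config = pdp_response(SHAI_RULES, EDGE_ROUTER, "Gold")
    for combo, action in sorted(config.items(), key=lambda kv: sorted(kv[0])):
        print(f"Role={'+'.join(sorted(combo))}: {action}")
    print(EDGE_ROUTER.apply(config))
```

Two checks matter for a deployment: resolve() refuses a precedence tie between different actions rather than picking one, and Pep.apply() rejects configuration for a role combination the device never advertised.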
 


From majordomo@raleigh.ibm.com  Tue Feb  8 15:25:33 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10187
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 15:25:32 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id PAA19814;
	Tue, 8 Feb 2000 15:18:13 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id PAA32010;
	Tue, 8 Feb 2000 15:18:12 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA55246; Tue, 8 Feb 2000 14:58:58 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA55978; Tue, 8 Feb 2000 14:58:49 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id OAA35018
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 14:58:01 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA24316
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 14:56:58 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZS0JF; Tue, 8 Feb 2000 14:54:02 -0500
Message-Id: <4.2.0.58.20000208145449.00ab6c60@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Tue, 08 Feb 2000 14:56:54 -0500
To: avri.doria@nokia.com, policy@raleigh.ibm.com, snmpconf@snmp.com,
        rap@iphighway.com, ipsec-policy@vpnc.org
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
In-Reply-To: <B9CFA6CE8FFDD211A1FB0008C7894E46B5797C@bseis01nok>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_354483590==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

--=====================_354483590==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 12:52 PM 02/08/2000, avri.doria@nokia.com wrote:
> >So, the role isn't a selector in the schema (although simple schema may
> >use it) it is also not a selector at the PDP, but only a selector
> >for the PEP to advertise the kind of roles it has, and receive policy
> >for each one of its roles.
>
>
>I do not understand why roles are not used at the PDP.
>I thought that roles were the way the PDP determined
>which policies needed to be applied to the PEPs it was
>dealing with.

Of course the PDP uses them, but only the way they are created by
the PEP. The PDP has two sides to it, one that understands PEP stuff
(hence uses Roles) and the other that understands schemas (no roles
required).

>In fact I was thinking that roles were the main link
>between policies and the objects they affected, no matter
>where in the architecture this occurs (e.g. at the PDP).

Absolutely. See my previous message (sent after you sent this one).

I think we are in Sync.

Shai

>Regards,
>
>a.
>-----------------------------------
>avri doria
>Office: +1 781 993 4645
>Mobile: +1 781 308 7680
>


__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006




                              
--=====================_354483590==_.ALT--



From majordomo@raleigh.ibm.com  Tue Feb  8 15:26:43 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10214
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 15:26:43 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id PAA18778;
	Tue, 8 Feb 2000 15:18:23 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id PAA26372;
	Tue, 8 Feb 2000 15:18:15 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA23406; Tue, 8 Feb 2000 14:00:53 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA45924; Tue, 8 Feb 2000 14:00:50 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id OAA26026
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 14:00:52 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA23428
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 14:00:49 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZS02D; Tue, 8 Feb 2000 13:57:53 -0500
Message-Id: <4.2.0.58.20000208134959.01ac2500@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Tue, 08 Feb 2000 14:00:46 -0500
To: avri.doria@nokia.com, jstrassn@cisco.com, andrew@extremenetworks.com,
        kjr@nortelnetworks.com
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, snmpconf@snmp.com, rap@iphighway.com,
        ipsec-policy@vpnc.org
In-Reply-To: <B9CFA6CE8FFDD211A1FB0008C7894E46B5797B@bseis01nok>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

Yap.

It just dawned on me that roles are "logical interfaces" in the
router, as opposed to "physical interfaces".

So, in a router with physical interfaces S0..S4, rather than

SNMP:

"Configure interface S0 with ....."
"Configure interface S1 with ....."
"Configure interface S2 with ....."
"Configure interface S3 with ....."
"Configure interface S4 with ....."

The PDP says (using COPS or similar):

"Configure role "Edge+Serial" with ....."

And the PEP knows that it has 5 serial physical interfaces with this
role combination and configures S0..S4 with ....

Shai

P.S., ...With a note regarding "user profiles" and other attributes
used in the schema, which may overload the term Roles but aren't
related to the PEP roles. I call it user profiles since this
is the terminology used in security, access policies, and many
other areas of networking.


At 12:44 PM 02/08/2000, avri.doria@nokia.com wrote:
>So, the role isn't a selector in the schema (although simple schema may
>use it) it is also not a selector at the PDP, but only a selector
>for the PEP to advertise the kind of roles it has, and receive policy
>for each one of its roles.
>...
>
><js>
>Seems to me that you want to differentiate between roles as used to
>influence device configuration on the PEP level vs. roles as used to build
>policy statements at the PDP level. Is this what you meant by "levels" of
>roles?
>
>If so, then I suggest that we talk about PEP roles vs. PDP roles (as Keith
>suggested earlier) vs. roles as a selector (to make me happy ;-) )
></js>
>
>YES YES YES, you hit it bull's eye! I was talking about PEP roles only
>and was trying (clumsily) to express myself, thanks!
>
>So, let's call it "PEP ROLES"
>
>As for the other one, I believe PDP is merely an interpreter (in comes
>abstract policy, out goes device policy) so it doesn't really have
>roles. So, we should find another name for the second type that you
>described, perhaps "Profile" (as in "user profile, application
>profile,...)? or "Usage Roles".
>
>Shai


__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006

From majordomo@raleigh.ibm.com  Tue Feb  8 16:01:57 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA11056
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 16:01:54 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id PAA33690;
	Tue, 8 Feb 2000 15:55:09 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id PAA28914;
	Tue, 8 Feb 2000 15:54:25 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA39388; Tue, 8 Feb 2000 15:33:28 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA45268; Tue, 8 Feb 2000 15:33:22 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id PAA29410
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 15:33:25 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id PAA34432
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 15:33:20 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZS0KJ; Tue, 8 Feb 2000 15:30:07 -0500
Message-Id: <4.2.0.58.20000208145823.00ab6c60@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Tue, 08 Feb 2000 15:32:13 -0500
To: Andrew Smith <andrew@extremenetworks.com>
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, "'snmpconf@snmp.com'" <snmpconf@snmp.com>,
        rap@iphighway.com
In-Reply-To: <808F64DDB492D3119D3C00508B5D8D733EC504@SOL>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_356649234==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

--=====================_356649234==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 03:07 PM 02/07/2000, Andrew Smith wrote:
>Shai,
>
>In the worst case then, yes, you're right, the PDP has to multiply out the
>role combinations and send them all to the PEP. But there will be many cases
>where the PDP knows that a policy does not need to distinguish between "T1"
>and "Ethernet": then, the PDP can download a policy for role-combination
>"Edge". In that case, the ALL in your definition is not applicable. That is
>what I was trying to explain in my response to Bob Natale last week (1/31).

I think I am beginning to understand what you mean... ;-)

With two Role Combinations "Edge+Ethernet" and "Edge+T1", the PDP
normally would send two different configurations such as

"Edge+T1":    Mark DSCP AF21
"Edge+Ether": Mark DSCP AF11

If it turns out that the instructions for these two are the same
(by chance) meaning (Policy1):

"Edge+T1":    Mark DSCP AF11
"Edge+Ether": Mark DSCP AF11

Then perhaps we'd want to have a wildcard that says (Policy2):

"Edge+*":     Mark DSCP AF11

BUT, Policy2 is merely a shorthand for Policy1; they mean the same.
The important distinction in my view is that the PDP cannot send
a policy "T1+*" and expect the PEP to merge the policy
in "Edge+*" with "T1+*" into "Edge+T1".

So, when receiving a policy for "Edge+*" the PEP interprets it
as

"Replace/override the policy for all role combinations with Edge
in them with the following"...

If a "T1+*" comes later, it will REPLACE (not merge) the configuration
installed on "Edge+T1".

This is why I insist on the "ALL" in the role combination: The PDP
must provide a policy that is clearly for a specific COMPLETE
role combination, and the PEP isn't expected to merge policy
for roles into role combination. BUT, as you suggested, a shorthand
representation may be made for the purpose of saving bits and overhead,
but that has the same meaning as the "ALL".

I am not sure if my description is clear, but I hope ;-)

Shai

__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006

--=====================_356649234==_.ALT--
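The role-combination semantics Shai describes in this message (wildcard "Edge+*" as shorthand, REPLACE rather than merge when "T1+*" follows) and in his "logical interfaces" message of 02/08/2000 14:00 (one role-level instruction fanning out to S0..S4), as an added example that is not part of the thread: a toy PEP in Python that keeps one policy per complete role combination. Interface names, role sets and the DSCP actions below are constructed sample values, not taken from any of the messages.

```python
# Toy PEP (Policy Enforcement Point) modelling the role-combination
# semantics discussed in the thread.  Added example, not from the original
# messages; interface names, roles and DSCP actions are constructed.
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

RoleCombo = FrozenSet[str]


def parse_combo(text: str) -> Tuple[RoleCombo, bool]:
    """Parse a role-combination string such as 'Edge+T1' or 'Edge+*'.

    Returns the named roles and whether a '*' wildcard was present.
    A bare '*' is rejected: a policy must name at least one role.
    """
    parts = [p.strip() for p in text.split("+")]
    if any(not p for p in parts):
        raise ValueError(f"malformed role combination: {text!r}")
    roles = frozenset(p for p in parts if p != "*")
    if not roles:
        raise ValueError("a role combination must name at least one role")
    return roles, len(roles) < len(parts)


def combo_str(combo: RoleCombo) -> str:
    """Canonical 'A+B' spelling of a combination (roles sorted)."""
    return "+".join(sorted(combo))


class Pep:
    """Holds one policy per COMPLETE role combination, never per role."""

    def __init__(self, interfaces: Dict[str, Iterable[str]]):
        # physical interface -> the complete set of roles it carries
        self.interfaces: Dict[str, RoleCombo] = {
            name: frozenset(roles) for name, roles in interfaces.items()
        }
        # installed policy, keyed by complete role combination
        self.policy: Dict[RoleCombo, str] = {}

    def role_combinations(self) -> List[RoleCombo]:
        """The complete combinations this PEP would advertise to the PDP."""
        return sorted(set(self.interfaces.values()), key=combo_str)

    def expand(self, combo_text: str) -> List[RoleCombo]:
        """Resolve a (possibly wildcarded) combination to the complete
        combinations present on this PEP.  'Edge+*' is shorthand for every
        complete combination containing Edge; 'Edge+T1' matches only the
        combination that is exactly {Edge, T1}, and a bare 'Edge' matches
        nothing unless some interface carries Edge and no other role."""
        roles, wildcard = parse_combo(combo_text)
        if wildcard:
            return [c for c in self.role_combinations() if roles <= c]
        return [c for c in self.role_combinations() if c == roles]

    def install(self, combo_text: str, action: str) -> List[str]:
        """Install `action` for every matching complete combination.

        REPLACE, never merge: a later 'T1+*' overwrites whatever 'Edge+*'
        installed on Edge+T1; the PEP does not combine the two into a
        composite policy.  Returns the combinations that were (re)configured,
        i.e. the wildcard shorthand expanded into its explicit form."""
        targets = self.expand(combo_text)
        for combo in targets:
            self.policy[combo] = action
        return [combo_str(c) for c in targets]

    def config_for(self, interface: str) -> Optional[str]:
        """What is actually configured on one physical interface."""
        return self.policy.get(self.interfaces[interface])

    def per_interface_config(self) -> Dict[str, Optional[str]]:
        """The per-interface (SNMP-style) view derived from role-level
        policy: one entry per physical interface."""
        return {name: self.config_for(name) for name in sorted(self.interfaces)}


def demo() -> Dict[str, Optional[str]]:
    """Walk through the thread's scenario on a constructed sample device."""
    pep = Pep({
        "S0": {"Edge", "T1"}, "S1": {"Edge", "T1"}, "S2": {"Edge", "T1"},
        "E0": {"Edge", "Ether"},
        "E1": {"Core", "Ether"}, "S3": {"Core", "T1"},
    })
    # Policy2 from the thread: one wildcard line instead of two explicit ones.
    pep.install("Edge+*", "Mark DSCP AF11")      # -> Edge+Ether, Edge+T1
    # A later wildcard on T1 replaces (does not merge with) the Edge policy
    # on the Edge+T1 combination; Edge+Ether keeps AF11.
    pep.install("T1+*", "Mark DSCP AF21")        # -> Core+T1, Edge+T1
    # A wildcard matching no combination on this PEP installs nothing.
    pep.install("Wireless+*", "Drop")
    return pep.per_interface_config()


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"Configure interface {name} with {action}")
```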



From majordomo@raleigh.ibm.com  Tue Feb  8 17:13:58 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA12662
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 17:13:57 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id RAA36832;
	Tue, 8 Feb 2000 17:02:15 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id QAA24938;
	Tue, 8 Feb 2000 16:59:03 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA51140; Tue, 8 Feb 2000 16:38:48 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA50098; Tue, 8 Feb 2000 16:38:43 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id QAA24926
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 16:38:46 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id QAA28958
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 16:38:43 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZS0L5; Tue, 8 Feb 2000 16:35:28 -0500
Message-Id: <4.2.0.58.20000208162852.00ab6c60@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Tue, 08 Feb 2000 16:29:37 -0500
To: James_Binder@3com.com
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: avri.doria@nokia.com, jstrassn@cisco.com, andrew@extremenetworks.com,
        kjr@nortelnetworks.com, policy@raleigh.ibm.com, snmpconf@snmp.com,
        rap@iphighway.com, ipsec-policy@vpnc.org
In-Reply-To: <8825687F.007370B2.00@hqoutbound.ops.3com.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

At 12:56 PM 02/08/2000, James_Binder@3com.com wrote:

And what is T1's responsibility? ;-)
(...to deliver data faster than dial-up and slower than T3? ;-)

Shai



>Maybe we should be thinking in terms of "Responsibilities" as well as "Roles".
>That is, Edge is "responsible" for packet classification, marking, shaping,
>etc.
>
>/jsb
>
>Shai Herzog <herzog@iphighway.com> on 02/08/2000 11:00:46 AM
>
>...
>


__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006

From majordomo@raleigh.ibm.com  Tue Feb  8 17:47:53 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA13041
	for <policy-archive@odin.ietf.org>; Tue, 8 Feb 2000 17:47:53 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id RAA31408;
	Tue, 8 Feb 2000 17:39:50 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id QAA26136;
	Tue, 8 Feb 2000 16:30:17 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA55790; Tue, 8 Feb 2000 16:06:55 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA56038; Tue, 8 Feb 2000 16:06:52 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id QAA21250
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 16:06:55 -0500
From: James_Binder@3com.com
Received: from seattle.3com.com ([129.213.128.97])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id QAA25540
	for <policy@raleigh.ibm.com>; Tue, 8 Feb 2000 16:06:50 -0500
Received: from new-york.3com.com (new-york.3com.com [129.213.157.12])
	by seattle.3com.com (8.8.8/8.8.8) with ESMTP id NAA19421;
	Tue, 8 Feb 2000 13:03:22 -0800 (PST)
Received: from hqoutbound.ops.3com.com (hqoutbound.OPS.3Com.COM [139.87.48.104])
	by new-york.3com.com (8.8.8/8.8.8) with SMTP id NAA15892;
	Tue, 8 Feb 2000 13:03:22 -0800 (PST)
Received: by hqoutbound.ops.3com.com(Lotus SMTP MTA v4.6.3 (778.2 1-4-1999))  id 8825687F.00737307 ; Tue, 8 Feb 2000 13:01:00 -0800
X-Lotus-Fromdomain: 3COM
To: Shai Herzog <herzog@iphighway.com>
Cc: avri.doria@nokia.com, jstrassn@cisco.com, andrew@extremenetworks.com,
        kjr@nortelnetworks.com, policy@raleigh.ibm.com, snmpconf@snmp.com,
        rap@iphighway.com, ipsec-policy@vpnc.org
Message-Id: <8825687F.007370B2.00@hqoutbound.ops.3com.com>
Date: Tue, 8 Feb 2000 12:56:40 -0800
Subject: RE: Policy issues: definition of Roles
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: James_Binder@3com.com



Maybe we should be thinking in terms of "Responsibilities" as well as "Roles".
That is, Edge is "responsible" for packet classification, marking, shaping,
etc.

/jsb





Shai Herzog <herzog@iphighway.com> on 02/08/2000 11:00:46 AM

To:   avri.doria@nokia.com, jstrassn@cisco.com, andrew@extremenetworks.com,
      kjr@nortelnetworks.com
cc:   policy@raleigh.ibm.com, snmpconf@snmp.com, rap@iphighway.com,
      ipsec-policy@vpnc.org (bcc: James Binder/HQ/3Com)

Subject:  RE: Policy issues: definition of Roles




Yap.

It just dawned on me that a roles are "logical interfaces" in the
router, as opposed to "physical interfaces".

So, in a router with physical interfaces S0..S4, rather than

SNMP:

"Configure interface S0 with ....."
"Configure interface S1 with ....."
"Configure interface S2 with ....."
"Configure interface S3 with ....."
"Configure interface S4 with ....."

The PDP says (using COPS or similar):

"Configure role "Edge+Serial" with ....."

And the PEP knows that it has 5 serial physical interfaces with this
role combination and configures S0..S4 with ....

Shai

P.S., ...With a note regarding "user profiles" and other attributes
used in the schema, which may overload the term Roles but aren't
related to the PEP roles. I call it user profiles since this
is the terminology used in security, access policies, and many
other areas of networking.


At 12:44 PM 02/08/2000, avri.doria@nokia.com wrote:
>So, the role isn't a selector in the schema (although simple schema may
>use it) it is also not a selector at the PDP, but only a selector
>for the PEP to advertise the kind of roles it has, and receive policy
>for each one of its roles.
>...
>
>
>
>
>
>
>
><js>
>Seems to me that you want to differentiate between roles as used to
>influence device configuration on the PEP level vs. roles as used to build
>policy statements at the PDP level. Is this what you meant by "levels" of
>roles?
>
>If so, then I suggest that we talk about PEP roles vs. PDP roles (as Keith
>suggested earlier) vs. roles as a selector (to make me happy ;-) )
></js>
>
>
>
>YES YES YES, you hit it bulls eye! I was talking about PEP roles only
>and was trying (clumsily) to express myself, thanks!
>
>So, lets call it "PEP ROLES"
>
>As for the other one, I believe PDP is merely an interpreter (in comes
>abstract policy, out goes device policy) so it doesn't really have
>roles. So, we should find another name for the second type that you
>described, perhaps "Profile" (as in "user profile, application
>profile,...)? or "Usage Roles".
>
>Shai
>
>
>
>
>
>__________________________________________________________________
>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>55 New York Avenue                            Main: (508) 620-1141
>Framingham, MA 01701                          Fax : (212) 656-1006
>
>
>
>
>


__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006











From majordomo@raleigh.ibm.com  Wed Feb  9 06:10:43 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA03241
	for <policy-archive@odin.ietf.org>; Wed, 9 Feb 2000 06:10:43 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id GAA32334;
	Wed, 9 Feb 2000 06:07:47 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id GAA20046;
	Wed, 9 Feb 2000 06:07:46 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA55218; Wed, 9 Feb 2000 05:51:07 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA45738; Wed, 9 Feb 2000 05:51:03 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id FAA26710
	for <policy@raleigh.ibm.com>; Wed, 9 Feb 2000 05:51:02 -0500
Received: from mail.toplayer.com ([199.103.238.97])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id FAA32178
	for <policy@raleigh.ibm.com>; Wed, 9 Feb 2000 05:50:59 -0500
Received: from eh6mq5 ([10.100.1.2])
	by mail.toplayer.com (8.8.7/8.8.7) with SMTP id FAA25501;
	Wed, 9 Feb 2000 05:49:51 -0500
From: "Jon Sjoberg" <jsjoberg@TopLayer.com>
To: "Shai Herzog" <herzog@iphighway.com>,
        "Andrew Smith" <andrew@extremenetworks.com>
Cc: <policy@raleigh.ibm.com>, <snmpconf@snmp.com>, <rap@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Date: Wed, 9 Feb 2000 05:59:00 -0800
Message-Id: <NDBBIAJPECLMAGIKKEJGIEEBCAAA.jsjoberg@toplayer.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0000_01BF72C2.C2BB7430"
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
In-Reply-To: <4.2.0.58.20000208145823.00ab6c60@209.3.6.76>
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Jon Sjoberg" <jsjoberg@TopLayer.com>

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01BF72C2.C2BB7430
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Shai,

Correct me if I'm wrong, but I read the below to say that the "ALL" in your
definition means that all the roles in a role combination associated to a
policy must be a proper subset of the roles on a PEP for the policy to be
loaded.

So, for your example:

If I had a QoS policy P1 associated with the combination "Edge+Ethernet",
and a PEP that supported the roles
"Edge+Ethernet+TrustedInterface+Engineering", then P1 would be appropriate
for that PEP.  Correct?

In this case, a security policy, P2, for all TrustedInterface PEPs would be
merged with P1.  Correct?

What I'm also understanding that may be wrong is that this position further
holds that the association between Edge+Ethernet and P1 is not stored in the
schema but the PDP comes up with this out of some learned or intrinsic
network knowledge (proprietary).  What is stored in the schema, and
associated with a policy in the schema, is some set of identifiers as to the
general functionality that a policy pertains to (Configuration, QoS,
Security, etc.).

Am I close?

Jon
  -----Original Message-----
  From: policy-owner@raleigh.ibm.com [mailto:policy-owner@raleigh.ibm.com]On
Behalf Of Shai Herzog
  Sent: Tuesday, February 08, 2000 12:32 PM
  To: Andrew Smith
  Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'; rap@iphighway.com
  Subject: RE: Policy issues: definition of Roles

  ...

------=_NextPart_000_0000_01BF72C2.C2BB7430--
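Shai's replace-not-merge rule for the "Edge+*" shorthand, quoted above, as an added Python model (not code from the thread): the PEP expands a shorthand target to the complete role combinations it actually has and overwrites each one, and a bare "Edge" that is not a complete combination on that PEP denotes nothing. The PEP, its role combinations and the DSCP markings are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

WILDCARD = "*"


def parse_combination(text: str) -> tuple[frozenset[str], bool]:
    """Parse "Edge+T1" (complete) or the shorthand "Edge+*" into
    (named roles, is_shorthand). The "+" separator follows the thread."""
    parts = [p.strip() for p in text.split("+")]
    if any(p == "" for p in parts):
        raise ValueError(f"malformed role combination: {text!r}")
    shorthand = WILDCARD in parts
    roles = frozenset(p for p in parts if p != WILDCARD)
    if not roles:
        raise ValueError("a role combination must name at least one role")
    return roles, shorthand


@dataclass
class Pep:
    """A PEP that knows the complete role combination of each of its
    interfaces and holds exactly one configuration per complete combination."""

    combinations: set[frozenset[str]]
    installed: dict[frozenset[str], str] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def expand(self, target: str) -> list[frozenset[str]]:
        """Which of this PEP's complete combinations a policy target denotes."""
        roles, shorthand = parse_combination(target)
        if not shorthand:
            # An exact target must be one of the PEP's COMPLETE combinations;
            # a bare "Edge" on a PEP whose interfaces are "Edge+T1" and
            # "Edge+Ethernet" denotes nothing.
            return [roles] if roles in self.combinations else []
        # "Edge+*" is shorthand for every complete combination containing Edge.
        return [c for c in self.combinations if roles <= c]

    def install(self, target: str, config: str) -> list[str]:
        """Apply a PDP decision: replace (never merge) the configuration of
        every denoted combination. Returns the combinations touched."""
        touched: list[str] = []
        for combo in sorted(self.expand(target), key=sorted):
            name = "+".join(sorted(combo))
            old = self.installed.get(combo)
            self.installed[combo] = config  # wholesale replacement, no merge
            self.log.append(f"{name}: {old!r} -> {config!r}")
            touched.append(name)
        return touched

    def configuration(self, combination: str) -> str | None:
        """Configuration currently installed on one complete combination."""
        roles, shorthand = parse_combination(combination)
        if shorthand:
            raise ValueError("lookup needs a complete role combination")
        return self.installed.get(roles)


if __name__ == "__main__":
    # Constructed PEP: three interfaces with these complete role combinations.
    pep = Pep({frozenset({"Edge", "T1"}), frozenset({"Edge", "Ethernet"}),
               frozenset({"Core", "T1"})})
    pep.install("Edge+*", "Mark DSCP AF11")  # sets Edge+T1 and Edge+Ethernet
    pep.install("T1+*", "Mark DSCP AF21")    # replaces Edge+T1, leaves Edge+Ethernet
    print("\n".join(pep.log))
```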



From majordomo@raleigh.ibm.com  Wed Feb  9 11:46:01 2000
Message-Id: <4.2.0.58.20000209074033.00c1b1d0@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Wed, 09 Feb 2000 08:18:14 -0800
To: Shai Herzog <herzog@iphighway.com>,
        "John C. Strassner" <jstrassn@cisco.com>,
        Andrew Smith <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, "'snmpconf@snmp.com'" <snmpconf@snmp.com>,
        rap@iphighway.com, ipsec-policy@vpnc.org
In-Reply-To: <4.2.0.58.20000208113808.00ab6c60@209.3.6.76>
References: <4.2.0.58.20000208080450.00ad9a00@omega.cisco.com>
 <4.2.0.58.20000206232138.02f037b0@209.3.6.76>
 <4.2.0.58.20000206174814.00c4a2a0@omega.cisco.com>
 <808F64DDB492D3119D3C00508B5D8D733EC4B2@SOL>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_3426967==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

--=====================_3426967==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

Comments inline.

regards,
John

At 12:11 PM 2/8/00 -0500, Shai Herzog wrote:
>At 08:22 AM 02/08/2000, John C. Strassner wrote:
>>Hi Shai, comments inline.
>>
>>regards,
>>John
>>
>>At 11:48 PM 2/6/00 -0500, Shai Herzog wrote:
>>>I think that one of the problems is that we're confusing the
>>>various levels of "roles". Let me try to make the following
>>>observations:
>>
>><js>
>>Levels of roles? If a role is indeed an attribute used as a selector, 
>>this translates to levels of attributes. My head is hurting. ;-) More to 
>>the point, I don't know what you mean by "levels" of roles...
>
>Sorry, didn't mean to hurt anyone ;-)
>I meant: Roles at PEP, Roles at PDP, Roles in the Schema, Roles in our
>head, etc....

<js> OK, fine. You're talking about different uses of the term "role". </js>


>>I humbly submit that you're making this too complicated. Instead, 
>>thinking of roles as a means to select from among a larger subset is 
>>appealing because it always means the same thing each time it is used.
>></js>
>
>I think the two of us have been discussing this for perhaps years ;-)

<js> seems longer ;-) </js>

>I believe that the input to the PDP (schema, GUI, whatever) isn't
>necessarily mapped 1:1 with PEP configuration (In fact, it better
>not be). This means that the PDP may have as input an E-2-E definition
>w/o roles (this user gets gold service (low delay, drop)). The PDP
>gets this non-role info and converts it into COPS commands to
>configure the PEP based on roles:
>
>Role=Edge, DS GOLD Service -> Mark DSCP AF11
>
>So, the schema didn't have roles, but roles were used in configuring the
>edge router.

<js>
The schema may have just had policy configuration information and no roles 
as you suggest, but in this case I wonder how we achieve consistent device 
configuration? It is the role that is used to define how the edge is to be 
configured. Therefore, if each PDP defines its own role, you have chaos. On 
the other hand, if the PDP knows about a certain set of roles, then it can 
distribute these to other PDPs so that each may consistently configure the 
set of devices that it controls.
</js>

>So, the role isn't a selector in the schema (although simple schema may
>use it) it is also not a selector at the PDP, but only a selector
>for the PEP to advertise the kind of roles it has, and receive policy
>for each one of its roles.
>...

<js>
I have no problem with your above example, and it is certainly a valid use of 
roles. However, it is not the only use of roles, right? Equally correct 
would be to describe the provisioning of the system using roles. There are 
two obvious examples of using roles as selectors:

   1) as a way to select the subset of policies from a large
      set of policies that are stored in the repository.
   2) as a way to retrieve the subset of policies that pertain
      to a specific set of devices or interfaces

The first way assumes that the provisioning of the system is described in 
terms of roles. This is in contrast to your example, where roles can be 
used to provision the system. The second uses roles as a selector to 
retrieve policies for specific devices or device interfaces. This is 
slightly different than the first. The first describes the behavior of the 
system. The second describes the capabilities of a device in the form of 
roles (note that this is NOT the only way, but rather ONE way, that the PEP 
can do this) so that the PDP can retrieve the policies that affect that device.
</js>


>><js>
>>Seems to me that you want to differentiate between roles as used to 
>>influence device configuration on the PEP level vs. roles as used to 
>>build policy statements at the PDP level. Is this what you meant by 
>>"levels" of roles?
>>
>>If so, then I suggest that we talk about PEP roles vs. PDP roles (as 
>>Keith suggested earlier) vs. roles as a selector (to make me happy ;-) )
>></js>
>
>YES YES YES, you hit it bull's eye! I was talking about PEP roles only
>and was trying (clumsily) to express myself, thanks!
>
>So, let's call it "PEP ROLES"
>
>As for the other one, I believe PDP is merely an interpreter (in comes
>abstract policy, out goes device policy) so it doesn't really have
>roles. So, we should find another name for the second type that you
>described, perhaps "Profile" (as in "user profile, application
>profile,...)? or "Usage Roles".

<js>
Well, we're getting very close here. Let me propose a summary to see if we 
can agree. Roles have three fundamentally different uses:

   1) to directly influence device configuration - let's
      call this PEP ROLES for now
   2) to translate from a high-level description of policy
      into one that configures the device either directly
      or indirectly - let's call this PDP ROLES for now
   3) to be used as a selector to retrieve a subset of
      applicable policies from a larger set of available
      policies - let's call this SELECTOR ROLES for now

Note that the second use is subtly different than the third. The second 
uses roles as a means to translate between expressing policy in general 
terms and in configuring the device to implement or support that policy. So 
in Shai's example, the PDP has two inputs. One input is the definition of 
the policy from the administrator's point-of-view, which probably cannot 
be used in its current form to configure devices. The other is from the 
devices that it controls. They announce their capabilities in terms of 
roles. The PDP then uses roles to translate policy from a business 
expression (Gold service, or don't allow more than 30% of my core bandwidth 
to be devoted to a certain type of traffic, or...) to a form that is used 
to ultimately configure the devices that it controls.

The third use is not focused on translation. Rather, it is a way of 
selecting policies and/or policy information to be retrieved for further 
processing.
</js>

>Shai
>
>__________________________________________________________________
>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>55 New York Avenue                            Main: (508) 620-1141
>Framingham, MA 01701                          Fax : (212) 656-1006




From majordomo@raleigh.ibm.com  Wed Feb  9 14:29:21 2000
From: remoore@us.ibm.com
X-Lotus-Fromdomain: IBMUS
To: jschnizl@cisco.com
Cc: policy@raleigh.ibm.com, johns@cisco.com,
        Ed_Ellesson/Tivoli_Systems@Tivoli_Systems.raleigh.ibm.com
Message-Id: <85256880.0067E366.00@d54mta04.raleigh.ibm.com>
Date: Wed, 9 Feb 2000 13:51:28 -0500
Subject: RE: time period syntax: draft-ietf-policy-core-info-model-03.txt
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: remoore@us.ibm.com



John,

After poking around in RFC 2445 a little, I can sort of see the
appeal of using its format for time intervals, but I also have
quite a few questions that we'd have to answer.

1. First, my take is that RFC 2445's basic format for a time
   interval is neither better nor worse than ours -- just different:

   Interval: January 1, 1999, 0800 through January 31, 1999, noon

   PCIM:
      19990101080000:19990131120000
   RFC 2445:
      19990101T080000/19990131T120000

2. The PCIM has three "special" formats for a time interval:  omit
   the end time, omit the start time, and omit both.  Are you
   suggesting that we get rid of these (I think they have value),
   or that we tweak the RFC 2445 format to allow them?  Of course
   once it's been tweaked, then it's not the RFC 2445 format any
   more, so what have we gained?

3. As I read RFC 2445, the only way to do an offset from UTC is to
   embed it in each of the time strings.  Since the PCIM needs to
   apply a UTC offset to the mask properties as well as to the
   time interval, we represent the UTC offset for the whole
   PTP Condition object in a separate property.  Once again, we
   need to understand exactly how you're proposing for us to
   handle the offsets.

4. What task(s) would we simplify if we switched to the RFC 2445
   format for time intervals?  Asking it another way, where are
   implementations of RFC 2445 deployed (or going to be deployed),
   and for what purpose?  In support of the existing PCIM format,
   I can certainly envision cases where Policy Monitoring might
   need to be turned on/off via the Schedule MIB, at the same
   times that a Policy Rule became active/inactive.  So there
   might be value in sharing a common time format between these
   two activities.

Until we have answers to these questions, I'm planning to leave
the encoding for time intervals unchanged in the PCIM.

Thanks.

Regards,
Bob

Bob Moore
IBM Networking Software
+1-919-254-4436
remoore@us.ibm.com
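The PCIM interval format Bob compares with RFC 2445 above, as an added Python example (not code from the draft or the thread): it parses the "start:end" string with either side omitted, applies the UTC offset that the PCIM keeps in a separate property, and converts to an RFC 2445 period where one exists. The empty-side spelling of the three special formats and the "+hhmm" encoding of the offset property are assumptions of this example; the mask properties are not modelled.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PCIM_STAMP = re.compile(r"^\d{14}$")                # yyyymmddhhmmss
UTC_OFFSET = re.compile(r"^([+-])(\d{2})(\d{2})$")  # e.g. "-0500"


def parse_utc_offset(text: str) -> timezone:
    """The UTC offset the PCIM keeps in a separate property of the condition.
    Its "+hhmm"/"-hhmm" spelling is an assumption of this example."""
    m = UTC_OFFSET.match(text)
    if not m:
        raise ValueError(f"bad UTC offset: {text!r}")
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    if delta >= timedelta(hours=24):
        raise ValueError(f"UTC offset out of range: {text!r}")
    return timezone(-delta if m.group(1) == "-" else delta)


def parse_stamp(text: str, tz: timezone) -> datetime:
    """One PCIM time string, interpreted in the condition's UTC offset."""
    if not PCIM_STAMP.match(text):
        raise ValueError(f"bad PCIM time string: {text!r}")
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=tz)


@dataclass(frozen=True)
class TimePeriod:
    start: datetime | None  # None: no start time (active from the beginning)
    end: datetime | None    # None: no end time (active indefinitely)

    @classmethod
    def from_pcim(cls, text: str, utc_offset: str = "+0000") -> TimePeriod:
        """Parse 'start:end'. An omitted side is written as an empty string
        here ("19990101080000:", ":19990131120000", ":"); that spelling of
        the three special formats is an assumption of this example."""
        if text.count(":") != 1:
            raise ValueError(f"expected one ':' in PCIM interval: {text!r}")
        tz = parse_utc_offset(utc_offset)
        start_s, end_s = text.split(":")
        start = parse_stamp(start_s, tz) if start_s else None
        end = parse_stamp(end_s, tz) if end_s else None
        if start is not None and end is not None and end < start:
            raise ValueError("interval ends before it starts")
        return cls(start, end)

    def contains(self, at: datetime) -> bool:
        """Is the timezone-aware instant 'at' inside the interval (inclusive)?"""
        if at.tzinfo is None:
            raise ValueError("compare against an aware datetime")
        after_start = self.start is None or self.start <= at
        before_end = self.end is None or at <= self.end
        return after_start and before_end

    def to_rfc2445(self) -> str | None:
        """The same interval as an RFC 2445 period 'yyyymmddThhmmssZ/...'.
        RFC 2445 carries the offset inside each time string, so the separate
        UTC offset is folded in here. Returns None for the open-ended forms,
        which have no direct RFC 2445 period equivalent."""
        if self.start is None or self.end is None:
            return None

        def as_utc(d: datetime) -> str:
            return d.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")

        return f"{as_utc(self.start)}/{as_utc(self.end)}"


if __name__ == "__main__":
    # The interval from the message, read in US Eastern standard time (-0500).
    period = TimePeriod.from_pcim("19990101080000:19990131120000", "-0500")
    print(period.to_rfc2445())  # 19990101T130000Z/19990131T170000Z
    print(TimePeriod.from_pcim("19990101080000:").to_rfc2445())  # None
```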




From majordomo@raleigh.ibm.com  Wed Feb  9 14:30:32 2000
Message-Id: <4.2.0.58.20000209093146.00b7ae70@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Wed, 09 Feb 2000 09:56:47 -0800
To: avri.doria@nokia.com, herzog@iphighway.com, jstrassn@cisco.com,
        andrew@extremenetworks.com, kjr@nortelnetworks.com
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, snmpconf@snmp.com, rap@iphighway.com,
        ipsec-policy@vpnc.org
In-Reply-To: <B9CFA6CE8FFDD211A1FB0008C7894E46B5797B@bseis01nok>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

Hi Avri,

please see my last response. Roles have three fundamentally different uses. 
One is as a selector of policy, independent of whether the PDP or the PEP 
is involved. A second is as a translation between different forms of policy 
(e.g., a high-level business specification vs. a low-level device 
configuration specification). A third is to be able to directly influence 
device configuration.

At 12:44 PM 2/8/00 -0600, avri.doria@nokia.com wrote:


>So, the role isn't a selector in the schema (although simple schema may
>use it) it is also not a selector at the PDP, but only a selector
>for the PEP to advertise the kind of roles it has, and receive policy
>for each one of its roles.
>...
>
><js>
>Seems to me that you want to differentiate between roles as used to
>influence device configuration on the PEP level vs. roles as used to build
>policy statements at the PDP level. Is this what you meant by "levels" of
>roles?
>
>If so, then I suggest that we talk about PEP roles vs. PDP roles (as Keith
>suggested earlier) vs. roles as a selector (to make me happy ;-) )
></js>
>
>YES YES YES, you hit it bulls eye! I was talking about PEP roles only
>and was trying (clumsily) to express myself, thanks!
>
>So, lets call it "PEP ROLES"
>
>As for the other one, I believe PDP is merely an interpreter (in comes
>abstract policy, out goes device policy) so it doesn't really have
>roles. So, we should find another name for the second type that you
>described, perhaps "Profile" (as in "user profile, application
>profile,...)? or "Usage Roles".
>
>Shai
>
>__________________________________________________________________
>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>55 New York Avenue                            Main: (508) 620-1141
>Framingham, MA 01701                          Fax : (212) 656-1006



From majordomo@raleigh.ibm.com  Wed Feb  9 15:11:30 2000
Message-Id: <001e01bf7336$35e21360$1e572509@raleigh.ibm.com>
From: "Lee Rafalow" <rafalow@raleigh.ibm.com>
To: <policy@raleigh.ibm.com>
Cc: <rap@iphighway.com>, <ipsec-policy@vpnc.org>, <snmpconf@snmp.com>
References: <4.2.0.58.20000208080450.00ad9a00@omega.cisco.com><4.2.0.58.20000206232138.02f037b0@209.3.6.76><4.2.0.58.20000206174814.00c4a2a0@omega.cisco.com><808F64DDB492D3119D3C00508B5D8D733EC4B2@SOL> <4.2.0.58.20000209074033.00c1b1d0@omega.cisco.com>
Subject: Re: Policy issues: definition of Roles
Date: Wed, 9 Feb 2000 14:45:23 -0500
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_001B_01BF730C.4B500380"
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Lee Rafalow" <rafalow@raleigh.ibm.com>

I like Bert's suggestion...I don't know how others feel, but my laptop
only has 6 gig...can we confine this (and other) discussion(s) to one
list, say policy.  Cheers, Lee



From majordomo@raleigh.ibm.com  Wed Feb  9 15:25:58 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA21688
	for <policy-archive@odin.ietf.org>; Wed, 9 Feb 2000 15:25:56 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id PAA30764;
	Wed, 9 Feb 2000 15:17:58 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id PAA32374;
	Wed, 9 Feb 2000 15:17:53 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA49002; Wed, 9 Feb 2000 14:55:58 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA30802; Wed, 9 Feb 2000 14:55:55 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id OAA28688
	for <policy@raleigh.ibm.com>; Wed, 9 Feb 2000 14:55:57 -0500
From: avri.doria@nokia.com
Received: from mgw-x2.nokia.com (mgw-x2.nokia.com [131.228.20.22])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA26238
	for <policy@raleigh.ibm.com>; Wed, 9 Feb 2000 14:55:55 -0500
Received: from mgw-i2.ntc.nokia.com (mgw-i2.ntc.nokia.com [131.228.118.61])
	by mgw-x2.nokia.com (8.9.3/8.9.3/o) with ESMTP id VAA06362;
	Wed, 9 Feb 2000 21:54:17 +0200 (EET)
Received: from daebh01nok.americas.nokia.com (daebh01nok.americas.nokia.com [172.18.242.182])
	by mgw-i2.ntc.nokia.com (8.9.3/8.9.3) with ESMTP id VAA00313;
	Wed, 9 Feb 2000 21:54:15 +0200 (EET)
Received: by daebh01nok with Internet Mail Service (5.5.2448.0)
	id <1RM26SQX>; Wed, 9 Feb 2000 13:53:36 -0600
Message-Id: <B9CFA6CE8FFDD211A1FB0008C7894E46B57991@bseis01nok>
To: policy@raleigh.ibm.com, jstrassn@cisco.com
Subject: RE: Policy issues: definition of Roles
Date: Wed, 9 Feb 2000 13:53:08 -0600 
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: avri.doria@nokia.com

Hi John,

This matches the way I have been thinking about roles. 
My only quibble would be with naming #2 as PDP roles.
It is not certain that PDPs will always be the consumers doing translation,
so I would refer to these as referent or
abstract roles since at every level of abstraction they refer to
another level of abstraction. 

<js>
Well, we're getting very close here. Let me propose a summary to see if we
can agree. Roles have three fundamentally different uses:

  1) to directly influence device configuration - let's
     call this PEP ROLES for now
  2) to translate from a high-level description of policy
     into one that configures the device either directly
     or indirectly - let's call this PDP ROLES for now
  3) to be used as a selector to retrieve a subset of
     applicable policies from a larger set of available
     policies - let's call this SELECTOR ROLES for now

Note that the second use is subtly different than the third. The second
uses roles as a means to translate between expressing policy in general
terms and in configuring the device to implement or support that policy. So
in Shai's example, the PDP has two inputs. One input is the definition of
the policy from the administrator's point-of-view, which probably can not be
used in its current form to configure devices. The other is from the devices
that it controls. They announce their capabilities in terms of roles. The
PDP then uses roles to translate policy from a business expression (Gold
service, or don't allow more than 30% of my core bandwidth to be devoted to
a certain type of traffic, or...) to a form that is used to ultimately
configure the devices that it controls.

The third use is not focused on translation. Rather, it is a way of
selecting policies and/or policy information to be retrieved for further
processing.
</js>


From majordomo@raleigh.ibm.com  Wed Feb  9 16:18:26 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA24014
	for <policy-archive@odin.ietf.org>; Wed, 9 Feb 2000 16:18:24 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id QAA23330;
	Wed, 9 Feb 2000 16:05:21 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id QAA29812;
	Wed, 9 Feb 2000 16:05:17 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35340; Wed, 9 Feb 2000 15:49:34 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA52228; Wed, 9 Feb 2000 15:49:31 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id PAA36416
	for <policy@raleigh.ibm.com>; Wed, 9 Feb 2000 15:49:34 -0500
Received: from diablo.cisco.com (diablo.cisco.com [171.68.224.210])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id PAA36920
	for <policy@raleigh.ibm.com>; Wed, 9 Feb 2000 15:49:29 -0500
Received: from jschnizl1-pc.cisco.com (jschnizl-isdn.cisco.com [171.70.238.115]) by diablo.cisco.com (8.8.6 (PHNE_14041)/CISCO.SERVER.1.2) with SMTP id MAA00922; Wed, 9 Feb 2000 12:48:15 -0800 (PST)
Message-Id: <4.1.20000209150008.00a8bc50@diablo.cisco.com>
X-Sender: jschnizl@diablo.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 
Date: Wed, 09 Feb 2000 15:46:50 -0500
To: remoore@us.ibm.com
From: John Schnizlein <jschnizl@cisco.com>
Subject: RE: time period syntax:
  draft-ietf-policy-core-info-model-03.txt
Cc: policy@raleigh.ibm.com, johns@cisco.com,
        Ed_Ellesson/Tivoli_Systems@Tivoli_Systems.raleigh.ibm.com
In-Reply-To: <85256880.0067E366.00@d54mta04.raleigh.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: John Schnizlein <jschnizl@cisco.com>

Bob,
answers embedded:

At 01:51 PM 02/09/2000 -0500, remoore@us.ibm.com wrote:
>After poking around in RFC 2445 a little, I can sort of see the
>appeal of using its format for time intervals, but I also have
>quite a few questions that we'd have to answer.
>
>1. First, my take is that RFC 2445's basic format for a time
>   interval is neither better nor worse than ours -- just different:

Different from an existing Internet Standard is bad.
RFC 1598 says this:
   3.2 If there are several ways of doing the same thing, choose one.
   If a previous design, in the Internet context or elsewhere, has
   successfully solved the same problem, choose the same solution unless
   there is a good technical reason not to. 

>2. The PCIM has three "special" formats for a time interval:  omit
>   the end time, omit the start time, and omit both.  Are you
>   suggesting that we get rid of these (I think they have value),
>   or that we tweak the RFC 2445 format to allow them.  Of course
>   once it's been tweaked, then it's not the RFC 2445 format any
>   more, so what have we gained?

I dislike formats that imply "special" meaning to omitted items.
The THISANDPRIOR and THISANDFUTURE values for time in a range in 
section 4.2.13 of RFC 2445 seem to cover the same territory without
attributing meaning to empty fields.

The [from now] semantics in the draft implies an interpretation of
when "now" is, which is at least problematic for a distributed policy
system. 

>3. As I read RFC 2445, the only way to do an offset from UTC is to
>   embed it in each of the time strings.  Since the PCIM needs to
>   apply a UTC offset to the mask properties as well as to the
>   time interval, we represent the UTC offset for the whole
>   PTP Condition object in a separate property.  Once again, we
>   need to understand exactly how you're proposing for us to
>   handle the offsets.

I see no problem defining the time zone for local time in a separate
property. Section 4.3.5 of RFC 2445 specifies local time as follows:
   The date with local time form is simply a date-time value that does
   not contain the UTC designator nor does it reference a time zone. For
   example, the following represents January 18, 1998, at 11 PM:

     DTSTART:19980118T230000

   Date-time values of this type are said to be "floating" and are not
   bound to any time zone in particular. 

>4. What task(s) would we simplify if we switched to the RFC 2445
>   format for time intervals?  Asking it another way, where are
>   implementations of RFC 2445 deployed (or going to be deployed),
>   and for what purpose?

Since RFC 2445 is Standards Track, it is reasonable to expect its
deployment even if I cannot describe (or predict) its deployment.

>                    In support of the existing PCIM format,
>   I can certainly envision cases where Policy Monitoring might
>   need to be turned on/off via the Schedule MIB, at the same
>   times that a Policy Rule became active/inactive.  So there
>   might be value in sharing a common time format between these
>   two activities.

Since RFC 2591 (Schedule MIB) does not specify a time format, it
is reasonable for applications using it to use the format specified
in RFC 2445 (or NTP). The need for another format is not clear.

>Until we have answers to these questions, I'm planning to leave
>the encoding for time intervals unchanged in the PCIM.

I hope these answers are sufficient.
Changing the draft can avoid creating conflict between it and
the Standards Track RFC. What is the reason not to change it?
Is there some other standard or tradition the proposed format follows?

>Thanks.

You are welcome.

John


From majordomo@raleigh.ibm.com  Thu Feb 10 10:15:17 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA29947
	for <policy-archive@odin.ietf.org>; Thu, 10 Feb 2000 10:15:16 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA25020;
	Thu, 10 Feb 2000 10:05:58 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id KAA33124;
	Thu, 10 Feb 2000 10:05:58 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA36002; Thu, 10 Feb 2000 09:41:18 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA30872; Thu, 10 Feb 2000 09:41:14 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id JAA32670
	for <policy@raleigh.ibm.com>; Thu, 10 Feb 2000 09:41:17 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id JAA23976
	for <policy@raleigh.ibm.com>; Thu, 10 Feb 2000 09:41:14 -0500
Received: from jstrass-lap (sjck-dial-gw5-118.cisco.com [171.68.183.118])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id GAA11809;
	Thu, 10 Feb 2000 06:39:38 -0800 (PST)
Message-Id: <4.2.0.58.20000210084042.00c256c0@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Thu, 10 Feb 2000 08:41:56 -0800
To: avri.doria@nokia.com, policy@raleigh.ibm.com, jstrassn@cisco.com
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
In-Reply-To: <B9CFA6CE8FFDD211A1FB0008C7894E46B57991@bseis01nok>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

Hi Avri,

that seems reasonable, though I like the term "translation roles" slightly 
better (but not enough to argue about) ;-)

John

At 01:53 PM 2/9/00 -0600, avri.doria@nokia.com wrote:
>Hi John,
>
>This matches the way I have been thinking about roles.
>My only quibble would be with naming #2 as PDP roles.
>It is not certain that PDPs will always be the consumers doing translation,
>so I would refer to these as referent or
>abstract roles since at every level of abstraction they refer to
>another level of abstraction.
>
><js>
>Well, we're getting very close here. Let me propose a summary to see if we
>can agree. Roles have three fundamentally different uses:
>
>   1) to directly influence device configuration - let's
>      call this PEP ROLES for now
>   2) to translate from a high-level description of policy
>      into one that configures the device either directly
>      or indirectly - let's call this PDP ROLES for now
>   3) to be used as a selector to retrieve a subset of
>      applicable policies from a larger set of available
>      policies - let's call this SELECTOR ROLES for now
>
>Note that the second use is subtly different than the third. The second
>uses roles as a means to translate between expressing policy in general
>terms and in configuring the device to implement or support that policy. So
>in Shai's example, the PDP has two inputs. One input is the definition of
>the policy from the administrator's point-of-view, which probably can not be
>used in its current form to configure devices. The other is from the devices
>that it controls. They announce their capabilities in terms of roles. The
>PDP then uses roles to translate policy from a business expression (Gold
>service, or don't allow more than 30% of my core bandwidth to be devoted to
>a certain type of traffic, or...) to a form that is used to ultimately
>configure the devices that it controls.
>
>The third use is not focused on translation. Rather, it is a way of
>selecting policies and/or policy information to be retrieved for further
>processing.
></js>



From majordomo@raleigh.ibm.com  Thu Feb 10 16:38:40 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA11241
	for <policy-archive@odin.ietf.org>; Thu, 10 Feb 2000 16:38:39 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id QAA14846;
	Thu, 10 Feb 2000 16:31:07 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id QAA27298;
	Thu, 10 Feb 2000 16:31:09 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35368; Thu, 10 Feb 2000 16:03:37 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA39196; Thu, 10 Feb 2000 16:03:24 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id QAA24978
	for <policy@raleigh.ibm.com>; Thu, 10 Feb 2000 16:03:29 -0500
Received: from rerun.lucentctc.com (rerun.lucentctc.com [199.93.237.2])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id QAA26318
	for <policy@raleigh.ibm.com>; Thu, 10 Feb 2000 16:03:24 -0500
Received: by rerun.lucentctc.com with Internet Mail Service (5.5.2448.0)
	id <1FBG1T45>; Thu, 10 Feb 2000 16:02:54 -0500
Message-Id: <75ADD7496F0BD211ADC000104B8846CF019115B4@rerun.lucentctc.com>
From: "Weiss, Walter" <WWeiss@lucentctc.com>
To: policy@raleigh.ibm.com
Subject: RE: Policy issues: definition of Roles
Date: Thu, 10 Feb 2000 16:02:53 -0500
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Weiss, Walter" <WWeiss@lucentctc.com>

I noticed that roles have been described in PFCIM through the PolicyKeywords
attribute in the Policy class. As PolicyGroup, PolicyRule, PolicyCondition
and PolicyAction all derive from Policy, all of these classes can specify
PolicyKeywords. This suggests that rather than having a role per
policy/rule, you can have keywords at any and all levels of a policy. Is
this desirable or are we going to place certain usage restrictions or
precedence hierarchies on the keywords/roles?

regards,

-Walter


From majordomo@raleigh.ibm.com  Thu Feb 10 17:17:14 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA11920
	for <policy-archive@odin.ietf.org>; Thu, 10 Feb 2000 17:17:14 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id RAA26314;
	Thu, 10 Feb 2000 17:09:04 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id RAA28624;
	Thu, 10 Feb 2000 17:09:07 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA40470; Thu, 10 Feb 2000 16:48:46 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35338; Thu, 10 Feb 2000 16:48:44 -0500
Received: from southrelay02.raleigh.ibm.com (southrelay02.raleigh.ibm.com [9.37.3.209])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id QAA25802
	for <policy@raleigh.ibm.com>; Thu, 10 Feb 2000 16:48:49 -0500
From: remoore@us.ibm.com
Received: from d54mta04.raleigh.ibm.com (d54mta04.raleigh.ibm.com [9.67.228.36])
	by southrelay02.raleigh.ibm.com (8.8.8m2/NCO v2.06) with SMTP id QAA72144;
	Thu, 10 Feb 2000 16:48:48 -0500
Received: by d54mta04.raleigh.ibm.com(Lotus SMTP MTA v4.6.5  (863.2 5-20-1999))  id 85256881.0077D1C2 ; Thu, 10 Feb 2000 16:48:44 -0500
X-Lotus-Fromdomain: IBMUS
To: policy@raleigh.ibm.com, wg-service@dmtf.org
Message-Id: <85256881.0077D08A.00@d54mta04.raleigh.ibm.com>
Date: Thu, 10 Feb 2000 16:45:18 -0500
Subject: PCIM:  Encodings for the three Mask properties in PTPCondition
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: remoore@us.ibm.com



In CIM, the string data type uses the UCS-2 encoding, which
means that each character is encoded in 2 octets.  While
this encoding makes sense for strings in general, it's very
inefficient (and inefficient for no apparent benefit) in the
case of the three properties MonthOfYearMask, DayOfMonthMask,
and DayOfWeekMask.  First, the current definitions for these
properties are incorrect:  they say both that the properties
are CIM strings ( --> they're UCS-2 strings --> each of the
characters in the strings is encoded in 2 octets) and that
the format is "A string of 12 (or 62, or 7) ASCII 0's and 1's"
( ==> each character is encoded in 1 octet).

One way to eliminate this contradiction would be to remove
the reference to ASCII, and say that the characters in the
strings are UCS-2-encoded 0's and 1's.  But this would mean
that each bit's worth of information was being represented
with a 16-bit encoding.  Not only is this inefficient -- it
invites data models based on the PCIM to define different
formats for their encodings (e.g., strings of ASCII 0's and
1's), precisely because it is so inefficient.

The authors of the PCIM believe that there's a better
approach:  recast these three properties as CIM octet strings
of the appropriate length, with each bit's worth of information
encoded in one bit.  Given this CIM encoding, it will be up to
each data model based on the PCIM to determine whether to
retain the 4-octet length that CIM puts on the front of its
octet strings, or to map just the octets containing the
significant bits.

Regardless of whether it's this proposal or another one, we'd
like to get consensus on *some* way of removing the
contradictions in these property definitions ASAP, so we can
roll it into an updated version of the PCIM.

Thanks.

Regards,
Bob

Bob Moore
IBM Networking Software
+1-919-254-4436
remoore@us.ibm.com
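
The size argument in Bob's message, worked through as an added example that is not part of the PCIM drafts or of any list posting: the three mask properties encoded under the current "CIM string" reading (UCS-2, two octets per '0'/'1') and under the proposed octet-string reading (one bit per position, plus the 4-octet CIM length prefix), together with an evaluator that tests a calendar date against the masks and refuses malformed masks rather than guessing. The bit-position conventions (January first, Sunday first, the second block of day-of-month bits counted back from the end of the month, a date matching if either of its two day-of-month bits is set) and the big-endian length prefix are assumptions made here, not something the message states.

```python
"""Added example: PCIM PTPCondition mask properties as UCS-2 strings vs. octet strings."""
from datetime import date
import calendar

# Bit widths named in the message: 12 months, 62 day-of-month positions
# (31 counted from the start of the month, 31 from the end), 7 weekdays.
MASK_BITS = {"MonthOfYearMask": 12, "DayOfMonthMask": 62, "DayOfWeekMask": 7}


def validate_mask(name: str, bits: str) -> str:
    """Accept exactly the right number of '0'/'1' characters and nothing else.
    A lenient decoder that padded or truncated would silently widen or narrow
    the window in which a policy rule is active, so fail closed instead."""
    want = MASK_BITS[name]
    if len(bits) != want or set(bits) - {"0", "1"}:
        raise ValueError(f"{name}: expected {want} chars of 0/1, got {bits!r}")
    return bits


def mask_as_ucs2(bits: str) -> bytes:
    """The 'CIM string' reading of the current definition: every '0' or '1'
    becomes one 2-octet UCS-2 code unit, i.e. 16 bits on the wire per mask bit."""
    return bits.encode("utf-16-be")


def mask_as_octetstring(bits: str, with_length: bool = True) -> bytes:
    """The proposed reading: mask bit i -> bit i of the octet string, MSB first,
    zero-padded to a whole octet. CIM octet strings carry a 4-octet length;
    big-endian and counting only the octets that follow is an assumption here."""
    nbytes = (len(bits) + 7) // 8
    padded = bits.ljust(nbytes * 8, "0")
    body = int(padded, 2).to_bytes(nbytes, "big")
    return (len(body).to_bytes(4, "big") + body) if with_length else body


def mask_from_octetstring(data: bytes, nbits: int, with_length: bool = True) -> str:
    """Inverse of mask_as_octetstring; checks the length prefix and octet count."""
    if with_length:
        declared, data = int.from_bytes(data[:4], "big"), data[4:]
        if declared != len(data):
            raise ValueError("octet string length prefix does not match body")
    if len(data) != (nbits + 7) // 8:
        raise ValueError(f"wrong number of octets for a {nbits}-bit mask")
    return "".join(f"{b:08b}" for b in data)[:nbits]


def encoding_sizes() -> dict:
    """Octets on the wire per property under each reading (length prefix excluded)."""
    return {name: (2 * n, (n + 7) // 8) for name, n in MASK_BITS.items()}


def date_matches(d: date, month_mask: str, dom_mask: str, dow_mask: str) -> bool:
    """Evaluate a calendar date against the three masks. Assumed bit positions:
    month bit 0 = January; day-of-week bit 0 = Sunday; day-of-month bits 0..30
    = days 1..31 from the start of the month, bits 31..61 = days counted back
    from the end with bit 61 the last day; a date matches if either of its two
    day-of-month bits is set."""
    validate_mask("MonthOfYearMask", month_mask)
    validate_mask("DayOfMonthMask", dom_mask)
    validate_mask("DayOfWeekMask", dow_mask)
    last = calendar.monthrange(d.year, d.month)[1]
    from_start = dom_mask[d.day - 1] == "1"
    from_end = dom_mask[61 - (last - d.day)] == "1"
    sunday_first = (d.weekday() + 1) % 7          # Python's weekday() has Monday = 0
    return (month_mask[d.month - 1] == "1"
            and (from_start or from_end)
            and dow_mask[sunday_first] == "1")


if __name__ == "__main__":
    for name, (ucs2, octets) in encoding_sizes().items():
        print(f"{name}: {ucs2} octets as UCS-2 vs {octets} octets packed")
    feb_last_day = date_matches(date(2000, 2, 29), "010000000000", "0" * 61 + "1", "1" * 7)
    print("2000-02-29 matches 'last day of February':", feb_last_day)
```

The packed form is 16 times smaller than the UCS-2 form for every property (24 vs 2, 124 vs 8 and 14 vs 1 octets), which is the inefficiency the message describes; the from-end bits are what let a single mask say "last day of the month" without knowing the month's length.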




From majordomo@raleigh.ibm.com  Fri Feb 11 08:25:24 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA07718
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 08:25:22 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id IAA37282;
	Fri, 11 Feb 2000 08:22:09 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id IAA27354;
	Fri, 11 Feb 2000 08:22:09 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA41698; Fri, 11 Feb 2000 08:03:20 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA42454; Fri, 11 Feb 2000 08:03:16 -0500
Received: from southrelay02.raleigh.ibm.com (southrelay02.raleigh.ibm.com [9.37.3.209])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id IAA13224
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 08:03:20 -0500
From: remoore@us.ibm.com
Received: from d54mta04.raleigh.ibm.com (d54mta04.raleigh.ibm.com [9.67.228.36])
	by southrelay02.raleigh.ibm.com (8.8.8m2/NCO v2.06) with SMTP id IAA31460;
	Fri, 11 Feb 2000 08:03:17 -0500
Received: by d54mta04.raleigh.ibm.com(Lotus SMTP MTA v4.6.5  (863.2 5-20-1999))  id 85256882.0047B3CF ; Fri, 11 Feb 2000 08:03:10 -0500
X-Lotus-Fromdomain: IBMUS
To: "Weiss, Walter" <WWeiss@lucentctc.com>
Cc: policy@raleigh.ibm.com, johns@cisco.com
Message-Id: <85256882.00479897.00@d54mta04.raleigh.ibm.com>
Date: Fri, 11 Feb 2000 07:58:41 -0500
Subject: RE: Policy issues: definition of Roles
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: remoore@us.ibm.com



Walter,

In an earlier posting I proposed separating Policy Roles out from
the more general set of Policy Keywords.  At that time I left it
open where the PolicyRoles property should be placed:  in the
abstract class Policy (which is where PolicyKeywords is now), or
in the class PolicyRule.  I'm now convinced that PolicyRoles should
be placed in PolicyRule, rather than in Policy, because the function
of PolicyRoles is to (help) select the set of PolicyRules that apply
to a given resource.  Contrast this function with that of the
PolicyKeywords property, which is to identify any object in the
policy repository that might be of interest to a PDP that's
searching the repository.

I'm planning to write up a new section for the PCIM describing the
PolicyRoles property, which I will post to the list as soon as I've
completed it.  Then people can decide whether it makes sense.  John
is going to be taking a shot at a section positioning this type of
role versus, say, the roles that are used in COPS.  I don't know
whether he's planning to propose a set of adjectives to distinguish
the different types of roles, although this has certainly been
discussed on the list.

Regards,
Bob

Bob Moore
IBM Networking Software
+1-919-254-4436
remoore@us.ibm.com



"Weiss, Walter" <WWeiss@lucentctc.com>@raleigh.ibm.com on 02/10/2000
04:02:53 PM

Please respond to "Weiss, Walter" <WWeiss@lucentctc.com>

Sent by:  policy-owner@raleigh.ibm.com


To:   policy@raleigh.ibm.com
cc:
Subject:  RE: Policy issues: definition of Roles



I noticed that roles have been described in PFCIM through the
PolicyKeywords
attribute in the Policy class. As PolicyGroup, PolicyRule, PolicyCondition
and PolicyAction all derive from Policy, all of these classes can specify
PolicyKeywords. This suggests that rather than having a role per
policy/rule, you can have keywords at any and all levels of a policy. Is
this desirable or are we going to place certain usage restrictions or
precedence hierarchies on the keywords/roles?

regards,

-Walter
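
The distinction Bob draws between PolicyKeywords (a tag any Policy-derived object can carry, for a PDP searching the repository) and PolicyRoles (carried by PolicyRule, to select the rules that apply to a resource), as an added example that is not PCIM code or any list participant's: a toy repository with both lookups side by side. The class and property names follow the thread; the `Edge&&Ethernet` role-combination syntax, the rule that a combination is satisfied when the resource holds every role in it, and the sample repository contents are assumptions made for the example.

```python
"""Added example: PolicyKeywords as a repository search tag vs. PolicyRoles as a rule selector."""
from dataclasses import dataclass


@dataclass
class Policy:
    """Abstract base from the thread: every policy object can carry keywords."""
    name: str
    policy_keywords: frozenset = frozenset()   # PolicyKeywords


@dataclass
class PolicyCondition(Policy):
    pass


@dataclass
class PolicyAction(Policy):
    pass


@dataclass
class PolicyRule(Policy):
    # PolicyRoles lives on the rule only: a set of role combinations, each
    # combination being a set of role names (assumed 'A&&B' syntax in prose).
    policy_roles: frozenset = frozenset()
    conditions: tuple = ()
    actions: tuple = ()


@dataclass
class PolicyGroup(Policy):
    rules: tuple = ()


def parse_role_combination(text: str) -> frozenset:
    """'Edge&&Ethernet' -> {'Edge', 'Ethernet'}; order-insensitive. An empty
    role name is rejected so that 'Edge&&' cannot turn into a match-anything."""
    roles = [r.strip() for r in text.split("&&")]
    if any(not r for r in roles):
        raise ValueError(f"bad role combination: {text!r}")
    return frozenset(roles)


def iter_policy_objects(repo):
    """Breadth-first walk over groups, rules, conditions and actions, yielding
    each object once even when several rules share the same action object."""
    seen, queue = set(), list(repo)
    while queue:
        obj = queue.pop(0)
        if id(obj) in seen:
            continue
        seen.add(id(obj))
        yield obj
        if isinstance(obj, PolicyGroup):
            queue.extend(obj.rules)
        elif isinstance(obj, PolicyRule):
            queue.extend(obj.conditions + obj.actions)


def select_rules_for_resource(repo, resource_roles) -> list:
    """Selector use of roles: the PolicyRules that apply to a resource. Assumed
    matching rule: a role combination is satisfied when the resource holds
    every role in it, so 'Edge' applies to any edge interface while
    'Edge&&Ethernet' applies only to interfaces holding both roles."""
    held = frozenset(resource_roles)
    return [obj for obj in iter_policy_objects(repo)
            if isinstance(obj, PolicyRule)
            and any(combo <= held for combo in obj.policy_roles)]


def search_by_keyword(repo, keyword: str) -> list:
    """Keyword use: every object of any class tagged with the keyword, which is
    what a PDP browsing the repository gets back, not a set of applicable rules."""
    return [obj for obj in iter_policy_objects(repo)
            if keyword in obj.policy_keywords]


def sample_repository() -> list:
    """Constructed sample data for this example (not from any real deployment)."""
    gold = PolicyAction("MarkGold", frozenset({"QoS"}))
    http = PolicyCondition("MatchHTTP", frozenset({"QoS"}))
    esp = PolicyAction("RequireESP", frozenset({"Security"}))
    rules = (
        PolicyRule("GoldOnEdge", frozenset({"QoS"}),
                   policy_roles=frozenset({parse_role_combination("Edge&&Ethernet")}),
                   conditions=(http,), actions=(gold,)),
        PolicyRule("ESPOnEdge", frozenset({"Security"}),
                   policy_roles=frozenset({parse_role_combination("Edge")}),
                   actions=(esp,)),
        PolicyRule("ShapeCore", frozenset({"QoS"}),
                   policy_roles=frozenset({parse_role_combination("Core")}),
                   actions=(gold,)),   # shares the MarkGold action object
    )
    return [PolicyGroup("SitePolicy", frozenset({"QoS", "Security"}), rules=rules)]


if __name__ == "__main__":
    repo = sample_repository()
    print("rules for an Edge&&Ethernet interface:",
          [r.name for r in select_rules_for_resource(repo, {"Edge", "Ethernet"})])
    print("objects tagged Security:", [o.name for o in search_by_keyword(repo, "Security")])
```

The two lookups answer different questions: the role selector returns only rules, and only those whose role combination the interface satisfies, while the keyword search returns the group, the rules and the conditions and actions alike, which is why a keyword on every Policy-derived class is useful for browsing but is not a substitute for a role on the rule.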





From majordomo@raleigh.ibm.com  Fri Feb 11 09:35:01 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA09901
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 09:34:53 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id JAA25234;
	Fri, 11 Feb 2000 09:24:25 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id JAA33462;
	Fri, 11 Feb 2000 09:24:09 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA39288; Fri, 11 Feb 2000 09:07:49 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA41568; Fri, 11 Feb 2000 09:07:43 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id JAA32018
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 09:07:43 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id JAA12162
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 09:07:38 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZTA66; Fri, 11 Feb 2000 09:04:33 -0500
Message-Id: <4.2.0.58.20000211090103.02de3f10@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Fri, 11 Feb 2000 09:05:23 -0500
To: "John C. Strassner" <jstrassn@cisco.com>,
        "John C. Strassner" <jstrassn@cisco.com>,
        Andrew Smith <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, "'snmpconf@snmp.com'" <snmpconf@snmp.com>,
        rap@iphighway.com, ipsec-policy@vpnc.org
In-Reply-To: <4.2.0.58.20000209074033.00c1b1d0@omega.cisco.com>
References: <4.2.0.58.20000208113808.00ab6c60@209.3.6.76>
 <4.2.0.58.20000208080450.00ad9a00@omega.cisco.com>
 <4.2.0.58.20000206232138.02f037b0@209.3.6.76>
 <4.2.0.58.20000206174814.00c4a2a0@omega.cisco.com>
 <808F64DDB492D3119D3C00508B5D8D733EC4B2@SOL>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_592727597==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

--=====================_592727597==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 08:18 AM 02/09/2000, John C. Strassner wrote:

><js>
>Well, we're getting very close here. Let me propose a summary to see if we 
>can agree. Roles have three fundamentally different uses:
>
>   1) to directly influence device configuration - let's
>      call this PEP ROLES for now
>   2) to translate from a high-level description of policy
>      into one that configures the device either directly
>      or indirectly - let's call this PDP ROLES for now
>   3) to be used as a selector to retrieve a subset of
>      applicable policies from a larger set of available
>      policies - let's call this SELECTOR ROLES for now
>
>Note that the second use is subtly different than the third. The second 
>uses roles as a means to translate between expressing policy in general 
>terms and in configuring the device to implement or support that policy. 
>So in Shai's example, the PDP has two inputs. One input is the definition 
>of the policy from the administrator's point-of-view, which probably can 
>not be used in its current form to configure devices. The other is from 
>the devices that it controls. They announce their capabilities in terms of 
>roles. The PDP then uses roles to translate policy from a business 
>expression (Gold service, or don't allow more than 30% of my core 
>bandwidth to be devoted to a certain type of traffic, or...) to a form 
>that is used to ultimately configure the devices that it controls.
>
>The third use is not focused on translation. Rather, it is a way of 
>selecting policies and/or policy information to be retrieved for further 
>processing.

The #1 is agreed upon, but I fail to see the #2 & #3 being separate
and I have a hard time with "PDP" roles given that PDP is a translation
machine and does not have its own definition or determination of policy
(or roles for that matter). It takes two types of input, one from above
(schema) and one from below (device). Those inputs may have roles in
them, but those are different "role types".


PEP Roles <-----------> PDP <---------------> Schema Roles

The job of the PDP is to bridge between PEPs and Schema, but it doesn't
have roles or policy per se.

Shai


__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006



From majordomo@raleigh.ibm.com  Fri Feb 11 09:35:54 2000
Message-Id: <4.2.0.58.20000211085610.02facc10@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Fri, 11 Feb 2000 08:58:51 -0500
To: "Jon Sjoberg" <jsjoberg@TopLayer.com>,
        "Andrew Smith" <andrew@extremenetworks.com>
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: <policy@raleigh.ibm.com>, <snmpconf@snmp.com>, <rap@iphighway.com>
In-Reply-To: <NDBBIAJPECLMAGIKKEJGIEEBCAAA.jsjoberg@toplayer.com>
References: <4.2.0.58.20000208145823.00ab6c60@209.3.6.76>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_592727537==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

--=====================_592727537==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 05:59 AM 02/09/2000, Jon Sjoberg wrote:
>Shai,
>
>Correct me if I'm wrong, but I read the below to say that the "ALL" in 
>your definition means that all the roles in a role combination associated 
>to a policy must be a proper subset of the roles on a PEP for the policy 
>to be loaded.
>
>So, for your example:
>
>If I had a QoS policy P1 associated with the combination "Edge+Ethernet", 
>and a PEP that supported the roles 
>"Edge+Ethernet+TrustedInterface+Engineering", then P1 would be appropriate 
>for that PEP.  Correct?
>
>In this case, a security policy, P2, for all TrustedInterface PEPs would 
>be merged with P1.  Correct?

This is too vague. What do you mean by "associated"? Do you mean that
it is sent to the PEP with the role "Edge+Ethernet", or do you
mean that it is associated in the policy DB? I must understand the
level you're talking about.

>  What I'm also understanding that may be wrong is that this position 
> further holds that the association between Edge+Ethernet and P1 is not 
> stored in the schema but the PDP comes up with this out of some learned 
> or intrinsic network knowledge (proprietary).  What is stored in the 
> schema, and associated with a policy in the schema, is some set of 
> identifiers as to the general functionality that a policy pertains to 
> (Configuration, QoS, Security, etc.).
>
>Am I close?
>
>Jon
>>-----Original Message-----
>>From: policy-owner@raleigh.ibm.com 
>>[mailto:policy-owner@raleigh.ibm.com]On Behalf Of Shai Herzog
>>Sent: Tuesday, February 08, 2000 12:32 PM
>>To: Andrew Smith
>>Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'; rap@iphighway.com
>>Subject: RE: Policy issues: definition of Roles
>>
>>At 03:07 PM 02/07/2000, Andrew Smith wrote:
>>>Shai,
>>>
>>>In the worst case then, yes, you're right, the PDP has to multiply out the
>>>role combinations and send them all to the PEP. But there will be many cases
>>>where the PDP knows that a policy does not need to distinguish between "T1"
>>>and "Ethernet": then, the PDP can download a policy for role-combination
>>>"Edge". In that case, the ALL in your definition is not applicable. That is
>>>what I was trying to explain in my response to Bob Natale last week (1/31).
>>
>>I think I am beginning to understand what you mean... ;-)
>>
>>with two Role Combinations "Edge+Ethernet" and "Edge+T1" the PDP
>>normally would send two different configurations such as
>>
>>"Edge+T1":    Mark DSCP AF21
>>"Edge+Ether": Mark DSCP AF11
>>
>>If it turns out that the instructions for these two are the same
>>(by chance) meaning (Policy1):
>>
>>"Edge+T1":    Mark DSCP AF11
>>"Edge+Ether": Mark DSCP AF11
>>
>>Then perhaps we'd want to have a wildcard that says (Policy2):
>>
>>"Edge+*":     Mark DSCP AF11
>>
>>BUT, Policy2 is merely a shorthand for Policy1; they mean the same.
>>The important distinction in my view is that the PDP cannot send
>>a policy "T1+*" and expect the PEP to merge the policy
>>in "Edge+*" with "T1+*" into "Edge+T1".
>>
>>So, when receiving a policy for "Edge+*" the PEP interprets it
>>as
>>
>>"Replace/override the policy for all role combinations with Edge
>>in them with the following"...
>>
>>If a "T1+*" comes later, it will REPLACE (not merge) the configuration
>>installed on "Edge+T1".
>>
>>This is why I insist on the "ALL" in the role combination: The PDP
>>must provide a policy that is clearly for a specific COMPLETE
>>role combination, and the PEP isn't expected to merge policy
>>for roles into role combination. BUT as you suggested a shorthand
>>representation may be made for the purpose of saving bits and overhead
>>but that has the same meaning as the "ALL".
>>
>>I am not sure if my description is clear, but I hope ;-)
>>
>>Shai
>>


__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006
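A small executable model of the PEP-side semantics Shai lays out in the quoted 02/08 message (complete role combination required, "Edge+*" as a pure shorthand, later policy REPLACES rather than merges). This is an added example, not code from the thread or from IPHighway; the PEP, its interface names and the DSCP actions are constructed sample data.

```python
"""Constructed model of role-combination policy installation on a PEP.

A policy is keyed by a COMPLETE role combination ("Edge+T1").  The wildcard
form "Edge+*" is only a shorthand: on the PEP it expands to every complete
combination containing Edge, and installing it replaces (never merges) the
configuration those combinations already had.
"""
from typing import Dict, FrozenSet, List, Optional

RoleCombination = FrozenSet[str]
WILDCARD = "*"


def parse_combination(text: str) -> RoleCombination:
    """'Edge+T1' -> {'Edge', 'T1'}; the '*' token is kept as a literal."""
    roles = frozenset(r.strip() for r in text.split("+") if r.strip())
    if not roles:
        raise ValueError("empty role combination: %r" % text)
    return roles


class PEP:
    """Constructed PEP: each interface carries one complete role combination."""

    def __init__(self, interfaces: Dict[str, str]) -> None:
        # interface name -> its complete role combination
        self.roles: Dict[str, RoleCombination] = {
            name: parse_combination(combo) for name, combo in interfaces.items()
        }
        # interface name -> currently installed action (None = nothing yet)
        self.config: Dict[str, Optional[str]] = {name: None for name in interfaces}

    def select(self, selector: str) -> List[str]:
        """Interfaces a policy selector applies to.

        Without a wildcard the selector must equal the COMPLETE combination
        (the "ALL" rule): "Edge" alone matches nothing on an Edge+T1 interface.
        With a wildcard, every interface whose combination contains the fixed
        roles is selected.
        """
        sel = parse_combination(selector)
        fixed = sel - {WILDCARD}
        if WILDCARD in sel:
            return sorted(n for n, c in self.roles.items() if fixed <= c)
        return sorted(n for n, c in self.roles.items() if c == fixed)

    def install(self, selector: str, action: str) -> List[str]:
        """Install a policy; returns the interfaces whose config was replaced."""
        hit = self.select(selector)
        for name in hit:
            self.config[name] = action  # replace/override, never merge
        return hit


def run_thread_scenario() -> Dict[str, Dict[str, Optional[str]]]:
    """Replays the Policy1 / Policy2 / "T1+*" sequence from the thread."""

    def fresh() -> PEP:
        return PEP({"if0": "Edge+T1", "if1": "Edge+Ethernet", "if2": "Core+T1"})

    # Policy1: one explicit entry per complete role combination.
    p1 = fresh()
    p1.install("Edge+T1", "Mark DSCP AF11")
    p1.install("Edge+Ethernet", "Mark DSCP AF11")

    # Policy2: the wildcard shorthand; must end up identical to Policy1.
    p2 = fresh()
    p2.install("Edge+*", "Mark DSCP AF11")

    # A later "T1+*" replaces (does not merge into) Edge+T1's configuration
    # and also reaches Core+T1; Edge+Ethernet is left untouched.
    p3 = fresh()
    p3.install("Edge+*", "Mark DSCP AF11")
    p3.install("T1+*", "Mark DSCP AF21")

    # An incomplete, non-wildcard selector matches no interface at all.
    p4 = fresh()
    p4.install("Edge", "Mark DSCP AF11")

    return {
        "policy1": p1.config,
        "policy2": p2.config,
        "after_t1_wildcard": p3.config,
        "incomplete": p4.config,
    }


if __name__ == "__main__":
    for label, cfg in run_thread_scenario().items():
        print(label, cfg)
```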



From majordomo@raleigh.ibm.com  Fri Feb 11 11:50:54 2000
From: "Jon Sjoberg" <jsjoberg@TopLayer.com>
To: "Shai Herzog" <herzog@iphighway.com>
Cc: <policy@raleigh.ibm.com>
Subject: RE: Policy issues: definition of Roles
Date: Fri, 11 Feb 2000 11:22:59 -0500
Message-Id: <001d01bf74ac$42f0d6a0$92ee67c7@blazenet.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_001E_01BF7482.5A1ACEA0"
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2232.26
In-Reply-To: <4.2.0.58.20000211085610.02facc10@209.3.6.76>
Importance: Normal
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Jon Sjoberg" <jsjoberg@TopLayer.com>

This is a multi-part message in MIME format.

------=_NextPart_000_001E_01BF7482.5A1ACEA0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

I mean logically associated with it; whether we store this association in
the DB or not seems to be under discussion.  So P1 is destined for any PEP
that supports "Edge+Ethernet" and P2 is destined for any PEP that supports a
TrustedInterface.

  -----Original Message-----
  From: Shai Herzog [mailto:herzog@iphighway.com]
  Sent: Friday, February 11, 2000 8:59 AM
  To: Jon Sjoberg; Andrew Smith
  Cc: policy@raleigh.ibm.com; snmpconf@snmp.com; rap@iphighway.com
  Subject: RE: Policy issues: definition of Roles


  At 05:59 AM 02/09/2000, Jon Sjoberg wrote:

    Shai,

    Correct me if I'm wrong, but I read the below to say that the "ALL" in
your definition means that all the roles in a role combination associated to
a policy must be a proper subset of the roles on a PEP for the policy to be
loaded.

    So, for your example:

    If I had a QoS policy P1 associated with the combination
"Edge+Ethernet", and a PEP that supported the roles
"Edge+Ethernet+TrustedInterface+Engineering", then P1 would be appropriate
for that PEP.  Correct?

    In this case, a security policy, P2, for all TrustedInterface PEPs would
be merged with P1.  Correct?

  This is too vague. What do you mean by "associated"? Do you mean that
  it is sent to the PEP with the role "Edge+Ethernet", or do you
  mean that it is associated in the policy DB? I must understand the
  level you're talking about.


     What I'm also understanding that may be wrong is that this position
further holds that the association between Edge+Ethernet and P1 is not
stored in the schema but the PDP comes up with this out of some learned or
intrinsic network knowledge (proprietary).  What is stored in the schema,
and associated with a policy in the schema, is some set of identifiers as to
the general functionality that a policy pertains to (Configuration, QoS,
Security, etc.).

    Am I close?

    Jon

      -----Original Message-----
      From: policy-owner@raleigh.ibm.com
[mailto:policy-owner@raleigh.ibm.com]On Behalf Of Shai Herzog
      Sent: Tuesday, February 08, 2000 12:32 PM
      To: Andrew Smith
      Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'; rap@iphighway.com
      Subject: RE: Policy issues: definition of Roles

      At 03:07 PM 02/07/2000, Andrew Smith wrote:

        Shai,

        In the worst case then, yes, you're right, the PDP has to multiply
out the
        role combinations and send them all to the PEP. But there will be
many cases
        where the PDP knows that a policy does not need to distinguish
between "T1"
        and "Ethernet": then, the PDP can download a policy for
role-combination
        "Edge". In that case, the ALL in your definition is not applicable.
That is
        what I was trying to explain in my response to Bob Natale last week
(1/31).

      I think I am beginning to understand what you mean... ;-)

      with two Role Combinations "Edge+Ethernet" and "Edge+T1" the PDP
      normally would send two different configurations such as

      "Edge+T1":    Mark DSCP AF21
      "Edge+Ether": Mark DSCP AF11

      If it turns out that the instructions for these two are the same
      (by chance) meaning (Policy1):

      "Edge+T1":    Mark DSCP AF11
      "Edge+Ether": Mark DSCP AF11

      Then perhaps we'd want to have a wildcard that says (Policy2):

      "Edge+*":     Mark DSCP AF11

      BUT, Policy2 is merely a shorthand for Policy1; they mean the same.
      The important distinction in my view is that the PDP cannot send
      a policy "T1+*" and expect the PEP to merge the policy
      in "Edge+*" with "T1+*" into "Edge+T1".

      So, when receiving a policy for "Edge+*" the PEP interprets it
      as

      "Replace/override the policy for all role combinations with Edge
      in them with the following"...

      If a "T1+*" comes later, it will REPLACE (not merge) the configuration
      installed on "Edge+T1".

      This is why I insist on the "ALL" in the role combination: The PDP
      must provide a policy that is clearly for a specific COMPLETE
      role combination, and the PEP isn't expected to merge policy
      for roles into role combination. BUT as you suggested a shorthand
      representation may be made for the purpose of saving bits and overhead
      but that has the same meaning as the "ALL".

      I am not sure if my description is clear, but I hope ;-)

      Shai

------=_NextPart_000_001E_01BF7482.5A1ACEA0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Dwindows-1252" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2314.1000" name=3DGENERATOR></HEAD>
<BODY>
<DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN =
class=3D524311416-11022000>I mean=20
logically associated with it, whether we store this association in the =
DB or not=20
seems to be under discussion.&nbsp; So P1 is destined for any PEP that =
supports=20
"Edge+Ethernet" and P2 is destined for any PEP that supports a=20
TrustedInterface.</SPAN></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20
class=3D524311416-11022000></SPAN></FONT>&nbsp;</DIV>
<BLOCKQUOTE=20
style=3D"BORDER-LEFT: #0000ff 2px solid; MARGIN-LEFT: 5px; PADDING-LEFT: =
5px">
  <DIV class=3DOutlookMessageHeader><FONT face=3D"Times New Roman"=20
  size=3D2>-----Original Message-----<BR><B>From:</B> Shai Herzog=20
  [mailto:herzog@iphighway.com]<BR><B>Sent:</B> Friday, February 11, =
2000 8:59=20
  AM<BR><B>To:</B> Jon Sjoberg; Andrew Smith<BR><B>Cc:</B>=20
  policy@raleigh.ibm.com; snmpconf@snmp.com;=20
  rap@iphighway.com<BR><B>Subject:</B> RE: Policy issues: definition of=20
  Roles<BR><BR></DIV></FONT>At 05:59 AM 02/09/2000, Jon Sjoberg =
wrote:<BR><FONT=20
  color=3D#0000ff face=3Darial size=3D2>
  <BLOCKQUOTE cite type=3D"cite">Shai,</FONT><BR>&nbsp;<BR><FONT =
color=3D#0000ff=20
    face=3Darial size=3D2>Correct me if I'm wrong, but I read the below =
to say that=20
    the "ALL" in your definition means that all the roles in a role =
combination=20
    associated to a policy must be a proper subset of the roles on a PEP =
for the=20
    policy to be loaded.</FONT><BR>&nbsp;<BR><FONT color=3D#0000ff =
face=3Darial=20
    size=3D2>So, for your example:</FONT><BR>&nbsp;<BR><FONT =
color=3D#0000ff=20
    face=3Darial size=3D2>If I had a QoS policy P1 associated with the =
combination=20
    "Edge+Ethernet", and a PEP that supported the roles=20
    "Edge+Ethernet+TrustedInterface+Engineering", then P1 would be =
appropriate=20
    for that PEP.&nbsp; Correct?</FONT><BR>&nbsp;<BR><FONT =
color=3D#0000ff=20
    face=3Darial size=3D2>In this case, a security policy, P2, for all=20
    TrustedInterface PEPs would be merged with P1.&nbsp;=20
  Correct?</FONT></BLOCKQUOTE><BR>This is too vague, what do you mean by =

  "associated" so you mean that<BR>it is sent to the PEP with the role=20
  "Edge+Ethernet", or do you <BR>mean that it is associated in the =
policy DB? I=20
  must understand the<BR>level your talking about.<BR><BR>
  <BLOCKQUOTE cite type=3D"cite">&nbsp;<FONT color=3D#0000ff =
face=3Darial=20
    size=3D2>What I'm also understanding that may be wrong is that this =
position=20
    further holds that the association between Edge+Ethernet and P1 is =
not=20
    stored in the schema but the PDP comes up with this out of some =
learned or=20
    intrinsic network knowledge (proprietary).&nbsp; What is stored in =
the=20
    schema, and associated with a policy in the schema, is some set of=20
    identifiers as to the general functionality that a policy pertains =
to=20
    (Configuration, QoS, Security, etc.). </FONT><BR>&nbsp;<BR><FONT=20
    color=3D#0000ff face=3Darial size=3D2>Am I =
close?</FONT><BR>&nbsp;<BR><FONT=20
    color=3D#0000ff face=3Darial size=3D2>Jon</FONT><BR><FONT =
face=3Dtahoma size=3D2>
    <BLOCKQUOTE cite type=3D"cite">-----Original =
Message-----<BR><B>From:</B>=20
      policy-owner@raleigh.ibm.com [<A=20
      href=3D"mailto:policy-owner@raleigh.ibm.com%5DOn"=20
      eudora=3D"autourl">mailto:policy-owner@raleigh.ibm.com]</A><A=20
      href=3D"mailto:policy-owner@raleigh.ibm.com%5DOn" =
eudora=3D"autourl"><B>On</A>=20
      Behalf Of </B>Shai Herzog<BR><B>Sent:</B> Tuesday, February 08, =
2000 12:32=20
      PM<BR><B>To:</B> Andrew Smith<BR><B>Cc:</B> =
policy@raleigh.ibm.com;=20
      'snmpconf@snmp.com'; rap@iphighway.com<BR><B>Subject:</B> RE: =
Policy=20
      issues: definition of Roles<BR><BR></FONT>At 03:07 PM 02/07/2000, =
Andrew=20
      Smith wrote:<BR>
      <BLOCKQUOTE cite type=3D"cite">Shai,<BR><BR>In the worst case =
then, yes,=20
        you're right, the PDP has to multiply out the<BR>role =
combinations and=20
        send them all to the PEP. But there will be many cases<BR>where =
the PDP=20
        knows that a policy does not need to distinguish between "T1"<BR>and
        "Ethernet": then, the PDP can download a policy for
        role-combination<BR>"Edge". In that case, the ALL in your definition is
        not applicable. That is<BR>what I was trying to explain in my response
        to Bob Natale last week (1/31).</BLOCKQUOTE><BR>I think I am beginning to
      understand what you mean... ;-)<BR><BR>with two Role Combinations
      "Edge+Ethernet" and "Edge+T1" the PDP<BR>normally would send two different
      configurations such as<BR><BR>"Edge+T1":&nbsp;&nbsp;&nbsp; Mark DSCP
      AF21<BR>"Edge+Ether": Mark DSCP AF11<BR><BR>If it turns out that the
      instructions for these two are the same<BR>(by chance) meaning
      (Policy1):<BR><BR>"Edge+T1":&nbsp;&nbsp;&nbsp; Mark DSCP
      AF11<BR>"Edge+Ether": Mark DSCP AF11<BR><BR>Then perhaps we'd want to have
      a wildcard that says (Policy2):<BR><BR>"Edge+*":&nbsp;&nbsp;&nbsp;&nbsp;
      Mark DSCP AF11<BR><BR>BUT, Policy2 is merely a short hand for Policy1 but
      they mean the same.<BR>The important distinction in my view is that the
      PDP cannot send<BR>a policy "T1+*" and expect the PEP to merge the
      policy<BR>in "Edge+*" with "T1+*" into "Edge+T1". <BR><BR>So, when
      receiving a policy for "Edge+*" the PEP interprets it <BR>as
      <BR><BR>"Replace/override the policy for all role combinations with
      Edge<BR>in them with the following"...<BR><BR>If a "T1+*" comes later, it
      will REPLACE (not merge) the configuration<BR>installed on
      "Edge+T1".<BR><BR>This is why I insist on the "ALL" in the role
      combination: The PDP<BR>must provide a policy that is clearly for a
      specific COMPLETE<BR>role combination, and the PEP isn't expected to merge
      policy<BR>for roles into role combination. BUT as you suggested a
      shorthand<BR>representation may be made for the purpose of saving bits and
      overhead<BR>but that has the same meaning as the "ALL".<BR><BR>I am not
      sure if my description is clear, but I hope
      ;-)<BR><BR>Shai<BR><BR>__________________________________________________________________<BR>Shai
      Herzog, Founder &amp; CTO&nbsp;&nbsp; IPHighway Inc.&nbsp;&nbsp; Tel :
      (914) 654-4810<BR>55 New York Avenue   Main: (508) 620-1141<BR>Framingham, MA 01701   Fax : (212) 656-1006<BR>
    </BLOCKQUOTE></BLOCKQUOTE><BR><BR>
  <DIV>__________________________________________________________________</DIV>
  <DIV>Shai Herzog, Founder &amp; CTO&nbsp;&nbsp; IPHighway Inc.&nbsp;&nbsp; Tel : (914) 654-4810</DIV>
  <DIV>55 New York Avenue   Main: (508) 620-1141</DIV>
  <DIV>Framingham, MA 01701   Fax : (212) 656-1006</DIV>
</BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_001E_01BF7482.5A1ACEA0--



From majordomo@raleigh.ibm.com  Fri Feb 11 12:30:11 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA15227
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 12:30:03 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id MAA10480;
	Fri, 11 Feb 2000 12:24:59 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id MAA30630;
	Fri, 11 Feb 2000 12:24:58 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA40590; Fri, 11 Feb 2000 12:05:52 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA40574; Fri, 11 Feb 2000 12:05:43 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id MAA25224
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 12:05:47 -0500
Received: from rerun.lucentctc.com (rerun.lucentctc.com [199.93.237.2])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id MAA26216
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 12:05:44 -0500
Received: by rerun.lucentctc.com with Internet Mail Service (5.5.2448.0)
	id <1FBG14QK>; Fri, 11 Feb 2000 12:05:11 -0500
Message-Id: <75ADD7496F0BD211ADC000104B8846CF019115BC@rerun.lucentctc.com>
From: "Weiss, Walter" <WWeiss@lucentctc.com>
To: "'remoore@us.ibm.com'" <remoore@us.ibm.com>
Cc: policy@raleigh.ibm.com, johns@cisco.com
Subject: RE: Policy issues: definition of Roles
Date: Fri, 11 Feb 2000 12:05:09 -0500
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Weiss, Walter" <WWeiss@lucentctc.com>

Bob,

I think this is an excellent idea. However, I believe another problem
arises. Let's consider two policy rules. In one policy rule, let's suppose
we are trying to limit engineering traffic to some arbitrary level/rate.
This policy rule would presumably have two roles: Engineering Interface and
Edge Interface. I believe the presumption is that the policy rule can only
be applied if both roles are satisfied.

Now, let's suppose the second policy is designed to facilitate a network
login by preventing access to the network until the appropriate IP address
has been given by the DHCP server. Thus when the IP address is assigned, the
policy adds or removes the filter (as the case may be) to allow access to
certain parts of the network based on the identity of the new user. Now,
here I am trying to make a feeble attempt at describing a policy that
crosses two technology domains. Presumably, because we are crossing two
domains, the roles need to represent both domains so that the policy (or
portions of the policy) can be distributed (or processed on behalf of) the
DHCP server and the router managing the filter. Hence, the role for the
policy rule would presumably be DHCP and EndUserInterface.

Now, in the first policy example, we only processed the policy rule on
behalf of devices that satisfied both role criteria (a logical AND of the
roles). In the second policy rule, we want to process the policy for either
role (a logical OR of the roles). Whether we go with an AND semantic or with
an OR semantic, either seems to cause problems.

regards,

-Walter

> -----Original Message-----
> From: remoore@us.ibm.com [mailto:remoore@us.ibm.com]
> Sent: Friday, February 11, 2000 7:59 AM
> To: Weiss, Walter
> Cc: policy@raleigh.ibm.com; johns@cisco.com
> Subject: RE: Policy issues: definition of Roles
> 
> 
> 
> 
> Walter,
> 
> In an earlier posting I proposed separating Policy Roles out from
> the more general set of Policy Keywords.  At that time I left it
> open where the PolicyRoles property should be placed:  in the
> abstract class Policy (which is where PolicyKeywords is now), or
> in the class PolicyRule.  I'm now convinced that PolicyRoles should
> be placed in PolicyRule, rather than in Policy, because the function
> of PolicyRoles is to (help) select the set of PolicyRules that apply
> to a given resource.  Contrast this function with that of the
> PolicyKeywords property, which is to identify any object in the
> policy repository that might be of interest to a PDP that's
> searching the repository.
> 
> I'm planning to write up a new section for the PCIM describing the
> PolicyRoles property, which I will post to the list as soon as I've
> completed it.  Then people can decide whether it makes sense.  John
> is going to be taking a shot at a section positioning this type of
> role versus, say, the roles that are used in COPS.  I don't know
> whether he's planning to propose a set of adjectives to distinguish
> the different types of roles, although this has certainly been
> discussed on the list.
> 
> Regards,
> Bob
> 
> Bob Moore
> IBM Networking Software
> +1-919-254-4436
> remoore@us.ibm.com
> 
> 
> 
> "Weiss, Walter" <WWeiss@lucentctc.com>@raleigh.ibm.com on 02/10/2000
> 04:02:53 PM
> 
> Please respond to "Weiss, Walter" <WWeiss@lucentctc.com>
> 
> Sent by:  policy-owner@raleigh.ibm.com
> 
> 
> To:   policy@raleigh.ibm.com
> cc:
> Subject:  RE: Policy issues: definition of Roles
> 
> 
> 
> I noticed that roles have been described in PFCIM through the
> PolicyKeywords attribute in the Policy class. As PolicyGroup, PolicyRule,
> PolicyCondition and PolicyAction all derive from Policy, all of these
> classes can specify PolicyKeywords. This suggests that rather than having
> a role per policy/rule, you can have keywords at any and all levels of a
> policy. Is this desirable or are we going to place certain usage
> restrictions or precedence hierarchies on the keywords/roles?
> 
> regards,
> 
> -Walter
> 
> 
> 
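
Walter's two cases, modelled as an added example (not code from the thread and not PCIM's own definitions): the assumption made here is that a rule carries one or more role combinations, the roles inside one combination are ANDed, and a rule with several combinations is selected when any one of them matches; `flat_match` shows why a single flat role list with one global AND or OR semantic cannot serve both cases. Device names and role names are constructed.

```python
# Added example: rule selection with AND-within-combination, OR-across-combinations.
# Assumption (not from the thread): a rule's roles are a tuple of role combinations;
# each combination is a frozenset of role names.
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    name: str
    role_combinations: tuple  # each entry is a frozenset of role names


def combo(*roles):
    """Build one role combination; every role in it must be present (AND)."""
    return frozenset(roles)


def rule_applies(rule, device_roles):
    """True if the device holds every role of at least one combination (OR across)."""
    device_roles = frozenset(device_roles)
    return any(c <= device_roles for c in rule.role_combinations)


def select_rules(rules, device_roles):
    """Names of the rules a PDP would process on behalf of this device."""
    return [r.name for r in rules if rule_applies(r, device_roles)]


def flat_match(rule_roles, device_roles, mode):
    """Walter's dilemma: a flat role list with ONE global semantic ('AND' or 'OR')."""
    hits = [r in device_roles for r in rule_roles]
    return all(hits) if mode == "AND" else any(hits)


# Case 1: limit engineering traffic; only an interface that is BOTH an
# Engineering interface AND an Edge interface qualifies (one combination, two roles).
RATE_LIMIT = PolicyRule("LimitEngineeringTraffic",
                        (combo("EdgeInterface", "EngineeringInterface"),))

# Case 2: network login; processed on behalf of EITHER the DHCP server OR the
# end-user interface (two combinations, one role each).
NETWORK_LOGIN = PolicyRule("NetworkLoginFilter",
                           (combo("DHCP"), combo("EndUserInterface")))

RULES = [RATE_LIMIT, NETWORK_LOGIN]

# Constructed sample devices and the roles each one holds.
DEVICES = {
    "eng-edge-if": {"EdgeInterface", "EngineeringInterface"},
    "eng-core-if": {"EngineeringInterface", "CoreInterface"},
    "dhcp-server": {"DHCP"},
    "user-if": {"EndUserInterface", "EdgeInterface"},
}


def evaluate_all():
    """Map each constructed device to the rules selected for it."""
    return {name: select_rules(RULES, roles) for name, roles in DEVICES.items()}


if __name__ == "__main__":
    for dev, names in evaluate_all().items():
        print(f"{dev}: {names}")
    # A single global semantic breaks one of the two cases:
    print("flat AND, login rule on DHCP server:",
          flat_match({"DHCP", "EndUserInterface"}, {"DHCP"}, "AND"))  # False
    print("flat OR, rate-limit on a core interface:",
          flat_match({"EdgeInterface", "EngineeringInterface"},
                     {"EngineeringInterface", "CoreInterface"}, "OR"))  # True
```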


From majordomo@raleigh.ibm.com  Fri Feb 11 12:41:15 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA15607
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 12:40:59 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id MAA40918;
	Fri, 11 Feb 2000 12:38:34 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id MAA30832;
	Fri, 11 Feb 2000 12:38:36 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA39250; Fri, 11 Feb 2000 12:20:02 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA57376; Fri, 11 Feb 2000 12:19:55 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id MAA18322
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 12:19:59 -0500
Received: from bmailnj.iphighway.com ([209.3.6.76])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id MAA29918
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 12:19:55 -0500
Received: from SHAI (216-59-44-28.usa.flashcom.net [216.59.44.28]) by bmailnj.iphighway.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2448.0)
	id D6TZTA0S; Fri, 11 Feb 2000 12:16:51 -0500
Message-Id: <4.2.0.58.20000211120737.02fa1a48@209.3.6.76>
X-Sender: herzog@209.3.6.76
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Fri, 11 Feb 2000 12:19:49 -0500
To: "Jon Sjoberg" <jsjoberg@TopLayer.com>
From: Shai Herzog <herzog@iphighway.com>
Subject: RE: Policy issues: definition of Roles
Cc: <policy@raleigh.ibm.com>
In-Reply-To: <001d01bf74ac$42f0d6a0$92ee67c7@blazenet.com>
References: <4.2.0.58.20000211085610.02facc10@209.3.6.76>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_604267410==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Shai Herzog <herzog@iphighway.com>

--=====================_604267410==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

Missed the point. "logically" is exactly why I am confused by your
example. You have to be more precise since there are multiple levels
of policy each with its own "logical" stuff.

I guess I'll ask this as a yes/no question:

Is this association a decision by the PDP? (or a schema style association?)
Are P1 and P2 mergeable at all (from the same policy domain) or are they 
separate (orthogonal) ones?
In your example, it seems that they are NOT from the same domain,
therefore they don't merge anyway.

The reason I'm asking:

1. If they are NOT mergeable at all (separate domains) then we don't have
    a question (in COPS it would be different client types).

    PDP -> PEP: (Client-type-X)
        Role="Edge+Ethernet+TrustedInterface+Engineering" P1

    PDP -> PEP: (Client-type-Y)
        Role="Edge+Ethernet+TrustedInterface+Engineering" P2

2. If they are mergeable, then any PEP role combination can't get two
    of them since it is not supposed to know how to merge them. What
    needs to happen is that the PDP will merge both and send a COPS
    message for "Edge+Ethernet+TrustedInterface+Engineering" with merge(P1,P2).

Shai

At 11:22 AM 02/11/2000, Jon Sjoberg wrote:
>I mean logically associated with it, whether we store this association in 
>the DB or not seems to be under discussion.  So P1 is destined for any PEP 
>that supports "Edge+Ethernet" and P2 is destined for any PEP that supports 
>a TrustedInterface.
>
>>-----Original Message-----
>>From: Shai Herzog [mailto:herzog@iphighway.com]
>>Sent: Friday, February 11, 2000 8:59 AM
>>To: Jon Sjoberg; Andrew Smith
>>Cc: policy@raleigh.ibm.com; snmpconf@snmp.com; rap@iphighway.com
>>Subject: RE: Policy issues: definition of Roles
>>
>>At 05:59 AM 02/09/2000, Jon Sjoberg wrote:
>>>Shai,
>>>
>>>Correct me if I'm wrong, but I read the below to say that the "ALL" in 
>>>your definition means that all the roles in a role combination 
>>>associated to a policy must be a proper subset of the roles on a PEP for 
>>>the policy to be loaded.
>>>
>>>So, for your example:
>>>
>>>If I had a QoS policy P1 associated with the combination 
>>>"Edge+Ethernet", and a PEP that supported the roles 
>>>"Edge+Ethernet+TrustedInterface+Engineering", then P1 would be 
>>>appropriate for that PEP.  Correct?
>>>
>>>In this case, a security policy, P2, for all TrustedInterface PEPs would 
>>>be merged with P1.  Correct?
>>
>>This is too vague: what do you mean by "associated"? Do you mean that
>>it is sent to the PEP with the role "Edge+Ethernet", or do you
>>mean that it is associated in the policy DB? I must understand the
>>level you're talking about.
>>
>>>  What I'm also understanding that may be wrong is that this position 
>>> further holds that the association between Edge+Ethernet and P1 is not 
>>> stored in the schema but the PDP comes up with this out of some learned 
>>> or intrinsic network knowledge (proprietary).  What is stored in the 
>>> schema, and associated with a policy in the schema, is some set of 
>>> identifiers as to the general functionality that a policy pertains to 
>>> (Configuration, QoS, Security, etc.).
>>>
>>>Am I close?
>>>
>>>Jon
>>>>-----Original Message-----
>>>>From: policy-owner@raleigh.ibm.com 
>>>>[mailto:policy-owner@raleigh.ibm.com]On Behalf Of Shai Herzog
>>>>Sent: Tuesday, February 08, 2000 12:32 PM
>>>>To: Andrew Smith
>>>>Cc: policy@raleigh.ibm.com; 'snmpconf@snmp.com'; rap@iphighway.com
>>>>Subject: RE: Policy issues: definition of Roles
>>>>
>>>>At 03:07 PM 02/07/2000, Andrew Smith wrote:
>>>>>Shai,
>>>>>
>>>>>In the worst case then, yes, you're right, the PDP has to multiply out the
>>>>>role combinations and send them all to the PEP. But there will be many cases
>>>>>where the PDP knows that a policy does not need to distinguish between "T1"
>>>>>and "Ethernet": then, the PDP can download a policy for role-combination
>>>>>"Edge". In that case, the ALL in your definition is not applicable. That is
>>>>>what I was trying to explain in my response to Bob Natale last week (1/31).
>>>>
>>>>I think I am beginning to understand what you mean... ;-)
>>>>
>>>>with two Role Combinations "Edge+Ethernet" and "Edge+T1" the PDP
>>>>normally would send two different configurations such as
>>>>
>>>>"Edge+T1":    Mark DSCP AF21
>>>>"Edge+Ether": Mark DSCP AF11
>>>>
>>>>If it turns out that the instructions for these two are the same
>>>>(by chance) meaning (Policy1):
>>>>
>>>>"Edge+T1":    Mark DSCP AF11
>>>>"Edge+Ether": Mark DSCP AF11
>>>>
>>>>Then perhaps we'd want to have a wildcard that says (Policy2):
>>>>
>>>>"Edge+*":     Mark DSCP AF11
>>>>
>>>>BUT, Policy2 is merely a short hand for Policy1 but they mean the same.
>>>>The important distinction in my view is that the PDP cannot send
>>>>a policy "T1+*" and expect the PEP to merge the policy
>>>>in "Edge+*" with "T1+*" into "Edge+T1".
>>>>
>>>>So, when receiving a policy for "Edge+*" the PEP interprets it
>>>>as
>>>>
>>>>"Replace/override the policy for all role combinations with Edge
>>>>in them with the following"...
>>>>
>>>>If a "T1+*" comes later, it will REPLACE (not merge) the configuration
>>>>installed on "Edge+T1".
>>>>
>>>>This is why I insist on the "ALL" in the role combination: The PDP
>>>>must provide a policy that is clearly for a specific COMPLETE
>>>>role combination, and the PEP isn't expected to merge policy
>>>>for roles into role combination. BUT as you suggested a shorthand
>>>>representation may be made for the purpose of saving bits and overhead
>>>>but that has the same meaning as the "ALL".
>>>>
>>>>I am not sure if my description is clear, but I hope ;-)
>>>>
>>>>Shai
>>>>
>>>>__________________________________________________________________
>>>>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>>>>55 New York Avenue                            Main: (508) 620-1141
>>>>Framingham, MA 01701                          Fax : (212) 656-1006
>>>>
>>>>
>>>>
>>>>
>>>>
>>
>>
>>__________________________________________________________________
>>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>>55 New York Avenue                            Main: (508) 620-1141
>>Framingham, MA 01701                          Fax : (212) 656-1006
>>
>>
>>
>>
>>


__________________________________________________________________
Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
55 New York Avenue                            Main: (508) 620-1141
Framingham, MA 01701                          Fax : (212) 656-1006
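
The PEP behaviour Shai describes in this message and in his quoted earlier one, as an added example (not code from the thread): a policy installs only on complete role combinations, "Edge+*" is a shorthand that expands to every complete combination containing Edge, a later install replaces rather than merges, and policies from different domains are kept apart by an assumed COPS client-type key. Policies as tuples of action strings, the `merge` function and the role combinations on the toy PEP are constructed for illustration.

```python
# Added example: a toy PEP applying the "ALL"/replace-not-merge rules.
# Assumptions (not from the thread): role combinations are written "Edge+T1",
# a trailing "*" is shorthand for every complete combination on the PEP that
# contains the listed roles, and installed policy is keyed by COPS client type.


def parse_combo(spec):
    """'Edge+T1' -> (frozenset({'Edge', 'T1'}), False); 'Edge+*' -> (frozenset({'Edge'}), True)."""
    roles = spec.split("+")
    wildcard = "*" in roles
    return frozenset(r for r in roles if r != "*"), wildcard


def combo_str(combo):
    return "+".join(sorted(combo))


class PEP:
    def __init__(self, complete_combinations):
        # The complete role combinations present on this PEP's interfaces.
        self.combos = [frozenset(c.split("+")) for c in complete_combinations]
        # installed[client_type][combination] = policy; one policy per combination.
        self.installed = {}

    def expand(self, spec):
        """Complete combinations named by spec; an incomplete, non-wildcard spec names none."""
        roles, wildcard = parse_combo(spec)
        if wildcard:
            return [c for c in self.combos if roles <= c]
        return [roles] if roles in self.combos else []

    def install(self, client_type, spec, policy):
        """Replace (never merge) the policy on every combination spec expands to."""
        table = self.installed.setdefault(client_type, {})
        targets = self.expand(spec)
        for c in targets:
            table[c] = policy
        return [combo_str(c) for c in targets]

    def policy_for(self, client_type, spec):
        roles, _ = parse_combo(spec)
        return self.installed.get(client_type, {}).get(roles)


def merge(*policies):
    """PDP-side merge of mergeable (same-domain) policies: here, concatenate actions."""
    merged = []
    for p in policies:
        merged.extend(p)
    return tuple(merged)


def scenario():
    """Walk through the thread's Edge/T1/Ethernet example on a constructed PEP."""
    pep = PEP(["Edge+T1", "Edge+Ethernet", "Core+T1"])
    # Policy2 shorthand: one message covers Edge+T1 and Edge+Ethernet.
    pep.install("QoS", "Edge+*", ("Mark DSCP AF11",))
    # A later "T1+*" REPLACES what Edge+* installed on Edge+T1; nothing is merged.
    pep.install("QoS", "T1+*", ("Mark DSCP AF21",))
    # Separate domain, separate client type: no interaction with the QoS table.
    pep.install("Security", "Edge+Ethernet", ("Permit trusted only",))
    # Same domain: the PDP merges before sending, because the PEP will not.
    pep.install("QoS", "Edge+Ethernet",
                merge(("Mark DSCP AF11",), ("Police 10Mbps",)))
    return pep


if __name__ == "__main__":
    pep = scenario()
    for client_type, table in pep.installed.items():
        for c, policy in table.items():
            print(f"{client_type:8} {combo_str(c):14} {policy}")
    # An incomplete combination without the wildcard installs nowhere (the "ALL" rule).
    print("install 'Edge' alone:", pep.install("QoS", "Edge", ("x",)))  # []
```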




                              
--=====================_604267410==_.ALT--



From majordomo@raleigh.ibm.com  Fri Feb 11 13:46:55 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA17076
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 13:46:49 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id NAA35522;
	Fri, 11 Feb 2000 13:44:45 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id NAB36980;
	Fri, 11 Feb 2000 13:44:43 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA38752; Fri, 11 Feb 2000 13:23:39 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA37976; Fri, 11 Feb 2000 13:23:36 -0500
Received: from southrelay02.raleigh.ibm.com (southrelay02.raleigh.ibm.com [9.37.3.209])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id NAA31216
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 13:23:41 -0500
From: remoore@us.ibm.com
Received: from d54mta04.raleigh.ibm.com (d54mta04.raleigh.ibm.com [9.67.228.36])
	by southrelay02.raleigh.ibm.com (8.8.8m2/NCO v2.06) with SMTP id NAA45144;
	Fri, 11 Feb 2000 13:23:39 -0500
Received: by d54mta04.raleigh.ibm.com(Lotus SMTP MTA v4.6.5  (863.2 5-20-1999))  id 85256882.00650731 ; Fri, 11 Feb 2000 13:23:29 -0500
X-Lotus-Fromdomain: IBMUS
To: "Weiss, Walter" <WWeiss@lucentctc.com>
Cc: policy@raleigh.ibm.com, johns@cisco.com
Message-Id: <85256882.00650382.00@d54mta04.raleigh.ibm.com>
Date: Fri, 11 Feb 2000 13:19:59 -0500
Subject: RE: Policy issues: definition of Roles
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: remoore@us.ibm.com



Walter,

Let me see how far I can get with your cases before I get into
trouble:

CASE 1:

PolicyRule 1
  PolicyKeywords {TrafficManagement, Engineering, ByWalter}
  PolicyRoles {EdgeIntf&&EngineeringIntf} -- role combination

CASE 2:

PolicyGroup A
  PolicyKeywords {DHCP, UserAccess, ByWalter}
  -- contains two PolicyRules A1 and A2

PolicyRule A1
  PolicyKeywords {DHCP, UserAccess, ByWalter}
  PolicyRoles {DHCP}

PolicyRule A2
  PolicyKeywords {DHCP, UserAccess, ByWalter}
  PolicyRoles {EndUserIntf}

I've represented your second "policy" as a PolicyGroup rather
than a PolicyRule, because it seems like there would be nothing
in common between the conditions / actions for the DHCP server
and the subsequent conditions / actions for the router.
Because of this, each of the rules has only a single value in
its PolicyRoles.  The property itself, however, is multivalued,
so in a different case it could have multiple values, which
would be ORed, say

  PolicyRoles {EndUserIntf, EdgeIntf}.

What's left unspecified here is the "magic" that gets you from
an event at the DHCP server (the user gets an IP address) to
events at the routers (this IP address gets added to their
filters).  I don't think this magic has anything to do with
the PolicyRoles property, though.

Regards,
Bob

Bob Moore
IBM Networking Software
+1-919-254-4436
remoore@us.ibm.com



"Weiss, Walter" <WWeiss@lucentctc.com> on 02/11/2000 12:05:09 PM

To:   Robert Moore/Raleigh/IBM@IBMUS
cc:   policy@raleigh.ibm.com, johns@cisco.com
Subject:  RE: Policy issues: definition of Roles



Bob,

I think this is an excellent idea. However, I believe another problem
arises. Let's consider two policy rules. In one policy rule, let's suppose
we are trying to limit engineering traffic to some arbitrary level/rate.
This policy rule would presumably have two roles: Engineering Interface and
Edge Interface. I believe the presumption is that the policy rule can only
be applied if both roles are satisfied.

Now, let's suppose the second policy is designed to facilitate a network
login by preventing access to the network until the appropriate IP address
has been given by the DHCP server. Thus when the IP address is assigned, the
policy adds or removes the filter (as the case may be) to allow access to
certain parts of the network based on the identity of the new user. Now,
here I am trying to make a feeble attempt at describing a policy that
crosses two technology domains. Presumably, because we are crossing two
domains, the roles need to represent both domains so that the policy (or
portions of the policy) can be distributed (or processed on behalf of) the
DHCP server and the router managing the filter. Hence, the role for the
policy rule would presumably be DHCP and EndUserInterface.

Now, in the first policy example, we only processed the policy rule on
behalf of devices that satisfied both role criteria (a logical AND of the
roles). In the second policy rule, we want to process the policy for either
role (a logical OR of the roles). Going with either an AND semantic or an
OR semantic seems to cause problems.

regards,

-Walter

> -----Original Message-----
> From: remoore@us.ibm.com [mailto:remoore@us.ibm.com]
> Sent: Friday, February 11, 2000 7:59 AM
> To: Weiss, Walter
> Cc: policy@raleigh.ibm.com; johns@cisco.com
> Subject: RE: Policy issues: definition of Roles
>
>
>
>
> Walter,
>
> In an earlier posting I proposed separating Policy Roles out from
> the more general set of Policy Keywords.  At that time I left it
> open where the PolicyRoles property should be placed:  in the
> abstract class Policy (which is where PolicyKeywords is now), or
> in the class PolicyRule.  I'm now convinced that PolicyRoles should
> be placed in PolicyRule, rather than in Policy, because the function
> of PolicyRoles is to (help) select the set of PolicyRules that apply
> to a given resource.  Contrast this function with that of the
> PolicyKeywords property, which is to identify any object in the
> policy repository that might be of interest to a PDP that's
> searching the repository.
>
> I'm planning to write up a new section for the PCIM describing the
> PolicyRoles property, which I will post to the list as soon as I've
> completed it.  Then people can decide whether it makes sense.  John
> is going to be taking a shot at a section positioning this type of
> role versus, say, the roles that are used in COPS.  I don't know
> whether he's planning to propose a set of adjectives to distinguish
> the different types of roles, although this has certainly been
> discussed on the list.
>
> Regards,
> Bob
>
> Bob Moore
> IBM Networking Software
> +1-919-254-4436
> remoore@us.ibm.com
>
>
>
> "Weiss, Walter" <WWeiss@lucentctc.com>@raleigh.ibm.com on 02/10/2000
> 04:02:53 PM
>
> Please respond to "Weiss, Walter" <WWeiss@lucentctc.com>
>
> Sent by:  policy-owner@raleigh.ibm.com
>
>
> To:   policy@raleigh.ibm.com
> cc:
> Subject:  RE: Policy issues: definition of Roles
>
>
>
> I noticed that roles have been described in PFCIM through the
> PolicyKeywords attribute in the Policy class. As PolicyGroup, PolicyRule,
> PolicyCondition and PolicyAction all derive from Policy, all of these
> classes can specify PolicyKeywords. This suggests that rather than having
> a role per policy/rule, you can have keywords at any and all levels of a
> policy. Is this desirable or are we going to place certain usage
> restrictions or precedence hierarchies on the keywords/roles?
>
> regards,
>
> -Walter
>
>
>
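As an added example that is not part of the original thread, here is the selection semantic Bob describes above (AND within a "&&" role combination, OR across several PolicyRoles values) applied to his two cases, in Python; the class, function and attribute names are this example's own assumptions, not PCIM's.

```python
"""Added example: PolicyRule selection by PolicyRoles, with the semantics
Bob sketches (not code from the PCIM authors).  A PolicyRoles value is
either a single role name or a role combination written 'A&&B', which
matches only a resource carrying every role in the combination; a rule
with several PolicyRoles values matches if any one of them does (OR).
Class and attribute names are this example's own, not PCIM's."""
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass(frozen=True)
class PolicyRule:
    name: str
    keywords: frozenset   # PolicyKeywords: for locating objects of interest
    roles: frozenset      # PolicyRoles: for selecting the applicable rules


@dataclass
class PolicyGroup:
    name: str
    keywords: frozenset
    rules: List[PolicyRule] = field(default_factory=list)


def parse_combination(value: str) -> frozenset:
    """'EdgeIntf&&EngineeringIntf' -> {'EdgeIntf', 'EngineeringIntf'}."""
    parts = [p.strip() for p in value.split("&&")]
    if any(not p for p in parts):
        raise ValueError("malformed role combination: %r" % value)
    return frozenset(parts)


def rule_applies(rule: PolicyRule, resource_roles: Iterable[str]) -> bool:
    """OR across PolicyRoles values, AND within each '&&' combination.
    A rule with no PolicyRoles value selects nothing (assumption here)."""
    have = frozenset(resource_roles)
    return any(parse_combination(v) <= have for v in rule.roles)


def select_rules(repository, resource_roles, keyword=None):
    """Return the rules in `repository` (rules and groups, nested) that
    apply to a resource carrying `resource_roles`.  `keyword` is an
    optional PolicyKeywords pre-filter, kept separate from role selection
    because the two properties serve different functions."""
    selected = []
    for obj in repository:
        if keyword is not None and keyword not in obj.keywords:
            continue
        if isinstance(obj, PolicyGroup):
            selected.extend(select_rules(obj.rules, resource_roles, keyword))
        elif rule_applies(obj, resource_roles):
            selected.append(obj)
    return selected


# The two cases from the message, transcribed as data.
KW_CASE1 = frozenset({"TrafficManagement", "Engineering", "ByWalter"})
KW_CASE2 = frozenset({"DHCP", "UserAccess", "ByWalter"})

RULE_1 = PolicyRule("PolicyRule 1", KW_CASE1,
                    frozenset({"EdgeIntf&&EngineeringIntf"}))
GROUP_A = PolicyGroup("PolicyGroup A", KW_CASE2, [
    PolicyRule("PolicyRule A1", KW_CASE2, frozenset({"DHCP"})),
    PolicyRule("PolicyRule A2", KW_CASE2, frozenset({"EndUserIntf"})),
])
# Bob's multi-valued variant: the two values are ORed.
RULE_OR = PolicyRule("PolicyRule OR", KW_CASE2,
                     frozenset({"EndUserIntf", "EdgeIntf"}))
REPOSITORY = [RULE_1, GROUP_A, RULE_OR]


def selected_names(resource_roles, keyword=None):
    """Names of the rules a resource with these roles would receive."""
    return [r.name for r in select_rules(REPOSITORY, resource_roles, keyword)]


if __name__ == "__main__":
    for roles in ({"EdgeIntf", "EngineeringIntf"}, {"EdgeIntf"},
                  {"DHCP"}, {"EndUserIntf"}):
        print(sorted(roles), "->", selected_names(roles))
```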





From majordomo@raleigh.ibm.com  Fri Feb 11 14:36:57 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18053
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 14:36:53 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA27634;
	Fri, 11 Feb 2000 14:34:24 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id OAA36886;
	Fri, 11 Feb 2000 14:34:23 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA28690; Fri, 11 Feb 2000 14:14:38 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA34568; Fri, 11 Feb 2000 14:14:33 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id OAA14154
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 14:14:34 -0500
Received: from rerun.lucentctc.com (rerun.lucentctc.com [199.93.237.2])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id OAA38010
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 14:14:31 -0500
Received: by rerun.lucentctc.com with Internet Mail Service (5.5.2448.0)
	id <1FBG14VP>; Fri, 11 Feb 2000 14:14:01 -0500
Message-Id: <75ADD7496F0BD211ADC000104B8846CF019115C0@rerun.lucentctc.com>
From: "Weiss, Walter" <WWeiss@lucentctc.com>
To: "'remoore@us.ibm.com'" <remoore@us.ibm.com>
Cc: policy@raleigh.ibm.com, johns@cisco.com
Subject: RE: Policy issues: definition of Roles
Date: Fri, 11 Feb 2000 14:14:00 -0500
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Weiss, Walter" <WWeiss@lucentctc.com>

Bob, 

see below:
> 
> CASE 1:
> 
> PolicyRule 1
>   PolicyKeywords {TrafficManagement, Engineering, ByWalter}
>   PolicyRoles {EdgeIntf&&EngineeringIntf} -- role combination
> 
This is fine.

> CASE 2:
> 
> PolicyGroup A
>   PolicyKeywords {DHCP, UserAccess, ByWalter}
>   -- contains two PolicyRules A1 and A2
> 
> PolicyRule A1
>   PolicyKeywords {DHCP, UserAccess, ByWalter}
>   PolicyRoles {DHCP}
> 
> PolicyRule A2
>   PolicyKeywords {DHCP, UserAccess, ByWalter}
>   PolicyRoles {EndUserIntf}
> 
> I've represented your second "policy" as a PolicyGroup rather
> than a PolicyRule, because it seems like there would be nothing
> in common between the conditions / actions for the DHCP server
> and the subsequent conditions / actions for the router.
> Because of this, each of the rules has only a single value in
> its PolicyRoles.  The property itself, however, is multivalued,
> so in a different case it could have multiple values, which
> would be ORed, say
>   PolicyRoles {EndUserIntf, EdgeIntf}.
> 
I don't think so. The fact of the matter is that the condition is in the
DHCP server and the action is in the router. Therefore, DHCP and
EndUserInterface do in fact exist within the same rule. Again, if you are
going to suggest that policy rules can't operate across technologies as your
example implies, then it is fair to say that this is a limitation of your
proposal. We can then discuss if this is reasonable or not. As I have
suggested before, I think it is not. I can think of many instances of
policies where it would be desirable to have a condition in one system
(whether it is a server like DHCP or a software element like BGP) invoke
actions in one or more other systems.

> What's left unspecified here is the "magic" that gets you from
> an event at the DHCP server (the user gets an IP address) to
> events at the routers (this IP address gets added to their
> filters).  I don't think this magic has anything to do with
> the PolicyRoles property, though.
> 
> Regards,
> Bob
> 
> Bob Moore
> IBM Networking Software
> +1-919-254-4436
> remoore@us.ibm.com
> 
> 
> 
> "Weiss, Walter" <WWeiss@lucentctc.com> on 02/11/2000 12:05:09 PM
> 
> To:   Robert Moore/Raleigh/IBM@IBMUS
> cc:   policy@raleigh.ibm.com, johns@cisco.com
> Subject:  RE: Policy issues: definition of Roles
> 
> 
> 
> Bob,
> 
> I think this is an excellent idea. However, I believe another problem
> arises. Let's consider two policy rules. In one policy rule, let's suppose
> we are trying to limit engineering traffic to some arbitrary level/rate.
> This policy rule would presumably have two roles: Engineering Interface and
> Edge Interface. I believe the presumption is that the policy rule can only
> be applied if both roles are satisfied.
> 
> Now, let's suppose the second policy is designed to facilitate a network
> login by preventing access to the network until the appropriate IP address
> has been given by the DHCP server. Thus when the IP address is assigned, the
> policy adds or removes the filter (as the case may be) to allow access to
> certain parts of the network based on the identity of the new user. Now,
> here I am trying to make a feeble attempt at describing a policy that
> crosses two technology domains. Presumably, because we are crossing two
> domains, the roles need to represent both domains so that the policy (or
> portions of the policy) can be distributed (or processed on behalf of) the
> DHCP server and the router managing the filter. Hence, the role for the
> policy rule would presumably be DHCP and EndUserInterface.
> 
> Now, in the first policy example, we only processed the policy rule on
> behalf of devices that satisfied both role criteria (a logical AND of the
> roles). In the second policy rule, we want to process the policy for either
> role (a logical OR of the roles). Going with either an AND semantic or an
> OR semantic seems to cause problems.
> 
> regards,
> 
> -Walter
> 
> > -----Original Message-----
> > From: remoore@us.ibm.com [mailto:remoore@us.ibm.com]
> > Sent: Friday, February 11, 2000 7:59 AM
> > To: Weiss, Walter
> > Cc: policy@raleigh.ibm.com; johns@cisco.com
> > Subject: RE: Policy issues: definition of Roles
> >
> >
> >
> >
> > Walter,
> >
> > In an earlier posting I proposed separating Policy Roles out from
> > the more general set of Policy Keywords.  At that time I left it
> > open where the PolicyRoles property should be placed:  in the
> > abstract class Policy (which is where PolicyKeywords is now), or
> > in the class PolicyRule.  I'm now convinced that PolicyRoles should
> > be placed in PolicyRule, rather than in Policy, because the function
> > of PolicyRoles is to (help) select the set of PolicyRules that apply
> > to a given resource.  Contrast this function with that of the
> > PolicyKeywords property, which is to identify any object in the
> > policy repository that might be of interest to a PDP that's
> > searching the repository.
> >
> > I'm planning to write up a new section for the PCIM describing the
> > PolicyRoles property, which I will post to the list as soon as I've
> > completed it.  Then people can decide whether it makes sense.  John
> > is going to be taking a shot at a section positioning this type of
> > role versus, say, the roles that are used in COPS.  I don't know
> > whether he's planning to propose a set of adjectives to distinguish
> > the different types of roles, although this has certainly been
> > discussed on the list.
> >
> > Regards,
> > Bob
> >
> > Bob Moore
> > IBM Networking Software
> > +1-919-254-4436
> > remoore@us.ibm.com
> >
> >
> >
> > "Weiss, Walter" <WWeiss@lucentctc.com>@raleigh.ibm.com on 02/10/2000
> > 04:02:53 PM
> >
> > Please respond to "Weiss, Walter" <WWeiss@lucentctc.com>
> >
> > Sent by:  policy-owner@raleigh.ibm.com
> >
> >
> > To:   policy@raleigh.ibm.com
> > cc:
> > Subject:  RE: Policy issues: definition of Roles
> >
> >
> >
> > I noticed that roles have been described in PFCIM through the
> > PolicyKeywords attribute in the Policy class. As PolicyGroup, PolicyRule,
> > PolicyCondition and PolicyAction all derive from Policy, all of these
> > classes can specify PolicyKeywords. This suggests that rather than having
> > a role per policy/rule, you can have keywords at any and all levels of a
> > policy. Is this desirable or are we going to place certain usage
> > restrictions or precedence hierarchies on the keywords/roles?
> >
> > regards,
> >
> > -Walter
> >
> >
> >
> 
> 
> 


From majordomo@raleigh.ibm.com  Fri Feb 11 15:59:30 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA20226
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 15:59:24 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id PAA27322;
	Fri, 11 Feb 2000 15:55:55 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id PAA33562;
	Fri, 11 Feb 2000 15:55:56 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA21598; Fri, 11 Feb 2000 15:35:18 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA21570; Fri, 11 Feb 2000 15:35:13 -0500
Received: from southrelay02.raleigh.ibm.com (southrelay02.raleigh.ibm.com [9.37.3.209])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id PAA21050
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 15:35:14 -0500
From: remoore@us.ibm.com
Received: from d54mta04.raleigh.ibm.com (d54mta04.raleigh.ibm.com [9.67.228.36])
	by southrelay02.raleigh.ibm.com (8.8.8m2/NCO v2.06) with SMTP id PAA67186;
	Fri, 11 Feb 2000 15:35:11 -0500
Received: by d54mta04.raleigh.ibm.com(Lotus SMTP MTA v4.6.5  (863.2 5-20-1999))  id 85256882.007114CA ; Fri, 11 Feb 2000 15:35:08 -0500
X-Lotus-Fromdomain: IBMUS
To: "Bert Wijnen" <WIJNEN@vnet.ibm.com>
Cc: policy@raleigh.ibm.com
Message-Id: <85256882.00710CB1.00@d54mta04.raleigh.ibm.com>
Date: Fri, 11 Feb 2000 15:31:27 -0500
Subject: Re: WG Last Call PCIM - OIDs
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: remoore@us.ibm.com



Bert,

Actually, this is not specified in the CIM spec.  There is some
mapping material related to OIDs as identifiers for information
objects (OBJECT-TYPE and NOTIFICATION-TYPE macros in SMIv2), but
that's not the case we're concerned with in the PCIM.  Our case
is one where the OIDs serve as code points (OBJECT-IDENTITY
macro in SMIv2) that appear as the value of a property in the
PCIM.

Since the CIM spec hasn't defined an encoding for OIDs in this
role, we're free to do what we think is right.  Since I agree
with your proposed format, that's what I'm going to document for
the two affected properties in the PCIM:

  - UCS-2 strings
  - dotted digits format
  - US ASCII encodings "upgraded" to UCS-2 with leading x00's.

Regards,
Bob

Bob Moore
IBM Networking Software
+1-919-254-4436
remoore@us.ibm.com



"Bert Wijnen" <WIJNEN@vnet.ibm.com>@raleigh.ibm.com on 01/31/2000 08:05:45
AM

Please respond to "Bert Wijnen" <WIJNEN@vnet.ibm.com>

Sent by:  policy-owner@raleigh.ibm.com


To:   policy@raleigh.ibm.com
cc:
Subject:  WG Last Call PCIM - OIDs



Taking sect 6.6.2 as an example,
it is not clear to me how an OID is encoded in a UCS-2 string.
Is it 2 octets per character (I think yes) and is it of the form
1.3.6.x.y.z or is it of another form? If this form, are the digits
and the dot from the US ASCII set?

Maybe this is defined in DMTF CIM doc. I still need to read that one.

Bert
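An added example, not from the PCIM or the CIM spec: an encoder and decoder for the OID value format Bob lists above (UCS-2, dotted digits, US-ASCII widened with a leading x00), assuming big-endian octet order and at least two arcs; the function names are this example's own.

```python
"""Added example (not from the PCIM or CIM specs): encoding an OID code
point the way Bob says the two affected PCIM properties will document it:
a UCS-2 string in dotted-digits form, each US-ASCII digit or dot widened
to two octets with a leading 0x00.  Big-endian octet order and a minimum
of two arcs are assumptions of this example."""
import re

# Dotted-digits form: decimal arcs separated by single dots, at least two.
_DOTTED_DIGITS = re.compile(r"[0-9]+(\.[0-9]+)+")


def validate_oid(text: str) -> str:
    """Accept only the dotted-digits form (no names, signs or blanks)."""
    if not _DOTTED_DIGITS.fullmatch(text):
        raise ValueError("not a dotted-digits OID: %r" % text)
    return text


def encode_oid_ucs2(text: str) -> bytes:
    """Widen each US-ASCII character to a UCS-2 code unit (00 xx)."""
    validate_oid(text)
    out = bytearray()
    for ch in text:
        out += b"\x00" + ch.encode("ascii")   # leading x00 'upgrades' ASCII
    return bytes(out)


def decode_oid_ucs2(data: bytes) -> str:
    """Inverse of encode_oid_ucs2; rejects odd lengths, code units whose
    high octet is not 0x00, and strings that are not dotted digits."""
    if len(data) % 2:
        raise ValueError("UCS-2 data needs an even number of octets")
    chars = []
    for hi, lo in zip(data[0::2], data[1::2]):
        if hi != 0x00:
            raise ValueError("non-ASCII UCS-2 code unit 0x%02x%02x" % (hi, lo))
        chars.append(chr(lo))
    return validate_oid("".join(chars))


def oid_arcs(text: str) -> tuple:
    """Numeric arcs, for comparisons that plain string operations get wrong."""
    return tuple(int(a) for a in validate_oid(text).split("."))


def oid_is_under(oid: str, root: str) -> bool:
    """True when `oid` lies in the subtree rooted at `root`, compared arc by
    arc ('1.3.6.10' is not under '1.3.6.1', although it string-prefixes)."""
    o, r = oid_arcs(oid), oid_arcs(root)
    return len(o) >= len(r) and o[:len(r)] == r


if __name__ == "__main__":
    wire = encode_oid_ucs2("1.3.6.1.4.1")
    print(wire.hex(), "->", decode_oid_ucs2(wire))
```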





From majordomo@raleigh.ibm.com  Fri Feb 11 16:15:31 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA21068
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 16:15:24 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id QAA28256;
	Fri, 11 Feb 2000 16:12:47 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id QAA33976;
	Fri, 11 Feb 2000 16:12:48 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA52290; Fri, 11 Feb 2000 15:48:42 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA22586; Fri, 11 Feb 2000 15:48:39 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id PAA18402
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 15:48:40 -0500
Received: from rerun.lucentctc.com (rerun.lucentctc.com [199.93.237.2])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id PAA19498
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 15:48:38 -0500
Received: by rerun.lucentctc.com with Internet Mail Service (5.5.2448.0)
	id <1FBG145F>; Fri, 11 Feb 2000 15:48:06 -0500
Message-Id: <75ADD7496F0BD211ADC000104B8846CF019115C4@rerun.lucentctc.com>
From: "Weiss, Walter" <WWeiss@lucentctc.com>
To: "'John C. Strassner'" <jstrassn@cisco.com>
Cc: policy@raleigh.ibm.com
Subject: RE: Policy issues: definition of Roles
Date: Fri, 11 Feb 2000 15:48:05 -0500
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Weiss, Walter" <WWeiss@lucentctc.com>

John,

I would agree that this is somewhat unrelated to the concept of roles,
assuming that roles focus on distribution issues. However, at some point we
will have to agree on how we can achieve the unambiguous interpretation of
the policy conditions and actions.

regards,

-Walter

> -----Original Message-----
> From: John C. Strassner [mailto:jstrassn@cisco.com]
> Sent: Sunday, February 06, 2000 8:37 PM
> To: Weiss, Walter; 'Jon Sjoberg'
> Cc: policy@raleigh.ibm.com
> Subject: RE: Policy issues: definition of Roles
> 
> 
> <walter wrote:>
> In the original posting, my main concern was that the policy rules, and more
> precisely the attributes within policy rules, eventually have to be bound to
> some physical attribute somewhere in order to effect changes in network
> devices or services. Specifying keywords is not enough. We should also
> document how an attribute actually maps to given instances of that attribute
> in an interface, queue or whatever.
> </walter>
> 
> I would humbly submit that this issue, though important, is orthogonal to
> roles. See my earlier posting. This is a binding issue, and affects not
> just roles (which are, after all, attributes) but other types of attributes
> as well.
> 
> regards,
> John
> 
> At 01:36 PM 1/31/00 -0500, Weiss, Walter wrote:
> >Jon,
> >
> >Since my posting, the intent of Roles (in the form of keywords and keyword
> >combinations) has become clearer to me. With role combinations, I can create
> >policies that cross domains. That said, I wanted to draw attention to the
> >text because it was too vague for me to understand what the intent was.
> >
> >It seems that the definition of Roles that PCIM authors had in mind is a bit
> >more high level than what I was thinking of. I don't have any problem with
> >grouping policies together based on some keyword. These are fairly abstract
> >concepts that I could easily see as useful for policy conflicts. However, I
> >have not seen the rubber hit the road yet.
> >
> >In the original posting, my main concern was that the policy rules, and more
> >precisely the attributes within policy rules, eventually have to be bound to
> >some physical attribute somewhere in order to effect changes in network
> >devices or services. Specifying keywords is not enough. We should also
> >document how an attribute actually maps to given instances of that attribute
> >in an interface, queue or whatever. We could use the role keyword as a way
> >of indicating which set of interfaces or queues we would like the policy to
> >apply to, but then we need a mechanism to bind the keyword to that set. If
> >that is the approach taken, then we still have attribute qualifiers to deal
> >with, but at least I know how I can use Role Keys beyond conflict detection.
> >
> >As a side note, we are spending a considerable amount of time focused on
> >device interfaces. I would like to remind folks that the purpose of this
> >working group is to come up with a framework that can not only be applied to
> >QoS components in forwarding engines, but also other problem domains.
> >Security policies, Address management policies, and Routing policies have
> >little if anything to do with interfaces. While I am comfortable with
> >focusing on QoS (as per our charter), I would like to make sure that we
> >don't make assumptions about how and where policy will be used.
> >
> >regards,
> >
> >-Walter
> >
> > > -----Original Message-----
> > > From: Jon Sjoberg [mailto:jsjoberg@TopLayer.com]
> > > Sent: Sunday, January 30, 2000 9:08 AM
> > > To: Weiss, Walter
> > > Cc: policy@raleigh.ibm.com
> > > Subject: RE: Policy issues: definition of Roles
> > >
> > >
> > > Walter,
> > >
> > > > <PCIM>
> > > > The Policy Framework is then responsible for configuring
> > > > each of the resources associated with a role in such a way that it
> > > > behaves according to the policies specified for that role.
> > > > </PCIM>
> > > >
> > > > First, there is a reference to resources without any context.
> > > > Second, I find policies that can only operate within the confines of
> > > > a particular resource unnecessarily restrictive.
> > > >
> > > I don't understand where the second point is derived from.  I guess I
> > > read the text to say that policies are confined within a specific role.
> > > It seems that policies, in the general sense, can operate across
> > > resource and role boundaries.  Each policy rule that enacts a policy
> > > must be restricted, however, to a role.  It would be easier, from a
> > > PDP/PEP implementation standpoint, to restrict each policy rule down to
> > > a resource (and make the policy management tool do all the REAL work).
> > >
> > > >
> > > > <PCIM>
> > > > Roles are represented in the Core Policy Schema by values of the
> > > > PolicyKeywords property.
> > > > </PCIM>
> > > >
> > > > I found this text to be even more confusing because it supported a
> > > > third concept not defined in either of the two concepts I described:
> > > > an arbitrary grouping based on a keyword possibly bound to a
> > > > technology like QoS or security, or an organization like engineering,
> > > > or something else???
> > > >
> > > Actually the possible current values are enumerated in 6.1.2, and the
> > > values fall into the "something else" category.  If I read correctly,
> > > the standard possible values are: "UNKNOWN", "CONFIGURATION", "USAGE",
> > > "SECURITY", "SERVICE", "MOTIVATIONAL", "INSTALLATION", and "EVENT".  I
> > > am not sure I fully understand many of these, though the document does
> > > explain them.  Anyway, it is clearly another definition of role not
> > > akin to your two or, best I can tell, Shai's newest proposal.
> > >
> > >
> > >
> 


From majordomo@raleigh.ibm.com  Fri Feb 11 22:12:58 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA02363
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 22:12:58 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id WAA16698;
	Fri, 11 Feb 2000 22:10:51 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id WAA32136;
	Fri, 11 Feb 2000 22:10:51 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA32198; Fri, 11 Feb 2000 21:48:30 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA54460; Fri, 11 Feb 2000 21:48:24 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id VAA32188
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 21:48:24 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id VAA38064
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 21:48:22 -0500
Received: from jstrass-lap ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id SAA16338;
	Fri, 11 Feb 2000 18:47:29 -0800 (PST)
Message-Id: <4.2.0.58.20000211204814.00b10350@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Fri, 11 Feb 2000 20:49:44 -0800
To: Shai Herzog <herzog@iphighway.com>, avri.doria@nokia.com,
        jstrassn@cisco.com, andrew@extremenetworks.com, kjr@nortelnetworks.com
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com
In-Reply-To: <4.2.0.58.20000208134959.01ac2500@209.3.6.76>
References: <B9CFA6CE8FFDD211A1FB0008C7894E46B5797B@bseis01nok>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

Sorry, but I don't think that equating a role to a logical interface helps 
at all. The whole point of roles is that they are selectors (don't respond 
to this email, wait for the next couple, Shai ;-) ). An interface implies a 
single location on a single device. A role selects multiple interfaces on 
multiple devices.

regards,
John

At 02:00 PM 2/8/00 -0500, Shai Herzog wrote:
>Yap.
>
>It just dawned on me that roles are "logical interfaces" in the
>router, as opposed to "physical interfaces".
>
>So, in a router with physical interfaces S0..S4, rather than
>
>SNMP:
>
>"Configure interface S0 with ....."
>"Configure interface S1 with ....."
>"Configure interface S2 with ....."
>"Configure interface S3 with ....."
>"Configure interface S4 with ....."
>
>The PDP says (using COPS or similar):
>
>"Configure role "Edge+Serial" with ....."
>
>And the PEP knows that it has 5 serial physical interfaces with this
>role combination and configures S0..S4 with ....
>
>Shai
>
>P.S., ...With a note regarding "user profiles" and other attributes
>used in the schema, which may overload the term Roles but aren't
>related to the PEP roles. I call it user profiles since this
>is the terminology used in security, access policies, and many
>other areas of networking.
>
>
>At 12:44 PM 02/08/2000, avri.doria@nokia.com wrote:
>>So, the role isn't a selector in the schema (although simple schema may
>>use it), it is also not a selector at the PDP, but only a selector
>>for the PEP to advertise the kind of roles it has, and receive policy
>>for each one of its roles.
>>...
>>
>>
>>
>>
>>
>>
>>
>><js>
>>Seems to me that you want to differentiate between roles as used to
>>influence device configuration on the PEP level vs. roles as used to build
>>policy statements at the PDP level. Is this what you meant by "levels" of
>>roles?
>>
>>If so, then I suggest that we talk about PEP roles vs. PDP roles (as Keith
>>suggested earlier) vs. roles as a selector (to make me happy ;-) )
>></js>
>>
>>
>>
>>YES YES YES, you hit it bulls eye! I was talking about PEP roles only
>>and was trying (clumsily) to express myself, thanks!
>>
>>So, let's call it "PEP ROLES"
>>
>>As for the other one, I believe PDP is merely an interpreter (in comes
>>abstract policy, out goes device policy) so it doesn't really have
>>roles. So, we should find another name for the second type that you
>>described, perhaps "Profile" (as in "user profile, application
>>profile,...)? or "Usage Roles".
>>
>>Shai
>>
>>
>>
>>
>>
>>__________________________________________________________________
>>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>>55 New York Avenue                            Main: (508) 620-1141
>>Framingham, MA 01701                          Fax : (212) 656-1006
>>
>>
>>
>>
>
>
>__________________________________________________________________
>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>55 New York Avenue                            Main: (508) 620-1141
>Framingham, MA 01701                          Fax : (212) 656-1006
>
>
>
>
>
>



From majordomo@raleigh.ibm.com  Fri Feb 11 22:16:01 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA02443
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 22:16:00 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id WAA32000;
	Fri, 11 Feb 2000 22:13:43 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id WAA34450;
	Fri, 11 Feb 2000 22:13:40 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA51160; Fri, 11 Feb 2000 21:58:58 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA57296; Fri, 11 Feb 2000 21:58:55 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id VAA22770
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 21:58:56 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id VAA16740
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 21:58:55 -0500
Received: from jstrass-lap ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id SAA17201;
	Fri, 11 Feb 2000 18:58:09 -0800 (PST)
Message-Id: <4.2.0.58.20000211205006.00c09ad0@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Fri, 11 Feb 2000 21:00:25 -0800
To: Shai Herzog <herzog@iphighway.com>,
        "John C. Strassner" <jstrassn@cisco.com>,
        Andrew Smith <andrew@extremenetworks.com>,
        "'Ken Roberts'" <kjr@nortelnetworks.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com
In-Reply-To: <4.2.0.58.20000211090103.02de3f10@209.3.6.76>
References: <4.2.0.58.20000209074033.00c1b1d0@omega.cisco.com>
 <4.2.0.58.20000208113808.00ab6c60@209.3.6.76>
 <4.2.0.58.20000208080450.00ad9a00@omega.cisco.com>
 <4.2.0.58.20000206232138.02f037b0@209.3.6.76>
 <4.2.0.58.20000206174814.00c4a2a0@omega.cisco.com>
 <808F64DDB492D3119D3C00508B5D8D733EC4B2@SOL>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

OK, #1 is agreed on, that's progress at least. ;-)

>The #1 is agreed upon, but I fail to see the #2 & #3 being separate
>and I have a hard time with "PDP" roles given that PDP is a translation
>machine and does not have its own definition or determination of policy
>(or roles for that matter). It takes two types of input, one from above
>(schema) and one from below (device). Those inputs may have roles in
>them, but those are different "role types".

But if the PDP is using roles (which you did in your earlier posting) to 
achieve the translation, then it's a role. Furthermore, if it is taking input 
from above and below which both have roles, I fail to see how it can not 
therefore understand what a role is.

#2 and #3 happen to be the EXACT case where a role is most closely used as 
a selector. You have role definitions in the schema and in the device, and 
the PDP will retrieve the subset of policies that are applicable to these 
role definitions from the much larger set of available policies that are in 
the repository. So I still see nothing wrong with calling these translation 
roles and selector roles.

regards,
John

At 09:05 AM 2/11/00 -0500, Shai Herzog wrote:
>At 08:18 AM 02/09/2000, John C. Strassner wrote:
>
>><js>
>>Well, we're getting very close here. Let me propose a summary to see if 
>>we can agree. Roles have three fundamentally different uses:
>>
>>   1) to directly influence device configuration - let's
>>      call this PEP ROLES for now
>>   2) to translate from a high-level description of policy
>>      into one that configures the device either directly
>>      or indirectly - let's call this PDP ROLES for now
>>   3) to be used as a selector to retrieve a subset of
>>      applicable policies from a larger set of available
>>      policies - let's call this SELECTOR ROLES for now
>>
>>Note that the second use is subtly different from the third. The second 
>>uses roles as a means to translate between expressing policy in general 
>>terms and in configuring the device to implement or support that policy. 
>>So in Shai's example, the PDP has two inputs. One input is the definition 
>>of the policy from the administrator's point-of-view, which probably can 
>>not be used in its current form to configure devices. The other is from 
>>the devices that it controls. They announce their capabilities in terms 
>>of roles. The PDP then uses roles to translate policy from a business 
>>expression (Gold service, or don't allow more than 30% of my core 
>>bandwidth to be devoted to a certain type of traffic, or...) to a form 
>>that is used to ultimately configure the devices that it controls.
>>
>>The third use is not focused on translation. Rather, it is a way of 
>>selecting policies and/or policy information to be retrieved for further 
>>processing.
>
>The #1 is agreed upon, but I fail to see the #2 & #3 being separate
>and I have a hard time with "PDP" roles given that PDP is a translation
>machine and does not have its own definition or determination of policy
>(or roles for that matter). It takes two types of input, one from above
>(schema) and one from below (device). Those inputs may have roles in
>them, but those are different "role types".
>
>
>PEP Roles <-----------> PDP <---------------> Schema Roles
>
>The job of the PDP is to bridge between PEPs and Schema, but it doesn't
>have roles or policy per se.
>
>Shai
>
>
>__________________________________________________________________
>Shai Herzog, Founder & CTO   IPHighway Inc.   Tel : (914) 654-4810
>55 New York Avenue                            Main: (508) 620-1141
>Framingham, MA 01701                          Fax : (212) 656-1006



From majordomo@raleigh.ibm.com  Fri Feb 11 22:37:06 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA03986
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 22:37:04 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id WAA17582;
	Fri, 11 Feb 2000 22:33:40 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id WAA29056;
	Fri, 11 Feb 2000 22:33:39 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA49752; Fri, 11 Feb 2000 22:12:22 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35404; Fri, 11 Feb 2000 22:12:17 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id WAA33802
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 22:12:19 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id WAA24466
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 22:12:16 -0500
Received: from jstrass-lap ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id TAA18092;
	Fri, 11 Feb 2000 19:11:01 -0800 (PST)
Message-Id: <4.2.0.58.20000211210406.00affa60@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Fri, 11 Feb 2000 21:13:16 -0800
To: "Weiss, Walter" <WWeiss@lucentctc.com>,
        "'remoore@us.ibm.com'" <remoore@us.ibm.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com, johns@cisco.com
In-Reply-To: <75ADD7496F0BD211ADC000104B8846CF019115C0@rerun.lucentctc.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_16675448==_.ALT"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

--=====================_16675448==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

Comments inline. You argue that CASE 1 below demands AND semantics and CASE 
2 below demands OR semantics. You further posit that this is the case 
because we are crossing two technology domains, and "...the roles need to 
represent both domains so that the policy (or portions of the policy) can 
be distributed (or processed on behalf of) the DHCP server and the router 
managing the filter".

I disagree. Rather than formulating this problem as one policyRule, why not 
divide it into two separate rules?

regards,
John

At 02:14 PM 2/11/00 -0500, Weiss, Walter wrote:
>Bob,
>
>see below:
> >
> > CASE 1:
> >
> > PolicyRule 1
> >   PolicyKeywords {TrafficManagement, Engineering, ByWalter}
> >   PolicyRoles {EdgeIntf&&EngineeringIntf} -- role combination
> >
>This is fine.
>
> > CASE 2:
> >
> > PolicyGroup A
> >   PolicyKeywords {DHCP, UserAccess, ByWalter}
> >   -- contains two PolicyRules A1 and A2
> >
> > PolicyRule A1
> >   PolicyKeywords {DHCP, UserAccess, ByWalter}
> >   PolicyRoles {DHCP}
> >
> > PolicyRule A2
> >   PolicyKeywords {DHCP, UserAccess, ByWalter}
> >   PolicyRoles {EndUserIntf}
> >
> > I've represented your second "policy" as a PolicyGroup rather
> > than a PolicyRule, because it seems like there would be nothing
> > in common between the conditions / actions for the DHCP server
> > and the subsequent conditions / actions for the router.
> > Because of this, each of the rules has only a single value in
> > its PolicyRoles.  The property itself, however, is multivalued,
> >   so in a different case it could have multiple values which
> > would be ORed, say
> >   PolicyRoles {EndUserIntf, EdgeIntf}.
> >
>I don't think so. The fact of the matter is that the condition is in the
>DHCP server and the action is in the router. Therefore, DHCP and
>EndUserInterface do in fact exist within the same rule.

<js>
Sorry, I disagree. These resolve into completely separate actions. Changing 
ACLs on the router is independent of whether the user gets an IP address, 
since you're probably allocating from a pool as opposed to filtering on an 
individual address. And even if you are filtering on an individual address, 
you have to assume that at some point the user will be allowed a legal IP 
address. So as far as I can tell, you don't have "...a condition in the 
DHCP server and an action in the router"; rather, you have a logon Event 
that generates two actions, one for the DHCP server and one for the router. 
They don't in fact have to be directly associated at all.
</js>

>Again, if you are
>going to suggest that policy rules can't operate across technologies as your
>example implies, then it is fair to say that this is a limitation of your
>proposal. We can then discuss if this is reasonable or not. As I have
>suggested before, I think it is not. I can think of many instances of
>policies where it would be desirable to have a condition in one system
>(whether it is a server like DHCP or a software element like BGP) invoke
>actions in one or more other systems.

<js> No one suggested that. I think that the problem was mal-formed. </js>

> > What's left unspecified here is the "magic" that gets you from
> > an event at the DHCP server (the user gets an IP address) to
> > events at the routers (this IP address gets added to their
> > filters).  I don't think this magic has anything to do with
> > the PolicyRoles property, though.
> >
> > Regards,
> > Bob
> >
> > Bob Moore
> > IBM Networking Software
> > +1-919-254-4436
> > remoore@us.ibm.com
> >
> >
> >
> > "Weiss, Walter" <WWeiss@lucentctc.com> on 02/11/2000 12:05:09 PM
> >
> > To:   Robert Moore/Raleigh/IBM@IBMUS
> > cc:   policy@raleigh.ibm.com, johns@cisco.com
> > Subject:  RE: Policy issues: definition of Roles
> >
> >
> >
> > Bob,
> >
> > I think this is an excellent idea. However, I believe another problem
> > arises. Let's consider two policy rules. In one policy rule,
> > let's suppose
> > we are trying to limit engineering traffic to some arbitrary
> > level/rate.
> > This policy rule would presumably have two roles: Engineering
> > Interface and
> > Edge Interface. I believe the presumption is that the policy
> > rule can only
> > be applied if both roles are satisfied.
> >
> > Now, let's suppose the second policy is designed to
> > facilitate a network
> > login by preventing access to the network until the
> > appropriate IP address
> > has been given by the DHCP server. Thus when the IP address
> > is assigned,
> > the
> > policy adds or removes the filter (as the case may be) to
> > allow access to
> > certain parts of the network based on the identity of the new
> > user. Now,
> > here I am trying to make a feeble attempt at describing a policy that
> > crosses two technology domains. Presumably, because we are
> > crossing two
> > domains, the roles need to represent both domains so that the
> > policy (or
> > portions of the policy) can be distributed (or processed on
> > behalf of) the
> > DHCP server and the router managing the filter. Hence, the
> > role for the
> > policy rule would presumably be DHCP and EndUserInterface.
> >
> > Now, in the first policy example, we only processed the policy rule on
> > behalf of devices that satisfied both role criteria (a
> > logical AND of the
> > roles). In the second policy rule, we want to process the
> > policy for either
> > role (a logical OR of the roles). If we go with an AND
> > semantic or we go
> > with
> > an OR semantic, either seems to cause problems.
> >
> > regards,
> >
> > -Walter
> >
> > > -----Original Message-----
> > > From: remoore@us.ibm.com [mailto:remoore@us.ibm.com]
> > > Sent: Friday, February 11, 2000 7:59 AM
> > > To: Weiss, Walter
> > > Cc: policy@raleigh.ibm.com; johns@cisco.com
> > > Subject: RE: Policy issues: definition of Roles
> > >
> > >
> > >
> > >
> > > Walter,
> > >
> > > In an earlier posting I proposed separating Policy Roles out from
> > > the more general set of Policy Keywords.  At that time I left it
> > > open where the PolicyRoles property should be placed:  in the
> > > abstract class Policy (which is where PolicyKeywords is now), or
> > > in the class PolicyRule.  I'm now convinced that PolicyRoles should
> > > be placed in PolicyRule, rather than in Policy, because the function
> > > of PolicyRoles is to (help) select the set of PolicyRules that apply
> > > to a given resource.  Contrast this function with that of the
> > > PolicyKeywords property, which is to identify any object in the
> > > policy repository that might be of interest to a PDP that's
> > > searching the repository.
> > >
> > > I'm planning to write up a new section for the PCIM describing the
> > > PolicyRoles property, which I will post to the list as soon as I've
> > > completed it.  Then people can decide whether it makes sense.  John
> > > is going to be taking a shot at a section positioning this type of
> > > role versus, say, the roles that are used in COPS.  I don't know
> > > whether he's planning to propose a set of adjectives to distinguish
> > > the different types of roles, although this has certainly been
> > > discussed on the list.
> > >
> > > Regards,
> > > Bob
> > >
> > > Bob Moore
> > > IBM Networking Software
> > > +1-919-254-4436
> > > remoore@us.ibm.com
> > >
> > >
> > >
> > > "Weiss, Walter" <WWeiss@lucentctc.com>@raleigh.ibm.com on 02/10/2000
> > > 04:02:53 PM
> > >
> > > Please respond to "Weiss, Walter" <WWeiss@lucentctc.com>
> > >
> > > Sent by:  policy-owner@raleigh.ibm.com
> > >
> > >
> > > To:   policy@raleigh.ibm.com
> > > cc:
> > > Subject:  RE: Policy issues: definition of Roles
> > >
> > >
> > >
> > > I noticed that roles have been described in PFCIM through the
> > > PolicyKeywords
> > > attribute in the Policy class. As PolicyGroup, PolicyRule,
> > > PolicyCondition
> > > and PolicyAction all derive from Policy, all of these
> > > classes can specify
> > > PolicyKeywords. This suggests that rather than having a role per
> > > policy/rule, you can have keywords at any and all levels of a
> > > policy. Is
> > > this desirable or are we going to place certain usage
> > restrictions or
> > > precedence hierarchies on the keywords/roles?
> > >
> > > regards,
> > >
> > > -Walter
> > >
> > >
> > >
> >
> >
> >


--=====================_16675448==_.ALT--
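
The selector semantics that Bob's CASE 1 and CASE 2 above rely on (the roles inside a `&&` role combination are ANDed, the several values of one PolicyRoles property are ORed), worked as an added example; this is not code from the thread or from the PCIM drafts, the `PolicyRule` class and the function names are my own, and the repository contents are constructed from the two quoted cases. It also shows why Walter's single cross-domain rule selects nothing under a pure AND reading, which is the dilemma the split into A1 and A2 avoids.

```python
from dataclasses import dataclass

ROLE_COMBINATION_SEPARATOR = "&&"  # role-combination syntax from Bob's CASE 1


@dataclass(frozen=True)
class PolicyRule:
    """Minimal stand-in for a PCIM PolicyRule (hypothetical class, not PCIM's)."""
    name: str
    policy_keywords: frozenset   # PolicyKeywords: repository search hints
    policy_roles: tuple          # PolicyRoles: multi-valued selector


def parse_role_value(value: str) -> frozenset:
    """Split one PolicyRoles value into the set of roles it requires.

    "DHCP"                      -> {"DHCP"}
    "EdgeIntf&&EngineeringIntf" -> {"EdgeIntf", "EngineeringIntf"}
    """
    parts = [p.strip() for p in value.split(ROLE_COMBINATION_SEPARATOR)]
    if any(not p for p in parts):
        raise ValueError(f"malformed PolicyRoles value: {value!r}")
    return frozenset(parts)


def role_value_matches(value: str, resource_roles) -> bool:
    """AND inside a value: every role in the combination must be present."""
    return parse_role_value(value) <= frozenset(resource_roles)


def rule_applies(rule: PolicyRule, resource_roles) -> bool:
    """OR across values: any matching value selects the rule.

    A rule whose PolicyRoles is empty selects nothing: there is no resource
    it can be bound to, so a PDP would never hand it to a PEP.
    """
    return any(role_value_matches(v, resource_roles) for v in rule.policy_roles)


def select_rules(rules, resource_roles) -> list:
    """Selector use of roles: the subset of the repository that applies to a
    resource carrying the given roles, in repository order."""
    return [r.name for r in rules if rule_applies(r, resource_roles)]


def search_by_keyword(rules, keyword: str) -> list:
    """Keyword use: anything in the repository tagged with the keyword,
    regardless of which resources it could be bound to."""
    return [r.name for r in rules if keyword in r.policy_keywords]


# Constructed repository: Bob's CASE 1 and CASE 2 rules, plus his
# "different case" with two ORed values (hypothetical rule B).
REPOSITORY = (
    PolicyRule("PolicyRule 1",
               frozenset({"TrafficManagement", "Engineering", "ByWalter"}),
               ("EdgeIntf&&EngineeringIntf",)),
    PolicyRule("PolicyRule A1",
               frozenset({"DHCP", "UserAccess", "ByWalter"}),
               ("DHCP",)),
    PolicyRule("PolicyRule A2",
               frozenset({"DHCP", "UserAccess", "ByWalter"}),
               ("EndUserIntf",)),
    PolicyRule("PolicyRule B",
               frozenset({"UserAccess"}),
               ("EndUserIntf", "EdgeIntf")),
)

# Walter's single cross-domain rule, encoded the two ways the thread debates
# (both constructed here; neither is Bob's representation).
WALTER_AS_OR = PolicyRule("Walter-OR", frozenset({"DHCP", "UserAccess"}),
                          ("DHCP", "EndUserIntf"))
WALTER_AS_AND = PolicyRule("Walter-AND", frozenset({"DHCP", "UserAccess"}),
                           ("DHCP&&EndUserIntf",))


if __name__ == "__main__":
    for roles in ({"EdgeIntf"}, {"EdgeIntf", "EngineeringIntf"},
                  {"DHCP"}, {"EndUserIntf"}):
        print(sorted(roles), "->", select_rules(REPOSITORY, roles))
    # The AND encoding selects nothing for either device, since no single
    # device carries both the DHCP and the EndUserIntf role.
    for roles in ({"DHCP"}, {"EndUserIntf"}):
        print(sorted(roles), "AND encoding ->",
              select_rules([WALTER_AS_AND], roles),
              "OR encoding ->", select_rules([WALTER_AS_OR], roles))
```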



From majordomo@raleigh.ibm.com  Fri Feb 11 22:37:56 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA04016
	for <policy-archive@odin.ietf.org>; Fri, 11 Feb 2000 22:37:56 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id WAA07344;
	Fri, 11 Feb 2000 22:33:37 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id WAA26228;
	Fri, 11 Feb 2000 22:33:37 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA55064; Fri, 11 Feb 2000 22:14:52 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35332; Fri, 11 Feb 2000 22:14:47 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id WAA32540
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 22:14:44 -0500
Received: from omega.cisco.com (omega.cisco.com [171.69.63.141])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id WAA21054
	for <policy@raleigh.ibm.com>; Fri, 11 Feb 2000 22:14:24 -0500
Received: from jstrass-lap ([171.69.108.130])
	by omega.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id TAA18255;
	Fri, 11 Feb 2000 19:13:38 -0800 (PST)
Message-Id: <4.2.0.58.20000211211340.00afe100@omega.cisco.com>
X-Sender: jstrassn@omega.cisco.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Fri, 11 Feb 2000 21:15:53 -0800
To: "Weiss, Walter" <WWeiss@lucentctc.com>,
        "'John C. Strassner'" <jstrassn@cisco.com>
From: "John C. Strassner" <jstrassn@cisco.com>
Subject: RE: Policy issues: definition of Roles
Cc: policy@raleigh.ibm.com
In-Reply-To: <75ADD7496F0BD211ADC000104B8846CF019115C4@rerun.lucentctc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "John C. Strassner" <jstrassn@cisco.com>

Fair enough. However, the PCIM is an information model. It is not directly 
instantiable, and the binding that you are talking about is relevant to the 
various mappings from the PCIM to their respective repositories. For 
example, if I am mapping to a database, then I can use triggers and stored 
procedures to add constraints and metadata to help me interpret the 
binding. I can't do this when mapping to a directory.

So I think that we should defer this to the next round of specs (e.g., the 
Policy Core Schema Spec), and not deal with it here anymore.

regards,
John

At 03:48 PM 2/11/00 -0500, Weiss, Walter wrote:
>John,
>
>I would agree that this is somewhat unrelated to the concept of roles,
>assuming that roles focus on distribution issues. However, at some point we
>will have to agree on how we can achieve the unambiguous interpretation of
>the policy conditions and actions.
>
>regards,
>
>-Walter
>
> > -----Original Message-----
> > From: John C. Strassner [mailto:jstrassn@cisco.com]
> > Sent: Sunday, February 06, 2000 8:37 PM
> > To: Weiss, Walter; 'Jon Sjoberg'
> > Cc: policy@raleigh.ibm.com
> > Subject: RE: Policy issues: definition of Roles
> >
> >
> > <walter wrote:>
> > In the original posting, my main concern was that the policy
> > rules, and more
> > precisely the attributes within policy rules, eventually have
> > to be bound to
> > some physical attribute somewhere in order to effect changes
> > in network
> > devices or services. Specifying keywords is not enough. We should also
> > document how an attribute actually maps to given instances of
> > that attribute
> > in an interface, queue or whatever.
> > </walter>
> >
> > I would humbly submit that this issue, though important, is
> > orthogonal to
> > roles. See my earlier posting. This is a binding issue, and
> > affects not
> > just roles (which are, after all, attributes) but other types
> > of attributes
> > as well.
> >
> > regards,
> > John
> >
> > At 01:36 PM 1/31/00 -0500, Weiss, Walter wrote:
> > >Jon,
> > >
> > >Since my posting, the intent of Roles (in the form of
> > keywords and keyword
> > >combinations) has become clearer to me. With role
> > combinations, I can create
> > >policies that cross domains. That said, I wanted to draw
> > attention to the
> > >text because it was too vague for me to understand what the
> > intent was.
> > >
> > >It seems that the definition of Roles that PCIM authors had
> > in mind is a bit
> > >more high-level than what I was thinking of. I don't have
> > any problem with
> > >grouping policies together based on some keyword. These are
> > fairly abstract
> > >concepts that I could easily see as useful for policy
> > conflicts. However, I
> > >have not seen the rubber hit the road yet.
> > >
> > >In the original posting, my main concern was that the policy
> > rules, and more
> > >precisely the attributes within policy rules, eventually
> > have to be bound to
> > >some physical attribute somewhere in order to effect changes
> > in network
> > >devices or services. Specifying keywords is not enough. We
> > should also
> > >document how an attribute actually maps to given instances
> > of that attribute
> > >in an interface, queue or whatever. We could use the role
> > keyword as a way
> > >of indicating which set of interfaces or queues we would
> > like the policy to
> > >apply to, but then we need a mechanism to bind the keyword
> > to that set. If
> > >that is the approach taken, then we still have attribute
> > qualifiers to deal
> > >with, but at least I know how I can use Role Keys beyond
> > conflict detection.
> > >
> > >As a side note, we are spending a considerable amount of
> > time focused on
> > >device interfaces. I would like to remind folks that the
> > purpose of this
> > >working group is to come up with a framework that can not
> > only be applied to
> > >QoS components in forwarding engines, but also other problem domains.
> > >Security policies, Address management policies, and Routing
> > policies have
> > >little if anything to do with interfaces. While I am comfortable with
> > >focusing on QoS (as per our charter), I would like to make
> > sure that we
> > >don't make assumptions about how and where policy will be used.
> > >
> > >regards,
> > >
> > >-Walter
> > >
> > > > -----Original Message-----
> > > > From: Jon Sjoberg [mailto:jsjoberg@TopLayer.com]
> > > > Sent: Sunday, January 30, 2000 9:08 AM
> > > > To: Weiss, Walter
> > > > Cc: policy@raleigh.ibm.com
> > > > Subject: RE: Policy issues: definition of Roles
> > > >
> > > >
> > > > Walter,
> > > >
> > > > > <PCIM>
> > > > > The Policy Framework is then responsible for configuring
> > > > > each of the resources associated with a role in such a
> > way that it
> > > > > behaves according to the policies specified for that role.
> > > > > </PCIM>
> > > > >
> > > > > First, there is a reference to resources without any context.
> > > > > Second, I find
> > > > > policies that can only operate within the confines of a
> > > > > particular resource
> > > > > unnecessarily restrictive.
> > > > >
> > > > I don't understand where the second point is derived from.  I
> > > > guess I read
> > > > the text to say that policies are confined within a specific
> > > > role.  It seems
> > > > that policies, in the general sense, can operate across
> > > > resource and role
> > > > boundaries.  Each policy rule that enacts a policy must
> > be restricted,
> > > > however, to a role.  It would be easier, from a PDP/PEP
> > > > implementation stand
> > > > point, to restrict each policy rule down to a resource (and
> > > > make the policy
> > > > management tool do all the REAL work).
> > > >
> > > > >
> > > > > <PCIM>
> > > > > Roles are represented in the Core Policy Schema by values of the
> > > > > PolicyKeywords property.
> > > > > </PCIM>
> > > > >
> > > > > I found this text to be even more confusing because it
> > > > supported a third
> > > > > concept not defined in either of the two concepts I
> > described: an
> > > > > arbitrary
> > > > > grouping based on a keyword possibly bound to a technology
> > > > like QoS or
> > > > > security, or an organization like engineering, or
> > something else???
> > > > >
> > > > Actually the possible current values are enumerated in 6.1.2,
> > > > and the values
> > > > fall into the "something else" category.  If I read
> > > > correctly, the standard
> > > > possible values are:
> > > > "UNKNOWN", "CONFIGURATION", "USAGE", "SECURITY", "SERVICE",
> > > > "MOTIVATIONAL",
> > > > "INSTALLATION", and "EVENT".  I am not sure I fully
> > understand many of
> > > > these, though the document does explain them.  Anyway, it is
> > > > clearly another
> > > > definition of role not akin to your two or, best I can tell,
> > > > Shai's newest
> > > > proposal.
> > > >
> > > >
> > > >
> >



From majordomo@raleigh.ibm.com  Sun Feb 13 09:11:53 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA09887
	for <policy-archive@odin.ietf.org>; Sun, 13 Feb 2000 09:11:52 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id JAA16788;
	Sun, 13 Feb 2000 09:08:07 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id JAA35566;
	Sun, 13 Feb 2000 09:08:07 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA57602; Sun, 13 Feb 2000 08:48:13 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA58616; Sun, 13 Feb 2000 08:48:07 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id IAA31268
	for <policy@raleigh.ibm.com>; Sun, 13 Feb 2000 08:48:12 -0500
Received: from csi-admin1.cisco.com (csi-admin1.cisco.com [144.254.91.12])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id IAA17850
	for <policy@raleigh.ibm.com>; Sun, 13 Feb 2000 08:48:07 -0500
Received: from ysnir8000 (telaviv3-dhcp36.cisco.com [144.254.93.164]) by csi-admin1.cisco.com (8.8.4-Cisco.1/8.6.5) with SMTP id PAA01866; Sun, 13 Feb 2000 15:52:04 +0200 (IST)
From: "Yoram Snir" <ysnir@cisco.com>
To: "'Weiss, Walter'" <WWeiss@lucentctc.com>,
        "'John C. Strassner'" <jstrassn@cisco.com>
Cc: <policy@raleigh.ibm.com>
Subject: RE: Policy issues: definition of Roles
Date: Sun, 13 Feb 2000 15:45:48 +0200
Message-Id: <002a01bf7628$a2fc0ce0$a45dfe90@cisco.com>
Mime-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <75ADD7496F0BD211ADC000104B8846CF019115C4@rerun.lucentctc.com>
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2314.1300
Importance: Normal
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Yoram Snir" <ysnir@cisco.com>
Content-Transfer-Encoding: 7bit

Walter
Aren't distribution issues and unambiguous interpretation of policy rules
(conditions and actions) two different issues?
The methods used to solve the first issue, Roles for example, are not the
method to solve consistent decision making (clear priorities, decision
strategy...).
Thanks.

Yoram Snir
Cisco Systems
Tel.   972-9-9700085
Mobile 972-54-970085

> -----Original Message-----
> From: policy-owner@raleigh.ibm.com
> [mailto:policy-owner@raleigh.ibm.com]On Behalf Of Weiss, Walter
> Sent: Friday, February 11, 2000 10:48 PM
> To: 'John C. Strassner'
> Cc: policy@raleigh.ibm.com
> Subject: RE: Policy issues: definition of Roles
>
>
> John,
>
> I would agree that this is somewhat unrelated to the concept of roles,
> assuming that roles focus on distribution issues. However, at
> some point we
> will have to agree on how we can achieve the unambiguous
> interpretation of
> the policy conditions and actions.
>
> regards,
>
> -Walter
>
> > -----Original Message-----
> > From: John C. Strassner [mailto:jstrassn@cisco.com]
> > Sent: Sunday, February 06, 2000 8:37 PM
> > To: Weiss, Walter; 'Jon Sjoberg'
> > Cc: policy@raleigh.ibm.com
> > Subject: RE: Policy issues: definition of Roles
> >
> >
> > <walter wrote:>
> > In the original posting, my main concern was that the policy
> > rules, and more
> > precisely the attributes within policy rules, eventually have
> > to be bound to
> > some physical attribute somewhere in order to effect changes
> > in network
> > devices or services. Specifying keywords is not enough. We
> should also
> > document how an attribute actually maps to given instances of
> > that attribute
> > in an interface, queue or whatever.
> > </walter>
> >
> > I would humbly submit that this issue, though important, is
> > orthogonal to
> > roles. See my earlier posting. This is a binding issue, and
> > affects not
> > just roles (which are, after all, attributes) but other types
> > of attributes
> > as well.
> >
> > regards,
> > John
> >
> > At 01:36 PM 1/31/00 -0500, Weiss, Walter wrote:
> > >Jon,
> > >
> > >Since my posting, the intent of Roles (in the form of
> > keywords and keyword
> > >combinations) has become clearer to me. With role
> > combinations, I can create
> > >policies that cross domains. That said, I wanted to draw
> > attention to the
> > >text because it was too vague for me to understand what the
> > intent was.
> > >
> > >It seems that the definition of Roles that PCIM authors had
> > in mind is a bit
> > >more high level than what I was thinking of. I don't have
> > any problem with
> > >grouping policies together based on some keyword. These are
> > fairly abstract
> > >concepts that I could easily see as useful for policy
> > conflicts. However, I
> > >have not seen the rubber hit the road yet.
> > >
> > >In the original posting, my main concern was that the policy
> > rules, and more
> > >precisely the attributes within policy rules, eventually
> > have to be bound to
> > >some physical attribute somewhere in order to effect changes
> > in network
> > >devices or services. Specifying keywords is not enough. We
> > should also
> > >document how an attribute actually maps to given instances
> > of that attribute
> > >in an interface, queue or whatever. We could use the role
> > keyword as a way
> > >of indicating which set of interfaces or queues we would
> > like the policy to
> > >apply to, but then we need a mechanism to bind the keyword
> > to that set. If
> > >that is the approach taken, then we still have attribute
> > qualifiers to deal
> > >with, but at least I know how I can use Role Keys beyond
> > conflict detection.
> > >
> > >As a side note, we are spending a considerable amount of
> > time focused on
> > >device interfaces. I would like to remind folks that the
> > purpose of this
> > >working group is to come up with a framework that can not
> > only be applied to
> > >QoS components in forwarding engines, but also other
> problem domains.
> > >Security policies, Address management policies, and Routing
> > policies have
> > >little if anything to do with interfaces. While I am
> comfortable with
> > >focusing on QoS (as per our charter), I would like to make
> > sure that we
> > >don't make assumptions about how and where policy will be used.
> > >
> > >regards,
> > >
> > >-Walter
> > >
> > > > -----Original Message-----
> > > > From: Jon Sjoberg [mailto:jsjoberg@TopLayer.com]
> > > > Sent: Sunday, January 30, 2000 9:08 AM
> > > > To: Weiss, Walter
> > > > Cc: policy@raleigh.ibm.com
> > > > Subject: RE: Policy issues: definition of Roles
> > > >
> > > >
> > > > Walter,
> > > >
> > > > > <PCIM>
> > > > > The Policy Framework is then responsible for configuring
> > > > > each of the resources associated with a role in such a
> > way that it
> > > > > behaves according to the policies specified for that role.
> > > > > </PCIM>
> > > > >
> > > > > First, there is a reference to resources without any context.
> > > > > Second, I find
> > > > > policies that can only operate within the confines of a
> > > > > particular resource
> > > > > unnecessarily restrictive.
> > > > >
> > > > I don't understand where the second point is derived from.  I
> > > > guess I read
> > > > the text to say that policies are confined within a specific
> > > > role.  It seems
> > > > that policies, in the general sense, can operate across
> > > > resource and role
> > > > boundaries.  Each policy rule that enacts a policy must
> > be restricted,
> > > > however, to a role.  It would be easier, from a PDP/PEP
> > > > implementation stand
> > > > point, to restrict each policy rule down to a resource (and
> > > > make the policy
> > > > management tool do all the REAL work).
> > > >
> > > > >
> > > > > <PCIM>
> > > > > Roles are represented in the Core Policy Schema by
> values of the
> > > > > PolicyKeywords property.
> > > > > </PCIM>
> > > > >
> > > > > I found this text to be even more confusing because it
> > > > supported a third
> > > > > concept not defined in either of the two concepts I
> > described: an
> > > > > arbitrary
> > > > > grouping based on a keyword possibly bound to a technology
> > > > like QoS or
> > > > > security, or an organization like engineering, or
> > something else???
> > > > >
> > > > Actually the possible current values are enumerated in 6.1.2,
> > > > and the values
> > > > fall into the "something else" category.  If I read
> > > > correctly, the standard
> > > > possible values are:
> > > > "UNKNOWN", "CONFIGURATION", "USAGE", "SECURITY", "SERVICE",
> > > > "MOTIVATIONAL",
> > > > "INSTALLATION", and "EVENT".  I am not sure I fully
> > understand many of
> > > > these, though the document does explain them.  Anyway, it is
> > > > clearly another
> > > > definition of role not akin to your two or, best I can tell,
> > > > Shai's newest
> > > > proposal.
> > > >
> > > >
> > > >
> >
>
>



From majordomo@raleigh.ibm.com  Mon Feb 14 11:39:35 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA16535
	for <policy-archive@odin.ietf.org>; Mon, 14 Feb 2000 11:39:30 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id LAA21490;
	Mon, 14 Feb 2000 11:35:58 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id LAA24322;
	Mon, 14 Feb 2000 11:35:58 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA41534; Mon, 14 Feb 2000 11:11:16 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA39716; Mon, 14 Feb 2000 11:11:07 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id LAA34306
	for <policy@raleigh.ibm.com>; Mon, 14 Feb 2000 11:10:32 -0500
Received: from rerun.lucentctc.com (rerun.lucentctc.com [199.93.237.2])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id LAA10342
	for <policy@raleigh.ibm.com>; Mon, 14 Feb 2000 11:09:47 -0500
Received: by rerun.lucentctc.com with Internet Mail Service (5.5.2448.0)
	id <1FBG1V9V>; Mon, 14 Feb 2000 11:09:09 -0500
Message-Id: <75ADD7496F0BD211ADC000104B8846CF019115CC@rerun.lucentctc.com>
From: "Weiss, Walter" <WWeiss@lucentctc.com>
To: "'John C. Strassner'" <jstrassn@cisco.com>,
        "'remoore@us.ibm.com'"
	 <remoore@us.ibm.com>
Cc: policy@raleigh.ibm.com, johns@cisco.com
Subject: RE: Policy issues: definition of Roles
Date: Mon, 14 Feb 2000 11:09:08 -0500
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Weiss, Walter" <WWeiss@lucentctc.com>

John,
 
I think you are suggesting a condition independent of action in one rule and
an action independent of condition in another rule. Since the relationship
between the condition and action is causal, you need some type of binding to
represent this causal relationship. Hence, If <condition> then <Action>.
Hence, if you want to have a condition on a DHCP server influence an action
in one or more routers, you somehow need to indicate this relationship. Two
disjoint rules do not achieve this objective.
 
Perhaps you could elaborate on how this would work. I do not believe Bob's
approach will work. However, perhaps there are other mechanisms in the model
I am missing.
 
regards,
 
-Walter


Comments inline. You argue that CASE 1 below demands AND semantics and CASE
2 below demands OR semantics. You further posit that this is the case
because we are crossing two technology domains, and "...the roles need to
represent both domains so that the policy (or portions of the policy) can be
distributed (or processed on behalf of) the DHCP server and the router
managing the filter".

I disagree. Rather than formulating this problem as one policyRule, why not
divide it into two separate rules?

regards,
John

At 02:14 PM 2/11/00 -0500, Weiss, Walter wrote:


Bob, 

see below:
> 
> CASE 1:
> 
> PolicyRule 1
>   PolicyKeywords {TrafficManagement, Engineering, ByWalter}
>   PolicyRoles {EdgeIntf&&EngineeringIntf} -- role combination
> 
This is fine.

> CASE 2:
> 
> PolicyGroup A
>   PolicyKeywords {DHCP, UserAccess, ByWalter}
>   -- contains two PolicyRules A1 and A2
> 
> PolicyRule A1
>   PolicyKeywords {DHCP, UserAccess, ByWalter}
>   PolicyRoles {DHCP}
> 
> PolicyRule A2
>   PolicyKeywords {DHCP, UserAccess, ByWalter}
>   PolicyRoles {EndUserIntf}
> 
> I've represented your second "policy" as a PolicyGroup rather
> than a PolicyRule, because it seems like there would be nothing
> in common between the conditions / actions for the DHCP server
> and the subsequent conditions / actions for the router.
> Because of this, each of the rules has only a single value in
> its PolicyRoles.  The property itself, however, is multivalued,
> so in a different case it could have multiple valued which
> would be ORed, say
>   PolicyRoles {EndUserIntf, EdgeIntf}.
> 
I don't think so. The fact of the matter is that the condition is in the
DHCP server and the action is in the router. Therefore, DHCP and
EndUserInterface do in fact exist within the same rule.


<js>
Sorry, I disagree. These resolve into completely separate actions. Changing
ACLs on the router is independent of whether the user gets an IP address,
since you're probably allocating from a pool as opposed to filtering on an
individual address. And even if you are filtering on an individual address,
you have to assume that at some point the user will be allowed a legal IP
address. So as far as I can tell, you don't have "...a condition in the DHCP
server and an action in the router"; rather, you have a logon Event that
generates two actions, one for the DHCP server and one for the router. They
don't in fact have to be directly associated at all.
</js>



Again, if you are
going to suggest that policy rules can't operate across technologies as your
example implies, then it is fair to say that this is a limitation of your
proposal. We can then discuss if this is reasonable or not. As I have
suggested before, I think it is not. I can think of many instances of
policies where it would be desirable to have a condition in one system
(whether it is a server like DHCP or a software element like BGP) invoke
actions in one or more other systems.


<js> No one suggested that. I think that the problem was mal-formed. </js>



> What's left unspecified here is the "magic" that gets you from
> an event at the DHCP server (the user gets an IP address) to
> events at the routers (this IP address gets added to their
> filters).  I don't think this magic has anything to do with
> the PolicyRoles property, though.
> 
> Regards,
> Bob
> 
> Bob Moore
> IBM Networking Software
> +1-919-254-4436
> remoore@us.ibm.com
> 
> 
> 
> "Weiss, Walter" <WWeiss@lucentctc.com> on 02/11/2000 12:05:09 PM
> 
> To:   Robert Moore/Raleigh/IBM@IBMUS
> cc:   policy@raleigh.ibm.com, johns@cisco.com
> Subject:  RE: Policy issues: definition of Roles
> 
> 
> 
> Bob,
> 
> I think this is an excellent idea. However, I believe another problem
> arises. Let's consider two policy rules. In one policy rule,
> let's suppose
> we are trying to limit engineering traffic to some arbitrary 
> level/rate.
> This policy rule would presumably have two roles: Engineering 
> Interface and
> Edge Interface. I believe the presumption is that the policy 
> rule can only
> be applied if both roles are satisfied.
> 
> Now, let's suppose the second policy is designed to 
> facilitate a network
> login by preventing access to the network until the 
> appropriate IP address
> has been given by the DHCP server. Thus when the IP address 
> is assigned,
> the
> policy adds or removes the filter (as the case may be) to 
> allow access to
> certain parts of the network based on the identity of the new 
> user. Now,
> here I am trying to make a feeble attempt at describing a policy that
> crosses two technology domains. Presumably, because we are 
> crossing two
> domains, the roles need to represent both domains so that the 
> policy (or
> portions of the policy) can be distributed (or processed on 
> behalf of) the
> DHCP server and the router managing the filter. Hence, the 
> role for the
> policy rule would presumably be DHCP and EndUserInterface.
> 
> Now, in the first policy example, we only processed the policy rule on
> behalf of devices that satisfied both role criteria (a 
> logical AND of the
> roles). In the second policy rule, we want to process the 
> policy for either
> role (a logical OR of the roles). Whether we go with an AND
> semantic or we go
> with
> an OR semantic, either seems to cause problems.
> 
> regards,
> 
> -Walter
> 
> > -----Original Message-----
> > From: remoore@us.ibm.com [ mailto:remoore@us.ibm.com
<mailto:remoore@us.ibm.com> ]
> > Sent: Friday, February 11, 2000 7:59 AM
> > To: Weiss, Walter
> > Cc: policy@raleigh.ibm.com; johns@cisco.com
> > Subject: RE: Policy issues: definition of Roles
> >
> >
> >
> >
> > Walter,
> >
> > In an earlier posting I proposed separating Policy Roles out from
> > the more general set of Policy Keywords.  At that time I left it
> > open where the PolicyRoles property should be placed:  in the
> > abstract class Policy (which is where PolicyKeywords is now), or
> > in the class PolicyRule.  I'm now convinced that PolicyRoles should
> > be placed in PolicyRule, rather than in Policy, because the function
> > of PolicyRoles is to (help) select the set of PolicyRules that apply
> > to a given resource.  Contrast this function with that of the
> > PolicyKeywords property, which is to identify any object in the
> > policy repository that might be of interest to a PDP that's
> > searching the repository.
> >
> > I'm planning to write up a new section for the PCIM describing the
> > PolicyRoles property, which I will post to the list as soon as I've
> > completed it.  Then people can decide whether it makes sense.  John
> > is going to be taking a shot at a section positioning this type of
> > role versus, say, the roles that are used in COPS.  I don't know
> > whether he's planning to propose a set of adjectives to distinguish
> > the different types of roles, although this has certainly been
> > discussed on the list.
> >
> > Regards,
> > Bob
> >
> > Bob Moore
> > IBM Networking Software
> > +1-919-254-4436
> > remoore@us.ibm.com
> >
> >
> >
> > "Weiss, Walter" <WWeiss@lucentctc.com>@raleigh.ibm.com on 02/10/2000
> > 04:02:53 PM
> >
> > Please respond to "Weiss, Walter" <WWeiss@lucentctc.com>
> >
> > Sent by:  policy-owner@raleigh.ibm.com
> >
> >
> > To:   policy@raleigh.ibm.com
> > cc:
> > Subject:  RE: Policy issues: definition of Roles
> >
> >
> >
> > I noticed that roles have been described in PFCIM through the
> > PolicyKeywords
> > attribute in the Policy class. As PolicyGroup, PolicyRule,
> > PolicyCondition
> > and PolicyAction all derive from Policy, all of these
> > classes can specify
> > PolicyKeywords. This suggests that rather than having a role per
> > policy/rule, you can have keywords at any and all levels of a
> > policy. Is
> > this desirable or are we going to place certain usage 
> restrictions or
> > precedence hierarchies on the keywords/roles?
> >
> > regards,
> >
> > -Walter
> >
> >
> >
> 
> 
> 

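Bob's CASE 1 / CASE 2 sketch quoted in the message above (a role combination joined with "&&" giving AND semantics, several values in the multi-valued PolicyRoles property giving OR semantics, and PolicyKeywords serving only as a repository search key) as an added, runnable illustration. This is example code written for this archive, not text from the PCIM draft and not any PDP or PEP implementation. It assumes subset matching for combinations (a resource that carries more roles than the combination names still matches), which the thread does not settle, and the rule names, keyword sets and resource role assignments are constructed from the two cases in the thread.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# "&&" joins roles into a role combination, as in Bob's "EdgeIntf&&EngineeringIntf".
COMBINATION_SEPARATOR = "&&"


@dataclass(frozen=True)
class PolicyRule:
    name: str
    keywords: FrozenSet[str]  # PolicyKeywords: search hints for a PDP scanning the repository
    roles: FrozenSet[str]     # PolicyRoles: each value is a role or an "a&&b" role combination


def parse_combination(value: str) -> FrozenSet[str]:
    """Split one PolicyRoles value into the roles it names; reject empty parts."""
    parts = [p.strip() for p in value.split(COMBINATION_SEPARATOR)]
    if any(not p for p in parts):
        raise ValueError(f"malformed role combination: {value!r}")
    return frozenset(parts)


def is_well_formed(value: str) -> bool:
    """True when the value is a role or a role combination with no empty component."""
    try:
        parse_combination(value)
        return True
    except ValueError:
        return False


def combination_matches(value: str, resource_roles: FrozenSet[str]) -> bool:
    """AND semantics: every role named in the combination must be assigned to the resource.
    Assumption (not settled in the thread): a resource with extra roles still matches."""
    return parse_combination(value) <= resource_roles


def rule_applies(rule: PolicyRule, resource_roles: FrozenSet[str]) -> bool:
    """OR semantics across the values of the multi-valued PolicyRoles property."""
    return any(combination_matches(v, resource_roles) for v in rule.roles)


def select_rules(rules: Iterable[PolicyRule], resource_roles: Iterable[str]) -> List[str]:
    """What a PDP would hand a PEP for one resource: the rules whose PolicyRoles match."""
    roles = frozenset(resource_roles)
    return sorted(r.name for r in rules if rule_applies(r, roles))


def search_by_keyword(rules: Iterable[PolicyRule], keyword: str) -> List[str]:
    """PolicyKeywords lookup: repository-wide, independent of any particular resource."""
    return sorted(r.name for r in rules if keyword in r.keywords)


# Constructed sample repository mirroring CASE 1 and CASE 2 from the thread,
# plus Bob's ORed variant {EndUserIntf, EdgeIntf} as a fourth rule (constructed).
RULES = [
    PolicyRule("PolicyRule1",
               frozenset({"TrafficManagement", "Engineering", "ByWalter"}),
               frozenset({"EdgeIntf&&EngineeringIntf"})),
    PolicyRule("PolicyRuleA1",
               frozenset({"DHCP", "UserAccess", "ByWalter"}),
               frozenset({"DHCP"})),
    PolicyRule("PolicyRuleA2",
               frozenset({"DHCP", "UserAccess", "ByWalter"}),
               frozenset({"EndUserIntf"})),
    PolicyRule("PolicyRuleB",
               frozenset({"UserAccess", "ByWalter"}),
               frozenset({"EndUserIntf", "EdgeIntf"})),
]

# Constructed resources: the roles each device or interface has been assigned.
RESOURCES = {
    "eng-edge-intf": {"EdgeIntf", "EngineeringIntf"},
    "plain-edge-intf": {"EdgeIntf"},
    "dhcp-server": {"DHCP"},
    "user-intf": {"EndUserIntf"},
}


if __name__ == "__main__":
    for name, roles in RESOURCES.items():
        print(f"{name:16} roles={sorted(roles)} -> {select_rules(RULES, roles)}")
    print("keyword DHCP ->", search_by_keyword(RULES, "DHCP"))
```

Running it shows the point both Bob and John make: the engineering edge interface is the only resource that picks up PolicyRule1, the DHCP server and the end-user interface each pick up their own rule from PolicyGroup A without any OR over the two roles, and the keyword "DHCP" finds both A1 and A2 in the repository regardless of which device is asking. The causal link Walter wants between the DHCP event and the router filter is nowhere in this selection logic, which is exactly the "magic" Bob says lies outside PolicyRoles.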



From majordomo@raleigh.ibm.com  Mon Feb 14 12:04:16 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA17587
	for <policy-archive@odin.ietf.org>; Mon, 14 Feb 2000 12:04:15 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id MAA25416;
	Mon, 14 Feb 2000 12:01:41 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id MAA20536;
	Mon, 14 Feb 2000 12:01:41 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA48714; Mon, 14 Feb 2000 11:41:48 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA42818; Mon, 14 Feb 2000 11:41:43 -0500
Received: from southrelay02.raleigh.ibm.com (southrelay02.raleigh.ibm.com [9.37.3.209])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id LAA30352
	for <policy@raleigh.ibm.com>; Mon, 14 Feb 2000 11:41:45 -0500
From: remoore@us.ibm.com
Received: from d54mta04.raleigh.ibm.com (d54mta04.raleigh.ibm.com [9.67.228.36])
	by southrelay02.raleigh.ibm.com (8.8.8m2/NCO v2.06) with SMTP id LAA46814;
	Mon, 14 Feb 2000 11:40:27 -0500
Received: by d54mta04.raleigh.ibm.com(Lotus SMTP MTA v4.6.5  (863.2 5-20-1999))  id 85256885.005B9794 ; Mon, 14 Feb 2000 11:40:25 -0500
X-Lotus-Fromdomain: IBMUS
To: "Weiss, Walter" <WWeiss@lucentctc.com>
Cc: policy@raleigh.ibm.com, johns@cisco.com
Message-Id: <85256885.005B9525.00@d54mta04.raleigh.ibm.com>
Date: Mon, 14 Feb 2000 11:36:52 -0500
Subject: RE: Policy issues: definition of Roles
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: remoore@us.ibm.com



Walter,

I want to make sure we're all in agreement about what we're
discussing.  Modeling policies that span two or more technologies,
as well as modeling policies that span two or more systems, are
both Very Hard problems.  But I don't think we have to solve these
problems, or even go very far down the path towards solving them,
in order to determine that the structure I've proposed for the
PolicyRoles property will be able to do the job in these cases.

Do you agree that we're now discussing how to model cross-system
and/or cross-technology policies, not whether PolicyRoles as I've
proposed that it be defined is adequate for these cases?  If so,
is there anything else in the PCIM that needs to be changed in
order to leave us room to address these Very Hard problems later,
in the context of a subclass schema such as QoS?

By the way, I hope you're not saying that we need to have solutions
for these two Very Hard problems *in* the PCIM, and that it can't
be approved without these solutions.  As we can all attest, coming
up with solutions, especially general solutions, to Very Hard
problems ordinarily takes a <Very> Long Time.  So I think the
correct precondition for advancing the PCIM is not that it solve
these problems itself, but rather that it not introduce anything
that makes the problems harder to solve than they would otherwise be.
I think the PCIM passes this second test.

Regards,
Bob

Bob Moore
IBM Networking Software
+1-919-254-4436
remoore@us.ibm.com



"Weiss, Walter" <WWeiss@lucentctc.com> on 02/14/2000 11:09:08 AM

To:   "'John C. Strassner'" <jstrassn@cisco.com>, Robert
      Moore/Raleigh/IBM@IBMUS
cc:   policy@raleigh.ibm.com, johns@cisco.com
Subject:  RE: Policy issues: definition of Roles



John,

I think you are suggesting a condition independent of action in one rule
and
an action independent of condition in another rule. Since the relationship
between the condition and action is causal, you need some type of binding
to
represent this causal relationship. Hence, If <condition> then <Action>.
Hence, if you want to have a condition on a DHCP server influence an action
in one or more routers, you somehow need to indicate this relationship. Two
disjoint rules do not achieve this objective.

Perhaps you could elaborate on how this would work. I do not believe Bob's
approach will work. However, perhaps there are other mechanisms in the
model
I am missing.

regards,

-Walter


Comments inline. You argue that CASE 1 below demands AND semantics and CASE
2 below demands OR semantics. You further posit that this is the case
because we are crossing two technology domains, and "...the roles need to
represent both domains so that the policy (or portions of the policy) can
be
distributed (or processed on behalf of) the DHCP server and the router
managing the filter".

I disagree. Rather than formulating this problem as one policyRule, why not
divide it into two separate rules?

regards,
John

At 02:14 PM 2/11/00 -0500, Weiss, Walter wrote:


Bob,

see below:
>
> CASE 1:
>
> PolicyRule 1
>   PolicyKeywords {TrafficManagement, Engineering, ByWalter}
>   PolicyRoles {EdgeIntf&&EngineeringIntf} -- role combination
>
This is fine.

> CASE 2:
>
> PolicyGroup A
>   PolicyKeywords {DHCP, UserAccess, ByWalter}
>   -- contains two PolicyRules A1 and A2
>
> PolicyRule A1
>   PolicyKeywords {DHCP, UserAccess, ByWalter}
>   PolicyRoles {DHCP}
>
> PolicyRule A2
>   PolicyKeywords {DHCP, UserAccess, ByWalter}
>   PolicyRoles {EndUserIntf}
>
> I've represented your second "policy" as a PolicyGroup rather
> than a PolicyRule, because it seems like there would be nothing
> in common between the conditions / actions for the DHCP server
> and the subsequent conditions / actions for the router.
> Because of this, each of the rules has only a single value in
> its PolicyRoles.  The property itself, however, is multivalued,
> so in a different case it could have multiple valued which
> would be ORed, say
>   PolicyRoles {EndUserIntf, EdgeIntf}.
>
I don't think so. The fact of the matter is that the condition is in the
DHCP server and the action is in the router. Therefore, DHCP and
EndUserInterface do in fact exist within the same rule.


<js>
Sorry, I disagree. These resolve into completely separate actions. Changing
ACLs on the router is independent of whether the user gets an IP address,
since you're probably allocating from a pool as opposed to filtering on an
individual address. And even if you are filtering on an individual address,
you have to assume that at some point the user will be allowed a legal IP
address. So as far as I can tell, you don't have "...a condition in the
DHCP
server and an action in the router"; rather, you have a logon Event that
generates two actions, one for the DHCP server and one for the router. They
don't in fact have to be directly associated at all.
</js>



Again, if you are
going to suggest that policy rules can't operate across technologies as
your
example implies, then it is fair to say that this is a limitation of your
proposal. We can then discuss if this is reasonable or not. As I have
suggested before, I think it is not. I can think of many instances of
policies where it would be desirable to have a condition in one system
(whether it is a server like DHCP or a software element like BGP) invoke
actions in one or more other systems.


<js> No one suggested that. I think that the problem was mal-formed. </js>



> What's left unspecified here is the "magic" that gets you from
> an event at the DHCP server (the user gets an IP address) to
> events at the routers (this IP address gets added to their
> filters).  I don't think this magic has anything to do with
> the PolicyRoles property, though.
>
> Regards,
> Bob
>
> Bob Moore
> IBM Networking Software
> +1-919-254-4436
> remoore@us.ibm.com
>
>
>
> "Weiss, Walter" <WWeiss@lucentctc.com> on 02/11/2000 12:05:09 PM
>
> To:   Robert Moore/Raleigh/IBM@IBMUS
> cc:   policy@raleigh.ibm.com, johns@cisco.com
> Subject:  RE: Policy issues: definition of Roles
>
>
>
> Bob,
>
> I think this is an excellent idea. However, I believe another problem
> arises. Let's consider two policy rules. In one policy rule,
> let's suppose
> we are trying to limit engineering traffic to some arbitrary
> level/rate.
> This policy rule would presumably have two roles: Engineering
> Interface and
> Edge Interface. I believe the presumption is that the policy
> rule can only
> be applied if both roles are satisfied.
>
> Now, let's suppose the second policy is designed to
> facilitate a network
> login by preventing access to the network until the
> appropriate IP address
> has been given by the DHCP server. Thus when the IP address
> is assigned,
> the
> policy adds or removes the filter (as the case may be) to
> allow access to
> certain parts of the network based on the identity of the new
> user. Now,
> here I am trying to make a feeble attempt at describing a policy that
> crosses two technology domains. Presumably, because we are
> crossing two
> domains, the roles need to represent both domains so that the
> policy (or
> portions of the policy) can be distributed (or processed on
> behalf of) the
> DHCP server and the router managing the filter. Hence, the
> role for the
> policy rule would presumably be DHCP and EndUserInterface.
>
> Now, in the first policy example, we only processed the policy rule on
> behalf of devices that satisfied both role criteria (a
> logical AND of the
> roles). In the second policy rule, we want to process the
> policy for either
> role (a logical OR of the roles). Whether we go with an AND
> semantic or we go
> with
> an OR semantic, either seems to cause problems.
>
> regards,
>
> -Walter
>
> > -----Original Message-----
> > From: remoore@us.ibm.com [ mailto:remoore@us.ibm.com
<mailto:remoore@us.ibm.com> ]
> > Sent: Friday, February 11, 2000 7:59 AM
> > To: Weiss, Walter
> > Cc: policy@raleigh.ibm.com; johns@cisco.com
> > Subject: RE: Policy issues: definition of Roles
> >
> >
> >
> >
> > Walter,
> >
> > In an earlier posting I proposed separating Policy Roles out from
> > the more general set of Policy Keywords.  At that time I left it
> > open where the PolicyRoles property should be placed:  in the
> > abstract class Policy (which is where PolicyKeywords is now), or
> > in the class PolicyRule.  I'm now convinced that PolicyRoles should
> > be placed in PolicyRule, rather than in Policy, because the function
> > of PolicyRoles is to (help) select the set of PolicyRules that apply
> > to a given resource.  Contrast this function with that of the
> > PolicyKeywords property, which is to identify any object in the
> > policy repository that might be of interest to a PDP that's
> > searching the repository.
> >
> > I'm planning to write up a new section for the PCIM describing the
> > PolicyRoles property, which I will post to the list as soon as I've
> > completed it.  Then people can decide whether it makes sense.  John
> > is going to be taking a shot at a section positioning this type of
> > role versus, say, the roles that are used in COPS.  I don't know
> > whether he's planning to propose a set of adjectives to distinguish
> > the different types of roles, although this has certainly been
> > discussed on the list.
> >
> > Regards,
> > Bob
> >
> > Bob Moore
> > IBM Networking Software
> > +1-919-254-4436
> > remoore@us.ibm.com
> >
> >
> >
> > "Weiss, Walter" <WWeiss@lucentctc.com>@raleigh.ibm.com on 02/10/2000
> > 04:02:53 PM
> >
> > Please respond to "Weiss, Walter" <WWeiss@lucentctc.com>
> >
> > Sent by:  policy-owner@raleigh.ibm.com
> >
> >
> > To:   policy@raleigh.ibm.com
> > cc:
> > Subject:  RE: Policy issues: definition of Roles
> >
> >
> >
> > I noticed that roles have been described in PFCIM through the
> > PolicyKeywords
> > attribute in the Policy class. As PolicyGroup, PolicyRule,
> > PolicyCondition
> > and PolicyAction both derive from Policy, all of these
> > classes can specify
> > PolicyKeywords. This suggests that rather than having a role per
> > policy/rule, you can have keywords at any and all levels of a
> > policy. Is
> > this desirable or are we going to place certain usage
> > restrictions or
> > precedence hierarchies on the keywords/roles?
> >
> > regards,
> >
> > -Walter
> >
> >
> >
>
>
>







From majordomo@raleigh.ibm.com  Mon Feb 14 18:11:59 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA26159
	for <policy-archive@odin.ietf.org>; Mon, 14 Feb 2000 18:11:59 -0500 (EST)
Received: from rtpmail01.raleigh.ibm.com (rtpmail01.raleigh.ibm.com [9.37.172.24])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id SAA07436;
	Mon, 14 Feb 2000 18:09:12 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id SAA29578;
	Mon, 14 Feb 2000 18:09:13 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA43832; Mon, 14 Feb 2000 17:43:21 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA48944; Mon, 14 Feb 2000 17:43:18 -0500
Received: from fwns1.raleigh.ibm.com (fwns1.raleigh.ibm.com [9.37.0.3])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id RAA25820
	for <policy@raleigh.ibm.com>; Mon, 14 Feb 2000 17:43:22 -0500
Received: from rerun.lucentctc.com (rerun.lucentctc.com [199.93.237.2])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id RAA23122
	for <policy@raleigh.ibm.com>; Mon, 14 Feb 2000 17:43:18 -0500
Received: by rerun.lucentctc.com with Internet Mail Service (5.5.2448.0)
	id <1FBG1WST>; Mon, 14 Feb 2000 17:42:48 -0500
Message-Id: <75ADD7496F0BD211ADC000104B8846CF019115D6@rerun.lucentctc.com>
From: "Weiss, Walter" <WWeiss@lucentctc.com>
To: "'Yoram Snir'" <ysnir@cisco.com>,
        "'John C. Strassner'"
	 <jstrassn@cisco.com>
Cc: policy@raleigh.ibm.com
Subject: RE: Policy issues: definition of Roles
Date: Mon, 14 Feb 2000 17:42:47 -0500
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Weiss, Walter" <WWeiss@lucentctc.com>

Yoram,

At the beginning of this thread, I posited two possible definitions for
Roles. One emphasized distribution issues. The other emphasized consistent
policy interpretation. We seem to have agreed since then that roles are
specified to address distribution issues, with which I agree. This does not
make the other issue go away. However, I have no problem with John's
suggestion to wait with this issue until after PFCIM is out.

regards,

-Walter

> -----Original Message-----
> From: Yoram Snir [mailto:ysnir@cisco.com]
> Sent: Sunday, February 13, 2000 8:46 AM
> To: 'Weiss, Walter'; 'John C. Strassner'
> Cc: policy@raleigh.ibm.com
> Subject: RE: Policy issues: definition of Roles
> 
> 
> Walter
> Aren't distribution issues and unambiguous interpretations 
> of policy rules
> (conditions and actions) two different issues?
> The methods used to solve the first issue, Roles for example, 
> are not the
> method to solve consistent decision making (clear priorities, decision
> strategy...).
> Thanks.
> 
> Yoram Snir
> Cisco Systems
> Tel.   972-9-9700085
> Mobile 972-54-970085
> 
> > -----Original Message-----
> > From: policy-owner@raleigh.ibm.com
> > [mailto:policy-owner@raleigh.ibm.com]On Behalf Of Weiss, Walter
> > Sent: Friday, February 11, 2000 10:48 PM
> > To: 'John C. Strassner'
> > Cc: policy@raleigh.ibm.com
> > Subject: RE: Policy issues: definition of Roles
> >
> >
> > John,
> >
> > I would agree that this is somewhat unrelated to the 
> concept of roles,
> > assuming that roles focus on distribution issues. However, at
> > some point we
> > will have to agree on how we can achieve the unambiguous
> > interpretation of
> > the policy conditions and actions.
> >
> > regards,
> >
> > -Walter
> >
> > > -----Original Message-----
> > > From: John C. Strassner [mailto:jstrassn@cisco.com]
> > > Sent: Sunday, February 06, 2000 8:37 PM
> > > To: Weiss, Walter; 'Jon Sjoberg'
> > > Cc: policy@raleigh.ibm.com
> > > Subject: RE: Policy issues: definition of Roles
> > >
> > >
> > > <walter wrote:>
> > > In the original posting, my main concern was that the policy
> > > rules, and more
> > > precisely the attributes within policy rules, eventually have
> > > to be bound to
> > > some physical attribute somewhere in order to effect changes
> > > in network
> > > devices or services. Specifying keywords is not enough. We
> > should also
> > > document how an attribute actually maps to given instances of
> > > that attribute
> > > in an interface, queue or whatever.
> > > </walter>
> > >
> > > I would humbly submit that this issue, though important, is
> > > orthogonal to
> > > roles. See my earlier posting. This is a binding issue, and
> > > affects not
> > > just roles (which are, after all, attributes) but other types
> > > of attributes
> > > as well.
> > >
> > > regards,
> > > John
> > >
> > > At 01:36 PM 1/31/00 -0500, Weiss, Walter wrote:
> > > >Jon,
> > > >
> > > >Since my posting, the intent of Roles (in the form of
> > > keywords and keyword
> > > >combinations) has become clearer to me. With role
> > > combinations, I can create
> > > >policies that cross domains. That said, I wanted to draw
> > > attention to the
> > > >text because it was too vague for me to understand what the
> > > intent was.
> > > >
> > > >It seems that the definition of Roles that PCIM authors had
> > > in mind is a bit
> > > >more high level than what I was thinking of. I don't have
> > > any problem with
> > > >grouping policies together based on some keyword. These are
> > > fairly abstract
> > > >concepts that I could easily see  as useful for policy
> > > conflicts. However, I
> > > >have not seen the rubber hit the road yet.
> > > >
> > > >In the original posting, my main concern was that the policy
> > > rules, and more
> > > >precisely the attributes within policy rules, eventually
> > > have to be bound to
> > > >some physical attribute somewhere in order to effect changes
> > > in network
> > > >devices or services. Specifying keywords is not enough. We
> > > should also
> > > >document how an attribute actually maps to given instances
> > > of that attribute
> > > >in an interface, queue or whatever. We could use the role
> > > keyword as a way
> > > >of indicating which set of interfaces or queues we would
> > > like the policy to
> > > >apply to, but then we need a mechanism to bind the keyword
> > > to that set. If
> > > >that is the approach taken, then we still have attribute
> > > qualifiers to deal
> > > >with, but at least I know how I can use Role Keys beyond
> > > conflict detection.
> > > >
> > > >As a side note, we are spending a considerable amount of
> > > time focused on
> > > >device interfaces. I would like to remind folks that the
> > > purpose of this
> > > >working group is to come up with a framework that can not
> > > only be applied to
> > > >QoS components in forwarding engines, but also other
> > problem domains.
> > > >Security policies, Address management policies, and Routing
> > > policies have
> > > >little if anything to do with interfaces. While I am
> > comfortable with
> > > >focusing on QoS (as per our charter), I would like to make
> > > sure that we
> > > >don't make assumptions about how and where policy will be used.
> > > >
> > > >regards,
> > > >
> > > >-Walter
> > > >
> > > > > -----Original Message-----
> > > > > From: Jon Sjoberg [mailto:jsjoberg@TopLayer.com]
> > > > > Sent: Sunday, January 30, 2000 9:08 AM
> > > > > To: Weiss, Walter
> > > > > Cc: policy@raleigh.ibm.com
> > > > > Subject: RE: Policy issues: definition of Roles
> > > > >
> > > > >
> > > > > Walter,
> > > > >
> > > > > > <PCIM>
> > > > > > The Policy Framework is then responsible for configuring
> > > > > > each of the resources associated with a role in such a
> > > way that it
> > > > > > behaves according to the policies specified for that role.
> > > > > > </PCIM>
> > > > > >
> > > > > > First, there is a reference to resources without 
> any context.
> > > > > > Second, I find
> > > > > > policies that can only operate within the confines of a
> > > > > > particular resource
> > > > > > unnecessarily restrictive.
> > > > > >
> > > > > I don't understand where the second point is derived from.  I
> > > > > guess I read
> > > > > the text to say that policies are confined within a specific
> > > > > role.  It seems
> > > > > that policies, in the general sense, can operate across
> > > > > resource and role
> > > > > boundaries.  Each policy rule that enacts a policy must
> > > be restricted,
> > > > > however, to a role.  It would be easier, from a PDP/PEP
> > > > > implementation stand
> > > > > point, to restrict each policy rule down to a resource (and
> > > > > make the policy
> > > > > management tool do all the REAL work).
> > > > >
> > > > > >
> > > > > > <PCIM>
> > > > > > Roles are represented in the Core Policy Schema by
> > values of the
> > > > > > PolicyKeywords property.
> > > > > > </PCIM>
> > > > > >
> > > > > > I found this text to be even more confusing because it
> > > > > supported a third
> > > > > > concept not defined in either of the two concepts I
> > > described: an
> > > > > > arbitrary
> > > > > > grouping based on a keyword possibly bound to a technology
> > > > > like QoS or
> > > > > > security, or an organization like engineering, or
> > > something else???
> > > > > >
> > > > > Actually the possible current values are enumerated in 6.1.2,
> > > > > and the values
> > > > > fall into the "something else" category.  If I read
> > > > > correctly, the standard
> > > > > possible values are:
> > > > > "UNKNOWN", "CONFIGURATION", "USAGE", "SECURITY", "SERVICE",
> > > > > "MOTIVATIONAL",
> > > > > "INSTALLATION", and "EVENT".  I am not sure I fully
> > > understand many of
> > > > > these, though the document does explain them.  Anyway, it is
> > > > > clearly another
> > > > > definition of role not akin to your two or, best I can tell,
> > > > > Shai's newest
> > > > > proposal.
> > > > >
> > > > >
> > > > >
> > >
> >
> >
> 


From majordomo@raleigh.ibm.com  Mon Feb 14 18:30:27 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA26326
	for <policy-archive@odin.ietf.org>; Mon, 14 Feb 2000 18:30:27 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id SAA21662;
	Mon, 14 Feb 2000 18:28:34 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id SAA28630;
	Mon, 14 Feb 2000 18:28:36 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA39928; Mon, 14 Feb 2000 18:08:03 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA28140; Mon, 14 Feb 2000 18:07:57 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id SAA31016
	for <policy@raleigh.ibm.com>; Mon, 14 Feb 2000 18:08:01 -0500
Received: from rerun.lucentctc.com (rerun.lucentctc.com [199.93.237.2])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id SAA07622
	for <policy@raleigh.ibm.com>; Mon, 14 Feb 2000 18:07:57 -0500
Received: by rerun.lucentctc.com with Internet Mail Service (5.5.2448.0)
	id <1FBG1WT1>; Mon, 14 Feb 2000 18:07:27 -0500
Message-Id: <75ADD7496F0BD211ADC000104B8846CF019115D7@rerun.lucentctc.com>
From: "Weiss, Walter" <WWeiss@lucentctc.com>
To: "'remoore@us.ibm.com'" <remoore@us.ibm.com>
Cc: policy@raleigh.ibm.com, johns@cisco.com
Subject: RE: Policy issues: definition of Roles
Date: Mon, 14 Feb 2000 18:07:27 -0500
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain;
	charset="iso-8859-1"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "Weiss, Walter" <WWeiss@lucentctc.com>

Bob,
> 
> I want to make sure we're all in agreement about what we're
> discussing.  Modeling policies that span two or more technologies,
> as well as modeling policies that span two or more systems, are
> both Very Hard problems.  But I don't think we have to solve these
> problems, or even go very far down the path towards solving them,
> in order to determine that the structure I've proposed for the
> PolicyRoles property will be able to do the job in these cases.
>
I would agree that these are hard problems given your current approach.
However, I also believe the problem is a fundamental one. Either this model
can support cross technology or cross service rules or it can't. Once we
actually start using policies, I am fairly convinced that the cross service
policies will be more prevalent than the single service policies. Here is
another example. Let's suppose that I have two ports A and B connected to
another router. Port B is a standby port that becomes active when port A
fails. Port C mirrors all traffic arriving on port A. Suppose I want a
policy that says "If port A fails, change the configuration of port C to
start mirroring traffic from port B." In this case, I have another condition
that is bound to one interface and an action bound to a different interface.
 
> Do you agree that we're now discussing how to model cross-system
> and/or cross-technology policies, not whether PolicyRoles as I've
> proposed that it be defined is adequate for these cases?  If so,
> is there anything else in the PCIM that needs to be changed in
> order to leave us room to address these Very Hard problems later,
> in the context of a subclass schema such as QoS?
> 
I think it is rather easy to model the policies, as I hope the last example
demonstrates. What is difficult is modeling the distribution of the
policies. If a policy can only be distributed to a specific service
instance, then it is also only applicable to that service instance.

> By the way, I hope you're not saying that we need to have solutions
> for these two Very Hard problems *in* the PCIM, and that it can't
> be approved without these solutions.  As we can all attest, coming
> up with solutions, especially general solutions, to Very Hard
> problems ordinarily takes a <Very> Long Time.  So I think the
> correct precondition for advancing the PCIM is not that it solve
> these problems itself, but rather that it not introduce anything
> that makes the problems harder to solve than they would otherwise be.
> I think the PCIM passes this second test.

I don't have a problem with standardizing PCIM without specifying this.
However, I would argue that if you want to avoid this issue, you can simply
state that the current model for describing roles does not support this
capability.

regards,

-Walter


From majordomo@raleigh.ibm.com  Mon Feb 28 10:22:17 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA11291
	for <policy-archive@odin.ietf.org>; Mon, 28 Feb 2000 10:22:17 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA21990;
	Mon, 28 Feb 2000 10:18:30 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id KAA29602;
	Mon, 28 Feb 2000 10:18:29 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA37266; Mon, 28 Feb 2000 09:52:42 -0500
Received: from rtpmail03.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA53350; Mon, 28 Feb 2000 09:52:36 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id JAA28186
	for <policy@raleigh.ibm.com>; Mon, 28 Feb 2000 09:52:37 -0500
Received: from wssone.bj.co.uk (wssone.bj.co.uk [194.72.164.250])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with SMTP id JAA19772
	for <policy@raleigh.ibm.com>; Mon, 28 Feb 2000 09:52:32 -0500
Received: from 194.72.164.27 by wssone.bj.co.uk with ESMTP (WorldSecure
 Server SMTP Relay(WSS) v4.3); Mon, 28 Feb 00 15:02:48 -0000
X-Server-Uuid: 1407cc62-e1e1-11d2-808b-0060971f0dc2
Received: by bjex1.bj.co.uk with Internet Mail Service (5.5.2448.0) id
 <F1F7KSZH>; Mon, 28 Feb 2000 14:47:38 -0000
Message-Id: <608D67882786D211B1070090271E4CB96ECAD5@bjex1.bj.co.uk>
From: "David Lowndes" <David.Lowndes@bj.co.uk>
To: "'policy@raleigh.ibm.com'" <policy@raleigh.ibm.com>
Subject: Why is there no week of month facility in
 policyTimePeriodConditionAuxClass?
Date: Mon, 28 Feb 2000 14:47:36 -0000
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
X-Wss-Id: 14A4519238401-01-01
Content-Type: multipart/alternative; 
 boundary="----_=_NextPart_001_01BF81FA.C1DE9E24"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "David Lowndes" <David.Lowndes@bj.co.uk>


In working on an implementation of the proposed standard for policy time
periods, one of the requirements we've come across is the need to specify
the week of a month.

For example, a policy might be applicable during:

	The first (second, third, fourth, fifth) week of a month.
	The last week of a month.
	The next to last week of a month.
	The first and last weeks of a month.

I can't see any provision for this in the proposed attributes. Has this
requirement been considered, and is there a way of achieving this using the
existing attributes?

Dave Lowndes




From majordomo@raleigh.ibm.com  Mon Feb 28 14:03:17 2000
Received: from fwns2.raleigh.ibm.com (fwns2d.raleigh.ibm.com [204.146.167.236])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA17739
	for <policy-archive@odin.ietf.org>; Mon, 28 Feb 2000 14:03:15 -0500 (EST)
Received: from rtpmail02.raleigh.ibm.com (rtpmail02.raleigh.ibm.com [9.37.172.48])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id NAA30718;
	Mon, 28 Feb 2000 13:58:55 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id NAA03592;
	Mon, 28 Feb 2000 13:58:39 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA53178; Mon, 28 Feb 2000 13:41:50 -0500
Received: from rtpmail02.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA25770; Mon, 28 Feb 2000 13:41:47 -0500
Received: from corp.tivoli.com (corp.tivoli.com [146.84.104.1])
	by rtpmail02.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id NAA31242
	for <policy@raleigh.ibm.com>; Mon, 28 Feb 2000 13:41:49 -0500
From: Ed_Ellesson@tivoli.com
Received: from tivmta4.tivoli.com (tivmta4.tivoli.com [146.84.104.47])
	by corp.tivoli.com (8.9.3/8.9.0) with SMTP id MAA08505
	for <policy@raleigh.ibm.com>; Mon, 28 Feb 2000 12:42:03 -0600 (CST)
Received: by tivmta4.tivoli.com(Lotus SMTP MTA v4.6.5  (863.2 5-20-1999))  id 86256893.00593C1C ; Mon, 28 Feb 2000 10:14:40 -0600
X-Lotus-Fromdomain: TIVOLI SYSTEMS
To: policy@raleigh.ibm.com
Message-Id: <86256893.005939AC.00@tivmta4.tivoli.com>
Date: Mon, 28 Feb 2000 13:36:28 -0500
Subject: Re: Why is there no week of month facility in
	 policyTimePeriodConditionAuxClass?
Mime-Version: 1.0
Content-Type: multipart/mixed; 
	Boundary="0__=t7JiPOGNwo1rhS9DsR4y3asnYFJAs8ZlGveLjjS8HUrCUKXQ2ZwIGkNV"
Content-Disposition: inline
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: Ed_Ellesson@tivoli.com


I meant to send this to the list, as well as to David.

Ed Ellesson
Tivoli Systems
Research Triangle Park, NC
ed_ellesson@tivoli.com
919-254-4115


---------------------- Forwarded by Ed Ellesson/Tivoli Systems on 02/28/2000
01:38 PM ---------------------------


Ed Ellesson
02/28/2000 01:35 PM

To:   "David Lowndes" <David.Lowndes@bj.co.uk>
cc:
From:
Subject:  Re: Why is there no week of month facility in
      policyTimePeriodConditionAuxClass?  (Document link: Ed Ellesson)

David,

This sounds like a potentially ambiguous specification.  That is, how would one
go about defining, in a general way, what constitutes the "first week of the
month",  which would yield a specific set of days, for any given month?

For example, for this coming month, March 2000, what is "the first week of the
month"?

1. Wednesday, March 1, through Saturday, March 4?

2. Sunday March 5, through Saturday, March 11?

3.  Does it start on Sunday and end on Saturday?  (I think there are countries
which do not begin their "week" on Sunday.)   e.g. Saturday, March 4 through
Friday, March 10?

4.  Or is the first week literally the first week, which would be Wed. March 1
through Tuesday, March 6?

There are probably other possibilities.  It seems to me like it would be better
for an administrator to choose the days that a policy applies to, according to
the day bit mask of each month.  The administrator would have to sit down and do
this once each year, is my guess.  What do you think?


Ed Ellesson
Tivoli Systems
Research Triangle Park, NC
ed_ellesson@tivoli.com
919-254-4115




"David Lowndes" <David.Lowndes@bj.co.uk> on 02/28/2000 09:47:36 AM

Please respond to "David Lowndes" <David.Lowndes@bj.co.uk>

To:   "'policy@raleigh.ibm.com'" <policy@raleigh.ibm.com>
cc:    (bcc: Ed Ellesson/Tivoli Systems)
Subject:  Why is there no week of month facility in
      policyTimePeriodConditionAuxClass?




In working on an implementation of the proposed standard for policy time
periods, one of the requirements we've come across is the need to specify
the week of a month.

For example, a policy might be applicable during:

     The first (second, third, fourth, fifth) week of a month.
     The last week of a month.
     The next to last week of a month.
     The first and last weeks of a month.

I can't see any provision for this in the proposed attributes. Has this
requirement been considered, and is there a way of achieving this using the
existing attributes?

Dave Lowndes





From majordomo@raleigh.ibm.com  Tue Feb 29 11:34:55 2000
Received: from fwns1.raleigh.ibm.com (fwns1d.raleigh.ibm.com [204.146.167.235])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA24100
	for <policy-archive@odin.ietf.org>; Tue, 29 Feb 2000 11:34:54 -0500 (EST)
Received: from rtpmail03.raleigh.ibm.com (rtpmail03.raleigh.ibm.com [9.37.172.47])
	by fwns1.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with ESMTP id KAA29940;
	Tue, 29 Feb 2000 10:31:09 -0500
Received: from rtpaix11.raleigh.ibm.com (rtpaix11.raleigh.ibm.com [9.37.172.4])
	by rtpmail03.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with SMTP id KAA22276;
	Tue, 29 Feb 2000 10:31:08 -0500
Received: by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA35954; Tue, 29 Feb 2000 10:02:29 -0500
Received: from rtpmail01.raleigh.ibm.com by rtpaix11.raleigh.ibm.com (AIX 4.1/UCB 5.64/4.03-RAL)
          id AA27490; Tue, 29 Feb 2000 10:02:22 -0500
Received: from fwns2.raleigh.ibm.com (fwns2.raleigh.ibm.com [9.37.0.4])
	by rtpmail01.raleigh.ibm.com (8.8.5/8.8.5/RTP-ral-1.1) with ESMTP id KAA29952
	for <policy@raleigh.ibm.com>; Tue, 29 Feb 2000 10:02:24 -0500
Received: from wssone.bj.co.uk (wssone.bj.co.uk [194.72.164.250])
	by fwns2.raleigh.ibm.com (8.9.0/8.9.0/RTP-FW-1.2) with SMTP id KAA30124
	for <policy@raleigh.ibm.com>; Tue, 29 Feb 2000 10:02:19 -0500
Received: from 194.72.164.27 by wssone.bj.co.uk with ESMTP (WorldSecure
 Server SMTP Relay(WSS) v4.3); Tue, 29 Feb 00 15:09:30 -0000
X-Server-Uuid: 1407cc62-e1e1-11d2-808b-0060971f0dc2
Received: by bjex1.bj.co.uk with Internet Mail Service (5.5.2448.0) id
 <F1F7K4VP>; Tue, 29 Feb 2000 14:52:55 -0000
Message-Id: <608D67882786D211B1070090271E4CB96ECADC@bjex1.bj.co.uk>
From: "David Lowndes" <David.Lowndes@bj.co.uk>
To: policy@raleigh.ibm.com
Subject: RE: Why is there no week of month facility in
 policyTimePeriodConditionAuxClass?
Date: Tue, 29 Feb 2000 14:52:54 -0000
Mime-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
X-Wss-Id: 14A53EA044-01-01
Content-Type: multipart/alternative; 
 boundary="----_=_NextPart_001_01BF82C4.A922E320"
Sender: policy-owner@raleigh.ibm.com
Precedence: bulk
Reply-To: "David Lowndes" <David.Lowndes@bj.co.uk>


> This sounds like a potentially ambiguous specification.  That is, how
> would one go about defining, in a general way, what constitutes the
> "first week of the month", which would yield a specific set of days,
> for any given month?
>
> For example, for this coming month, March 2000, what is "the first week
> of the month"?
> 1. Wednesday, March 1, through Saturday, March 4?
> 2. Sunday March 5, through Saturday, March 11?

You're right Ed, this is ambiguous and on reflection my point wasn't well
thought out - I don't know if it's any better now either!

Rather than specify the whole week, our actual requirement may be more like:

        The (1'st/2'nd/3'rd,4'th/5'th/last/next to last)
(M/T/W/T/F/Sat/Sun/Weekday/Weekend day/Day) of a month.

For example:

	The 1'st Monday of a month, or,
	The last Friday of a month.

I think these are achievable in the standard by:

	Setting the first 7 days in the ptpConditionDayOfMonth flags and the
Monday flag in ptpConditionDayOfWeek
	Setting the last 7 days in the ptpConditionDayOfMonth flags and the
Friday flag in ptpConditionDayOfWeek
	(I'm assuming here that the intention is to logically AND all the
attributes).

However, the requirement to say something like:

	The 2'nd Weekday of a month

is in itself ambiguous as it could be interpreted as being the day after the
first weekday of a month, or (as in a weekly context) as the first weekday
in the second week of a month.

More clearly understandable may be the business case for:

	The first weekday of a month

I think this would entail an evaluation such as:

	((day = Monday) AND (monthdate <=3)) OR ((Tuesday <= day <= Friday)
AND (monthdate = 1))

Is there any way of expressing and evaluating this using the standard
attributes?

Dave Lowndes
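An added worked example (not from this thread or from any draft) that computes Ed's four readings of "the first week of the month" for March 2000 and evaluates David's flag encodings for "the 1st Monday", "the last Friday" and the "first weekday" expression. It assumes a simplified model of the attributes: a day-of-month mask counted from the start of the month, a second one counted back from the last day, and a day-of-week mask, with the attributes that are set ANDed (as David assumed) and separate conditions ORed; the class and attribute names and the bit layout are assumptions, not the draft's encoding.

```python
"""Constructed example for the policy time-period thread: the ambiguity of
"first week of the month" and day-of-month / day-of-week flag evaluation.
The attribute model here is an assumption, not the draft's wire encoding."""
import calendar
from datetime import date, timedelta

MON, TUE, FRI, SAT, SUN = 0, 1, 4, 5, 6   # date.weekday() numbering


def first_week(year, month, reading):
    """(start, end) of the 'first week' of a month under one of the four
    readings Ed listed. They yield different day sets for the same month."""
    first = date(year, month, 1)
    last = date(year, month, calendar.monthrange(year, month)[1])
    if reading == "partial_through_saturday":     # 1: the 1st .. first Saturday
        start, end = first, first + timedelta((SAT - first.weekday()) % 7)
    elif reading == "full_sunday_to_saturday":    # 2: first complete Sun..Sat
        start = first + timedelta((SUN - first.weekday()) % 7)
        end = start + timedelta(6)
    elif reading == "full_saturday_to_friday":    # 3: first complete Sat..Fri
        start = first + timedelta((SAT - first.weekday()) % 7)
        end = start + timedelta(6)
    elif reading == "first_seven_days":           # 4: literally days 1..7
        start, end = first, first + timedelta(6)
    else:
        raise ValueError(f"unknown reading {reading!r}")
    return start, min(end, last)


def _mask(bits):
    """Bitmask from 0-based bit positions; None means the attribute is unset."""
    if bits is None:
        return None
    m = 0
    for b in bits:
        m |= 1 << b
    return m


class TimePeriodCondition:
    """Assumed model of the day-of-month and day-of-week flags in the thread.
    day_of_month counts from the 1st (1 = first day); day_of_month_from_end
    counts back from the last day (1 = last day); day_of_week uses
    date.weekday() numbers. Unset attributes do not constrain; set ones are
    ANDed, which is what David assumed about the attributes."""

    def __init__(self, day_of_month=None, day_of_month_from_end=None,
                 day_of_week=None):
        self.start_mask = _mask(None if day_of_month is None
                                else (d - 1 for d in day_of_month))
        self.end_mask = _mask(None if day_of_month_from_end is None
                              else (d - 1 for d in day_of_month_from_end))
        self.dow_mask = _mask(day_of_week)

    def matches(self, day):
        ndays = calendar.monthrange(day.year, day.month)[1]
        checks = []
        if self.start_mask is not None or self.end_mask is not None:
            # The day-of-month attribute holds if either half selects the day.
            hit = False
            if self.start_mask is not None:
                hit |= bool(self.start_mask & (1 << (day.day - 1)))
            if self.end_mask is not None:
                hit |= bool(self.end_mask & (1 << (ndays - day.day)))
            checks.append(hit)
        if self.dow_mask is not None:
            checks.append(bool(self.dow_mask & (1 << day.weekday())))
        return all(checks)   # logical AND across the attributes that are set


def matching_days(year, month, conditions):
    """Days of the month on which ANY of the conditions holds: an OR over
    separate conditions, each of which ANDs its own attributes."""
    ndays = calendar.monthrange(year, month)[1]
    return [d for d in (date(year, month, n) for n in range(1, ndays + 1))
            if any(c.matches(d) for c in conditions)]


# David's encodings: first 7 days AND Monday; last 7 days AND Friday.
FIRST_MONDAY = TimePeriodCondition(day_of_month=range(1, 8), day_of_week=[MON])
LAST_FRIDAY = TimePeriodCondition(day_of_month_from_end=range(1, 8),
                                  day_of_week=[FRI])

# David's "first weekday" expression, split into two ANDed conditions that
# are ORed together:
#   ((day = Monday) AND (monthdate <= 3))
#   OR ((Tuesday <= day <= Friday) AND (monthdate = 1))
FIRST_WEEKDAY = [
    TimePeriodCondition(day_of_month=[1, 2, 3], day_of_week=[MON]),
    TimePeriodCondition(day_of_month=[1], day_of_week=range(TUE, FRI + 1)),
]

if __name__ == "__main__":
    for reading in ("partial_through_saturday", "full_sunday_to_saturday",
                    "full_saturday_to_friday", "first_seven_days"):
        print(f"{reading:26} {first_week(2000, 3, reading)}")
    print("1st Monday  Mar 2000:", matching_days(2000, 3, [FIRST_MONDAY]))
    print("last Friday Mar 2000:", matching_days(2000, 3, [LAST_FRIDAY]))
    print("1st weekday Jan 2000:", matching_days(2000, 1, FIRST_WEEKDAY))
```

Running it for March 2000 shows the four "first week" readings disagree, while the flag encodings select 6 March (1st Monday) and 31 March (last Friday); for January 2000, which begins on a Saturday, the two-condition expression selects Monday the 3rd.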




