1 / 32

Policy-Based Networking

Policy-Based Networking. 指導教授: 鍾添曜教授 主講人: 李孝治 12/01/99. Policy Framework Architecture. Internet Draft: Waters et al., February 1999. Policy The combination of rules and services where rules define the criteria for resource access and usage. An abstraction

becky
Download Presentation

Policy-Based Networking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Policy-Based Networking 指導教授: 鍾添曜教授 主講人: 李孝治 12/01/99

  2. Policy Framework Architecture • Internet Draft: Waters et al., February 1999. • Policy • The combination of rules and serviceswhere rules define the criteria for resource access and usage. • An abstraction • of general configuration and operational characteristics of resources in a policy domain(Autonomous System/Administrative Domain) & • of service-level objects (SLO) on these resources(derived from service-level Agreements, SLA) • Components: Condition/Action pairs • Policy Management Tool - define and update policy rules • Policy Repository - retain and retrieve rules • Policy Decision Point (PDP) - access the conditional criteria of a rule • Policy Enforcement Point (PEP)- execute the actions of a rule when the conditions evaluate to “true”

  3. Policy prescriptions | V +--------------------+ | Policy | Functions: Policy Editor | Management Tool | Rule Translation +---------+----------+ Rule Validation | | <--- Repository Access Protocol | (e.g., LDAP) +---------+----------+ | Policy Repository | | (Directory Server, | Functions: Storage and Retrieval | Database, etc. ) | of Rules +---------+----------+ | | <--- Repository Access Protocol | (e.g., LDAP) +---------+----------+ | Policy Decision | Functions: Policy Trigger and | Point (PDP) | rule locator. +---------+----------+ Device Adapter | State and Resource Validation | | <--- Policy Protocol for policy mechanisms | +---------+----------+ | Policy Enforcement | Function: Execution of specified Actions | Point (PEP) | Device State and Resource +--------------------+ ValidationFigure 2. Policy Architecture Functional Definition

  4. A Framework for Policy-Based Admission Control • Internet Draft: Yavatkar et al., April 1999. • IP’s best effort service  QoS service • Integrated Service (int-serv) • Certain data flows receive preferential treatment over other flows • Requires Explicit Signaling (Example: RFC 2205 - RSVP) • Differentiated Service (diff-serv) • Current Admission Control Schemes do not include “policy” criteria such as identity of user and application, ingress point, traffic/bandwidth requirements, security, time of day/week, etc.

  5. ________________ Policy server | | ______ | Network Node | | |-------------> | _____ | | | May use LDAP,SNMP,.. for accessing | | | | | | policy database, authentication,etc. | | PEP |<-----|------->| PDP |-------------> | |_____| | |_____| | | |________________| Figure 1: A simple configuration with the primary policy control architecture components. PDP may use additional mechanisms and protocols for the purpose of accounting, authentication, policy storage, etc.

  6. ________________ ____________________ | | | | | Network Node | Policy Server | Network Node | | _____ | _____ | _____ _____ | | | | | | | | | | | | | | | PEP |<-----|---->| PDP | | | PEP |<-->| PDP | | | |_____| | |_____| | |_____| |_____| | | ^ | | | | | _____ | |____________________| | \-->| | | | | LPDP| | | |_____| | | | |________________|Figure 2: Two other possible configurations of policy control architecture components. The configuration on left shows a local decision point at a network node and the configuration on the right shows PEP and PDP co-located at the same node. Note: LPDP = Local Policy Decision Point

  7. ______________________________ | | | RSVP Router | | ________ _____ | _____ | | | | | | | | | | RSVP |<------->| PEP |<--|---------->| PDP | | |________| |_____| | |_____| | ^ | | | Traffic control | | | _____________ | | \---->| _________ | | | | |capacity | | | | | | ADM CTL | | | | | |_________| | | --|----------->| ____ ____ | | | Data | | PC | PS | | | | | |____|____| | | | |_____________| | | | |______________________________|Figure 3: Relationship between PEP and other int-serv components within an RSVP router. Note: PC = Packet Classifier, PS = Packet Scheduler

  8. AD-1 AD-2 AD-3 ________________/\_______________ __/\___ __/\___ { } { } { } A B C D E +-------+ +-----+ +-------+ +-------+ +-------+ | RSVP | | RSVP| | RSVP | | RSVP | | RSVP | +----+ |-------| |-----| |-------| |-------| |-------| | S1 |--| P | L |---| |----| P | L |----| P | P |----| P | +----+ +----+ | E | D | +-----+ | E | D | | E | D | | E |----| R1 | | P | P | | P | P | | P | P | | P | +----+ +-------+ +-------+ +------+ +-------+ ^ ^ ^ | | | | | | | | +-------+ | | | PDP | | +------+ | |-------| +-------->| PDP |<-------+ | | |------| +-------+ | | PS-2 +------+ PS-1Figure 4: Placement of Policy Elements in an internet

  9. RSVP Extensions for Policy Control • Internet Draft: Herzog, April 1999. • These extensions include the standard format of POLICY_DATA objects, and a description of RSVP's handling of policy events. • POLICY_DATA objects are carried by RSVP messages and contain policy information. • All policy-capable nodes can generate, modify, or remove policy objects. • Such policies can be successfully deployed across multiple administrative domains when border nodesmanipulate and translate POLICY_DATA objects according to established sets of bilateral agreements.

  10. PDP1 PDP2 | | | | +---+ +---+ +---+ | A +---------+ B +---------+ C | +---+ +---+ +---+ PEP2 PIN PEP2Figure 1: Autonomous Domain scenario Note: PIN = Policy Ignorant Node

  11. IANA Considerations:RSVP Policy Elements (P-Types) • Numbers 0-4915: • standard policy elements by IETF Consensus action • Numbers 49152-53247: • vendor specific (one per vendor) by First Come First Serve basis • Numbers 53248-65535: • reserved for private use and are not assigned by IANA

  12. A Policy Based Networking Architecture for Enterprise Networks • Nomura et al. – ICC’99 • Policy-based Systems Management (PSM) • To reduce the total cost of ownership (TCO) while providing highly functional enterprise systems:conventional data, voice data, and video, etc. • Tendencies of enterprise networks: • Scalability • QoS guarantee for multimedia data: QoS/CoS control • Reliability over IP networks • Problems of conventional enterprise systems • Increasing cost of system operation and management • Complication of network device control • Not sharing management information

  13. • PSM Componets: • System • Application • Network ★

  15.     

  16. Policy-Based Networking Architecture for QoS Interworking in IP Management • Blight & Hamada – IFIP/IEEE INM’99 • Scalable architecture for large-scale enterprise public interoperation • Two approaches: • Policy abstraction • Hierarchy organization with precedence rules

  17. Three approaches to meet QoS requirements in IP networks: • Integrated Services (IntServ) • Differential Services (DiffServ) • Traffic Shaping and Policing • To differentiate traffic: • In the traditional IP management – • IP Address, Protocol, Port, TOS(IPv4) and Priority(IPv6) • In the new enhanced IP management – • Users, Service, User Priority

  18. Netscape LDAP servers,Novell NDS,MS Active Directories LDAP COPS,DIAMETER

  19. ★ ★Edge switches are primarily responsible for supporting end-to-end QoS: ◆ Management view translation ◆ Policy interoperation ◆ SLA management

  20. Scalability • Physical Scalability • A primary concern • X.500 series • Distributed Directory System Agents (DSA) • Control Path Scalability • Not a critical factor (∵control traffic is low in volume) • Management Scalability • The main theme of this paper

  21. Two mechanisms that interact between the directory server and network elements: • Active Networks: Network elements maypull policies from the directory server • Passive Networks: The directory server must push policies to network elements • Two mechanisms may coexist in a domain. • The difference between the two mechanisms does not affect physical scalability, but the balance of load and intelligence.

  22. To manage complexity, two orthogonal manners to organize policies: • (1) Policy Abstraction • Specific policies for QoS routing • Identity of traffic streams • Minimum and maximum QoS • Priority • Identity of policy source • Enabling conditions

  23. Corporate Policy (A) Tokyo D < AA < C B < A D San Jose Department Policy (B) London Department Policy (C) • (2) Aggregation Hierarchy with Precedence Rules • Policy Divergence: • It becomes increasingly difficult to detect and predict policy conflicts within large policy sets. • A solution to override policy conflicts locally:Precedence Rules

  24. The COPS Protocol(Common Open Policy Service) • Internet Draft: Boyle, August 1999. • A client/server model to exchange policy information between a PDP and its clients (PEP). • Assume that at least one policy server exists in each controlled administrative domain.

  25. +----------------+ | | | Network Node | Policy Server | | | +-----+ | COPS +-----+ | | PEP |<-----|-------------->| PDP | | +-----+ | +-----+ | ^ | | | | | \-->+-----+ | | | LDP | | | +-----+ | | | +----------------+ Figure 1: A COPS illustration.

  26. The PEP is responsible for initiating a persistent TCP connection to a PDP. • When the PEP sends a configuration request, it expects the PDP to continuously send named units of configuration data to the PEP via decision messages. • When a unit of named configuration data is successfully installed on the PEP, the PEP should send a report message to the PDP confirming the installation. • The PDP may then update or remove the named configuration information via a new decision message. • The PEP will delete the specified configuration and send a report message to the PDP as confirmation. • The PEP is responsible for notifyingthe PDP when a request state has changed on the PEP. • The PEP may make a local policy decision via its LDP. But the PEP must relay the local decision to the PDP.

  27. Signaled Preemption Priority Policy • Internet Draft: Herzog, February 1999. • Traditional Capacity-based Admission Control (CAC) vs.Policy-based Admission Control (PAC) • Preemptive Priority • To preempt some previous admitted low-priority flows in order to make room for a newer, higher-priority flow • Assumptions: • They are created by PDPs • They can be processed by LDPs • The are enforced by PEPs • Stateless Policy

  28. Policy Element Format: +-------------+-------------+-------------+-------------+ | Length (12) | P-Type = PREEMPTION_PRI | +------+------+-------------+-------------+-------------+ | Flags (0) | M. Strategy | Error Code | Reserved(0) | +------+------+-------------+-------------+-------------+ | Preemption Priority | Defending Priority | +------+------+-------------+-------------+-------------+ • P-type = PREEMPTIN_PRI • Preemption Priority: • Used to compete when admitting • Defending Priority: • Used to defense once admitted • PP ≦ DP • If DP – PP is large → more stable

  29. Priority Merging • Problem: • F1: QoS = High, Priority = LowF2: QoS = Low, Priority = HighF1 + F2 = F3: QoS = High, Priority = ? • If Priority of F3 = High, F1 becomes a Free-RiderIf Priority of F3 = Low, F2 may gets a Denial of Service • Different Merging Strategies(specified in the policy element: “M. Strategy”) • Take priority of highest QoS → Low • Take highest priority → High • Force error on heterogeneous merge (different QoS) → Error

  30. Issues on Policy Based Networking/Management • Policy Representation • Policy Conflicts • Inter-operability • Inter-Network and Inter-Domain Communication • Scalability • Multicasting • AAA (Authorization, Authentication, and Accounting) • Reliability • Security

More Related