Download
1 / 11
110 likes | 227 Vues
The 49th IETF meeting in San Diego highlighted significant discussions around the IPSP Configuration Model Framework, specifically focusing on various models like PCIM (general framework), QPIM (domain-level policy), and QDDIM (device-level operational). Key topics included condition differences, decision strategies, policy roles, and inheritance issues. Participants explored the relationships between various policy models and operational behaviors, emphasizing the implications of filters and actions in policy evaluation. This dialogue contributed to the ongoing development of device and policy management within the DMTF context.
E N D
IPSP Configuration ModelFramework Feedback • IPSP Configuration Information Model (ICIM) • http://rafalow.home.mindspring.com/dmtf.htm • http://www.dmtf.org/spec/cims.html • Feedback discussions Lee Rafalow rafalow@raleigh.ibm.com IPSP WG & Policy WG 49th IETF - San Diego
DMTF Device-Model Overview 49th IETF - San Diego
Derived from Policy Framework 49th IETF - San Diego
Filter-based Conditions 49th IETF - San Diego
Actions, Proposals & Transforms 49th IETF - San Diego
IPSP Configuration Info Model Feedback Discussion • Many of the differences in the models can be traced back to: • PCIM is a general framework • QPIM is a domain-level policy model • QDDIM is a device-level model of operational behavior • ICIM is a device-level policy model • A few are just different approaches 49th IETF - San Diego
Condition Differences • Filters & “Atoms” (QPIM) • IPSP provides for discipline-specific condition evaluation information using associations to a FilterList and CredentialManagementService • QPIM defines subclasses of Condition that provide a general <variable><operator><value> grammar • Implicit Condition Semantics • IPsec protocol provides identity information at different times in the protocol sequence • Condition evaluation is predicated on presence of the information, i.e., semantic of identity and credential filter is compound “if present and <matchcondition>” if <address filter> and <identity filter> may evaluate to TRUE in early stage of Phase 1 and evaluate to FALSE once identity information is available 49th IETF - San Diego
IPsecPolicyGroupInPolicyGroup.GroupPriority (QPIM) IPSP models GroupPriority in the aggregation QPIM models gpPriority as a property of gpsPolicyGroup (in the same way as RulePriority) Rules in exactly one group (PCIM) Unique Rule & Group Priority values (PCIM) Deterministic rule evaluation order Decision Strategy (QPIM) IPSP decision strategy is Match First, implicit QPIM has explicit decision strategies defined in qpPolicyDomain.gpPolicyRuleMatchMethod and gpsPolicyGroup.gpNamedPolicyRuleMatchMethod Group-related Differences 49th IETF - San Diego
Policy Roles • PolicyGroup, Roles & Interface Bindings (PCIM) • IPsec model defines explicit association between IPsecPolicyGroup and interfaces (IPProtocolEndpoint) to which it applies • PCIM defines PolicyRole on a rule basis, association by named relationship • IKERule.IdentityContexts & Roles (PCIM) • IdentityContexts uses roles and role combinations syntax • Provides named relationship between IKERule and appropriate local identity to use, used with other properties • IKEAction.UseIkeIdentityType • IPProtocolEndpoint 49th IETF - San Diego
Inheritance Discussion • Device-level model structures • QDDIM is a model of operational behavior, derives from operational classes • IPSP ICIM is a policy model, derives from Policy classes • PolicyActions vs. Settings • Some disagreement about class derivations • Multiple inheritance in a single inheritance environment • Bypass and Discard 49th IETF - San Diego
Other Discussion Topics • PolicyRule.SequencedActions (PCIM) • “Mandatory” but with a “use first appropriate” semantic, extend enumeration values? • PolicyElementInRepository (QPIM) • IPSP defines …InRepository associations for SAProposal & SATransform, weak associations • QPIM defines one general association 49th IETF - San Diego
