Re: Distributing site-wide RFC 3484 policy
Brian E Carpenter wrote:
On 2007-08-03 12:34, YOSHIFUJI Hideaki / 吉藤英明 wrote:
2. Applicability of distribution of "exact" policy table is too
An implementation may want to have their own policy, or more
(probably, in addition to ifindex), e.g. traffic class or whatever.
The ifindex should be assumed one of extensions to the "standard"
policy table, and the details should be left to implementations.
The policy announced from network cannot be set directly.
I know that conflicts are common, but, I would say, the distribution
should not (or cannot) be an exact one, but a "hint", "suggestion" or
"recommendation". I do think it is much better to have information as
"relative" representation, but at least, we should make the
Of course, an implementation may assume such information an order from
network, but the network policy can only be enforced by the network.
If the interpretation of the "policy" is relaxed, we will have more
chances to use such framework.
I agree that the IETF specification should not say that the central
policy takes priority over the host policy. IMHO we should provide
a mechanism (such as assigning a weight to each policy element),
so that it is a configuration issue whether the central policy or the
host policy wins.
About zone-index we don't hesitate to remove it from our specification
if there is no single case that utilizes zone index or we cannot make
use of it because of its characteristics.
About Brian's comment,
I agree that we should provide such a mechanism for changing
policy acceptance behavior at hosts. Although these issues should be
"implementation dependent", IMHO it is better to describe several
possible and valid implementation approaches in the specification draft.
Whether the distributed values should be "relative" or "absolute"
depends on such a mechanism. If the mechanism allows a host's policy
to be fully overwritten, the distributed values can be used as absolute
values. They have to be taken as relative values if a user chooses
"merge mechanism", which can lead to policy collision in some cases though.
IP Technology Expert Team
Secure Communication Project
NTT Information Sharing Platform Laboratories
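The reply above describes two ways a host can accept a distributed RFC 3484 policy table: full overwrite (distributed values are absolute) or a merge (values are relative, and collisions are possible). The following is an added example, not code from any participant in this thread or from the draft under discussion. It models Brian's suggested per-entry weight as an assumed extension of the standard table (prefix, precedence, label), implements both acceptance modes, records every collision so an operator can inspect what the central policy tried to change, and does a longest-prefix lookup as in RFC 3484 section 2.1. The host table is the RFC 3484 default; the "network" table and all weights are constructed sample data.

```python
"""Merging a host's RFC 3484 policy table with a network-distributed one.

Added example for this thread, not code from any of the posters.  The
"weight" field and the merge/overwrite modes are assumptions modelled on
the suggestion that a configurable weight decides whether the central or
the host policy wins.  The NETWORK_TABLE values are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyEntry:
    prefix: ipaddress.IPv6Network
    precedence: int
    label: int
    weight: int = 0  # assumed extension: higher weight wins a collision


def entry(prefix, precedence, label, weight=0):
    return PolicyEntry(ipaddress.IPv6Network(prefix), precedence, label, weight)


# RFC 3484 section 2.1 default policy table, with a locally chosen weight.
HOST_TABLE = [
    entry("::1/128", 50, 0, weight=10),
    entry("::/0", 40, 1, weight=10),
    entry("2002::/16", 30, 2, weight=10),
    entry("::/96", 20, 3, weight=10),
    entry("::ffff:0:0/96", 10, 4, weight=10),
]

# Constructed "distributed" table: the site wants 6to4 deprioritised and a
# local ULA range preferred.  Weights are what the network asks for; the
# host's own weights decide whether those requests are honoured.
NETWORK_TABLE = [
    entry("2002::/16", 5, 2, weight=20),        # collides; higher weight -> network wins
    entry("fd00:1234::/32", 45, 5, weight=20),  # new prefix, no collision
    entry("::/0", 35, 1, weight=5),             # collides; lower weight -> host keeps its own
]


def merge_tables(host, network, mode="merge"):
    """Return (merged_table, collisions).

    mode="overwrite": the distributed table replaces the host table entirely,
        so its values are taken as absolute.
    mode="merge": entries are keyed by prefix; on a collision the entry with
        the higher weight wins and the host wins ties, so the central policy
        only overrides where the host's configuration allows it.
    Collisions are returned as (host_entry, network_entry) pairs in both
    modes where they occur, so an operator can audit what was overridden.
    """
    if mode == "overwrite":
        return list(network), []
    if mode != "merge":
        raise ValueError(f"unknown mode {mode!r}")
    merged = {e.prefix: e for e in host}
    collisions = []
    for ne in network:
        he = merged.get(ne.prefix)
        if he is None:
            merged[ne.prefix] = ne
            continue
        collisions.append((he, ne))
        if ne.weight > he.weight:
            merged[ne.prefix] = ne
    # Longest prefix first, matching the order a lookup would consult.
    ordered = sorted(merged.values(), key=lambda e: e.prefix.prefixlen, reverse=True)
    return ordered, collisions


def lookup(table, address):
    """Longest-prefix match (RFC 3484 section 2.1); returns (precedence, label)."""
    addr = ipaddress.IPv6Address(address)
    best = None
    for e in table:
        if addr in e.prefix and (best is None or e.prefix.prefixlen > best.prefix.prefixlen):
            best = e
    if best is None:
        raise LookupError(f"no policy entry covers {address}")
    return best.precedence, best.label


if __name__ == "__main__":
    merged, collisions = merge_tables(HOST_TABLE, NETWORK_TABLE)
    for he, ne in collisions:
        print(f"collision on {he.prefix}: host weight {he.weight}, network weight {ne.weight}")
    for probe in ("2002:c000:204::1", "fd00:1234::1", "2001:db8::1"):
        print(probe, "->", lookup(merged, probe))
```

With the sample data the 6to4 entry is overridden (the network's weight 20 beats the host's 10), the ULA entry is simply added, and the `::/0` change is refused because the host outranks it; in overwrite mode all three network values apply unconditionally. The tie-break in favour of the host is a design choice that keeps the distributed table a "hint" unless the host explicitly raises the network's weight above its own.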