Hi all,
We are actually using COPS-PR to dynamically provision IPSec tunnels, based on the framework PIB and the IPSec PIB drafts. To proceed, we need for some part of the configuration to address policies to one particular interface only. According to draft-framworkpib-07, this is possible:
"We point out that, in the event that the administrator needs to have
unique policy for each interface, this can be achieved by
configuring each interface with a unique role."
I'm not a medium, but I believe that the deployment of services thanks to COPS-PR may require being able to address each interface in some circumstances. Therefore, my question is: should this be taken into account in the definition of roles? For instance, systematically adding the corresponding Ifindex to the role combination of an interface could be a means to proceed, and this would not heavily impact the use of roles. For instance, roles wouldn't lose the level of indirection they provide.
In this context, suppose we have three interfaces:
Roles A, B, R1 and Ifindex1 are assigned to interface I1
Roles A, B, R2 and Ifindex2 are assigned to interface I2
Roles A, B, R2 and Ifindex3 are assigned to interface I3
A policy applied to "*+Ifindex1" will only apply to I1
A policy applied to "*+A+B+R2" will only apply to I2 and I3
A policy applied to "*+A+B" will apply to I1, I2 and I3
Furthermore, some services may in the future require pushing policy intended for the equipment, and not a given (subset of) interface(s). For instance, when using AAA, the Radius server could be provided that way, and so could a CA/PKI server for other purposes, etc.
Should this also be taken into account by the framework PIB, for instance by defining a special pseudo-interface, with a specific unique role, that would in fact represent the device and would be used by the different client-types to configure features on the device itself, independently of the interfaces, when they need it?
Thanks for your reactions.
Yoann
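
The role-combination matching proposed in the message above, as an added Python example that is not part of the original post or of any COPS-PR implementation. The matching semantics, the `DEV` pseudo-interface, its `Device` role and the collision check are assumptions made for illustration; the interface data is constructed from the post's three-interface example.

```python
from collections import defaultdict

# Constructed sample data: the three interfaces from the post, plus a
# hypothetical pseudo-interface "DEV" whose unique role "Device" is an assumption.
INTERFACES = {
    "I1": {"A", "B", "R1", "Ifindex1"},
    "I2": {"A", "B", "R2", "Ifindex2"},
    "I3": {"A", "B", "R2", "Ifindex3"},
    "DEV": {"Device"},
}

def parse_combination(combo):
    """Split 'r1+r2+...' into (wildcard, roles); '*' is only valid as first element."""
    parts = combo.split("+")
    if not all(parts):
        raise ValueError(f"empty role in {combo!r}")
    wildcard = parts[0] == "*"
    roles = parts[1:] if wildcard else parts
    if "*" in roles:
        raise ValueError(f"misplaced wildcard in {combo!r}")
    return wildcard, frozenset(roles)

def targets(combo, interfaces=INTERFACES):
    """Interfaces a policy with this role combination would be installed on.

    Assumed semantics: with '*+', the interface must hold at least the listed
    roles; without it, the interface's role set must equal the listed roles.
    """
    wildcard, wanted = parse_combination(combo)
    return sorted(name for name, held in interfaces.items()
                  if (wanted <= held if wildcard else wanted == held))

def shared_unique_roles(interfaces, is_unique=lambda r: r.startswith("Ifindex")):
    """Roles meant to identify one interface that are held by several."""
    holders = defaultdict(list)
    for name, held in interfaces.items():
        for role in filter(is_unique, held):
            holders[role].append(name)
    return {r: sorted(n) for r, n in holders.items() if len(n) > 1}

if __name__ == "__main__":
    for combo in ("*+Ifindex1", "*+A+B+R2", "*+A+B", "*+Device"):
        print(combo, "->", targets(combo))
    print("collisions:", shared_unique_roles(INTERFACES))
```

Running `shared_unique_roles` before pushing a per-interface IPSec policy catches the case where a role intended to be unique has been assigned twice, which would install the tunnel policy on more than one interface.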