Internet DRAFT - draft-hares-i2rs-info-model-policy
draft-hares-i2rs-info-model-policy
I2RS working group S. Hares
Internet-Draft Q. Wu
Intended status: Standards Track Huawei
Expires: January 3, 2015 July 2, 2014
An Information Model for Basic Network Policy
draft-hares-i2rs-info-model-policy-03
Abstract
This document contains three information Models: Basic Network Policy
(BNP IM), Policy-Based Routing (PBR), I2RS Local-Config (I2RS-LC IM).
The I2RRS-LC IM provides both an I2RS store of Policies plus a store
of Policy Templates. The BNP IM has the following levels of Policy
Hierarchy: Policy Set, Policy Group, Policy Rule, and conditional
actions within the policy rule (conditional match and Action). The
PBR IM, I2RS LC IM, BGP Information Model (BGP IM), Service Topology
Information Model (SF-Topo IM), and the Service Forwarding Chaining
IM (SFC IM) utilize and extend the BNP IM. This draft lists the
extensions to the BNP IM that support these information models (PBR
IM, I2RS LC IM, BGP IM, SSF-Topo IM and SFC-Policy IM).
The BNP IM is based on the concept of an extensible information model
for representing policies. This concept is also found in the Policy
Core Information Model (PCIM) (RFC3060) and the Quality of Service
(QoS) Policy Information Model (QPIM)(RFC3644) and policy based
routing.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2015.
Hares & Wu Expires January 3, 2015 [Page 1]
Internet-Draft IM for policy July 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Definitions and Acronyms . . . . . . . . . . . . . . . . . . 5
3. Basic Network Policy Information Model (BNP IM) . . . . . . . 5
3.1. BNP IM Overview . . . . . . . . . . . . . . . . . . . . . 5
3.2. The Policy Set . . . . . . . . . . . . . . . . . . . . . 7
3.2.1. Policy Set Overview . . . . . . . . . . . . . . . . . 7
3.2.2. Policy-Set RBNF . . . . . . . . . . . . . . . . . . . 8
3.3. The Policy Group . . . . . . . . . . . . . . . . . . . . 8
3.3.1. Policy Group Overview . . . . . . . . . . . . . . . . 8
3.3.2. Policy-Group RBNF . . . . . . . . . . . . . . . . . . 10
3.4. The Policy Rule . . . . . . . . . . . . . . . . . . . . . 11
3.4.1. Policy-Rule Overview . . . . . . . . . . . . . . . . 11
3.4.2. Policy-Rule RBNF . . . . . . . . . . . . . . . . . . 12
3.5. BNP IM Grammar . . . . . . . . . . . . . . . . . . . . . 16
4. The Policy Based Routing Information Model . . . . . . . . . 17
4.1. Policy Based Routing Overview . . . . . . . . . . . . . . 17
4.2. PBR-RIB definition . . . . . . . . . . . . . . . . . . . 17
4.3. PBR Rule Component . . . . . . . . . . . . . . . . . . . 18
4.4. PBR QOS RBNF . . . . . . . . . . . . . . . . . . . . . . 19
4.5. Relationship between PBR Rule Model and RIB Information
Model . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.6. PBR RBNF . . . . . . . . . . . . . . . . . . . . . . . . 21
4.7. Remaining PRB Issues . . . . . . . . . . . . . . . . . . 22
5. The I2RS Local Policy Information Model . . . . . . . . . . . 23
5.1. I2RS Local Policy IM Overview . . . . . . . . . . . . . . 23
5.2. I2RS Local Policy IM RBNF . . . . . . . . . . . . . . . . 23
6. Extensions to the Policy IM . . . . . . . . . . . . . . . . . 25
6.1. Extension to the RIB IM . . . . . . . . . . . . . . . . . 25
6.2. Extension from the BGP IM . . . . . . . . . . . . . . . . 25
6.3. Extension from SFC Topology IM . . . . . . . . . . . . . 26
6.4. Extension from the SFC Traffic Filters . . . . . . . . . 26
Hares & Wu Expires January 3, 2015 [Page 2]
Internet-Draft IM for policy July 2014
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
8. Security Considerations . . . . . . . . . . . . . . . . . . . 26
9. Informative References . . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction
The Interface to the Routing System (I2RS) provides read and write
access to the information and state within the routing process within
routing elements. The I2RS client interacts with one or more I2RS
agents to collect information from network routing systems.
Processing of collected information at the I2RS agent may require the
I2RS Agent to filter certain information or group pieces of
information in order to reduce the data flow through the network to
the I2RS client. Some applications that that utilize the services of
I2RS client may also wish to require specific data in response to
network events or conditions based on pre-established rules. This
functionality is necessary to meet the requirements of i2rs enabled
services which include service-layer routing improvements, and
control of traffic flows and exit points.
This document introduces a Basic Network Policy information model
(BNP IM) to handle policies related to the network. This basic
policy model can be easily extended beyond the basic functions. The
[I-D.ietf-i2rs-architecture] suggests that associated with the i2RS
RIB model there will be "Policy-based Routing (ACLs)" and RIB "policy
controls". These basic policy functions can operate as part of this
functional blocks providing the basic model for policy operators.
This model can also be considered as the substance of the policy
templates.
The BNP IM is extensible allowing other extensions to make the BNP IM
policy adaptable to specific I2RS protocol features. This policy
model can be linked with other information models such as the
following:
o Policy Base Routing Information model (PBR-IM) (Model in section
4),
o I2RS RIB Informational Model (RIB IM) (see section 6)
([I-D.ietf-i2rs-rib-info-model])
o BGP Informational Model (BGP IM) (see section 6)
([I-D.hares-i2rs-bgp-im])
o Service Topology (see section 6)
([I-D.hares-i2rs-info-model-service-topo])
Hares & Wu Expires January 3, 2015 [Page 3]
Internet-Draft IM for policy July 2014
o Service Forwarding Chaining Filters Information Mode (SFC IM) (see
section 6) (ietf-hares-dunbar-i2rs-sfc-policy-im-00.txt)
The BNP IM model is a product of the industry approach to I2RS that
standardizes on a few basic functions network functions to obtain
quick deployment of initial I2RS RIB modules, and build on this
success to create network functions. Additional I2RS modules add
I2RS interfaces to policy-based routing, BGP, Service topology
creation, Service Chaining functions, and policy templates.
This information model leverages previous work done on extensible
information model for representing policies, for example, the Policy
Core Information Model (PCIM) [RFC3060] [RFC3060], and an extension
to this model to address the need for QoS management, called the
Quality of Service (QoS) Policy Information Model (QPIM) [RFC3644]
[RFC3644].
Most policy within routing and forwarding systems has become
hierarchical with individual specific policies being grouped as a set
policy. The hierarchical policy rule definition enhances policy
readability and reusability. Groups of network policies have labels
to aid operational use. Named groups of policy are easily identified
and reused as blocks.
The Basic Network Policy information model contains the following
three components:
Policy Group
Policy is described by a set of policy rules that may be grouped
into subsets. A Policy group is used to provide a hierarchical
policy definition that provides the model context or scope for
sub-rule actions. The model context includes identity, scope,
role, precedence, priority and security model. In a policy group
policy rules and policy groups can be nested within other policy
rules.
Policy Set
is a set of Policy Groups identified by a Policy Set Name.
Policy Rule
Policy Rule is represented by semantics "If Condition then
Action", therefore condition and action comprise Policy Rule
model.
This draft contains the following Informational Models
Hares & Wu Expires January 3, 2015 [Page 4]
Internet-Draft IM for policy July 2014
Basic Network-Policy Information Model (BNP IM)
is generic network policy model. It can be thought of as a
coherent set of rules to administer, manage, and control access to
network resources and defines a network policy at its most general
level of abstraction. It models aspects such as actions and
conditions that constitute a policy element relationship, as well
as operators contained in the both condition and action that can
either be used to overwrite an old value of the variable or imply
match relationship.
Policy Based Routing Information Model (PBR IM)
defines information that allows the network administer to forward
the packet based on other criteria than the destination address in
the packet.
I2RS Local Config Information Model (I2RS-LC IM)
defines I2RS Local Configuration database kept in the I2RS Agent
that can be leveraged to quickly set-up policies via the I2RS
Agent. This local configuration store contains basic network
policies and network templates, and provides quick local access to
polies rather than transfer the policies down from the I2RS Client
prior to enacting a policy via I2RS interface.
2. Definitions and Acronyms
IGP: Interior Gateway Protocol
Information Model: An abstract model of a conceptual domain,
independent of a specific implementations or data representation
CLI: Command Line Interface
SNMP: The Simple Network Management Protocol
NETCONF: The Network Configuration Protocol
RBNF: Routing Backus-Naur Form
3. Basic Network Policy Information Model (BNP IM)
3.1. BNP IM Overview
I2RS needs its own implicit and explicit policy. This section
provides an overview of the network policy model. The network policy
Hares & Wu Expires January 3, 2015 [Page 5]
Internet-Draft IM for policy July 2014
model is defined by the following components, whose relationship is
roughly depicted in the figure below.
+-----------------------+
| Network-Policy |
+-----------+-----------+
^
/|\
| "extends"
+-----------^-------------+
| Policy Set |
+--+-------------------+--+
^ ^ +---------------+
/|\ /|\ ---|PBR Policy-Rule|
| | | | Additions |
| | | +---------------+
| "extends" | "extends" | +---------------+
+--------^-------+ +-------^-------+ |--|LP Policy-Rule |
| Policy Group | | Policy Rule |<---| |Additions |
+----------------+ +---------------+ | +---------------+
: : | . . .
: : | +---------------+
......: :..... ---|RIB Policy-Rule|
: : | Additions |
: : +---------------+
: :
+---------V---------+ +-V-------------+
| Policy Condition | | Policy Action |
+-------------------+ +---------------+
: : : : : :
.....: . :..... .....: . :.....
: : : : : :
+----V---+ +---V----+ +--V---+ +-V------++--V-----++--V---+
| Match | |Policy | |Policy| | Set || Policy ||Policy|
|Operator| |Variable| |Value | |Operator||Variable|| Value|
+--------+ +--------+ +------+ +--------++--------++------+
Figure 1: Overall model BNP IM structure
Network_policy - contains sets of policies.
Policy-Set - is introduced to provide an abstraction for a set of
rules. it is inserted into the inheritance hierarchy above both
Policy-Group and Policy-Rule.
Policy-Group -defines the basic network policy Group model which
combines the a list of Policy-Rules.
Hares & Wu Expires January 3, 2015 [Page 6]
Internet-Draft IM for policy July 2014
Policy Rule is represented by semantics "If Condition then Action",
therefore condition and action comprise Policy Rule model.
o Condition models the elementary match operation "<variable> match
<value>".
o Action models the elementary set operation. "SET <variable> TO
<value>".
In Condition model, the 'Match' operator is usually implied while in
the action model, the 'Set operator is explicitly used.
Policy-Sets, Policy-Groups, and Policy-Rules have basic functionality
(Policy-Basic IM) plus extensions defined by specific Information
Models such as:
the PBR Information Model (PBR IM) (contained in this document),
the I2RS_Local_Policy Model (LP IM) (contained in this document),
the RIB Information Model (RIB IM)
([I-D.ietf-i2rs-rib-info-model]),
the BGP Information Model (BGP-IM) ([I-D.hares-i2rs-bgp-im]),
the Traffic Steering Information Model
([I-D.hares-i2rs-info-model-service-topo]),
the SFC Information Model (SFC IM) (ietf-hares-dunbar-i2rs-sfc-
policy-im-00.txt)
the MPLS LDP Information Model (MPLS LDP IM) as templates for
policy.
I2RS Client-Agents Information Models MAY support only the Policy-
Basic IM, or MAY support any additional specific information models.
Each level of the Policy hierarchy (Policy-Set, Policy-Group, and
Policy-Rules have both a read and write scope
3.2. The Policy Set
3.2.1. Policy Set Overview
The PolicySet structure has the following elements:
o Policy-Set_Name - Unique Name for Policy Set
Hares & Wu Expires January 3, 2015 [Page 7]
Internet-Draft IM for policy July 2014
o Policy-Group is introduced to provide an abstraction for a set of
rules. It is derived from Policy, and it is inserted into the
inheritance hierarchy above both PolicyGroup and PolicyRule. This
reflects the additional structural flexibility and semantic
capability of both subclasses.
3.2.2. Policy-Set RBNF
Figure 2 - Policy Set RBNF
<Network_policy> ::= (<Policy_Set> ...)
<Policy-Set> ::= <Policy-Set-Name>
<Policy-Group_list> ::=
(<Policy-Group> ...)
(<Policy-Rule> ...)
(<local_Config>)
(<PBR_rule>)
3.3. The Policy Group
3.3.1. Policy Group Overview
In order to provide hierarchical policy definition and associate
policy rule with other constraint, the basic policy group model needs
to be defined. The corresponding extensions are introduced in a
component, whose structure is informally depicted in the following
diagram.
Hares & Wu Expires January 3, 2015 [Page 8]
Internet-Draft IM for policy July 2014
Figure 3 - Policy Group
+------------------------------------+ (optional)
| Policy Group |....
+------------------------------------+ :
* * * * * ^ :
| | | | | :....:
| | | | |
| | | | |
| | | | |
+--------+ +--------+ +--------+| +-----------+
|Identity| | Role | |Priority|| |Policy Rule|
+--------+ +--------+ +--------+| +-----------+
* * | * * *
| | | | | |
+--- | | +---+---+ | ++----+
| | | |Enabled| | |Usage|
| | | +-------+ | +-----+
+-----+----+ +------+ | |
| Resource | |Scope | | |
+----------+ +------+ | |
* * | +--+------+
| | +----+------+ |Mandatory|
| | | Precedence| +---------+
| | +-----------+
| |
+-----++-----+
| Read||Write|
|Scope||Scope|
+-----++-----+
The basic information model works as follows: Within the policy group
information model, hierarchy is used to model context or scope for
the sub-rule actions. A policy group contains Identity, scope,
priority,precedence, and policy rule. Optionally, the policy group
can contain a list of policy groups.
The elements of the Policy Group information model are as follows:
o Each policy group is captured in its own list, distinguished via a
identity, role, priority, precedence.
o A policy group has a certain role, such as resource or scope. A
policy group can even have multiple roles simultaneously. The
role, are captured in the list of "role" component.
o A policy role has a certain Scope, such as read scope or write
scope. A policy group can even have multiple scope
Hares & Wu Expires January 3, 2015 [Page 9]
Internet-Draft IM for policy July 2014
simultaneously. The scope, or scopes, are captured in the list of
"scope" components.
o A policy has a certain priority, such as priority 0-255. A policy
can only have one priority. The priority is captured in the list
of "priority" component.
o A policy rule can inherit properties (e.g., identity, role,
priority, precedence) from policy group. A policy rule also can
have its own properties, e.g., enabled, mandatory, usage.
o The policy, policy group elements can be extended with policy-
specific components (policy-extensions, policy-group-extension
respectively).
3.3.2. Policy-Group RBNF
A more formal depiction in RBNF format follows below
Figure 4 - Policy-Group RBNF
<Policy-Group> ::= <Policy-Group_Identity>
<Policy-Group_Roles>
<Policy-Group_priority>
<Policy-Group_precedence>
(<Policy-Rule-list>)
[<Supporting-Policy-Group>]
[<Policy-Group-Extension>]
<Policy-Group_Identity> ::= <Policy-Group-Name>
[<Policy-Group-Secure-Identity>]
<Policy-Group-priority> ::= INTEGER (0..255);
<Policy-Group-precedence> ::= INTEGER (0..250);
<Policy-Rule-list> ::= ((<Policy-Rule> <Policy-Rule-Status>) ...)
<Policy-Rule-Status> ::= <POLICY-RULE-ENABLE>
[<POLICY-RULE-MANDATORY>]
[<Policy-Rule_usage>]
<Policy-Rule_usage> ::== <Policy-Rule-REFCNT>
<Policy-Group-Roles> ::= (<Policy-Group-Role> ...)
<Policy-Group-Role> ::=<Node-RESOURCES> | <Policy-Group-Scope>
<Node-RESOURCES> ::= [<I2RS_AGENT_RESOURCE>]
<Policy-Group-Scope> ::= (<READ_SCOPE> <Policy-Group_Read_Scope>)
| (<WRITE_SCOPE> <Policy-Group_Write_Scope>)
Hares & Wu Expires January 3, 2015 [Page 10]
Internet-Draft IM for policy July 2014
<Policy-Group_Read_Scope> ::= <Policy-Group_Read_Scope_Type>
[<RIB-IM_READ_list>]
[<BGP-IM-READ_list>]
<Policy-Group_Read_Scope_Type> ::= <RIB-IM_READ_SCOPE_TYPE>
| <BGP-IM_READ_SCOPE_TYPE>
<Policy-Group_Write_Scope> ::= <Policy-Group_Write_Scope_Type>
[<RIB-IM_WRITE_list>]
[<BGP-IM-WRITE_list>]
<Policy-Group_Write_Scope_Type> ::= <RIB-IM_WRITE_SCOPE_TYPE>
| <BGP-IM_WRITE_SCOPE_TYPE>
<Supporting-Policy-Group> ::= <SUPPORT-POLICY-GROUP> (
<Policy-Group> ...)
<Policy-Group-Extension> ::= ... /* Vendor Specific Policy */
3.4. The Policy Rule
3.4.1. Policy-Rule Overview
The following diagram contains an informal graphical depiction of the
main elements of the information model:
Figure 5 - Policy Rule
+----------------+
| Policy Rule |<...
+----------------+ :
* * : :
| | :...:
| |
+---------+ +--------+
...>|Condition|<.......| Action |<...
: +---------+<.......+--------+ :
: : * * : :
:..... | : :... :
| :
+--------+...........:
|Operator|
+--------+
Hares & Wu Expires January 3, 2015 [Page 11]
Internet-Draft IM for policy July 2014
Roughly speaking, the basic information model works as follows: A
policy rule contains conditions and actions. Each condition or each
action in turn contains operator. A operator connects variable and
value in the action or condition. Condition can map onto and be
supported by other condition, while action can map onto and be
supported by other actions. Policy rule can map onto other, policy
rules.
The elements of the Policy Rule information model are as follows:
o A policy can in turn be part of a hierarchy of policies, building
on top of other policies. Each policy is captured in its own
level, distinguished via a policy-identity.
o Policy rule inherit scope from policy group. A policy role has a
certain Scope, such as read scope or write scope. A policy rule
can even have multiple scope simultaneously. The scope, or
scopes, are captured in the list of "scope" components.
o Furthermore, a policy rule contains conditions and actions, each
captured in their own list.
o A condition contains a variable and a value and use a match
operator, to connect variable with value. An examples of an
operator might be a" IP ADDRESS AS RESOLVED BYDNS" or "Set to a
member". Also, a condition can in turn map onto other condition
in an underlay policy. This is captured in list"supporting-
condition".
o An action contains a variable and a value. An action uses Set
operator to connect variable with value. Analogous to a node, an
action can in turn map onto other actions in an underlay policy.
This is captured in list "supporting-action".
o The policy, condition, action and operator elements can be
extended with policy-specific components (policy-extensions,
condition-extension, action-extension and operator-extension
respectively).
3.4.2. Policy-Rule RBNF
The information model for the Network-policy component is more
formally shown in RBNF below:
Figure 6 Policy Rule RBNF
<Policy-Rule> ::= <Policy-Rule_identity>
<Policy-Rule_priority>
Hares & Wu Expires January 3, 2015 [Page 12]
Internet-Draft IM for policy July 2014
<Policy-Rule_precedence>
<Policy-Rule_Roles>
(<Policy-Rule_Condition>
<Policy-Rule_Action> ...)
<Policy-Rule_Security_model>
[<Policy-Rule_rule_extensions>]
<Policy-Rule_identity> ::= <Policy-Rule-Name>
[<Policy-Rule-Secure-Identity>]
<Policy-Rule_priority> ::= INTEGER (0..250);
<Policy-Rule_precedence> :;= INTEGER (0..250);
<Policy-Rule_Roles> ::= (<Policy_Rule_Role> ...);
<Policy-Rule_Role> ::=<RESOURCES> |
<Policy_Rule_Scope>
<RESOURCES> ::= [<I2RS_AGENT_RESOURCE>]
<Policy-Rule_Scope> ::= (<READ_SCOPE>
<Policy-Rule_Read_scope>)
| (<WRITE_SCOPE>
<Policy-Rule_Write_scope>)
<Policy-Rule_Read_scope> ::= ((<BNP_READ_SCOPE_TYPE>
<BNP_READ_SCOPE_list>) ...)
| [<Policy-Rule_Read_Scope_External>]
<Policy-Rule_Write_scope> ::= ((<BNP_WRITE_SCOPE_TYPE>
<BNP_WRITE_SCOPE_list>)...)
[<Policy-Rule_Write_Scope_External>]
<Policy-Rule_Condition> ::= <Policy-Rule_Match_node>
(<Policy-Rule_Match_value> ...)
[<Policy-Rule_mode>]
[<Policy-Rule_Match_Operator>]
[<Policy-Rule_Condition_extension>]
<Policy-Rule_Match_node> ::= [<Policy-Rule_Match_Node_BNP-IM>]
| [<Policy-Rule_Match_node_external]
<Policy-Rule_Match_value> ::= [<Policy-Rule_Match_Value_BNP-IM>]
| [<Policy-Rule_Match_Value_external]
<Policy-Rule_mode> ::= PERMIT | DENY ;
<Policy-Rule_Match_operator_external> ::=
[<Policy-Rule_Match_Operator_BNP-IM>]
| [<Policy-Rule_Match_Operator_external]
Hares & Wu Expires January 3, 2015 [Page 13]
Internet-Draft IM for policy July 2014
<Policy-Rule-action> ::= <Policy-Rule_Action_variable>
<Policy-Rule_Action_value>
<Policy-Rule_Set-Operator>
[<Policy-Rule_action-extension> ]
<Policy-Rule_Security-Model> ::= <First-Matching>
|<All-Matching>]
<Policy-Rule_rule_extension> ::=
<I2RS-LC-policy_rule_extensions>
<Policy-Rule-action> ::= <Policy-Rule_Action_variable>
<Policy-Rule_Action_value>
<Policy-Rule_Set-Operator>
[<Policy-Rule_action-extension> ]
<Policy-Rule_Action_variable> ::= <Policy-Rule_Action_var>
(<Policy-Rule_Action_value> ...)
[<Policy-Rule_Set_Operator>]
[<Policy-Rule_Action_extension>]
<Policy-Rule_Action_var> ::= [<Policy-Rule_Action_Vars_BNP-IM>]
| [<Policy-Rule_Action_external>]
<Policy-Rule_Action_value> ::= [<Policy-Rule_Action_Vars_BNP-IM>]
| [<Policy-Rule_Action_external>]
<Policy-Rule_Set_Operator> ::= [<Policy-Rule_Set_Operator_BNP-IM>]
| [<Policy-Rule_Set_Operator_external>]
<Policy-Rule-action-extension> ::=
[<Policy-Rule_act_ext_BNP-IM>]
| [<Policy-Rule_act_ext_external>]
<Policy-Rule-Match-Operator-Policy-IM> ::= <IS-SET-MEMBER'>
|<IN-INTEGER-RANGE>
|<IP-ADDRESS-AS-RESOLVED-BY-DNS>
|<Policy_IM-Match-Operator-extension>
<Policy-Rule_condition_extension> ::=
<Policy_Rule_condition_ext-BNP-IM>
[<Policy-Rule_Condition_ext_external>]
/* these scopes besides RIB IM are defined in each IM */
<PR_Read_Scope_RIB_IM> ::=<RIB-IM_READ_SCOPE_TYPE>
<RIB-IM_READ_list>
Hares & Wu Expires January 3, 2015 [Page 14]
Internet-Draft IM for policy July 2014
<PR_Read_Scope_RIB_IM> ::=<RIB-IM_READ_SCOPE_TYPE>
<RIB-IM_READ_list>
<RIB-IM_READ_list> ::= [<RIB-IM-Tree-Match> ...]
<RIB-IM_WRITE_list> ::= [<RIB-IM-Tree-Match> ...]
<RIB-IM-Tree-Match> ::= <RIB-IM-Match-routing-instance>
<RIB-IM-Match-interface-list>
<RIM-IM-Match-rib_list>
<RIB-IM-match-route-list>
/* extensions to other IM */
/* External Read and Write Scope */
<Policy-Rule_Read_Scope_External> ::=
[<PR_Read_Scope_RIB_IM>]
[<PR_Read_Scope_BGP_IM>]
[<PR_Read_Scope_PBR_IM>]
[<PR_Read_Scope_I2RSLC_IM>]
[<PR_Read_Scope_STopo_IM>]
[<PR_Read_Scope_SFC-Policy_IM>]
<Policy-Rule_Write_Scope_External> ::=
[<PR_Write_Scope_RIB_IM>]
[<PR_Write_Scope_BGP_IM>]
[<PR_WriteScope_PBR_IM>]
[<PR_Read_Scope_I2RSLC_IM>]
[<PR_Read_Scope_STopo_IM>]
[<PR_Read_Scope_SFC-PolicyIM>]
/* External Rule Conditionals */
<Policy-Rule_Match_node_external> ::=
[<Policy-Rule_Match_Node_RIB-IM>]
| [<Policy-Rule_Match_Node_PBR-IM>]
| [<Policy-Rule_match_Node_I2RSLC-IM>]
| [<Policy-Rule_Match_Node_BGP-IM>]
| [<Policy-Rule_Match_Node_STopo-IM>]
| [<Policy-Rule_Match_Node_SFC-Policy-IM>]
<Policy-Rule_Match_Value_external> ::=
[<Policy-Rule_Match_Value_RIB-IM>]
| [<Policy-Rule_Match_Value_PBR-IM>]
| [<Policy-Rule_Match_Value_I2RSLC-IM>]
| [<Policy-Rule_Match_Value_BGP-IM>]
| [<Policy-Rule_Match_Value_STopo-IM>]
| [<Policy-Rule_Match_Value_SFC-Policy-IM>]
<Policy-Rule_Match_operator_external> ::=
[<Policy-Rule_Match_Operator_RIB-IM>]
Hares & Wu Expires January 3, 2015 [Page 15]
Internet-Draft IM for policy July 2014
| [<Policy-Rule_Match_Operator_PBR-IM>]
| [<Policy-Rule_Match_Operator_I2RSLC-IM>]
| [<Policy-Rule_Match_Operator_BGP-IM>]
| [<Policy-Rule_Match_Operator_STopo-IM>]
| [<Policy-Rule_Match_Operator_SFC-Policy-IM>]
<Policy-Rule_Action_value_external> ::=
[<Policy-Rule_Action_Values_RIB-IM>]
| [<Policy-Rule_Action_Values_PBR-IM>]
| [<Policy-Rule_Match_Operator_I2RSLC-IM>]
| [<Policy-Rule_Action_Values_BGP-IM>]
| [<Policy-Rule_Set_Operator_STopo-IM>]
| [<Policy-Rule_Set_Operator_SFC-Policy-IM>]
<Policy-Rule_Set_Operator_external> :==
[<Policy-Rule_Set_Operator_RIB-IM>]
| [<Policy-Rule_Set_Operator_PBR-IM>]
| [<Policy-Rule_Match_Operator_I2RSLC-IM>]
| [<Policy-Rule_Set_Operator_RIB-IM>]
| [<Policy-Rule_Set_Operator_BGP-IM>]
| [<Policy-Rule_Set_Operator_STopo-IM>]
| [<Policy-Rule_Set_Operator_SFC-Policy-IM>]
<Policy-Rule_act_ext_external> ::=
[<Policy-Rule_extension_RIB-IM>]
| [<Policy-Rule_act_ext_PBR-IM>]
| [<Policy-Rule_act_ext_I2RSLC-IM>]
| [<Policy-Rule_act_ext_RIB-IM>]
| [<Policy-Rule_act_ext_BGP-IM>]
| [<Policy-Rule_act_ext_STopo-IM>]
| [<Policy-Rule_act_ext_SFC-Policy-IM>]
| [<I2RS_Vendor-Rule_act_ext>]/* other I2RS IM */
3.5. BNP IM Grammar
This section specifies the network policy information model in
Routing Backus-Naur Form (RBNF, [RFC5511]). It also provides
diagrams of the main entities of which the information model is
comprised.
<basic-network_policy_in> ::= (<policy-set> ...)
<basic-network_policy_out> ::= (<policy-set> ...)
<network-policy_rules_list> ::= (<policy-rule>...)
Hares & Wu Expires January 3, 2015 [Page 16]
Internet-Draft IM for policy July 2014
4. The Policy Based Routing Information Model
4.1. Policy Based Routing Overview
Policy based Routing is a technique used to make routing decisions
based on policies set by the network administrator. PBR enables
network administrator to forward the packet based on other criteria
than the destination address in the packet, which is used to lookup
an entry in the routing table.
The policy based routing problem can be viewed as a resource
allocation problem that incorporates business decision with routing.
Policy based routing provides many benefits, including cost saving,
load balancing and basic QoS.
Routing decisions in policy based routing are based on several
criteria beyond destination address, such as packet size,
application, protocol used, and identity of the end system. Policy
constraints are applied before applying QoS constraints since policy
constraint overrides QoS constraint. Policy constraints may be
exchanged by routing protocols while updating routing information.
The I2RS use cases which benefit from PBR are:
[I-D.white-i2rs-use-case] and
[I-D.krishnan-i2rs-large-flow-use-case],
PBR-Rules extends from Policy Basic Rule with a set of condition,
action and attributes. Routing decisions in policy based routing are
based on several criteria beyond destination address, such as packet
size, application, protocol used, and identity of the end system.
4.2. PBR-RIB definition
One routing instance (named by an INSTANCE_NAME) can contain multiple
PBR RIBs, and is associated with a set of interfaces, and a ROUTER-
ID. The entries associated with each routing instance relating to
the PBR are:
o INSTANCE NAME
o interface_list
o PRB RIB list - with each entry having an order set of routes
o PRB Default RIB - default forwarding FIB.
o ROUTER-ID
Hares & Wu Expires January 3, 2015 [Page 17]
Internet-Draft IM for policy July 2014
Each PBR RIB has the following:
o PRB RIB NAME
o PBR Route-entry
The Route entry in a PRB has the following information:
o match field - as in the RIB IM route
o order_list PBR route list with each entry having: a) next-hops, b)
PBR route attributes, and c) vendor-attributes
The PRB route attributes include QOS Attributes as show in the policy
list below.
4.3. PBR Rule Component
A PBR rule is constructed using condition, action and attributes that
are inherited from Policy Group Component.
Hares & Wu Expires January 3, 2015 [Page 18]
Internet-Draft IM for policy July 2014
Figure 7 - PBR Policy Rule
+-----------------------+
| Policy Rule |
+-----------+-----------+
^
/|\ "extends"
+-----------^-----------+
| PBR Rule |
+--+-----------------+--+
: :
: : .......
: : : :
+--------V-------+ +-------V-------+ :
| PBR Condition | | PBR Action |<...
+----------------+ +-+----------+--+
/|\ /|\
"extends"| | "extends"
+---+ +--------+
| |
+-------^-------+ +-----^---------+
| QoS Action | |Forward Action |
+---------------+ +---------------+
: : : : : :
....: : :..... .....: : :.....
: : : : : :
+----V---+ +---V----+ +--V---+ +-V------++--V-----++--V-----+
|Set | |QoS | |QoS | |Forward ||Next Hop||Next Hop|
|Operator| |Variable| |Value | |Operator||Variable||Value |
+--------+ +--------+ +------+ +--------++--+-----++--------+
/|\
| "extends"
+---^----+
|Next Hop|
|Type |
+--------+
Figure 3: Policy based routing IM structure
4.4. PBR QOS RBNF
The PBR QOS RBNF is below
Figure 8 - PRB QOS RBNF
/* policy rules */
<Policy-Rule_Match_Node_PBR-IM> ::= <IPv4_QoS_Node_Matches>
| <IPv6_QoS_Node_Matches>
Hares & Wu Expires January 3, 2015 [Page 19]
Internet-Draft IM for policy July 2014
<Policy-Rule_Match_Value_PBR-IM> ::= <IPv4_QoS_Value_Matches>
| <IPv6_QoS_Value_Matches>
<IPv4_QoS_Node_matches> = <IPv4-QOS_Matches>
<IPv6_QoS_Node_matches> = <Pv6-QOS_Matches>
<IPv4_QoS_Value_matches> = <IPv4-QOS_Matches>
<IPv6_QoS_Value_matches> = <IPv6-QOS_Matches>
<IPv4-QOS_Matches> ::= [<IPv4-SRC>]
[<IPv4_DST>]
[<IPv4_Proto>]
[<IPv4_TOS-DSCP>]
[<IPv4_ICMP_field>]
[<IPv4_length>]
<IPv6-QOS_Matches> ::= [<IPv6-SRC>]
[<IPv6_DST>]
[<IPv6_Proto>]
[<IPv6_Flow>]
[<IPv6_length>]
<Policy-Rule_Match_Operator_PBR-IM> ::= [<Longest-prefix>]
| [<Exact>]
| [(<IPv4-RANGE> <IPv4-Low> <IPv4-High>)]
| [(<IPv6-RANGE> <IPv6-Low> <IPv6-High>)]
| [(<LENGTH-Range> <LENGTH_Low> <LENGTH_High>)]
<IPv4_low> ::= <IPv4-Prefix>
<IPv4_high> ::= <IPv4-Prefix>
<IPv6_low> ::= <IPv6-Prefix>
<IPv6_high> ::= <IPv6-Prefix>
<Policy-Rule_Action_value_PBR-IM> ::= [<QOS_action>]
[<FWD_action>]
<QOS_action> ::= <QOS_IP-TOS_Set>
| <QOS_DSCP>
<FWD_action> ::= <Drop_packet>
| <Drop_Packet_ICMP>
| (<Forward_Specific> <next-hop>)
| (<Forward_Default>)
<Policy-Rule_Set_Operator_PBR-IM> ::= [<SET_QOS_BITS>]
| [<SET_FWD_ACTION<]
Hares & Wu Expires January 3, 2015 [Page 20]
Internet-Draft IM for policy July 2014
4.5. Relationship between PBR Rule Model and RIB Information Model
As described in [I-D.ietf-i2rs-rib-info-model], each Routing instance
contains a collection of RIBs, interfaces, and routing parameters
including the following:
o The set of interfaces indicates which interfaces are associated
with this routing instance.
o The RIBs specify how incoming traffic is to be forwarded based on
destination.
o the routing parameters control the information in the RIBs/PIBs.
PIB and RIB can not be used at the same time, which means:
o If a router doesn't support policy based routing, a router MUST
use rib and MUST not use PIB.
o If a router supports policy based routing,
* PIB is used if several criteria beyond destination address is
matched.
* RIB is used if several criteria beyond destination address is
not matched.
Policy constraints information either comes from RSVP,BGP/IGP, or
comes from manual configuration or policy configuration tool.
Therefore PBR uses from the RIB IM:
o Interface-list: The interface list contains a list of identifiers,
with each identifier uniquely identifying an interface.
o Origin: an indication used to identify from which protocols (e.g.,
ISIS, OSPF, BGP, I2RS, CLI etc.) the policy based route is.
4.6. PBR RBNF
Hares & Wu Expires January 3, 2015 [Page 21]
Internet-Draft IM for policy July 2014
Figure 9 - PBR RBNF
/* pbr defintion */
<pbr-routing-instance> ::= <PBR_INSTANCE_NAME>
[<interface-list>] <pbr-rib_list>
[<prb-default-rib>]
[<Router-ID>]
<pbr-rib-list> ::= <PRB_RIB_NAME>
<PRB_rib_family>
(<prb_rib> ...)
<PRB_rib_family> ::=<IPv4_PRB_FAMILY>
| <IPV6_PRB_FAIMILY>
<prb_rib> ::= <PRB_RIB_NAME>
<PRB_rib_family>
<prb_policy_set>
<prb_policy_set< ::= <BNP_policy_set>
<RIB_policy_set_extensions>
<PRB_policy_set_extensions>
<BGP_policy_set_extensions>
<QOS_policy_set_extensions>
<prb_policy_set_exetensions> ::=
<Policy-Rule_Match_Node_PBR-IM>
<Policy-Rule_Match_Value_PBR-IM>
<Policy-Rule_Match_Operator_PBR-IM>
<Policy-Rule_Action_value_PBR-IM>
<Policy-Rule_Set_Operator_PBR-IM>
4.7. Remaining PRB Issues
Policy based routing MUST tackle the following difficult questions:
o How is policy management strategy selected? Centralized or
distributed.
o At which point in a network domain are policy constraints checked
and enforced? i.e., policy coverage, here policy constraint can be
exchanged by routing protocol?
o How are policy constraints exchanged within a domain?
o How is policy data stored, refreshed and retrieved from policy
repository?
Hares & Wu Expires January 3, 2015 [Page 22]
Internet-Draft IM for policy July 2014
o How are policy rule conflicts avoided?
5. The I2RS Local Policy Information Model
5.1. I2RS Local Policy IM Overview
The Local Policy Information Model (LB IM) stores I2RS policy and
policy templates that are used across many I2RS modules. The LB IM
stores a set of policy and a set of policy templates. This section
defines the LB IM extensions needed to the Basic Policy set at the
Policy-set, Policy-Group, and Policy-Rule level. It also defines the
optional extensions to this LP policy model as:
o PBR IM,
o RIB IM,
o BGP IM,
o Traffic Steering (TS IM)
o SFC Filter (SFC-F IM),
o Basic Route Templates IM
The key benefit of the I2RS Local Configure Information Model (Local-
is that it provides a place to store I2RS policy, and I2RS templates.
The LB IM MAY allow for: a) re-use of these policy templates across
multiple I2RS client-I2RS agent sessions, b) storing of some policy
into permanent configuration store
5.2. I2RS Local Policy IM RBNF
Hares & Wu Expires January 3, 2015 [Page 23]
Internet-Draft IM for policy July 2014
Figure 10 - Local I2RS Policy Story extensions
<i2rs-Local-Policy> ::= <I2RS_LOCAL_POLICY_STORE>
<Policy-Set>
<Policy-Templates>
<i2rs-condition-extension> :== [<I2RS-Client-Agent_transport_list>]
[<I2RS_IPADRESS_DNS_resolve>]
[<Policy-Template_match>]
<I2RS-Client-Agent_transport_list> :== (< i2rs_transport > ...)
<i2rs_transport< ::= [TCP][SCTP][SSL];
/* these actions allow local I2RS configure store could
* write to local Node policy store */
<i2rs-action-extension> ::= [<i2rs_write_policy_config_store>]
[<i2rs_write_bgp_config_store>]
...
The model extends the original network-policy model as follows:
o A local policy rule can in turn be part of a hierarchy of
policies, building on top of other policies. Each local
configuration policy is captured in its own level, distinguished
via a policy identity.
o A local policy rule inherit scope from policy group. A local
policy rule has a certain Scope, such as read scope or write
scope. A local policy rule can even have multiple scope
simultaneously. The scope, or scopes, are captured in the list of
"scope" components.
o Furthermore, a local policy contains conditions and actions, each
captured in their own list.
o A condition contains a variable and a value and use a match
operator, to connect variable with value. An examples of an
operator might be a" IP ADDRESS AS RESOLVED BYDNS" or "Set to a
member". Also, a condition can in turn map onto other condition
in an underlay policy. This is captured in list in "supporting-
condition".
o An action contains a variable and a value. An action uses Set
operator to connect variable with value. Analogous to a node, an
action can in turn map onto other actions in an underlay policy.
This is captured in list "supporting-action".
Hares & Wu Expires January 3, 2015 [Page 24]
Internet-Draft IM for policy July 2014
o The local policy, condition, action and operator elements can be
extended with policy-specific components (condition-extension,
action-extension and operator-extension respectively).
6. Extensions to the Policy IM
6.1. Extension to the RIB IM
Figure 11 - RIB Information Model Extensions
<RIB-IM_READ_list> ::= [<RIB-IM-Tree-Match ...]
<RIB-IM_WRITE_list> ::= [<RIB-IM-Tree-Match ...]
<RIB-IM-Tree-Match> ::= <RIB-IM-Match-routing-instance>
<RIB-IM-Match-interface-list>
<RIM-IM-Match-rib_list>
<RIB-IM-match-route-list;
/* BGP Info Module Tree Match */
<BGP-IM_READ_list> ::= [<BGP-IM-Tree-Match ...]
<BGP-IM_WRITE_list> ::= [<BGP-IM-Tree-Match ...]
<BGP-IM-Tree-Match> ::= <BGP-IM-Tree-Match-protocol-instance>
<BGP-IM-Match-Protocol-instance> ::= (<BGP_protocol> ...)
<prb_rib> ::= <bgp_route_list>
<bgp_route_list> ::= (<bgp_route> ...)
<bgp_route> ::= <BGP_ROUTE_TYPE>
<bgp_route_prefix>
<bgp_attribute_list>
<bgp_route_create>
<bgp_rt_state_info>
<basic-network_policy_in> ::= (<policy-set> ...)
<basic-network_policy_out> ::= (<policy-set> ...)
<network-policy_rules_list> ::= (<policy-rule>...)
6.2. Extension from the BGP IM
Figure 12 - BGP Information Model Extensions
<BGP-IM_READ_list> ::= [<BGP-IM-Tree-Match ...]
<BGP-IM_WRITE_list> ::= [<BGP-IM-Tree-Match ...]
<BGP-IM-Tree-Match> ::= <BGP-IM-Tree-Match-protocol-instance>
<BGP-IM-Match-Protocol-instance> ::= (<BGP_protocol> ...)
Hares & Wu Expires January 3, 2015 [Page 25]
Internet-Draft IM for policy July 2014
6.3. Extension from SFC Topology IM
Figure 13 - SFC Topology Information Model Extensions
/* what part of the STopo Model can access */
<STopo-IM_READ_list> ::= [<STopo-IM-Tree-Match ...]
<STopo-IM_WRITE_list> ::= [<STopo-IM-Tree-Match ...]
<STopo-IM-Tree-Match> ::= <STopo-IM-Tree-Match-protocol-instance>
<STopo-IM-Match-Protocol-instance> ::= (<STopo_protocol> ...)
6.4. Extension from the SFC Traffic Filters
Figure 14 - Traffic Steering Information Model Extensions
/* what part of the STopo Model can access */
<SFC-Policy-IM_READ_list> ::= [<SF-Policy-IM-Tree-Match ...]
<SFC-Policy-IM_WRITE_list> ::= [<SF-Policy-IM-Tree-Match ...]
<SFC-Policy-IM-Tree-Match> ::= <SF-Policy-IM-Tree-Match-protocol-instance>
<SFC-Policy-IM-Match-Protocol-instance> ::= <SF_instance_list>
7. IANA Considerations
This draft includes no request to IANA.
8. Security Considerations
TBD.
9. Informative References
[I-D.atlas-i2rs-policy-framework]
Atlas, A., Hares, S., and J. Halpern, "A Policy Framework
for the Interface to the Routing System", draft-atlas-
i2rs-policy-framework-00 (work in progress), February
2013.
[I-D.hares-i2rs-bgp-im]
Hares, S., Wang, L., and S. Zhuang, "An I2RS BGP
Information Model", draft-hares-i2rs-bgp-im-00 (work in
progress), July 2014.
[I-D.hares-i2rs-info-model-service-topo]
Hares, S., Wu, W., and X. Guan, "An Information model for
service topology", draft-hares-i2rs-info-model-service-
topo-00 (work in progress), February 2014.
Hares & Wu Expires January 3, 2015 [Page 26]
Internet-Draft IM for policy July 2014
[I-D.ietf-i2rs-architecture]
Atlas, A., Halpern, J., Hares, S., Ward, D., and T.
Nadeau, "An Architecture for the Interface to the Routing
System", draft-ietf-i2rs-architecture-04 (work in
progress), June 2014.
[I-D.ietf-i2rs-rib-info-model]
Bahadur, N., Folkes, R., Kini, S., and J. Medved, "Routing
Information Base Info Model", draft-ietf-i2rs-rib-info-
model-03 (work in progress), May 2014.
[I-D.krishnan-i2rs-large-flow-use-case]
ramki, r., Ghanwani, A., Kini, S., McDysan, D., and D.
Lopez, "Large Flow Use Cases for I2RS PBR and QoS", draft-
krishnan-i2rs-large-flow-use-case-04 (work in progress),
April 2014.
[I-D.white-i2rs-use-case]
White, R., Hares, S., and A. Retana, "Protocol Independent
Use Cases for an Interface to the Routing System", draft-
white-i2rs-use-case-05 (work in progress), June 2014.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3060] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen,
"Policy Core Information Model -- Version 1
Specification", RFC 3060, February 2001.
[RFC3644] Snir, Y., Ramberg, Y., Strassner, J., Cohen, R., and B.
Moore, "Policy Quality of Service (QoS) Information
Model", RFC 3644, November 2003.
[RFC5394] Bryskin, I., Papadimitriou, D., Berger, L., and J. Ash,
"Policy-Enabled Path Computation Framework", RFC 5394,
December 2008.
[RFC5511] Farrel, A., "Routing Backus-Naur Form (RBNF): A Syntax
Used to Form Encoding Rules in Various Routing Protocol
Specifications", RFC 5511, April 2009.
Authors' Addresses
Hares & Wu Expires January 3, 2015 [Page 27]
Internet-Draft IM for policy July 2014
Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA
Email: shares@ndzh.com
Qin Wu
Huawei
101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012
China
Email: sunseawq@huawei.com
Hares & Wu Expires January 3, 2015 [Page 28]