
Research On Policy Conflicts Detection And Resolution Mechanism For Policy-Based Network Management System

Posted on: 2006-03-22
Degree: Master
Type: Thesis
Country: China
Candidate: F Mei
Full Text: PDF
GTID: 2168360155452951
Subject: Computer application technology

Abstract/Summary:
With the development of NGN, IPv6 and multimedia communication technology, the importance of network management is rising quickly. Policy-based network management separates the control of management behavior from its concrete execution through policy, thus raising the abstraction level of management tasks, hiding the specifics of the managed network objects and relieving the burden on the network manager. The IETF defines a policy as a set of management rules composed of conditions and actions: the satisfaction of some conditions may cause the execution of a group of actions. However, when several different policies are applied to the same network equipment, maintaining consistency between management policies becomes very important. Consistency detection between policies determines whether a conflict exists between them, i.e. whether the conditions of two or more policies are satisfied at the same time while their actions cannot be executed simultaneously.

The IETF and DMTF PBNM framework contains five parts: the policy management tool, which provides the network manager with a centralized visual interface to define policies, as well as the functions of policy transformation and consistency detection; the policy repository, which stores technical policies and can be implemented by a directory server; the policy decision point (PDP), which selects the appropriate policy from the policy repository, transforms it into the managed device's configuration, and transfers it to the PEP; the policy enforcement point (PEP), which generates the conditions transferred to the PDP from the network states and the events that happen in the network, and furthermore receives and executes the actions generated by the PDP; and the policy communication protocols, including the LDAP protocol used by the PDP to access the policy repository and the COPS protocol used for PDP and PEP interaction, together with its extensions COPS-RSVP and COPS-PR.

Policy can be either abstract or concrete. An abstract policy only describes the goal, objective or constraint that needs to be achieved but does not specify how to achieve it. By using abstract policy we can manage network resources in an abstract, uniform way, hide the heterogeneity of the resources and set up a general model for management activities. A concrete policy explicitly specifies the process or procedure that needs to be executed. Because there are no details left unclear or undescribed, a concrete policy is easy to achieve. Moreover, a concrete policy contains the manner of measuring outcomes, which lets us know whether the policy goal has been reached. Before being transformed into an executable concrete policy, an abstract policy can be decomposed into smaller, more detailed goals. This process is called policy refinement, translation or transformation.

Policy transformation is a refining process that includes policy conflict detection and resolution, and finally enables the policy to be executed in the management system. We can use a case database or historical system behavior to provide an experiential basis for policy transformation. A case is an experience, a story or a past scene. Case-based reasoning is a reasoning model in which an old case is selected from the case database according to the new case and then modified to produce a solution for the new case. In the case-based reasoning approach to policy transformation, the system learns from past behavior and maintains a database of past cases, where each case is a combination of the business objectives and the system configuration parameters that achieve those objectives. The transformation module uses the knowledge learned from the past behavior of the system to predict its present and future behavior. When we need to find the configuration parameters for a new business objective, the transformation module consults the case database to find the closest matching case, or modifies the configuration parameters of a set of cases, to determine the configuration parameters that will realize the desired business objectives.

A very important problem that must be resolved during policy transformation is policy conflict, i.e. deciding which rule's action ought to be executed when several rules' conditions are satisfied simultaneously. Many academic organizations are now devoted to research on policy and PBNM systems, among which the policy working groups at Imperial University and Bell Laboratory have done outstanding work. Both have developed their own policy language and policy framework, as well as an approach to policy conflict resolution based on that language. Imperial University explored a conflict detection mechanism for security policy using role-based access control and the Ponder language template. The network management system developed by Bell Laboratory uses the Policy Description Language (PDL); since PDL is event-based, they put forward an approach to policy conflict resolution using event-based logic programming.

Policy-based network management adheres to the concept of "modality" throughout: policy representation, policy triggering and policy execution all depend on the modality. Moreover, the concrete approach to policy conflict detection and resolution is tied even more closely to the policy modality.

So, first of all, in this paper we present formal definitions of policy, policy rule and policy conflict using a set-based algebraic structure, which helps to convey the information about the actions executed when a policy conflict happens; we then use a semi-lattice based approach to detect and resolve the inconsistency between policies, and finally extend this approach to AND-ed and OR-ed sets of actions. The semi-lattice based policy conflict resolution method relies on two pivotal ideas: conditions can be represented by a set-based approach, and a semi-lattice based algebraic structure is used for action selection in conflict resolution. A semi-lattice can be regarded as a partially ordered set and can be represented as a graph. A policy conflict happens when the conditions of two or more policy rules intersect but their action sets are not the same, and it can be resolved by selecting a new action to be executed after detection. Therefore we can draw a conclusion: if an action set conforms to a semi-lattice, a new action can always be selected for policy conflict resolution. The advantage of semi-lattice based policy conflict resolution is that it inherits all the mathematical results and algorithms of graph theory. In addition, this approach is independent of the policy syntax and of the layer at which the rules are defined. In fact, we abstract conflict resolution as the selection of a new action to enforce when two or more rules conflict.

We use Sun One Directory Server as the policy repository to store policies, the Java programming language to develop the policy management tool, the Netscape Directory SDK to implement the LDAP API, and an Oracle database to build the policy conflict detection database and the case database. The policy management tool provides the network manager with plentiful policy definition...
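As an added illustration of the semi-lattice approach described above (example code written for this page, not from the thesis): conditions are modelled as sets of condition atoms, two rules conflict when their condition sets intersect but their action sets differ, and the conflict is resolved by selecting the join (least upper bound) of the conflicting actions in a constructed partial order over hypothetical QoS actions. An AND-ed action set is handled by folding the join over all of its actions; the action names, the order between them and the rules are all constructed for the example.

```python
from itertools import combinations

# Constructed order over hypothetical QoS actions: key -> actions directly above it (more conservative).
COVERS = {
    "allow": {"mark_af11", "mark_af21"},
    "mark_af11": {"shape_2M"},
    "mark_af21": {"shape_2M"},
    "shape_2M": {"shape_1M"},
    "shape_1M": {"drop"},
    "drop": set(),
}

def upper_set(action):
    """All actions >= action (reflexive, transitive closure of COVERS)."""
    return {action}.union(*(upper_set(b) for b in COVERS[action]))

def join(a, b):
    """Least upper bound of a and b; None when the minimal common upper bound is not unique."""
    common = upper_set(a) & upper_set(b)
    minimal = [u for u in common if not any(u in upper_set(v) for v in common if v != u)]
    return minimal[0] if len(minimal) == 1 else None

def is_join_semilattice(actions):
    """True if every pair has a join, i.e. any conflict over these actions is resolvable."""
    return all(join(a, b) is not None for a, b in combinations(actions, 2))

def detect_conflicts(rules):
    """Rules are (name, condition_atoms, actions); conflict = conditions intersect, actions differ."""
    return [(r1[0], r2[0]) for r1, r2 in combinations(rules, 2)
            if r1[1] & r2[1] and r1[2] != r2[2]]

def resolve(rule1, rule2):
    """Select one new action: fold the join over the AND-ed set of both rules' actions."""
    result = None
    for action in sorted(rule1[2] | rule2[2]):
        result = action if result is None else join(result, action)
        if result is None:
            return None
    return result

# Constructed policy rules: each condition is a set of condition atoms.
RULES = [
    ("R1", frozenset({"proto=udp", "src=10.0.0.0/8"}), frozenset({"mark_af11"})),
    ("R2", frozenset({"proto=udp", "dport=5060"}), frozenset({"mark_af21"})),
    ("R3", frozenset({"proto=tcp"}), frozenset({"allow"})),
]

if __name__ == "__main__":
    print(is_join_semilattice(COVERS), detect_conflicts(RULES), resolve(RULES[0], RULES[1]))
```

R1 and R2 both match UDP traffic but mark it differently, so the tool selects the join of their two markings (here the 2M shaper) as the single action to enforce; R3 overlaps with neither and is left alone.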
Keywords/Search Tags: Policy-Based