
The Research On PDL-based Policy Management System

Posted on: 2007-01-01
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Tao
GTID: 2178360182995988
Subject: Computer system architecture
Abstract/Summary:
With the growth in the scale and application of networks, the importance of policy-based network management (PBNM) has risen quickly. A PBNM system translates the requests and management goals of the consumer into policies and stores them in a policy repository. When a network device issues a service request, the PBNM system queries the appropriate policies and decides by computation whether the related policies should be executed. Finally, it translates the policies into commands for specific devices, operating and configuring those devices so as to satisfy the management goals and tasks.

At present, research on PBNM systems focuses mainly on the PBNM framework of the IETF and DMTF, which contains five parts: the policy management tool, the policy repository, the policy decision point, the policy enforcement point and the policy communication protocols. The IETF framework, however, is too general and gives the developer little direction for constructing a specific PBNM system; furthermore, the IETF did not present a standard policy description language, and the problem of policy conflict remains very intractable.

Many organizations and individuals have studied methods of policy representation, but four classes are much better known than the others: logic-based policy representation, information-model-based policy representation, Ponder from Imperial College and PDL from Bell Labs. Logic-based languages have proved attractive for the specification of security policy, as they have a well-understood formalism that is amenable to analysis; however, they can be difficult to use and are not always directly translatable into an efficient implementation. Ponder is a declarative, object-oriented language designed at Imperial College that can be used to specify both security and management policies. The policy information model PCIM is the IETF's method of policy specification: an object-oriented information model that is independent of the specific storage implementation. PCIM is a general model for policy description; the IETF subsequently presented the extended RFC document PCIMe, and QPCIM specifically for quality of service.

The Policy Description Language (PDL) was designed by Jorge Lobo, Randeep Bhatia and Shamim Naqvi of Bell Labs. In PDL a policy is described by a collection of propositions of two types: policy rule propositions and policy-defined event propositions. Policy rule propositions are expressions of the form "event causes action if condition", and policy-defined event propositions are expressions of the form "event triggers event if condition". This paper introduces the semantics, the syntax and presentation examples of PDL.

The PDL policy system is a distributed policy-based management system consisting of a collection of cooperating policy-enabled nodes called policy elements. These policy elements communicate using events and actions. Every policy induces a hierarchical view of the policy elements, and the nodes in this hierarchy cooperate to enforce the given policy. Every policy server has at least one leaf element and zero or more interior elements, and any policy element can simultaneously be part of many policy servers. Every policy element consists of several sub-systems or services, each performing a specific policy management role. In addition to the parts common to every policy element, the policy engine and the action manager, interior elements have a domain distributor, and leaf elements have several specialized services, namely the action mapper, event mapper, event filter and domain filter, which allow them to interface to the devices and systems in the network.

The policy engine manages the registration and execution of policies. Whenever an element is selected to participate in a policy execution it is given the sub-policy it is responsible for; this sub-policy is installed in the policy engine, which routes the appropriate events to it and the actions from it. The action manager processes action requests: actions triggered by the policy engine are routed to the action manager, which determines where the action is to be executed and sends the appropriate request. The domain distributor determines the appropriate policy elements to receive particular action requests and policy registrations. The action mapper maps action requests from policies to the actual device-specific commands to be performed by the device. The event mapper converts world (device-specific) events into policy events. The event filter passes only events that some policy wants; any event in which no policy has expressed interest is discarded by the filter. The domain filter dynamically determines whether this leaf element is indeed part of the action or event domain specified by the policy; if it is not, the event or action is ignored.

The heart of the policy engine is the policy evaluator, which evaluates the policies to determine the set of actions that enforces them. This paper presents an algorithm for evaluating policies specified in PDL. The algorithm works in real time: it only gets to see the current epoch, and based on the set of events that happen in the current epoch and on the past history it evaluates all the actions that must happen in the current epoch, as specified by the policy. The policy evaluation algorithm PE has two phases: the initialization phase and the real-time phase. The former compiles the policy description in order to evaluate all the static information. In the real-time phase, the algorithm PE evaluates the policy rules against the current history to determine the actions to be taken, or the policy-defined events to be triggered, at the current epoch.

For the PDL policy system the paramount issue is how to detect and resolve action conflicts. We propose action constraints as the basic technique for detecting conflicts: action conflicts are captured as violations of action constraints. In researching the detection and resolution of conflicts in policies composed of ECA rules, we focus on the dimension of time, and especially on the sequence events in the rules, resolving conflicts by cancellation and delay of actions. In this paper we show how to define monitors for policies with rules that refer to sequence events, and we present the algorithms for the different classes of monitors.

The criteria for selecting the appropriate monitor in the context of a specific application must consider the properties of the conflicting actions in more detail. If a conflicting action is unlikely to be repeated and still makes sense when it is delayed, a delay monitor is the better choice; otherwise a cancellation monitor is more appropriate. Actions should not be cancelled (or delayed) arbitrarily: clearly, a monitor should stay as close to the policy as possible, and this can be interpreted in two ways. If we focus on cancelling (or delaying) a minimal set of conflicting actions, we get action monitors; if instead we apply the original policy to a maximal consistent reduction of the original input, we get event monitors.

In this paper we design and implement a simple policy management tool for PDL. The tool provides the network manager with a policy definition interface and can receive the high-level policies defined by the administrator. With the tool the administrator can edit and store policies defined in PDL, and conflicts can be detected by applying the action constraints before the policies are stored in the database. Thus editing, storage and conflict detection have been completely implemented.
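The two PDL rule forms, the two-phase evaluation over epochs, and the cancellation, delay and event monitors described above, as an added example in Python (it is not the thesis's tool or Bell Labs' PDL implementation). `Rule`, `Trigger`, `Exclusive` and `PolicyEngine` are a hypothetical encoding in which a PDL condition is a Python callable over the event's attributes, a policy-defined event fires within the epoch that triggered it, an action constraint is a pair of actions that must not be enforced in the same epoch, and the switch-port events and rules are constructed for illustration. The only history this toy carries between epochs is the set of actions a delay monitor has postponed.

```python
"""Toy PDL-style policy evaluator: ECA rules per epoch, action constraints,
cancellation/delay/event monitors.  Added example, not the thesis's code or
Bell Labs' PDL; rule objects, conditions and sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Attrs = Dict[str, object]
Epoch = Dict[str, Attrs]          # events seen in one epoch -> their attributes

@dataclass
class Rule:                       # "event causes action if condition"
    event: str
    action: str
    cond: Callable[[Attrs], bool] = lambda a: True

@dataclass
class Trigger:                    # "event triggers event if condition"
    event: str
    derived: str
    cond: Callable[[Attrs], bool] = lambda a: True
    attrs: Callable[[Attrs], Attrs] = lambda a: a   # attributes of the derived event

@dataclass
class Exclusive:                  # action constraint: keep and drop must not co-occur
    keep: str
    drop: str

class PolicyEngine:
    def __init__(self, rules, triggers, constraints, monitor="cancel"):
        # Initialization phase: index the static policy structure once.
        self.rules, self.triggers = defaultdict(list), defaultdict(list)
        for r in rules:
            self.rules[r.event].append(r)
        for t in triggers:
            self.triggers[t.event].append(t)
        self.constraints = list(constraints)
        self.monitor = monitor                 # "cancel" | "delay" | "event"
        self.deferred: Set[str] = set()        # actions a delay monitor carried over

    def derive(self, epoch: Epoch) -> Set[str]:
        """Pure evaluation of one epoch; policy-defined events fire in the same epoch."""
        pending, seen, actions = dict(epoch), set(), set()
        while pending:
            name, attrs = pending.popitem()
            if name in seen:                   # also stops cyclic trigger chains
                continue
            seen.add(name)
            for r in self.rules.get(name, ()):
                if r.cond(attrs):
                    actions.add(r.action)
            for t in self.triggers.get(name, ()):
                if t.cond(attrs) and t.derived not in seen:
                    pending[t.derived] = t.attrs(attrs)
        return actions

    def violations(self, actions: Set[str]) -> List[Exclusive]:
        return [c for c in self.constraints if c.keep in actions and c.drop in actions]

    def step(self, epoch: Epoch) -> Set[str]:
        """Real-time phase: one epoch in, a constraint-consistent action set out."""
        if self.monitor == "event":
            # Event monitor: greedily build a maximal consistent reduction of the
            # input (earlier events win), then apply the original policy to it.
            kept: Epoch = {}
            for name, attrs in epoch.items():
                trial = {**kept, name: attrs}
                if not self.violations(self.derive(trial)):
                    kept = trial
            return self.derive(kept)
        actions = self.derive(epoch) | self.deferred
        self.deferred = set()
        for c in self.violations(actions):
            actions.discard(c.drop)            # action monitor: cancel a minimal set ...
            if self.monitor == "delay":
                self.deferred.add(c.drop)      # ... or carry it into the next epoch
        return actions

def demo_policy(monitor: str) -> PolicyEngine:
    """Constructed sample policy for port control on a managed switch."""
    rules = [
        Rule("intrusion_alert", "disable_port", lambda a: a.get("severity", 0) >= 7),
        Rule("maintenance_done", "enable_port"),
        Rule("link_congested", "throttle_bulk", lambda a: a.get("util", 0) > 0.9),
    ]
    triggers = [Trigger("link_flap", "intrusion_alert",     # >= 5 flaps => severe alert
                        lambda a: a.get("count", 0) >= 5, lambda a: {"severity": 9})]
    constraints = [Exclusive(keep="disable_port", drop="enable_port")]
    return PolicyEngine(rules, triggers, constraints, monitor)

def run_scenarios() -> Dict[str, List[Set[str]]]:
    """Feed the same two constructed epochs to each monitor class."""
    epochs: List[Epoch] = [{"maintenance_done": {}, "link_flap": {"count": 6}},
                           {"link_congested": {"util": 0.95}}]
    out = {}
    for m in ("cancel", "delay", "event"):
        engine = demo_policy(m)
        out[m] = [engine.step(e) for e in epochs]
    return out
```

Calling `run_scenarios()` shows the three monitor classes diverging on the same input. Under the cancellation and delay monitors the conflicting first epoch enforces only `disable_port`; the delay monitor then enforces `enable_port` in the following epoch, while the cancellation monitor drops it for good. The event monitor keeps the earlier event of the conflicting pair, so it enforces `enable_port` and never sees the alert derived from the link flaps. That is precisely the kind of outcome the selection criteria above warn about: the choice of monitor has to weigh which of the conflicting actions may safely be lost or postponed, and a greedy reduction that favours arrival order can silently discard the security-relevant one.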
Keywords/Search Tags: Management