[Nsi-wg] Topology virtualisation

John MacAuley john.macauley at surfnet.nl
Mon Jun 28 19:26:18 CDT 2010 

Quick question that may be related.  How would we model a client routing 
policy?  For example, my organization has a policy against routing over 
links from another organization and I am requesting a schedule from the 
network.  How does the NSA learn of this policy?  I would assume it is a 
similar issue to specifying SLRG values, and the requesting client would 
specify the domain for exclusion.

John.

On 10-06-28 7:16 PM, John Vollbrecht wrote:
> On Jun 28, 2010, at 3:02 PM, Freek Dijkstra wrote:
>
>    
>> John Vollbrecht wrote:
>>
>>      
>>>> [..] A domain of a single link however seems different [..]
>>>>          
>>      
>>> [...] it is important to note that the adjacent network (not
>>> necessarily a node) enforces the policy of the link.  This could be
>>> done by having the link delegate policy to the adjacent network or by
>>> having the adjacent network contact the policy server for the link.
>>> In the first case policy is run by the adjacent network for the link,
>>> in the second the adjacent network asks for approval from the link.
>>>        
>> This is indeed the crucial question. From an architectural point of
>> view, the former model is the easiest one, as the requester does not
>> need to have knowledge about the delegation is done (the requester
>> directly talks to the owner of the link without worrying how it is
>> enforced). In the later model, the requester ask one domain for
>> resources in another domain, and (presumably?) has to be aware of that.
>>
>> For reasons of simplicity, I prefer the first model. As added advantage
>> is that this seems very similar to how delegation is done for virtual
>> networks.
>>
>>      
> It seems to me that the first model has some problems that might make it harder.  The biggest is that it has to delegate policy for its domain to another domain.  It is not clear how to do this in a standard way - perhaps XACML could be used to define policy and send it to the enforcing domain.
>
> The alternative - having the enforcing domain query the link's policy requires knowing how to question the other domain policy server.  This is pretty much what happens during connection reservation where there is no enforcement other than by provider NSAs accepting or rejecting a request.
>
> Either way requires an SLA between enforcing domain and adjacent domain - one domain must trust that the other will enforce policy as agreed.
>
> My thinking is that either of these ways might be best - perhaps in different situations.  Some specific use cases would help.
>
> John
>
>
>    
>> Perhaps related is the question how NSI deals with domains that do not
>> support NSI yet. This is something to consider -- if we create an
>> architecture that only works if all domains in the world deploy it at
>> the same time, then we risk that the deployment takes as long as, say,
>> IPv6. I wonder if the second model you describe above (where a domain
>> enforces the policy of a neighbouring domain that does not support NSI)
>> is applicable to this situation as well.
>>
>> Regards,
>> Freek
>>      
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/nsi-wg
>

More information about the nsi-wg mailing list