One document matched: draft-hares-i2rs-info-model-policy-03.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3060 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3060.xml">
<!ENTITY RFC3644 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3644.xml">
<!ENTITY RFC5394 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5394.xml">
<!ENTITY RFC5511 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5511.xml">
<!ENTITY I-D.ietf-i2rs-architecture SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-i2rs-architecture.xml">
<!ENTITY I-D.ietf-i2rs-rib-info-model SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-i2rs-rib-info-model.xml">
<!ENTITY I-D.atlas-i2rs-policy-framework SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.atlas-i2rs-policy-framework.xml">
<!ENTITY I-D.white-i2rs-use-case SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.white-i2rs-use-case.xml">
<!ENTITY I-D.hares-i2rs-bgp-im SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.hares-i2rs-bgp-im.xml">
<!ENTITY I-D.hares-i2rs-info-model-service-topo SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.hares-i2rs-info-model-service-topo.xml">
<!ENTITY I-D.krishnan-i2rs-large-flow-use-case SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.krishnan-i2rs-large-flow-use-case.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc iprnotified="no" ?>
<?rfc strict="no" ?>
<rfc category="std" docName="draft-hares-i2rs-info-model-policy-03"
ipr="trust200902">
<front>
<title abbrev="IM for policy">An Information Model for Basic Network Policy </title>
<author fullname="Susan Hares" initials="S" surname="Hares">
<organization>Huawei</organization>
<address>
<postal>
<street>7453 Hickory Hill</street>
<city>Saline</city>
<region>MI</region>
<code>48176</code>
<country>USA</country>
</postal>
<email>shares@ndzh.com</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Qin Wu" initials="Q." surname="Wu">
<organization>Huawei</organization>
<address>
<postal>
<street>101 Software Avenue, Yuhua District</street>
<city>Nanjing</city>
<region>Jiangsu</region>
<code>210012</code>
<country>China</country>
</postal>
<email>sunseawq@huawei.com</email>
</address>
</author>
<date year="2014" />
<area>Routing Area</area>
<workgroup>I2RS working group</workgroup>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<keyword>I2RS</keyword>
<abstract>
<t>This document contains three information Models:
Basic Network Policy (BNP IM), Policy-Based Routing (PBR),
I2RS Local-Config (I2RS-LC IM). The I2RRS-LC IM provides
both an I2RS store of Policies plus a store of Policy Templates.
The BNP IM has the following levels of Policy Hierarchy: Policy Set,
Policy Group, Policy Rule, and conditional actions within the
policy rule (conditional match and Action). The PBR IM,
I2RS LC IM, BGP Information Model (BGP IM),
Service Topology Information Model (SF-Topo IM),
and the Service Forwarding Chaining IM (SFC IM) utilize
and extend the BNP IM. This draft lists the extensions
to the BNP IM that support these information models (PBR IM,
I2RS LC IM, BGP IM, SSF-Topo IM and SFC-Policy IM).
</t>
<t>The BNP IM is based on the concept of an extensible information model for
representing policies. This concept is also found in the Policy Core Information Model
(PCIM) (RFC3060) and the Quality of Service (QoS) Policy Information
Model (QPIM)(RFC3644) and policy based routing.</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>The Interface to the Routing System (I2RS) provides read and write
access to the information and state within the routing process within
routing elements. The I2RS client interacts with one or more I2RS agents
to collect information from network routing systems.</t>
<t>Processing of collected information at the I2RS agent may require the
I2RS Agent to filter certain information or group pieces of information
in order to reduce the data flow through the network to the I2RS client.
Some applications that that utilize the services of I2RS client may also
wish to require specific data in response to network events or
conditions based on pre-established rules. This functionality is
necessary to meet the requirements of i2rs enabled services which
include service-layer routing improvements, and control of traffic flows
and exit points.</t>
<t>This document introduces a Basic Network Policy information model
(BNP IM) to handle policies related to the network.
This basic policy model can be easily extended beyond the basic
functions. The <xref target="I-D.ietf-i2rs-architecture"></xref>
suggests that associated with the i2RS RIB model there will be
"Policy-based Routing (ACLs)" and RIB "policy controls". These basic
policy functions can operate as part of this functional blocks providing
the basic model for policy operators. This model can also be considered
as the substance of the policy templates.</t>
<t> The BNP IM
is extensible allowing other extensions to make the BNP IM
policy adaptable to specific I2RS protocol features.
This policy model can be linked with other information models
such as the following:
<list style="symbols">
<t> Policy Base Routing Information model (PBR-IM) (Model in section 4), </t>
<t> I2RS RIB Informational Model (RIB IM) (see section 6)
(<xref target="I-D.ietf-i2rs-rib-info-model"></xref>)</t>
<t> BGP Informational Model (BGP IM) (see section 6)
(<xref target="I-D.hares-i2rs-bgp-im"></xref>) </t>
<t> Service Topology (see section 6)
(<xref target="I-D.hares-i2rs-info-model-service-topo"></xref>) </t>
<t> Service Forwarding Chaining Filters Information Mode (SFC IM) (see section 6)
(ietf-hares-dunbar-i2rs-sfc-policy-im-00.txt) </t>
</list>
</t>
<t>The BNP IM model is a product of the industry
approach to I2RS that standardizes on a few basic functions
network functions to obtain quick deployment of initial I2RS RIB
modules, and build on this success to create network functions.
Additional I2RS modules add I2RS interfaces to policy-based routing,
BGP, Service topology creation, Service Chaining functions,
and policy templates.</t>
<t>This information model leverages previous work done on extensible
information model for representing policies, for example, the Policy
Core Information Model (PCIM) <xref target="RFC3060"></xref> [RFC3060],
and an extension to this model to address the need for QoS management,
called the Quality of Service (QoS) Policy Information Model (QPIM)
<xref target="RFC3644"></xref> [RFC3644].</t>
<t>Most policy within routing and forwarding systems has become
hierarchical with individual specific policies being grouped as a set
policy. The hierarchical policy rule definition enhances policy
readability and reusability. Groups of network policies have labels to
aid operational use. Named groups of policy are easily identified and
reused as blocks.</t>
<t>The Basic Network Policy information model contains the following three components:
<list style="hanging">
<t hangText="Policy Group"><vspace blankLines="1" />Policy is
described by a set of policy rules that may be grouped into subsets.
A Policy group is used to provide a hierarchical policy definition
that provides the model context or scope for sub-rule actions. The
model context includes identity, scope, role, precedence, priority
and security model. In a policy group policy rules and policy groups
can be nested within other policy rules.</t>
<t hangText="Policy Set"><vspace blankLines="1" /> is a
set of Policy Groups identified by a Policy Set Name.</t>
<t hangText="Policy Rule"><vspace blankLines="1" />
Policy Rule is represented by semantics “If Condition then Action”,
therefore condition and action comprise Policy Rule model. </t>
</list>
</t>
<t> This draft contains the following Informational Models
<list style="hanging">
<t hangText="Basic Network-Policy Information Model (BNP IM)"><vspace blankLines="1" /> is
generic network policy model. It can be thought of as a coherent set
of rules to administer, manage, and control access to network
resources and defines a network policy at its most general level of
abstraction. It models aspects such as actions and conditions that
constitute a policy element relationship, as well as operators
contained in the both condition and action that can either be used
to overwrite an old value of the variable or imply match
relationship.</t>
<t hangText="Policy Based Routing Information Model (PBR IM)"><vspace blankLines="1" />defines
information that allows the network administer to forward the packet based on
other criteria than the destination address in the packet. </t>
<t hangText="I2RS Local Config Information Model (I2RS-LC IM) "><vspace blankLines="1" />defines
I2RS Local Configuration database kept in the I2RS Agent that can be leveraged
to quickly set-up policies via the I2RS Agent. This local configuration
store contains basic network policies and network templates, and provides
quick local access to polies rather than transfer the policies down from the
I2RS Client prior to enacting a policy via I2RS interface. </t>
</list></t>
</section>
<section title="Definitions and Acronyms">
<t><list>
<t>IGP: Interior Gateway Protocol</t>
<t>Information Model: An abstract model of a conceptual domain,
independent of a specific implementations or data representation</t>
<t>CLI: Command Line Interface</t>
<t>SNMP: The Simple Network Management Protocol</t>
<t>NETCONF: The Network Configuration Protocol</t>
<t>RBNF: Routing Backus-Naur Form</t>
</list></t>
</section>
<section title="Basic Network Policy Information Model (BNP IM)">
<section title="BNP IM Overview ">
<t>I2RS needs its own implicit and explicit policy. This section
provides an overview of the network policy model. The network policy
model is defined by the following components, whose relationship is
roughly depicted in the figure below.</t>
<t>
<figure>
<artwork>
+-----------------------+
| Network-Policy |
+-----------+-----------+
^
/|\
| "extends"
+-----------^-------------+
| Policy Set |
+--+-------------------+--+
^ ^ +---------------+
/|\ /|\ ---|PBR Policy-Rule|
| | | | Additions |
| | | +---------------+
| "extends" | "extends" | +---------------+
+--------^-------+ +-------^-------+ |--|LP Policy-Rule |
| Policy Group | | Policy Rule |<---| |Additions |
+----------------+ +---------------+ | +---------------+
: : | . . .
: : | +---------------+
......: :..... ---|RIB Policy-Rule|
: : | Additions |
: : +---------------+
: :
+---------V---------+ +-V-------------+
| Policy Condition | | Policy Action |
+-------------------+ +---------------+
: : : : : :
.....: . :..... .....: . :.....
: : : : : :
+----V---+ +---V----+ +--V---+ +-V------++--V-----++--V---+
| Match | |Policy | |Policy| | Set || Policy ||Policy|
|Operator| |Variable| |Value | |Operator||Variable|| Value|
+--------+ +--------+ +------+ +--------++--------++------+
Figure 1: Overall model BNP IM structure
</artwork>
</figure>
</t>
<t> Network_policy - contains sets of policies. </t>
<t>Policy-Set - is introduced to provide an abstraction for a set of
rules. it is inserted into the inheritance hierarchy above
both Policy-Group and Policy-Rule. </t>
<t>Policy-Group -defines the basic network policy Group
model which combines the a list of Policy-Rules. </t>
<t>Policy Rule is represented by semantics “If Condition then Action”,
therefore condition and action comprise Policy Rule model.
<list style="symbols">
<t> Condition models the elementary match operation “<variable> match
<value>”. </t>
<t> Action models the elementary set operation. "SET
<variable> TO <value>". </t>
</list>
In Condition model, the ‘Match’ operator is usually implied
while in the action model, the ‘Set operator is explicitly used.</t>
<t>Policy-Sets, Policy-Groups, and Policy-Rules have
basic functionality (Policy-Basic IM) plus extensions defined
by specific Information Models such as:
<list>
<t> the PBR Information Model (PBR IM) (contained in this document), </t>
<t> the I2RS_Local_Policy Model (LP IM) (contained in this document), </t>
<t> the RIB Information Model (RIB IM) (<xref target="I-D.ietf-i2rs-rib-info-model"></xref>), </t>
<t> the BGP Information Model (BGP-IM) (<xref target="I-D.hares-i2rs-bgp-im"></xref>), </t>
<t> the Traffic Steering Information Model (<xref target="I-D.hares-i2rs-info-model-service-topo"></xref>), </t>
<t> the SFC Information Model (SFC IM) (ietf-hares-dunbar-i2rs-sfc-policy-im-00.txt) </t>
<t> the MPLS LDP Information Model (MPLS LDP IM) as templates for policy. </t>
</list>
</t>
<t>
I2RS Client-Agents Information Models MAY support
only the Policy-Basic IM, or MAY support any additional
specific information models. </t>
<t> Each level of the Policy hierarchy (Policy-Set,
Policy-Group, and Policy-Rules have both a read and write scope
</t>
</section>
<section title="The Policy Set" >
<section title="Policy Set Overview">
<t>The PolicySet structure has the following elements:
<list style="symbols">
<t> Policy-Set_Name - Unique Name for Policy Set </t>
<t> Policy-Group is introduced to provide an abstraction for a set of
rules. It is derived from Policy, and it is inserted into the
inheritance hierarchy above both PolicyGroup and PolicyRule. This
reflects the additional structural flexibility and semantic capability
of both subclasses.</t>
</list>
</t>
</section>
<section title="Policy-Set RBNF">
<t>
<figure>
<artwork>
Figure 2 - Policy Set RBNF
<Network_policy> ::= (<Policy_Set> ...)
<Policy-Set> ::= <Policy-Set-Name>
<Policy-Group_list> ::=
(<Policy-Group> ...)
(<Policy-Rule> ...)
(<local_Config>)
(<PBR_rule>)
</artwork>
</figure>
</t>
</section>
</section>
<section title="The Policy Group">
<section title="Policy Group Overview">
<t>In order to provide hierarchical policy definition and associate
policy rule with other constraint, the basic policy group model needs
to be defined. The corresponding extensions are introduced in a
component, whose structure is informally depicted in the following
diagram.</t>
<figure>
<artwork>
Figure 3 - Policy Group
+------------------------------------+ (optional)
| Policy Group |....
+------------------------------------+ :
* * * * * ^ :
| | | | | :....:
| | | | |
| | | | |
| | | | |
+--------+ +--------+ +--------+| +-----------+
|Identity| | Role | |Priority|| |Policy Rule|
+--------+ +--------+ +--------+| +-----------+
* * | * * *
| | | | | |
+--- | | +---+---+ | ++----+
| | | |Enabled| | |Usage|
| | | +-------+ | +-----+
+-----+----+ +------+ | |
| Resource | |Scope | | |
+----------+ +------+ | |
* * | +--+------+
| | +----+------+ |Mandatory|
| | | Precedence| +---------+
| | +-----------+
| |
+-----++-----+
| Read||Write|
|Scope||Scope|
+-----++-----+
</artwork>
</figure>
<t></t>
<t>The basic information model works as follows: Within the policy
group information model, hierarchy is used to model context or scope
for the sub-rule actions. A policy group contains Identity, scope,
priority,precedence, and policy rule. Optionally, the policy group
can contain a list of policy groups. </t>
<t>The elements of the Policy Group information model are as follows:
<list style="symbols">
<t>Each policy group is captured in its own list, distinguished
via a identity, role, priority, precedence.</t>
<t>A policy group has a certain role, such as resource or scope. A
policy group can even have multiple roles simultaneously. The
role, are captured in the list of "role" component.</t>
<t>A policy role has a certain Scope, such as read scope or write
scope. A policy group can even have multiple scope simultaneously.
The scope, or scopes, are captured in the list of "scope"
components.</t>
<t>A policy has a certain priority, such as priority 0-255. A
policy can only have one priority. The priority is captured in the
list of "priority" component.</t>
<t>A policy rule can inherit properties (e.g.,
identity, role, priority, precedence) from policy group. A policy
rule also can have its own properties, e.g., enabled, mandatory,
usage.</t>
<t>The policy, policy group elements can be extended with
policy-specific components (policy-extensions,
policy-group-extension respectively).</t>
</list></t>
</section>
<section title="Policy-Group RBNF">
<t>A more formal depiction in RBNF format follows below
<figure>
<artwork>
Figure 4 - Policy-Group RBNF
<Policy-Group> ::= <Policy-Group_Identity>
<Policy-Group_Roles>
<Policy-Group_priority>
<Policy-Group_precedence>
(<Policy-Rule-list>)
[<Supporting-Policy-Group>]
[<Policy-Group-Extension>]
<Policy-Group_Identity> ::= <Policy-Group-Name>
[<Policy-Group-Secure-Identity>]
<Policy-Group-priority> ::= INTEGER (0..255);
<Policy-Group-precedence> ::= INTEGER (0..250);
<Policy-Rule-list> ::= ((<Policy-Rule> <Policy-Rule-Status>) ...)
<Policy-Rule-Status> ::= <POLICY-RULE-ENABLE>
[<POLICY-RULE-MANDATORY>]
[<Policy-Rule_usage>]
<Policy-Rule_usage> ::== <Policy-Rule-REFCNT>
<Policy-Group-Roles> ::= (<Policy-Group-Role> ...)
<Policy-Group-Role> ::=<Node-RESOURCES> | <Policy-Group-Scope>
<Node-RESOURCES> ::= [<I2RS_AGENT_RESOURCE>]
<Policy-Group-Scope> ::= (<READ_SCOPE> <Policy-Group_Read_Scope>)
| (<WRITE_SCOPE> <Policy-Group_Write_Scope>)
<Policy-Group_Read_Scope> ::= <Policy-Group_Read_Scope_Type>
[<RIB-IM_READ_list>]
[<BGP-IM-READ_list>]
<Policy-Group_Read_Scope_Type> ::= <RIB-IM_READ_SCOPE_TYPE>
| <BGP-IM_READ_SCOPE_TYPE>
<Policy-Group_Write_Scope> ::= <Policy-Group_Write_Scope_Type>
[<RIB-IM_WRITE_list>]
[<BGP-IM-WRITE_list>]
<Policy-Group_Write_Scope_Type> ::= <RIB-IM_WRITE_SCOPE_TYPE>
| <BGP-IM_WRITE_SCOPE_TYPE>
<Supporting-Policy-Group> ::= <SUPPORT-POLICY-GROUP> (
<Policy-Group> ...)
<Policy-Group-Extension> ::= ... /* Vendor Specific Policy */
</artwork>
</figure>
</t>
</section>
</section>
<section title="The Policy Rule ">
<section title="Policy-Rule Overview">
<t>The following diagram contains an informal graphical depiction of
the main elements of the information model:
<figure>
<artwork>
Figure 5 - Policy Rule
+----------------+
| Policy Rule |<...
+----------------+ :
* * : :
| | :...:
| |
+---------+ +--------+
...>|Condition|<.......| Action |<...
: +---------+<.......+--------+ :
: : * * : :
:..... | : :... :
| :
+--------+...........:
|Operator|
+--------+
</artwork>
</figure>
</t>
<t>Roughly speaking, the basic information model works as follows: A
policy rule contains conditions and actions. Each condition or each
action in turn contains operator. A operator connects variable and
value in the action or condition. Condition can map onto and be
supported by other condition, while action can map onto and be
supported by other actions. Policy rule can map onto other, policy
rules.</t>
<t>The elements of the Policy Rule information model are as
follows:
<list style="symbols">
<t>A policy can in turn be part of a hierarchy of policies,
building on top of other policies. Each policy is captured in its
own level, distinguished via a policy-identity.</t>
<t>Policy rule inherit scope from policy group. A policy role has
a certain Scope, such as read scope or write scope. A policy rule
can even have multiple scope simultaneously. The scope, or scopes,
are captured in the list of "scope" components.</t>
<t>Furthermore, a policy rule contains conditions and actions,
each captured in their own list.</t>
<t>A condition contains a variable and a value and use a match
operator, to connect variable with value. An examples of an
operator might be a” IP ADDRESS AS RESOLVED BYDNS” or “Set to a
member”. Also, a condition can in turn map onto other condition in
an underlay policy. This is captured in
list"supporting-condition".</t>
<t>An action contains a variable and a value. An action uses Set
operator to connect variable with value. Analogous to a node, an
action can in turn map onto other actions in an underlay policy.
This is captured in list "supporting-action".</t>
<t>The policy, condition, action and operator elements can be
extended with policy-specific components (policy-extensions,
condition-extension, action-extension and operator-extension
respectively).</t>
</list>
</t>
</section>
<section title="Policy-Rule RBNF">
<t>The information model for the Network-policy component is more
formally shown in RBNF below:
<figure>
<artwork>
Figure 6 Policy Rule RBNF
<Policy-Rule> ::= <Policy-Rule_identity>
<Policy-Rule_priority>
<Policy-Rule_precedence>
<Policy-Rule_Roles>
(<Policy-Rule_Condition>
<Policy-Rule_Action> ...)
<Policy-Rule_Security_model>
[<Policy-Rule_rule_extensions>]
<Policy-Rule_identity> ::= <Policy-Rule-Name>
[<Policy-Rule-Secure-Identity>]
<Policy-Rule_priority> ::= INTEGER (0..250);
<Policy-Rule_precedence> :;= INTEGER (0..250);
<Policy-Rule_Roles> ::= (<Policy_Rule_Role> ...);
<Policy-Rule_Role> ::=<RESOURCES> |
<Policy_Rule_Scope>
<RESOURCES> ::= [<I2RS_AGENT_RESOURCE>]
<Policy-Rule_Scope> ::= (<READ_SCOPE>
<Policy-Rule_Read_scope>)
| (<WRITE_SCOPE>
<Policy-Rule_Write_scope>)
<Policy-Rule_Read_scope> ::= ((<BNP_READ_SCOPE_TYPE>
<BNP_READ_SCOPE_list>) ...)
| [<Policy-Rule_Read_Scope_External>]
<Policy-Rule_Write_scope> ::= ((<BNP_WRITE_SCOPE_TYPE>
<BNP_WRITE_SCOPE_list>)...)
[<Policy-Rule_Write_Scope_External>]
<Policy-Rule_Condition> ::= <Policy-Rule_Match_node>
(<Policy-Rule_Match_value> ...)
[<Policy-Rule_mode>]
[<Policy-Rule_Match_Operator>]
[<Policy-Rule_Condition_extension>]
<Policy-Rule_Match_node> ::= [<Policy-Rule_Match_Node_BNP-IM>]
| [<Policy-Rule_Match_node_external]
<Policy-Rule_Match_value> ::= [<Policy-Rule_Match_Value_BNP-IM>]
| [<Policy-Rule_Match_Value_external]
<Policy-Rule_mode> ::= PERMIT | DENY ;
<Policy-Rule_Match_operator_external> ::=
[<Policy-Rule_Match_Operator_BNP-IM>]
| [<Policy-Rule_Match_Operator_external]
<Policy-Rule-action> ::= <Policy-Rule_Action_variable>
<Policy-Rule_Action_value>
<Policy-Rule_Set-Operator>
[<Policy-Rule_action-extension> ]
<Policy-Rule_Security-Model> ::= <First-Matching>
|<All-Matching>]
<Policy-Rule_rule_extension> ::=
<I2RS-LC-policy_rule_extensions>
<Policy-Rule-action> ::= <Policy-Rule_Action_variable>
<Policy-Rule_Action_value>
<Policy-Rule_Set-Operator>
[<Policy-Rule_action-extension> ]
<Policy-Rule_Action_variable> ::= <Policy-Rule_Action_var>
(<Policy-Rule_Action_value> ...)
[<Policy-Rule_Set_Operator>]
[<Policy-Rule_Action_extension>]
<Policy-Rule_Action_var> ::= [<Policy-Rule_Action_Vars_BNP-IM>]
| [<Policy-Rule_Action_external>]
<Policy-Rule_Action_value> ::= [<Policy-Rule_Action_Vars_BNP-IM>]
| [<Policy-Rule_Action_external>]
<Policy-Rule_Set_Operator> ::= [<Policy-Rule_Set_Operator_BNP-IM>]
| [<Policy-Rule_Set_Operator_external>]
<Policy-Rule-action-extension> ::=
[<Policy-Rule_act_ext_BNP-IM>]
| [<Policy-Rule_act_ext_external>]
<Policy-Rule-Match-Operator-Policy-IM> ::= <IS-SET-MEMBER'>
|<IN-INTEGER-RANGE>
|<IP-ADDRESS-AS-RESOLVED-BY-DNS>
|<Policy_IM-Match-Operator-extension>
<Policy-Rule_condition_extension> ::=
<Policy_Rule_condition_ext-BNP-IM>
[<Policy-Rule_Condition_ext_external>]
/* these scopes besides RIB IM are defined in each IM */
<PR_Read_Scope_RIB_IM> ::=<RIB-IM_READ_SCOPE_TYPE>
<RIB-IM_READ_list>
<PR_Read_Scope_RIB_IM> ::=<RIB-IM_READ_SCOPE_TYPE>
<RIB-IM_READ_list>
<RIB-IM_READ_list> ::= [<RIB-IM-Tree-Match> ...]
<RIB-IM_WRITE_list> ::= [<RIB-IM-Tree-Match> ...]
<RIB-IM-Tree-Match> ::= <RIB-IM-Match-routing-instance>
<RIB-IM-Match-interface-list>
<RIM-IM-Match-rib_list>
<RIB-IM-match-route-list>
/* extensions to other IM */
/* External Read and Write Scope */
<Policy-Rule_Read_Scope_External> ::=
[<PR_Read_Scope_RIB_IM>]
[<PR_Read_Scope_BGP_IM>]
[<PR_Read_Scope_PBR_IM>]
[<PR_Read_Scope_I2RSLC_IM>]
[<PR_Read_Scope_STopo_IM>]
[<PR_Read_Scope_SFC-Policy_IM>]
<Policy-Rule_Write_Scope_External> ::=
[<PR_Write_Scope_RIB_IM>]
[<PR_Write_Scope_BGP_IM>]
[<PR_WriteScope_PBR_IM>]
[<PR_Read_Scope_I2RSLC_IM>]
[<PR_Read_Scope_STopo_IM>]
[<PR_Read_Scope_SFC-PolicyIM>]
/* External Rule Conditionals */
<Policy-Rule_Match_node_external> ::=
[<Policy-Rule_Match_Node_RIB-IM>]
| [<Policy-Rule_Match_Node_PBR-IM>]
| [<Policy-Rule_match_Node_I2RSLC-IM>]
| [<Policy-Rule_Match_Node_BGP-IM>]
| [<Policy-Rule_Match_Node_STopo-IM>]
| [<Policy-Rule_Match_Node_SFC-Policy-IM>]
<Policy-Rule_Match_Value_external> ::=
[<Policy-Rule_Match_Value_RIB-IM>]
| [<Policy-Rule_Match_Value_PBR-IM>]
| [<Policy-Rule_Match_Value_I2RSLC-IM>]
| [<Policy-Rule_Match_Value_BGP-IM>]
| [<Policy-Rule_Match_Value_STopo-IM>]
| [<Policy-Rule_Match_Value_SFC-Policy-IM>]
<Policy-Rule_Match_operator_external> ::=
[<Policy-Rule_Match_Operator_RIB-IM>]
| [<Policy-Rule_Match_Operator_PBR-IM>]
| [<Policy-Rule_Match_Operator_I2RSLC-IM>]
| [<Policy-Rule_Match_Operator_BGP-IM>]
| [<Policy-Rule_Match_Operator_STopo-IM>]
| [<Policy-Rule_Match_Operator_SFC-Policy-IM>]
<Policy-Rule_Action_value_external> ::=
[<Policy-Rule_Action_Values_RIB-IM>]
| [<Policy-Rule_Action_Values_PBR-IM>]
| [<Policy-Rule_Match_Operator_I2RSLC-IM>]
| [<Policy-Rule_Action_Values_BGP-IM>]
| [<Policy-Rule_Set_Operator_STopo-IM>]
| [<Policy-Rule_Set_Operator_SFC-Policy-IM>]
<Policy-Rule_Set_Operator_external> :==
[<Policy-Rule_Set_Operator_RIB-IM>]
| [<Policy-Rule_Set_Operator_PBR-IM>]
| [<Policy-Rule_Match_Operator_I2RSLC-IM>]
| [<Policy-Rule_Set_Operator_RIB-IM>]
| [<Policy-Rule_Set_Operator_BGP-IM>]
| [<Policy-Rule_Set_Operator_STopo-IM>]
| [<Policy-Rule_Set_Operator_SFC-Policy-IM>]
<Policy-Rule_act_ext_external> ::=
[<Policy-Rule_extension_RIB-IM>]
| [<Policy-Rule_act_ext_PBR-IM>]
| [<Policy-Rule_act_ext_I2RSLC-IM>]
| [<Policy-Rule_act_ext_RIB-IM>]
| [<Policy-Rule_act_ext_BGP-IM>]
| [<Policy-Rule_act_ext_STopo-IM>]
| [<Policy-Rule_act_ext_SFC-Policy-IM>]
| [<I2RS_Vendor-Rule_act_ext>]/* other I2RS IM */
</artwork>
</figure>
</t>
</section>
</section>
<section title="BNP IM Grammar">
<t>This section specifies the network policy information model in
Routing Backus-Naur Form (RBNF, <xref target="RFC5511"></xref>). It also
provides diagrams of the main entities of which the information model is
comprised.</t>
<t>
<figure>
<artwork>
<basic-network_policy_in> ::= (<policy-set> ...)
<basic-network_policy_out> ::= (<policy-set> ...)
<network-policy_rules_list> ::= (<policy-rule>...)
</artwork>
</figure>
</t>
</section>
</section>
<section title="The Policy Based Routing Information Model ">
<section title="Policy Based Routing Overview">
<t>Policy based Routing is a technique used to make routing
decisions based on policies set by the network administrator. PBR
enables network administrator to forward the packet based on other
criteria than the destination address in the packet, which is used
to lookup an entry in the routing table. </t>
<t>The policy based routing problem can be viewed as a resource
allocation problem that incorporates business decision
with routing. Policy based routing provides many benefits, including cost
saving, load balancing and basic QoS.</t>
<t>Routing decisions in policy based routing are based on several
criteria beyond destination address, such as packet size,
application, protocol used, and identity of the end system.
Policy constraints are applied before applying QoS constraints
since policy constraint overrides QoS constraint.
Policy constraints may be exchanged by routing protocols while
updating routing information.</t>
<t> The I2RS use cases which benefit from PBR are:
<xref target="I-D.white-i2rs-use-case"> </xref> and
<xref target="I-D.krishnan-i2rs-large-flow-use-case"></xref>,
</t>
<t> PBR-Rules extends from Policy Basic Rule with
a set of condition, action and attributes.
Routing decisions in policy based routing
are based on several criteria beyond destination address, such as packet
size, application, protocol used, and identity of the end system. </t>
</section>
<section title="PBR-RIB definition">
<t>One routing instance (named by an INSTANCE_NAME) can contain multiple PBR RIBs,
and is associated with a set of interfaces, and a ROUTER-ID.
The entries associated with each routing instance relating to the
PBR are:
<list style="symbols">
<t> INSTANCE NAME </t>
<t> interface_list </t>
<t> PRB RIB list - with each entry having an order set of routes </t>
<t> PRB Default RIB - default forwarding FIB. </t>
<t> ROUTER-ID</t>
</list>
</t>
<t>
Each PBR RIB has the following:
<list style="symbols">
<t> PRB RIB NAME </t>
<t> PBR Route-entry </t>
</list>
The Route entry in a PRB has the following information:
<list style="symbols">
<t> match field - as in the RIB IM route </t>
<t> order_list PBR route list with each entry having: a) next-hops,
b) PBR route attributes, and c) vendor-attributes</t>
</list>
The PRB route attributes include QOS Attributes as show in the policy list below.
</t>
</section>
<section title="PBR Rule Component">
<t>A PBR rule is constructed using condition, action and attributes
that are inherited from Policy Group Component.
<figure>
<artwork>
Figure 7 - PBR Policy Rule
+-----------------------+
| Policy Rule |
+-----------+-----------+
^
/|\ "extends"
+-----------^-----------+
| PBR Rule |
+--+-----------------+--+
: :
: : .......
: : : :
+--------V-------+ +-------V-------+ :
| PBR Condition | | PBR Action |<...
+----------------+ +-+----------+--+
/|\ /|\
"extends"| | "extends"
+---+ +--------+
| |
+-------^-------+ +-----^---------+
| QoS Action | |Forward Action |
+---------------+ +---------------+
: : : : : :
....: : :..... .....: : :.....
: : : : : :
+----V---+ +---V----+ +--V---+ +-V------++--V-----++--V-----+
|Set | |QoS | |QoS | |Forward ||Next Hop||Next Hop|
|Operator| |Variable| |Value | |Operator||Variable||Value |
+--------+ +--------+ +------+ +--------++--+-----++--------+
/|\
| "extends"
+---^----+
|Next Hop|
|Type |
+--------+
Figure 3: Policy based routing IM structure
</artwork>
</figure>
</t>
</section>
<section title="PBR QOS RBNF">
<t> The PBR QOS RBNF is below
<figure>
<artwork>
Figure 8 - PRB QOS RBNF
/* policy rules */
<Policy-Rule_Match_Node_PBR-IM> ::= <IPv4_QoS_Node_Matches>
| <IPv6_QoS_Node_Matches>
<Policy-Rule_Match_Value_PBR-IM> ::= <IPv4_QoS_Value_Matches>
| <IPv6_QoS_Value_Matches>
<IPv4_QoS_Node_matches> = <IPv4-QOS_Matches>
<IPv6_QoS_Node_matches> = <Pv6-QOS_Matches>
<IPv4_QoS_Value_matches> = <IPv4-QOS_Matches>
<IPv6_QoS_Value_matches> = <IPv6-QOS_Matches>
<IPv4-QOS_Matches> ::= [<IPv4-SRC>]
[<IPv4_DST>]
[<IPv4_Proto>]
[<IPv4_TOS-DSCP>]
[<IPv4_ICMP_field>]
[<IPv4_length>]
<IPv6-QOS_Matches> ::= [<IPv6-SRC>]
[<IPv6_DST>]
[<IPv6_Proto>]
[<IPv6_Flow>]
[<IPv6_length>]
<Policy-Rule_Match_Operator_PBR-IM> ::= [<Longest-prefix>]
| [<Exact>]
| [(<IPv4-RANGE> <IPv4-Low> <IPv4-High>)]
| [(<IPv6-RANGE> <IPv6-Low> <IPv6-High>)]
| [(<LENGTH-Range> <LENGTH_Low> <LENGTH_High>)]
<IPv4_low> ::= <IPv4-Prefix>
<IPv4_high> ::= <IPv4-Prefix>
<IPv6_low> ::= <IPv6-Prefix>
<IPv6_high> ::= <IPv6-Prefix>
<Policy-Rule_Action_value_PBR-IM> ::= [<QOS_action>]
[<FWD_action>]
<QOS_action> ::= <QOS_IP-TOS_Set>
| <QOS_DSCP>
<FWD_action> ::= <Drop_packet>
| <Drop_Packet_ICMP>
| (<Forward_Specific> <next-hop>)
| (<Forward_Default>)
<Policy-Rule_Set_Operator_PBR-IM> ::= [<SET_QOS_BITS>]
| [<SET_FWD_ACTION<]
</artwork>
</figure>
</t>
</section>
<section title="Relationship between PBR Rule Model and RIB Information Model">
<t>As described in <xref target="I-D.ietf-i2rs-rib-info-model"> </xref>,
each Routing instance contains a collection of RIBs, interfaces, and routing
parameters including the following:
<list style="symbols">
<t>The set of interfaces indicates which interfaces are
associated with this routing instance. </t>
<t>The RIBs specify how incoming traffic is to be forwarded
based on destination. </t>
<t>the routing parameters control the information in the
RIBs/PIBs.</t>
</list></t>
<t>PIB and RIB can not be used at the same time, which means:
<list style="symbols">
<t>If a router doesn’t support policy based routing, a router
MUST use rib and MUST not use PIB.</t>
<t>If a router supports policy based routing,<list>
<t>PIB is used if several criteria beyond destination
address is matched.</t>
<t>RIB is used if several criteria beyond destination
address is not matched.</t>
</list></t>
</list></t>
<t>Policy constraints information either comes from RSVP,BGP/IGP, or
comes from manual configuration or policy configuration tool.
Therefore PBR uses from the RIB IM:
<list style="symbols">
<t>Interface-list: The interface list contains a list of
identifiers, with each identifier uniquely identifying an
interface. </t>
<t>Origin: an indication used to identify from which protocols
(e.g., ISIS, OSPF, BGP, I2RS, CLI etc.) the policy based route
is.</t>
</list></t>
</section>
<section title="PBR RBNF">
<t>
<figure>
<artwork>
Figure 9 - PBR RBNF
/* pbr defintion */
<pbr-routing-instance> ::= <PBR_INSTANCE_NAME>
[<interface-list>] <pbr-rib_list>
[<prb-default-rib>]
[<Router-ID>]
<pbr-rib-list> ::= <PRB_RIB_NAME>
<PRB_rib_family>
(<prb_rib> ...)
<PRB_rib_family> ::=<IPv4_PRB_FAMILY>
| <IPV6_PRB_FAIMILY>
<prb_rib> ::= <PRB_RIB_NAME>
<PRB_rib_family>
<prb_policy_set>
<prb_policy_set< ::= <BNP_policy_set>
<RIB_policy_set_extensions>
<PRB_policy_set_extensions>
<BGP_policy_set_extensions>
<QOS_policy_set_extensions>
<prb_policy_set_exetensions> ::=
<Policy-Rule_Match_Node_PBR-IM>
<Policy-Rule_Match_Value_PBR-IM>
<Policy-Rule_Match_Operator_PBR-IM>
<Policy-Rule_Action_value_PBR-IM>
<Policy-Rule_Set_Operator_PBR-IM>
</artwork>
</figure>
</t>
</section>
<section title="Remaining PRB Issues">
<t>Policy based routing MUST tackle the following difficult
questions:<list style="symbols">
<t>How is policy management strategy selected? Centralized or
distributed. </t>
<t>At which point in a network domain are policy constraints
checked and enforced? i.e., policy coverage, here policy
constraint can be exchanged by routing protocol? </t>
<t>How are policy constraints exchanged within a domain? </t>
<t>How is policy data stored, refreshed and retrieved from
policy repository? </t>
<t>How are policy rule conflicts avoided? </t>
</list></t>
</section>
</section>
<section title="The I2RS Local Policy Information Model">
<section title="I2RS Local Policy IM Overview">
<t>The Local Policy Information Model (LB IM) stores I2RS policy
and policy templates that are used across many I2RS modules.
The LB IM stores a set of policy and a set of policy templates.
This section defines the LB IM extensions needed to the
Basic Policy set at the Policy-set, Policy-Group, and
Policy-Rule level. It also defines the optional extensions
to this LP policy model as:
<list style="symbols">
<t> PBR IM, </t>
<t> RIB IM, </t>
<t> BGP IM, </t>
<t> Traffic Steering (TS IM) </t>
<t> SFC Filter (SFC-F IM), </t>
<t> Basic Route Templates IM </t>
</list>
</t>
<t>The key benefit of the I2RS Local Configure Information Model (Local- is that it
provides a place to store I2RS policy, and I2RS templates.
The LB IM MAY allow for: a) re-use of these policy templates across
multiple I2RS client-I2RS agent sessions, b) storing of some policy
into permanent configuration store </t>
</section>
<section title="I2RS Local Policy IM RBNF">
<t>
<figure>
<artwork>
Figure 10 - Local I2RS Policy Story extensions
<i2rs-Local-Policy> ::= <I2RS_LOCAL_POLICY_STORE>
<Policy-Set>
<Policy-Templates>
<i2rs-condition-extension> :== [<I2RS-Client-Agent_transport_list>]
[<I2RS_IPADRESS_DNS_resolve>]
[<Policy-Template_match>]
<I2RS-Client-Agent_transport_list> :== (< i2rs_transport > ...)
<i2rs_transport< ::= [TCP][SCTP][SSL];
/* these actions allow local I2RS configure store could
* write to local Node policy store */
<i2rs-action-extension> ::= [<i2rs_write_policy_config_store>]
[<i2rs_write_bgp_config_store>]
...
</artwork>
</figure>
</t>
<t>The model extends the original network-policy model as follows:
<list style="symbols">
<t>A local policy rule can in turn be part of a hierarchy of
policies, building on top of other policies. Each local
configuration policy is captured in its own level, distinguished
via a policy identity.</t>
<t>A local policy rule inherit scope from policy group. A local
policy rule has a certain Scope, such as read scope or write
scope. A local policy rule can even have multiple scope
simultaneously. The scope, or scopes, are captured in the list of
"scope" components.</t>
<t>Furthermore, a local policy contains conditions and actions,
each captured in their own list.</t>
<t>A condition contains a variable and a value and use a match
operator, to connect variable with value. An examples of an
operator might be a” IP ADDRESS AS RESOLVED BYDNS” or “Set to a
member”. Also, a condition can in turn map onto other condition in
an underlay policy. This is captured in list in "supporting-condition".</t>
<t>An action contains a variable and a value. An action uses Set
operator to connect variable with value. Analogous to a node, an
action can in turn map onto other actions in an underlay policy.
This is captured in list "supporting-action".</t>
<t>The local policy, condition, action and operator elements can
be extended with policy-specific components (condition-extension,
action-extension and operator-extension respectively).</t>
</list>
</t>
</section>
</section>
<section title="Extensions to the Policy IM">
<section title="Extension to the RIB IM">
<t>
<figure>
<artwork>
Figure 11 - RIB Information Model Extensions
<RIB-IM_READ_list> ::= [<RIB-IM-Tree-Match ...]
<RIB-IM_WRITE_list> ::= [<RIB-IM-Tree-Match ...]
<RIB-IM-Tree-Match> ::= <RIB-IM-Match-routing-instance>
<RIB-IM-Match-interface-list>
<RIM-IM-Match-rib_list>
<RIB-IM-match-route-list;
/* BGP Info Module Tree Match */
<BGP-IM_READ_list> ::= [<BGP-IM-Tree-Match ...]
<BGP-IM_WRITE_list> ::= [<BGP-IM-Tree-Match ...]
<BGP-IM-Tree-Match> ::= <BGP-IM-Tree-Match-protocol-instance>
<BGP-IM-Match-Protocol-instance> ::= (<BGP_protocol> ...)
<prb_rib> ::= <bgp_route_list>
<bgp_route_list> ::= (<bgp_route> ...)
<bgp_route> ::= <BGP_ROUTE_TYPE>
<bgp_route_prefix>
<bgp_attribute_list>
<bgp_route_create>
<bgp_rt_state_info>
<basic-network_policy_in> ::= (<policy-set> ...)
<basic-network_policy_out> ::= (<policy-set> ...)
<network-policy_rules_list> ::= (<policy-rule>...)
</artwork>
</figure>
</t>
</section>
<section title="Extension from the BGP IM">
<t>
<figure>
<artwork>
Figure 12 - BGP Information Model Extensions
<BGP-IM_READ_list> ::= [<BGP-IM-Tree-Match ...]
<BGP-IM_WRITE_list> ::= [<BGP-IM-Tree-Match ...]
<BGP-IM-Tree-Match> ::= <BGP-IM-Tree-Match-protocol-instance>
<BGP-IM-Match-Protocol-instance> ::= (<BGP_protocol> ...)
</artwork>
</figure>
</t>
</section>
<section title="Extension from SFC Topology IM">
<t>
<figure>
<artwork>
Figure 13 - SFC Topology Information Model Extensions
/* what part of the STopo Model can access */
<STopo-IM_READ_list> ::= [<STopo-IM-Tree-Match ...]
<STopo-IM_WRITE_list> ::= [<STopo-IM-Tree-Match ...]
<STopo-IM-Tree-Match> ::= <STopo-IM-Tree-Match-protocol-instance>
<STopo-IM-Match-Protocol-instance> ::= (<STopo_protocol> ...)
</artwork>
</figure>
</t>
</section>
<section title="Extension from the SFC Traffic Filters">
<t>
<figure>
<artwork>
Figure 14 - Traffic Steering Information Model Extensions
/* what part of the STopo Model can access */
<SFC-Policy-IM_READ_list> ::= [<SF-Policy-IM-Tree-Match ...]
<SFC-Policy-IM_WRITE_list> ::= [<SF-Policy-IM-Tree-Match ...]
<SFC-Policy-IM-Tree-Match> ::= <SF-Policy-IM-Tree-Match-protocol-instance>
<SFC-Policy-IM-Match-Protocol-instance> ::= <SF_instance_list>
</artwork>
</figure>
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This draft includes no request to IANA.</t>
</section>
<section title="Security Considerations">
<t>TBD.</t>
</section>
</middle>
<back>
<references title="Informative References">
&RFC2119;
&RFC3060;
&RFC3644;
&RFC5394;
&RFC5511;
&I-D.ietf-i2rs-architecture;
&I-D.ietf-i2rs-rib-info-model;
&I-D.atlas-i2rs-policy-framework;
&I-D.white-i2rs-use-case;
&I-D.hares-i2rs-bgp-im;
&I-D.hares-i2rs-info-model-service-topo;
&I-D.krishnan-i2rs-large-flow-use-case;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:58:29 |